Reports in the local media stated that on 4 November, the Prime Minister announced that new technology at Mater Dei Hospital would in the near future allow private family doctors to remotely access their patients’ medical records.
When talking about plans for the coming two to three years, Dr Gonzi said that doctors would be able to connect to the hospital from their private clinics and have access to up-to-date information about their patients. The Prime Minister also added that the time would come when identity cards would not solely be forms of identification but also include medical records accessible by doctors.
This may all be sweet music to your ears, but when you delve deeper you will discover that this accessibility, when put into practice, is very dangerous indeed. First of all, this is worrying both to the doctors and to the patients, and both of them are asking questions about how the system is going to work and how safe it is in protecting the patients’ data. Secondly, nobody knows if the same medical doctor is going to have one password to all the patients’ files or whether each doctor will have a different password for each patient.
What is worrying is that at present there are no guarantees that my personal data will only be accessible to the doctor whose consent you have given.
There are no guarantees that only that doctor will have access to your file. There are no guarantees that the other medical doctors will not have the same password as your doctor to your personal records.
Nor, for that matter, are there any guarantees that doctors who are engaged by insurance companies will not have access to your file or the doctor of your place of work. We all know how both insurance companies and employers are hungry for such data, and the system at present is that the Superintendent cannot give away any information from your medical records unless you have given him your consent.
But with the system that is being proposed – that of private family doctors accessing their patients’ medical records – such access needs to be carefully tailor-made to that family doctor and to those medical records only, and not be a blank cheque or a passport for all doctors to spy on all medical records under the pretext that they are accessing their patients’ medical records.
Even couples and spouses are worried, especially those who are in the process of separation. They are afraid that the other spouse’s doctor will have access via the Internet to their personal file. This can be a very delicate matter indeed, because we come across various cases when not all health or cosmetic problems are divulged to the other party but with this possibility, if introduced without the proper data protection measures, there will be chaos both in the handling of data and in the state of many relationships.
In Malta we have a Commissioner for Data Protection who is keen on protecting other data, but who to date has not thought fit to bring to the attention of the Prime Minister that such move will have to be done within the confines of the Data Protection Act.
The Commissioner for Data Protection must start working as from now in order to secure that data protection will be respected and that nothing is done which is not according to the Data Protection Act. The Act provides for a controller of personal data who alone or jointly with others determines the purposes and means of the processing of personal data and in exercising your right of access to personal date, you need to write to the person or organization you believe holds the information. The law says that the request must be made at reasonable intervals, in writing and signed by the data subject.
The situation at law at present is that nobody has a right to access your file or any copy contained in such file. Mater Dei and the Commissioner must work from now in order to ensure that the system of remote access to the patients’ records will secure the data protection of patient.
Measures must be taken on the use of the password: will the doctor have one password for every patient’s file? Or will he have one password for all the files? What guarantees are you going to have that your file will only be accessible to your family doctor and not to other doctors? Can your personal file be copied and splashed all over the Internet? You and I need guarantees so that only those who have our consent can access our file at Mater Dei.
The Prime Minister is regarding this service as a leap in quality in primary health care. However, unless the right safeguards are introduced, and data protection is respected, such service can be a leap in mediocrity rather than quality. It is easy to say that you want to do this and do that, what whatever you do has to be within the compounds of the law and of the rules of civil society.
Now I am sure that the Prime Minister has good intentions and he is only seeing it as another service to the public. But he must be very, very careful before giving the green light to this project as the implications can be very, very, serious without the right precautionary measures in place so that the system will not be abused. Before he knows it, he could find himself surrounded by people claiming damages because of the exposure of their personal data.
It is therefore in everybody’s interest to ensure that the facility intended to give the private family doctors access to their patients’ medical records via Internet, will respect data protection and that there will be no abuse of the system. If the consent of the patient is limited to a particular diagnosis only, the family doctor cannot go any further and his password must be limited to that patient’s file only and not be generic.