Privacy in Your Own Home? Think Again.
Imagine you owned a property you call home. It can be a simple 4-room HDB flat or a sprawling Good Class Bungalow (GCB) in District 10. You receive guests from time to time. Naturally, there are some guests you allow only to sit in the sitting room and maybe you allow them to go to the kitchen so that they can go to guest toilet in the 4-room HDB flat. But certainly, you will not let them go to the master bedroom or use the toilet adjoining it or your children’s bedrooms, unless they are very close relatives or friends. And I mean real close.
If you are staying in a bungalow with many rooms, it gets even more complicated. You may have a family room upstairs or private dining area away from the dining area where you entertain guests. The bungalow may have a study, an attic or a domestic worker’s room which guests are never welcome. In fact, you do not even want anyone other than your immediate family members to know that these rooms exist. These are very ‘private’ rooms not meant for anyone else to enter other that your immediate family members who live in this building or the domestic worker that cleans these areas. You would normally welcome guests in the sitting room or dining room where you entertain. But rarely would a guest be welcomed upstairs where your family and you share private times together.
Now serious problems arise when a bunch of people who now insist that once they enter through the doorway into your sitting room, they have a right to access every single area in the house, including your master bedroom toilet and your wife’s walk-in wardrobe as well as your study and your kids’ study. Not only that, this bunch of people want to rummage through your refrigerator and trash bin to gather information on what foodstuff you have been buying, eating and disposing.
Would you allow that? I wouldn’t. And I guess neither would 90% of people in Singapore.
But that is what the National Electronic Health Record (NEHR) does, in an analogical sense. Actually, the NEHR goes further than this. You don’t even have to allow the person through the front door. Any person who claims he has business or matters to deal with you can walk into your house and every room in your house. He is presumably “authorised”.
This hobbit understands that today, the NEHR has been rolled out in all Restructured Hospitals other than IMH. Any doctor who attends to you has a right to enter into your NEHR and see practically everything there (walk through every room in your house). There may be some small pockets they may not access (equivalent to the small safe in your bedroom) to. He can even go into your fridge or wardrobe and see what you have bought (look at your pharmaceutical record) or eaten.
And you do not even have to allow him in. He just has to claim he is your doctor. Of course, if he isn’t your doctor, that can be tracked, and the doctor will be punished. But that is post-fact. The damage is already done, your house/NEHR has been trampled all over already by the trespasser or unwanted visitor.
Privacy Rights – The Right To Control Who Knows What
The NEHR does not take into account the privacy rights of the patient in a contextual sense. There are some things I will tell Doctor A and there are other things I want only Doctor B to know. I do not want Doctor A and B and C (whom I see for different things and in different contexts) to know everything or have the same information about me.
The fact is, we all compartmentalise our lives. In our families, there are some things we tell certain family members and some things we tell other family members. Each family member often has different information or data-sets of us. This is even applicable to close family members, such as siblings or children. Do you tell all you siblings or children exactly the same information about yourself?
The same applies in the workplace – certain colleagues know something of us that other colleagues do not. Of course, relatives and colleagues may share information among themselves through interaction but such interaction is usually coincidental, contextual and limited so that it is extremely unlikely that many relatives or colleagues have the same information about us. A simple example would be I would tell my sister certain information and I would tell my brother other information. I will also tell them they must tell no one. I thus retain privacy rights. Of course, if they betray my trust and tell each other the information they possessed without my permission, that is a breach in confidentiality (not privacy). We must not conflate confidentiality with privacy.
This is the essence of privacy rights being applied in our daily lives. As private individuals, we have the right to decide what each person knows about us through the selective disclosure of information to different parties by us. The control lies with me almost all the time, hence it is my right to privacy. It is not a privilege conferred by others. So, the latest reporting that states folks may opt-out of having their information onto the NEHR on a case-by-case basis (subject to approval) is manifestly not good enough. Case-by-case means it is a privilege conferred, not a right possessed. I have a right to privacy, not a privilege of privacy.
Of course, I do not have absolute control over privacy all the time. The elected government with the mandate of the people may take away those rights once in a while through the passing of laws. For example, the Infectious Diseases Act takes away some of these rights. Doctors have to inform MOH when their patients contract certain communicable diseases. The underlying premise is that this limitation of the individual’s privacy rights must be for a greater public good – the prevention and control of an infectious disease outbreak that affects a great many people.
However, what is the “greater public good” justification for the sharing of my medical information as a patient with all my caregivers? I would say that there is little good other than my own well-being or personal welfare. Don’t I get to decide what personal good I intend to achieve with the NEHR? Why can’t I decide what information to give each doctor or caregiver (e.g nurse)? Or even more fundamentally, If I decide to opt out completely of the NEHR, why is my doctor still forced to upload my information onto the NEHR? Yes, when I opt out, no one can access the NEHR, but that is a question of confidentiality, not privacy. My personal well-being arising from participating in the NEHR is not a public good, unlike that of the Infectious Disease Act. The decision to opt-out of the NEHR may be a medically suboptimal decision, but that is my business, not the people who operate the NEHR, as long as I know the consequences of me opting out.
NEHR: Runs Against the Grain Of Current Case Law?
It is even more confusing when you consider this in the light of the direction of medical ethics that our honourable judges are trying to steer us. The Modified Montgomery (MM) Test is now firmly established as case law in Singapore. Essentially, the MM Test firmly puts patient autonomy at the forefront of medical ethics in the country. The Chief Justice has said that patient autonomy is the “first” of the four core principles of medical ethics of beneficence, non-maleficence, social justice and autonomy.
The MM test basically says the patient has a right to decide what he wants, even if the final decision is medically-speaking sub-optimal and that the doctor’s responsibility is NOT to make that decision for the patient but simply to provide all relevant information (from the patient’s perspective) to the patient so that he can make an informed decision. An informed decision from the patient’s perspective may not be the best medical decision from the doctor’s perspective, and if the two do not match, the patient’s decision must prevail (as long as it is not against the law, such as euthanasia, surrogacy etc.). The MM test ensures that patient autonomy is expressed in its fullest sense in our society.
If that is the case with the MM test, then why are the NEHR planners and implementers forcing each patient to
- share the same medical information with all doctors and nurses when the patient may prefer otherwise?
- have their medical information uploaded onto the NEHR, even when the patient has opted-out?
Therefore, the NEHR as it now stands, is clearly going down the slippery slope of compromising patient autonomy.
A simple example would be, say, a married, 40 year old, working, female PMET. She would have in all likelihood most or all of the following doctors –
- a family GP she, her spouse and her children see (who happens to be her old classmate from junior college);
- a company doctor she sees occasionally at the workplace when she is unwell;
- a gynae who delivered her kids and does the her pap smears and gynae checkups;
- a breast surgeon who removed a benign breast lump a year ago and
- an aesthetic doctor she goes to occasionally for pigmentation treatment as well as for the occasional skin peel.
We haven’t even talked about other doctors she has used whom she hasn’t any recollection of – such as the radiologist, pathologist or anaesthetist, who ALL have “rightful” access to her NEHR records as “authorised” healthcare professionals.
Do you think she wants ALL her doctors to know she has had laser treatment for face pigmentation every six months? (We are not even talking about more extensive “work” like liposuction, filler injection and breast implants, just simple laser treatment for pigmentation)
Or do you think a 45 year-old homosexual man wants all his doctors to know he has had treatment with Dr Y for anal warts excision? (He hasn’t “stepped out” yet)
Or would a 58 year-old woman who is now happily married with adult children want anyone to know she had an abortion when she was 17 (We all make mistakes when we were young, just some mistakes are bigger than others)?
Would anyone want all his or her doctors to know one is on antidepressants or erectile dysfunction drugs? Most men wouldn’t even want most of their doctors they see to know they have prostate problems, let alone be given Cialis or Viagra.
Or that all your doctors now know you have been tested for HIV before (result negative, whew) and the test is not part of a mandatory pre-employment workout?
Or that the radiology results of you, a lady, who had a fractured cheek bone as shown in an X-ray taken at the A&E 10 years ago after your then (now ex-) husband assaulted you, is now known to all doctors and nurses taking care of you now for fractured ribs, whiplash and concussion arising from a road traffic accident? Your current husband loves you, but he is wondering why he gets strange looks when he visits you in the hospital from all the hospital nurses and doctors.
Of that that a well-known 60-year-old CEO of a bank (or Professor) was once admitted to a hospital for observation after a fight and had lost consciousness and fractured his nose 40 years ago?
The list goes on and on.
What NEHR Will Contain….
In case you are wondering if these examples are realistic, well – according to the official NEHR brochure: the following information will be uploaded onto the NEHR:
- Admission and visit history
- Hospital discharge summaries
- Laboratory test results
- Radiology results
- Medication history
- History of surgeries or procedures
- Allergies and adverse drug reactions
So all the above scenarios can happen in real life.
Seriously, from my personal viewpoint, I would like to share only the last two points onto the NEHR without reservation so that all my doctors and care-givers (i.e. who are “authorised healthcare professionals, according to the abovesaid brochure) can know this about me: allergies, adverse drug reactions and immunisations.
This hobbit has serious reservations about the rest, and thinks they should be handled with extreme care.
The last point I would like to deal with is that of security. Security can basically be defined as measures put in place to prevent breaches of confidentiality. How secure is the NEHR? I am confident that the planners and implementers have tried their reasonable best to ensure best practices in IT security have been put in place or are being put in place. After all, the NEHR, being backed by government, has enormous resources to do so.
Even then, no IT system, especially one that is internet-based and cloud-based, with literally unlimited number of entry points (every clinic or hospital computer that is linked to the internet is an entry point into the NEHR) is hack-proof. If it were not so, there would be no need for the government to delink civil servants’ work computers and intranet from the internet last year. It was reported this affected all 143,000 civil servants. That is a tacit admission that no security system is fool-proof or hack-proof. I suppose this shows cyberthreats cannot be wished away, but they can be effectively partitioned away.
This hobbit is sure the NEHR is as secure as can be, but not quite more secure from the civil servants’ work computers before they were delinked from the Internet. In fact, the fact that the NEHR exists must in itself be a very tempting trophy database for hackers from all over the world to try and test and breach.
In the event a breach happens and records and medical information are stolen, what is the liability of the NEHR or the government with regard to this breach, and what are the rights of the affected patients? Can he seek redress, compensation, damages etc.?
This hobbit is unsure. These are not stated in the aforementioned NEHR brochure. Theoretically, the NEHR is exempt from the provisions of the Personal Data Protection Act (PDPA) as it is a government programme. Today, if there is unauthorised access to your data with say, your mobile phone network operator, the mobile phone network company MUST inform you so, because the company has to comply with the requirements of the PDPA. If your GP record has been hacked into today (Pre-PDPA) or physically stolen, your GP has to inform you too. You can probably sue your GP or the mobile phone network company for civil damages and the regulators can use the provisions of the PDPA to punish the GP, or the mobile phone network company.
If there is a breach of the NEHR and your record is stolen, will the administrators inform you? No one knows. Will the penalties of the PDPA apply? Probably not. Can you sue the NEHR for civil damages? Again, this hobbit really doesn’t know.
In conclusion, is the NEHR a bad thing? No. But a lot of work needs to be done with the NEHR as it now stands; beginning with:
- We need to discuss openly about the potential downsides of the NEHR as the NEHR currently stands and not just only extol the positives of NEHR.
- We need to recognize that privacy rights need to be adequately addressed. The patient has to retain the power to give and retain information to the healthcare professionals or settings as he sees fit. It is natural to compartmentalise our lives and our interaction with people, and this compartmentalisation extends to the healthcare realm. You cannot talk about confidentiality and security without settling the issue of privacy rights first.
- We need to clearly spell out the rights of the patient and the responsibilities and liabilities of the NEHR owner(s) when there is a security breach. Some sort of a patient charter should extend to the realm of NEHR too.
And we are only talking about looking at the NEHR from the patient’s perspective. We haven’t even talked about the NEHR from the perspective of the people who record and use the information – the healthcare professionals.
A reader of this article may well ask “The typical or average patient in Singapore will in all likelihood not know the issues this article has raised and will not be concerned as such”. It is because this Hobbit is a doctor that he can understand and bring up issues such as privacy, confidentiality and security which dogs the planning and implementation of NEHR.
But that is besides the point. We are actually all in the same boat as “patient advocates”, working for the patient’s best interests and betterment of patient’s well-being: politicians, civil servants, IT experts, healthcare professionals such as doctors, nurses etc., and of course the patients themselves. If we are sincere and serious about being patient advocates, then the questions raised in this article need to be communicated to the public, recognised, considered and addressed by all stakeholders. These issues cannot be ignored, dismissed or simply swept aside if we truly work in the best interests of the patients from a holistic and comprehensive perspective.
The residency rollout was one bad example where those in power then were dismissive of the issues and reservations raised. They steamrolled ahead and adopted the ACGME-I system and the results are for all of us to see now. It is still early days, the NEHR need not go down the same painful route as residency.