Four healthcare IT companies are warning that one of New Zealand’s largest networks of family doctors, nurses and general practice teams has been storing hundreds of thousands of patient records containing personally identifiable information (PII) – without the knowledge or consent of the data subjects.
“ProCare Health has been storing [PII] including names, addresses, financial information, clinical data and medication histories in a database called ‘Clinical Intelligence System,’” the four companies wrote Tuesday in a letter to New Zealand’s Privacy Commissioner, which was obtained by the New Zealand Herald.
The four – HealthLink, Medtech Global, myPractice and Best Practice Software New Zealand – claim that up to 800,000 patients’ medical data is at risk, though they acknowledged that they didn’t know the full extent of the data collection.
They allege that most patients “seemed unaware of the ProCare database.” That could be a violation of the New Zealand Health Information Privacy Code, which, similar to HIPAA in the U.S., stipulates how health information is collected, used, held and disclosed by health agencies.
“At a time when attitudes towards patient privacy are shifting in favor of giving greater protections to the individual, here is an organization that has no direct patient relationship asking doctors to help it amass all the patient records it can get access to,” they wrote.
ProCare Health isn’t taking the allegations in stride, saying in a media statement: “Patients should understand from the enrollment form that identifiable information is shared with the [primary health organization] (PHO) for the purposes stated. The PHO has strict procedures to ensure that individual patient privacy is protected and uses the data for improving healthcare provision and planning … ProCare takes very seriously the care of both patients and their records and has very robust frameworks and processes in place to ensure all legislation obligations are met.”
The organization’s clinical director, Allan Moffitt, added: “As a PHO ProCare could not function without collecting this data and as an organization owned and governed by clinicians, we take very seriously our obligations to privacy and security of information.”