The fear of Big Brother using RFID to track hospital patients is largely unfounded.
That’s the conclusion of a white paper aimed at reassuring folk about privacy implications of the technology in the health-care sector.
The Ontario Information and Privacy Commissioner Ann Cavoukian teamed up with HP Canada to develop the white paper, called RFID and Privacy: Guidance for Health-Care Providers, to address these potential privacy concerns – including tagging things, tagging people and tagging things linked to people.
“We’re embedding privacy into the design of the products and a governance structure so [health-care providers] can use it without concern and with the openness and transparency that’s needed in this industry,” said Cavoukian.
That means, as RFID is more widely adopted in the health-care sector, strong privacy-protected systems will already be in place, and there won’t be compliance issues with PHIPA (the Personal Health Information Protection Act).
It’s something Cavoukian calls “privacy by design,” where privacy is embedded into the design of the technology. “It’s not either/or,” she said. “You can have the benefits of both.”
She said there’s a “comfort level” to introducing this technology in a this manner.
HP calls this architected IT, where business strategy is aligned with technology strategy, so these types of issues are addressed in its product design, and customers don’t have to worry about things going wrong once they’ve deployed it.
At this point, most Canadian hospitals are using – or interested in using) RFID – to track items in the supply chain, such as equipment, supplies and devices (including instruments used in the operating room).
And this is an area where the technology holds a lot of promise.
Inefficiencies in supply chain management have led to boxes upon boxes of unused supplies passing their expiration date, according to studies conducted in Canadian hospitals.
Hospitals can be carrying up to a 20 to 30 per cent excess supplies, simply because doctors and nurses don’t know where to find those.
And up to one-third of a nurse’s time can be wasted looking for them.
“Then you end up having waste,” said Victor Garcia, chief technology officer with HP Canada. “All of these problems can be [avoided] through the application of technologies such as RFID.”
In hospitals where RFID is being used, errors in finding the right patient in the right operating room and having the right procedure have been eliminated.
“We did a project in Taiwan at a hospital that has close to 90 operating rooms, so it’s impossible for the team in the OR to personally know all of the patients,” he said. “They often rely on identification methods that can lead to errors.”
RFID can help address this, as well as the surprisingly common problem of medical instruments being left inside patients after operations. (There’s a Web site dedicated to this).
Despite these benefits, when you talk about RIFD, privacy is always the first thing that comes up, said Cavoukian.
People fear it’s going to introduce an infrastructure of surveillance, but “that’s nonsense,” she said.
“It is within the realm of possibility if you’ve built in no protections whatsoever. But everyone is going to great lengths to ensure that huge protections are built in, especially in the health-care field.”
When it comes to the tracking of “things,” there are no privacy issues, since those things are not linked to any privacy information. But tagging people is a riskier area.
“We wanted to provide some guidance and protections in that area,” she said.
“You don’t ignore the area, you address it, you make sure the protections necessary are embedded into the technology, and recognize there are times you want to positively identify people in the best way possible.”
In Ontario, she has the ability to authorize indirect collection of information, which could be used for wandering patients (such as those with Alzheimer’s or dementia).
“If these individuals had RFID-enabled bracelets on, you would be able to – and you want to be able to – find them,” she said. “They’re not in a position to help themselves.”
To date, the way RFID is being used in healthcare really doesn’t affect patient privacy because it’s not being used at the patient level, said Mark Tauschek, senior research analyst with Info-Tech Research Group.
Active RFID is being used to monitor the location of equipment, and there’s also some chokepoint scanning going on, where you could put a bracelet or necklace around wandering patients in a retirement home to make sure they don’t walk out the door.
RFID is also becoming more common on the prescription drug front to eliminate counterfeiting – and to make sure people get the right drugs.
While this helps to protect the patient, there isn’t any personal information being stored on that RFID tag, contrary to what you would find with RFID and passports, said Tauschek.
“And that’s a real issue, particularly in the U.K. where they started to do this and found that it was pretty easy to crack the tag and get information off it.”
In some cases, privacy can be a real concern. “But the perception really is that if we start using RFID in our identification and credit cards that Big Brother will be able to track me wherever I go and whatever I do, and that’s really not true,” he said.
That’s largely a function of the technology itself, which isn’t well suited for spying on people.
Typically with a passive RFID tag you get reads from a couple of feet; even with an amplified reader, you might get reads up to 20 feet. And it’s not something that can be tracked with a satellite.
When implemented poorly without encryption or security, there are going to be privacy concerns, he said, but when implemented properly it’s pretty much unbreakable.