Around 800,000 enrolled patients across Auckland could have had their medical records mined for a 'Clinical Intelligence System' by ProCare Health.

Healthcare IT companies have raised the alarm that up to 800,000 Aucklanders may have had their privacy breached as their medical records were copied into a new electronic database.

On Tuesday, four New Zealand and Australian healthcare IT companies, HealthLink, Medtech Global, myPractice and Best Practice Software New Zealand, raised concern with the Privacy Commissioner about a potential privacy breach involving identifiable medical records.

About a month ago they became aware that primary health organisation ProCare Health was extracting private medical information including patient name, age, address and all financial, demographic and clinical information, including lab results, BMI, diagnosed conditions and medications to store in a database called the 'Clinical Intelligence System'.

But patients and their GPs were being left in the dark about this, HealthLink chief executive Tom Bowden said.

READ MORE:

* US doctors warn of pitfalls of electronic medical records

* Want to see your medical records? Simply go online

* Hospital sends wrong records to dead woman's son in 'disappointing' privacy breach

ProCare represent more than 180 medical practices and 800,000 enrolled patients across the Auckland region.

An undated agreement sent from ProCare to its practices stated the Clinical Intelligence System was a "data warehouse" which they would utilise for "interactive, drillable to NHI (national health index) data reports".

"ProCare is getting a complete data set for all patients, including clinical codings/screenings, medications, prescriptions and invoices."

Bowden said he was "seriously concerned" this lack of transparency could undermine New Zealanders' confidence public health systems and their GPs to protect their privacy.

HealthLink services allow healthcare practitioners to hand over information securely to each other to help manage patients' care.

Bowden said the key aspects of health information exchange are privacy, security, and ensuring information goes only where it needs to.

"People must know if information is out there and if it is being sent anywhere."

For ProCare to create a Clinical Intelligence System allowing them to "gather daily updates" from 800,000 patient records went against that, Bowden said.

"It's big brother or big sister at work here."

Patient notes should stay where they are created and requested only when needed, such as if a patient ends up in the emergency department, he said.

Instead, an organisation with no direct patient relationship is asking doctors to help it amass all the patient records it can gain access to, Bowden said, the implications of which could be "corrosive".

SUPPLIED HealthLink chief executive Tom Bowden told Stuff the move was "big brother, big sister at work".

"When people become aware their information is being sent hither and yon they tend to clam up and not tell GPs what's going on out of fear, which prevents them doing a good job of diagnosing."

​The companies are questioning whether ProCare has breached the New Zealand Health Information Privacy Code.

They have also sent a letter to the Royal New Zealand College of General Practitioners asking it to ensure GPs are aware of what is happening to patient information and how to protect themselves and their patients.

However, ProCare says it could not function without this data and was "very surprised" to hear the companies' concerns.

Clinical director Dr Allan Moffitt said ProCare only extracts information consented to by patients and its practices, including financial and identifiable information.

Patients "directly consent" to their information being extracted when enrolling at the doctors, he said.

"Patients should understand from the enrolment form that identifiable information is shared with the PHO for the purposes stated.

"The PHO has strict procedures to ensure that individual patient privacy is protected and uses the data for improving healthcare provision and planning," Moffitt said in a statement to Stuff.

They sought a full Privacy Impact Assessment regarding the Clinical Intelligence System which was then reviewed by the Privacy Commissioner's office, he said.

"ProCare takes very seriously the care of both patients and their records and has very robust frameworks and processes in place to ensure all legislation obligations are met."

He said ProCare had not been contacted by the companies, and questioned their intentions.

"We will be taking an increased interest in helping our practices to take a deeper interest in ensuring their vendors are also aware and compliant with the regulatory framework we work in," Moffitt said.

A spokesman for the Privacy Commissioner confirmed they had been contacted by HealthLink on Tuesday on behalf of four health IT companies "alerting us to concerns about a ‘clinical intelligence system’."

"We will study the information and then decide how to proceed," the spokesman said.