E-health privacy under the microscope

Going Public

Suzanne Tindal

Keeping track of the cheques and (bank) balances in government IT is a big job -- fortunately, when we asked Suzanne Tindal if she could take up the challenge, she said "Yes I Can."


What worries you most about the government's personally controlled e-health record (PCEHR) plan? Is it the cost of implementation? Is it the fact that there's not a lot of incentive for doctors to take it up? Or is it the fact that if not implemented properly, it could be a privacy nightmare?

With doctors for parents, I know what would be concerning them the most. Doctors can be fanatical about privacy, and with good reason.

At the end of December, the Department of Health and Ageing released a report by lawyers Minter Ellison and Salinger Privacy into the privacy implications of the legislation enabling the government's PCEHR plan, which hopes to provide every consenting Australian with an electronic medical record by 2012. The Department of Health and Ageing has also provided its responses to the recommendations in the report (PDF).

The system has been made complex by the many privacy safeguards being put in place, and I have said before that in some cases complexity is far too great, especially given the likelihood for IT projects to fail. (See this article on 10 of Victoria's projects that encountered problems.)

However, it does make me feel better that the government felt the need to engage a third party to look into the privacy requirements of the legislation, on top of the many submissions it's received on the subject. It's accepted most of the recommendations made by the duo: it accepted or supported 77 of them, accepted 26 recommendations in principle or in part, was considering one and rejected eight. Six of the rejected recommendations were to be put to the Senate Committee, which is currently examining the legislation; the legislation has to be passed by parliament before the program can get underway.

The recommendations I found interesting that the department has accepted were:

4.4 That the PCEHR Bill prohibit: ... (4) consumers being placed at a disadvantage (financially or in relation to access to healthcare) for declining to provide permission for a healthcare provider to access their PCEHR.

This seems to me to be absolutely necessary if the government really wants the system to be opt-in. After all, we all know how our older relatives complain when they're forced to pay our bills online because of the fees they face otherwise. The department pointed to a "no discrimination" rule in the legislation, which prevents a provider from discriminating against a consumer because they don't have a PCEHR.

4.14 That the arrangements with [Authorised Registration Agents] ensure that there are physical privacy protections for consumers using their shop fronts, such as timed log-outs and privacy screens on public-facing computers.

Why do we have to have this in this legislation? Would this not be better placed in general data breach legislation, which says that organisations have a duty to protect the privacy of their customers and associates? If we got a move on with data breach legislation, then we could just put a reference in this sort of legislation to the data breach law. There are multiple recommendations in the documents that refer to things that I think could fall under such legislation.

4.21 That consumer communications advise consumers who are concerned about the privacy of specific illnesses or episodes of care (such as a pregnancy termination), that unless they are very health literate and prepared to 'remove from view' specific data items, their best option may be to not consent to the disclosure of the MBS/PBS data streams into their PCEHR.

The department is working with the National Change and Adoption Partner (a McKinsey & Company consortium) to develop information to help consumers choose how to participate in the record system. It's optimistic on behalf of the Department of Health to believe that if it gives patients information they'll follow it correctly. But then, should we be babying our citizens?

4.29 That consumers have available to them a 'preview' function, which allows the consumer to see how their record will appear to other types of users depending on the access controls they set.

This will probably nip a lot of privacy errors in the bud.

4.30 That the design of the system include some prompt every few years (such as a screen prompt on next log-in) to consumers with Nominated Representatives to review their choices and check the accuracy of their information.

Given the lazy nature of most people, this is also a good idea.

6.2 That the PCEHR Bill set a data retention period for PCEHR records in the 'Active' category, which have not been subject to any action on the record (such as any new data being added) for an extended period of time.

I'm of two minds on this. It is useful for those who might start a PCEHR, but then not monitor or use it. Removing those records allows them to start again if they want. However, someone who perhaps just leaves the country might have issues if they come back and their records have been expunged.

8.10 That the PCEHR Bill include an obligation on the PCEHR System Operator to report any data security breaches and any evidence of internal misuse of PCEHR data to the Australian Privacy Commissioner.

The department said where the service operator was involved it would have to notify the Australian Information Commissioner and all affected consumers. There's also another recommendation which says that participating organisations should have to report data breaches, too. Good to know that we have some form of data breach laws, although it would be nicer to have this in wider-reaching corporate legislation.

The recommendations that were refused but put to the committee were:

  1. 4.20 That the PCEHR Bill clarify which data 'streams' can be populated with data that pre-dates the commencement of the consent decision.

    The department argues that patients will be deciding whether to populate information into their record (which can include historical data) from certain sources and therefore have enough control over what information is in their record. I agree with this.

  2. 4.27 That the department develop some incentive for organisations to set their HPI-Os (for the purposes of the Access List) at a level which reflects the management of records within the organisation itself.

    The department wanted to retain flexibility for organisations to decide whether they wanted organisation-wide or department-wide identifiers as it suited them. I can't see why this shouldn't be the case, although it could get a little confusing to gain an overview.

  3. 5.9 That the PCEHR Bill prohibit Conformant Portal Providers from recording a consumer's IHI.

    The portal providers are supposed to provide a user-friendly interface for consumers for their record. The department said that providers might need to collect a consumer's identifier, at least temporarily. It said that any collection, use or disclosure of identifiers by a portal is limited to purposes that are related to the delivery of the PCEHR system. I'm not sure there needs to be more than this in the Bill.

  4. 5.12 That the design of the 'Authorised Representative' component of the PCEHR System be reconsidered, with a view to limiting the access of Authorised Representatives of adult consumers (and Authorised Representatives of children in some circumstances) to only viewing the Shared Health Summary and Consumer-Entered Health Summary, rather than all clinical records.

    I agree wholeheartedly with the department in this case, which said that "it is fundamental to the role of the authorised representative that he or she can manage the PCEHR in the same way as the consumer. In the absence of the authorised representative being able to do this, the consumer without capacity would not have a voice in dealings with the PCEHR system". I can think of many people whose technically unsavvy or mentally ill relatives would need them to take care of their records for them.

  5. 5.17 That the PCEHR Bill define 'employee' to explicitly include tertiary healthcare students on placement.

    The definition already included tertiary students, according to the department. Whether these students will actually be provided with access to the system will depend on each individual organisation, the department said. I think that keeping tabs on who can access records is important, and that the focus should be on making sure that organisations are policing their employees' use of the system, whether they are students or not.

    The department agreed with other recommendations about making sure there was guidance for how organisations allow employee access to the system and doing ID checks before enabling access, but said that the legislation wasn't the place to voice these, but rather in terms and conditions for becoming a participant organisation. I'd agree. There are also many references in the Bill to penalties for misuse, with penalties to be civil so it's easier to punish misuse, which was expected to discourage it.

  6. 8.12 That the PCEHR Bill provide the Australian Privacy Commissioner with the power to compel the PCEHR System Operator to exercise its power to disconnect or revoke the access of an individual or organisation.

    The department felt that the Australian Information Commissioner had been given enough powers elsewhere to instruct the system operator. I would hope that such powers wouldn't be necessary. It would have to be a dire situation for them to be needed.

The refused recommendations were:

4.26 That one option for the range of optional consumer notifications (SMS messages or emails) should be to receive a notification if an organisation on their 'Revoke' list changes their HPI-O in some way.

The department didn't think this recommendation was trying to provide what it was hoping for: enabling consumers to exclude particular individuals from accessing their records by seeing, for example, when one health organisation bought another. However, such transactions wouldn't have an effect on the identifier, the department said, so SMS notifications would be useless.

5.29 That the data quality framework for the PCEHR System design should ensure that the only mandatory field for identity/demographic data in relation to clinical records is the consumer's IHI.

The department believed that demographic data would help healthcare providers make sure they're looking at the right record. Given that mistakes do happen and that a manual cross check, if possible, would be a good thing, I agree with them here.

The recommendation under consideration was:

4.10 That Authorised Registration Agents (ARAs) for the PCEHR be encouraged to utilise the national Document Verification Service, instead of recording details of the [evidence of identity] documents presented.

I agree this would be a good idea. Why not use an existing government system to verify documents? I also understand, however, that the department would need time to look into the feasibility of this.

Altogether, the privacy report gives food for thought. I don't think that there's any way that the government is going to meet the deadline of mid this year for implementation of the e-health record, given that the legislation hasn't even passed yet, but this sort of consideration is necessary before we rush ahead.

Which recommendations did you find interesting?

Talkback

Privacy and security are the internet's downside; as hackers become ever more skilled, the internet becomes an open book. Use the internet for personal issues including banking and you're exposed. The internet is not secure and never can be.

GBEGBE January 3rd, 2012

It's absolutely possible to have a secure digital health record that's only accessible on the customer's request. Whilst a physical site may not be 100% secure all of the time, an encrypted health record would not be readable without the owner's permission (at least, with today's technology).

The problem is that some of the major benefits of EHRs are that the health service can use the available data for public health service provision, costing and planning, which can save many million$ in wasted budget.

Anonymising the links between personal identity and this 'publicly available' information is the hard part and is quite difficult to achieve 100% effectively.

IMO, they should start out with the 100% encrypted solution first that's of no use to them without customer permission, then worry about how to liberate the information in a reportable form later.

PachangaPachanga January 4th, 2012

Well - STEP #1 - the website that holds and controls any PCEHR and associated system has to itself be verified!! EVERYTHING flows after that... the PCEHR holder and healthcare professional alike must be confident that they are "in the right place" and that means DNSSEC - as a MANDATORY requirement from the start... particularly as we move towards IPv6 connection over the next few years. I can find no mention of this anywhere - nor of the IPSec vs SSL parameter settings!

caellicaelli January 4th, 2012