Friday, July 22, 2011

The Privacy Commissioner Reviews The PCEHR ConOps. Wants A Few Changes.

We have had a submission on the PCEHR ConOps provided by the Privacy Commissioner.

Draft Concept of Operations: Relating to the introduction of a personally controlled electronic health record (PCEHR) system

Submission to the Department of Health and Ageing

June 2011

Submission by Timothy Pilgrim, Australian Privacy Commissioner

The full submission is found here:

Here is the Executive Summary.

Executive summary

  • i. The Office of the Australian Information Commissioner (OAIC) welcomes the opportunity to comment on the Draft Concept of Operations: relating to the introduction of a personally controlled electronic health record (draft Concept of Operations).
  • ii. Gaining community confidence and trust in the PCEHR System (the System) is essential to its success. While individuals may welcome the potential benefits of shared electronic health records, they may be hesitant to participate if key privacy protections are lacking or are not apparent. As the office has previously stated, the assurance that privacy is protected will be fundamental to the overall success of any electronic health record system.[3]
  • iii. The OAIC recognises that the successful implementation of the System (the System) has the potential to greatly enhance the provision of healthcare to individuals. The model proposed will potentially involve the drawing together of health records from a variety of sources, in a way not previously possible. While this consolidation of information has considerable benefits from a healthcare perspective, the PCEHR’s capacity to allow access by many healthcare providers to a large quantity of sensitive personal information involves privacy risks. Overall, the office is supportive of the System, provided that it offers individuals appropriate control over the handling of their personal information, and employs a robust information handling and legislative governance framework.
  • iv. In the OAIC’s view, personal control will be central to the success of the PCEHR and key to community participation of the System. Providing choice and control to individuals about how their personal information is handled is a fundamental aspect of good privacy practice. The decision to implement the PCEHR on an express consent approach (an ‘opt-in’ model) offers important privacy benefits.
  • v. The draft Concept of Operations demonstrates that privacy has been an important consideration in the development of the PCEHR model. Privacy issues have generally been clearly identified in the draft Concept of Operations, and some good strategies for addressing those issues have been proposed. However, in a number of areas, the details of some of the privacy-enhancing measures remain unclear. In other areas further consideration and exploration is required.
  • vi. The recommendations in this submission focus on a number of issues the office considers would benefit from further consideration:
    • ensuring that the PCEHR realises, as far as possible, the aim of being genuinely ‘personally controlled’
    • the importance of educating individuals and healthcare providers about the operation of the System
    • the need for the ‘terms and conditions’ of participation for individuals to provide clear notice of the ways in which personal information will be handled by the System
    • the importance of educating healthcare providers and other users about compliance obligations
    • issues raised by the involvement of contracted service providers
    • data security issues raised by the proposed PCEHR model
    • the need for information about enabling legislation and the governance framework.
  • vii. As more detail of the PCEHR model is made available, the OAIC would welcome the opportunity to provide further input, subject to the availability of resources.

Here is the Table of Contents.

  • Executive summary
  • Comments on the draft Concept of Operations
  • Section 2 of the draft Concept of Operations: Introduction
    • Secondary uses
  • Section 3 of the draft Concept of Operations: Participation
    • Opt-in model
    • Informed consent and notice
    • Access to personal information
    • Nominated representatives
    • Healthcare provider participation
    • Contracted service providers, conformant portal and conformant repository providers
    • Education and Training
  • Section 4 of the draft Concept of Operations: Managing PCEHR information
    • Data quality
    • Data retention
  • Section 5 of the draft Concept of Operations: Privacy and security
    • Privacy Impact Assessments (PIAs)
    • Data security
    • Offshore data storage
    • Access controls
    • Audit trails
    • Automatic uploads
    • Automatic downloads
  • Section 7 of the draft Concept of Operations: Operating model
    • Complaint Handling
    • Desirable features of a governance model
  • Section 8 of the draft Concept of Operations: Implementation
  • Section 9 of the draft Concept of Operations: Outcomes evaluation

Of the recommendations, the ones I see as most interesting are the following:

Conformant repositories

Recommendation 3.4

The OAIC suggests that the data security implications of the use of conformant repositories and other contracted service providers could be further considered in light of the concerns regarding the current ability of cloud solutions to deliver adequate privacy protections.

(see paras 47-51)

Comment: A bit of a ‘can of worms’ I suspect.

Healthcare provider rights and responsibilities

Recommendation 3.5

The OAIC recommends that healthcare provider ‘rights and responsibilities’ should:

  • contain clear accuracy, access and security obligations
  • be accepted by healthcare providers as a condition of participation in the System (this requirement could be included in legislation).

(see paras 44-45)

Comment: This will put a lot of providers offside unless the consumer has similar requirements to be careful about security etc.

National Privacy Principle 3 (NPP 3) – Data quality

Recommendation 4.1

The OAIC suggests that the governance framework should require healthcare providers to comply with the requirements of NPP 3:

  • to ensure System records are accurate, complete and up-to-date
  • a protocol should be created to notify any parties who have viewed inaccurate data to ensure they are aware it was erroneous.

(see paras 57-61)

Comment: This will be contentious as ‘personal control’ would seem to imply personal responsibility and not provider responsibility alone (there needs to be a shared accountability).

Data breach notification

Recommendation 4.4

To ensure data breaches are managed appropriately and the associated risks are minimised, the OAIC recommends that the governance framework make reference to the data breach notification methodology set out in the OAIC’s Guide to handling personal information security breaches[1] (subject to any legislative reform arising from the Australian Law Reform Commission’s review of privacy). (see para 61)

Comment: This is important and needs to be part of any governance structure.

‘Particularly sensitive data’

Recommendation 5.4

The office suggests that the following points relating to ‘particularly sensitive data’ would benefit from further clarification:

  • the definition of this term
  • the process for assessing the sensitivity of data
  • the nature of the stronger e-Authentication requirements that will apply in relation to this information.

(see paras 89-90)

Comment: This looks to open another ‘can of worms’ with complexity.

Upload of clinical documents

Recommendation 5.14

To enable the upload of clinical documents to occur in a way that is acceptable to individuals, the OAIC suggests that:

  • guidance for healthcare providers about what information may be inappropriate for upload to the PCEHR should be developed
  • the obligation on healthcare providers to consider and advise individuals about what information may be suitable for upload could be strengthened by inclusion in the healthcare provider ‘rights and responsibilities’
  • the possibility of enabling individuals to limit permission for the upload of documents to the PCEHR, for example by provider or episode of care, should be considered.

(see paras 114-119)

Access and download of information from the PCEHR

Recommendation 5.15

The OAIC suggests that the requirement for PCEHR users to download only information that is required to support the delivery of an individual’s care, or to ensure that medico-legal integrity requirements are addressed, should be included in healthcare provider ‘rights and responsibilities’ and legislation.

(see paras 120-121)

Comment: I suspect this will really stretch the governance mechanisms - which should already be in place.
Recommendation 7.1

The OAIC suggests that details of the proposed governance model and regulatory arrangements should be made available for public comment as soon as possible.

(see paras 122-123)

Comment: What a good idea!

All in all, what one is left with is the sense that we presently have a technically driven project which lacks the appropriate governance and consultation activities, and which seems to imagine that all sorts of extra obligations will be able to be legislated and placed on providers with no resistance or ‘pushback’. Take it from me, that simply won’t happen!

The consultation to get the right balance of rights and responsibilities should have started years ago - and that it really hasn’t will cause major issues and delay, I believe.

I reckon those who won the ‘PCEHR Change and Adoption’ tender are going to be looking for extra funds real soon now!

That the Privacy Commissioner also writes the following I find amazing and alarming:

  • “20. The OAIC’s ability to comment fully on the privacy protections offered by the System design described in the draft Concept of Operations has been constrained by the level of detail currently available regarding the governance arrangements and the regulatory framework. The office notes that the technical design of the system, as set out in the draft Concept of Operations, is only one aspect of a comprehensive approach to privacy. The protections provided by legislation and governance play an equally important role.
  • 21. The OAIC would welcome the opportunity to have further input into the development of the PCEHR System. Throughout this submission, the office has flagged its willingness to engage further on particular issues. However, the OAIC notes that its ability to engage further may be constrained by budgetary considerations.
  • 22. The OAIC recognises that the PCEHR is a major initiative with significant privacy implications. The Office seeks to provide high quality input on all aspects of its development. However, the OAIC is a small agency with responsibility for providing advice and guidance on privacy, FOI and government information management issues to Australian Government agencies, private sector organisations and individuals. In the absence of dedicated resourcing, the OAIC’s ability to engage intensively on large initiatives such as the PCEHR, while meeting its other obligations, may be limited.”

Maybe the resourcing issue should be addressed by NEHTA / DoHA with some urgency. A mess will likely eventuate if that is not done!

Oliver Frank said...

"The OAIC suggests that the requirement for PCEHR users to download only information that is required to support the delivery of an individual’s care".

This sounds good in principle, but how will health professionals be able to know before downloading and reading each piece of information whether they needed to know it in order to care for the patient?

Dr David More MB, PhD, FACHI said...

Like so much else in all this, the absence of proper piloting and testing before a mad rush to national implementation (under pressure from a desperate politician) is throwing up all sorts of unresolved silliness and nonsense.

Just awful.