Sunday, October 02, 2011

Draft Legislation for the Planned PCEHR - Well Done or Not? It Has A Few Gaps and Kludges To Me!

Just before the two-day ‘Festival of the Boot’ we have had draft enabling legislation for the PCEHR released, along with the submissions made in response to the consultation document.
The announcement is found here:
The web site for the whole process is here:

Exposure Draft PCEHR Bill Released

The Exposure Draft PCEHR Bill 2011 will establish the legislative framework to support the establishment and implementation of a national personally controlled electronic health record (PCEHR) system.
The Exposure Draft PCEHR Bill 2011 (PCEHR Draft Bill) has been developed following feedback and submissions received by the Department of Health and Ageing for the public consultation of the PCEHR System: Legislation Issues Paper along with feedback from the Concept of Operations: Relating to the introduction of a PCEHR system released in final form on 12 September 2011.
The PCEHR Draft Bill supports ‘personal control’ by consumers, enabling individuals to access their own health information and to choose how access by healthcare provider organisations to their PCEHR is managed by the system.
The PCEHR Draft Bill includes provisions relating to participation in the PCEHR system, the circumstances in which PCEHR information can be accessed, obligations on users, penalties for inappropriate use, and functions and responsibilities of the PCEHR System Operator and other regulators.
To assist readers, the PCEHR System: Exposure Draft Legislation – a companion document to the PCEHR Draft Bill – sets out the proposed legislative provisions in plain English, explaining the reasons behind those provisions and describing how they are intended to operate.
.....
The closing date for comments and submissions is 10:00 am Australian Eastern Standard Time, Friday 28 October 2011.
----- End Page.
To me - as a legal novice - by far the most useful document is the one found here:
Here is the Executive Summary:

Executive summary

The personally controlled electronic health record (PCEHR) system is a key element of the Australian Government’s national health reform agenda. The PCEHR system and other health reform programs are designed to improve the delivery of health services and healthcare outcomes for all Australians.
The Department of Health and Ageing is responsible for managing the design and implementation of the system in association with consumers, the National E-Health Transition Authority, states and territories, clinicians, health sector stakeholders and key market partners.
The Exposure Draft Personally Controlled Electronic Health Records Bill 2011 and Exposure Draft Personally Controlled Electronic Health Records (Consequential Amendments) Bill 2011 have been developed to support the implementation and operation of the personally controlled electronic health record (PCEHR) system. The consultation process undertaken for the Draft Concept of Operations—Relating to the introduction of a PCEHR system and the PCEHR System: Legislation Issues Paper informed the development of this legislation.
The Draft Bills set out:
• key definitions and concepts necessary for the legislative framework to operate, including;
− the PCEHR of a consumer, which is constituted by a record assembled by the System Operator from a number of separate data sources accessed through the record; and
− the entities that are participants in the PCEHR system;
• the functions and obligations of the PCEHR System Operator and its advisory committees;
• the registration of consumers, healthcare provider organisations, repository operators, portal operators and contracted service providers. Registration enables them to participate in the PCEHR system. It does so by:
− authorising them to collect, use and disclose PCEHR information in specified circumstances; and
− imposing certain obligations on them to maintain the integrity of the PCEHR system;
• civil penalties for:
− unauthorised collection, by means of the PCEHR system, of information included in a consumer’s PCEHR;
− unauthorised use or disclosure of such information;
− compromising the integrity of the PCEHR system;
• authorisations of various collections, uses and disclosures of PCEHR information;
• that contraventions of the legislation relating to health information included in a consumer’s PCEHR can also be investigated under the Commonwealth Privacy Act 1988;
• general matters, including:
− review of decisions made by the PCEHR System Operator;
− annual reports to be provided by the System Operator and the Information Commissioner;
− review of the legislation; and
− regulations and legislative instruments including the PCEHR Rules.
----- End Extract.
Before discussing my thoughts - while reading I came upon this - on Page 11- where prior consultation is discussed.
March 2011: The Department of Health and Ageing selected nine organisations as part of the second wave of lead sites. The e-health lead sites have been set up to implement and evaluate e-health infrastructure and standards in real life settings. The sites are required to demonstrate tangible benefits and outcomes from e-health projects, to build stakeholder support and momentum behind the system work program, and to provide a meaningful foundation for the PCEHR system’s further enhancement and roll-out. Because the sites will test critical elements of the PCEHR system in real life settings, they will help to ensure that lessons from their experience can be incorporated into the continuing development processes of the PCEHR system. While the first three lead e-health sites are focused on e-health infrastructure and standards around general practice and will allow the important elements of the PCEHR system to be tested in a range of practical settings, the following nine e-health sites will also allow important elements of the PCEHR system to be tested in a range of settings, but with a focus on specific cohorts including people with chronic illness and mothers and newborns.
As far as the section in bold is concerned, all one can say is ‘good luck with that’. I wonder what ‘tangible benefits and outcomes’ actually means and how it will be evaluated?
Back to the Draft Legislation:
Here are a few comments (on the explanatory document):
Page 8: (As reported by Adobe)
“Binding of the Crown
The Draft Bill applies to the Commonwealth, states and territories and section 7 of the Draft Bill provides that all jurisdictions will be subject to this law.
While each jurisdiction will be legally bound by the arrangements set out in the Draft Bill, the Crown in right of the Commonwealth, states and territories will not be subject to prosecution and will not be liable for pecuniary penalties.”
So it seems no Government can be sued or prosecuted for any of this?
Page 13:
"It is intended that the Secretary will fill the role of System Operator initially. Further discussions will be held with the states and territories around possible future options for the long-term governance of national e-health such as an inter-jurisdictional body."
So it is clear they have not yet sorted PCEHR system Governance and that for now Jane Halton will operate the PCEHR system!
It is my view that it is utterly unacceptable to be creating a system to contain a very wide range of private personal information and not have the governance properly laid out and defined before the whole thing starts.
Page 14:
“(the System Operator) In performing these functions and in exercising any powers associated with those functions, the Draft Bill requires that the System Operator must have regard to advice provided to it by the two advisory bodies established by the Draft Bill: the jurisdictional advisory committee and the independent advisory council.
The System Operator is not required to follow the advice of these advisory bodies, however the existence of these bodies provides the System Operator with access to specialist advice in a broad range of areas.
The System Operator and the advisory bodies may, of course, draw on other expert advice as appropriate, such as the Office of the Australian Information Commissioner in relation to privacy matters.”
This makes it clear the advisory committees are just that - advisory!
Page 16:
“This council will have the privileges and immunities of the Crown, which means the council will be immune from prosecution regarding the performance of its duties.
Membership of the council will comprise:
• a Chairperson, to be appointed by the Minister on a part-time basis;
• a Deputy Chair, to be appointed by the Minister on a part-time basis; and
• a minimum of four other members (maximum of seven), to be appointed by the Minister on a part-time basis. In appointing members, the Minister must ensure the members have experience in one or more of the following fields and that all fields are represented on the council:
− provision of healthcare as a medical practitioner;
− provision of healthcare as a healthcare provider (other than a medical practitioner);
− receiving healthcare as a consumer;
− law and/or privacy;
− health informatics and/or information technology relating to healthcare; and
− healthcare administration.
These fields of experience will ensure that detailed advice can be provided by the independent advisory council to the System Operator regarding the operations of the PCEHR system.”
The quality of all this - given that the committee can just be ignored - will depend on who is chosen to fill these slots. We can be sure no one who is at all sceptical of the whole thing will get a call! Of course that is what is needed! At least there is one e-Health expert to be involved!
Page 22:
“Authorised users
By registering, a healthcare provider organisation will be able to authorise persons within the organisation to use the PCEHR system. The organisation may authorise healthcare providers, administrative and other support staff, trainees (including medical students) and contractors as users of the PCEHR system.
The PCEHR Rules with which the organisation must comply will include arrangements for how the organisation must manage the authorisation of such users.”
What this means, as I read it, is that a practice location is authorised and anyone whom that practice then authorises is able to access the system, and that there won’t be individual practitioner and staff credentials - just a system internal to the organisation (see below). With this out goes any real Audit Trail capacity I reckon. We are not registering individual provider organisation users except for those who will upload summaries!
Page 23:
The doctors will just love this...
“• The organisation must not refuse to treat a consumer or otherwise discriminate against the consumer if the consumer does not have a PCEHR or, if the consumer has a PCEHR, the consumer has set particular access control, such as not permitting the treating healthcare provider to access the PCEHR or some information contained in the PCEHR. This goes toward ensuring that participation in the PCEHR system does not affect a consumer’s entitlement to healthcare.”
This is just offensive to my way of thinking - either you can be open with your doctor - or you go and get another one!
Page 24:
“Nominated healthcare providers
A nominated healthcare provider will be responsible for creating and managing a consumer’s shared health summary, and is nominated by the consumer. It is intended that a nominated healthcare provider is involved in the ongoing care of the consumer.
Not all healthcare providers will be eligible to be a nominated healthcare provider. This restriction will ensure the utility of shared health summaries for use by other healthcare providers.
In order to be eligible to be a nominated healthcare provider, a healthcare provider must have an HPI-I (within an organisation that has an HPI-O) and must be a medical practitioner, a registered nurse or an Aboriginal health worker (i.e. Aboriginal and/or Torres Strait Islander health practitioner). The healthcare provider must also agree to be the consumer’s nominated healthcare provider.
Additional types of healthcare providers may be added by the regulations. Only a consumer’s nominated healthcare providers will be permitted to upload the consumer’s shared health summary.”
So you need to quote a HPI-I to upload a summary but anyone can browse who has access to an HPI-O. I wonder where NASH is up to and when it will be active to secure all this - it seems to have gone pretty quiet!
Page 28:
“3.3.5 Division 5—The Register
This Division will provide for the establishment of the Register which will be the responsibility of the System Operator.
The purpose of the Register is to record the information submitted as part of the registration process for consumers, healthcare providers, repository operators, portal operators and contracted service providers. This information will consist of personal information such as names, dates of birth and healthcare identifiers.
This information needs to be retained for use by the System Operator to authenticate PCEHR use and access.”
It seems we are building yet another ID database of personal information for registration details.
It is not clear to me why another one is needed - but I am sure there is a reason.
Page 33:
“Registered healthcare provider organisations must ensure that individuals accessing PCEHRs on their behalf (i.e. authorised users) provide, at the time of access, sufficient information to identify the individual accessing the PCEHR. This requirement is essential to ensuring a comprehensive audit trail is maintained of access to consumers’ PCEHRs.”
What does this actually mean and how will it work? Does it mean the provider organisation needs to retain an audit trail of which user logged on to what system using the organisational certificate? Note this appears to transfer an obligation back from the PCEHR system to the healthcare provider organisation.
The details here need to be spelled out for certainty given there are apparently penalties here!
Overall it seems to me there are two major issues here:
First the Governance Framework for the PCEHR System is being pushed off into the never never. This is really unacceptable.
Second it is clear an approach to providing a user specific audit trail from provider to the PCEHR system is still pretty much a work in progress (in the absence of NASH actually being defined and implemented) - and that the assurances given by NEHTA and the Minister may not be quite there yet!
We will all have to just wait a little longer to see how all this will actually work. That the legislation has penalties for issues arising from the lack of an operational individual authentication system for providers would certainly give many a pause before signing up!
David.

2 comments:

Anonymous said...

Here is another section that will ensure that the PCEHR is not used:

Law enforcement officers can seek access to a record through the department under certain conditions, such as the “prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law” or for the “prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct”. (http://www.itnews.com.au/News/275292,fines-levied-for-e-health-data-breaches.aspx)

This means that a patient would be stupid to allow anything that may be illegal, such as being treated for drug addiction, to appear in their record.

Anonymous said...

What is the public to make of draft legislation that does not:
a. articulate a governance structure that is comprehensive, has the necessary accountability and controls to provide assurance that the PCEHR will be managed in an open, transparent and accountable way;
b. has the PCEHR operator, all Commonwealth and State agencies and their employees, agents and representatives immune from prosecution and any penalties for failure to perform the required services, inappropriate or unauthorised access, misuse of information etc. etc. - where is the accountability?
c. has not addressed the multitude of issues and recommendations from the numerous responses to the draft issues paper

This is further testament to the arrogance and contempt that this Government and DOHA has for the public - this is not a suitable basis to build trust and confidence in the system.

I am sure the Privacy Commissioner and Australian Privacy Foundation amongst others will be most concerned about what has been served up!