Wednesday, October 12, 2011

Draft Submission on the Proposed PCEHR Legislation - Due October 28, 2011

Here is what I have in mind - happy to take comments and thanks for all those on yesterday’s post.

Submission to the Commonwealth Department of Health and Ageing.

Topic: Exposure Draft PCEHR Bill

Date October, 2011
Submissions Due: 28 October, 2011
Address for submissions:
Postal Mail
PCEHR Legislation Issues Feedback
Department of Health and Ageing
GPO Box 9848
Canberra, ACT 2606
Submission Author:
Author’s Background. I am an experienced specialist clinician who has been working in the field of e-Health for over 20 years. I have undertaken major consulting and advisory work for many private and public sector organisations, including both DoHA and NEHTA.
Previous Submissions
I previously provided a Submission on the PCEHR proposal to NHHRC in May, 2009 and the views expressed in that submission remain my position despite the work undertaken by DoHA and NEHTA since.
This submission is available here:
A later submission on the Draft Concept of Operations for the PCEHR from May2011 is found here:
Consent for Publication.
I am more than happy for this submission to be made available for public review on the Department of Health and Ageing website.


As a non-lawyer I am unable to comment on the drafting of the planned Bills but am basing my comments on the Companion to the Exposure Draft Bill - as I am sure this document accurately reflects both the intention and the drafting of the proposed Bill(s).
It is my view that the intent reflected in the Companion document is deeply flawed and will result in failure of the PCEHR System to deliver the outcomes sought by the Government.
In my view there are two major errors of omission and two major errors of commission contained in the present proposals.
Error of Omission Number 1. - The Lack of an Agreed, Consulted and Legislated Framework for the Governance of the PCEHR.
On Page 13 of the Companion: (as reported by Adobe Reader)
"It is intended that the Secretary will fill the role of System Operator initially. Further discussions will be held with the states and territories around possible future options for the long-term governance of national e-health such as an inter-jurisdictional body."
This is a disastrous flaw and will guarantee that simply no one will trust the system. It is vital that a system holding your private health information be at arm’s length from Government and from political interference.
I believe the best way this can be achieved is via an independent Statutory Authority which is responsible to parliament for its activities, reports regularly, is subject to review by Parliament and Senate Estimates, has a formal recurring budget allocation and a properly constituted and accountable board.
Unless this is planned, discussed, legislated and delivered the Government is simply setting itself up for a lack of public confidence and failure.
Error of Omission Number 2. The Failure to Provide a Legislated and Obligatory Breach Reporting Regime.
On page 29 of the Companion to the Exposure Draft we read:
“Certain participants in the PCEHR system must notify certain matters such as data breaches or risk of being in contravention of the Draft Bill with potential civil penalties to apply to those contraventions.
Entities such as the System Operator, a registered repository or registered portal provider have obligations to report matters to the System Operator, or in certain circumstances both the System Operator and the Information Commissioner.
In addition to the notification, the entity must do the following things:
  • contain the contravention and undertake a preliminary analysis;
  • evaluate the associated risks;
  • if the entity is the System Operator – consider notifying the affected consumers;
  • if the entity is not the System Operator – ask the System Operator to consider notifying the affected consumers.
In addition, the entity must take steps to prevent or mitigate the effects of further contraventions, events or circumstances in relation to the unauthorised collection, use or disclosure of health information included in a person’s PCEHR.
A further civil penalty provision in the Draft Bill provides that a registered repository operator or a registered portal operator must not contravene the PCEHR Rules that apply to that operator or portal.”
Can I suggest this is just not good enough. The legislation should make it clear that the release or breach of any personally identifiable information should be notified to the individual concerned and additionally any breach that involves more than 100 individuals should be notified to the public with an analysis of what caused the breach.
Of course, notification is just bolting the door after the horse has gone. The legislation should also make it clear, as it does to some extent, that preventing breaches in the first place is required, and that failing to take reasonable preventative steps is itself an offence.
Proof of the benefit of this approach is that in the US there is compulsion to notify significant breaches. That is, of course, the reason we know how bad it is over there, and why we need the same approach here.
Error of Commission Number 1. A blatant attempt to transfer responsibility for identification of users of the PCEHR from the Government provided security systems to the practitioner or other entity who is accessing the PCEHR.
Page 33 of the Companion: (As reported by Adobe Reader)
“Registered healthcare provider organisations must ensure that individuals accessing PCEHRs on their behalf (i.e. authorised users) provide, at the time of access, sufficient information to identify the individual accessing the PCEHR. This requirement is essential to ensuring a comprehensive audit trail is maintained of access to consumers’ PCEHRs.”
What does this actually mean and how will it work? It seems to mean that the provider organisation needs to retain an audit trail of which user logged on to what system using the organisational certificate. Note that this appears to transfer an obligation to do so from the PCEHR Operator and the PCEHR system back to the healthcare provider organisation.
It is also clear that the approach to providing a user-specific audit trail from provider to the PCEHR system is still pretty much a work in progress (in the absence of NASH actually being defined and implemented), and that, whatever assurances NEHTA and the Minister have given, full audit trails of user access will not be available when the System commences, nor for a good while thereafter if special legislative cover is required.
No provider is going to expose themselves to the substantial penalties proposed for no benefit. This approach will ensure zero practitioner participation once they are advised of the risks by their indemnity insurers.
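To make concrete what the Companion’s requirement implies, here is an added example (my own illustration, not code from the Companion, DoHA, NEHTA or the PCEHR system). It models the two-tier audit trail: the operator side only ever sees the organisational certificate, so the individual user must be asserted by the provider system with each access, and the two sides’ logs must then be reconciled to find accesses one party cannot account for. All record layouts, field names, identifiers and sample log entries are assumptions constructed for illustration, and the refusal rule (no individual identified means no access) is one possible design, not the Bill’s.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed model of a two-tier audit trail. Field names, identifier formats
# and every sample record below are assumptions for illustration only; they are
# not the PCEHR system's, NEHTA's or NASH's actual formats.


@dataclass(frozen=True)
class AccessRequest:
    org_cert_subject: str      # identity bound to the organisational certificate
    user_id: Optional[str]     # individual asserted by the provider system, if any
    record_id: str             # consumer record being accessed
    timestamp: str             # ISO 8601 time, as sent by the provider system


def system_operator_audit(req: AccessRequest) -> Dict[str, str]:
    """Audit record the System Operator can write for one access.

    The certificate proves only which organisation connected, so the individual
    identity has to be supplied with the request. Refusing access when it is
    absent is what makes the trail per-user rather than per-organisation.
    """
    if not req.user_id:
        raise PermissionError(
            f"access to {req.record_id} refused: {req.org_cert_subject} "
            "identified no individual user"
        )
    return {
        "org": req.org_cert_subject,
        "user": req.user_id,
        "record": req.record_id,
        "at": req.timestamp,
    }


def correlation_key(entry: Dict[str, str]) -> Tuple[str, str, str, str]:
    """Key on which a provider-side entry and an operator-side entry are matched."""
    return (entry["org"], entry["user"], entry["record"], entry["at"])


def reconcile(provider_log: List[Dict[str, str]],
              operator_log: List[Dict[str, str]]) -> Dict[str, list]:
    """Cross-check the two trails.

    operator_only: accesses the operator saw that the organisation cannot
      account for (a shared login, or a credential used outside its controls).
    provider_only: accesses the organisation recorded that never reached the
      operator, or reached it without a user id and were refused.
    """
    prov = {correlation_key(e) for e in provider_log}
    oper = {correlation_key(e) for e in operator_log}
    return {
        "operator_only": sorted(oper - prov),
        "provider_only": sorted(prov - oper),
    }


def process_requests(requests: List[AccessRequest]):
    """Run requests through the operator-side check; return logged and refused."""
    logged, refused = [], []
    for req in requests:
        try:
            logged.append(system_operator_audit(req))
        except PermissionError as exc:
            refused.append(str(exc))
    return logged, refused


def sample_run():
    """Constructed scenario: one clean access, one with no user asserted, and
    one the operator logged that the organisation never recorded."""
    org = "CN=Example Clinic"  # constructed certificate subject
    requests = [
        AccessRequest(org, "dr.smith", "REC-0001", "2011-10-12T09:00:00Z"),
        AccessRequest(org, None, "REC-0002", "2011-10-12T09:05:00Z"),  # no user id
    ]
    operator_log, refused = process_requests(requests)
    operator_log.append({"org": org, "user": "locum.x", "record": "REC-0003",
                         "at": "2011-10-12T09:10:00Z"})
    # Provider-side trail: the organisation knows who sat at the terminal for
    # REC-0002 even though its software sent no user id with the request.
    provider_log = [
        {"org": org, "user": "dr.smith", "record": "REC-0001",
         "at": "2011-10-12T09:00:00Z"},
        {"org": org, "user": "nurse.jones", "record": "REC-0002",
         "at": "2011-10-12T09:05:00Z"},
    ]
    return reconcile(provider_log, operator_log), refused


if __name__ == "__main__":
    findings, refusals = sample_run()
    print("refused:", refusals)
    print("reconciliation:", findings)
```

The point the example makes is the one in the text: the operator side cannot identify a person from the certificate alone, so either the provider system asserts and logs the individual with every access, or the audit trail is per-organisation only. Reconciling the two logs is the check a provider organisation (or an indemnity insurer) would want in order to show which accesses it can and cannot account for.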
Error of Commission Number 2. Removal of Both The Commonwealth and All Jurisdictions from Any Accountability and Liability for Harm and Damage Caused by The PCEHR System.
Page 8 of the Companion: (As reported by Adobe Reader)
“Binding of the Crown
The Draft Bill applies to the Commonwealth, states and territories and section 7 of the Draft Bill provides that all jurisdictions will be subject to this law.
While each jurisdiction will be legally bound by the arrangements set out in the Draft Bill, the Crown in right of the Commonwealth, states and territories will not be subject to prosecution and will not be liable for pecuniary penalties.”
So it seems no Government can be sued or prosecuted for any harm or damage resulting from this Legislation and its implementation.
This section clearly does not correctly balance the interests of citizens and government.
There are a number of other minor points where I feel the planned Legislation is in error but correcting the issues cited above would clearly take enormous strides towards some satisfactory and implementable outcomes.
David G More
Date 11.10.2011.
Comments and Suggestions Please!


Anonymous said...

>> "No provided is going to expose themselves to the substantial penalties proposed for no benefit. This approach will ensure just zero practitioner participation once they are advised of the risks by their indemnity insurers."

Second word should be provider... It's a joke that they don't have the audit trail switched on at launch.

Anonymous said...

This is getting beyond a joke. If they want a PCEHR with an audit trail then they provide the PKI infrastructure that enables it. If patient privacy is to be taken seriously then of course government agencies need to be liable for breaches.

Maybe they are finally accepting that they can't get anything right so are trying to silently create an environment where it all becomes unworkable. If the Tax department treats you unfairly then you have some vain hope of action against them. It seems with the PCEHR this is not the case!! Most privacy breaches are within the walls, and we have ample evidence of that from Medicare. In the case of the PCEHR you can take no action!!!

Anonymous said...

"In the case of the PCEHR you can take no action" - yes you can. Don't have one!!!! That's the safest, most secure option.