Wednesday, March 21, 2012

PCEHR Regulations and Rules Released - Not Actually - Just A Statement of Intent And Some Considerable Silliness.

I was alerted to this release today.

PCEHR System Regulations and Rules

The PCEHR System: Proposals for Regulations and Rules describes the proposed regulations and rules which will be put in place to support the national personally controlled electronic health record (PCEHR) system and the legislation which is currently before Parliament. The Personally Controlled Electronic Health Records Bill 2011 (PCEHR Bill) and Personally Controlled Electronic Health Records (Consequential Amendments) Bill 2011 (Consequential Bill) were introduced into the Parliament on Wednesday 23 November 2011.
The paper has been developed by the Commonwealth in consultation with a working group of representatives from Commonwealth, state and territory health departments. It takes account of feedback and submissions received by the Department of Health and Ageing during the public consultation processes for the PCEHR system.
The PCEHR System: Proposals for Regulations and Rules describes the provisions that are proposed to be included in the regulations and rules, explains the reasons behind those proposals and describes how they are intended to operate.
The paper is intended to promote discussion within the community about how well the proposed regulations and rules would operate in conjunction with the PCEHR Bill and Consequential Bill, and support the PCEHR system.
Have your say on the PCEHR System: Proposals for Regulations and Rules via the web submissions form below or email your submission to ehealth.legislation@health.gov.au. Alternatively, you can send your submission to us via the postal address supplied on this page.
Submissions will be made public. Submissions that are intended to remain confidential should be clearly marked as such and submitters should be aware that confidential submissions may still be subject to access under Freedom of Information law.
The closing date for comments and submissions is 5 pm (Australian Eastern Standard Time), Wednesday 11 April 2012.
This page is found here:
Here is a direct link to the download file:
Having had a browse, a few things struck me.
First, the draft regulations are not provided. A description of the intent of the rules and regulations is all we get.
Second, the governance framework is still utterly pathetic and, amazingly, the discussion (on Page 18) seems to suggest only one Health IT expert will be on the Independent Advisory Council. Even worse, in addition there is another separate Council just for the States and Territories. Surely just one or two reps on the Advisory Council is all that is needed?
Third, the arcane and complex access rules seem set to be implemented regardless, despite needing something close to a PhD to understand, and the Provider Access Control Code (PACC), which is a code and PIN, will be able to lock a record away from view. Surely it is simpler just not to upload material the consumer sees as so sensitive. (Pages 20 to 26 really make my head hurt!)
Fourth, user identification is based largely on having a verified IHI. Just how that is secured and protected against misuse etc. is not clear (Page 26).
Here is what a verified IHI means:
A verified IHI is a healthcare identifier in relation to which the HI Service Operator (Medicare) has evidence of an individual’s identity. This evidence may come from being a “known customer” of Medicare or the Department of Veterans’ Affairs or from the individual providing evidence of identity such as a passport, birth certificate or driver’s licence to the HI Service Operator. Unverified IHIs are healthcare identifiers that have been created at a healthcare facility where the individual has not yet provided evidence of identity to the HI Service Operator.
Fifth (on Page 27), we have participation requirements. It is here where the colour will drain from the faces of practice managers and their bosses when they see what IT and security responsibilities they have been given.
-----

Proposed arrangements

Risk mitigation
It is proposed that the rules will require that healthcare provider organisations, in order to be eligible to register, must develop, maintain, enforce and communicate to their staff, policies and procedures relevant to their access to the PCEHR system.
The matters that must be addressed by these policies and procedures will include:
  • the manner of authorising persons within the organisation to access the PCEHR system, including the manner of suspending and deactivating the account of any authorised person who leaves the organisation, no longer provides a service to the organisation or whose security has been compromised;
  • the training that will be provided to persons before they become authorised users, ensuring they have adequate training on how to use the system accurately and responsibly and are informed of their legal obligations;
  • the process for identifying a person authorised to access the system and providing identification information to the System Operator, ensuring the organisation is capable of satisfying clause 74 of the PCEHR Bill;
  • the protection and security of IT equipment and related resources from unauthorised access;
  • the use of physical and system access controls, such as user identification, passwords and digital certificates, to ensure the person accessing the PCEHR system is known and authorised by the organisation; and
  • mitigation strategies to ensure risks can be identified and acted upon expeditiously.
The organisation must review these policies and procedures on a regular basis to ensure their effectiveness and to identify any new or changing risks. Such reviews must include consideration of factors which might result in:
  • any access to the PCEHR system by unauthorised persons;
  • any misuse or inappropriate disclosure of information contained within a consumer’s PCEHR by authorised persons; and
  • any accidental disclosure of information contained within a consumer’s PCEHR.
In addition, reviews will need to consider any changes to technical specifications and regulatory requirements that have occurred since the previous review.
The policies and procedures must:
  • be in writing and contain sufficient detail to make it clear how the organisation will meet its PCEHR-related obligations;
  • record each iteration resulting from a review;
  • be accessible to employees of the organisation and form part of employees’ training;
  • be auditable in terms of whether the organisation has complied with its policies and procedures; and
  • be provided to the System Operator upon request.
Access control
Particular to the organisation’s access to the PCEHR system, the organisation must implement access and account management practices that ensure all authorised users’ accounts accessing the PCEHR system employ good information security access management practices, including:
  • restricting access to those persons who require access as part of their work function;
  • uniquely identifying individuals within the organisation’s computer system, and having that unique identity protected by a password or equivalent protection mechanism;
  • following good password and access management practices, for example, a minimum length of seven alphanumeric characters for passwords and changing passwords every 60 days;
  • deactivating user accounts for persons no longer authorised (such as if their duties no longer require access to the PCEHR system or where persons are no longer employed by the organisation); and
  • suspending a user account as soon as practicable after becoming aware that the person’s unique identity or password has been compromised.
Consider: Does this proposal, in conjunction with the privacy and security provisions of the PCEHR Bill, adequately support the protection of sensitive health information within the PCEHR system? Does this proposal pose practical difficulties for healthcare provider organisations or their staff? Are there other areas that you consider must be addressed?
-----
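The five access-control bullet points above can be turned into a checklist a practice could actually run against its own user directory, which is one way to see how much of the burden is routine and how much (for example, deciding who declares a compromise) the paper leaves open. What follows is an added example written for this post; it is not code from the government paper or from the PCEHR project. The account record layout, the sample accounts and the reading of "seven alphanumeric characters" as "letters and digits, at least one of each" are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Thresholds quoted in the proposal's "Access control" section.
PASSWORD_MIN_LENGTH = 7
PASSWORD_MAX_AGE_DAYS = 60


@dataclass
class Account:
    """One login in the practice's system (hypothetical record layout)."""
    user_id: str                  # the unique identity the proposal requires
    role: str
    needs_pcehr_access: bool      # does the work function require PCEHR access?
    employed: bool                # still employed by / providing a service to the organisation
    active: bool                  # account currently enabled
    password_set_on: date         # date of the last password change
    compromise_reported_on: Optional[date] = None
    suspended: bool = False


def password_meets_policy(password: str) -> bool:
    """Set-time check for the proposal's example rule of at least seven
    alphanumeric characters. Requiring both letters and digits is this
    example's interpretation, not wording from the paper."""
    return (
        len(password) >= PASSWORD_MIN_LENGTH
        and password.isalnum()
        and any(c.isalpha() for c in password)
        and any(c.isdigit() for c in password)
    )


def audit_accounts(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Return (user_id, finding) pairs for every breach of the five bullet points."""
    findings: List[Tuple[str, str]] = []
    seen = set()
    for a in accounts:
        # Individuals must be uniquely identified within the organisation's system.
        if a.user_id in seen:
            findings.append((a.user_id, "duplicate identity: individuals must be uniquely identified"))
            continue
        seen.add(a.user_id)
        # Access restricted to those whose work function needs it; deactivate leavers.
        if a.active and not a.employed:
            findings.append((a.user_id, "active account for a person no longer employed: deactivate"))
        elif a.active and not a.needs_pcehr_access:
            findings.append((a.user_id, "work function does not require PCEHR access: deactivate"))
        # Password rotation every 60 days, checked on enabled accounts only.
        if a.active and (today - a.password_set_on).days > PASSWORD_MAX_AGE_DAYS:
            findings.append((a.user_id, "password older than %d days: force change" % PASSWORD_MAX_AGE_DAYS))
        # Suspend as soon as practicable after a reported compromise.
        if a.compromise_reported_on is not None and not a.suspended:
            days = (today - a.compromise_reported_on).days
            findings.append((a.user_id, "compromise reported %d day(s) ago but account not suspended" % days))
    return findings


# Constructed sample directory for a small practice (not real data).
SAMPLE_ACCOUNTS = [
    Account("jsmith", "GP", True, True, True, date(2012, 3, 1)),
    Account("mlee", "Reception", True, False, True, date(2012, 2, 1)),          # left the practice
    Account("akhan", "Accounts clerk", False, True, True, date(2012, 4, 1)),    # no clinical need
    Account("rjones", "Practice nurse", True, True, True, date(2012, 1, 15),
            compromise_reported_on=date(2012, 4, 10)),                         # reported, not suspended
    Account("jsmith", "Locum GP", True, True, True, date(2012, 4, 5)),          # same user_id reused
]
SAMPLE_DATE = date(2012, 4, 11)


def run_sample() -> List[Tuple[str, str]]:
    """Audit the constructed directory as at the consultation closing date."""
    return audit_accounts(SAMPLE_ACCOUNTS, SAMPLE_DATE)


if __name__ == "__main__":
    for user_id, finding in run_sample():
        print("%-8s %s" % (user_id, finding))
```

Run as written, the audit flags the departed receptionist twice (still enabled, stale password), the clerk once, the nurse twice (stale password, and a compromise reported yesterday with no suspension), and the reused login once. Note what the script cannot decide: who counts as having "become aware" of a compromise, and who reinstates the nurse's account afterwards. Those are the procedural gaps the paper asks practices to write policy for.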
Can’t you see providers rushing to take all this on for no compensation or incentive? I can’t.
They will get knocked down in the rush I am sure with people wanting to sign up.
Such silliness and impracticality.
David.

2 comments:

Paul Fitzgerald said...

re the Security/Privacy stipulations for Practices - add this to the draconian OH&S regimen, all the other MBS and "business" stuff that has to be done, and when exactly do the staff and clinicians actually see patients and do what they trained for? Beggars belief that Government stands up and says they will reduce red tape, and they do this!

B said...

Take just one bullet point (the last one)

suspending a user account as soon as practicable after becoming aware that the person’s unique identity or password has been compromised.

Questions: What does "becoming aware" mean? Who in the organisation has authority to suspend a user account?

Questions: What happens when a user account is suspended? How does it get re-instated? What are the conditions for re-instating it?

Question: Who will resolve disputes regarding account suspension?

Question: What happens if health care is negatively impacted because the user account has been suspended, either correctly or incorrectly?

The Con-op and its Addendum do not seem to address this issue at all. Three months out from the system going live!!!

Do we really think the requirements are stable yet?

Do we remember that unstable requirements usually lead to project failure?

And that's only for one bullet point.