Tuesday, March 13, 2012

We Have A Way To Go on PCEHR Privacy Plans It Would Seem. In Fact It Seems To Be Going Backwards in Some Ways.

The following document appeared in the FOI Section of the DoHA website a few days ago.
23 February 2012

Preliminary Privacy Impact Assessment (PIA) into the personally controlled electronic health record (PCEHR) system undertaken by Convergence e-Business Solutions.

You can download the document cited from here:
1 document full release.
What is interesting is that the document was written by a former very senior NEHTA staff member, Dr Bridget Bainbridge.
The document was finalised in June 2011 and for some reason is labelled
The key findings are presented on pages 5 and 6 of the report.
The points from the summary and the overall document I noted were:
1. It is clear that having NEHTA doing technical design and DoHA doing policy setting was very unsatisfactory, resulting in a Concept of Operations document which was not really fit for purpose.
2. Actually doing a proper Privacy Assessment requires a much more stable technical and policy environment than presently exists.
3. The lack of a clear governance framework - which still persists - is mentioned often.
4. There is a clear sense that the present legal patchwork covering privacy is just useless - with some areas not being covered and other areas having multiple different laws around the same area at State and Federal level.
5. There is a pretty clear sense that the author of the report does not believe DoHA or NEHTA really have their ‘heads around’ the complexity of what is being proposed.
6. The ConOps was not sufficiently complete to permit assessment of end-to-end and longitudinal privacy impact as there was not enough detail on who would hold and manage just what information.
Sadly, later versions of the ConOps and the PIA still really don’t get to grips with these issues as far as I can see.
The November 2011 attempt at a PIA is to be found here:
I have to say I agree with Dr Bainbridge inasmuch as she is suggesting that the true complexity and risk of the present plan is underestimated. The update from other authors does not seem to have improved things; in fact, some key issues seem not to be followed up at all.
The document is clearly worth a download and careful read. That a later document has been released while the earlier one has needed FOI to be seen suggests this might be one that is quite close to the truth.
Time will tell if this whole PIA program is working or not, I guess.
