Tuesday, February 19, 2013

AusHealthIT Poll Number 155 – Results – 19th February, 2013.

The question was:

How Seriously Should NEHTA and DoHA Take The Patent Claims From MMR Global?

Very Seriously 63% (36)
Slightly Seriously 7% (4)
Not Really Seriously 12% (7)
Should Just Ignore 11% (6)
I Don't Understand The Question 2% (1)
I Have No Idea 5% (3)
Total votes: 57
Very interesting. Looks like a good majority think this is actually serious!
Again, many thanks to those that voted!


Bernard Robertson-Dunn said...

I don't know about the patent issue, but maybe they should be looking a bit more closely at the legislation.

I’ve been told that the Rules need to be read in conjunction with the Personally Controlled Electronic Health Records Act 2012 (PCEHR Act).

The term ‘authorised user’ is not used or defined in the PCEHR Act. The PCEHR Act uses the term ‘participant in the PCEHR system’ in the provisions relating to authorised collection, use and disclosure.

Section 5 of the PCEHR Act says:

Participant in the PCEHR system means any of the following:
(a) the System Operator;
(b) a registered healthcare provider organisation;
(c) the operator of the National Repositories Service;
(d) a registered repository operator;
(e) a registered portal operator;
(f) a registered contracted service provider, so far as the contracted service provider provides services to a registered healthcare provider.

That’s strange. The consumer and/or their authorised representative are not “participants” in the PCEHR system.

So what part does a consumer play in the PCEHR, according to the Act and the Rules?

The consumer is supposed to be able to control their eHealth record but it would seem that the legislation does not consider them as a participant.

I wonder what the legal consequences of all this are? Are only "participants" allowed to access the system?

Maybe all those consumers who have registered have broken the law. Maybe the System Operator has broken the law by providing access to consumers.

I’ll keep digging and let you know what I find.

Anonymous said...

NEHTA contacts US firm over patent breach allegations- Talks are on!!

Anonymous said...

The new poll needs the option for "Not the whole truth because it's limited to what they have been told"
--- Tim C

Anonymous said...

"The new poll needs the option for "Not the whole truth because it's limited to what they have been told""

I think they are smarter than that. There is a vested interest by those who are reporting against the targets to make themselves look good. Otherwise they will be seen to have failed, and they might get the heave-ho. They can say things like "we have so many records already loaded", but not qualify that these are merely the Medicare and PBS records that already exist.
Their underlings may be telling them the truth - (things are not going well!) but they will sack those truth sayers, and promote the spin doctors instead.
What are some really useful measures of how the PCEHR is progressing?
Yes it is useful to know the numbers of consumers and providers who are registered, but that doesn't tell us whether the system is being used effectively - just that providers are being incentivised to register themselves and their patients. More useful to know if and how the records are being used. E.g. how many aged care residents who are taken to the ED will have a record which is accessed in the ED, and then perhaps again when the patient returns to the facility and is visited by the GP? Perhaps they could even have an online survey for consumers to provide feedback about the system anonymously. These things may come in time as the system gains some traction and things like discharge summaries are available.

Bernard Robertson-Dunn said...

I’m looking at the legislation again. The Act specifies an Audit Service involving "flows of information". There is no mention of an Audit log or trail.

In the ConOp (September 2011 version) section 5.1 it says:

The PCEHR System will provide an audit service to record all activity on the National eHealth infrastructure services and PCEHR-conformant repositories.

The audit service will identify who has accessed the services, what they accessed, when they accessed it and what authorisation they obtained in order to access it.

In other words an access log.

Looking at the Act, Section 15, Functions of the System Operator says:

The System Operator has the following functions:
(g) to establish and maintain an audit service that records activity in respect of information in relation to the PCEHR system;
(h) without limiting paragraph (g)—to establish and maintain mechanisms:
(i) that enable each registered consumer to obtain electronic access to a summary of the flows of information in relation to his or her PCEHR; and
(ii) that enable each registered consumer to obtain a complete record of the flows of information in relation to his or her PCEHR, on application to the System Operator;

IMHO, an access log or trail is not a description of the flow of information. The Act does not specify what "flow of information" means, but I don't think a flow of information is a log of access.

The access log, as currently implemented, shows a single time when access to the eHealth record is obtained (defined in ConOp Sept 2011). It doesn't show when access is completed. It would be interesting to know what constitutes end of access. The user goes to a new record? The user closes the browser tab? The user closes the browser? AFAIK, these details have never been disclosed.

Even if it is claimed that the PCEHR access log complies with the requirement for a summary, there is no facility to request a complete record. If they claim that a consumer can send an email requesting one, then I'd like to know the authentication procedure and how they would get the complete record back to the consumer.

And I don't think that the difference between a summary and a full record is the date range.

I understand that the data in the audit log has changed since the July 1 launch. It seems to contain more information now than was specified in the ConOp of September 11. Are they trying to fill the gaps left in the original implementation? Are they consulting with any external groups to get this sorted? Are they working to requirements identified before July 1 2012, but never implemented? If the requirements have not been written down and agreed, then how will they know they have met the requirements? Or do they intend to just keep going until the complaints stop coming? Or the project gets put out of everyone's misery.

If I am right, then the system as has been implemented does not comply with the PCEHR Act. And it does not comply in the area most critical to giving the consumer confidence that their health information is being properly managed and protected.

Is my interpretation of the Act and my assessment of what has actually been implemented in the PCEHR correct? I suggest that there is a prima facie case that the PCEHR, as implemented, does not meet the requirements of the Act.

Assuming I'm correct, at a minimum I suggest a) the Act and the reality of the system and its documentation need to be more closely aligned and b) there needs to be a mechanism to provide consumers with "a complete record of the flows of information in relation to his or her PCEHR". Just like it says in the Act.

Maybe they should shut it down until the system complies with the Act. What with the consumer not being a participant and the Audit Service being at best unsatisfactory, at worst not legal, there's a few holes that need filling.

Bernard Robertson-Dunn said...

Reading the legislation again.

Re The Consumer not being a “Participant”

The Act differentiates between a) the consumer and b) the people associated with operating the system and who provide and need health information for health care.

Consumer: means an individual who has received, receives or may receive healthcare.

A “Participant” in the taxonomy of the legislation is just a list of entities. It doesn’t mean participant in the everyday sense, i.e. anyone who participates. In the Act it is a named subset.

It would have been so much simpler to have had an Entity Relationship Diagram in the Concept of Operations. This would have specified (from an information perspective) the Subjects in the PCEHR and their relationships to each other. As it is, I’m having to reverse engineer the PCEHR data model from legal documents and an incomplete Concept of Operations and am sometimes getting it wrong – my apologies.

So, the Act appears to refer to a data model that has Consumers on one side and “Participants” on the other. So, a Consumer participates in the PCEHR, they apply for registration (the system operator can, under certain circumstances, refuse to register them), they can set (some) access controls, can upload “consumer-only notes”, can read an Audit Log and they can look at their eHealth record. The eHealth record contains information about consumers.

“Participants” is a subset of participants who inter alia are “authorised to collect, use and disclose information”, although there are restrictions on these things. It is also more than health information; it is also identifying information.

There is still, however, a lack of definition of "authorised user". I can't work out if there is such a concept in the system and/or what that might be.

Any Information System should really have an Entity-Relationship-Diagram and a Data Flow Diagram that specifies the information in the system and its behaviour. I hope the PCEHR has them and wonder why high level versions of them were not included in the ConOp.

It’s interesting that nobody has pointed out where I got this “Participant” thing wrong. Is that because nobody at NEHTA/DoHA realised that I’d got it wrong? Have NEHTA/DoHA put a ban on employees commenting on this blog?

Anonymous said...

"It’s interesting that nobody has pointed out where I got this “Participant” thing wrong. Is that because nobody at NEHTA/DoHA realised that I’d got it wrong? Have NEHTA/DoHA put a ban on employees commenting on this blog?"
Bernard -
That is probably because:
The whole access/registration thing is so very complex.
And probably no-one at NEHTA/DoHA understands or has read all the key documents (the Conops, the legislation, the design documents and the actual system as delivered – which in actual fact is still being delivered because the most important components such as the GP/Hospital system interfaces were still being specified after the legislation and are yet to be properly implemented).
Or if they have read all of these things, they will be aware of the holes and don't want them highlighted. Don't forget that the Conops was superseded by the Design (which was not public), and much of the staged delivery of the design is being done in ‘agile’ fashion, after the legislation was already in place for 1 July.
Sadly, no one sees the value of data models now, and DoHA probably don't even know what one is. Agree this would have been an excellent tool to get the concept, the legislation and the design aligned.
Add to the whole issue the fact that the solution was COTS, with a clump of development hastily added to handle the complex registration of consumers and providers. And there was the re-use of already built 'foundation' components such as the Australia.gov and HI Service. These were all tweaked and are probably still being tweaked to fit.
It is no wonder we are all as confused as they are. It will be a miracle if it all works when they switch it all on together and clinical documents are being loaded and accessed and updated by providers.
But of course they will have done extensive end to end testing to make sure it all works ;)

Anonymous said...

"Have NEHTA/DoHA put a ban on employees commenting on this blog?"

No. All employees are prohibited from commenting on *any* blog as part of their contract, let alone this one. As are the employees of many other companies. It's hardly an unusual policy, though I don't think it's a productive one.

Dr David More MB PhD FACHI said...

However, they do anyway as Anon. A key reason I allow the option.