Tuesday, June 24, 2014

Opt in or Opt Out - A Discussion From A Privacy Expert.

This article is reprinted from the iappANZ Journal with permission of the Author - Ms Emma Hossack.
You can see the whole May 2014 Issue of Privacy Unbound here:

To Opt in or to Opt Out, THAT is one of the questions for the Personally Controlled Electronic Health Record[1] in Australia

Forgive me if it feels like Groundhog Day.
“EHealth is a complex infrastructure project that requires a fundamental change in consumer and business practice as well as a cultural shift in both professional and consumer behavior…..In such a project, implementation is key. I want to make sure we bring consumers with us in the eHealth journey by adopting an “opt in” model – allowing them to choose when to sign on. I believe that the benefits of giving the Australian public the choice as to whether they participate will be key to the successful implementation. I think moving to an “opt out” position would be a serious mistake.”
The Hon Nicola Roxon MP
Minister for Health and Ageing
Address to the Consumer Health Forum, Canberra. 14 September, 2011.
The above quote was the introduction to a piece published in this Journal in September 2011. That article is useful background to the current one and is reprinted in the current Journal. In essence, this is what happened in the interim:
· The PCEHR Act 2012 (Cth) became law on 26 June 2012.
· The assurance that “…the Government is not going to build a massive data repository. We don’t believe it would deliver any additional benefits to clinicians or patients – and it creates unnecessary risks” (Minister’s own bold type)[2] appears to have been forgotten. A massive data repository has been built.
· The Opt In model was adopted and $50 Million AUD was spent on Medicare Locals to assist them with engaging consumers.[3]
· The Medicare Local Review was released, which impacts on the PCEHR implementation.[4]
· The cost of the PCEHR Project blew out from $467 Million AUD to $1 Billion AUD.[5]
· The lack of consumer and clinician engagement resulted in the current Health Minister stating in Parliament in 2013 that the cost was equivalent to over $100,000.00 for each person enrolled in the system.[6]
· Minister Dutton called for a review of the PCEHR in November 2013.
· The PCEHR Review[7] contained 38 recommendations, including one to convert the opt in system to an opt out system.
· The Clinical Document Architecture, known as CDA, which is used by the PCEHR, has been found to be flawed with security risks.[8]
· The security flaw in the myGov website potentially opened health information held in the PCEHR to malicious attacks.[9]
· The clinicians and consumers have not been given a business case for using the PCEHR and remain confused.[10]
· Clinicians having to renew PCEHR security tokens by fax has been criticised as it is not very efficient or modern.[11]
· It is suggested in the PCEHR Review that the name of the system be changed from the PCEHR to “My Health Record”. This would not normally rate a mention, but the fact that the concept has been given 5 names to date suggests confusion not only about what it is, but what to call it.[12] “What’s in a name? That which we call a rose / By any other name would smell as sweet.”[13] It is unlikely the name change will be the answer to a better system.
When a system works well, and the people who benefit from using it know about it and any risks, then opt out is clearly a good option to maximise the benefits for the community. When a system is not understood and is flawed, converting it into an opt out system is risky and inappropriate. We all know that “The most effective way of controlling information about oneself is not to share it in the first place.”[14] We also all know that most people are naturally lazy, and the statistics for organ donation demonstrate that clearly.[15] However, in health, where sharing of information and co-ordination of that information is critically important for the best outcomes, trust is the foundation. Earning the trust of patients is the difference between empowering individuals with knowledge, and saving or improving lives or not. Sharing clinical information in a privacy compliant way is worth getting right, and informing consumers and respecting their trust are the first steps.
Health information is amongst the most sensitive information, and the complexity and beauty of being able to share that information privately through technology is what changed my career.[16] The benefits when it is done well are compelling;[17] it is also one of the hardest areas to get right. It involves politics (funding issues between states and commonwealth, enabling individuals and doing as much as necessary), technology (a world of architecture and acronyms), ethics, clinical support[18] and patience.[19] Underlying everything that we do in eHealth is the concept of “…abstain from doing harm”.[20] A system which is accessible by a consumer who is not aware of what kind of information the PCEHR holds, or what it means, could result in harm. The sharing of certain sensitive information has resulted in depression, embarrassment and suicide.
Having worked in this area for almost a decade, I am committed to seeing ehealth reform work. This does not simply mean the economic benefits of $AUD7 Billion savings annually which have been suggested.[21] More importantly, there will be better health outcomes and individuals will have more autonomy over their lives and health. The PCEHR Review supports returning to the decentralised architecture for ehealth which has been supported by the National Health and Hospital Reform Commission,[22] which means it supports an ecosystem of different technologies with dedicated purposes which are interconnected.
Once the eHealth ecosystems are working and Australians are fully educated about the pros and cons of the system, Opt Out would be justifiable. Getting more “numbers” in the system will not change the fact that the current PCEHR is not achieving its goals. Merely counting registrants is not a meaningful measure. We need meaningful use that provides clinicians, patients and all Australians with benefits. Adding empty numbers to a system to make it better is like changing its name – lipstick on a pig. It’s too soon for Opt out.
Emma Hossack
President iappANZ
CEO Extensia
Vice president of the Medical Software Industry Association
Many thanks to Emma for a useful article!

[1] The Personally Controlled Electronic Health Record is an initiative of what was known as the Department of Health & Ageing in 2010. It was a part of the then Government’s eHealth reform and was allocated a spend of $467 Million.

[2] The Hon. Nicola Roxon, MP, Minister for Health and Ageing – November 30 2010, opening address to the e-health Conference, “Revolutionising Australia’s Health Care”, Melbourne.
[12] Originally in 2009 the National Electronic Health Transition Authority called it the Shared Electronic Health Record “SEHR”, then the Individual Electronic Health Record “IEHR”, then the “PCEHR”, then the previous Government suggested the National Electronic Health Record System “NEHRS” and now we see the fifth suggestion.
[13] Romeo & Juliet, Shakespeare Act 2, Scene 2.
[14] A. Michael Froomkin, “The Death of Privacy” Vol 52: 1461 May 2001] 1462. 1463
[15] Cass Sunstein, Nudge
[16] The inherent conflict led me to postgraduate work in privacy and ownership of shared electronic health records. I subsequently retired from legal practice and became CEO of Extensia, a shared electronic health record company.
[17] 26% reduction of avoidable admissions to hospital in just one trial: Part 2, Pg. 103, Tables 32 & 33: The National Evaluation of the Second Round of Coordinated Care Trials – Final Report, Commonwealth of Australia 2007

[19] A ten year journey according to The Deloitte eHealth Strategy 2008 http://www.health.gov.au/internet/main/publishing.nsf/Content/National+Ehealth+Strategy
Endorsed by the National Health and Hospital Reform Commission 2009 http://www.health.gov.au/internet/nhhrc/publishing.nsf/content/nhhrc-report

[20] Hippocratic oath
[21] PCEHR Review at p.9 Booz & Co
[22] See recommendation 123 http://www.health.gov.au/internet/nhhrc/publishing.nsf/content/nhhrc-report and PCEHR Review recommendation #31.


Mayan said...

History shows that it will be used to build a central database which will be linked to other databases and, most likely, be subject to mission creep. Quite why anyone would expect anything else from a government is beyond me.

Grahame Grieve said...

"The Clinical Document Architecture, known as CDA which is used by the PCEHR has been found to be flawed with security risks"

Hi David. The reference given for this was my Pulse IT article. In that article, I do describe some implementation issues with CDA, both some inherent to CDA itself, and some associated with the adoption process.

But I do not think that "is flawed with security risks" is a fair summary of what I wrote (for a start, my article doesn't mention security risks at all).

Anonymous said...

As Emma says, getting more "numbers" in the PCEHR is not useful at present. In fact this is one of the problems with the public perception. All they see is the number of people registered. The Department keeps pushing these figures to show their success.

This is the wrong figure to show the success of the PCEHR. A better statistic would be the number of records accessed by various classes of providers, such as GPs and Emergency Departments. Even better would be some evidence based studies on the effectiveness of the PCEHR.

IMHO the public and the parliament are being fed unimportant statistics on the PCEHR deliberately by the Department in order to keep the program funded.

Anonymous said...

Dead right!

Now who and their dog are going to stop the department from committing and perpetuating this fraud on the Australian "NET" Taxpayer?

Our present system of crony democracy is desperately failing us miserably...