Sunday, December 10, 2006

Sometimes It’s Vital to Just Opt-Out!

Underneath the calm exterior of the NSW Healthelink project, it appears there is a little policy anxiety and confusion.

Prior to the trial commencing, a Privacy Policy was published dated March 17 2006. As regular readers will be aware, the policy was based on automatic opt-in and capture of clinical information, with notification to each patient that they had thirty days to ‘opt-out’ before any information held on the Healthelink database would become available to all registered healthcare providers.

Regular readers will also be aware that, although there is an audit trail to record access to records, once any provider has access to Healthelink they can search for and locate any patient for whom the most basic identifying information is known (e.g. surname and approximate age).

The only patient control available is essentially to opt-out of the entire system.

We now find, seven months later, that the Privacy Policy has been updated. The new document is dated October 22, 2006.

Two things appear different.

First, the residential postcodes 2170 (around Liverpool) and 2560 (around Campbelltown) have been excluded from the paediatric trial. It’s hard to know what motivated these changes – unless maybe these areas lacked co-operating GPs.

Secondly, the following has been added to the Privacy Policy:

“2.3 Information specific laws and policies

All personal health information is generally considered to be sensitive personal information, dealing as it does with matters that are personal and which an individual will generally expect to be shielded from public disclosure.

Sometimes individuals will have different expectations about how some of their personal health information will be used or disclosed. These expectations can be based on their own cultural or personal background, family situation, a feeling that certain information is particularly stigmatizing. Some common examples include information collected by services providing specialist genetics services, child protection services or sexual health services. There are additional legal restrictions imposed on use or disclosure which apply to the release of a person’s HIV status, adoption and organ donation information.

Whilst the Healthelink pilot system does not have the ability to identify and restrict access to these different types of personal information, some information is able to be filtered out prior to being lodged with Healthelink. These are:

• Data received from community based sexual assault and PANOC (Physical Abuse and Neglect of Children) services. NSW has special restrictions on access to adult and child sexual assault records and PANOC records, in accordance with the Criminal Procedures Act, the Children and Young Persons (Care and Protection) Act, the NSW Interagency Guidelines on Child Protection, and other NSW Health Policy.

• All molecular genetics test results (e.g. familial cancer gene status) and all cytogenetics test results (e.g. karyotyping) received from community based genetics services in the Hunter New England Area Health Service.

• All HIV associated test results (e.g. HIV antibody, HIV conformations, HIV viral loads) received from Hunter New England Area Health Service.

Unless the individual requests otherwise, health professionals who access the Healthelink record will be able to see all other personal health information contained in an individual’s Healthelink record. If an individual has concerns about this, they may choose which organisations can have access to their record, or the individual may elect to opt out of the system.

Alternatively, healthcare providers can contact Healthelink to request that access to individuals’ records by the individual or their associate be restricted if they consider there are risks to the individual. Further information about managing sensitive information generally is provided in a number of NSW Health policies which guide staff on the management of personal health information. These are summarised in the NSW Health Privacy Manual, Section 15.9.”

Essentially, what we have here is a confession that some very private and sensitive information can slip, unknown to the patient, onto the Healthelink database. Were this not the case, the change shown above would not have been necessary. I can only assume it is to avoid Government liability for breach of trust and/or disclosure of a possible serious risk.

Given the inevitability of security violations – even in the best regulated environments – the inability of a patient to have sensitive data actually removed from the database – rather than simply made inaccessible – is a serious worry.

That better and more robust privacy controls were not developed before the trial commenced is also a real concern. In my view, clinicians really need to look very hard at the contents of their clinical records before permitting automatic transfer of their patients’ records to Healthelink, despite being assured they are indemnified.

Before posting, there is another gem I noticed in the Privacy Policy as I was reading it through. After saying that personal private information can be disclosed for emergency, compassionate, audit, legal and a range of other issues, there is one last reason.

11. Use and disclosure as required by the Minister or Premier

NSW Health may use or disclose personal health information if the information is required by the Minister or Premier.

Further details: Privacy Manual, Section 11.3.14

Just exactly why the Premier or Minister would be so empowered beggars belief. No wonder there are problems with community trust in such projects when things like this are said to be acceptable. One has to be grateful the authorisation was not “the Premier or delegate” – which might ensure any public servant could disclose and use – I guess.

I note in passing some of these information categories are held on the Oacis databases in South Australia. I have yet to hear back as to how these sensitivities are handled there.

David.
