Quote Of The Year

Quote Of The Year - Paul Shetler - "Its not Your Health Record it's a Government Record Of Your Health Information"

Wednesday, May 16, 2007

NEHTA Goes Back to Its Old and Less Desirable Ways.

NEHTA has just released a new document entitled “Privacy Blueprint on Unique Healthcare Identifiers - Report on Feedback - Version 1.0 - 14/05/2007”

The eight page document provides a summary of the fourteen written submissions received during the two-month public consultation period (which began in December 2006) with several bodies requiring an extension until mid-March 2007.

The first and most obvious question is where are the actual submissions? It seems we are not allowed to read them and form our own view as to what are the respondents views. We have to be given a 'pre-digested' and simplified summary. This is of course totally different to the operation of the Access Card Privacy Task Force where all the submissions – even the anonymous ones – are made available on the Department of Human Services web-site. I wonder what NEHTA has to hide?

As for the document itself the following caught my attention:

1. “ It is clear from submissions that the discrete concept of unique healthcare identification is difficult to understand in isolation from other e-health activities (such as the application of identifiers in clinical systems).”

Well clearly I am with the stupid! It seems pretty clear you only have healthcare identification (i.e. the allocation of a unique number or code to an individual person of healthcare provider) so you can apply, look up or use it in some application or system – so precisely how can it be understood in isolation? Blowed if I know.

2. “NEHTA will identify additional avenues and means of communication throughout 2007-08 to ensure wide coverage of key stakeholders for future consultation activities”

I see from this we are going to be consulted and communicated with for the next eighteen months. Seems to me a bit of focus and effort could do what is required in about a quarter of that time!

3. “Many submissions specifically commended and endorsed NEHTA's proactive approach to privacy management and consultation.”

I read this as saying those consulted appreciated being asked – not that they actually agreed with what was proposed.

4. “The connection to the Australian Government's Health and Social Services Access Card was queried by many submissions, some revealing the mistaken belief that there was or should be a formal relationship between the two initiatives.”

This statement comes from Section 3.2 “Overlap of UHI with other initiatives”. It is a great pity this section does not explain its position. All we get, in five short paragraphs, is that many respondents who thought there was or should be a ‘link’ were mistaken. But why were they mistaken? Where is the explanation?

It is clear that both projects are identity management initiatives being undertaken by government, that a key use of the Access Card is to provide access to health services, and that the Access Card will be a more trustworthy identifier than the IHI from NEHTA. So we need to have it explained to our simple minds just why the two ought not be linked – especially now we know the same department – Human Services – will be operating both databases almost certainly. The denial around this is just bizarre. They are clearly parallel projects that aim to do similar things. So why not explain why separate initiatives are needed. Blowed if I know – especially since we also now know that the IHI will almost certainly need its own enabling legislation – just like the Access Card.

5. “NEHTA's view remains that legislative support for the UHI Service will provide the greatest level of legal certainty around meeting consent requirements, and therefore promote trust and confidence.”

Section 3.3 on Consent gives us four paragraphs that say we will need to legislate but it does not say what the terms of the legislation will be. This is about as useful as the legendary 'barnacle on a battleship' and reflects the arrogance of the initial blueprint with its Joh like 'don't you worry about that' type of approach.

As I argue in another article it you don't get consent right in e-health projects you can doom yourself. It is not clear from this document NEHTA understands that.

6. “NEHTA's planned secondary uses consultancy for 2007 will identify principles for assessing secondary uses in both the UHI and Shared EHR and develop a secondary uses framework. NEHTA will examine national and international approaches to secondary uses, which will also inform recommendations on the degree to which secondary uses should be supported by and managed within NEHTA initiatives.”

In section 3.4 we get three paragraphs to cover what was learned from the fourteen submissions.

Essentially the document says we need to do more work.

I would make two points. First it is important to distinguish between the IHI and the associated data. I can conceive of no reason for the actual data record to be the subject of secondary use and second it would seem to me that the UHI itself would be recorded on any record that was to be the subject of secondary processing so it is all that is needed for secondary record linkage. That being the case I struggle to understand just why the IHI record would ever be disclosed external to the IHI service.

The use of the actual UHI identifier for secondary record linkage would of course need to be controlled as other such identifiers presently are under legislation and to required specific authorisation from ethics bodies and the like.

7. “NEHTA was aware of these overarching privacy risks as a result of internal privacy analysis combined with the results of the early-2006 preliminary Privacy Impact Assessment. Knowledge of these particular privacy risks for the UHI Service has informed the development and design of the UHI Service and will continued to be managed through work examining:

· Data security;

· User authentication;

· Audit and access requirements; and

· Governance.”

What this is really talking about is the 'honey pot effect'. Create a database with the demographics of all 16 million citizens and you create a resource every debt collector, thug and violent husband will look forward to be able to access, for a small fee. Access will be provided by the greedy and unprincipled in the healthcare provider community of which we all know there are some. Not many, but enough, to make any privacy assurances largely moot.

NEHTA just hopes no one will notice although it is of concern as they write:

“The remaining principle (informing consumers fully about any privacy breaches) is consistent with NEHTA's position on the need for openness and accountability, however was not specifically considered in the Privacy Blueprint.”

Pity it was not made clear NEHTA will make sure this is implemented – along with compensation for those who are forced to re-locate to escape the violent ex-spouse.

8. “Key issues noted in submissions included:

· The extent of administrator access and healthcare provider organisational access to healthcare individual's unique identifier and associated record;

· The requirement for strict guidelines for access to UHI Service to prevent abuse and the chance of errors in the system;

· The range of data fields on individuals proposed to be collected; and

· The need for a flexible framework dealing with authorised representatives so that the provision of healthcare is not adversely affected by administrative requirements.”

These are all important issues and again we get no answers.

In summary this document is a less than useful re-statement of the problems associated with the introduction of the UHI service which offers no significant answers, insights or progress.

Worse the material on which it is based is not disclosed despite “NEHTA's position on the need for openness and accountability”.

Yet another hastily pushed out useless and obfuscatory document. The imminent review of NEHTA’s usefulness must really have NEHTA worried. And rightly so in my view.

David.

And now some very late news!

Finally NEHTA is hiring a dedicated privacy officer!

“The National E-Health Transition Authority Limited (NEHTA) is advertising for a Privacy Officer. Advertisement is below.

Be part of Healthcare Reform

An exciting opportunity exists for an experienced Privacy Officer to join the Unique Healthcare Identification (UHI) Program - one of the cornerstones of a new e-health framework

• Sydney CBD

• Great development opportunity

The National E-Health Transition Authority Limited (NEHTA) is a not-for-profit company established by the Australian Commonwealth, State and Territory governments to develop better ways of electronically collecting and securely exchanging health information.

NEHTA’s mission is to set the standards, specification and national infrastructure requirements for secure, interoperable electronic health information systems. The Australian State and Territory governments will then adopt these requirements nationally, with the aim of creating a common national approach that will set the foundations for widespread and rapid adoption of e- health across the national health sector.

NEHTA and privacy

From the outset, NEHTA has recognised that privacy is an issue of great concern to Australians – particularly in the health sector. Protection of privacy is fundamental to maintaining consumer confidence and encouraging individuals to participate in e-health initiatives. At the same time, the frameworks must facilitate the best possible outcomes for the improved provision of healthcare and safety in Australia, including better sharing and availability of health information.

NEHTA’s privacy management strategy for the UHI Service is primarily set out in its Privacy Blueprint publication (available on the NEHTA website under Publications). The Privacy Blueprint for the UHI Service provides a framework for identifying and Discussing privacy issues and sets out an action plan for managing privacy risks. Using this approach has ensured that NEHTA has proactively considered its privacy compliance position and promoted a coordinated approach to privacy management.

An exciting opportunity exists....for an experienced Privacy Officer who will be responsible for further developing the UHI Program’s privacy framework and supporting documentation, including policies, procedures and privacy notices, and assisting with the management of key privacy activities, such as the Privacy Impact Assessment (PIA).

For further details about this position, please go to the NEHTA website at www.nehta.gov.au and navigate to the Employment page.

For enquiries please email careers-at-nehta.gov.au.”

Only three years too late and hardly making it clear they know what is public wants is key!

D.

1 comment:

Dr Ian Colclough said...

Unique Health Identifiers and Privacy are particularly complex and thorny issues which will not be resolved to the satisfaction of everyone for quite some time. Even so, gradual resolution of these issues should not be a major impediment to progressing the development of ehealth initiatives in Australia.

Your blog of 3 January made extensive comment on NEHTA’s approach to ‘Privacy’ as outlined in the “Privacy Blueprint – Unique Healthcare Identifiers (UHI) - Individual Healthcare Identifier (IHI) and Healthcare Provider Identifier (HPI) - Version 1.0 – 18 December 2006 For Comment”.

One must presume (perhaps you could confirm for your readers) that your commentary of 3 January was one of the 14 written submissions received by NEHTA during the consultation period.

In its ‘Report on Feedback - Version 1.0 - 14/05/2007” NEHTA made specific reference to four submissions received from The Australian Privacy Foundation (APF), Office of the Federal Privacy Commissioner (OPC), Consumers’ Health Forum of Australia (CHF), Health Issues Centre (HIC). These submissions are comprehensive and well argued.

In your blog of 3 January you brought to the fore the apparent disregard or oversight by NEHTA of work being done on the Access Card by the Department of Human Services (DHS), and the fact that the Access Card would provide every Australian with a unique number. It would not be unreasonable to expect that one or more of the submissions from APF, OPC, CHF and HIC would also have raised this issue.

It is a pity a list of parties who lodged submissions and who were consulted has not been made available, as is normal practice elsewhere, eg ACCC. It would be much easier for interested parties to draw their own conclusions if they could consider the ‘Submissions’ in the light of the summarised ‘Report on Feedback’.


A carefully considered read of the APF, OPC and CHF submissions will help illuminate some of the issues against the December 2006 Blueprint and the May 2007 Feedback Report. It seems the CHF and HIC may have lodged a ‘joint’ submission !

Links to those submissions follow:
APF: http://www.privacy.org.au/Papers/NeHTA_UHI_Blue070313.pdf
OPC http://www.privacy.gov.au/publications/subnehtauhi200703_print.html
CHF http://www.chf.org.au/Docs/Downloads/430_NeHTA_Privacy_Blueprint_Submission.pdf

Ian Colclough
Integrated Marketing & eHealth Strategies