In this article I review the Privacy Aspects of the recently released document.
The document can be found here:
There are a few positive points to be made about this document.
First, it does appear to have headings that cover all the major issues.
Second , it has been developed with the input of a range of people – according to Appendices F & G – that I know to understand most of not all of the issues.
Third it is clearly written and nicely comprehensible to non-specialists in the privacy / EHR domain.
So far, so good – so what is wrong?
A few things as I see it.
1. Given the importance of this topic – a document at even this high level has been a very long time coming. The initial material is now close to two years old.
2. Much of the analysis found in this document was available 3 years ago – having been developed by Clayton Utz in January 2005 for the HealthConnect Program. I can’t see this present document advances the state of play much at all. (Sadly these documents have all been pulled down off the web by the re-vamp of the Commonwealth Health Department web site following the Labour victory. If you want a copy for your files let me know. The full 3 documents are about 1.4 Megs as .pdf files)
3. It is not clear why, if there are Draft Privacy Impact Statements that have already been developed, that these are not also made available for discussion and review.
4.NEHTA is seeming very uncertain on the way forward with most of the major issues – while I recognise this is a consultation paper one would have liked clarity as to just what NEHTA is proposing in each area.
5. NEHTA seems on a number of topics to be rather too concerned about cost and/or technical difficulty rather than ensuring public confidence.
Overall I think we are quickly reaching a point where NEHTA needs to say, clearly, what is exactly proposed, what the cost and functionality tradeoffs are why they want to go down specific paths. This is the document that should attract the detailed comment – not this rather short and rather less than decisive effort.
Of course all this assumes one thinks the IEHR concept is a good one. Until vastly more detail – including costs, real benefits, provider engagement strategies, data quality strategies, timelines, technologies, security approaches, private sector interface approaches and strategies and implementation phasing and delivery are provided we and COAG run a real risk of buying a ‘pig in a poke’. We must not let that happen without vastly more information – provided before COAG meets – not after!