Monday, August 18, 2008

NEHTA is Told to do Much Better by the Commonwealth Privacy Commissioner.

The Privacy Commissioner published the following press release a day or two ago.

http://www.privacy.gov.au/news/media/2008_15_print.html

Media Release: E-health privacy blueprint - robust legislation is needed says Privacy Commissioner

15 August 2008

The Australian Privacy Commissioner, Karen Curtis, has called for legislation for the proposed national Individual Electronic Health Records (IEHR) system.

"The National E-Health Transition Authority (NEHTA) has identified some valuable privacy considerations for the proposed IEHR system," said Ms Curtis.

"The suggestion that individuals should be able to opt-in to an IEHR system is welcome, as this promotes genuine choice.

"It is also important that there is specific legislation for the system to ensure there are robust privacy protections in place."

Ms Curtis' recommendations were made in a submission by her Office in response to NEHTA's Privacy Blueprint, which will feed into a business case NEHTA will deliver to the Council of Australian Governments in late 2008.

Another key point made in the Office's submission was the importance of having "sensitivity labels" in place at the start of the system to restrict access to certain information within the IEHR.

"My Office argues strongly in favour of sensitivity labels being in place at the start of the project," Ms Curtis said.

"This would be of prime importance to, say, a patient who is suffering a sensitive condition, such as a mental or sexual illness.

"The sensitivity label would prevent a healthcare worker in an area unrelated to the patient's illness from accessing this information."

Ms Curtis has also called for individuals to be able to see who has accessed their records through the availability of audit logs.

"This is an important accountability and transparency measure," Ms Curtis said.

The submission is available at http://www.privacy.gov.au/publications/sub_nehta_0808.doc.

----- End Release.

The Executive Summary of the submission makes it quite clear what Ms Curtis thinks is needed by way of change in approach.

Executive summary

1. The Office of the Privacy Commissioner (‘the Office’) supports the development of an individual electronic health record (‘IEHR’) system to enhance the delivery of healthcare through improved sharing of selected health information. In the Office’s view, the assurance that privacy is protected will be a key element of the overall success of such a system.

2. The Office notes its support for the express consent approach to IEHR participation proposed by the National E-Health Transition Authority’s (‘NEHTA’) Privacy Blueprint on the IEHR (‘the Blueprint’). This approach offers important privacy benefits to individuals by ensuring that individuals’ active and express consent is required before they are enrolled in the system. The Office also welcomes individuals being able to consent to specific episodes of care being entered into their IEHR record.

3. While recognising the attention paid to privacy as part of the IEHR system’s development and the constructive approach taken to consent, the Office believes there are some key issues which require further consideration. These issues are:

· the need for enabling legislation for the system

· whether individuals will have sufficient choice as to who may access their IEHR, that is, individual health care workers or entire health care organisations

· whether individuals will be given the choice to limit access to particularly sensitive information by way of a ‘privileged care’ mechanism

· the suggestion that audit records may not be available to individuals and

· the need for further detail on how secondary uses of IEHR information will be managed, particularly with regards to uses beyond medical research.

4. In this submission to NEHTA, the Office provides input on these key privacy issues and other aspects of the IEHR system raised in the Blueprint.

----- End Executive Summary.

Reading the full submission, it is clear Ms Curtis is not about to have NEHTA start its proposed IEHR without very robust legislation to protect individual privacy, despite an obvious desire on NEHTA’s part to do so.

It is also clear that she rejects the blatant attempt by NEHTA to try to do a system ‘on the cheap’ by leaving out protections and abilities for choice she believes the public are entitled to.

Ms Curtis clearly also notes NEHTA’s proneness to try and operate in secrecy and recommends all the privacy impact assessments be made public – what a great idea!

Most of the rest of the 17 page submission then goes on to point out the number of areas where NEHTA have proposed the easy rather than the ‘privacy protective’ approach.

All in all – when the clear, well-researched analysis is taken together with the concerns I expressed six or so weeks ago when the blueprint was released, I think a major rethink of this proposed IEHR and how it will really operate is required.

My earlier comments are found here:

http://aushealthit.blogspot.com/2008/07/nehta-privacy-blueprint-for-iehr-how.html

We should all be grateful we have such a clear thinking and independent team looking after our privacy rights as we do at present. More power to them!

NEHTA has to go right back to the drawing board and properly address all the issues raised. I frankly doubt they will be able to do so without some considerable modification of their current proposals. Maybe NEHTA should have consulted a little more carefully privately before developing and publishing such a clearly flawed document and making such inadequate proposals regarding IEHR privacy. If I were a betting man I would not be putting much on ever seeing anything like the presently proposed IEHR actually happen!

All this demonstrates just how out of touch NEHTA still is with the Health Sector and ordinary health consumers.

Interestingly we have also had the Australian Law Reform Commission weigh into the debate in the last week.

Tougher rules on records urged

Rules on medical records and population-based research may be reformed after a review of privacy laws. Health editor Adam Cresswell reports | August 16, 2008

MEDICAL records contain private information, often touching the most sensitive details of individual patients' lives. Doctors almost invariably guard access to their patients' files like hawks, ensuring only they and, occasionally, other doctors get to look inside.

You don't expect to find files such as these gathering dust in a garage, or dumped in a garbage bin, and especially not strewn over the footpath for any passer-by to see. But legal experts charged with conducting a review of privacy laws were shocked to find all these had really happened.

What's more, it was far from unknown for patients switching to another GP to face a battle to persuade their old GP to forward their records to the new doctor. Even though such records would be crucial to a proper understanding of the patient's history, in many cases the transfer simply did not occur.

And David Weisbrot, president of the Australian Law Reform Commission which conducted the privacy review, says it soon transpired that there was little patients could do to require doctors' co-operation.

In its 1996 ruling Breen v Williams, the High Court unanimously ruled that medical records are owned by the doctor who created them, not by the patient whose health they concern. While patients have access rights to that information, there has been no obligation on doctors to relinquish control to another doctor, or forward copies to another doctor.

That's one of several health-related issues that the ALRC, in the recommendations from its new 2700-page report on privacy laws, says should change.

"We heard a similar story quite often: if a doctor retired or died, or there was a merger or another practice took over the patients, they (patients) would have difficulty getting their records back to take to another doctor," Weisbrot says. "There were even stories of records being found in the rubbish bin, in the doctor's garage or even on the footpath.

Much more here:

http://www.theaustralian.news.com.au/story/0,25197,24182403-23289,00.html

It seems there is considerable alignment between the Privacy Commissioner and the ALRC, and that NEHTA is the one out of step.

The Health Information Section of the ALRC report is important reading.

http://www.austlii.edu.au/au/other/alrc/publications/reports/108/

This is the relevant part of the Table of Contents:

Part H - Health Services and Research

60. Regulatory Framework for Health Information

61. Electronic Health Information Systems

62. The Privacy Act and Health Information

63. Privacy (Health Information) Regulations

64. Research: Current Arrangements

65. Research: Recommendations for Reform

66. Research: Databases and Data Linkage

Enjoy all this – we live in “interesting times”!

David.

19 comments:

  1. David, re Ch.66 the Victorian Government has bid successfully to host the National HPV Vaccination Register. The job has been costed at $23.5. Several aspects of this project raise the hairs on my neck, so I am writing a brief commentary to mail around.

  2. COAG would be extremely foolish to support any proposal by NEHTA which calls for development of an IEHR until such time as NEHTA has delivered a Privacy Blueprint which has the full approval of the Privacy Commissioner. Nothing less should be acceptable. Privacy is paramount in this domain.

  3. The Privacy Commissioner’s comments demonstrate that NEHTA’s Privacy Blueprint contains many inadequacies which must first be addressed else the fundamental design constructs which underpin the IEHR will erode its very fibre like a rampant malignancy.

  4. Surely NEHTA knows it is premature to be delivering a business case to COAG which is not thoroughly underpinned by acceptable comprehensive Privacy considerations. NEHTA might find it frustrating but as you say - NEHTA "needs to go back to the drawing board". And it may have to do so more than once before it gets the Privacy Blueprint right. For COAG to remain credible on the subject of ehealth it needs to give that message to NEHTA unambiguously.

  5. I doubt that NEHTA's culture has changed very much. Secrecy still seems to be the order of the day. Do you really believe NEHTA will listen to its critics no matter how right they may be? The simple fact of the matter is it doesn't like jumping through the hoops - all it wants is access to bucketloads of taxpayers' funds so its army of PhD people can develop a world beating EHR ahead of everyone else on the planet! How about learning to crawl first? How about getting some basics into place? Let's see the Health Identifiers rolled out as a first step - actually rolled out - that means implemented and working in real life.

  6. I don't think Nicola Roxon will let herself get conned by all the "HYPE" and "URGENCY" around this EHR stuff. She is pretty pragmatic if her speech to the National Press Club last week is anything to go by. Do you think anyone at COAG is listening to you?

  7. Minister Roxon will encounter enormous resistance to her reforms from those with a vested interest in maintaining the status quo. Yet, reform she must and reform she will.

    Even so it is most unlikely she will let herself get trapped so early into supporting grandiose, high risk, high tech projects like NEHTA’s IEHR, at least until she knows that the Privacy Blueprint is fully compliant with the Privacy Commissioner’s requirements.

    It would not be surprising if she sent a Ministerial instruction to NEHTA to get Karen Curtis’ signature on its Privacy Blueprint before submission to COAG. One would hope that the Minister’s legal nous will see to that.

  8. COAG would be extremely foolish to support any proposal by NEHTA which calls for development of an IEHR ... by any government department. This development must be outsourced to avoid a repeat of Health Connect.

  9. Once again this forum reveals itself to be a hotbed of automatic nay-saying about anything related to NEHTA. Those who actually bother to read the Privacy Commissioner's report will see that it is generally supportive of NEHTA's approach to IEHR privacy. "The Office welcomes" or "supports" most of it, and its criticisms are generally about relatively small details. Even its largest criticism, about the need for enabling legislation, is about relative importance and timing, rather than about any major lack. The Privacy Blueprint already had discussion about legislative frameworks (see the review in paragraph 11 of the Privacy Commissioner's report), and the Privacy Commissioner is merely emphasising the importance and priority of such legislation.

    Even that is hardly a criticism of NEHTA, in a broader sense: the legislation will be a large amount of work for the feds and all state governments, and there must be a clear case to COAG for getting the work done. About the only way to get that case is to discuss alternatives (like the speculative idea of "mass contracting") and have authorities like the Privacy Commissioner firmly reject them.

  10. Thanks Anon,

    I am not sure you considered the report without the blinkers. It is clear the Privacy Commission thinks NEHTA has a long way to go to get any sort of tick.

    You say:

    "The Office welcomes" or "supports" most of it, and its criticisms are generally about relatively small details.

    The details are not small at all as far as I can tell if you are part of the population who really need not to have their medical history and its details leak out.

    Maybe you have not read enough public opinion polls regarding people's concern of loss of control of their health information?

    David.

  11. Describing this forum as a "hotbed of automatic nay-saying" could not be further from the truth.

    One point that needs to be made abundantly clear is that "Privacy is paramount in this domain".

    The very best way to guarantee that will be the case is for the Minister for Health & Ageing, The Hon. Nicola Roxon, to require NEHTA's Privacy Blueprint to be signed-off by the Privacy Commissioner, Ms Karen Curtis. Surely no-one, including NEHTA, could in all conscience object to such an eminently reasonable requirement.

  12. Privacy is far too important an issue to let NEHTA play around with it willy-nilly without some very tight supervision being in place over what it 'does and does not' do.

    We have all seen what happens when there is inadequate supervision as occurred under NEHTA's previous leader.

    NEHTA has had 4 years to get Privacy right. They have produced reports, they have sought feedback, and some years ago they sought and received comment from many sources including the Privacy Commissioner. So too did DoHA which preceded NEHTA. So, it is more than reasonable to expect that by now, after all the work of so many, NEHTA should be able to get it 'right'. It should not be allowed to jump-the-gun until it does get it right.

    As consumers we are the ones most impacted by this. The only assurance we have that NEHTA has GOT IT RIGHT is the Privacy Commissioner.

    Therefore, as some of your earlier commentators have said - The Privacy Commissioner should be required by Minister Roxon to sign-off on NEHTA's Privacy Blueprint before moving forward. If NEHTA has any difficulties with this approach it should say so publicly.

  13. Privacy is important but is it the only public policy consideration here? What is the true impact (health outcomes, duplication, financial, etc) of waiting till we have crossed all the 't's and 'i's before rolling out the perfect system into the market?

    From previous activity in similar Govt related activity (and I am primarily thinking HIC/HeSA here) I can say with some authority that we'd be better off defining the outcomes we want and broad technology directions and letting the commercial sector run with it. Govt can then regulate for perceived gaps based on experience rather than boxing at shadows.

    I like my privacy like the next man but I'd prefer to run some risk about my own personal records getting into the public domain rather than the risk that a treating doctor would not have all pertinent information when they are treating me and I might not be able to communicate critical information like allergic reactions that I have to certain drugs.

    Perhaps I'd think differently if I'd ever seen my own health record - but no one has ever shown it to me and I haven't been interested enough to ask.

  14. "The Privacy Commissioner should be required by Minister Roxon to sign-off on NEHTA's Privacy Blueprint before moving forward"

    If only the world were that simple.

    That would give the Privacy Commissioner the power to effectively specify (by vetoing alternatives) privacy legislation to the federal government, and to all state and territory governments. The chances of the states and territories letting Ms Roxon give the Privacy Commissioner that power are close to zero. Ms Roxon, and the Privacy Commissioner, and NEHTA, are working in a complex environment where the only viable approach is to gently steer COAG to the right outcome.

  15. August 21, 2008 11:36 said “The chances of the states and territories letting Ms Roxon give the Privacy Commissioner that power are close to zero."

    Perhaps. But don’t some of the States and Jurisdictions have their own equivalent of the ‘Privacy Commissioner’? Surely they can collaborate and agree and then sign-off on a NEHTA Blueprint that is acceptable to them all. Or is that also an impossibility too close to zero for your liking too?

    By the way - don’t forget that Nicola Roxon’s department funds 50% of NEHTA and the other 50% is funded in equal proportions by the States and Territories with monies provided to them by Minister Roxon’s Department!!!

  16. "Perhaps. But don’t some of the States and Jurisdictions have their own equivalent of the ‘Privacy Commissioner’? Surely they can collaborate and agree and then sign-off on a NEHTA Blueprint that is acceptable to them all. Or is that also an impossibility too close to zero for your liking too?"

    Unfortunately not. Delegating a decision to a committee is a political trick for killing something off by delaying it, which could yet happen.

  17. August 21 - 12.36 said that “Delegating a decision to a committee is a political trick for killing something off”.

    Committees do have a nasty habit of doing just that - highly unfortunate - I agree. So let’s re-examine the problem:-

    1. NEHTA’s Blueprint should be signed off by the Privacy Commissioner.

    2. The Jurisdictions also need to ‘approve’ the Blueprint.

    3. NEHTA’s job is to create a Blueprint acceptable to its constituents the jurisdictions (Federal, State & Territories) and the most important stakeholder - the consumer.

    4. The consumer, will, should and must be satisfied if the Privacy Commissioner is satisfied.

    Therefore, NEHTA should take up the cudgel and form ‘the committee’ whose responsibility will be to “Get the Privacy Blueprint signed-off” by the Privacy Commissioner with the support of the Jurisdictions who are NEHTA’s stakeholders.

  18. The suggestion that NEHTA should be the one responsible for getting the Privacy Blueprint signed off to the satisfaction of the Privacy Commissioner and the Jurisdictions is the most sensible suggestion I have heard for a very long time.

    Is not that part of NEHTA's charter? If NEHTA can't do it - who can? Go for it NEHTA - lead the way.

  19. David, on NEHTA's mention of Identity Management, I'd like them to state up front what they guess are the costs for IM in the health sector.
    Just yesterday we walked through the Convention Centre in Brisbane. Woolworths are/were having a big convention there. There's a stand demonstrating Woolies new credit/purchase card, being rolled out to employees first. It's a chip-and-pin card, a proximity device.
    IM is a rapidly evolving front, the big players are investing billions, so I hope NEHTA isn't stuck in the mud. But how would anyone know, one way or the other? If they are serious about IM, it would seem sensible to go to the Minister with their best estimate and put it out there for testing, so they can brief Finance and Treasury.
    Until they can do that, I guess we'll just have to be happy that someone knows more about my health, through my food purchases, and it may as well be Woolies. The Obesity Epidemic costing us billions, eh? Tsk, tsk.
    BTW, Medical Director is still happily replicating records in the afore-mentioned roll-out of TrakCare under VicGov's HealthSmart.
