
Wednesday, June 24, 2009

NEHTA E-Health ID - Looking Like a Big Mess So Far.

NEHTA, with very considerable public funding, has now been developing the UHI service for almost 3 years, having initially been funded to undertake the work in around August 2006.

The following very interesting and carefully researched article appeared yesterday.

Medicare the base for e-health IDs

Karen Dearne | June 23, 2009

PATIENTS' medical records will be linked across health providers using the present Medicare number and card, under the $98 million Unique Healthcare Identifier (UHI) program being developed by the National E-Health Transition Authority.

Few details of the planned UHI service have been revealed to date, despite the January 2010 deadline for completion of the project's design and build. The work has been directed by the Australian Health Ministers' Council (AHMC) and funded by the Council of Australian Governments.

Although healthcare providers - doctors, pharmacists, community clinics and hospital administrators, in both the public and private arenas - will be issued with highly secure smartcards using PKI-based identity verification, consumers' individual healthcare numbers (IHIs) will be accessed by linking through the old Medicare number.

The stronger credentials for medical professionals will be managed through the planned National Authentication Service for Health (NASH), an extension of Medicare's existing arrangements to securely identify doctors accessing the agency's systems for claiming or payment transactions.

Individual healthcare identifiers have been touted as a key building block in the nationwide shift to e-health systems, with the free-flowing exchange of people's health records set to revolutionise patient care through improved safety and quality outcomes, together with greater efficiencies, cost savings and a wealth of new opportunities through telemedicine, remote monitoring of chronic disease and public health surveillance.

Eventually, the plan is for each person to have an individual e-health record, which holds their personal details; a summary health profile that can be shared with the person's permission between treating doctors; event summaries such as hospital discharge reports, care plans and test results, and a self-care management record where people can add their own material.

But consumer and privacy groups may be disappointed by the barebones approach outlined to The Australian, in response to questions put to NEHTA, Medicare Australia - which is creating the UHI system under contract to NEHTA - and federal Health Minister Nicola Roxon.

It appears Ms Roxon has been mistaken in her recent comments that patients will access their health records through a smartcard.

Instead, doctors or staff members will have to call up a person's shared record via the Medicare number, together with the existing, additional family member number.

"The IHI is simply an identifier that will facilitate the secure transmission of health information," a NEHTA spokeswoman said. "The IHI will predominantly be retrieved using an individual's Medicare number as opposed to a 'look-up' system, but separate security and authentication processes will be put in place regarding the actual use of the IHI in relation to health records.

"If an individual does not have a Medicare card, their healthcare provider will be able to use demographic information to obtain an IHI from the service. A patient will normally be asked to provide only his or her name and date of birth."

This approach assumes Medicare's well-publicised difficulties with data quality - mailing out replacement cards to deceased persons, duplications and other errors, and fake cards circulating in the black market - have been fixed.

Another issue involves ensuring the proper separation of data in the new registration and record databases from Medicare's financial transactions and business operations.

Read much more detail here:


The way this whole project is being run reveals, frankly, an astonishing level of arrogance and failure of technical and public consultation.

NEHTA apparently believes Privacy Impact Assessments should be kept from the public. This is clearly an absurdity and deserves condemnation.

NEHTA has not even got to the stage of even the draftest of legislation which they admit will be needed. With the present government turmoil and hostile Senate what chance of legislation, which seems to be likely to be privacy invasive, getting through in other than geological time?

NEHTA apparently plans to have an operational service available at the beginning of 2010. What seems to be missing are the technical specifications that people who will use the service will need to develop to in order to use the service once it is operational. We have lots of business specifications but not much in the way of technical specifications.

See here for the presently available documents.


(Note in passing how most documents are nearly 2 years old!)

I wonder does NEHTA have a plan to pay software developers to interface with their service or is that another unexpected cost they plan to impose?

On the basis of what we all know about the data integrity of Medicare Identifiers who would trust this to be used to assemble and manage a clinical record? I certainly would not. The Medicare ID databases are just not ‘fit for purpose’ in this context (creating an aggregate trustworthy EHR). What is going on here is that we will very possibly wind up with a less than satisfactorily robust individual identifier and over time it will fall into disuse as it causes more misidentification and problems than it is worth.

I am sure additionally NEHTA has vastly underestimated the complexity and cost of issuance, maintenance and deletion of certificates and tokens to 500,000 health professionals. Frankly that is a huge task which, if not done properly, will also cause more problems than it is worth.

I also wonder who is going to pay to operate this service in the longer term and at what stage will the users be charged a fee for use to recover ‘costs’.

NEHTA needs to get the PIAs, Technical Specs and Draft Legislation out pronto so their plans can be reviewed and assessed publicly to prevent any continuing waste of money and effort. Sneaking around fobbing people off with vague details and timelines is really not good enough.

We need identifiers I believe to make patient records work optimally – but not developed in secret like this.



Anonymous said...

How extraordinary. Surely no-one believes NEHTA will have an operational service available at the beginning of 2010!

Anonymous said...

I didn't think the article was saying that the Medicare Number was going to be used as the identifier - rather that it was likely to be the predominant way of retrieving the IHI - and if it was unavailable other demographic matching methods would be used to retrieve it. Sounds feasible to me - once the IHI is in a provider's system it would presumably not be needed to be retrieved again.

The big trick will be to get clinical systems to be able to use the IHI (or to map it to whatever identifiers they currently use). A pretty big job in most of the public health systems although maybe made a little easier by efforts over past years to separate out client identifiers.

Anonymous said...

It has to be a big mess as you assume. It is quite reasonable to draw this conclusion because to date there has been no statement forthcoming from Medicare, and hence there is therefore no evidence to the contrary, that Medicare has fixed the dirty duplicated data problem in its enormous database ..... namely "Medicare's well-publicised difficulties with data quality - mailing out replacement cards to deceased persons, duplications and other errors, and fake cards circulating in the black market".

If Medicare had managed to fix this problem it would have trumpeted the good news to anyone who would listen. That it has not done so speaks volumes.

Anonymous said...

If there is no draft legislation and no Privacy Impact Assessments available in the public domain for consideration and comment then you will need to add another 6-12 months at least to the January 2010 ‘operational service available’ date. The first thing that should be done is to make the first two PIAs available or would that be too embarrassing?

Come to think of it - what is meant by having an “operational service available”? It doesn’t have to work and it doesn’t even have to have been tested. It doesn’t even have to be ready for implementation and roll out. It just has to be available to …….…(who)…………. . If the political chambers then obstruct progress - it’s the politicians who have to take the blame. And if the last couple of weeks are anything to go by (a la the Gresh affair) we know how much politicians love pointing the finger and playing the blame game.

Anonymous said...

Well I hope Medicare's security and privacy systems are right up there with the very best of them now that they are soon to be in the business of paying money into all our bank accounts and more importantly holding our bank account details. Theoretically it shouldn't be a concern as Centrelink does that today - quite successfully I think.

Anonymous said...

The following questions seem so basic so the information should be readily available, but if it is, it is very difficult to find.

1. How much money was budgeted for the UHIs?

2. Over what period starting from when?

3. How much has been expended so far?

4. What has it been expended on?

5. How much is still available?

6. Have any of the unspent funds been clawed back into consolidated revenue as a necessity caused by the GFC?

7. If any funds have been clawed back - how much?

8. Of the funds not yet spent but still available - what are they to be expended on?