Over the blog rest period, rather predictably, we had the Department of Health and Ageing conduct a second round of so-called “consultation” on the Health Identifiers Bill 2010.
I told readers about the consultation period here:
and provided my feelings about the exposure draft here:
Since then a few serious groups have made their submissions – which were due on January 7, 2010 – public.
First we have:
6 January 2010
Re: The exposure draft Healthcare Identifiers Bill 2010
The Australian Privacy Foundation (APF) is the country's leading privacy advocacy organisation. I am writing in my capacity as Chair of the Health Sub Committee of the APF.
The Foundation’s feedback to the exposure draft Healthcare Identifiers Bill 2010 is listed below.
1. The APF policy statement in relation to eHealth data and Identifiers has been brought to the attention of senior health officials and has been publicly available for several months at http://www.privacy.org.au/Papers/eHealth-Policy-090828.pdf (Appendix A). The policy, which restates submissions we have made repeatedly over many years, is completely overlooked in the draft HI Bill.
The APF submits that the draft legislation fails to take account of significant privacy concerns despite these having repeatedly been drawn to the attention of senior health officials.
Because this initiative is at odds with the APF’s stated policy on the matter, we reiterate our opposition to this initiative in its entirety.
If the Department is intent on continuing down this path, despite the serious concerns, then we draw the following specific defects to your attention.
The rest of the 8 page or so submission can be read from here:
Second we have a submission to Government from the Australian College of Health Informatics.
The Australasian College of Health Informatics (ACHI) is pleased to provide comment on the "exposure draft Healthcare Identifiers Bill 2010" with its supporting documents. The College combines the region’s peak health informatics expertise and experience and welcomes this opportunity to help inform the Health Identifier (HI) national e‐Health endeavour from an extensive background of significant knowledge and experience in health information systems and identification implementations.
1. ACHI is concerned the draft HI Bill may be enacted yet COAG has not yet made any decision about a national Electronic Health Records implementation. The draft seems to establish the framework for an e‐Health system that may never exist or be funded. It seems to ACHI the information available regarding any possible framework is also very scant and inadequate.
2. There are several major omissions from the draft Bill that are referred to in the documentation supporting the draft Bill, especially the "Building the foundations for an e‐health future … update on legislative proposals for health care identifiers":
• The legislation does not specifically cover consumer ability to access information even though we understand it to be a requirement of the Health Identifier service provider.
• The Bill appears to lack details of governance arrangements in place to manage the misuse of provider details in the provider directory, eg stalking.
• There is no information about the NASH process or controls in the draft Bill or in papers supporting the Bill.
• The Bill appears to lack clarity around the operation and governance of the HI Service.
• Future development through regulation would be improved by linkages to Standards Australia and the International Standards Organisation.
In addition, we are concerned that a substantial pilot of the HI system for evaluation has not occurred.
Future development through regulation would be improved by linkage to Standards Australia and the International Standards Organisation. We also believe the HI will be affected by the lack of systems to put in place provider details, such as those to enrol some categories of Allied Health Care workers, which may take several years.
3. The punitive measures for the disclosure of patient information risk penalising clinicians in the patient care context, over which most have no control.
4. Any permitted information disclosures should comply with ISO Standard "ISO/TS 25237 Health Informatics: Pseudonymisation" (ISO TS 25237 2008).
5. A process defining the nature of accepted secondary uses of patient data needs to be made consistent with the international standards in this area and be the subject of appropriate public consultation.
6. The draft legislation links personal information to HIS. International and Australian standards on the identification of Subjects of Care and Health Care Client Identification offer a more controlled approach to linkage and implementation that does not appear to have been considered in the Exposure Draft.
7. ACHI suggests that it may be prudent to refer to international and national standards in the draft Bill rather than facilitate personal data linkages based on an outmoded technological stance.
8. The draft legislation leaves many important matters to regulation that has yet to be planned and does not leverage or comply with existing standards.
In summary, the College believes that the "exposure draft Healthcare Identifiers Bill 2010" is a timely national e‐Health endeavour. The establishment and broad implementation of a Health Identifier requires a comprehensive and mature legislative underpinning, which can be achieved by broad consultation.
With this response, the College seeks to support and contribute to this process. In particular, the College believes the identified agreed local and international standards should be leveraged and the issues surrounding implementation that we have identified should be further explored.
The Australasian College of Health Informatics comprises Fellows and Members that have led and contributed to local and international initiatives in the e‐Health area for many years. The College would be happy to leverage their expertise and experience to help ensure the national e-Health legislative framework interoperates with international standards, planned and implemented architectures as well as systems that are effective and sustainable. To this effect, ACHI would be pleased to continue and extend its input into future iterations of the legislation.
The full and quite detailed document is available at the ACHI web site:
Thirdly – as cited last year – we had the view from David Vaile.
“But David Vaile, executive director of the University of NSW’s Cyberspace Law and Policy Centre, said the Bill was “contextless” and a “complete governance failure”.
“It’s almost as if they have deliberately tried to make the Bill impossible to comment on, because you can’t see the system it is a part of,” he told Australian Doctor.
The Bill did not answer whether the identifier could be used for financial monitoring, research or auditing, he said – “things way beyond clinical care”.
He was also concerned that the legislation left some complaints to be dealt with in the Privacy Act, “which is encyclopaedic”.”
See here (registration required):
So we have the privacy experts, the health informatics experts and the legal experts all essentially saying this needs “lots more work”.
It would be nice to think there might be some considered rational responses to all the issues raised by DoHA and NEHTA but I guess I am dreaming.
My personal view is that if these issues are not properly addressed and we do not have a substantial expert consensus that what is being done is appropriate and reasonable then the public will likely suspect that they are being ‘mushroomed’ and act accordingly. This is just not the way for the first significant e-Health implementation, at a national level, to be conducted.
The secrecy surrounding where all this is up to, and what is actually going on, also confirms there is probably something to hide.
This is really very bad indeed in my view. It could have been done properly but it is being badly and I fear fatally mismanaged.
As Poll 3 showed, the confidence of readers in success is not high.
Disclosure: I had a peripheral role in development of the ACHI submission.