Sunday, January 10, 2010

There Are Many Unresolved Concerns Regarding the Exposure Draft of the Health Identifiers Bill 2010.

Over the blog rest period, rather predictably, we had the Department of Health and Ageing conduct a second round of so-called “consultation” on the Health Identifiers Bill 2010.

I told readers about the consultation period here:

http://aushealthit.blogspot.com/2009/12/e-health-news-from-doha-new-draft.html

and provided my feelings about the exposure draft here:

http://aushealthit.blogspot.com/2009/12/nehta-medicare-australia-health.html

Since then a few serious groups have made their submissions, which were due on January 7, 2010, public.

First we have:

6 January 2010

Re: The exposure draft Healthcare Identifiers Bill 2010

The Australian Privacy Foundation (APF) is the country's leading privacy advocacy organisation. I am writing in my capacity as Chair of the Health Sub Committee of the APF.

The Foundation’s feedback to the exposure draft Healthcare Identifiers Bill 2010 is listed below.

1. The APF policy statement in relation to eHealth data and Identifiers has been brought to the attention of senior health officials and has been publicly available for several months at http://www.privacy.org.au/Papers/eHealth-Policy-090828.pdf (Appendix A). The policy, which restates submissions we have made repeatedly over many years, is completely overlooked in the draft HI Bill.

The APF submits that the draft legislation fails to take account of significant privacy concerns despite these having repeatedly been drawn to the attention of senior health officials.

Because this initiative is at odds with the APF’s stated policy on the matter, we reiterate our opposition to this initiative in its entirety.

If the Department is intent on continuing down this path, despite the serious concerns, then we draw the following specific defects to your attention.

The rest of the 8 page or so submission can be read from here:

http://www.privacy.org.au/Papers/HId_Bill-100107.pdf

Second we have a submission to Government from the Australian College of Health Informatics.

Executive Summary

The Australasian College of Health Informatics (ACHI) is pleased to provide comment on the "exposure draft Healthcare Identifiers Bill 2010" with its supporting documents. The College combines the region’s peak health informatics expertise and experience and welcomes this opportunity to help inform the Health Identifier (HI) national e‐Health endeavour from an extensive background of significant knowledge and experience in health information systems and identification implementations.

1. ACHI is concerned the draft HI Bill may be enacted yet COAG has not yet made any decision about a national Electronic Health Records implementation. The draft seems to establish the framework for an e‐Health system that may never exist or be funded. It seems to ACHI the information available regarding any possible framework is also very scant and inadequate.

2. There are several major omissions from the draft Bill that are referred to in the documentation supporting the draft Bill, especially the "Building the foundations for an e‐health future … update on legislative proposals for health care identifiers":

The legislation does not specifically cover consumer ability to access information even though we understand it to be a requirement of the Health Identifier service provider.

The Bill appears to lack details of governance arrangements in place to manage the misuse of provider details in the provider directory, eg stalking.

There is no information about the NASH process or controls in the draft Bill or in papers supporting the Bill.

The Bill appears to lack clarity around the operation and governance of the HI Service.

Future development through regulation would be improved by linkages to Standards Australia and the International Standards Organisation.

In addition, we are concerned that a substantial pilot of the HI system for evaluation has not occurred.

Future development through regulation would be improved by linkage to Standards Australia and the International Standards Organisation. We also believe the HI will be affected by the lack of systems to put in place provider details, such as those to enrol some categories of Allied Health Care workers, which may take several years.

3. The punitive measures for the disclosure of patient information risk penalising clinicians in the patient care context, over which most have no control.

4. Any permitted information disclosures should comply with ISO Standard "ISO/TS 25237 Health Informatics: Pseudonymisation" (ISO TS 25237 2008).

5. A process defining the nature of accepted secondary uses of patient data needs to be made consistent with the international standards in this area and be the subject of appropriate public consultation.

6. The draft legislation links personal information to HIS. International and Australian standards on the identification of Subjects of Care and Health Care Client Identification offer a more controlled approach to linkage and implementation that does not appear to have been considered in the Exposure Draft.

7. ACHI suggests that it may be prudent to refer to international and national standards in the draft Bill rather than facilitate personal data linkages based on an outmoded technological stance.

8. The draft legislation leaves many important matters to regulation that has yet to be planned and does not leverage or comply with existing standards.

In summary, the College believes that the "exposure draft Healthcare Identifiers Bill 2010" is a timely national e‐Health endeavour. The establishment and broad implementation of a Health Identifier requires a comprehensive and mature legislative underpinning, which can be achieved by broad consultation.

With this response, the College seeks to support and contribute to this process. In particular, the College believes the identified agreed local and international standards should be leveraged and the issues surrounding implementation that we have identified should be further explored.

The Australasian College of Health Informatics comprises Fellows and Members that have led and contributed to local and international initiatives in the e‐Health area for many years. The College would be happy to leverage their expertise and experience to help ensure the national e-Health legislative framework interoperates with international standards, planned and implemented architectures as well as systems that are effective and sustainable. To this effect, ACHI would be pleased to continue and extend its input into future iterations of the legislation.

The full and quite detailed document is available at the ACHI web site:

http://www.achi.org.au/docs/ACHI%20Response%20to%20Draft%20Health%20Identifier%20Legislation%20V1.0.pdf

Thirdly – as cited last year – we had the view from David Vaile.

“But David Vaile, executive director of the University of NSW’s Cyberspace Law and Policy Centre, said the Bill was “contextless” and a “complete governance failure”.

“It’s almost as if they have deliberately tried to make the Bill impossible to comment on, because you can’t see the system it is a part of,” he told Australian Doctor.

The Bill did not answer whether the identifier could be used for financial monitoring, research or auditing, he said – “things way beyond clinical care”.

He was also concerned that the legislation left some complaints to be dealt with in the Privacy Act, “which is encyclopaedic”.”

See here (registration required):

http://www.australiandoctor.com.au/articles/3d/0c06633d.asp

So we have the privacy experts, the health informatics experts and the legal experts all essentially saying this needs “lots more work”.

It would be nice to think there might be some considered rational responses to all the issues raised by DoHA and NEHTA but I guess I am dreaming.

My personal view is that if these issues are not properly addressed and we do not have a substantial expert consensus that what is being done is appropriate and reasonable then the public will likely suspect that they are being ‘mushroomed’ and act accordingly. This is just not the way for the first significant e-Health implementation, at a national level, to be conducted.

The secrecy surrounding where all this is up to, and what is actually going on, also confirms there is probably something to hide.

This is really very bad indeed in my view. It could have been done properly but it is being badly and I fear fatally mismanaged.

As Poll 3 showed, the confidence of readers on success is not high.

http://aushealthit.blogspot.com/2009/12/aushealthit-man-poll-number-3-results.html

David.

Disclosure: I had a peripheral role in development of the ACHI submission.

D.

4 comments:

  1. The following sums up the status quo in my view quite succinctly.

    1. The APF stated that “The APF policy statement in relation to eHealth data and Identifiers has been brought to the attention of senior health officials and has been publicly available for several months at http://www.privacy.org.au/Papers/eHealth-Policy-090828.pdf (Appendix A). The policy, which restates submissions we have made repeatedly over many years, is completely overlooked in the draft HI Bill.”

    2. APF HI policies and views are repeatedly ignored during meetings with senior health officials.

    3. The APF concluded “the implication of the concerns listed above is to query whether the APF is wasting our time with this and other submissions to health care authorities.”

    It is hard not to come to the conclusion the APF is not alone in asking whether it is wasting time and resources responding to Requests for Submissions.

  2. A question I've been asking myself is what happens if this legislation doesn't get through. How much time and money has been wasted already and who's going to be held accountable? Where to from there?

    There are some serious concerns raised here, but the clear concern is the contemptuous way the legislation and the establishment of the health identifier service has proceeded with only token consultation:
    - The Privacy Impact Assessments that NEHTA has assembled over a number of years and only very reluctantly shared a couple of months ago (and even then we see how narrow they are in scope),
    - the complete lack of any detail on the intended use of the health identifiers,
    - no detail available on the actual health identifiers services and how they will / should be incorporated into clinical systems,
    - a window of a couple of weeks over Christmas to provide formal comment.

    Yet NEHTA are saying the health identifier service is already built, ready to go. They just need the 'ok' from the legislation.

    You think the public might feel 'mushroomed'. I work in health IT and I feel mushroomed, so I think this most certainly has the potential to evoke strong public suspicion. Combined with the amalgamation of Medicare and Centrelink and the defensive statements that that amalgamation will not lead to the creation of a 'de facto' Australia card, it's almost certain public suspicion will be aroused.

    So, here's my question: If you were the Health Minister and you were less than 10 months away from an election (one in which health reform is likely to be a major plank), would you introduce legislation into the lower house that would:

    (a) Provoke public criticism as to the intent and motives behind the creation of the identifiers. (Sadly, identifiers have a very legitimate value proposition for medical safety and quality, but this argument has never been made).

    (b) Almost certainly evoke opposition party criticism and potentially get blocked in the Senate anyway

    So perhaps a more cautious Health Minister who has much bigger plans around health reform would put this in the bottom drawer and wait for the major health reform legislation changes that are undoubtably coming, (or an election that would give control of both houses)

    I wanted to understand how much money has been wasted so far if that does eventuate, so I went through NEHTA's annual report (NEHTA is contracting Medicare to build the Identifier's service so I was sure I'd find it there.). Strangely there was no detail in the 2009 report, so I went back a year (2008) and found this entry in the financials for future commitments:

    Operating Commitments under a contract with Medicare Australia to provide the individual healthcare identifier and healthcare provider identifier services:

    Payable
    - not later than twelve months 13,100,000
    - between one year and five years 26,400,000

    Total: $39,500,000

    So Medicare is receiving $39.5million for the implementation of the health identifier service. My understanding is that this contract was signed 2 years ago (from the 2008 report), so I think a reasonable assumption would be that NEHTA has already given Medicare some $20million or so to build the health identifier service.

    NEHTA also has a staff working on health identifiers and privacy - I'll guess about 10 people because there's no details available but 10 x $150,000 = $1.5 million per annum = $3 million per year.

    So perhaps $23 million has been spent so far, possibly more.

    That's a ludicrous amount of money to spend on a relatively simple service, but I'll leave that for others to comment on.

    So if this all goes badly, one has to ask: Who will explain where this $23 million has gone? Who will be accountable? Peter Fleming? David Gonski? Jane Halton? Nicola Roxon?

    Perhaps as one bright spot, this may bring into clear focus the continued failure and absurdity of NEHTA, and the persistent neglect of DOHA.

  3. In the end no-one is usually held accountable. The project overruns its budget, everyone acknowledges it was a tough gig (which is why it took so long before it finally failed), a report will follow listing lessons learned and identifying a new way forward, and the whole circus will be reborn yet once again - directed and managed by the same people who were in charge before.

    This is the way it will be done. This is the way it is always done. And people like you and me and many others will cry into our weaties every morning.

  4. Sounds just like a repeat of the circus from 5 years ago when DOHA extracted itself from its HealthConnect extravaganza-disaster by transferring everything into a new entity called NEHTA.
