Quote Of The Year - Paul Shetler - "It's not Your Health Record it's a Government Record Of Your Health Information"

Friday, March 12, 2010

Another 4pm Friday Information Release Leaves e-Health Experts Gasping.

This appeared an hour or two ago.

Roxon folds and releases draft health identifier rules

  • Karen Dearne
  • From: Australian IT
  • March 12, 2010 6:08PM

FEDERAL Health Minister Nicola Roxon has buckled and released proposed draft regulations for the Healthcare Identifiers service, after privacy and security experts told a Senate inquiry the HI Bill could not rationally be considered without the accompanying rules that underpin the legislation.

A consultation paper prepared by the Australian Health Ministers’ Advisory Council was also released late Friday afternoon.

But it may be a case of too little, too late, with the regulations providing little new detail, and failing to address problems with the bill including the compulsory nature of the scheme, under which every Australian will be issued a 16-digit unique healthcare identifier from July 1 for improved medical information-sharing across the health sector.

Liberty Victoria's spokesman Tim Warner described the release as another "stunning performance by those guiding the e-health initiatives".

"To release documents that give at least a skeletal outline of what is actually going to happen - 24 hours after the last testimony was given to the inquiry (into the governing bill) and one week after the close of public comment - is a bravura performance in the theatre of transparency," Mr Warner said.

"Yes, they have released the regulations before the Senate committee reports its findings (on Monday) and the Senate votes. But after all of the lodged submissions and testimony had to be made blind."

Law Professor Graham Greenleaf, co-director of the Cyberspace Law and Policy Centre, University of NSW, this week told the inquiry the bill "shares a surprisingly large number of elements with both the Australia Card scheme of a couple of decades ago, and the (previous government's) Access Card proposals of 2006-07".

"There has been inadequate consultation and inadequate time for all concerned to really deal with the real details," he said. "Even now, none of us are in a position to know what this is about, because we do not have the rest of the legislative scheme (the regulations)."

Professor Greenleaf said the healthcare identifiers database, to be initially operated by Medicare, would become "the key national information system for just about the most sensitive thing that there is in the community - medical information".

"There is always the potential (for the system to be hacked)," he said. "Given how many databases these health identifiers will be the key to, with many other systems based around this number as the primary access key, there may well be very attractive illegal uses from access to that set of numbers.

"So yes, it becomes a very attractive location for unauthorised access. That increases the dangers that are involved."

More here:

http://www.theaustralian.com.au/australian-it/roxon-folds-and-releases-draft-health-identifier-rules/story-e6frgakx-1225840170232

What to say? I have had a look and the regulations are pretty brief.

This material (last page of the Consultation Paper), which is available here, amazes me (italics mine):

http://aushealthit.blogspot.com/2010/03/draft-regulations-to-support-health.html

----- Begin Extract

f. Information requested after disclosure of healthcare identifiers

In certain situations, the Service Operator may need to request information from a healthcare provider; for example, to assist in the investigation of a complaint or enquiry from an individual about access to the individual’s records held by the Service Operator.

Section 22 of the Bill allows regulations to require a healthcare provider to make available to the Service Operator certain information about the disclosure of a healthcare identifier to that provider.

Regulation 11 provides that, on request from the Service Operator, a healthcare provider must provide sufficient information to identify the person who accessed the Service, in relation to the disclosure of a healthcare identifier to that provider.

It is recognised that healthcare providers currently work with a wide range of IT and identity management systems that may not at present be able to record details of every individual who requests healthcare identifiers from the HI Service on the organisation’s behalf. However, to ensure sufficient certainty for consumers that access to information held about them by the Service Operator will be able to be subject to enquiry and investigation in the event of a suspected unauthorised access, it will be necessary for healthcare providers to make changes to systems and practices that will record all requests to the HI Service at the individual employee level.

In practice, many healthcare providers may be transitioning to an improved state of identity management and security over the next couple of years as uptake of e-health and electronic records systems becomes more widespread. During this period it is important that expectations around standards on rules for interaction with the Service Operator are clearly established from the outset. A penalty has been provided for in Regulation 11 to make clear that these standards will be enforceable.

Consideration is being given to allowing a period of transition for the enforcement of this penalty provision. During this period, the specified penalties would not be actively enforced, except in exceptional circumstances. The focus of this transition period (with a suggested period of 2 years) would be educative, helping providers to incorporate improved identity management standards in their systems. After this period penalties would be enforced.

If such a transition period were in place, this would not remove the requirement from a healthcare provider to make available to the Service Operator on request as much detail as they have on their records about a particular request for a healthcare identifier to assist in any enquiry or investigation. In addition, the transition period is only being proposed in relation to the requirements in Regulation 11. All other penalties provided for in the Bill and the regulations would be enforced from the commencement of the legislation.

Stakeholder feedback is sought on whether a transition period for enforcement of penalties in relation to Regulation 11 is an appropriate way to achieve a balance between ensuring appropriate security and identity management practices are in place to support a healthcare provider’s interaction with the HI Service, while at the same time allowing sufficient time for providers to transition IT systems and day to day procedures to reflect these standards.

----- End Extract.

Is this not just a license to just not bother about identifying who is using the HI system and make the planned audit trails a joke? Or have I missed something?

David.

18 comments:

Anonymous said...

Dr More, you ask “Is this not just a license to just not bother about identifying who is using the HI system and make the planned audit trails a joke? Or have I missed something?”

This is extremely tragic.

This latest development in the ehealth saga in Australia is the culmination of a blatantly destructive and incompetent series of events which make a mockery of the enormous amount of time and effort that so many highly professional, competent, decent experts have spent in preparing submissions on this vitally important issue.

I think it can be best summed up in the words of former Federal Court judge and anti-corruption crusader Tony Fitzgerald in his book - The Fitzgerald Legacy: Reforming Public Life in Australia and Beyond - when he says:

- Australia's major political parties are exploiting gaps in the law to produce an amoral "whatever it takes" culture.

- “When conduct is legal and the political price is not too high, ethics become irrelevant or worse, a sign of weakness and ignorance of 'realpolitik'."

Anonymous said...

I am as big a critic of government waste and incompetence in eHealth as anyone - but David and his fellow travellers are now into criticism for the sake of criticism.

After bellyaching about lack of progress and overspending for years, I for one am happy to support something useful that has come out of NEHTA and DOHA.

The HI legislation has general bipartisan support from the major political parties and is supported by industry. Its content reflects the National Privacy Principles, which are more than nine years old!

Let's get at least one necessary pre-requisite for eHealth interoperability into place so that those of us who are actually delivering useful solutions and services in eHealth can get on and do a better job.

David, you have to learn to recognise the occasional useful government initiative and get behind it. You have become the Tony Abbott of eHealth - oppose everything on general principle!

Dr David More MB, PhD, FACHI said...

Single comment. If it was being done competently and honestly I would back it. My view is that neither are true.

David.

Anonymous said...

Saturday, March 13, 2010 8:23:00 AM said "David, you have to learn to recognise the occasional useful government initiative and get behind it. You have become the Tony Abbott of eHealth - oppose everything on general principle!"

Saturday, March 13 also said “I am as big a critic of government waste and incompetence in eHealth as anyone - but David and his fellow travellers are now into criticism for the sake of criticism.”

I am not persuaded that David and his fellow travellers are being overly critical. Rather it seems they have been very effective in their efforts to have government and bureaucrats held accountable. There is nothing wrong with that and it is to be hoped that with some deep reflection and a little more objectivity Saturday March 13 agrees.

Anonymous said...

Clearly Saturday March 13 8.23 AM is frustrated and impatient to move on, to get going, to start doing things. Unfortunately that is no reason for not getting it right at the outset as David and his many supporters among the legal and privacy fraternity advocate. It is pathetic to suggest that David “opposes everything on general principle”.

Anonymous said...

Overall David seems to have been very constructive and consistent. More often than not he has offered sound advice on how to achieve real improvements in building a strong ehealth environment in Australia consistent with the Deloitte eHealth Strategy.

Anonymous said...

Major IT projects seem to have a habit of going off the rails. Saturday, March 13 sounds like the proverbial ostrich. Tough medicine it may be but if UHIs, Privacy and legislation are not locked down satisfactorily at the outset and implemented smoothly it will be too late to fix the mess later. By all means let the techos do the job but hey Saturday, March 13 is more than naive to suggest the bureaucrats will get it right later on, some time down the track, when it is really necessary - oh yeah - come on get real - look at this stuff they put out yesterday at the last minute after Senate enquiry has finished - why wasn't it available 2 or 3 weeks ago? Sorry, March 13 you are wrong.

Anonymous said...

But the healthcare identifier doesn't represent progress. The senate inquiry was told over and over that it was "just a number". A number that doesn't do anything? What good is that?

Of course the intention is that it will be used to link things, not just files and records but data sets across systems belonging to more than 500,000 providers, from the corner shop podiatrist or chiropractor to every test lab, every public and private hospital, aged care centre, community health service, as well as researchers, government health and safety agencies.

And that's before someone decides it would be handy to use the number to link with Centrelink, the tax office, federal police, whoever.

Who is going to check that Joe the homeopath has a secure IT system, with adequate backup and offsite storage, that his kids don't use the same computer after school, that Joe hasn't been targeted by phishers, that his computer has not been compromised and is now part of a botnet?

Because it seems to me that in a fairly short time, having access to the system will give anyone access to a very great amount of information about all of us.

What's to stop many of us finding bits and pieces of unsecured patient data through some kind of Google search? It might be hard to hack Medicare's systems, but the Happy Smile dentist shop might be easier.

The proposed number is only "safe" now because as yet the linking capacity doesn't widely exist.

Are the authorities really so ill-informed about what they're proposing or are the politicians cynically pursuing this for their own reasons?

Anonymous said...

Everyone wants ehealth, everyone wants to participate and provide their opinion, no one can agree because people's egos and agendas get in the way, and people want to be paid to take it up. Everyone wants it to be perfect from day one rather than an incremental approach that is subject to the scrutiny and revision....
....and then people wonder why Australia are laggards in so many areas.

Anonymous said...

From my perspective, the progression of eHealth at what remains an early stage comes down to openness and transparency in the process. Releasing the draft identifier rules at this time to avoid informed public input in to the senate inquiry makes a mockery of this. (Aside from incompetence, what other reason could there be?) On the other hand - there is some evidence of progress despite it being at a glacial pace.

On balance, I believe the criticisms raised in this blog are valid and do not constitute criticism for the sake of it.

I support the creation of a properly formulated HI service as part of a broader eHealth initiative. However, it has to be done in such a way to protect the personal information of everyone involved. Inappropriate disclosure of personal information and identity theft are major concerns and we ignore them at our peril. ba

Anonymous said...

It seems 'everyone' agrees that UHIs are important but that the job must be done properly from the outset if it is to be done at all. The only exception to this seems to be commentator Saturday, March 13, 2010 8:23:00 AM who says that he is happy to support something useful that has come out of NEHTA and DOHA. That’s fine, so are we all, but not in its present form.

Higher standards, better governance, more transparency are pre-requisites. No doubt commentator Saturday, March 13, 2010 8:23:00 AM wants the same but due to self interest has lost objectivity and compromised by lowering the standards just to see something happen!!!!!! Simply not good enough.

Anonymous said...

From my reading of the transcript of the Senate Enquiry most if not all of the organisations who presented are in favour of the HI legislation as it now stands. Why have the concerns of the multiple anonymii posting here not been reflected in that process?

Dr David More MB, PhD, FACHI said...

I would say the one line summary of what we have heard goes rather like "We think a reliable, privacy enhancing identifier is a good thing but what we are being offered here falls rather short of that so far"

David.

Anonymous said...

Saturday, March 13, 2010 9:56:00 AM presents some real concerns about what can happen with health data. What they do not present is how the HI legislation can be modified to do anything about this.

Those concerns are out of scope of the HI legislation! Those concerns need to be dealt with under specific legislation for health information privacy.

The HI Legislation specifically limits the use of the numbers to health information. What more can the government do to prevent its use elsewhere?

Today medical records are usually linked with an almost unique number - the Medicare number - how is this new number any different?

Anonymous said...

David, how about another one line summary of where the identifier falls short. How is this any different from a Medicare number?

Dr David More MB, PhD, FACHI said...

My one line summary of the key problem is that we don't know how good the data quality of the planned IHI will be as it has not been tested to date for accuracy etc and we also know that most of the planned privacy protections are either delayed or impractical.

It is different - and probably a lot better - than the Medicare Number - but good enough - we don't know and we haven't checked.

That leaves aside all the privacy protection issues which are also problematic in implementation, so far, in my view.

Summary - good idea, lousy incompetent implementation.

David.

Anonymous said...

David, These are implementation issues. The legislation should be driving the implementation, not the other way round.

Dr David More MB, PhD, FACHI said...

But it isn't. The legislation is assuming quality skilled implementation. Does anyone think we don't need belt and braces on this?

David.