The following appeared in The Australian the day before yesterday.
Numbers game a threat to privacy: healthcare identifier number
- OPINION: Juanita Fernando
- From: The Australian
- March 06, 2010
WE'RE told that from July 1 the federal government will issue every citizen with a cradle-to-grave healthcare identifier number. By virtue of this new numbering program, more than half a million health workers will routinely use and disclose the HI and linked information gathered from many sources. This proposal creates extensive risks to privacy.
The HI is a 16-digit identity number that's linked to your Medicare number. It's like a virtual key to your personal and health information. A healthcare provider individual will use the Medicare number to access data stored about you.
You may wonder what that information will be. So does the Australian Privacy Foundation. Since 1987 it's been the country's leading public interest advocacy organisation, focusing specifically on privacy.
The APF has made many attempts to communicate with the National E-Health Transition Authority and the Department of Health and Ageing on the succession of e-health initiatives during the past few years. However, both agencies have avoided engagement with privacy advocates. Contrary to their claims, consultation with consumer advocacy groups about the HI scheme has emphatically not taken place.
At the moment, the HI will be linked to your name, birth date and address, unless more details, such as order of birth, are required to make a positive identification. Patients and consumers will need to identify themselves by verifying the information when visiting or telephoning a health service, or perhaps a Medicare office.
The first time many patients discover the HI will be at the GP's reception desk when their identity is checked.
The HI system -- as described in the Healthcare Identifiers Bill 2010 and Healthcare Identifiers (Consequential Amendments) Bill 2010 before parliament -- is self-defeating.
That's because it could facilitate medical error as clinicians depend on a potentially unreliable number to ensure a patient's identity for health care. That's the direct opposite of government assertions about the HI's capacity to make people well.
Under clauses 18 and 23 of the bill, from July 1 consumers will have to work through a third-party service operator, Medicare, to access the personal information linked to their HI, presenting yet another point at which sensitive personal data may leak.
As reported this week in The Australian, documents published by the Office of the Privacy Commissioner show several hundred Medicare staff were suspected of unauthorised access to patient records in 2008 and 2009. The HI scheme will extend the number of people with access to such information by more than half a million.
The HI database will be the most accurate and up-to-date list of the names and former names, dates of birth, addresses and former addresses, and birth order -- including that of twins, triplets and so forth -- of Australians.
But the lack of real-life, large-scale trials of the system before implementation means that we can't measure or control the impact of growing levels of medical identity theft and other information breaches on the database.
There's nothing in the HI bills that requires a record to be kept of each time a service provider makes a disclosure of a healthcare identifier. The bills don't specify security obligations for anyone storing or in possession of an HI or associated personal information.
Electronic systems will always require human input. But if something goes wrong, those devising the system will be indemnified.
This despite the fact that no data set is absolutely clean. No information system is completely secure. Errors will creep into the national database linked to one's HI, if indeed they aren't already present. It's essential that the HI bills be amended to ensure that, from the outset, consumers can check their personal data. Even if penalties for misusing patient information are available, they'll be completely ineffective if consumers don't know what's stored.
.....
Juanita Fernando is the academic convener, BMedSc (Hons), medicine, nursing and health sciences at Monash University; she is on the health subcommittee of the Australian Privacy Foundation and a councillor with the Australasian College of Health Informatics.
More here:
There is more available on the APF’s views here:
http://www.privacy.org.au/Papers/HI-Senate-100304.pdf
and here:
http://www.privacy.org.au/Papers/HId_Bill-100107.pdf
It is worth noting the APF's views as they are very vigilant on such matters.
I find it interesting that the Office of the Victorian Privacy Commissioner raises a number of major concerns.
Her concerns on data quality of the core data being used to create the IHI I find useful.
See here:
Whereas the Office of the Federal Privacy Commissioner seems to be ‘relaxed and comfortable’
See here:
I do have to say however that allocation of $500,000 for two years to monitor a program of this scale and complexity would seem to be a little fatuous. With on-costs etc that is only 4-5 people to keep an eye on a system which concerns all of us!
The case for not undertaking decent scale piloting and testing I see as utterly unarguable. (And it now seems NEHTA agrees – thank heavens!)
David.
One of the problems that happens in hospitals is that medical records numbers can be accidentally merged, and then require a process of unmerging. Integration of patient master index systems with all other systems in the hospital, including clinical systems is often managed via merge/unmerge messages, else there is a careful manual process in place to ensure that identifiers are corrected in each of the relevant systems. Hopefully the IHI bill, and therefore the requirements for the IHI system include this requirement. For example, if a GP/Hospital has received the wrong number (as the result of an incorrect merge) and makes a clinical decision based on that - is there an obligation on the IHI to send a new message indicating that there was an incorrect merge? (i.e. an unmerge notification)? To do this in a hospital - a broadcast message is made to all systems - usually via an interface engine. If a system is down, or the link is down, then people must make changes directly in the receiving system. Sometimes, if things go wrong with interfaces to clinical systems in the middle of the night, people on call need to get out of bed to fix it quickly. Will all of this be in place for the IHI?
This is a valid concern. In the documents released publicly from the HI program, the HI Service Catalogue describes services to "Merge unverified IHI" and "Split IHI" - so the program designers know the issue.
What does not seem to be contained in the public documents is what will happen in the event of IHI merge or splits by the service operator. So, if a Medicare HI operations person merges two IHI numbers, what notifications (if any) go to the organisations which have accessed or used those numbers? There doesn't seem to be anything here.
If the "HPI-O checks IHI before each use" model is to be used instead of the HI service broadcasting notifications, there doesn't appear to be a service in the catalogue for an HPI-O to confirm that an IHI number is still valid, or to return the updated IHI number(s) in the event of a merge or split.
Perhaps a NEHTA lurker could update?
There must be a lot of this detail in the documents which have not been publicly released yet. It would be useful for NEHTA to publish more details about how it plans to share this information.