Quote Of The Year

Quotes Of The Year - Paul Shetler - "Its not Your Health Record it's a Government Record Of Your Health Information"


H. L. Mencken - "For every complex problem there is an answer that is clear, simple, and wrong."

Monday, March 01, 2010

There Might Be a Major Hole in the Design of the HI Service. Interested To Know What People Think.

Those who have been following the development of the Health Identifier (HI) Service by Medicare / NEHTA will be aware that a key document is that one describing the Concept of Operations for the HI Service.

The document is found here for those who do not have access to it.


A key part of the document describes the process by which one obtains a person’s IHI.

In the Use Cases provided the individual turns up to a health care provider (with or without a Medicare Card (A Trusted Data Source Identifier) and when the details are entered, and an exact match is found, the IHI is returned for incorporation in the patient record.

If no match is found – or multiple matches are found – the address is used to get an exact match and all the entered information and the IHI is provided by the HI service in return.

What this means – among other more useful attributes – is that we will now have 600,000 healthcare providers who now all have a way to confirm a name, DOB and sex and address for accuracy. Either an IHI will be retuned – details are correct and current – or an error will be returned and an unverified IHI process follows.

The issue is that this is the biggest and hopefully most reliable name, DOB and Address data base in the country that can now be used by all sorts of people for all sorts of reasons to confirm current details – some valid and some possibly considerably less so!

Better still it also offers a batch update capability so all sorts of options can be checked for validity!

The Australian Electoral Commission has a similar system but you can disappear easily from it by moving or never registering to vote – and of course children are not covered by the AEC – and you have to search one at a time.

It seems to me the sheer number of people who can access this environment make it virtually certain there will be abuse and it will be very hard to detect such abuse as those who do it can just claim typing inaccuracy.

It seems to me making sure such a facility is not abused and that no harm will flow is another very good reason to conduct a range of scaled pilots of a live and working system.

If there are clever, and possibly other, ways to abuse the HI Service we need to find out sooner rather than later. There is really only one way to do this and that is live progressively scaled testing.



Anonymous said...

The hard part with protecting sensitive information in health is that for the 99.9% of clinical staff, extra processes or restrictions stops them getting their jobs done. And the 0.1% intending misuse will still find a way to abuse it.

Even the top of the range solutions such as smartcards for clinicians to control access can be bypassed - just look at the NHS experience or sharing cards between nurses. Biometrics? Ask clinicians how many will tolerate fingerprints (or worse) in the real world just to confirm a number...

The HI service is not intended as a demographics service. The address is only used as a fallback in the situation of Medicare card not presented. And the person making the query has to already know the address!

And yet the situation you highlight now opens another way that a system intended to help improve healthcare can be abused by the 1 in 1000 who intend crookery.

Here is an interesting exercise. Weigh the benefits of a unique identifier against the weight of controls required to prevent any misuse of surrounding information.

The controls would smother HI out of existence. Nobody would tolerate the onerous processes required to prevent validating an address which the person querying *already knew*.

This is lesson which should come from a trial, not that Nurse Betty can confirm her ex-boyfriend still has the same address recorded in the system.

David, you can make this sound like a big problem. But is it?

And if it is, how would you propose that NEHTA actually fix it? Not just discover the problem (which can be done from the comfort of a blogging site), but to actually fix real issues for real clinical usage. What is the actual answer?

I suspect that there isn't ever going to be a clear answer where one thing is right and another is wrong. It's like politics - it's easy to campaign in black and white, but you end up governing in grey...

Dr David G More MB PhD said...

"David, you can make this sound like a big problem. But is it?"

We can only know if we actually do proper trials. This has been something I have been suggesting for a while now.

The old precautionary principle!


John Johnston said...

There should not be any contest to the submission that a series of initial implementations in a range of primary health and hospital settings would be highly appropriate. This would help shake out issues that are big or small. Examples of settings could be Aboriginal Health, General Practice Collaborative care, Domiciliary and Residential Aged Care, the prisons system etc. I did propose that from the floor at the release of the UHI strategy in Canberra last year and Peter Fleming's response was "Absolutely!!" Perhaps that is the intention. I do object, however, to the anonymous criticism levelled at David More in the context of his comment "from the comfort of the blogging site". You have to read a lot, and study a lot of detail to come up with some of this stuff and the "More view" helps me and my company stay aware of the issues in the eHealth environment.

Anonymous said...

"Peter Fleming's response was "Absolutely!!" Perhaps that is the intention."

Well, forgive me fr stating the bleeding obvious but if Mr Fleming was prepared to confirm that some initial implementations would be undertaken together with the characteristics and parameters of such implementations then David More would be happier, Senate Estimates would be happier, and a whole lot of other stakeholders would be happier and everyone would be 'smiling' with Peter Fleming. A win-win, smile-smile outcome for all. So come on down Peter, let's hear it from you.

Anonymous said...

Peter Fleming's organisation is not responsible for the implementation. That responsibility I believe vests with Medicare Australia. If that is so then Peter is unable to give any undertakings on the manner of implementation because he doesn't have the authority. But that of course shouldn't stop him and NEHTA making a recommendation about the optimal, risk minimized approach to implementation, testing, validation, evaluation and proof-of-concept preparatory to a nation-wide rollout. This surely in NEHTA's responsibility. All summed up in one word - leadership.

Anonymous said...

The next health worker to see my newborn child will probably be my GP. At the same time my GP will also examine me so I too will need a Personal Health Identifier. I presume that I will already have one issued to me at the time my baby is born, or if I have been seen my GP before my baby is born I might already have had a number issued by my GP. Have I got that right?

Will my baby's Personal Health Identifier be linked to mine in some way just like my doctor does today with his medical record system which links me with my other children and my husband all together in a family group?

Anonymous said...

My Personal Health Identifier number will be very important to me. I've been thinking about the lady and her baby above. Most of us have to go to our GP when we use the health system, at least until we get referred, or sent of for Xrays or pathology or whatever. So, doesn't it make sense for the GP to be the first port of call so to speak where we first get issued with a Personal Health Identifier?

The GP maintains my basic medical record. I would be happy if my GP was the central point for keeping my electronic health record even if not being the place where it is stored. Why can't government give my GP the facilities needed to let that happen?

Anonymous said...

To the two anonymous writers above:

The Health Identifier is not the Health Record. At the moment there is no integrated (cross practice) health record (called IEHR). This may come later. Most GPs now have computerised health records, but these are accessible only by the doctor.

Initially the Health Identifier will be used in Health Messages. A Health Message is sent from one place to another to pass information about a health event. For instance, a Hospital Discharge message can be sent from the Hospital to your GP detailing what happened while you were in hospital. Pathology results are another Health Message which is sent from a Pathology Lab to a GP.

The Health Messages already exist. The Health Identifier allows the receiver of the message to easily match the received message to their medical records system.

The debate around the IEHR needs to happen at sometime, but the HI Service is quite independent.