Tuesday, November 13, 2012

The E-Prescribing Saga Is Just Going On And On. Will It Ever Be Sorted?

As followers of the evolving ePIP requirements for receipt of the Government e-Health Incentives will be aware there are 5 different capabilities a fully compliant system has to deliver for the clinician.
Here is a broad outline of the aspects covered:

eHealth Incentive Introduction

The eHealth incentive aims to encourage general practices to keep up to date with the latest developments in eHealth to assist in improving administration processes and enhancing the quality of patient care by, for example, by supporting the capacity to share accurate electronic patient records.
The Australian Government announced as part of the 2012-13 Budget that new PIP eHealth Incentive requirements had been developed in order to support the delivery of current eHealth initiatives particularly the personally controlled electronic health (eHealth) records system.
The new requirements and associated dates are:
Integrating Healthcare Identifiers into Electronic Practice Records
1 February 2013
Secure Messaging
1 February 2013
Data Records and Clinical Coding
1 February 2013
Electronic Transfer of Prescriptions
1 February 2013
1 May 2013
The site is found here:
What is of interest today is e-prescribing - noting that this has to be in place in less than three months.

Electronic Transfer of Prescriptions

The practice software system must be able to send an electronic prescription to a Prescription Exchange Service (PES) operator for later retrieval by a dispenser at the time of dispensing.
Oddly there are no conformance requirements:
“The practice software system must be able to send an electronic prescription to a Prescription Exchange Service (PES) operator for later retrieval by a dispenser at the time of dispensing.
There are no current CCA software conformance requirements for practice systems for the Electronic Transfer of Prescriptions (ETP).
If your software product is able to send an electronic prescription to a PES operator you can complete the Declaration of Conformity form and request to be recorded in the PIP eHealth Product Register using the Registration page.”
As of 11/11/2012 there are 2 private (and presently non-interoperable) prescription exchanges operating (MediSecure and eRx) and no standards finalised on ETP.
You can read about what is expected here:
You can read all about the exchanges here:
and here:
Interestingly there are now suggestions that the private providers will be both paid for their transactions under arrangements with the pharmacists and also be what is needed to get the medical e-PIP payments through until June 2014.
Seems to me they will be so settled in by then they will become permanent way things are done in OZ.
This is a classic example of where DoHA and NEHTA leadership and governance have clearly failed. They have been mucking about will all this for close to a decade already.
I wonder when we will see full interoperability between the two exchanges, instigated by the private providers themselves I suspect, and hopefully supported by Government. It is about time if we are to get the benefits prescription exchange can offer.
I have yet to spot any announcements in this area - let me know if you have - and, as we know, the ETP Standards via Standards Australia are a little way off yet (to say the least) so no real early hope there.


Anonymous said...

Elementary my Dear Watson.

DOHA/NEHTA relish being the Bully around the Healthcare sector until they themselves are bullied by an even bigger bully, that being The Pharmacy Guild.

While the Guild has our Health Ministers in their back pockets and the "Community Pharmacy Agreement" continues to underpin the Guild's Cartel and anti-competitive practices, the state of play will continue to be what the current state of play is, and that's not for the best interests and benefit of Australia’s Taxpayers and Patients.

Anonymous said...

Dear David what exactly do you mean by "Seems to me they will be so settled in by then they will become permanent way things are done in OZ."?

They are both private sector health software developers. Are you suggesting their systems will not or do not work? Or are you suggesting private sector vendors are not capable of doing the job which NEHTA and DOHA have failed to do? What is your problem? You have complained long and loud with much justification about the way DOHA and NEHTA have neglected to involve the private sector. Now that the private sector is in a position to deliver a working ehealth solution around a high priority ehealth application surely you should be jumping for joy that at last we will see something of substance working. I am sorry if I have misinterpreted you but it does seem as though you are not happy.

Dr David More MB PhD FACHI said...

No. I am so sick of DoHA / NEHTA fannying about that the time has come to just ignore them and for the private sector to do this properly and get rid on the dead hand of these incompetent bureaucrats.

I hope they will.

I hope that is clear enough!


Anonymous said...

The facts:

1. Interoperability is being developed as we speak and is scheduled to be delivered in the next few months.

2. The ETP ATS should be published by March 2013 but it is not an Australian Standard. Work on the AS is yet to start.

3. The payment to pharmacists which is passed through to the vendors is 15c per eligible prescription and has been around since the start of the 5CPA.

Anonymous said...

What does "Work on the Australian Standard is yet to start" really mean?

Has an AS been defined and signed off by all stakeholders?

If not when will it be agreed and signed off?

Who will fund the development work once it has been signed off?

How long will development work take if it is fully funded?

Have the stakeholders been identified and who are they?

Anonymous said...

Fact: ETP and interchanges are risky yet there is no CCA process in place to mitigate against ETP risk yet we are seeing $10s of millions being used to incentivise people to use the system at both the GP and Pharmacist end with out best practices in place.

I thought object of eHealth, NEHTA,PIP and DOHA was to make things safer - not encourage rapid uptake of unknown/unsafe systems.

Anonymous said...

Fact: there is a marked semantic difference between Fact, Fiction and Opinion.

Opinion: looks like someone needs to get a better grip of the "Facts" and recognise their own "Opinion" when they spout it.

Fiction: that any of this makes the least bit of difference to DOHA, NEHTA and the Pharmacy Guild as they pilfer the Australian Taxpayers to the tune of $$Billions$$

Anonymous said...

If 11/14/2012 08:37:00 AM removed the blinkers it would be patently obvious that once interoperability between the two script exchanges is in place and working it should then be relatively straightforward for NEHTA and DOHA to collaborate with the two script exchanges to finalise CCA matters.

Keith said...

From the evidence I doubt that the private sector is capable of doing what NEHTA has failed to do, namely to agree upon national standards and implement system that conform to those standards. As far as I know both eRx and Medisecure have produced competent prescription exchanges. Either would do the job. But they can't talk to each other! Some months ago there was an announcement that the two companies are working together to achieve compatibility and interworking between the two exchanges. No timeline given, and no further announcements. These two systems have both existed for years, and it's been clear that for most of that time there has been no intention of achieving compatibility. NEHTA promoted a standard (ETP 1.1 of Dec 2010) which is so flawed that since February this yeaer the doceuments have been prefaced with a warning that the the standard is "for information purposes only" and that it will be superseded by a new version in "mid-2012". I'd call that situation a failure on all sides, or in current parlance an "omnishambles". If one needed further evidence that private industry is incapable of working together to achieve a national system, just look at the secure messaging situation. At least a dozen solutions, each with its own market share, and negligible evidence of interworking in spite of numerous announcements and "connectathons" going back several years.

It's worth noting that true electronic transfer of prescriptions is dependent on doctors being able to sign electronic documents digitally. To do that each doctor must have a suitable personal PKI certificate. NASH was supposed to provide those, but since the failure of NASH and the substitution of a "Clayton's NASH" it is doubtful that we have the capability to distribute 30,000 or so PKI certificates. One certainly can't see that happening by the end of January!

Anonymous said...

Keith, perhaps DOHA and NEHTA don't want eprescribing to happen. If they did surely they would get together with eRx and Medisecure to ask them how they can make it happen and what do we the government need to do to support you both.

Let's face it - they only have to deal with two vendors as they already have APIs to most of the clinical and pharmacy systems.

Anonymous said...

"It's worth noting that true electronic transfer of prescriptions is dependent on doctors being able to sign electronic documents digitally. To do that each doctor must have a suitable personal PKI certificate."

Excuse my ignorance, but what actually constitutes an 'electronic signature' for a prescription being sent to an exchange? If the GP has individually logged in to his practice's system, and then is authorised by that system to construct an electronic prescription document, and then the system uses PKI with certificates at the organisation level to send a transaction (containing the prescription document with the doctor's identifier, prescriber number etc) to the exchange - why is that not OK? After all you can clearly trace the prescription back to the individual doctor who constructed it? The messaging between the practice and the exchange uses PKI. And the document, the prescription, has the individual doctor's HPI-I and prescriber number it, so we know who it is. Please explain why the document itself, the prescription, needs to have an individual certificate on it? I just don't get it…I am waiting for the light globe AHAA moment, so someone please enlighten me…

Andrew Patterson said...

What constitues an electronic signature for prescriptions is whatever meets the relevant state regulations. All state jurisdictions are now in the basic form

A valid prescription is blah blah blah
a) with a hand written signature
b) signed in a manner writing approved by the Secretary etc

The Vic regulations for instance


Digital signatures were 'approved' for the e-prescribing trial in the NT
a few years back but I am unaware of what has happened since. So all the
state health ministers have to agree on what constitutes an electronic signature
for prescribing purposes.

Then, once you get over the state regulatory hurdle, you have to meet
the PBS regulations if you want your patient to be able to claim against PBS


So when it comes to the pointy end of e-prescribing, the ball really is in the court of the government - its not something that can be solved purely by private enterprise (I mean that in the sense that the government has stuck itself legally in the way of achieving this, not that script hubs wouldn't be able to come up with perfectly good ways of doing digital signing).

But, the aged care prescribing off medcharts thing got done pretty quickly - so maybe proper legal e-prescribing could be done quite quickly as well with a bit of leadership.

Andrew McIntyre said...

An individual digital signature is essential to stop bogus scripts being generated by staff members of cleaners.

Forging of scripts is a significant issue in the paper world and only and individual signature that is part of the script itself can hope to solve this. The HL7v2 digital signature standard can achieve this withing the HL7v2 prescription standard, so its doable now.

Anonymous said...

TTBOMK, neither of the Prescription Exchange vendors, or NEHTA, are using HL7 v2 messaging in their ePrescribing solutions; so that's out of scope.

If a cleaner gained sufficient access to a PMS to create an ePrescription, and send it to the Exchange, then they would almost certainly be able to use the relevant provider's digital signature. By that stage the security walls would have been completely breached and the cleaner would have effectively stolen the clinician's eHealth identity!

Andrew McIntyre said...

Well Medisecure certainly had a v2 interface. I do not think you understan the difference between the level of security provided by an individual token and the password login to a pms system. They are orders of magnitude apart and access to a pms system should not provide access to an individual digital signature.

The fact is that we have a proven HL7v2 standard that does the job and nothing else workable at this time

Anonymous said...

eRx definitely doesn't use HL7 v2, so there might just be a working alternative to good old v2 messaging. Yes, there is a difference between a PMS login and a digital certificate, but one would expect a PMS to provide an end-user experience that enables clinicians to generate ePrescriptions with the relevant certificate being automatically added to the Prescription. Otherwise the process would be to cumbersome to use in the context of a busy GP practice.

Keith said...

Anonymous 11/15/2012 07:38:00 PM said...
"...Yes, there is a difference between a PMS login and a digital certificate, but one would expect a PMS to provide an end-user experience that enables clinicians to generate ePrescriptions with the relevant certificate being automatically added to the Prescription. Otherwise the process would be to (sic) cumbersome to use in the context of a busy GP practice."

As Andrew McIntyre has said there is a GULF of difference between the security level provided by a typical PMS account login and what is required for electronic prescriptions. I would expect the PMS to require some further explicit high-level authentication of the prescriber before generating a purely electronic prescription; I don't see it all happening automatically. Security always involves a tradeoff between what is convenient and what is safe. Note that eRx and Medisecure don't currently generate electronic prescriptions - they generate a paper document (which is the legal prescription) with an electronic copy to save some retyping of details. The systems may be capable of more (I hope so), but I think I've acurately described the current situation. With an electronic document the authentication method has to guarantee that the contents have not been altered since the document was written, and have to unequivocally identify the individual author. With prescriptions the stakes are quite high.

Andrew McIntyre said...

I think using standards for ePrescribing is a desirable attribute, ideally ones that work and have had scruitiny!! A national system based on add hoc formats doesn't sound good to me.

The individual signatures use a token/smartcard with the aim that it travels with the doctor and is not built into the system. Its 2 factor authentication, which we have proven to be usable with referrals with some basic support. To allow scripts without this level of security is silly and short sighted. The black market for scripts is huge and allowing anything less invites trouble.

Paul Fitzgerald said...

As I have mentioned on another post, the new privacy laws will require multi level authentication. As far as I know, none of the PMS have this and most have not worked out that this will be a need very soon - the legislation will be passed, if not before Christmas, in the first sitting next year. Providers do not realise that they have a problem looming with large fines for any breach - and do any of the PMS provide any way to actually know if there has been a privacy breach? Prescriptions are just a part of the picture - rad, path, referrals are all going to be under scrutiny. There is a locally developed solution which does address this.

Anonymous said...

11/16/2012 08:32:00 AM Paul Fitzgerald said... There is a locally developed solution which does address this.

Paul, would you be good enough please to share that with us? What solution are you referring to?

Paul Fitzgerald said...

Ah - David is very averse to "selling" on his site - and I am fine with that. email me at paulf@meridienhealthcare.com and I will send you some info.
David, please do let me know if this is not within the rules.

Dr David More MB PhD FACHI said...


Passing on useful information is just fine. I have no problem with commercial suppliers being both praised, recommended or the reverse as needed!

Just not so keen on utterly blatant advertising.


Andrew McIntyre said...

The Digital signatures in V2 Technical report provides for a solution that works with referrals, scripts and orders. That is locally developed and in the case of refferals has been used on a large scale. It is suitable for use with smartcards/usb tokens with individual certificates and satisfies the relevant requirements. It probably had more scruitiny han any other Standards Australia technical report is history!

Anonymous said...

Are the 'new privacy laws' referred to above contained in the Privacy Amendment (Enhancing Privacy Protection) Bill 2012? If so, it would be illuminating to know which clause mandates the use of multi-layer authentication in eHealth messaging. It is surprising if this would have escaped the attentions of the software vendors and, by implication, MISA.

If an additional layer of authentication will be required to digitally sign ePrescriptions, eReferrals, etc, that will be good news for vendors with biometric-based solutions. It's hard to see solutions that require typing in additional passwords being workable.

Then, as Keith noted above, there is the issue of managing digital certificates for each combination of provider and healthcare facility. How many of these will ultimately be required to enable each provider to perform the full set of EHR functionality?

While it's still possible for GPs to type in the details, print the prescription, sign it manually and hand it to the patient some may continue to view that as the better solution.

Andrew McIntyre said...

It's interesting that people want to keeo saying that it can't be done. At one point, before the requirements were watered down 70% of GPs on the Sunshine Coast were using individual tokens for referrals. The only onsite support they had was from a part time division support person. We did have the occasional problematic machine wrt drivers, but overall it worked well. Logging into a token when you login to your machine is not that difficult.

Digital signing of referrals/scripts/orders with individual keys is very doable with a small amount of effort, but the nay sayers, who don't understand the technology try and make out its impossible, but its not.

Considering the vast sums of money wasted on eHealth to date, the provision of support for GPs to have working individual tokens would be a drop in the bucket cost wise. Instead we blow $24M on a failed NASH to replace a PKI infrastructure that was already in place and working. The waste of taxpayers money is criminal.

Anonymous said...

Always interesting to note the inevitable silence when those who foretell the apocalyptic impact of upcoming legislation are requested to quote chapter and verse!

I'm also not quite sure how "logging into a token when you login in to your machine" solves the cleaner employee (mis)use case. If the provider is negligent enough to leave his machine on and logged into a PMS when leaves the office...

Anonymous said...

How bizarre. Is this another secret DOHA eHealth project?

Kate McDonald, in her Pulse+IT 20 Nov article on NEHTA funding secure messaging interconnectivity said Pulse+IT understands that the Department of Health and Ageing (DoHA) brokered the ePrescribing deal, although the department did not wish to comment and there is no word as yet whether that project will also be funded.

Hey - if it isn't being funded it should be. What has NEHTA got to say? Have these puppies lost their voices.

Anonymous said...

Another countdown has begun for DOHA, for NEHTA for vendors.

10 December
1 February

Will these self (DOHA, NEHTA) imposed deadlines be met or will we the vendors just be worn ragged to find the deadlines extended at the last minute?

On the other side of the fence will these deadlines leave any vendors out in the cold?

Anonymous said...

How about another countdown clock David?