
Tuesday, August 07, 2018

Bernard Robertson-Dunn Brings The Threads Together - Clarifies The Key Issues I Believe!

Bernard sent this to me yesterday.

Privacy, Trust and My Health Record, or The Spy in The Consulting Room

This was first published in Privacy Unbound, the Journal of the International Association of Privacy Professionals ANZ (iappANZ) Edition no. 85, August 2018

1    Introduction

Dr Bernard Robertson-Dunn is an electronic and automation engineer, has a PhD in modelling the electrical activity in the human small intestine and has had over forty years modelling, architecting and designing large scale information systems, mostly in government environments.
These include the Departments of Health, Finance, Immigration and Defence. Bernard has been following the progress of, and has contributed to, the debate on the My Health Record for over ten years. He has no association or affiliation with any vendor or government organisation. Bernard is chair of the Health Committee of the Australian Privacy Foundation.
The views in this article are his considered opinion and are provided to Privacy Unbound to give a broad contextual analysis of the issues surrounding health records and My Health Record in particular.

2    A Medical Record primer

Back in the day, when General Practitioners wrote on paper with black ink about the consultation they had just had with their patient, there was an implied joint contract and mutual trust. The doctor wanted to remember what their patient’s symptoms were, what he (they were nearly always he in those days) had prescribed and his musings and guesses as to what you were suffering from. You didn’t have to know or remember what you were suffering from. You both had an interest in the existence of the record. It was written by and for the doctor, you never saw it and it was called a medical record.
There was a reasonable balance between two parties with different but compatible and complementary objectives. You trusted your GP to keep your data confidential and do their best to make and keep you well; the GP wanted to stay in business and he valued his reputation.

3    Automation

Then along came computers. Initially all they did was store the same information in the same manner as did the paper records. There was the odd downside; computers are more expensive than pen and paper; GPs had to learn how to use a keyboard and how to operate a computer. The relationship between patient and GP didn’t change much. The GP probably spent more time looking at a computer screen than they did when they used pen and paper, but that was seen as a small price to pay for improved record keeping.
It was a similar situation in those hospitals that implemented electronic health records. There are some horrendous tales of failed IT projects, but that is not particularly uncommon in such complex environments.
With early computerisation, the situation regarding privacy, confidentiality and trust between patient and health care provider was largely unchanged. The IT systems were more prone to single points of failure, to ransomware and to data breaches, but these were issues that could be solved with proper management and attention to technology.
There were, and still are, some major problems with the access to, and management of, health care information. Much data is transferred via fax, only a small amount of information is interchanged, and sometimes data exists but this is unknown to health providers who could benefit from having it available.
However, the old medical record systems did have one advantage. Only those involved in a particular aspect of a patient’s care had access to the patient’s data about that care. Poor sharing of data was a two-edged sword. It was privacy enhancing but there were clinical downsides.
When it comes to addressing some of the problems facing data management in the health care system – better access to health information dispersed throughout a large, multifaceted industry – there are two potential approaches. These can be summarised as decentralised or centralised.

4    Distributed Health Eco-systems

A decentralised, or distributed system would create a mechanism for identifying the location of a patient’s health data and allowing a health provider to access that data. There would need to be a mechanism for implementing a need to know principle – i.e. a health provider could only see that data they needed to in order to treat or advise their patient. The holder of that information would be responsible for granting access to the data.
All data could remain where it was, thus not complicating data consistency, which would occur if data were copied from one system to another. However, there may be a good argument that there should be a single source of truth, which would logically be the patient’s primary health provider – their GP.
A distributed system has the added advantage of being far more resilient, and thus more reliable, than a centralised one, which is at risk of being overloaded in times of high usage, e.g. in an epidemic or bio-hazard situation, or prone to failure due to power or communication loss. It is far less risky to have clinical systems located as close as practical to the point of care.
A distributed system has the characteristics of a virtual health ecosystem, rather than a health record. Additional capabilities at the health provider level can include such integrated functions as appointments, repeat prescription requests and patient portal access to relevant information. Such systems are being implemented overseas.
The result would be an ecosystem of health information in which a virtual medical record existed. This record, although distributed, could be made available to systems that could undertake complex analysis and predictive functions that would assist health providers in their diagnosis and treatment of patients. The major characteristics would be flexibility, coexistence of a variety of capabilities and a platform for small scale innovation that would scale or find a niche if useful, or atrophy if not.
The privacy, trust and confidentiality issues would not be unduly challenged; the symmetry of need between patient and health provider would be retained. The health provider would be responsible for maintaining patient privacy and the patient would only need to trust a single party.

5    Centralised Health Records

The alternative is a centralised system such as My Health Record. This requires a database at the hub and a system which acquires and stores data. If it only passed on the data and did not retain it, it would functionally be the same as a distributed system.
A centralised system results in the database becoming the defining feature of the health information ecosystem. Innovation is stifled because compatibility with the database is essential. In a distributed system, local innovation is possible and preferable – it can be tested and assessed locally. Change in a centralised system is totally dependent on the hub and would need to happen globally.
The primary issue of a centralised system is “who owns the database in the hub?” Ownership bestows significant privileges; the owner runs the system and any access rules do not apply to the owner.
This single characteristic completely changes the dynamics of the health data environment.
Now there are three parties – the patient, the health provider and the system owner. In the case of My Health Record, this is the Australian Digital Health Agency, an Australian government entity that both reports to, and is funded by, the Federal Minister for Health.
What was a symmetry of needs between the patient and their health provider is fundamentally altered. Not just changed but distorted.
If the health provider is a GP, then a number of changes are introduced into the interaction between the GP and their patient. My Health Record is an additional, summary system over and above the GP’s clinical support system. Uploading data into My Health Record is not a simple matter of a few clicks. The AMA has produced a set of guidelines [1] that GPs are supposed to follow. It is a 27 page document and following it takes time out of a consultation to manage a patient’s My Health Record.
In addition, and this is a significant issue, the government, through a variety of mechanisms, pays the GP to provide the patient’s data. It could be argued that this is “selling” patient data to the government. This may or may not be a valid description, but it does introduce a real or perceived conflict of interest. The patient suffers from less attention; the GP is paid for something that does not involve treating the patient. The patient may not be happy with the financial arrangement and may perceive a conflict of interest. This issue has the potential to have a negative impact on the trust between the patient and their GP.
The relationship between the GP and the government is primarily financial. The GP gains little or no benefit; they already have the data. The GP still gets data from other providers via the traditional mechanisms – fax or email. Data that is not provided to GPs may or may not be uploaded to My Health Record. Patients have the option of requesting that pathology labs or specialists do not upload data. There is no guarantee that data that a new GP or an A&E department would like to see is in My Health Record. In short, it is unreliable. There are also reports that data is sometimes incorrect or uploaded to the wrong patient, resulting in either compromised treatment or the need for a patient to spend significant time and effort correcting the error, if they discover it.
The relationship between the patient and the Federal government, a funding agent, is totally unnecessary for the delivery of health care. However, it represents a real and potential problem for the patient. Why does the Federal Government want such detailed health data? This is a question that has never been answered satisfactorily. There is an argument that the government needs aggregated data in order to develop policy, but there is no rationale for more detailed data. Furthermore, there is a suggestion that it could match detailed health data to its existing payment data looking for patterns of health care decisions by health providers; but this is only supposition. However, this uncertainty does nothing to engender trust.
The existence of a centralised database means that data from different providers will be stored in a single location; data which is available to anyone authorised to see the record. The inherent privacy advantages of a distributed system, where only the originating health provider has access, are nullified. In order to retain the trust levels inherent in a distributed system there needs to be an access control mechanism that, at a minimum, mimics that of the old system. My Health Record does not provide this. My Health Record has a complicated, poorly implemented set of access controls that require the patient to take responsibility for monitoring and managing access controls. In a similar way that automation has failed to help GPs manage input and usage of data in their clinical system, My Health Record has introduced extra responsibilities into the management of a patient’s health data. This is a responsibility that most patients are unaware of, and are potentially unable to take on. If they don’t, their privacy is at risk from third parties.
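The following Python model is an added illustration of the two architectures contrasted in sections 4 and 5; it is not code from the article, from the Australian Digital Health Agency or from My Health Record. A distributed design keeps only pointers in the locator and lets each data holder make and log its own access decision under a need-to-know rule; a centralised design copies everything into one store whose owner is exempt from the access rules and whose records are readable by any clinician until the patient takes the step of restricting them. The holder names, roles, the care-team rule and the default-open behaviour are assumptions chosen for the illustration, not a description of the real system's access model.

```python
"""Toy model of distributed versus centralised access to health records.

Constructed example, not code from the article or from My Health Record.
Roles, holder names and the need-to-know rule are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Requester:
    identity: str
    role: str                                    # "clinician" or "operator" (assumed roles)
    care_team_for: FrozenSet[str] = frozenset()  # patient ids this clinician is treating


@dataclass
class DataHolder:
    """A GP practice or pathology lab: keeps its own records and decides access itself."""
    name: str
    records: Dict[str, List[str]] = field(default_factory=dict)   # patient -> documents
    audit: List[Tuple[str, str, bool]] = field(default_factory=list)

    def read(self, who: Requester, patient: str) -> List[str]:
        # Assumed need-to-know rule: only a clinician currently on this patient's
        # care team may read. Every attempt is logged by the holder, not by a hub.
        allowed = who.role == "clinician" and patient in who.care_team_for
        self.audit.append((who.identity, patient, allowed))
        return list(self.records.get(patient, [])) if allowed else []


class RecordLocator:
    """Index of where a patient's data lives; holds pointers, never clinical content."""

    def __init__(self) -> None:
        self._index: Dict[str, Set[str]] = {}

    def register(self, patient: str, holder: DataHolder) -> None:
        self._index.setdefault(patient, set()).add(holder.name)

    def locate(self, patient: str) -> Set[str]:
        return set(self._index.get(patient, set()))


def distributed_read(locator: RecordLocator, holders: Dict[str, DataHolder],
                     who: Requester, patient: str) -> List[str]:
    """Resolve pointers, then ask each holder; the holder makes the access decision."""
    docs: List[str] = []
    for name in sorted(locator.locate(patient)):
        docs.extend(holders[name].read(who, patient))
    return docs


class CentralHub:
    """Copies of everyone's records in one database run by one owner."""

    def __init__(self) -> None:
        self.store: Dict[str, List[str]] = {}
        self.restricted: Set[str] = set()   # patients who have actively locked their record
        self.audit: List[Tuple[str, str, bool]] = []

    def upload(self, patient: str, docs: List[str]) -> None:
        self.store.setdefault(patient, []).extend(docs)

    def read(self, who: Requester, patient: str) -> List[str]:
        if who.role == "operator":
            allowed = True   # the owner runs the system; the access rules do not bind it
        else:
            # Assumed default-open model: any clinician can read unless the patient
            # has done the work of restricting the record.
            allowed = who.role == "clinician" and patient not in self.restricted
        self.audit.append((who.identity, patient, allowed))
        return list(self.store.get(patient, [])) if allowed else []


def demo() -> Dict[str, object]:
    """Constructed scenario: one patient, two holders, three requesters."""
    gp = DataHolder("gp_practice", {"p1": ["gp-note-1"]})
    lab = DataHolder("path_lab", {"p1": ["fbc-result"]})
    holders = {h.name: h for h in (gp, lab)}
    locator = RecordLocator()
    for h in holders.values():
        locator.register("p1", h)

    treating = Requester("dr_a", "clinician", frozenset({"p1"}))
    unrelated = Requester("dr_b", "clinician", frozenset({"p2"}))
    operator = Requester("hub_admin", "operator")

    hub = CentralHub()
    for h in holders.values():
        hub.upload("p1", h.records["p1"])

    out: Dict[str, object] = {
        "locator_holds": locator.locate("p1"),        # names only, no clinical data
        "dist_treating": distributed_read(locator, holders, treating, "p1"),
        "dist_unrelated": distributed_read(locator, holders, unrelated, "p1"),
        "dist_operator": distributed_read(locator, holders, operator, "p1"),
        "hub_unrelated": hub.read(unrelated, "p1"),
        "hub_operator": hub.read(operator, "p1"),
    }
    hub.restricted.add("p1")   # the patient, not the system, has to lock the record
    out["hub_unrelated_after_lock"] = hub.read(unrelated, "p1")
    out["hub_operator_after_lock"] = hub.read(operator, "p1")
    out["holder_audit_entries"] = len(gp.audit) + len(lab.audit)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the two points the text makes: in the distributed model the locator holds nothing worth stealing, an unrelated clinician and the index operator both get an empty result and every attempt lands in the holder's own audit log; in the hub model the unrelated clinician reads the full record until the patient restricts it, and the operator reads it regardless.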

6    Privacy and My Health Record

The symmetry of the original relationship between patient and GP has now been destroyed. To some, there is now the feeling that there is a spy in the consulting room – the government. In addition, the effort required by the patient to manage their own data has been increased. Hardly an improvement.
The government introduced legislation in 2016 that set the scene to make the system opt-out. Australians now have a three month window in which to tell the government they do not want to be automatically registered for a My Health Record.
In order to enable an opt-out approach the government has had to remove the need to obtain explicit consent to register people and to acquire and disseminate their health data.
Because of the change to My Health Record from opt-in to opt-out, the legislation, especially that in Section 70 has recently become a major issue.
Section 70 includes a wide range of circumstances in which the system owner can release or make available My Health Record data. These include providing data to courts, tribunals, coroners and to other government agencies “in the protection of the public revenue”. This last item has never been defined by the government but appears to be related to investigation of fraud and applies to any government, state or federal, that is able to impose fines.
The courts have long been able to subpoena health data from a health provider but, according to a report from the Parliamentary Library [2], the ease with which documents can now be obtained has been significantly increased. This report contradicts the Health Minister’s claims that a warrant is necessary to obtain information under Section 70. The Library also makes the observation that the legislation is a major weakening of existing protections around health records. The Minister has also been contradicted by the Queensland Police Union [3]. That the Minister for Health, himself a lawyer, is seen to be (allegedly) misrepresenting the legal standing of My Health Record is not adding to the trust Australians might have had in the system.
The Minister did not add to a feeling of trust or enhance his credibility when the Parliamentary Library withdrew the original document and replaced it with another, revised version.
Even the Human Rights Commissioner has concerns about confidence in the privacy and security of the system and wants the government to improve privacy protections. “I think we can do better. We definitely are saying that there are problems with My Health Record,” he told the ABC [4].

7    Conclusions

Unfortunately, there are significant consequences from having the government both own the system and set the laws and regulations that govern it. The big problem is that a government in the future could change the rules to permit easier access to My Health Record data [5]. What those changes might be is a matter of guesswork and supposition, but they are likely to be unsettling to a population that has already rejected several Identity Card/Number initiatives.
Privacy seems to matter to many Australians and they are not routinely likely to trust government initiatives, especially after problems with the recent census and the so-called Robodebt debacle, the result of the ATO and Centrelink sharing and linking data, something the government has expressed a desire to do more often with data from other agencies, including Health. We do not know if that will include My Health Record data, but it could, in the future.
How the My Health Record initiative will all turn out is a matter of conjecture. What is certain is that My Health Record, if widely adopted by patients and health providers, will have major consequences for the dynamics of the health care system in Australia. Patients will need to become more involved in the management of their own summary health data; GPs will need to spend more time managing health record systems – their own and the government’s; and the government will need to continue funding, maintaining and operating the system as well as protecting the data for the foreseeable future. The cost of this system is currently over AUD 2 billion; what the return on this investment will be is not yet known.
Even if the issue of government ownership is resolved, there are other characteristics of a centralised system that make its use and effectiveness problematic and questionable. In summary these include:
  • The security of a system that is attached to the internet;
  • The system is designed to promote data being downloaded to other systems with fewer controls and less visibility;
  • The responsibility for accuracy, currency and completeness lies with the patient;
  • The significant cost and effort required by patients and GPs to maintain the system.
These are significant obstacles to making any centralised system acceptable for clinical use.
From a privacy and trust perspective, the distributed approach has much to recommend it. The simple yet important relationship between a GP and their patient is a significant driver in the maintenance of a high degree of privacy. Both have a lot to lose. The introduction of a third party, the federal government, apart from distorting the privacy trust relationship is also an asymmetry of power. Taking on the government is no trivial task and only one has a lot to lose.
My Health Record, even after six years of operation, is still very much a work in progress. The government is currently going through a market testing process that is looking at completely revamping the system. This is an implicit acknowledgement that the system as it exists is not fit for purpose.
It is possible, even likely, that over the opt-out period public reaction will result in the government changing its mind regarding such things as the legislation that protects the privacy of My Health Record users. Unfortunately there are two characteristics that cannot be changed.
  1. My Health Record means the government acquires and keeps highly personal health data. It can also potentially track the behaviour and performance of health providers.
  2. The government has already changed the legislation from opt-in, with a need to get a patient’s consent, to opt-out, with no need to get consent. At the end of the second week of the opt-out period, the government has been forced by statements made by the AMA and the Queensland Police to change the legislation to “remove ambiguity” and improve the protection of Australians’ privacy.
What has the potential to totally destroy any trust people may have in the government is the reality that in our political system there is nothing to stop this or future governments from further changing the privacy protection.
Not only is My Health Record a work in progress, so is the government’s attempt to persuade Australians to adopt this scheme. Unfortunately for the government the twin problems of a lack of a guarantee regarding future governments and the reality that there is a better, cheaper, more flexible system with inherently better privacy protection means they have a difficult job ahead.


[1] AMA, Guide to Medical Practitioners on the use of the Personally Controlled Electronic Health Record System
[2] Parliamentary Library, Law enforcement access to My Health Record data
Both the original and revised versions and a comparison are available through this site:
[3] My Health Record: Greg Hunt’s warrant claims contradicted by police union
[4] My Health Record needs privacy improvements to restore public confidence: Human Rights Commissioner
[5] My Health Record: it’s worse than you think

Here is the link:


Enjoy the read.



Anonymous said...

Very well put together, Bernard. With the national drought providing optimal space for those who continue to stick their heads in the sand, I want to move beyond the protection of my privacy to what happens when my identity is stolen. Unsurprisingly there is no guidance from ADOHA on what steps I should take if my identity has been compromised and is actively being used for fraudulent purposes.

So how do I protect myself? Given the consequences outlined by the Australian Cybercrime Online Reporting Network

What can happen as a result of identity theft?

If a criminal steals your identity, they may use it to:

trick your bank or financial institution into giving them access to your money and other accounts,
open new accounts and build up debts in your name which can ruin your credit rating,
take control of your accounts, including by changing the address on your credit card or other accounts so you don’t receive statements and don’t realise there is a problem,
open a phone, internet or other service account in your name,
claim government benefits in your name,
lodge fraudulent claims for tax refunds in your name and preventing you from being able to lodge your legitimate return,
use your name to plan or commit criminal activity, and
pretend to be you to embarrass or misrepresent you, such as through social media.
Identity theft can be both financially and emotionally distressing for victims. Once your identity has been stolen it can be difficult to recover. You may have problems for years to come.

Peter said...

Hear hear.
The security issues with MyHR are a consequence of the architecture and any fix at this stage is just patching over the holes.
And, as has been discussed here, security is only one of the problems with the existing design. It just happens to be the one that people have focused on.

BTW - The Conversation (https://theconversation.com/my-health-record-deleting-personal-information-from-databases-is-harder-than-it-sounds-100962) last week had an interesting article on another aspect of opting out.

Anonymous said...

So what we do know is the future is a possible redesign; the government is asking me to participate in a system that is likely to change both in design and risk profile. It is likely to be based on FHIR, a standard that is not proven at this scale or function. At least if my bank or airline does this I can shift to another bank or airline. The government does not provide me this choice. Why?

Grahame Grieve said...

"It is likely to be based on FHIR, a standard that is not proven at this scale or function"

it's certainly true that it's likely to be based on FHIR. It's also certainly true that FHIR is not yet proven at this scale or function. Well, sort of true.

In terms of scale... FHIR is just a profile on web technologies, and they are certainly proven at much bigger scale than this. There's no other candidate standard that has that kind of demonstrated scale for its technical base. Of course, that says nothing about any particular implementation of the standard (plenty of scope to get things wrong).

In terms of functionality... there's no other standard that has proof for this yet either. Unless you attempt to count the current approach: XDS + CDA. That's proven to work well for a subset of what MyHR is trying to do now, and not well for the rest. And not proven for any of the things that are proposed to be added.

It's my view that at this point, FHIR or no is not the point; replacing the present system with a functionally equivalent one entirely based on FHIR would be a fractional improvement that wouldn't justify the outlay (by a long way).

The thing we should do as a community is figure out what we do want to have for a platform for innovation, what clinical functionality it should have, and why. (And which bits should be provided/hosted by the government, which by healthcare providers, and which by 3rd party specialists). When you have all that, then the choice of standards would follow. (Only, would that it were so simple; such requirements analysis is always constrained by what's possible, so it must proceed hand-in-glove with grounded standards analysis. But we want to be at least led by community based requirements analysis, otherwise we'll just get 'better because of FHIR' without actually fixing things up.)

Anonymous said...

All very reasonable steps, Grahame. I was sloppy using FHIR; it could be any standard. What is more concerning is we are being opted into a system that very shortly will be redesigned and more than likely under a new operating partner. On top of legislative changes and now the function to be able to permanently delete records, the conditions have changed; surely any contract between the government and citizen is questionable. If they are serious about replatforming, now is the time to stop conscription. Just seems too risky and I am surprised Labor is willing to inherit this gift horse.

Anonymous said...

Agree with @4:51 PM. The contract (if ever there was one) is null and void. The system itself is broken and does not support a clinical or business model. The Government should quietly back out. The ADHA is not equipped to operate such a prize and certainly does not harbour the skills or depth of knowledge to conduct a national requirements and design project. The CEO has damaged the brand of the ADHA, the Minister and digital health.

It is well documented and becoming more evident that the culture in aspects of ADHA is not one to take us forward.

Anonymous said...

No, no! Please don't turn it off or set it on FHIR. All the children might die.