Wednesday, June 16, 2021

This Seems To Be Another Example Of Government Just Running Riot Over Citizens Because They Can!

This appeared last week:

Privacy experts alarmed medical data is collected without consent

The health secrets of millions of Australians have been extracted from GP computers in a data grab without permission. See what it means for you.

Sue Dunlevy

June 11, 2021 - 8:24AM

News Corp Australia Network

Exclusive: The individual health records of almost 25 million Australians have been scraped from medical clinics under a secret data grab that has alarmed privacy experts.

The move has laid bare information on patients’ mental health, alcohol consumption, weight, sexually transmitted diseases and HIV.

In most cases the material is being collected by data firms without explicit patient consent and patients have not been given the opportunity to opt out.

The Australian Privacy Foundation said if the records were to fall into the wrong hands they could be used to blackmail powerful people, track down a domestic violence victim or by employers to vet job applicants.

They could also be used against a person with mental health problems in a custody battle.

“While almost 10 per cent of Australians opted out of My Health Record, most may be unaware they are giving consent to their default data upload, when they sign the patient registration form to see their own doctor,” Juanita Fernando, Health Committee Chair of the Australian Privacy Foundation said.

Doctors are providing the patient health information under the Primary Health Insights program via two data collection firms which give the files to 31 Primary Health Networks (PHNs).

These are administrative health regions established by the government and the Department of Health said they would use it to improve health care and determine where new health resources are needed.

IT consultant to the medical profession Paul Power who raised the alarm that saw privacy protections in the My Health record legislation substantially strengthened said the data could be a hacking target for China or Russia and nefarious actors.

The Office of the Australian Information Commissioner said patient protections were imperative.

“It is essential that privacy protections are in place when dealing with such sensitive information,” a spokesperson said.

General practices are meant to seek patient consent to take the data but those who have been seeing the same GP for many years are unlikely to have been explicitly informed or given their consent or the chance to opt out.

And some patients who did ask to opt out said it took three months for the process to happen; others were told by GPs they had no idea about the process.

The data is meant to be de-identified but when the Department of Health published “de-identified” health data of three million Australians in 2016, it took researchers at Melbourne University just three days to decode it and re-identify it.

In 2017 the Medicare numbers of Australians were found for sale on the dark web.

ANU researcher Dr Vanessa Teague, who was part of the team who re-identified the health data in 2016, said patient information containing Medicare or medicines information — or even the year a woman’s child was born — was the most vulnerable.

“It would be entirely inaccurate to describe it as de-identified,” she said.

More here:

https://www.couriermail.com.au/news/national/privacy-experts-alarmed-medical-data-is-collected-without-consent/news-story/7e2d7e8a224bdf3fe02f45e6bd8ec8a8

This program has been controversial since BC (Before COVID)

27 September 2019

PHN data arrangements a bit of a mess

By Penny Durham

GP bodies remain uneasy with data-sharing arrangements under the Practice Incentive Payment – Quality Improvement, despite having won a reprieve of sorts without sacrificing the payments promised.

The Australian GP Alliance (AGPA) and the RACGP say the incentive scheme is poorly designed, insecure and unready, but that the Health Department is “holding a financial gun to GPs’ heads”.

Worth up to $50,000 a year for the largest practices, the PIP QI requires the sharing of deidentified patient data with your Primary Health Network using data-extraction software supplied by the PHN, such as Polar or Pen CAT.

The data, which is deidentified before it leaves the practice, will be analysed at the PHN stage to yield 10 improvement measures (including the proportion of patients with smoking status recorded, the proportion of female patients with up-to-date cervical screening, and so on). The data will then be sent to the Australian Institute of Health and Welfare for national-level analysis.

The program went live on August 1 after several delays. The Health Department told The Medical Republic that in the first three weeks 4023 practices had registered for the incentive, or more than 65% of accredited general practices.

After the AGPA complained in July that the program risked compromising patient privacy and commercially sensitive information, the Health Department released a fact sheet clarifying the requirements, including the option to seek a time-limited exemption.

With the exemption, a practice that wishes to participate but does not wish to use the PHN-supplied software has, at most, 12 months in which to implement an acceptable alternative. During that year “practices will need to work in partnership with their local PHN to meet the other requirements of the PIP QI Incentive” but will not have to share any data, and they will still receive quarterly payments.

“The one-off exemption is for a maximum period of 12 months, or until a solution has been implemented, whichever occurs first,” the department told The Medical Republic.

AGPA board member and former AMA president Dr Mukesh Haikerwal told The Medical Republic this was still not satisfactory and the AGPA was writing to the department again to seek a different interim arrangement.

The department has made another concession for the first year of the program, agreeing that no data will be sent onwards. “PHNs will not provide data to the AIHW for the first 12 months of the PIP QI Incentive, however trial data exchanges will commence to ensure readiness for this to occur,” it said.

Dr Haikerwal said the AGPA wanted GPs to participate in the collection of quality data that would benefit the health system, but the data should go straight to the AIHW.

“We want them to participate in quality improvement, but we want to be sure that when they’re doing that, they’re not putting their practices or patients in jeopardy in terms of the data, because of the way it’s gathered, governed and passed on,” he said.

While the health department has justified using PHNs as the middleman by saying many practices already share data with their PHNs using supplied software, Dr Haikerwal said the PIP completely changed the premise and the expectations of the exercise.

The AGPA signatories to the original letter include other prominent GPs with a track record in digital health such as Dr Rob Hosking, Dr Karen Price and Dr Nathan Pinskier.

“The group of eight of us who wrote the letters, we’ve got around 35 years of average experience in the space,” Dr Haikerwal said. “We’ve actually pushed the whole e-health technology data, quality improvement agenda for that length of time. So it’s something that comes with a significant amount of knowledge and expertise.”

The department says it has consulted with all relevant doctor groups, citing representation on the PIP Advisory Group by the RACGP, ACRRM, AMA, the Rural Doctors Association of Australia, Australian Association of Practice Management and the National Aboriginal Community Controlled Health Organisation.

But the AGPA says all these representatives are also involved with PHNs, which are funded directly by the department.

“The vast majority of members of that group are directly involved in PHNs or work for somebody who actually is a chair of those organisations at the PHN,” Dr Haikerwal said. “So you’re not getting a clean steer, you’re not getting expertise from people who work in the sector.”

Dr Hosking, chair of the RACGP Expert Committee on Practice Technology and Management, told The Medical Republic there was nothing wrong in principle with using data in this way, but that there were concerns around consent and the ability of PHNs to manage data securely.

Lots more here:

https://wildhealth.net.au/phn-data-arrangements-a-bit-of-a-mess/

Here is the official view on all this:

The National Primary Health Care Data Asset

Primary health care is a vital component of Australia’s health care system accounting for a large proportion of health care expenditure annually. It is often the first point of contact individuals have with the health system and encompasses a broad range of professions and services. Despite this, there is limited availability of primary health care system data making it difficult to assess the positive impact of this sector on the health of Australians and/or identify where improvements are needed.

In the May 2018 Federal Budget the AIHW was funded to establish a Primary Health Care Data Unit and to develop a National Primary Health Care Data Asset (Data Asset). The Data Asset development aligns with priorities outlined in the 2018 Heads of Agreement on public hospital funding and health reform; specifically Enhanced health data as one of the goals of long-term system wide reform.

It is envisaged that an enduring Data Asset will contain reliable, detailed, high-quality data about primary health care which will assist in the creation of a comprehensive understanding of the system and a patient’s journey and experiences within it. It has the potential to create new avenues of analysis for providers, policy-makers and healthcare researchers to enable better population health planning, help identify gaps in primary health care services and ultimately improve patient health outcomes. The process of establishing the Data Asset will also be used to drive cyclical improvements in the quality and standardisation of contributing data.

The proposed Data Asset will:

  • enable better population health planning
  • support improved patient health outcomes, and enable comparison across geography, remoteness and socio-economic gradients
  • enable and inform integrated care
  • help identify gaps in primary health care services and outcomes
  • enable an assessment of the equitable distribution of care
  • shape primary health care programs and policies
  • allow for international comparisons.

The AIHW concluded the consultation phase of this multi-phase project. A Consultation Report outlines feedback on the Data Asset received through the AIHW consultation workshop series and the associated online public submission process conducted in the first half of 2019.

The key issues raised by participants were consolidated and summarised in the report which also includes a brief outline of the next steps in developing the Data Asset. 

Developing a National Primary Health Care Data Asset: consultation report (PDF 932KB)

Ongoing consultation is a key focus for the AIHW in developing the Data Asset; to this end, AIHW partnered with the Consumers Health Forum of Australia (CHF) to promote consumer and community awareness and confidence in the Data Asset. To stimulate this conversation webinars were held on 30 October and 11 November, chaired by CHF CEO Leanne Wells featuring a panel of knowledgeable consumers and clinicians. The webinars focused on issues of privacy, security, patient consent and overall benefits of the Data Asset and are now available online.

Here is a link:

https://www.aihw.gov.au/reports-data/health-welfare-services/primary-health-care/primary-health-care-data-development

There is a useful article (full text) on all this from the MJA here:

https://www.mja.com.au/journal/2019/210/6/gathering-data-decisions-best-practice-use-primary-care-electronic-records

Gathering data for decisions: best practice use of primary care electronic records for research

Rachel Canaway, Douglas IR Boyle, Jo‐Anne E Manski‐Nankervis, Jessica Bell, Jane S Hocking, Ken Clarke, Malcolm Clark, Jane M Gunn and Jon D Emery

Med J Aust 2019; 210 (6): S12-S16. doi: 10.5694/mja2.50026
Published online: 31 March 2019

In the fine print we read that best practice is to make it easy to opt out, but it does not seem to make it clear that this needs to be offered.

Here is the full best practice approach:

Box 3 - A model for primary care data sharing for research

1. Preparing for data collection

  • Obtain ethics approval for data collection and undertake legal review.
  • Establish a robust and secure data housing environment with independent data governance oversight and proactive security review.
  • Establish a comprehensive standard operating procedure and policies for data curation and stewardship.

2. Recruiting a general practice

  • Establish a legal agreement with the practice and gain their informed consent. This ensures that both parties have a clear understanding of the terms under which data are shared.
  • Support any technical requirements for data extraction.
  • Inform patients that the practice is sharing de‐identified data. Explicit patient consent is not required if the data extraction tool can provide de‐identified data that satisfies the definition of de‐identification as per the Privacy Act 1988 (Cth). NHMRC guidelines on waiving patient consent should also be met. A best practice approach would enable patients to easily withdraw consent.

3. De‐identifying and transmitting patient and practitioner data

  • Data should be de‐identified on the practice computer.
  • Data should be transmitted securely to a protected database in a secure, on‐shore data storage facility.

4. Following due process

  • Maintain ongoing, proactive data security. This may include using accredited secure environments from which authorised researchers can access the data (depending on sensitivity of the data and the amount of data).
  • Ensure that researchers who are provided with data obtain ethics approval and sign a legal agreement stipulating the terms under which they manage, store, use and dispose of the data.
  • Use mechanisms to assess competence of researchers to safely and responsibly use the data for research.
  • Ensure that the research group includes (or consults with) someone who has experience practising in Australian general practice to ensure that results are interpreted appropriately.
  • Ensure that an independent data governance committee reviews all applications by researchers to access data.
  • Use principles of data minimisation to limit data sharing with researchers to the minimum necessary to complete their research.

5. Delivering research outputs

  • Research funders should not prevent researchers from publishing their findings.
  • Researchers should make publicly available plain language community reports of their research outcomes.
  • Researchers should contribute their data coding to repository‐specific data user groups.

6. Using consumer, clinician and researcher panels

  • Consult health care consumers and providers — ask them for ideas on how data are used and suggestions regarding potential research projects and questions. Such input should be fed back to researchers to inform future research.
  • Engage researchers to contribute insights, data cleaning and analytic codes, so that other research can build on what has already been done.

---- End extract.

Right now I note there has been a deferral of a similar plan in the UK which has much more careful privacy laws following a public outcry. This follows the failure of a similar plan (care.data) hatched by our old friend Tim Kelsey. I note that in the UK access to your record is provided – not here apparently.

Overall I tend to agree with Sue Dunlevy that the public has heard too little about what is being done – just as we have come to expect these days. The process and data protections offered also seem a little flimsy to me.

Overall I think the fact that this is happening needs to be better known and the right to review and opt out should be embedded in the system. A public awareness campaign would also not go astray where both benefits and issues are canvassed!

What do you think?

David.

 

11 comments:

  1. Dr Ian Colclough, June 16, 2021 5:20 PM

    Is it not quite extraordinary that the Health Department finds it necessary to collect all this patient information from the 8,000 medical practice systems, via Primary Health Networks [PHN], instead of doing so by simply accessing, collecting and analysing deidentified information from the MY HEALTH RECORD!

    If doctors' patient records are the Health Department's PREFERRED GOTO SOURCE for collecting comprehensive patient medical information for research purposes [not to mention the PIP cost of $50,000] then WHY ON EARTH IS THE GOVERNMENT continuing to throw money at the My Health Record?

    1. The government is already spending around $350 million a year on the My Health Record.

      Why is it now spending a further $200M to $400M ($50,000 x 4,000 to 8,000 medical practices) to collect patient medical data from medical practices instead of collecting the same data from the My Health Record?

    2. It's best described as DOUBLE WANKING. The Left hand and the Right hand are both wanking two completely different parts of the system. The end result is twice as much wanking doubles the money.

  2. Why does the government want to collect comprehensive patient medical information for research purposes?

    Because they are looking for evidence of over-servicing and fraud.

    And in fact I doubt that they are collecting comprehensive patient medical information anyway. At best it's likely to be some sort of high level description of vague reasons why the patient is consulting the GP.

  3. It is not explicitly clear what ‘research purposes’ actually means, I doubt it is limited to health research undertaken in an appropriate manner with all the checks in place.

    From my experience the PHNs are not equipped to handle personal health information. How many are certified to collect, store and use a dataset of this sensitivity - I have not seen any evidence they are even ISO 27k compliant let alone certified.

  4. I doubt even ADHA is certified or meets the essential eight - so what is your point G. Carter?

  5. The language used in the AIHW report related to the My Health Record speaks volumes as to what an underlying problem is. They are clearly wishing it did not exist, not interested in it but cannot risk upsetting the high priests and priestess. Bit like that cult being run out of Florida.

  6. @9:07 AM How would ADHA answer that? Hopefully The Medical Republic, or PulseIT or Sue Dunlevy will ask the same question!

  7. This is a good reason for the Federal Government to get out of running things like My HR and get back to what they love - regulating and dragging companies through mind-numbing and expensive audits.

    https://www.bmj.com/content/373/bmj.n1248

    Participants Users of 20 991 mHealth apps (8074 medical and 12 917 health and fitness) found in the Google Play store: in-depth analysis was done on 15 838 apps that did not require a download or subscription fee compared with 8468 baseline non-mHealth apps.

    Main outcome measures Primary outcomes were characterisation of the data collection operations in the apps code and of the data transmissions in the apps traffic; analysis of the primary recipients for each type of user data; presence of adverts and trackers in the app traffic; audit of the app privacy policy and compliance of the privacy conduct with the policy; and analysis of complaints in negative app reviews.

    Results 88.0% (n=18 472) of mHealth apps included code that could potentially collect user data. 3.9% (n=616) of apps transmitted user information in their traffic. Most data collection operations in apps code and data transmissions in apps traffic involved external service providers (third parties). The top 50 third parties were responsible for most of the data collection operations in app code and data transmissions in app traffic (68.0% (2140), collectively). 23.0% (724) of user data transmissions occurred on insecure communication protocols. 28.1% (5903) of apps provided no privacy policies, whereas 47.0% (1479) of user data transmissions complied with the privacy policy. 1.3% (3609) of user reviews raised concerns about privacy.

    Conclusions This analysis found serious problems with privacy and inconsistent privacy practices in mHealth apps. Clinicians should be aware of these and articulate them to patients when determining the benefits and risks of mHealth apps.

  8. You mean this government:

    National Covid aged care plan did not exist before Coalition published '7th edition' in late 2020
    https://www.theguardian.com/australia-news/2021/jun/18/national-aged-care-plan-did-not-exist-before-coalition-published-7th-edition-in-late-2020

    Guardian Australia FOI shows federal government "revising history" by claiming earlier versions existed, experts say

    Experts have accused the federal government of "revising history" by describing the current national Covid aged care plan as the "7th edition" when no prior editions of the document exist.

    The aged care royal commission in October 2020 criticised the Coalition for failing to establish a dedicated plan on how to deal with the virus in aged care and recommended it take "immediate action" to "publish a national aged care plan for Covid-19".

    The aged care minister, Richard Colbeck, at the time insisted the government did have a plan that it had "been continuously building and adapting … since January 2020".

    Using freedom of information laws, Guardian Australia asked for the six previous editions of the plan. The health department in response said the term "7th edition" actually referred to "the government’s 7th stage of endorsing or providing response/guidance for Covid-19 in aged care".

  9. 8:07 AM - yes that’s the very same. The 7th Edition claim is something else. Wonder if the person or committee that came up with the one have ever read a book.
