After two years and over $1 billion in costs, only 26,332 shared health summaries have been uploaded by doctors to the troubled Personally Controlled e-Health Record system.
By Karen Dearne, on behalf of the Consumers e-Health Alliance.
December 2014
An analysis of Commonwealth Government annual reports covering e-health and PCEHR activities in 2013-14
Acknowledgement
By Peter Brown, Convenor, Consumers e-Health Alliance
On behalf of the CeHA Steering Committee, I wish to commend Karen Dearne for the dedicated effort she has put into this fine piece of much-needed research.
Hopefully we are approaching a turning point in the resuscitation of the national e-health program. The community supports the benefits to be gained from improved technology but is mystified by the amount of time and money expended to date, seemingly with little meaningful progress.
It is in that context we recognise Karen’s considerable contribution in producing this extraordinary record of events drawn from her unique experience in the midst of what has occurred; not just as a matter of historical interest but in providing details upon which the quality of the decision-making can be judged.
So we extend our sincere thanks to Karen for making this information available for the community at large.
CeHA - Consumers e-Health Alliance
An analysis of 2013-14 Commonwealth Government annual reports covering e-health and PCEHR activities
By Karen Dearne, freelance journalist and former e-health writer for The Australian,
on behalf of the Consumers e-Health Alliance.
What’s in the PCEHR system?
AFTER two years and more than $1 billion in costs, only 26,332 shared health summaries have been uploaded by doctors to the troubled Personally Controlled e-Health Record system.
While the Department of Health and the National e-Health Transition Authority trumpet their “success” in signing up 1.7 million Australians to date, the truth is that the system holds a mere 288,368 clinically useful documents.[1] Obviously, if every person who had registered had just ONE clinically relevant document uploaded to date, there would already be 1.7 million documents available.
For all the millions of hospital admissions across the country over the past two years, only 42,397 discharge summaries have been uploaded. See Table 1.
Just 2,403 event summaries have been created. Specialist letters? Seven. Electronic referrals? Six.
These are the key items of value consumers want – and expect – to be available through a national e-health system.
So where does that 288,368 come from in relation to clinical records? Prescription records (55,206) and dispensing records (162,030) from pharmacies account for almost all, at 217,236 in total.
That means there are only 71,132 potentially medically useful records available for just a tiny fraction of those 1.7 million people who signed up in the hope of better healthcare through information-sharing.
Now, some consumers were keen enough to enter their own health summaries, notes, observations and advanced care directives so there are 61,674 consumer created documents. Healthcare providers cannot access this material.
But hang on, the annual report of the PCEHR System Operator says more than 140 million records – 140,639,585 to be precise – are now in the system.
Well, yes, but more than 140 million – 140,289,543 – of these are Federal Government documents – Medicare has supplied MBS and PBS items, childhood and organ donor registry documents, while Veterans’ Affairs has handed over medical and pharmaceutical benefit claims.
All of these Medicare records were previously available through a well-established Medicare Online service; people could sign up for access.
TABLE 1: Number of documents uploaded to PCEHR system between launch on July 1, 2012, and end of financial year June 30, 2014 (two full years of operation)

| Document type | Number | Total |
|---|---|---|
| Clinical documents - types | | |
| Shared health summaries | 26,332 | |
| Discharge summaries | 42,397 | |
| Event summaries | 2,403 | |
| Prescription records | 55,206 | |
| Dispense records | 162,030 | |
| Specialist letters | 7 | |
| e-Referrals | 6 | |
| TOTAL CLINICAL DOCUMENTS | | 288,368 |
| Consumers’ own documents - types (not seen by health providers) | | |
| Consumer-entered health summaries | 37,401 | |
| Consumer-entered notes | 13,356 | |
| Advance care directives (custodians) | 5,580 | |
| Personal health observations | 2,529 | |
| Personal health achievements | 353 | |
| Child parent questionnaires | 2,442 | |
| TOTAL CONSUMER DOCUMENTS | | 61,674 |
| Medicare/Veterans Affairs documents | | |
| Childhood Register | 449,406 | |
| Organ Donor Register | 190,304 | |
| MBS/Vets Affairs records | 86,885,909 | |
| PBS/Repatriation records | 52,763,924 | |
| TOTAL MEDICARE/VETS AFFAIRS (GOVERNMENT-HELD) DOCUMENTS | | 140,289,543 |
| TOTAL DOCUMENTS IN THE PCEHR SYSTEM | | 140,639,585 |

Source: PCEHR System Operator Annual Report, 2013-14.
Oddly, with only 1.7 million people registered for a PCEHR, it appears that each of these has generated an astonishing 80+ government record documents. And that assumes everyone has requested that this data be provided by Medicare, as it’s optional. (Medicare holds records on around 23.3 million individual Australians.) See Table 2.
Note: Under the National Health Act, it is prohibited to hold MBS and PBS information in the same database. See the binding guidelines on MBS and PBS programs issued by the Privacy Commissioner in 2008.[2]
TABLE 2: Usage (as at June 30, 2014)

| Measure | Value |
|---|---|
| Number of Australians registered for Medicare | 23,300,000 |
| Number of Australians registered for PCEHR | 1,700,000 |
| Average number of documents in PCEHR per registered user | 83 |
| Number of clinical documents per user | 0.17 |
| Number of personal documents per user | 0.04 |
| Number of Government-held documents per user | 82.5 |

Source: PCEHR System Operator Annual Report
Or could the PCEHR system instead hold six or seven records on each of us? Under amendments to the Healthcare Identifiers and PCEHR Acts, Medicare’s chief executive has the authority to upload MBS, PBS and other data without consent[3] – however, personal consent must be given by individual PCEHR users if they want that information visible within their records.[4]
Does this personal consent override the ban on holding MBS and PBS data in the one system?
Perhaps this cache of “hidden records” is intended to allow the PCEHR System Operator to meet its obligations to “prepare and provide de-identified data for research and public health purposes”.[5]
Wait a minute, wasn’t there something about “personal control” and “consent” over secondary use of information for purposes other than for which it was collected?[6]
And what about the risk of re-identification of personal records – often surprisingly easy in smaller communities and where certain medical conditions are involved?
Where did the consumer “boost” come from?
By the way, the large boost in consumer registrations from just 400,000 in 2012-13 is thanks to an energetic “assisted registration” campaign by the global “innovative healthcare solutions” firm, Aspen Medical – recently selected for the Federal Government’s anti-Ebola program in Africa.
Aspen claims it created records for 730,000 consumers in the latter half of 2013, massively over-delivering on its original target of 200,000.[7] “We deployed up to 350 people around Australia in ‘hot spots’ to encourage the public to set up their PCEHRs,” an Aspen case study says. “Once the initial information was gathered, we set-up the record.”
How well trained were these spruikers? Well, take a look at the training pack provided.[8]
It’s a quick sell, and just a one page form to fill in. “Registration in just a few minutes, with a 100-point check, eg photo ID and a Medicare card. Online and phone registrations require more lengthy ID verifications; other forms are much longer.”
Note that while the consumer is told he or she is “in control of what information is visible”, most people are likely “to allow any healthcare provider organisation involved in their care to access their e-health record. This is therefore the default setting.”
And that form is simply a paper record containing your name, date of birth, gender and email address or phone number; team members then take this document back to the office and enter it into the PCEHR system via the online Assisted Registration Tool on your behalf. After acceptance, you will be sent an Identity Verification Code so you can access the record on your computer.
Trainees are warned that the forms must be guarded closely to ensure privacy: “Ideally, file them away in a folder immediately. Keep this folder of completed forms on your person.” Truly. That’s what it says.
Oh, before signing, you will be directed to a very boring two-page sheet entitled: “Essential Information About Assisted Registration and Your Privacy in the e-Health Record System.”
It says: “Once an eHealth record is created information about you and/or your dependant, including health information, is collected by the System Operator to operate the eHealth record system. This information may be collected from registered healthcare providers, government programs such as Medicare, or you and your representatives.
“Information about you may be disclosed to healthcare providers; people nominated by you (family members); people who are authorised to act on your behalf; government agencies (such as the Healthcare Identifiers Service and DHS Medicare); authorised organisations (such as private firms contracted by the System Operator); and organisations that store the documents that form your e-Health record.” You can read more here.[9]
Pity that people aren’t given a copy of the much more useful Privacy fact sheet produced by the Office of the Australian Information Commissioner: “Ten Tips for Protecting the Personal Information in your e-Health Record”.[10]
Are clinicians really using our e-health records?
Now, how many medical providers are using the PCEHR system? So far, 7,233 healthcare organisations have registered, primarily general practices (4,976), followed by pharmacies (1,087), hospitals (163), aged care (127), physiotherapy (108), chiropractic/ osteopathic (25), optometry (24), dental (22), pathology and diagnostic imaging services (3).
Note: There is an unexplained discrepancy between the total number of healthcare organisations stated by the System Operator (7,233) and the total number stated in each category.[11] (Page 8)
For comparison purposes, across Australia there are 7,035 general practices, more than 5,300 pharmacies, 746 public hospitals and 592 private hospitals (1,338 in total), 5,126 aged care facilities, around 7,000 dental practices, 4,788 optometrists and 200 pathology practices. See Table 3.
TABLE 3:

| Healthcare provider organisations | Number registered to use the PCEHR | Number of provider organisations across Australia | Number yet to register by provider organisation group |
|---|---|---|---|
| General practice | 4,976 | 7,035 | 2,059 |
| Pharmacies | 1,087 | 5,300 | 4,213 |
| Hospitals (total) | 163 | 1,338 | 1,175 |
| Private hospitals | | 592 | - |
| Public hospitals | | 746 | - |
| Aged care | 127 | 5,126 | 4,999 |
| Physiotherapy | 108 | 26,123 | 26,015 |
| Chiropractor/Osteo | 25 | 6,710 | 6,685 |
| Optometry | 24 | 4,788 | 4,764 |
| Dental | 22 | 7,000 | 6,978 |
| Pathology/Imaging | 3 | 200 | 197 |
| Total | 6,535 | 63,620 | 57,085 |

Sources: PCEHR System Operator Annual Report; Australian Health Practitioner Regulation Agency
Here we need to consider the normal medical “business” transactions performed across the health sector already. According to figures supplied by the Medical Software Industry Association, there are hundreds of millions of transactions every year. There are 100 million GP consultations and 100 million GP-issued prescriptions annually.[12]
GPs lodge 40 million pathology requests, and receive 60 million reports back, almost always electronically.
Likewise there are 10 million GP requests for diagnostic imaging tests, and 10 million results sent back; 8 million GP referrals to specialists, and 8 million specialist reports returned to GPs.
With this scale of activity, the efforts in this area by the PCEHR look puny.
For example, every year, 7.5 million people are sent home from hospital with a discharge summary (4.5 million from public hospitals, 3 million from private hospitals).
Yet to date, only 42,397 discharge summaries have been uploaded to the PCEHR, seven specialist letters and just six electronic referrals.
So somehow, all of this activity is happening without the “benefit” of the still embryonic national e-health system.[13]
According to the PCEHR System Operator, people looked at their PCEHR via the consumer portal some 512,000 times. Another way to consider this result is that less than one-third of those who signed up have bothered to look even once. Probably because they were signed up via assisted registration and weren’t really interested. A more useful metric would be the number of times a consumer has returned to view their PCEHR.
On the other hand, healthcare providers viewed records in the PCEHR system, via their clinical information systems, just 24,815 times. Additionally, some healthcare providers accessed the PCEHR via the provider portal – 1,302 times.
Clinicians uploaded records to the system 68,474 times. See Table 4.
Table 4: Viewing of records in PCEHR system during 2013-14

| Measure | Number of times |
|---|---|
| Consumers via consumer portal | 512,076 |
| Healthcare providers, via their clinical information systems | 24,815 |
| Healthcare providers, via provider portal | 1,302 |
| Total views, consumer and provider | 515,863 |
| Average views per day, healthcare providers | 72 |
| Average views per day, total | 1,413 |

Source: PCEHR System Operator Annual Report
One wonders how this low usage lines up with the PCEHR business plan, but clearly doctors don’t see any value in the system as it stands.
By the way, the Secretary of the Department of Health is the official System Operator, rather than an independent, suitably experienced administration agent as you might imagine. This arrangement, which was initially intended as a stopgap while a formal governance structure was put in place, was supposed to be subject to public review two years after commencement of operation. This has not occurred.
For the past two financial years, former Health secretary Jane Halton was System Operator, while also a member of the NEHTA board and the Australian Health Ministers’ Advisory Council.
What has it cost to achieve these limited results?
Before we turn our attention to NEHTA, it’s worth noting that the department’s annual report states that Health spent $138.25 million on e-health implementation in 2013-14; in the previous year, it was $105.6 million.[14]
So over the past two years, some $244 million has been spent by the federal government alone on producing 71,132 potentially useful medical records, which may or may not be available to around 7,230 healthcare organisations.
It would be mischievous to suggest that each of these 71,000-odd documents has cost around $3,430 to produce as some funding went to telehealth pilots, for example, but it’s very hard to tell how much money has been spent on what.
There is a lack of detail in the financial reporting on e-health by NEHTA and the Health Department, so there is almost zero transparency. We know Health funds NEHTA to run projects, and NEHTA then subcontracts them out, thus avoiding the normal Tenders and Contracts reporting channels.
To our knowledge, the national Auditor-General has never conducted an audit on e-health spending or agency performance, despite proposing the issue as a potential audit a number of times.
The sums expended and noted here do not include the considerable amounts of money spent by the States and Territories on their own e-health programs, nor investment by the private sector.
NEHTA has been busy ‘connecting’ hospitals
According to NEHTA, there are now 267 public hospitals and health centres connected to the system across the country.[15]
“As at June 2014, 249 of these were able to view the PCEHR system, while 159 hospitals were able to upload patient discharge summaries,” says NEHTA chief executive Peter Fleming.
Whereas, the Senate Community Affairs committee was told in June that the hospitals connected “to actually upload discharge summaries” were all in Queensland, “where 111” were “actually” doing so.[16]
Wait, those 42,397 discharge summaries we keep hearing about are only in Queensland?
Maybe not. Apparently enormous strides have been made since early June. Mr Fleming is upbeat in the annual report released on November 6.
“A number of jurisdictions are already submitting discharge summaries from all – or almost all – public hospitals that have the ability to produce electronic discharge summaries,” he says. (Author’s emphasis)
“These include the ACT [where one hospital is connected to “view”, according to Health department officials speaking at Senate estimates], Queensland [219], South Australia [seven], and Tasmania [three].”
“Tasmania has begun uploading medication information to the PCEHR, with plans to implement PCEHR viewing [this month],” Mr Fleming continues.
“NSW is uploading inpatient and emergency department discharge summaries and PCEHR viewing across five health regions [involving 28 hospitals, according to federal officials].
“Victoria has just gone live with Eastern Health’s seven facilities uploading discharge summaries. Two other regions are scheduled to commence [seven hospitals reported to date].
“The Royal Perth Hospital in WA is live with the Albany health region scheduled to follow [none reported in June].”
For the record, NEHTA notes that some of the 267 state public hospitals and health centres connected to the national e-health record system cannot actually view records. In SA and Victoria, zero out of seven connected facilities can view records; in Tasmania it’s zero out of four.
Why is the PCEHR not working for doctors?
Puzzled about why we would build a system that is difficult for users to “view”? This is a question at the heart of the widespread disappointment and general refusal to participate.
The PCEHR e-health record system does not actually provide real-time medical information at the point of care. Instead, it was designed and built to simply pull together available clinical documents via a “viewing service” and display them in formats that can be seen by patients and health professionals.[17]
Essentially, it serves up copies of documents voluntarily uploaded from healthcare providers’ own clinical information systems.
As the design document originally stated: “An individual’s PCEHR may not represent a complete set of health information.”
Documents loaded to the system carry a date stamp, but it is up to medical providers to ensure patient records are updated – in order to do so, they have to create and upload a new document each time; they can’t simply update a shared health summary, for example.
Critically, the system does not support clinical decision-making or medication management, and lacks sophisticated analytics capabilities.
The original National e-Health Strategy adopted in 2008 by the Council of Australian Governments envisaged a more dynamic shared system that would pull data from wherever it was held to provide a real-time view and support interactive alerts or warnings at the point of care.[18]
As a secondary system that does not replace doctors’ own e-health record systems, the PCEHR at best is a haphazard accumulation of patient-consented and medico-uploaded snapshots in time.
And with the live and complete data still locked in doctors’ clinical systems, the public health benefits of real-time interventions – avoiding adverse drug events, better management of chronic conditions and improved prevention – will remain elusive.
Interactive clinical decision support, which can provide rich safety and quality benefits, can only occur in doctors’ systems, and not within the PCEHR as presently architected.
Nor will the PCEHR meaningfully support new health and community care pathways involving active collaboration and integration of services around individual patients.[19]
Not very ‘helpful’ case studies
NEHTA’s annual report is dotted with case studies showing how the basic system is supposed to work.
Take Brisbane-based GP Dr John Aloizos’s patient Kevin, a diabetic with renal failure and hypertension requiring extensive ongoing care.
Because Dr Aloizos is a senior clinical governance advisor at NEHTA and his medical practice has been involved in e-health pilots over many years, he created a shared health summary for Kevin and uploaded it to the PCEHR system.
When Kevin had a cardiac event and was admitted to a hospital in Brisbane which had the capability to upload a discharge summary, Dr Aloizos was able to view and download the document when he visited his patient at home.
“I was able to prepare and print the prescriptions for [five altered] medications and use the discharge summary as a checklist,” he says. “Without this information I would not have been able to provide the follow-up care I needed to.”
Dr Aloizos then uploaded a new shared health summary [because these documents cannot be updated on the fly], thus ensuring the medication list was accurate and up to date in the event it was needed by other healthcare providers.
This does not sound like a vast improvement on a hospital-faxed discharge letter, or a paper version brought in by the patient that can simply be scanned into the GP’s own records.
What about security risks, privacy complaints?
Oddly, while confirming the number of healthcare organisations registered with the system at around 7,230, NEHTA remains silent on the number of individual healthcare providers actually signed up. Apparently the PCEHR System Operator cannot find this information either, as no figure is given.
According to the Australian Health Practitioner Regulation Agency (AHPRA), there are 619,500 health practitioners in 14 professions registered to practise.[20]
Of these, just over 91,500 are medical practitioners, according to the latest Australian Institute of Health and Welfare figures. Most of these are doctors working in the private sector.[21]
Other major categories are nurses, pharmacists, psychologists, physiotherapists, dentists and optometrists.
In relation to the PCEHR, a lack of unique healthcare identifiers for individual health providers raises concerns over access to personal information; the audit trail currently only goes as far as individual organisations, and does not identify users within a pharmacy or dental practice, for example, who may have accessed your record.
Yet all healthcare providers registered with AHPRA have an individual healthcare provider identifier. The problem is that the HI service is so poorly designed, it is impossible to find them. And the likely reason for this is explored below, in the section on the National Authentication Service for Health.
Which brings us to security risks and complaints.
According to the System Operator’s report, 120 complaints were made in relation to the PCEHR during the past financial year: “As of June 30, 115 had been resolved and five were in the process of being resolved.”
What were the complaints and how were they handled by the System Operator and its partner agencies, the National Infrastructure Operator (IT contractor Accenture), the Department of Human Services and NEHTA?
Certainly the Information Commissioner did not receive any complaints about the PCEHR system (although there were two about the Healthcare Identifiers program).[22] People who are unhappy with the System Operator’s response have to separately find their way to the Privacy Commissioner to lodge another complaint.
In some states, complaints about health privacy breaches may be handled under separate privacy laws. For an overview of current Australian privacy law, see here.[23]
From a privacy and security standpoint, this is not a reassuring state of affairs. There is no effective, independent oversight of the conduct of the System Operator let alone its complaints-handling practices.
The Information Commissioner’s annual report shows the PCEHR System Operator did however make two mandatory reports relating to serious data breaches, in December 2013 and in May 2014.
The first involved a technical change that allowed healthcare providers to view consumers’ personally entered health notes. “A technical fix was put in place to prevent further access,” the Information Commissioner’s eHealth Activities annual report notes.
The second involved consumers logging into their MyGov accounts to link their PCEHR to that master account. “In some instances they also accidentally set up access to another consumer’s PCEHR whilst still logged into their own MyGov account,” the Information Commissioner says.
“This resulted in the landing page of the first consumer’s PCEHR showing two ‘Open your eHealth record buttons’, which provided links to open both.”
The report noted that “the cause of the breach was not related to MyGov”. Consideration of the matter was “ongoing”.
MyGov is the online federal government services gateway, offering citizens “secure access” to a range of online services, through a single sign-on and password, provided by various agencies including Medicare, Centrelink, Child Support (Human Services); Health (the PCEHR); the Tax Office and Veterans’ Affairs. According to the DHS annual report, there are currently more than 2.9 million active MyGov accounts.[24]
But can we assume that MyGov is safe for our health, welfare and tax information? In May this year, the Sydney Morning Herald journalist Ben Grubb wrote, “Revealed: Serious flaws in the MyGov site exposed millions of Australians’ private information”.[25] [26]
And has anyone considered the possibility that if every Australian who uses Medicare is ultimately required to open a MyGov account, then the government may have created a single source of information about every citizen? In the past, attempts to impose a national identity card have been roundly rejected. Is the MyGov database shaping up as a “virtual” Australia Card?[27]
Safety and security at the user-end
But the security or otherwise of MyGov and the Departments of Health and Human Services PCEHR systems is the least of our privacy and security concerns.
Leaving aside the fact our bureaucrats ensured that legal liability for medical record data breaches would fall on private sector healthcare providers while federal and state agencies escaped prosecution by claiming Crown immunity,[28] most privacy and security breaches – deliberate or unintentional – are likely to occur at the user “endpoint”. That’s the computers and networks used by the GP, medical specialist, pharmacist, dentist, physiotherapist or any of their admin staff.
The independent computer emergency response team, AusCERT, has repeatedly warned of the risk hackers will target private consumer and commercial systems for fraud, financial gain and even illegal drugs.[29] [30] There have also been warnings about the danger of medical identity theft. [31]
Meanwhile, the complexities and challenges of ensuring information security are being considered by technically-minded academics in the health information management field, such as Dr Patricia Williams’ 2013 paper, “Does the PCEHR mean a new paradigm?” [32]
Others, like Professor Enrico Coiera, warn that the use of ICT in healthcare is “roughly in the same place aviation industry was in the 1950s with respect to system safety”.[33]
His paper, “The Dangerous Decade”, says: “Even if ICT harm rates do not increase, increased ICT use will increase the absolute number of ICT related harms. Factors that could diminish ICT harm include adoption of common standards, technology maturity, better system development, testing, implementation and end user training. Factors that will increase harm rates include complexity and heterogeneity of systems and their interfaces, rapid implementation and poor training of users. Mitigating these harms will not be easy.”
NEHTA’s never-ending ‘years of delivery’
Meanwhile, NEHTA chief executive Peter Fleming has been repeatedly claiming the “completion” of the standards and foundations needed for a nationwide e-health system since early 2009, when he declared an intention to “move very quickly into delivery mode”.
In fact, Mr Fleming said 2009 was “the year of delivery for NEHTA”.[34] Then, he was working towards the implementation of a shared, or individual e-health record system, in line with the National e-Health Strategy developed by Deloitte and adopted by COAG in 2008.[35]
Key benefits envisaged for an e-health system included reduction of costly inefficiencies across the healthcare sector and major benefits for patients through the reduction of avoidable medical errors and poor outcomes due to inadequate management of chronic conditions.
In May 2010, when then-Health Minister Nicola Roxon unveiled the Labor Government’s plan for a PCEHR she reiterated these concerns: “Poor availability of health information across care settings can be frustrating and time-consuming for patients and health professionals alike,” she said.
“It can also have damaging effects on a patient’s health outcomes through avoidable adverse drug events and lack of communication between healthcare providers.
“About 2-3 per cent of hospital admissions in Australia are linked to medication errors. This equates to 190,000 admissions each year and costs the health system $660 million.”
Ms Roxon said around 8 per cent of medical errors were due to inadequate information.
So what has happened in relation to this measure since 2008-09, when governments began efforts to improve this situation through e-health measures?
Sadly, the Australian Institute of Health and Welfare’s latest biennial report, “Australia’s Health 2014”, suggests things may have got worse.[36]
Between 2008-09 and 2011-12, the number of hospitalisations which involved an adverse event - where a patient experiences harm while receiving healthcare, typically due to infections, falls, and problems with medications or medical devices - increased from 4.8 to 5.3 incidences for every 100 hospital admissions.
While some of the increase in these figures may be due to better reporting of adverse events, for example, the data suggests the PCEHR as currently formulated is not the hoped-for panacea.
During 2012-13, emergency departments received almost 2.2 million patients presenting who could potentially have been treated by GPs – around 32 per cent of total presentations, the AIHW found. With the debate over “price signals” on health and the $7 co-payment for GPs and diagnostic services, perhaps this statistic should give the Government pause.
NEHTA’s 2013-14 report card
Let’s look at what NEHTA says it has delivered in the past financial year.
First, a note on costs. During 2013-14, the Department of Health paid NEHTA new grants and contracts totalling $75.24 million “for COAG and other PCEHR funding”[37]; NEHTA’s annual report records $81.5 million in total revenue.
NEHTA’s total expenditure topped $94 million, with employees and consultants pocketing the bulk, at a combined $83.4 million.
The annual report notes the body “provided important business as usual services to all healthcare organisations across the country. These included the national Healthcare Identifier (HI) service, the National Authentication Service for Health (NASH), monthly maintenance and release of the Australian Medicines Terminology version 3, and SNOMED-CT-AU”.
Healthcare Identifiers service
First up, the Healthcare Identifiers (HIs) service, which is the foundation for accurately identifying all participants using the PCEHR system.
HIs are 16-digit numbers available in three versions, to uniquely identify individuals who receive healthcare, individual health providers and healthcare provider organisations. All Australians have an Individual Healthcare Identifier, as these were compulsorily assigned to every one of us when the program commenced.
But Medicare created these identifiers from personal information held in its databases – essentially your Medicare or Veterans Affairs card number – under a $51.6 million contract with NEHTA, around four years ago.[38]
The Department of Human Services is paid around $10 million a year to operate the service, and take care of all the registrations, complaints, enquiries and so on.
In its Healthcare Identifiers Service 2013-14 annual report, Human Services notes that “a healthcare identifier is not a health record.
The information held is limited to demographic information such as an individual’s name, date of birth and gender, needed to uniquely identify the individual and their healthcare providers”.[39]
NEHTA’s involvement in the project did not prevent some serious hiccups. Although declared live by then-Health Minister Nicola Roxon in July 2010, the system sat idle for nine months while software interface specifications, licensing arrangements and compliance issues were thrashed out.[40]
Then in February 2011, the Health Department banned the use of the HI service in any live environment until concerns about the potential for misidentification of patients and mismatching of medical records were resolved.[41]
The Medical Software Industry Association had issued a white paper warning that the HI service, as designed, was unsafe to go live.[42] And Victoria’s e-health adoption arm warned that the then-$90 million HI service was too dangerous to be used on its own for medical identification purposes.[43]
The Healthcare Identifiers annual report indicates there may still be some problems involving IHI searches, which may be concerning considering the low volumes of usage to date.[44]
Little actual real-world demand?
According to the latest HIs annual report, individual healthcare identifiers (IHIs) were accessed (or “disclosed”) around 52 million times through web services in 2013-14.
The service operator disclosed a further 82,472 IHIs through its call and fax channels.[45] Revealingly, NEHTA reports: “There were around 52 million unique searches of IHIs via electronic channels during the year for use in clinical information systems and clinical documents to support ongoing jurisdictional data quality initiatives and to authenticate access to e-health products.”[46]
If IHIs were accessed around 52 million times for data cleansing and testing purposes, does that mean the lookup service was only actually used by healthcare providers on 80,000-odd occasions?
National Authentication Service for Health (NASH)
What about the National Authentication Service for Health? NASH is also operated by Human Services. It issues and manages digital, or Public Key Infrastructure (PKI), certificates to ensure that only authorised healthcare organisations can access e-health records and transmit personal health information to others.
The PCEHR system actually launched in July 2012 without this key user verification system, with NEHTA forced to concede it had failed to deliver the project on time.[47]
NASH was being built by IBM under a $23.6 million contract with NEHTA, after the e-health body surprisingly overlooked a tender bid by Medicare, which was already running similar services.
At the time, NEHTA said it had been working on requirements for the authentication system for quite some time (around five years) and had realised the complexity warranted participation by experienced industry players. Medicare’s solution would not be adequate, it claimed.[48]
NEHTA envisaged a NASH smartcard and PKI infrastructure that would “go beyond the HI service” to “support other foundation elements for other (future) e-health initiatives”. (See Appendix 1)[49]
In the event, the contract with IBM was terminated, with the parties eventually reaching agreement on confidential terms.[50] Taxpayers should be asking what happened. Have the NASH project and its aftermath ever been audited?
Notwithstanding, with the PCEHR launch due, Mr Fleming dismissed the lack of NASH as immaterial, saying “arrangements have been put in place to provide an interim NASH” provided by the Human Services department.[51]
That interim solution is still in place. It is based on Medicare’s pre-existing PKI digital certificates, used to authenticate health sector business transactions such as billing and online claiming, which had been trialled in small PCEHR pilot sites.
Yet NEHTA had previously described the NASH as “a key foundational component for e-health” in Australia. “It is essential that the identity of people and organisations involved in each e-health transaction can be assured, and this requires high quality digital credentials. The NASH, Australia’s first nationwide secure and authenticated service for healthcare delivery organisations and personnel to exchange sensitive e-health information, will provide this”.[52]
No explanation has been provided as to why the Medicare PKI is now considered adequate when it wasn’t before. As noted above, the lack of the NASH has stymied full audit of third party accesses to your PCEHR.
Long way to go…
The minuscule number of pathology and diagnostic imaging providers involved in the PCEHR to date – three – must be a concern for those planning to include these records in the near future.
Direct consumer access to test results has always been “sold” as a major benefit of the PCEHR, as well as third-party access by other healthcare providers (to reduce unnecessary duplication of tests, for instance).[53]
But while GPs and others debate how best to achieve this, the current lack of functionality suggests it’s a pretty pointless exercise - the documents may languish unseen by anyone for some time to come.
In any event, pathology and imaging providers have pretty sophisticated technologies for pushing results out to individual doctors, including a “receipt” notifying when each message has been opened by the requester, and alerts if a message is not seen within a certain timeframe.
We also now learn that the new Aged Care Gateway system, including a central client record, will not be linked to the PCEHR when Gateway goes live nationally next July – causing concern over the creation of two, parallel, e-health records for each person.[54]
Seemingly, aged care policy-makers were not confident the PCEHR would meet their clinical needs, in line with clinicians generally.
Oh, and remember that there are 592 private hospitals across Australia, most of which have yet to be engaged in any way with the PCEHR program?
NEHTA is offering a total $500,000 in government funding to “support their deployment of a PCEHR viewing and/or clinical upload capability within their hospital facilities” by the end of June next year. Let’s see, if everyone rushes to accept, that’s around $1000 each from a standing financial and technical start, plus a tight six-month timeframe for implementation.[55]
Are the ‘solid foundations’ a mirage?
Notwithstanding, new NEHTA chair, former Australian Medical Association president, Dr Steve Hambleton, says in his inaugural annual report: “NEHTA has now delivered the solid foundational products that we need including individual healthcare identifiers, medicines and disease terminology and the infrastructure.
“This has, in effect, created the national e-health gauge (and some of the rolling stock) for securely transporting and sharing clinical information.”
Sadly, many of those working within the e-health arena reject these claims as not sustainable.
It is surprising and unclear why Dr Hambleton is now spruiking NEHTA’s future role in the nation’s e-health system when the three-man PCEHR Review panel, of which he was a part, recommended “dissolving NEHTA” in a restructuring of governance that would see the creation of the Australian Commission for Electronic Health.[56]
Back in May 2010, Dr Hambleton told me that it was not possible to reform healthcare without access to computer systems and secure email.[57]
The medical software industry and doctors said it wasn’t rocket science:
“To get health working, we need to be able to communicate with each other,” says Steven Hambleton, a Brisbane-based general practitioner and federal vice-president of the Australian Medical Association.
“The National Health and Hospitals Reform Commission said let’s connect up care so that we only investigate somebody once, we hand over care once, and GPs and hospitals can operate as one health system.”
Has Dr Hambleton found evidence of progress where others struggle to see it? The information referenced here in the official reports suggests that the claims by those in charge are not reassuring. It appears the key foundations and the essential standards are not operationally in place.
It’s still not rocket science
The following year, in 2011, Mr Fleming was telling people the task of creating a national e-health system was “like putting a man on the moon”.[58] [59]
Unfortunately, the PCEHR program has not produced the vast science and technology boost from the decade-long Project Apollo which spurred the US economy and technological growth.
Conclusion
The silly thing about the situation is that almost 100 per cent of GPs have been using their own electronic patient health record systems for years.
Their frustration still lies in the lack of a secure national information-sharing infrastructure and useful clinical decision-making support, no matter how many times NEHTA claims delivery.
Doctors are being asked to use a “national e-health system” that is far inferior to what they have on their desktops, and what the average consumer uses at home.
The usage figures revealed in these various annual reports demonstrate that the national PCEHR system has not yet moved beyond the pilot stage.
Could this failure be due to the basic reluctance of NEHTA and the Health Department – over many years - to properly engage all of the participants in the process and effectively address their issues and concerns?
It is worth noting that the key recommendations in the agreed National e-Health Strategy related to strong governance and practical engagement with all stakeholders from day one.
The National E-Health Strategy gives a good deal of attention to the working plan detail, but is less explicit in terms of how to co-ordinate and operationally manage a program of such inherent complexity both nationally and locally.[60]
However, the governance principles were addressed: “What do we need to do to establish effective governance of the e-Health agenda?”
Notably, it said: Establishing effective governance requires focused activity in three key areas --
· Establish a National e-Health Governing Board with an independent chair and breadth of cross-sectoral stakeholder representation, accountable for setting national direction and priorities, approving strategy and funding decisions and monitoring progress of deliverables.
· Establish a National e-Health Entity focused on strategy, investment, work program execution, standards development and e-Health solutions compliance, overseen by the national governing board.
· Establish a National e-Health Regulation Function to implement and enforce national regulatory frameworks for e-Health programs, working with existing regulatory and privacy bodies and with an independent reporting relationship to Commonwealth, State and Territory Ministers.
These important features were intended to be part of the one package. In particular, there was to be a clear distinction between the new e-Health entity and NEHTA, with a formal transition to include appropriate stakeholder representation.
There was no hint that responsibility for operating the network system would be given to the federal Department of Health, a body neither designed for such a task nor with any experience in an operation of this type and size.
The Strategy also states: “Implementation of the strategic work streams needs to be undertaken in a tightly co-ordinated and concurrent manner in order to effectively deliver the national e-Health work program. Each work stream is highly dependent upon the success of the others.
“Appropriate e-Health foundations, in the form of computing infrastructure and consistent information standards, rules and protocols, are crucial to effectively sharing information across geographic and health sector boundaries. In this regard e-Health foundations can be viewed as analogous to an ‘information highway’ – unless the system is connected up in some uniform and rules based way, then information cannot move across the network.
“Foundations alone will not be of any value unless consumers, care providers and health care managers have access to specific computing solutions or tools to enable them to view and share appropriate health information. E-Health solutions will be the tangible means by which users can benefit from the building of a connected information network.
“The implementation of national e-Health solutions will similarly be pointless unless consumers, care providers and health care managers are motivated to use these solutions. This is a two way relationship as the quality of the underlying e-Health solutions will also play a critical role in driving stakeholder take-up and support of the e-Health work program.
“Finally it is unlikely that any of this can be achieved unless supported by a governance regime which provides appropriate coordination, visibility and oversight of national e-Health work program activities and outcomes.”
It is unfortunate that such governance arrangements were not established from the outset.
The big questions that have to be considered now by the Federal and State Health Ministers are what exactly is the PCEHR intended to achieve, and is it worth spending further large sums on a vast overhaul, when there may be other options and better alternative approaches.
Perhaps it’s time to revisit the National e-Health Strategy.
Wait a minute. Wasn’t Deloitte employed to do just that, last year, under a “Refresh” banner?[61] [62] [63]
Sadly, Deloitte’s revised strategy document has not been released. The Health Minister might find that publishing this material for public consultation would be a great way to restart a national discussion.
APPENDIX 1: NEHTA Fact Sheet
eHealthID
National Authentication Service for Health (NASH)
In this electronic age, where significant amounts of sensitive and personal information are being sent electronically, there is a need to guarantee the authenticity and validity of the information being exchanged.
When the information being transferred is your personal medical information, there is an even greater imperative to ensure that information is collected and securely electronically exchanged only by those authorised to do so.
The National Authentication Service for Health (NASH) project being delivered through NEHTA will deliver the first nationwide secure and authenticated service for healthcare organisations and personnel to exchange e-health information.
Together with clinical terminology, messaging standards and unique healthcare identifiers, the NASH will provide one of the fundamental building blocks for a national e-health system, as well as providing security credentials for use at the organisational and local level.
NASH & the Authentication Vision
The vision for authentication in the Australian health sector is that provider authentication should use a strong credential (smartcard with PKI certificate) issued by a NASH-accredited organisation. All e-health transactions and records that need to be electronically signed will use standard credentials.
The goal is to issue NASH credentials to all healthcare professionals over the next five years.
NEHTA’s vision for NASH is:
• A healthcare community and professional smartcard system that supports and facilitates the use of e-health information, for example unique healthcare identifiers and the individual electronic health record (IEHR), within the whole Australian community.
• Coordination of smartcards and reader supply arrangements for health professionals and employees.
• Provision of support for the smartcard implementation and operation to jurisdictions, software vendors and end users.
• Design and delivery of support arrangements that meet the needs of jurisdictions and software vendors.
• Provision of a trusted authentication service that addresses the data protection and privacy requirements of stakeholders and regulators.
What will the future look like with NASH?
Once the NASH is operational, healthcare workers will insert their smartcard into a slot in their desktop computer and enter a PIN. Once accepted, this should be sufficient to meet the majority of their daily authentication requirements.
Mobile workers such as nurses will use their smartcard as they move from one workstation to the next, with not only immediate and convenient access to information systems but also session portability. Their NASH smartcard will enable them to seamlessly send and receive secure health messages and attached digital signatures.
It will be possible to add new credentials during the life of the smartcard at any time in response to initial and new/changed authentication requirements. Such credentials will be added to the card by authorised local staff, or by using an automated online service.
More than just a PKI and smartcard!
The NASH will provide:
• The technology, infrastructure, frameworks, processes and support services to enable health organisations to issue credentials within their own community of interest.
• Information and support about the use, integration and support of NASH credentials for software vendors and jurisdictions.
• Provision of robust setup and on-boarding processes for credential issuing points that protect the integrity of the overall scheme.
• Provision of a governance mechanism that will enable jurisdictional participation in the operational policies and services.
• Provision of support to software vendors and jurisdictions in transitioning existing systems to use the NASH.
NASH credentials can be used for whatever purpose is deemed suitable by the issuing community, for example signing electronic prescriptions, hospital discharges, hospital admissions, or government reports. By leveraging the national infrastructure, participants can also strongly authenticate and securely exchange health information.
Implementation Approach
As the NASH is a foundation service for wider e-health initiatives, it will be designed, developed and operated in collaboration with the healthcare community at all stages of implementation. The following milestones are likely, with detailed timelines being developed with our stakeholders:
• 2008 – NASH specification, design and build test and development environments, develop software interface specifications.
• 2009 – Deployment commences through early adopter organisations and through software vendor adoption.
[1] http://ehealth.gov.au/internet/ehealth/publishing.nsf/content/PCEHR-system-operator-annual-report-2013-2014-toc
(Note: the PCEHR System Operator Annual Report 2013-14 is not located on the DoH website along with the previous year’s report. Instead it has been published at this oddly obscure location: http://www.ehealth.gov.au/internet/ehealth/publishing.nsf/Content/ehealth-program-info )
[4] http://www.oaic.gov.au/privacy/privacy-resources/privacy-fact-sheets/health-and-ehealth/privacy-fact-sheet-22-medicare-and-your-ehealth-record
[6] http://www.oaic.gov.au/privacy/privacy-resources/privacy-fact-sheets/other/privacy-fact-sheet-17-australian-privacy-principles APP 6
[9] http://www.ehealth.gov.au/internet/ehealth/publishing.nsf/content/7144A74C90A644BCCA257AFD0012901A/$File/Essential%20information%20about%20assisted%20registration%20and%20your%20privacy%20in%20the%20eHealth%20record%20system.pdf
[10] http://www.oaic.gov.au/images/documents/privacy/privacy-resources/privacy-fact-sheets/Privacy_fact_sheet_15.pdf
[11] http://ehealth.gov.au/internet/ehealth/publishing.nsf/content/F1A3F67F2E5DC643CA257D7A000232F5/$File/PCEHR-System-Operater-Annual-Report13-14.pdf
[13] http://www.theaustralian.com.au/technology/minister-we-have-a-problem-ama-boss/story-fn4htb9o-1226415035470
[14] http://www.health.gov.au/internet/main/publishing.nsf/Content/DC5839D1C54A92C3CA257D50001CB666/$File/2.1%20Outcome%2010%20Health%20System%20Capacity%20and%20Quality.pdf
[17] http://ehealth.gov.au/internet/ehealth/publishing.nsf/content/CA2579B40081777ECA2578F800194110/$File/PCEHR-Concept-of-Operations-1-0-5.pdf
[22] http://www.oaic.gov.au/about-us/corporate-information/annual-reports/ehealth-and-hi-act-annual-reports/annual-report-of-the-information-commissioner-s-activities-in-relation-to-ehealth-2013-14
[24] http://www.humanservices.gov.au/corporate/publications-and-resources/annual-report/resources/1314/chapter-07/service-delivery-transformation Privacy report: http://www.humanservices.gov.au/spw/corporate/publications-and-resources/resources/mygov-inbox-privacy-impact-assessment.pdf
[25] http://www.smh.com.au/it-pro/security-it/revealed-serious-flaws-in-mygov-site-exposed-millions-of-australians-private-information-20140515-zrczw.html
[27] http://www.theaustralian.com.au/technology/e-health-plan-smokescreen-for-id-card/story-fn4htb9o-1226119986266
[28] http://www.couriermail.com.au/news/govt-agencies-escape-e-health-penalties/story-e6freon6-1226159750748
[29] http://www.theaustralian.com.au/technology/pcehr-open-to-hacking-says-auscert/story-fn4htb9o-1226294108297
[30] http://www.oaic.gov.au/images/documents/privacy/engaging-with-you/previous-privacy-consultations/ehealth-dbn/Submission_AusCERT_-_MDBN_Guide_-_Public.pdf
[37] http://www.health.gov.au/internet/main/publishing.nsf/Content/0B3DAB3FF63BAA29CA257D7300172B38/$File/Department%20of%20Health%20-%20Minchin%20Motion%20Report%20-%205%20May%202014%20to%2028%20September%202014%20.PDF See page 37
[38] http://www.theaustralian.com.au/news/health-science/medicare-to-set-up-healthcare-identifier-service/story-e6frg8y6-1111115316546
[40] http://www.theaustralian.com.au/technology/medicare-e-health-contract-in-limbo/story-fn4htb9o-1225927995135
[41] http://www.theaustralian.com.au/technology/health-record-identifier-held-up-because-of-safety-concerns/story-e6frgakx-1226001760208
[43] http://www.theaustralian.com.au/technology/national-e-health-identifier-hazardous-says-state-agency/story-e6frgakx-1226005955988
[47] http://www.theaustralian.com.au/technology/e-health-system-to-launch-without-key-user-verification-system/story-e6frgakx-1226397462298
[48] http://www.theaustralian.com.au/technology/smartcard-tender-issued-for-national-authentication-service-for-health/story-fn4htb9o-1225927013101
[49] Appendix 1, page 17
[50] http://www.pulseitmagazine.com.au/index.php?option=com_content&view=article&id=1185:nehta-terminates-nash-contract-with-ibm&catid=16:australian-ehealth&Itemid=327
[51] http://www.theaustralian.com.au/technology/e-health-system-to-launch-without-key-user-verification-system/story-e6frgakx-1226397462298
[54] http://www.pulseitmagazine.com.au/index.php?option=com_content&view=article&id=2172:aged-care-record-to-go-live-with-no-link-to-the-pcehr&catid=67
[55] http://www.nehta.gov.au/media-centre/news/722-invitation-to-apply-private-hospital-pcehr-rapid-implementation-programme
[57] http://www.theaustralian.com.au/news/health-science/care-at-the-click-of-a-mouse-health-vault/story-e6frg8y6-1225860394951
[61] http://www.theaustralian.com.au/technology/peter-dutton-shifts-into-high-gear-for-e-health-overhaul/story-fn4htb9o-1226725516175