A day or so ago we had the announcement of a consultation process around the NEHTA-developed Individual and Provider Identifiers.
The basic information can be found here:
http://aushealthit.blogspot.com/2009/07/having-worked-on-it-for-years-doha-now.html
The direct link is here:
http://www.health.gov.au/internet/main/publishing.nsf/Content/pacd-ehealth-consultation
Government releases UHI consultation paper
I have now had a chance to browse the paper which can be downloaded from the above link.
Of course the document is not a consultation on the UHI. In fact the title of the document makes it clear just what it is:
Healthcare identifiers and privacy: Discussion paper on proposals for legislative support.
Translation. We know we need to get some legislation together to get started – we are not very organised in terms of aligning the jurisdictions - so we will need to just rush forward and hope for the best.
The rather messy situation is well discussed here:
National health data problems
Karen Dearne | July 14, 2009
THE nation's health ministers cannot agree on a uniform privacy framework for patient identifiers and are preparing to launch a Medicare number-based system with just a few tweaks to laws that forbid the use of Medicare data for such purposes.
As part of the $98 million Unique Healthcare Identifier program, Medicare is building a system that assigns an individual patient number to each Medicare number. Doctors and other medical providers will then be able to use the number on the Medicare card to access a person's records wherever they are held.
With the identifier service due to be ready by mid-next year, the Australian Health Ministers' Advisory Council says it cannot wait for public discussion of proposed reforms of health information privacy laws slated by the Rudd government in its response to the Australian Law Commission's comprehensive review.
Instead, the health ministers want to extend existing state and federal laws to include the new healthcare identifiers -- despite acknowledging current arrangements are "a patchwork of inconsistent and overlapping requirements" that cause confusion and increase compliance costs.
The new system is intended to ensure correct identification of patients and their health data, and will underpin more secure information sharing between medical providers.
More here:
http://www.australianit.news.com.au/story/0,24897,25777369-5013040,00.html
You can read a great deal about the NEHTA eID here:
http://www.nehta.gov.au/connecting-australia/e-health-id
The brief summary is as follows (from the site):
“The first requirement of any e-health system is the ability to uniquely identify and authenticate everyone involved in a single healthcare transaction. This includes the person receiving healthcare, the person administering healthcare, the place where healthcare is given and all people accessing health information systems.
The e-health ID Services will uniquely identify all parties involved in a healthcare transaction ensuring there are no misunderstandings about who health information belongs to. e-health ID Services enable healthcare providers to be assured that the information they need relates to the right person, has gone to the right place and was received by the right person.
Once the health information is exchanged it is also important to ensure only those authorised have access to it. Therefore Australia’s e-health system will be underpinned by a simple yet secure authorisation service for healthcare providers and healthcare administrators, using the best technology available.”
It is worth noting that most of the documents there are over 18 months old and, as an example, the Concept of Operations (for the UHI) has all sorts of ‘to be determined’ statements running all through it.
As far as I can tell there are no technical specifications as to how the service will work – and the draft privacy framework is over 2 years old. Endless quantities of business requirements however!
The problem with all this is as follows. This is meant to be a public consultation on key privacy approaches, and then legislation, for the national e-Health identifier system, and all that is offered as context is a couple of motherhood pages on what a good thing identifiers are and how we really need one for health.
Now all that may be true, but I think before I signed up to approve the quite draconian approach of using information on 20 million people to create a new identity database, using information which they gave for another purpose (getting Medicare payments), I would like to know a little more!
I would like to know answers to questions like:
What approaches are used in the rest of the world to address identification in e-Health and is what is being planned global best practice – and what is the evidence for that?
What did the various Privacy Impact Statements that NEHTA has developed say and why have they not been made available for public scrutiny?
What does the business case for this whole exercise say in terms of cost (short and long term) and benefits of this system (short and long term)? How is this system to be paid for when the establishment grants have expired?
Given the issues identified here with a similar system in the UK, what steps have been taken to understand if there are implications for Australia?
GP raises concern about PDS security
14 Jul 2009
Renewed concerns have been raised about the security of the Personal Demographics Service after a GP was able to access details of colleagues and staff without being detected.
Dr Paul Golik, a GP in Stoke-on-Trent, Staffordshire, and secretary of North Staffordshire Local Medical Committee, told the GP magazine Pulse that he had accessed his own details and, with permission, those of several other people without the unauthorised accesses being reported.
Dr Golik told Pulse that he was “appalled” that such information was available to everyone with a smartcard. More than 600,000 smartcards have so far been issued, according to NHS Connecting for Health.
Dr Golik added: “It’s basically open – we might as well put our names and addresses on Google. If I know what your name is and roughly how old you are, within about ten seconds I can find your exact date of birth, your full name, your address, potentially your telephone number and your NHS Number.”
More gruesome details here:
http://www.ehiprimarycare.com/news/5024/gp_raises_concern_about_pds_security
As I read it, any authorised provider in Australia could do the same thing – all 600,000 of them! If you reckon there won’t be one or two corrupt apples in that many providers, whatever you are smoking sure is not legal!
The bottom line is that what DoHA should have done was not produce an isolated partial consultation document with a short deadline, but a complete up-to-date package that addresses all the issues raised above, puts the issues in context and then allows a reasonable time for careful review. There is no great rush and the public should be consulted on the whole package – not just one bit.
This is a Clayton’s consultation if ever there was one!
David.