I thought it would be fun to collect up a few highlights from the Senate Enquiry. This lot are from Day 2 – March 10, 2010.
Italics show the really fun bits – sorry it is so long but context is important.
The full transcript is here:
http://www.aph.gov.au/hansard/senate/commttee/S12876.pdf
Senators in attendance: Senators Adams, Boyce, Carol Brown, Fierravanti-Wells, Furner, Mason, Moore and Siewert.
Terms of reference for the inquiry:
To inquire into and report on: Healthcare Identifiers Bill 2010.
WITNESSES
ANDREATTA, Mr Lou, Acting First Assistant Secretary, Primary and Ambulatory Care Division, Department of Health and Ageing
BANKS, Ms Robin, Chief Executive Officer, Public Interest Advocacy Centre
BIRD, Ms Sheila Margaret, General Manager, eBusiness Division, Medicare Australia
CLARKE, Dr Roger, Chair, Australian Privacy Foundation
DOWLING, Mr Anton, Business Operations Manager, Healthcare Identifiers Services, Medicare Australia
FERNANDO, Dr Juanita, Chair, Health Subcommittee, Australian Privacy Foundation
FLANAGAN, Ms Kerry, Acting Deputy Secretary, Department of Health and Ageing
FORMAN, Ms Elizabeth, Assistant Secretary, eHealth Strategy Branch, Primary and Ambulatory Care Division, Department of Health and Ageing
GIBSON, Mr Mark, Manager E-health Services, Health Information Exchange, GPpartners and Brisbane South Division of General Practice
GREENLEAF, Professor Graham, Private capacity
McGRATH, Mr Mike, Director, Health Information Regulation Section, eHealth Strategy Branch, Department of Health and Ageing
SILVESTER, Mr Brett, Deputy Chief Executive Officer, GPpartners and Brisbane South Division of General Practice
SIMPSON, Ms Lenore, Branch Manager, Healthcare Identifiers Branch, Medicare Australia
THOMSON, Mr Peter, Branch Manager, Information Management, Medicare Australia.
Page 7.
Dr Clarke—The Australian Privacy Foundation, as you are probably aware, is the country’s primary public interest organisation focusing on privacy. It was formed in 1987 and works in concert with councils for civil liberties and consumer organisations and it frequently provides evidence to Senate committees. The APF has been particularly vigilant in relation to national identification schemes. The Australian Public Service has persistently encouraged successive governments to implement such schemes. Following a rejection by the public and the parliament of the Australia Card and more recently the access card the healthcare identifier is the linchpin of the current attempt.
The APF published its policy statement on e-health data and health identifiers last year. A copy is with our submission. Our policy statement strongly supports the application of information technology to health care and strongly supports a federated approach to e-health. Our policy statement on the other hand strongly opposes data centralisation and a national identifier. Those are designed to benefit the tertiary purposes of administration, insurance and research, not the primary purpose of health care. The APF’s written submission, No. 24, was prepared by Dr Fernando and she will briefly speak to that submission.
Dr Fernando—Firstly, the key point of the submission is that the Healthcare Identifiers Bill actually contradicts the APF policy, basically entirely, so we oppose the Healthcare Identifiers Bill and the Healthcare Identifiers (Consequential Amendments) Bill. Secondly, we also want to draw attention to the impossibility of evaluating the utility of the health identifiers scheme for patient privacy and health when basically only a fraction of the proposal is on the table. Even the relevant agencies appear to know very little about how it will work in a real-life context. Finally, we are concerned about the utility of using the HI system for patient care when we know so very little about it. I will give you an example: one of the issues for us is the absence of a coherent and convenient mechanism whereby individuals will know what their own HI is.
Page 8.
Senator MASON—The evidence from yesterday is that e-health will make it easier to store and distribute information about particular individuals.
Dr Fernando—Not from the evidence I have collected in my research, no. In fact, when you talk to doctors, nurses and allied healthcare workers they are quite frank about the fact that they share logon details. NEHTA, in their own paperwork, found the same when they were doing their threat and risk assessments.
People share logon details, passwords and patient records. What happens is that one clinician downloads a whole range of patient records for a coherent view, to know everything about a particular patient’s health condition. That is then printed out on a single form and it is circulated to all of the other clinicians who work on a shift. During the shift, as people go on their rounds to see patients, they update the handover sheets and then at the end of the shift the handover sheet is given to a single person who transcribes the information back into the electronic health systems they are supposed to be using. That is the infrastructure and the environment that doctors are provided with. It is impossible for them to control patient privacy. I have done research with both clinicians—
Senator MASON—Is that any worse than the current system?
Dr Fernando—Yes, it is worse than the current system, because the health identifier is going to provide a way to index all of that information. So whereas previously I might have breached information security at some hospital somewhere and I then had to find out how I could get that person’s individual records from all of the various departments—their tax records, their surgical records, their outpatient records and so on and so forth—with the HI I have got the key to all of that information. So, yes, that is what is going to happen.
Page 9.
CHAIR—One of the things that we discussed, and Senator Mason highlighted it there, was that the current system allows people’s information to be insecure if people have bad practice.
Dr Fernando—It does allow people’s information to be insecure.
CHAIR—Sorry, but I just want to get that clear. Is that so, Senator Mason?
Senator MASON—It simply raises the danger; is that right?
Dr Fernando—It raises the danger from a few hundred records to millions of records.
Senator MASON—I understand.
Page 9.
Senator MASON—Thank you for that, Dr Fernando. We have run out of time. I want to get straight to the nub of what I see as perhaps the most cogent issue. Dr Clarke, you might also be of assistance here. All those issues are fine, and I understand them, but the issue that concerned me was a simple issue. You are setting up a universal personal identifier. You have a number that identifies every Australian. I think e-health is a great thing. I think that as a matter of principle it is terrific. We had evidence yesterday that the medical profession will find it very useful. I think that is all very noble and a very good thing. But it is about what hangs off that number. It is about the capacity for what you would call incrementalism—
Dr Clarke—or function creep.
Senator MASON—So that is what it is called, Dr Clarke—function creep. What I asked yesterday, and I am sure the chair will recall this, was what the whole scheme was going to look like. One of the witnesses said, ‘Look, we can’t hold back. We have to establish the number first.’ What worries me is that if we establish the number first we establish the infrastructure for a scheme that could be far larger in its scope than simply ehealth.
Dr Fernando—That is right.
Senator MASON—Dr Clarke, do you follow what I am saying?
Dr Clarke—Very much so. If I could just do a couple of generalities and then lead to that, from the viewpoint of complex systems generally—and particularly national schemes of this nature—there is far more to it than just the identifier. The identifier provides a link between an individual and data held in records. A system of this nature involves use of the identifier to give a key to records in a database. In this case, it is going to be a record in a central database whose intention is to provide ready access to many other pre-existing databases. So it is, if you like, the hub of a highly distributed network of databases. That is the purpose of the health identifier. It is not something in a vacuum; it is to enable access to large numbers of databases.
That led to the point that has just been discussed: now we have 500,000 people who have access to using this number out to vast numbers of databases that were previously islands. There is a downside to there being islands: when you want a discharge summary to go from the hospital to the GP, you do not want them to be islands; you want them to connect in respect of that particular data. But now it is going to be unconstrained because those linkages are available to all of the 500,000 people gaining access. Now we have got to build some complex mechanism to somehow limit that access, to somehow authenticate every healthcare provider and every administrator in that 500,000, identify them and authenticate them reliably and keep them out of the stuff that they should not have access to. What we do is create enormous scope for leakage of the most sensitive data in the country, as far as individual consumers are concerned—healthcare data always comes at the top of the list in all the surveys.
Dr Fernando—If I could just add, too, this is going to be the most up-to-date, well-maintained database of Australians’ names, addresses and ages that is in existence at the moment. So this is going to be the richest source of data that exists in Australia at the moment.
Dr Clarke—And if I can apply another buzz phrase that is used in this area, it represents a honey pot. If you are organised crime or if you are a kid in a back bedroom with considerable skills who is looking for interesting things to break into, you look for the honey pots that have got substantial amounts of data that could be interesting. So by pooling all of these hitherto quite isolated databases—subject to varying degrees of existing security; I agree, Chair, that is quite clear—you are creating an attracter for those people to gain access to.
Page 11.
Senator FURNER—Also in your submission you say:
The lack of direct consumer and patient access to their HI is likely to swell the health black market as individuals self diagnose to protect their privacy. Aren’t we jumping at shadows with that sort of statement? Aren’t we talking about people having the ability to access records comfortably and confidently—that is, getting those records without asserting that there is some sort of black market happening here?
Dr Clarke—I will start by answering generically. We are having to jump at shadows because we have this much of a proposal available to us. To an extent yes, we have to think ahead, so partly I agree with the implicit proposition, not specifically.
Dr Fernando—All I would like to add is to reiterate what Dr Clarke said and also to say that there is evidence to suggest that that is the way that patients who are concerned about their privacy respond to what they perceive to be control of their information. Some work was done in California and also in New Zealand that bears that out. To me, the health black market is fairly simple and that is the number of spam emails that I receive wanting to sell me various prescription drugs for my own purposes so I can self-diagnose and decide what I think I need or do not need and then order it over the internet or through spam.
Page 13
CHAIR—We will reconvene. I am not going to keep doing it for every witness, but I am just going to put on notice the apologies from our committee. Our schedule has been put back considerably, but we will not compromise on anyone’s chance to give evidence. You will get your full chance. I said before we left that you would have 10 minutes from when we returned.
Dr Clarke—We were discussing, as I recall, Senator Mason’s question relating to whether the bill is necessary for e-health and that related to Senator Furner’s earlier question about whether the bill is necessary for e-health data security. One of the key things that I wanted to convey was that there is a real opportunity in e-health not to adopt a centralist approach but to look for what in business we call ‘low-hanging fruit’ which are the big payback items capable of being addressed now. If the industry were to target some of those then we are in a position to do all the e-health we like taking advantage of interoperability standards, protocols, the various discussion for a that exist, which we believe is NEHTA’s real role, to get very high payback.
One of the sorts of things that we are thinking of as an example is chronic conditions. In the event that there were a voluntary IHI arrangement—which was under discussion until quite late in the piece—there is a fair bet that a very large proportion of people who suffer chronic conditions would say, ‘The trade off between my privacy and the centralisation and the risk factor to that data versus improvements in care because I have so many people who need access to so many bits of my data is such that I’ll sign up.’ I think many chronic care patients would love to do that, whereas many of the rest of us would prefer the opposite. So that is one example where, if you target some of those chronic conditions that are of considerable importance, you can achieve a lot of progress.
Page 14.
Senator ADAMS—Coming back to the person with chronic disease accessing public hospital treatment and then private hospital treatment, how do you see the private hospitals taking up this technology? Do you think they will? Just where will we go with the private providers?
Dr Fernando—There are some core difficulties in making that prediction. Part of the core difficulty relates
to the technology that is being used for the health identifier. There are basically two core standards that I am discussing in Australia. They are both under the auspices of HL7. One is a HL7 2; the other is HL7 3. At the moment most of the hospitals and health organisations in Australia use HL7 2 technical standards to intercommunicate. The HIA, though, will be based on HL7 version 3, which is completely different. So it is going to require some kind of short- to medium-term reinvestment in terms of technology for those kinds of information exchanges to take place. At the present they cannot take place.
Page 16.
BANKS, Ms Robin, Chief Executive Officer, Public Interest Advocacy Centre
CHAIR—The next witness is Ms Robin Banks, by telephone from the Public Interest Advocacy Centre. Ms Banks, I sincerely apologise for holding you on the line as long as we have had to do so. I know you have another appointment at 5.30. We have your submission. We will hear any comments you want to make and then we will have some very short questions from senators.
Ms Banks—Thank you for the opportunity to speak to you today. As we have identified in our submission, PIAC has had a longstanding interest in and concern about healthcare consumer and privacy issues. We are certainly keen to ensure that any implementation of electronic health records and systems in Australia is not marred by failures to ensure adequate consumer protection. The willingness of consumers to engage in electronic health systems will depend entirely on the system being implemented in a way that ensures security and protection of privacy and that also respects the centrality of the consumer, the healthcare recipient in the process. We are keen that parliament ensures that the Healthcare Identifiers Service is consumer centred and that consumers are aware of the service, its purpose and development to date and that consumers can feel, through a sense of openness and transparency about those developments, that they can have confidence that their personal information and access to the records is properly secured.
As the committee members will be aware from our submission, a key concern that we have is that this legislation is being progressed out of step with the reforms to the federal Privacy Act, particularly the reforms in the area of health privacy. From our point of view that is extremely unhelpful and risks undermining the confidence of consumers that the government is taking a holistic approach to health privacy and electronic health records—or even that government has made the clear connection between electronic health record development and the centrality of privacy law.
We believe the scheme is not well understood by the general public. I occasionally hear people say, ‘Oh, I understand there is something going on’, but people do not know what the developments look like or mean.
Without better information to the general public it is likely that many people will link it to the failed proposal of the former federal government to implement a health smartcard. While the two proposals are different, both show the potential for privacy breaches that could have significant and damaging impacts for consumers and both show the potential for function creep. That is one of the issues we have raised in our submission. In our view parliament needs to be vigilant to ensure that it does not pass legislation that is insufficiently clear and precise in the scope of the powers that it vests in the executive and it should not pass legislation that is insufficiently clear in its purpose. The current bill fails in both regards. The purpose, in our view, is overly expansive. We are already seeing in the bill the potential for function creep. The potential for key elements to be determined through regulation is also significant in the bill. Our concern about that is that regulatory processes do not enjoy the same level of public or parliamentary scrutiny.
Finally, in our view the bill remains underdone in the area of consumer rights and protection of data.
Healthcare recipients seem to be on the periphery of the design of the scheme and have very few express rights. There is also very little comfort, I think, for consumers to be gained from the limited information security obligations.
From our point of view more needs to be done to ensure that this legislation is in step with the major reforms being undertaken in the area of health privacy law at a federal level and to ensure that consumer confidence and trust can be maintained. Without that not only does the legislation risk undermining the development of effective electronic health records but also a loss of trust in this area will inevitably flow to other aspects of government operations, not only in health but beyond. A failure to protect such core information as consumer health information can only spread a lack of confidence in government more broadly.
Thank you.
Page 17.
Senator FIERRAVANTI-WELLS—Can I maybe kick off. Ms Banks, it is very clear from your submission that you are very much opposed to the bill. What is your suggested course of action? You are obviously concerned that there has not been sufficient consultation at this point, so what would you suggest as a way forward on this?
Ms Banks—There are two things. The first would be to ensure that there is a much broader public consultation process, not simply with those who are in the know—organisations like ours. More importantly, we think the legislative scheme should be deferred until the federal health privacy reforms, the reforms in the Privacy Act itself, go through. I heard some of the evidence from the Australian Privacy Foundation, where Dr Clarke referred to the issue of pseudonymity. Certainly, those sorts of issues are going to be picked up, we hope, in the reforms to the Privacy Act and should therefore flow on to anything that has privacy implications, like this legislation. So our primary concern is to defer consideration and further development of this scheme in legislative terms until the privacy reforms have been implemented and legislated. They will then inform this process much better. At the moment we are still waiting for those reforms to be finalised, and it may in fact give people a great deal more comfort if they know what the obligations are under the overarching privacy law.
So those are the two things—firstly, much broader consumer consultation around the whole underlying idea of electronic health records, what their purpose is and how they might benefit consumers; and, secondly and more importantly, bringing it into step with the federal privacy reforms.
Senator FIERRAVANTI-WELLS—So you think that if the consultation process had included broader, community-wide consultation there might not be as much enthusiasm for identifiers and, as a consequence, identifiers as the first step in e-health. Is that what you are saying, in a nutshell?
Ms Banks—That is a pretty good synopsis. I think that, if people were asked, ‘Do you want to opt into a system,’ as part of this process, there would be a whole lot less concern. But I think, fundamentally, that if you start talking about individual health identifiers without a good community information and consultation campaign, there is a significant risk of push-back.
Page 17.
Senator FIERRAVANTI-WELLS—In short, obviously your view is basically that the public has a lot more of a right to know about the policy underpinning of this whole issue, not just the identifiers but the identifiers as the first step in a much broader policy area.
Ms Banks—Yes, that is correct. The right to know what is proposed is critical. While I certainly have concerns about Medicare, equally I probably have concerns about any suggestion that somebody else could do it whereby there is a likelihood that there would be even less scrutiny available. So I think we really need to get it right as to whoever does it. I think it should be a government authority, so there is that level of accountability to parliament that government authorities have. We really need to get it right before we go down that track and we need to ensure that the community understands not only what is proposed and what the benefits of electronic health records can be but also who will have access to the information and in what circumstances.
Senator FIERRAVANTI-WELLS—Given the evidence thus far—and obviously you followed the evidence yesterday, which was really from those who perceive that there will be a benefit—in summary what you are really saying is that the biggest component of this whole program, starting from the health identifiers and going right through, is the consumers and you are expressing grave reservations from a consumer perspective.
Ms Banks—Certainly for us the central question is: what will the impact of this be on consumers? As I said in my introductory comments, I think there are clearly some benefits to be gained through the effective use of electronic health records, but at the moment there is too much risk in the legislative scheme that is proposed.
Senator MASON—I think that before you used the words that there is a risk of public pushback. Is that right?
Ms Banks—Yes
Page 19.
GREENLEAF, Professor Graham, Private capacity
CHAIR—Good afternoon, Professor Greenleaf. We apologise for holding you up. We have your submission and thank you very much for it.
Prof. Greenleaf—My apologies for it being so late, but I was scrabbling to get everything done in time. I apologise for a few typos in it as well. I will send a corrected version.
CHAIR—You have information on parliamentary privilege and the protection of witnesses.
Prof. Greenleaf—Yes.
CHAIR—Please make any opening comments you have and then we will ask questions. I hope this will take about 20 to 25 minutes so that gives you some idea of the time frame.
Prof. Greenleaf—I am a professor of law at the University of New South Wales and co-director of the Cyberspace Law and Policy Centre in the law faculty there. The fundamental problem that I would identify with this bill is essentially its incompleteness. It covers a small but central element of a much broader health identification and surveillance system, including the crucial element of electronic health records. Having a bill like this before you is similar to the position that parliament faced when the access card bill was introduced in 2007. That bill was very strongly criticised by the Senate committee that examined it, partly on the basis that it only covered a fragment of the overall legislative proposal. I think here you are looking at an overall identification system which shares a surprisingly large number of elements with both the Australia Card scheme of a couple of decades ago and the access card proposals of 2006-07.
In my view the Senate and the parliament is being put in an unreasonable position of being required to consider this bill in isolation from the full system that the government is proposing to implement, particularly concerning electronic health records. As the Victorian Privacy Commissioner has succinctly pointed out in her submission, this bill is artificial and limited because it does not deal with the broader privacy issues concerning e-health and in her view this guarantees function creep. As a result she says basically what I am saying that this makes it unreasonably difficult to adequately assess whether the safeguards in this bill will ultimately be sufficient or effective. For that reason I consider that this bill should be rejected in its current form until the full package is presented to the parliament. I cannot see any significant adverse consequences coming from delaying this bill until you have the full picture in front of you.
That was also the view I think taken by the privacy impact assessments commissioned by NEHTA. They were adamant that this was a major issue and, as Clayton Utz put it, there needed to be a new regime of privacy laws that were necessary before a universal health identifier was introduced and I have detailed that in my submission. My principal submission is that because of its fragmentary nature parliament should not pass this bill in its current form. I also think there is a significant issue that needs to be examined in the fact that most of the recommendations made by the second PIA Clayton Utz and the third PIA Mallesons Stephen Jaques have neither been implemented by NEHTA nor have they been embodied in this bill. There are about 30 or so recommendations, depending on how you count them, that have not been adopted. While one would not expect the government to adopt all recommendations made in a PIA, in my view, it is an essential part of the process that, where you have a PIA being done on a really important project like this, the government should systematically state why it has rejected each of the recommendations that it has rejected. Given that one of the main functions of the PIA is to in a sense give the Privacy Commissioner ammunition for considering what recommendations her office should make, I think the commissioner should also be required to state whether she supports or opposes each of those recommendations that has not been followed through on in the PIA. If we do not have these two elements then the PIA process remains substantially incomplete and becomes rather farcical in fact.
A third point I would like to make is that I think it is extraordinary that there is provision in section 6 that who runs the healthcare identifier system, the service operator, can be changed by regulations. One day it could be Medicare and the next it could be a private-sector operator. I would be very surprised if many people in Australia would regard with equanimity a private sector operator running a key element of national identification systems in such a sensitive area as health. I personally do not think any legislation should ever allow a national identification system to be operated by the private sector. Even more strongly than that, no legislation should allow a step like that to be taken without the full scrutiny of the legislative process not merely the potential disallowance by a bills and ordinances committee.
They are the three broadest submissions I have made. I will briefly mention the others in my submission in case they are of interest to particular senators. I think there should be an obligation for healthcare providers or Medicare to proactively tell a person when an individual health identifier has been allocated to them. As the process stands at the moment under the bill, it can and often will happen completely unbeknownst to the individual concerned. There might be elements of it that are wrong—it might have been allocated to the wrong person or the wrong name—but individuals affected by this will not be proactively notified. I do not think that is desirable at all.
There is also the question of the compulsory nature of the number. All of the original proposals in this area, as summed up by the Victorian Privacy Commissioner in her submission, were based around person controlled electronic health records. But, as she says, it does not seem to be consistent with a patient or person controlled system that we now have compulsory allocation of health identifiers. They will very probably become a de facto condition of obtaining health care. So my submission is that the bill should provide and guarantee that the use of the health identifier not be a condition of obtaining health care. No doubt it will be attractive to the majority of people, but there will also be many people who are very wary of providing identifying information in order to obtain health care, and we should avoid forcing them away from the healthcare systems.
Furthermore, in the bill at the moment there is not even a right of appeal against the provision of health identifiers. It is left to regulations to provide a right of appeal, which I submit is not acceptable for as important a thing as your rights in relation to this type of health identification system. I have put in further submissions about protection of anonymous health care, but I think many others have covered that in more detail than I have.
Finally, I will make some comments about a couple of aspects that are to do with inadequate controls on function creep and data matching. First, although there certainly is in clause 27 of this bill a serious attempt to stop uses outside the extremely wide—perhaps overwide—definition of ‘healthcare related purposes’ that is in the bill, outside that there is an attempt to stop the usage of the numbers of the private sector. But there is a major hole in the clause 27 prohibitions, and that is that any state or territory law can allow any other uses or disclosures. That was not recommended by Clayton Utz and it does not appear in the Mallesons recommendations either. I think that is an unacceptable avenue for function creep.
Secondly, I would point out that the way in which Medicare can obtain information to create the health identifier database is extraordinarily broad in that, by regulations, any organisation whatsoever can be declared to be a data source under clause 11, which has the effect of authorising them to disclose identifying information of a healthcare recipient to Medicare in order to create the health identifier database. Medicare can, without parliamentary authorisation, end up indulging in perhaps the most massively broad set of what would otherwise be breaches of the Privacy Act since the data-matching legislation. So I would propose that those forces should only be authorised by being specifically named in the legislation, therefore putting the matter back under the control of the parliament, where it belongs for something as important as a huge datamatching exercise like this.
Finally, on the subject of data matching, the Mallesons’ PIA recommended specific legislative restrictions on law enforcement security agencies being able to access the databases that are built for the purposes of operating this health identification service. At the moment in so many areas a very large number of organisations, not just law enforcement and security agencies but tax and others, have statutory rights to obtain information from other organisations—including government agencies, as you all know—and the bill as it stands completely fails, as did the access card bill, to place any limits on that because clause 15(2)(b) allows Medicare to allow disclosures for a purpose that is authorised under another law. So we have a huge and really undefined array of current demand powers that can be used to extract information out of this new universal database.
I propose in my submission that both the department and the Privacy Commissioner should be required by the Senate to identify all the current situations where disclosures under clause 15(2)(b) may be possible under another law so that the Senate can see whether that is at all justifiable. I think you will find that it is not and that once the breadth of that comes to the light of day it will be obvious that there should be more restrictions on access to this sensitive information.
I think I have probably said as much as I should. The most general theme through what I have said is that as with the access card, and as I found in Hong Kong when I did a study of their ID system, the biggest problem in this type of legislation is that it takes control of the expansion of the system out of the hands of the parliament and gives it to the bureaucracy via regulations, and as a matter of liberties of the citizen I think that is very definitely the wrong approach.
Page 21
Senator FIERRAVANTI-WELLS—I specifically asked her about clause 15 and a similar provision. One was clause 15(2)(b), to which you referred, and the other is clause 26(2)(b), which is in similar terms. Her response to us was that this is now stock standard phrase, a stock standard insertion in legislation, and effectively she dismissed it in that way. What is your view?
Prof. Greenleaf—Yes, I think that is rather extraordinary—although she may well be right in saying that it has become stock standard. But that is not to say that it should be. When you are dealing with parliamentary authorisation of databases containing information as sensitive as this—the key to the medical records of the whole Australian community—the importance of this database surely requires some special attention to which agencies can get access to the information. And what might be fair enough for the customs department or the tax department to get access to in other situations might not be fair enough here. I do find it rather extraordinary that the Privacy Commissioner should think that there is a one-size-fits-all approach to what government databases other government departments should have access to.
DoHA and Medicare Australia Staff
Page 25.
Senator FIERRAVANTI-WELLS—But my point is the fact—and I guess this is really the gist of it—that you have obviously set up this system. The article is headed ‘Medicare sets honey pot’. You have obviously had a problem in Medicare Australia because you have seen fit to set up some sort of system to try and find people who are actually snooping. Is that correct or not correct?
Ms Bird—I would say that every organisation that provides service delivery to members of the public sets up a system so that it can identify if its staff are inappropriately accessing records so that it can take appropriate action to investigate that and, if found to be upheld, take appropriate action against staff members.
Senator FIERRAVANTI-WELLS—Is this the first time you have done it, or have you done it in the past?
Ms Bird—November 2006 was when Medicare Australia started proactively investigating staff access. So that has been in place—
Senator FIERRAVANTI-WELLS—Right. So you did not do it before that.
Ms Bird—Not in that same way. Prior to that, if breaches of privacy were complained about, then action was taken. But this is a systemic, proactive approach to identifying possible unauthorised access to records.
Page 26.
Senator FIERRAVANTI-WELLS—Ms Bird, I am asking you, in your position as head or general manager of your division: can you give the public of Australia an assurance that there will not be breaches if you are given much greater responsibility and, as you would agree, the potential for accessing a greater scope of information? Can you give this committee and the public assurances along those lines? Yes or no will suffice.
Ms Bird—When you have staff who have access to systems, it is impossible to give you or anybody else a 100 per cent guarantee that no staff member will ever access somebody’s record that they are not entitled to. If I were to give you that assurance today I think I would lose any credibility whatsoever with this committee.
However, what I can assure you is that Medicare Australia has education and training in place so that all staff understand what their responsibilities are. All staff get refresher training and all staff receive a message from our CEO twice a year which reminds all staff of their roles and responsibilities. So we have a very proactive education program. We also have the big stick which is our very proactive audit program so that staff know that if they do inappropriately access records then they are likely to be found out and action will be taken in relation to that unauthorised access.
Senator FIERRAVANTI-WELLS—What, a rap over the knuckles?
Ms Bird—There are a range of actions that are taken. Yes, these range from a rap over the knuckles and also involve demotion, fines and dismissal.
Page 27.
Senator FIERRAVANTI-WELLS—This is the first step in personal e-health records—this bill builds that foundation. You might have heard the evidence that the professor gave earlier. Why isn’t the Australian public aware of the whole picture? Did you hear the evidence that the professor gave?
Ms Forman—Yes.
Senator FIERRAVANTI-WELLS—Do you have any comments in relation to that? Why is this bill not looking at the whole picture, the whole policy that underpins what you are beginning to do?
Ms Forman—You are probably aware that there has not been a government decision to fund, design or consult on a national electronic health record as yet. It is one of the key recommendations of the National Health and Hospitals Reform Commission. I am aware that the government has consulted quite widely on these recommendations but, as you have said, the concept of a national electronic health record is very complex and there are a wide range of issues that would need to be consulted on and debated. A lot of expertise needs to be brought in to look at different design options and to look at the privacy impacts. There is a whole body of work that would need to lead towards the development of legislation and a regulatory framework that would apply to electronic health records.
Senator MASON—But why should we pass this now? Why should we do that?
Ms Forman—I found the evidence yesterday very compelling.
Senator MASON—I didn’t.
Ms Forman—I think the immediate benefits—
Senator MASON—Honestly, we take you on trust!
CHAIR—Senator Mason, do not talk over the witness.
Page 27.
Senator FIERRAVANTI-WELLS—All right. I guess the point that Senator Mason was making is that surely the public has the right to know what are the policy issues surrounding the planned for healthcare record as it considers this bill. That is really the point: you are enacting a very small proportion of what is a much, much broader policy point and this is the point that Senator Mason and certain witnesses were making. Surely the public should be aware of the bigger picture about what these identifiers are going to do before this piece of legislation is enacted?
Mr Andreatta—I will address the question. The points made by the witnesses yesterday about this legislation delivering benefits on its own to the health system were very important. It is a foundation or building block to enable the use of health information in the future around electronic health records, e-referrals and e-prescribing. By itself, it is important legislation that needs to be embedded into the system, and it will take a number of years before it is embedded and government is able to implement an electronic health record system, if it chooses to do so. Yesterday we were told that there was some urgency in investing in e-health.
Identification is paramount and it needs to be accurate before any consideration is made of future uses of such identifier functionalities as the electronic health record.
Page 28.
Senator FIERRAVANTI-WELLS—The point is that you are not doing this, Mr Andreatta, because you want people to better identify; you are doing this is a first step to the next program, and I take it that the next step is to deliver e-health. Otherwise, are you doing this just for the sake of helping people to identify records?
Do you understand my point? You are doing this as part of a much broader program, and you have obviously invested quite a bit of money in it already. The point that Senator Mason and others have made is that surely the Australian public, before it gives its okay to the first steps, should have the right to know what the bigger picture is of where this department is trying to go. That is a simple question.
Mr Andreatta—As Ms Forman said, government has not decided on progressing with an individual electronic health record system as yet. It is still under consideration, so we are not able to provide the full scheme information that was discussed yesterday with witnesses.
Senator FIERRAVANTI-WELLS—I want to understand why you are embarking on this if you are not going to take the next step, which is e-health and e-health records. I do not know how much you have spent already on this, but obviously quite a bit of money has been spent. I am not saying one thing or the other; I am not arguing pro or anti. I am just trying to understand why you are taking the first step if you have not thought the second and the third steps through.
Mr Andreatta—The e-health strategy is a sequential strategy. The building blocks need to be in place before we look at what products or functionality can be rolled out in the future. The emphasis has been on getting those building blocks in place—the secure messaging, the identifier service. That is all part of preparing ourselves for what we can do in the future in e-health.
Senator FIERRAVANTI-WELLS—But surely you must know where you want to go to prepare a proper framework to start with. You must know where you are going to go to ensure that what you are building now is adequate for what you are trying to do in the future. I do not understand why you have not thought that through. That is the point that a lot of the witnesses have made in their submissions. It seems to me that you are putting in place the building blocks in isolation from the long term plan. If you think that that is fine and you are happy to spend millions of dollars with this process, say so. That is my point.
Ms Forman—There has been quite a bit of thinking and work done around where e-health is headed. While there are a lot of benefits that can be reaped along the way, there are steps in that journey. I think identifiers have been identified by a few of the witnesses here at the hearings, based on international experience, where electronic health records have relied for their accuracy and indexing on a national identifier. We do understand enough about the endpoint to know what needs to be in place as building blocks.
Senator FIERRAVANTI-WELLS—So do you have a business case for the next stage?
Ms Forman—There was funding provided to the department to develop that business case.
Senator FIERRAVANTI-WELLS—So you have the building blocks first, and the business case for the next stage covers how much it costs—and what is that?
Mr Andreatta—That is still under way. We are still working on the business case.
Senator FIERRAVANTI-WELLS—How much has that cost so far?
Mr Andreatta—We will have to take that on notice.
Ms Forman—We can get that from the department—the allocation of funds that have gone into the project up till now, is that right?
Senator FIERRAVANTI-WELLS—And I would be very interested to know how much you have looked ahead. A lot of this involves specialist IT and, given some of the evidence that we heard yesterday, what specialist skills do you have in the Department of Health and Ageing that will ensure that you will be able to meet your goals? Do you have a plan for e-health in the department? I assume that is where you are heading.
Has somebody drawn up a plan for the ultimate route you want to go down on e-health?
Ms Forman—We have a national e-health strategy that has been agreed by health ministers, which is the guide to e-health implementation for governments.
Senator FIERRAVANTI-WELLS—So you have a general outline. Has somebody worked out what the ehealth strategy is going to cost?
Ms Forman—There are costings for some elements in the e-health strategy. That is available publicly; it is on our website.
Senator FIERRAVANTI-WELLS—And you have the specialist skills in the department of health, which is running that?
Ms Forman—We ensure that we recruit specialist skills for each item on a work plan within the e-health branch in the department.
Senator FIERRAVANTI-WELLS—Have you got time lines around those?
Ms Forman—Time lines for our current work plan? We do.
Senator FIERRAVANTI-WELLS—How far into the future have you worked a time line?
Ms Forman—You would probably be aware that most governments government departments work on their immediate work plan rather than into some possible work that they might be doing in future.
Senator FIERRAVANTI-WELLS—Have you worked on how long you think it is going to take for your e-health plan to be implemented?
Ms Forman—The national e-health strategy is a plan that runs over 10 years. I think it was released in December 2008.
Ms Flanagan—There is a publicly released plan of what I believe governments have agreed to do. You would appreciate that, in order to enable that to occur, the decisions need to be taken about funding, et cetera.
Page 30.
Senator FIERRAVANTI-WELLS—I am more interested in concrete planning. Yesterday some evidence was given about funding of the system. You may have heard the evidence of the AMA and other people who attended yesterday. Obviously software vendors, doctors, specialists and other medical professionals are going to have to invest in such a system. Do you envisage that the government will be helping them or will they be out there on their own? How is the system going to be funded? Is it envisaged that they will be compensated for taking up a new system?
Ms Flanagan—There was some interesting discussion on costs yesterday. Our view is that it will vary significantly depending on the type of organisation, the type of systems they will be using, the size of the organisation and the approach they will be taking to adopt identifiers. Upgrades of systems are pretty much par for the course for organisations that are using IT systems to administer their services and to maintain patient records, so the introduction of identifiers may well be picked up as part of that regular upgrade process. It is an issue on which we are continuing to have discussions. We have programs within the department that we have been using for a number of years to assist the primary care sector to adopt and improve their capability in ehealth.
Senator FIERRAVANTI-WELLS—Yes, one was the PBS. It was referred to, I think, by one of the organisations that you helped incentivise uptake of those things. I guess what I am asking is: what assurances will these vendors, doctors, specialists and other medical professionals be given as to how the system is going to be funded? Is that something that you are planning?
Ms Flanagan—It is an area of further consideration and consultation. I think as we—
Senator FIERRAVANTI-WELLS—It is new, so you are not sure whether you are going to fund it, they are going to fund or it will be a bit of both?
Ms Flanagan—That is right.
Mr Andreatta—Senator, it might be worth noting that there is already an incentive in place for e-health take-up for general practice providers. They are incentivised to adopt some of the building blocks for future use of e-health—for instance, secure messaging and encryption products on their software. So we are already at this stage incentivising practices to improve their software and systems to take advantage of what is coming around the corner.
Page 32.
Senator BOYCE—Ms Bird, you would have heard evidence I think this afternoon suggesting that individuals should be advised when a health identifier is issued on them. Is that possible?
Ms Bird—The design at the moment is that all individuals that are on the Medicare Australia or the Department of Veterans’ Affairs database will automatically be assigned a Healthcare identifier. What the committee has not been made aware of, I think, is that individuals will be able to access that identifier themselves and they will be able to access that identifier through web services via the telephone or face to face at a Medicare Australia service centre.
Senator BOYCE—How will they know to do that? How will they know what the number is if they have not been advised that they have got one?
Ms Bird—They can contact to find out what their number is.
Senator BOYCE—Over the internet?
Ms Bird—Yes.
Senator BOYCE—As well as well as by phone and in person?
Ms Bird—Yes.
Senator BOYCE—What about the issuing of health identifiers to people who do not have Medicare cards?
Ms Bird—Where a person does not automatically receive a healthcare identifier, they can apply to get a verified healthcare identifier via a Medicare Australia service centre. They would need to provide evidence of their identity and they would be able to have a verified identifier allocated—
Senator BOYCE—But can a health identifier be provided to someone who has not asked for it?
Ms Bird—They will only get one automatically if they are on the Medicare database or the veteran’s affairs database. If they are not picked up in that process, then they will be able to get an identifier in one of two ways. They can apply to Medicare Australia for a verified one, and that would only be on their application, or if they are having an episode of health care the healthcare provider can allocate the person what is referred to as an ‘unverified health care identifier’ that that person will be able to use.
Senator BOYCE—It is like a temporary one.
Ms Bird—Yes. They can then have that identifier verified by providing the appropriate evidence of identity through Medicare Australia.
Senator BOYCE—How would people know that they had an identifier? I know you are saying that everyone automatically gets one if they are on Medicare, but where are they told that?
Ms Flanagan—My colleagues tell me there will be a communication strategy.
Senator BOYCE—Oh good; do tell.
Ms Flanagan—They can possibly provide more detail than that statement.
Ms Forman—There is a team that was formed some time ago of communications experts from each of the state and territory jurisdictions, from the Commonwealth and from NEHTA. Medicare staff have also been involved in developing a communication strategy and plan. The intention is that people will be informed. That may not necessarily be by a direct mail but could be posters and pamphlets at healthcare providers. That plan is still being developed and finalised.
Senator BOYCE—When would that start, Ms Forman?
Ms Forman—That is a good question. I do not have the date but I am sure there will be information out there.
Page 34.
Senator FURNER—Your submission is appropriately referenced to a number of statistics I wish to refer to. I would like you to elaborate on things like 18 per cent medical errors as a result of the introduction of the bill and further on down the track there will be a saving in that area; a conservative 10 per cent reduction on messaging costs, and overwhelmingly from yesterday’s evidence, an enhancement of safe and efficient lifesaving outcomes. Can you just expand on those references and, based on the evidence we heard yesterday, on the positive outcomes of these bills?
Mr Andreatta—We can table the details of those statistics referenced in the submission if you would like. They basically give you the background to what the statistic refers to and referenced to the complete document.
Senator FURNER—Is that consistent with what you already have in your submission?
Ms Forman—In our submission we did not actually provide the source references, so this provides those.
Senator FURNER—That is the same as what is in your submission and I already have that in front of me. I was hoping you would be able to elaborate further on what I have already seen and heard.
Ms Flanagan—In terms of the evidence that was given yesterday about the benefits of having this new identifier, Jane Halton the secretary was going to be here tonight but she was called away to another meeting, so at the last moment I got deputised to do this. She received an email from somebody yesterday who had been listening to the evidence. He provided a real life example of his father who was 86 years old with type 2 diabetes. This goes to privacy issues about the fact that his father is in a major university teaching hospital with pneumonia. He says that the care provided in the hospital was absolutely excellent. He has been an inpatient for four weeks and, because of the manual systems in place, there is very little security and privacy about his father’s medical history. As we would all know, if we have been in hospitals, the records are frequently open and available in nurse bays, they are left on trolleys and they are often stuck to the end of the bed so that anybody can see them. They indicate the patient name, location, type, diet and other personal information. That is not the fault of staff, of course; that is the way that the paper system operates at the moment.
I think that evidence was also given yesterday about the varying quality of the handwriting of some of our clinicians working in hospitals. This man thinks that it would be very easy at the moment to gain access to information without consent or authority and that an online system with security and PIN access would allow an audit trail and more readily detect unauthorised access. The secretary wanted to talk about a personal example that was brought to her attention and outline what she thinks and what the benefits of this identifier will be.
Page 35.
GIBSON, Mr Mark, Manager E-health Services, Health Information Exchange, GPpartners and Brisbane South Division of General Practice
SILVESTER, Mr Brett, Deputy Chief Executive Officer, GPpartners and Brisbane South Division of General Practice
Senator FIERRAVANTI-WELLS—In your submission you observe that many projects … can fail at the point of implementation due to human and social factors. We recommend that early demonstration projects be suitably funded to showcase the potential for eHealth …
Funded by whom? And do you have any sorts of demonstration projects in mind?
Mr Silvester—We are implementers. The passage of the bill is for you guys to deal with. We are being funded to do things like Closing the Gap programs for Indigenous populations. We are being funded to deliver chronic disease programs so we try to link better delivery of healthcare services and use this as an information infrastructure. You asked who should lead it. We think the ones who are actually delivering some sort of community based healthcare services.
Mr Gibson—A key part at the start of your question related to the failure of projects. Our view would be that it is the change management. How do those projects get accepted in the community by general practice and different organisations that need to collaborate, interact and work together? There is a lot of community based change and the fear of technology has to be overcome when you introduce technology. When we introduce shared electronic health records, our view is you have to work with various aspects of connectivity at the front line. You have to work with clinicians to look at their work practices and what happens in their practices, the sorts of impacts you have to have and make sure that the changes you are going to bring about are managed in a way that fits in with their normal practice so they will use what you provide and it will be effective. The area we are highlighting is that change management needs to be emphasised in terms of going forward and the funding for that is often ignored in projects. We believe by doing change management a lot of lessons can be learned in key exemplar projects. Then those lessons learned can be transferred to other parts of Australia and scaled to a national approach.
Page 36.
Senator FIERRAVANTI-WELLS—Okay. Earlier you may have heard some of the questions that I asked about assurances about how the system should be funded. I did not quite get the sort of straight answer that I was interested in, but I guess that, from your perspective, those are the sorts of assurances you would want.
The cohort of people who are going to have to implement the new system will take up new systems. Would you be looking for full compensation or, if not full compensation, at least some part involvement? In other words, if you have this new system and the government says, ‘That’s great; we’ll provide the framework but it’s over to you,’ how much, at the coalface, do you think people are actually going to uptake—do you see what I am getting at?
Mr Silvester—The benefits of better health care systems are actually to do with the patient, and what we all have to be focused on is better health outcomes. You have to derive the benefit from the healthcare program, so, ultimately, my opinion is that the healthcare programs themselves should fund their use of the healthcare infrastructure, much like a hospital currently funds its use of water or power. So, we need to get to the tipping point where everybody relies on that, and we are suggesting that you do need to fund e-health separately until you get to the point where it is business as usual.
Mr Gibson—Part of this is going to be: what are the sources of funding and how do funds manifest in the community to get e-health going? Public health organisations have a density of funds that they put into infrastructure, so hospitals will have IT systems and e-health systems being built. In the community it is much more fragmented. The density of funds is not high so the uptake is very low, and it is a challenge for us and other organisations as to how you start to take this up. So you do rely on sponsorship out of DOHA for community based infrastructure to initially kick-start these sorts of projects. There are various tools and mechanisms for doing that, but our belief at this early stage, where we are still trying to understand what sorts of things will work in the community, how uptake will work, what sort of change management, work practices are going to be adopted—there is a lot of experimental discovery to go on as to how that will work best in the community, and that represents a high risk. I do not think the private sector would be prepared to go into that uncertainty, so we rely on government funding and DOHA funding to get those initial projects going. That is why I said that I believe it needs government funding for those initial projects.
Page 37.
Senator FURNER—You also indicate in your submission that the introduction of e-health will facilitate increased privacy and better privacy transparency. What do you mean by that statement?
Mr Silvester—First of all I will talk about identification of the provider. We need to be absolutely sure that the person who is connecting to our system is a validated provider. So we absolutely need provider identifiers. Today we are using the certificates issued by Medicare Australia as a proxy for our identification of providers. But we would like something which is stronger—we would like to have even better provider identifiers.
The second one is that when you transfer something from one provider to another you need to be absolutely sure of the patient’s identification. Anything which can make that identification better and easier is a good thing for the patient. The third thing is that we also want to give the patients access to this type of information, so what are we going to use to give them access? Technically, we could use the Medicare card number today but legally we cannot. What we need is something that we can legally use to actually pass information between the providers and also to the patient.
Mr Gibson—We make that statement, too, based on the fact that our current system came out of the health connect trials some four years ago, and it was part of the design that complied with that. Within that, it had the ability to capture patient records, to identify the provider organisation through the certificate that provided that and to log it; any accesses on that record are also logged and able to be seen so that patient records being accessed are logged in the system and a patient or a provider can see who has access to those records. Our experience is that the tightness of and the approach to that design has told us that you can manage privacy, and the same principles are now being talked about for the national e-health approach.
Our view is that once you have a system like this your privacy transparency—the ability to test and validate that privacy is being maintained: who is looking at records and what activity there is on the records—is increased. In a paper world it is not—you do not know who has read a piece of paper. The system that we have was based on that health connect design at that time and it incorporated those sorts of features, so our system runs that way at present.
Comment: Note the comments about the need for accuracy, provider identifiers and change management!
---- End Transcript Extracts.
As always we learn even more when the Senators ask questions! The report that gets produced will be very interesting indeed.!
David.
