Quote Of The Year

Timeless Quotes - Sadly The Late Paul Shetler - "It's not Your Health Record, it's a Government Record Of Your Health Information"

or

H. L. Mencken - "For every complex problem there is an answer that is clear, simple, and wrong."

Saturday, May 18, 2019

Weekly Overseas Health IT Links – 18th May, 2019.

Here are a few I came across last week.
Note: Each link is followed by a title and a few paragraphs. For the full article click on the link above the title of the article. Note also that full access to some links may require site registration or subscription payment.
-----

Study: How big data can inform personal health risks, precision treatment

Andrea Park – 9 May, 2019
Tracking genetic, molecular and daily health data on a regular basis — rather than only when a health issue arises — can help physicians predict the onset of disease and provide insights into the development of highly personalized treatments, according to a study published in Nature Medicine on May 8.
Researchers from the Stanford University School of Medicine tracked the health data of more than 100 people for up to eight years using wearable technologies, genome sequencing and molecular profiling. The scientists were thus able to assemble a "biological baseline" for each person.
Informed by this baseline, when an abnormality appeared, researchers could more easily identify issues like high blood pressure, arrhythmia, diabetes and early-stage cancer. Additionally, having access to such a wide swath of data about each person's biology aided in the development of precision treatment plans specifically for each individual.
-----

Rucker: Healthcare Interoperability Stymied by Contracts, IPR

Contractual and intellectual property rights (IPR) are being used to limit access to electronic health information and to prevent competition from developers of healthcare interoperability technologies, warned Donald Rucker, MD, national coordinator for health information technology.
May 08, 2019 - Contractual and intellectual property rights (IPR) are being used to limit access to electronic health information (EHI) and to prevent competition from developers of healthcare interoperability technologies, warned Donald Rucker, MD, national coordinator for health information technology, during a May 7 Senate hearing.
These barriers frustrate healthcare interoperability and stifle competition and innovation, Rucker said in written testimony submitted to the Senate Health, Education, Labor and Pensions Committee.
To overcome these barriers, Rucker said his office is proposing an exception to the information blocking prohibition that would permit licensing of interoperability elements on reasonable and nondiscriminatory terms.
-----

Majority of healthcare breaches come from inside the organizations: report

May 9, 2019 12:50pm
Within the healthcare industry, employees, whether nurses, doctors or administrative staff, are granted access to patients' data in order to do their jobs. But an alarming number of employees may be abusing this privileged access or committing errors that lead to data breaches.
Insider attacks were responsible for the majority of healthcare data breaches (59%) in 2018 versus external attacks (42%), according to a new data breach investigations report from Verizon. The healthcare industry is the only sector to show a greater number of insider attacks than external, according to Verizon's analysis of more than 20 industries.
Across all industries, external threat actors are still the primary force behind attacks (69% of breaches) with insiders accounting for 34%.
Verizon analyzed more than 41,000 cybersecurity incidents and over 2,000 data breaches from 86 countries to take a look at cyber attacks from malware to insider threats to cyber espionage and identify trends.
-----

House committee appropriates $1.6B for VA EHR in FY 2020

Published May 10 2019, 7:41am EDT
House appropriators on Thursday approved the Fiscal Year 2020 Military Construction, Veterans Affairs and Related Agencies bill, including $1.6 billion for the VA’s new Cerner electronic health record system.
The legislation, passed by the House Appropriations Committee, funds the VA, Department of Defense and other related agencies.
“After at least a decade of congressional encouragement to DoD and VA to develop a single electronic health record, VA has completed a contract to acquire the same EHR that DoD is adopting,” states the committee’s report. “The bill includes $1,603,000,000 for the EHR contract entered in 2018, and continues strict quarterly reporting of timelines, performance milestones, costs, implementation and change management.”
-----

New research examines how IT issues affect care, outcomes

Published May 10 2019, 5:44pm EDT
Three researchers at the Australian Institute for Health Innovation and the University of California at San Francisco have documented potential adverse effects that health information technology has on care delivery and patient outcomes.
Widespread adoption of IT brings many potential benefits, the study authors acknowledge. Yet at the same time, it can increase likelihood of new and often unforeseen errors that affect the safety and quality of clinical care, which could lead to harm.
Mi Ok Kim, professor of epidemiology and biostatistics in California, Farah Magrabi, associate professor of Health Innovation in Australia, and Enrico Coiera, a professor and director at the Centre for Health Informatics in Australia, reviewed results from 34 studies to assess how IT problems affect user interactions, information receipt, decision-making, care processes and patient outcomes.
“Issues with system functionality include poor user interfaces, fragmented displays and delayed care delivery,” the researchers note. “Issues with system access, system configuration and software updates also delayed care. In 18 studies (53 percent), IT problems were linked to patient harm and death. Near-miss events were reported in 10 studies (29 percent).”
-----

MIT: AI platform beats existing models at predicting cancer risk

New data suggests that artificial intelligence can identify patterns that indicate breast cancer development.
May 09, 2019 10:21 AM
A team of researchers from the Massachusetts Institute of Technology (MIT) found a deep learning artificial intelligence platform had a high success rate in detecting breast cancer risk.
WHY IT MATTERS
The model retrospectively identified women at high risk of developing breast cancer from nearly 90,000 prior consecutive screening mammograms taken at Massachusetts General Hospital (MGH).
The deep learning model was able to correctly place 31 percent of all the patients who subsequently developed breast cancer, compared with just 18 percent achieved with the existing Tyrer-Cuzick model.
-----

They’re Doing It Again: Outpatient EHR Replacement Rates Still Brisk

May 8, 2019
After a decade covering the world post-HITECH Act and the incentives it provided for EHR adoption, I dared to believe that doctors had probably had time to find and settle in with compatible systems. Unfortunately for all concerned, that doesn’t seem to be the case, at least if a recent study is any indication.
According to a new Reaction Data survey of 153 ambulatory provider organizations, outpatient technology buyers are still restlessly searching for technology that serves their needs better, with a total of 39% considering replacing one solution or another.
Notably, 27% of respondents said that they were considering replacing their EHR within the next 18 months, followed by patient engagement tech (18%), revenue cycle management (12%) and population health platforms (12%).
-----

Cybercrime organizations work just like any other business: Here's what they do each day

  • Researchers from IBM and Google described how cybercriminal groups operate, and often mimic the behavior of companies, including the one you might work for.
  • Cybercriminal organizations compete with each other for customers, fight for the best project managers and even look for "CEOs" to help them stay organized and on the task of stealing your money.
Cybercriminal organizations compete with each other for customers, fight for the best project managers and even look for leaders who serve in a CEO-like role to help them stay organized and on the task of stealing your money.
"We can see the discipline they have, we can see that they are active during office hours, they take the weekends off, they work regular hours, they take holidays," said Caleb Barlow, head of threat intelligence for IBM Security.
-----

24% of health IT experts would refuse to pay ransom

Mackenzie Garrity
As healthcare information technology professionals become more confident in their ability to respond to a cyberattack, 24 percent remain steadfast in the decision to not pay a ransom, according to an Infoblox survey.
Infoblox, a provider of secure cloud-managed network services, polled health IT experts on their confidence in responding to various cyberattacks and what initiatives they have in place to improve security.
Almost all of those surveyed (92 percent) said they feel confident in their organization's ability to respond to a cyberattack, up 10 percent from two years ago. More than half (56 percent) indicated they have automated systems in place that scan their networks for suspicious activity.
-----

Digital assistant uses AI to ease medical documentation at Sutter

Published May 09 2019, 7:38am EDT
Sutter Health is pilot testing a voice-enabled digital assistant that makes use of artificial intelligence to see if it increases clinician efficiency.
The Sacramento, Calif.-based delivery system is testing the device with a group of doctors in Northern California. The device uses a combination of voice commands from physicians and the context in which they are operating to create a clinically accurate note that is pushed to an electronic health record.
The device is made by Redwood City, Calif.-based Suki, which conducted multiple pilots in 2018 in a variety of practices, including primary care, dermatology and orthopedic. That testing demonstrated a 70 percent reduction in the time physicians spend on medical notes, the company contends. As Suki is used over time, it can distill a physician’s conversation with a patient into an actionable plan of care.
-----

Untapped potential: investing in health and care data analytics

9 May 2019
Improvement in the quality of health and care services depends on good-quality analytical support. We need to use data to identify areas of poor care, guide choices about priorities for care, improve efficiency and improve patient care. An organisation's analytical capability is its ability to analyse information and use it to make decisions. However, we know that in practice health and care systems are often not able to draw on high-quality analytical support. There is a shortage of people with the right skills and tools to do analysis, and to collaborate with clinicians and managers on using their insights to improve care. This is exacerbated when the analysts we do have spend much of their time doing relatively low-value work – for example, compiling reports that aren't read. By investing in the analytical workforce, we will be able to unlock the full potential of data.
Advances in digital technologies have the potential to transform how care is delivered, but many of these benefits will not be fully realised by organisations without in-house analytical support. The current analyst workforce needs to develop its skill sets and be given leadership and support at senior levels in each organisation.
To get the most out of digital technologies, we need to recognise the importance of investing in the people who shape the information that is communicated and used. Though specialist academic, data-science roles are welcome, we also need people who can implement innovation. Where there has been investment in wider analytics (people, education, tools and techniques), there have been some favourable outcomes, as shown by the examples included in this report.
Publication Details
Identifiers: isbn: 978-1-911615-30-9
Copyright: The Health Foundation 2019
Language: English
License Type: All Rights Reserved
Published year only: 2019
-----

NIH gives first look at All of Us precision medicine research health database

May 8, 2019 11:43am
When the National Institutes of Health announced the All of Us initiative in 2015, it kicked off the largest health and medical research program on precision medicine with the goal of collecting health data on 1 million people. 
To date, more than 192,000 people have enrolled, including more than 143,000 participants who have completed all of the initial steps of the program. The NIH announced on Monday the beta release of its interactive data browser to provide a preview of the data that study participants are sharing for health research.
NIH is making the online database available to enable participants, researchers and other members of the public to learn more about the All of Us participant community and explore summary data, NIH officials said. Later, researchers will be able to request access to the data for use in a wide range of studies that may lead to more customized ways to prevent and treat disease.
-----

AI is poised to radically transform software development

New tools and cutting-edge projects show how machine learning and advanced analytics may soon revolutionize how software is designed, tested, and deployed.

We are entering the age of what Tesla AI director Andrej Karpathy calls "Software 2.0," where neural networks write the code and people's main jobs are defining the tasks, collecting the data, and building the user interfaces.
But not all tasks can be tackled by neural networks — at least, not yet — and traditional software development still has a role to play. Even there, however, artificial intelligence, machine learning, and advanced analytics are changing the way that software is designed, written, tested, and deployed.
-----

ONC: Patients must balance benefits of third-party apps with risks

Published May 08 2019, 7:39am EDT
While the Office of the National Coordinator for Health IT is pushing to empower patients to access and share their electronic health information, ONC is warning about the inherent risks from third-party apps.
In March, ONC issued a proposed rule requiring healthcare providers to offer patients access to their electronic health information through secure, standards-based application programming interfaces. Specifically, the agency’s proposed rule—for the first time—requires HL7’s Fast Healthcare Interoperability Resources as the standard to which health IT developers must certify their APIs.
Yet by sharing that data with a third party API-based app, patients are potentially putting that health information at risk from inappropriate secondary uses and disclosures, according to National Coordinator for HIT Don Rucker, MD.
-----

HIT Think How to use data masking to boost security, privacy and compliance

Published May 08 2019, 5:34pm EDT
Analyzing data may be the main job of data scientists, but keeping it secure and private is not far behind. This is not easy—data is more complex and shared more widely than ever before, making it exponentially more vulnerable to today’s latest threats.
Of course, this is a significant concern for healthcare organizations and other businesses, even before the heightened fines imposed by recent regulations like HIPAA and the GDPR (not to mention the operational and reputational damages that have been rising, too).
As a result, data scientists and organizations are increasing their focus on security. For organizations, this means implementing stronger data security protections across the board. For data scientists, it means eliminating the risk of exposing the sensitive data within datasets, while still being able to understand and leverage that data.
-----

Opinion: Is digital transformation a reality in healthcare?

Digital transformation has to be at the core of business, policy and strategy, argues Dr Sam Shah, NHS England director of digital development.
May 08, 2019 03:34 AM
Digital transformation can sometimes seem like the emperor’s new clothes. It’s the thing that everyone is doing and everyone is interested in, yet it is sometimes hard to define and to quantify. In healthcare this is not that different to any other industry. The dialogue on digital transformation in many other sectors has focussed on the domains of the Chief Information Officers (CIOs) and Chief Digital Officers (CDOs). CIOs and CDOs in many sectors have described some of the tensions of driving digital transformation.
Making the case for digital transformation is itself complex, there will be uncertainty and unknown outcomes. It’s a sector that is moving at such pace that making predictions about the type of technology and the type of benefit is difficult and relies on a mixture of insights, evidence and global trends. Digital transformation will inevitably mean different things in different settings, the ability to transform will be dependent on culture, technology, legacy and funding as well as competing interests and priorities. 
Digital transformation opens up a whole new language and itself can lead to differences in understanding and outcome. We could simply assume that this is the fault of managers, decision-makers and digital leaders. Equally, the ground swell in the ecosystem of startups, SMEs and technology suppliers badging themselves under the umbrella of digital transformation can be equally confusing. Digital transformation has always been about significant transformation of activities and processes that capitalise on opportunities from digital technology. The impact of this change is intended to span society, it should be strategic and co-ordinated, i.e. there should be some sense of order. 
-----

Brightree extends CommonWell connectivity to home health, hospice customers

Rather than those providers having to obtain patient health data manually from each of a patient's other sites of care, CommonWell enables sharing with other providers across the continuum.
May 08, 2019 02:51 PM
Cloud-based IT company and CommonWell Health Alliance member Brightree is extending access to the interoperability network to its customer base of hospice and home health providers.
WHY IT MATTERS
In a move that will help bridge the gap between out-of-hospital care providers and the broader care ecosystem, Brightree says the partnership will give those customers access to more than 50,000 provider locations and health systems nationwide.
Through CommonWell, Brightree customers can retrieve documents and data from a patient's previous hospital and physician visits within their electronic health record workflows.
-----

Artificial Intelligence, Machine Learning Poised to Help FPs

May 03, 2019 01:27 pm Sheri Porter
Kansas City, Mo. – Artificial intelligence and machine learning sound like topics that would appeal more to techie types than family physicians, but one glance around a packed meeting room at the AAFP's Annual Chapter Leader Forum quickly dispelled that notion.
The breakout session, titled "AI/Machine Learning and the Future of the EHR" and held here on April 26, was hosted by AAFP VP and Chief Medical Informatics Officer Steven Waldren, M.D., M.S. And the family physicians who filled those chairs were engaged from the get-go.
Waldren defined machine learning as the process that occurs when a computer is programmed to learn a task -- not to be confused with completing that task. And, he continued, artificial intelligence exists when a computer can complete a task that typically requires human-level intelligence.
Waldren assured his audience that AI is being created to augment physicians' work, not to replace physicians.
-----

Geisinger Health Plan sees benefits from HIE participation

Published May 07 2019, 7:25am EDT
Geisinger Health System and its health plan, Geisinger Health Plan, are working together to advance healthcare through the use of the organization’s Keystone Health Information Exchange.
Before now, health plans have not thought extensively about the use of HIEs, but that’s changing, say executives at Geisinger.
With value-based care growing, the environment is ripe for change, as healthcare providers and organizations across the continuum strive to find ways to improve care while holding costs down. As evidence of this trend, Pennsylvania has indicated it wants to close care gaps for chronic conditions and is encouraging healthcare organizations, including health plans, to participate in HIEs.
-----

Patients report benefits of having access to EHR clinical notes

Published May 07 2019, 7:31am EDT
Patients derive multiple benefits—including the ability to better manage their care—if they can access their electronic health records to read clinicians’ notes after medical visits.
That’s among the findings of a new study of more than 20,000 adult patients published in the Journal of Medical Internet Research.
For the study, three large health systems—Beth Israel Deaconess Medical Center, Geisinger and University of Washington Medicine in Seattle—conducted a web-based survey of adult patients who used portal accounts and had at least one visit note available in a recent 12-month period.
-----

HIT Think Challenges in using predictive analytics within clinical workflow

Published May 07 2019, 5:19pm EDT
You can lead a horse to water, but you can’t make it drink—this adage is especially true when it comes to implementing predictive analytics in a healthcare setting.
The use of artificial intelligence and machine learning solutions to detect the likelihood of disease is still a hot topic. As anyone who attended this year’s HIMSS conference will tell you, there is no shortage of vendors making grand promises based on what they can do with your data.
However, even the greatest algorithms in the world are of little value, unless they can become actionable and lead to intervention strategies. For example, flagging high-risk patients is only impactful if it leads to actually bringing those patients in for further evaluation or treatment. Otherwise, it is little more than yet another report or measure.
-----

Direct transactions increased by almost 50 percent in Q1 2019

There have been more than 771 million exchanges using the DirectTrust network since it was first launched, and new use cases, beyond just referrals and care coordination, are boosting its growth.
May 07, 2019 10:25 AM
DirectTrust on Monday said it's seeing record growth in the number of users and data exchange transactions on its network.
More and more health systems are using the secure, verifiable email-like exchanges to share protected health information with other providers and patients – and many are leveraging it as an intuitive way to get around some long-standing interoperability challenges.
WHY IT MATTERS
The number of organizations served by DirectTrust health information service providers increased by almost 49 percent in the first quarter of 2018, to more than 167,000.
And the number of specific Direct addresses within those organizations saw a 13 percent uptick, with more than 1.9 million able to share PHI.
-----

Nurses are well-positioned to lead innovation and digital transformation

More and more health systems are taking steps to "fully unleash nurse innovators at the leadership level," a new report shows, tapping their specialized expertise for technology deployment, process improvement, patient experience and more.
May 06, 2019
More and more hospitals and health systems are recognizing the innovation their nurses can bring to the table, shows a new study from the BDO Center for Healthcare Excellence & Innovation and the University of Pennsylvania School of Nursing.
WHY IT MATTERS
On both the clinical and operational sides, nurses are appreciated by colleagues for their skills in areas such as "interface of clinical innovation and technology" and "design-thinking for process change," according to the report.
But the study also finds that health system leadership needs to do better encouraging and optimizing the forward-thinking skills these nurses can contribute.
-----

Cost Savings for Telemedicine Estimated at $19 to $120 per Patient Visit

By Christopher Cheney  |   May 07, 2019

Diverting patients from emergency departments with telemedicine can save more than $1,500 per visit.


KEY TAKEAWAYS

  • Telemedicine can both expand access and reduce costs.
  • Most telemedicine episodes of care can be resolved with one visit.
  • Cost savings outweigh increased healthcare service utilization that is linked to telemedicine's easy access.
  • Telemedicine visits generate cost savings mainly by diverting patients away from more costly care settings, new research shows.
The primary market opportunity for telemedicine visits is the value proposition that they can both expand access to patients while also reducing costs compared to alternative care settings.
The new study is based on data collected from 650 patients who used the JeffConnect telemedicine platform at Philadelphia-based Jefferson Health.
-----

California HIE to use $4.9M grant to connect ambulances with hospital patient data

May 3, 2019 1:22pm
As first responders, emergency medical service (EMS) providers often have to make quick, life-saving decisions without any patient health information during emergencies.
Using a $4.9 million state grant issued by the Emergency Medical Services Authority (EMSA), California health information exchange (HIE) Manifest MedEx is leading an initiative to facilitate better data exchange between ambulance service providers and hospitals to ensure first responders have relevant patient data when they are in the field.
Manifest MedEx will work with six local EMS agencies, 13 EMS providers and 16 hospitals across eight counties – Riverside, San Bernardino, Fresno, Tulare, San Joaquin, Merced, Amador, Stanislaus and Calaveras – to develop a framework for bidirectional data exchange. EMS services and hospitals in those eight counties serve more than 7.6 million Californians.
-----

U.S. doctors use medical records to fight measles outbreak

May 5, 2019 / 10:07 PM
CHICAGO (Reuters) - U.S. doctors are tapping into their electronic medical records to identify unvaccinated patients and potentially infected individuals to help contain the worst U.S. measles outbreak in 25 years.
New York’s NYU Langone Health network of hospitals and medical offices treats patients from both Rockland County and Brooklyn, two epicenters of the outbreak. It has built alerts into its electronic medical records system to notify doctors and nurses that a patient lives in an outbreak area, based on their Zip code.
“It identifies incoming patients who may have been exposed to measles and need to be assessed,” said Dr. Michael Phillips, chief epidemiologist at NYU Langone Health.
Alerts in a patient’s medical record also prompt conversations with their visitors - who may also have been exposed to the virus - about their own health, prior exposure to measles and vaccination history.
-----

HIT Think How hospitals can prepare for the next WannaCry-style cyberattack

Published May 06 2019, 4:58pm EDT
We are nearing the second anniversary of WannaCry, a cyberattack that spread to more than 150 countries, infected 600,000 computers and cost victims a total of $4 billion. Healthcare was not spared, with ransomware demands and medical device hacks that crippled health systems and put patients at potential harm.
However, some two years later, too many health systems are still not properly equipped to combat the myriad attacks that could penetrate their networks. They grapple daily with an onslaught of cybersecurity threats, both to patient data and the systems in use to provide life-saving care.
Here are some of the strategies that cybersecurity leaders in the College of Healthcare Information Management Executives (CHIME) and the Association for Executives in Healthcare Information Security (AEHIS) recommend to reduce those potential risks.
-----

The hype cycle of AI in healthcare

“AI technologies in healthcare are slightly overhyped but in terms of real adoption, there needs to be factors like a really mature EHR system, good data streams & finding ways to deploy these technologies,” said Dr Ngiam Kee Yuan, GCTO, NUHS.
May 06, 2019 05:14 AM
Three representatives from their respective fields of AI – clinical practice, research and healthcare apps came together for a panel discussion around the current and future developments of AI in healthcare on the second day of the HIMSS Singapore eHealth & Health 2.0 Summit on April 24. The panel consisted of Dr Ali Parsa, Founder and CEO, Babylon Health, Dr Ngiam Kee Yuan, Group Chief Technology Officer, National University Health System, Singapore and Dr Hwang Hee, Chief Information Officer & Associate Professor, Department of Pediatrics, Seoul National University Bundang Hospital, South Korea.
The hype cycle of AI in general and in healthcare
Mr Neil Patel, President, Healthbox, Executive Vice President, HIMSS, USA, who was the panel moderator, began the discussion asking the panelists on their thoughts on the current hype cycle of AI broadly and in healthcare.
“I think at the general level, we’re seeing a much greater uptake of machine learning and deep learning because of the availability of two things: one is the data that becomes available and secondly, relatively cheaper or cheap computing power that one can get today.”
-----

5 steps to digital transformation for healthcare

It’s a matter of change management – and there are some applicable best practices.
May 06, 2019 09:04 AM
Digital transformation. It sounds daunting and absolutely essential because it’s both.
HIMSS Media research, in fact, found that it’s a top priority for healthcare professionals but thus far fewer than 10 percent have executed a full digital strategy.
The current state of healthcare digital transformation, in fact, is fragmented. One-third of our survey participants are making enterprise-wide changes, another third are still collecting information with which to formulate a plan and the rest are progressing at the departmental or use case level. Only about 2 percent have no plans or are taking no action at this time.
Those who have yet to transform themselves digitally should know that it’s a change management issue more than anything else and best practices exist that can be applied in healthcare.
-----

Smart Glasses Deliver Clear View to Remote Physicians

By Mandy Roth  |   May 02, 2019

Innovation combines smart glasses with teleconferencing; company is seeking health systems to test the solution.

A new innovation that combines smart glasses with telehealth video conferencing could enhance virtual care by providing a clear, more precise view of a remotely located patient. The system also has potential applications in academic settings, enabling students to view onscreen exactly what a physician is seeing in an operating room or other treatment environment.
The solution combines smart glasses from Rochester, New York-based Vuzix Corporation, which also develops augmented reality (AR) technology and products, with a video conferencing solution provided by VSee, a San Jose-based video telehealth company. The glasses and the conferencing technology are already commercially available; the innovation involved putting the two solutions together.
-----

NHS digital leaders leaving for private sector over Health Secretary's tech 'revolution', IT chief warns

4 May 2019 • 10:00pm
NHS digital leaders are leaving for the private sector in frustration over the “chaos” involved in introducing Matt Hancock’s tech “revolution”, a departing IT chief warns.
Richard Corbridge, formerly chief digital and information officer at Leeds teaching hospitals, describes the “excruciating” situation of trying to realise centrally-imposed slogans such as “axe the fax” and “purge the pager” without dedicated funds.
Improving digital innovation in the health service is a central plank of the organisation’s 10-year plan announced in January.
-----
Enjoy!
David.

Friday, May 17, 2019

I Wonder Has The ADHA Considered The Issues It May Face Around The GDPR.

This appeared last week:

Navigating the GDPR - A compass for the Australian public sector

All public sector entities should seek to understand the application and reach of the GDPR and assess whether it applies to their activities.
The European Union General Data Protection Regulation (GDPR) is leading a revolution in international privacy and data standards. Although a European law, the GDPR's broad extra-territorial reach is such that it is impacting many entities within Australia and around the globe. But while much ink has been spilled about the GDPR's application to the Australian private sector, comparably little has been written about its potential application to, and impact on, the Australian public sector.
Accordingly, almost 12 months after the GDPR came into effect there still remains considerable uncertainty and complexity about how, and to what extent, it applies to the Australian public sector.
Ultimately, whether the GDPR applies must be carefully considered on a case-by-case basis and this article sets out some of the key areas of relevance for the Australian public sector.
But even where the GDPR does not apply, it is still helpful to understand it. The GDPR has become the new gold standard for the protection of personal data and public sector agencies should look to certain aspects of the GDPR to enhance how they handle and protect personal data.
How the GDPR might apply to the Australian public sector
The GDPR applies to two categories of entities: "controllers" and "processors" of "personal data". Broadly stated, personal data is similar to the concept of "personal information" that exists under the Commonwealth Privacy Act 1988 and under many Australian State and Territory privacy laws that apply to the public sector.
Both "controller" and "processor" are broadly defined under the GDPR to include a "natural or legal person, public authority, agency or other body". The GDPR does not define public authority, agency or body, nor whether these terms are restricted to bodies of EU member states. In the context of enforcement of the GDPR, how these terms are defined and applied will therefore likely depend on the relevant implementing member state.
Given the breadth of the terms "controller" and "processor" under the GDPR, it is likely that Australian Federal, State and Territory Government agencies and departments, as well as Australian public bodies such as public universities, would be captured by these terms. These entities will typically be a data "controller" under the GDPR because they have control over the way personal data is processed, including the purposes and means of processing the data. They may also be a "processor" in limited circumstances where processing data on behalf of another body.
However, the GDPR will only apply to the extent that a controller or processor falls within the territorial scope of the GDPR, that is, if it:
  • has an "establishment" in the EU and processes personal data in the context of the activities of the establishment (Article 3(1)); or
  • offers goods or services to individuals in the EU (Article 3(2)(a)); or
  • monitors the behaviour of individuals in the EU (Article 3(2)(b)).
Processing related to an establishment in the EU
The first point is focused on whether an entity has an establishment in the EU. Guidelines issued by the European Data Protection Board acknowledge that "the notion of establishment is broad" and that the presence of one employee or agent may trigger Article 3(1) in some cases. However, there are limits to the breadth of Article 3(1) and the European Data Protection Board states that it is unlikely that the GDPR would be triggered solely because a body has a website that is accessible within the EU. A body might be regarded as having an establishment in the EU if it has a physical presence within the EU – for example, a university with an EU campus.
Processing related to offering goods or services to people in the EU
The GDPR may also apply under Article 3(2)(a) to public sector entities in relation to their offering of goods or services to persons in the EU, such as promotional campaigns for tourism, trade or studying opportunities or educational programs that target EU subjects. Targeting could include websites or advertisements which are in the language of an EU Member State and/or allow payment in the currency of one or more EU Member States, such as in Euros. But without an offer to a person in the EU or an intention to target people in the EU, a website that is merely accessible in the EU will likely be insufficient to fall within the reach of the GDPR.
Processing related to monitoring behaviour in the EU
In order for the GDPR to apply under Article 3(2)(b), the behaviour monitored must relate to a data subject in the EU and take place within the territory of the EU. Under the GDPR, it is the location of the data subject that is relevant and not the data subject's citizenship or nationality. The GDPR is concentrated on particular types of monitoring activities – especially those involving tracking via the internet for profiling personal preferences, behaviours and attitudes. For the public sector, the use of website cookies is an area to be particularly mindful of. Website cookies, which are used by several public sector entities, can constitute a form of behavioural monitoring depending on how and why cookies are being used. Public sector entities and their IT departments should therefore assess the way that they use cookies, along with other tracking or monitoring technologies, such as smart phones, to determine whether they constitute a form of behavioural monitoring that will trigger the application of the GDPR.
So, the GDPR potentially applies – what does this mean for the public sector?
The GDPR contains a number of provisions that broadly align with existing Commonwealth and State and Territory privacy laws – but with some salient differences:
  • The GDPR introduces several new concepts, such as the concept of data "controller" and "processor". This may require additional steps for ensuring compliance by service providers and other third parties where there is an exchange of personal data.
  • The GDPR also imposes a generally higher standard of data security compliance and greater rights for data subjects over how their data is used and managed, such as the right to restrict the processing of their personal data and the right to "data portability" in some circumstances. From a technical perspective, these requirements will require agencies to reassess their personal data processes and ensure they are geared to ensuring compliance in all applicable instances.
  • The GDPR imposes restrictions on the transfer of personal data outside the EU, which may impact the transfer of information from the EU back to Australia. This may cause difficulty for Australian public sector entities, as even when there is a legitimate basis for processing personal data under the GDPR, the legal requirements for the transfer out of the EU also need to be satisfied.
  • At present certain Australian State and Territory government agencies and departments (but not Commonwealth agencies) are not required to comply with the Australian Notifiable Data Breach scheme under the Privacy Act, unless they are a Tax File Number (TFN) recipient and the breach relates to TFN information. The GDPR does not have a similar exemption – it requires all personal data breaches be reported within 72 hours, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons (Article 33).
General exemptions from the GDPR
Given the nature of the activities that are typically carried out by public authorities and bodies, they may be able to rely on certain exemptions under the GDPR in some situations. The exemptions that are potentially available under the GDPR share similarities with those under Australian privacy laws – for instance, certain data processing activities carried out by a competent authority for the purposes of the prevention, investigation, detection or prosecution of criminal offences, including prevention of threats to public security.
However, the GDPR exemptions are subject to restrictions and depend on the particular circumstances of the case, including the way that the GDPR is administered through the national laws of EU member states – for example, the agency might have to be authorised for law enforcement purposes under the laws of the EU state enforcing the provisions.
Foreign immunity exemption
Another key aspect to consider is the legal principle that foreign states and their agencies are entitled to some immunity from the jurisdiction of the courts of foreign jurisdictions, which may limit the ability to prosecute and penalise certain public entities under the GDPR, especially for acts connected to their government administration or law enforcement activities. However, this immunity is less likely to extend to commercial activity by public sector entities or to the activities of their suppliers located within the EU. Even if an agency successfully claims immunity from privacy laws, it will still need to consider the public perception of the alleged breach and its consequences.
What are the consequences of non-compliance where the GDPR does apply?
The potentially severe sanctions for non-compliance with the GDPR have been well-publicised, but the extent to which they apply to non-EU public authorities and bodies remains unclear. However, as a practical matter, formal enforcement against a foreign public body is probably less likely in the first instance than informal approaches directed to the relevant Australian diplomatic representative.
The public sector should act now
All public sector entities should seek to understand the application and reach of the GDPR and assess whether it applies to their activities. An area of particular risk for the public sector relates to data processing related to activities that have a commercial element (for example, public sector entities that offer goods or services to individuals in the EU).
Even where the GDPR does not apply to public sector entities, they should seek to understand the GDPR to see whether there are any aspects of the GDPR that, where practicable, are worth emulating to bolster their existing data protection practices and procedures. For example, public sector entities could adopt improved data governance and protection measures (such as data protection by design and default) that include appropriate technical and organisational measures, such as pseudonymisation, to protect the rights of data subjects (Article 25 and Recital 78).
Understanding the GDPR will also help public sector entities understand how the GDPR potentially applies to some of their contractors and suppliers who may be subject to it. Knowing the laws that suppliers and contractors are subject to can assist the due diligence process of assessing whether or not those suppliers are able to protect personal information in a manner that will ensure compliance with the contract and applicable Commonwealth, State or Territory privacy legislation.
Here is the link:
It would be interesting to see an analysis on both what the GDPR might potentially mean for the My Health Record system and even more relevantly what it will mean when Australian legislation based on similar principles is passed. It is only a matter of time before this happens!
The public mood is shifting and more controls on personal data and privacy are going to be demanded real soon now.
David.