Inquiry into the My Health Record system.
From Dr. David G More BSc MB BS PhD FANZCA FCICM FACHI.
Brief Background.
I am a retired Critical Care and Emergency Medicine Specialist who has been involved in the procurement and delivery of clinical computer systems as well as advising on these systems for over 25 years up until the present. Evidence of my expertise in Digital Health can be found at my blog (www.aushealthit.blogspot.com) which has over 5000 articles on the topic over the last 12 years.
Synopsis Of Submission.
After a review of the Inquiry Terms of Reference and review of what I have learned about the My Health Record System and predecessor systems (since initial planning in 2009 / 2010) over the last eight years I have concluded that there is only one possible course, (if cancelling the whole program is not possible – my preferred option) and that is to move the myHR to opt-in, to strengthen the security of the system, to delete all inactive accounts and to revert the system to a simple single patient record containing appropriate information to assist with emergency care. Deliberate choices can be made, if required, to retain / or not ancillary services such as immunisation registries and advanced care directives.
It simply makes no sense to store millions of PBS and MBS records in a duplicate secondary database or to imagine the myHR will ever replace the usual systems used by GPs and Specialists.
The investment that was to be made in the myHR can be more usefully be directed to the improvement of systems used by practitioners and the interoperability of those systems with each other and laboratory / imaging systems.
It is assumed that all this would be planned by an externally facilitated Strategic Planning Process to create a roadmap that could be followed by the ADHA to achieve more clinical benefit, patient safely and value for money.
Terms Of Reference – Specific Commentary
The My Health Record system, with particular reference to:
- the expected benefits of the My Health Record system;
- the decision to shift from opt-in to opt-out;
- privacy and security, including concerns regarding:
- the vulnerability of the system to unauthorised access,
- the arrangements for third party access by law enforcement, government agencies, researchers and commercial interests, and
- arrangements to exclude third party access arrangements to include any other party, including health or life insurers;
- the Government’s administration of the My Health Record system roll-out, including:
- the public information campaign, and
- the prevalence of ‘informed consent’ amongst users;
- measures that are necessary to address community privacy concerns in the My Health Record system;
- how My Health Record compares to alternative systems of digitising health records internationally; and
- any other matters.
Each of these will be addressed in turn.
A. - The expected benefits of the My Health Record system.
To respond to the term of reference directly one needs to review the claims made by the ADHA for such benefits as reduced medication errors, improved patient safely, better care co-ordination and reduced repeat investigations etc. leading to reduced healthcare costs and an improved quality of care.
The problem is that after six years of operation none of these benefits have been convincingly demonstrated. The claim is that once everyone has a record, via opt-out implementation that the benefits will flow, but again there is no evidence backing this assertion I have seen – and I have looked diligently.
A clear pointer to the lack of evidence is that this year the ADHA has started to fund external organisations to try and demonstrate benefits etc. over the next few years confirming that to date any evidence base for benefit from the myHR is very flimsy to non-existent.
That any Government project has consumed in excess of $2.0Billion without rock-solid evidence of major financial or clinical benefit and proper detailed evaluation is both remarkable and alarming.
B. - The decision to shift from opt-in to opt-out.
The PCEHR was designed (2010-2012) from the outset (by Minister Nicola Roxon) to be specifically opt-in with a high level of personal / patient control of the information held within the system to avoid and manage any claims that the PCEHR was an stealth Australia Card or similar – there being considerable concern that such a link could cause the system to be abandoned.
With the change of Government the new Minister Dutton commissioned to Royle Review which found that there was a need to move from opt-in to opt-out as it otherwise would take many years for significant benefits to flow and that voluntary recruitment was not working well enough. There was no actual evidence backing the assertion suggesting the change.
A Privacy Impact Assessment (conducted by law firm Minter Ellison) of the transition to opt-out was given to Government in 2015 and raised many of the issues that have now emerged in the public dialogue in 2018. As far as I can tell this report was simply ignored – and protection for adolescents, victims of various diseases and domestic violence were not implemented.
Essentially the work needed for a hoped for smooth transition from opt-in to opt-out was not properly recognised, scoped, planned for, funded and implemented, so while the switch may or may not have been a good idea (being based on hunch rather than evidence) the execution has so far been woeful.
C. - Privacy and security, including concerns regarding:
C1. - The vulnerability of the system to unauthorised access.
ALL internet-connected systems are vulnerable to hacking and intrusion and there is no evidence to suggest that the myHR is any different, containing as it does valuable personal data and being accessible via the internet from thousands of points. The believe otherwise is simply delusional.
C2. - The arrangements for third party access by law enforcement, government agencies, researchers and commercial interests.
My thoughts on Secondary Use of myHR data are found here where I made a full submission:
It is attached at the bottom of this submission.
C3. - Arrangements to exclude third party access arrangements to include any other party, including health or life insurers.
I am opposed to any data access for insurers that might in any way harm the interests of any patient whose data in held in the myHR. Disclosure of this information should be at the total discretion of the data subject / patient.
D. - the Government’s administration of the My Health Record system roll-out, including
D1. – the public information campaign.
The public information should have used a mix of traditional and social media and should have, at least in part, be run before the opt-out period began so the public were not as ‘startled’ as they were by a the zero notice about what was about to happen. It would be kind to describe the whole campaign as an ‘unmitigated fiasco which failed spectacularly to both alert and explain what was happening’.
D2. - the prevalence of ‘informed consent’ amongst users.
Informal discussions with a range of clinician colleagues have suggested there has been very little cut-through in the community regarding the myHR and why people are suddenly being essentially to have one unless they are sufficiently digitally literate to opt out and are aware of potential issues that may arise if they do not.
E. – Measures that are necessary to address community privacy concerns in the My Health Record system.
Essentially what would be required if the plan to move to ‘opt out’ is continued with is acceptance of the recommendations of the 2015 Minter Ellison Privacy Impact Assessment and a much improved public communication / education program.
F. – How My Health Record compares to alternative systems of digitising health records internationally.
No country with a population of 25 million people has ever successfully established a secondary national electronic record system for all its citizens that has served to needs of both clinicians and patients. The problems associated with having individual clinicians, laboratories and so on feed data to a central hub and then have it made usefully accessible to both the patient and their doctor have not and I believe, will not be soluble, for reasons of currency, accuracy, reliability and useability. The size of the population served really matters which is why the more successful systems are found in Scandinavia and Scotland and why there are no detailed national systems in the UK, the US and so on.
KP Connect – the computer system operated by Kaiser Permanente to connect service their 9 million patients cost approximately $500,000 per doctor to install and up until 2010 cost $US6billion +.
G. – Any Other Matters.
The topics I want to address under this heading are:
1. The possibility that a comprehensive digital health record for each of the population may not be a good idea and that it may be preferable only to have a small emergency care summary to support emergency care with more detailed records being help by the patient and / or their practitioner.
2. The poor depth of the advice provided to Governments of both political stripes in an area as complex as national Digital Health. Most advice has failed to recognise that Digital Health systems, to work acceptably, need to be focussed on the needs of either the patient OR the clinician. Their system needs are different and cannot be served successfully by the same system. See book citation below.
3. The need to clearly face the possibility that the My Health Record program will not deliver what is desired and to start again with a process to discover what might actually be beneficial> This needs to ignore the anxiety associated with the large ‘sunk cost’ of what has gone before.
4. The actuality that the My Health Record program, by providing such a large footprint on a small e-health industry has had a damaging impact on innovation and initiative in this area where most actors in this sector have been forced to serve a rather poor idea (the PCEHR and then the myHR) for financial survival. This has been a very damaging distortion.
5. Any Digital Health System must, of necessity, be supported strongly by the Clinical community to be a success. Polls of clinicians conducted recently show that GPs are, by and large, uninterested in the system and are not supportive of the myHR without profound and far reaching improvement. Attempting to ‘strong-arm’ the profession will simply not work!
What Is Needed If A (Wrong) Decision Is Taken To Persist With the myHR.
If, for some reason it is decided to persist with the myHR System (which I do not advise) the following is an expansion of the steps are required to possibly make the system barely acceptable.
1. Making the default security settings such that you (the information owner) have to consent to any sharing of information rather than having to specifically block sharing.
2. Making the idea of “standing consent” be recognised for the nonsense it is in the sharing of personal health information, and require specific consent on all occasions.
3. Making the overall consent model of the myHR fully opt-in with the ability to restrict / delete the entire record – as well as the ability to download and preserve the record in a machine readable form.
4. Making available a suitable MBS item number to make it worthwhile for the GP to curate the record with the patient to ensure accuracy and currency of the data held in the system.
5. Allowing the capacity for the patient to print out a summary of their myHR to carry in their wallet to assist should they fall ill or be injured.
6. Full military grade encryption of the data-base to ensure breaches of the system lead to minimal data loss as well as two factor individualised authentication – with appropriate audit trail – to ensure it is very hard to get away with anonymous penetration of the system.
7. Specific measures to harden the security of the GP and Pharmacy endpoints to access the system with all other access removed except in secured emergency rooms. Uploads of information would still be permitted by Pathology, Radiology etc. but allied health, podiatrists and the like would be excluded. This means that just identified pharmacists and doctors can access the system – and no one else other than the patient – who also requires two factor ID.
8. Careful review of the situations regarding minors, estranged partners to ensure maximum user safety and privacy.
9. Make it illegal to discriminate against someone on the basis of whether or not they have a MHR
10. Law to make it illegal to discriminate against someone on the basis of whether or not they provide access to their MHR
11. Law to make applications to use data for research have ethics committee approval and explicit patient consent
12. Data cannot be used for commercial gain; it can only be used for public good with explicit consent from patients
13. Emergency access codes can only be used for direct care of the patient (not for 'public safety' reasons)
14. No government department to have access to MHR. Only police for investigation of an actual crime (not for prevention) with a court order
15. Make it illegal for any myHR data to be sold by anyone and no secondary use for commercial purposes.
16. Clarify how non-English speakers, those with intellectual disabilities (eg dementia), those without good computer proficiency can opt-out and/or change settings in the MHR.
17. All data access logged so the patient can see it (including police access).
18. All data access logged to an individual rather than an organisation.
19. Make default setting maximal restriction (rather than the minimal privacy setting it now has) - data cannot be shared by default – that it can only ever be shared via affirmative consent
20. Pause in the rollout whilst a public enquiry is held in to the privacy, data security implications of MHR.
Note: A number of these points were kindly suggested by Dr Thomas Rechnitzer of the Royal Melbourne Hospital.
Other than addressing the privacy and security issues discussed above there need to be major clinical utility and patient safety modification and review to optimise the clinical utility and data quality and so on as well as review of the various work-processes that surround the system.
This work requires formal expertise from a range of independent Health Informatics experts with a wide range of differing skill sets and would be best conducted independently by an international consulting firm.
Given the cost in practitioners time to curate the large number of health records (think 1-2 hours per week for 40,000 practitioners at $100 per hour = Close to $1B per annum) we also need a hard-nosed cost-benefit / value for money analysis. The myHR is going to have a considerable ongoing cost and we need to know there are not better ways to achieve as good if not better outcome.
Also needed is a proper Architectural Review to assess which of the alternatives as there are a range of other non-centralised options such as linked regional health information exchanges with operating parameters similar to the above, direct on-line access to beefed up GP systems or various shapes of card based systems which may be cheaper and better.
----- End Submission.
Recommended Book:
The committee could very usefully review this book which makes a very large number of useful points and provides pretty recent background:
Title The Digitalization of Healthcare: Electronic Records and the Disruption of Moral Orders
Publisher Oxford University Press, 2017
ISBN 0191804061, 9780191804069
-----
Useful Background Links:
https://aushealthit.blogspot.com/2009/05/nhhrc-e-health-submission-due-tomorrow.html (PCEHR Concept Comments)
https://aushealthit.blogspot.com/2011/10/final-submission-on-draft-legislation.html (PCEHR Legislation)
https://aushealthit.blogspot.com/2013/11/pcehr-enquiry-submission-november-2013.html (Review Submission)
https://www.myhealthrecord.gov.au/sites/g/files/net4206/f/pcehr_opt_out_pia_-_2015.pdf?v=1520887003 (Minter Ellison PIA - .pdf).
Draft 1 - Aged Care Complaints (Minter Ellison PIA .doc)
----- End Submission
Appendix 1.
November 16, 2017
Final Submission - Secondary Use Of MyHR Data.
Submission - Secondary Use Of My Health Record Data - November 2017.
Background to Submission Author.
Dr. David G More MB, PhD, FACHI, the author of this submission, is a registered medical practitioner with an over 20 year background in Digital Health implementation and use.
Short Summary.
Overall I would just like to be sure that whatever Framework the Consultation comes up with we have strong public accountability as to who is doing what with whose data and that it is conducted under ethical supervision - assuming that we decide we agree to proceed with Secondary Use - which I remain sceptical of - given the context of reduced public trust of institutions and other risks. If Secondary Use is to proceed I also offer what I believe is a sensible and pragmatic approach to implementation.
Background To Submission.
On behalf of the Commonwealth Department of Health HealthConsult has been tasked with assisting to develop a “Framework for the Secondary Use of My Health Record Data”
Conceptually this framework is to enable use of the data in this system (which is identified clinical and administrative data) of the purposes of extraction, analysis and reporting on any manner of data elements held in the record for health related purposes and for the ‘public good’.
Apparently specifically excluded is use of the data ‘exclusively’ for commercial or administrative purposed but ‘mixed’ use is apparently permitted.
An example of mixed use might be the use by a for-profit drug company of the data to assist in locating individuals for a clinical trial – as recently discussed on RN’s AM.
See here:
It seems to me that all those who have a myHR should at the least be offered an opportunity to opt-out and any Secondary Use while retaining their myHR if so desired.
Issues That Will Need To Be Addressed In The Final Framework.
Individual Consent
There is a general privacy principle that indicates the personal information should, in general, only be used, by anyone, for the purposes it was collected. As far as the myHR is concerned this would suggest the information held in the system is to be used for the purpose of delivering or supporting the individuals health care. Clearly using this same information for research, management etc. is unrelated to the direct care of the individual and so on is not what the data was given to the myHR for.
Data Quality
The data held in the myHR is largely held in rather old fashioned data-bases in forms where the is very little quality control and where it is held in forms that makes it very problematic to actually search or use the data. This has been openly acknowledged by the ADHA.
History Of Government Attempts To Misuse Health Data.
It was public opinion in the UK that resulted in the cancellation of the so called care.data program and in Australia data releases have been withdrawn after issue with the quality of anonymization were discovered. At the very least these issues should result in extreme care and caution with the use of the data or maybe have some actual experts oversee what Government does.
If There Is Any ‘Social License’ For Unannounced Use Of Personal Health Data Held In The myHR
It can be, not unreasonably, argued that unless individuals are fully informed and provided consent for data use that use of their data is a violation of the ‘social contract’ between the individual and the Government and that it is this sort of retrospective change of ‘the rules’ that is a contributor to the current lack of trust is government as starkly revealed in my recent poll.
----- Dated 12 November, 2017:
Do You Trust Government To Keep Safe And Not Abuse Private Information You Share With It?
Yes 4% (4)
No 95% (99)
I Am Not Sure One Way Or The Other 1% (1)
Total votes: 104
There Is Internal Government Awareness Of Complexity In, and Risks Of, Allowing Access To The Data
Discussions with the ADHA have not only confirmed major data quality and accessibility issues but also significant issues with safely providing any form of individual data access or downloading.
Proposal For Ethical Use Of Data Held In The myHR If It Is To Proceed.
Given that it is important that health data be properly used (where ethically possible) for the benefit of everyone I recommend the following approach to secondary use of the data held in the myHR system.
The approach also permits linkage to other relevant data sources.
1. All use of the data be as a result of a written publicly available proposal. This can be developed with the analytic entity. (A possibility for this entity may be a unit of the Australian Institute Of Health And Welfare)
2. The secondary use proposal is formally reviewed by an independent appropriately qualified and diverse expert ethics committee, and only proceeds if approved. The details of the Ethics Committee discussion should be publicly released. There should be a clear set of guidelines developed to explain what, and what not, constitutes ethical use.
3. All data analysis and reporting done in house – at a small group or sole purpose entity expert in handling data extraction, linkage and analysis. NO raw data leaves the analytic entity.
4. Researchers are encouraged to work with the entity experts to conduct analysis and reporting – but no data actually leaves the Government controlled repositories.
5. All summary reports resulting from the research / analytics is made publicly available on a dedicated web-site which also has the research proposal and ethic committee comments.
6. The supervising analytic entity should be within Government and publicly accountable.
This approach provides maximum transparency, considerable assurance of proper use of the information, reasonable data access and high security. There can also be total public confidence in what is done being done due to mandated transparency and disclosure. Additionally since no data is actually released, except in summary report form, the need to consent is obviated.
The disadvantages may be that outcomes may take a little time and may be more costly than simply handing the data over for use (and potential misuse).
I am happy to provide more details as may be useful to assess the proposal.
It should be noted that this submission is based on the assumption that the myHR Program proceeds as presently intended by the ADHA.
To be clear, overall I do not see Secondary Use of myHR data as either inevitable or positive, especially given the fact that most of the data is held and can be used elsewhere within Government, is more accessible there, and use of those sources avoids many of the privacy concerns associated with the myHR.
David More 16/11/2017.
----- End Appendix 1.
Comments Please....
David.
Comments Please....
David.
