Privacy and e-Health – The Privacy Commissioner Provides a Very Useful Survey.

A day or so ago the Commonwealth Privacy Commissioner (Ms Karen Curtis) published an invaluable document for all those interested in privacy and health information sharing.

The full document can be downloaded from the this page in either .pdf or MS-Word Format.

The survey questions 1500+ adults about their attitudes on a range of privacy issues and appears to have been conducted in a robust and reliable fashion statistically.

I think the most important findings from the perspective of e-Health implementation and planning are:

1. By and large most Australians trust Health Service Providers to treat their private information in a trustworthy fashion. The more educated are slightly more sceptical than the less educated.

2. Most are happy to share private health information if they see the relevance in doing so.

3. There was a very strong dislike of being required to disclose any form information that is not relevant to the transaction at hand.

4. There was a strong rejection of the use of any information (especially by business and government) for purposes other than that for which it was collected. (This bears directly on what NEHTA is planning to do with Medicare Australia's personal records)

5. “The majority (76%) of Australians believe that inclusion in the National Health Information Network should be voluntary. At 21%, the minority believes all medical records should be entered. A greater proportion (76%) believe inclusion should be voluntary (cf. 64% in 2004 and 66% in 2001). As in 2004, females (80%) were more likely than males (72%) to say this. Unlike 2004 however, there were no significant differences in attitudes between age groups.”

This seems pretty clear cut that the public rejects compulsion in the sharing of their private health information and that the view on this is strengthening over time.

6. “Respondents were then asked whether, if such a database national health information network existed, permission should be sought before releasing their de-identified information. Females (53%) were more likely than males (43%) to say that permission should be sought. “

Again – even when not identified – close to half the population do not want to share without consent.

7. Interestingly, “While opinions varied, 52% thought that health professionals should share health information, but only if relevant to the condition being treated (35%) or if the condition was serious or life threatening (17%). A third (32%) believed health professionals should share health information only with the patient’s consent. The proportion believing anything to do with a patient’s health care could be discussed between health professionals stands at 25%.”

This says to me that people are wanting more control of information sharing, even the sharing of information between relevant professionals.

8.There is a low threshold for individuals to provide false identity information when conducting internet transactions. This has the implication that if access is provided for citizens to access major identity data-bases there will be at least a significant proportion who will provide false information.

It seems to me this survey makes it clear there is an emerging sensitivity in the populace to having their personal information leave their control without their specific consent and approval. All those implementing – or planning to implement – e-Health systems should take careful note of both the absolute values of the views as well as the trends.

NEHTA especially needs to take careful note of the results of this survey. The clear preference of the community is for all interactions with e-Health systems to be on the basis in individual specific consent. Just because it is inconvenient or more expensive to grant the public what they want is no excuse. Ignoring clearly stated public opinion has a habit of rebounding on those who move in these sort of directions. NEHTA you have been warned!

David.

BTW. Page 8 of the NEHTA Approach to Privacy document says:

“As further work on privacy and consent is conducted or finalised, additional information will be made available on the NEHTA website. The next privacy document to be published will be NEHTA’s Privacy Blueprint for the HPI and IHI (planned publication date August 2006). A Privacy Blueprint for the Shared EHR will be released in late 2006. “

It is fair to say these timelines were not met – we saw the UPI privacy draft in December 2006 (followed months later by a risible summary of the comments received – without the actual submissions) and the Privacy Blueprint for the Shared EHR is yet to see the light of day.

D.

e-Health in Australia – A Governance Farce that Will Hurt us All.

e-Health in Australia is a ‘rudderless ship’ in a very large storm and is way too close to the rocks!

Just a few short years ago everyone knew who was at least meant to be doing what in the e-Health Space.

We had the Australian Health Ministers Advisory Council (AHMAC) and the Council of Australian Government (COAG) who sorted out major policy directions and provided funds.

The Australian Health Information Council (AHIC) provided e-Health Strategy and Direction.

The Commonwealth Department of Health and Ageing (DoHA) set policy detail, sponsored national initiatives (such as HealthConnect) and tried to foster State co-operation and co-ordination.

Essentially, following the 2004 Boston Consulting Group (BCG) Review the HealthConnect Program was cancelled. It became a ‘change management strategy’ and a few annoying money-wasting remnant projects rolled on to use up the funds that had been committed.

By 2005 AHIC had been canned and the National E-Health Transition Authority (NEHTA) had begun operations. Virtually simultaneously most of the e-Health skills in DoHA left the public service and the place of e-Health was downgraded in the Commonwealth bureaucracy.

Come to 2007 and where are we?

First we have the BCG undertaking a review of the now 2.5 year old NEHTA. This review is a governance nightmare as we have senior health bureaucrats commissioning a report on their performance in managing NEHTA. Ever hear of a senior health bureaucrat criticising their own performance? Clearly the outcome will not say you have all done a poor job managing NEHTA as everyone knows they have. Talk about a conflict of interest!

Second we have the now resuscitated AHIC. It seemed to make some hopeful noises for a little while. The silence is now deafening and with an election due in a month or two we can be sure nothing will ever come of their work.

Last we now have a brand new E-Health Ministerial Advisory Council – established as an effort to blame shift away from the Minister and DoHA who have been negligent in their inactivity. Again we have a secret, non-communicating entity working away in a bureaucratic non-transparent vacuum.

Let’s not even consider the managerial qualities of the State Health IT bureaucrats. Most of them are still tied up in overly slow procurements (WA, SA etc) or are doing rigid state-wide system implementations that have the users more than a little grumpy.

IBA (our largest indigenous e-Health Company in which I have a few not so profitable shares) makes the point in its annual results, just released, that it has been forced overseas to survive as virtually no serious sales are likely until 2008/9 in Australia.

If ever there was a situation where an election offered hope for a re-start and a new plan this is it. What a humongous mess.

David.

Medicare, NEHTA and Your Privacy.

A week or so ago a quiet bit of regulation making occurred in the Federal Parliament. The following regulation was tabled under the Ministerial Authority of Senator Chris Ellison.

Here is the title of the Direction.

Medicare Australia (Functions of Chief Executive Officer) Amendment Direction 2007 (No. 2)

Medicare Australia Act 1973

I, CHRISTOPHER MARTIN ELLISON, Minister for Human Services, make this Direction under paragraph 5 (1) (d) of the Medicare Australia Act 1973.

Dated 8 August 2007

CHRISTOPHER MARTIN ELLISON

Minister for Human Services

The full text is downloadable from here. (It is only a page or two in .pdf format and well worth a read)

In plain language what this does is, without any contestability or assessment of value for money, have Medicare Australia scope, develop, build and test the NEHTA UHI (as defined in the regulation).

It also authorises them to make a copy of the two key identity databases supported by Medicare Australia (as defined in the .pdf file - essentially the client and the provider databases) and use them to provide an identity service.

This is really an amazing thing to be authorised. What seems to have happened is the despite the prohibition in the Commonwealth Privacy Act (2000) of personal information being used for purposes other than for which it was collected by Government Agencies it has been decided that information that was collected to enable Medicare benefits to be paid is to be used to operate the NEHTA UHI.

The implications this has for the trust the population will have in Medicare Australia to keep their private information private must be profound.

There are all sorts of questions this authorisation raises – such as:

1. Are the Consumer Directory Maintenance System and the Provider Directory System operated by Medicare Australia ‘fit for purpose’ in the role of electronic health record identification and linkage? (I think not).

2. How are those whose information is on this copy of the register able to see what is held and how accurate it is?

3. How will this information be protected from un-authorised or unwanted disclosure or look up. It seems every healthcare provider in the country will be able to search the customer data-base to find an associated UHI – this is a really terrible idea and will have victims of domestic violence and the like just terrified?

4. How are the Medicare and UHI data-bases going to be kept in synch as one or the other is updated? If a ‘snapshot’ of the databases is taken – how will the data’s currency be maintained into the future?

5. Where is the Privacy Impact Assessment that validates this approach?

6. Who is going to be responsible if there is a security breach or someone’s details are released and an individual is damaged or harmed. Is it the private company NEHTA or the Government through Medicare Australia?

7. Who is actually going to run the proposed service – NEHTA, Medicare Australia or someone else? Does anyone else notice a certain irony in a private company contracting a Government Agency for the delivery of services – as seems to be the case?

8. Why is such a potentially privacy destructive regulation just slipped through the House of Reps and the Senate with no public announcement etc?

It seems clear to me this proposal represents the health identifier you have when you are not prepared to pay for an identifier that one can be sure is fit for purpose in terms of safety and integrity.

Frankly this is a disaster in my view and should be aborted before it even gets started. If we are to have a UHI service (and I think it is vital) it should be based on privacy and security protections that are appropriate for clinical record linkage.

David.

Note: Comprehensive coverage on the basics of this issue is found in an article by Karen Dearne in the Tuesday Australian IT section of 28^th August, 2007. This can be seen on line at the following URL.

http://www.australianit.news.com.au/story/0,24897,22318001-5013040,00.html

Ellison unlocks Medicare databases

Karen Dearne | August 28, 2007

MEDICARE patient and provider databases will be the key sources of a healthcare identifier regime being introduced to support a shift to e-health programs.

Records belonging to 99 per cent of Australians are contained in Medicare's Consumer Directory Maintenance System, considered to be the most up-to-date and accurate government repository of personal information.

Although the law prevents the use of Medicare data for other purposes, Human Services Minister Chris Ellison has unlocked access via a legislative amendment tabled in Parliament on August 16.

Senator Ellison has authorised Medicare's chief executive to enter into a contract with the National E-Health Transition Authority and provide resources in support of the Unique Healthcare Identifier program.

Progress on the individual, healthcare provider and health organisation directories was flagged by NEHTA chief executive Ian Reinecke at MedInfo 2007 in Brisbane last week.

Dr Reinecke said NEHTA had established an operational governance model for contracting a universal identifier services operator, expected to be Medicare Australia.

….. (see URL above for full article)

D.