It seems that on both sides of the Pacific there is increasing interest in, and increasing difficulty with, working out an approach, and the supporting technology infrastructure, to meet public expectations for health information privacy and security while at the same time permitting health care providers the access to information they need, quite legitimately, to provide optimal care. This short article aims to provide some talking points and base assumptions / positions that may be relevant in the very difficult policy area.
The key assumptions I would make are:
1. Technology can provide any level of information security and privacy that can be desired.
In 2006 it is perfectly possible, through techniques such as encryption, to secure electronic health information in such a way as to render unauthorised access virtually impossible. The military of most advanced countries, as an example, achieve this despite quite expert efforts to compromise their message integrity.
So what then is the problem? As I see it there are a few problems. First there are issues of cost. Military grade security comes with a military price tag. Second there is the issue of convenience. If a system is clumsy or difficult to use it will either not be used or the users will work out ways to make things easier for themselves by doing such things as using easily remembered passwords (which are easily compromised) or writing harder ones down in places where they are easy to find.
So while the technology is willing and able it is a truism that the weakest link are the users of system who either for convenience, speed and very rarely for malice will compromise the best designed security system.
The only satisfactory approach to address this risk is a combination of user education around the importance of complying with the rules along with regular audit, both passive via audit file review and active through deliberate attempts to subvert individual user discipline to ensure the educational program is actually working.
That users will take advantage of privileged access to information is well known with many stories of staff in the police, tax departments and hospitals accessing information out of curiosity or occasionally for more nefarious motives.
2. If the issue of privacy of personal identifiable health information is not frankly and honestly addressed it is likely most initiatives involving the sharing of health information will either fail or be severely compromised.
It is an article of faith with me, and I suspect with most readers of this blog, that an appropriate deployment of information technology in the health sector can improve the quality and safety of healthcare services. Central to this improvement being achieved is to put in place individual patient records on which clinical decision making can be based and on which decision support systems can operate.
If the target of our care are not entirely comfortable with the caring professions efforts to keep confidential their most sensitive secrets any electronic record initiative will face major, and probably fatal, implementation hurdles.
At present, as best I read the research, the key concern most citizens have is that, unknown to them, their private information will move out of their control and ability to access and correct as well as a fear of disclosure, profit from or use by unknown third parties.
Most seem quite comfortable with their GP recording information about them in his personal clinical system and most are pleased to be cared for in hospitals where they are not asked for the same details ten times a day.
Concern arises once there is the possibility the information moves out of the direct control of the GP or hospital.
For any such use and sharing of information citizens are very keen to understand just what is being shared, why it is being shared and that they will have an effective right of veto before it is shared.
There is already concern, on the part of some, that GP prescribing sets and the like are being shared, without the patient’s knowledge, with pharmaceutical companies for marketing purposes. One wonders just how the patient’s interests are being served with this sort of disclosure
3. It is important to recognise individuals have differing sensitivities associated with their health information.
Your correspondent is well past his physical prime and in the last few years have had a number of stays in hospital. Each of these stays was for investigations and procedures that are quite commonplace and frankly if anyone where to get hold of my full record the worst that they could conclude is that I should have stopped smoking thirty years ago and not twenty years ago. In a health sense I have nothing to hide and so do no care who has my records.
An individual who is their past has a mental illness, a genetically inherited risk, an abortion, an STD, HIV/AIDS, a cosmetic breast operation or whatever may feel entirely different and wish to either be able to exert very fine grained control on what information can be shared or indeed prevent any sharing at all. This is entirely reasonable and it is up to system designers to ensure such control is available. Again this is not a technical issue but rather a system design issue.
4. While one can design technology neutral Privacy Principles their implementation has to respond to a very different set of risks. In no sense does one size fit all in these circumstances.
There seems to be a view among policy makers that all that is needed are a correct set of Privacy Principles and all will be well for all. I believe this is naïve and wrong.
First there seems to me to be a very good case for ensuring that the level of protection provided for identified health information should be more robust and better enforced than say financial, purchasing or employee records. Not to say these should not be robustly protected but given the potential personal impact of disclosure of health information that even more care is warranted than may be justifiable for other information.
Second, as already discussed on the blog, the risks that are faced by electronic and paper records are different and do require different risk analysis and different responses.
Essentially what we need to recognise it that if private information escapes into hands that the owner of that information is not comfortable with the consequences can be personally and professionally devastating.
What is needed is the sort of education and auditing mentioned above and for breaches there needs to be a carefully designed regime of penalties and enforcement that is swift, has real teeth so it can act as a serious deterrent and which considers the impact on the victim of the breach properly.
Additionally real privacy experts need to be involved in system design and implementation. As well it is important that there be proper piloting and evaluation of privacy controls as they are practically implemented to ensure the outcomes citizens expect are actually being delivered in the real world.
Overall if I had one mantra it would be that “care must to be taken to establish and retain citizen trust”. If this is not achieved we ultimately may not be able to successfully implement and operate the systems the Health Sector so badly needs.
David.
Appendix:
What is discussed above I would see as an ideal situation. What is happening in Australia falls far short of the ideal. The two most egregious examples that comes to mind is the apparent continued use of non-individualised and non role based security provided to protect information contained in the South Australian OACIS system. When I last heard – and I am happy to be corrected on this if things have moved on – a clinical user at one hospital, once logged on, could access any record of essentially any type for any South Australian on the system. When last I spoke with people in SA there was not even the capability for a patient to withhold results from the system. (Note an Updated Comment was posted on November 23, 2006 and should be read with the material provided here - David.)
I understand some similar issues also exist with the Healthelink trial in NSW. Here again there is a single level of access – you can find any patient on the system and see all that is held – or not if the patient has ‘opted out’. Patient have no capacity to segregate sensitive from other information and some will inevitably be disadvantaged by such poor initial system design.
The following two articles in the Australian of the 28th October 2006 make useful supporting reading.
.
http://www.theaustralian.news.com.au/story/0,20867,20655984-23289,00.html
Policing privacy
Plans to put the medical records of all Australians online face strong opposition from doctors and privacy advocates. Leigh Dayton reports
________________________________________
October 28, 2006
HERE'S the dream: your elderly mother suffers breathing difficulties. You take her to a GP who recommends a series of tests. The procedures are scheduled online, much like booking a flight to Bali.
When your mother arrives at the hospital for the tests, all her medical records are available to the specialists, again online. Results are added instantly to her "electronic health record" and a "cyber-script" is sent straight to her local pharmacist. The pharmacist checks the prescription against her other medications and has it filled when you drop by to collect it.
Meanwhile, your mother's doctor has reviewed her test results online and arranged a follow-up visit with a respiratory specialist who immediately has details at the click of a mouse. Online booking, online records, online service. Plus, neither you nor you mother has explained her problem numerous times, or waited for paper records to be sent by mail.
Here's the nightmare: you go to your doctor, seeking help for a drug and alcohol problem. There, you book online for specialist treatment at a discrete facility. The receptionist managing bookings at the facility recognises your name and tells a friend, your former – and very angry – spouse. Word reaches your employer's ear. You're fired.
Continued….
http://www.theaustralian.news.com.au/story/0,20867,20655988-23289,00.html
Patient privacy must be governed by a unified national system
Mukesh Haikerwal
October 28, 2006
THE Australian Medical Association has for a long time been calling for an overhaul of Australia's privacy laws and the establishment of a unified national system governing the privacy of information in the health sector.
Continued …
Dr Mukesh Haikerwal is president of the Australian Medical Association
D.
0 comments:
Post a Comment