NEHTA has released a document entitled “Privacy Blueprint – Unique Healthcare Identifiers (UHI) - Individual Healthcare Identifier (IHI) and Healthcare Provider Identifier (HPI) - Version 1.0 – 18 December 2006 For Comment”
Since it is said to be “for comment” I suppose I should feel free to offer a few comments! My comments are as follows:
1. For reasons that defy understanding, the UHI project in general and this document in particular seem to either ignore, or be totally unaware of, the work being done by the Department of Human Services with the Access Card and the individual number being allocated to each of us.
The Access Card is going to give us all a number, and now NEHTA wants to give us another one which is manifestly less robust and less trustworthy and which won’t have legislative protection against misuse.
One also has to wonder about NEHTA’s costings – given the Human Services Department thinks number allocation will cost hundreds of millions of dollars and NEHTA has only $50 million over a few years to undertake a similar task.
Worse, the Access Card has done extensive public consultation on the privacy issues around numbering citizens and NEHTA is either ignorant of or ignoring it. I wonder which it is?
2. Blueprint is a misnomer. The document is in no way a blueprint – it is a consultation paper from which, I imagine, NEHTA plans to ultimately produce an actionable blueprint. As it stands it identifies and attempts to scope a good range of the contentious issues surrounding health information policy and asks for views on how they should be handled.
3. NEHTA has developed this document apparently in the absence of any input from the peak bodies representing health informatics practitioners, the Australian College of Health Informatics, the Health Information Society of Australia, health system vendors and health information managers.
Clinical input in the workshops conducted to develop and refine this document late in the year also appears to have been token at best (1 GP, 1 nurse and 19 others as I count it).
4. The document (on the basis of no evidence I can find within the document) seems to work from the implicit assumption that giving the entire population another unique number is a good and desirable thing. Given the cost and effort involved in doing this, and the known privacy implications of unique identifiers, this issue should have been addressed and reviewed.
To produce a privacy document that does not explore alternatives to giving every citizen yet another number is really staggering arrogance, especially when the business case for the entire project has remained on NEHTA’s secret list.
5. I think it is clear that if NEHTA has no capability to legislatively protect their planned identifier against privacy abuse and scope creep they should either drop the whole project or go back to government and get the protections that are so definitely required.
6. NEHTA proposes to obtain the basic information from the Medicare Australia individual person database. Given the well-known lack of quality of, and number of duplicates in, this database, due to the fact that its subjects do not, by and large, even know of its existence and thus have not corrected it, errors in record linkage based on the IHI are likely to be dangerously common.
Additionally, I am not sure most Australian citizens have been asked whether they are happy to have their demographic details shared by Medicare with a non-government company – as NEHTA most certainly is. I was under the impression that Medicare Australia – as a data custodian – should not disclose such information without the individual’s explicit consent.
7. The document mentions that consideration is being given as to the need for either one- or two-factor authentication for the IHI. Again, where is the mention of the Access Card as a possible factor and, even more worrying, where is the discussion of individual verification of identity so that the authentication can operate? Given that it is the initial registration phase that is both expensive and time-consuming, one really wonders how NEHTA can plan to do anything other than adopt the Access Card identifier.
8. NEHTA has not appreciated that the main problem with identifiers such as the IHI is not technical security but misuse by authorised users of a system. In this case we will have tens of thousands of providers and their staff able to search the IHI. Given the lack of effective controls seen at the ATO and Centrelink, what is the chance this source of demographic information won’t be similarly abused? The answer is zero!
9. NEHTA seems to have a rather patronising view that they are equipped to make balancing judgements about the extent to which ‘my’ privacy should be protected and that this level can be balanced against some concept of ‘public good’. I would suggest that they are not so empowered and that I am the sole arbiter of what is sensitive to me and what needs protection. Were I, for example, living with HIV/AIDS, I would expect not only an iron-clad guarantee that this fact would not be disclosed to anyone without my permission, but I would also want the right to substantial compensation for any system breach. NEHTA’s prime role is to facilitate the introduction and use of E-Health technologies, and not offering a highly sensitive and responsive privacy approach that the public is totally comfortable with will doom their efforts before they start. This present document does not suggest they “get” this fact.
People are only going to allow electronic health records to be implemented and used if they are totally confident where the information is going and who has access to it.
There is also a great deal wrong with the detail of the document, as well as with the proposed timing of the Privacy Impact Assessment (PIA). The PIA work needs to be undertaken and reviewed publicly long before the enabling system is designed. The PIA must also address all known technical, organisational and legal constraints.
This entire privacy proposal is deeply flawed in my view and has a high risk of destroying the possibility of progress with E-Health implementations due to the destruction of consumer confidence in the way their private information will be handled.
David.