The Privacy Commissioner published the following press release a day or two ago.
http://www.privacy.gov.au/news/media/2008_15_print.html
Media Release: E-health privacy blueprint - robust legislation is needed says Privacy Commissioner
15 August 2008
The Australian Privacy Commissioner, Karen Curtis, has called for legislation for the proposed national Individual Electronic Health Records (IEHR) system.
"The National E-Health Transition Authority (NEHTA) has identified some valuable privacy considerations for the proposed IEHR system," said Ms Curtis.
"The suggestion that individuals should be able to opt-in to an IEHR system is welcome, as this promotes genuine choice.
"It is also important that there is specific legislation for the system to ensure there are robust privacy protections in place."
Ms Curtis' recommendations were made in a submission by her Office in response to NEHTA's Privacy Blueprint, which will feed into a business case NEHTA will deliver to the Council of Australian Governments in late 2008.
Another key point made in the Office's submission was the importance of having "sensitivity labels" in place at the start of the system to restrict access to certain information within the IEHR.
"My Office argues strongly in favour of sensitivity labels being in place at the start of the project," Ms Curtis said.
"This would be of prime importance to, say, a patient who is suffering a sensitive condition, such as a mental or sexual illness.
"The sensitivity label would prevent a healthcare worker in an area unrelated to the patient's illness from accessing this information."
Ms Curtis has also called for individuals to be able to see who has accessed their records through the availability of audit logs.
"This is an important accountability and transparency measure," Ms Curtis said.
The submission is available at http://www.privacy.gov.au/publications/sub_nehta_0808.doc.
----- End Release.
The Executive Summary of the submission makes it quite clear what Ms Curtis thinks is needed by way of change in approach.
Executive summary
1. The Office of the Privacy Commissioner (‘the Office’) supports the development of an individual electronic health record (‘IEHR’) system to enhance the delivery of healthcare through improved sharing of selected health information. In the Office’s view, the assurance that privacy is protected will be a key element of the overall success of such a system.
2. The Office notes its support for the express consent approach to IEHR participation proposed by the National E-Health Transition Authority’s (‘NEHTA’) Privacy Blueprint on the IEHR (‘the Blueprint’). This approach offers important privacy benefits to individuals by ensuring that individuals’ active and express consent is required before they are enrolled in the system. The Office also welcomes individuals being able to consent to specific episodes of care being entered into their IEHR record.
3. While recognising the attention paid to privacy as part of the IEHR system’s development and the constructive approach taken to consent, the Office believes there are some key issues which require further consideration. These issues are:
· the need for enabling legislation for the system
· whether individuals will have sufficient choice as to who may access their IEHR, that is, individual health care workers or entire health care organisations
· whether individuals will be given the choice to limit access to particularly sensitive information by way of a ‘privileged care’ mechanism
· the suggestion that audit records may not be available to individuals and
· the need for further detail on how secondary uses of IEHR information will be managed, particularly with regards to uses beyond medical research.
4. In this submission to NEHTA, the Office provides input on these key privacy issues and other aspects of the IEHR system raised in the Blueprint.
----- End Executive Summary.
Reading the full submission it is clear Ms Curtis is not about to have NEHTA start its proposed IEHR without very robust legislation to protect individual privacy despite an obvious desire on NEHTA’s part to do so.
It is also clear that she rejects the blatant attempt by NEHTA to try to do a system ‘on the cheap’ by leaving out protections and abilities for choice she believes the public are entitled to.
Ms Curtis clearly also notes NEHTA’s proneness to try and operate in secrecy and recommends all the privacy impact assessments be made public – what a great idea!
Most of the rest of the 17 page submission then goes on to point out the number of areas where NEHTA have proposed the easy rather than the ‘privacy protective’ approach.
All in all – when the clear, well researched analysis is taken together with the concerns I expressed six or so weeks ago when the blueprint was released I think a major rethink of this proposed IEHR and how it will really operate is required.
My earlier comments are found here:
http://aushealthit.blogspot.com/2008/07/nehta-privacy-blueprint-for-iehr-how.html
We should all be grateful we have such a clear thinking and independent team looking after our privacy rights as we do at present. More power to them!
NEHTA has to go right back to the drawing board and properly address all the issues raised. I frankly doubt they will be able to do so without some considerable modification of their current proposals. Maybe NEHTA should have consulted a little more carefully privately before developing and publishing such a clearly flawed document and making such inadequate proposals regarding IEHR privacy. If I were a betting man I would not be putting much on ever seeing anything like the presently proposed IEHR actually happen!
All this just demonstrates just how out of touch NEHTA still is with the Health Sector and ordinary health consumers.
Interestingly we have also had the Australian Law Reform Commission weigh into the debate in the last week.
Tougher rules on records urged
Rules on medical records and population-based research may be reformed after a review of privacy laws. Health editor Adam Cresswell reports | August 16, 2008
MEDICAL records contain private information, often touching the most sensitive details of individual patients' lives. Doctors almost invariably guard access to their patients' files like hawks, ensuring only they and, occasionally, other doctors get to look inside.
You don't expect to find files such as these gathering dust in a garage, or dumped in a garbage bin, and especially not strewn over the footpath for any passer-by to see. But legal experts charged with conducting a review of privacy laws were shocked to find all these had really happened.
What's more, it was far from unknown for patients switching to another GP to face a battle to persuade their old GP to forward their records to the new doctor. Even though such records would be crucial to a proper understanding of the patient's history, in many cases the transfer simply did not occur.
And David Weisbrot, president of the Australian Law Reform Commission which conducted the privacy review, says it soon transpired that there was little patients could do to require doctors' co-operation.
In its 1996 ruling Breen v Williams, the High Court unanimously ruled that medical records are owned by the doctor who created them, not by the patient whose health they concern. While patients have access rights to that information, there has been no obligation on doctors to relinquish control to another doctor, or forward copies to another doctor.
That's one of several health-related issues that the ALRC, in the recommendations from its new 2700-page report on privacy laws, says should change.
"We heard a similar story quite often: if a doctor retired or died, or there was a merger or another practice took over the patients, they (patients) would have difficulty getting their records back to take to another doctor," Weisbrot says. "There were even stories of records being found in the rubbish bin, in the doctor's garage or even on the footpath.
Much more here:
http://www.theaustralian.news.com.au/story/0,25197,24182403-23289,00.html
It seems there is considerable alignment between the Privacy Commissioner and the NEHTA is the one out of step.
The Health Information Section of the ALRC report is important reading.
http://www.austlii.edu.au/au/other/alrc/publications/reports/108/
This is the relevant part of the Table of Contents:
Part H - Health Services and Research
60. Regulatory Framework for Health Information
61. Electronic Health Information Systems
- Introduction
- Background
- Issues Paper 31
- Discussion Paper proposals
- Medicare and Pharmaceutical Benefits databases
62. The Privacy Act and Health Information
- Introduction
- Definition of ‘health information’
- Definition of ‘health service’
- Agencies and organisations
- Provision of health services
- Consent
63. Privacy (Health Information) Regulations
- Introduction
- Collection of health information
- Use and disclosure of health information
- Access to health information
- Management, funding and monitoring of health services
64. Research: Current Arrangements
- Introduction
- Health and medical research in Australia
- Research and the use of personal information
- Information Privacy Principles
- National Privacy Principles
- Section 95 and 95A Guidelines
65. Research: Recommendations for Reform
- Introduction
- Section 95 and 95A Guidelines
- Research in areas other than health and medical
- Definition of research
- The public interest balance
- Impracticable to seek consent
- Human Research Ethics Committees
- Research exceptions to the model Unified Privacy Principles
66. Research: Databases and Data Linkage
Enjoy all this – we live in “interesting times”!
David.
0 comments:
Post a Comment