David Vaile
Cyberspace Law and Policy Centre, UNSW Law Faculty
d.vaile@unsw.edu.au
Medico-legal conference, Sydney, 29 March 2011
www.cyberlawcentre.org

• Background
• Nat. EHR framework
• Grand challenges
• Perceptions and trust
• Consent
• Consultation?
• Context
• Framework?
• Medical HI as ID card?
• Clinical outcomes affected?
• Implications for private health
• Implications for public health
• Privacy rules?

Law and IT, with medical flavour
My background
• Law, IT, consumer protection
• Interest in both health information and citizen expectations
• Early case later became Rogers v Whitaker (informed consent)
• Work with Prof Coiera’s proto-CHI, medical cont. education
• NSW and Federal Privacy Commissioner’s offices
• Australian Privacy Foundation
• UNSW Cyberspace Law and Policy Centre (iPP project)
• Database developer
• IT security, risk assessment for why big IT systems fail, UCD
• Personal information security and privacy advocate
• Involved in the aborted ‘Access Card’ fiasco
• Advocate of transparency of risks

The IT Security Grand Challenges
• Privacy you can control
• Security you can understand
(Smith and Spafford 2004)

Late arrival of IT, explosive diversification
• Late arrival of full scale networked EHRs
• Great diversity of record systems
• Many stakeholders
• Many points of interconnect
• Many claimants on access, ownership or other entitlements
• Great potential financial and clinical benefits

Risk management analysis seems to omit the risk
• Big IT projects fail ~ 75%, not mature industry
• Good methodology is not a luxury, it’s essential
• Risk focussed methodology + UCD is the only known way to deal with massive, not well understood requirements

Future Trends for Healthcare Records
• Biometric identification
• Genetic information linked with medical records
• International travel, medical tourism
• Text messages re: medical appointments
• Telemedicine inc. virtual consultations, multiple clinicians
• Radio Frequency Identification Devices (RFIDs)
• Identity-as-a-service provided by independent organisations (in response to issue of governments having dual roles of issuing and managing identifiers and related information, and also policing and governing their use?)
Source: CSC 2009

For Privacy and Personal information security?
National EHR system projects
• Massive effort in many domains
• Highly technical
• Expensive
• Often fragmented, components moving separately
• Appears to pay lip service to structured engagement of non-institutional stakeholders (a.k.a. ‘the paying customer’, consumers, patients and their advocates)
• Potential failure of methodology in relation to risk and user centred design (where patients = ‘users’)
• Disconnected: UHI before a model of use, or privacy rules?
• Good consent or poor consent?

Perceptions and trust…
‘Perceptions about privacy and notions of trust are critical to the successful adoption of e-health. … the combination of existing privacy laws, existing consent mechanisms and the provider’s duty to protect patient confidentiality are supplemented by a security and access framework, new controls set out in healthcare identifiers legislation and proposed privacy reforms.’
NEHTA Blueprint FAQs, 2010
But:
◦ Existing privacy laws largely unenforced (no complaint determ. in 5 yr)
◦ Proposed new laws recede into the future (no new health privacy law)
◦ Consent and duty are problematic (from patient’s perspective, in EHR)
◦ Security and access framework are opaque
◦ HI legislation does little to restrain or explain real limits on use.

Complexity of consent?
‘The Blueprint … skirts around the issue of how to deal with the problems of complexity and detail in the levels of patient consent required for an effective IEHR. Too much complexity will overwhelm patients, yet too little detail, such as occurs with bundled consent, is not useful either.
This balance is at the heart of the domain and presents a real challenge. NEHTA does not appear to have put it at the heart of their analysis or thinking about IEHR privacy options.’
APF submission on NEHTA Privacy Blueprint, 2008

What’s in a name
• No clear model for an integrated national EHR system
◦ Individual Electronic Health Record (IEHR)
‘It is not proposed that the information added to an IEHR will be a complete medical record for an individual, instead it will supplement local records held by healthcare providers. It will be a record of information that the provider believes has a high impact on clinical decision-making. Accordingly, healthcare providers using information collected from the IEHR will need to be aware that the information is not necessarily complete’
◦ Shared Electronic Health Record (SEHR)
◦ Personally Controlled Electronic Health Record (PCEHR)
• In May 2010, $466 million investment over two years announced into a Personally Controlled Electronic Health Record system to support the National Health and Hospitals Network.
‘The PCEHR will not hold all the information held in your doctor's records, but will complement it by highlighting key information.’
NEHTA, ‘What is a PCEHR?’ [No risk mentioned]
• Blueprint: ‘few individuals are expected to read it all’
• Glossary for terms: 8 pages

Consultation – with non experts
• Real consultation, as if it mattered to key design and strategic issues
• Need clear high level, long term overview
• Big picture of information design. A limited number of:
◦ roles
◦ information types
◦ rule types
• Plain English (jargon names may need to be changed)
• Detailed discussions about who gets to control what, or not.
• When and why choice and consent occurs.
• Good consent or poor consent?

Is there a simple, widely consulted and accepted national framework for eHealth system privacy and personal information security?
• (Many consultations got it wrong?)
• Probably not?
• NEHTA and others largely looking inwards, or preoccupied with ‘elephants stomping’ (big players)?
• Minister seeks to divert attention with ‘PCEHR’?
• Emphasis should be on externally accepted principles, after informed consideration of hard cases, implications
• Essential basis for future trust?

Sorry history of Access Card
• ‘This is not a national ID card system’, in Bill
• Culture of denial and evasion of functionality
• Not a good basis for trust
• Privacy-hostile assumptions may be built in to the Foundations?
• Lack of explicit trading of benefits and risks, potential for unintended consequences
• Public focus on benefits, undermines a model of informed consent: spin, sales, not participation

Is the IHI a national ID card system?

Point of comparison: Adult coverage
◦ ‘Australia Card’ proposal 1986–87: Every adult
◦ Access Card proposal 2006: Every Medicare recipient, plus others
◦ IHI 2009 proposal: To ‘all individuals who receive healthcare in Aust.’ (DP A.3.1)

Point of comparison: Children
◦ ‘Australia Card’ proposal 1986–87: Card from birth
◦ Access Card proposal 2006: No card until 18; listed on parents’ cards
◦ IHI 2009 proposal: IHI from birth

Point of comparison: Compulsory?
◦ ‘Australia Card’ proposal 1986–87: ‘Pseudo-voluntary’ – top marginal rate of tax payable unless presented for transactions; no access to social security or health insurance benefits
◦ Access Card proposal 2006: ‘Pseudo-voluntary’ – no Medicare benefits or other government benefits unless produced
◦ IHI 2009 proposal: IHI automatically assigned; ascertainable from MCN; production of MCC ‘pseudo voluntary’ – de facto condition of Medicare benefits; uncertain whether may be required by HCPs

Point of comparison: Carriage?
◦ ‘Australia Card’ proposal 1986–87: No legal compulsion (cl 8) – except when required to produce (very often)
◦ Access Card proposal 2006: No legal compulsion – except when required to produce (very often)
◦ IHI 2009 proposal: No legal compulsion to carry – except when required to produce MCC (as above)

Point of comparison: Confiscation?
◦ ‘Australia Card’ proposal 1986–87: Illegal to confiscate if produced voluntarily (cl 170(1)); Uncertain - confiscation ‘for good cause’ on compulsory production
◦ Access Card proposal 2006: Ownership of card proposed; Uncertain - specific protections against confiscation
◦ IHI 2009 proposal: Can MCC be confiscated and by whom?

Point of comparison: Registration requirements
◦ ‘Australia Card’ proposal 1986–87: Attend government office to prove identity
◦ Access Card proposal 2006: Attend government office to prove identity; 4 ID documents necessary, with copies to be retained online in SCRS
◦ IHI 2009 proposal: Automatic allocation if current MCN (DP A.3.1)

Point of comparison: Preventing issue of fraudulent IDs
◦ ‘Australia Card’ proposal 1986–87: Registration requirements
◦ Access Card proposal 2006: Registration requirements and comparison of photograph templates (Case Study – Fraud; Fact Sheet - Technology); documents presented to be checked against new Document Verification Service (DVS)
◦ IHI 2009 proposal: [uncertain] Reliance solely on Medicare CDMS as basis is implausible (low security)

Point of comparison: Re-issue
◦ ‘Australia Card’ proposal 1986–87: [uncertain]
◦ Access Card proposal 2006: 7 years; new photo required
◦ IHI 2009 proposal: [uncertain] May be partial re-registration necessary to obtain higher security.

Point of comparison: Lost/stolen cards
◦ ‘Australia Card’ proposal 1986–87: [uncertain]
◦ Access Card proposal 2006: [uncertain] Fee to re-issue
◦ IHI 2009 proposal: [uncertain] Lost/stolen MCCs now more dangerous

After Greenleaf 2009, in APF IHI submission

Reputation is hard won and easily lost
• Implications for loss are serious
• Erosion of trust consequent on awareness of failure of security or privacy of medical or related records
• Most vulnerable will be most difficult to please – the most to lose
• Private health – patients fail to disclose history, symptoms, get tested. Suboptimal treatment, clinical outcomes.
• Public health – patients fail to get tested, or disclose eg signs of infection etc. Potential for disease to spread and public health problem. Statistics wrong.

Where does this leave us?
• A uniquely challenging protective role…
• In the midst of massive overhaul of HRs
• Privacy law incomplete, mostly not enforced
• Government, institutions and profession racing on
• The hardest parts deferred?
• IT risk warning sign – fail early and cheap, not late & $$
• Clinical risk warning sign – gambling with a potential breach of the trust upon which frank history-giving depends

Sources
• Galexia Consulting, Preliminary PIA regarding the Unique Healthcare Identifier Program recommendations, and NEHTA’s responses, 2006
• Clayton Utz, PIA into the Unique Healthcare Identifiers Program recommendations, and NEHTA’s responses, 2007
• Mallesons Stephen Jaques, PIA into Individual Healthcare Identifiers recommendations, and NEHTA’s responses, Aug 2009
• ‘Data-matching in Commonwealth administration’, Guidelines issued by Privacy Commissioner under section 27(1)(e) Privacy Act 1988 (Cth), February 1998
• Mark A. Rothstein, ‘Debate Over Patient Privacy Controls in Electronic Health Records’, BioEthics Forum, 17 Feb 2011 (US)
• A rising tide of expectations, Australian consumers’ views on electronic health records – a necessary ingredient in healthcare reform, CSC Healthcare Research report, 2009
• ‘Are Electronic Health Records Ready for Genomic?’ Genetics in Medicine, Vol. 11, Issue 7, p. 510–17, July 2009
• Prashila Dullabh & Maria Molfino, ‘Liability Coverage for Regional Health Information Organizations’, AHRQ National Resource Center for Health Information Technology, June 2009
• Merle Spriggs, ‘When privacy can be a life or death call’, SMH, November 11, 2010
• NEHTA, Privacy Blueprint for the Individual Electronic Health Record, 2008
• NEHTA, Privacy Blueprint for the Individual Electronic Health Record – Report on Feedback, 2008
• Federal gov’t, ‘Personally controlled electronic health record system’ Fact sheet, 2010
• Person-controlled Electronic Health Records, HISA, 2009
• AHMAC, Healthcare Identifiers and Privacy: Discussion Paper on Proposals for Legislative Support, 2009
• Pamela Sankar, Susan Mora, Jon F Merz, and Nora L Jones, ‘Patient Perspectives of Medical Confidentiality - A Review of the Literature’, J Gen Intern Med. 2003 August; 18(8): 659–669.
• Ford CA, Millstein SG, Halpern-Felsher BL, Irwin CE, ‘Influence of physician confidentiality assurances on adolescents' willingness to disclose information and seek future health care. A randomized controlled trial’, JAMA. 1997 Sep 24;278(12):1029-34.
• Fehrs LJ, Fleming D, Foster LR, McAlister RO, Fox V, Modesitt S, Conrad R, ‘Trial of anonymous versus confidential human immunodeficiency virus testing’, Lancet. 1988 Aug 13;2(8607):379-82.
• D Carmen and N Britten, ‘Confidentiality of medical records: the patient's perspective’, British Journal of General Practice, September 1995, 45, 485-488.