Delivery and Exchange of Information: Clinicians

From SystemsWiki

Jump to: navigation, search

Contents

Introduction

As well as exploring information delivery and exchange this is a good point in the unit to explore issues of security, privacy, consent and interoperability as well as the concepts of the components of a useful health IT infrastructure covering such issues as Standards setting, regulation, shared services (identifiers, end point location and authentication).

Learning Objectives

With completion of this section it is intended that the student will have a high level understanding of the ways health information can be accessed and more importantly exchanged and shared between clinicians. The student will also have an appreciation of how an appropriate enabling infrastructure can be developed, sustained and governed.

Aims of Unit

In this Section we review the different ways Clinical Health Information is accessed and shared. We also consider the various technical and policy frameworks which permit such information exchange to be undertaken successfully

Section 1. Information Delivery and Exchange

Simple Information Access

At its most basic this is obviously access to information held in systems via either terminal (increasingly uncommon), personal or network computer found in offices and wards, mobile devices (tablets and so on.) and printed output of all sorts. The most obvious issue around such access is control of just what information is accessible and who is permitted to access what can be quite sensitive personal information. Under most, even the most basic, heath information access regimes, access is regulated by what essentially amounts to a ‘need to know’ framework, implemented in access rules. This typically leads to adoption of a ‘role based’ approach to control of access - with the permission to access being based on the job being undertaken - be in doctor, nurse, ward clerk and so on. It is also important to realise that in most jurisdictions holding such sensitive personal health information as might be found in a GP Electronic Patient Record brings with it obligations to protect and maintain the information. This area will be explored more fully under security and privacy. There are a wide range of approaches to authentication (i.e. establishing the true identity of) the system users. Even today the usual approach to deciding who is typing on the keyboard or screen is the use of a username / password combination. Use of passwords can be improved by increasing password length and character mix as well as insisting on regular password changes. The problem with all that is that such action tends to annoy and frustrate users who then work hard to develop work-arounds to the rules. The most important point in user authentication is to appreciate that optimal security is usually obtained by using what is termed two (or even three) factor identification to screen log-ins as well as having strong rules to handle failed attempts. Typically the factors used are something the user knows (password etc.), something the user has (a token, smartcard and the like) and to go even further you can use something the user is such as a biometric which is rather tricky to fake! Use of a password or pin and token such as a smartcard provides pretty good assurance as to who is accessing the system - assuming no deliberate fraud is involved. See below for a useful link for all this and a whole lot more on user authentication. While not part of this discussion clearly how information is presented on screens and devices, how important information is highlighted and how searching is undertaken are design factors which are important in both access device usability and more so clinical safety.

Secure Clinical Messaging

A key basic piece of Health Information Technology is what is termed Secure Clinical Messaging (SCM). What this does is provide a mechanism which permits the trustworthy, secure and private transfer of identified patient information from one clinician to another - including the confidential transfer of information such as referrals, test results and so on from the one provider to another. When considering the SCM area there are a range of issues that need to be addressed. In 2013 it would be true to say that the vast majority of such messaging is undertaken using the Internet as the transport mechanism. It is, however, widely known that the Internet is not a really secure transport mechanism and for this reason additional steps are required to reach a sensible and secure outcome using the Internet as the transport mechanism. The key requirements are:

  • The message must be robustly encrypted to ensure privacy. Because the destination clinician needs to be able to decrypt the message when it arrives, but no one else must be able to, the approach used is what is called Public Key Encryption or PKI. (You can read the details of how this is actually achieved here

This approach forms the basis of all the encryption and security systems used in the Health System in Australia for clinical messaging and underlies the systems used my Medicare Australia for billing claims and the services offered by commercial messaging providers (Healthlink, Medical Objects etc.) The same approach is included in the National Authentication System for Health (NASH) which is sponsored by the Australian National E-Health Transition Authority (NEHTA).

  • There must be some form of electronic directory which allows the sender to direct a message to a known recipient and for the recipient to acknowledge receipt of the message (to close the messaging loop in a medico legal sense). (This is technically called and End Point Locator Service).
  • Relevant patient identifiers to permit matching of the information in a message with a patient with a high degree of confidence. These may be based on the Australian National Health Identifier or some other more local identifiers.
  • There must exist Standards that define how the message, when it arrives and is decrypted, is then displayed and how the information contained within the message is placed in the receiving electronic record.

This information will include patient details, provider details, destination provider details and the message content itself be it some test results, prescriptions, referrals and so on. In Australia these Standards used are maintained by Standards Australia - guided by a committee of experts termed IT-14. The outcome of this work is a set of Australian Standards, Technical Reports and so on. These are able to be accessed here

Mobile Devices and Services

The advent of wireless (2G, 3G and recently 4G) and more ubiquitous wi-fi technology as well as the progress in the size, weight, battery life and utility of mobile phones and tablets (especially with web-browser technology) has been transforming information access over the last few years. In the last few years this area of activity has been termed ‘mHealth’ for Mobile Health and has been exhibiting very high growth rates in adoption and usage. With this happening we are seeing an impact beginning on the health sector - slowed a little by a secondary discussion that is happening in many industries about whether dedicated devices are needed or employees can use their own devices should they desire (This is what is referred to as Bring Your Own Device (BYOD). The concerns with BYOD are mainly based around security and compatibility with the local network infrastructure. Besides the expected telephone / voice functionality there are four broad areas where mobile devices are utilised.

  • Terminal Replication

This is simply providing routine access to the Hospital Information System information on a portable device as an iPad etc. as the clinician moves around the Hospital and provides care to patients. What is important in providing such access is to ensure the security of the information is the same as provided by standard access methods. There can be problems achieving this in environments where there are requirements for physical devices associated with the security (smartcards, dongles etc.) Recent innovations, such as using finger-print recognition technology with the new iPhones, which seems likely to spread to most mobile platforms, may offer a reasonable secure and simple solution if well implemented. Additionally there may be a range of useability issues where small screens and / or ‘glass keyboards’ are necessarily used.

  • Web Access

Connectivity to the internet has been a transforming capability for mobile devices. Implementation of web-browsers on such devices has not only permitted terminal access but also the use of a wide variety of other web-based applications. Obviously this includes the ability to research topics, review relevant literature and seek advice from other practitioners via e-mail, Skype etc. Additionally there are a range of web-based applications that can provide clinical decision support and access to clinical guidelines at the point of care. If used as intended it would be hoped that such applications could provide real patient benefit.

  • Specific App Access

The Apple and Android Universes provide a wide range of ‘Apps’ which have an almost unlimited range of mobile functionality in almost every conceivable health domain. Of course all these Apps are really just computer applications designed to operate in either the Apple iOS or Android operating system environment - with a smaller array available in the Windows Mobile and Blackberry environment. Many can trace their origin back to personal computer origins by many are now uniquely conceived to maximally exploit the functionality available in the mobile hardware - cameras, GPS, and so on.

  • Data Capture for Clinicians and Patients

Of particular interest are mobile applications which can capture clinical information for disease monitoring and documentation purposes. The use of such application can assist patients keep track of a range of clinical parameters from blood sugar readings to headache frequency and assist in patient engagement with their clinicians and illness. Most usefully to assist in making the value and impact of Mobile based health (mHealth) better understood and a valuable web site is now available. The site describes itself thus: What is mHealth Evidence? mHealth is the use of mobile information and communication technologies for improving health. It can be used for a wide range of purposes, including health promotion and illness prevention, health care delivery, training and supervision, electronic payments, and information systems. Many believe that it has the potential to shift the paradigm on when, where, how and by whom health services are provided and accessed. But mHealth is a young field and much of the evidence on “what works” is still emerging. Even the evidence that exists can sometimes be difficult to find. mHealthEvidence.org was designed to bring together the world’s literature on mHealth effectiveness, cost-effectiveness and program efficiency, to make it easier for software developers, researchers, program managers, funders and other key decision-makers to quickly get up to speed on the current state-of-the-art. It includes peer-reviewed and grey literature from high-, middle- and low-resource settings. The site is found here and is very well worth a careful review to assess the scope of mHealth and the associated evidence base for the use, deployment and adoption of such technology. As a last comment in this section it is worth just mentioning that we are presently in the very early stages of the ‘Wearable Computing’ revolution. Various devices like Google Glass and intelligent connected wristwatches with various sensors are probably just the beginning of a wide range on innovations we will see over the coming years and decades. For an amazing view of the range of possibilities this article is worth exploring.

Here is a summary from the Wall Street Journal: “I, smartphone. Google Glass has nothing on a new generation of wearable computers bubbling up in labs worldwide. In United Hemispheres magazine, Boyd Farrow tracks the technology industry’s efforts at melding sensors with the human body. One Massachusetts-based lab is exploring RFID tattoos for “a generation more accustomed to wearing ink than watches.” California’s Proteus Digital Health has a sensor-laden pill, that when swallowed, makes the entire body “an authentication token.” Meanwhile Samsung Electronics Co. is developing software that would be controlled by a user’s thoughts, to “select songs from a playlist, or even write on a Galaxy Note.” Mr. Farrow writes that one “computer guru” already is concerned that hackers will embed their spyware in brain-enabled digital technology: “If this were to happen, merely thinking about making a credit card payment could result in somebody, somewhere, buying a speedboat at your expense.” Here is the Wikipedia page to keep an eye on while tracking the evolution of these areas.

Health Information Exchange

This and the next section are all about moving useful Health Information to where it is needed and can then be used to improve patient care. Essentially there seem to be two competing approaches to reaching this end with all sorts of hybrid approaches potentially possible. In the first approach being reviewed here locally stored health information is made accessible to a service requesting access and with the appropriate security and authentication and assembled into usable form for an identified and authorised user. In order for this to be achieved a number of issues need to be addressed. Before anything can be a done there has to be agreement on access methodologies to each of the stored data sets and the format and content of the records to be provided need to be standardised and interpretable at the receiving end. Communication and security standards also need to be agreed and operate in a totally end to end fashion - given the potentially sensitive nature of the information being accessed and transported. As a practical matter most Health Information Exchanges (HIE) cover a defined geographic area and provide services within say a city, a US state or some region. The Australian PCEHR can be seen as a form of both shared record and a HIE and is unusual in covering a rather large geographic area. There is a similar system, on a much smaller scale operational in Singapore. If all this is in place there are still a few other things to be addressed.

  • First the records associated with a particular individual need to be identified and made available. This means each record must be either tagged with a known identifier of the data sources must be able to use an algorithmic approach to identify relevant records based on demographics such as name, date of birth, Medicare Number and so on. Use of such matching or algorithmic approaches risk the possibility of important records being overlooked and the opposite risk of including information from the wrong patient also exists.
  • Second there needs to be careful consideration given to how the information retrieved is presented to the receiving clinician, what priority is given to what information and how past and older information is to be navigated. Actual information access will typically be mediated by some form portal which provides the authentication and security services at the front access component of the Exchange (HIE).
  • Third with multiple information sources to be accessed the HIE often uses middle-ware to connect the disparate remote systems and the central service / portal. There are a number of commercial providers who now offer the portal, communication software, middle-ware connectors and user interface software as a package. (Examples include Oracle, Orion and many others.)
  • Fourth many HIEs find financial, management and governance issues to be quite demanding. There is an extensive literature available - with a strong US bias - on all these issues. The page - which requires free registration can be found here:

Browsing this site provides a useful overview of the current issues in this area. There is also a useful article covering the nature of HIE and predominantly the situation of HIEs in the USA to be found here

Shared Electronic Records

As mentioned above the other approach to the sharing of health information is to provide a centralised server and, in advance, populate the records of each known patient with what-ever relevant information is available. Typically such a record will have a defined, relatively small subset of information designed to act as a useful clinical profile in emergent situations or when a patient is seeking care away from their usual care provider(s). Three examples of such record systems are the English Share Care Record (SCR), a similar but slightly more comprehensive Scottish equivalent and the Personally Controlled Electronic Health Record (PCEHR) which is provided for Australian citizens should they choose to enrol in the system. In the UK the SCR is a very basic patient record which contains patient demographic details, allergies etc.

  • Overview of the Summary Care Record (SCR)
    • 2.1 What is the SCR?

The SCR is an electronic patient summary containing key clinical information from the GP record that is accessible by authorised healthcare staff in an urgent or emergency situation. An SCR is optional -a patient can choose whether or not to have one. Furthermore where a patient has an SCR it should only be accessed with permission from the patient except in exceptional circumstances, for example, emergency access if the patient is unconscious

  • 2.2 Content of the SCR

Every SCR is made up of the following core patient information: - Medications (Acute, Repeat and Discontinued Repeat) - Allergies - Adverse Reactions This information is shared from the GP practice IT system when a practice ‘goes live’ with SCR. Following this initial upload of patient information, the SCR will be updated whenever there are changes made to medications, allergies or adverse reactions in the GP Practice IT system by an authorised user. Additional clinical information over and above the core information, for example significant diagnoses or care plans, can be added to the SCR by a patient’s GP practice where the patient and the GP agree that adding further information may be beneficial to the patient. Patients are in control of any additional information and are required to give express consent (otherwise known as explicit consent) to additional information being included. This is an extract of an educational document for GPs produced by the UK Health Department. The full document can be found here

  • The Scottish system is quite similar to the UK version.
  • In Australia the PCEHR is rather different. For a start in the UK the SCR is an opt-out environment where a record is created unless the patient specifically requests it not be created - with typically very few making that request. In Australia the patient has to specifically request PCEHR registration and record creation which is not a totally simple process. The PCEHR covers a similar scope of information to the SCR (in the form of a Shared Health Summary prepared usually by a GP) but with the addition of a range information that is added by the patient, a range of clinical calculators as well as automatically added information from the National Medicare databases covering medications dispensed and testing that has been conducted.

It is important for the reader to visit here to assess just what is presently being claimed and offered by the Australian PCEHR. Crucially the PCEHR is intended to hold in perpetuity all documents that are uploaded in an attempt to create a life-long record, whereas the SCR only holds a single current record. Both environments provide a patient portal where the user can review the contents of the information held regarding them. There are a number of potential issues that arise whenever health information is shared between providers. Among these are assurance of the accuracy and currency of the information being provided, certainty that the information does actually belong to the patient under care, assuring that there is genuine consent for the disclosure of the information and that the information is maintained in a secure and private fashion. Despite the intuitive attractiveness of such systems to date there has sadly not been, to date, any studies which have actually confirmed the clinical value of shared EHR systems whereas there is reasonably good evidence for the clinical utility for clinician use of EHRs for patient care of their patients. There are a number of evaluation studies that have been conducted on the UK system.

  • Here are some links:

Full report on evaluation of summary care record - University College London Do summary care records do more harm than good? - Ross Anderson A defence of summary care records - Mark Walport [Wellcome Trust] Clinicians may not access summary care records - IT Projects Blog Summary of draft UCL report on summary care record - IT Projects Blog These links are taken from an excellent article which is important reading. Trisha Greenhalgh on Summary Care Record - where does the truth lie? By Ted Ritter on June 23, 2010 10:05 AM Found here There is considerable clinical concern about the shared records systems. Here is a UK link. and here is a similar set of concerns being expressed about the Australian PCEHR. Both these deserve careful review to gain an understanding of just how contentious such systems can become - especially recognising that the levels of expenditure on these systems have been in the billions of dollars or pounds both in the UK and Australia.

Section 2. Health Information Infrastructure and Ecosystem

In this section areas of importance to the use of all Health IT are discussed. In the design of virtually all the systems discussed in the overall Unit. These four areas need to be addressed if any Health IT system or implementation care to be successful. Each of these are to some extent inter-related and as a whole essentially cover the protection of information held within systems.

User Authentication

Clearly it is vital that a computer system of any sort has an appropriate level of confidence on just who is accessing the system. This is provided by a range of user authentication methods. This is discussed in the end of section on simple terminal access - Section 1.1 above and really does not need to be re-iterated here other than to point out the hierarchy of user authentication - where in order of increasing strength we talk of using something the individual knows (name and password for example), something the individual has (a specific token or USB key for example) and lastly something the patient is (a biometric for example). There is a discussion of this area found here. The issue with all user authentication is that it is very hard to counter deliberate fraud or insider corruption. While uncommon this always needs to be borne in mind. The other factor to be considered is user access convenience. If access is made too time consuming or too rigorous in the context of the information being protected then this will encourage user frustration and fraud. Thus there needs to be a balance between simplicity and ease of access and authentication level.

Security

Computer security is a huge topic - way beyond the scope of this small unit - but needs to be mentioned if only to point out first the complexity of creating genuinely secure systems - witness the endless security patches we see from the very professional and serious makers of all significant software packages - and to highlight that there are steps the users of typical clinical systems based on personal computers or tablets can take which will make a substantial difference.

  • First, all relevant security updates should be installed when they are released.
  • Second , ensure current and continuously updated antivirus and anti-malware software is in place and operational.
  • Third, if the computer or device is connected to the internet that appropriate firewalls are in place to protect the system from remote intrusions.
  • Fourth, that regular backups of all information are taken - and regularly tested to minimise the risk of actual information loss. Ideally at least one or two copies should be kept well away from the computer being backed up. These days backing up to the cloud can make considerable sense for data protection.

These steps will greatly help to increase the security of basic computer use. As far as larger computer systems are concerned this is really a specialist domain and security and the design and implementation of the associated policies and procedures need to be managed by well-trained specialists who are properly accredited. From a management perspective the key here is to recognise that in areas such as this most do not know what they don’t know but that there are real threats out there that need to be professionally addressed. There is a great deal more to read on the topic available here

Privacy

For thousands of years clinicians have recognised the need patients have to keep their health information between them and their clinician.

  • The Hippocratic Oath - which dates from the 4th to 5th Century B.C. contains the following lines.

Version 1. What I may see or hear in the course of the treatment or even outside of the treatment in regard to the life of men, which on no account one must spread abroad, I will keep to myself holding such things shameful to be spoken about. Version 2. All that may come to my knowledge in the exercise of my profession or in daily commerce with men, which ought not to be spread abroad, I will keep secret and will never reveal. Source and full oath is found here However different the words, the intent is clear. The clinician must not and should not reveal any patient information obtained in the course of care delivery. The only addition one might make to this is the recognition that the fully informed patient may, if they choose, permit disclosure of such information to whoever they choose.

  • Readers should note that the principles above and the discussion that follows applies equally to electronic as well as paper based information. The risks of disclosure may be slightly different but

The reason most believe such restrictions are good practice is that if the individual is confident that the private and sensitive information will be kept properly they are much more likely to fully disclose information that may improve diagnosis and treatment. A further related point centres around the fact that preservation of such information privacy - working with information security in the context of Health IT - reduces the risk of discrimination and persecution of the patient on the basis of some illnesses which may tend to stigmatise the individual. An obvious example is the Sexually Transmitted Disease Clinic. I suspect such clinics would be pretty empty and unused in the absence of an assurance of both privacy and information security!

  • It is also important to consider that for the Health System to function smoothly and be well co-ordinated there needs to be reliable secure flows of personal information between health providers as well as entities such a Medicare and private health insurers.

Each of these parties takes on an obligation to protect any personally identifiable information from disclosure and there are relatively strong regulatory controls that cover such information flows. An obvious issue that arises with these information flows is the almost total lack of explicit consent for the transfer of personal information between the various actors in the Health System. Indeed, the vast majority of patients are essentially unaware such information flows are happening.

  • In Australia there is both a National Privacy Law and a range of health specific State and Territory laws.

In the briefest of summary those who handle private health information are required to only collect information they need, to keep the information secure and to take reasonable steps to ensure the information is accurate. Finally, if they are asked by patients to access the information held on them it must be provided. Here is how the situation is summarised by the Office of the Information Commissioner.

  • Health information and the Privacy Act

Health information is regarded as one of the most sensitive types of personal information. For this reason, the Privacy Act 1988 (Privacy Act) provides extra protections around its handling. For example, an organisation generally needs an individual's consent before they can collect their health information. In addition, all organisations that provide a health service are covered by the Privacy Act (whether or not they are small businesses). Organisations providing a health service include:

  • traditional health service providers such as private hospitals and day surgeries, doctors, pharmacists
  • allied health professionals (such as psychologists)
  • complementary therapists (such as naturopaths and chiropractors) and in some cases gyms, weight loss clinics etc.

The Privacy Act regulates how these organisations collect and handle personal information, including health information. It also includes provisions that generally allow a person to access information held about them. The Office of the Australian Information Commissioner (OAIC) also regulates the handling of health information held in an individual’s eHealth record. The OAIC has developed privacy fact sheets and privacy guides to help individuals and organisations providing a health service understand their rights and responsibilities. Further information about health and medical research is also available on the Privacy Topics — Health page.

  • Medical research

The Privacy Act permits the handling of health information for health and medical research purposes in certain circumstances, where researchers are unable to seek individuals' consent. This recognises:

  • the need to protect health information from unexpected uses beyond individual healthcare
  • the important role of health and medical research in advancing public health.

To promote these ends, the Privacy Commissioner has approved two sets of legally binding guidelines, issued by the National Health and Medical Research Council (NHMRC). Researchers must follow these guidelines when handling health information for research purposes without individuals' consent. The guidelines also assist Human Research Ethics Committees (HRECs) in deciding whether to approve research applications. The guidelines are produced under sections 95 and 95A of the Privacy Act. The guidelines are:

  • Guidelines under Section 95 of the Privacy Act 1988: privacy and medical research (March 2000), which sets out procedures that HRECs and researchers must follow when personal information is disclosed from a Commonwealth agency for medical research purposes.
  • Guidelines under Section 95A of the Privacy Act 1988 (December 2001), which provide a framework for HRECs to assess proposals to handle health information for health and medical research (without individuals' consent). They ensure that the public interest in the research activities substantially outweighs the public interest in the protection of privacy.

Genetic information Using and disclosing genetic information The Privacy Act does not prevent a health service provider using or disclosing a patient's genetic information, if the patient has given informed consent. Where a health service provider has not been able to obtain consent from the patient, the Privacy Act allows the use and disclosure of genetic information where:

  • the health service provider reasonably believes that there is a serious threat to the life, health or safety of a genetic relative of the patient
  • the use or disclosure to the genetic relative is necessary to lessen or prevent that threat
  • the health service provider has complied with the Guidelines issued under section 95AA of the Privacy Act.

Further information Got a question on health privacy? Chances are someone's asked it before. See our Privacy Topics — Health page. If you're an individual and would like more information about your health privacy rights, see our consumer's guide to privacy and health information: My Health My Privacy My Choice. For a snapshot of how the Privacy Act applies to health information, see Health information and the Privacy Act 1988: A short guide for the private health sector. Health service providers can find out more about complying with the National Privacy Principles in the Privacy Act by reading our Guidelines on Privacy in the Private Health Sector. For information on Medicare and the Pharmaceutical Benefits Scheme, see the Medicare and pharmaceutical benefits page. If you think an agency or organisation has misused your personal information, you can make a complaint. To find out more, see the Privacy complaints section of this website. This page is found here

  • There has also been a very interesting survey related to public attitudes to the use and sharing of health information conducted quite recently.

Here is the relevant section for this unit. Medical and health information Health professionals sharing patient information Respondents were asked to nominate which of four options best described their views on access to health information (multiple responses had been allowed previously).

  • Chart 10. Situations when transfer of health information is appropriate

Q22 Which of the following four options best describes when you think it would be ok for your doctor to share your health information with other health professionals? Australians displayed quite different opinions with one in three saying that: such information could be transferred without their consent to treat the specific problem at hand (31%); or that consent should always be sought (31%). A quarter of people (25%) take a more relaxed approach, saying that they are happy for information to be shared between health providers for anything to do with their health. A further one in eight (13%) are happy for information to be transferred in serious or life-threatening cases. While the question was asked differently in previous surveys, the pattern of response is similar to the past. In 2007, just over one in three people (35%) felt that the transfer of health information is appropriate when the purpose is related to the condition being treated. A similar proportion (25%) stated health information should not be transferred unless they ask the patient for their consent. One in four people were happy for their information to be transferred if it had to do with their health, while less than two in ten respondents (17%) said it would be acceptable if they had a serious or life threatening condition. There was no variation in gender or age. Health professionals discussing patient information

  • Chart 11 shows that the number of Australians prepared to accept their doctor discussing personal health details with other professionals without consent has increased over time from six in ten (59%) in 2007, to two thirds (66%) in 2013.

This shift has been driven by a large difference in the views of people at both ends of the working spectrum. Whereas in 2007, half (53%) of white collar and six in ten (59%) of blue collar workers agreed with this proposition, in 2013 the proportions are six in ten (63%) and three quarters (76%). People living in blue collar households remain the most accepting of this, but all other sectors of society have drawn closer in their opinions. Women and men continue to hold slightly different views with seven in ten men (72%) and six in ten women (60%) now supporting their doctors discussing their health details without consent. This support has increased amongst both sexes since 2007 (64% and 55% respectively then).

  • Chart 11. Acceptability of doctor discussing personal medical details with other health professionals

Q23 To what extent do you think your doctor should be able to discuss your personal medical details with other health professionals in a way that identifies you without your consent if they believe this will assist your treatment? Age does not seem to have a strong impact on this relationship. However, older people (aged 35+ years) were more likely to be accepting of their doctor discussing personal health details with other professionals without their consent (68%) in comparison to younger people (aged 18-34 years) (60%). Hereis the link. This research should be read closely as it reveals current attitudes to much of the way Health Information is presently handled. Support is by no means universal and concerns are common.

  • In the USA there is a specific act covering all aspects of the topic and much more. It is called The Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Wikipedia article is worth a browse to see just how complicated things can become!

http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act A useful source of ongoing information on the state of play in privacy is The International Association of Privacy Professionals - Australia and New Zealand. It is a community of privacy professionals eager to meet, share and learn. Here is a link to their website.

  • As a final note on privacy it is important to note that there are a major set of changes to the privacy act coming into effect in March, 2014.

Privacy law reform The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Privacy Amendment Act) was introduced to Parliament on 23 May 2012 and was passed with amendments on 29 November 2012. The Privacy Amendment Act is a part of the privacy law reform process that began in 2006. More information on the privacy law reform process is available on the History of the Privacy Act page. The Privacy Amendment Act introduces many significant changes to the Privacy Act. While these changes will not commence until 12 March 2014, Australian and Norfolk Island government agencies and businesses should start preparing now. Individuals should also be aware that from December 2012 if they fail to make loan or credit card payments on time, it may affect their ability to obtain credit in the future. Watch the YouTube video of Australian Privacy Commissioner, Timothy Pilgrim speaking about the changes to the Privacy Act. Here is the link. Those who handle personal information need to make sure they understand the implications of these changes. All hospitals and medical practices, for example, need to be compliant with the new regime.

Data Breaches

  • In the United States there is what is called a mandatory data breach law which is part of the HIPAA mentioned above. Here is the relevant text.

Breaches Affecting 500 or More Individuals As required by section 13402(e)(4) of the HITECH Act, the Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals. These breaches are now posted in a new, more accessible format that allows users to search and sort the posted breaches. Additionally, this new format includes brief summaries of the breach cases that OCR has investigated and closed, as well as the names of private practice providers who have reported breaches of unsecured protected health information to the Secretary. The following breaches have been reported to the Secretary: Here is the relevant link. Thus there is a major name and shame approach along with a variety of penalties. Watching reporting in the US you will come across a significant reportable breach every few days.

  • A typical example that appeared the day I was preparing this section provides the flavour of what happens.

St. Louis University Security Breach Compromises Health Information of 3,000 People Written by Helen Gregg (Twitter | Google+) | October 08, 2013 A phishing scam targeting St. Louis University employees led to the disclosure of the personal health information of approximately 3,000 people. The university announced the incident, in which some university employees responded to personal information requests from fraudulent but official-looking emails, appears to have been targeting the employees' financial information. Some of the employees who responded to the scam were University physicians, and their disclosures led to unauthorized access to about 20 email accounts containing the protected health information of the 3,000 affected people. While the university does not believe the personal health information stored in the email accounts was accessed, a letter has been sent to all those affected, notifying them of the incident and offering one year of identity theft protection and restoration services. Here is the link. The impact of these breaches is non-trivial.

  • It’s Getting Scary Out There, In HIPAA Breach Land

Continuing its streak of HIPAA enforcement actions over the past year, the U.S. Department of Health and Human Services’ Office of Civil Rights (OCR) recently announced a $50,000 settlement with Hospice of North Idaho (HONI) arising from the theft of a laptop that contained encrypted patient data. This is the first settlement involving a breach of unsecured electronic protected health information (ePHI) affecting fewer than 500 individuals. While tragic, more and more stories like HONI’s are making headlines. According to a 2012 independent study by the Ponemon Institute, the number of healthcare organizations reporting breaches is rising; and what’s worse, only 40% of the study’s participants feel confident in their ability to detect and prevent breaches in the future.

  • Some additional stats from the study we’d like to highlight:

• The healthcare industry loses $7 billion a year due to HIPAA data breaches • The average economic impact of a data breach has increased by $400,000 to a total of $2.4 million since 2010 • 94% of healthcare organizations have had at least one data breach in the last two years • The average number of lost or stolen records per breach is 2,769 • Only 40% of organizations have confidence that they are able to prevent or quickly detect all patient data loss or theft • Top 3 causes of data breaches: Lost or stolen computing device (46%), Employee mistakes or unintentional actions (42%), Third party snafus (42%) • 18% of healthcare organizations say medical identity theft was a result of a data breach • Annual security risk assessments are done by less than half (48%) of organizations • 48% of data breaches in 2012 involved medical files • The primary activity conducted by healthcare organizations to comply with annual or periodic HIPAA privacy and security is awareness training of all staff (56%), followed by vetting and monitoring of third parties, including business associates (49%) More discussion is found here These statistics make it clear my mandatory reporting is important.

  • In Australia there is mandatory reporting for data breaches which involve the PCEHR but there is not general consumer notification regarding such breaches. There was an attempt to legislate such notifications in the last parliament but the Bill lapsed with the change of Government in September 2013.

Here is a link to the legislation page. The Privacy Commissioner has asked to Coalition Government to consider re-introducing the legislation so it may happen in future. Without such legislation it is hard to know just how frequent problems are in Australia as typically organisations are embarrassed by such problems and provide very little if any disclosure. Experience in both Australia and overseas suggests that the majority of data breaches are as a result of a lack of care and common sense rather than malicious activity, but there is a sense that malicious incidents are rising.

  • The OAIC provides a comprehensive set of suggestions on managing data breaches

Here are the key points: Key messages

  • This guide provides general guidance on key steps and factors for agencies and organisations to consider when responding to a data breach involving the personal information that they hold.
  • Agencies and organisations have obligations under the Privacy Act 1988 (Cth) to put in place reasonable security safeguards and to take reasonable steps to protect the personal information that they hold from loss and from unauthorised access, use, modification or disclosure, or other misuse.
  • Depending on the circumstances, those reasonable steps may include the preparation and implementation of a data breach policy and response plan (that includes consideration of whether to notify affected individuals and the OAIC).
  • Data breaches are not limited to malicious actions, such as theft or 'hacking', but may arise from internal errors or failure to follow information handling policies that cause accidental loss or disclosure.
  • In general, if there is a real risk of serious harm as a result of a data breach, the affected individuals and the OAIC should be notified.
  • Depending on the specific circumstances of the data breach, notification will be an important mitigation strategy for individuals, and can promote transparency and trust in the organisation or agency.
  • Notification of a data breach in appropriate circumstances is consistent with good privacy practices.
  • Compliance with this guide is highly recommended by the OAIC, but is not mandatory.
  • The ALRC has recommended that the Privacy Act be amended to impose a mandatory obligation to notify the Privacy Commissioner and affected individuals in the event of a data breach that could give rise to a real risk of serious harm to affected individuals. The operation of this guide could inform the Government's response to the ALRC's recommendation that mandatory breach notification be introduced into law.

The full page is here

  • It is important to note there are real obligations with serious consequences for not properly protecting private information (see point 2 above). It should also be noted that where deliberate data breaches occur the reasons are typically for fraudulent use such as identity theft and financial benefit, for revenge (by disclosure of another individuals secrets), or for simple curiosity as in the case of browsing the records of celebrities. Close monitoring and staff education are the keys to prevention of major harmful preventable breaches.

Concluding Comment

Taken as a whole these topics bring together an operating environment that is part technical and part social. What is key is that those implementing Health IT are aware of both the social and technical forces that surround what they are doing and what are aware what constraints are active and need recognition. ==Review Questions=.

  • 1. Having reviewed this section how comfortable would you be having your private health information held in a Government Shared EHR System? Discuss.
  • 2. What steps should general management take to minimise the risk of accidental disclosure of private patient health information?

Return to HI Homepage

Questions & Comments to Geoff McDonnell
Personal tools