I was given this to publish this week:
Submission to the Department of Health on the draft National Digital Health Strategy.
Australian Privacy Foundation
Date 14 April 2016
Date 14 April 2016
Contact
Dr Bernard Robertson-Dunn
Chair Health Committee
Dr Bernard Robertson-Dunn
Chair Health Committee
1. Executive Summary
This response to the draft National Digital Health Strategy for Australia, July 2016 – June 2019 is predicated on our belief that all information systems containing personal data represent a potential risk to privacy. However, that risk may be worth taking if the value of the system to the individuals involved outweighs the risk.
Our primary concern is that the value and benefits of the My Health Record system to consumers have not yet been adequately demonstrated.
Furthermore, making the system opt-out means that a large proportion of the population will have a health record with little or no value and as such represents a significant and un-necessary risk.
With regard to the draft strategy document, we contend that, as a strategy, it is flawed for reasons we discuss below, but just as importantly, its scope is skewed to the My Health Record project, not a strategy for identifying useful outcomes and associated issues as well as integrating access and privacy controls across the national electronic health record space. The latter is what a digital strategy must address, with the My Health Record as a subset of the larger picture.
On the strategy document itself we have several comments to make:
There are no References to Earlier Initiatives
The strategy seems to have been developed without reference to earlier initiatives. We specifically refer to the previous National Strategy issued in 20081, the Royle Review2 and the large body of feedback on the eHealth Legislation in June 20153. A number of key participants in the health, informatics and privacy domains expressed some serious concerns about the system and the proposed opt-out trials which appear to have been completely ignored by the Department since then. The feedback certainly has not been referenced or incorporated into the draft strategy.
In addition, we also draw attention to the considerations by several Senate committees regarding the eHealth bill of 2015. The Parliamentary Joint Committee on Human Rights and the Senate Standing Committee for the Scrutiny of Bills each raised significant concerns about the bill, especially regarding the proposed change to opt-out. Not including references to these committees, the issues raised and the way the strategy has incorporated the views of these committees is a significant and unwise omission.
The Purpose and Audience are Unclear
The purpose of the strategy is unclear. At whom is it aimed? The Federal government and its agencies? State governments as managers of health care facilities? State run health care facilities? Private health care facilities? Software vendors? Hardware vendors?
We suggest that the purpose of the strategy be made very clear, along with how the stakeholders at whom the purpose is aimed will be involved in both finalising the strategy and delivering it.
Our advice is to ensure that the purpose is directly linked to ways in which health care is made more effective first and more efficient second.
The Document Lacks Flow, Coherence and Analysis
The various sections of the document do not form a coherent, logical flow of evidential information, analysis, conclusions and initiatives. The content of each of the sections bear little, if any relationship with the others.
In addition there is no relationship between Digital Health – a technology enabler - and the problems and challenges of information management. Furthermore, the aims and objectives of information management lie in the delivery of better health care.
Turning this around, the need to deliver better health care through improved information management should be the drivers of Digital Health. Technology may offer opportunities for better use of data but it needs to be shown explicitly that this will lead to improved health care without unwarranted risks to privacy and that unintended consequences are minimized and that an approach to dealing with them is in place.
What is mainly missing is the linkage through information management through to improved health care processes and outcomes. There are some references to Digital Health and improved administrative processes, but the high value outcomes are more likely to be achieved from better health care decisions – a phrase that occurs only once in the draft strategy and only then in the context of engaging the patient.
The result is that, without a linkage to improved health care, the contents of Section 6 - Digital Health vision and Section 7 - Key strategic areas of focus lack justification and any explanation of why the particular objectives and initiatives have been selected and how they will achieve the vision.
This means that making an assessment of the value of the Vision, Objectives and Initiatives to Australians very difficult. It is our preference that a strategy as important as that driving eHealth in Australia should be based upon evidence, logic and analysis.
We recommend a cost/benefits analysis of the system should be undertaken to answer questions about the financial returns on the investments of the federal government, state governments, software vendors and medical practitioners.
With an estimated total cost over the first ten year period of the operation of the system of between $1.5-$2.0 billion, we are skeptical that improvements in health care that match that expenditure and which could be attributed to the system are achievable.
We would be interested in seeing the government’s calculations and predictions as to when the financial benefits of the My Health Record system are expected to overtake the cost of the system.
Also missing in the draft strategy is any detailed analysis of capability or funding constraints or expectations. The draft strategy says that “government and the private sector is funding the development and delivery of local digital health systems”, however, the strategy should be structured and predicated on the capability of the various parties and stakeholders to participate, not just state who will pay for it. Participation requires resources, both skills and financial. If the stakeholders do not have available the necessary resources, then the strategy needs to be tailored appropriately. A strategy that is not integrated into a known and agreed funding model is most likely to end up as shelf-ware or only partially implemented.
A National Electronic Health Record Privacy and Security Framework is Needed
A high priority for a strategy aimed at establishing trustworthy electronic health record systems (the My Health Record system is only one) for Australia should be elevating the issue of privacy, information security, confidentiality and access control. This means formulating a widely-accepted national framework to assist in dealing with these issues, solving the major problems in this area, clarifying how different schemes and protections fit together -- with an initial focus on secure, reliable clinical system intercommunication.
We suggest that the strategy be expanded to include such a framework.
As part of this framework, a priority should be to recognise the urgency to finally pass the long-overdue improvements to legal protection in this area, particularly what is often called the Tort of Privacy law, and the Data Breach Notification law. Without these laws, which are ready to go, the framework will lack necessary legal foundations to give confidence to patients and others that if something goes wrong, they will find out about it and could hold those responsible to account. At present neither is true.
Conclusion
In our opinion, the draft we have been asked to review is a start, however it requires major work before it could be seen as a useful document. The APF is more than willing to participate in its development.
We see the strategy as badly distorted by too much emphasis on the My Health Record, rather than the primary unresolved 'safe and easy communication' issues for the larger national eco-system of clinically relied-upon EHR systems, but we cover the MHR in some detail.
We are not convinced that the value of a national opt-out health database, paid for by the Federal Government, (which implies a strong degree of control) has been justified.
Neither are we convinced that the primary use of the database is to improve health care or efficiency.
The fact that the concerns about the usability, purpose and risks of the system raised by many institutions last year in the context of the eHealth bill have not been addressed has left the lasting impression that clinical support is not the driving force behind the government’s intentions of the My Health Record project.
----- End Exec Summary.
You can read the full document here:
I had a small part in putting this together and am pretty happy with the work that has been done at pretty short notice by the Health Sub-Committee.
As ever comments are welcome.
David.
Bagikan
The Australian Privacy Foundation Releases Its Commentary On The Draft National Digital Health Strategy.
4/
5
Oleh
Unknown
