David Vaile, Cyberspace Law and Policy Centre, UNSW Law Faculty. Medico-legal conference, Sydney, 29 March 2011. www.cyberlawcentre.org


Context
Privacy rules?
• Background
• Nat. EHR framework
• Grand challenges
• Perceptions and trust
• Consent
• Consultation?
• Framework?
• Medical HI as ID card?
• Clinical outcomes affected?
• Implications for private health
• Implications for public health

Law and IT, with medical flavour

My background
• Law, IT, consumer protection
• Interest in both health information and citizen expectations
• Early case later became Rogers v Whitaker (informed consent)
• Work with Prof Coiera’s proto-CHI, medical cont. education
• NSW and Federal Privacy Commissioner’s offices
• Australian Privacy Foundation
• UNSW Cyberspace Law and Policy Centre (iPP project)
• Database developer
• IT security, risk assessment for why big IT systems fail, UCD
• Personal information security and privacy advocate
• Involved in the aborted ‘Access Card’ fiasco
• Advocate of transparency of risks

The IT Security Grand Challenges
• Privacy you can control
• Security you can understand (Smith and Spafford 2004)

Late arrival of IT, explosive diversification

Late arrival of full scale networked EHRs
• Great diversity of record systems
• Many stakeholders
• Many points of interconnect
• Many claimants on access, ownership or other entitlements
• Great potential financial and clinical benefits
• Risk management analysis seems to omit the risk
• Big IT projects fail ~ 75%, not mature industry
• Good methodology is not a luxury, it’s essential
• Risk focussed methodology + UCD is the only known way to deal with massive, not well understood requirements

Future Trends for Healthcare Records
• Biometric identification
• Genetic information linked with medical records
• International travel, medical tourism
• Text messages re: medical appointments
• Telemedicine inc. virtual consultations, multiple clinicians
• Radio Frequency Identification Devices (RFIDs)
• Identity-as-a-service provided by independent organisations (in response to issue of governments having dual roles of issuing and managing identifiers and related information, and also policing and governing their use?)
Source: CSC 2009

For Privacy and Personal information security?

National EHR system projects
• Massive effort in many domains
• Highly technical
• Expensive
• Often fragmented, components moving separately
• Appears to pay lip service to structured engagement of non-institutional stakeholders (a.k.a. ‘the paying customer’, consumers, patients and their advocates)
• Potential failure of methodology in relation to risk and user centred design (where patients = ‘users’)
• Disconnected: UHI before a model of use, or privacy rules?

Good consent or poor consent?

Perceptions and trust…
• ‘Perceptions about privacy and notions of trust are critical to the successful adoption of e-health. … the combination of existing privacy laws, existing consent mechanisms and the provider’s duty to protect patient confidentiality are supplemented by a security and access framework, new controls set out in healthcare identifiers legislation and proposed privacy reforms.’ NEHTA Blueprint FAQs, 2010
• But:
  ◦ Existing privacy laws largely unenforced (no complaint determ. in 5 yr)
  ◦ Proposed new laws recede into the future (no new health privacy law)
  ◦ Consent and duty are problematic (from patient’s perspective, in EHR)
  ◦ Security and access framework are opaque
  ◦ HI legislation does little to restrain or explain real limits on use.

Complexity of consent?
• ‘The Blueprint … skirts around the issue of how to deal with the problems of complexity and detail in the levels of patient consent required for an effective IEHR. Too much complexity will overwhelm patients, yet too little detail, such as occurs with bundled consent, is not useful either. This balance is at the heart of the domain and presents a real challenge. NEHTA does not appear to have put it at the heart of their analysis or thinking about IEHR privacy options.’ APF submission on NEHTA Privacy Blueprint, 2008

What’s in a name
• No clear model for an integrated national EHR system
  ◦ Individual Electronic Health Record (IEHR): ‘It is not proposed that the information added to an IEHR will be a complete medical record for an individual, instead it will supplement local records held by healthcare providers. It will be a record of information that the provider believes has a high impact on clinical decision-making. Accordingly, healthcare providers using information collected from the IEHR will need to be aware that the information is not necessarily complete’
  ◦ Shared Electronic Health Record (SEHR)
  ◦ Personally Controlled Electronic Health Record (PCEHR): In May 2010, $466 million investment over two years announced into a Personally Controlled Electronic Health Record system to support the National Health and Hospitals Network. ‘The PCEHR will not hold all the information held in your doctor's records, but will complement it by highlighting key information.’ NEHTA, ‘What is a PCEHR?’ [No risk mentioned]
• Blueprint: ‘few individuals are expected to read it all’
• Glossary for terms: 8 pages

Consultation – with non experts
• Real consultation, as if it mattered to key design and strategic issues
• Need clear high level, long term overview
• Big picture of information design. A limited number of:
  ◦ roles
  ◦ information types
  ◦ rule types
• Plain English (jargon names may need to be changed)
• Detailed discussions about who gets to control what, or not. When and why choice and consent occurs.

Good consent or poor consent?

• Is there a simple, widely consulted and accepted national framework for eHealth system privacy and personal information security? (Many consultations got it wrong?)
• Probably not?
• NEHTA and others largely looking inwards, or preoccupied with ‘elephants stomping’ (big players)?
• Minister seeks to divert attention with ‘PCEHR’?
• Emphasis should be on externally accepted principles, after informed consideration of hard cases, implications
• Essential basis for future trust?

• Sorry history of Access Card
• ‘This is not a national ID card system’, in Bill
• Culture of denial and evasion of functionality
• Not a good basis for trust
• Privacy-hostile assumptions may be built in to the Foundations?
• Lack of explicit trading of benefits and risks, potential for unintended consequences
• Public focus on benefits, undermines a model of informed consent: spin, sales, not participation

Is the IHI a national ID card system? After Greenleaf 2009, in APF IHI submission

Reputation is hard won and easily lost
Implications for loss are serious

• Erosion of trust consequent on awareness of failure of security or privacy of medical or related records
• Most vulnerable will be most difficult to please – the most to lose
• Private health – patients fail to disclose history, symptoms, get tested. Suboptimal treatment, clinical outcomes.
• Public health – patients fail to get tested, or disclose eg signs of infection etc. Potential for disease to spread and public health problem. Statistics wrong.

Where does this leave us?
• A uniquely challenging protective role…
• In the midst of massive overhaul of HRs
• Privacy law incomplete, mostly not enforced
• Government, institutions and profession racing on
• The hardest parts deferred?
• IT risk warning sign – fail early and cheap, not late & $$
• Clinical risk warning sign – gambling with a potential breach of the trust upon which frank history-giving depends

Sources  Galexia Consulting, Preliminary PIA regarding the Unique Healthcare Identifier Program recommendations, and NEHTA’s responses, 2006  Clayton Utz, PIA into the Unique Healthcare Identifiers Program recommendations, and NEHTA’s responses, 2007  Mallesons Stephen Jaques, PIA into Individual Healthcare Identifiers recommendations, and NEHTA’s responses, Aug 2009  ‘Data-matching in Commonwealth administration’, Guidelines issued by Privacy Commissioner under section 27(1)(e) Privacy Act 1988 (Cth), February 1998  Mark A. Rothstein, ‘Debate Over Patient Privacy Controls in Electronic Health Records’, BioEthics Forum, 17 Feb 2011 (US)BioEthics Forum  A rising tide of expectations, Australian consumers’ views on electronic health records – a necessary ingredient in healthcare reform, CSC Healthcare Research report, 2009CSC Healthcare Research report  ‘Are Electronic Health Records Ready for Genomic?’ Genetics in Medicine, Vol. 11, Issue, 7, p , July 2009  Prashila Dullabh & Maria Molfino, ‘Liability Coverage for Regional Health, Information Organizations’, AHRQ National Resource Center for Health Information Technology, June 2009  Merle Spriggs ‘When privacy can be a life or death call’, SMH, November 11, 2010SMH

Sources (cont.)
• NEHTA, Privacy Blueprint for the Individual Electronic Health Record, 2008
• NEHTA, Privacy Blueprint for the Individual Electronic Health Record – Report on Feedback, 2008
• Federal gov’t, ‘Personally controlled electronic health record system’ Fact sheet, 2010
• Person-controlled Electronic Health Records, HISA, 2009
• AHMAC, Healthcare Identifiers and Privacy: Discussion Paper on Proposals for Legislative Support, 2009
• Pamela Sankar, Susan Mora, Jon F Merz, and Nora L Jones, ‘Patient Perspectives of Medical Confidentiality - A Review of the Literature’, J Gen Intern Med August; 18(8): 659–669.
• Ford CA, Millstein SG, Halpern-Felsher BL, Irwin CE, ‘Influence of physician confidentiality assurances on adolescents' willingness to disclose information and seek future health care. A randomized controlled trial,’ JAMA Sep 24;278(12):
• Fehrs LJ, Fleming D, Foster LR, McAlister RO, Fox V, Modesitt S, Conrad R. ‘Trial of anonymous versus confidential human immunodeficiency virus testing’ Lancet Aug 13;2(8607):
• D Carmen and N Britten, ‘Confidentiality of medical records: the patient's perspective’, British Journal of General Practice, September 1995, 45,

David Vaile Cyberspace Law and Policy Centre, UNSW Law Faculty