Dissenting Report by Coalition Senators

Dissenting Report by Coalition Senators

1.1        The Coalition shares the ambition of health professionals and the Government to develop a quality e-Health system using a Personally Controlled e-Health Record.  However we accept the serious and disparate concerns of many witnesses to this inquiry regarding the infrastructure, access controls and governance of the proposed PCEHR and want the introduction of the PCEHR delayed pending major changes.

1.2        There is currently a concerning dissonance between the assurances of the Government and the very real concerns raised by practitioners and experts in the e-health industry.  The Coalition is concerned that the Government's political needs for a "big bang" approach to the introduction of e-health on a given date are being given primacy over common sense.

1.3        The majority of witnesses expressed serious concerns with the process so far and the consequences of the legislation if it were to proceed in its present form and time frame.  The four major issues are:

These four should be the spine of a quality and safe system.

1.4        Given the Labor Government's track record on program implementation, the Coalition fears that poor implementation and governance will occur leading to yet more waste of taxpayers' funds when the system fails. 

1.5        Further evidence about patient and systems safety and about NEHTA's overstatement of delivery was presented to Committee members in the final week of the inquiry. The information will be made public once responses to adverse comments in the evidence have been received. This evidence further deepens the Coalition's concerns about this Government's ability to deliver a functional and safe e-health system.

Adoption, Functionality and Interoperability of the PCEHR

1.6        Many witnesses seriously questioned aspects of the potential for successful adoption, functionality and interoperability of a PCeHR within the legislated system, particularly within the timeframe.  In evidence the AMA stated:

There are many systems set up differently, some with different coding systems, and all of which at the moment do not talk to each other well. I guess that is why we have a protocol, but unless those systems are able to be used electronically it is going to be very difficult to provide a health summary for other people to share that is meaningful.”

...there are many, many, many practices that will simply not be able to communicate with that piece of software. I guess many practices would also be very concerned about the risks to the practice, particularly in relation to recording who has access to the record and when, because our software does not do that.

1.7        From the allied health sector, Ms Shelagh Lowe, Manager, Policy and Programs, Services for Australian Rural and Remote Allied Health stated:

In terms of rural and remote in general, some medical services and medical centres are assisted to have IT support put in, but in terms of allied health there has been no funding available. In fact, many allied health professionals are still paper based and do not use electronic records at all. That whole issue of being ready on 1 July for integrated records is a major issue in terms of the infrastructure for allied health professionals because they are not part of any integrated records system currently and a lot of them are paper based, so the infrastructure does not exist for them to even have any communication.

1.8        In his submission, Dr David G More, a blogger with acknowledged e-health expertise, noted that the proposed system did not offer any of the facilities that patients had cited as important:

Consumer use is also likely to be very low, as many of the services that have been found to be useful for consumers (e-mail access to practitioners, ease of arranging appointments and repeat prescriptions and similar interactive services) are not catered for in the present PCEHR design.

1.9        Coalition members of the committee are also concerned that less than four months from the start date, proponents could not advise:

1.10      Ms Anderson, Chief Executive Officer, metro North Brisbane Medicare Local, said:

Once we get to the next stages of the project we will see what the response rates are like, how many people come back to their practices for help and the number of people who show up for their share health summary to be uploaded., that is part of what we are trying to actually ascertain: is there a dramatic impact or a significant impact on the GP’s time? It is part of the information we help build.

“No Access” Controls

1.11      The absence of ‘no access’ controls goes to the very heart of a ‘personally controlled’ system and further undercuts claims by the Department and NEHTA that some of key design features of the PCEHR are present to uphold the primacy of the consumer in a ‘personally controlled’ e-health system.

1.12      Ms Carol Bennett, Chief Executive Officer, Consumers Health Forum of Australia, said:

There has been unanimous support for the reinstatement of the no-access consumer control. A number of consumers have described the issue as deal breaker in terms of their participation in the PCEHR system. The access controls have been significantly weakened since the release of the final concept-of-operations document in October 2011, with consumers no longer having the ability to mark a clinical document as 'no access'. Consumer representatives to the NEHTA have expressed concern to us that this decision to remove access control went against the advice of the NEHTA consumer reference forum.

The issue of no access is contradictory to the principles of personally controlled value, trust and confidence, which are all outlined in the concept-of-operations principles document.

1.13      In regard to the withdrawal of the ‘no access’ provision was withdrawn from the PCEHR, Ms Burnett said:

We have not been given a clear answer to the question. There have been allusions to medico-legal issues; there have been allusions to the break glass phenomena, where someone is admitted into a hospital and is incapable of giving permission to access their record. There have been a range of scenarios played out, but there has been no clear statement, certainly from the consumer perspective, as to why they have removed the no access.

1.14      Dr Roger Clarke, Chair, Australian Privacy Foundation, stated:

The PCEHR Bill (or at a minimum, the PCEHR Rules) should clarify the complaints handling process that applies in relation to privacy complaints.

1.15      Coalition senators are concerned about this removal and the ambiguity it creates.

The Consumer and the Bill

1.16      There was much criticism of the consumer complaints provisions of the proposed legislation.   Dr Juanita Fernando, Chair, Health Sub Committee, Australian Privacy Foundation, said:

There are huge gaps. You could drive a truck through some of the gaps in the responses. The simple question: 'How can I find out about who has accessed my record?' And so on and so forth. From our point of view and from the number of consumers that are contacting the Australian Privacy Foundation ... in fact that mechanism is urgently required; it is not something that can be deferred.

NeHTA Structure and Transparency

1.17      Coalition senators accept evidence that the very structure of the project manager, NEHTA, is inimical to transparency, good governance and responsiveness to consumer and stakeholder interests and proper engagement. As NeHTA is not subject to the standard Government accountability processes, including FOI, this has led to perceived culture of secrecy and a lack of responsiveness to key stakeholders around strategic issues.

1.18      In this regard Dr Vincent McCauley, of the Medical Software Industry Association, stated:

Fundamental to the PCEHR is the ability to control access, which is based on the organisational identifier and the provider identifier, and also to audit access, which again is based on those two identifiers, to actually identify who has accessed the system from where. Without those numbers being verifiable and validated, there is no actual control over who is auditing or accessing the system. Any number could be put into the system, and there is no way of determining whether that number is correct or has been allocated to the right practitioner or organisation.

1.19      Ms Rosemary Huxtable, Deputy Secretary, Department of Health and Ageing, advised that new processes would be adopted:

Once the system is ready for patient registration, the department, as the system operator, will have strong governance support through both the independent advisory council and the jurisdictional advisory committee. The Australian Information Commissioner will be the key regulator of the system and will have the capacity to conduct audits, investigate complaints and impose a range of sanctions. Transparency is ensured by annual reports from both the system operator and the Information Commissioner to the minister and the ministerial council.

Extensive consultation with consumers, clinicians and the health IT industry has and continues to be an essential element in the development of both this legislation and the concept of operations for the PCHR and will continue to guide safe and secure implementation’.

1.20      However, the Medical Software Industry Association stated:

The System Operator (as described) is impossibly conflicted with roles as System Operator, System funder, and NEHTA Board Member.

1.21      Dr Clarke of the Australian Privacy Foundation thinks the legislation is so deficient he said this in evidence:

We do not believe there should be a commencement of operation with the current governance arrangements.

1.22      And he went onto say;

If you permit the bureaucracy to build it the way it wants it, it will be set in stone. There will be so many things that will be unable to be reversed ... because they would be designed to be unable to be reversed. So it is not appropriate to commence that way.

Privacy

1.23      Dr Roger Clarke, Chair, Australian Privacy Foundation, commenting on the arrangements for consumer/clinician complaints on alleged privacy breaches under the legislation, said:

We submitted from the beginning that there had to be a specialist arrangement developed here for complaints handling. We have not seen that. DOHA has ignored those proposals, as it has done with so many of the submissions put to it. It is completely unclear to us quite how the mechanisms could work right now, because there are a great many state government and territory government organisations that are involved in healthcare provision.

There are issues in terms of informed consent, because nobody knows precisely what the roles, rights and responsibilities are of all the players—patients, administrators, clinicians and so on.

1.24      In their submission to the inquiry the Office of the Australian Information Commissioner said this of the proposed complaints process of the PCEHR:

The PCEHR Bill specifies that one of the functions of the System Operator is to establish a mechanism for handling complaints about the operation of the PCEHR system.41 No further description of the complaints handling regime is provided for in the Bill.

1.25      The Information Commissioner also raised concerns about the adequacy of the proposed legislation in dealing with ‘data breaches’ saying:

Further, the data breach notification requirements will only apply to the System Operator, registered repository operators and registered portal operators, and not to other entities which may access consumers’ health information from the PCEHR system. This limitation raises a number of concerns. Firstly, the System Operator may not become aware of a data breach (or potential data breach) known to a healthcare provider organisation, such as large general practitioner practice, at the earliest possible time. Consequently, the System Operator may not be able to appropriately respond to a breach. Additionally, it may create an unintended gap in the comprehensive protection of PCEHR information and risk lowering consumer confidence in the handling of their information in the PCEHR System.

1.26      Dr More added:

Privacy safeguards must be in place to promote consumer and healthcare provider confidence, uptake and benefits of e-health initiatives.

Without a robust privacy and regulatory regime, it will not be possible to deliver the next stage of the national e-health work program. The current patchwork of health privacy legislation across the country is a major barrier to implementation of e-health initiatives. In addition, some e-health initiatives, such as the health.

Even NEHTA recognised what is needed is far from what DoHA and the Government are presently proposing and saying it will be fixed up ‘later’ with regulations is really just not good enough.

It is of note that the recently released Privacy Impact Assessment for the PCEHR (prepared for the Department by Minter Ellison) - which was released just before Christmas – identified a number of governance issues it felt needed to be addressed.

1.27      None of these issues are adequately addressed in the proposed legislation.

Legal Liabilities

1.28      There are many unanswered questions about medical indemnity and legal liability. It is clear that the Government has not developed satisfactory processes or is unable to communicate them in a manner that gives certainty to stakeholders. These, in some cases, flow from problems of definition in the proposed legislation that have been highlighted in the Chair’s report.

1.29      From evidence presented to the inquiry, clear doubts remain about liability in the event of a medical misadventure predicated on information contained in the PCEHR. The chain of responsibility in regard to possible breaches of privacy caused by a clinician or health professional accessing a PCEHR is murky at best.  Dr Steve Hambleton, of the AMA, said:

The complexity of the penalty provisions and the severity of those are a concern. Really, we are saying that we have to put these in the background, put them on hold or wait until there are some software solutions to make that an easy process.

1.30      The following exchange highlights Coalition senators' concerns:

Senator SIEWERT:  Some of the submitters have raised issues around liability. Medibank, for example in their submissions, raised issues around liability. What happens if a practitioner relies on the information that is in the records? What does that mean for liability?

Ms Huxtable:  We have worked through this quite a lot with the professions at the time.

1.31      Nevertheless, evidence from witnesses clearly indicated that the legal issues surrounding liability have not been dealt with and cast doubt on the integrity and viability of the proposed legislation.  Dr Rod Phillips, Chairman, Vascular Anomalies Committee, Royal Children’s Hospital, said:

The Bill allows any health care provider to access any part of a consumer’s PCEHR in an emergency, even if the consumer has explicitly stated that they forbid access to those parts of their record. This is inconsistent with Australian medical law under which medical care cannot be forced on any competent adult.

Adults can choose to start a PCEHR. However, they cannot choose to delete it once formed. They can only deactivate it. This leaves their PCEHR still intact and available to many to view – e.g. IT staff, departmental staff.

This is based on a misunderstanding. It is incorrect to consider PCEHR data as analogous to data held by Health Care Providers. No original document is stored there. All documents are just copies of source documentation held by Health Care Providers or others. PCEHR records should not be treated as though they are original medical records that need to be kept for 7 years, or longer. All data that is in a PCEHR still exists even if the PCEHR is deleted. There is no medical or legal reason why consumers should not be able to delete their PCEHR, or parts of it. Adults should have the right to permanently delete part or all of their PCEHR.

1.32      There are also a number of concerns referred to in submissions about poor or inadequate definitions.  Dr Fernando said:

 The job description of the services operator presently, as far as I am aware anyway, does not exist in the public domain. What are the roles of the services operator? What information can the services operator ask for? How can the services operator use information? How can the services operator disclose information? No-one understands the role of the services operator.

1.33      These concerns were shared by the Office of the Australian Information Commissioner:

The OAIC submits that it is not sufficiently clear whether any future System Operator prescribed by the PCEHR Regulations would be subject to the Privacy Act. While the Explanatory Memorandum states that 'the System Operator will be subject to the Privacy Act’, there is no corresponding provision in the PCEHR Bill.

1.34      Dr Juanita Fernando, Chair, Health Sub Committee, Australian Privacy Foundation, said:

The entire area of medico-legal liability is so grey that there is a really urgent need to start addressing some of those legitimate concerns about the legislative parameters of e-health. It needs to be done now, not in two years. It needs to be done quickly. Clinicians need to feel confident. They need to know what they are using and why they are using it. And patients need their clinicians to feel confident in what they are using, in terms of getting a good diagnosis. At the moment, what we have is a vacuum.

Risk and Patient Safety

1.35      The issue of ‘risk’ and patient safety is the bedrock of any health system.  Coalition senators are deeply concerned that an E-Health system and a PCEHR could be put into public operation before all its components are properly trialled, tested and certified as meeting a set of universally accepted verifiable standards is not only dangerous but brings into question the viability of the entire exercise.

1.36             It is clear from the evidence presented that serious issues regarding risk and patient safety have plagued the development of the PCEHR since its inception. What is of most concern given the proposed July 1, 2012 launch date is that industry experts almost universally do not believe those risks have been satisfactorily resolved. Dr Fernando stated:

I am really concerned about safety. There seems to be no focus on ongoing patient safety concerns. I am now talking about, for instance, bridging software to link the personally controlled electronic health record to practice software.”

In terms of the individual health identifier and the validity of data stored on an individual health identifier, there does not seem to be a very reliable way of ensuring that the IHI that you are dealing with is in fact the IHI of the patient in front of you.

1.37      Concerns about risk and patient safety are compounded by the apparent lack of Government response to criticisms of the design, management and supervision of the PCEHR architecture embodied in the proposed legislation.

1.38      Dr McCauley of the MSIA said: 

We initially believed that over time those issues could be addressed. However, it has become apparent only in recent months, when finally the full specification has been released to industry, that in fact those safety concerns cannot be addressed without a significant change in the specification. An independent technology assessment committee looking at the issues of organisational and provider identifiers came to the conclusion that, in its current form, the service could not be operated safely. Subsequently NEHTA's clinical safety unit was also asked for an assessment. After some time, they also endorsed that conclusion.

We were assured by NEHTA that a full safety assessment had been made and we assumed that there was a report available of that. We have asked for that consistently for over two years and it has not been provided.

More recently we have been asking for safety reports on the PCEHR implementation strategy and specifications, and again such safety reports have not been available. A freedom of information application by the Australian to the Department of Health and Aging, looking for safety documents related to the PCEHR, was returned with no records found.

Lack of consumer confidence in the management of the PCEHR

1.39      There is evidence from industry experts, clinicians, consumer and privacy advocates that many key stakeholders have lost confidence in those developing the e-health system.  Dr Hughes of the MSIA said:

The PCEHR program has been characterised by ineffective project management, unrealistic deadlines, inadequate review processes for specifications and a lack of progress to Australian Standards. These have had a significant impact on the introduction of risk, particularly patient safety, and will result in significant continuing high costs to the sector.

Industry has lost confidence in NEHTA's ability to deliver this program. There is evidence of a lack of probity, ineffective governance and an inability to deliver targeted programs.

1.40      Dr Fernando, Australian Privacy Foundation, stated:

I am also concerned about ongoing project failure. Our point of view is that there has been project failure after project failure. I will give you an example: the declared outcome for the IHI, the individual health identifier, was that we would be able to identify the right patient at the right time in the right place. That in fact has not been able to be validated. Standards are a mishmash. There is not a single international or national standard that applies across the e-health sector; rather, we have borrowed from standards all over the place.

Proposed Launch Date July 1, 2012

1.41      The launch date, less than four months away, was of extreme concern to the majority of submitters to the inquiry. The AMA stated:

We are also uncertain about how much of the system will be available on 1 July 2012 and how well the system will be connected to healthcare providers. The parliament may pass this legislation and some of the technical work might be finished, but there will not be a benefit for patients and medical practitioners until we get appropriate, interoperable, tested and affordable practice software that is available for providers to connect up to the system.”

Senator SIEWERT: ... you also touched on the issue of the 1 July start date. Do you think that, if all goes according to plan, the start date is going to be significantly problematic?

Dr Hambleton (AMA):  Yes, I certainly do.”

1.42      The Health Care Consumers’ Association Inc said:

We believe it is imperative that the functionality of the system is sound in the lead-up to the initial roll-out of the PCEHR system and are concerned that the time frame of July 2012 is too short to achieve this. We would like to see more evidence to show that all the necessary mechanisms are in place to achieve a successful E-Health initiative nationally, rather than just a determination to meet a politically imposed deadline. In order to limit the possibility of failed implementation, we believe that a rigorous risk analysis needs to be applied to implementation strategy, with adjustments to the implementation timeframe as necessary.

1.43      The project managers of the PCEHR acknowledge that the first real ‘public' test of the PCEHR system will be on July 1, 2012. Given the complexity; the large number of important issues that are unresolved; the significant risks to patient safety; and the lack of public confidence in an E-Health system, a prudent government delay the launch date of July 1, 2012 until these issues are resolved.

1.44      The Government's determination to launch on July 1 is part of worrying trend to "push through" with programs to meet artificial deadlines, irrespective of reality. Ms Huxtable from DOHA admitted:

There is still some very significant development work to be done on the PCHR functionality. The early focus has been on a certain functionality where you get the maximum benefits, like medication management and discharge summaries, but the business case for PCHR anticipates functionality growing over time with the gradual incorporation of more and more information.

1.45      The admission by the Department secretary is telling. This is not ready to launch. The Government also has not finished the regulations which operationalise the legislation and are now working on unsustainable timelines.

1.46      During the hearings both the Committee Chair Senator Claire Moore and Deputy Chair Senator Rachel Siewert queried the lack of finalised regulations.

Chair: Is there any indication when we will have the regulations so we will be able to look at the whole package?

Ms Huxtable:  They are in an advanced stage of drafting and we expect to be in a position to be able to release them quite soon for public consultation. I could not give you an exact date but quite soon.

Chair:  Just to put on record clearly: there will be a format of public consultation on those regulations as well.

Ms Huxtable:  Yes.

Chair:  It is an ongoing complaint that we do not get the package beforehand.

Senator SIEWERT:  I really appreciate you cannot give us an exact date. Are we talking about months or weeks?

Ms Huxtable:  No, weeks—not months.

Senator SIEWERT:  Less than months.

Ms Huxtable:  We do not have months to be honest. We want it to start on 1 July.

Conclusion

1.47      That so many fundamental issues are yet to be resolved a little over three months from launch after six years of development and the expenditure of between $467 and $750 million must be a matter of great concern.

Recommendation:

1.48             Coalition senators recommend that the PCEHR legislation be delayed until July 1, 2013, in order to satisfactorily address the many issues raised during this Inquiry, especially those relating to governance, patient risk, privacy and interoperability are resolved.

 

Senator Sue Boyce
Senator for Queensland
Senator Bridget McKenzie
Senator for Victoria

Navigation: Previous Page | Contents | Next Page