Dissenting Report by Coalition Senators
1.1
The Coalition shares the ambition of health professionals and the
Government to develop a quality e-Health system using a Personally Controlled
e-Health Record. However we accept the serious and disparate concerns of many
witnesses to this inquiry regarding the infrastructure, access controls and
governance of the proposed PCEHR and want the introduction of the PCEHR
delayed pending major changes.
1.2
There is currently a concerning dissonance between the assurances of the
Government and the very real concerns raised by practitioners and experts in
the e-health industry. The Coalition is concerned that the Government's
political needs for a "big bang" approach to the introduction of
e-health on a given date are being given primacy over common sense.
1.3
The majority of witnesses expressed serious concerns with the process so
far and the consequences of the legislation if it were to proceed in its
present form and time frame. The four major issues are:
-
the
functionality and interoperability of the PCEHR
- confidence
of consumers and clinicians in a proposed e-health system
- governance
and conflicts of interest problems in a system designed to hold the health
records of every Australian
- risk
and patient safety.
These four should be the spine of a
quality and safe system.
1.4
Given the Labor Government's track record on program implementation, the
Coalition fears that poor implementation and governance will occur leading to
yet more waste of taxpayers' funds when the system fails.
1.5
Further evidence about patient and systems safety and about NEHTA's
overstatement of delivery was presented to Committee members in the final week
of the inquiry. The information will be made public once responses to adverse
comments in the evidence have been received. This evidence further deepens the
Coalition's concerns about this Government's ability to deliver a functional
and safe e-health system.
Adoption, Functionality and Interoperability of the
PCEHR
1.6
Many witnesses seriously questioned aspects of the potential for
successful adoption, functionality and interoperability of a PCeHR within the
legislated system, particularly within the timeframe. In evidence the AMA
stated:
There are many systems set up differently, some with
different coding systems, and all of which at the moment do not talk to each
other well. I guess that is why we have a protocol, but unless those systems
are able to be used electronically it is going to be very difficult to provide
a health summary for other people to share that is meaningful.”
...there are many, many, many practices that will simply not
be able to communicate with that piece of software. I guess many practices
would also be very concerned about the risks to the practice, particularly in
relation to recording who has access to the record and when, because our
software does not do that.
1.7
From the allied health sector, Ms Shelagh Lowe, Manager, Policy and
Programs, Services for Australian Rural and Remote Allied Health stated:
In terms of rural and remote in general, some medical
services and medical centres are assisted to have IT support put in, but in
terms of allied health there has been no funding available. In fact, many
allied health professionals are still paper based and do not use electronic
records at all. That whole issue of being ready on 1 July for integrated
records is a major issue in terms of the infrastructure for allied health
professionals because they are not part of any integrated records system
currently and a lot of them are paper based, so the infrastructure does not
exist for them to even have any communication.
1.8
In his submission, Dr David G More, a blogger with acknowledged e-health
expertise, noted that the proposed system did not offer any of the facilities
that patients had cited as important:
Consumer use is also likely to be very low, as many of the
services that have been found to be useful for consumers (e-mail access to
practitioners, ease of arranging appointments and repeat prescriptions and
similar interactive services) are not catered for in the present PCEHR design.
1.9
Coalition members of the committee are also concerned that less than
four months from the start date, proponents could not advise:
- The
estimated number of clinicians who will adopt the system
- The
estimated number of patients who will adopt the system
- The
estimated impact of time taken to use the PCeHR on a clinical interaction.
1.10
Ms Anderson, Chief Executive Officer, metro North Brisbane Medicare
Local, said:
Once we get to the next stages of the project we will see
what the response rates are like, how many people come back to their practices
for help and the number of people who show up for their share health summary to
be uploaded., that is part of what we are trying to actually ascertain: is
there a dramatic impact or a significant impact on the GP’s time? It is part of
the information we help build.
“No Access” Controls
1.11
The absence of ‘no access’ controls goes to the very heart of a
‘personally controlled’ system and further undercuts claims by the Department
and NEHTA that some of key design features of the PCEHR are present to uphold
the primacy of the consumer in a ‘personally controlled’ e-health system.
1.12
Ms Carol Bennett, Chief Executive Officer, Consumers Health Forum of
Australia, said:
There has been unanimous support for the reinstatement of the
no-access consumer control. A number of consumers have described the issue as
deal breaker in terms of their participation in the PCEHR system. The access
controls have been significantly weakened since the release of the final
concept-of-operations document in October 2011, with consumers no longer having
the ability to mark a clinical document as 'no access'. Consumer
representatives to the NEHTA have expressed concern to us that this decision to
remove access control went against the advice of the NEHTA consumer reference
forum.
The issue of no access is contradictory to the principles of
personally controlled value, trust and confidence, which are all outlined in
the concept-of-operations principles document.
1.13
In regard to the withdrawal of the ‘no access’ provision was withdrawn
from the PCEHR, Ms Burnett said:
We have not been given a clear answer to the question. There
have been allusions to medico-legal issues; there have been allusions to the
break glass phenomena, where someone is admitted into a hospital and is
incapable of giving permission to access their record. There have been a range
of scenarios played out, but there has been no clear statement, certainly from
the consumer perspective, as to why they have removed the no access.
1.14
Dr Roger Clarke, Chair, Australian Privacy Foundation, stated:
The PCEHR Bill (or at a minimum, the PCEHR Rules) should
clarify the complaints handling process that applies in relation to privacy
complaints.
1.15
Coalition senators are concerned about this removal and the ambiguity it
creates.
The Consumer and the Bill
1.16
There was much criticism of the consumer complaints provisions of the
proposed legislation. Dr Juanita Fernando, Chair, Health Sub Committee,
Australian Privacy Foundation, said:
There are huge gaps. You could drive a truck through some of
the gaps in the responses. The simple question: 'How can I find out about who
has accessed my record?' And so on and so forth. From our point of view and
from the number of consumers that are contacting the Australian Privacy
Foundation ... in fact that mechanism is urgently required; it is not something
that can be deferred.
NeHTA Structure and Transparency
1.17
Coalition senators accept evidence that the very structure of the
project manager, NEHTA, is inimical to transparency, good governance and
responsiveness to consumer and stakeholder interests and proper engagement. As
NeHTA is not subject to the standard Government accountability processes,
including FOI, this has led to perceived culture of secrecy and a lack of
responsiveness to key stakeholders around strategic issues.
1.18
In this regard Dr Vincent McCauley, of the Medical Software Industry
Association, stated:
Fundamental to the PCEHR is the ability to control access,
which is based on the organisational identifier and the provider identifier,
and also to audit access, which again is based on those two identifiers, to
actually identify who has accessed the system from where. Without those numbers
being verifiable and validated, there is no actual control over who is auditing
or accessing the system. Any number could be put into the system, and there is
no way of determining whether that number is correct or has been allocated to the
right practitioner or organisation.
1.19
Ms Rosemary Huxtable, Deputy Secretary, Department of Health and Ageing,
advised that new processes would be adopted:
Once the system is ready for patient registration, the
department, as the system operator, will have strong governance support through
both the independent advisory council and the jurisdictional advisory
committee. The Australian Information Commissioner will be the key regulator of
the system and will have the capacity to conduct audits, investigate complaints
and impose a range of sanctions. Transparency is ensured by annual reports from
both the system operator and the Information Commissioner to the minister and
the ministerial council.
Extensive consultation with consumers, clinicians and the
health IT industry has and continues to be an essential element in the
development of both this legislation and the concept of operations for the PCHR
and will continue to guide safe and secure implementation’.
1.20
However, the Medical Software Industry Association stated:
The System Operator (as described) is impossibly conflicted
with roles as System Operator, System funder, and NEHTA Board Member.
1.21
Dr Clarke of the Australian Privacy Foundation thinks the legislation is
so deficient he said this in evidence:
We do not believe there should be a commencement of operation
with the current governance arrangements.
1.22
And he went onto say;
If you permit the bureaucracy to build it the way it wants
it, it will be set in stone. There will be so many things that will be unable
to be reversed ... because they would be designed to be unable to be reversed. So
it is not appropriate to commence that way.
Privacy
1.23
Dr Roger Clarke, Chair, Australian Privacy Foundation, commenting on the
arrangements for consumer/clinician complaints on alleged privacy breaches
under the legislation, said:
We submitted from the beginning that there had to be a
specialist arrangement developed here for complaints handling. We have not seen
that. DOHA has ignored those proposals, as it has done with so many of the
submissions put to it. It is completely unclear to us quite how the mechanisms
could work right now, because there are a great many state government and
territory government organisations that are involved in healthcare provision.
There are issues in terms of informed consent, because nobody
knows precisely what the roles, rights and responsibilities are of all the
players—patients, administrators, clinicians and so on.
1.24
In their submission to the inquiry the Office of the Australian
Information Commissioner said this of the proposed complaints process of the
PCEHR:
The PCEHR Bill specifies that one of the functions of the
System Operator is to establish a mechanism for handling complaints about the
operation of the PCEHR system.41 No further description of the complaints
handling regime is provided for in the Bill.
1.25
The Information Commissioner also raised concerns about the adequacy of
the proposed legislation in dealing with ‘data breaches’ saying:
Further, the data breach notification requirements will only
apply to the System Operator, registered repository operators and registered
portal operators, and not to other entities which may access consumers’ health
information from the PCEHR system. This limitation raises a number of concerns.
Firstly, the System Operator may not become aware of a data breach (or
potential data breach) known to a healthcare provider organisation, such as
large general practitioner practice, at the earliest possible time.
Consequently, the System Operator may not be able to appropriately respond to a
breach. Additionally, it may create an unintended gap in the comprehensive
protection of PCEHR information and risk lowering consumer confidence in the
handling of their information in the PCEHR System.
1.26
Dr More added:
Privacy safeguards must be in place to promote consumer and
healthcare provider confidence, uptake and benefits of e-health initiatives.
Without a robust privacy and regulatory regime, it will not
be possible to deliver the next stage of the national e-health work program.
The current patchwork of health privacy legislation across the country is a
major barrier to implementation of e-health initiatives. In addition, some
e-health initiatives, such as the health.
Even NEHTA recognised what is needed is far from what DoHA
and the Government are presently proposing and saying it will be fixed up ‘later’ with regulations is really just not good enough.
It is of note that the recently released Privacy Impact
Assessment for the PCEHR (prepared for the Department by Minter Ellison) -
which was released just before Christmas – identified a number of governance
issues it felt needed to be addressed.
1.27
None of these issues are adequately addressed in the proposed
legislation.
Legal Liabilities
1.28
There are many unanswered questions about medical indemnity and legal
liability. It is clear that the Government has not developed satisfactory
processes or is unable to communicate them in a manner that gives certainty to
stakeholders. These, in some cases, flow from problems of definition in the
proposed legislation that have been highlighted in the Chair’s report.
1.29
From evidence presented to the inquiry, clear doubts remain about
liability in the event of a medical misadventure predicated on information
contained in the PCEHR. The chain of responsibility in regard to possible
breaches of privacy caused by a clinician or health professional accessing a
PCEHR is murky at best. Dr Steve Hambleton, of the AMA, said:
The complexity of the penalty provisions and the severity of
those are a concern. Really, we are saying that we have to put these in the
background, put them on hold or wait until there are some software solutions to
make that an easy process.
1.30
The following exchange highlights Coalition senators' concerns:
Senator SIEWERT: Some of the submitters have raised
issues around liability. Medibank, for example in their submissions, raised
issues around liability. What happens if a practitioner relies on the
information that is in the records? What does that mean for liability?
Ms Huxtable: We have worked through this quite a lot
with the professions at the time.
1.31
Nevertheless, evidence from witnesses clearly indicated that the legal
issues surrounding liability have not been dealt with and cast doubt on the
integrity and viability of the proposed legislation. Dr Rod Phillips,
Chairman, Vascular Anomalies Committee, Royal Children’s Hospital, said:
The Bill allows any health care provider to access any part
of a consumer’s PCEHR in an emergency, even if the consumer has explicitly stated
that they forbid access to those parts of their record. This is inconsistent
with Australian medical law under which medical care cannot be forced on any
competent adult.
Adults can choose to start a PCEHR. However, they cannot
choose to delete it once formed. They can only deactivate it. This leaves their
PCEHR still intact and available to many to view – e.g. IT staff, departmental
staff.
This is based on a misunderstanding. It is incorrect to
consider PCEHR data as analogous to data held by Health Care Providers. No
original document is stored there. All documents are just copies of source
documentation held by Health Care Providers or others. PCEHR records should not
be treated as though they are original medical records that need to be kept for
7 years, or longer. All data that is in a PCEHR still exists even if the PCEHR
is deleted. There is no medical or legal reason why consumers should not be
able to delete their PCEHR, or parts of it. Adults should have the right to
permanently delete part or all of their PCEHR.
1.32
There are also a number of concerns referred to in submissions about
poor or inadequate definitions. Dr Fernando said:
The job description of the services operator presently, as
far as I am aware anyway, does not exist in the public domain. What are the
roles of the services operator? What information can the services operator ask
for? How can the services operator use information? How can the services
operator disclose information? No-one understands the role of the services
operator.
1.33
These concerns were shared by the Office of the Australian Information
Commissioner:
The OAIC submits that it is not sufficiently clear whether
any future System Operator prescribed by the PCEHR Regulations would be subject
to the Privacy Act. While the Explanatory Memorandum states that 'the System
Operator will be subject to the Privacy Act’, there is no corresponding
provision in the PCEHR Bill.
1.34
Dr Juanita Fernando, Chair, Health Sub Committee, Australian Privacy
Foundation, said:
The entire area of medico-legal liability is so grey that
there is a really urgent need to start addressing some of those legitimate
concerns about the legislative parameters of e-health. It needs to be done now,
not in two years. It needs to be done quickly. Clinicians need to feel
confident. They need to know what they are using and why they are using it. And
patients need their clinicians to feel confident in what they are using, in
terms of getting a good diagnosis. At the moment, what we have is a vacuum.
Risk and Patient Safety
1.35
The issue of ‘risk’ and patient safety is the bedrock of any health
system. Coalition senators are deeply concerned that an E-Health system and a
PCEHR could be put into public operation before all its components are properly
trialled, tested and certified as meeting a set of universally accepted
verifiable standards is not only dangerous but brings into question the
viability of the entire exercise.
1.36
It is clear from the evidence presented that serious issues
regarding risk and patient safety have plagued the development of the PCEHR
since its inception. What is of most concern given the proposed July 1, 2012
launch date is that industry experts almost universally do not believe those
risks have been satisfactorily resolved. Dr Fernando stated:
I am really concerned about safety. There seems to be no
focus on ongoing patient safety concerns. I am now talking about, for instance,
bridging software to link the personally controlled electronic health record to
practice software.”
In terms of the individual health identifier and the validity
of data stored on an individual health identifier, there does not seem to be a
very reliable way of ensuring that the IHI that you are dealing with is in fact
the IHI of the patient in front of you.
1.37
Concerns about risk and patient safety are compounded by the apparent
lack of Government response to criticisms of the design, management and
supervision of the PCEHR architecture embodied in the proposed legislation.
1.38
Dr McCauley of the MSIA said:
We initially believed that over time those issues could be
addressed. However, it has become apparent only in recent months, when finally
the full specification has been released to industry, that in fact those safety
concerns cannot be addressed without a significant change in the specification.
An independent technology assessment committee looking at the issues of
organisational and provider identifiers came to the conclusion that, in its
current form, the service could not be operated safely. Subsequently NEHTA's
clinical safety unit was also asked for an assessment. After some time, they
also endorsed that conclusion.
We were assured by NEHTA that a full safety assessment had
been made and we assumed that there was a report available of that. We have
asked for that consistently for over two years and it has not been provided.
More recently we have been asking for safety reports on the
PCEHR implementation strategy and specifications, and again such safety reports
have not been available. A freedom of information application by the Australian
to the Department of Health and Aging, looking for safety documents related to
the PCEHR, was returned with no records found.
Lack of consumer confidence in the management of the PCEHR
1.39
There is evidence from industry experts, clinicians, consumer and
privacy advocates that many key stakeholders have lost confidence in those
developing the e-health system. Dr Hughes of the MSIA said:
The PCEHR program has been characterised by ineffective
project management, unrealistic deadlines, inadequate review processes for
specifications and a lack of progress to Australian Standards. These have had a
significant impact on the introduction of risk, particularly patient safety,
and will result in significant continuing high costs to the sector.
Industry has lost confidence in NEHTA's ability to deliver
this program. There is evidence of a lack of probity, ineffective governance
and an inability to deliver targeted programs.
1.40
Dr Fernando, Australian Privacy Foundation, stated:
I am also concerned about ongoing project failure. Our point
of view is that there has been project failure after project failure. I will
give you an example: the declared outcome for the IHI, the individual health
identifier, was that we would be able to identify the right patient at the
right time in the right place. That in fact has not been able to be validated.
Standards are a mishmash. There is not a single international or national
standard that applies across the e-health sector; rather, we have borrowed from
standards all over the place.
Proposed Launch Date July 1, 2012
1.41
The launch date, less than four months away, was of extreme concern to
the majority of submitters to the inquiry. The AMA stated:
We are also uncertain about how much of the system will be
available on 1 July 2012 and how well the system will be connected to
healthcare providers. The parliament may pass this legislation and some of the
technical work might be finished, but there will not be a benefit for patients
and medical practitioners until we get appropriate, interoperable, tested and
affordable practice software that is available for providers to connect up to
the system.”
Senator SIEWERT: ... you also touched on the issue of
the 1 July start date. Do you think that, if all goes according to plan, the
start date is going to be significantly problematic?
Dr Hambleton (AMA): Yes, I certainly do.”
1.42
The Health Care Consumers’ Association Inc said:
We believe it is imperative that the functionality of the
system is sound in the lead-up to the initial roll-out of the PCEHR system and
are concerned that the time frame of July 2012 is too short to achieve this. We
would like to see more evidence to show that all the necessary mechanisms are
in place to achieve a successful E-Health initiative nationally, rather than just
a determination to meet a politically imposed deadline. In order to limit the
possibility of failed implementation, we believe that a rigorous risk analysis
needs to be applied to implementation strategy, with adjustments to the implementation
timeframe as necessary.
1.43
The project managers of the PCEHR acknowledge that the first real
‘public' test of the PCEHR system will be on July 1, 2012. Given the
complexity; the large number of important issues that are unresolved; the
significant risks to patient safety; and the lack of public confidence in an
E-Health system, a prudent government delay the launch date of July 1, 2012
until these issues are resolved.
1.44
The Government's determination to launch on July 1 is part of worrying
trend to "push through" with programs to meet artificial deadlines,
irrespective of reality. Ms Huxtable from DOHA admitted:
There is still some very significant development work to be
done on the PCHR functionality. The early focus has been on a certain
functionality where you get the maximum benefits, like medication management
and discharge summaries, but the business case for PCHR anticipates
functionality growing over time with the gradual incorporation of more and more
information.
1.45
The admission by the Department secretary is telling. This is not ready
to launch. The Government also has not finished the regulations which
operationalise the legislation and are now working on unsustainable timelines.
1.46
During the hearings both the Committee Chair Senator Claire Moore and Deputy
Chair Senator Rachel Siewert queried the lack of finalised regulations.
Chair: Is there any indication when we will have the
regulations so we will be able to look at the whole package?
Ms Huxtable: They are in an advanced stage of
drafting and we expect to be in a position to be able to release them quite
soon for public consultation. I could not give you an exact date but quite
soon.
Chair: Just to put on record clearly: there will be a
format of public consultation on those regulations as well.
Ms Huxtable: Yes.
Chair: It is an ongoing complaint that we do not get
the package beforehand.
Senator SIEWERT: I really appreciate you cannot give
us an exact date. Are we talking about months or weeks?
Ms Huxtable: No, weeks—not months.
Senator SIEWERT: Less than months.
Ms Huxtable: We do not have months to be honest. We
want it to start on 1 July.
Conclusion
1.47
That so many fundamental issues are yet to be resolved a little over
three months from launch after six years of development and the expenditure of between
$467 and $750 million must be a matter of great concern.
Recommendation:
1.48
Coalition senators recommend that the PCEHR legislation be
delayed until July 1, 2013, in order to satisfactorily address the many issues
raised during this Inquiry, especially those relating to governance, patient
risk, privacy and interoperability are resolved.
Senator Sue Boyce
Senator for Queensland |
Senator Bridget McKenzie
Senator for Victoria
|
Navigation: Previous Page | Contents | Next Page