The risk of eHR privacy model failure as a threat to public and private health David Vaile Cyberspace Law and Policy Centre, UNSW Law Faculty [email protected] Medico-legal conference, Sydney, 29 March 2011 www.cyberlawcentre.org


Page 1: The risk of  eHR privacy  model failure  as  a  threat  to public and private health

The risk of eHR privacy model failure as a threat to public and private health

David Vaile
Cyberspace Law and Policy Centre, UNSW Law Faculty

[email protected]

Medico-legal conference, Sydney, 29 March 2011

www.cyberlawcentre.org

Page 2

Outline

• Context
• Privacy rules?
• Background
• Nat. EHR framework
• Grand challenges
• Perceptions and trust
• Consent
• Consultation?
• Framework?
• Medical HI as ID card?
• Clinical outcomes affected?
• Implications for private health
• Implications for public health

Page 3

My Background
Law and IT, with medical flavour

Page 4

My background

• Law, IT, consumer protection
• Interest in both health information and citizen expectations
• Early case later became Rogers v Whitaker (informed consent)
• Work with Prof Coiera’s proto-CHI, medical cont. education
• NSW and Federal Privacy Commissioner’s offices
• Australian Privacy Foundation
• UNSW Cyberspace Law and Policy Centre (iPP project)
• Database developer
• IT security, risk assessment for why big IT systems fail, UCD
• Personal information security and privacy advocate
• Involved in the aborted ‘Access Card’ fiasco
• Advocate of transparency of risks

Page 5

The IT Security Grand Challenges

• Privacy you can control
• Security you can understand

(Smith and Spafford 2004)

Page 6

The EHR Background
Late arrival of IT, explosive diversification

Page 7

• Late arrival of full scale networked EHRs
• Great diversity of record systems
• Many stakeholders
• Many points of interconnect
• Many claimants on access, ownership or other entitlements
• Great potential financial and clinical benefits
• Risk management analysis seems to omit the risk
• Big IT projects fail ~ 75%, not mature industry
• Good methodology is not a luxury, it’s essential
• Risk focussed methodology + UCD is the only known way to deal with massive, not well understood requirements

Page 8

Future Trends for Healthcare Records

• Biometric identification
• Genetic information linked with medical records
• International travel, medical tourism
• Text messages re: medical appointments
• Telemedicine inc. virtual consultations, multiple clinicians
• Radio Frequency Identification Devices (RFIDs)
• Identity-as-a-service provided by independent organisations (in response to issue of governments having dual roles of issuing and managing identifiers and related information, and also policing and governing their use?)

Source: CSC 2009

Page 9

National EHR framework?
For Privacy and Personal information security?

Page 10

National EHR system projects

• Massive effort in many domains
• Highly technical
• Expensive
• Often fragmented, components moving separately
• Appears to pay lip service to structured engagement of non-institutional stakeholders (a.k.a. ‘the paying customer’, consumers, patients and their advocates)
• Potential failure of methodology in relation to risk and user centred design (where patients = ‘users’)
• Disconnected: UHI before a model of use, or privacy rules?

Page 11

Trust and confidence
Good consent or poor consent?

Page 12

Perceptions and trust…

• ‘Perceptions about privacy and notions of trust are critical to the successful adoption of e-health. … the combination of existing privacy laws, existing consent mechanisms and the provider’s duty to protect patient confidentiality are supplemented by a security and access framework, new controls set out in healthcare identifiers legislation and proposed privacy reforms.’ NEHTA Blueprint FAQs, 2010
• But:
  ◦ Existing privacy laws largely unenforced (no complaint determ. in 5 yr)
  ◦ Proposed new laws recede into the future (no new health privacy law)
  ◦ Consent and duty are problematic (from patient’s perspective, in EHR)
  ◦ Security and access framework are opaque
  ◦ HI legislation does little to restrain or explain real limits on use.

Page 13

Complexity of consent?

• ‘The Blueprint … skirts around the issue of how to deal with the problems of complexity and detail in the levels of patient consent required for an effective IEHR. Too much complexity will overwhelm patients, yet too little detail, such as occurs with bundled consent, is not useful either. This balance is at the heart of the domain and presents a real challenge. NEHTA does not appear to have put it at the heart of their analysis or thinking about IEHR privacy options.’ APF submission on NEHTA Privacy Blueprint, 2008

Page 14

What’s in a name

• No clear model for an integrated national EHR system
  ◦ Individual Electronic Health Record (IEHR)
    ‘It is not proposed that the information added to an IEHR will be a complete medical record for an individual, instead it will supplement local records held by healthcare providers. It will be a record of information that the provider believes has a high impact on clinical decision-making. Accordingly, healthcare providers using information collected from the IEHR will need to be aware that the information is not necessarily complete’
  ◦ Shared Electronic Health Record (SEHR)
  ◦ Personally Controlled Electronic Health Record (PCEHR)
    In May 2010, $466 million investment over two years announced into a Personally Controlled Electronic Health Record system to support the National Health and Hospitals Network. ‘The PCEHR will not hold all the information held in your doctor's records, but will complement it by highlighting key information.’ NEHTA, ‘What is a PCEHR?’ [No risk mentioned]
• Blueprint: ‘few individuals are expected to read it all’
• Glossary for terms: 8 pages

Page 15

Consultation – with non experts

• Real consultation, as if it mattered to key design and strategic issues
• Need clear high level, long term overview
• Big picture of information design. A limited number of:
  ◦ roles
  ◦ information types
  ◦ rule types
• Plain English (jargon names may need to be changed)
• Detailed discussions about who gets to control what, or not.
• When and why choice and consent occurs.

Page 16

Framework?
Good consent or poor consent?

Page 17

Widely known EHR privacy framework?

• Is there a simple, widely consulted and accepted national framework for eHealth system privacy and personal information security? (Many consultations got it wrong?)
• Probably not?
• NEHTA and others largely looking inwards, or preoccupied with ‘elephants stomping’ (big players)?
• Minister seeks to divert attention with ‘PCEHR’?
• Emphasis should be on externally accepted principles, after informed consideration of hard cases, implications
• Essential basis for future trust?

Page 18

Medical identifier as national ID card

• Sorry history of Access Card
• ‘This is not a national ID card system’, in Bill
• Culture of denial and evasion of functionality
• Not a good basis for trust
• Privacy-hostile assumptions may be built in to the Foundations?
• Lack of explicit trading of benefits and risks, potential for unintended consequences
• Public focus on benefits, undermines a model of informed consent: spin, sales, not participation

Page 19

Is the IHI a national ID card system?
After Greenleaf 2009, in APF IHI submission

Page 20

Clinical outcomes affected
Reputation is hard won and easily lost
Implications for loss are serious

Page 21

Threats to clinical outcomes

• Erosion of trust consequent on awareness of failure of security or privacy of medical or related records
• Most vulnerable will be most difficult to please – the most to lose
• Private health – patients fail to disclose history, symptoms, get tested. Suboptimal treatment, clinical outcomes.
• Public health – patients fail to get tested, or disclose eg signs of infection etc. Potential for disease to spread and public health problem. Statistics wrong.

Page 22

Where does this leave us?

• A uniquely challenging protective role…
• In the midst of massive overhaul of HRs
• Privacy law incomplete, mostly not enforced
• Government, institutions and profession racing on
• The hardest parts deferred?
• IT risk warning sign – fail early and cheap, not late & $$
• Clinical risk warning sign – gambling with a potential breach of the trust upon which frank history-giving depends

Page 23

Sources

• Galexia Consulting, Preliminary PIA regarding the Unique Healthcare Identifier Program recommendations, and NEHTA’s responses, 2006
• Clayton Utz, PIA into the Unique Healthcare Identifiers Program recommendations, and NEHTA’s responses, 2007
• Mallesons Stephen Jaques, PIA into Individual Healthcare Identifiers recommendations, and NEHTA’s responses, Aug 2009
• ‘Data-matching in Commonwealth administration’, Guidelines issued by Privacy Commissioner under section 27(1)(e) Privacy Act 1988 (Cth), February 1998
• Mark A. Rothstein, ‘Debate Over Patient Privacy Controls in Electronic Health Records’, BioEthics Forum, 17 Feb 2011 (US)
• A rising tide of expectations, Australian consumers’ views on electronic health records – a necessary ingredient in healthcare reform, CSC Healthcare Research report, 2009
• ‘Are Electronic Health Records Ready for Genomic?’ Genetics in Medicine, Vol. 11, Issue 7, p. 510-17, July 2009
• Prashila Dullabh & Maria Molfino, ‘Liability Coverage for Regional Health Information Organizations’, AHRQ National Resource Center for Health Information Technology, June 2009
• Merle Spriggs, ‘When privacy can be a life or death call’, SMH, November 11, 2010

Page 24

Sources (cont.)

• NEHTA, Privacy Blueprint for the Individual Electronic Health Record, 2008
• NEHTA, Privacy Blueprint for the Individual Electronic Health Record – Report on Feedback, 2008
• Federal gov’t, ‘Personally controlled electronic health record system’ Fact sheet, 2010
• Person-controlled Electronic Health Records, HISA, 2009
• AHMAC, Healthcare Identifiers and Privacy: Discussion Paper on Proposals for Legislative Support, 2009
• Pamela Sankar, Susan Mora, Jon F Merz, and Nora L Jones, ‘Patient Perspectives of Medical Confidentiality - A Review of the Literature’, J Gen Intern Med. 2003 August; 18(8): 659–669.
• Ford CA, Millstein SG, Halpern-Felsher BL, Irwin CE, ‘Influence of physician confidentiality assurances on adolescents' willingness to disclose information and seek future health care. A randomized controlled trial,’ JAMA. 1997 Sep 24;278(12):1029-34.
• Fehrs LJ, Fleming D, Foster LR, McAlister RO, Fox V, Modesitt S, Conrad R. ‘Trial of anonymous versus confidential human immunodeficiency virus testing’ Lancet. 1988 Aug 13;2(8607):379-82.
• D Carmen and N Britten, ‘Confidentiality of medical records: the patient's perspective’, British Journal of General Practice, September 1995, 45, 485-488.

Page 25

Questions/Discussion

David Vaile
Cyberspace Law and Policy Centre, UNSW Law Faculty
[email protected]

www.cyberlawcentre.org