Privacy Law and Policy Reporter
The NSW Government announced major reforms to the structure and funding of the NSW health system in March this year. A number of health information technology initiatives were announced as part of the reforms, including a comprehensive statewide electronic health record (EHR) for every individual in NSW. EHRs and unique patient identifiers (UPIs) have been in place in parts of NSW for some years, but with very limited ability for data linkages. The combination of this initiative with the Federal Government’s plans for a national EHR system through the HealthConnect project promises a national scheme sooner rather than later.
Many people remain unconvinced that the substantial funds required to implement such a scheme will result in better health outcomes. There is even greater scepticism about promises that EHRs will give people better access and control over their records. In an environment where doctors still believe that consumers should not have a right to see their personal records, it would be foolhardy to believe technology alone will drive change.
The privacy implications of the NSW Government’s plans for an EHR system are being considered by a number of committees and reviews. A Ministerial Advisory Committee headed by the NSW Privacy Commissioner is currently conducting public consultations on Privacy and Health. An Implementation Group established by NSW Health to examine the clinical and technical issues is also considering privacy concerns. Both are due to report by the end of this year. This article discusses these processes and the issues they will be considering as part of implementing the reforms.
In March this year the NSW Minister for Health released the Report of the NSW Health Council, which made a range of recommendations to improve the quality of health care for the people of NSW. In the Report, effective use of information technology was identified as having direct implications for the quality and responsiveness of health care. The Council considered that existing information systems would stifle and limit the broader changes they were recommending, unless rectified urgently. It viewed the introduction of a comprehensive EHR system as leading to dramatic improvements in health care quality and the effectiveness of the health system. Errors in information transfer were identified as one of the major sources of preventable adverse events in the health care system by the report of the National Expert Advisory Group on Safety and Quality in Australian Health Care.
The Council found that existing information technology in NSW Health and the State’s health system had a number of legacy computer systems that are incompatible and do not allow for the transfer of information between providers or a complete record of a patient’s history. It also found inconsistent standards for the coding and classifying patient and clinical information, and inconsistent standards about privacy and confidentiality.
The limitations of the current system identified by the Council include:
To address these shortcomings the Council recommended linking all health care providers caring for individuals, linking metropolitan and rural health services and providing information to call centres and on the internet. Key tools to achieve these outcomes are the introduction of a secure, comprehensive EHR and a UPI for every individual in NSW.
An EHR is a complete patient record of all health care information relating to an individual. It could record all treatments that an individual has received including hospital admissions and diagnostic information such as test results. The Council recognised this would raise legitimate community concerns about privacy and confidentiality. It stressed the need for the NSW Government, the Commonwealth Government and NSW Health to lead the way in developing and implementing the strongest privacy legislation and the strongest security and confidentiality standards.
The Council highlighted the need to establish with certainty the identity of an individual who is seeking treatment and to link their identity with existing treatment records to successfully implement the EHR.
To achieve this, the Council advocated the use of a UPI to co-ordinate a person’s interaction with a number of health care providers, especially over time and between locations.
The Council recognised legitimate privacy and confidentiality concerns in the community arising from increasing use of computerised information, and concluded that these need to be addressed carefully.
The Council recognised that the introduction of a UPI is difficult to confine to State administered health services — it would be likely to involve the Commonwealth Government and Health Insurance Commission to maximise uniformity across jurisdictions.
The national health information network proposed under the Commonwealth Government’s Health-Connect initiative provides a wider context for the developments in NSW. Under HealthConnect, health related information about an individual would be collected in a standard electronic format at the point of care (such as at a hospital or a general practitioner’s clinic). Personal health information could then be collected, safely stored and exchanged — but only with the individual health consumer’s permission. This information would take the form of event summaries, not all the notes that a health care provider may choose to keep about a consultation. State and Territory Health Ministers agreed to the HealthConnect initiative in August 2000.
To implement the Health Council’s information management recomm-endations, the NSW Health Minister appointed an Implementation Group. The Group is to provide ‘clinical leadership and guidance to the development and implementation of a strategic information management framework that will underpin’ the reforms. Its tasks include developing a plan to achieve the EHR system statewide by 2010. A strategy to deliver EHRs is to be completed by November 2000.
As part of this work the Group will establish a management model and rollout plan for the UPI, a Core Clinical Systems project and a GP Linkage project before the end of the year. Estimated funding requirements to implement these reforms are about $300,000 to $400,000. The Implementation Group has eight working groups dealing with different aspects of the work plan. One of the working groups is examining privacy issues. It will prepare a submission to the Ministerial Committee on Privacy and Health Information, followed by a report recommending how to manage privacy issues to advise NSW Health and the Ministerial Committee.
The Implementation Group is chaired by Dr Dianna Horvath, CEO of the Central Sydney Area Health Service, and Professor Michael Kidd, Head of the Department of General Practice, University of Sydney and a member of the influential Clinical Council which oversees implementation of the health reforms package. The Group is accountable to Associate Professor Steven Boyages, Director of the Centre for Research and Clinical Policy.
There are various other standing committees responsible for privacy policies and practices within NSW Health. The central one is the Information Management Committee, chaired by the Director General of Health, which is responsible for information, policy and information management strategies. It has a subcommittee, called the NSW Health Privacy of Information Committee, which has operated since 1995. The primary work of the subcommittee has been the development of the NSW Health Privacy Code of Practice (first published in 1996) and the Code of Practice and Privacy Management Plan required under NSW privacy legislation since July 2000.
The NSW Health Minister appointed an Advisory Committee on Privacy and Health Information in May this year to address privacy issues in relation to health information. Mr Chris Puplick, the NSW Privacy Commissioner, is chairperson of the Committee. The Committee will focus on the recommendations of the Health Council and consider privacy concerns at each point of the information management lifecycle, including the collection, storage, access, transfer, use and disposal of health information. The Committee is to deliver a report to the Minister that provides effective strategies to enable NSW Health and its partners in health services delivery to ensure personal health information is collected, stored and used in accordance with NSW and Commonwealth privacy principles as applicable.
The strategies will address issues such as:
The Committee commenced public consultations following the release of a general background paper in August seeking written submissions by late September. A number of public seminars will be held in November 2000. The Committee has been asked to provide its final report by December 2000.
Privacy and confidentiality are central considerations of any health records system. Personal health data is often regarded by patients as the most sensitive and special data held about them, and there is particular concern about its disclosure to third parties, including other doctors and family members, without the patient’s express consent.
One of the key issues for the Advisory Committee is the adequacy of the current legislative framework to protect the privacy of personal health information in NSW, especially the planned EHR system.
There is no single comprehensive piece of privacy legislation in NSW applying to the private and public health sectors. The current legal framework includes:
The recently introduced Privacy and Personal Information Protection Act 1998 (NSW) provides an important starting point for protecting the privacy of personal health information in the public and private sector. The Act establishes the office of the NSW Privacy Commissioner, and introduces a set of privacy principles that regulate the way public sector agencies in NSW deal with personal information. The Act came fully into effect on 1 July 2000.
Under the Act, ‘personal information’ includes any information that relates to an identifiable person. It covers traditional paper files and any other record that would reasonably allow a person to be identified, including electronic files, video recordings, photographs, genetic material and biometric information such as fingerprints. The Act has special provisions limiting the disclosure of more sensitive types of personal information, including health information.
The Information Privacy Principles (IPPs) in the Act can be modified for an agency if it makes a privacy code of practice, which involves exemption from, or modification to, the IPPs. Any codes must be submitted to the NSW Privacy Commissioner for comments, and be approved by the Minister. The NSW Health Department has made a Code under the Act covering a number of specific activities.
Although the IPPs in the Act are only binding on public sector agencies, the Privacy Commissioner also has general powers to investigate complaints about breaches of privacy by organisations and individuals who are not public sector agencies. The Act establishes a range of penalties in cases where the IPPs are breached, including fines of up to $40,000.
NSW Health have been working on patient data linkage systems for many years. The concept of the EHR is nothing new, but the extent of data linkage now planned is of great concern in an environment where patients still lack a right of access to personal information. The NSW Health Council’s report is enthusiastic about the health benefits of a comprehensive EHRsystem, and the NSW Government has committed substantial funds to support its development. However, a fundamental starting point for such a project must be an agreed privacy framework for personal health information, backed by legislation. An emphasis on the use of technology to enhance communication between consumers and providers is also important.
The lack of leadership from the Commonwealth Government on privacy law reform, particularly in the health sector, will continue to hamper efforts to advance extensively data linkages in EHRs. In the meantime, NSW Health has work to do in developing processes that adequately engage the public in discussion about our electronic health future.
Amanda Cornwall is a Senior Policy Officer at the Public Interest Advocacy Centre (PIAC) in Sydney. This article is based in part on a background paper prepared by Privacy NSW for the NSW Health Privacy Review.