Anyone who use the internet is aware that the likes of Google and Facebook has a sneak and a peak at our habits and web-surfing so we know we should be careful in what we post and where we go.
On the other hand one would like to think that the likes of the Australian Government, at State or Federal level and/or large healthcare related organisations would take our privacy and security a bit more seriously.
One would like to think so.
Sadly this is not the case. Over the last decade I have been charging at the IT windmills like a modern-day Don Quixote but every step forward seems to result in two steps back. Many meetings and e-mails involved the roll-out of the My Health Record System and how to ensure that the implementation of the system results in a workable system that is going to be to the health benefit of the average Australian.
One cannot but help to be concerned about the various agendas of the parties involved.
Ostensibly it is promoted as a health benefit for patients – something which is hard to accept when the only Clinicians, in Canberra for instance, who can access the data are the participating GPs. While the Canberra Hospital may be able to upload discharge documents to the system no department or doctor within any public or private hospital in the ACT has a computer system able to formally access any patient records.
A more cynical view is that the focus of those rolling out the program is more on the bigger public health picture of gathering data – an open secret which for some strange reason does not seem to bother patients when I see them to gather their informed consent to participate in My Health Record.
Sadly many GPs are also now uploading useless rubbish to the My Health Record System purely to satisfy the financial requirements imposed on them by the Practice Incentive Payment system – Garbage in, Garbage out will affect the functionality of the system hugely.
Leaving behind the concept of sections of our Government who are collecting data in such a way we move on to other Government Departments, and associated entities, who are simply inept or could not care less about privacy and security.
Taking into account these real world threads one would consider that the systems and procedures employed by those that collect and curate our personal information would be ironclad – if only ! We are bombarded on a regular basis by examples of breaches and lapses of security – sometimes by mistake sometimes by sheer negligence. This could involve agencies entrusted with the records of the most vulnerable members of our community or at other times organisations who gather the health records of people who offer their services, time or blood products for the greater good.
The Australian Red Cross in particular has raised my ire when they, several years ago, started to refuse to accept any referrals by GPs to them other than through their “secure webportal”. They refused to engage with GPs about the system and enforced this on them with a total disregard of the very high quality security systems many GP clinics have in place as part of their compliance with the RACGP accreditation standards. I exchanged many an angry e-mail with them about this matter and was hopeful that they did eventually comply with industry accepted security standards – sadly the recent breach would suggest otherwise.
This brings me to the reason for this post – ACT Health.
Over the last decade I have often and repeatedly communicated with Clinicians and Administrative staff within ACT Health about two main issues:
a. Breaching the Privacy of e-mail recipients by distributing massive lists as a Carbon Copy (Cc), or simply in the “To:” field, instead of as a Blind copy (Bc). This resulted in:
- People’s confidential contact details being spread far and wide without their permission
- Recipients spreading this information further and further by replying or forwarding the e-mails
b. Breaching patient security by including patient details in the header, body or attachment of an unencrypted e-mail.
When these two issues are combined, as they often are, and some of the e-mail addresses are based outside of Australia (Gmail, Hotmail, Yahoo, etc.) any semblance of patient confidentiality and overall privacy goes out the door.
To no avail – they continue to ignore the rules and legislation and in the end I had on some occasions had no choice but to withdraw from participating further in clinical activities as the risk of a career ending financial penalty was simply too great – a $ 340,000 individual fine and a $1,700, 000 fine to my business was enough of a deterrent.
My most recent example was a clinical activity that I had been involved with for over a decade. Once we had reached the point where the parties involved were simply ignoring my concerns I decided to escalate the matter and involved the ACT Health Minister, ACT Health Director General, the RACGP and the AMA. Repeatedly.
Sadly the only response I had was for the RACGP to forward the details to the relevant committee and for the D-G’s office to advise me that they had received my communication.
The Health Minister and AMA simply ignored the communication. Even when I tweeted them about it.
Interestingly enough the reaction from Private Health service providers are, for the most part, much more appropriate. Many of them have started using one of the various robust secure messaging systems that are already commercially available and often installed on GP desktops.
There are off course exception in the private system ranging from some who revert to paper or fax systems (with a sigh of exasperation at the “difficult” GP) or one of the otherwise excellent online appointment booking systems who refused to change their system for online script ordering when I advised them that they were in breach of the legislation. Sadly we no longer use that part of their system.
Another example – as GPs we are now essentially forced to use government websites such as myagedcare.gov.au to obtain services for our most vulnerable patients.
Yesterday I received this confirmation of a referral we had sent in
– from a nice generic e-mail address (no one can be held accountable on their side) with the patient’s full name in the body of the unencrypted e-mail indicating. The most ironic part being the “important information” regarding confidentiality at the end – sent to us through a completely non-confidential platform.
Well & truly clueless