Much has been said in the media about the privacy and security impact of personal health records for anyone who has signed up for, or will in the near future be automatically signed up for, a My Health Record.
My most recent commentary was a discussion of standing consent and the apparently contradictory advice being given on that point by the Australian Digital Health Agency (ADHA) and the Royal Australian College of General Practitioners (RACGP).
My conviction that the RACGP is providing its members with incorrect information was strengthened by a leaked ADHA document that surfaced this week.
There are a great many legal requirements and obligations placed on Healthcare Organisations and individual Healthcare Providers who opt to take part in the My Health Record (MHR) system, and many of these are flying under the radar.
Of particular concern to me is the great number of Healthcare Organisations that are not truly aware of the obligations they in actual fact signed up for when they started taking part.
As the Owner of a General Practice Clinic I decided to have a detailed look at this:
There are two ways in which a GP can access the MHR system:
a. Using Conformant Software on the Business Intranet – in our case a program called Medical Director
b. Using the National Provider Portal, which GPs usually access through the PRODA (Provider Digital Access) system
The unfortunate reality is that a large number of GP Clinics only started taking part in the MHR system under duress, after the Federal Government changed the Practice Incentive Payment rules and effectively began to penalise clinics financially if they did not sign up. This resulted in many a Practice Manager and Owner signing up for a system without reading the fine print.
So let’s look at the Fine Print:
The following legislation must be complied with:
- My Health Records Act
- My Health Records Rule
- My Health Records Regulation
- My Health Records (Assisted Registration) Rule
These are complex legal documents, and I would hazard a guess that very few, if any, Healthcare Organisations are fully compliant with their requirements at all times.
In order to assist Organisations through this maze, the ADHA has developed a proposed list of practices and policies.
This is their proposed list, with pitfalls and likely non-compliant areas underlined in red:
1. My Health Record System Security Policy
2. Managing user accounts
3. Identification of staff
4. Staff training
5. Handling of Privacy breaches and complaints
6. Risk Assessments
After doing my homework on my responsibilities as the Responsible Officer of a Healthcare Organisation, I realised that I had to perform the following tasks ASAP:
- Undertake a Privacy and Risk assessment
- Update my Complaints Management Process
I did my assessment on both platforms that an individual could use to access the MHR, using the hypothetical scenario of an individual accessing a patient's MHR without adding, deleting or changing any documents.
This access is noticed by the patient several months later when they happen to look at the access log within their MHR. It prompts a phone call from the patient, who advises the Clinic that their MHR was accessed by someone at our Clinic at a specific time on a specific date. They could also see which document was looked at.
In order to test this hypothetical scenario, I ran two tests (using my personal MHR as a test file and accessing it with my Healthcare Provider Individual access):
a. Accessing the MHR as a GP on a computer at work using our Conformant Software (Medical Director) – I looked at a document and then closed it
b. Accessing the MHR as a GP on my laptop from home through the PRODA system – and also downloading the document I looked at as a PDF
c. I then logged into my personal MHR as an individual and looked at the logfile:
The only information that I as a patient could see was that the Clinic had accessed the record. It made no distinction as to where the access was made from, nor did it record the fact that parts of the record had been downloaded onto a laptop at my private residence.
So how would my Clinic deal with a query from a patient who found such an entry – say six months later?
- Medical Director logs individual users' access to the MHR locally on each workstation. The logs would need to be inspected on each and every computer in the building, and they are logs that can be accessed, modified or even removed by any user.
- If no answer is found on the local workstations, a support request would be placed with the Medical Director team, who would at some stage remotely log in and interrogate the database on the Server.
- If no answer is found there either, the assumption must be that access was through the Portal, and the Organisation would have no ability to give any further answers.
The situation described above is extremely problematic because, until a few days ago, all sources, including the ADHA, stated that the System Operator was only logging access down to organisational level.
This prompted me to make urgent enquiries of PRODA, the ADHA and the RACGP.
Unfortunately, all enquiries to the RACGP's eHealth team were completely ignored.
PRODA bounced it back to the ADHA:
ADHA finally responded with some information (which contradicted all prior public advice on this issue):
Around the same time the leaked ADHA internal document surfaced that states:
This prompted me to send three further follow-up questions to the senior ADHA employee who had responded to my original question:
- Is the ADHA therefore logging access to individual level in both the Portal and within Conformant Software systems?
- Given our inability to identify that access was through the Portal, and the very time-consuming and labour-intensive process required to reach that conclusion, could we simply direct all future patient enquiries on this matter to the System Operator, who would then contact us only if they could not identify the Individual involved?
- Does the audit system capture the printing and/or downloading of documents onto personal computers?
Unfortunately, it is nearly a week later and I am still awaiting answers.
Ironically, the very senior official who wrote back to me advised that there was no reason for me to be updating my internal policies or procedures after investigating this matter.
Clearly the left hand has no idea what the right hand is doing, and I am taking no risks: until this matter has been clarified, I have de-activated all access to the MHR through the Portal system for all users at our Clinic.