Dealing with a query about access to the My Health Record System


A week ago I wrote a blogpost about the rights and responsibilities of GPs who decide to use the MHR system.

In the blog I alluded to the challenge of getting straight answers from the various leading figures and/or entities.

Within the limitation of General Practice there are broadly four main sources of information on this matter:

a. The two Specialist Colleges:

  1. The RACGP

I have attended many local and national meetings hosted by the RACGP over the last few years where this subject has been discussed and have spoken my mind loudly and clearly at these meetings. Unfortunately it was hard to feel that the concerns were taken seriously especially when announcers would dismiss evidence-based concerns, with references, as “out of date” yet provided nothing other than their own interpretations without references in response. It is rather annoying to put a lot of effort into investigating these issues in great detail only to be swatted away like an annoying fly when you try to engage in a discussion.

The RACGP does have various committees and groups dealing with these issues and I have applied and joined those that would have me. And tried to engage in discussions. After months of trying I have managed to get a 100% failure rate as regards any responses. They simply ignore the matter. There is no doubt that there are a lot of discussions happening with the elite inner circle of a few dozen people but they seem to have an utter disregard for any bidirectional communication with, or input from, the remaining 35,000 members which is most disappointing.

2. ACRRM

This is a much smaller organisation but, being rural, the MHR has a much greater potential for an impact in service delivery and clinical care. Despite this the only visible activity in this field over the last few months was a Webinar and a few Press releases.

b. The Australian Medical Association

This organisation represents doctors across a range of Specialities and has done a lot of work in the development of safeguards. I have attempted to engage them in my research and commentaries at both a Local and National level but it has mostly been a one-way street. The only AMA luminaries that were willing to engage in some sort of debate on Social Media seemed more intent on putting an insolent dissenter in his place than having a serious discussion about the merits AND flaws of the system so things very quickly turned ugly in the Twittersphere.

c. Medical Defence Organisations:

These are the entities Doctors turn to when things go sour. Unfortunately there has not been any uniform advice on a great many related issues from the various MDOs. The only consistent advice seems to be that the various legal principles will remain vague until they have been tested in a court case.

In other words some guinea pig needs to be sued before they can give us a straight answer.

d. The Australian Digital Health Agency:

This is the central source of information, the source of nearly all knowledge, should they answer the questions posed to them. They interpret the various legal determinants that underlie the MHR – if I want answers on the Healthcare Act I ask Medicare and if I want answers about MHR I ask the ADHA.

This brings me to the reason for this post. My previous post had some unanswered questions and after near-daily e-mailed prompting of the ADHA team I have answers to some of the questions.

The matter relates to the hypothetical case where a patient logs into his MHR and notices that someone has logged into his MHR several months ago. The log shows a date, time, the Organisation involved and what documents they looked at. Nothing was added, modified or deleted.

The patient decides to make enquiries about the matter.

The following is the process to be followed after all the information obtained from ADHA is taken into account:

a. The patient should call the My Health Record Helpline. Not the Organisation! (If access was through the Portal the Organisation would have NO way of identifying the individual log-in that was used but the MHR System Operator can identify the individual log-in, so let’s not waste time.)

b. If the System Operator investigates and determines that the access was through the Conforming Software (not the Portal on a PC elsewhere) on the Organisation’s Intranet they can contact the Organisation or direct the patient to do so and the Organisation can then do an internal audit search for the Individual.

Some questions have therefore been answered but the system remains deeply flawed for both the patient and organisations.

Patients will have a lengthy process of calling the Helpline (after perhaps initially wasting time on calling the Organisation and being re-directed), authorising an audit and then waiting for the outcome.

Should an individual be identified as having accessed the MHR through the portal the patient could then decide if they have further queries and then contact the Organisation to seek clarification.

No answers will however be found if access had been through the Organisation’s own software which would require a call from the System Operator/Patient to the Organisation to initiate an internal audit.

From an Organisational level an audit can be a time consuming and costly exercise. In November 2017 there were at least fifty different software programs that had been certified to be conformant for MHR requirements. Every one of these was developed by a different team with different systems and processes.

At our Clinic, with our software, it would require manually checking logs on every single work station and if that fails paying for the software provider to log in remotely and search our database on the server. It would be very different for every software program and a massive financial & time imposition for many smaller organisations.

A simple and obvious solution would have been for the System Operator at MHR to simply log access in all cases down to the individual identifier.

It would speed up queries and free up Healthcare Organisations’ resources to do other things such as actually providing healthcare.

This certainly would not absolve any Organisation from the requirement to have stringent processes in place to prevent shared log-ins and other unacceptable IT security practices.
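To show what the internal audit search amounts to once workstation logs are gathered in one place, here is an added example (not code from any clinical software, the ADHA or our Clinic) that matches a reported access time against local logs and flags possible shared log-ins. The log format, field names, workstation names, users and patient references are all constructed for illustration; real conformant software will differ.

```python
from datetime import datetime, timedelta

# Constructed sample: per-workstation access logs from a hypothetical clinical
# application. Fields: ISO timestamp, local user, action, patient reference.
WORKSTATION_LOGS = {
    "ws-reception": [
        "2018-03-02T09:14:07 user=jsmith action=MHR_VIEW patient=P1001",
        "2018-03-02T11:40:12 user=locum1 action=MHR_VIEW patient=P2002",
    ],
    "ws-room2": [
        "2018-03-02T11:41:55 user=locum1 action=MHR_VIEW patient=P1001",
        "2018-03-02T11:42:30 user=akhan action=LOGIN patient=-",
    ],
}

def parse(line):
    """Split one log line into (timestamp, dict of key=value fields)."""
    stamp, *pairs = line.split()
    return datetime.fromisoformat(stamp), dict(p.split("=", 1) for p in pairs)

def find_access(logs, patient, reported_at, tolerance_minutes=5):
    """Return (workstation, user, time) for MHR views of `patient` near the
    date and time shown in the patient's MHR access history."""
    window = timedelta(minutes=tolerance_minutes)
    hits = []
    for station, lines in logs.items():
        for line in lines:
            when, fields = parse(line)
            if (fields.get("action") == "MHR_VIEW"
                    and fields.get("patient") == patient
                    and abs(when - reported_at) <= window):
                hits.append((station, fields["user"], when))
    return sorted(hits, key=lambda h: h[2])

def shared_login_suspects(logs, window_minutes=5):
    """Accounts seen on two different workstations within a short window.
    This is a prompt for a follow-up question, not proof of a shared log-in."""
    seen = {}
    for station, lines in logs.items():
        for line in lines:
            when, fields = parse(line)
            seen.setdefault(fields["user"], []).append((when, station))
    suspects = set()
    for user, events in seen.items():
        events.sort()
        for (t1, s1), (t2, s2) in zip(events, events[1:]):
            if s1 != s2 and t2 - t1 <= timedelta(minutes=window_minutes):
                suspects.add(user)
    return suspects
```

If the matching account also appears in the shared log-in set, the log alone cannot say which person was at the keyboard, which is exactly why shared log-ins defeat an audit.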

A question that remains unanswered is whether the ADHA logs the downloading of documents from the MHR via the Portal. The patient audit log does not show this at all which remains most concerning as one could potentially end up with sensitive documents downloaded on PCs anywhere in the world without the patient’s knowledge.

This matter is only but one small component of the huge number of unanswered, poorly answered or ignored legal matters in this discussion and it is long overdue for the top-down decision making processes by the various organisations to be abandoned and for a truly interactive discussion to be held with the Clinicians and Patients who have to work with this system.

9 September 2018 – addendum:

Overnight I received two interesting screen grabs from ADHA documents.

In essence they state:

1. It is up to individual software programs to decide which identifiers are sent to the System Operator when access happens. This may or may not be the HPI-I that ADHA can use to identify the person who logged in.

2. ADHA does not mandate that Software logs these access episodes given that it is logged by the System Operator.

Which poses a problem: very few Organisations would have a clue what identifier is being sent by their software.

And at the end of the day the buck still stops with us.
