A week ago I wrote a blogpost about the rights and responsibilities of GPs who decide to use the MHR system.
In the blog I alluded to the challenge of getting straight answers from the various leading figures and/or entities.
Within the limitation of General Practice there are broadly four main sources of information on this matter:
a. The two Specialist Colleges:
- The RACGP
I have attended many local and national meetings hosted by the RACGP over the last few years where this subject has been discussed and have spoken my mind loudly and clearly at these meetings. Unfortunately it was hard to feel that the concerns were taken seriously especially when announcers would dismiss evidence based concerns, with references, as “out of date” yet provided nothing other than their own interpretations without references in response. It is rather annoying to put a lot of effort into investigating these issues in great detail only to be swatted away like an annoying fly when you try engage in a discussion.
The RACGP does have various committees and groups dealing with these issues and I have applied and joined those that would have me. And tried to engage in discussions. After months of trying I have managed to get a 100% failure rates as regards to any responses. They simply ignore the matter. There is no doubt that there is a lot of discussions happening with the elite inner circle of a few dozen people but they seem to have an utter disregard for any bidirectional communication with, or input from, the remaining 35, 000 members which is most disappointing.
This is a much smaller organisation but, being rural, the MHR has a much greater potential for an impact in service delivery and clinical care. Despite this the only visible activity in this field over the last few months was a Webinar and a few Press releases.
This organisation represents doctors across a range of Specialities and has done a lot of work in the development of safeguards. I have attempted to engage them in my research and commentaries at both a Local and National level but is has mostly been a one-way street. The only AMA luminaries that were willing to engage in some sort of debate on Social Media seemed more intent on putting an insolent dissenter in his place than having a serious discussion about the merits AND flaws of the system so things very quickly turned ugly in the Twittersphere.
c. Medical Defence Organisations:
These are the entities Doctors turn to when things go sour. Unfortunately there has not been any uniform advice on a great many issues related from the various MDOs. The only consistent advice seems to be that the various legal principles will remain vague until they have been tested in a court case.
In other words some guinea pig needs to be sued before they can give us a straight answer.
d. The Australian Digital Health Agency:
The is the central source of information, the source of near all knowledge, should they answer the questions posed to them. They interpret the various legal determinants that underlies the MHR – if I want answer on the Healthcare Act I ask Medicare and if I want answers about MHR I ask the ADHA.
This brings me to the reason for this post. My previous post had some unanswered questions and after near daily e-mailed prompting of the ADHA team I have answers to some of the questions.
The matter relates to the hypothetical case where a patient logs into his MHR and notices that someone has logged into his MHR several months ago. The log shows a date, time, the Organisation involved and what documents they looked at. Nothing was added, modified or deleted.
The patient decides to make enquires about the matter.
The following is the process to be followed
after all the information obtained from ADHA is taken into account:
a. The patient should call the My Health Record Helpline. Not the organisation ! (if access was through the Portal the Organisation would have NO way of identifying the individual log-in that was used but the MHR System Operator can identify the individual log in so let’s not waste time)
b. If the System Operator investigates and determines that the access was through the Conforming Software (not the Portal on a PC elsewhere) on the Organisation’s Intranet they can contact the Organisation or direct the patient to do so and the Organisation can then do an internal audit search for the Individual.
Some questions have therefore been answered but the system remains deeply flawed for both the patient and organisations.
Patients will have a lengthy process of calling the Helpline (after perhaps initially wasting time on calling the Organisation and being re-directed), authorise an audit and then wait for the outcome.
Should an individual be identified as having accessed the MHR through the portal the patient could then decide if they have further queries and the contact the Organisation to seek clarification.
No answers will however be found if access had been through the Organisation’s own software which would require a call from the System Operator/Patient to the Organisation to initiate an internal audit.
From an Organisational level an audit can be a time consuming and costly exercise. In November 2017 there were at least fifty different software programs that had been certified to be conformant for MHR requirements. Every one of these was developed by a different team with different systems and processes.
At our Clinic, with our software, it would require manually checking logs on every single work station and if that fails paying for the software provider to log in remotely and search our database on the server. It would be very different for every software program and a massive financial & time imposition for many smaller organisations.
A simple and obvious solution would have been for the System Operator at MHR to simply log access in all cases down to the individual identifier.
It would speed up queries and free up Healthcare Organisations resources to do other things such as actually providing healthcare.
This certainly would not absolve any Organisation from the requirement to have stringent processes in place to prevent shared log-ins and other unacceptable IT security practices
A question that remains unanswered is whether the ADHA logs the downloading of documents from the MHR via the Portal. The patient audit log does not show this at all which remains most concerning as one could potentially end up with sensitive documents downloaded on PCs anywhere in the world without the patient’s knowledge.
This matter is only but one small component of the huge number of unanswered, poorly answered or ignored legal matters in this discussion and it is long overdue for the top-down decision making processes by the various organisations to be abandoned and for a truly interactive discussion to be held with the Clinicians and Patients who have to work with this system
9 September 2018 – addendum:
Overnight I received two interesting screen grabs from ADHA documents.
In essence they state:
1. It is up to individual software programs to decide which identifiers are sent to the System Operator when access happens. This may or may not be the HPI-I that ADHA can use to identify the person who logged in.
2. ADHA does not mandate that Software logs these access episodes given that it is logged by the System Operator.
Which poses a problem. – very few Organisations would have a clue what identifier is being sent by their software.
And at the end of the day the buck still stops with us.