Tuesday, 11 October 2011

Draft Submission on the Proposed PCEHR Legislation - Due October 28, 2011

Here is what I have in mind - happy to take comments and thanks for all those on yesterday’s post.

Submission to the Commonwealth Department of Health and Ageing.

Topic: Exposure Draft PCEHR Bill

Date October, 2011
Submissions Due: 28 October, 2011
Address for submissions:
Postal Mail
PCEHR Legislation Issues Feedback
Department of Health and Ageing
GPO Box 9848
Canberra, ACT 2606
Submission Author:
Author’s Background. I am an experienced specialist clinician who has been working in the field of e-Health for over 20 years. I have undertaken major consulting and advisory work for many private and public sector organisations including both DoHA and NEHTA.
Previous Submissions
I previously provided a Submission on the PCEHR proposal to NHHRC in May, 2009 and the views expressed in that submission remain my position despite the work undertaken by DoHA and NEHTA since.
This submission is available here:
A later submission on the Draft Concept of Operations for the PCEHR from May 2011 is found here:
Consent for Publication.
I am more than happy for this submission to be made available for public review on the Department of Health and Ageing website.


As a non-lawyer I am unable to comment on the drafting of the planned Bills but am basing my comments on the Companion to the Exposure Draft Bill - as I am sure this document accurately reflects both the intention and the drafting of the proposed Bill(s).
It is my view that the intent reflected in the Companion document is deeply flawed and will result in failure of the PCEHR System to deliver the outcomes sought by the Government.
In my view there are two major errors of omission and two major errors of commission contained in the present proposals.
Error of Omission Number 1. - The Lack of an Agreed, Consulted and Legislated Framework for the Governance of the PCEHR.
On Page 13 of the Companion: (as reported by Adobe Reader)
"It is intended that the Secretary will fill the role of System Operator initially. Further discussions will be held with the states and territories around possible future options for the long-term governance of national e-health such as an inter-jurisdictional body."
This is a disastrous flaw and will guarantee that simply no one will trust the system. Having a system holding your private health information which is not at arm’s length to Government and to political interference is vital.
I believe the best way this can be achieved is via an independent Statutory Authority which is responsible to parliament for its activities, reports regularly, is subject to review by Parliament and Senate Estimates, has a formal recurring budget allocation and a properly constituted and accountable board.
Unless this is planned, discussed, legislated and delivered the Government is simply setting itself up for a lack of public confidence and failure.
Error of Omission Number 2. The Failure to Provide a Legislated and Obligatory Breach Reporting Regime.
On page 29 of the Companion to the Exposure Draft we read:
“Certain participants in the PCEHR system must notify certain matters such as data breaches or risk of being in contravention of the Draft Bill with potential civil penalties to apply to those contraventions.
Entities such as the System Operator, a registered repository or registered portal provider have obligations to report matters to the System Operator, or in certain circumstances both the System Operator and the Information Commissioner.
In addition to the notification, the entity must do the followings things:
  • contain the contravention and undertake a preliminary analysis;
  • evaluate the associated risks;
  • if the entity is the System Operator – consider notifying the affected consumers;
  • if the entity is not the System Operator – ask the System Operator to consider notifying the affected consumers.
In addition, the entity must take steps to prevent or mitigate the effects of further contraventions, events or circumstances in relation to the unauthorised collection, use or disclosure of health information included in a person’s PCEHR.
A further civil penalty provision in the Draft Bill provides that a registered repository operator or a registered portal operator must not contravene the PCEHR Rules that apply to that operator or portal.”
Can I suggest this is just not good enough. The legislation should make it clear that the release or breach of any personally identifiable information should be notified to the individual concerned and additionally any breach that involves more than 100 individuals should be notified to the public with an analysis of what caused the breach.
Of course notification is just bolting the door after the horse has gone and clearly the legislation should also make it clear, as it does to some extent, that to prevent breaches in the first place is required and to not take reasonable preventative steps is also an offence.
Proof of the benefit of this approach is that in the US there is compulsion to notify significant breaches and, of course, this is the reason we know how bad it is over there and why we need the same approach here.
Error of Commission Number 1. A blatant attempt to transfer responsibility for identification of users of the PCEHR from the Government provided security systems to the practitioner or other entity who is accessing the PCEHR.
Page 33 of the Companion: (As reported by Adobe Reader)
“Registered healthcare provider organisations must ensure that individuals accessing PCEHRs on their behalf (i.e. authorised users) provide, at the time of access, sufficient information to identify the individual accessing the PCEHR. This requirement is essential to ensuring a comprehensive audit trail is maintained of access to consumers’ PCEHRs.”
What does this actually mean and how will it work? It seems to mean the provider organisation needs to retain an audit trail of which user logged on to what system using the organisational certificate. Note this appears to transfer an obligation to do so from the PCEHR Operator and the PCEHR system back to the healthcare provider organisation.
It is also clear that the approach to providing a user specific audit trail from provider to the PCEHR system is still pretty much a work in progress (in the absence of NASH actually being defined and implemented) - and that the assurances given by NEHTA and the Minister that full audit trails of user access will not be available when the System commences - and for a good while thereafter if special legislative cover is required.
No provider is going to expose themselves to the substantial penalties proposed for no benefit. This approach will ensure just zero practitioner participation once they are advised of the risks by their indemnity insurers.
Error of Commission Number 2. Removal of Both The Commonwealth and All Jurisdictions from Any Accountability and Liability for Harm and Damage Caused by The PCEHR System.
Page 8 of the Companion: (As reported by Adobe Reader)
“Binding of the Crown
The Draft Bill applies to the Commonwealth, states and territories and section 7 of the Draft Bill provides that all jurisdictions will be subject to this law.
While each jurisdiction will be legally bound by the arrangements set out in the Draft Bill, the Crown in right of the Commonwealth, states and territories will not be subject to prosecution and will not be liable for pecuniary penalties.”
So it seems no Government can be sued or prosecuted for any harm or damage resulting from this Legislation and its implementation.
This section clearly does not correctly balance the interests of citizens and government.
There are a number of other minor points where I feel the planned Legislation is in error but correcting the issues cited above would clearly take enormous strides towards some satisfactory and implementable outcomes.
David G More
Date 11.10.2011.
Comments and Suggestions Please!

