Data danger

The blueprint on how the national e-health records scheme will be stored and managed is a minefield of medico-legal concerns, writes Leigh Parry.

IN JUST one year, your patients will have unprecedented access to their medical records – not only will they be able to view their records online, but they will be able to control who sees them, and even add their own notes.

In theory, the personally controlled electronic health record (PCEHR) scheme will drive safer, more efficient and better quality healthcare – as Health Minister Nicola Roxon says, “Patients will no longer have to remember every immunisation, every medical test and every prescription as they move from doctor to doctor.”

Doctor groups are generally supportive of the scheme, which aims to address the fragmentation of medical records that exist across a vast array of different systems.

But shared health summaries, in which multiple health providers and the patients themselves will be able to contribute information, opens the prospect of an unprecedented deluge of data – and a medico-legal nightmare for GPs.

In their responses to the recently completed consultation on the blueprint, or the Concept of Operations (Con Ops), both the AMA and RACGP raised concerns about the medico-legal ramifications of the scheme.

A key concern is how patient information will be shared and interpreted.

Dr John Bennett, chair of the RACGP e-health national standing committee, says information held in GPs’ electronic records should meet college standards – there are currently no clear guidelines about what the information in the PCEHR should cover.

While the Con Ops states patients can set access controls around who views their information and restrict access to sensitive information, Dr Bennett questions how well this will work in practice.

There may be dangers in patients omitting certain providers from viewing information, as it could result in these providers making clinical decisions without the full picture, he says. “This information is going to an unknown audience.”

AMA president Dr Steve Hambleton questions whether the selective sharing of information is really in patients’ best interests.

“It will not lead to safer care or reduce adverse medication events if all treating doctors do not have access to the critical medical information,” he says.

“Doctors have to be sure that the medical information on the PCEHR comes from a trusted source, without material omissions. Only medical practitioners should contribute medical information to the PCEHR.”

Patients can already legally access their medical records and see what their GP has written about them. But the PCEHR will enable them for the first time to make notes about GPs’ entries.

This raises legal questions as to whether – and when – the GP has any legal or professional obligation to review the patient’s notes and comments, says MDA’s medico-legal and advisory services manager, Dr Sara Bird.

Dr Bird’s understanding is that GPs will still have their own medical records relating to the patient and the PCEHR is an additional record that will, in part – at least initially – provide a health summary.

Yet there will still be complex legal issues around who ‘owns’ the PCEHR. “For example, if a subpoena for a PCEHR is issued, who should it be directed to?” she asks.

Then there’s the issue of who views the records. It is proposed that transactions within the PCEHR will be recorded in the system’s log and an individual will be able to request audit trail information from the PCEHR system operator, says a spokesperson from the Department of Health and Ageing.

Dr Juanita Fernando (PhD), chair of the Australian Privacy Commission’s health subcommittee and a lecturer at Melbourne’s Monash University, says the technical aspects of these ‘audit trails’ are fine, but the Federal Government has not given enough consideration to the ways people can still view the information without being detected.

“My understanding of the Con Ops suggests the audits will show which organisations have accessed a record and also the machine role of people writing to the record,” Dr Fernando says.

“But it will not show whether unauthorised people have actually looked at a record, downloaded it or printed it.”

She says if a health worker is accused of a data breach, all they need to do is resign their position to avoid liability. Recent cases support this view. In March 2010, Medicare Australia’s eBranch head Sheila Bird told a Senate inquiry there were 70 substantiated privacy breaches from investigations into around 950 employees suspected of having “unauthorised access” to client records.

Dr Fernando does support the government’s plans to store e-health records in a number of decentralised repositories, rather than in one central location.

She says a centralised repository is actually more vulnerable to cyber attack, and millions of records are potentially vulnerable, not just a few thousand.

“Also, most breaches are due to insider threat,” she notes.

The government has not announced any ongoing funding for the PCEHR beyond the 2012 implementation date, and there is no commitment yet to give GPs financial incentives to take on the role of nominated providers.

This is despite GPs’ concerns that the scheme will increase their workload.

Will GPs be required, for example, to look at everything patients write in their diary? If they notice something of concern a patient has written, are they obligated to follow it up? What are their responsibilities in terms of updating information? Are they expected to educate health consumers on the finer details of how their information will be shared between healthcare providers?

A Health Department spokesperson has told MO the government is exploring ways to encourage GPs to be involved in the system and hinted payments could eventually be made through the Practice Incentive Program.

She says the PCEHR will decrease, rather than increase, doctors’ workloads over time by giving current, comprehensive information about patients rather than relying on their memory or having to follow up with other health professionals the patient may be seeing.

The legislation and governance process for the PCEHR system is currently being developed, and as part of this process, a legislation issues paper was recently released for comment.

A consortium that includes the Australian General Practice Network has also been engaged to roll out the ‘change and adoption program’ for PCEHR.

AGPN chair Dr Emil Djakic says the consortium will focus on training and supporting the health workforce to ensure that general practice and the rest of the health care sector is ready to implement PCEHRs.

By and large, doctors strongly support the introduction of shared electronic health records, which should generally benefit patients, the health system and doctors.

“If [the scheme] improves the availability of information to healthcare providers it will help people,” Dr Bennett says.

“But there are still many questions… The more time we have considering this before it is implemented, the better.”