GPs and other practitioners have been using their unique e-health identifying number as a log-on for the AHPRA website since 2010 without being given any advice on security provisions or even warned the two numbers are the same.

Practitioners will use their Healthcare Provider Identifier (HPI-I) number to access patient information under the personally controlled e-health records system (PCEHR) and the number will be used to track each practitioner’s use and access of that information.

An AHPRA spokesperson confirmed their website log-on was comprised of the last 10 digits of a practitioner’s HPI-I. The first six digits of the HPI-I are common to every AHPRA registered practitioner.

AHPRA informed each practitioner of their HPI-I in 2010 but most practitioners never made the connection between the two numbers and MO understands the issue was only brought to the attention of NEHTA during recent PCEHR testing.

RACGP e-health spokesperson Dr Mike Civil said it was “just unbelievable” practitioners had not been made aware of the double-use of the HPI-I.

“GPs are being told on the one hand that security will be very important to the e-health system but then are not told about something as important as the use of our fundamental e-health identifier as a log-on for a different system,” Dr Civil said.

“I can understand why a lot of the profession might take the view that it would be better to wait until all these issues are ironed out before signing up and that is going to make the participation rates that much lower.”

Australian Privacy Foundation health subcommittee chair Dr Juanita Fernando said the fact GPs were using their HPI-I without realising it was “really alarming”.

“People are not being skilled or properly equipped to use these tools,” Ms Fernando said.

“The need for patient information to remain private and confidential deserves respect and I don’t see a lot of evidence for that in the process so far.”

However Southeast Melbourne Medicare Local e-health strategy and stakeholder engagement manager Paul Macdonald said he was unaware if the issue presented any serious security concerns and the coming registration renewal period could be used to raise awareness of the HPI-I and related issues.

Canberra University Centre for Internet Safety director Nigel Phair said log-on and password security for patients and practitioners would be the weakest points of the PCEHR system.

“I am confident the information within the system itself is 100% secure, but it is a bit like having the armoured truck picking up bags of cash from one cardboard box and delivering them to another,” Mr Phair said.