E-Health Records: Security Implications and personal records

On the 28th November I attended a Health Informatics Society of Australia (HISA) WA Branch event on Security Issues Associated with E-Health and the PCEHR – for those that don’t know that stands for Personal Controlled Electronic Health Record – presented by Dr Trish Williams who has a PhD in Medical Information Security and is a Senior Lecturer in the School of Computing and Security Science at Edith Cowan University.

The first thing I noticed at this presentation was the large number of acronyms that are used. The second thing I noticed was that there seems to be a rush by the Federal government to get the PCEHR in place as well as the national rollout of the E-health system by July 2012, and yet there still seemed to be lots of questions.

I think the point that was important to me was that E-health Records is quite an independent project from PCEHR and that the PCEHR will be a front sheet summary of an individual’s E-health record. If I choose to opt out of the system then my PCEHR will not be populated or kept up to date by my GP, and later if I choose to opt in then it will have to be populated. I wasn’t sure what would happen if I initially opted in, and then opted out and my GP closed their practice and I hadn’t had my records transferred to another GP. Of course the question that all this raises is who owns the medical record? In the past I have had a GP close and I was required to have my new GP request my medical record to be transferred to them. So this would indicate that the information contained in the record is about me but the medical practice owns the records. Does that mean that if my GP records all the medical information about me into the Federal E-health system that the records are owned by the medical practice and the government? I am assuming that the GP will have either a paper based or E-health software system that will allow for the downloading of the medical information about me into the national system. So how many copies of my health record will there be? And who owns it? How will it be used? And when will it be deleted? There was some talk about 60 years retention but that is going to make for some very large data storage requirements.

Besides the simplistic points I have raised as Ms Jane Citizen visiting my GP and deciding whether I want access to my own personal health record, I also gathered from Dr Williams’ presentation that there were some other issues:

• The complexity of the Australian health model because of the public and private services and as individuals we can choose who we see.
• There are no mandatory security laws requiring the reporting of breaches.
• Security is generally not integrated into workflow very well.
• It needs to be recognized that E-health will become critical infrastructure much like the power, water and banking services.
• Risk and Responsibility are important aspects of the systems.
• Individuals must opt in to the PCEHR, and for it to be successful there needs to be a critical mass which an opt-in scheme may not deliver.

The final fact I found a little disconcerting was that on average a security breach remains undetected for 5 months.

Shirley R Cowcher