
Submission: HealthConnect Interim Research Report and Draft Systems Architecture (February 2004)



Table of Contents

Executive Summary

Introduction

Regulatory Measures

Regulation of privacy and HealthConnect

The approach to privacy

Recognising risks and benefits

Ensuring privacy protection

Consent models

Legislative measures for privacy protection

National Health Privacy Code and HealthConnect

Specific HealthConnect legislation

Oversight mechanisms

Technical Measures

HealthConnect systems architecture

HealthConnect technical model and privacy issues

National co-ordination layer

Messaging models

Multiple system owners

Interaction with other systems

Data linkage and other systems

Automatic uploads to HealthConnect

Implementation

Implementation plan

Expansion and extension of trials

Identification and registration systems

Registration

Role of the private sector

External pressures

Summary

Index

HealthConnect Interim Research Report and Draft Systems Architecture

Executive Summary

a) The Office of the Federal Privacy Commissioner welcomes the opportunity to comment on the HealthConnect Interim Research Report[1] (the Interim Report) and Draft Systems Architecture. These documents encompass the research and development undertaken to date on the concept of a national health information network, as proposed by the National Electronic Health Records Taskforce.

b) The importance of protecting privacy is acknowledged throughout the Interim Report. The importance and sensitivity of personal health information is recognised in proposing that an individual will retain control over their health information. In setting out the preferred implementation model, the Interim Report states that ‘…[t]o protect privacy in HealthConnect an individual must be able to control what information is included on his/her record, as well as who has access to that record.’

c) The Interim Report advocates the importance of effective legislative mechanisms and protocols to ensure privacy protection, including, for example, in controlling who can see and use data from HealthConnect.[2] However, there is a risk that an over-reliance on legislation and other codified rules may lead to inadequate protection for highly sensitive health information, particularly if it is not also supported by technical measures, which may happen if those measures remain focused on IT-security mechanisms. Accordingly, privacy considerations must also be taken into account and addressed in a substantive way at the technical design and implementation stages. Moreover, the discussion on the content of the proposed rules tends to emphasise other important social considerations that compete with privacy, suggesting that privacy protections may be accorded a lower level of protection than the balance currently reflected in national privacy legislation. This Office believes that in many instances important health and social research can be performed in ways that do not compromise individuals’ privacy.

d) It is proposed that the technical measures will be addressed by way of a framework covering matters such as identification/authentication, access control mechanisms, message protection, monitoring and detection mechanisms, and audit/logging processes. Significantly though, while security is an important element in promoting privacy, it does not address all aspects of privacy associated with the technical architecture of HealthConnect, thus raising the potential that other considerations necessary to ensure a workable privacy protection scheme may be overlooked if there is a pre-determined focus on security. A more sophisticated approach may be to consider privacy enhancing technologies (PETs), including biometric identifiers and forms of anonymisation and pseudonymisation, as the base for the system – this will help ensure that privacy is built in.

e) There seems merit in undertaking more thorough consideration of the practical implications of some of the proposed design elements and implementation considerations. As a back-end system of common policies, common standards and systems architecture, but with multiple system-owners and information technology vendors providing various components and interfaces, there are a range of privacy risks and areas where the proposed system functionality appears to contradict the stated privacy objectives. The interaction of HealthConnect with clinical and patient information systems is one area in particular where there is some inconsistency in the documents regarding the principles underpinning the consent policy framework. There are several other aspects of the design elements that raise questions about privacy issues, including the proposed three-tier systems and the messaging models.

f) There are a number of other implementation issues that seem to require further analysis or clarification. One such issue that will require careful consideration is how the information collected into HealthConnect will be handled by others. The consent policy framework appears to focus on whether a health record in HealthConnect is created (that is, whether an individual opts to participate) and who can access the record, with less attention given to how the information in that record is handled by those with access to HealthConnect.

g) Another key implementation issue of relevance to privacy is the reference, on a number of occasions, to the possible use of the Medicare number as a form of authentication and identification of patients. This Office has previously commented that the use of such a tool for the purposes of identification and authentication is flawed on a number of grounds, and would represent a misguided application of old technology.

h) Consent is one of the key mechanisms by which control by an individual of their personal information will be achieved.[3] While a number of consent models have been considered by the HealthConnect project, this Office suggests that a form of layered consent be considered. While the importance of effective privacy protections is recognised in the Interim Report, the concept of an individual having control over the collection, use and disclosure of their health information appears to be challenged in a number of places by the interaction of legislative, technical and structural elements. This issue may be partly addressed by a more robust and yet flexible consent model, such as the layered approach proposed in this submission.

i) In regard to organisational practices, the various documents suggest that these will include measures such as staff training, although there is little discussion of other possible organisational measures that could be implemented to enhance privacy, including creating organisational cultures that enhance privacy. While many may argue that such cultures are already prevalent in the health sector, this submission will suggest that while confidentiality and ‘security’ are important elements of privacy, and are generally well understood in the sector, they are not synonymous with privacy, which includes such concepts as individual control over one’s own personal information.

j) Further consideration of the privacy implications of elements of the implementation approach is required in relation to: the roll-out; the involvement of the private sector; and the external pressures for HealthConnect.

k) Specific points made in this submission are summarised at the end of the Submission.

 

Introduction

1. The Office of the Federal Privacy Commissioner welcomes the opportunity to comment on the HealthConnect Interim Research Report[4] (the Interim Report) and Draft Systems Architecture. These documents encompass the research and development undertaken to date on the concept of a national health information network, as proposed by the National Electronic Health Records Taskforce. Australian, state and territory Health Ministers agreed on a set of seven key research questions for the project to address about the value, feasibility, implementation and governance of the HealthConnect concept. This submission will focus on only one of those questions: what will be necessary to manage privacy? In addressing this question, however, it is necessary, in places, to examine privacy implications reported upon and affected by the remaining six research questions.

2. The Interim Report explains that privacy arrangements for HealthConnect are likely to comprise a multi-layered approach incorporating:

  • legislation and policy rules;
  • technical and security measures; and
  • organisational practices.[5]

3. The legislative measures discussed in the Interim Report include the proposed National Health Privacy Code and specific establishing legislation for HealthConnect. The Interim Report also makes occasional reference to the Commonwealth Privacy Act 1988, in particular to explain that state and territory government health service providers do not fall within its jurisdiction. It is proposed that the technical measures will be addressed by way of a security framework covering matters such as identification/authentication, access control mechanisms, message protection, monitoring and detection mechanisms, and audit/logging processes. In regard to organisational practices, the various documents suggest that these will include measures such as staff training, although there is little discussion of other possible organisational measures that could be implemented to enhance privacy.

4. Under the proposed model, with the individual’s consent their health related information would be collected in summary form in standard electronic formats (as “event summaries”) at the point of care, for example a hospital or general practitioner’s surgery. With the individual’s consent, health providers would be able to access information for subsequent episodes of care, regardless of their location, and enter additional event summaries. Similarly, the individual themselves would have access to the information.[6]

5. This submission focuses on the need to ensure that privacy protections are achieved on a practical level, in addition to being enforced by legislation. To be achievable in practical terms, privacy must be designed into both the systems architecture and the implementation model. While this is presumably what is meant where privacy is referred to as a “building block” and a “Common Service”, it is not always clear that privacy is inherent to the structure and implementation strategy for HealthConnect. The issues to be discussed in this submission have been loosely arranged into three semantic categories:

  • Regulatory Measures: which will discuss the reliance on legislation, privacy rules or protocols for privacy protection;
  • Technical Measures: which will consider technical issues and the implications of the proposed HealthConnect Draft Systems Architecture for privacy protection; and
  • Implementation: which will examine the privacy issues raised by the proposed implementation approach and other practical measures necessary to ensure adequate privacy protection.

6. While the above categorisation is useful for the purpose of structuring this submission, many of the matters will inevitably cut across more than one category: for example, issues such as ‘consent’ and ‘secondary uses’ could arguably fall into two or all categories.

7. While this Office recognises that the documents under discussion represent a significant drafting effort, it is notable that they seem to contain some internal inconsistencies. This is best evidenced, for example, in the discussion of complaint handling (see para. 56). Given the need to distil a clear picture of how the system is intended to operate, there appears to be merit in the HealthConnect project being exposed to a formal Privacy Impact Assessment (PIA). Such an assessment could be conducted by a recognised, independent third-party expert with experience in such large scale projects. The value of a PIA for HealthConnect could be to effectively ‘unpack’ these issues in a rigorous manner, combining both the requisite technical and policy considerations. Such an assessment would be invaluable in gaining community trust in this project. The Office is currently developing guidance material on PIAs.

Regulatory Measures

Regulation of Privacy and HealthConnect

8. One of the key research questions in the HealthConnect project is Question 6: “What will be necessary to manage privacy?”. The Interim Report states that a robust privacy framework will be a critical component of the HealthConnect model, to ensure adequate privacy protection for both consumers and providers,[7] with privacy arrangements expected to comprise a multi-layered approach incorporating:

  • legislation and policy rules;
  • technical and security measures; and
  • organisational practices.[8]

9. However, consideration of the privacy question in the Interim Report tends to focus largely on regulatory arrangements, such as legislation and other codified rules. While there is some consideration of technical security measures, there is little substantive attention to the structural and organisational measures needed to ensure privacy protections. This Office submits that while legislation may be useful in regulating what activities should not be done, other measures, including technical measures, are equally necessary to determine what activities cannot occur.

10. This Office proposes that a more balanced and coherent framework for protecting privacy requires consideration of:

  • legislative measures;
  • technical measures, including but not limited to data security initiatives;
  • organisational practices and culture; and
  • mechanisms which promote confidence in the system by encouraging transparency and openness, including provision for audit and independent complaint handling.

The approach to privacy

11. The manner in which privacy is regulated in HealthConnect is intrinsically linked to how the concept is defined and understood. The documents make repeated references to privacy and the need to ensure adequate privacy protections. The Interim Report acknowledges that in order to be successful, health consumers’ concerns about privacy need to be adequately addressed.[9] In discussing these concerns, the Interim Report suggests that inappropriate handling of personal information is problematic due to the possible adverse consequences for the individual, such as being socially ostracised, embarrassed or experiencing difficulty gaining employment.[10] These and similar concerns are valid, but by themselves they do not serve to promote the creation of the desired privacy-enhancing HealthConnect system. What this approach to privacy suggests is that, in effect, “privacy” is important only insofar as its potential abuse could result in some consequence, determined solely by the presence or absence of adverse effects.

12. In contrast, there seems much merit in building HealthConnect from a foundation where the understanding of privacy is less contingent on the possible direct outcomes of the system. Privacy is a key element of human dignity, often encapsulated by the phrase ‘the right to be let alone.’[11] Inherent in privacy are the notions of respect and of freedom from interference or intrusion, thus making it an important human right, regardless of the functional design of systems and processes. Intrusive or intentionally beneficent uses of personal information can offend an individual’s sense of their privacy, even if there are no external negative consequences.

13. Recognising the breadth of privacy may be helpful to ensure that HealthConnect genuinely allows individuals to feel that their human dignity is being respected. This starts with genuine empowerment of individuals in regard to their personal information and, where this is not possible or appropriate (for example, emergencies or reduced patient mental capacity), confidence that their human dignity will still be respected. This point also has an impact on clinical outcomes. Individuals need their personal health information handled in a private manner. Where this need is not met, there is a chance that they may elect not to participate in the HealthConnect system, or even to avoid health services more generally. If HealthConnect takes such an approach to privacy, then it is more likely that individuals will be able to actively participate in the handling of their personal information, and thus gain confidence and trust in the system. It is axiomatic that an individual’s willingness to engage in the health sector may be affected by their perception of how their personal health information will be used and how much control they can exert over it.

14. It should be noted that Research Report 5 (‘What will be necessary to manage privacy’) appears to confuse “confidentiality” with “privacy”. Confidentiality is an element of privacy, but the two are not the same. Confidentiality is primarily about not disclosing information to other parties, or outside an organisation. Generally, it does not address how information is dealt with inside an organisation. Also, common law obligations of confidentiality may cover information which is not personal, such as financial information about a company. Where personal information is concerned, confidentiality is important, but privacy is a broader concept, covering matters such as:

  • collecting personal information in a respectful and non-intrusive way;
  • ensuring that personal information is accurate and up-to-date;
  • only using and disclosing information appropriately and in most instances in ways the individual would reasonably expect or to which the individual has consented;
  • allowing the individual concerned to access their information and correct it if necessary; and
  • ensuring that an organisation has clear and understandable policies on the way it handles personal information.

15. The references to privacy protection throughout the documents appear to focus heavily on maintaining ‘confidentiality’ within the health system, without sufficient consideration of these broader dimensions of privacy. For example, in Research Report 5, the discussion under heading 2.1 (‘Common law and ethical obligations in relation to privacy’) refers only to the concept of confidentiality. The documents also tend to emphasise dealing with the HealthConnect record itself, rather than the implications of the system for the broader life-cycle of health information from the time it is collected and added to a record, including the uses and disclosures of the information from health records.

16. The Interim Report states that concerns about privacy can be addressed by providing an ‘acceptable level of individual control’ over:

  • access to the record;
  • access to specific information held in a record;
  • processing of the record;
  • movement of the record;
  • amendment of the record; and
  • the degree of automatic notification to the consumer of who has accessed, processed or moved the record.[12]

17. This list of matters covers access privileges, structure and communication of an existing record. However, it does not cover the way in which personal information is originally obtained or how and when the record is created, nor does it cover acceptable or appropriate uses and disclosures of information held within a record. In addition, the notion of ‘acceptable level of control’ raises the question - acceptable to whom? For example, what is deemed reasonable by the health service provider, health managers, policy makers, or the HealthConnect authority, may not be acceptable to the individual. The report notes elsewhere that:

There is some evidence that the general approach of some researchers has been focused much more on the information needs to pro-actively take a health topic forward than the privacy needs of the subjects of their research.[13]

18. Other sections of the Interim Report provide some discussion of controls on the use of personal information. Such discussions assume that it is inherent and unavoidable that the personal information collected into HealthConnect will be available for secondary purposes, such as clinical governance and research. At first glance, this may seem obvious, as medical research is among the other important social considerations that may compete with privacy. Often, however, discussions regarding secondary uses of personal information, especially for research, highlight the perceived conflict between important competing interests, including privacy. A more sophisticated view is to recognise that individuals’ privacy and public health/clinical research need not be mutually exclusive. This Office believes that such research should routinely be designed so that it is conducted openly and transparently, in ways that guarantee the anonymity of data and prevent re-identification, and thus without undermining individuals’ privacy. Only on those relatively few occasions where it may not be possible to conduct research in a way where anonymity is assured will it be necessary to make judgements as to where the balance is achieved and what other protective measures are needed in undertaking research in an identified manner. However, the starting point should never be the assumption of the need for such a trade-off. The Guidelines issued under sections 95 and 95A of the Privacy Act are formulated in a way that reflects this kind of sequential testing.

19. Report 5 also highlights the potential ‘marketing and related commercial uses’ that constitute such secondary use.[14] Although noting elsewhere that such uses are unlikely to be acceptable to individuals, there does not appear to be any express statement that they will be prohibited.

20. More broadly, the Interim Report states that ‘HealthConnect seeks to make significant change and be a catalyst for even more change, in the way health services are delivered’.[15] Similarly, the HealthConnect system will be technically designed to be ‘future proofed’ to allow for ‘…changing definitions of specific event summaries’.[16] However, the privacy implications of such a change process, both external and internal to the system, for the handling of the individual’s personal information does not appear to have been considered in great depth. Consideration of the broader context, including how HealthConnect will impact on the handling of health information both within and outside the health sector, will be necessary to ensure that personal privacy for health information is not eroded with a subsequent loss of public trust. In addition, there seems merit in requiring that stakeholder consultation is undertaken before any new operational directions are pursued.

Recognising risks and benefits

21. Consideration of the broader context for HealthConnect is needed to draw a clearer picture of the privacy risks and benefits. The Interim Report states in a number of places that HealthConnect could be expected to bring about significantly improved privacy arrangements for health records.[17] This finding is based on the potential for HealthConnect to:

  • allow individual consumers easier access to their health records; and
  • log access to records and provide audit trails that would enable individuals to ascertain who has accessed their HealthConnect record.

22. These are potential privacy benefits for individuals. However, there are also significant privacy risks associated with any electronic health records system. The Interim Report notes that both consumers and providers have expressed concerns about the degree to which privacy can be protected including who would be able to have access to these records using emerging information and communications technologies.[18] Exploration of the risks does not appear to have been given due weight in the discussion of risks and benefits. The perception of these risks is likely to affect individuals’ attitudes to the privacy of their personal information and, consequently, whether they elect to participate in the system.

23. Research published in 2001, for example, disclosed that 1 in 10 respondents to a South Australian survey were not confident that health care providers keep and use information responsibly,[19] while US research concluded that ‘[o]ver half of all US adults… say the shift from paper record-keeping systems to computer-based systems makes it more difficult to keep personal medical information private and confidential’.[20] Such concerns raise the possibility that individuals may either refuse to participate in the HealthConnect system or be hesitant to fully disclose information about their condition out of fear that it may become known to an unintended third-party.[21]

24. HealthConnect could vastly increase the capacity to collect, store, copy, transmit, share and manipulate health information. Electronic information can flow much more rapidly and widely than paper based information. Increasing interconnections between information networks allows personal information to be collected, matched and used for many purposes by many more people in both public and private institutions. Consequently, as more potent and connected data is created, more data uses will be generated.

25. The increase in the ease of movement and levels of connection of health information can create benefits in greater efficiencies in the public and private health sectors. It can also pose risks to privacy. There are significant risks that an individual’s health information could be used or disclosed in ways they would not expect. For example, a well known Canadian case exposed the potential for electronic health records to be accessed by individuals without just cause. In this 2002 case, electronic health records of two well-known patients were improperly accessed by non-authorised staff of the University Health Network in Toronto.[22]

26. Other listed potential privacy benefits of HealthConnect could be eroded without careful consideration of how those records fit into and shape the larger flows of personal information throughout the health system. For example, audit trails could be bypassed if there are no technical or organisational protections to prevent printouts of HealthConnect records being used for unauthorised uses or disclosures, or to prevent electronic copies being created and distributed in an unauthorised manner. Only recently, the Office handled a complaint where precisely this kind of event occurred.

27. Further, it should be recognised that an audit trail of an individual’s interactions with HealthConnect may itself be incompatible with privacy, in that it could constitute a rich form of data recording and monitoring the individual’s behaviour toward their health information and their use of the health system. Consideration is needed regarding whether each individual’s interaction with the system should be recorded at all, other than anonymously or pseudonymously.

Ensuring privacy protection

28. Throughout the documents, there are a number of general assurances made about how privacy will be protected, such as the following:

  • Privacy and informed consent to ensure that only that information that the customer wants stored and available for access is supported.[23]
  • Key principles that should underpin the HealthConnect consent policy are:

    a) participation in HealthConnect is voluntary and informed; and

    b) individuals will be able to control who has access to what information about them, in accordance with the agreed privacy framework for HealthConnect.[24]

  • The design principles provide that the consumer shall determine who has access to their electronic records data and the duration of that access.[25]

29. The health records systems (‘HRS’) service requirements list the Privacy and Consent Service as a top level functional requirement. As key business requirements the service must:

  • work within the bounds of relevant laws and specifically the Privacy Framework that is developed for HealthConnect;
  • enable customers to grant, view and revoke consent to access EHR records for specified periods to specific providers and/or provider organisations and support the concepts of guardianship, carer and health team roles; and
  • provide an audit trail that enables reporting on the consent history for each consumer’s EHR.[26]
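The three business requirements listed above (consent granted, viewed and revoked for specified periods to specific providers or provider organisations, with a reportable consent history) describe a small access-control model, and paragraph 27 adds the caveat that the trail of an individual’s own interactions should not itself become a rich identifying record. The following Python sketch is an added illustration written for this submission’s readers; it is not HealthConnect code and the HealthConnect design documents do not specify an implementation. All identifiers (`c1`, `dr_smith`, `rhh`, the key bytes, the dates) are constructed, and the choice to replay an append-only consent log for point-in-time decisions and to store a keyed pseudonym rather than the raw consumer identifier in the access log are the example’s own assumptions.

```python
"""Time-bounded consent registry with an append-only consent history.

Added example, not HealthConnect code. Consent decisions are made by replaying
the consent log up to the moment of the access request, so the same log that
answers "may this provider see this record now?" also answers "what had the
consumer consented to on a given date?" (the consent-history report).
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed demo key: a real deployment would keep this in a key-management
# service so the access log cannot be re-identified by anyone holding the log.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed reference date used by the demo scenario below.
T0 = datetime(2004, 2, 1, tzinfo=timezone.utc)


def day(n: int) -> datetime:
    """Helper: T0 plus n days (constructed timeline for the demo)."""
    return T0 + timedelta(days=n)


def pseudonym(consumer_id: str) -> str:
    """Keyed one-way pseudonym so the access log carries no raw consumer id."""
    return hmac.new(PSEUDONYM_KEY, consumer_id.encode(), hashlib.sha256).hexdigest()[:16]


@dataclass(frozen=True)
class ConsentEvent:
    when: datetime
    action: str                      # "grant" or "revoke"
    consumer_id: str
    grantee_id: str                  # a provider id or a provider-organisation id
    record_type: str                 # e.g. "event_summary", or "*" for all
    valid_from: Optional[datetime] = None
    valid_until: Optional[datetime] = None


class ConsentService:
    def __init__(self, memberships: dict[str, set[str]]):
        self.memberships = memberships            # provider id -> organisations
        self._consent_log: list[ConsentEvent] = []  # append-only; never edited
        self._access_log: list[tuple] = []          # (when, pseudonym, provider, type, allowed)

    def grant(self, consumer_id, grantee_id, record_type, valid_from, valid_until, now):
        self._consent_log.append(ConsentEvent(now, "grant", consumer_id, grantee_id,
                                              record_type, valid_from, valid_until))

    def revoke(self, consumer_id, grantee_id, record_type, now):
        self._consent_log.append(ConsentEvent(now, "revoke", consumer_id, grantee_id, record_type))

    def _active_grants(self, consumer_id, at):
        """Replay consent events up to `at`; later revocations cancel earlier grants."""
        active = {}
        for ev in self._consent_log:
            if ev.consumer_id != consumer_id or ev.when > at:
                continue
            key = (ev.grantee_id, ev.record_type)
            if ev.action == "grant":
                active[key] = (ev.valid_from, ev.valid_until)
            else:
                active.pop(key, None)
        return active

    def is_permitted(self, consumer_id, provider_id, record_type, at) -> bool:
        """A grant to the provider, or to any organisation it belongs to, suffices."""
        grantees = {provider_id} | self.memberships.get(provider_id, set())
        for (grantee, rtype), (start, end) in self._active_grants(consumer_id, at).items():
            if grantee in grantees and rtype in (record_type, "*"):
                if (start is None or start <= at) and (end is None or at <= end):
                    return True
        return False

    def check_access(self, consumer_id, provider_id, record_type, at) -> bool:
        """Decide, then log the attempt under a pseudonym (allowed or not)."""
        allowed = self.is_permitted(consumer_id, provider_id, record_type, at)
        self._access_log.append((at, pseudonym(consumer_id), provider_id, record_type, allowed))
        return allowed

    def consent_history(self, consumer_id) -> list[ConsentEvent]:
        return [ev for ev in self._consent_log if ev.consumer_id == consumer_id]

    def access_log(self) -> list[tuple]:
        return list(self._access_log)


def demo() -> dict:
    """Constructed scenario: a 30-day grant to an organisation, later revoked."""
    svc = ConsentService(memberships={"dr_smith": {"rhh"}, "dr_jones": set()})
    svc.grant("c1", "rhh", "*", valid_from=day(0), valid_until=day(30), now=day(0))
    results = {
        "member_next_day": svc.check_access("c1", "dr_smith", "event_summary", day(1)),
        "non_member": svc.check_access("c1", "dr_jones", "event_summary", day(1)),
        "after_expiry": svc.check_access("c1", "dr_smith", "event_summary", day(40)),
    }
    svc.revoke("c1", "rhh", "*", now=day(5))
    results["after_revoke"] = svc.check_access("c1", "dr_smith", "event_summary", day(6))
    # Consent-history report: what was the position on day 2, before the revocation?
    results["historical_day2"] = svc.is_permitted("c1", "dr_smith", "event_summary", day(2))
    results["history_len"] = len(svc.consent_history("c1"))
    results["log_has_raw_id"] = any("c1" in entry for entry in svc.access_log())
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Replaying the log rather than mutating a current-permissions table is what makes the consent history reportable without a second data store, and it means a revocation can never silently delete the evidence that a grant once existed. The access log keeps the provider identity (needed for accountability) but only a keyed pseudonym of the consumer, so a copy of the log on its own does not reveal which individuals used the service.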

30. These assurances suggest that there is a strong commitment to privacy protection and to ensuring that individuals can exercise choices about how their health information would be handled in HealthConnect. However, in a number of places in the report there appear to be inconsistencies concerning these general assurances, and more substantive analysis is required to ensure that this commitment is fulfilled. For example, throughout the documents there is an assumption that personal information in HealthConnect will be used for secondary purposes, with managers, policy makers, clinical leaders and researchers identified as key secondary users.[27] The consent models canvassed in the trial appear to only address use by providers, notwithstanding the recognition in the Interim Report that consumers are likely to be wary of secondary uses.

Consent Models

31. Consent must be both free and informed. The individual should not be coerced to participate in, or agree to various uses/disclosures, nor should access to services be sufficiently dependent upon participation as to make consent effectively mandatory. The choice to give consent (and indeed to participate in the system) must be a genuine choice. A genuine choice means unfettered by undue moral or financial suasion or penalties. The individual should have a clear understanding as to what it is they have consented to, and whether that consent may be withdrawn. The requirement of informed consent raises the issue of ensuring that an appropriate balance is reached between providing the individual with sufficient information to make a decision, and not overloading the individual’s capacity to absorb and consider the details.

32. A range of consent models have been proposed for HealthConnect.[28] These models vary in the sense of providing more or fewer options to the consumer from which they may choose when determining access rules for their personal information. There is a need to ensure that consent models are not onerous for individuals and providers but still give full and meaningful choice and control to the participant. We note, for example, the mixed results concerning consumers’ understanding of consent choices during the Tasmanian trial, and the suggestion that the literature may have required too high a level of literacy.[29]

33. Some envisaged uses of identified health information may not be consistent with the expectations and wishes of the participating individuals. The Interim Report acknowledges that consumers generally expressed strong reservations about the use of personally identifying information for any purposes other than their own clinical care.[30] This view is supported by the research on community attitudes to privacy conducted by the Office, which found that:

  • 66% of respondents believed that individual inclusion in a national health database should be voluntary;
  • 61% of respondents thought that an individual’s permission should be sought before using their unidentified health information for research purposes; and
  • 41% did not agree that their doctor should be able to discuss identified medical details with another health professional in order to assist treatment without their consent.[31]

If the privacy arrangements are intended to define a standard set of allowable uses and disclosures, which would be difficult or impossible for individuals to opt-out of, then reliance on consent to opt-in to HealthConnect overall is not likely to be sufficient to allow genuine choice. The implications for the individual of opting-in need to be carefully considered before it could be said that the individual has a genuine choice.

34. The Interim Report also raises concerns in that there are repeated suggestions that consent models, and hence the degree of an individual’s control over what happens to their personal health information, may be diminished by the need for timeliness and system efficiency.[32] It is not clear how much individual choice and control over records would be allowed under the proposed privacy and consent framework, as it is yet to be developed. In the ‘lessons learned’ sections on electronic health records systems case studies, the Interim Report suggests that a more ‘simplified’ or ‘pragmatic’ approach to consumer consent should be considered for HealthConnect.[33] This is a welcome aim, but cannot be achieved at the cost of less choice and fewer controls for individuals.

35. In the Tasmanian trial, consent protocols included the prerequisite that consumers provide blanket consents for all authorised health providers within the Royal Hobart Hospital to view their records and for the private pathology practice to view a specific set of information. The consent protocol obliged health care providers to ensure consumer consent for each occasion on which the provider sent an event summary to HealthConnect. The early evaluation findings of the Tasmanian fast-track trial raise some concerns regarding consent, particularly the suggestion that ‘…[c]onsumers are not yet empowered to control the extent to which their information is being shared between participating providers…’ and that ‘…[g]eneral practitioners tend to presume consumer consent has been given [to update event summaries]’.[34] This finding was reflected in consumer focus groups, where it is concluded that ‘there was little evidence of providers seeking consent to submit event summaries to HealthConnect.’[35] In contrast to this practice, ‘…[c]onsumers believe[d] that access to and update of HealthConnect should occur whilst they are present’.[36]

36. While the HealthConnect project deserves credit for considering a range of consent models, which may provide either fewer or greater options (ie simpler or more complex decision making) from which the individual may choose to consent, there is a risk that the outcome of this process may be a single consent model applied uniformly, regardless of the circumstances of the individual. This may not be the most effective way to empower individuals and encourage their trust and participation in HealthConnect. In contrast, this Office proposes that consideration be given to a form of consent model that permits a more nuanced approach to dealing with consent. In turn, this approach reflects the reality that different people will relate to the system in different ways. A layered-consent model may provide a solution to the problem of designing an appropriate approach.

37. In developing such a model, the design of HealthConnect could usefully draw on facilities common in internet web browsers which permit a security level to be defined by the individual according to broad categories, each of which then specifies security settings at a more refined level (for example, whether to enable or disable plugins, active scripting, automatic downloads and so on). Under such a system in HealthConnect, the individual could elect to apply pre-defined levels of privacy protection (ie ‘low’, ‘medium’ or ‘high’) to a given event. Each level of protection, in turn, applies predefined default values to various constituent parts of the system. An individual may, however, elect to refine the degree of protection, or the scope of consent. This approach would permit the individual to override the default values of each level if there is some specific need or concern.

38. For example, in HealthConnect a routine consultation with a general practitioner for a common cold may be allocated a ‘low’ privacy setting by the individual, indicating that the individual is comfortable with that event summary being available to all or most potential users of their health record. This ‘low’ setting would automatically apply the appropriate privacy consents to the various elements of the system. However, the individual may elect, for their own reasons, to refine the standard default values of the ‘low’ level by denying consent for a particular person or for a particular use.

39. This system could be further enhanced where HealthConnect facilitates choice depending on the nature of the event. Matters which are likely to be highly sensitive to most individuals, such as sexual health and mental health, could carry default privacy protection levels of ‘high’, which the individual could elect to amend if desired. Such a level would equate to a more limited consent for that information to be accessed, disclosed or used.

40. This system could permit a broad range of options to be available for the individual to consent to, while reducing the necessity for the individual to routinely consent to each option (ie who has access and for what purposes), in each event (ie consultation, treatment etc). This is potentially a useful way to build a relatively simple consent model which retains flexibility for an individual who has specific sensitivities or concerns. The HealthConnect project would not be required to choose between relatively static consent models, which fail to take into account that individuals vary in their degrees of sensitivity toward health information, their level of concern regarding privacy and their capacity or willingness to consider complex decision choices.
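The layered consent model set out in paragraphs 37 to 40, written out as an added example (this is illustrative code, not part of the submission or of HealthConnect’s design): pre-defined levels carry default purpose sets, sensitive categories default to ‘high’, and the individual may set a level per event and refine it by denying a particular provider or purpose. The level rule sets, category defaults, provider and purpose names are all assumptions; the view-filtering function goes slightly beyond the text to show how a provider’s view of a record would be derived from the same settings.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set


class Level(Enum):
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"


# Hypothetical default rule sets: the purposes each privacy level permits on an
# event summary. A purpose absent from the set is denied (default deny).
LEVEL_DEFAULTS: Dict[Level, Set[str]] = {
    Level.LOW: {"treatment", "health_team", "research_deidentified", "population_management"},
    Level.MEDIUM: {"treatment", "health_team", "research_deidentified"},
    Level.HIGH: {"treatment"},
}

# Hypothetical category defaults: matters the submission names as highly
# sensitive start at 'high'; anything else starts at 'medium'. The individual
# can amend either choice per event.
CATEGORY_DEFAULT_LEVEL: Dict[str, Level] = {
    "sexual_health": Level.HIGH,
    "mental_health": Level.HIGH,
}


@dataclass
class EventConsent:
    """The individual's consent settings for one event summary."""
    event_id: str
    category: str
    level: Optional[Level] = None                          # None -> category default
    denied_providers: Set[str] = field(default_factory=set)
    denied_purposes: Set[str] = field(default_factory=set)
    extra_purposes: Set[str] = field(default_factory=set)  # individual widens the level

    def effective_level(self) -> Level:
        return self.level or CATEGORY_DEFAULT_LEVEL.get(self.category, Level.MEDIUM)


@dataclass
class Decision:
    allowed: bool
    reason: str


def decide(consent: EventConsent, provider_id: str, purpose: str) -> Decision:
    """Evaluate one access request. The individual's explicit refinements are
    checked before the level's defaults, so an explicit denial always wins."""
    if provider_id in consent.denied_providers:
        return Decision(False, "provider %s explicitly denied" % provider_id)
    if purpose in consent.denied_purposes:
        return Decision(False, "purpose %r explicitly denied" % purpose)
    level = consent.effective_level()
    if purpose in LEVEL_DEFAULTS[level] or purpose in consent.extra_purposes:
        return Decision(True, "permitted at %s level" % level.value)
    return Decision(False, "not permitted at %s level" % level.value)


def visible_events(record: List[EventConsent], provider_id: str, purpose: str) -> List[str]:
    """The view a provider should receive: only those events whose consent
    settings permit this provider for this purpose."""
    return [e.event_id for e in record if decide(e, provider_id, purpose).allowed]


# Constructed sample record: a common cold consultation set to 'low' by the
# individual, who has nonetheless excluded one particular provider; a sexual
# health event left at its category default; and a mental health event lowered
# to 'medium' but with de-identified research explicitly refused.
SAMPLE_RECORD = [
    EventConsent("ev-cold-01", "general", level=Level.LOW, denied_providers={"prov-A"}),
    EventConsent("ev-sh-02", "sexual_health"),
    EventConsent("ev-mh-03", "mental_health", level=Level.MEDIUM,
                 denied_purposes={"research_deidentified"}),
]
```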

41. In addition to the use of analogous models in internet browsers, this Office also notes that AT&T has developed a privacy-specific application structured along similar lines to that proposed here, which is used to notify individuals of the privacy status of viewed websites which meet the P3P standard (see http://privacybird.com).

Legislative measures for privacy protection

42. Any system of protections on the use and disclosure of personal health information needs to recognise that there will be considerable pressure over time for an increasingly wide range of uses both within and outside the health sector. For these reasons, legislative protections are unlikely to be sufficient in themselves. Consideration is needed regarding the interaction of the proposed legislative, technological and organisational mechanisms, and the broader social environment, to ensure that effective privacy protection can be delivered in practice. In addition, any privacy protection scheme will require independent oversight mechanisms with the power to deal with individuals’ complaints, conduct investigations and ensure compliance with the privacy rules.

43. The Interim Report says that legislative privacy protections are expected to include the National Health Privacy Code and specific establishing legislation for HealthConnect setting out primary uses of data, authority and processes for approval of secondary uses of data, consent processes, penalties and sanctions and complaints mechanisms. The report acknowledges the need for technical and organisational measures in addition to legislative protections; however, it is unclear whether these proposed measures are adequate and it appears there may be too much reliance on legislation. As mentioned above, the proposed technical measures focus on IT-security issues such as identification/authentication, access control mechanisms, message protection, monitoring and detection mechanisms and audit/logging processes.

44. The organisational practices are expected to include staff training and organisation level privacy and security standards. While there is some discussion of staff training, this tends to be in regard to HealthConnect generally. Accordingly, legislative measures seem to form the substantive element of proposed privacy protections for HealthConnect. This is likely to be inadequate. Legislative measures provide rules as to what should happen, though equally, or perhaps even more importantly, design elements may determine what can and cannot happen. It seems that there is a need for further consideration and elaboration of the technical design elements and organisational practices that will support privacy.

45. The Interim Report highlights that an aim of the HealthConnect system is to be both an agent of change, as well as to be responsive to change. Legislative measures should recognise the possibility of such change. Provision should be built into the establishing legislation ensuring that any future amendment to the scope of the system including the rules governing privacy (for example, effected through primary or delegated legislation), should be reviewable by parliament and subject to mandatory stakeholder consultation, including by the Federal Privacy Commissioner.

National Health Privacy Code and HealthConnect

46. The proposed National Health Privacy Code which is currently under development incorporates a set of National Health Privacy Principles (NHPPs).[37] These principles are based on, but differ from, privacy principles that currently apply in the private health sector and Commonwealth public sector. The NHPPs allow for the collection of health information without consent for the purpose of providing a health service to an individual. This raises the question of how an individual’s consent for recording the information on HealthConnect would be ascertained for the purpose of specific entries into HealthConnect.

47. The provision under the NHPPs to allow the collection of personal information by a health service provider without consent, unlike the higher requirements of the NPPs, in combination with some of the technical specifications, raises questions about the adequacy of the proposed privacy protections. This is discussed below under the heading ‘Interaction with other systems’.

48. The proposed code has already experienced quite a lengthy gestation period to reach its current form. It seems likely that this code may not become law for some time, possibly years, thus raising the prospect that its protections may be unavailable as HealthConnect is implemented. Careful consideration will be needed regarding what arrangements will be in place prior to the National Code coming into force. In particular, HealthConnect should not be implemented without the prior operation of an effective privacy regulatory scheme, including both appropriate privacy protection rules and regulatory and oversight bodies.

Specific HealthConnect legislation

49. The Interim Report suggests that HealthConnect specific legislation would need to be consistent with broader privacy legislation but would address access control measures such as:

  • rules about the release of HealthConnect data, including authorisation processes;
  • consent arrangements;
  • obligations for participating health care providers;
  • complaints mechanisms, investigatory powers and sanctions; and
  • capacity for legislative review over time.[38]

50. Further, such legislation will likely also include reference to ‘…the circumstances under which health information can be collected by HealthConnect and subsequently used and disclosed’, as well as prescribing penalties for misuse of individuals’ health information maintained on HealthConnect.[39]

51. The Interim Report draws on the example of the exposure draft of the BMMS Bill 2001 as possibly providing a guide concerning how such legislation may evolve. In this discussion however, the report states that ‘[i]n general, penalties could apply to deliberate actions in breaching privacy… rather than relating to accidental access or disclosure’[40] [italics added]. This Office submits that, in the case of HealthConnect, a combination of effective legislative, technical and operational measures should also significantly help to prevent accidental breaches.

Oversight mechanisms

52. The Interim Report canvasses three governance options: a separate unit within the Commonwealth Department of Health and Ageing; a statutory authority under Australian Government legislation; or a corporation (either wholly government owned or a profit or not-for-profit organisation).[41] It recommends either a statutory body or a government owned company and suggests the need for two additional bodies:

  • a Clinical Review Committee; and
  • an ethics committee to assess requests from researchers which reports to another independent body such as the Office of the Federal Privacy Commissioner or a similar body set up specifically to oversee HealthConnect access control arrangements.[42]

53. The Interim Report also proposes a separate access control body, which would be responsible for matters such as:

  • rules about release of individuals’ health information maintained on HealthConnect and authorisation processes;
  • consent arrangements;
  • obligations for participating health care providers; and
  • complaint mechanisms and investigatory powers.[43]

54. It is essential toward gaining community trust that HealthConnect be built within an accountability framework whereby:

  • the Australian community is told clearly what the system is intended to do;
  • the system, once implemented, does what is intended and nothing more or less; and
  • the system operates in an open and accountable way, including by way of audit and mandatory reporting to demonstrate that it is continuing to meet its commitments.

55. To achieve this, it is necessary that powers regarding how the system functions (that is, the management of the system), should be separate from powers of oversight (independent accountability). The proposal to have the same oversight body setting the rules for matters such as access and consent arrangements and also acting as the ‘independent complaints handling body’ appears to be an inappropriate combination of responsibilities. To ensure a genuinely independent oversight body it would be necessary to separate these functions between two different bodies.

56. There is some apparent inconsistency in the Interim Report regarding oversight functions. Volume 1 refers to privacy complaints being dealt with by existing regulatory agencies in each jurisdiction and states that ‘it would be essential to ensure that the role of such a body did not overlap with existing federal or state/territory bodies dealing with health care or privacy complaints.’[44] Volume 2 suggests that ‘[o]ne mechanism could be to establish an independent body, for example an Office of the HealthConnect Commissioner, who could handle both privacy and non-privacy complaints’[45] [italics added].

57. This Office maintains its previously expressed view that it was the Government’s intent when implementing the Commonwealth Privacy Act 1988, and subsequent amendments, that to the degree permitted by the legislation there should be uniformity in the regulation of privacy in the Australian Government public sector and the private sector, including by making this Office the regulatory body for such matters. This Office should retain jurisdiction for privacy complaints emerging from HealthConnect where such complaints fall under current jurisdiction (that is, excluding State and Territory government agencies). To do otherwise would increase regulatory complexity in that privacy complaints in the health sector would be investigated by different regulators depending on whether or not they occurred in a HealthConnect context.

58. This Office also notes that the creation of an additional regulatory body would likely be in opposition to Australian Government policy advocating the non-proliferation of regulatory agencies and the promotion of less-complex, stable and predictable regulatory environments.[46]

59. The discussion of implementation approaches in the Interim Report refers to the gradual roll-out of HealthConnect through the expansion and extension of trials. This implies that the implementation of HealthConnect could precede the establishment of the governance mechanisms. This would be a matter of concern. The Office is strongly of the view that the governance arrangements need to be complete before HealthConnect is implemented.

60. This Office also notes that a governance model for HealthConnect is still under consideration. It is critical that the governance structure provide for the efficient and effective protection of privacy, and it is apparent that further attention is needed in this area. This Office would welcome and expect the opportunity to provide further comment as this matter is progressed.

Technical Measures

HealthConnect Systems Architecture

61. The Draft Systems Architecture proposes a technical model for HealthConnect which would include a storage system that consists of three layers:

  • a national co-ordination layer;
  • a federated records system layer that comprises up to 10 nodes, each of which is an independent HealthConnect Records System (HRS) for a defined population; and
  • a user layer which comprises the individual’s and provider’s local information system which they use to access the HealthConnect service.[47]

62. The National Co-ordination Layer would tie the HealthConnect nodes into a common national network of HealthConnect Records Systems and would comprise two services:

  • a national directory service to facilitate co-ordination between the nodes by mapping each registered individual’s identifier with the HRS that holds that consumer’s electronic health record; and
  • a national data store of all the electronic health records to provide a data recovery service and allow for complete sets of HealthConnect data to be used for population research and management purposes.

HealthConnect technical model and privacy issues

63. The Interim Report notes that an objective of HealthConnect is to employ ‘… available technical options that pose minimum implementation risk to the business’.[48] While this has some merit, it should not be used as an excuse to avoid technologies which enhance or enable privacy. This Office submits that providing individuals with assurances as to the privacy of their personal health information is essential to the generation of trust in HealthConnect and their willingness to participate in the system. Privacy enhancing technologies should be built into the system at the design phase, rather than retrospectively added after community concerns about privacy emerge. It is cheaper and more effective to build such technologies into the system as it is being built.[49]

64. In particular, consideration should be given to pseudonymous and anonymous systems for handling personal health information. Such systems disguise or remove identifying personal information for data collected by organisations, and promote individuals’ privacy by allowing them to interact anonymously with organisations and exercise greater control over their own personal information. Cavoukian, in discussing the application of such systems to health information networks, has suggested that:

… the creation of anonymous databases of sensitive information, linked only by encryption means to the personal identifiers associated with them, removes the need to routinely attach nominal identifiers to the actual records, thus addressing both privacy and security-related issues.[50]

65. This proposal recognises that there will be circumstances where anonymity is not possible in a clinical context; however, where identification is not necessary then anonymity should be acceptable and available. This is in line with the notion of privacy enhancing technologies, which seek to eliminate the use of personal data altogether or to give direct control over the handling of personal information to the individual.[51] For research purposes, where there seems little justification in most instances for identifying an individual, anonymity should be the standard.

66. There may also be value when developing the technical model to consider the implications of other privacy enhancing technologies, such as appropriately implemented biometrics (for example, used as an individual’s private encryption key linking de-identified data to identifying information when necessary).[52]

National co-ordination layer

67. The proposed use for the national co-ordination layer is predicated on a framework which assumes that information held in HealthConnect will be used for secondary purposes such as clinical governance and research. One of its primary functions appears to be to provide proposed secondary user groups for HealthConnect (managers/policy makers/clinical leaders and researchers) with a complete set of the health records of all registered individuals.[53] The existence of a single national store will raise considerable pressures for broader uses of this information. There is a significant risk of function creep, with pressure for the information to be used for an increasingly broad range of purposes over time. It is not clear that the proposed governance mechanisms would be adequate to ensure appropriate privacy protection for the identified information at the national co-ordination layer.

68. Also, it is not clear what is meant by a ‘de-identified view of the HealthConnect data set to support population reporting for research and management users’.[54] If it is simply intended that name and address be removed from an individual’s EHR this may not be sufficient to ensure that the record is de-identified. A record would be considered to be ‘personal information’ for the purposes of the Privacy Act 1988 (Cth) if the information is ‘… about an individual whose identity is apparent, or can reasonably be ascertained, from the information …’. It has been noted elsewhere that ‘[d]eidentifying data does not guarantee that the result is anonymous… [e]ven when information shared with secondary parties is deidentified, it is often far from anonymous’.[55] For example, in the case of some illnesses, it is possible that an individual may be identifiable from the health information in their EHR. It is also possible that health information grouped by geographical data (for example information about a particular condition by postcode) could also be identifiable where there may only be one individual with the particular condition within a postcode area. The Interim Report notes that consumers do not want de-identified data to be re-identifiable.[56]

69. Further consideration is needed to ensure that any ‘deidentified view’ of HealthConnect data is genuinely deidentified and does not allow information to be re-identified. In addition to effective de-identification processes, there will need to be appropriate legal and technical safeguards to prevent the matching of de-identified and identified views of the national co-ordination layer.
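The re-identification risk described in paragraphs 68 and 69, as an added example that is not from the submission or the HealthConnect documents: a ‘de-identified view’ with name and address removed is checked for combinations of postcode and condition that occur only once (the single individual with a condition in a postcode area), and the view is then generalised and suppressed until every such combination is shared by at least k records. The sample records, field names, the choice of postcode and condition as quasi-identifiers and the k threshold are all constructed assumptions.

```python
from collections import Counter
from typing import Dict, List, Sequence, Tuple

Record = Dict[str, object]

# Constructed sample 'de-identified view': name and address removed, but
# postcode and condition retained, which is exactly the case the submission
# warns can still single an individual out.
SAMPLE_VIEW: List[Record] = [
    {"postcode": "2000", "condition": "asthma", "year_of_birth": 1970},
    {"postcode": "2000", "condition": "asthma", "year_of_birth": 1982},
    {"postcode": "2000", "condition": "asthma", "year_of_birth": 1991},
    {"postcode": "2010", "condition": "asthma", "year_of_birth": 1975},
    {"postcode": "2010", "condition": "asthma", "year_of_birth": 1988},
    {"postcode": "2010", "condition": "diabetes", "year_of_birth": 1960},
    {"postcode": "2010", "condition": "diabetes", "year_of_birth": 1979},
    {"postcode": "2011", "condition": "huntingtons", "year_of_birth": 1966},  # alone in 2011
    {"postcode": "2035", "condition": "asthma", "year_of_birth": 1990},       # alone in 2035
    {"postcode": "2035", "condition": "depression", "year_of_birth": 1985},   # alone in 2035
]

QUASI = ("postcode", "condition")   # fields that together may point to one person


def _key(record: Record, quasi_identifiers: Sequence[str]) -> Tuple[object, ...]:
    return tuple(record[q] for q in quasi_identifiers)


def equivalence_classes(records: List[Record], quasi_identifiers: Sequence[str]) -> Counter:
    """How many records share each combination of quasi-identifier values."""
    return Counter(_key(r, quasi_identifiers) for r in records)


def min_class_size(records: List[Record], quasi_identifiers: Sequence[str]) -> int:
    classes = equivalence_classes(records, quasi_identifiers)
    return min(classes.values()) if classes else 0


def singletons(records: List[Record], quasi_identifiers: Sequence[str]) -> List[Record]:
    """Records whose quasi-identifier combination is unique in the view and
    which are therefore potentially re-identifiable despite the missing name."""
    classes = equivalence_classes(records, quasi_identifiers)
    return [r for r in records if classes[_key(r, quasi_identifiers)] == 1]


def generalise_postcode(records: List[Record], digits: int) -> List[Record]:
    """Coarsen the postcode to its leading digits (a wider geographic area)."""
    return [dict(r, postcode=str(r["postcode"])[:digits]) for r in records]


def release_view(records: List[Record], quasi_identifiers: Sequence[str], k: int,
                 min_postcode_digits: int = 2) -> Dict[str, object]:
    """Return a view in which every quasi-identifier class has at least k
    members: generalise the postcode step by step, and if that is not enough
    suppress the records in classes that are still too small."""
    for digits in range(4, min_postcode_digits - 1, -1):
        candidate = generalise_postcode(records, digits)
        if min_class_size(candidate, quasi_identifiers) >= k:
            return {"records": candidate, "postcode_digits": digits, "suppressed": 0}
    coarsest = generalise_postcode(records, min_postcode_digits)
    classes = equivalence_classes(coarsest, quasi_identifiers)
    kept = [r for r in coarsest if classes[_key(r, quasi_identifiers)] >= k]
    return {"records": kept, "postcode_digits": min_postcode_digits,
            "suppressed": len(coarsest) - len(kept)}
```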

Messaging Models

70. Three models of data access have been developed for HealthConnect in the draft systems architecture:

  • Messaging model – where a user sends a message to a central system for either submission to or retrieval from the electronic health record. The central system processes the message and sends results back to the user but does not play any part in the compilation or presentation of the electronic health records.
  • Transactional model – Central system would control the request, view and update the electronic health record.
  • Batch (distributed subscription) model – Each provider organisation would subscribe to the electronic health record of their regular customers and automatically receive copies of updates to the consumer’s electronic health record and store them on a local system.[57]

71. The Interim Report states that the batch model is expected to be preferred as it offers ‘…the best solution from both performance and cost perspectives.’[58] This Office suggests that further clarity is necessary as to the implications of this model on how consent is managed. In particular, before a commitment is made to this model, assurances should be provided that the batch messaging model does not limit or undermine individual choices regarding which views should be made accessible to which providers, as the description of the model tends to suggest that a subscriber to a given record is automatically provided with all information in that record.

Multiple system owners

72. The proposed design for HealthConnect assumes there would be multiple system owners and information technology vendors involved in providing various parts of the HealthConnect system.[59] The Interim Report acknowledges that this raises the need for a governance structure to ensure conformity. It also raises the question of responsibility for compliance with privacy protection measures across multiple parties.

73. One of the challenges will be ensuring that individuals have accessible means to address privacy issues without having to approach multiple parties or face the problem of ‘slipping through the cracks’.

Interaction with other systems

74. To ensure adequate privacy protection for individuals participating in HealthConnect it will be necessary to address not only the handling of electronic health records within HealthConnect, but also the interlinking, data-matching and interaction that could be expected to occur between HealthConnect itself and other systems.

Data linkage and other systems

75. HealthConnect is envisaged as a back-end system, with the expectation that the user’s IT system will provide the interface with the shared electronic health record. It is also expected that vendors of IT health systems will seek to add additional functionality and capacity to their products beyond the minimum common set of EHR functionality required for HealthConnect.[60] This raises the question of whether other information about the individual will be linked to their HealthConnect electronic health record information on the information systems used by providers or other users of HealthConnect. Such linkages could be outside the expectations of the individual and inconsistent with the basis on which the individual has consented to participate in HealthConnect.

76. As seems reasonable, the Statement of Strategic Vision[61] for HealthConnect provides that over time, new systems and capabilities will be added with the intention of building a complete picture of an individual’s health history. However, it is not clear how the consent process as currently envisaged will be managed to ensure that individuals are fully informed if the handling of their information will expand and change as new capabilities are added to the system.

Automatic uploads to HealthConnect

77. The Draft Systems Architecture envisages that providers will continue to use the clinical information systems within their practice as the primary repository for their detailed electronic patient records. It is expected that clinical information system vendors will develop capability in the products to locally store copies of electronic health record views and will develop systems to interface with HealthConnect so that data entry, validation and upload of new event summaries could occur automatically as part of the process of updating the local electronic patient record.[62] As noted in paragraph 73, this raises the question of how consent would be managed where the individual wants control over what information is included on HealthConnect.

78. The expectation of automatic uploading needs to be considered not only in relation to protocols for HealthConnect but also in combination with the proposed NHPPs. The proposed NHPPs would allow for the collection of health information without consent for the purpose of providing a health care service. There is a risk that this combination could override the consent protocols for inclusion of personal information in HealthConnect if the practitioner can collect the individual’s health information without consent, as permitted under NHPP 1, and enter it into a local clinical information system, which then uploads to HealthConnect. Individual consent would be bypassed.

79. The functional requirements for the Privacy and Consent Service for the Health Record Service (HRS) state that it must enable customers to grant, view and revoke consent to access electronic health records for specified periods to specific providers and/or provider organisations and support the concepts of guardianship, carer and health team roles.[63] However, it is not clear whether this will operate effectively in the above noted context of automatic uploads.
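The consent bypass described in paragraphs 77 to 79, as an added example that is not from the submission or the HealthConnect documents: the weak flow uploads an event summary to HealthConnect as a side effect of saving it to the local clinical record, while the hardened flow saves locally but withholds the upload unless an explicit, unrevoked, in-period submit consent covers the provider or its organisation, logging each refusal for audit. The consent service, identifiers, dates and scenario are constructed stand-ins, not the HRS Privacy and Consent Service itself.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set


@dataclass
class SubmitConsent:
    """Consent to submit event summaries to HealthConnect, granted to one
    provider or provider organisation for a specified period."""
    consumer_id: str
    grantee: str                      # provider id or provider organisation id
    valid_from: datetime
    valid_to: datetime
    revoked_at: Optional[datetime] = None

    def active(self, at: datetime) -> bool:
        if self.revoked_at is not None and at >= self.revoked_at:
            return False
        return self.valid_from <= at <= self.valid_to


class ConsentService:
    """Hypothetical stand-in for the Privacy and Consent Service: grant, revoke, check."""

    def __init__(self) -> None:
        self._consents: List[SubmitConsent] = []

    def grant(self, consumer_id: str, grantee: str, valid_from: datetime, days: int) -> SubmitConsent:
        consent = SubmitConsent(consumer_id, grantee, valid_from, valid_from + timedelta(days=days))
        self._consents.append(consent)
        return consent

    def revoke(self, consumer_id: str, grantee: str, at: datetime) -> None:
        for c in self._consents:
            if c.consumer_id == consumer_id and c.grantee == grantee and c.revoked_at is None:
                c.revoked_at = at

    def permits_submit(self, consumer_id: str, actor_ids: Set[str], at: datetime) -> bool:
        return any(c.consumer_id == consumer_id and c.grantee in actor_ids and c.active(at)
                   for c in self._consents)


@dataclass
class EventSummary:
    consumer_id: str
    provider_id: str
    organisation_id: str
    text: str
    created_at: datetime


@dataclass
class Environment:
    """Constructed stand-ins for the local clinical information system, the
    HealthConnect upload endpoint and a local audit log."""
    local_store: List[EventSummary] = field(default_factory=list)
    uploaded: List[EventSummary] = field(default_factory=list)
    audit: List[str] = field(default_factory=list)


def save_and_upload_unchecked(ev: EventSummary, env: Environment) -> bool:
    """The flow the submission warns about: the local save (lawful without
    consent under NHPP 1) itself triggers the upload, so consent is bypassed."""
    env.local_store.append(ev)
    env.uploaded.append(ev)
    return True


def save_and_upload_gated(ev: EventSummary, env: Environment, consents: ConsentService) -> bool:
    """Hardened flow: the local save proceeds, but the upload fails closed
    unless a submit consent covers this provider or its organisation now."""
    env.local_store.append(ev)
    if consents.permits_submit(ev.consumer_id, {ev.provider_id, ev.organisation_id}, ev.created_at):
        env.uploaded.append(ev)
        return True
    env.audit.append("upload withheld: no submit consent for %s from %s at %s"
                     % (ev.consumer_id, ev.provider_id, ev.created_at.isoformat()))
    return False


def run_scenario(gated: bool) -> Environment:
    """Constructed scenario: consent to one provider for 30 days, revoked on day 10."""
    t0 = datetime(2004, 2, 1)
    consents = ConsentService()
    consents.grant("cons-1", "prov-1", t0, days=30)
    consents.revoke("cons-1", "prov-1", t0 + timedelta(days=10))
    events = [
        EventSummary("cons-1", "prov-1", "org-1", "day 5 consultation", t0 + timedelta(days=5)),
        EventSummary("cons-1", "prov-2", "org-2", "day 6 consultation", t0 + timedelta(days=6)),
        EventSummary("cons-1", "prov-1", "org-1", "day 12 consultation", t0 + timedelta(days=12)),
    ]
    env = Environment()
    for ev in events:
        if gated:
            save_and_upload_gated(ev, env, consents)
        else:
            save_and_upload_unchecked(ev, env)
    return env
```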

Implementation

Implementation plan

80. The proposed general approach to implementation is to develop and build specific components of HealthConnect to integrate with existing and planned systems rather than building the whole system. The rollout is proposed to occur in a serial manner such as the expansion and extension of existing trials.[64] The implementation plan also involves establishing agreed standards and protocols for a range of matters including identification and registration systems and secondary uses.

Expansion and extension of trials

81. The proposed implementation model involves expanding and extending the existing trials and supplementing existing infrastructure. In our view, the proposal to graduate from trials to fully operational HealthConnect sites will require attention to issues such as a new consent process. Consents obtained for participation in a trial of limited time and prescribed uses of the health information would not be sufficient for an operational roll-out. For example, one basis of the Northern Territory trial is that the information collected will only be used for the provision of health care and not for secondary uses such as research.[65]

82. The implementation approach indicates that there is still remaining work to be done on identification and consent.[66] Concerns about ‘privacy, security and confidentiality’ of information in the system are listed as issues to be ‘overcome’ before embarking on implementation of HealthConnect.[67]

Identification and registration systems

83. The Draft Systems Architecture states that the key business requirements for the Registration and Identification service are that the service must:

  • support a process for registering providers and consumers which will include the basic capture of personal information and may include verification of identity of each individual – the process must allow consumers and providers to opt-in and out as often as they like;
  • support the unique identification of customers and providers, which will include the issuing of a PIN or password and may support token based identification; and
  • provide an audit trail to enable the reporting on registration and identification history for each user – including details of failed identification requests, for which alerts must be generated.

84. The implementation model proposed in the Interim Report would have a ‘secure and affordable system of identifying consumers and providers within HealthConnect’.[68] In considering the process for ascertaining proof of identity at registration, the Interim Report focuses on cost and primarily for this reason appears to endorse using an existing identifier. This raises significant privacy concerns.

85. The only specific option advocated is to use an identification system based on the Medicare number. The Interim Report suggests that as the Medicare number already has authentication processes then this would overcome large additional costs for HealthConnect to have its own proof-of-identity processes.[69]

86. This is echoed in the Draft Systems Architecture which sets out the HRS functional requirements, and provides that the Registration and Identification Service must support the unique identification of providers and consumers, which will include the issuing of a PIN or password and may include support for token-based identification and that: ‘[t]he service should utilise established health industry sources of identification where these exist …’[70] While the example given is a National Provider Number, these statements also appear to lean towards an identifier for consumers based on the Medicare Number.

87. This Office is of the view that such a proposal is problematic on a number of grounds, possibly irreparably so. It can easily be envisaged that the use of the Medicare number for such identification purposes will lead to pressure for the number to be used for other purposes, increasingly distant from and unrelated to its original function.

88. Further, comparatively dated technology of this kind frequently suffers from problems with the integrity of the cards themselves, rendering them less than adequate for such purposes. The documented problems with the Tax File Number system provide ample evidence that putatively unique numbers are susceptible to corruption, whether by malfeasance or simple system failure,[71] while anecdotal evidence suggests similar problems may already exist with the Medicare number.[72] In an environment as important as the management and handling of health records, it seems unlikely that the Medicare number engenders sufficient confidence to function as a unique identifier for primary data, especially in the clinical context, where life and death decisions might be made.

89. While appropriating the Medicare number (and card) may be a relatively inexpensive option, this Office submits that, given the financial savings expected from the implementation of HealthConnect (the Interim Report cites a figure of at least $300 million per year), investment in identification systems that genuinely enhance and protect privacy is likely to be highly justified, perhaps even necessary to ensure community confidence and trust. This argument becomes more compelling as technologies improve and the savings to the system increase further. HealthConnect requires proof of identity measures which are of the highest integrity. In our view, the Medicare number is not adequate for this purpose.

90. The Interim Report also suggests that HealthConnect may be a provider of national identification services or a receiver of those services. Further work by the Australian Health Information Council (AHIC) is planned to identify suitable identification processes to support e-health initiatives including HealthConnect. Any consideration of identification systems should be deferred pending the outcome of this work by AHIC.

Registration

91. The emphasis on keeping costs low has also led to a proposal for a self-managed approach to registration. It is not clear how adequate notification and valid consents will be obtained through such an approach, particularly if a self-registering system is implemented. The Tasmanian trial had simplified consent arrangements, with no secondary purpose provisions, and thus a limited range of choices and options. Registration was done face-to-face with the doctor present and, on average, took 30-45 minutes; even so, the early findings from the Tasmanian trial suggest that individuals found the consent information too complex to understand. This raises questions as to how best to ensure informed consent without potentially undermining one of the key building blocks of HealthConnect.

92. Consent is not valid if it is not informed. The difficulties with the Tasmanian trial suggest the need for significantly improved community education initiatives to accompany registration, including more accessible consumer information. The disconnection between the stated consent protocol and the actual practice of the Medical Practitioners during the trial may have contributed to the consumer confusion about the consent arrangements. This suggests the need to consider more training and follow-up with health practitioners involved in the registration process. Consideration should also be given to the layered consent approach proposed in this paper.

Role of the private sector

93. The Interim Report proposes that initial funding will be from public sector sources. However, the report states that it is likely that viable funding models that draw on private sector funds and generate income will become evident.[73] The question of where the value will be found from a commercial perspective is not clearly addressed. It raises questions of how the private sector participants will generate income and whether the health information of individuals could be used for commercial purposes by private sector infrastructure providers. This would be a matter of some concern and would require very careful assessment, consultation and evaluation.

94. It is not clear how the model allowing ‘the private sector to take an expanded role’ will also ensure ‘efficient controls are in place to maintain stakeholder trust’.[74] The Interim Report itself acknowledges the significant concern amongst consumers and providers about health information being used for commercial purposes, and it is unlikely that vague assurances will prove adequate to allay these concerns.

95. In considering the precedents to follow in private sector information technology involvement in the health record initiatives, the Interim Report proposes that e-commerce and e-government initiatives in other sectors would be instructive. However, this does not appear to take account of the particular sensitivities associated with health information.

96. Also, in the discussion on interfacing with existing provider systems, the Interim Report proposes a head agreement with relevant industry bodies such as the Medical Software Industry Association to ‘encourage’ all vendors to maintain HealthConnect compliance. Merely ‘encouraging’ compliance is not sufficient, particularly on issues such as security and privacy protocols, where there may be a conflict between the commercial interest of the vendor and good privacy practices. Consideration should be given to other compliance approaches, such as mandating minimum standards for software, developing guidelines on interfacing with other systems, and appropriate monitoring and review mechanisms to ensure private sector compliance.

External Pressures

97. HealthConnect is intended to store event summaries throughout an individual’s lifetime. How would withdrawal of their consent to participate be handled? What, if any, mechanisms have been developed to ensure that the voluntary nature of participation in HealthConnect is not gradually eroded in favour of a more coercive scheme, as happened in the space of only a decade with the Tax File Number?

98. The principle of opt-in participation is referred to as a fundamental principle for HealthConnect. Careful consideration of the implications for individuals of not participating is needed if participation is to remain genuinely voluntary. If the consequences of not opting in are that the individual faces significant disadvantage, such as higher charges, longer waiting times for treatment or some other reduction in access to health care, then individuals may not consider they really have a choice. The example of Tax File Numbers is a relevant one, in that the principle of voluntary participation in that system has progressively been eroded by the necessity of requiring a number in order to receive government assistance.

99. Another issue which is not specifically addressed is the significant risk that would be raised by releasing manipulable data sets that can be cross-matched with other data, including non‑health data, and used for other purposes that were neither expected nor intended. This submission has highlighted that valuable health research can be done by data-linking de-identified data in a way that does not undermine privacy; however, this is not to say that all data-linking is grounded in such good public policy. In particular, this Office would oppose such data being used for many commercial purposes. There may be some commercial uses that are of benefit to individuals and within community expectations, but this is a highly sensitive area and great care would need to be taken to ensure adequate privacy protections are in place. This is particularly the case where advances in data-linking technology could result in future data-linking of de-identified and identified records (including publicly available records) in ways not possible with current technology.

100. The Interim Report acknowledges that consultations have consistently shown that consumers are concerned that information and communication technologies could make their personal health information much more accessible, not only to health providers but also to a wide range of interested third parties such as government agencies, insurers, employers and commercial interests such as pharmaceutical companies. They are also concerned that the information could be used to discriminate against them in employment, insurance or housing. However, it is not clearly acknowledged that any data-rich national health information system will inevitably face significant pressure for a range of other non-health sector uses, nor is it explained how these pressures will be handled.

Summary

101. The HealthConnect Interim Research Report and, to a lesser degree, Draft Systems Architecture, provide a number of assurances that the HealthConnect system will be built and operate in a manner that protects the privacy of Australians’ personal health information. Further work is required to ensure that these assurances have practical application and will be fulfilled.

102. Privacy should be understood as a need held by individuals. Whether individuals choose to participate in HealthConnect will be influenced by how effectively this need is met in practical terms (see paragraphs 11-13).

103. This submission has stressed the importance of informed and free consent, whereby access to a health service is not dependent upon agreeing to participate in HealthConnect (paragraphs 31-35). A model of layered consent has also been raised as being worthy of further consideration (paragraphs 36-41).

104. Legislative measures are important to ensure privacy is protected in HealthConnect, though they should not be the only or predominant basis for such protection (paragraphs 42-44). At least equal attention should be devoted to technical (in its broadest sense) and organisational factors. Further, there is a need to consider what arrangements would be made in the likely event that the National Health Privacy Principles do not come into effect for some time (paragraphs 46-48).

105. An effective, coherent oversight and accountability system is essential in gaining community trust in HealthConnect. It is a concern that some ambiguity remains in how these systems will be implemented, particularly as to whether there will be effective separation of operational and independent oversight elements of HealthConnect. Such separation is imperative to credible oversight (paragraphs 55-60).

106. It is essential in gaining community trust that HealthConnect be accompanied by complete openness and transparency. Clear commitments should be articulated as to what the system will do, and practical measures be taken, including attributing independent oversight and accountability functions to appropriate agencies (paragraph 55).

107. In addition to IT-security protocols, it is important to explore other technical measures which may enhance privacy, as well as organisational level measures, the latter of which are given particularly scant attention in the Interim Report. The community is likely to expect HealthConnect to be built to such a standard that privacy breaches do not occur, whether by accident or intention, and such an expectation can only be met where privacy protections are multifaceted. While the Interim Report advocates the use of low risk technologies, this should not exclude more sophisticated and cutting-edge technologies which are becoming increasingly valid and reliable as methods of enhancing privacy (paragraphs 63-66).

108. Secure and robust identification and authentication processes are fundamental to the integrity of the HealthConnect system. This Office repeats its previous assertion that it does not believe that appropriating the Medicare number for the purposes of HealthConnect is a viable option for enhancing privacy (paragraphs 85-89).

109. This Office recognises that the Interim Report is not intended to be a final document. Notwithstanding this, it would seem that there is considerable further work required before many of the fundamental issues raised in this submission are adequately addressed. Further, the community will expect that general assurances regarding such matters as the role of the private sector, how change will be managed and the role of the NHPPs will be given substance in the form of tangible and meaningful measures (legislative, technical and organisational), rather than well-intentioned commitments.

110. The scope, technical complexity and fundamental importance of the project to Australians’ privacy lead to the conclusion that a formal, comprehensive Privacy Impact Assessment should be undertaken by a recognised independent expert. Such an assessment would describe the HealthConnect project in a coherent, single voice, capable of articulating specific privacy risks to the system and, most importantly, tangible steps that can be taken to enhance the system. Commissioning such an independent assessment is likely to do much to increase the community’s confidence in the transparency and openness of the system.


Index


Access control. See Accountability & Oversight

Accountability & Oversight, 13, 15, 16, 17, 25

Anonymisation, 2, 8, 18, 19

Australian Health Information Council, 23

Biometrics, 2, 18

Commercial uses, 8, 18, 25, 3, 19

Confidentiality, 7, 21

Consent, guardianship and carer roles, 21

Consent, informed, 10, 11, 23, 25

Consent, layered-consent, 3, 13, 23, 25

Consent, models of, 11, 19, 21

Data-linking, 20, 25

De-identification of data, 19, 25

Department of Health and Ageing, 15

Electronic Health Records Taskforce, 2, 4

Electronic Health Records, risks of, 9, 10

Function-creep, 13, 18, 24, 25

Governance mechanisms, 15, 17

Health Ministers, 4

Health research, 2, 8

HealthConnect, audit of, 6

HealthConnect, audit trails, 9, 10, 22

HealthConnect, complaint handling, 5, 6, 16

HealthConnect, implementation and roll-out, 21

HealthConnect, Northern Territory trial, 21

HealthConnect, risks, 9

HealthConnect, role of trust, 7, 23, 25

HealthConnect, Tasmanian trial, 11, 12, 23

HealthConnect, technical model, 17

Identification & registration, 3

Identification & registration systems, 21, 23, 26

Individual attitudes, Californian research, 9

Individual attitudes, South Australian research, 9

Individual’s control over health records, 2, 3, 8, 11, 12, 13, 18, 25

Individual’s expectations, 8

Information flows, IT-enablement of, 9

Jurisdiction, 4, 16

Legislative protections, 4, 14, 15, 25

Marketing, using data for. See Commercial Uses

Medicare number, 3, 22, 26

Mental health, 13

National Health Privacy Principles, 14, 21, 25, 26

Openness & transparency, 25, 26

Opt-in, 12, 22

Organisational culture, 3

Organisational practices, 4, 14

Organisational structures and measures, 5

Privacy Act 1988, 4, 16, 19

Privacy Act, S.95 and 95A Guidelines, 8

Privacy Enhancing Technologies, 2, 17, 26

Privacy Impact Assessment, 5, 26

Privacy, abuse of and consequences, 6, 10

Privacy, meaning of, 6

Privacy, technical protections, 4

PrivacyBird.com, 13

Private sector, role of, 3, 20, 23

Pseudonymisation, 2, 18

Reduced capacity, consent, 6

Regulatory policy, 17

Re-identification, 8, 19

Secondary uses, 18

Sexual health, 13

Social research, 2, 8

Secondary uses, 5, 8, 11, 14, 21

Staff training, 3, 4

Tax File Number, 22, 24

Toronto, University Health Network, 10

Voluntary participation, 10, 11, 24


Office of the Federal Privacy Commissioner

www.privacy.gov.au

Privacy Hotline 1300 363 992 (local call charge)




[1] Consisting of 3 volumes: “1) Overview & Findings”; “2) Research Reports”; and “3) Background Documents”.

[2] See, for example, HealthConnect Interim Research Report Volume 2, Report 6, ‘How should HealthConnect be governed?’, p.23.

[3] HealthConnect Project Office (August 2003) HealthConnect Interim Research Report Volume 2 Report 3 ‘Is There a Preferred Implementation Model’, p.11.

[4] Consisting of 3 volumes: “1) Overview & Findings”; “2) Research Reports”; and “3) Background Documents”.

[5] HealthConnect Project Office (August 2003) HealthConnect Interim Research Report Volume 1 ‘Overview and Findings’, p.7.

[6] HealthConnect Interim Research Report Volume 1 ‘Overview and Findings’, p.7.

[7] HealthConnect Interim Research Report Volume 1 ‘Overview and Findings’, p.34.

[8] HealthConnect Interim Research Report Volume 1 ‘Overview and Findings’, p.7.

[9] HealthConnect Interim Research Report Volume 2 Report 5 ‘What will be necessary to manage privacy?’, p.1.

[10] HealthConnect Interim Research Report Volume 1 p.97.

[11] Samuel Warren and Louis Brandeis, 1890, ‘The Right to Privacy’, 4 Harvard Law Review 193, 1890, and available at: www.louisville.edu/library/law/brandeis/privacy.html quoted in Malcolm Crompton, ”What is privacy?” presented to the Privacy and Security in the Information Age Conference 16-17 August 2001

[12] HealthConnect Interim Research Report Volume 1 ‘Overview and Findings’, p.79.

[13] HealthConnect Interim Research Report Volume 2 Report 5 ‘What will be necessary to manage privacy?’, p.18.

[14] HealthConnect Interim Research Report Volume 2 Report 5 ‘What will be necessary to manage privacy?’, p.15.

[15] HealthConnect Interim Research Report Volume 1 ‘Overview and Findings’, p.71.

[16] HealthConnect Interim Research Report Volume 1 ‘Overview and Findings’, p.6

[17] HealthConnect Interim Research Report Volume 1 ‘Overview and Findings’, p.12 & 45. See also, HealthConnect Interim Research Report Volume 1 Report 5 ‘What will be necessary to manage privacy’ p.20.

[18] HealthConnect Interim Research Report Volume 1 ‘Overview and Findings’, p.45.

[19] Mulligan E ‘Confidentiality in health records: Evidence of current performance from a population survey in South Australia’ Medical Journal of Australia (2001) vol 174: pp.637-640.

[20] California Healthcare Foundation ‘Americans worry about the privacy of their computerized medical records’ 28 January (1999) [available at http://chcf.org/press/view.cfm?itemID=12267].

[21] Cavoukian A ‘The promise of Privacy enhancing technologies: Applications in Health Information Networks’ in Bennet C & Grant R Visions of Privacy: Policy Choices for the digital age (1999) University of Toronto Press, pp.116-128.

[22] Boyle T ‘Hospital to tighten privacy for patients’ Toronto Star 31 July (2002) p.A02 [available from www.thestar.com]. Also, this matter was subsequently investigated by the Information and Privacy Commissioner of Ontario. The full report of this investigation is available from www.ipc.on.ca.

[23] HealthConnect Interim Research Report Volume 1 ‘Overview and Findings’, p.55.

[24] HealthConnect Interim Research Report Volume 1 ‘Overview and Findings’, p.64.

[25] Design System, Department of Health and Ageing ‘Architecture Overview’ in HealthConnect Draft Systems Architecture (July 2003) p.16

[26] Design System, Department of Health and Ageing ‘Architecture Overview’ in HealthConnect Draft Systems Architecture (July 2003), p.33.

[27] HealthConnect Interim Research Report Volume 1 ‘Overview and Findings’, pp.56-57.

[28] In particular, the document Consent in the HealthConnect Trials: Outcomes of the HealthConnect Consent Workshop discussed some of the approaches that would be trialled [Available at www.health.gov.au/healthconnect/pdf_docs/cons_wk.pdf].

[29] HealthConnect Interim Research Report Volume 3 ‘Background documents’ pp.25-26.

[30] HealthConnect Interim Research Report Volume 1 ‘Overview and Findings’, p.100.

[31] Privacy and the Community by Roy Morgan Research for the Office of the Federal Privacy Commissioner (July 2001), available at www.privacy.gov.au/publications/rcommunity.html

[32] HealthConnect Interim Research Report Volume 1 ‘Overview and Findings’, p.64.

[33] ‘Electronic health information systems case studies’ in HealthConnect Program Office (August 2003), HealthConnect Interim Research Report Volume 3 ‘Background Papers’ p.29.

[34] ‘Tasmanian HealthConnect Trial’ in HealthConnect Interim Research Report Volume 3 ‘Background Papers’, p.3.

[35] ‘Tasmanian HealthConnect Trial’ in HealthConnect Interim Research Report Volume 3 ‘Background Papers’, p.25.

[36] ‘Tasmanian HealthConnect Trial’ in HealthConnect Interim Research Report Volume 3 ‘Background Papers’, p.25.

[37] A consultation draft of the proposed National Health Privacy Code is available at www.health.gov.au/pubs/nhpcode.htm

[38] HealthConnect Interim Research Report Volume 1 ‘Overview and Findings’, p.95

[39] HealthConnect Interim Research Report Volume 2 Report 5 ‘What will be necessary to manage privacy’, p.11.

[40] HealthConnect Interim Research Report Volume 2 Report 5 ‘What will be necessary to manage privacy’, p.10.

[41] HealthConnect Interim Research Report Volume 2 Report 6 ‘How should HealthConnect be governed?’, p.15.

[42] HealthConnect Interim Research Report Volume 1 ‘Overview and Findings’, p.94.

[43] HealthConnect Interim Research Report Volume 1 ‘Overview and Findings’, p.94.

[44] HealthConnect Interim Research Report Volume 1 ‘Overview and Findings’, p. 96. See also HealthConnect Interim Research Report Volume 2 Report 6 ‘How should HealthConnect be governed’, p.23.

[45] HealthConnect Interim Research Report Volume 2 Report 5 ‘What will be necessary to manage privacy’, pp.12-13.

[46] See generally, the Prime Minister’s statement ‘More time for Business’ 24 March (1997) [available at www.pc.gov.au/orr/reports/external/mtfb/index.html].

[47] ‘Architecture Overview’ in Draft Systems Architecture (July 2003) p.6

[48] HealthConnect Interim Research Report Volume 2 Report 2 ‘Is Health Connect Technically feasible’, p.1.

[49] Cavoukian A & Hamilton T The privacy payoff: How successful businesses build customer trust (2002) McGraw Hill, Canada.

[50] Cavoukian A ‘The promise of Privacy enhancing technologies: Applications in Health Information Networks’ in Bennet C & Grant R Visions of Privacy: Policy Choices for the digital age (1999) University of Toronto Press, pp.116-128 at 120.

[51] Burkett H ‘Privacy-Enhancing technologies: Typology, Critique, Vision’ in Agre P & Rotenberg M Technology and privacy: The new landscape (1998) MIT Press, pp.125-142.

[52] Cavoukian A & Hamilton T The privacy payoff: How successful businesses build customer trust (2002) McGraw Hill, Canada p. 253.

[53] HealthConnect Interim Research Report Volume 1 ‘Overview and Findings’, p.57.

[54] Draft Systems Architecture, Architecture Overview p.39

[55] Sweeney L ‘Weaving technology and policy together to maintain confidentiality’ Journal of Law, Medicine and Ethics (1997) 25: 98-110.

[56] HealthConnect Interim Research Report Volume 2 Report 5 ‘What will be necessary to manage privacy’, p.3.

[57] ‘Architecture Overview’ p. 42 in Draft Systems Architecture (July 2003)

[58] HealthConnect Interim Research Report Volume 2 Report 2 ‘Is Health Connect Technically feasible’, p.34.

[59] HealthConnect Interim Research Report Volume 1 ‘Overview and Findings’, p.6

[60] ‘Architecture Overview’ in Draft Systems Architecture (July 2003) p. 18

[61] ‘Architecture Overview’ in Draft Systems Architecture p.7.

[62] HealthConnect Interim Research Report Volume 1 ‘Overview and Findings’ p.60

[63] ‘Architecture Overview’ in Draft Systems Architecture p.7.

[64] HealthConnect Interim Research Report Volume 1 ‘Overview and Findings’, pp.66-67

[65] ‘NT HealthConnect trial interim report’ in HealthConnect Interim Research Report Volume 3 ‘Background documents’, p.10.

[66] HealthConnect Interim Research Report Volume 1 ‘Overview and Findings’, p.12.

[67] HealthConnect Interim Research Report Volume 1 ‘Overview and Findings’, p.78.

[68] HealthConnect Interim Research Report Volume 1 ‘Overview and Findings’, p.64.

[69] HealthConnect Interim Research Report Volume 2 Report 3 ‘Is there a preferred implementation model?’, pp.15 & 16; HealthConnect Interim Research Report Volume 1 ‘Overview and Findings’, pp. 65, 85-86.

[70] Draft Systems Architecture, ‘Architecture Overview’ p.33

[71] House of Representatives Standing Committee on Economics, Finance and Public Administration Numbers on the run: Review of the ANAO audit report No.37 1998-99 on the management of Tax File Numbers Tabled 28 August 2000 [available at www.aph.gov.au/house/committee/efpa/tfnaudit/whole.pdf]; Australian National Audit Office Management of Tax File Numbers Audit Report No. 37, Tabled 29 April 1999 [available at www.aph.gov.au/WebSite.nsf/Publications/4A256AE90015F69B4A256904001872F2].

[72] Needham K ‘Police bust fake ID scam that netted $1million’ Sydney Morning Herald 13 August 2003, p.6; Central Coast Herald ‘Bogus cards claim’ 25 February 2003, p.1; Hughes, G ‘Passports to fraud’ The Sunday Age 6 July 2003, p.17.

[73] HealthConnect Interim Research Report Volume 1 ‘Overview and Findings’, p.13.

[74] HealthConnect Interim Research Report Volume 1 ‘Overview and Findings’, p.8.