Submission: On the HealthConnect Business Architecture Version 1.9 (February 2005)
Table of contents
Providing uniform choice across jurisdictions
Ensuring voluntary participation and engagement
Future evolution of consent models
Handling specific event information: ‘opt-in’ and ‘opt-out’
Recognising individual choice preferences
Protecting consumer trust by protected options
Registration and the proposed Medicare smartcard
SECONDARY USES FOR HEALTHCONNECT INFORMATION
Secondary uses approval process
Informed consent and secondary purposes
Protections afforded to secondary purposes
Proposed National Health Privacy Code (NHPC)
Comparative privacy law analysis
Private sector privacy obligations
Software-enabled data harvesting
INTRODUCTION
1. The Office of the Privacy Commissioner (OPC) welcomes the opportunity to comment on the HealthConnect Business Architecture (BA) version 1.9 (marked as ‘version provided for comment’).
2. HealthConnect is expected to deliver financial savings to the health sector as well as facilitating improved electronic linking of health information for clinical and health research purposes. It is expected to improve the efficiency for individual providers by reducing the amount of time they spend obtaining patient information. Most importantly, it may improve clinical treatment by enhancing information flows between health service providers.
3. In recognising these potential benefits however, it is essential to pay equal attention to the risks of such a system, particularly if they could undermine these benefits.
4. This submission does not necessarily address all privacy issues raised by the BA. It focuses on:
- governance arrangements;
- complaint handling and other oversight functions;
- consumer participation in HealthConnect;
- the handling of HealthConnect records for secondary uses;
- law and regulation; and
- the role of the private sector in HealthConnect development and implementation.
5. Electronic health records (EHR) systems are not simply electronic versions of paper-based records. HealthConnect, as an example of such a system, would vastly increase the capacity to collect, store, copy, transmit, share and manipulate health information, and perhaps in ways not expected by individuals. There is greater potential for health information collected for one purpose, to be used or disclosed for other purposes increasingly unrelated to the reason for which it was initially collected (the “function creep” phenomenon). This potential is enhanced by the IT-enabled ability to link data from disparate sources, including possibly from beyond the health sector. Examples of risks raised by electronic health records are provided at Attachment A.
6. Many individuals’ willingness to engage in the health sector is affected by their perception of how their personal health information will be used and how much control they have over it. If HealthConnect is to meet its objectives, which are partly reliant on achieving a significant critical mass of participants,[1] then it must inspire the trust of the Australian community that personal health information will be kept private.
7. A HealthConnect system that does not engender trust may result in individuals withholding important health information from providers or, in some cases, avoiding medical treatment altogether.[2] Privacy is a fundamental necessity for an effective EHR system.
8. For the full implementation of HealthConnect to commence, it is essential that underlying policy and other matters which may affect privacy be addressed in detail.
GOVERNING ARRANGEMENTS
Functions of governing body
9. As noted in our February 2004 submission,[3] the OPC is concerned that the roll-out of HealthConnect is proceeding to implementation without the establishment of an overarching governance body. The BA states that this matter is progressing and we are aware that the matter was considered as part of the Clayton Utz project.
10. This issue has become increasingly significant given the pressing need to develop a comprehensive and detailed framework for privacy protection in HealthConnect. The BA includes references to privacy protocols or privacy rules which will apply to HealthConnect, though their substance and standing are unclear. Similarly, the BA suggests the body will determine access rules for secondary uses of health information held in HealthConnect, an area likely to be of considerable importance to many in the community. A governing body may help to progress the development of these important matters.
11. Resolving the question of the HealthConnect governing body may also resolve uncertainty surrounding obligations parties may have under the Privacy Act 1988. This submission notes at paragraphs 114-115, for example, that the status of the governing body may have important implications for private sector contractors involved in HealthConnect.
12. As the OPC has argued previously, it is important that management and rule-setting functions (to be undertaken by the governing body) be separated from oversight functions (presumably to be undertaken by existing regulatory and accountability agencies such as the Ombudsman and the Office of the Privacy Commissioner).
13. Therefore, while the governing body should have responsibilities to monitor day-to-day operations of the system, the functions of system audit and oversight would be carried out within existing accountability structures. Similarly, the governing body should attempt to resolve individuals’ complaints in the first instance, however, it should not be the final arbiter of such complaints. Existing external regulatory and complaint handling bodies should be mandated to investigate complaints both concerning the operation of the system, as well as the decisions made by the governing body itself.
Privacy Advisory Group
14. The BA sets out key elements of the current project implementation governance structure, including the expected appointment of “expert advisory groups”. These groups would advise the HealthConnect Board and, eventually, the governing body on clinical, technical and implementation evaluation issues.[4]
15. Privacy considerations have not been identified as an immediate focus of an advisory group. Rather, a Privacy Advisory Group is described as something that “may be required” during implementation to “…provide input on issues such as establishing and monitoring privacy protocols, refining consent options and rules; [and] approval of research requests.”[5]
16. Addressing privacy issues is fundamental to gaining trust and integral to the development and implementation of processes or policies involving the handling of personal health information. Health information requires a higher level of privacy protection due to its sensitive nature and its potential value for a range of uses, including commercial uses.
17. The early appointment of a Privacy Advisory Group appears vital to the development and implementation of HealthConnect. Such an appointment, at the earliest possible stage, increases the likelihood that privacy protections will be “built-in” to the system, rather than “bolted-on” at a later date. Such a strategy can help to avoid embarrassing adverse privacy risks, and unforeseen costs or delays for the project while these issues are addressed.
18. The example of the Canadian Longitudinal Labour Force File Databank project illustrates the risks of considering privacy issues after implementation.[6] In that case, community privacy expectations were not addressed during implementation and led to the dismantling of a national database on 34 million Canadians (at a cost of many millions of dollars) and a greater appreciation of the need for “transparency and accountability, and the application of privacy-protection rules for the use of such information”.[7]
19. A “built-in” approach to privacy would also seem to fit with the BA’s stated requirement of “a robust privacy framework”[8] which suggests a supporting, integrated structure.
20. A Privacy Advisory Group may also be a useful addition to the development and implementation of the HealthConnect privacy protocols[9] and guidelines for providers, including in such areas as privacy guidance for consumer registration.
21. The BA also states that the proposed governance structure is still being finalised and that the model for delivering HealthConnect may “change over time”[10] although … “ensuring that HealthConnect functions and operations remain accountable … to the public”.[11]
22. Care is required to ensure that governance flexibility does not encourage unregulated system flexibility and “function creep”, where information is used in ways that go beyond the original expectations of individuals or beyond the original policy settings without appropriate scrutiny and community consultation. The gradual expansion in the functions for which the Australian Tax File Number,[12] US Social Security Number and Canadian Social Insurance Number[13] are used illustrates the process of function creep. Building privacy into HealthConnect governance structures may help to manage this risk, and in turn minimise the possibility that consumer trust and confidence could be undermined.
Privacy Impact Assessment
23. In the OPC’s previous submission on the HealthConnect Draft Systems Architecture and Interim Research Report, it was recommended (in recognition of the scope, technical complexity and fundamental importance of the project) that a “formal comprehensive Privacy Impact Assessment (PIA) of HealthConnect be undertaken by a recognised independent expert.”[14]
24. The OPC has recently released for public consultation a draft document, Managing Privacy Risk–An Introductory Guide to Privacy Impact Assessment for Australian Government and ACT Government Agencies.[15] This document highlights the benefits of conducting a PIA at an early stage in system development. Given HealthConnect implementation is progressing, a PIA should be done as soon as possible.
25. A PIA can identify adverse privacy risks at the development stage, thus allowing the HealthConnect Project Office and Board to address them prior to implementation. A PIA would also likely increase the community’s confidence in the transparency and openness of the development and implementation of the HealthConnect project.
COMPLAINTS AND OVERSIGHT
Complaint handling
26. Assuring individuals that robust and transparent structures and processes exist to remedy the mishandling of health information is an important part of gaining community trust. Enforceable rules are required (discussed at paragraphs 89-92), against which a competent body can investigate and offer remedy to an aggrieved individual.
27. The complaint handling framework for addressing HealthConnect privacy breaches appears vague and incomplete. It is difficult to offer the community assurances that protections exist, when they are only formative or are inconsistent across jurisdictions.
28. The BA suggests possible frameworks for a complaints process and states that the “complaints process will be based on current practices”.[16] This includes that:
- private sector privacy complaints be directed to the Office of the Privacy Commissioner; and
- public sector privacy complaints be directed to the Health Care Complaints Commissioner or state/territory body authorised to deal with privacy and health complaints in each jurisdiction.
29. The OPC also notes that privacy complaints concerning Australian Government agencies’ handling of HealthConnect information fall within its jurisdiction. There may be merit in making this clear in the BA.
30. The BA then suggests a Memorandum of Understanding (MOU) between the respective Health Care Complaints Commissions (or equivalent) to enable the investigation of privacy complaints in the public and private sectors.[17]
31. It is our understanding that a MOU may provide a framework describing a relationship between entities for a particular purpose, such as exchanging information about issues of mutual interest. It would not however have legal status as a form of primary or delegated legislation. A MOU, therefore, seems unlikely to lawfully enable State and Territory Health Care Complaints Commissioners to handle privacy complaints which fall within the jurisdiction of the Privacy Act 1988. Nor would a MOU remove the obligation of the Privacy Commissioner under section 40 of the Privacy Act 1988 to investigate a complaint about an interference with privacy. Such an arrangement seems unlikely to provide individuals with legal recourse in the event of interferences with their privacy.
32. This Office maintains its previously expressed view that it was the Government’s intent when implementing the Privacy Act 1988, and subsequent amendments, that to the degree permitted by the legislation there should be consistency in the regulation of privacy in the Australian Government public sector and the private sector, including by making this Office the regulatory body for such matters. The OPC should retain jurisdiction for privacy complaints emerging from HealthConnect where such complaints fall under current jurisdiction (that is, excluding State and Territory government agencies). To do otherwise would increase regulatory complexity, in that privacy complaints in the private health sector would be investigated by different regulators depending on whether or not they occurred in a HealthConnect context.[18]
33. The BA notes that privacy regulatory schemes vary between states and territories.[19] These arrangements include the rules which apply, and also the powers available to regulatory bodies to investigate and resolve complaints and provide remedies, some of which may offer consumers either greater or lesser protections. In the absence of uniform complaint handling mechanisms, consumers should be informed that protections they are afforded may vary between jurisdictions; such information may be a factor for an individual in deciding whether to enrol in HealthConnect.
Audit and oversight
34. In addition to complaint handling, the community should be informed of what other oversight activities exist for HealthConnect, including powers of independent audit. The BA envisages that the HealthConnect governance body may have functions in regard to “monitoring of compliance throughout the network”.[20] As discussed above at paragraph 11, while the HealthConnect governance body would conduct management of operations, including ensuring provider compliance with participation agreements, there should also be arrangements for complaint-handling and regular independent external audits of the HealthConnect system, including of the governing body, through existing regulatory and accountability agencies.
35. We also note that the HealthConnect governance body may be responsible for setting access rules and making decisions surrounding secondary uses of health information. This highlights the importance of a separate entity tasked with overseeing and reviewing these and other important activities.
CONSUMER PARTICIPATION
36. Many individuals expect to be able to exercise a considerable degree of control over what happens to their health information. It is appropriate for consumer enrolment in HealthConnect to be voluntary and dependent on an active decision by the consumer to ‘opt-in’ at the outset and for each subsequent event. Whether an individual enrols in HealthConnect, and how they engage during that enrolment, should be determined by the free and informed choice of the consumer.
Consent
37. An important aspect of consumer control over their health information is the provision of choice and the opportunity to consent to how that information will be handled.
38. Any consent model for HealthConnect must adequately balance the needs of key stakeholders, primarily including consumers and health providers. While the consent model proposed does include elements which promote privacy, it does not appear that this balance has yet been achieved, as consumers do not appear to have a sufficient degree of choice and control over their personal health information (discussed below at paragraphs 51-68).
39. The opportunity to generate trust in HealthConnect by building privacy enhancing mechanisms into HealthConnect at the design stage should not be lost.
Providing uniform choice across jurisdictions
40. It is our understanding that HealthConnect may incorporate state or territory based EHRs in some jurisdictions. The degree of control offered to consumers by the HealthConnect consent framework should afford a uniform minimum degree of choice mirrored across all jurisdictions, to promote certainty and engender trust.
41. As an example, a consent model offering participation on an opt-out basis (that is, the individual is enrolled unless they say otherwise) and which offers no choice regarding specific event uploading seems unlikely to match the protections afforded by the BA.
42. The Project Office should work toward ensuring that, where local consent models are developed in jurisdictions, these models do not undermine privacy protections afforded by the policies guiding HealthConnect.
Ensuring voluntary participation and engagement
43. We welcome the Project Office’s ongoing commitment to HealthConnect operating on a voluntary basis, whereby an individual’s access to health services is not dependent on whether they enrol. This is emphasised at several points throughout the BA.[21] However, measures may be required to ensure this policy intent is fulfilled. For example, we note a media report quoting a health sector representative suggesting that:
“With HealthConnect, doctors would be able to say they cannot prescribe unless they have the patient's permission to view the patient's records.”[22]
44. The above quote seems to test the principle of voluntary participation in HealthConnect.
45. The HealthConnect Board should consider what steps will be required to prevent practices incompatible with the policy of voluntary participation and engagement. Such measures may include HealthConnect specific legislation enshrining individual choice and prohibiting coercion, as well as education programs for the medical profession and community which explain individuals’ rights regarding voluntary participation.
Future evolution of consent models
46. The BA states that consumer consent has been the subject of extensive research and trials. The OPC acknowledges the work done by the Project Office to engage with stakeholders on this issue. However, it is our view that field trials of different consent models have been limited, with few options considered.
47. For example, based on the findings of the ‘fast-track’ Hobart HealthConnect trial, an ‘opt-in’ approach to event uploading has been deemed inappropriate for broader HealthConnect implementation. This trial, however, only explored one method of implementing an ‘opt-in’ model, and as such its findings may not be broadly applicable. This submission suggests that event-level ‘opt-in’ could be operationalised in simple and efficient ways so as to ensure adequate consumer choice and control, and without imposing a burden on providers (discussed below at paragraphs 58-62).
48. It is particularly notable that the Tasmanian and Northern Territory trials have not explored any complexities which may emerge where secondary uses (other than trial evaluation) are envisaged for the health information. Without this important element, it seems difficult to finalise a consent model for broad implementation.
49. On page 52, the BA states that changes to the consent model will not be considered if the change would require consumer re-consent.[23] It would be valuable for the BA to further explain the types of changes which could be precluded by this policy. For example, the BA proposes that a ‘secret envelope’ could be made available in a future enhanced version of HealthConnect,[24] though it is not clear whether this would impact on the consent model. The extent to which future enhancement of the consent model will be limited by this statement is not clear.
50. The OPC also notes that the forward work program of the National E-Health Transition Authority (NEHTA) includes consent,[25] though it is not clear how this ‘no re-consent’ policy will restrict the application of this work to HealthConnect.
Handling specific event information: ‘opt-in’ and ‘opt-out’
51. A challenge in designing consent models is that individuals wish to be informed and to give consent to the handling of their health information, though they do not necessarily agree on how this should be done. The OPC generally supports an opt-in approach to all consent decision-points in any system involving significant handling of individuals’ personal information. Given its sensitive nature, this is especially important where health information is involved.
52. However, all individuals may not desire such control. For example, some individuals may not wish to be asked whether their HealthConnect record is updated at each event, but are happy for the information to be entered unless they say otherwise. An ‘opt-in’ approach may unintentionally burden such consumers. Research conducted by the UK National Health Service found that 29% of respondents would be happy to provide one-off consent to the sharing of their electronic health record.[26] Also, depending on how it is implemented, it may unreasonably impact on providers’ business practices, as was found during the Hobart HealthConnect trial.
53. Alternatively, other individuals may wish to exercise a high degree of control over their personal health information. These individuals may want to be asked for their consent for each event, particularly if, as some have suggested, ‘opt-out’ models of consent are “not regarded as consent by consumers”.[27]
54. Possible limitations to ‘opt-out’ models were discussed in the HealthConnect consent workshop of 8 May 2002. The ‘Outcomes’ document notes, for example, that:
“…unequal power dynamic between parties would often make it harder for a consumer to raise an objection without prompting than to say ‘No’ if asked directly about whether they wanted the particular material included.”[28]
55. In this regard, we note the hypothetical example used on page 54 concerning a teenage girl who may not want certain information to be included in her HealthConnect record because her parents may see it. While the girl may feel sufficiently empowered to voice dissent and ‘opt-out’ of event upload, research suggests she could choose to avoid treatment altogether.[29]
56. The potential for such consumer disempowerment does not seem to sit comfortably with a stated purpose of HealthConnect being to empower consumers.[30]
57. Consent models should recognise the differing health privacy needs of consumers.
Recognising individual choice preferences
58. In the OPC’s 2004 submission on the HealthConnect Draft Systems Architecture and Interim Research Report, a consent framework was proposed to overcome a ‘one size fits all’ approach to consent, by recognising that different individuals may have different attitudes and expectations regarding the handling of their personal health information. A form of this model is discussed below.
59. This model is envisaged to provide the individual with the option to elect whether they interact with HealthConnect on an ‘opt-in’ or ‘opt-out’ basis at the event level.
60. At registration, the individual could indicate their preference for how they would interact with HealthConnect in the future. If the individual elected to enrol on an ‘opt-out’ basis, then future events would be entered into HealthConnect unless they stated otherwise.
61. Alternatively, if an individual prefers to be asked before information about a particular event is uploaded, then this could be operationalised by a simple on-screen prompt for the health provider which would appear when the consumer’s HealthConnect record is opened for pre-consultation review. This prompt would simply indicate to the provider that the consumer’s consent should be sought before uploading information about the current event.
62. We understand that the Brisbane Southside HealthConnect trial will explore the value of on-screen prompts and reminders to providers in certain circumstances.
Protecting consumer trust by protected options
63. Over the course of a lifetime, a significant proportion of people may experience conditions which they view as highly sensitive and for which they need extra assurances that related information will be handled privately. For example, many people believe that information concerning mental health may be particularly private. It is estimated that 20% of Australians will be affected by mental health problems during their lifetimes.[31] Typically, the individual can choose to withhold information from a certain provider, including if it is particularly sensitive.
64. The BA provides that consumers have limited choice regarding the handling of their health information for a specific event. The only available choices are that information is entered for all nominated providers to view, or it is not entered at all.
65. In many cases, an individual may not want all aspects of their HealthConnect record to be accessible to all health service providers with which they interact for a range of conditions. They may, however, want that information to be available to some of their providers.
66. Giving consumers the opportunity to decide that some information should only be available to some providers mirrors how individuals currently interact with the health sector. The BA does not provide such an option, hence some consumers are likely to feel that they can exercise less control over their health information than is currently the case.
67. The OPC contends that HealthConnect should incorporate the capacity for individuals to have greater choice and control over information they believe is especially sensitive and which warrants higher degrees of protection. There are various methods available to operationalise these choices, including the proposed ‘sealed envelope’ approach in the UK[32] and forms of ‘masking’ as implemented in Alberta, Canada.[33] The merits of these options vary depending on preferred implementation, though they share the general benefit that consumer control is enhanced.
68. The OPC is aware of concerns surrounding such proposals, including that they may contribute to incomplete records (for some providers), they raise uncertain liability questions, and may provide a false degree of assurance to consumers. To the extent these concerns are valid, they seem neither insurmountable nor do they necessarily outweigh the significant benefits likely from empowering consumers to interact with HealthConnect in a comprehensive way.
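The consent model proposed at paragraphs 58-62 (a registration-time choice between event-level ‘opt-in’ and ‘opt-out’, with an on-screen prompt to the provider for ‘opt-in’ consumers) and the per-event visibility restriction argued for at paragraphs 63-68 (‘sealed envelope’ or ‘masking’) can both be expressed as a small authorisation model. The following is an added illustration written for this page, not code from the BA, the Project Office or the OPC; the class and field names, and the sample consumers and providers, are assumptions constructed here.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Set


class EnrolmentMode(Enum):
    """Registration-time preference chosen by the consumer (paragraph 60)."""
    OPT_IN = "opt-in"    # ask before each event is uploaded
    OPT_OUT = "opt-out"  # upload each event unless the consumer objects


@dataclass
class Consumer:
    consumer_id: str
    mode: EnrolmentMode
    nominated_providers: Set[str]   # providers the consumer has chosen to share with


@dataclass
class Event:
    event_id: str
    consumer_id: str
    author_provider: str
    # None means "all nominated providers"; a set restricts the event to a
    # subset of them (the masking / sealed-envelope choice of paragraphs 66-67).
    visible_to: Optional[Set[str]] = None


@dataclass
class UploadDecision:
    upload: bool            # may the event be written to the record?
    prompt_provider: bool   # should the provider's screen show a consent prompt?
    reason: str


def decide_upload(consumer: Consumer, event: Event,
                  explicit_consent: Optional[bool] = None,
                  objected: bool = False) -> UploadDecision:
    """Apply the consumer's registration-time preference to one clinical event.

    For opt-out consumers the event is uploaded unless they object (paragraph 60).
    For opt-in consumers the provider is prompted when the record is opened, and
    nothing is uploaded until consent has actually been given (paragraph 61).
    """
    if consumer.mode is EnrolmentMode.OPT_OUT:
        if objected:
            return UploadDecision(False, False, "opt-out enrolment: consumer objected")
        return UploadDecision(True, False, "opt-out enrolment: no objection raised")
    # Opt-in enrolment: the absence of an answer is not consent.
    if explicit_consent is None:
        return UploadDecision(False, True, "opt-in enrolment: consent not yet sought")
    if explicit_consent:
        return UploadDecision(True, True, "opt-in enrolment: consumer consented")
    return UploadDecision(False, True, "opt-in enrolment: consumer declined")


class RecordStore:
    """Minimal in-memory stand-in for a HealthConnect record (constructed here)."""

    def __init__(self) -> None:
        self._events: Dict[str, List[Event]] = {}

    def upload(self, consumer: Consumer, event: Event, decision: UploadDecision) -> bool:
        """Write the event only if the consent decision allows it.

        A visibility restriction must name a subset of the consumer's nominated
        providers; anything else is a configuration error, not silently widened.
        """
        if not decision.upload:
            return False
        if event.visible_to is not None and not event.visible_to <= consumer.nominated_providers:
            raise ValueError("visible_to must be a subset of the nominated providers")
        self._events.setdefault(consumer.consumer_id, []).append(event)
        return True

    def view(self, consumer: Consumer, provider_id: str) -> List[str]:
        """Return the event ids a given provider is permitted to see.

        Non-nominated providers see nothing; masked events are shown only to
        the providers the consumer listed for them.
        """
        if provider_id not in consumer.nominated_providers:
            return []
        return [ev.event_id
                for ev in self._events.get(consumer.consumer_id, [])
                if ev.visible_to is None or provider_id in ev.visible_to]


def demo() -> Dict[str, List[str]]:
    """Walk one opt-in consumer through an ordinary and a masked event (sample data)."""
    alice = Consumer("alice", EnrolmentMode.OPT_IN, {"gp", "psychiatrist", "emergency"})
    store = RecordStore()
    routine = Event("ev-1", "alice", "gp")
    store.upload(alice, routine, decide_upload(alice, routine, explicit_consent=True))
    # Sensitive mental-health event, released to the treating psychiatrist only.
    masked = Event("ev-2", "alice", "psychiatrist", visible_to={"psychiatrist"})
    store.upload(alice, masked, decide_upload(alice, masked, explicit_consent=True))
    return {p: store.view(alice, p) for p in ("gp", "psychiatrist", "emergency", "pharmacy")}
```

Calling `demo()` shows the psychiatrist seeing both events, the GP and emergency department seeing only the routine one, and a non-nominated pharmacy seeing nothing.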
Registration and the proposed Medicare smartcard
69. There is some ambiguity in the BA surrounding registration for consumers who have a (proposed) Medicare smartcard. On page 58 there is a discussion of a Medicare smartcard holder enrolling for HealthConnect via the web. On page 115 there is a further reference to a Medicare smartcard holder enrolling online, in this case by using the Medicare smartcard and a PIN. It is the OPC’s understanding that the Medicare smartcard will not have a PIN or other attributes which could be used by consumers for secure online authentication.
70. Further information on how this online registration would occur seems necessary. In particular, in the absence of a PIN, if a Medicare smartcard is stolen, it is unclear what would prevent an individual from enrolling another person in HealthConnect (in itself, perhaps a relatively benign act), and then obtaining health information on that person by instigating the process of establishing the initial health profile, as described on page 59. Such a possibility may also raise identity theft risks.
71. In addition to online registration, the BA states that consumers will also use Medicare smartcards at their first presentation at a provider, though notes that “[a]lternate processes will be put in place in the absence of a smartcard”.[34] We encourage the earliest possible consideration and clarification of these processes so as to allow individuals without Medicare smartcards to interact with HealthConnect. As Medicare smartcards are intended to be voluntary, individuals without them should not be disadvantaged in accessing HealthConnect.
72. We also note that the Medicare smartcard proposal is an emerging one subject to further policy development.
SECONDARY USES FOR HEALTHCONNECT INFORMATION
73. The OPC understands that it is intended for information collected into HealthConnect to be used for secondary uses, drawing on data from the National Data Store.[35] Some secondary uses may have clear benefits to the community and can be performed without affecting the privacy of an individual.
74. A challenge for policy makers when considering the handling of health information is to balance the public good with individual interests. While claims for the secondary use of health information may have public benefits, there is research evidence which suggests that individuals have particular needs regarding their degree of control over the handling of their health information for purposes other than their clinical treatment.
75. For example, OPC research found that 64% of respondents felt their consent should be sought before de-identified information derived from the health information collected from or about them was used for the secondary purpose of research,[36] a result very similar to US findings.[37]
76. Other research supports the view that consumers expect to be able to exercise some control over the handling of their information for secondary purposes.[38] Canadian research found that 76% of consumers expected to be able to ‘opt-in’ to having their health information handled for secondary purposes.[39]
77. Consumers have frequently expressed particular discomfort at the possibility of their health information being used for commercial gain.
78. Accordingly, considerable care should be taken to ensure that individuals’ health information is not used in such a way as to make the individual feel that they have lost control over that information. If trust in HealthConnect is lost due to unexpected, unwanted or inappropriate secondary uses of information, it may be difficult to regain.
Secondary uses approval process
79. The current approach to approving secondary uses appears to underestimate community sensitivities. Section 7.4.2 says “[t]here are also expected to be reasons for secondary uses not yet envisaged and the process and procedures [to approve secondary uses] will need to be enhanced over time to accommodate this”.[40] This statement is in contrast with the statement on page 52 that the consent model is largely fixed (see paragraph 49).
80. In addition, this approach to secondary uses could encourage function creep by permitting uses for the system increasingly unrelated to the delivery of health care to the individual.
81. Section 7.4.2 goes on to explain that “…proposals for secondary uses... should be assessed against ethical and legal principles… [italics added]”. The OPC suggests “should” be replaced by “must”. This sentence concludes by explaining that these principles will operate rather than “…specifying categories of permissible use”. The effect of this sentence seems to be that it will be impossible for consumers to know even broad categories of potential secondary uses, let alone specific uses. Paragraphs 84-87 below consider this further in terms of informed consent.
82. Further, the section explains that proposals for the use of identified data “for research purposes” will be assessed through a rigorous process, though no details of this process are provided. We suggest the word “medical” should be inserted before “research” to mirror the existing limitations generally applied to the disclosure of identified data.
83. Additionally, there is reference to HealthConnect not providing “support” to certain categories of secondary uses, including in contravention of laws or where cell sizes are too small. We suggest that the word “support” should be replaced by “permit”.
Informed consent and secondary purposes
84. The BA envisages that consumers will, at registration, consent to their health information being handled for unspecified secondary purposes, subject to various protections.[41] This may not be sufficient to constitute informed consent in that the consumer will not know to what it is they are consenting.
85. Secondary uses should be clearly stated and underpinned by law or regulation. Regulatory instruments changing or expanding secondary uses should be subject to Parliamentary scrutiny and consultation with key stakeholders, including the Privacy Commissioner.
86. Defining secondary uses may help to address the question of informed consent, in that consumers can specifically be informed what these uses will be. Further, such transparency is important in ensuring community trust that individuals’ information will be handled in ways they either are aware of or can find out about.
87. For example, the OPC notes that secondary uses of personal information collected in the Australian electoral roll are prescribed in Schedule 3 of the Electoral And Referendum Regulations 1940.[42] Section 91A (1) of the Commonwealth Electoral Act 1918 imposes a penalty for the use of electoral roll information for non-prescribed purposes.
Protections afforded to secondary purposes
88. The privacy protections afforded to the secondary use of health information seem incomplete in the BA. As discussed at paragraphs 93-97, references to ‘strict privacy protocols and appropriate legislation’[43] reflect an appropriate underlying intention; however, more detail is required as to the specific protections afforded by such instruments.
LAW AND REGULATION
89. Effective privacy protection requires a multi-faceted approach and can be achieved by a mix of appropriate technologies, security arrangements, organisational processes, and training and education programs. Protections offered by law are another necessary element.
90. It appears that there is further work to be done toward providing a robust and comprehensive legal privacy framework for HealthConnect.
Proposed National Health Privacy Code (NHPC)
91. It is noted that a core component of the proposed regulatory framework for HealthConnect is the implementation of the NHPC. The OPC stated in its submission of February 2004 that “[t]he proposed code has already experienced quite a lengthy gestation period to reach its current form. It seems likely that this code may not become law for some time, possibly years, thus raising the prospect that its protections may be unavailable as HealthConnect is implemented”.[44]
92. In reiterating this, the OPC again cautions against over-reliance on the yet to be realised National Health Privacy Code. Given the magnitude of the HealthConnect project and the sensitive nature of health information, a robust privacy framework needs to be established as a priority. In the absence of the NHPC, other arrangements are needed, if only in the interim, which provide strong privacy protections.
Legislative protections
93. The OPC welcomes the intent expressed in the BA that privacy regulation is important and will be supported by legislative protections of some form. However, while this intent is supported, greater detail is required, particularly as broad implementation for HealthConnect approaches. There are numerous references throughout the BA to “privacy protocols” and HealthConnect “privacy rules”;[45] however, it seems timely that these take some form.
94. At Page 57, there is a comment that further information on privacy protocols is available in Part E of the BA. However, the relevant section of Part E (12.2.3) provides little detail other than to list broadly what areas could be subject to protection (for example, access).[46] The content or status of mentioned “privacy rules” is unclear.
95. The BA notes there are a number of regulatory and legislative regimes across many jurisdictions.[47] The OPC regulates the entire private health sector and any handling of personal information by Australian and ACT[48] government agencies. The privacy of health information contained within, and handled by, the state or territory public sector is regulated by those jurisdictions. Some jurisdictions have also passed legislation seeking to regulate private sector health providers.
96. This is problematic for HealthConnect, as not all jurisdictions afford enforceable legal privacy protections to consumers. Other arrangements are necessary to ensure that all consumers have uniform privacy rights which afford them the highest degree of privacy protection; such arrangements do not appear to be in place.
97. The BA notes that provider responsibilities include “[p]articipation in line with the HealthConnect confidentiality and privacy arrangements [and] [p]roviders must abide by privacy legislation and by specific HealthConnect privacy protocols”.[49] This statement suggests that all providers are covered by some existing privacy legislation. As discussed above, this is not necessarily the case. Without specific HealthConnect legislation or the implementation of the proposed National Health Privacy Code (NHPC), there are gaps in the protection of health information contained within HealthConnect. If left unresolved, individuals should be made aware of possible gaps in their privacy protection.
Comparative privacy law analysis
98. It appears from the BA that there is an understanding of the need to address the weaknesses in the current privacy arrangements. At section 6.2.8, reference is made that “privacy arrangements will be tailored to suit each jurisdiction for each implementation.”[50] This seems to show recognition of the differences and gaps that exist, and are likely to exist in future, across jurisdictions. However, it is unclear what these privacy arrangements will be, or what is meant by “to suit each jurisdiction”. The OPC is hopeful that this means enforceable privacy protections will apply uniformly to at least the standard of protection offered by the Privacy Act 1988.
99. There appears to be a need for a thorough and detailed analysis of privacy law relevant to HealthConnect, including comparative work on the protections afforded in each jurisdiction. While there is some consideration of this topic in the draft legal issues report prepared by Clayton Utz, the OPC understood that detailed analysis of privacy law was outside the scope of that project and would be subject to separate consideration.
100. The OPC suggests that such an analysis be completed ahead of the further implementation of HealthConnect, and before any legislative or consent protocols are settled. This would provide important insight into where privacy protections may be lacking and other arrangements required.
101. In the BA, it is suggested that a series of MOUs could be established creating relationships with State and Territory Health Care Complaints Commissioners to handle privacy complaints. As discussed above at paragraphs 30-32, such a system of MOUs seems unlikely to be an adequate substitute for a comprehensive and robust privacy framework.
HealthConnect legislation
102. The OPC suggests that given the particular nature of HealthConnect, specific HealthConnect legislation could usefully be implemented to address specific privacy concerns. As argued previously, “specific establishing legislation for HealthConnect setting out primary uses of data, authority and processes for approval of secondary uses of data, consent processes, penalties and sanctions and complaints mechanisms”[51] is needed.
Provider Agreements
103. The OPC supports the initiative to impose obligations on providers through the use of legally enforceable provider agreements. The OPC encourages the Project Office and Board to ensure that these agreements include provisions which require strict privacy standards and that they are actively enforced.
104. One item which may usefully be prescribed in the agreements is provider security obligations. Page 33 outlines that:
“Providers are responsible for the security of any EHR information integrated into their clinical information systems. Once HealthConnect EHR information has been entered into a local system, the owner of that system has responsibility for the security of the information”.
105. Similarly, at page 32, “Each provider organisation will be responsible for controlling its personnel’s use of HealthConnect information”. These statements seem to vest sole responsibility for these matters in the provider, whereas the OPC suggests that the governing body could usefully prescribe minimum standards and set these out in provider agreements.
106. The OPC encourages provider agreements which require minimum standards be met by providers with respect to the security of health information and access to this information by employees.
107. The issue of audits arises on page 32, in that “all access will be audited and providers may be requested to provide reasons for an access event”. Again, we trust that providers will be required to accept such audits as terms of provider agreements (including audit by any appropriate, independent third-party body).
Privacy Protocols
108. Greater clarity is sought with respect to the “specific HealthConnect privacy protocols”.[52] The OPC assumes that the protocols discussed are not the same as the various HealthConnect Trial Protocols. The Trial Protocols were trial specific and may not be suitable for broader implementation. Considerably more detail on the likely content and standing of these protocols would be valuable.
109. It is assumed that these protocols by themselves are not intended to be enforceable in law; however, the OPC recommends that they should be included in the enforceable provider agreements discussed above. Alternatively, there may be merit in considering whether the protocols could be set out under legislation as delegated instruments. This again may require HealthConnect specific legislation.
PRIVATE SECTOR INVOLVEMENT
110. The BA envisages at several points that the private sector will likely be involved in the ongoing development and implementation of HealthConnect. This is likely to raise a number of issues.
Commercial use of data
111. As discussed above concerning secondary uses for HealthConnect data, the community is likely to have strong views regarding the commercial use of health information. If it is envisaged that HealthConnect may be used for commercial purposes then this must be made clear and subject to community debate and discussion. It is essential that there be such transparency during the development of HealthConnect.
112. The BA is unclear as to the envisaged status of the private sector. For example, the comment is made on page 28 that “…the private sector is likely to invest in HealthConnect only after a proven business case for the private sector has emerged”. It is unclear what is envisaged by this statement. For example, it could refer to the provision of contracted services by the private sector (such as IT services), or the use of data for commercial purposes or something else.
113. Community trust may be undermined if there is a lack of transparency regarding the private sector’s role in HealthConnect and the handling of health information.
Private sector privacy obligations
114. Depending on how HealthConnect is structured, there are likely to be obligations on private sector service providers stemming from either the Information Privacy Principles or National Privacy Principles. For example, if the governing body is not an Australian Government agency, then in the absence of the NHPC it is likely that private sector contractors will be bound by the NPPs.
115. For example, NPP 7 concerning the handling of Australian Government identifiers, such as Medicare numbers, may affect how the private sector provides services to HealthConnect. The effect of NPP 7 will depend on other decisions currently pending, including the form of the governing body, the HealthConnect identifier and the types of functions performed by the provider.
Software-enabled data harvesting
116. The OPC has previously raised with the Project Office the emerging issue of personal computer software which ‘harvests’ information from networked computers for commercial purposes.[53] This can be done with or without software licences agreed to by the health provider. It is less clear whether individuals agree to or are even aware of such practices.
117. As HealthConnect, by its nature, increases the amount of health information which can be accessed electronically, this issue is one which requires consideration. It should be made clear to the public whether such data harvesting will occur with HealthConnect data. If so, this would seem to affect and alter the commitments to be made concerning protections afforded to secondary uses of health information.
118. Both legal and technical measures may be required to address this issue.
SUMMARY
- Privacy is a fundamental necessity for an effective Electronic Health Record (EHR) system. If a system such as HealthConnect does not engender trust, then individuals may withhold important health information from providers or, in some cases, avoid medical treatment altogether. For the full implementation of HealthConnect to commence, it is essential that underlying policy and other matters which may affect privacy be resolved. (Paragraphs 7-8)
- The early appointment of a Privacy Advisory Group appears vital to the development and implementation of HealthConnect. Such an appointment, at the earliest possible stage, increases the likelihood that privacy protections will be “built-in” to the system, rather than “bolted-on” at a later date. (14-22)
- In a more general context, the Office of the Privacy Commissioner (OPC) has highlighted the benefits of conducting a Privacy Impact Assessment (PIA) at an early stage in system development. In light of the pending implementation of HealthConnect, the OPC suggests a PIA be done as soon as possible. (23-25)
- The OPC should retain jurisdiction for privacy complaints emerging from HealthConnect where such complaints fall under current jurisdiction (that is, excluding State and Territory government agencies). A system of Memorandums of Understanding (MOUs), as has been suggested in the Business Architecture Version 1.9 (BA), between regulatory bodies seems unlikely to be an adequate substitute for a comprehensive and robust privacy framework. (30-33)
- While the HealthConnect governance body would conduct management of operations, including ensuring provider compliance with participation agreements, there should also be arrangements for complaint-handling and regular independent external audits of the HealthConnect system, including of the governing body, through existing regulatory and accountability agencies. (12-13, 34-35)
- The degree of control offered to consumers by the HealthConnect consent framework should afford a uniform, minimum degree of choice, mirrored across all jurisdictions, to promote certainty and engender trust. (40-42)
- The HealthConnect Board should consider what steps will be required to prevent practices incompatible with the policy of voluntary participation and engagement. Such measures may include HealthConnect specific legislation enshrining individual choice and prohibiting coercion. (43-45)
- The BA states that changes to the consent model will not be considered if the change would require consumer re-consent. It would be valuable for the BA to indicate the types of changes which could be precluded by this policy. The extent to which future enhancement of the consent model will be limited by this statement is not clear. (49)
- The HealthConnect consent model should recognise the differing health privacy needs of consumers, and provide choices which meet such needs. (51-57)
- HealthConnect should incorporate the capacity for individuals to have greater choice and control over information they believe is especially sensitive and which warrants higher degrees of protection. (58-68)
- Medicare smartcards are intended to be voluntary and individuals without them should not be disadvantaged in accessing HealthConnect. The OPC encourages the earliest possible consideration and clarification of HealthConnect processes to allow individuals without Medicare smartcards to interact easily with HealthConnect. (69-72)
- Community views on secondary uses should be recognised in any arrangements for the use of health information for purposes other than the treatment of individuals. (73-78)
- Secondary uses should be clearly stated and underpinned by law or regulation. Regulatory instruments changing or expanding secondary uses should be subject to Parliamentary scrutiny and consultation with key stakeholders, including the Privacy Commissioner. (85-87)
- The OPC suggests that a full analysis of privacy regulation in all states and territories should be completed ahead of the further implementation of HealthConnect, and before any legislative or consent protocols are settled. (98-100)
- The OPC encourages the Project Office and Board to ensure that provider participation agreements include provisions which require strict privacy standards, with these standards to be actively enforced. (103-107)
- The role envisaged for the private sector is not clearly stated in the BA. The potential involvement of the various private sectors should be more clearly defined so that the community can understand and discuss this issue in an informed manner. (110-118)
Attachment A: Examples of risks posed by electronic health records
“Hacker accesses Patient Records”, Washington Post, December 9 2000
The University of Washington Medical Centre acknowledged that a hacker had infiltrated its computer system in 2000 stealing confidential medical records of thousands of patients.
“Security Breach: Hacker gets Medical Records”, American Medical News, January 29 2001
Health Net of California confirmed that a computer programming error led the health insurer to mail sensitive patient data to the wrong people.
http://www.ama-assn.org/amednews/2001/01/29/tesa0129.htm
“Hospital to tighten privacy for patients”, Toronto Star, 31 July 2002
Electronic health records of two well-known patients were improperly accessed by non-authorised staff of the University Health Network in Toronto.
“Kaiser Permanente Shuts Down Online Application System Following Security Breach”, San Francisco Chronicle, March 12 2004
A similarity in passwords or ID numbers caused a prospective member of a health management organisation in the US to access another potential member's application online, which contained sensitive health information.
http://californiahealthline.org/index.cfm?Action=dspItem&itemID=100920
“Sex-Change Patient’s file put on the net”, Sydney Morning Herald, 6 June 2004
A sex-change recipient was alerted by a researcher to the fact that her highly sensitive medical records, including her psychiatric history, were published on the internet. Also discovered on this same website was a list of names for another dozen patients, some of whom had their HIV status recorded.
http://com.au/articles/2004/06/05/1086377188047.html
“About 1.4 Million Computer Records for In-Home Supportive Service Breached”, Sacramento Beat, October 21 2004
A ‘hacker attack’ exposed 600,000 records of care recipients and providers in a University of California-Berkeley database.
http://californiahealthline.org/index.cfm?Action=dspItem&itemID=106520
[1] Business Architecture (BA) Page 27.
[2] See, for example, Goldman & Hudson 2000 ‘Virtually exposed: Privacy and e-health’ Health Affairs Volume 19, Number 6, p.141: “Without trust that their most sensitive health information will be safeguarded, patients are reticent to fully and honestly disclose personal information and may avoid seeking care altogether – both online and off”
[3] OPC (2004) Submission on the HealthConnect Interim Research Report and Draft Systems Architecture p.17 [available at http://www.privacy.gov.au/publications/healthcsub04.pdf ]
[4] BA Page 164.
[5] BA Page 164.
[6] Human Resources Development Canada (2000) Media Release: HRDC Dismantles Longitudinal Labour Force File Databank 29 May [available at http://www.hrsdc.gc.ca/en/cs/comm/news/2000/000529_e.shtml ]; Wired News Report (2000) ‘Canada Scraps Citizen Database’ 30 May [available at http://wired.com/news/politics/0,1283,36649,00.html].
[7] Bennet C and Raab The Governance of Privacy: Policy instruments in global perspective (2003) Ashgate, London: p.115.
[8] BA Page 165.
[9] BA Page 167.
[10] BA Page 161.
[11] BA Page 161.
[12] See, for example, OPC (2004) Proof of ID Required? Getting Identity Management Right [available at http://www.privacy.gov.au/news/speeches/sp1_04.doc ]
[13] A Canadian Parliamentary Inquiry noted:
“The expanded use of the SIN inside government soon paved the way to broader use of the Social Insurance Number in the private sector. Before long, credit bureaus began to use the SIN to run credit checks on potential borrowers. Provincial social programs began using the SIN in the administration of benefits. Employers large and small used it as part of their tracking and accounting system for employee benefits. Mistakenly, the private sector began to look upon the SIN as a piece of identification and property owners asked for it on apartment rental applications, video stores required it as security for movie rentals, universities and colleges requested it on their application forms and pizza places even used it as a customer number for their delivery system. Apart from inappropriate use of the number, its uncontrolled use leaves Canadians vulnerable to serious breaches of their personal privacy that range from data-matching carried out without their knowledge and authorization, to identity theft.”
Report of the Standing Committee on Human Resources Development and the Status of Persons with Disabilities, Beyond the numbers: the future of the social insurance number system in Canada, May 1999 [available at http://www.parl.gc.ca/InfoComDoc/36/1/HRPD/Studies/Reports/hrpdrp04/09-part1-e.htm ].
[14] OPC (2004) Submission on the HealthConnect Interim Research Report and Draft Systems Architecture, paragraph 110, p.26 [available at http://www.privacy.gov.au/publications/healthcsub04.pdf ].
[16] BA Page 55.
[17] BA Page 56.
[18] OPC (2004) Submission on the HealthConnect Interim Research Report and Draft Systems Architecture, p.16 [available at http://www.privacy.gov.au/publications/healthcsub04.pdf ].
[19] BA page 166.
[20] BA Page 161.
[21] See, for example, pages 25 and 31 of the BA which state that consumer participation will be on a ‘voluntary and non-discriminatory’ basis.
[22] Grayson T ‘IT snags put database on hold’ Weekend Australian 26 June 2004: p.18.
[23] “Considerable research has gone into the development of the consent model; any changes to the model that would require consumer re-consent would be prohibitively expensive”
[24] BA Page 55.
[25] BA Page 165.
[26] UK National Health Service, Share with Care Final Report (October 2002) [available at
[27] Upshur R, Morin B and Gorel V ‘The privacy paradox: laying Orwell’s ghost to rest’ Canadian Medical Association Journal (2001) Volume 165: 308.
[28] ‘Consent in the HealthConnect trials’: Outcomes of the HealthConnect consent workshop 8 May 2002, p. 10 [available at http://www.healthconnect.gov.au/pdf/cons_wk.pdf ].
[29] For example, US research has found that half of respondent teenagers would seek health care for certain conditions (mainly concerning sexual health) on the basis of “only if parents do not know.” (Marks A et al “Assessment of health needs of adolescents in a suburban population” Journal of Paediatrics (1983) Volume 102: 456-460).
[30] BA Page 23.
[31] Department of Health and Ageing National Mental Health Strategy [available at http://www.health.gov.au/internet/wcms/Publishing.nsf/Content/mentalhealth-mhinfo-nmhs-index.htm ].
[32] See, for example, http://www.e-health-insider.com/comment_and_analysis/index.cfm?ID=41 and http://www.nhsia.nhs.uk/snomed/pages/events/nhscrs/npfit_m_cooke.pdf
[34] BA Page 63.
[35] BA Page 41.
[36] OFPC (2004) Community Attitudes Towards Privacy 2004 [available at http://www.privacy.gov.au/publications/rcommunity/index.html ].
[37] A Gallup Survey from 2000 found “67 percent oppose researchers seeing their medical records without the patient's permission” [available at http://www.forhealthfreedom.org/Gallupsurvey/index.html ].
[38] National Health Service, Share with Care Final Report (October 2002); Whiddett R, Hunter I and Engelbrecht J (2004) ‘Patients’ attitudes towards sharing their medical information’, paper presented at the Australian Psychological Society 39th Annual Conference, 29 Sept-3 October.
[39] Willison D et al ‘Patient consent preferences for research uses of information in electronic medical records: interview and survey data’ British Medical Journal 15 February (2003) Volume 326.
[40] BA Page 97.
[41] See BA page 33: “Consumers will be advised that consent to participate in HealthConnect will include consent for HealthConnect information to be used for approved secondary purposes”.
[43] For example, see BA Page 38 (‘the provision of data for secondary uses will only be allowed under strict privacy and ethical protocols, appropriate legislative requirements and monitoring of such use’).
[44] OPC (2004) Submission on the HealthConnect Interim Research Report and Draft Systems Architecture para 48 [available at http://www.privacy.gov.au/publications/healthcsub04.pdf ].
[45] For example, BA Pages 57, 77 and 167.
[46] BA Page 167.
[47] BA page 166.
[48] For ACT, excluding health information.
[49] BA Page 77 (similarly BA Page 32).
[50] BA Page 77.
[51] OPC (2004) Submission on the HealthConnect Interim Research Report and Draft Systems Architecture para 43 [available at http://www.privacy.gov.au/publications/healthcsub04.pdf ].
[52] BA Pages 57, 77 and 167.
[53] See, for example, Australian Doctor ‘GPs paid peanuts for data’, 11 November 2004; Australian Doctor ‘Fight over information trade’, 19 November 2004.