Patient privacy concerns ahead of E-Health unveiling

The personally controlled electronic health record system will go live tomorrow, but medical and security experts are voicing their unease. Brittany Cooper examines the privacy issues at stake for health consumers.

There was an elderly customer in the pharmacy where I used to work who felt comfortable enough to lift her skirt, unbidden, and demand that the pharmacist make his assessment of her conundrum right then and there among the racks of nicotine patches and umbrellas.

Privacy is not a top concern for every health care consumer. But for those who sign up for a Personally Controlled Electronic Health Record (PCEHR) next month, being indifferent to privacy will have a range of new ramifications.

In the default setting, users won’t be exposing themselves to a room of strangers but to a whole nation of approximately 400,000 authorised healthcare providers and their IT technicians – not to mention those who gain unauthorised access.

The potential benefits of the PCEHR are rather tempting.

Here is how it will work: your existing Medicare history will be loaded into the record; healthcare workers (usually GPs) add a health summary, which is then supplemented with reports and updates whenever you visit other clinical services.

Having immediate online access to a summary of your every healthcare interaction – including immunisations, blood test results, allergic reactions and medication history – could be a lifesaver, both for the chronically ill and for the chronically disorganised, especially in emergency or after-hours treatment.

Professor Siaw-Teng Liaw, director of the UNSW General Practice Unit, said this new medium was an opportunity to provide more control for the patient.

“I think it’s quite timely, especially for younger and more assertive people in the digital environment,” he said.

Everybody with a Medicare account will be able to sign up for the PCEHR in July, but participation is not mandatory.

And the good news in terms of privacy is that users will be able to specify the level of access they want to give provider organisations (such as GP surgeries, dental clinics and hospitals) with settings of general, restricted and revoked access.

Users will be able to hide certain documents from view and decide whether they want the existence of their PCEHR to be flagged when they turn up for care at an organisation. There will also be an audit trail so users can see which providers have accessed their record.

So why are experts up in arms about privacy concerns?

Dr Juanita Fernando, president of the Australian Privacy Foundation, points out that there is a lack of publicly available information on governance arrangements.

“How can consumers and clinicians provide informed consent for the PCEHR system implementation when they don’t know what they’re consenting to authorise?” she asks.

“I wonder whether key health authorities actually understand the system themselves.”

Marketing information provided to consumers by the Department of Health and Ageing (DoHA) is not transparent or precise enough to provide a clear idea of what we might be signing up for.

Privacy assessors and critics of the PCEHR have identified several issues that pose threats to patient privacy. When a record is created, for example, the default option allows that information to be viewed by all providers Australia-wide. Less computer literate users might not be aware their records are so widely available, or might not understand how to change the setting to restrict access.

Patients may also be unaware that their record will import all of their Medicare and Pharmaceutical Benefits Scheme information unless they object to that setting. As a result they might unknowingly reveal to their dentist or physiotherapist a condition they’d prefer not to share with all their healthcare providers – treatment for depression or a pregnancy termination, for example.

Because there is no restriction on how large a healthcare provider organisation can be in the PCEHR system, consenting to share a record with one doctor could actually mean giving access to a whole statewide hospital system in which the doctor works.

And revocation is keyed to the organisation's Health Provider Identifier: if a patient revokes access for an organisation which then changes its identifier, there will be no SMS or email notification of the change. Worse, consent need only be obtained once for continuing access, so the organisation has probably stored the patient's provider access consent code. Revoking access, as drastic as it sounds, might therefore not be effective.
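The access-control model sketched above (general, restricted and revoked settings, hidden documents, a consumer-held access code obtained once, an audit trail) and the revocation weakness just described can be made concrete with a small simulation. The following is an added example, not code or data from the PCEHR system or the Department; the organisation identifiers, the code format, and the "revoke and rotate" variant are assumptions introduced here to show why blocking an identifier alone is not enough.

```python
"""
Toy model of the PCEHR access controls as the article describes them:
a general/restricted/revoked setting, hidden documents, a consumer-held
access code an organisation obtains once, and an audit trail.
Constructed illustration only; identifiers and code format are assumed.
"""
from dataclasses import dataclass, field
from typing import Optional
import secrets

GENERAL = "general"
RESTRICTED = "restricted"


@dataclass
class Record:
    owner: str
    # Article: the default lets every registered provider organisation read the record.
    access_level: str = GENERAL
    # Assumed: the consumer hands this code to an organisation once, and it is stored there.
    access_code: str = field(default_factory=lambda: secrets.token_hex(4))
    hidden_docs: set = field(default_factory=set)
    # Revocation is keyed on the organisation's provider identifier.
    revoked_orgs: set = field(default_factory=set)
    audit: list = field(default_factory=list)

    def view(self, org_id: str, doc: str, presented_code: Optional[str] = None) -> bool:
        """Return True if org_id may read doc; log every attempt, allowed or not."""
        if org_id in self.revoked_orgs:
            outcome = "denied: organisation revoked"
        elif self.access_level == RESTRICTED and presented_code != self.access_code:
            outcome = "denied: no valid access code"
        elif doc in self.hidden_docs:
            outcome = "denied: document hidden by consumer"
        else:
            outcome = "allowed"
        self.audit.append((org_id, doc, outcome))
        return outcome == "allowed"

    def revoke_by_id_only(self, org_id: str) -> None:
        """Revocation as the article describes it: the identifier is blocked, the stored code lives on."""
        self.revoked_orgs.add(org_id)

    def revoke_and_rotate(self, org_id: str) -> None:
        """Hardened variant (added here, not part of the described system): block the
        identifier, force restricted access, and rotate the code so any copy the
        organisation kept stops working."""
        self.revoked_orgs.add(org_id)
        self.access_level = RESTRICTED
        self.access_code = secrets.token_hex(4)


def scenario(hardened: bool) -> dict:
    """Walk one record through sign-up, consent, revocation and an identifier change."""
    rec = Record(owner="consumer-1")
    clinic, dentist = "org-A", "org-B"  # constructed identifiers, not real HPI-O values
    results = {}
    # 1. Default setting: a dentist the consumer never chose can read imported claims data.
    results["default_dentist_reads_pbs"] = rec.view(dentist, "pbs_claims")
    # 2. Consumer hides a document and restricts access; only the clinic receives the code.
    rec.hidden_docs.add("mental_health_plan")
    rec.access_level = RESTRICTED
    stored_code = rec.access_code  # what the clinic keeps once consent is given
    results["dentist_without_code"] = rec.view(dentist, "pbs_claims")
    results["clinic_hidden_doc"] = rec.view(clinic, "mental_health_plan", stored_code)
    results["clinic_summary"] = rec.view(clinic, "health_summary", stored_code)
    # 3. Consumer revokes the clinic.
    (rec.revoke_and_rotate if hardened else rec.revoke_by_id_only)(clinic)
    results["clinic_after_revoke"] = rec.view(clinic, "health_summary", stored_code)
    # 4. The same organisation reappears under a new identifier, still holding the old code.
    results["clinic_new_id_old_code"] = rec.view("org-A2", "health_summary", stored_code)
    results["audit_entries"] = len(rec.audit)
    return results


if __name__ == "__main__":
    for label, hardened in (("id-only revocation", False), ("revoke and rotate", True)):
        print(label, scenario(hardened))
```

With identifier-only revocation the final step succeeds: the old code still opens the record under the new identifier, and the consumer only learns of it by reading the audit trail afterwards. Rotating the code at revocation time closes that gap regardless of what identifier the organisation presents.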

Then there is the possibility of internal unauthorised access by a rogue employee, say a receptionist who will have left the healthcare organisation by the time the inappropriate access is tracked down. This is particularly worrying in the case of celebrities whose private information could be leaked and sold.

Many commentators believe that these internal security weaknesses will be addressed as the system evolves.

But according to Graham Ingram, general manager of Australia’s national computer emergency response team AusCERT, it doesn’t matter how many complex privacy settings users are offered because the system is still vulnerable to external attack motivated by fraud and identity theft.

Since the database will be accessible from doctors’ computers, pharmacies, internet cafes and even smartphones, malware on our devices would allow hackers to penetrate the system.

“You can secure the backend systems absolutely. But if you allow insecure endpoints to connect to that system then that system is no longer secure. You can’t secure the data if you allow insecure machines to connect,” Mr Ingram said.

He warns that DoHA needs to acknowledge that Australians signing up for the PCEHR face the risk of identity theft.

“I think it’s going to be a disaster that will unfold and we seem powerless to stop it,” he says.

Dr Fernando is just as concerned.

“The PCEHR system is the largest and richest centrally managed database of private citizen information in Australia. The breach of this information will affect thousands, even millions, of people in terms of the invasion of their privacy, potential identity fraud and unreliable medical records upon which to base future treatment,” she says.

As patients with sensitive health information to share, we need to be convinced that there are enough incentives for GPs, pharmacists and other time-poor health professionals to carry out constant maintenance and improvement of their data security software and procedures.

Any sound e-health system will require an enormous amount of extra data security policy training, as well as ongoing system maintenance and breach reporting, most of which must be shouldered by providers themselves because they are the ones handling sensitive information.

Absurdly, undertaking these important extra-clinical duties would mean healthcare workers would be too busy preventing, diagnosing and treating computer viruses to give proper attention to their human patients.

Already research shows that many clinicians are frustrated by slow and unreliable computer systems and some take measures to circumvent disruptive security procedures.

I asked Prof Liaw whether healthcare consumers should be consenting to the creation of a PCEHR in July. Despite his professional enthusiasm for the new medium, he demurred.

“I think they shouldn’t. Personally I wouldn’t if the regulatory environment is unclear,” he said.

Security and information management systems are still evolving and therefore the terms of engagement have been left open.

Dr Fernando answered on behalf of the Australian Privacy Foundation: “We would never tell people how to behave. I feel that individuals have the right to make their own decisions about the PCEHR system based on the facts.”

In every healthcare interaction, the element of trust helps patients find a balance of privacy and effectiveness. This trust is underpinned by the notion that healthcare providers have undertaken to first do no harm: primum non nocere. The altruism of healthcare workers is backed up by the fact that there are remarkably few instances of breach of this trust relationship.

But as we enter an e-health database the interaction is not a dialogue between patient and clinician but with a network of entities as yet undefined – provider organisations, database managers, government bodies and, it must be assumed, potential fraudsters.

The thing we each need to ask ourselves in pursuit of optimal health care is this: what is a tolerable risk when it comes to privacy? As long as patients are in the dark about the PCEHR’s privacy risks, signing up for an e-health record will be an act of trust indeed.
