Glitch in PCEHR allows allied health to upload SHSs
An apparent glitch in the security arrangements for the PCEHR means that allied health practitioners are able to upload shared health summaries through general practice software, contrary to the rules of the PCEHR Act.
The act states that only medical practitioners, registered nurses or Aboriginal health workers, as the patient's nominated healthcare provider, are allowed to create and upload a shared health summary. Allied health practitioners are restricted to viewing the record and uploading event summaries.
Pulse+IT has learned that despite this restriction, it is still possible for an allied health practitioner to upload a shared health summary through GP software, using their own Healthcare Provider Identifier – Individual (HPI-I).
A general practitioner who wished to remain anonymous told Pulse+IT that an exercise physiologist working with his practice had been able to achieve the feat.
The GP, who is also the designated responsible officer (RO) for the practice, was sitting with the exercise physiologist and training him on the system. He decided to test it by getting the physiologist to write and post a shared health summary. The physiologist is registered within the practice software and had recorded his HPI-I in the system.
The GP used his own PCEHR as a test. The shared health summary was created and uploaded, and it appears in the record's audit log with the physiologist's name and HPI-I.
Under the GP's supervision, the physiologist removed the document immediately after posting it. GPs are allowed to remove a document that they themselves have created, although they are not allowed to remove one created by anyone else.
The GP said that as the RO, he was actually trying to show the physiologist what he couldn't do, so tested the software to see what would happen.
He said the only safeguard was a challenge screen, which required the physiologist to attest that he was a treating health professional and the nominated healthcare provider for the patient, and that he had prepared the shared health summary in consultation with the patient.
“All you need to do is tick the box that says yes and it went up,” the GP said. “A healthcare provider would have to knowingly tick the box [in contravention of the PCEHR Act] but it is still a problem because if you get a health professional who is busy, they might do the usual thing that people do when they come across a wall of text that says 'I agree to the terms and conditions'.
“Everyone just ticks the box and says 'yes I agree with them'. It is a poor design basically.”
The GP said both he and the physiologist were technically in breach of the act, but as the RO, the GP is the responsible party. “It seems to be relying on the honour system, which I suppose is always going to be the safeguard.”
A former clinical lead with NEHTA told Pulse+IT that during the consultation phase on the design of the system, the clinicians had requested that a technical conformance point for the shared health summary be added to all PCEHR-compliant clinical software to restrict the ability to upload them to those healthcare providers authorised under the PCEHR Act.
“The clinicians argued strongly some two years ago, early in the design phase, that the system and the software required technical constraints and conformance points to ensure that only those classes of healthcare provider authorised under the act could upload a SHS,” the former clinical lead said.
“This is technically achievable by use of the [Australian and New Zealand Standard Classification of Occupations (ANZSCO)] codes that classify HPI-Is.”
The former clinical lead said this was not supported by either NEHTA or the system operator, namely the Department of Health, so did not go ahead.
Clinical software vendors working on the project had instituted a safeguard in their systems in which all HPI-Is used to enter the PCEHR from within the software were verified against the name registered against the HPI-I in the Healthcare Provider Directory (HPD).
Pulse+IT understands that as the HPD was at the time largely unpopulated, NEHTA instructed the software vendors to remove that feature, despite having originally insisted upon it.
The GP said that while the honour system would work as a safeguard, he was concerned that the glitch could be dangerous in large, multi-doctor practices that employ many allied health practitioners. “They'd definitely have liability issues,” he said.
A spokeswoman for the Department of Health said the PCEHR Act 2012 “provides that a shared health summary must be prepared by an individual's nominated healthcare provider.
“This is not intended to include allied health practitioners. If a healthcare provider organisation inappropriately uploads a shared health summary, this is a breach of their registration conditions.”
The spokeswoman said a range of sanctions are available to the PCEHR system operator, “including suspending the registration of the organisation until it demonstrates that it complies with its obligations or cancelling the registration of the organisation”.
The DoH spokeswoman said the PCEHR system design was signed off by the NEHTA clinical safety unit, and that clinical software includes a screen prompt when a provider is uploading a shared health summary which refers to the relevant requirement.
This requirement is an obligation of a registered healthcare provider organisation rather than a technical restriction, she said.
In a clinical safety case report from NEHTA's clinical safety unit published in April 2012, the unit accepts there is a risk of unauthorised access to the PCEHR as authorisation is an organisational or practice responsibility.
“There is a risk that the PCEHR could be accessed inappropriately with the possibility of a PCEHR document being withdrawn or a new document posted, that may result in harm to an individual,” the report states.”
It recommended that organisations develop management protocols for access in accordance with Commonwealth and state legislation.
It also recommended that NEHTA “continue to work towards the adoption of individual certificate tokens to ensure high levels of assurance of the authors of clinical documents in consultation with the clinical community”.
In March 2011, NEHTA contracted IBM to develop the National Authentication Service for Health (NASH), which was intended to design provider-level authentication.
However, NEHTA terminated that contract in June 2012 and instead worked with the Department of Human Services/Medicare to deliver location certificates for PCEHR access, which they branded as NASH certificates to differentiate them from existing Medicare Online location certificates.
NEHTA has been contacted for a response.
This article has been updated to include comments from the Department of Health and some background on the NASH program.
Posted in Australian eHealth