The good, the bad and the PCEHR review

The belated release of the review into the PCEHR by the government this week has been lost somewhat in the more heated discussions over the federal budget, but the early signs are that many in the industry agree with the retention of the system for the foreseeable future and the overall thrust of the review panel's recommendations.

The possibility of making the system opt-out – one of the review's most important recommendations and one that Health Minister Peter Dutton said he strongly agrees with – generally received a positive reaction.

The Consumers Health Forum (CHF), which has long pushed for the opt-out option, said it agreed with the panel's call for a major revamp of the system, arguing that “the huge potential of eHealth to improve medical care for every Australian makes a vital advance” with the review.

“The new plan will inject fresh life into the eHealth project and we welcome the government’s positive response,” CHF CEO Adam Stankevicius said.

“The review has made the crunch call for the adoption of an opt-out provision which will make it automatic for all Australians to sign up unless they specifically refuse to join.

“The current 'opt-in' process has proved far too slow in building momentum for a scheme whose great value will be to provide better connected care for the vast majority of Australians."

Mr Stankevicius also welcomed the panel's recommendation that consumers retain control over the record, and the proposal that a document concealed by the patient would be flagged and only visible to the patient and the clinician who authored it.

Mr Stankevicius said the CHF also supports the recommendations that there be an education campaign on the opt-out plan for consumers and clinicians, the creation of the Australian Commission for Electronic Health (ACeH) in place of NEHTA, and the creation of a consumer advisory committee and consumer representation throughout the proposed new structure.

“However we are concerned to note that the review recommends that the System Operator responsibilities be simply transferred from the Department of Health to the Department of Human Services,” he said.

“CHF believes that this role would be best served by the appointment of a System Operator independent of government.”

The Australasian College of Health Informatics (ACHI) said the release of the report in addition to the budget announcement of continued PCEHR funding “provides greater clarity to the immediate future of the PCEHR”.

ACHI president Chris Pearce said the college believes that a move to opt-out, while preserving the existing patient controls, “would be a welcome move to increase adoption and enhance the usefulness of the PCEHR for patients, consumers and clinicians”.

However, Associate Professor Pearce said there remain two specific areas of concern to the college: the lack of a clear pathway to develop and implement clear coding standards for atomic data, and the lack of any clear structure devoted to clinical safety and minimising patient risk of harm through poor, missing, out of date or hard to find information.

"There are well developed systems for managing clinical safety in healthcare, and many examples of good governance of the special and very real risks associated with health IT in other nations," Associate Professor Pearce said.

"Australians using the [PCEHR] should do so knowing that it is a safe system.”

The college said that while the report emphasises useability and clinical workflows, it believes the benefits from having large amounts of information from discharge summaries, care plans and pathology will only come if the data is computer readable and therefore useable.

The Health Informatics Society of Australia (HISA) said that it welcomes the government’s commitment to shared electronic health records, agreeing that design and implementation challenges can be overcome with the right engagement of eHealth professionals.

“The report acknowledges the high priority to use professional associations and colleges in general, and health information professionals in particular, in the change management process,” HISA CEO Louise Schaper said.

“As Australia’s peak body in this field, our members are the e-Health and health informatics experts who are ready to play a greater role in implementation and engagement.”

Dr Schaper said that considering the money already spent on the PCEHR, HISA believes the much-needed productivity gains will only be realised by investing in people.

“We need to build our 500,000 health professionals into a powerfully skilled eHealth workforce,” she said.

Where the PCEHR and the review has failed

Consultant physician and University of Tasmania clinical associate professor Terry Hannan, who has a deep knowledge of electronic medical record implementations both here and overseas and who has been a fierce critic of the PCEHR, said one of the positives to come out of the review was the recommendation to change the consent model to opt-out from opt-in.

“As stated this will hopefully provide enhanced patient controls on the clinical information within the system,” Dr Hannan said. “Using ‘opt-out’ is consistent with documented international models of eHealth adoption.

“This functionality also facilitates a more appropriate representation of the national patient database and thus providing more accurate data for measuring healthcare. Those choosing to “opt-out’ must accept the failings of any non-eHealth based system.”

However, Dr Hannan said there were a number of areas of concern. The figures in the report showing levels of PCEHR uptake, documents loaded and views of the system by consumers and providers “tell a disturbing observation,” he said.

“Despite the rise in 'documents stored' the 'need to access and view them' would seem to be poor to say the least,” he said. “This strongly indicates that the stored documents do not readily support clinical decision making through effective information management. They are not formulated out of granular or atomic data.

“These graphic displays show distinct similarities with the pattern of the Gartner Hype Cycle and would fit with this cycle’s 'trough of disillusionment', characterising a poorly designed ‘technology’.”

Dr Hannan said the quotation from the University of NSW's Enrico Coiera was pertinent. Professor Coiera was quoted in the document as saying that “The PCEHR like any healthcare technology may do good or harm. Correct information at a crucial moment may improve care. Misleading, missing or incorrect information may lead to mistakes and harm. There is clear evidence nationally and internationally that health IT can cause such harm.”

Dr Hannan said that when a complex technology such as the PCEHR is “imposed” upon a highly independent, functionally resistant profession such as clinicians, “then failure is almost guaranteed”.

“There is much international evidence for this,” he said. “Professors Paul Biondich and Burke Mamlin of the Regenstrief Institute ... defined the design goals for complex eHealth systems.

“These goals must involve collaboration across the whole healthcare system. The system must be scalable to manage millions of patients and their data. It must have flexibility to meet the different care environment needs and this requires the ability to have rapid form design for [computerised physician order entry].

“To achieve this it must use standardised data elements and codes, which also facilitates high quality research. The system must preferably be open source and free and be sustained by continuous and intermittent web-based connectivity.

“Despite all these requirements the authors state the most critical requirement is that the system must be clinically useful and if not, it will not be used.

“I believe this review document and the PCEHR model fails to meet this final requirement.”

Security not good enough for opt-out

While many have welcomed the opt-out recommendation, some in the security industry are not so sure. The recent discovery of very serious – and fundamental – security flaws with the myGov website, which consumers must use to access the PCEHR, has horrified many security experts.

Steve Wilson, vice-president and principal analyst at Constellation Research, said that in his view, an opt-out PCEHR “is simply unconscionable”.

“We have not worked out to protect credit card numbers yet; there is no way can we protect EHRs on a population scale,” Mr Wilson said.

“The eHealth operator owes it to the patients to design and install unimpeachable security systems, but I don't see evidence of this.”

He said the weaknesses found in the myGov website are “excruciating” and it appears to be a trivial exercise for a determined attacker to circumvent the myGov log-on.

“Further, we have a sorry history of PCEHR security mistakes,” he said. “I have never got over the fact that on at least two occasions, dispensing records were uploaded to the wrong patient's record for an unrelated individual.

“The fact that such an error was possible reflects very poorly on the security basics. The threat and risk assessment should have picked up that scenario. Part of the problem appears to be that the IHI is not used in community pharmacy. If no, why not? This a stark system failure.”

Mr Wilson said he is a firm supporter of electronic health records in general, and that in acute settings and with dedicated databases, the clinical benefits outweigh the IT risks.

“But for large scale, joined-up records, where the clinical intensity is lower on average, the risks are swapped around,” he said. “A malicious attack is inevitable; the defences appear to be ill thought through; and the privacy damages are probably irrecoverable. Unlike money, you cannot get your stolen healthcare secrets back.

“I don't see that the PCEHR is anywhere near what I would call opt-out grade.”

Mr Wilson also criticised the review panel's venture into making privacy policy, saying it was mystifying that the review would do so without examining the implicit assumptions about security.

“In my opinion you cannot make far-reaching public health policy based on optimism about security; in fact we have to assume pessimistically that systems are flawed before we make policy like opt-out,” he said.

“You have to assume the security is imperfect and then adopt real world privacy policies.”

This story will be updated with more reactions from the industry. As Pulse+IT's commenting system is currently offline, please email any comments through to This email address is being protected from spambots. You need JavaScript enabled to view it..

Posted in Australian eHealth

You need to log in to post comments. If you don't have a Pulse+IT website account, click here to subscribe.

Sign up for Pulse+IT eNewsletters

Sign up for Pulse+IT website access

For more information, click here.

Copyright © 2017 Pulse+IT Magazine
No content published on this website can be reproduced by any person for any reason without the prior written permission of the publisher.