Future of NEHTA and PCEHR still undecided

The federal government has not made a decision on funding the National E-Health Transition Authority (NEHTA) beyond the end of the financial year.

It is also still considering the governance arrangements for eHealth that were recommended by the Royle review into the PCEHR, with no word yet as to whether it will continue funding its operations beyond June 30.

Pulse+IT understands from two independent sources that NEHTA staff expect the agency will be closed from July 1 or its activities folded into a new organisation.

The office of the new Minister for Health, Sussan Ley, passed on questions about NEHTA's future to the Department of Health (DoH), which said no decision had been made by the government regarding its funding beyond June 30.

On the PCEHR, a DoH spokeswoman said, "there were recommendations regarding the future governance arrangements for eHealth included in the review of the PCEHR which are currently under consideration."

The Royle review was commissioned by the former minister for health, Peter Dutton, on November 3, 2013, with a direction to inquire into the level of use of the system and whether what had been promised had been delivered.

Mr Dutton requested that the review panel report back to him by mid-December 2013. Mr Dutton made a brief announcement that the review had been delivered on December 20, but it was not released publicly until May 19, 2014, a week after the federal budget.

That budget made provision for one extra year of funding for the operation of the PCEHR to the tune of $140 million, which also included the Commonwealth's share of funds for the operation of NEHTA for another year.

The Department of Health was then requested to run a series of consultation meetings facilitated by Deloitte in August and September 2014.

The former minister's office did not respond publicly to either the review or the consultation meetings, although Mr Dutton told a conference in May last year that he supported most of the recommendations from the PCEHR review, including the opt-out model. The review originally recommended that this be adopted from January 1 this year.

“I need to see whether there is community support for opt-out arrangements, and I sense that there is, and I think from there we can provide a response fairly quickly,” Mr Dutton said.

He said the funding for the PCEHR and NEHTA for a further year would give the government time to make changes to the operation of the system, but also admitted there were contractual obligations with private sector partners that meant there would be a cost to government if the system was shut down.

“[The $140m] is essentially providing certainty around the funding arrangements now and then we will allocate money in a contingency reserve and look at next year's budget to see if the funding will be ongoing,” he said.

“We have allowed ourselves this financial year with the additional funding because there are recommendations around structural change in relation to NEHTA and in relation to other aspects of the governance arrangements … so I’m hoping that from there we can respond quickly and in the next few months I’m hoping that we will have a better map going forward in terms of what we have accepted by way of the recommendations.”

Mr Dutton was moved to the immigration portfolio in the December 21 cabinet reshuffle, with Sussan Ley promoted to the health ministry.

The development of technical standards and specifications for eHealth is also unclear. In addition to the indecision over NEHTA, Standards Australia last year decided to defer any unfinished work from the IT-014 technical committee's 2012-2014 work program.

New standards development for eHealth will now be required to go through Standards Australia's regular proposed projects process.

The Royle review recommended that a new Australian Commission for Electronic Health (AceH) be established to oversee governance and compliance with standards, which would report directly to the Council of Australian Governments' (COAG) Standing Council on Health (SCoH).

Posted in Australian eHealth

Comments   

# Terry Hannan 2015-02-12 12:58
As a voter, clinician, patient, health informatician what the government needs to VALIDATED input into the PCEHR as to its MAJOR failings and INABILITY now and in the future to meet the needs of the Australian health care delivery system.
It needs STRONG clinician, informatics,res earch, patient and administrative inputs that are BASED on current (and evolving) KNOWLEDGE on eHealth implementations.
There are MANY projects from around the world that meet many of the needs of health care and Australia is NOT unique in these needs.
We have a LOT of catching up to do.
We now have signficant research based organisations that can help in the national eHealth projects e.g ACHI. So ASK most of these organisations WANT to help.
# Ayse Ekinci 2015-02-12 13:49
Should the government also consider an opt-out model for GPs?
# Simon James 2015-02-12 13:58
Hi Ayse,

GPs don't work for the government and aren't getting paid by the government to use the PCEHR, so I'm not sure how you would opt them in en masse in the first place before then giving them the opportunity to opt out.

Cheers,
Simon
# Steve Wilson 2015-02-12 14:14
The Royle Review recommendation to shift to Opt-Out seems ill-advised. The PCEHR is an elaborate system designed over many years and subject to multiple Threat & Risk Assessments and Privacy Reviews. The backdrop to all PCEHR design and analysis is that the permissions model is Opt-In. The fact that patients need to make an informed decision to participate in an intrinsic privacy protection, and it is one of the built in mitigations to many security and privacy threats. This cannot be changed suddently without going back and revisiting all Threat & Risk Assessments and PIAs. We should expect significant design changes too.
Further, the authentication mechanism for PCEHR -- the DHS MyGov single factor Single Sign On system -- has a cloud hanging over it; see http://www.pulseitmagazine.com.au/index.php?option=com_content&view=article&id=1886:sleepwalking-into-catastrophe-with-mygov-and-the-pcehr. An Opt-Out PCEHR coupled with less than the very best logon technology leaves great numbers of people vulnerable to privacy breaches. There will be many people who have their medical records in a system they have never heard of, and who are vulnerable to ID theft or takeover.
Using a single factor authenticator to access personal health records is frankly reckless. At least with an Opt-In system, people who are alert to the dangers are safe by default.
# Terry Hannan 2015-02-12 14:39
The security and access issues are critical however if the system does not approriately and adequately support Clinical Decision Making it will not work. In the now and future CLINICIANS means ALL involved in health care from the doctors, nurses, pharmacists, allied health and the patients.
The literature abounds with successes and failures and we need to learn from both. IMHO the PCEHR-Australia n model-is unable to meet the health care delivery requirements.
# Ayse Ekinci 2015-02-12 15:00
Hi Simon,

I recently read the Royle review and was a little perplexed as how a consumer opt-out model could increase the usage of PCEHR without some dramatic intervention at the General Practice end.

I am genuinely interested in your 'readers' response.

Cheers
Ayse

PS: I acknowledge GPs do not work for the government, however, the government does compensate / provide "monetary incentives" to participating practices.

PPS: I do not necessarily support an opt-out model.
# Brendon Wickham 2015-02-12 15:11
@Steve MyGov introduced two-factor authentication a while ago. PulseIT reported on it here: http://www.pulseitmagazine.com.au/index.php?option=com_content&view=article&id=2232:dhs-adds-two-factor-authentication-to-mygov-website&catid=16:australian-ehealth&Itemid=328
# Simon James 2015-02-12 15:47
Quoting Ayse Ekinci:

I recently read the Royle review and was a little perplexed as how a consumer opt-out model could increase the usage of PCEHR without some dramatic intervention at the General Practice end.


The argument as I understand it is that if GPs had a reasonable amount of relevant, well organised data available to them in the PCEHR section of their clinical software, they would be more inclined to open it up and have a look, and compare with their own records for the patient. I think that's a reasonably fair argument but the adoption curve by GPs would still be pretty slow, I feel, owing to the frustrating time practices have experienced getting the system in place, and the ongoing attempts by the government to fix its budget woes by hammering the business side of general practice.

As it stands, the chance of a GP that's interested in accessing the PCEHR colliding with a patient that has (and knows they have) a PCEHR with useful information in it is pretty low, so ignoring all the other issues, an opt-out arrangement will only help adoption of the system, assuming the government concludes that is a desirable outcome (they haven't said anything definitive since the review was handed to them 14 months ago, so who knows!).

As far as a "dramatic intervention at the GP end"...

As always, the latest round of ePIP requirements for general practice were pretty poorly crafted, were delayed several times, and ultimately don't pay for outcomes. Perhaps a future ePIP revision will provide practices with an incentive to engage with the system (and hopefully with other more established and useful eHealth systems such as secure messaging), and payments for GPs on a per meaningful interaction basis with the PCEHR still haven't been tried...so it seems that everyone has had a chance to get their snouts in the PCEHR trough except the people upon whom the success of the system hinges upon. Go figure.
# Steve Wilson 2015-02-12 16:16
Quoting Brendon Wickham:
@Steve MyGov introduced two-factor authentication a while ago. PulseIT reported on it here: http://www.pulseitmagazine.com.au/index.php?option=com_content&view=article&id=2232:dhs-adds-two-factor-authentication-to-mygov-website&catid=16:australian-ehealth&Itemid=328


Sending SMS codes as a second factor has been deprecated by the telecomms industry itself; see http://www.itnews.com.au/News/322194,telcos-declare-sms-unsafe-for-bank-transactions.aspx. Phone porting is too easy. But if you're the victim of such scams with Internet banking, you get your money back. With EHR the stakes are higher and identity theft recovery is nearly impossible. You can't get your medical records confidentiality back once it's breached.
Note too that banks are much better placed to detect fraud in progress by business intelligence systems making use of decades of patterns and a very tight set of transaction parameters. The risk profile is different for health, and the anti-fraud tools are so immature, which is partly why Opt-In is so important. We shouldn't be simply aping tired old banking logon technology; we should be doing something new and innovative, A few years ago, Nicola Roxon got on the right track with the idea of using a smart Medicare card for holding the IHI. A smartcard (or phone) plus digital signature technology in something like the FIDO Alliance protocols, would be much better way of securing patient access.
# Ayse Ekinci 2015-02-13 14:13
Quoting Steve Wilson:
Quoting Brendon Wickham:
@Steve MyGov introduced two-factor authentication a while ago. PulseIT reported on it here: http://www.pulseitmagazine.com.au/index.php?option=com_content&view=article&id=2232:dhs-adds-two-factor-authentication-to-mygov-website&catid=16:australian-ehealth&Itemid=328


Sending SMS codes as a second factor has been deprecated by the telecomms industry itself; see http://www.itnews.com.au/News/322194,telcos-declare-sms-unsafe-for-bank-transactions.aspx. Phone porting is too easy. But if you're the victim of such scams with Internet banking, you get your money back. With EHR the stakes are higher and identity theft recovery is nearly impossible. You can't get your medical records confidentiality back once it's breached.
Note too that banks are much better placed to detect fraud in progress by business intelligence systems making use of decades of patterns and a very tight set of transaction parameters. The risk profile is different for health, and the anti-fraud tools are so immature, which is partly why Opt-In is so important. We shouldn't be simply aping tired old banking logon technology; we should be doing something new and innovative, A few years ago, Nicola Roxon got on the right track with the idea of using a smart Medicare card for holding the IHI. A smartcard (or phone) plus digital signature technology in something like the FIDO Alliance protocols, would be much better way of securing patient access.


Agree and the following article (one of many) is a timely piece on why the need for strong controls

Healthcare data and data breaches: A second opinion:
http://www.cso.com.au/article/566179/healthcare-data-data-breaches-second-opinion/

Bearing in mind that threats not only include your run of the mill 'hackers' but also insiders and legal entities, the article is very tame on the potential consequences of a breach. The stats however are sobering:

According to the Identity Theft Research Center 2013 report, the healthcare sector accounts for more than 44 percent of reported major data breaches -- higher than the business sector, which accounts for about 32 percent.

Please note, the report was last updated on 5/2/2015

Ayse
# Taras 2015-02-14 15:05
I agree with Terry Hannan's comments 2015-2-12 regarding validated and accurate input of data. A consultation involves a fine balance between a patient's medical concerns, making an accurate record of the consultation and the requirements of updating 3rd party records. In addition, the 3rd party record includes information from 4th parties and can be altered by the patient. As a society we are not prepared to pay for the basic consultation. How can we afford the more challenging PCEHR?
Why can't we give patients a copy of their past medical history, medications and allergies whether on a paper copy or electronically and they can be responsible for this information.

Taras

You need to log in to post comments. If you don't have a Pulse+IT website account, click here to subscribe.

Sign up for Pulse+IT eNewsletters

Sign up for Pulse+IT website access

For more information, click here.

Copyright © 2017 Pulse+IT Magazine
No content published on this website can be reproduced by any person for any reason without the prior written permission of the publisher.