PCEHR data will be safe: NEHTA
The National E-Health Transition Authority (NEHTA) has moved to allay fears over the security of the PCEHR system and who has access to personal health information.
Addressing the joint select committee on cybersafety for senior Australians in Sydney on March 23, NEHTA's head of architecture David Bunker said that in the design and development of its eHealth systems, NEHTA is implementing risk controls to safeguard both services and those who will be using them.
Mr Bunker told the committee that NEHTA had developed a National eHealth Security and Access Framework (NeSAF) to support both public and private organisations in national eHealth.
“The framework encourages business to adopt a consistent approach to the application of health information security standards and provides better practice guidance in relation to eHealth-specific security and access practices,” Mr Bunker said.
“The PCEHR system will also support the receipt, tracking, management and escalation of enquiries and complaints.
“Individuals who are unhappy with the way their health information is being handled will have the ability to make a complaint to the PCEHR system operator and if they are not satisfied with the response they may escalate their complaint to a range of regulators including the Australian Information Commissioner and state or territory privacy or health service regulators where relevant.”
NEHTA national clinical lead Mukesh Haikerwal said the PCEHR would be more secure than the current process, in which paper and electronic health records are typically unsecured.
Asked by committee member Graham Perrett if the current system was rather ad hoc with healthcare providers transferring records by hand, Dr Haikerwal agreed.
“Where we are going is from an ad hoc world to a much more coordinated world where we've got information flow at the right time, not when it happens to turn up,” Dr Haikerwal said.
“From a security point of view, we are going from a system where nobody knows who is looking at the record in a general practice or hospital or wherever to one where we know if someone has been there.
“We've seen cases in Melbourne where footballers' records have been found so that sort of thing happens today. But in the electronic world only those people with the right levels of authority can get into the system, use the system and look at a patient's record, and the next piece of the work is that they need the patient's permission to access that.”
Committee chair Catryna Bilyk said she was concerned that while a complaints process was being developed, “if there is a need for a complaint it is probably all a bit too late”.
Mr Bunker explained the encryption and digital signature elements of the PCEHR and said there were technology options available to manage intrusion detection so that inappropriate interactions were monitored.
“We will be deploying a range of technologies to assist us in those processes to be able to understand where inappropriate access is occurring, where we can identify that and ensure we have good auditing and evidence trails to ensure investigations where there is a breach or when someone suspects a breach, we can manage that,” he said.
He said he understood that the federal and state governments were developing proposals for a single entry point for PCEHR privacy complaints.
“The PCEHR operator will provide the enquiries and complaints mechanism and there is an expectation that there is a mechanism that a single entry point be developed,” he said.
He said NEHTA had been “blessed” as an organisation with a number of world-class experts in the field of both security and clinical informatics.
“We have a number of people in our organisations who are literally world-class experts and sit on various organisations internationally around standards development both from a security point of view and from a clinical terminology perspective.”
Asked about recent calls for the introduction of the PCEHR to be delayed for a year after its proposed start date of July 1, 2012, Mr Bunker referred the question to the federal government.
He said that from NEHTA's perspective, “at the moment our project is on plan and we are expecting to have the capabilities that have been declared in terms of the PCEHR for day one. Other concerns about the process are probably best addressed by the Commonwealth.”
Mr Bunker took on notice a question from committee member Nola Marino about exactly how many general practices in Australia had the technology and capability to “rock and roll” on the PCEHR.