OVERVIEW OF THE PROPOSED AUSTRALIAN HEALTH COMMUNICATIONS NETWORK (HCN)
Simon G Davies [1]
January 1993
An assessment of the HCN proposal based on interviews with government officials, medical professionals and health planners, and on the following documents:
(1) "The Compelling Case", Joint Federal/State Steering Committee for health information management and technology, February 1992
(2) Consultancy Brief, Health Communications Network and agency business case, May 1992
(3) National Health Information Systems and Technology Strategy: workshop held at the Sebel Townhouse, Sydney, December 16-18 1991, Summary document
(4) Standards Australia: Draft Australian Standard for (a) health informatics, (b) patient held medical record cards, and (c) security of patient clinical data in electronic clinical information systems (DR 92 123 to DR 92 125 : X), 16 July 1992
SUMMARY
The Commonwealth Government has embarked on an ambitious project to create a fully integrated, national electronic health network. The project is a joint federal/state initiative, with the majority of funding coming from the private sector. [2]
The project, called the Australian Health Communications Network (HCN), involves five components:
1. The development of national standards in:
(i) health data communications,
(ii) medical nomenclature,
(iii) workplace standards and practices [3]
2. The creation of a national communications infrastructure that will connect to 45,000 health care providers, government bodies, research organisations, hospitals, and insurers. [4]
3. The development of terminals and facilities throughout the health sector to allow the free flow of data from any point in the health system to any other point. [5]
4. The computerisation of twenty million patient records [6]
5. The establishment of a high integrity card, in all probability a smart card or "patient held medical record", to act as a "key" for the operation of the information network. [7]
Estimates of the cost of the system vary, but consultants to the federal government have informally put the cost at 5 per cent of the annual health outlay, i.e. 1.5 billion dollars. The Federal Government sees its role as providing seeding money and other support, but the main investment would be private. [8]
The project planners hope to capture some of the current investment in the telecommunications infrastructure, and thus anticipate investment in the system from telecommunications carriers. [9]
GENESIS OF THE PROJECT
A number of government and academic reports have been issued over the past five years calling for the development of "patient centred" medical records. These records would involve a fundamental shift in record administration from a physical base (recording the patient contacts at a particular location) to a patient based model, in which the record would involve all movements of and contact with a particular patient, wherever that patient moved. The claim made by health planners was that such a change to record administration would create numerous improvements in health efficiency.
In late 1991, senior officers of the Department of Health, Housing and Community Services decided to explore the concept further. A team of consultants was engaged to develop a proposal. A joint federal and state steering committee was formed to take the scheme to the next stage, and the proposal was then discussed and approved in April 1992, by the National Health Ministers Conference. The ministers agreed to endorse the formation of a business plan for the creation of the scheme, in which government and private organisations would be joint partners.
A document outlining the strategy was circulated by the steering committee on a restricted basis. It advised "We have let a thousand flowers bloom; now we must also plant and nurture an acorn". [10]
The project has received financial support through the Australian Health Ministers' Conference, [11] and a sum of seven million dollars has been set aside over the coming two years for the development of a business plan and strategy. [12] Draft national standards for smart cards and related health information systems have already been circulated. [13]
There appears to be no cost/benefit analysis or polling report to justify the feasibility of, or likely support for, the proposal.
Reaction to the proposal amongst doctors has, generally, been negative. The medical profession is moving steadily to oppose the plan. The ACT and Victorian Branch Councils of the AMA, for example, moved unanimously to oppose the proposal, saying they were gravely concerned by the plan. The Victorian AMA moved in October 1992:
The Australian Medical Association expresses grave concerns about the planning, lack of consultation and the implications for privacy and freedom for all Australians of a Universal Health Computer System.
If any such system were to be contemplated, then a Senate Committee should be established for the express purpose of fully investigating all the ramifications of a Universal Health Computer System.
Privacy, civil liberties and AIDS organisations have also expressed concern at the HCN proposal. The British Medical Association has also voiced opposition to a similar plan in the United Kingdom: "The Health Information Strategy". [14]
RATIONALE
The proposal is purportedly based on the pursuit of improvements in health care efficiency, and "better patient care". The Federal Government has expressed a belief that the path to these reforms lies through the efficient collection and use of health information. Currently, the health sector contains a vast amount of data, much of which cannot be accessed throughout the system, or can be accessed only after technological barriers have been overcome. "This often results in information users, including health care consumers, receiving information which is late, of poor quality, and of sometimes questionable accuracy. All this carries a cost - in terms of potentially compromised patient care, waste of human resources, poor planning and the like." [15]
The Government has identified several features of the current health care environment which it believes compromise the aims of efficient health management:
• The health system is focussed more on administrative requirements rather than being client focussed;
• The flow of information within the health system is complex and incomplete, and information flow between sectors is generally poor;
• Although a huge volume of data exists within the health system, there is very little sharing of relevant information (i.e. data relevant to a particular situation);
• Consumers and the general public are able to access only a limited spectrum of information about health services, statistics and so on;
• Although substantial investments for information technology are underway, there is no cohesive vision for this technology. [16]
The joint Commonwealth State Working Party for Health Information Management and Technology responsible for the development of the project cited examples of extreme delays in the receipt of test results, duplication of tests, lack of important medical information in emergencies, and high administrative costs related to locating or duplicating patient information. [17]
In 1991, the Commonwealth Department of Health, Housing and Community Services sponsored a three day meeting of leading health planners and researchers to examine current health infrastructures, and recommend alternative solutions. The conference of 48 delegates reached general agreement that the current health system lacked efficiency of information flow, and that the entire basis of information keeping should shift to a "client centred" approach, instead of an institution centred system. Currently, patient information is fragmented, and remains at the point of collection. A client centred system would follow the patient wherever the health transaction occurred, thus maintaining a complete record of health data. [18]
By all accounts, the atmosphere of the conference was upbeat and hopeful. The attitude towards Information Technology (IT) was extremely positive, but there was no serious attempt to evaluate the downside or risks associated with a far more extensive use of computer technology in the health industry. Most of the participants were government or quasi-government experts, and no evaluation was made of the risks of the system being abused by government, or whether the system might be subject to extension beyond the health system. [19]
The conference was aware of the difficulties which would be experienced in selling the strategy, which, senior participants said, would involve a 'paradigm shift', both to health providers (doctors, specialists etc) and to the general public. However, in what could be regarded as a poignant insight into the minds of the planners, one organiser remarked:
"We have to plot and plan - we must identify the enemies, and suborn them, buy them off and knock them aside to get this through..." [20]
The proponents of this scheme do not see their proposal as part of a conspiracy. On the contrary, they see it as entirely logical that computer technology should be used for legitimate purposes within the health system. The problem in the view of privacy advocates and other concerned on-lookers is that people's minds become captive to the technological dream, and they do not seriously believe that it will create any problems which knob twiddling or more technology cannot solve.
OVERVIEW OF PRIVACY PROBLEMS ARISING FROM THE PROPOSAL
There exist a number of grave privacy problems with the proposal. In effect, the HCN system entails the establishment of a repository of millions of patient files. While there appears to be no single central database, as such, the distributed system provides the same features as a central storage and recovery system. This database will contain complete medical histories and profiles. As the project is envisioned as a private sector venture, it will not be covered by privacy law. The planners of the HCN predict its use for large scale epidemiological projects. [21]
If the plan proceeds to the stage of development of a smart card, a range of other concerns will surface. First, the data held on smart cards must be backed up in a series of "data repositories". [22] These, as has been mentioned above, would be distributed rather than centralised, but would be linked in all probability through a common numbering system. [23] Any additional security of information held on the card itself would be well and truly outweighed by the added vulnerability of the personal information held elsewhere on the system.
THE PLANNING PROCESS
The Federal Government appears to have chosen a closed planning approach in the development of the HCN. An elite group of health planners and systems consultants has been responsible for development of the proposal from the outset. A workshop held in December 1991 in Sydney and hosted by the Department of Health brought together a wider spectrum of participants, although this group was almost exclusively from the health planning arena. No consumer, community, privacy or media representatives were present. No AMA involvement was sought for the workshop.
In Senate Estimates Committee E in September, officers of the Department of Health advised "to the Department's knowledge, there are no confidential papers (relating to the HCN)". According to the department's evidence all documents were in the public domain.
The evidence at hand is at odds with this claim. Documents began leaking from the Government's Steering Committee in late June 1992. Until then, requests for documentation were denied. Only one document was allowed into the public domain, and this was a brief summary of the December planning seminar held in Sydney. One senior ANU academic investigating the proposal in July 1992 was told by officers of the Department of Health that no other document was available for release. The closed nature of the HCN project has been a feature of its development from the outset. There has been no consultation with consumer or civil liberties groups, and only limited contact with the medical profession. Only in the last three months of 1992 did the Department consult with the AMA. The general public has had no involvement. To the best of my knowledge, no press release has been issued prior to the entry in the second half of 1992 of the Australian Doctors Fund as critics of the proposal.
KEY PRIVACY ISSUES ARISING FROM THE PROPOSAL
The HCN entails several major privacy and privacy related risks.
Security of information. Despite claims by the planners of the HCN that their system will be secure from unauthorised access or hacking, there is a likelihood that such violations will occur. The revelations of the Independent Commission Against Corruption in NSW in 1992 [24] showed that corruption amongst information users inside and outside the government had become endemic and epidemic. Virtually all instances of privacy violation related to computer records. The planners of the HCN system have admitted that security will be a compromise between privacy and efficiency. The executive summary of a draft national standard on health information security [25] talks of a "trade off" between the interests of confidentiality, and the ease of access to patient information. This "Zero sum" approach to privacy protection is unacceptable. Privacy and security are not issues that can be resolved through a mathematical cancellation. The security of patient information cannot be traded off merely because computer systems offer the potential to reduce administrative costs.
Access to patient information. Planners of the HCN insist that only "authorised" people will have access to patient medical information. However, there is a serious concern about the use of the word "authorised" in connection with information systems such as the HCN. Authorised persons might include people who doctors would regard as a threat to privacy (such as would be the case if government officials, insurance companies or other non-medical people had access to personal data stored in electronic systems). There appears to be a likelihood that a large number of non-medical people will be authorised to access the HCN system.
Function Creep. The history of major information systems in Australia is that they are ultimately used for unintended purposes. The most well known example of function creep is the Tax File Number. Despite a government promise that the Tax File Number would remain the exclusive domain of the Tax Office, the system has been extended progressively to include such facets as unemployment benefits, pensioner benefits, and the Higher Education Contribution Scheme. The Law Enforcement Access Network (LEAN), a federal/state law enforcement database system, has also experienced a massive escalation in growth of users since it was proposed in 1990. There is a very serious risk that the HCN could mutate into a form far different from anything currently being planned. The mere existence of a multi-purpose system of this magnitude will create irresistible opportunities to collect vast amounts of personal information.
Interference between doctor and patient. Many doctors have a concern that the imposition of information technology in the practice environment will produce a tension in the relationship between doctor and patient. Concern amongst patients about the negative aspects of computer technology, together with the appearance of a "dehumanising" effect, might lead to a reluctance by patients to be open with their doctor.
The threat of data matching. The information stored in the Health Communications Network may eventually be automatically matched against other files held by government departments and files on the private sector. A great many databases are currently being linked in this way, and it is only a matter of time before such a link is proposed for health records. More than forty major data matching programs are currently under way, many of which involve employers, banks, insurance companies and government departments.
Dangers of the smart card. There is a strong likelihood, as stipulated in The Compelling Case, that a smart card will act as a key to the HCN. If this is the case, a number of concerns arise over the nature of information on the card, and the uses to which that information may be put. Other concerns that have been raised, both about the smart card and about the HCN in general, are:
* That the system will vastly increase the power and scope of the Health Insurance Commission and other government agencies
* That policy changes may be "technology driven" and will occur increasingly through the will of bureaucrats, rather than through law or pragmatic development through the medical profession
* That, contrary to claims by the HIC, the HCN will undermine medical confidentiality as well as creating major privacy problems
* That practitioners will be directly liable for the maintenance and integrity of health information on the smart card
* That major administrative problems will arise because of lost, stolen or damaged cards (estimated at up to several hundred thousand per year)
* That practitioners will be liable for enforcement of identification procedures
* That the programmes embraced by the card system will require an increasing volume of medical information to be entered by the practitioner
* That the Smart Card will be developed as a high integrity document, and could thus be a fore-runner of a universal multi-purpose Identity card.
PRIVACY AND SECURITY
One of the major concerns from a privacy perspective in the HCN proposal is the apparent confusion amongst planners over the definitions of privacy and data security. Security of personal information is a very small sub-set of privacy, yet this basic principle appears to have been overlooked in the documents for the HCN. Data security is seen as being the same as privacy.
There is a view amongst privacy advocates that there has been a deliberate perversion of the definition of privacy by many proponents of medical information systems and smart card technology. The term "privacy/security" has been coined as a device to imply that privacy is interchangeable with security. This is an absurd notion. Fifteen years ago the architects of systems could be forgiven for such an implication on the basis of ignorance. There are grounds to believe that is a deliberate misinterpretation of the nature of privacy. It is a use, I believe, deliberately intended to confuse and even undermine the privacy interest.
Privacy is not the same as security. Far from it. Privacy relates to the manner, purpose and use of data. Privacy is concerned with the way information is collected, the uses to which it is put, the relationship between the information user and the information subject, and the overall informational environment created by all this movement. Security, on the other hand, is not concerned with these larger concepts. Security is a narrow discipline, seeking to merely draw boundaries around access to information. Security is a fraction of privacy - perhaps a tenth of it. While the distinction is unclear in the minds of bureaucrats and politicians, there is a very real risk that large computer systems will be used for purposes that are essentially privacy invasive.
WILL THE COMMONWEALTH PRIVACY ACT PROVIDE ANY PROTECTION?
In theory, at least, the safety valve against the creation of an intrusive national surveillance system rests with the Privacy Act. This piece of legislation, proclaimed in 1988, was intended to cover Federal Government agencies and departments, including Telecom (which has since then dropped out of the Act because of corporatisation). The law was extended in 1991 in the wake of controversy over plans by the finance industry to increase the surveillance capability of credit reporting agencies. The Privacy Act now gives protection in that area. It appears unlikely, however, that the Act will be extended in the foreseeable future to other private sector areas.
Overall, therefore, the Commonwealth Privacy Act is an extremely limited law. It does not give protection against privacy invasion by state governments, the private sector, banking, telecommunications or the insurance industry. Nor does it cover privacy issues relating to any of the professions. It is highly unlikely that the Act would cover the HCN if the network was in private hands.
Contrary to popular wisdom, the Privacy Act actually allows a great many privacy violations to occur in its name. The most well known of these violations relates to the recent extensions of the Tax File Number. Despite a government promise that the Tax File Number would remain the exclusive domain of the Tax Office, the system has been extended progressively to include such facets as unemployment benefits, pensioner benefits, and the Higher Education Contribution Scheme. The Privacy Act or the Privacy Commissioner can do nothing to prevent such extensions. If a scheme has been established to assist law enforcement or to pursue public revenue collection, the Act has only a limited application.
The Privacy Act stipulates in Principles 10 and 11 that information collected for one purpose should not be used or disclosed for any other purpose. Then the Act goes on to say that purposes related to law enforcement or revenue protection (the Tax Office) may ignore those principles. Since just about every government scheme is aimed at strengthening law enforcement or revenue, it makes something of a mockery of legislative privacy protection.
Perhaps the gravest limitation of the Privacy Act is that it does next to nothing to prevent or limit the collection of information. The Act merely stipulates that information has to be collected by lawful means and for a purpose "directly related to a function or activity of the collector". Thus, a virtually unlimited number of information systems can be established without any breach of the Privacy Act.
The problem of impotence of the Privacy Act is likely to extend to the Privacy Commissioner. In 1990, the Commissioner stated before a Senate Committee that his functions did not include commenting on the privacy implications of government proposals. His role was slightly widened the following year, but, with only rare exceptions, the Commissioner continues to avoid publicly commenting on the privacy implications of government proposals. [26] This is despite the fact that the Act now allows him "to examine (with or without a request from a Minister) a proposed enactment that would require or authorise acts or practices of an agency that might, in the absence of the enactment, be interferences with the privacy of individuals or which may otherwise have any adverse effects on the privacy of individuals and to ensure that any adverse effects of such proposed enactment on the privacy of individuals are minimised".
A growing number of privacy advocates are coming to the conclusion that the government is using the existence of the Privacy Commissioner's Office to legitimate privacy invasion. [27] [28] The often heard claims by government ministers that they have "consulted with" the Commissioner are deceptive. The Commissioner usually does not have power to stop the government from carrying out its intentions. [29] Planners of the HCN have also claimed that they have "consulted with" the Commissioner - a claim denied by the Commissioner's office.
IMPLEMENTATION AND TIMING
The Compelling Case describes (p. 49) the ultimate goal by the year 2000 of realigning the scope of health. The HCN will play an integral role in this process. The Government hopes to have the HCN fully operational within five years, with infrastructure development commencing in 1993. [30] Other stages in the development of the HCN are:
July 1994    Full HCN charging and costing
Nov 1994     HCN operates as a licenced service provider under the Telecommunications Act
July 1996    Export development begins
UNANSWERED QUESTIONS ABOUT THE HCN
The Federal Government clearly sees the HCN as the best way to harmonise and streamline health administration. Bureaucrats and politicians find the HCN attractive because it increases their scope for policy control. The idea can easily be sold to an unwitting public who may readily come to believe that it will give them more say and more control in their dealings with the health sector. The media, believing these things and failing to investigate, may conclude that the system is in the public interest. So far as the media is concerned, the HCN may be the simple answer everyone has been looking for. Indeed the media's role in this proposal will be crucial, and the government is likely to capitalise on the complete inability of most media organs to independently evaluate these complex proposals.
There is a very significant question that looms over the method by which patient information will be backed up. Supporters of the proposal say that the back-up will occur in two locations. One is the computer of the last doctor seen by the patient. The second is a "decentralised" database run by a private company. In the modern context, the term "decentralised" is irrelevant. The effect of several databases in different parts of the country all communicating with one another will be effectively the same as one central database. The emergence of this central repository of personal medical information raises a great many concerns.
There are six major areas of concern that arise from the proposal to introduce a health network. Any high integrity card system operating as the key to the system is likely to suffer major technical and human dilemmas, and the impact of these flaws will be felt most obviously at the front line (i.e. the doctors). Patients will respond in a variety of ways to this transfer of information. Some will resent or fear it, and thus try to pass responsibility back to the practitioner. Others will exploit their new rights, constantly ordering costly and lengthy reconfigurations of the card system.
Perhaps more important, the HCN will be dependent on the correct functioning of the hardware and software on the network. If any link in the chain breaks down (the card, the doctor's machinery, the communications links or the back-up systems) the whole mechanism grinds to a halt and health transactions simply cannot occur.
There are, first and foremost, questions that surround the use and purposes of the card and the system itself. Will the HCN be used for medical purposes only, or will it have general use within the broader sphere of health care (psychologists, therapists, counsellors etc)? Will the system ultimately be used in connection with external sectors such as banking or benefits? Will the HCN and any card associated with it be compulsory, or will patients and doctors be allowed to opt for the existing manual system without penalty? To what extent will doctors become police officers for the government - obliged by law to report abuses of the system, false information on the card, or fraudulent use of the card?
We then have to ask ourselves what sort of information may be stored on the HCN. Will it be exclusive health information, or will it go beyond the health sphere? We also have to ask how the information will be protected. Will this entail a series of mainframe computers? If so, how will this database be used, who can have access to it, and for what purposes?
There are also a number of very important issues relating to the Doctor/patient relationship. To what extent, for example, will a computer system failure or a card error paralyse the consultation? Will some patients with lost, damaged or corrupted cards refrain from using health services?
[1] Honorary Associate, School of Law, University of New South Wales; Consultant, Australian Doctors' Fund
[2] Commonwealth Government, "Health Care for all Australians", Budget related paper no. 8, p. 15
[3] Joint Federal/state steering committee for health information management and technology; National Health Information and Technology Strategy. "The Compelling Case", February 1992. p. 86
[4] ibid p. 100.
[5] Consultancy Brief; Health Communication Network and Agency Business Case, AHMC Joint Commonwealth/state working party for health information management and technology, May 1992. attachment "A" p. 4.
[6] "The Compelling Case" p. 100.
[7] "The Compelling Case" pp. 101, 102
[8] The Compelling Case, p. 28
[9] ibid p. 133
[10] Joint federal/state Steering Committee for Health Information Management and Technology, "The Compelling Case", February 1992
[11] Consultancy Brief, May 1992, p. 1
[12] Commonwealth Government, Budget Statements, 1992-93, budget paper no. 1, p. 3.58
[13] Standards Australia; Draft Australian standards 92123 (Standards in Health Informatics), 92124 (patient held medical record cards) and 92125 : X (Security of patient clinical data in electronic clinical information systems). July 1992
[14] The Times, London, December 11, 1992 p. 31
[15] National Health Information and Technology Strategy. Summary paper of workshop held at the Sebel Town House, Sydney, December 16-18, 1991,
[16] The Compelling Case pp. 12, 13
[17] Consultancy brief p. 3
[18] Workshop summary document
[19] ibid
[20] Remarks made in the summing-up remarks of the conference
[21] The Compelling Case pp 96 - 119.
[22] The Compelling Case, p. 32
[23] Health Issues in General Practice in Australia, Discussion paper number 2, National Centre for Epidemiology and Population Health, Australian National University, 1991, p. 36
[24] ICAC, Report on unauthorised release of government information, Vol 1-3, 1992 Sydney
[25] Standards Australia. Draft standard 92/125 : X, 1992
[26] Roger Clarke, The resistible rise of the national personal data system, Software Law Journal, Chicago, February 1992
[27] ibid
[28] Australian Privacy Foundation, submission to the House of Representatives Committee on Banking, Finance and Public Administration; Sub committee on fraud on the Commonwealth, 17 July 1992
[29] ibid p. 58
[30] The Compelling Case p. 111