The PCEHR Review

The Federal Government requested a review of the PCEHR last year. It was completed in December and has just been released to the public. This is the report.

I posted a couple of comments on Dr David More’s blog. My first comment:

Recommendation 17: Clarify that the MyHR is a supplementary source of information that may, but does not always need to be, used by clinicians in caring for their patients.

This has two parts. The first is a statement that the MyHR/PCEHR is a supplementary source of information. The second is that this should be “clarified”.

$1 billion is a lot of money to spend on a secondary source of information. Given that the recommendation recognises that clinicians need/may not use the information in it, how about someone does a study to find out if this massive and costly imposition will actually deliver value? Recommendation 21 seems to assume that it will.

My second comment:

Towards the back of the document is Addendum 3 “Key Themes from stakeholder feedback in detail.”

On page 88 is section 15 Legal /Liability. It is a set of 24 bullet points taken from various submissions on legal and liability risks and issues.

These seem to have been summarised into one of the “Key Concerns From The Submissions” – #4 “Value proposition for users if data sets are unreliable or incomplete, and the liability and indemnity that flows from this”.

This Key Concern (which doesn’t seem to address all the Key Themes under Legal / Liability) appears to be dealt with by recommendation 6, “Establish a Privacy and Security Committee to ACeH”, and recommendation 16, “Commission an Information Security Risk Assessment of the end-to-end flow of consumer information to and from the MyHR platform. Findings and mitigation actions to be reviewed and agreed by the Privacy and Security Committee”.

This is an attempt to address some of the legal/liability issues but IMHO, such issues are not all matters of privacy or security.

On pages 30/31 is an interesting couple of paragraphs.

“In order to understand and to mitigate the risk of interacting with the MyHR clinicians need to be reminded that they are not legally compelled to open and use the MyHR. Clinicians need to be confident that they will be meeting the appropriate professional standard if they make decisions, in good faith, based on information in the MyHR even if they turn out to be incorrect because a patient has removed or restricted access to data. As with other forms of clinical information clinicians are expected to meet appropriate professional standards when interacting with the MyHR, but that is unlikely to extend to opening each and every document for every patient. MyHR clinical interface needs to be designed to present clinicians with easy access to important data that is relevant to the care being provided at the time rather than endless list of documents. Opening of a record in error or uploading a document in error if done in good faith should not result in sanction.

Use and adoption by the profession should be surveyed and reported by the Privacy and Security Committee so that practitioners are kept abreast of peer professional opinion in relation to participation in the MyHR. This should extend to beyond merely signing up for use but be measured by actual use.

The security and use of important and private consumer information is important to review and understand from an end-to-end process of how customer information is supplied to MyHR (ie: via Clinical Information Systems and other integrated software as part of standard workflow events) and also how information is obtained from MyHR and stored in interfacing systems. Compensating controls, standards and compliance requirements are mitigations that may be required to be implemented to deal with ensuring the ongoing confidence in the platform and how customer’s information is protected. The Privacy and Security Committee will have ongoing responsibility for the development, and regular review of an Information Security Risk Assessment.”

The reviewers seem to have recognised that there are outstanding legal and liability issues but their proposal that they be identified, addressed and managed by the Privacy and Security Committee is IMHO totally wrong.

And unless the legal and liability issues are properly dealt with, and dealt with first, the system will be of no use to anyone.
