Health On-Line Summit - "Enhancing Privacy and Confidentiality in the World of E-Health"

Health On-Line Summit - Adelaide

by Dr Kerryn Phelps

August 3, 2000

Good afternoon ladies and gentlemen - it is a pleasure to be with you today to participate in debate on vital issues surrounding e-health.

In my presentation I will focus on the overwhelming significance of protection of privacy as a precondition for e-health to meet the promises it currently holds out to all those involved in health issues whether it be general practitioners, researchers, managers or policy makers.

I propose to demonstrate to you, particularly through reference to international experience, the urgent requirement for development of overarching Federal health information privacy legislation as a critical component of e-health.

I will outline some of the basic principles that the AMA believes should be at the basis of national standards that underpin such legislation. In addition I will highlight the dangers of a piecemeal approach to privacy legislation.

Proposed legislation to be specifically drafted for the Better Medication Management System (BMMS), we believe, reflects this highly risky approach to privacy.

The BMMS is a very positive initiative in many ways.

The AMA believes, however, that potentially one of its greatest weaknesses is that in the absence of overarching health information privacy legislation the BMMS, through the development of separate privacy legislation, provides a false sense of security.

I will be emphasising the significance of privacy issues to individual consumers in regard to health information. We may not have Australian data yet on patients' concerns about privacy but they are there and they are growing.

It is important to understand that these issues have no less significance to medical practitioners as they relate to the philosophical and ethical basis of health care provision.

The inherent ethical and philosophical basis of health provision is based in the obligations to provide and maintain the confidentiality and privacy of individual health information.

Such obligations are also set down, to varying degrees, in law. Government has an obligation to ensure that health providers are given clear and consistent guidance on their responsibilities under law - particularly in the context of advances in information technology.

Most importantly health providers need to be confident that such law is consistent with the ethical and philosophical foundations of their profession.

I am very pleased to see that the Report to Health Ministers by the National Electronic Health Records Taskforce "A Health Information Network for Australia", that was released on 27 July 2000, generally reflects the views of the AMA in relation to privacy, security and confidentiality of health information.

The report states that effectively addressing the issues of privacy, security and confidentiality, and the development of national standards are two of the most important precursors to implementation of an electronic health information network.

The opportunities offered by advances in information technology to continually improve health outcomes for all Australians are unquestionable and their impact on health, from the individual patient to global issues, is as yet unimaginable.

The capacity to realise the opportunities that information technology can bring to health outcomes is necessarily based on access to a vast array of data on aspects of an individual's health and healthcare management - that is, access to what is undoubtedly the most intimate, personal and sensitive of any information maintained about an individual.

Information that is provided through a relationship which is intrinsically based on trust, intimacy and confidentiality - that between medical practitioner and patient.

To neglect the significance of this relationship in the development of any electronic health records system is to doom it to failure for where "consent" of the individual is at the basis of credible data collection, "confidence and trust" is the basis for "consent".

The Government, in partnership with industry, is progressing towards the introduction of the electronic health record.

At the same time indications are that its precursor by stealth, the Better Medication Management, in the absence of overarching privacy legislation, will be inadequate in relation to issues protecting the privacy of health information.

Both the Government and the Standing Committee on Legal and Constitutional Affairs had some trouble understanding the grave importance of separate legislation on privacy related to health information.

Consumers, however, increasingly understand that access to data on their individual health history, its current status and, with advances in genetic research, its potential status, may provide the means to: exploit, stigmatise, discriminate and disadvantage an individual in every single aspect of their lives - employment, finances, insurance, housing, education, access to a range of private and public services and travel.

A recent survey showed that more than a third of all Fortune 500 companies in the United States check medical records before they hire or promote and 10% did not inform employees of this practice.

Over two hundred instances of loss of employment, insurance cover or benefits, as a direct result of access to personal genetic information, have been documented in the United States.

63% of the participants in a US 1997 telephone survey of more than 1,000 people reported that they would not take genetic tests for diseases if health insurers or employers could get access to the results. 85% felt that employers should be prohibited from obtaining information about an individual's genetic conditions, risks and predispositions.

In discussing the move towards implementation of electronic health records, including the earliest Australian example, the Better Medication Management System, objectives are consistently stated in general terms of improved delivery and quality of care and improved health outcomes for Australians.

However, the United States has discovered that inadequate, piecemeal approaches to policy and legislation and the absence of overarching Federal privacy legislation, specifically related to health information, have operated as a clear and critical obstacle to the realisation of the benefits to be derived through e-health.

A January 1999 survey by the California Health Care Foundation found that one out of every six people engages in some form of privacy-protective behaviour to shield themselves from the misuse of their health information, including lying to their doctors, providing inaccurate information, doctor hopping to avoid a consolidated medical record and - in the worst cases - avoiding care altogether.

Researchers conducting a multi-year Pennsylvania study designed to understand how to keep women with breast cancer gene mutations healthy reported that nearly one third of the high risk women invited to participate in the study refused because they feared discrimination or a loss of privacy.

In June this year the US House of Representatives and Senate Committee hearings on legislation related to privacy of medical records heard that the absence of enforceable privacy rules was a substantial barrier to improving the quality of care and access to care.

The clear message is that if we want e-health to work there needs to be an overwhelming focus on consumers and providers of health care and what they require as a precondition of participation, not an afterthought.

So how do we balance the desire to realise the unimagined benefits of information technology in relation to health without compromising the confidence and trust which is the basis for the provision of quality health care?

In terms of electronic health records the critical issue is the capacity to demonstrate that privacy rights of individual consumers and the obligations of providers in this regard, are central to the philosophical, technical and legislative basis of the system.

It is in this context that there is a critical necessity for overarching Federal health information privacy legislation based on agreed national standards.

International experience clearly demonstrates that attempting to link a variety of State and Federal legislation, some of which directly relates to health information and some of which does not, is simply not the way to establish an environment of trust and confidence so necessary to make legislation work out there in the real world.

Recent international directions in regard to these issues are characterised by the establishment of consistent overarching standards.

In October 1995 the European Union adopted a "Directive on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data" which required all member states to bring their national laws into congruence with the Directive.

In February 1997 the Council of Europe adopted a "Recommendation on the Protection of Medical Data", the principles of which the 39 members (which includes all EU countries) are urged to transpose into their national laws.

In late 1999 the Secretary of the US Department of Health and Human Services proposed regulatory standards related to national medical record privacy which marked the commencement of a regulatory process pursuant to section 264 of the Health Insurance Portability and Accountability Act of 1996.

In a statement by the US Secretary of Health and Human Services in late 1999 she noted that the Administration had called upon Congress to close the gaps in legislation and enact comprehensive national legislation to ensure that all medical records are protected.

Recent experience in other areas of advanced information technology has clearly demonstrated that governments must lead the way.

Allowing the market to lead on specific information technology issues in a policy and legislative vacuum places governments in a constant and cost inefficient run to catch up.

Fortunately the pivotal issue of privacy in the area of electronic health records means that existing privacy legislation provides some brake on market advances in this area ensuring access to an increasingly rare commodity - time.

Time the Government requires to ensure that comprehensive policies and legislation are established in a carefully considered and fully consultative manner.

The Government may say that the Privacy Amendment (Private Sector) Bill 2000 meets concerns in relation to health information.

It does not.

This Bill, while valuable in its own right, is completely inadequate in terms of addressing the immense complexities of privacy protection related to health information, particularly with massive advances on e-health on the horizon. A special health code, if it is agreed to be the solution to the inadequacies, must be in place before e-health proceeds.

The House of Representatives Standing Committee on Legal and Constitutional Affairs Advisory Report stated that "…the arguments of those concerned about the limitations of the Bill have considerable merit and there will be serious problems because of the nature of the health sector."

Further the "… rules in the legislation, the Committee held, should therefore be explicitly recognised as interim."

So where does this leave us?

On one hand we have privacy legislation at Federal level, and a variety of legislation at State/Territory level that are on the whole inadequate in relation to health information, particularly within the context of new technologies.

On the other hand Government and industry are actively progressing the implementation of e-health, specifically the electronic health record, at a rapid pace.

Let me be clear - we want e-health to work.

Initiatives such as the Better Medication Management System do have the potential to bring vast improvements in the area of health.

We want to realise all the benefits to the health of Australians that e-health can bring.

We want to use the technology to bring improved health care and health outcomes to rural and remote communities.

The establishment of national standards that underpin Federal health information privacy legislation is the only way to ensure that these opportunities are not lost.

So what are the basic elements that should inform the development of national standards legislation?

While international experience in legislation of this type is varied it does provide some guidance and consistent themes are evident.

The legislation should establish the minimum of privacy protection at the Federal level for all types of health information and across all sectors to provide national consistency.

The legislation should clearly establish boundaries.

With advances in new technologies and new uses the boundaries between health information and other information are blurring and bring with them new issues and concerns.

As information technology evolves new uses for the information gathered will also evolve.

The issue of boundaries around use of information is essential in preventing the exploitation of consumer comfort or complacency down the track.

An individual's health care information should be used for health purposes, and only those purposes, and any limited exceptions must be clearly defined.

It should apply uniformly regardless of the setting in which the health care is provided and apply to all types of information: computer, paper or oral.

It should clearly establish limits not only on the use of identifiable information but also the use of de-identified information.

Legislation should establish clear limitations on the use and transfer of de-identified information to prevent data collected for a specific purpose being used for other purposes.

This is essential as the whole issue of consent in relation to exceptions to use of de-identified data is complex and one that must be addressed in terms of "informed consent".

In addition, the complex issues of consent in relation to third party use and limitations on the use of the information under legislation by that third party must be addressed.

This also goes to issues of coverage of the legislation to organisations not directly related to health care but which have access to health data.

Issues of consumer consent should incorporate the capacity for consumers to know who has accessed their information, when and for what purpose.

As a principle, the consumer should be aware of the uses and transfer of information that may not be clear and obvious.

The lack of "informed" consent creates significant risks to privacy.

There should be an enforceable obligation on the recipient to use the information only in accord with the agreement made with the patient at the time of the authorisation.

The issue is of even greater concern when it is considered in the context of the current climate of increasing corporatisation of medical practice.

The fact is, and have no doubts about it, that corporates are about business - and business is about profit.

Corporates are not made up of people who wish to provide the community with a service by investing in health.

Corporatisation, in the absence of overarching privacy legislation, provides a significant risk of the unauthorised transfer and use of health information for commercial purposes.

A piecemeal approach to legislation cannot ensure that these complex issues are adequately addressed.

Legislation must address issues of security and the obligation of record holders to ensure that information is held and transferred to other parties, within the legislation, in a manner which protects the information from being used in a manner contrary to the basis of provision.

Security also relates to the basic principle that the best security is to limit access to "need to know" for specific purposes.

Consideration may also be given to the development of guidelines for assessing security capabilities of specific healthcare information technology under this legislation.

Lewis Lorton of the US Forum on Privacy and Security in Healthcare notes that in relation to motor vehicles, government and industry have developed a set of standards of structure and safety to encompass the technology that we can't see, can't control and don't necessarily understand.

That such a system does not exist for evaluating the security of the information technology portion of health care information technology systems is a major cause for concern in relation to privacy.

The legislation should be enforceable and establish real sanctions to provide consumers the confidence that the legislation will be applied.

In summary the legislation should establish a basic national standard necessary to protect the rights of patients and define the responsibilities for record keepers. It should authorise sharing of health information for health care treatment and should prohibit use of that information for most other purposes. Legislation should provide consumers with specific rights to know how their information will be used and to know who has used their medical information.

I would like to turn now to the Better Medication Management System (BMMS) which is proposed to be available across Australia from July 2001.

The BMMS is an electronic system of keeping an individual's medication records, particularly records of prescription medicines and has the potential to provide considerable benefits to consumers and providers.

Recalling the issues I have raised earlier, I would like to outline some of the real concerns that the AMA has about this proposal, particularly in relation to basic principles which should apply to protect the privacy and security of individual patients' health information.

Firstly we believe the extremely short timeline allocated to consultation with stakeholders and a period of only 8 weeks to draft specific legislation related to the BMMS is incompatible with the complexities involved in ensuring that consumer privacy rights are central and that consent and access issues are adequately addressed.

As the Electronic Health Record Task Force report states, unless the Government gets the privacy issues right, consumers and providers simply would not use it.

The BMMS privacy sub-group is developing Principles to Guide the Legislation on the operation of the BMMS.

While the principles provide very broad indications on limitations of use of data by those who have access (prescriber and pharmacists), it so far appears to place no limitations on the use of aggregated, de-identified data and proposes that such data should be more widely available for the purposes of performance assessment, and for research and planning relating to the health system.

In our view this represents a somewhat open-ended approach and is inconsistent with the need to establish strict boundaries around the use and re-disclosure of the information.

While the principles indicate that the patient will be fully informed about the BMMS this does not extend far enough to ensure the issue of "informed consent", surrounding use of data, including de-identified data and use for other purposes, is adequately addressed.

The issue of "informed consent" must be considered in the context that the uses of data beyond that for which it is collected are unlikely to be obvious to the consumer, in particular.

Further, components of the principles which allow further use of data collected through the BMMS indicate that clearly defined and bounded objectives and purposes for the BMMS and the data collected have not been established.

The fact is that technology is evolving and as it does, so will the uses for the data collected within any electronic system.

No legislation should provide an open-ended approach to the use of data.

A basic principle for security of information relates to limitations on access and disclosure.

The BMMS, however, broadens access and disclosure beyond that which we believe is necessary to achieve the objectives of the scheme.

It proposes to provide access to the medication record beyond prescribers to pharmacists - in our view this provides a critical level of unnecessary access and disclosure until we have sorted out the privacy issues like ownership of data and patient permission.

We consider the additional and unwarranted access to represent a serious impediment to security and privacy of individual medication records.

In terms of the technical options being proposed by BMMS they relate to a distributive and a centralised system.

While the technical pros and cons of each of these systems have been put to the working group, the technical systems have not been tested against non-technical issues related to privacy and confidentiality issues.

The technical analysis must take into consideration the array of complex issues related to access and protection of privacy.

The BMMS for example proposes that clear individual identifiers be attached to data, that is a Medicare number, and while this in itself provides cause for considerable concern, the linking of such data into a centralised system may not preclude broader use of data and the introduction and testing of a broader system of electronic health records.

The BMMS was in the Federal Budget, Medicare numbers on prescriptions were in the budget; now, without any discussion, the two are being linked by stealth, with the Medicare number used as a unique patient identifier for the BMMS, with absolutely no debate around the UPI.

Dr William Lowrance, in a 1996 study on Privacy and Health Research for the US Department of Health and Human Services, states that while from a privacy protection perspective, there is a very wide distinction between personally identified data and truly anonymous data, in practice the demarcation between these extremes is not sharp.

In this context a centralised system poses the greatest risks to consumer privacy.

The proposed BMMS breaks the first rule in the context of privacy related to electronic health records - that of ensuring consumer and provider confidence through a demonstrated commitment to privacy.

As I have said the BMMS has the potential to bring great improvements in medication management.

What it needs to make it work is comprehensive overarching legislation which addresses the complexities, particularly the legal, related to access to and use of electronic health system data.

The AMA believes this may represent a serious underestimation of public and professional concern over privacy issues - although we are pleased to see that the Electronic Health Records Task Force report gives the issues of privacy, confidentiality and security very strong emphasis.

What we are saying today in relation to BMMS echoes views of the Task Force - get the building blocks, the non technical building blocks, right or it won't work.

In conclusion I would like to emphasise the AMA's commitment to working with government to improving health outcomes and health delivery through new advances in information technology - technology that is developing at an incredible pace and bringing with it rapid advances in health research.

I have given you a number of examples from the United States that illustrate the risks associated with compromises on individual privacy. Many people will be thinking - yes but that is the United States and Australia is a very different place.

Well I say think again.

Australian consumer focus group patients with long term diseases advised that they tended to get drugs from pharmacies where they were not generally known. This was especially the case for participants with diseases such as HIV, who felt that they were at high risk of losing their jobs or insurance if their condition became known.

Health is not an area where advances in technology can be simply superimposed. The real limitations of e-health relate to the non technical elements: the underlying philosophy and ethics of the health profession and the complexities of the human relationships that make it work.

The community, medical and broader health profession, and Government can and must find solutions that will enable the promise of e-health to become a reality.

These solutions lie in protecting the rights of individuals to privacy.

To echo sentiments expressed by the US Secretary of Health and Human Services last year "…the need for Federal protection is not theoretical; it is real and it is urgent".
