Trading privacy for lives
Author Justin Pierce Published 21 September 2009
Reform of the national health system has long been on the agenda for both the major political parties. Advances in information and communications technology (ICT) – particularly in the last ten years – have underpinned protracted and sometimes passionate debate on the merits and perils of a national e-health scheme and the use of a national electronic health record (EHR).
Proponents of such a scheme highlight the efficiency gains to be had where multiple healthcare practitioners are involved in any one patient’s care – say, for example, a chronic patient suffering rheumatoid arthritis with hypertensive complications. In this example all treatment would be recorded in one central EHR and all treating physicians and other healthcare professionals able to view and update the record. If the patient arrived at the emergency room the triage nurse would then be able to retrieve the EHR for the attending physician to diagnose and administer treatment. The alternative is to sit with the patient while they recount details of their medical history, remember results of previous tests and recall substances that have caused allergic reactions in the past. All the while they would be in pain.
Clearly there are compelling arguments for the EHR scheme, including:
- increased speed of response to critical patients
- reduced errors, especially in prescribed medication
- streamlined treatment across multiple treating healthcare professionals
- better allocation of health resources.
For all the advantages of the proposed scheme, however, there are vehement concerns from the community on the confidentiality, privacy and security of individuals’ health information. Healthcare information pertains to profoundly personal aspects of a person’s life. It can include treatment notes, nurses’ observations, post-operative reports, x-ray and other diagnostic images, physical examination results, diagnoses, details of prescriptions and information gleaned from the patient. Healthcare information can also contain subjective reports about the reasons for certain conditions, based on the opinions, impressions and assessments of healthcare professionals. It is certainly reasonable that people expect their health information to be confidential, private and secure.
Medical records are increasingly electronic and stored in an information system (IS). Gone are the days of multiple, often illegible paper records stored in a filing cabinet. But the storage of healthcare information in electronic form creates distinctly new challenges concerning the management of authorised access to that information, its accuracy and its persistence. Some characteristics of EHRs follow:
- computerised databases make data entry easy
- storage requirements are small
- linking multiple databases is made easy
- potential exists for ‘invisible theft’ where data can be stolen without anything physical actually being ‘stolen’
- potential exists for ‘invisible modification’ where data can be changed without trace
- multiple simultaneous access sessions are facilitated
- opportunities exist for use of healthcare information beyond its original intended purpose.
The debate, then, is attracting impassioned objection from some groups who demand appropriate controls and legislation to be built around the proposed scheme. The Australian Privacy Foundation (APF), for one, in a policy submission document [1], reminded the government that a national EHR scheme should be used for its intended purpose only. It suggests the primary function of such a system is to facilitate healthcare for patients and that other functions, such as public health, administration, insurance, accounting and research, are secondary and tertiary uses. (Indeed, the secondary and tertiary uses of the EHR scheme are not as clearly set out as the primary advantages purported by advocates of the scheme.) In fact, whereas one side of government is proposing the national scheme, the other suggests the role of government is to build frameworks within which schemes such as these can evolve on their own, rather than prescribing them so aggressively. But the APF suggests calls for a national general-purpose health record are for the benefit of tertiary uses, not for patient benefit.
Couple the potential misuses of the system with other threats to its security and the issue becomes quite an interesting dilemma. It has been suggested that consolidation of health data is inherently risky, and that it creates a ‘honey pot’ that attracts break-ins and unauthorised secondary uses and creates additional risk of identity theft (APF, 2009). The security risks to any information system apply to the proposed national EHR scheme. They include:
- interception relates to an unauthorised entity gaining illegitimate access to protected data
- interruption occurs when legitimate access is disallowed due to accidental or malicious loss or damage
- modification occurs when an unauthorised entity tampers with protected data
- fabrication refers to creating counterfeit objects in an IS.
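The ‘invisible modification’ characteristic listed earlier and the modification threat above share one defensive answer: an EHR change log in which each entry commits to the hash of the one before it, so that altering any stored entry breaks the chain from that point on. The following is an added illustration, not code from the article or from any national EHR system; the patient identifier, user names and clinical values are constructed sample data.

```python
import hashlib
import json

GENESIS = "0" * 64  # placeholder hash for the empty chain


def entry_digest(prev_hash: str, entry: dict) -> str:
    """Hash of one log entry, bound to the hash of the entry before it."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class RecordLog:
    """Append-only change log for an electronic health record.

    Each appended entry stores (entry, hash), where hash covers the entry
    and the previous hash. The head hash must be kept somewhere the
    database writer cannot reach (signed, or copied off-system); the
    chain alone only proves consistency with whatever head is trusted.
    """

    def __init__(self) -> None:
        self.entries: list[tuple[dict, str]] = []

    def append(self, actor: str, patient: str, field: str, value: str) -> str:
        prev = self.entries[-1][1] if self.entries else GENESIS
        entry = {"actor": actor, "patient": patient, "field": field, "value": value}
        digest = entry_digest(prev, entry)
        self.entries.append((entry, digest))
        return digest

    def verify(self) -> int:
        """Return -1 if every entry matches its stored hash, else the index
        of the first entry whose recomputed hash disagrees."""
        prev = GENESIS
        for i, (entry, stored) in enumerate(self.entries):
            if entry_digest(prev, entry) != stored:
                return i
            prev = stored
        return -1


def demo() -> int:
    """Constructed scenario: a record is edited in place after the fact."""
    log = RecordLog()
    log.append("dr_smith", "P-0001", "allergy", "penicillin")   # sample data
    log.append("nurse_lee", "P-0001", "bp", "150/95")            # sample data
    log.append("dr_smith", "P-0001", "rx", "ibuprofen 400mg")    # sample data
    assert log.verify() == -1
    log.entries[0][0]["value"] = "none"  # silent edit to the allergy entry
    return log.verify()  # first broken link is entry 0
```

The chain detects modification and fabrication of logged entries; it does nothing against interception, which needs access control and encryption in transit and at rest.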
Readers may recall an incident in late 2008 when an AFL footballer’s medical records were ‘obtained’ by the press: these were paper-based records. It is clear that threats to the security of individual EHR need to be addressed. Further user consultation, community liaison, cross-disciplinary research and stress testing are needed before a national EHR scheme can be accepted.
I recently spoke with a healthcare professional who suggested that prescription errors have less to do with illegible handwriting and more to do with the knowledge gaps of treating physicians. The example given was ibuprofen and aspirin: both thin the blood, so prescribing them to post-operative patients carries increased risks. A national EHR can't bridge knowledge gaps but if it can save lives, would you give up a little privacy?
[1] Australian Privacy Foundation (2009) ‘Policy Position: eHealth Data and Health Identifiers’, [online] http://www.privacy.org.au/papers/ehealth-policy-090828.pdf, updated 28th August 2009, accessed 11th September 2009.