The Health Department is amending its national e-health system My Health Record to deal with low engagement. But it’s being warned it still has work to do on security and privacy.
Only about 10% of the population is enrolled with the government’s opt-in My Health Record system and few health practitioners use it, The Mandarin reported last month.
Due to low engagement rates following its creation as an opt-in system in 2012, the Health Department plans to recommend the government adopt an opt-out policy from 2017. Transferring to opt-out was recommended by a December 2013 review into the Personally Controlled Electronic Health Record system, which is being rebranded as My Health Record.
While the overhaul attempts to address a number of key problems identified in a 2013 external review of the PCEHR, a number of experts have flagged concerns with the new My Health Record, which should be addressed prior to implementation.
There are a number of challenges that will need to be overcome in the move to an opt-out system — not least of which is low public support, with one survey finding only 27% of healthcare consumers and providers agree a consumer-controlled electronic health record should be compulsory.
The Deeble Institute argues the security and privacy aspects of the system have not been designed from the beginning to handle opt-out and that it must be redesigned so that security is “properly built in, not retrofitted”. It recommends that, to accelerate uptake and utility, the government should conduct a:
“… comprehensive system security and privacy safeguard review with subsequent action plan to address concerns prior to opt‐out pilots, followed by proactive messaging to consumers and providers that technical security has been dealt with in the design of the record.”
The think tank, which is the research arm of health sector peak body the Australian Healthcare and Hospitals Association, has written an issues paper highlighting three key areas of ongoing implementation concern.
Lack of users, system use and clinical utility
On reaching a critical mass, system use and clinical utility, it recommends:
- Comprehensive system security and privacy safeguard review with subsequent action plan to address concerns prior to opt‐out pilots, followed by proactive messaging to consumers and providers that technical security has been dealt with in the design of the record;
- Comprehensive communications and engagement strategy with targeted and sustained consumer‐ and provider‐specific education and registration activities leveraging consumer groups, peak bodies, professional colleges and software distributors;
- Comprehensive and best‐practice provider training based on an iterative process to develop training modules and the training platform with stakeholders;
- Registration incentives for both consumers and practitioners such as an increased Medicare rebate for system use as part of clinical activity;
- Technological and business support, including financial incentives to service providers nudging uptake and use;
- Software default settings linked into the interoperable national health record system;
- Flexible and clear policy and technical frameworks that are adaptable to clinical need; and
- Structural change to the data sharing model where information necessary to the current treatment of a consumer is shared among the care team.
Opt‐in versus opt‐out registration
To ensure a smooth transition from an opt‐in to an opt‐out consumer-controlled electronic health record with evidence‐based privacy and security protocols, the Deeble Institute suggests:
- Comprehensive system security and privacy safeguard review of the current architecture evaluated against a repurposed opt‐out functionality, which includes both threat and risk assessments as well as privacy impact assessments;
- Action plan stemming from the review to implement a mix of technology, policy and process mechanisms aimed at strengthening security and privacy controls — to be completed prior to My Health Record’s opt‐out trials;
- Public education campaign demonstrating system security and privacy safeguards;
- Engagement with software developers and distributors to ensure software compliance with necessary system changes and to ensure ongoing system interoperability; and
- Update current provider training due to opt‐out transition and work with the sector to develop and roll out revised modules.
And to ensure best practice and inclusive My Health Record governance arrangements, its recommendations are:
- Key national and regional stakeholders as well as consumers should be part of My Health Record’s governance arrangements in order to secure buy‐in from the health and community sectors and key consumer groups;
- Consideration should be given to the following building blocks for effective governance:
  - Strong leadership, culture and communication
  - Appropriate governance committee structures and clear accountability mechanisms
  - Working effectively across organisational boundaries
  - Comprehensive risk management and compliance systems
  - Strategic planning, performance monitoring and evaluation
  - Flexible and evolving principles‐based systems
- The Council of Australian Governments’ Standing Council on Health should play a leadership role to ensure these effective governance building blocks become more than aspirational.