Silver Chain Group

24 June 2015
PCEHR/HI Discussion Paper Feedback
Department of Health
MDP 1003
GPO Box 9848
CANBERRA ACT 2601
[email protected]
LEGISLATIVE PROPOSALS: PCEHR SYSTEM AND HI SERVICE
Silver Chain Group supports the legislative proposals for the PCEHR System and HI
Service in principle.
We seek clarification and make recommendations that have been raised previously and will
continue to be raised as the PCEHR continues to be developed. These concerns need not
hinder the development of the system, but do need to be addressed within the system.
We raise concerns for consideration around the themes of individual choice, control, safety
and privacy.
Responses to individual components of the document “Legislative proposals: PCEHR
system and HI Service” can be found below.
3.1.1 Name of the PCEHR system
We support the name change to ‘My Health Record’. The change is reflective of a
consumer owned record, simple and easy to remember and more empowering to the
individual.
3.1.2 Definitions
Alignment between HI and PCEHR Acts
We support the alignment between the HI and PCEHR Acts. The term ‘Health Care
Recipient’ is appropriate. We also promote the term ‘individual’ as it reflects a more proactive, empowered consumer base.
Clarification of “healthcare”
The WHO definition of Health, in place since 1948, is ‘Health is a state of complete physical,
mental and social wellbeing and not merely the absence of disease or infirmity’
(World Health Organisation definition of health).
Consistent with this definition, ‘healthcare’ could include services that attend to physical,
mental and social wellbeing. Therefore, inclusion of aged care and disability providers
aligns well with the WHO definition of Health.
Distinguishing between healthcare providers and organisations
Clarification is sought for the following:

Do individual providers retain autonomy with their own unique identifier, whilst the
organisation also retains its own identifier?
Silver Chain Group Limited ACN 077 082 725 ABN 77 119 417 018

How will individual and aggregated data/information be managed to ensure privacy
protection for both individual providers and organisations when shared for other
purposes?
How will organisational risk be managed under this change?
Expanding “identifying information”
We agree to expanding “identifying information” in principle whilst recognising that it
increases the risk of a security breach.
Clarification is sought for the following:

The scope of how this additional information is used

Safeguards for information passed through non-secure means such as email and
mobile phone messaging

Safeguards against sending information to the wrong person through changed phone
numbers and email addresses

Safeguards against third parties securing documents and seeking opt-out options over
the phone without visual identification

Safeguards to ensure access equity across all populations, eg frail elderly who do not
have a driver license, passport or Immicard.
3.2 Governance
We support this change to address current problems for end users.
Clarification is sought for the following:

The structure around consumer representation and input

The clinical oversight in place for clinical information

The national health and quality standards associated with the governance of the
PCEHR
3.2.1 Establishment of ACeH
We support the change to governance arrangements for eHealth.
Clarification is sought for the following:

Safeguards that there will be sufficient input from end-users

Structure of process ownership – eg previously GPs were held responsible for data
lost during e-transfer process – a process they did not have an ability to influence,
change or monitor

Process for assuring accurate information prior to up-loading information
3.3 Participation
3.3.1 An opt-out PCEHR system?
We support a well-constructed and managed opt-out model. Anticipated benefits include
greater utility of PCEHR in practice, better supported healthcare providers and notionally
enhanced individual patient outcomes.
We seek consideration of the following:

Protection of the principles of choice and control of individuals

Opt-out provisions are protected and communicated with ethical rigour much as
research withdrawal is (see NHMRC National Statement on Ethical Conduct for
Human Research)

Opt-out process is transparent, simple and clear

Opt-out process is widely advertised and communicated

Partial opt-out in the form of choice to delete or prevent information from being up-loaded is
equally widely advertised and communicated

Clarity about what happens to information that is deleted by an individual – is it held
elsewhere? If it is, who has access to it, and who owns it? Can it be re-instated at a
later time?

Safeguards and processes are developed to support those that may not have the
ability or struggle to follow the process to opt-out on their own behalf but wish to

Safeguards and processes are developed for vulnerable populations to have a strong
voice in the choice and control of their health record

Restrictions for representatives to have authority to act on behalf of an individual such
as Power of Attorney or Power of Medical Attorney be presented in person to further
safeguard vulnerable individuals against fraud.

Notification capability to prevent changes to the health record by third parties who are
currently under investigation or have been reported to care providers for abuse of an
individual eg elder abuse.
We recommend that Medicare local offices become an access point for opting-out of
PCEHR to assist access equity and improve simplicity for those who are unable or unwilling
to use electronic means.
Opting out in trial regions
Clarification is sought for the following:

How does someone who is computer illiterate, has cognitive dysfunction and is
otherwise vulnerable opt-out with ease?

What will be the mechanisms for notifying individuals that they are in a trial region?

What will be the backup communication and media messages to ensure that every
individual has the information necessary to exercise their choice and control?
We recommend that the impact of the opt-out system on individual health and wellbeing is
included in the evaluation of the opt-out trials.
Individual consent
We strongly support individual consent as part of protecting choice and control.
Clarification is sought for the following:

When an individual asks a provider not to upload a piece of information, how is that
recorded?

What safeguards will there be to prevent or discourage a provider uploading
information contrary to the request of an individual?

Is consent expected to be given at the time of a consult? Or through other means at
another time?

How will this process be communicated to the community?

How will coercion be avoided in marketing and education, and by the healthcare
provider?
Self-monitoring by an individual of their consent being respected requires a proficiency in
digital media.

How does an individual who is computer illiterate or lacks on-line access monitor
breach of consent in their uploaded documents?

How does an individual who is computer illiterate or lacks on-line access set
appropriate access to their information?
Inevitably there will be communication breakdowns between individuals and the healthcare
provider.


Who will handle complaints from individuals?

How will the complaints process be handled to protect individual choice and control?
We recommend that individual consent is given in writing at every consult in a similar
manner to how a Medicare rebate is transferred to a provider at the time of service.
Secondary use of information
We support secondary use of information with the following considerations:

Individuals are informed and give their consent to their information being used for
research and evaluation purposes

All data used is de-identified in line with national standards for privacy in research

All secondary use of information is subject to ethical approval to ensure good
justification and rigour.
Registering healthcare provider organisations and other entities in opt-out trials
Ethically and logically, we support an opt-out model for healthcare providers in line with the
expectation for individuals.
3.4 Obligations of parties
Intellectual property
It is unclear who owns an individual’s PCEHR:

The individual?

The System Operator?

The healthcare providers who populate the PCEHR?

Does an individual own their own health records when they are transferred to the
PCEHR, or does the healthcare provider?
When a document is uploaded:

Does it populate the system permanently?

Can a healthcare provider amend a document if necessary?

Is it a legal document that can be used in court?
Liability
We support this change.
Data breach notifications
We support the changes to data breach notifications.
Clarification is sought for the following:

Who has the responsibility of notifying an individual of a breach to their PCEHR?

What support will be provided to an individual whose PCEHR has been subject to a
breach?

What considerations have been made to notify providers that data they have provided
has been subject to a breach?

What happens if a provider has multiple breaches?
3.4.3 Obligation for organisations to have PCEHR policy
We support the obligation for organisations to have a PCEHR policy.
We recommend that the expected policy content is defined, and management of breaches
and support for individuals who have suffered a breach are a compulsory inclusion.
3.4.6 Obligations to use PCEHR system
Circumstances in which healthcare providers should not be required to upload data:

When a client does not have a PCEHR

When a client expresses that they do not wish for the report to be uploaded

If the client openly rejects the report and opinion of the healthcare provider

An organisation or healthcare provider has opted out of the PCEHR arrangements

When information is of such a private nature that it may cause harm to the individual if
the information became more widely known even within the treating healthcare
community (eg mental health plan detailing PTSD, but leaving out the traumatic
reason for the safety of the individual).
3.4.7 Obligation for System Operator to notify decisions
We recommend that a notification by the System Operator includes a clear pathway for
objection by the individual or healthcare provider notified and a transparent method for
handling that objection by the System Operator.
3.4.8 Obligation for System Operator to retain records
Clarification is sought for the following:

Does this comply with all the current requirements for retaining records (eg Aboriginal
and Torres Strait Islander health records to be held indefinitely)?

If an organisation does not hold records for 30 years, are they obliged to do so if using
PCEHR?
3.4.9 Obligation for System Operator to provide system testing
We support the development of a testing environment.
3.5 Privacy
3.5.2 Temporary suspension of access to a PCEHR
We ask consideration of the following:

That mechanisms for third parties to report known breaches, or increased risk of
misuse are developed eg:

A family member with power of attorney and access to an individual’s PCEHR is
suspected of elder abuse against an individual and is currently before the
guardianship board, but a decision has not yet been handed down

Police report a domestic violence situation, where an abuser may have reason
to alter records in some way

A child custody case comes before the court, one or both parties have access to
the child’s PCEHR and medical records have been tendered as evidence to the
court.
Third party information
We acknowledge the potential benefit to an individual’s care by having third party
information uploaded.
We ask consideration of the following:

An upload only occurs with consent of the third party and the individual

An upload relates directly to the care delivered (informing, planning, delivery,
consultation etc)
Healthcare provider organisations’ use of healthcare identifiers
We support this change which will improve individual privacy and safety by decreasing the
number of duplicated and fragmented records.
We ask that safeguards are in place to ensure that information an individual did not want to
share is not compromised in the resolution process.
3.5.4 Penalties for misuse of information
We support a graded response and enforceable criminal penalties as there is the
opportunity for negligence, gross misconduct and fraud in the use of health information in
the PCEHR. Healthcare identifiers should also be treated similarly to health records as they
are a gateway to enable fraud to occur.
The principles of privacy, choice and control should be upheld and violation of these treated
with gravity.
However, it is inappropriate to be prescriptive without knowing the context, impact or any
mitigating circumstances.
We recommend misuse be heard by a tribunal (for possible referral to the judicial system).
3.6 Reviews
3.6.1 Review of the legislative changes
We support a review of the legislative changes. We support inclusion of individual
consumers and healthcare providers to be part of the reviewing team (not just interviewees)
to ensure a robust evaluation.
Thank you for the opportunity to respond to the proposed legislation and your consideration
of the feedback we have provided.
Dr Penny Lynn
Manager, Health Innovation
Silver Chain Group Limited ACN 077 082 725 ABN 77 119 417 018