Personally Controlled Electronic Health Record System: Legislation Issues Paper

Transcription

1 Personally Controlled Electronic Health Record System: Legislation Issues Paper Introduction The AMA has reviewed the Personally Controlled Electronic Health Record System: Legislation Issues Paper. The AMA s response to selected questions posed therein is set out below. Medical practitioners are already subject to a vast and complex array of regulatory and administrative requirements for the provision of medical services, the authoring of medical documents and the security of that information. The PCEHR legislation should seek to impose as few additional obligations on medical practitioners and other healthcare providers as possible. Where existing legislation or common law is applicable to medical information, additional legislative measures specifically for the PCEHR are not warranted. The AMA notes and supports the statements in the Issues Paper that support this principle. Fundamentally, the purpose of the legislation for the PCEHR should be to ensure that only people who have a genuine need and are authorised to do so are entitled to access a person s PCEHR. The legislation should also set out the framework under which the PCEHR system operator will function and the requirements on the repository operators. The Issues Paper specifically seeks feedback on how the legislative proposals support a PCEHR system as described in the PCEHR Draft Concept of Operations. Given that the Government recently sought submissions on the Draft Concept of Operations and a further draft incorporating those submissions has not been released, the AMA is concerned that the legislative proposals in the Issues Paper may pre-empt the final design of the PCEHR. The AMA has responded to the questions in the Issues Paper as asked, but refers to its submission on the Draft Concept of Operations in which important objections to the proposed design of the PCEHR are expressed. Question 3 What possible barriers are there to the participation of individuals through their authorised representatives? Medical practitioners need to be confident that the PCEHR system operator has carried out all the necessary checks before verifying the identity of a person claiming to be an

2 authorised representative of their patient. This obligation should be included in the legislation. In practice, medical practitioners will need to satisfy themselves that the person accompanying the patient is the authorised representative when decisions are being made to access information on the PCEHR and to post information onto the PCEHR about the health care event. Question 4 What other circumstances might need to be accommodated in the administrative arrangements for minors? We propose the following revision to Proposal 7 at the last 3 lines: Requests by minors under 14 years of age to manage their own PCEHR will be accepted by the PCEHR system operator on the written assurance of the individual's treating practitioner or other treating health professional that the individual is a mature minor whose circumstances warrant that the individual manages their own record. Question 5 What are the possible risks related to the creation and use of a pseudonymous PCEHR? A pseudonymous PCEHR will not provide any medical benefit to a patient in an emergency situation if that patient is identified under another name. Question 6 Are there other terms and conditions that should apply to healthcare provider organisations in regulating the eligibility of authorized users? In respect of Proposal 9 it is not clear to us whether the obligations for a registered healthcare provider that have been proposed are a barrier to using the PCEHR if the provider does not meet them, or whether the provider will incur penalties for failing to meet them after registering as a healthcare provider organisation. We do not support Proposal 10 for the legislation to provide a framework for standards with which healthcare provider organisations must comply. As stated above, we see no reason why this legislation should include a framework for yet another entity to set standards for the provision of medical services, the authoring of clinical documents, or the obligation for the safekeeping of medical information. Any standards imposed by legislation should apply only to the PCEHR system operator and repository operators. We note proposal 35 to not set requirements to support the security of the PCEHR system. Page 2

3 We assume Proposal 11 contemplates an audit process. The legislation should clarify what would need to be produced by the healthcare provider to prove that contracted service providers and administrative staff, must be identifiable in the healthcare provider organisation s local system. It should be within the healthcare provider s discretion to determine who within that organisation has a legitimate need to access the PCEHR system. The practicalities for some medical practices or hospitals mean that shared computer resources for administrative staff are often logged onto using generic identifiers such as User1. Constant logging on and logging off by individual staff each time they use the computer and access the PCEHR system will cause significant disruption to current workflow arrangements. To help minimise the administrative burden on healthcare providers the legislation and audit arrangements should allow healthcare providers to authorise users within their organisations by position title. In drafting the legislation it is important to be mindful that health practitioners access patient information every day, every time they treat a patient. The law should not create a disincentive to health practitioners in performing this activity. Similarly, administrative staff have access to patient information and the legislation should not disrupt current workflow arrangements. Question 7 What are the essential rules and standards with which a nominated healthcare provider should comply in relation to authoring and managing a shared health summary? In previous consultations with the Department of Health and Ageing and NeHTA the AMA has been assured that the PCEHR legislation would describe criteria for who could be the nominated provider. The requirement proposed in the PCEHR Draft Concept of Operations, that the nominated provider possesses an IHI is too broad. This category includes all healthcare professionals which all have significant differences in skills and knowledge. For medical practitioners to be able to rely on the shared health summary they need to be able be confident that another medical practitioner has considered and moderated the clinical information. The legislation should specify that the nominated provider could only be a medical practitioner or Aboriginal health worker. We do not agree with Proposal 12 or 13 to provide a framework for rules and standards for the nominated provider. The medical profession is already subject to regulation about authoring medical documents and good medical practice and is well versed in determining the clinically appropriate information to be included in a shared health Page 3

4 summary. There is no reason to treat authoring and managing a shared health summary in the PCEHR differently to other medical documents. Question 9. What are the essential obligations that should be met by repository operators? Repository operators should be obliged to use systems that are interoperable across the healthcare sector. It would be inappropriate for repository operators to influence the medical practice software market by the use of systems that have limited interoperability. Question 13 Are you aware of specific examples of information for which intellectual property rights might present a significant barrier to the use of the information in the PCEHR system? Medical practitioners have invested a significant amount of time in the production of health summaries for their patients. The current proposals for the PCEHR ask medical practitioners to voluntarily upload that work onto the system. Practitioners may view this as a request to give up their intellectual property for nothing. The AMA believes that medical practitioners should be properly remunerated for contributing to the PCEHR. Question 14 Can you identify any other options for records retention and can you identify any other issues regarding records management that have not yet been considered in this paper? The AMA considers the requirement for PCEHR repositories and portals to adopt the longest minimum jurisdictional requirement of 15 years to be reasonable. However, we question the consequent obligation on medical practitioners who practise in jurisdictions with lower minimum retention requirements in respect of documents downloaded from the PCEHR and incorporated in a patient s paper or local electronic record. The Issues Paper states that in many respects records on the PCEHR will be treated for legal purposes in the same way as currently existing medical records. We anticipate there may be situations where medical practitioners might need to produce PCEHR records in the course of Medicare Benefits Schedule, Pharmaceutical Benefits Schedule and Medical Board investigations and seek further discussions with the Department on this issue. Page 4

5 Question 15 Are there additional access functions for individuals that need to be included in legislation? The Draft Concept of Operations describes a PCEHR where these functions will be built into the system. Presumably, the system will not allow the individual to perform any other actions with their PCEHR. There appears to be no reason to also legislate these functions unless it is to provide a range of actions from which to create a sub-set of allowable activities by authorised representatives. Question 16 Should any specific restrictions apply to the extent to which an authorised representative can act on behalf of the individual within the PCEHR system? An authorised representative of a patient verified by the PCEHR system operator (see response to Question 3) should be able to carry out all the functions of the individual they represent. Question 20 Are there additional issues in relation to authorised users that should be addressed in the legislation or regulations? In order to answer this question it is necessary to understand what a healthcare provider would need to provide to prove during an audit that contracted service providers and administrative staff, must be identifiable in the healthcare provider organisation s local system. The proposed legislation should specifically include medical students as a category of authorised users who can access a PCEHR. It is important for medical students to have access to the PCEHR, so that they can access and contribute to a patient's e-health record as part of the medical team, just as they currently do with hospital records. Question 21 Should there be additional legislative provisions for emergency access to PCEHR information? Providing any additional legislative provisions for emergency access to PCEHR information would unnecessarily further complicate the legislative provisions. The proposal for an audit trail for accessing the PCEHR will allow individuals to pursue inappropriate use of the emergency access provisions through the existing channels for breaches of privacy. Page 5

6 Similarly, no additional offences or penalties should be created by the PCEHR legislation or related legislation in respect of emergency access to PCEHR information. Question 24 Are there any reasons why clinical information downloaded from the PCEHR system should be required to be handled differently to other information held by a healthcare provider in their local records? No, there should be no additional requirements on the healthcare provider for handling PCEHR information. However, the legislation should provide protections for healthcare providers from any legal consequences flowing from retaining a document downloaded from a PCEHR in their local records if the patient subsequently disallows that healthcare provider s access to the patient s PCEHR. Question 29 Is it appropriate to impose a penalty on the individual who requests a record from the PCEHR system when not entitled to do so? The offences proposed in Proposal 36 refer to registered healthcare providers. While we note Proposal 9 for healthcare providers to register with the PCEHR system operator, it is not clear what the purpose and effect of the combination of Proposals 9 and 36 will have. These proposals need more detailed consultation with healthcare providers about their intended purpose and what administrative obligations they will place on healthcare providers. We have taken the word request to include the conduct of a search of the PCEHR system for a patient s PCEHR. The current wording of this proposed offence would appear to capture events likely to be common in everyday medical practice when dealing with the PCEHR. It is probable that medical practitioners and their administrative staff will routinely request records from the PCEHR system to which they have not yet been granted access by the individual. This activity should not attract any penalty, particularly given the Government s desire that healthcare providers make use of the PCEHR. The system itself should prevent anyone who is not authorised to access an individual s PCHER from viewing the PCEHR. Consultations with Departmental officials have assured the AMA that this proposed offence is not intended to capture anything done in normal clinical practice. Accordingly, the wording of the offence should be changed to reflect the intention to capture cyber Page 6

7 crime or other fraudulent activity and be expressed to be applicable to all people and entities rather than focusing on healthcare providers. Finally, if the offences contemplated are in relation to cyber crime and fraud it should be sufficient to rely on existing legislation that makes those activities criminal offences. Question 33 What are your views about the preferred governance structures for the PCEHR system and national e-health elements more broadly? The governance arrangements must be transparent, accountable and developed in collaboration with key stakeholders. The legislation should set out the structure of the roles and functions of the PCEHR system operator. The legislation should also set out the structure and membership of the PCEHR system operator s board, including a requirement for the inclusion of practicing medical practitioners on the board. The AMA does not support the inclusion of compliance framework for standards or clinical governance proposed as issues to be managed by the PCEHR system operator on p.37 of the Issues Paper. As stated in responses above, it must not be a function of the PCEHR system operator or any other entity created under this legislation to set standards or monitor compliance with standards for healthcare provider organisations or healthcare providers. The PCEHR system operator should have functions related to the monitoring and regulation of the repository operators. The legislation should not contemplate a broader role for the body tasked with governance of the PCEHR in the broader ehealth sector in the future. Question 34 What would be your preferred single entry point for PCEHR privacy complaints? The AMA does not support the single entry point proposal for PCEHR privacy complaints. Privacy complaints about the PCEHR should be treated in the same way as any other privacy complaint. AUGUST 2011 Page 7