From: Juanita Fernando
Date: Thu, 14 Feb 2013 10:08:59 +1100
Subject: More feedback on the "fact sheets"
To: natasha.roberts@oauc.gov.au

Hi Natasha,

I have received further feedback re the "Factsheets" from a concerned group of stakeholders.

Feedback #1:

The legislation underpinning the PCEHR (http://www.comlaw.gov.au/Details/F2012L01703) seems to be a bit of a worry. At least, to me it is. Nowhere does it a) define an authorised user b) say that only authorised users are permitted to access a person's PCEHR. It would, at first look, appear that there is nothing, legally, stopping anyone in the government from being given access to the PCEHR and looking at any data. They may even have intended that so as to legalise research and analysis or something else more nefarious. Paranoid little me. Or am I just cynical?

Question 1: Does the audit log show when the system operator (in this case it would seem to be DoHA and APIS) accesses a citizen's eHealth record? And that includes the help desk and system admin staff.

Question 2: which maybe answers the first:

Re the PCEHR Rules 2012 at: http://www.comlaw.gov.au/Details/F2012L01703

This appears to me to be the legislation under which the PCEHR operates. Looking at the access rules it says:

    4. Default access controls
    For the purposes of paragraph 15(b) and (c) and subsection 109(6) of the Act, the System Operator must establish and maintain default access controls that:
    (a) permit all registered healthcare provider organisations involved in the care of a registered consumer to access the consumer's PCEHR;
    (b) include an access list of the registered healthcare provider organisations that are permitted to access the consumer's PCEHR because the organisation is involved in the care of the registered consumer;

The interesting thing is that the rules only apply to registered healthcare provider organisations and the consumer. If you are not in either of these groups, the rules do not apply to you. The rules do not explicitly state that only these groups should be allowed to access a PCEHR. So, technically it seems that anybody who can get access to the PCEHR system, provided they are not part of a registered healthcare provider organisation, can legally access anybody's PCEHR.

Could someone please tell the community if and why I am wrong?

Feedback #2:

1. It will appear to many people that the mandatory requirement to follow what seems to be an unnecessary and unexplained next step, i.e. one is told: "To register for an eHealth record you need to create an Australia.gov.au account, or log". No explanation is given for this. Because it apparently connects to other government departments and is said to have been designed by the ATO, it is often being seen as a backdoor recreation of the "Australia Card". What is its purpose from the consumers' point of view?

2. The Parliamentary Inquiry into "Cyber Security for Senior Citizens" is due to report in April. Its recommendations need to be considered as part of this review.

3. The hacking of IT records is a serious ongoing issue. However, there is an increasing incidence of computer theft or wrongful access to the expanding use of complex mobile phones, iPads etc. throughout the health system.

4. Discussion with industry about the development of data repositories/warehouses and the consequent inter-operability operation is just commencing. This is a very challenging and broad issue, a significant part of which will relate to privacy and security. This area is not widely understood and needs independent inquiry and ongoing oversight.

5. The major issue is quality implementation, without which we are unlikely to have a useful system. Without appropriate Governance and Operational Management armed with a quality Business Case, Meaningful Use implementation is unlikely to occur.

Can I once more ask for a receipt showing you have received the feedback please?

Best wishes
Juanita

--
Dr. Juanita Fernando
Academic Convenor BMedSc(Hons), Faculty of Medicine, Nursing and Health Sciences
Member of the global M8 Alliance
Ranked 33 and 36 in the world by Times Higher Education and QS for 2011
Chair, Health Sub-Committee, Australian Privacy Foundation
Fellow, Former Chair, Membership Sub-Committee (2009-2010) & former Council Member (2008-2010), Australasian College of Health Informatics
Electronic and Mobile Medical Education Research Group (EMMERG), Faculty of Medicine, Nursing & Health Sciences
Mobile Health Research Group, Faculties of Information Technology and Medicine, Nursing & Health Sciences
Mail: Room 221, Bld 15, Monash University Vic 3800
Phone: 990 58537
Fax: 990 58134
Email: juanita.fernando@med.monash.edu.au
Web page: https://users.monash.edu.au/~juanitaf/
CRICOS code: 001450K