THE girl was rushed to hospital with complications following an abortion. She begged staff to shield her from a relative working in the hospital who might tell her conservative Indian family.Staff put the girl in a different ward to where the relative, a nurse, was stationed, but failed to tell the girl she had the right to a “manual” admission, with her details kept in an old-fashioned paper file. Instead, her case was recorded on the hospital’s computer database. Here it was found by her relative, who was allegedly in the habit of trawling the system for familiar names.
The result, says New Zealand Privacy Commissioner Bruce Slane, was “a complete breakdown in family relations”. He tells the story to illustrate the sensitivity of health information and the sometimes devastating consequences of its improper release – as well as the ease with which health databases can be violated.
It is a New Zealand story, but it has implications for Australia. The computer revolution is about to hit your doctor’s surgery – and link it with your pathologist’s lab, your local hospital’s emergency room and even those discreet clinics where you might seek treatment following a less-than-discreet sexual encounter.
A Federal Government taskforce is investigating what form this country’s national “E-health” records system should take, and the Victorian and NSW governments have already launched pilot programs for cyberspace sharing of information between doctors and hospitals at a state level.
The information age has opened up Orwellian possibilities for the detailed tracking of individuals’ use of health-care services and the linking of all their medical encounters on one electronic health record (EHR). It could contain all the clinical information now recorded on paper: the symptoms that led you to seek a consultation, the doctor’s diagnosis and the treatment offered.
There are potentially great benefits. Patients should face fewer unnecessary repeat tests or medical accidents. Doctors would be able to get a complete patient history at the press of a button. Researchers could scan the experiences of millions of people to identify nationwide trends in illness and the effectiveness and safety of treatments. And governments hope to cut costs and better assess the performance of doctors and hospitals.
But computerisation raises big questions about how to mediate the sometimes competing goals of all these “stakeholders” in the health system.
Who decides what should and shouldn’t go on to an electronic record? How should privacy be protected, and to what degree must patients relinquish it to satisfy goals identified as being “the common good”? Should organisations collecting information patients reveal as part of their confidential health care encounters be able to use or sell it for profit?
Bureaucrats keen to contain costs and researchers hungry for mass data are among those who have pushed for a centralised database to which every Australian would be connected lifelong. Such a database would be overseen by the Health Insurance Commission, which administers Medicare and the Pharmaceutical Benefits Scheme.
The centralised model was supported by a 1998 report of the House of Representatives Standing Committee on Family and Community Affairs inquiry into health information management. It recommended that individuals carry health “smart cards” and that the medical details on the cards be backed up in a national data warehouse.
“Centralised” has since become the “C-word” of the debate because of concerns that it might arouse public alarm. Parties privy to discussions on the issue privately say there are still some in Canberra who want the centralised model. Publicly, however, stage proponents are talking now only of a system for linking multiple databases.
This means that your separate carers – GP, specialist, chemist, hospital – would each keep their own computerised file on you, but it would be possible for each to access material from the others electronically.
If you arrived in casualty unconscious, hospital staff could call up your GP’s notes to check on your history of blood-clotting problems or allergies to medication; if you needed a new prescription from your GP, he could call up your hospital records
to confirm that today’s prescription would not react adversely with medicine you were given last time you were admitted.
Theoretically, doctors would need your authorisation, and perhaps your smartcard, to do so, although they would probably have the right to override lack of permission in an emergency. And more sensitive information might be “masked” so that a higher level of access was required to read it. “There’s no need for the GP at the 24-hour clinic to know about the three abortions you had when you were 15,” says Dr Sandra Hacker.
Hacker is the AMA representative on the National Health Information Management Advisory Council, the organisation charged with assessing the options. Its Electronic Health Records Taskforce is due to report to health ministers on the issue in July.
Hacker says the AMA is opposed to a central warehouse because of privacy concerns, and she believes the public would be outraged by it. But while she thinks it an unlikely option, she cannot rule it out. “If that’s what the Government legislates, that’s what will happen.”
Patient advocates are not even reassured by the more moderate alternative of links between databases. “The effect (on privacy) may be much the same either way,” warns Meredith Carter, executive director of the Health Issues Centre.
Supporters of a comprehensive system, such as Dr Chris Kelman, a researcher with the National Centre for Epidemiology and Population Research, point out that computer systems containing sensitive information are already in use in banking and the military.
In an article he co-authored in the Medical Journal of Australia , it was suggested that an EHR could even be stored as a secure web page. He says, “The technology is capable of maintaining privacy. Look what’s happening with encryption.”
But if computer hackers can turn a NASA satellite in space, how safe is even the most highly encrypted health records system?
“Scary, isn’t it?” says Dr Sam Heard. Dr Heard, director of the general practice education and research unit at the Northern Territory clinical school of medicine, Flinders University, is not opposed to e-health. He has been working for 13 years on a project called the Good Electronic Health Record. He favors what he calls the “radical” model, where patients themselves would carry their record or choose a trusted third party to store it for them.
Databases worry him. “The more people have access (to a system) and the larger the database, the more valuable it is and the more at risk it is,” he says. “How many people would be using it at any one time? Imagine the security nightmare.”
Dr Heard warns that hackers can download from the Internet “Trojan horse” software that allows them to infiltrate a system and force it to spit out information. It is possible to make a system completely secure, he says, but that would also make it close to unusable.
A less sinister but equally worrying problem is internal computer glitches. Last year, several thousand Americans’ patient records were accidentally displayed on the Internet for two months. A gremlin in the database of the University of Michigan Medical Centre left records detailing treatments for specific medical conditions, employment status and social security numbers available to anyone tapping into the centre’s website.
While the debate about the security of the technology is important, patient-advocate Carter sees it as a secondary one. The real point is that “any system you build is going to rely on human beings to operate it, so you will always get human corruption and human error”.
Carter says the NSW Independent Commission against Corruption reported in 1992 that it had found “a widespread commercial trade in personal information, including Medicare data, between officers of government agencies and other institutions which should know better such as banks, insurance companies and debt collectors”.
Dr Heard worries about the potential for celebrities or even ordinary individuals who have aroused animosity to be targeted and blackmailed or humiliated by the exposure of their health history. “How much would knowledge that (a former prime minister) had cirrhosis of the liver due to alcohol be worth?” he says.
Violation of computer systems by government employees is still being reported. In February, a Queensland inquiry into the misuse of that state’s police database was told that more than 30 officers at one station had given individuals’ details to the station’s cleaner, who moonlighted as a debt collector.
In January, the Melbourne Magistrates Court was told that a customer service officer for the Health Insurance Commission, Mieng Tang, had used his position to access the Medicare histories and personal details of up to 90 people a day. Most were Asian women and women who had been on IVF treatment. His defence was that he had been “bored”.
Here was illustrated both the blessing and the curse of computerisation: Tang was able to flick through many more files than would have been possible if he was handling more cumbersome paper folders, but it was the audit trail of the computer system that detected his illicit access.
Carter points out that these audit trail safeguards were set up because the law requires it of databases held in the public system. But she says the private health sector, which will self-regulate privacy matters under legislation currently before Parliament, will not face the same stringency.
Lastly, there is the potential for deliberate privacy “breaches” for reasons that those controlling the data think justifiable. There was an outcry in 1987 when teenage girls were listed to testify about their under-age abortions in a court case against a disreputable Melbourne gynaecologist. “People said, `Forget the charges; what are you doing to these girls?”‘ Carter says.
In America, pharmaceutical companies have bought health insurance companies so that they can access patient records and direct market to both patients and doctors. Hacker says Australian doctors are now being approached by companies looking to buy their practices.
In Canada, the Privacy Commissioner, Bruce Phillips, reported that information technology also puts a great deal of power into the hands of public servants. He told of an Ontario woman who, supported by her doctor, sought breast reduction surgery to alleviate chronic pain in her back and shoulders. “The health bureaucrats responded by demanding photographs before agreeing to foot the bill,” Mr Phillips said.
On a bigger scale, the greater political acceptance of the role of market forces has led to widespread “data mining”, the sale of mass health information for commercial use. In Iceland, every citizen was tested so that their genetic makeup could be recorded on a DNA databank now managed by a commercial biotechnology company.
Medical data originally given by patients to Britain’s National Health Service in good faith is now under the control of organisations free to sell it to the highest bidder, according to Professor Stuart Horner, the 1998 chairman of the British Medical Association ethics committee.
And Australia’s Health Insurance Commission is already examining how best to sell “de-identified” material from the Medicare and PBS databases. “They are going to do whatever they can within the bounds of their political ability to exploit and mine that resource to get revenue,” says Stephen Millgate, executive director of the Australian Doctors’ Fund.
He says the HIC’s sales aims, expressed in its 1998-99 annual report, “are written in hard-core commercial language; it’s aggressive, it’s about customers and marketing and being competitive”.
Millgate is the greatest doomsayer in Australia’s EHR debate. He is convinced any model adopted by government will be a disaster because its goals will be administrative and budgetary rather than patient-focused. “And there will be no savings; the cost of putting up a system which is accurate is enormous. It will chew its own head off in costs in the first two or three years.
“There are some moral issues here too. Half the world doesn’t have basic health care, while we’re going to spend millions in Western democracies to know everything about everybody’s health. What groups will be unfunded so you and I can have a continuous record of every ache and pain?”
Millgate doubts promises that patients will remain free to choose whether to “opt in” to the system. “What you will find happening is that if you don’t `opt in’, you won’t get certain rebates. It’s quite easy for governments to say something’s not compulsory and then change the financial incentives to make it crazy for someone to resist it.”
A spokeswoman for the federal Health Minister, Dr Michael Wooldridge, says the Government knows that Australians are very protective of their health privacy and that any system would have to be voluntary, with information kept only in summary and patients having the right to edit their records. “If they didn’t want to admit that they were on a psychiatric drug, for instance, they could just take that off.”
While protecting privacy, this raises its own problems. A patient might suffer an adverse event because doctors acted on the assumption that the EHR was complete when, in fact, essential information had been left off it. Who is then legally responsible: the patient who requested the information withheld from the record, the doctor who agreed to withhold it, or the doctor who made a mistake because he was uninformed?
But accurate, accessible records could be invaluable for the chronically ill. Dr Wooldridge’s spokeswoman points out that almost a third of hospital admissions are of elderly people, and most of them have been made seriously ill by interactions between their many medicines.
It is these people that Hacker predicts will use and benefit from linked EHRs. But groups such as her own customers, psychiatric patients, are likely to avoid them, she says. Electronic records of therapy consultations accessible to anyone other than the treating doctor “could make psychiatry almost unworkable. I see politicians, judges, other doctors: they’re not going to want to reveal things to me if they think others will see it”.
Slane, New Zealand’s privacy advocate, is concerned that systems in that country have too often been set up to spread an unjustifiably wide net over patients whose views have not been taken on board. “It seems to be assumed that having people’s health information is a jolly good thing and a use will be found for it sometime in the future … with public opinion a risk to be managed later,” he says.
This ignores the central issue. “The essence of privacy is respecting what other people think is important to them as private, rather than us saying what the values are and that they should apply to everyone always.”
Health Records: The upside
While away on work, Mr Smith, a truck driver, sees a GP. He complains of severe headaches and asks for strong pain relief. What the doctor sees is an unkempt man from out of town requesting a drug of addiction. With Mr Smith’s permission, the GP calls up his medications history to check that Mr Smith has not been misusing prescribed painkillers. He hasn’t.
But a prompt pops up on the screen telling the doctor that the national adverse events register has recently detected an interaction between two drugs Mr Smith is taking for other conditions. Surveillance of the national health records system had found that people taking both often suffered hypertension and severe headaches. The GP prescribes alternative medication for Mr Smith.
– An imaginary scenario from “An integrated electronic health record and information system for Australia?” Medical Journal of Australia.
Health Records: The downside
At the height of Western Australia’s abortion law row in 1997, a woman who had suffered several traumatic childbirths and miscarriages, followed by a severe stroke, found herself pregnant again. Her husband’s vasectomy had failed. She feared another difficult pregnancy might kill her and booked a termination.
The following day, an elderly man phoned and asked for her by her full title, including her middle name. He told her he knew she was due for a termination and sterilisation at the hospital concerned, and that she would rot in hell. More abusive calls followed and a poem “written” by an aborted child to its mother was hand-delivered to her home. An investigation failed to discover how her details were accessed and leaked, although it noted that a staff member had phoned an anti-abortion group from the hospital during the relevant time-frame.
First published in The Sunday Age.