Update on Personally Controlled Electronic Health Records - Legal and Privacy Issues
Monday 21 October 2013 / by Alison Choy Flannigan posted in Business, Corporate & Commercial Health Aged Care & Life Sciences Technology Law

As part of the 2010/11 Federal budget, the Government announced a $466.7 million investment over two years for a national Personally Controlled Electronic Health Record (PCEHR) system for all Australians who choose to register on-line, from 2012-2013. This initiative has the potential to be a revolutionary step for Australian health care, in terms of both consumer's access to their own health information and improvement in information which will be available to health professionals when they treat a patient.

To date, the uptake has been slow.  The National E-Health Transition Authority (NeHTA) scorecard as at July 2013:

  • The total number of people who registered for an eHealth record as at May 31 2013 was 612,391.
  • More than 4,502 healthcare provider organisations have signed onto the eHealth Record system.
  • 6567 individual doctors, nurses and other healthcare providers throughout Australia has been authorized by their organisations to access the PCEHR system;
  • More than 15.25 million documents have been uploaded into the PCEHR system.

Aims of PCEHR include:

  • Reduce risks in the health system;
  • Fewer patients will experience adverse events
  • Improve access to health records and thereby reduce medication errors.

Some key concepts are:

  • Individuals are able to choose whether or not to have a PCEHR and will be able to set their own access controls and may withdraw at any time.
  • The PCEHR will contain clinical documents such as Shared Health Summaries, Discharge Summaries, Event Summaries, Pathology Result Reports, Imaging Reports and Specialist Letters. It may also include key health information entered by the individual such as over-the-counter medicines and allergies and access information from Medicare Australia such as an individual's organ donor status, dispensed medications funded under the PBS, information about healthcare events from an individual's Medicare claiming history and a child's immunisation history. The PCEHR may also contain an individual's advance care directives (if any). The PCEHR is, however, not a comprehensive health record.
  • Healthcare organisations can choose to participate and will need a healthcare organisation identifier (HPI-O). They must agree to use appropriate authentication mechanisms to access the PCEHR and use software that has been conformance tested to be used with the PCEHR system.
  • Health information within the PCEHR system is protected through a combination of legislation, governance arrangements and security and technology measures, including under the Personally Controlled Electronic Health Records Act 2012 (Cth).

The PCEHR legislation imposes penalties for intentional or reckless unauthorized collection, use and disclosure of health information; Fines up to 120 penalty units for individuals (AUD$20,400); and x 5 penalties for bodies corporate AUD$102,000. One Commonwealth penalty unit is currently AUD$170.

There are a number of medico-legal and privacy issues which arise with the PCEHR. Some of these are summarised below:

Medico-legal
  • If a medical practitioner consults with a patient and is negligent in entering information onto the PCEHR, there are more clinicians relying upon it, so the potential for liability from a negligent assessment of a patient or negligently prepared medical record increases.
  • Health professionals must be mindful that the PCEHR is not a complete medical record and must continue to be vigilant in continuing to obtain independent information from patients. Information may be excluded from the PCEHR at the request of a patient and missing information is unlikely to be flagged.
  • If a medical practitioner has relied upon information on the PCEHR which is incorrect, then the medical practitioner will need to track the author of the original information to join as a cross-defendant.
  • If a patient instructs a medical practitioner not to include information on the PCEHR then the medical practitioner will be under an obligation to inform the patient the risks and consequences of this.
  • Direct access to a medical record may be denied if providing access would pose a serious threat to the life or health of any individual. In those cases, the patient is usually provided access through another medical practitioner. If consumer access requests are dealt with centrally, measures should be implemented to ensure that a clinical assessment is made in relation to whether or not a patient's request for access or information could pose a serious threat to the life or health of any individual. Arguably such information should not be included in the PCEHR.
  • Often a request for access can be an indicator of a potential claim which can be resolved quickly by the clinician by early discussions with the patients. There should be a mechanism so that relevant clinicians are informed if there is a potential claim early.
Privacy issues
There are also a number of privacy issues, including:
  • Obtaining adequate privacy consent from patients;
  • Ensuring that the systems can accurately implement the consent options of patients, such as limiting access or prohibiting access to the PCEHR to health professionals nominated by patients.
  • Ensuring that only information which is required to provide treatment for the patient is collected.
  • Privacy issues if the system involves a number of system vendors and subcontractors or cloud computing.
  • Uniformity of the usage of medical terms and abbreviations and clear handwriting is preferred to protect data quality.
  • Clear understanding of the information flows and potential for leakage of personal health information to unapproved persons or overseas.
  • Data security issues.
  • Patient and participating health professional identification and verification issues.
  • Education and training of participating health professionals.

This article is provided for general information purposes only and should not be relied upon as legal advice.


Recent Posts