CLAIRE: Welcome to today's webinar, part of our Practice Technology and Management Team’s Health Webinar Series, Medico-Legal Concerns and My Health Record. My name is Claire Pearson and I'm the Project Administrator for the RACGP Practice Technology and Management Team, and I'll be your host for today. Today we're joined by Dr Nathan Pinskier and Sophie Pennington who will deliver the presentation for you today.
So, a little bit more about our hosts, Dr Nathan Pinskier is a Melbourne-based GP with a long‑standing involvement in digital health and practice management. He is a co-owner of the Melbourne-based group of general practice, Medi seven. Nathan is also a board member of Peninsula Health, where he chairs the Quality and Safety Committee and is an adviser to the Australian Digital Health Agency for Secure Messaging and Interoperability. Nathan is the Medical Director of the DoctorDoctor locum medical service in Melbourne, and the President of the General Practice Deputising Association. He recently completed his term as Chair of the RACGP Expert Committee for eHealth and Practice Systems, where he oversaw the My Health Record GP Awareness Program.
And Sophie Pennington… Sophie Pennington specialises in health law, and she's a partner with HWL Ebsworth Lawyers. She is acting predominantly for medical practitioners, through their medical defence organisations, and private hospitals. Sophie assists doctors with civil claims, disciplinary matters, coronial inquests, employment disputes, and some criminal matters. She assists hospitals with similar disputes, and also advises on policy issues. Sophie is passionate about health law and believes it’s imperative to find a balance between acknowledging the tremendous work done by health professionals in Australia with the need to ensure patient safety. And prior to returning to private practice, Sophie was the Head of Medical Defence and Service for Australia's largest medical defence organisation.
So, thank you Nathan and Sophie for joining us today, and just to let you know listening today… it is going to run a little bit differently as we'll be broadcasting Nathan and Sophie live in our head office in Melbourne today, and you'll be seeing them via a webcam. So, Nathan, Sophie, and myself, and the RACGP, we would like to thank everyone today for taking time out of your busy schedules to participate in our webinar. And before I begin I would like to make an acknowledgement to country. I would like to begin by acknowledging the traditional owners of the land that we are meeting on here today, and to pay my respect to their elders, past, present, and emerging. Okay and with that I'm actually going to pass over the presentation to Nathan and Sophie. I'll just get their camera up and you'll be able to see them here live.
NATHAN: Thanks, Claire. Hi, Sophie, welcome.
SOPHIE: Thanks, Nathan, lovely to be here.
NATHAN: Yeah, we had a number of workshops last year, we did together, and they were really informative.
SOPHIE: Mm, they were.
NATHAN: It was a really good opportunity to discuss where My Health Record was, and how it was evolving…
SOPHIE: Mm.
NATHAN: …and it was certainly a very interesting period, with the change in the legislation foreshadowed, and it eventually went through the Parliament.
SOPHIE: Mm.
NATHAN: There were lots of medico-legal questions, and it’s fantastic to have you present to be able to assist and advise and provide some guidance. So, today's webinar, which is exciting because it's actually in a face-to-face format…
SOPHIE: Mm.
NATHAN: …provides us with an opportunity to explore some of those issues in a bit more detail, and we'll have time at the end to take some questions from the college members, and hopefully be able to answer those questions. If we can't answer all the questions, don't worry, the team will capture the questions and we'll respond either through the webinar directly, or face-to-face, or we'll send back information through our Frequently Asked Questions after the webinar.
So, the learning outcomes from today's session are to understand the medico-legal risks and benefits of participating in My Health Record as a healthcare provider; describe the medico-legal requirements for participating in My Health Record as a healthcare provider; identify scenarios where a system, such as My Health Record, may have benefited a healthcare consumer; and to be able to make an informed decision regarding participation in My Health Record.
So, most of you would be fairly well aware of what My Health Record is, but just to summarise the My Health Record system is a national system that aggregates healthcare information about a healthcare recipient, from various source systems, for the purpose of providing healthcare to a healthcare individual, or consumer, a patient, a recipient, any words that you like that make sense in your context. It's a record that is controlled by the individual consumer, or their authorised representative, and we'll go into some more detail about authorised representatives a little bit later on. Access is granted to a healthcare provider organisation involved in the care of the recipient who has a My Health Record, and we'll talk about standing consent a little bit later on. Today we’ll be essentially focusing on the medico-legal implications of My Health Record. We’ll not be discussing the technical processes associated with registration because most of you should have hopefully gone through that process, or if you haven't you can find training tools and software simulations on the Digital Health Agency's website, and through other provider support organisations.
So, Sophie, let's kick off and talk about… what is… we talk about collection, use, and disclosure, so in other words who's actually allowed to access, legally access and see the information within a My Health Record.
SOPHIE: Well, you and I have discussed this before Nathan, that really, it's much the same as it's always been. So, the information in My Health Record, health information, can be accessed by health providers for the purpose of them providing healthcare. So, if you're a GP and you're providing healthcare to your patient, your patient comes in sits down, much the way they normally would in a consultation, you can access My Health Record to provide them with healthcare. In the same way as you'd open their paper record, when you had paper records before, if you're providing them with healthcare, if you're treating them, you can access My Health Record.
NATHAN: So, a common question that providers ask is do I need to obtain consent from the individual.
SOPHIE: No you don't. So, there's a standing consent model in My Health Record. So, you don't need to ask the patient for consent, much the same way as when a patient comes in and sits down, currently the GP doesn't ask for consent to pull up their record on Best Practice, Medical Director, or a paper file, it's implied consent.
NATHAN: Okay, or also what's known as standing consent.
SOPHIE: It’s standing consent. So, it's a given that a patient who has a My Health Record has consented to medical practitioners, who are treating them or providing them with healthcare, with accessing that record for that purpose.
NATHAN: So, that's primary purpose?
SOPHIE: That's the primary purpose.
NATHAN: And then there's a concept known as secondary purpose.
SOPHIE: Secondary purpose. So, a secondary purpose is in every other situation. So, where you're not… the primary purpose isn't providing healthcare, there are some exceptions to when you can actually also access that information and use that information. I’ll give the first example as where the patient consents, so, it's not for the purpose of providing them with healthcare. An example might be where you want to use the details in My Health Record to send them some marketing information and if they consent then that's fine. You're not providing them with healthcare but they've consented. Then there're some other exceptions which essentially mirror the current position at law, in fact if anything under My Health Record they're a little bit more stringent. So, for example, if there's a threat to an individual you can actually disclose that information. There's some circumstances around that though, if it's… if you can't get the patient's consent, or it would be impractical to get their consent, you have to notify the agency, and you have to disclose that information within five days of notifying the agency. That's if there's a serious threat to an individual. If there's a threat to the public, you don't need to notify the agency but you can again, make that disclosure, but it has to be a serious threat to the public. So, if you have information, contained in a patient's My Health Record, that could assist and you think there is a serious threat you can disclose that. It might be the address of a patient. So, in the first example if you're concerned about a patient who may be suicidal you can disclose information in My Health Record, for example their address to give that to the police so the police can go and assist them. That would be an extreme situation where that would be permitted.
NATHAN: So, what about disclosure to courts and government agencies? There was a lot of controversy about this late last year.
SOPHIE: There was a lot of controversy about that, and the Australian Digital Health Agency has made it clear initially that it actually hasn't disclosed any information to government agencies, but because of the concern, and you spoke about the legislative reform, it's now the case that it's legislated that they cannot provide information to the government agency without a court order, and they won't do so. There's some circumstances where they can provide some information to some people, for the purpose… but very limited, for the purpose of that. Whether it's an agency or governmental department actually seeking the court order, you can potentially… the Digital Health Agency can potentially disclose enough information so the agency can determine what patient, in respect of whom they need to seek the order, but otherwise it's only with a court order. So, that's a lot more stringent than the current position, say for example, in Victoria under the Health Records Act.
NATHAN: Sure, so what about indemnity insurers? I'm applying to have my insurance as a healthcare provider renewed, or there's a matter at hand.
SOPHIE: Yes, and that's the current position, at least in Victoria, and it's mirrored in most of the states, but under My Health Record you can access My Health Record for the purposes, effectively, of anything to do with your professional indemnity insurance, and it’s slightly clunky wording, but what it means is if a patient makes a complaint against you, Nathan, in respect of treatment you provide…
NATHAN: Oh, no, never, never. (LAUGHS)
SOPHIE: …this is hypothetical only, and you need to respond to that, and there's information in My Health Record about that particular treatment episode, then you can go into My Health Record, for that purpose of responding to the complaint. It's not technically providing healthcare, but it is one of the exceptions where you need access to that information to respond to the complaint. Which is part of something to do with your professional indemnity insurance.
NATHAN: Okay, so that's fairly clear. So, there's a primary requirement…
SOPHIE: Yes, that’s right.
NATHAN: …and there's a secondary requirement. The primary’s fairly straight forward, standing consent applies…
SOPHIE: Yes, that’s right. Yes.
NATHAN: …and secondary, there's a whole lot of regulations that limit the usage or access by other organisations.
SOPHIE: Mm-hm. Exactly, exactly.
NATHAN: Okay. So, you mentioned… you mentioned the healthcare recipient’s consent, so we've talked about standing consent, is there anything else in the consent that we should be aware of when an individual signs up for a My Health Record?
SOPHIE: Um, there's a number of things… I guess probably the key thing is to understand that this is a personally controlled electronic health record. So, a patient might authorise you to look at their record, you… so they can control who sees the record, which healthcare providers see the record, and what they actually see within that record. So… and we'll discuss this a little bit later on, but just being mindful that being given access to My Health Record for a patient doesn't necessarily mean that you're given access to see everything that's in My Health Record. The patient may have put controls on what you can see, or on what other practitioners can see, it… they might have put controls on all documents, or just some categories of documents.
NATHAN: So, again this has been a fairly controversial area. What healthcare providers say is that if My Health Record has controls, if consumers can remove documents, or mask documents, when I access the record why aren't I told that there are documents that are hidden.
SOPHIE: Mm. Mm. It's a concern that a lot of practitioners have expressed. I think we use the example previously, if a patient currently, or before January comes to see you, they… and you're their GP, and they turn up to see you, they decide what information they give you. So, they may have pathology results that are relevant, but they don’t have to tell you. They don’t have to tell you that they've been to three other GPs who’ve told them to quit smoking. They don't have to tell you that they're a smoker. It's much the same thing, they get to control what you see because it's their own record. It does create some limitations and there is an argument perhaps to say it would be helpful if the system said, for example, you go into Joe Bloggs' My Health Record and there's a notation to say some documents are redacted, or pathology results are redacted, so you have an idea as to what's been removed, or what you can't see, but again it's the patient's record, much the same way as they control the information they give you verbally, and it's just being mindful of the fact that it may not be the full record. I also think the circumstances, given the volume of people signed up, it's going to be quite limited circumstances where a patient will go in and change the controls, and have certain things they want redacted. I think patients aren't quite as concerned about that as perhaps we think they are.
NATHAN: So, I understand under the initial privacy impact assessments the Privacy Commissioner’s advice was that if there was a lock placed on My Health Record saying there's something behind here, additional information but you can't see it, that creates a potential privacy concern?
SOPHIE: It could be, that in and of itself could be a breach of privacy. So, if, for example, there's pathology results that the patient doesn't want seen, and the system was set up so it said pathology, and it was redacted, that in and of itself, if the patient doesn't want that there, the fact that they've had pathology tests done, disclosing that would be a breach of privacy.
NATHAN: So, we're living in a world where the record is consumer controlled…
SOPHIE: Yes. Yes. Mm-hm. Mm.
NATHAN: …the consumer has a right to either opt into the system or opt out of the system, and now the change in legislation in fact allows the consumer to opt in or opt out, which gives consumers substantial control, but it's not a clinical record in terms of that it's not controlled by clinicians.
SOPHIE: That's right. Mm. Mm. Mm.
NATHAN: Again that's probably a more of a clinical question, but in terms of the overall participation, 90% of Australians have chosen to participate in the system. Does that surprise you as being about the right number? Would have you expected it to be higher or lower, given all the privacy concerns that were raised?
SOPHIE: Look, I probably would have expected it to be slightly lower, given the privacy concerns, but I also hope that it will actually be slightly… it'll grow, because I think, perhaps those primary concerns have been mitigated over the last couple of months, with some of this legislative change, and then more education that's out there about really this is nothing more than the status quo that we have at the moment, and in fact if anything it's a helpful tool both for patients and for practitioners, I suspect from your point of view, did you think that was a sort of a reasonable number, or were you expecting more? Mm… (SOPHIE CONTINUES TO MURMUR AGREEMENT WITH NATHAN)
NATHAN: Oh yeah, look it was interesting going through the debate over the past 12-13 years, and I go back to 2008 when the Healthcare Identifier Legislation was introduced. There were quite specific concerns raised by the privacy lobby at that time, and there was a possibility that the actual individual healthcare identifiers were never going to be developed, the whole health identifier system. People were concerned about having a national number, which again is not something that is an issue in many other countries where you get numbers issued at birth. So, we've gone through this whole era of the access card, the Australia Card. The Healthcare Identifier Legislation was passed, and it was essentially a number that conferred no rights or entitlements, wasn't attached to any information, and that was mandated. Then we had this whole debate about My Health Record and whether it was going to opt-in, opt-out, or whatever. So, I think that the fact we got the 90% is probably a reasonable outcome. I think I agree with you, over time if we can demonstrate the value proposition, the use cases, the improvements in healthcare service delivery, and I would expect that number to increase over time. I think the important thing to know is consumers cannot change clinical information. They can choose to be in the system, not be in the system, hide a document, remove a document, but they can't change the provenance of information within the system.
SOPHIE: And I think that should give practitioners a lot of comfort. So, I think there's concerns that if it's personally controlled, and you can hide things, does that mean they do actually get to… patients do actually get to, you know, amend the information, and it's much the same as it is now, under the Health Records Act here, you can request that the information be changed, if you think that it's wrong, but a practitioner doesn't have to change it if they maintain that it's right, and the most you have to do is put a note to say the patient has said that they disagree with this but I maintain that it’s what it is. So, I think we can all take comfort in the fact that whatever is in the record, and I think in most cases it will be the full record, is at least an accurate reflection of the clinical history.
NATHAN: So, accurate at the time it was generated.
SOPHIE: Exactly.
NATHAN: So, in terms of standing consent, given that the model is around, is based on standing consent, so what does unauthorised access look like, and what type of legal penalties does the legislation allow for, or other components of other legislation such as the Privacy Act, what happens if you go wrong, something goes wrong, there's a breach?
SOPHIE: So, the penalties are really severe, and I think that since the amendments came there were penalties before, I think it was in November when the legislation was amended, but they've been strengthened considerably, and I think that was really because there was so much concern about privacy breaches, and so they've been… the penalties are extremely high. So, it's actually a criminal offense and a civil offense to access a My Health Record when you're unauthorised to do so. So, that would be five years imprisonment or $25,000 or both for the criminal penalty, you can have both of those provisions, or for a civil penalty there’s fines between $21,000 and $315,000. I think that's… they’re high. They're very high, and I think those fines would only be imposed in the most egregious circumstances. Generally speaking, privacy breaches aren't intentional, so it will be someone accidentally accessing the wrong record, it will be where a practice has got a system in place where they authorise practice nurses, or someone who's not the doctor, to look at the record and they inadvertently go in and print the wrong records. They're not intentionally going in to misuse a patient's information, or thinking that they can look at information when they're actually not providing healthcare, not understanding getting the patient's consent in those circumstances, then there's a couple of absolute outliers, where it's intentional. So, you've got cases where you… I've had a couple, say for example, where a work experience student has access to an electronic system, Best Practice, and this wouldn't happen so much today, I think, if you're implementing My Health Record in your practice, and you can talk about this in a minute, but you’ll have a fairly robust training procedure and won't, you know, you'll have controls around access, but a work experience student going in, looking up information, finding friends, teachers, relatives, posting that information on Facebook. 
There's been a couple of circumstances like that. They’re very very rare. There was recently a case, in the tribunal in New South Wales, of a nurse who was working in a hospital as a locum, went on, found that a couple of patients at the hospital were also parties to litigation he was involved in. He accessed their records, they were not patients of his in the hospital, and he used information that was personal to them, including the fact some of them had been drugs tested, to give his lawyers for use in the litigation. So, he was suspended for six months, which is a very severe penalty. I think the fact that the fines are so high has caused some concern amongst practitioners but, generally speaking, the agency's view is that if there's an unauthorised access it's likely to be unintentional, and their view is that they will just remind people of their obligations, and don't forget it's… with civil penalties, at least, there has to be some damage that’s suffered. So, if someone inadvertently looks at a record because it was patient A instead of patient B and then they closed the record, it's unauthorised access, but there's been no harm in the sense that it hasn't been disclosed broadly, and you don't have to tell the patient when you do that, you do have to tell the agency. Under the current legislation you'd have to tell the patient, under the Health Records Act in Victoria, most patients would say, “That’s fine.”
NATHAN: Right, so we're dealing with a situation of unintentional access…
SOPHIE: Mm. That’s right. Exactly. Mm. (SOPHIE CONTINUES TO AGREE WITH NATHAN)
NATHAN: …which may happen from time to time. Things go wrong, we identify the wrong patient. You've got two Jenny Smiths in your practice, you select the wrong one, you look at the My Health Record you realise it’s the wrong one, that Jenny Smith hasn't been in your practice for five years, so information appears in her audit trail, and at some point in the future she sees that, and you get a letter then with a please explain.
SOPHIE: Yes. Yes. (SOPHIE CONTINUES TO AGREE WITH NATHAN)
NATHAN: So, that one's understandable, manageable, versus deliberate or nefarious. So, you mentioned, for example, the work experience student, or the medical student that might be in your practice, who doesn't actually have access to your system, but your practice processes that when someone logs on, a doctor logs on, there are no screensavers, the password allows them to stay logged on for the whole day, forever maybe, who knows, and the work experience student is maybe even told to use that doctor's login, that happens, or that healthcare professional's logon, that certainly happens in some practices, so that is potentially an issue because you’ve now created an opening, an opportunity…
SOPHIE: Exactly, exactly. And it is much the same as, you know I work in a law firm, you work in general practice. If you're seeing a patient and then you're finished seeing the patient you don't leave… so 20 years ago you’re dealing with paper records, you wouldn't leave that patient's file on the reception desk open. Much the same as I wouldn't leave my files with my doctors’ names and patients’ names on my desk open, the cleaner might look at it, it’s the same thing. You close it, you take care of the information, it’s much the same way you would. It’s stored electronically now, used to be stored on paper, some of it’s in My Health Record, some of it’s in Best Practice, none of those different, you take care of the information to protect it as best you can. And so the same thing is… you would have to ensure, and it's not difficult with the software that's available now, and the training that's available now, to make sure that you've got robust procedures. And most practices now do not authorise any work experience students to have access to any medical… there's no need for them to have access to medical records. Practice nurses, yes, but you just make sure you have authorised controls, and you have your own audit trail as well, and make sure that your doctors are adhering to those sorts of controls, and policies, and procedures, so that there can be no unauthorised access.
NATHAN: So, if you follow the principles of good data protection…
SOPHIE: Yes.
NATHAN: …the same principles, irrespective of whether you have a My Health Record access or not, then again you should be reasonably well protected.
SOPHIE: Absolutely, absolutely.
NATHAN: And in terms of the fines, who are the fines levied at, are they at the individual or the organisation, because it’s the organisation who’s granted access to the My Health Record system, that's the registered entity, not the individual.
SOPHIE: Yes, yes. So, I think it depends, well you can probably answer that better than I can, to be honest, but there's… also don't forget this fines here, but there's also fines which are personal under the Health Records Act and under the privacy legislation as well, but there's a criminal offense, and then there's just civil penalty fines. And I think they can probably be either, but you can probably answer that better than I can.
NATHAN: Yeah, so the primary obligation's with the organisation but it can devolve down to the individual.
SOPHIE: It can. So, but because, as you say, because the organisation is the one which actually has the… is the provider and has the number, but it can be both, and I guess part of that will then depend, as well, on whether or not the individual was acting well outside the scope of their authority that the organisation has given them, then it might devolve down to the individual.
NATHAN: Okay, so, I think that's a reasonably good conversation, and we’ll provide additional guidance, found through the frequently asked questions, so just watch out for those.
So, the other big topic that's come up frequently is My Health Record exists, it's something that I know nothing about, I may actually not want to know anything about it. I have a great record system, I have my own regular patients and I have great notes in my system, everything works for me. All of a sudden this newfangled toy appears with a flashing light that says, “My Health Record, My Health Record”. I'm really busy, I'm already overworked, I can't cope with the workload I’ve got, what obligations do I have to access My Health Record?
SOPHIE: I think… so there's no obligation to access My Health Record. There's nothing in the legislation that says as a general practitioner, or a health practitioner, you have to access My Health Record. I think it really comes back to what is your role in treating your patients, and so, you know, I guess it's the peer professional test as well, but as a GP, in a lot of circumstances, unless you're doing locum work, for example, you probably have the least need for My Health Record out of anyone else practicing in the health profession. So, you generally have time, you have the patient in front of you, and you have a history, too.
NATHAN: So, regular patient, regular provider…
SOPHIE: Regular patient, regular provider, I can see that a lot of GPs, and a lot have said to me, I've seen this… all of my patients I've had 15-20 years, families, children, grandchildren, there is no need for me to have this, and that may well be true, but then think about other people who are providing healthcare. So, you've got a patient, Mrs X, and she’s 80 and you've seen her for 30 years, you know everything about her, but if she goes to the Emergency Department at the Alfred because something happens and you haven't completed information in My Health Record, she’s got a My Health Record there, but you haven't uploaded a clinical summary, that could put her healthcare at risk, potentially, it might be a disadvantage to her because people at the Alfred don't have the same information that you have.
NATHAN: So, let me give you an example which works in my after-hours world…
SOPHIE: Mm. Mm-hm. Mm. Yes. (SOPHIE CONTINUES AGREEING WITH NATHAN)
NATHAN: One of our after-hours doctors is called to see someone at 11-12 o'clock at night, 80-year-old person who’s a bit confused, Webster pack spilt on the floor, lives alone, was previously well, but you know unable to give you a coherent history, what is the obligation of that after-hours doctor, knowing that My Health Record exists, and having the capability to access My Health Record, is there an absolute requirement, is it something that's currently recommended, potentially recommended, or is something, a must do?
SOPHIE: So, it's not a must do… it's not a must do, but the first thing I would say is if you're a locum doctor in that position, My Health Record would be a godsend, because it would be somewhere you could turn and potentially get relevant information immediately. Secondly, it's going to come to a stage, I think, where, it's a bit like electronic records now, if everybody’s using them, and there's potentially valuable information in there, by making a decision, and if we think now of 90% of people actually having a My Health Record, whether it’s active or not, by making a decision to not look at that information, is that providing an appropriate standard of care? Bearing in mind, that if you think of what’s in My Health Record, which is really a short but hopefully quite pertinent summary of the key issues pertaining to the patient, the question might be, not that you're mandated to look at it by the legislation, but the question might be well this existed, you knew it existed, it's only a couple of minutes to look at it, and it could contain key information, yet you didn't, is that reasonable? I would think it's really not so much about convincing doctors that they should but for doctors to understand that this actually could be really helpful. I know a lot will say, “Well, is it really helpful if it's not the complete record?”, but in most cases I presume it probably will be, it's a short period of time to look at it, because it's not a lengthy extensive record, and it could contain some really key information, and again it's not so much about you as the regular GP but as the locum GP, as the Ambulance Service, as the Emergency Department, as the doctor who's looking after a patient interstate, having an up-to-date My Health Record, that’s been completed by your GP, can be really invaluable.
NATHAN: So, My Health Record works on a principle that individual healthcare providers provide information, which may be of benefit at a future point in time…
SOPHIE: Yes.
NATHAN: …for another healthcare provider.
SOPHIE: Exactly, exactly.
NATHAN: Okay, so let's say over time as the system matures and lots of healthcare providers are accessing the record and finding benefit because it's additional information they didn't otherwise obtain through their normal communication channels, but the system grows and, let’s say, it's hard to find information over time.
SOPHIE: Mm. (SOPHIE CONTINUES TO AGREE WITH NATHAN)
NATHAN: I've looked at it, I’ve spent 5-10 minutes trying to find something, I couldn't find it, what happens then? Am I at risk because I didn't see something that was there? What's my defence under those circumstances?
SOPHIE: It's really, like… it's really like anything now, it's whether it's reasonable. So, if you if your defence is, “Well, I've looked at My Health Record over the course of two years, it's clunky, I can’t… it’s got old information in it, the information’s unwieldy, then… and I didn't look at it for that reason because I find it unhelpful, then there might be, or that ostensibly would be, a number of people in the same position, if that’s how the system ultimately works, and so your peers, technically would be, assisting you in a defence to say, “Well, we don't look at it either because it's fairly useless.” But if the majority of people, majority of GPs are using it and finding it to be helpful, and you say, “Well, I looked at it once and it was no good so I never looked at it again”, that might not be reasonable. If a significant number aren't using it, because they're finding it unhelpful, then that will be fine, arguably, but, again, if most people are finding it useful then I think there will become a point where not using it will be potentially exposing yourself to some risk, and it's really no different to the transition between paper records and electronic records, when a lot of practitioners, quite recently said, “I'm really used to this, I'm familiar with this, I'm nervous about technology.” Whereas now, are you providing the best healthcare when you actually can’t plug it in to all of this electronic transmission? Getting pathology results online, having the beautiful recall systems in place that come through your software, now there's very few practices using paper records, and if things were to go wrong there might be a question as to why they hadn't transferred to a system that's actually better and safer.
NATHAN: So, suddenly amongst my colleagues in general practice the figures 98-100% of GPs are using clinical systems…
SOPHIE: Yes. Yes.
NATHAN: …and would be unlikely to go back. Not sure about the specialist world, or the allied health provider world, I think that figure’s a lot lower…
SOPHIE: Yes, a lot lower, a lot lower. Yes.
NATHAN: …from what I understand, and there's probably some work to be done in that space.
All right, well let's get on and move on then to some of the other controversial areas. So, late last year we had quite a big discussion around minors, mature minors, or 14-18 year olds, and there were some different perspectives enunciated. The legislation was changed, as a result of the significant concerns raised by people in that space, of working with 14 to under 18 year olds.
SOPHIE: Yes, yes.
NATHAN: So, just can you just outline what those changes were, and what the potential benefits were, and how it works today?
SOPHIE: Okay, so there's a couple of provisions. So, the first is looking at healthcare recipients who are aged under the age of 14, and a person who has parental responsibility, which is defined in various pieces of legislation, predominantly in the Family Law Act, and it generally means a parent, both parents, can access My Health Record for the child, they actually have control of the My Health Record for the child, the child under the age of 14, and they're the authorised representative. That's no different to the current provisions under the Health Records Act, and other legislation in states and territories, that if you're a parent, and in fact it's not defined as a particular age under the legislation in the other legislation, other than My Health Record, you have a prima facie right to access your child's health information. There's now a provision for, so that's for under 14, there's now a provision in My Health Record that deals with children aged between 14 and 17, and effectively between that period, that three-year period, the My Health Record becomes dormant for those children. There's been a number of reasons for that, some pertain to concerns about access, a parent accessing information, and there might be a case of domestic violence, and the child might be living with one parent and not the other, the difference here I think that's important to point out, is where you have My Health Record now and it can be accessed by a parent, it's immediate, the previous situation of accessing a child's health information it always went through the GP. So, the GP, often familiar with both parent and the situation of the children, and might, if there was a case of concern about family violence, the GP might be able to refuse access to one or either of the parents because they were aware of that. 
The concern arose, “Well, if it's My Health Record and there's this blanket access, there's no GP or anyone coming in to stop that access, so what do we do?” And they say we’ll just have it dormant for those years, between 14 to 17. Now, during that period, a child between 14 and 17 can actually nominate either themselves or their parents to be an authorised representative, but otherwise information stops uploading for that period. So, the Medicare information, PBS information, immunisation information will stop. And… a parent can also make an application if their child doesn't have the capacity to make that decision for themselves, so either if they're not a mature minor, or if they have an intellectual disability, a parent can make the application and give reasons to the agency for that. So, I think it's… that should give a comfort to parents, who were concerned about… and to children between that age, and to practitioners about, “Well, what am I going to put in this record if I'm not sure who can see it”, and if the parents can still see it, at this sort of critical age, where you have 14 to 17 some might be mature minors and some might not.
NATHAN: So, the critical change that has occurred is that between 14 and under 18…
SOPHIE: Yes. No longer have access.
NATHAN: …the parents can no… have no longer authorised access to the My Health Record, and that change has now occurred.
SOPHIE: That’s right. Yes. Yes. Yes.
NATHAN: A child, at the age of 14, can take control, upon production of valid evidence of identity, and information will then start to flow again…
SOPHIE: Yes, that’s right. Yes.
NATHAN: …back up to the record. So, that's a critical change, and also there's… there's also change in terms of custodial versus non-custodial parents.
SOPHIE: Yes, yes. So, a noncustodial parent doesn't have access, a custodial parent does. There was some concerns in relation to… parties can have parental responsibility but being warring parents and there may not have been any orders made about who's got custody, and even if you… under the… before My Health Record, even if you don't have custody you still have parental responsibility, under the law, so you could be accessing that information, and that was causing some concerns because, if you don't have custody there could be a question about a reason that you don't have… a parent doesn't have custody, and there was there was no provision to stop that person having access to medical records, except the GP being the one that had to intervene and say there's a reason here. Whereas, now a non-custodial parent, there's limitations on access there as well.
NATHAN: Okay, and what about where there's a risk to the child, or a risk to the health and well-being of an individual, what steps can be taken then?
SOPHIE: So, I think that's where the Digital Health Agency can… you have to remind me of that one… but the parent can approach the Digital Health Agency and ask for action to be taken, and that's, I think, to counter the fact that sometimes the family court proceedings, that might make orders with respect to custody, can be slow and, it could be six months, and steps need to be taken immediately so a parent, or somebody else, arguably, can approach the Digital Health Agency and ask them to intervene and put certain blocks on the record.
NATHAN: And the agency has authority to make changes without actually notifying that authoriser of the individual.
SOPHIE: Without notifying the authoriser, because the concern was that if you make a change you have to notify the authorised representative, and if you're notifying a parent that you're not giving them access that obviously defeats the purpose of trying to… deal with a difficult situation.
NATHAN: So, most people would have thought that this was quite a positive change, because it helps stop a potential abuser from exploiting their parental access rights…
SOPHIE: Yes.
NATHAN: …or they can… they’re using My Health Record to obtain other information, demographic information such as addresses or…
SOPHIE: Yes, that was the main concern.
NATHAN: …other identifying information. So… so, I think they were positive changes. There were a few people who are concerned as parents, and I understand this, that as a parent that’s got a 14-18 year old child all of a sudden you're losing access to their healthcare information and you're the person that pays the bills, they live under your roof, so it’s a complex area.
SOPHIE: It is, but don't forget they're losing access to information contained in My Health Record, so they can still ring the GP and say I want health information for my child, which would be the information contained in the medical record…
NATHAN: And the GP makes a determination…
SOPHIE: …and the GP makes a determination, as they do now, as to whether that's appropriate, whether the child's a mature minor or not, whether the child can or can't consent. So, the GP may make a decision that a child who's 16 is still not a mature minor and the parent can have access to that information. So, there was a lot of concern about parental access to information and this strengthening law has ameliorated some of those concerns, but the concern is actually real and existing, as it stands now, with respect to children's information, because it's a very hard area to legislate. You can't serve… so the minute a child doesn't reside with one parent, the other parent automatically shouldn't have access, because now often that's not the case, so it's actually much tighter under My Health Record than it is… it does not stop a parent still ringing up and saying, “Well, I want the health record for my child”, and under the current legislation the GP really ought to provide that, unless there's a reason that they can't.
NATHAN: So, they were some of the major changes that occurred, but some of the other areas that were tightened were around private health insurers, employers…
SOPHIE: Yes.
NATHAN: …other government agencies having access…
SOPHIE: Yes, so I was hoping that you might be able to elaborate on some of those for us as well.
NATHAN: Sure. So, private health insurance, insurers, can no longer ask for access, an individual may choose to provide that information, but they can't mandatorily ask that as part of assessing your insurance claim or making an application for insurance.
SOPHIE: For insurance, that’s right. Yes. (SOPHIE CONTINUES AGREEING WITH NATHAN)
NATHAN: And the same, employers have no rights to access, again this was a fairly big issue. The unions started raising this as an issue, saying, “Oh, this might prejudice our workers, our members.” So, that's a very specific change, again an employer cannot ask a healthcare provider to provide access through My Health Record.
SOPHIE: That’s exactly right.
NATHAN: Now again, the individual may choose to provide…
SOPHIE: The individual can, but employers and insurers they can't ask for the information. The healthcare provider can't provide it, even with the patient's consent. The patient themselves can provide it, but even if I say to my doctor, “If my employer calls I'm happy for you to release everything in My Health Record”, they still can't do it. That's how tight the safeguard is. I can actually do it myself but I can't authorise you to release my information to anybody else that's an employer or an insurer.
NATHAN: So, that makes it a lot clearer, around what the primary purpose is. Yes.
SOPHIE: A lot clearer, and it makes it easier for doctors…
NATHAN: Absolutely.
SOPHIE: …as well, to say, “Okay, well I just can't… I just can't do that.”
But what about monitoring all of this, Nathan? How do practices best go about monitoring and implementing controls to make sure that, first that doctors understand what they can and can't do, and they're aware if there's any breaches?
NATHAN: Yeah, so again, it's kind of a change in your thinking, in terms of how you manage and oversee your practices, around the good governance, and…
SOPHIE: Mm. (SOPHIE CONTINUES TO AGREE WITH NATHAN)
NATHAN: …it's a challenge in smaller organisations, it's easier when you've got a large big organisation. If you come from a hospital you've got lots of people in place who deal with governance on a day to day basis, it’s easy to set up policies. In the smaller practice you’ve really got to leverage resources that are available through your peak body. So, the RACGP put out a whole range of resources, and if you work your way through those resources, as part of registering for access to the My Health Record system, that provides you with a guidance. The accreditation standards also support it. Essentially, it's really around best practice, around privacy controls, privacy and confidentiality. So, when you set up your systems make sure that only those people who are authorised to have access have access. Access to My Health Record will generally be through an accredited or conformance software program. Those programs are designed to track movement, track access. They won't necessarily identify an individual who's accessed My Health Record, but they'll have an audit log of when the record was accessed. You need to set up systems in your own practice around the education, and training, and support. I know that in my practice we've had a few small issues that have occurred because, understandably, not everyone is familiar with the nuances of legislation, not everyone exactly understands how the consent model works.
SOPHIE: Can you give us an example of some of those sort of minor teething problems that you've had?
NATHAN: Well, probably the classic ones were before we moved to the current model of opt-out. We've had instances and practices where individuals have been registered for a My Health Record without being fully aware that they were being registered…
SOPHIE: I see. (SOPHIE CONTINUES TO AGREE WITH NATHAN)
NATHAN: …understandably, because there are a whole lot of programs that link off it, like the ePIP program, which supports funding to general practice to upload a Shared Health Summary, so we've had staff who have misunderstood what consent actually meant, and there were individuals who are registered not always with their full consent. Again, was there any harm? That’s a good question, if you get registered that nobody's actually accessed the information is there any harm?
SOPHIE: Mm. Is there any harm? (SOPHIE CONTINUES TO AGREE WITH NATHAN)
NATHAN: And it's easy… relatively easy to resolve under those circumstances. Issues where information was posted, for example a Shared Health Summary, no requirement to seek consent, again it was a bit of a confusing area the Shared Health Summary. Some of the initial advice, provided by many people in the space, including our own College, was that you should obtain consent to upload the Shared Health Summary because it was a new and unique document, so standing consent notwithstanding, it’s probably a good idea to have a conversation, which I think still holds true, and then… see, but then the question became to seek consent to upload and that wasn't required. So… but some patients still think their consent is required to upload a document during that process, and then that might lead to a complaint, so that's about then re-education, creating awareness…
SOPHIE: I think that’s right. (SOPHIE CONTINUES TO AGREE WITH NATHAN)
NATHAN: …updating your information leaflets, or your online web information. So, it's about trying to align current practice with new systems, and consumer and provider awareness, but most of those get solved over time. I know of practices that have received letters from the Digital Health Agency and generally they’re, whilst they come across as a please explain, that generally, they’re resolved fairly quickly. I note that's something that you've had an interest in, what do you do if you get a please explain letter?
SOPHIE: Well, that's right, and I think that the view was that people would be terrified if they get a please explain letter, but that the view of the agency is, I think I'm right in saying, that the agency sees all unauthorised access and must actually respond to all instances of unauthorised access, so they simply want an explanation. 99% of the time it's going to be a very benign explanation, it's going to be where, as you say, “I've inadvertently accessed Jenny Smith when I thought it was this Jenny Smith”, the agency’s not going to be concerned about that. The public, generally speaking, aren't concerned about that. If someone, in my GP clinic now, is looking at my record, inadvertently because there's another Sophie Pennington, I'm not fussed about that. It's more if someone's intentionally doing it, and I think it’s… it’s what you're saying, we've discussed this before, if you, in your practice, whether you’re a solo practitioner or a bigger group, if you've got a fairly good, robust system now, which most will, or ought to have, for maintaining and storing electronic information, it's really just an extension of that. I think the other concern, which you might want to talk a little bit about as well, is there's a concern about what is uploaded, and I think there's been a concern expressed by some GPs is what will people get to see because my notes are a little bit of a mess and is this Shared Health Summary kind of a big synopsis of everything I've got? Is it drawn out of the data and just uploaded there, and am I going to have to do a reconciliation of all of my data to make it clean? Can you…?
NATHAN: Sure, so look again it's a great question. It certainly came up on the road shows last year…
SOPHIE: It did, it did. (SOPHIE CONTINUES TO AGREE WITH NATHAN)
NATHAN: …around it is if my practice is connected to My Health Record does that mean everything in my local system’s now exposed to the consumer. Well, it's… again it’s an interesting issue. In the My Health Record system it's essentially a summary of information, or a collection of documents and some key data, so for a general practice that's about sending a Shared Health Summary, which contains a number of key elements, but it's not the progress notes, it’s just allergies, adverse events, medicines, history, immunisation data, and you actually review that before you send it up, so it's fairly well controlled, and fairly defined. You could send up a referral letter, specialists can send us specialists’ letters, and hospitals can send up Discharge Summaries. They're predominantly the main types of documents that go up there, but the actual system that you're using, your clinical system or EMR, all the other information in there is not exposed to My Health Record. Now, in other parts of the world, it's interesting because it's different, and if you look at the OpenNotes movement… the OpenNotes movement actually says that a consumer should be able to see everything…
SOPHIE: Everything. (SOPHIE CONTINUES TO AGREE WITH NATHAN)
NATHAN: …that's in an individual's health record. Some hospital systems are now opening up patient portals which are providing access to everything in that record. So, we're going to go through an evolution of some data, potentially all data, and it’s that broad change that's occurred over the last 20 or 30 years, from health information being essentially the doctor’s information and an aide memoire, to now being the consumer’s information, or the consumer having a right to access that information.
SOPHIE: And you could use this, really, as an opportunity to, for each of your patients, as an opportunity to make sure that everything is up-to-date. So, if you're concerned that your records aren’t up‑to‑date, and you have patients that you see relatively infrequently, sometimes you’ll look up patient notes and you'll see that the history hasn't been updated in 10 years time and they only come in once a year for something routine, it's a good opportunity, with creating a Shared Health Summary, to actually have a discussion with the patient about their… whether they're now 45 and might want to have a regular health check, or a bowel screen, or something like that, to use this as a chance to get everything up-to-date, so that moving forward you're actually providing better clinical care ‘cause you've had that discussion.
NATHAN: Absolutely, and if you do it as part of your clinical workflow then it makes it easier. So, in a lot of practices, many practices now have practice nurses who see the patient before or after, in‑between the doctor, and they access the record, and they update the information. So, in my practice we use the nurses to do a lot of the curation.
SOPHIE: Yep. (SOPHIE CONTINUES TO AGREE WITH NATHAN)
NATHAN: The nurse can… a registered nurse can actually send to My Health Record, or the GP could do it, so it's really about the policies, and the process, and the training, and review of the system you have in place. So, all those things are possible.
Just in terms of the breaches… you're required to notify the Office of the Australian Information Commissioner, and you’re required to notify the Australian Digital Health Agency, and I guess that's a bit confusing…
SOPHIE: It is.
NATHAN: So, why are both agencies involved, given that that Digital Health Agency is actually responsible for managing, and is the system operator for My Health Record?
SOPHIE: I guess as the Privacy Commissioner has oversight as to what might… what remedies might be available, and the Agency, in respect of monitoring the data, and looking at its security systems, and what systems it can put in place to mitigate that. So, privacy perspective, in respect of looking at what, I guess, penalties could be imposed as well, and what… they've gone into community concerns about unauthorised access. I think what's interesting to note here though, as well, is there might be some sort of duplication there, but under the current local legislation you have to notify a patient when you’ve accessed their docu… their health information without authority, and I think most doctors don't appreciate that, it's not particularly well publicised, but you technically do have to notify a patient. Whereas you don't, in respect of My Health Record, so that's actually a little bit less stringent, but I think it's a good quality control measure, and even if, it's quite clear that, even if you've resolved the breach, so if there's been some lapse in the technology and there's been unauthorised access as a result of that, and that has been fixed, your IT systems has been fixed, you still have to notify the Digital Health Agency and the Privacy Commissioner of that breach.
NATHAN: So, essentially the Digital Health Agency it looks at the system…
SOPHIE: That’s right. Yes.
NATHAN: …and… in regard to whether there needs to be any changes to the system, whereas the Office of the Australian Information Commissioner deals with the individual, and the actual data.
SOPHIE: The data, and what flows from any breach of that, or misuse of that data. That's right.
NATHAN: Sure. So, one of the other issues that’s currently concerning healthcare consumers, healthcare providers often talk about, is that a consumer accesses My Health Record, sees some information in there, that… the one… the classic one that comes up is pathology results, they see result and they interpret it in a certain way, and that this… they've lost the follow-up.
SOPHIE: Mm.
NATHAN: What's my risk as a healthcare provider, under those circumstances?
SOPHIE: So, we had this question a lot, I think didn’t we, when we were doing this show…
NATHAN: Absolutely.
SOPHIE: …and I think this is a great opportunity for you to remind everyone about the RACGP standards, particularly the criteria in relation to follow-up. So, if there's any… as a health… where I'd say if there's any policies that you are going to look at and properly implement in your practice it’s the follow-up policies and procedures. If you have a good follow-up policy and procedure in place none of this matters. The only thing you have to be aware of, yes, is that you might have a patient who finds that there's pathology results, and those results are bad results, and they will be distressed, and there is a concern of what will they potentially do? Will they decide to cancel the appointment with me because they think they've got a terminal illness and there's no point and they don’t want treatment. Do I have to be more acutely aware of that? But you should be anyway. So if there's a result that's urgent, or that's a critical result, irrespective of what the patient might be thinking about it, you will ordinarily have in place your follow-up systems and procedures. Some of… there's been a recent Coroner's case where they’ve said it's good for patients to have this information, because it's yet another way to ensure that things don't get lost. I'm not sure that I necessarily agree with that, because we shouldn't really have patients being, sort of another means of capturing those missed opportunities, but it's not going to hurt.
NATHAN: The safety net. Yeah, yeah.
SOPHIE: The safety net, whether the patient can be the safety net, because I think it could potentially be very distressing for patients to get that information and still have three days until there's got to be their GP, but, you can probably answer this from the clinical perspective, in situations where the results are critical results they're not necessarily, from what I understand, a lot of the time they're not unexpected bad results. So, it's not as common that you will have a result that’s a critical result that was completely unexpected. If you do have that result then you would have… it would come back to your practice and you would look at that and say, “That was completely unexpected, that the melanoma that I expected was just a mole, and it's urgent and I will put in place assistance to speak to my patient.” Yes, I have to be aware that they've probably also seen that as well.
NATHAN: And they may or may not have because the system actually allows, with the seven-day delay…
SOPHIE: Yes, the seven-day delay. Exactly.
NATHAN: …there’s plenty of time from when the result is created to actually suspend that from further upload. So, if you've got a good tracking and tracing system…
SOPHIE: If you've got a good system in place, that has the critical results, it has certain time frames that you would impose, there's no specific time frames to impose, but your own practice will have a time frame imposed as to when you respond to those results, then you should mitigate most of that risk, in any event, and there's also the opportunity, which we spoke about before, if you're sending… if the symptoms are serious, and you've got an inclination as to the results being potentially critical, there's a discussion you can have with the patient about, “How about we don’t upload any of this, how about you just come back and see me in three days time we'll chat.”
NATHAN: Sure. Well, Sophie, we are starting to run out of time, I think we’ve got a couple of minutes left. There are lots of other questions that have come in, and we've tried to identify some of them.
SOPHIE: Yes.
NATHAN: We’ll deal with others, I think, through the FAQ process. Subpoenas is one. Just in 30 seconds, I get a subpoena what do I do about that, Sophie?
SOPHIE: You don't have to download what's in My Health Record, if you've looked at anything in My Health Record it will automatically be downloaded, as I understand it, into your software, and form part of your record and you print it off, but you don't have to go separately to that tab, open it, print it. No need to do that.
NATHAN: So, only when it forms part of the record.
SOPHIE: Only when it forms part of their record.
NATHAN: I don’t have to go in… because it's the consumers record, it's not my record. It’s only if it’s got a light on it that I should download it, and it becomes…
SOPHIE: Exactly. So, you get a specialist letter that comes in, you open it, you look at it, you download, that’s part of your record, you want that in your record…
NATHAN: Yep.
SOPHIE: …then you hand it up on subpoena, but you don't separately have to go into My Health Record.
NATHAN: So, whether I get it by snail mail, by unsecured email, secure email, by fax, or by My Health Record, once it's in my records it forms part of my record.
SOPHIE: Once it’s in your record, it’s your record, and just to be clear, that includes, we have this question a lot, that includes specialist letters where it says at the bottom, “Do not disclose without my consent, do not disclose for a third party without my consent”, that doesn't stand the test, the legal test, if it's your… it becomes part of your record once it’s sent to you and you are obliged to hand it over if a subpoena is issued, it’s part of that record.
NATHAN: Does it? So, that's a fairly legal, meaningless statement there.
SOPHIE: It’s a fairly legal, meaningless statement. (CHUCKLES)
NATHAN: Okay. Well, I think we're now coming to the end of our time. So, Sophie, thank you very much. I hope everyone's found that informative. There are lots of other questions, and I'm sorry we haven't had time to go through most of them. We will update the Frequently Asked Questions, and I know that we've been also sending our responses through the webinar. If there's a specific question that you'd like answered that we haven't addressed, that's not only frequently asked questions, feel free to send that through to the RACGP at ehealth@racgp.gov.au and we will deal with that over the next few days. So, Sophie, thank you very much.
SOPHIE: Thank you, Nathan.
NATHAN: We are repeating this webinar again on Thursday. It will be available online within a few days, so feel free to advise your friends and colleagues to have a look, and please provide us with feedback. Thank you, everybody.
SOPHIE: Thank you.