
Consultation on the Privacy Blueprint for the Individual Electronic Health Record; Submission to the National E-Health Transition Authority (August 2008)



August 2008

Executive summary

1. The Office of the Privacy Commissioner ('the Office') supports the development of an individual electronic health record ('IEHR') system to enhance the delivery of healthcare through improved sharing of selected health information. In the Office's view, the assurance that privacy is protected will be a key element of the overall success of such a system.

2. The Office notes its support for the express consent approach to IEHR participation proposed by the National E-Health Transition Authority's ('NEHTA') Privacy Blueprint on the IEHR ('the Blueprint'). This approach offers important privacy benefits to individuals by ensuring that individuals' active and express consent is required before they are enrolled in the system. The Office also welcomes individuals being able to consent to specific episodes of care being entered into their IEHR record.

3. While recognising the attention paid to privacy as part of the IEHR system's development and the constructive approach taken to consent, the Office believes there are some key issues which require further consideration. These issues are:

  • the need for enabling legislation for the system
  • whether individuals will have sufficient choice as to who may access their IEHR, that is, individual health care workers or entire health care organisations
  • whether individuals will be given the choice to limit access to particularly sensitive information by way of a 'privileged care' mechanism
  • the suggestion that audit records may not be available to individuals and
  • the need for further detail on how secondary uses of IEHR information will be managed, particularly with regards to uses beyond medical research.

4. In this submission to NEHTA, the Office provides input on these key privacy issues and other aspects of the IEHR system raised in the Blueprint.

About the Office of the Privacy Commissioner

5. The Office of the Privacy Commissioner ('the Office') is an independent statutory body whose purpose is to promote and protect privacy in Australia. The Office, established under the Privacy Act 1988 (Cth) ('the Privacy Act'), has responsibilities for the protection of individuals' personal information that is handled by Australian and ACT Government agencies, and personal information held by all large private sector organisations, health service providers and some small businesses. The Office also has responsibilities under the Privacy Act in relation to credit worthiness information held by credit reporting agencies and credit providers, and personal tax file numbers used by individuals and organisations.


6. The Office welcomes the release of the Privacy Blueprint for the Individual Electronic Health Record ('the Blueprint').[1] In particular, the National E-Health Transition Authority's ('NEHTA') consultation on the Blueprint provides an opportunity for the development and refinement of the key privacy features of the proposed Individual Electronic Health Record ('IEHR') system.

7. The Office understands that NEHTA seeks feedback on the Blueprint so as to inform an IEHR business case to be presented to the Council of Australian Governments ('COAG').[2] Further consideration of the matters raised in this submission will assist in ensuring that the business case contains adequate privacy protections for the system.

8. Previously, the Office has commented on NEHTA's Privacy Blueprint for Unique Health Identifiers.[3] Representatives from the Office have also participated in workshops and meetings arranged by NEHTA including the IEHR Privacy Roundtable in June 2007, the Secondary Use Roundtable in November 2007, and the Clinician and Consumer E-Health Consultation in June 2008.

9. The Office notes the Australian Law Reform Commission ('ALRC') is scheduled to release its final report of its inquiry into privacy law on 11 August 2008. The Office notes that the Government's response to the ALRC's report may have a bearing on the development of the IEHR system.

Fundamental privacy considerations for IEHRs

Legislation to regulate the IEHR system

10. The Office believes that it is essential that a national IEHR system be accompanied by specific enabling legislation.

11. The Blueprint makes several references to the possibility of introducing legislation to regulate the IEHR system. In its introduction, the Blueprint states that 'In assessing IEHR policy objectives and Australian privacy requirements, it is apparent that legislative support for IEHR may be desirable.'[4] At other points, the Blueprint lists the elements that could be covered by legislation.[5]

12. The Office submits that supporting legislation is not only desirable but essential to an IEHR system. As outlined in the Blueprint, legislation could usefully provide for:

  • identification of an entity with clear responsibility for management of the IEHR and the health information held in it
  • authorised and permitted information flows
  • prohibitions on specific uses and disclosures of IEHRs to avoid function creep
  • provisions for managing secondary uses
  • specific sanctions and remedies for privacy breaches
  • transparent and accountable governance mechanisms
  • requirements for unique health identifiers in the IEHR
  • minimum terms and conditions for participation in the IEHR and
  • uniform complaint-handling mechanisms.[6]

13. The Blueprint appears to contemplate an IEHR system initially introduced using 'mass contracting', with the possibility of specific supporting legislation in the future.[7] The Office believes that legislation is of sufficient importance that it should accompany implementation of the IEHR system.

The role of legislation in encouraging community confidence

14. Gaining the trust and confidence of individuals in the IEHR system is vital to its success. The Office submits that specific legislation to regulate the IEHR system is an important element in establishing and maintaining that confidence in the long term.

15. While many individuals are likely to welcome in-principle the benefits associated with electronic health records, there may be reluctance to participate if key privacy protections are lacking.

16. For example, research commissioned by Health Canada found that 88 percent of Canadians supported the development of electronic health records.[8] However, despite this strong indication of support, many individuals were concerned about how their personal information would be handled in an electronic health system. Notably:

  • 45 percent were concerned that their information could be accessed for malicious or mischievous reasons
  • 42 percent were concerned that it could be used for purposes not related to their health and
  • over one in three (37 per cent) were worried that privacy and security procedures would not be followed by those with access to their records.[9]

17. Notably, 74 percent of respondents to the Canadian study said that introducing new legislation that made unauthorised access to personal health records a serious criminal offence would make them 'more comfortable'.[10]

18. Similarly, studies undertaken in the United States also suggest strong in-principle support for electronic health records. However, in one such study, 80 percent of respondents were very concerned about such systems posing risks of identity theft or fraud and 77 percent were very concerned that their health information would be used for marketing purposes.[11]

19. The Office strongly recommends that NEHTA's business case to COAG presents legislation not as a desirable but as an integral element of the IEHR system, both for the protections it introduces (such as the matters outlined above at paragraph 12) and the assurances it provides to participating individuals that protection of their privacy is taken seriously.

The importance of PIAs in ensuring privacy protection and encouraging community confidence

20. The Office notes that during the development phase of the IEHR system, privacy impact assessments ('PIA') will be critical to identifying the scope of enabling legislation and the privacy protections that need to be built into the operating system.

21. The Office welcomes NEHTA's commitment to undertake a full PIA on the IEHR system. The Office recommends that NEHTA makes public its preliminary IEHR PIA and its upcoming PIA when it has been carried out.

22. As the Office notes in its PIA Guide, publishing PIAs 'helps to demonstrate to stakeholders and the community that the project has been critically analysed with privacy in mind.'[12] The Guide also points out that 'Publishing ... represents good practice by contributing to the transparency of the project.'[13]

IEHR participation agreement

23. Page seven of the Blueprint outlines a model for an IEHR participation agreement which sets out terms and conditions for those individuals and healthcare organisations participating in the IEHR system. It goes on to state:

In the absence of legislative support at this stage, the IEHR participation agreement will be developed as a mass contract based solely on common law requirements.[14]

24. While the proposed participation agreement contains a number of important information handling obligations, the Office is concerned that this approach may lack the certainty that could be achieved through legislation.

25. In the Office's view, the participation agreements should supplement rather than substitute the protections offered by specific legislation. On its own, the participation agreement may not adequately offer the robust oversight and remedial mechanisms that can be specified in legislation.

26. In particular, the Office is concerned that a 'mass contracting' approach may:

  • create uncertain standing for individuals to be able to enforce agreements between providers and the governance body, and thus possibly hinder their ability to seek remedies where their information is handled inappropriately
  • not guarantee the application of administrative law principles to the complaint handling process, including procedural fairness and
  • offer no external review mechanism for decisions made concerning complaints, such as appeal rights to merits tribunals, the Courts or Ombudsmen.

27. Further, it is also not clear what steps would be taken to conduct audits of institutions to ensure compliance with the participation agreement. In contrast, legislation could establish a power or function in an appropriate accountability body to conduct proactive audits of compliance with privacy obligations. Such powers are currently available to the Privacy Commissioner in regard to Australian and ACT Government agencies, as well as businesses that handle credit information and could form a model for IEHR specific legislation.

28. The Office suggests that these considerations clearly illustrate the benefits of enacting specific legislation to accompany an IEHR system. Such law could specify strict protections as to how personal health information may be handled.

Participation agreements for healthcare provider organisations

29. While participation agreements should not be the primary source of privacy obligations for IEHRs, the Office agrees that they are likely to be of value in setting out matters of detail.

30. In particular, the Office notes that participation agreements might address obligations regarding security and potential breaches of security.

31. While security principles in the Privacy Act offer general protections against misuse, loss and unauthorised access, modification and disclosure,[15] the specific information technology and architecture of the IEHR system may warrant specific security protections and standards. Such details, which could make allowance for different types of organisations, might be appropriate matters for participation agreements.

32. The Office notes the Blueprint proposes that participation agreements include information about 'The status of entries made in the IEHR'. The Office is uncertain what 'status of entries' refers to and suggests that this point could be clarified.

Participation agreements for individuals

33. The Blueprint states that both individual consumers and healthcare provider organisations will enter participation agreements with the IEHR organisation. The Office agrees that 'In relation to individuals, the IEHR participation agreement must provide a user-friendly, streamlined approach that ensures fair and just terms and conditions.'[16]

34. The Office suggests that it may be useful to separately list the items that will be included in the consumer and organisation participation agreements to make it clear what would be addressed in each.

35. More generally, the precise status and purpose of these individual agreements is uncertain and could usefully be clarified.

Healthcare provider access to individual personal health information

Types of healthcare providers eligible to access the IEHR system

36. The Blueprint states that for healthcare provider organisations to be able to participate in the IEHR, they must meet a number of criteria, including registration for a HPI-O (health provider identifier - organisation). The Office is unclear as to the eligibility criteria that will apply to the issuance of HPI-O numbers and, in turn, the breadth of healthcare provider organisations that will be eligible to participate in the IEHR system.[17]

37. Under the subheading 'Healthcare Provider Access', the Blueprint states:

In the longer term, consideration will be given to providing access to all healthcare providers, or if necessary to healthcare providers that meet specific eligibility criteria.[18]

38. The Office notes that the potential breadth of the term 'healthcare provider' is unclear. The Office suggests that this term be clarified and specific eligibility criteria defined so as to provide a clear understanding of the potential scope of the IEHR system.

Managing access to the IEHR system

39. The Blueprint suggests that access by a healthcare provider to an individual's records should be predicated on the individual having consented to such access.[19]

40. The Blueprint notes that healthcare provider organisations can range from sole traders to large health departments and hospitals.[20] In the case of a large hospital, it remains unclear whether, in granting consent to a doctor within that hospital to access their IEHR, the individual is consenting to everyone in the hospital having access to their IEHR.

41. The Office suggests that greater clarity is required about how individual healthcare workers are identified when interacting with IEHR records. Similarly, requiring specificity in such identification would facilitate more sophisticated access control measures and provide for detailed audit trails. By way of example, the Office understands that health workers in the United Kingdom's National Health Service are issued with individual identifiers.[21] Similarly, the Office understands that Alberta's 'NetCare' electronic health records system restricts access based on '...that individual's role in the health care system' and that 'Each user must go through two levels of authentication each time they access Alberta Netcare EHR.'[22]

42. The Blueprint says that 'Individual healthcare providers will be required to have both a smart card for authorising their access as well as a HPI-I...'[23] (health provider identifier - individual) and later that the participation agreement will set out the requirements for providing access to individual healthcare providers.[24] However, it remains unclear to the Office what form those requirements for internal access are likely to take. In the context of individuals granting access to their IEHR to the full healthcare organisation, these internal access mechanisms will be critical to ensuring that only the appropriate healthcare workers within an organisation access the system.

Access to IEHR records in multidisciplinary care contexts

43. As noted in previous submissions, the Office recognises that providing high-quality health services increasingly involves sharing information across members of care teams.[25] Similarly, information flows may occur in a health context which do not readily lend themselves to individuals being able to specifically consent to particular providers handling their health information.

44. These realities need to be balanced with the need to ensure individuals retain appropriate control of their health information. This is especially pronounced in the context of IEHR systems, where information may technically be widely available. The challenge is to permit necessary flows of personal information to occur within organisations, which do not require individuals to provide broad consents to whole organisations accessing their records.

45. While the Office supports individual consent being the primary source of authority for specific providers to access health records, there may be occasions where further provision of consent is unnecessary for other parts of the same organisation to access the IEHR.

46. The Office suggests that the Privacy Act may offer an appropriate regulatory model for managing access rights within healthcare organisations. National Privacy Principle 2 provides that health information may be used or disclosed for a purpose other than why it was initially collected if:

  • the individual consents or
  • the secondary purpose is directly related to the primary purpose of collection and the individual would reasonably expect that use or disclosure for that secondary purpose.[26]

47. This model permits consent to be the primary source of authority for health information to be used or disclosed, though it also permits handling without consent in certain limited circumstances. Notably, the co-tests of 'directly related' and 'reasonable expectations' ensure that there are meaningful limits on how information may be handled and, in turn, accessed.

48. An example of how such a mechanism may apply is where a person who is being treated for diabetes gives consent for a diabetes educator at a hospital to access their IEHR. At the same hospital, this person may also be seeing a dietician, a podiatrist and an endocrinologist as part of a multi-disciplinary care plan to treat diabetes.

In this case, access to the IEHR by the dietician, podiatrist and endocrinologist may be allowable (without seeking consent for each of these departments to access the IEHR) as these healthcare workers are using the IEHR for a directly related purpose (the treatment of diabetes) and this is likely to be within the reasonable expectations of the individual involved.  Where there is any uncertainty about the individual's reasonable expectations, consent should be sought.

49. On the other hand, it may be inappropriate for the podiatry branch of a hospital to access a person's IEHR, when that person originally granted access to the dietetics branch of the hospital to treat a different health issue. This is because the secondary use of the IEHR for podiatry is (in this case) not directly related to the person's dietetics healthcare and therefore may be outside their reasonable expectations.

50. The Office has issued an Information Sheet on this issue - see Information sheet 25 - Sharing health information to provide a health service.[27] This sheet notes that the 'directly related/reasonable expectations' test can be applied to electronic health records, though suggests that it should be applied conservatively.

'Key issues' raised in the Blueprint

51. The comments below follow the structure of the 'Key Issues' chapter of the Blueprint.


52. The Office welcomes the recognition of the importance of clear governance arrangements for any national IEHR system.

53. Importantly, as the Office has stated previously, management and rule-setting functions of the governing body should be separated from accountability and oversight functions. These functions could possibly be undertaken by existing regulatory and accountability agencies such as the Ombudsman and the Office of the Privacy Commissioner and equivalent state government oversight bodies in regard to state government practices.

54. Therefore, while the governing body should have responsibilities to monitor day-to-day operations of the system, the functions of system audit and oversight would be carried out within existing accountability structures. Similarly, the governing body should attempt to resolve individuals' complaints in the first instance. However, it should not be the final arbiter of such complaints.

55. It is the Office's view that it should retain jurisdiction for privacy complaints emerging from an IEHR system where such complaints fall under current jurisdiction (that is, excluding State and Territory government agencies).

Sensitivity labels

56. The Office supports the use of sensitivity labels also known as 'sealed envelopes' or 'privileged care information' in the IEHR system as offering individuals greater choice and control over how their health information is used and disclosed.

57. Two sections of the Blueprint are devoted to the issue of sensitivity labels, with NEHTA noting that 'Intuitively, people request that "special protection" be available for information they feel is more susceptible to misuse or which may result in stigmatisation.'[28] However, the Blueprint also raises some doubts over sensitivity labels and their feasibility, particularly in the short term.[29] It is also stated that 'there are genuine difficulties in providing this capacity in the current context and it is likely that a series of "transition states" will need to occur over time.'[30]

58. While recognising the challenges that may be involved in developing sensitivity label functionality, the Office believes that if this option is not functional from the initial implementation, some individuals may choose not to enter information into their IEHR or not participate in the system. In many cases, these individuals may have stigmatised, chronic or complex conditions that may be better treated through improved information handling.

Sensitivity labels make privacy sense

59. Over the course of a lifetime, a significant proportion of people may experience conditions which they view as highly sensitive and for which they need extra assurances that related information will be handled privately. For example, it is estimated that around 20% of Australians will experience mental illness during their lives and most will experience a mental health problem.[31]

60. Individuals are likely to have particular concerns over the handling of such especially sensitive health information and seek to minimise the risks of it being mishandled. For example, research in the United States has revealed that one in six adults (17 percent) withholds health information from their health providers due to worries about how it might be disclosed.[32]

61. The Office suggests that sensitivity labels assist in providing choice, control and privacy protection to individuals, ensuring comfort and confidence that their information will be handled appropriately and will be viewable only by those healthcare providers they have nominated.

62. Sensitivity labels are also likely to promote equitable access to IEHRs. For example, some individuals may wish to take part in the IEHR system, and gain the benefits which it stands to offer, but may not want every event or medical condition accessible to every provider. The option to either have the information available to all nominated providers, or to none, may not be a reasonable choice where the system would aid in the treatment of complex or chronic conditions.

63. A 'privileged care' section also has the potential to serve a valuable symbolic function. While an individual may never elect to use the option, the mere fact that it is available should they choose provides a clear indication that an IEHR is part of a responsive, privacy-enhancing system.

Addressing potential issues raised in the Blueprint about sensitivity labels

64. The Blueprint notes that there is considerable support for a privileged care label among consumer groups and privacy advocates. However, other stakeholders have suggested that the proposed label is:

...potentially unsafe (because it hides information from a healthcare provider's view unless the individual chooses to reveal it) and that it will result in an unworkable administrative environment.[33]

65. The Office submits that the option to withhold some information from some providers accurately mirrors choices currently available to health consumers. While such choices may not always align with clinical best practice, they nonetheless reflect how individuals may wish to interact with the health system.

66. The Office also notes that the IEHR is not intended to be a comprehensive record, but rather to provide summary information that complements existing record-keeping arrangements. In the words of the Blueprint:

The IEHR is not a comprehensive record and its objective is very different to that of a primary care record. [...] It is important in this context to note that the IEHR represents an additional new channel of communication that is not intended to replace local records...[34]

Therefore, the Office suggests that in assessing the option of sensitivity labels, an IEHR should be seen as an additional source of information centred on the needs and choices of the individual, rather than as a complete clinical record.  As the Office understands it, an IEHR is not intended to replace detailed clinical records, nor effective clinician-patient communication.  For example, providers would still be required to ask new patients about prior diagnoses and family history.

67. At the same time, the Office recognises that it is important that individuals understand the potential clinical risks involved with restricting access to information using a sensitivity label. Such choices should, therefore, be accompanied by clear information to ensure individuals are sufficiently informed of the possible consequences of their choices. It may also be necessary to explain any emergency override mechanism that may apply to privileged care records.

68. Affording individuals the choice to restrict access to some information may increase the likelihood that they will include in their IEHR information that they may otherwise have withheld completely. In the Office's view, this is likely to be a better outcome for privacy and clinical care than individuals withholding particularly sensitive health information entirely or avoiding treatment completely.[35]

69. In regard to the suggestion that sensitivity labels 'will result in an unworkable administrative environment', the Office is of the view that sensitivity labels justify the time and effort required to ensure a system that meets individuals' privacy expectations.

Sensitivity labels need to be introduced at the outset

70. Finally, with regard to the proposal of a series of 'transition states' to introduce sensitivity labels progressively, the Office submits that privacy features need to be built into the system from the start and not developed afterwards.

71. While the Blueprint proposes that the functionality for sensitivity labels be allowed for in the IEHR design, the Office suggests that failing to introduce sensitivity labels at the start may jeopardise individual confidence in the system. It may also mean that sensitivity labels are not accorded the same rigorous testing and refining processes in the design phase as the rest of the system to ensure smooth interoperation of system components. There is also the risk that once the IEHR system is in operation there may be a disinclination to change it to accommodate sensitivity labels.

72. For these reasons, the Office suggests that sensitivity labels be in operation from the start.

Individual control of personal health information

Individual control over granting of access to their IEHR

73. In the key issues section of the Blueprint, NEHTA states that individuals will be able to 'Choose to provide a healthcare organisation with access to their IEHR'.[36] The Office supports consent as a primary source of authority to access IEHR records, and that this access should be as specific as possible. Additionally, the Office's earlier comments regarding multidisciplinary care environments should be noted (paragraphs 43-50).

Audit functionality

74. The Office supports plans laid out in the Blueprint for an audit trail function to record who accesses the IEHR system. However, the Office notes the uncertainty expressed in the Blueprint as to whether audit trails should be made available to individuals.

75. Providing individuals with access to audit trails is an important accountability measure that increases the transparency of the IEHR system.

76. It may also help allay consumer fears and garner confidence in the IEHR system by providing individuals with the ability to monitor and control their IEHR. Research commissioned by Health Canada on electronic health records found that 77 percent of respondents said that having the ability to find out who accessed their health record and when would make them 'more comfortable'.[37]

77. The Office submits that for the system to be fully transparent, the audit mechanism will need to log individual healthcare workers accessing the system, rather than just the healthcare organisation.

78. Finally, and as noted in the Office's submission to NEHTA's Privacy Blueprint for Unique Health Identifiers, audit is a form of oversight. While it may provide a useful deterrent effect and may hold individuals accountable for the misuse of personal information, auditing needs to be undertaken in conjunction with proactive privacy protection measures.[38]

Secondary uses of information stored in IEHRs

Community expectations regarding secondary use of health information for medical research

79. The use of health information for medical research is generally accorded a high level of importance by the community. However, given the sensitivity of the information, even this type of secondary use must be carefully balanced with individual privacy.

80. Sensitivity around secondary uses of health information is illustrated by qualitative research conducted by AC Nielsen which indicated a strong preference for health information to be only used for the direct clinical care of the individual, with any other uses being premised on obtaining the individual's informed consent.[39]

81. This is supported by quantitative research from New Zealand, which found that:

  • only 23% of respondents were willing for their general health information to be shared with researchers.
  • only 12% of respondents were willing for their 'sensitive' health information (in this context, meaning related to sexual health) to be shared with researchers.[40]

82. The Office's own community attitude research has found sensitivity around the handling of even de-identified health information for research purposes, with fifty-one percent of all respondents holding the view that consent should be sought.[41]

83. Qualitative research conducted in the UK on community attitudes to using health data for medical research without consent concluded that 'Public acceptability regarding the use of medical records in research cannot simply be assumed.'[42] Other research supports this position, noting that 'Patient consent to access their medical record should not be taken for granted'.[43]

84. US research indicates a clear consumer preference for consent to be sought to use medical records for research.[44] This is supported by other research.[45]

85. Individuals generally expect to be asked to consent to the handling of their health information for secondary purposes unrelated to their immediate care.[46] Research from both Canada and the UK has found that, in many cases, individuals would be willing for their health information to be used for medical research, but still expect to be asked for their consent.[47]

86. Research conducted in the US, using patients of the Department of Veterans' Affairs, found that 73% of respondents believed it was critically or very important to get consent for each research study.[48] At the same time, 83% of this same sample believed such research was critically or very important. Put another way, even though these individuals recognise the importance of such research, they still believed that consent should be sought.

87. In addition, research has found that support for the use of humans in research may not translate to a willingness to participate.[49] That is, individuals may support health information being used without consent for medical research, but not their own.

88. Therefore, in general, the Office submits that individuals expect to be given the opportunity to consent to the handling of their health information for research purposes.

Secondary uses not related to health research

89. Sections of the Blueprint dealing with secondary use tend to emphasise use of IEHR information for medical research. The Office suggests further consideration could be given to identifying and limiting secondary uses unrelated to research, such as those related to direct marketing, insurance or law enforcement. It is these types of secondary uses that individuals may have particular concerns about and for which it will be important to set strict boundaries in law.

90. For example, research undertaken in New Zealand found that individuals were less inclined to share their health information with government agencies (such as the police) and private health insurers than with healthcare researchers.[50] Therefore, individuals' comfort with secondary use of their health information for medical research should not be used as a yardstick for their comfort with secondary uses generally.

91. Similarly, Canadian research found that 76% of consumers expected to be able to 'opt-in' to having their health information handled for secondary purposes.[51]

The IEHR Secondary Uses Service

92. NEHTA asks in the Blueprint whether potential secondary uses should be managed via a purpose-built IEHR Secondary Uses Service.

93. The Office believes that an IEHR Secondary Uses Service may send the wrong message about how available information in the IEHR system is for other purposes. The Office recommends that secondary uses be managed by the IEHR organisation and regulated by law (with oversight by prescribed regulatory bodies such as this Office).

94. Specific enabling legislation will allow for prescribed secondary uses of information held by the IEHR system while also ensuring a framework of Parliamentary scrutiny for the expansion of secondary uses of the IEHR system to prevent function creep.

95. To ensure adequate oversight of expansion of secondary uses in the future, the legislation should also require consultation with appropriate regulatory bodies including this Office.

[1] National E-Health Transition Authority, Privacy Blueprint for the Individual Electronic Health Record, 2008, (the Blueprint) available at

[2] See the Executive Summary of the Blueprint.

[3] Submission made in March 2007 and available at

[4] The Blueprint, p3.

[5] See 'Governance', the Blueprint, p 15.

[6] See the Blueprint, p15-16.

[7] The Blueprint, see p 3 and p 7

[8] Health Canada (research prepared by Ekos Research Associates) Electronic Health Information and Privacy Survey: What Canadians Think - 2007, survey of 2469 Canadians available at

[9] Ibid, Health Canada.

[10] Ibid, Health Canada.

[11] Government Technology News, Americans Have Serious Concerns About E-Health Privacy, Says Survey, 8 December 2006,

[12] Office of the Privacy Commissioner, Privacy Impact Assessment Guide, August 2006, p 9 available at

[13] Ibid., p 9.

[14] The Blueprint, p 7.

[15] See Information Privacy Principle 4, s 14 of the Privacy Act 1988, and National Privacy Principle 4, Schedule 3 of the Privacy Act 1988.

[16] The Blueprint, p 7.

[17] Information sheets on NEHTA's website, including the Healthcare Provider Identifier (Organisations) Fact Sheet do not appear to provide further detail on exactly which types of healthcare provider will be eligible to participate in the IEHR.

[18] The Blueprint, p 6.

[19] See pages 6 and 7 of the Blueprint.  In addition, as the Office understands it, the provider must possess a HPI-O and have agreed to enter a participation agreement.

[20] The Blueprint, p 6.

[21] See

[22] See

[23] The Blueprint, p 6.

[24] The Blueprint, p 7.

[25] Office of the Privacy Commissioner, submission to NEHTA's Privacy Blueprint on the Unique Health Identifier.

[26] See National Privacy Principle 2.1(a), Privacy Act (1988).

[27] Available at

[28] The Blueprint, p 5.

[29] See the Blueprint, p 5 and 16.

[30] The Blueprint, p 5.

[31] Australian Government Department of Health and Ageing What is mental illness?  Available at

[32] Harris Poll #25, Many U.S. Adults are Satisfied with Use of Their Personal Health Information, 26 March 2007, survey of 2337 Americans, available at

[33] The Blueprint, p 16.

[34] The Blueprint, p 5.

[35] For example, Goldman & Hudson 2000 'Virtually exposed:  Privacy and e-health' Health Affairs Volume 19, Number 6, p 141 note 'Without trust that their most sensitive health information will be safeguarded, patients are reticent to fully and honestly disclose personal information and may avoid seeking care altogether - both online and off'.

[36] The Blueprint, p 13 and 17.

[37] Health Canada, Electronic Health Information and Privacy Survey, op.cit.

[38] Office of the Privacy Commissioner, Submission to NEHTA's Privacy Blueprint - Unique Health Identifiers, March 2007, available at

[39] AC Nielsen, Community Consultation: Health Information Privacy: A Research Report, 1998, p 8.

[40] R Whiddett, I Hunter, J Engelbrecht and J Handy (2004). Sharing Patient Information: A Survey of Patients' Views. Health Informatics Conference 2004, pages 59-64.

[41] Community Attitudes to Privacy 2007, page 46, available at

[42] M Robling et al (2004) 'Public attitudes towards the use of primary care patient record data in medical research without consent: a qualitative study' Journal of Medical Ethics, available at

[43] H Schers et al (2003) 'Continuity of information in general practice: patient views on confidentiality' Scandinavian Journal of Primary Health Care, pp 21-26.

[44] A Gallup Survey from 2000 found "67 percent oppose researchers seeing their medical records without the patient's permission" [available at ].

[45] National Health Service, Share with Care Final Report (October 2002); Whiddett, R, Hunter I and Engelbrecht J (2004) 'Patients' attitudes towards sharing their medical information' paper presented at the Australian Psychological Society 39th Annual Conference 29 Sept-3 October.

[46] UK National Health Service (2002) Share with care;  People's views on consent and confidentiality of patient information, p.10.

[47] S Page and I Mitchell (2006) 'Patients' opinions on privacy, consent and the disclosure of health information for medical research' Chronic Diseases in Canada, vol 27, pp. 60-67; UK National Health Service (2002) Share with care;  People's views on consent and confidentiality of patient information.

[48] L Damschroder (2007) 'Patients, privacy and trust:  Patients' willingness to allow researchers to access their medical records' Social Science and Medicine vol 64, pp.223-235.

[49] J Trauth (2000) 'Public attitudes regarding willingness to participate in medical research studies' Journal of Health and Social Policy, Vol 12, pp.23-43.

[50] Whiddett et al, op. cit., pp 4-5.

[51] Willison D et al 'Patient consent preferences for research uses of information in electronic medical records:  interview and survey data' British Medical Journal 15 February (2003) Volume 326.