It seems inevitable that we will have a largely electronic health record sooner rather than later. Sensitive information which might otherwise have been buried in a paper file somewhere will be electronically accessible forever. To quote US security expert Bruce Schneier, ‘we are embarking on a grand experiment of never forgetting’.
And where information sticks around forever, the risk from ‘employee browsing’ increases sharply. It’s easy enough to imagine a politician or an All Black having a mental health episode. What if a GP’s notes about it were leaked in electronic form by a hospital employee who stumbled on it while flicking through the file late one night?
Employee browsing presents a significant risk that needs to be managed. District Health Boards routinely fire staff caught accessing records without proper authority. Given the trust that has been placed in them, I don’t think this is an excessive consequence.
A different kind of safeguard would be to use electronic patient information portals, letting patients see who’s been looking at or adding to their file. Patient alerts could let people know when a file appears to have been improperly accessed, or when a ‘break glass’ access has been made. As a nation we are pretty comfortable with electronic banking, not least because detailed information is available to us whenever and wherever we want. Why not use that accessibility in health with patient health information portals?
Knowing that I could look up who has seen my records, whenever I want, is a truly transparent approach. And transparency and trust go hand in hand. Not to mention acting as a handy deterrent on health provider employees who might otherwise consider having a poke through the medical records of a friend, neighbour or VIP.
Where an agency has clearly been getting it wrong, audit is another possibility. The Law Commission has recommended that I be given audit powers in the new Privacy Act that is likely to be heading to Parliament next year. Being able to investigate agencies that have demonstrated problems with keeping information safe and managing it properly is a way of keeping the sector on its toes.
Audit can help health agencies too. It can show them weak spots in the way they hold information. This makes it easier for them to improve their processes by showing them where to start. Because ultimately it’s not about blame, it’s about getting it right to keep patients’ trust.
I thought about all this when I visited my GP a while back. There was a computer screen he showed me, information was taken, medical care was given, and it all seemed to work out. But to be honest, I didn’t really worry too much about what was going on behind the scenes because I trusted my doctor to take care of the details.
Medicine requires trust in many senses of the word, at all levels of the health sector. As a patient, you trust your doctor will do their best to make you better. As a doctor you trust your colleagues and staff will do their best to give you the information and support you need. GPs trust that patient information they pass to their PHO, their DHB and the Ministry is not misused. And finally we trust in public health information that comes back down the chain and tells us how to best manage disease risks and improve public health. Trust is very circular.
But what sort of circle are we talking about? Is it like a soccer ball that can take a good kicking? Or more like a soap bubble that might leave nothing but a soapy spray when poked? As a doctor you might look at your own procedures and think ‘yes, that’s fine’, but what about other clinicians? What happens to the information you give them?
This issue was thrown into sharp relief by my most recent UMR survey. The survey showed high levels of public trust in the health sector, but also growing concern about health information being shared more widely. And a recurring issue that I have encountered is how many of the changes are happening without the public knowing about them.
The National Health IT Plan is moving ahead and various projects like the Health Identity reform and Maternity Shared Care Project are coming to fruition, but by and large people trust – that word again – that it is all ticking along as usual. And, though the Ministry of Health has put some commendable effort into involving consumers in the changes, I’m not sure they’d be able to tell if it wasn’t.
Where the customers of a service are unable to accurately judge its quality there is a risk of a ‘lemon market’ developing. Lemon markets drive down quality; the truly good providers can’t afford to keep operating at that level, and consumers can’t tell the difference between good and bad, so what they get inevitably tends towards the latter.
Now, I should say that medicine doesn’t fit this model when it comes to patient care. There is a strong ethical tradition, backed by law and regulators, peer review and an overriding concern for the patient. But I’m less confident when it comes to information governance and security in the health sector. A lack of good governance or security can cause and foster problems like employee browsing.
One way for GPs and other people in the health sector to avoid the lemon market is to keep doing what they’re doing, but better. Monitor their own and each other’s practices and behaviour, investigate complaints carefully, have clear policies. Be open about what, how and why they’re using patient information, make sure their staff know the rules, and have consequences when those rules are broken.
However, that’s not all it takes. To quote a canny health consumer advocate I talked with a few years back – “I trust a system when I’ve had a hand in its development, I trust a person when I can look them in the eye”. GPs need to be willing to get to grips with the changes that are coming, so they can look people in the eye when they talk about them. That might be the only way we’ll get trust strong enough to survive in a world that may have forgotten how to forget.