Nola Marino (Forrest, Liberal Party) Share this | Hansard source

I rise to speak on the Healthcare Identifiers Bill 2010 and the Healthcare Identifiers (Consequential Amendments) Bill 2010, which will see the introduction of a 16-digit identifier for every Australian and every healthcare provider. The introduction of these individual healthcare identifiers is a part of establishing a national e-health system for the future. Healthcare identifiers are just the first step in establishing this system to ensure a more cohesive, coordinated healthcare system for Australian patients.

The coalition is supportive of the concept of e-health. However, we, and I particularly, have very serious concerns and issues about the security of information under the system. An e-health system would provide an opportunity to improve health care in Australia. We have a healthcare system that we know is under pressure. For this reason, it is important to continue to improve health care in Australia across the board. As we know, Australia is behind countries such as Great Britain, Germany and Canada in the implementation of e-health measures. The systems introduced in these countries share diagnostic imagery between providers and e-prescription services and facilitate communication between providers, reducing the silo method of treating patients—important to each patient.

However, as I mentioned earlier, while I believe that a national system will provide for greater consistency of health care, I have a number of concerns surrounding the privacy and the security of patient information. In introducing the system, the government must categorically guarantee the security of patients’ information under this system. There are no ifs and buts—it must guarantee that. My questions arise because the government is yet to really outline the stringent regulatory framework to ensure absolute security of health information further into the future.

I note that, in an article in the Sydney Morning Herald, the National E-Health Transition Authority has admitted it is yet to decide how access control would work, yet we have the bill before the House today. To further compound the problem, the system is due to start on 1 July, yet the software makers have not yet been provided with the specifications to design an appropriate IT framework or to integrate healthcare identifiers into existing software packages. This alone should be of concern to everyone in this parliament. We have previously seen firsthand the problems of rushed and bungled legislation—the tragic Home Insulation Program, for example.

I have very genuine concerns about exactly how the government will guarantee the security of this patient information. That and the lack of thoroughness of this legislation have also been raised by doctors and others. An article in the Australian on 19 January stated that doctors and other experts have raised concerns about breaches of patient privacy and criticised the rushed and limited one-month consultation period for the new laws—conducted over a holiday period. The article quoted the Royal Australian College of GPs as stating that greater clarity was needed about who would have access to patient information and whether doctors needed their patient’s consent before using a healthcare identification number. Recently we have heard that Medicare has investigated over 1,000 employees for potential unauthorised access to client records in the past three years. If Medicare is going to be the handler of Australian patients’ personal information, then clearly we have very serious concerns about the security and integrity of these processes.

The National E-Health Transition Authority’s Dr Haikerwal also raised concerns over the Labor government’s proposed e-health legislation, but this time in regard to the costs of the system. In the Herald Sun, Dr Haikerwal said:

If you look at e-health systems around the world, the cost falls on to the shoulders of the healthcare providers; the benefits are reaped by the patients and Government.

The government released a discussion paper in June 2009 and drafted this legislation in December 2009. Fifty-five organisations and individuals made submissions on the draft legislation and while most were supportive of the legislation they raised a number of technical points, including the possibility that doctors may be in breach of legislation by disclosing healthcare recipients’ identifiers, the exclusion of private health funds from using the new healthcare identifiers and the compliance costs of an extra level of privacy legislation.

As I have stated previously, we continually see examples of the Labor government rushing health legislation without serious, detailed and inclusive consultative processes. We saw the government’s attempt to target thousands of Australians by proposing that the most vulnerable, those needing cataract surgery, would have to pay hundreds of dollars more for life-changing cataract surgery. As we know, the majority of those are seniors—the very people who can least afford to pay more. There was the IVF debacle where the minister was forced to backflip on the government’s proposed halving of the Medicare rebate for IVF treatment. The WA Liberal government has also expressed concerns about the rollout of GP superclinics in Western Australia, and we have also seen the Labor government continue its attack on those with private health insurance. Fortunately for those holders of private health cover in my electorate, the Senate voted against that legislation two days ago.

Australians deserve a national system that will provide for greater consistency of health care but, in such a system, they also must have absolute confidence in the government guaranteeing complete security of their private information. I am particularly interested in, but extremely concerned with, the processes that the government will use to provide this guarantee of privacy and the penalties for those who access, use, pass on or sell the information.

An article in the Medical Observer referring to Medicare staff who had accessed patients’ information illegally quotes a Medicare spokesperson as saying:

… there would be an audit log of all access to healthcare identifier systems, which would be used to identify potential inappropriate access.

Well, this is no deterrent at all. This is like shutting the gate after the horse has bolted. And I have no doubt that those seeking to access the information will still do so. The Medicare spokesperson went on to say that ‘customers would also be able to use the log to learn when their UHI record had been accessed’. Again, this is too late. Who has it? Where is it? What is being done with it? You might be able to identify that someone has accessed it, but they have already got it and it has gone. I do not know what sort of comfort that will be to people. If you can tell your UHI record has been accessed, it is already too late. Whoever wanted that information, such as someone with potential commercial gain, already has it. And, in a broader e-health sense, I would suggest that no Australian would want their personal medical information broadcast to the world or used for any purpose without their express permission. I can only imagine the concerns of someone who may be suffering from depression or any member who has any particular personal or private medical condition—and such conditions are often extremely sensitive—and the trauma for those same people if those details are publicised or used illegally.

The very same article in the Medical Observer quoted Dr David More, a health IT consultant, as saying:

If Medicare can not manage its own staff, and not have them snooping, then we have to wonder about trusting them with the UHI numbers, and eventually with e-health records …

I share Dr More’s concern and hope that he is one person whom the Senate inquiry takes evidence from. I want to see the security measures for the storage and transfer of e-health details and the regulatory framework in which e-health is set to operate.

As a member of the House of Representatives Standing Committee on Communications, which is currently investigating cybercrime, I make a very, very strong recommendation also that the Senate inquiry take evidence and information from those involved in investigating cybercrime, such as the Australian Federal Police, state based technology crime investigation units, security organisations and various cybercrime agencies. Given the evidence we have taken during the hearings into cybercrime, I think there is a serious issue in relation to the capacity of government to guarantee the security of patients’ information from both domestic and international hackers, from organised crime elements in time and from those who seek to profit from the information contained in patients’ records—and there will be many who have a very direct and significant commercial and vested interest in e-health records. There are also those, I would suggest, who would be prepared to pay, and pay well, for perhaps Medicare staff, or whoever has access to the healthcare identifier systems, to allow them to access information. We do not need another rushed program. The potential for misuse and harm is too great. The Senate inquiry must fully explore and expose any and all of the potential flaws in this proposal.

See this speech in context