Quote Of The Year

Timeless Quotes - Sadly The Late Paul Shetler - "Its not Your Health Record it's a Government Record Of Your Health Information"

or

H. L. Mencken - "For every complex problem there is an answer that is clear, simple, and wrong."

Wednesday, May 20, 2009

Should Doctors Sell Information Derived from Their Electronic Health Records?

The following article appeared in the Australian IT Section a day or so ago:

Grab for patient records

Karen Dearne | May 19, 2009

Article from: The Australian

MEDICAL market research firm AsteRx plans a grab for doctors' prescribing records with an offer of powerful business intelligence software free to GPs who sign up.

AsteRx managing director Jon Marshall says de-identified patient data provides valuable insight into healthcare trends -- including the spread of infectious diseases -- for which drug companies, pharmacists and others are prepared to pay.

"We essentially want to build a large network of GPs so that we can provide data that can be called on in times of need," he said. "If we were extracting data from every GP in Australia, we would be able to track the swine flu, for instance.

"From the data we already collect I can tell you whether there has been an increase in immunisations, or increased incidences of flu, right up to yesterday's figures."

In return, doctors would benefit from clinical and business insights into their own systems and activities that the software would give them.

The business intelligence application -- accessed through a dashboard -- is based on Inside Info's QlikView product and designed so users can quickly query information and create reports.

"Basically, we have built a platform that allows us to gather data from any GP software package, and run it through a layer to create common data elements that we then aggregate up," he said. "From there, you can put QlikView over the top and begin to perform the analytics, data mining and reporting."

Mr Marshall said the business involved collecting millions of lines of data from individual doctors, but until now it had been difficult to access data already in clinical and practice software.

"With QlikView, we're starting to build some really neat reports," he said.

The dashboard approach means doctors can query things like the number of patients on an asthma care plan in their practice, or identify which diabetic patients are overdue for a review.

More fascinating information here:

http://www.theaustralian.news.com.au/story/0,25197,25502296-23289,00.html

As I read the article three thoughts came to mind. The first was how would I feel as a patient if my GP was doing this sort of thing, second just what are the implications of this sort of data gathering and third I wondered what say or awareness individual patients had of their involvement in this so called ‘research’.

A visit to the web site provides some answers:

http://www.asterx.com/Corporate/AboutUs.aspx

About Us

asteRx is an Australian company that develops a number of solutions for the healthcare industry.

The lead asteRx product provides a fast and secure channel for the doctor to participate in market research. asteRx is currently on the desktop of over 16,000 Australian Doctors, and can be accessed via the scriptwriting software of Medical Director. If a doctor likes to participate in market research, then asteRx provides a fast and effective channel for that to occur.

The doctor can select which research they would like to participate, what their involvement would be, and the incentive they will receive, before actually commencing an activity.

asterx uses modern web services technology to quickly transfer data, with all data transfer performed using SSL encryption to ensure the security of all information.

Ethical Approach

asteRx is committed to strict adherence to its privacy policy and the principles of the privacy act.

We are committed to ethical and appropriate practices to maintain the expectations of the community for the security, privacy and integrity of personal health information.

asteRx is committed to ensuring that any complaints are dealt with efficiently and effectively

The Company respects doctors' clinical independence and decision-making abilities.

----- End Page:

Elsewhere it is mentioned that the fee paid to doctors for one month’s participation (and data) is a $25 cheque to the doctor and that what it is all about is the collection of prescribing data linked to an individual doctor or practice.

The privacy policy on the Web Site makes interesting reading:

http://www.asterx.com/Corporate/Privacy.aspx

Thank you for visiting www.asterx.com. Your privacy is important to us.

To better protect your privacy, we provide this Privacy Policy to explain our online information practices and the choices you can make about the way your information is collected and used at this site. If you have any questions or concerns about our Privacy Policy for this site or its implementation you may contact us by emailing to support@asterx.com

POSITION STATEMENT ON PRIVACY POLICY

asteRx recognises, that the capacity of information technology to capture and transfer information electronically, has heightened community concerns about privacy in relation to the handling of personal health information.

Personal health information is personal information:

* about a person's health, medical history or past, present or future medical care

* collected in the provision of health services to an individual; or

* about any health service provided to an individual

Personal health information is sensitive. The secure transfer, storage and disposal of personal health information are paramount to protecting and maintaining privacy. To this end, asteRx is committed to ethical and appropriate practices to maintain the expectations of the community for the security, privacy and integrity of personal health information.

asteRx takes into consideration the:

* Privacy Commissioner's Report on the Application of the National Principles for the Fair Handling of Personal Information to Personal Health Information (Crompton, 1999)

* RACGP Code of Practice for the Management of Health Information (1998)2

POSITION ON PRIVACY ON EMERGING TECHNOLOGIES

asteRx supports the use of public key and Secure Sockets Layer (SSL) technology which uses asymmetric and symmetric encryption techniques to optimise the confidentiality and integrity of information transfer through authentication of users and non-repudiation of transactions.

Consistent with asteRx's commitment to continuous quality improvement, asteRx will develop position statements on privacy for new technologies as they emerge.

REFERENCES

1. Crompton M. Privacy Commissioner's Report on the Application of the National Principles for the Fair Handling of Personal Information to Personal Health Information. Office of the Federal Privacy Commission. December, 1999.

2. Royal Australian College of General Practitioners. Code of Practice for the Management of Health Information, 1998. Authorised by Sue Phillips. http://www.racgp.org.au/policy. Accessed 13 April, 2000.

----- End Policy.

What is clear from all this is that asteRx is able to collect data which identifies the doctor, the illness for which they are prescribing and the age and sex of the patient. It is also clear they do not see there is any need for the Doctor to seek any form of permission of consent from the patient.

A few points:

First – even at the payment offered there is clearly someone seeing this information as valuable – and you can be sure that is the major drug companies – who will pay for this data and then design marketing campaigns to doctors to change prescribing behaviour. If it was not working they are smart enough business men to not pay!

Second – noting the web site is date 2005 I would venture to suggest that patient concerns might have moved on a little – and that given there is a review of how health information is to be handled underway at present – what is being done here is sailing rather close to the wind.

The comments of the Privacy Commissioner (from 2001) on such issues are relevant –but not referenced by asteRx.

See here:

http://privacy.gov.au/publications/IS9_01.html

I small communities I would doubt there could be any confidence that all data collected was indeed properly de-identified given this comment.

“Taking reasonable steps to de-identify information before it is disclosed

This means that where an organisation has collected health information without consent for the purposes listed in NPP 10.3, the organisation must ordinarily de-identify the information before it discloses it. The information should be de-identified in a manner that does not allow it to be re-identified.

For example, health information collected for a research project should be modified so that the identities of the subjects are not reasonably apparent when the results of the research are published or otherwise disclosed.

Organisations should note that simply removing the person's name may not be enough to satisfy this criterion. In some circumstances a person's identity may reasonably be ascertained from other information - for example from an identity number, or other details held about the person, or from the context in which the information is collected.

Tip for compliance

Determining what are reasonable steps will depend on the circumstances. Considerations that may be relevant in determining what steps are reasonable include: whether unit or aggregate information is being released; the 'cell size' of aggregate data; the context into which the information is being released; the capacity of the collecting organisation to re-identify the information; and the content and nature of any assurances given by, or agreement with, the receiving organisation about not attempting to re-identify information.”

Third I see this sort of activity as potentially damaging public trust in moves to adoption of e-Health – given a common concern many express is that they are unhappy as soon as they have any sense their information is not under the direct control of themselves or their clinician.

Fourth – my answer to the question posed in the title is a clear cut and definite NO!

Legislatures in a number of US States are acting to outlaw this sort of data mining and Australia should follow suit in my view!

David.

5 comments:

Anonymous said...

Collecting data which identifies the doctor should not be permitted.

It should be apparent to all that when the illness for which the doctor is prescribing is linked to the age and sex of the patient it is quite a simple matter to collect and compare similar information available through the local pharmacy dispensing system.

All this underpins powerful community focused marketing campaigns aimed at increasing awareness in that community of the particular medication and associated illness. The end result is obvious. The national PBS expenditure costs will increase dramatically.

Government should be very concerned.

Anonymous said...

So under what circumstances do you reckon health data mining should be able to occur?

Do you have similiar concerns about the APCC methodology?

Dr David G More MB PhD said...

In short no. It is the 'for profit and marketing aspects' of this type of activity I and others are not comfortable with.

The APCC is about quality improvement and practice consistency - good things in my view - assuming proper data handling methodology.

David.

Anonymous said...

Under what circumstances you ask?

Let’s put it this way - if the purpose of data mining is to increase the sophistication and effect of marketing techniques to better target doctors and modify or change their prescribing habits it should not be permitted.

If the doctors ID and location is removed from the data collected and the data is pooled into a central ‘statewide’(not regional or postcode related) bucket or even pooled into a nationwide bucket then a form of data mining which provides trends and usage that cannot be linked in anyway to individuals, be they doctors or patients, or cross linked to pharmacies, would be permissible.

The data bucket, so called, should be under strict legislative controls, regularly audited by a public authority and supervised by an independent Board of Governance. If circumstances arise from time to time where, in the Government’s opinion, it is in the national interest for security or other reasons to collect more granular and specifically identified data tied to doctor ID in nominated geographies or post codes, such as for control of an impending pandemic, then it should be permitted.

What are your objections to this approach?

You also ask if I have similar concerns about the APCC methodology? I am not familiar with the APCC Methodology but you are. Please enlighten us

Jay Andrews said...

POSITION ON PRIVACY ON EMERGING TECHNOLOGIES
how far is the privacy assured?i think it is always good to keep the records very safe.And what if some "Malignant" user changes the datas after collecting them?is there any method to identity and compare with orginal data that are collected?