Really, you want me to share THAT! The minefield of shared access to patient data

+Print Archive
Just wondering

Really, you want me to share THAT! The minefield of shared access to patient data

Lucy O'Hagan photo

Lucy O'Hagan

Elderly woman looks through blinds
Patient notes contain information patients consider very private, so why is it being shared beyond the practice?

Lucy O’Hagan looks at the thorny issue of increased digital access to patients’ notes

For 10 per cent of patients with multiple chronic conditions and multiple providers, sharing information is great, and if I was one of them, I would c


Dr Hagan this is an area of extreme interest to me - maybe at a cost to my professional life. My PHO was hostile toward me when I asked what they needed my personal health information for each month, complete with identifiers: NHI, name, age and address. My GP said she was as concerned as I was about it and the fact that GP performance fees from the PHO were linked to that provision of personal information. Others in the sector have challenged that and asked the privacy commissioner to rule on it. Despite legal opinion to the contrary, the commissioner did not think PHOs were breaching privacy legislation by demanding these e-records. He said no individuals had complained. I challenge him to ask any member of the public if they really understand what they are signing away at the GP practice and if they are aware of the extent to which their information is being shared - and not just by GPs but by owners of health apps and who knows who else. There is an important balance to strike with the sharing of information and who it benefits and there should be more widespread public debate and open discussion about its pros and cons and how to deal with those, before we lose all our rights and damage is done. One day chickens will come home to roost and just listen for the fuss it creates with all sorts of people ducking for cover. Thank you for bringing it up in a public arena.


My GP was reprimanded and threatened by "Medical Authorities" when he refused to computerize my notes.  I did not want my notes computerized (I am a physician and know the value of privacy).  

I think we need to differentiate between access to Medical Records through a system such as HealthOne and what happens with regards to what PHOs are doing. Firstly HealthOne requires that the host GP has bothered to keep an up-to-date list of patient long-term conditions, medications and allergies on their Practice data-base for this information to even be available. Secondly accessing HealthOne requires identification of the provider accessing the information and the reason for accessing this information through a secure site with login and password. Thirdly accessing this information is traceable and auditable. And finally, if the information is up-to-date it significantly improves patient safety if they are seen by another provider. You cannot willy-nilly log into HealthOne and view all and sundries health information, nor can you view information that simply isn't there - and you will be surprised at just how poorly many things are documented by the patient's GP. Furthermore it allows you to confirm that a patient has a hospital appointment and to view other results on Eclair (when it in fact works - which is not often). It can be very useful and conforms with privacy and security of patient information by restricting access to those with a need to know for the benefit of the patient. 

What PHOs are doing - and claiming they have consent to do as a consequence of the signing of an enrollment form (they don't) - is 1) accessing practice data-bases and obtaining personal information, supplying that information to a third party and that third party using that information to contact patients for the purposes (but not technically restricted to these purposes) of conducting "patient satisfaction surveys". The Privacy Commissioner has said this is OK because Practices are responsible for the security of this personal information (and hence, I assume, if it is mis-used then the Practices will be held accountable); and 2) apparently using patient-identifiable information for "health research". The use of information for the latter has strict guidelines around access and use and requires the informed consent of the patient each time it is used for a different purpose other than the specified research. What we have is University-based researchers regarding this information as fair-game for research and apparently getting approval from an Ethics Committee (a fundamental requirement) when these researchers cannot even specify what their question for their research project is! What the PHOs and these researchers are doing or proposing is wholly unethical and morally unacceptable let alone a breach of the patient's privacy. If you are concerned about this Lucy then you are right to be concerned as it is a minefield. I am simply appalled at the laissez-faire attitude of PHOs and these researchers - and the Practices that have allowed access.