May 13, 2018 at 10:16am
Following hot on the tail of my post about data reuse, the Department of Health has released the "Framework to guide the secondary use of My Health Record system data" (hereafter "the Framework" - link[pdf]).
There was a public consultation last year, run by Healthconsult, and you can read the submission from Future Wise here. I'll go through some of the points that jump out at me from reading through the document, and highlight some concerns I have.
The first thing to note is that the document explicitly states its principles are consistent with those outlined in the Productivity Commission's Data availability and use report, so many of the same concerns from my previous post still apply. At least the issue of the risks of unsuccessful de-identification is explicitly discussed in this document. However, the section on policy context notes that
"where MHR data has undergone an appropriate and robust de-identification process, it is not considered health information and is therefore not subject to the MHR Act or Privacy Act"
--Framework, pg 7.
Future Wise disagrees with this exemption, and called for it to be corrected in our submission.
Giving the Department some credit, however, they have built in a review plan - to occur not more than two years after the first release of data for secondary use (although, one hopes it could be much earlier than this if required).
I was going to give a list of pros and cons, but reading through the Framework, it requires a bit more nuance than that. Apologies for the narrative review; the good news is that this second revision is much shorter than the first one I lost in a crash (save early AND save often, people!).
The Australian Institute of Health and Welfare (AIHW) is considered the Data custodian for the purposes of the Framework. Given their role in dealing with Australian healthcare data, this is a good choice. AIHW already have procedures in place about data governance and privacy.
Australian Digital Health Authority (ADHA) are the System Operators for myHealthRecord, and are appropriately being kept at arm's-length from the procedures relating to data access, except through a seat on the Board.
The Board is required by the framework to include representatives from:
- population health/epidemiology
- health service delivery
- data science
- data governance and privacy
- consumer advocacy
- the Chair of the Aboriginal and Torres Strait Islander People's Advisory panel
which, other than sounding like it exceeds a sensible number of people for a functional Board, all seems very reasonable.
One concern that kept jumping out at me (as a technology-interested consumer advocate who works and researches in health-service delivery and population health) is that the Board, while having access to a number of technical advisory bodies, seems to have a lot of "executive" role in approving research and maintaining best-practices in data security, which seems to me to be more of an operational function, than the sort of high-level oversight usually associated with Boards.
The "simple" flow chart for approval processes looks like only a Federal Government bureaucratic document could:
...but is actually much less complicated than it appears, because all of the functions are carried out by:
- The data use applicant
- The Board
- ADHA as the System operator
- AIHW as either the data custodian for approvals; or as the data integrator (for linkage research)
This chapter, to the Department's credit, is early in the Framework, and leads on the summary page highlighting the way that consumers can (or will be able to) opt-out of secondary use; in small print down the bottom is the fact that "consumers who have a MHR can also cancel it at any time". The opt-out process has been fiendishly difficult to get information on, and independent journalist Asher Wolf has detailed on Twitter that even if you opt-out of future data being added, the records may be auto-populated with data unless you manually delete them.
I don't really see true "consumer control" as equating "I don't want this" with "I don't want any more of this but I'm still happy for you to make one and put stuff in it". At least any data that you personally mark as restricted access will not be available; they also explicitly state that any document you remove will also not be available for secondary use; I should think not!
On the plus side, however, the Framework does discuss dynamic consent, so that people who decide they still want a myHealthRecord for the clinical benefits it may provide can selectively opt-out of secondary use research, and there is further discussion later on about the eventual addition of further dynamic consent control allowing users to choose to opt-in for potential recruitment into clinical trials.
The best news to me in this section is that the Framework explicitly acknowledges that level of health literacy will have an impact on the consent processes; I have written on this blog, and on my own, that doctors (who will largely be the gatekeepers to myHR, let's face it) are terrible at technology and are unable to provide patients with truly informed consent on the detailed technical aspects of data security in secondary use.
Another way that health literacy affects the data is through differential participation. This was one of the alleged problems that Opt-in for myHR was supposed to solve, as those with poor access to healthcare or poor health literacy are often under-represented in large population health datasets. I recommend the book Personalized Medicine by Prof Barbara Prainsack (twitter) for a more detailed discussion of this issue. Opt-out from secondary use may also have the potential for biasing the dataset, as it is extremely likely that those who opt-out are those with greater health literacy.
It will be the responsibility of the Board to make determinations "as to whether those who will be accessing the data can be trusted to use it appropriately". It's not clear to me from reading the Framework what systems are in place for when this breaks down; does the Board then carry some portion of liability if the data is misused based on their assessment?
Access will not be permitted for overseas-based applicants unless they are working in collaboration with an Australian-based researcher. This does not seem to take into account academic mobility - what will happen if a principal investigator relocates overseas? Furthermore, the data for secondary use is required to be stored in Australia, which would seem to preclude the use of any cloud-based storage providers, or online data analytics tools.
Access to data
"The Framework does not propose to release any MHR unit-level data about individuals to the world at large"
--Framework, pg 26 [I'm glad we got that out of the way; and thank goodness everything always goes according to plan]
Other than the rather fatuous quote from the opening of the chapter, I have some concerns with this section. Again, as above, all the responsibility for decision-making rests with the Board.
More concerning is the idea that data access principles should be applied consistently across other data sets. The specific example given is the Medicare and Pharmaceutical Benefits Scheme (MBS/PBS) data; these are available through separate channels with the Department of Human Services as the data custodian. We have already seen how well the principles of data access were applied to this dataset. Will DHS be strengthening their protocols to provide the same level of access security as the myHR set? Or will the Framework be selectively applied so researchers don't cherrypick their data custodian to be the least red-tape-strewn path to the data they want?
The next section highlights the need for approval from AIHW's Human Research Ethics Committee (HREC) prior to access to identified data, and that ethical approval may be required to be obtained before de-identified data be accessed.
Readers not familiar with the HREC process may be concerned that there is any mention of access to data without ethical approval. For truly de-identified datasets, it is not unusual to apply for (and receive) a waiver from full HREC approval for studies without identified data. The issue for the myHR data, of course, is that it requires a high degree of confidence in the successful de-identification of the data.
The remainder of the section on processes seems to have an unfortunately large focus on reducing duplication of effort, cost, or delays - which in this case, may not be ideal; even as someone who frequently swears about the complexity of the HREA form, it has a valid role to perform in the protection of research subjects from exploitation of their data, and risks to their privacy.
This chapter was the most pleasantly surprising to me of the Framework, as it deals sensibly with some of the risks of linkage, some of which I discussed in my presentation. Even better, it applies a sensible risk mitigation approach (are there alternate methods, or is there a lesser level of linkage that would suffice?) and requires the involvement of an expert with experience in data linkage to critically assess the application. All linkage projects require ethical approval, which I think is required.
I'm no fan of bureaucratic weasel-words, and this section features them in abundance - "...render the risk of re-identification as very low....balanc[ing] maximising the benefits of using the data with the risk of breaching an individual's privacy".
The first principle of the chapter also places the onus on the Board for "ensur[ing] that contemporary de-identification methods...are appropriately applied" - which would seem to me to be more an issue for a technical advisor, or linkage expert, rather than the general Board itself. As part of this process, the Board will "obtain...assurance from an expert that the risk of re-identification is very low"; what if the expert disagrees? What is the definition of "very low"?
Despite these concerns, it is positive to see that the contracts for access to data will include mandatory notification of data breaches to the Office of the Australian Information Commissioner. In addition, the higher risk a project is deemed to have, the more detailed monitoring activities and reporting will be required as part of the Conditions of Use agreement.
Unfortunately, the risk mitigation penalties fall under the MHR Act and the Healthcare Identifiers Act - both of which allow exemptions for accidental misuse. Furthermore, the Privacy Act does not consider de-identified healthcare data as healthcare information, and therefore not sensitive personal information under the Australian Privacy Principles. Future Wise would like to see these loopholes removed; sure, bad things can happen, but sanctions for "inadvertent" misuse may help sharpen the focus of those using the data.
Also, as we have discussed, breaches of confidentiality are one-way doors, and any sanctions imposed will not put an individual's leaked healthcare data back into the box.
I alluded to some of the issues surrounding data quality with the example in my previous post. It is pleasing to see that consideration is also being given to how the changes in dynamic consent models as the technology matures will be scrutinised for their effect in biasing the data.
Unsurprisingly, Australia's biggest big-data win - Fiona Stanley's linking of folate levels to neural tube defects is listed as first in the chapter of amazing examples. I have had words about the generalisability of this example before on my personal blog.
Possibly equally unsurprisingly given current political circumstances, the second example was the analysis of statin prescribing following the now-retracted story on Catalyst (also previously discussed on my blog).
Moving into the realm of more speculative future planning, the chapter includes a fairly sensible example about enhancing post-marketing surveillance of new medicines or medical devices; this would hopefully allow earlier signals on potentially unsafe medicines or devices (for example the transvaginal mesh for incontinence which has recently been the subject of a Senate inquiry).
More concerning is the third example on one of the current "trendy" areas in health services research - patient pathways:
MHR system data will be one of the first datasets to allow analysis around how a person moves through the Australian health system. The application of time series analyses or multi-service provider analyses upon MHR data is likely to yield new insights and even enable a degree of ‘forecasting’ capacity for health system planners in the future.
As a hospital clinician, I appreciate the potential utility of better health service planning. However, this is dual-use research if ever I've seen it.
Inclusions and Exclusions
Use by insurance companies is specifically excluded; however, there is a gamut of other health-related organisations that would not be covered - like pharmaceutical companies, for example.
The use of myHR data by Centrelink or the ATO is specifically disallowed, however, I am still not reassured by the security clause:
"criminal and/or national security investigations [are not permitted], except as required by law (e.g. use to investigate the interactions of individuals with the health system as part of assessing their behaviour)."
Given the expansion of National Security apparatus over the last few years - and the warrantless access to Telecommunications Data, I think that "except as required by law" is the legislative equivalent of "unless we feel like it".
Overall, I am a little surprised to say that the Framework is actually better than I expected it to be. There are still a number of areas for improvement, and (as someone who would, time-permitting, probably consider applying for a position) the Board seems to carry too much direct responsibility.
Future Wise will engage with the Data Use and Availability Commissioner, when one is appointed, and will continue to be involved in discussions about the best use of our data.
Image credit : Copyright 2018, Commonwealth of Australia (Department of Health) - believed fair use