Patient-centric Privacy


Overview and Context

The following is the American Health Information Management Association’s view on Patient-centric healthcare.

Patient-centric healthcare can be difficult to describe. There is not much evidence to define just what types of healthcare or health IT systems positively impact patients and engage them in their care, Rein says.
However, three characteristics of patient-centric care have emerged. A patient-centered healthcare system gives patients the ability to communicate effectively and immediately with their providers. It provides patients access to information that is important and useful for them, when they need it.
Finally, patient-centered health IT allows providers to look holistically at an individual and treat them through the coordination of other providers.

“There are a number of other things you can build onto that, but we are still at the very, very beginning of what I imagine will be a huge innovation curve,” Rein says. “At this point we are not exactly sure what, truly, patient-centered healthcare is. I think everybody just agrees that we don’t really have it.”

First Steps to Patient-Centered Care: Meaningful Use Focuses Industry on Baby Steps

In light of the rapidly changing field of healthcare, the APF concentrates in this submission on the privacy implications of Patient Centric health care; the submission is largely informed by the above source.

Privacy in a Patient Centric environment means that there should be a recognition that privacy is a dynamic issue; the needs and constraints associated with a patient’s privacy can change according to circumstances. In general, risks to patient privacy should be commensurate with the value of sharing their data, as perceived by the patient.

APF suggests that any strategy or initiative for eHealth in Australia should adopt a Patient Centric view; specific solutions and initiatives should comply with this perspective and they should have clearly defined purposes and value. If existing solutions do not comply with this perspective, they should be replaced or modified to comply.

We contend that in order to maximise the use of patient health data as well as for the patient to have proper input and control over privacy aspects of that data, the scope of Australian health record data should include that managed and stored by any Australian health service provider. The scope should also include any personal or health data provided by the patient (in addition to that provided by health care professionals) and integrated with other Australian health record data.

Recommendations regarding privacy in a Patient Centric Health environment

The following are essential privacy principles for health information data that should be applied to any and all eHealth initiatives in Australia.

  1. The patient owns their data;
  2. The patient should be able to decide who is (or are) to be the custodians of their health data;
  3. The patient owns and controls their data sharing policies. This control should extend to the patient deciding that no health data should be kept by a third party of any sort;
  4. Data sharing policies should be dynamic and context dependent;
  5. Patient health data must be capable of being treated as an integrated whole so that privacy can be managed and achieved on the basis of all health and related personal data, not just some;
  6. Patient health data should be primarily managed from the perspective of the patient, their needs and their privacy;
  7. Patient health data, as perceived by the patient, should include all of their available health data;
  8. Notwithstanding the patient’s perspective, all health data created by pathology, specialists and other health service providers should be capable of being integrated into the patient’s health data in a way that is meaningful from a health care perspective;
  9. People who access patient data should have a health care based need to know and should justify that need to know at the time of access;
  10. The patient should be able to find out who (at the individual level) has seen their data and why;
  11. Patient health data should be stored, made accessible and have privacy controls imposed in as near real-time as possible;
  12. Patient health data should be as accurate and consistent as possible. This is obviously a difficult requirement; notwithstanding this difficulty, the system that manages the data should be capable of detecting inconsistencies and highlighting them to both the patient and health care professionals;
  13. Secondary use of patient data should only be done on an explicit consent basis;
  14. Specific and explicit consent should be sought if patient health data is to be linked to other personal data;
  15. Any data that is extracted from or used by non-healthcare third parties should have an explicit life and purpose, after which it is destroyed; and
  16. There should be a dispute resolution process, overseen by a body independent of government and health professionals, which has the power to review and enforce privacy mitigation actions, correct data, as perceived by the patient, and award appropriate compensation.

Note: The material on this page has been extracted from the APF’s submission to the Australian Digital Health Agency as part of their consultation process in developing a national eHealth Strategy in 2016-17.

A full copy of the submission is available here.