EHRs: Safety vs Privacy & the ETTO Principle

A little while back I posted about the challenges a family member faced after forgetting to bring their medications when they came to visit us. In that post, I referred to the Electronic Transfer of Prescriptions (eTP) and I’ve now taken a closer look at this system and discovered some useful features, but also significant room for improvement and expansion. First up, the broader system is referred to as “eMedication Management” (eMM), of which the eTP is a part. Essentially any script that is printed out by a doctor should include a barcode or QR code, and the script information is uploaded into the cloud (aka “Prescription Exchange Service” or PES) as an “ePrescription”. This eScript can then be retrieved at any participating pharmacy by using the code on the script. This is to reduce the risk of transcription errors between doctor and pharmacy, and between subsequent pharmacies for repeat scripts, as well as to save dispensing time. Unfortunately, the patient still requires the paper script with the code in order to access the eScript at a pharmacy. Many people leave their scripts with their regular pharmacist for reasons of convenience or not wanting to lose it. This means that to get a script filled at a different pharmacy, they are dependent on phone calls, faxes and their GP or pharmacy being open at that time. Surely in this day and age when we can pay for a coffee with our smartphones, there should be a way we can access our eScripts with a “Smart Medicare Card” or via the Wallet app on our iPhones?

QR code from an “ePrescription” in the eRX “Prescription Exchange Service” (PES)
Barcode from an “ePrescription” in the MediSecure PES

And there has actually been some progress in this direction. Around the same time I was looking into eMM, I made another interesting discovery related to these eScripts and PESs. I was started on a new medication called Humira, which is a fortnightly injection. When I went to fill the script, the pharmacist said they would need to order it in, and suggested I download an app called MedAdvisor. Once I had registered, it would then notify me when the medication arrived. So I downloaded it but then forgot to activate it. But I remembered to get the medication anyway and went on my merry way. A little while later, I noticed the app on my phone and decided to take a closer look at it. I entered my details and registered, and then BAM! The screen quickly filled with ALL my current medications, not just Humira. I gather it had tapped into my details in the PES, and now I had in my hand a list of my current medications including strengths, doses, estimated days left, number of repeats left, and you can even set up notifications & reminders, and request your pharmacy to fill a script for pick up or delivery. It should be immediately obvious for anyone who’s on multiple medications like myself, or has family members or cares for people who are, how potentially useful such an app could be. However, there is still no way to use this app to fill one of my scripts unless the pharmacy has the hardcopy.

Screenshot from the MedAdvisor app showing some of my medications

Of additional interest to me as a doctor is that this cloud-based PES can also feed eScripts into the “My Health Record” (MHR) system. The MHR is an interesting beast in and of itself, and I hope to do a post focusing on it specifically soon, but for now, all you need to know is that it is an “opt-in” “Electronic Health Record” (EHR) set up by the federal government. So, if you have opted-in, and most people haven’t, you can log into your MHR and view your prescriptions including drug name, date it was prescribed, strength, form and the directions for consumption. This also means that if you give permission to another healthcare provider, carer or family member, they can also access your list of prescriptions. Again, at this point, any healthcare practitioners should be able to see the potential value of this kind of system. Especially for those working in Emergency Departments and pre-admission/pre-operative clinics, but pretty much any situation where you may be seeing a patient for the first time and need an accurate medication history.

But, while these eMM & MHR systems already have this extremely useful data within them, accessing them can be problematic. I suspect this may be due to concerns around data breaches and privacy slowing the development, roll-out, advertising, and adoption of these systems. The fact that the MHR is opt-in rather than opt-out (although that is about to change) is probably related to these concerns. People have heard horror stories of data breaches and have legitimate concerns about their privacy, but have probably heard little if anything about the benefits these systems can provide, and that they may one day save their life. Patient confidentiality is important, but almost inevitably, trying to prevent illegal access to a system will also make it harder for legal access as well. In the same way that making it harder for someone to break into your house may also make it harder for you to get out during a fire, by improving patient privacy you may also jeopardise patient safety.

As I thought about this issue, it occurred to me that it has some parallels with the “Efficiency-Thoroughness Trade-Off” (ETTO) principle that Erik Hollnagel uses to describe variations in human and organisational performance. Hollnagel describes how, because of this principle, it is never possible to maximise efficiency and thoroughness at the same time. Does a similar concept apply to privacy and safety in the setting of EHRs? How do we balance efficient access when needed to optimise patient safety (and reducing Patient Work), with having thorough systems in place to maintain privacy? Is it possible to maximise both at the same time? If not, which do we prioritise? And should the trade-off decision be built into the system, or up to the individuals using the system?

My opinion, as both a doctor and a patient, is that as things currently stand, we have swung too far towards privacy, and need to rebalance back towards safety. The concerns of some individuals about protecting privacy have resulted in systems that prioritise preventing illegal access, thus making timely, legitimate access more difficult, thereby compromising patient safety. Patients who would gain from increased sharing of their information unwittingly miss out on these benefits, and extra work and expense is required for healthcare providers that need this information to treat patients quickly, effectively and safely. I think we can do a better job of explaining the issues to the general public, showing them how beneficial these systems can be, and also that they can still retain significant control over who can see what information, though realising no system can ever be 100% secure. If some people are determined to maximise their privacy and are prepared to forgo the benefits of such a system and potentially jeopardise their safety as a result, they can then choose to opt-out completely, while those that are happy to share their data and accrue the benefits that come from it, remain free to do so.

But privacy isn’t the only issue. There are also some usability problems. To access the MHR, you need to go through the myGov portal. But when I first set up myGov, it gave me what seemed to be a randomly generated username that I had little chance of remembering. Subsequently, I was able to set up my mobile number or email address as my username, but it took me a while to realise this and make the changes.

Another issue was discovered when I went to log in recently and was taken to the two-factor authentication screen. However, my phone was in for repair at this time, and when I clicked on the “I-did-not-receive-my-code” link, I was presented with the following:

So I was unable to log in to myGov without my phone and my only option was to go through the process of creating a new account. I suspect this significant usability issue is again due to an overemphasis on privacy. And not having an alternative means to access the MHR is a significant issue, especially in an emergency, or if the patient is unconscious. And does this requirement to create a new myGov account increase the risk of “Duplicate Patient Records” within MHR, further compromising patient safety?

I encountered further usability issues once I successfully logged in. Menu headings and descriptions weren’t always intuitive, and even when I found the information I was looking for, often I wasn’t able to remember where I found it, and I had to discover it all over again during subsequent logins. And it seems my eScripts weren’t located where I expected them to be. I had seen some mention of consent being required for this option, and I don’t explicitly recall giving it (though I would’ve if I’d been asked) so that may explain the empty “Prescription and Dispense Records” page which is where eScript information should appear:

But then, somewhat strangely, I discovered this information was available elsewhere in my MHR. There was another page which included a “Medicines Preview” that had the “Latest Dispense” information for all my medications:

And also a page in the Medicare section that displayed “Prescription information” from the Pharmaceutical Benefits Scheme (PBS):

So even in a system that seems to have an overemphasis on privacy, here was some of my personal health data for which I don’t recall giving my consent. Not that I minded, but the whole experience made me question the planning, design and implementation of the whole system.

So yes, there are definitely some issues that need to be ironed out, and usability testing and user-centred design can help with that. But the potential gains for patient safety and healthcare efficiency are enormous, so we need to find a way to capture these improvements, while still trying to protect patient privacy. Given we are heading towards an opt-out system, I’ll finish with 5 suggestions, derived from my experience as both a provider and consumer of healthcare services, to try and improve the system, and to hopefully provide some necessary flexibility and choices that can help manage the trade-off between privacy and safety:

  1. Promote the benefits of the MHR and associated systems, and how impaired access to medical records can contribute to poor health outcomes.
  2. Provide well-designed options for patients to control what information goes into the MHR, who can see it, and through which systems, devices and apps it’s available.
  3. Encourage further adoption of the MHR system by healthcare providers, especially hospitals, so that they can both contribute data to their patients’ records, but also utilise the existing data that is available.
  4. Greater investment by government and software developers in usability testing and user-centred design, and engage patients & carers in co-design to make Patient Work more efficient.
  5. Develop a “Smart Medicare Card” or app, with due attention to, but significant user control over, security such as PINs, fingerprint recognition and two-factor authentication. This can then be used, for example, to fill scripts, present referral letters, access scan reports and blood test results. In the meantime, encourage patients and carers to take advantage of apps like MedAdvisor.

I think there will always be some tension between the goals of privacy and safety in relation to EHRs, but I would prefer to see a system develop where patients have significant control over how that tension is resolved for the various components of their own medical records, rather than having it imposed on them by the system. My suggestions are by no means perfect, nor exhaustive, and I’m always concerned about unintended consequences, but I’m hopeful that they, and my experiences described above, might help stimulate some further discussion on this important topic. And I’m keen to hear suggestions and experiences from others too.

[Edit 180726: I’ve written a follow-up post here, discussing the problems that have arisen since the opt-out period began]

Hollnagel, Erik. The ETTO Principle: Efficiency-Thoroughness Trade-Off.