Patient portal is not a solution to privacy issue EHR
Minister Schippers' new EHR law has been creating confusion in the Senate for a year. For neither patient nor doctor is it clear who will soon be able to access medical data after giving permission. After two years of murky debate, the minister wants to let patients sort it all out themselves. In doing so, she wrongly avoids the fundamental privacy discussion.
The bill to form the legal basis for the privately relaunched Electronic Patient Record (bill 33509) has now been held up by the Senate for a year. The Senate has well-founded doubts about the bill, which is supposed to regulate, among other things, how a confidential treatment relationship is to be guaranteed when medical data are made digitally accessible. Early last April, Senate members invited a panel of experts for the second time to comment on the bill. SpecificAuthorisation.co.uk was one of the invitees at this recent expert meeting and provided written input prior to the meeting (PDF).
SpecificAuthorisation.co.uk is an independent campaign that was launched after the bill was introduced in 2014 launched initiated by the Privacy First Foundation and the Civil Rights Protection Platform. The core of this campaign is that specific consent should (again) become the guiding principle in the exchange of medical data. The campaign will be supported by numerous civil society organisations, healthcare providers and other professionals.
SPD still given legal basis
Minister Schippers' current bill is primarily intended to provide a legal basis for the LSP (National Switch Point) system for which the Senate unanimously rejected legislation in 2011. SpecificAuthorisation.nl spokesperson Vincent Böhre stated at the expert meeting, "The infrastructure of the SPD was continued by private parties in the form of the National Switch Point. That's how we saw it at the time and that's largely how we still see it, with all the defects that were in the infrastructure at the time and are still there. In our view, the infrastructure is too large-scale and inherently insecure, with generic, undirected and indeterminate permission."
SpecificAuthorisation.co.uk has been highlighting the lopsided consent that patients can give under the new EHR law since the bill was introduced. Partly due to pressure from this campaign, giving generic (broad, undirected) consent was removed from the law by the House of Representatives in 2014. A step in the right direction.
However, since the Lower House deleted generic consent, the law only became more complicated. Minister Schippers introduced a new form of consent called "specified consent", which raised many questions during the Senate debate and expert meetings held there. Anyone looking closely at the section of the law (15a) on "specified consent" should conclude that this could still mean a very broad, lopsided consent that does not address the original objections to generic consent.
Moreover, as Minister Schippers herself was later to note, current systems (read: the LSP) are not equipped in their design to enable anything other than generic consent - including her own "specified consent". Until that happens, the minister wants "for a three-year transition period, a generic 'yes' or 'no' will suffice", she wrote to the Senate in December 2015. In other words, if it is up to the minister, generic consent will still become the standard way of giving consent.
Sensitive point hit
SpecificAuthorisation.co.uk wrote a letter to the Senate about this, pointing out that generic consent, even for three years, was unacceptable, referring to the House of Representatives' amendment deleting generic consent from the bill. In response stated on the contrary, the minister reiterated that there was no intention to ask for generic consent at all: "It is not that the consent question is generic. [...] However, the answer to the consent question can be generic," the minister said. According to specifiekeToestemming.nl, this is an incomprehensible line of reasoning, which illustrates the twists and turns in which the interpretation of this bill must be twisted in order to still legitimise the lopsided consent that Minister Schippers wants to introduce. After all, a generic answer to a specific question is a contradiction in terms. SpecificAuthorisation.nl spokesman Vincent Böhre said at the expert meeting: "With all due respect, her letter comes across to me as juggling terms, which only makes things more unclear. We find the minister's position on this incomprehensible. We had apparently hit a sensitive point with our letter to the Senate."
According to minister Schippers, the question "may I make your medical data accessible to all healthcare providers connected to the system?" is incidentally a specific question, so appears from her letter. SpecificConsent.co.uk strongly disagrees. After all, when a patient answers "yes" to such a question, they are giving broad, unfocused consent where it is not clear in advance who can access what data for what reason - in short, little specificity.
Patient portal introduced in haste
However, the whole discussion about generic, specified and specific requesting or giving consent is left for what it is by minister Schippers. In her last detailed letter she is striking out in a new direction when it comes to the ultimate goal of this law: in the future, patients should have full control over who has access to what medical data. This is to be done through an online patient portal, according to the minister's proposal.
"We think this is an irresponsible shift of responsibility and also liability in some cases," Böhre stated during the expert meeting. According to SpecificConsent.com, control over the content and access to the healthcare file should first and foremost remain with doctor and patient jointly, as required by medical confidentiality and patient privacy legislation. If the patient has to arrange all this himself, he is given (too) much responsibility, which in practice can quickly turn out to be wrong - both in terms of accessibility of data, but also the non-accessibility of data while this is necessary.
Current legislation regulates that the doctor asks the patient for specific consent, and that should remain the starting point according to SpecificAssent.co.uk. The healthcare provider is almost always better informed about what data is relevant to a care request, and is also legally and disciplinary liable for the quality and confidentiality of this information. This is a responsibility you cannot simply hand over to a patient - certainly not every patient. By setting a self-managed portal not as an additional option but as the norm, the benefits of patients benefiting from it are undercut by the risks of irresponsible management.
Moreover, by focusing entirely on self-direction, Schippers avoids the fundamental discussion on the scope and clarity of consent, which, incidentally, is also necessary when introducing a patient portal. For such an application, which takes place outside direct care, a separate bill alone would have to be written. After all, the bill as Minister Schippers has now presented it does not contain a protective framework for developing "patient confidentiality" and all the issues of responsibility and liability necessary for such a system.
Letter and covering letter From minister Schippers dated 8 March 2016 to House of Representatives in response to Letter SpecificAuthorisation.co.uk to Senate dated 18 January 2016.