Privacy and confidentiality

Of high importance to psychologists is one of the central pillars of the eHealth record system - that the consumer receiving health services will have final say over access to, and use of, their electronic health record.

The documentation released by NEHTA and the proposed legislation all indicate that there will be ways in which the consumer can exercise personal control over the electronic health record. This is the ‘personally controlled’ aspect of the eHealth record:

  • The Nominated Provider (in most cases the consumer’s GP) must seek agreement from the consumer regarding what will be placed on the Shared Health Summary
  • All health providers must seek approval from the consumer regarding what will be included in an Event Summary
  • Consumers will be able to indicate which health providers will have open access to their eHealth record and to whom it may be limited
  • Consumers will be able to engage in a process to ‘effectively remove’ a document if they no longer want it to appear on their eHealth record.

These provisions have clearly been matters of considerable discussion as they constitute a significant limitation to the completeness of the record. However consumers who have been subject to trauma, sexual assault or who experience mental health disorders and have received treatment for these may justifiably want to limit the access to such records.

It has also been established that under emergency circumstances when the consumer is not able to be fully engaged in the consent process, the eHealth record may be opened, including those sections that have been subject to limited access. This will not include those documents that have been effectively removed.

Information from psychologists that may be in an individual’s eHealth record

  • An event summary of services or events of importance to the individual from an approved psychologist
  • Reference to an event report from an approved psychologist in the shared health summary
  • A psychologist’s formal assessment report (if the individual consents) in the specialist letters section
  • Reference to a psychologist’s entries in general organisational files in the discharge summary of that organisation

What the eHealth record will NOT contain

  • A psychologist’s personal client files
  • Any report sent to a GP or specialist in relation to the individual where this has not been consented to by the individual
  • Any reports of psychological services prior to 2012

Authentication and security

It is also of utmost importance to psychologists that storing and sending information online will not affect the security, confidentiality and trust with their clients.

The National Authentication Services for Health (NASH) is a system under continuing development which will allow healthcare providers and organisations under the eHealth system to be accurately identified before they are able to access secure health information electronically. NASH will ensure that all requests come from a legitimate healthcare provider by requiring either a HPI-I or a HPI-O, and will then check and authorise the HPI-I or HPI-O that has been supplied.

To enable use of the eHealth record system from 1 July 2012, individual health service providers and organisations will be issued with an authentication token with a NASH certificate to enable authentication when accessing an eHealth record. At this stage it is still under discussion whether the authentication token will be a smartcard/swipe card or a USB stick. It will be the responsibility of participating health service organisations to register the HPI-I of all individual health service providers to enable the authentication token with NASH certificate to be issued.

You may already be familiar with authentication certificates if you use the Public Key Infrastructure (PKI) service and HPOS system with Medicare.