A legislative ban on storing data for personally controlled e-health records (PCEHR) overseas could inadvertently prevent consumers from accessing their records while abroad, according to IT services company CSC.
The legislation currently before parliament that will enable the PCEHRs has a requirement "not to hold or take records outside Australia". This is designed to prevent Australian customer data to be held outside of the country where there is less control over privacy of the data held, but, as CSC Healthcare Australia New Zealand national director Lisa Pettigrew noted, it could effectively ban patients who are overseas from accessing their own data because data from the records may be cached outside of Australia.
"CSC understands the intent of this section to limit storage of records in repositories overseas; however, as written, this section will evolve to become problematic with the proliferation of devices used by consumers. Consumers will access their data via mobile devices overseas, and this will result in data, de facto, being accessed and potentially held or cached, outside of Australia," she said in a submission (PDF) to the parliamentary inquiry on the legislation.
"This may be more effectively managed through the repository operator registration processes."
While Pettigrew said that it was not the intent of the legislation to prevent access overseas, that could be the implication of the wording of the legislation.
CSC also said that the legislation needs to have flexibility built into it, as technology advances at a rapid rate. While the legislation allows for updating of records as they would be entered manually today, Pettigrew said that it doesn't account for possible future transaction possibilities, such as via Bluetooth.
While the company said it was "noble" that the intention was that only healthcare providers would be able to modify the health summary in a PCEHR, it said that for busy healthcare providers, this would lead to delays in uploading information about patients, and instead suggested that consumers should be able to update their records with a summary approved by that healthcare provider.
Security for e-health records has been a strong focus of the implementation ahead of the 1 July deadline. The records are not stored centrally, instead by "registered repositories" that are located in Australia. These repositories provide a summary view of a consumer's information to the PCEHR system. NEHTA has said that this is designed to avoid a "honey pot" of centrally stored data. These repositories have mandatory breach-reporting conditions well above the reporting obligations in current privacy legislation.