Stream: australia
Topic: Government Identifiers
Stephen Royce (Sep 28 2016 at 00:00):
Houston, we have a problem.
Stephen Royce (Sep 28 2016 at 00:07):
Following discussion on the HL7 Aus Patient Admin group, we looked further into the legality of using government-issued identifiers such as the Medicare Card Number. It turns out that principle 9 of the Australian Privacy Act is pretty clear that you cannot do so although there is a small loophole in that you can persist or share them as "identifying information" (the same applies to name, address, &c., by the way). The question now arises: does putting a Medicare Card Number in Patient.identifier make it an identifier, or does that still only qualify as identifying information?
Stephen Royce (Sep 28 2016 at 00:07):
Incidentally, it's also illegal for the receiver to harvest such identifiers from the data.
Grahame Grieve (Sep 28 2016 at 03:34):
clearly only qualifies as identifying information.
Grahame Grieve (Sep 28 2016 at 03:34):
you can't use medicare number as the logical id - that's what it means
Shovan (Sep 28 2016 at 03:45):
if I read it correctly, then Medicare Card Number can be used as Business Identifier (Patient.identifier) of the Patient and it's not conflicting with the Privacy Act 9.. is this a right assumption ?
Stephen Royce (Sep 28 2016 at 03:48):
I don't think it's at all clear that a business identifier is "identifying information". It is, after all, an identifier, albeit in this case, someone else's.
Stephen Royce (Sep 28 2016 at 03:49):
If we share it as an identifier then it's arguable that we're using it as such.
Stephen Royce (Sep 28 2016 at 03:51):
Is the IHI also identifying information even though it's explicitly an exception to the government-issued identifier rule and can be used as an identifier?
Grahame Grieve (Sep 28 2016 at 04:12):
no one else but the MyHR can use it as an identifier. The rest of us can only use it as identifying information
Grahame Grieve (Sep 28 2016 at 04:13):
MyHR has special access to allow it to use the IHI as an identifier
Grahame Grieve (Sep 28 2016 at 04:13):
which is why we can use it as the logical id on the MyHR
Grahame Grieve (Sep 28 2016 at 04:13):
it is quite clear that a business identifier is 'identifying information'
Grahame Grieve (Sep 28 2016 at 04:14):
there can be more than one record in the system with the same driver's license, medicare number etc
Grahame Grieve (Sep 28 2016 at 04:14):
ergo, it's identifying information
Stephen Royce (Sep 28 2016 at 05:48):
You need to have a look at this page: https://www.oaic.gov.au/agencies-and-organisations/app-guidelines/chapter-9-app-9-adoption-use-or-disclosure-of-government-related-identifiers.
Stephen Royce (Sep 28 2016 at 05:49):
Where does it say that Patient.identifier is identifying information? I'd love you to be right, but I need indisputable proof, otherwise we're gonna have to tell everyone to put such things in an extension.
Stephen Royce (Sep 28 2016 at 05:51):
Incidentally, looking at the legislation, anyone is allowed to use an HI number as their own healthcare identifier, not just the My Health Record system.
Stephen Royce (Sep 28 2016 at 05:52):
And that's part of the problem. If I use the same field to send an IHI and a Medicare Card Number, then it can be argued that I'm treating them both the same and since one is a legal healthcare identifier, I could be deemed to be treating the second as such even though I had no intention of doing so.
Stephen Royce (Sep 28 2016 at 05:53):
(And not necessarily in the same resource instance, either.)
Rebbecca Matthews (Sep 28 2016 at 06:00):
If you read chapter 9 in the link Stephen provided, it states:
9.5 An ‘identifier’ of an individual is defined in s 6(1) as a number, letter or symbol, or a combination of any or all of those things, that is used to identify the individual or to verify the identity of the individual.
I would expect that Patient.identifier would come under that use - you are using it as a way to identify or verify the patient's identity. I would tread very carefully in providing advice that any government related identifier - including medicare number, drivers license number, DVA number etc, can be used in this instance. It might be worthwhile getting legal advice on this area.
Stephen Royce (Sep 28 2016 at 07:15):
Incidentally, this is not about the persisted resource, it's about the resource when it's sent to someone else. When it's persisted you can clearly argue that the Patient.id is my identifier and Patient.identifier is simply additional identifying information. However, when I choose to send the resource to someone else, all that context is gone (even though the distinction between id and identifier remains). Now, all I have is a single piece of data with a Medicare Card Number, say, in a field named "identifier". Furthermore, in practice, it's very unlikely that there'd be "more than one record in the system with the same driver's license, medicare number etc."
Reuben Daniels (Sep 28 2016 at 13:42):
Interesting discussion. Does the legislation say anything about using medicare card numbers in things like entitlements as specified in the NEHTA CDA IG specs and, in fact, used/implemented by DHS themselves?
Stephen Royce (Sep 28 2016 at 23:00):
Yes. That's okay because you are using the number to identify their entitlement to Medicare services, not to identify the person. It's a very subtle, but crucial, difference.
Grahame Grieve (Sep 29 2016 at 01:00):
I think you're being unreasonable to demand proof in an official international standard definition in order to conform to an Australian regulatory issue. If you're really that bothered about it, you just document it clearly in the Australian profile. That's what we've done everywhere else
Stephen Royce (Sep 29 2016 at 02:30):
It's not really me who's being demanding; it's the Australian privacy legislation and the advice from the Office of the Australian Information Commissioner. I'm certainly happy to write this up in the Australian profile -- indeed, I intend to do so at length! -- but our reading of the legislation and the advice is that even if we're explicit in that documentation that Patient.identifier is strictly identifying information only, the fact that the underlying standard does not say that could be deemed to invalidate our documentation. Furthermore, and _very_ sadly, even the name of the element could be deemed evidence that the data is an identifier irrespective of what any documentation might say.
Grahame Grieve (Sep 29 2016 at 02:36):
well, I guess we'll just not have to exchange it in any standard then, because all of them call it 'identifier'
Stephen Royce (Sep 29 2016 at 04:16):
I understand that it seems totally crazy, but that is actually what our legal folks are starting to suggest. We obviously don't like it, but there are already e-mails circulating stating that we need to change all our specifications (v2, CDA, XDS, everything) that even hint that you can do this!
Stephen Royce (Sep 29 2016 at 04:23):
Unfortunately, simple good sense is unlikely to prevail on its own, so what I need is ammunition to fight back this wave of insanity!!
Brett Esler (Sep 29 2016 at 04:34):
What does this mean from the act?
Brett Esler (Sep 29 2016 at 04:34):
the use or disclosure is for the purpose of communicating or managing health information as part of:
(a) the provision of healthcare to the healthcare recipient; or
(b) the management (including the investigation or resolution of complaints), funding, monitoring or evaluation of healthcare; or
(c) the provision of indemnity cover for a healthcare provider; or
(d) the conduct of research that has been approved by a Human Research Ethics Committee
Brett Esler (Sep 29 2016 at 04:35):
basically a healthcare provider can supply IHI for these purposes
Brett Esler (Sep 29 2016 at 04:38):
i am pretty sure I could make a case for a patient administration system identifying a patient is part of the 'provision of healthcare to the healthcare recipient'
Brett Esler (Sep 29 2016 at 04:39):
happily there seems to be no definition of 'provision of healthcare'
Brett Esler (Sep 29 2016 at 04:43):
I think the definition of Identifier in the FHIR specs is a pretty good match to IHI usage
"A numeric or alphanumeric string that is associated with a single object or entity within a given system. Typically, identifiers are used to connect content in resources to external content available in other frameworks or protocols. Identifiers are associated with objects, and may be changed or retired due to human or system process and errors."
Brett Esler (Sep 29 2016 at 04:50):
Believe the usage question is up to the implementing healthcare system operator's legal framework - especially as ALL material in a health record has privacy rules associated with it and we are not questioning the usage of that. Systems implemented delivering health care need to address usage concerns all the time. HI is just another one with its own set of rules. Having a representation of one form or another does not change the legal usage issues. Putting HI in an extension does not seem to change anything and just makes things more difficult for implementers.
Brett Esler (Sep 29 2016 at 04:56):
anyhow - right now i'm off to finish up a project that explicitly uses FHIR representation of IHI to enable healthcare providers in the 'provision of healthcare to the healthcare recipient' ;)
Stephen Royce (Sep 29 2016 at 04:57):
IHI is explicitly excluded in its legislation from the general rule governing use of government-issued identifiers, so there is no problem whatsoever with putting an IHI in Patient.identifier.
Stephen Royce (Sep 29 2016 at 04:58):
The same is true for all HI numbers, i.e. HPI-I and HPI-O as well.
Stephen Royce (Sep 29 2016 at 04:58):
The problem is with Medicare Card Numbers, DVA Numbers, Military Health Numbers, &c., &c.
Brett Esler (Sep 29 2016 at 04:59):
What about the thousands of pathology messages each day... this is pretty kooky...
Stephen Royce (Sep 29 2016 at 05:00):
I'm telling you that if anyone actually bothered to look into this, there could be trouble.
Stephen Royce (Sep 29 2016 at 05:01):
But who knows? Maybe they'll decide it's okay (whoever "they" are; perhaps the courts).
Stephen Royce (Sep 29 2016 at 05:01):
But without a ruling the Agency (and HL7 Australia, I suspect) have to be whiter than white.
Stephen Royce (Sep 29 2016 at 05:02):
We cannot be seen to be even hinting at encouraging something that _might_ be illegal.
Brett Esler (Sep 29 2016 at 05:02):
Australian Standards used for procurement already have a specification of representations - so every jurisdiction would be the first target - think this is about usage.
Stephen Royce (Sep 29 2016 at 05:03):
So unless someone can show me incontrovertibly that it is legal, I'm stuffed!
Stephen Royce (Sep 29 2016 at 05:04):
I know, but what the standards say is irrelevant; they don't trump the law.
Stephen Royce (Sep 29 2016 at 05:05):
Which, incidentally, is why we could still be in trouble even if our documentation clearly states that the data is "identifying information" only. (Because our documentation doesn't trump the law either.)
Brett Esler (Sep 29 2016 at 05:05):
I don't think you need to define usage for the representation - can just state follow the usage laws for your jurisdiction - which after all can change anyway... that is true of any piece of information...
Stephen Royce (Sep 29 2016 at 05:06):
We can tell people how to represent a Medicare Card Number, we just can't tell them "Put it in Patient.identifier."
Stephen Royce (Sep 29 2016 at 05:07):
In fact, we may be obligated to tell them "Don't put it in Patient.identifier."
Brett Esler (Sep 29 2016 at 05:08):
why not? it is just a representation - if I share your personal medical history on a web site then my usage is illegal regardless if it is FHIR, CDA or a word document
Stephen Royce (Sep 29 2016 at 05:08):
Because there's a risk that it could then be deemed that the Medicare Card Number is being used as an identifier of the person which is illegal.
Brian Postlethwaite (Sep 29 2016 at 05:10):
You could make that assertion if you put it in an extension also.
Might also consider that there are more uses than just sharing between external organizations where these cases are.
There are plenty of uses where you want to share this content internally within an organization between applications, and these need these representations also.
Stephen Royce (Sep 29 2016 at 05:11):
That risk does indeed exist, but there's a _lot_ you can do to mitigate against it so that the risk is virtually nil.
Stephen Royce (Sep 29 2016 at 05:13):
The same rules still apply to internally sharing the data within an organisation. In fact, the risk is probably greater there. Between organisations, it's easier to argue that I'm just sharing some data I know about this person; within an organisation you have much greater control of how things are said and so you have less wriggle-room.
Brett Esler (Sep 29 2016 at 05:14):
all information is under a legal framework of usage; where it ends up in a representation is irrelevant in court....don't get why we need to police this in the representation especially as the rules can change from scope of use, jurisdiction and also by changes to legislation
Brett Esler (Sep 29 2016 at 05:15):
i am not saying ignore the rules; just don't need to enforce them here...
Stephen Royce (Sep 29 2016 at 05:15):
That's not the advice we're getting. We are being told that where "it ends up in a representation" is one of the key pieces of evidence used to determine whether a breach has occurred.
Stephen Royce (Sep 29 2016 at 05:17):
The argument is that if it is represented in a data item named "identifier" it _might_ be hard to argue that it's not being used as an identifier.
Stephen Royce (Sep 29 2016 at 05:17):
But again, who knows. Until a case goes to court, we're in the dark.
Brett Esler (Sep 29 2016 at 05:17):
As long as the jurisdictions get sued first i'm happy...
Stephen Royce (Sep 29 2016 at 05:18):
And for us, being a government agency, we have to walk well clear of any possible lines here.
Stephen Royce (Sep 29 2016 at 05:18):
Re jurisdictions being sued first:
Stephen Royce (Sep 29 2016 at 05:21):
The really annoying thing is that it's quite likely that no-one will ever care, but we still have to go to all this trouble just in case someone might.
Grahame Grieve (Sep 29 2016 at 06:21):
strictly, medicare number is a coverage identifier
Grahame Grieve (Sep 29 2016 at 06:21):
not a person identifier
Grahame Grieve (Sep 29 2016 at 06:21):
but we're not proposing to use it in person.identifier, but in patient.identifier.
Grahame Grieve (Sep 29 2016 at 06:22):
you should explain the difference
Stephen Royce (Sep 30 2016 at 00:10):
You're quite right; a patient is either not a person (e.g. animal) or it's a person strictly for the purposes of receiving healthcare and so, ontologically, they are not equivalent. And that might've been a way round this whole mess, but unfortunately the legislation (or maybe the OAIC advice, I can't remember) explicitly mentions healthcare identifiers as an illegal use and it would be challenging to claim that Patient.identifier is not a healthcare identifier.
Stephen Royce (Sep 30 2016 at 00:12):
And yes, in our discussions with NIO, we have already decided the (very limited) use made of Medicare Card Numbers will be treated as coverage identifiers.
Stephen Royce (Sep 30 2016 at 00:12):
In fact, that was one of the things that prompted this discussion.
Grahame Grieve (Sep 30 2016 at 00:35):
given what you've said, I don't see how associating the coverage identifier with the patient directly - whether by using Patient.identifier, or an extension - is going to be allowed in agency specs. But HL7 Australia need not be so conservative; we can quote the regulations and say that if you still want to use it as identifying information, it goes in Patient.identifier
Stephen Royce (Sep 30 2016 at 01:26):
We can certainly use it as a coverage identifier -- there's no question about that -- because that identifies the coverage, not the patient or person. We've done this for a long time and is one of the main reasons that we have Entitlements in our Participation specification. (We also handle Prescriber Number in this way.)
Stephen Royce (Sep 30 2016 at 01:28):
I think, as well, you may find that the HL7 Australia Board may not agree that they can be less conservative. (Just saying; and I hope I'm wrong about that.)
Rebbecca Matthews (Oct 03 2016 at 05:05):
I think there may be too much overthinking the situation. It is not the role of the Agency or HL7 AU to enforce the APP legislation, but neither can either encourage people to breach legislation. This means not providing examples of how government related identifiers, including but not limited to Medicare Nos, drivers license numbers, passport numbers, DVA or even tax file numbers, can be used to identify patients in healthcare systems. Whether vendors etc currently do this or will do so in the future is not for us to police. Only to provide appropriate guidance in the correct use within the Australian domain.
Rebbecca Matthews (Oct 03 2016 at 05:09):
Actually I would disagree with that comment Grahame that the HL7 AU Board need not be so conservative. Given the legal obligations healthcare providers have around APP, should a system be developed that causes breaches of the APP, and a provider and/or vendor is sued, as a member of the Board, I would not want to be held accountable due to a recommendation we made. As you have mentioned, this can be managed in the Australian profile, but making any recommendation that promotes the breaching of legislation is not something HL7 Australia should consider.
Grahame Grieve (Oct 03 2016 at 05:17):
of course not. But Stephen is advocating an extremely conservative position, where putting these identifiers in an element named 'identifier' is somehow inferred to imply that the Agency is approving using these as primary identifiers, not just as identifying information. HL7 Australia should not be constrained in this fashion. while of course, HL7 Australia should still point out the difference
Grahame Grieve (Oct 03 2016 at 05:18):
for HL7 Australia, this should not be an issue; we've been doing this for ages with the other specifications
Brett Esler (Oct 03 2016 at 05:25):
The FHIR description of an Identifier would seem to make sense for Medicare Number; it is connecting the Patient to the Medicare usage... which has its own framework and set of protocols... this seems to be a very good description...
"A numeric or alphanumeric string that is associated with a single object or entity within a given system. Typically, identifiers are used to connect content in resources to external content available in other frameworks or protocols. Identifiers are associated with objects, and may be changed or retired due to human or system process and errors."
Brett Esler (Oct 03 2016 at 05:26):
Who wrote that? It is a very well considered description....
Grahame Grieve (Oct 03 2016 at 05:26):
thx
Stephen Royce (Oct 03 2016 at 23:05):
The problem here is not just that it's named identifier; indeed, if that were the only problem, I don't think we'd be having this discussion. The problem is that the identifier element is used to carry both identifying information, say a Medicare Card Number, and primary identifiers, say an MRN. Unfortunately, that muddies the waters and means it's arguable that since one is a primary identifier, all are. Furthermore, not that I have anything against Grahame's description, but it equally applies to primary identifiers, so you cannot use it to rule out the fact that the Medicare Card Number is being used as such.
Grahame Grieve (Oct 03 2016 at 23:24):
I think you are wrong to expect a policy question to be reflected in the content model. All of these things *are* identifiers. There are applicable policies that define when and how they should be used to identify things. Since the policy applies to the identifier by definition, it's neither here nor there whether the representation has a flag on it. Say we added a flag - would the absence of the flag affect whether you could use the identifier in a particular way? No, it wouldn't, and shouldn't. So it should - in any rational world - be enough to say 'this is how to represent it as an identifier and, don't forget, there's policy restraints on its use' (as we always have done). However I'm aware that we are rapidly leaving the rational world
Grahame Grieve (Oct 03 2016 at 23:25):
e.g. a new mooted law to make re-identification illegal....
Stephen Royce (Oct 04 2016 at 00:15):
I totally agree with you. This all seems big-time overkill/overreaction to me, but unfortunately the risk is real.
Andy Bond (Oct 04 2016 at 02:15):
I'm assuming none of us are privacy lawyers here. Seems we have at least three realms of potential specification use ... international, national, and agency specific. I agree that we (Australian use) shouldn't give examples or recommendations for use that explicitly breaks Australian law. However, I also don’t think we should prohibit a mechanism that may be used quite appropriately. Separation of policy and mechanism comes to mind. Any Australian profile should appropriately reference any known and pertinent policy constraints.
Last updated: Apr 12 2022 at 19:14 UTC