Rob Hosking wrote:
Dear All
I would be interested in other people's ideas to respond to this e-mail
from Paul Oppy at Austin Health.
Dear Dr Hosking,
Wendy has probably responded to you by now, letting you know that she
will remove your email address from her list, so that you don't receive
unencrypted email from Austin.
gee, that solves the privacy issue doesn't it?
I'm responding to you, as Chairman of the Privacy and Security Committee
of the GPCG, on the wider issue of email encryption as it affects all
GP’s with whom Austin communicates via email.
As Director of Information Technology at Austin, I respect and share the
concern of the GPCG about the confidentiality of email messages.
However, I'd like to explain why Austin persists with unencrypted email
and ask your advice.
This issue was considered very seriously by Austin's Privacy Committee
before our current policy was adopted. The recommendations of the
Privacy Commissioner were considered. On balance, the Committee decided
that the benefit of rapid and reliable email communication to GP’s
outweighed the risks to patient confidentiality. Hence, GP’s were
offered the option of receiving messages via unencrypted email if they
preferred that to faxed messages. About 10% of GP's took up that offer.
Recently, Austin consulted the Health Commissioner's Office on this
issue. In brief, the response was:
The law does not state that you _cannot_ email without
encryption, although we are required to take reasonable
steps to prevent patient information from being lost or
misused and we need to weigh up the benefits of emailing
information against the risks.
maybe not, but the racgp says
http://www.racgp.org.au/downloads/pdf/20021014privacy.pdf
5.3 Electronic transfer of information
The use of electronic means for transferring personal health information
will sometimes make it easier to transfer large quantities of
information. However, the principles governing the electronic transfer
of information are no different from those governing other means of
transferring health information. Secure encryption protocols must be in
place, and medical practitioners must ensure that these are operating
effectively.
perhaps they might be directed to the racgp for some education; i
believe their guidelines were based on legal requirements for privacy
yes, it would be easy to send unencrypted; a bit more googling would
probably find a federal statute forbidding the practice
Reasonable steps could include:
+ Have an email audit trail of emails that fail – Austin
has this.
+ Ensure that information on patients who have opted out
is not sent out – Austin also has this in place.
+ Have email guidelines that list certain precautions,
e.g. check email addresses, do not use distribution
lists to send patient information, etc. Austin’s
Privacy Committee approved our emailing guidelines
last year.
+ Ask GP’s if they prefer their patient information by
fax or email. We currently do this and our GP database
reflects their preferences.
The Commissioner’s Office thought that emailing is not
necessarily any more dangerous than faxing. It could even be
argued as safer and the risk of fraud or identity theft of
health information is low.
it could be argued that the commissioner's office is populated by
idiots; if they don't know the problem with transit interception of
e-mails (and their public nature, like postcards) versus a single
*wrong* recipient if the fax number is wrong, then they too need a swift
enlightenment, as their understanding is minimal
that said, i know of many instances where law firms flick plain e-mails
with disregard to privacy, relying on their marvellous presumption that
anyone silly enough to use that information unwisely will be sued to
oblivion
At about the time Austin offered GP’s unencrypted email, the hospital
also put considerable effort into setting up a PKI encryption service
for GP's who wanted to transmit outpatient referrals via encrypted
email. This service was promoted to GP's by the Northern Division of
General Practice and the North East Valley Division of General Practice.
The outcome was that three GP's took up the encryption offer, a minute
percentage.
Austin would have to invest substantial funds in software and
administration to extend encryption to admission and discharge notices.
With very little prospect of significant up-take by GP's, it's
impossible to justify this expense. So, for now, the hospital offers
only unencrypted email, fax or post as GP communication options.
no, they only need to generate a private key at the austin, and mail it
via post to any interested gp to use
gnupg will allow this free (but their consultant wouldn't advise that i
expect, as there is no money in it), and if they could extend themselves
to using thunderbird (instead of presumably outlook), it would be
*really* easy
There's a wide range of encryption options available but the hospital is
reluctant to pursue any of these options until it sees where GP
preferences lie. We simply can't afford to introduce multiple solutions,
or solutions which are adopted by only a very small percentage of GP's.
no, but see above
And, presumably, GP's will favour a solution which is common to all the
hospitals and other service providers with whom they communicate
electronically. I'd appreciate your Committee's advice on which
encryption/decryption mechanism would most likely attract a significant
proportion of GP's.
hahahaha; tell 'im 'e's dreamin' rob
after a long time on the gpcg i can assure him that it's a tower of
babel, and nehta isn't neater than its predecessor
cheers
ash