9 August 2019

Rushed PIP QI scheme could create data and governance mayhem

The formal launch of the Federal Department of Health’s (DoH) new Quality Improvement Practice Incentive Program (PIP QI) regime on August 1 was accompanied by some strongly worded protests from senior thinkers in the GP sector and even some in the digital health sector, but it has otherwise passed with little fanfare around the digital health world.

Some of the obvious and concerning questions raised include:

  • If the Australian Digital Health Agency (ADHA) has spent a fortune on a governance framework for secondary use of patient data for the My Health Record (MHR), why is none of that work in play in rolling out this secondary use scheme, given both schemes ultimately roll up to the Federal DoH?
  • Without a well defined regime in play, who is ultimately responsible for ensuring governance in a system which exposes patient data (non identified) to the relative competence of all 31 Primary Health Networks (PHNs) in the country, which have huge variance in their performance and management capabilities?
  • Who is responsible for overseeing any compliance from private data extraction suppliers, who are separately contracted by each PHN, and who are largely non transparent to the system because of commercial in confidence restrictions?
  • What guarantees do GPs and GP owners have that the information being collected won’t morph towards being used by PHNs and other parties to manage more GP compliance, over time? It is a natural use for such data after all.
  • Are there any guarantees that GPs’ personal and billing data will not end up identifiable in some way by third parties and used for purposes well outside the remit of the scheme? Upstream data matching firms can do a lot with de-identified data to create actual matches, especially around geo collected data.
  • Who manages the conflict now created between GP contractors and employees and their owners and managers in the matter of consent of the release of patient data, especially given owners and managers are now conflicted by a $50,000 per annum incentive to upload this data?
  • Are owners and managers obliged in any way to outline what they are taking from contractor and employee patient management systems in order that they understand any potential downstream implications for such data extraction?
  • Who looks after a GP who, after being directed by their practice owner to enter this data in the format required by the program, has their contractor status made ‘grey’ by such specific and repetitive direction, and therefore exposes the GP to significant potential tax issues, even if the contractor is not being rewarded by the owner for the activity?
  • Who is indemnifying GPs against breaches of the Privacy Act, which has severe financial penalties, especially given uploading of this data out of their patient management system, which is their responsibility, is automatic and they have no oversight of what actually is going out of their system?
  • What binds all PHNs to a single, workable and accountable data governance regime, in the manner that the MHR is?

The DoH responded to concerns raised in Health IT newsletter PULSE IT, not all of which are on the list above, on August 1 by saying that:

  • The design was based on longstanding existing arrangements for data extraction between PHNs and their GPs (which it is)
  • Already 55% of practices are participating in such data exchange activities with their local PHN
  • There is a governance framework (the PIP Eligible Set Data Governance Framework) which specifies that storage requirements must align with the ADHA requirements and that aligns to a National Data Storage and Analysis Solution (NDSAS), which is still under development, but which PHNs will use
  • That PHN data will over time be aggregated up to the Australian Institute of Health and Welfare (AIHW) “for the purposes of informing national health policy”
  • Patients are able to opt out of having their de-identified data used based on existing compliance requirements for GP practice accreditation

All of which doesn’t really answer most of the bigger questions being raised over the program. Certainly PHNs do collect data on a voluntary basis for local QI purposes on an ad hoc basis now, but PIP QI is not ad hoc. It is being industrialised, especially with the use of a large practice based incentive to provide the data. But it is being started without the right health and safety protocols for a data program of this size in place. For instance:

  • The NDSAS, which will underpin storage and collection, is still being developed, yet the scheme has already started.
  • There isn’t anything in place binding all PHNs to a single regime other than a protocol saying they should comply with ADHA requirements.
  • Patient opt out ability is a part of practice accreditation but these are principles, not advice on implementation. There is nothing in place to audit this properly, and it’s unlikely patients would appreciate the before and after difference in the data collection reasoning of PIP QI, especially that their data will now end up in a nationally aggregated database.
  • There is no actual compliance regime formally documented…it’s being made on the fly by the look of the DoH responses so far, despite them giving it a formalised name and acronym.

With so much left unanswered and unspecified and with quite senior GPs prepared to put their heads over the parapet and risk political and brand damage, you’d think the peak bodies would be thinking a bit harder about the issue. It’s going to be hard for them given they were part of the process of approving the scheme but they seem to have all underestimated the angst of their members.

In a speech to the Press Club last week AMA president Dr Tony Bartone touted the privacy credentials of the MHR, ironically pointing out that the privacy protections of the system made it more secure than data residing in an individual practice management system. If that is the case, why is the AMA comfortable with not responding to GP concerns about how that data is obtained, governed and ultimately used in this scheme, which doesn’t have the ADHA MHR protections at all?

So far the RACGP hasn’t formally responded to concerns raised either, despite requests.

On spec the potential for the public eventually feeling misled is far higher and more serious than the current public furore over Health Engine’s data breaches.

Individually, it’s almost impossible for a GP within a practice to meaningfully question being put in this system.

A practice owner or manager is conflicted by the not insignificant incentive of up to $50,000 per annum to be uploading the data, and potentially by pressure placed on them by their local PHN. Remember, after such a long period of MBS freeze, the revenue pressure on owners and managers is more than it has ever been.

That leaves the peak bodies to point out the issues facing their individual members, and seek some clarification on the issues. But nothing is happening.

The average GP is too busy to understand the implications of what the DoH’s new QI PIP scheme might be creating for them in the future, so the powers that be probably aren’t too concerned that it will become a member issue, at least in the short term.

Most of the peak bodies try their best to stay in step with the government these days on programs like these, regardless of what individuals think personally at the top. The underlying issues are complex to understand and to explain. The big picture is that the government and the peak bodies are doing something about ‘quality’ and ‘outcomes’, which is a major push and indeed, needed if general practice is to make a successful transition to blended funding and outcomes based payments. Those seen to be opposing such progress stand a good chance of being branded as the ‘usual suspect naysayers’.

The line between what is ‘quality’ and what is ultimately ‘compliance’ in this scheme is not well drawn. It feels easily subject to potential drift, or even abuse as people move on, different regimes move into government, and different agendas are established upstream of the GP.

Under the circumstances – something very complex and therefore not well understood by anyone including GPs – it would be easy to let this issue through to the keeper as a senior power broker in general practice and healthcare. It’s not like there aren’t other major issues at hand which are far more front of mind, politically correct and rewarding to be working on.

This new program has been developed and implemented at a speed that has not allowed it to be thought through in the detail needed, which may go to some aspects of disorganisation and a desire for speed.

The objectives of the program are well aligned with how most people see the system should be moving and would be agreed to by most GPs. Better quality care, measurement and meaningful data to help us move towards measured and well deployed outcomes based payment schemes. There isn’t much argument that this is where everything needs to head.

But fundamental issues don’t seem to have been thought through, a fact emphasised by the common sense underlying the recommendations made directly to the DoH by the GPs who are concerned. They include:

  • That a single, trusted, national data repository be established with a robust and transparent governance framework
  • A data governance framework must be established prior to the release of any aggregate data sets to third parties (a la MHR)
  • That practices be provided with choices regarding the upload tools including direct upload from native desktop software
  • That the only data elements uploaded to the national repository are the 10 agreed PIP QI requirements
  • That MBS data must be excluded from the collection (surprising that this isn’t already clear)
  • That patients should be provided with transparent advice regarding the process and their ability to opt out
  • That commercialisation of the uploaded QI PIP data sets must be prohibited under law
  • That data is made available to PHNs and other interested parties via a secondary use framework
  • That a privacy impact assessment should be undertaken

 

Despite getting buy in from the peak bodies, the general population of GPs has been left in the dark and is highly concerned about the rushed nature of the scheme and its possible implications for individual GPs.

What happens if a court does decide at some point in the future that being directed in a systematic and detailed manner to enter data into their PMS changes the status of a contracted GP to that of an employed GP?

Who will wear the blame for a serious data breach, either of patients, or GPs themselves, should the variables currently in play with 31 differently operating PHNs with several differently operating private data extraction suppliers, on contracts negotiated presumably with that potential number of different outcomes, go seriously wrong?

And what does such a program say about what our intentions are with the MHR, and with all the good work done to make the MHR privacy compliant, and subject to a well defined governance regime?

This program needs to be slowed down and looked at far more carefully in the short term.

At the very least GPs should understand what we are getting them into and have the chance to have meaningful input and guidance as it moves forward.