Not many GPs have a great idea of what happens to their patient data once it gets sucked out of their system by a Pen CS or equivalent software data extraction tool, in what manner it is sucked, and even what is actually sucked out.
It wasn’t long ago that one GP practice in Victoria worked out that, having agreed to have its data sucked away for the purpose of chasing a PIP quality improvement (QI) incentive payment, which required just a few key data fields, every single field on every patient was taken by the data extractor.
It turned out that this was happening with a lot of practices at the time.
Most practices around the country were lured into this eclectic manner of patient data sharing by the PIP QI payment scheme, which was launched in a hurry and without any formal framework for data governance (that got published by the Australian Institute of Health and Welfare only last year, amid the covid mayhem).
We sort of just fell into the whole PIP QI program without really thinking at all about issues of data governance, audit, reporting and management.
Practices agreed because all practices need more money and it was easy money. They were being assured that everything would be OK by their primary health network (PHN), by the data extractors and by the government.
Two years down the track from that disorganised start, the power dynamics of controlling GP-sourced deidentified patient data are starting to shift radically into the hands of PHNs, something that many GP practices may not be entirely comfortable with, without some better government assurances and oversight.
The shift has been assisted significantly by the Department of Health, which has funded the PHNs in the past few years to build their own data-extraction software to compete with the commercial extractors, to build a giant centralised “data lake” of nearly all the PHN-collected data across Australia (Primary Health Insights), and even to apply to the ACCC for, and be granted, the right to exercise monopoly-type powers over this GP data in Australia.
The DoH provided Western Australian Primary Healthcare Alliance (WAPHA) a $10 million grant about three years ago to build the infrastructure for a giant centralised data lake (on the cloud but out of WA), and then a further few million to a couple of other Queensland-based PHNs in the past year or so, to build new extraction software so the PHNs could go around the commercial providers, mainly Pen CS.
The government ignored the argument put to it by the Medical Software Industry Association (MSIA), on behalf of many of its members, that granting not-for-profit government quangos money to compete with private-sector companies, which had built and established their businesses based on private investment and fair competition, was inherently unfair (it was) and that the track record of PHNs building and running their own software was abysmal (it was).
The reasons provided by WAPHA (and we guess by default the DoH, which controls them) for building a giant data lake to hold GP data in one spot, using an alliance of 27 PHNs to collect and manage the data, and assuming a monopoly position on GP de-identified patient data by centralising systems into one giant facility out of WA servicing all 27 PHNs, actually make sense.
Rather than have 27 inexperienced and differently constituted and governed PHNs try to build and run data extraction, conduct governance, and perform complex analytics on the data, all separately, WAPHA, in agreement with those 27 PHNs, decided it was best to pool resources and build one giant and modern facility with the appropriate centralised expertise to help all 27 PHNs manage their data.
That is a good idea.
But if you scratch the surface of this idea, and start to understand the power dynamics of this data ownership, the “good” starts to unravel pretty quickly in the not-too-distant future, at least as far as GPs are concerned.
“Great, now I have to worry about what my PHN is actually doing with my patient data? How do I do that, my day job, restructure the practice for payroll tax compliance in between, deal with the idiot in Room 7, stay married, and afloat?”
Good point, so bear with me just a little here, as I think this is more about awareness of what is going on at this point than having to take time out to fix anything immediately.
It’s worth knowing what is going on a bit better as this data is owned by you and your patients, not the PHNs or government, and at some point, there might be some opportunity for practices and their representative organisations to address some of the obvious issues that are likely to emerge from this loosely-cobbled-together initiative.
Is a giant data lake of all GP data, run by a WA-based PHN, a safe bet?
Easy answer: “No, not really.”
Rule number 1 of big data governance these days is, “don’t put all your eggs in one basket … it’s not a matter of if you get hacked these days, it’s just a matter of when”.
Which is why you don’t centralise data with lots of loosely governed access points. Oops, there goes the My Health Record.
Modern data security architecture for high level stuff such as patient records mandates using cloud-based “distributed data architectures”, which use secure, standards-based means of sharing data on the cloud, and cloud security protocols.
In a lay person’s terms, have your data in a lot of places, so if one spot does get hacked, you don’t lose it all in one go.
If everyone with a smaller data pool runs their data to modern web-based data-sharing protocols, the data will be more secure, still securely shareable and usually of better quality, because “locals” will be managing the input quality control with greater ownership.
Setting up an ecosystem for sharing like this requires a lot of co-ordination and agreement among service providers. We haven’t managed to do it in Australia yet, but countries such as Israel, Denmark and the US have, so it is feasible.
One issue some organisations subconsciously have with such a distributed setup is that if you allow the data to sit distributed (but accessible) in regionally run and controlled data hubs, you distribute power (along with risk).
If you centralise a dataset, as WAPHA are doing, you centralise investment, money and power.
WAPHA describes the architecture of PHI as being “locked box” with each PHN only being able to access its own data. But it’s all in the same “lake” and WAPHA indicates in its marketing spiel that in an ideal future world, PHNs will be sharing the data with each other to solve various population health issues across the country.
Read the paragraphs below on the Primary Health Insights (PHI) project out of WAPHA, which only formally started taking data last year, and see if it makes you feel like your data is going to be safe.
Remember, prior to a few years ago, when WAPHA first got in a big C consultant to do them a data strategy that recommended they build a mega data lake and spend lots on experts – more consultants likely from the same firm – and try to rope in 27 other PHNs, none of whom had any significant big data management experience, this PHN and its senior management knew virtually nothing about data governance, analytics, management and security. Today, they are apparently high-level experts we can all trust.
“Robust and stringent data security and access controls are in place for both cyber security and data governance purposes. Individual PHN staff use multi-factor authentication processes to use only those data sets to which they have been granted authorised access. PHNs have responsibility for enforcing the rules applying to data access.
“PHI is subject to annual independent security reviews and penetration tests. These have reported the platform to be of a ‘mature security design’ with ‘no suitable attack paths for an unauthenticated user’.”
Those last two sentences should send a mild chill up your spine. If you look for who does those independent reviews, you can’t find the information anywhere. Who is overseeing the data governance set up and running of this project?
If you check to see if maybe the Department of Health has some sort of governance or audit mechanism for the project in place, then you won’t find that anywhere either.
The PHNs are in full control of this project. With pretty much no experience in doing this sort of thing in the past, and pretty big day jobs doing all those other things PHNs are actually supposed to be doing.
If you visit the Primary Health Insights website and read it all, what you quickly realise is that it’s a brochureware site.
It’s all marketing.
There are no references to who the actual experts running the show are, or what experience and qualifications they have to run a big data project such as this. Worse, the site points to a PHN data governance framework – PHNs National Data Governance Framework – as a key document of operational guidance, and this appears to have been developed by PHNs in isolation from the rest of our key healthcare system stakeholders (GPs included) in the last year or so.
Notably, the Australian Institute of Health and Welfare (AIHW), which has a completely different data governance framework for managing the very same data, is not referenced.
Both frameworks were published only last year, during covid, so both haven’t come in for much scrutiny so far.
But why do we have two separate frameworks, one for government (AIHW) and one for PHNs, which are entirely funded by the government anyway, to run the same data?
What experience and qualification do PHNs have, and who has vetted them to develop their own data-governance framework, start gathering masses of data from across the country in one place, and start manipulating that data?
They may have a great consultant with many years of experience behind them in building data lakes helping, but as far as GPs are concerned, it’s all pretty opaque as to what has actually happened in the past year or so on this project.
The DoH may have funded WAPHA to build a giant data lake, and approved the idea behind it (again, it’s not a bad idea), but data is a very tricky long game. You don’t see public data like this being handled loosely by second tier government funded community groups in the finance sector for good reason.
There are a range of complex issues around GP generated patient data in terms of the ability of third parties to be able to re-identify the data using analytics and other data sources.
GP patient management systems are not standardised on their clinical coding, so the data can be all over the place between PMSs.
Importantly, the vendors have never been charged with optimising data formats in their systems in a manner that will make it much tougher to ever re-identify.
It’s never happened because patient data is literally hacked out of these systems by third party extractors, something the patient management vendors have never been comfortable with, and in the early days often tried to actively prevent.
Remember, almost all the data being used by the PHN project is sourced from GP practices, and the practices are mostly giving their data over because the government has been paying them to give it up, on the understanding that it is being centralised under the AIHW for PIP QI.
Yes, some PHNs have convinced their practices to give up more of their data under separate cover as well, on the promise that they will send it back as useful insights.
But most of the data we are talking about started to build in serious volume after PIP QI came into play. And PIP QI only wanted a few fields. This PHN data lake is taking most of every data field they can get their hands on.
Twenty-seven PHNs without any data experience in a loose alliance – what could go wrong?
The PHI project is jointly owned and governed collectively by 27 PHNs (there are 31 in total), according to WAPHA, through an unincorporated joint venture, “operating within the PHN Co-operative”, a reasonably loose agreement that is up for renewal in 2023.
Can’t see much that could go wrong here?
Except perhaps:
- Unincorporated joint ventures are a very weak governance arrangement, with little ability to enforce undertakings across the venture
- At least half our PHNs have potentially serious individual issues of governance and conflict of some sort, similar to that revealed for NQ PHN and Gippsland PHN in this article a couple of weeks back. Are we really OK for a PHN like Northern Queensland to be managing our data while they are under review by the DoH for potential serious breaches of their governance, and conflicts of interest of board members?
- The whole arrangement is up for grabs sometime in early 2023. What happens if the co-op decides to break apart?
- Very few PHNs individually have expertise in data management, governance or data analytics. Some are trying to build it now, but most do not have any experience or history with data, so it will take some time to build any level of expertise. Even if they do, it’s going to be 31 different versions of expertise and implementation, as every PHN is a separately constituted and run company.
Again, the idea behind all this is not a bad one.
But PHNs and WAPHA are, in essence, “faking it” at this stage, in the hope of “making it”. Which might be OK, except you don’t get a good feeling that the DoH is keeping an eagle eye on what is going on in case something goes wrong.
Are GPs really the beneficiaries of PHN data, as they are being promised?
A final headache for GPs reading this and wondering what is actually going on.
In a couple of surveys over the past two years, it is apparent that at least half of GP practices don’t like or trust their PHN in a substantive way, and this half tends to be concentrated in rural and remote areas (although it’s not exclusive to those areas).
One reason GPs have had it with PHNs is that they’ve evolved into starting to do a lot of work around GPs, and sometimes to the detriment of GP practices. Most have a majority of members (local health organisations that act as shareholders), such as local hospital organisations, or pharmacy based groups, which have never practically engaged with the GP sector.
Why did Gippsland PHN award a $100,000 contract for after-hours work in the remote community of Mallacoota to a Sydney-based corporate telehealth setup that had until then been concentrating on infilling ED shortages not GP shortages, when the local GP practice had been the only tenderer in the original tender? Incidents like this erode the confidence of GPs significantly in the PHN networks.
GPs and their colleges need to be wary of what PHNs really might end up doing with their data.
Here’s a promise made by the WAPHA on its PHI website to GPs that you may want to keep a keen eye on, and report on regularly to make sure it happens. If it doesn’t start happening regularly and productively soon, someone needs to start asking hard questions.
“The platform (PHI) provides PHNs with highly secure storage and access to some of the latest technology to analyse their data and generate new insights into population health and quality improvement for general practices. This enables practices to deliver better patient care, leading to improved health outcomes.”
It’s a very specific and important promise. PHNs need to be held to it.
If they don’t fall over as a result of poorly constituted joint venture arrangements, lack of expertise and poor individual governance, conflicts of interest in their management or boards, political infighting or a requirement to all agree regularly on key objectives of a complex and difficult project, and they deliver on this promise, then fantastic.
But someone needs to keep a close eye on what is going on here because not only can a lot go wrong in trying to deliver this promise (it’s a big, hairy-assed promise), but also, PHNs aren’t focusing on GPs so much as focusing on patients. They all have a remit which doesn’t necessarily align with the betterment of their local GP population.
What if the population data they collect tells their management they should be engaging a lot more outside the local GP networks to gain better effect on what they focus on, or that the government should be reallocating GP resources outside this particular PHN region?
Will every PHN actively engage with the RACGP, ACRRM and the AMA, in a meaningful discussion that includes the DoH, if they interpret their data in this manner?
Data is power these days.
Ironically, the data that the PHNs are starting to platform their new found power and influence on comes almost exclusively from GPs.
But GPs aren’t inside the patient data tent any more.