Individual Health Identifiers and Privacy

StephenWilson's picture

What's to be done to ward off healthcare identity theft?

Last week, Australian Health Ministers met in Melbourne; a comminique has been released by the Department of Health and Ageing. A range of matters were discussed, including the planned Individual Health Identifier (IHI).  The communique says:

Privacy consultation and individual healthcare identifier
Consistent with the [COAG] agreement that all Australian residents will be allocated an individual healthcare identifier (IHI), Health Ministers agreed to continuing consultations on privacy...
The IHI will support better linkage of patient information and communication between healthcare providers, but will not need to be declared for an individual to receive healthcare. The IHI will not replace the Medicare number, which is used for claiming government healthcare benefits.
Implementation of the IHI will be supported by a strong and effective legislative framework that includes governance arrangements, permitted uses and privacy safeguards.
Strong privacy protection for patient health information is fundamental to delivering high quality individual and public health outcomes ... Government consultations are currently underway about the recommendations contained in the report by the [ALRC] of its review of Australian privacy laws, including health privacy protections.
Further consultations are now planned ... More work will have to be done on this before an IHI can be implemented.

It is good that consultations are ongoing on privacy protections. 

One aspect of privacy relating to health identifiers that gets relatively little attention is how to protect IDs against theft and abuse.  As I understand it, the envisaged IHI will be basically a number, and how it will be used is to be left to jurisdictions to decide.  We need a consistent approach to how people are asked to present their IHI, and how it is verified.  And there must be protection against the number being used behind one's back, lest we face a number of risks relating to phishing and pharming.  Perhaps the worst privacy invasion of all would be to have your medical identity taken over and health records stolen.

Stephen Wilson is Managing Director of the Lockstep Group.
Lockstep Consulting provides independent advice and analysis on identity management, PKI and smartcards. Lockstep Technologies develops unique
new smart technologies to address transaction privacy and web fraud.