Nationwide citizen access to their health data: analysing and comparing experiences in Denmark, Estonia and Australia

The basic information about the Danish health care system can be seen in Fig. 2. The Danish National eHealth Portal is called “sundhed.dk” was launched in 2003 and was based on IBM WebSphere technology. In 2009 the eHealth portal was upgraded and re-launched on a new technical platform. It provides access to information in existing databases for citizens as well as health care professionals. In addition, the portal also gives free access to directories of health institutions in Denmark and a number of health related encyclopedia.

The official aims of the eHealth portal are [6]:

All Danish citizens have access to sundhed.dk, enabling patients to get an overview of what health care data that exist in a number of specific databases.

Upon identification, the citizens can find accurate and updated health care information, e.g.:

In addition the eHealth portal offers a number of services where the citizens can:

In this study, we focus on E-Record and the Shared Medication Record.

The basic information about the Estonian health care system can be seen in Fig. 3. The Estonian Patient Portal is part of the wider national e-Health framework in Estonia. In 2005, the Estonian Ministry of Social Affairs developed a strategy to create a more citizen-centric health care system through shared data across different levels of health care. The e-services aimed to improve quality by enabling better access and use of relevant health data as well as enhance health reporting and cost calculations [7]. The Estonian E-health Foundation is the central agent in charge of standardization and the development of digital medical documents. Relevant legal foundations of the system were set in 2007 with the regulations for data protection in electronic transmission.

The Patient Portal (PP) was created to enable citizens’ access to their data collected through the different e-Health services. The PP was established to enable patients to view the data gathered through the other four e-health services [8].

The Estonian Patient Portal (PP) enables people to view and modify personal information gathered from different public databases. The PP also includes information about one’s general practitioner and health insurance. It is possible to supplement and change existing information, however it does not change the information anywhere else but the Patient Portal.

The PP also enables to communicate permissions and requests to the government and health care providers, for example to allow to accept blood transfusions or becoming an organ donor. In addition, people assign others to become their trustees, allowing them to view personal medical information or purchase prescribed medicine on someone else’s behalf. All information about prescribed and bought medicine is available through the PP.

One of the central functionalities of the PP is the in- and outpatients care summaries that health care providers are obliged to send to the central platform. The deadlines for sending the information are five workdays for inpatient and one workday for outpatient care summaries. The health care providers send a summary for every outpatient case, not necessarily for every visit to the physician. Outpatient care summaries also include services provided in day surgery centres.

The PP also includes information about immunizations performed at the GP’s office and school. The birth summary is the first document inserted in the PP for a new-born. On top of outpatient summaries, children and young adults aged 0–19 have additional information in the PP concerning mandatory regular check-ups performed at the GP and in school.

The laboratory diagnostic test results are sometimes presented within the care summaries but a specific data standard is in place only since mid 2014. This means that as of mid 2015, all laboratory test results are included in the PP. Diagnostic images are stored in a separate database and accessible only for physicians. However, the image results with radiologist’s descriptions are available in the PP.

The latest functionalities added to the PP include a self-reported Health Declaration that each citizen should fill out. This includes information about one’s health status and health related behaviour. The document is compulsory to fill out for renewing one’s driving licence as additional information for the physician during the mandatory check-up. Moreover, as of 2015 national screening programs for breast and cervical cancer use the central health information data to develop their yearly sample population and send invitations for screening.

The future developments of the PP include services enabling patients to find the first available time for a primary or secondary care provider across the country. The patient will be able to book and cancel appointments through the PP. In the future, the PP will also include critical care summaries concerning contacts with the ambulance care team. The patient can also order reminders for appointments and send updated contact details to all health care providers from the PP.

The basic information about the Australian health care system can be seen in Fig. 4. The Australian electronic health record, formally named the Personally Controlled Electronic Health Record (PCEHR), renamed My Health Record (MyHR) 2015, was launched in 2012. The MyHR system and associated infrastructure was developed using a combination of ‘bottom up’ lead implementation projects and ‘top down’ national initiatives [9]. The architecture relies on a business-to-business gateway that provides the link between disparate systems and ensures interoperability [10]. MyHR integrates web based personal health records with a clinical electronic health record system and allows shared access to summary data for both consumers and healthcare providers based on shared responsibilities [11].

MyHR aims to ensure that the citizen is located at the centre of their healthcare by enabling them to access health information when and where it is needed. It is “an important systemic opportunity to enable person-centered care, support informed consumer decision making, improve quality and safety of care, reduce waste and inefficiency, and improve continuity and health outcomes for patients” [12].

Citizens have access to summary information about their medical history, medications, test results and allergies, which provide critical information for informed decision making about their healthcare. Records are available nation-wide and citizens are able to give permission for health professionals anywhere in the country to access their relevant history.

All Australian citizens, healthcare providers, and healthcare organisations are able to register to gain access to MyHR, but all parties must be registered for the benefits to be realized.

MyHR provides citizens with the opportunity to access summary health care data and share information with their health care providers. It is intended that citizens will have access to read, in full, everything that is added to their eHealth record by their health care providers. However, some functionality, such as access to diagnostic imaging, is still under development.

Citizens have their own section in the eHealth record where they can record personal information and notes for their own use. Some personal information, which typically includes information about allergies, adverse reactions, and current medications, are accessible by healthcare providers. However, personal notes are intended for patients’ private use and are not accessible by healthcare providers except if they are shared during a consultation through the personal portal. This information can contain, but is not limited to, information for monitoring health progress, non-prescription medications and other information relating to the individual’s health or healthcare.

Information held in Government registers including Medicare, Pharmaceutical Benefit Services, Organ Donor Status and the Australian Childhood Immunization Register can be linked, with MyHR and viewed by citizens and their health care providers.

Medication prescribing and dispensing information is available to individuals within their MyHR, it requires the prescribing clinician and the dispensing pharmacy to be registered and using MyHR. The medication information facility provides details of the medications prescribed, including the date, brand and generic names, the dose, and specific directions for use.

Parents of children under the age of 14 years can register and view their child’s MyHR. The child record is similar to the adult record but includes additional information regarding a child health development section where parents can add information pertinent to their child’s health, growth and development. There is a link to the immunization information.

There is also provision for “non- professional” carers to register, view and add to their family member or clients details.

The top drawing in Fig. 5 shows the basic architecture of the Danish citizens’ access to health data. Data is created at the GP or specialist’s office, in the hospital patient administrative systems (PAS), and the hospital EHR systems. Data from the majority of the GPs are submitted to the Danish Quality Unit of General Practice (DAK-E), who makes it available to patients via Sundhed.dk. Data from hospital PAS and EHR systems are transferred to a repository database – the E-Record database and made available to citizens, GPs and other hospitals. Patient data are delayed two weeks for ethical reasons, and health care providers are only allowed to access data on the patients they treat. The citizens and the GPs get access to data via the Sundhed.dk and the hospitals access the E-Record browser via the secure National Health Data Network.

In Denmark, all hospitals are by law obliged to send care summaries to the central repository and this data is also visible in the patient portal. All medicine prescriptions except drugs prescribed during hospital admissions are all available through the Patient Portal.

The center drawing in Fig. 5 illustrates the architecture of the Estonian Health Information System. Data is created either in hospitals or GP/specialist information systems and stored in the national EHR. Prescription data is stored in the Prescription Centre. Additional information about the citizen is collected from other state registries and accessible to both the health care providers and citizens through the PP, for example contact details and existing health insurance.

All document transfer uses HL7 v3 (extended) standard, medical documents are kept in the XML format (HL7 CDA). Moreover, all structured data fields have object identifiers (OIDs). The X-road infrastructure with the smart ID-card provided authentication is the backbone of e-health services in Estonia used by both citizens and health care providers alike.

In Estonia, all health care providers are by law obliged to send care summaries to the central repository and this data is also visible in the patient portal. Digital prescriptions are all available in the Patient Portal.

The bottom part of Fig. 5 shows the basic architecture of the Australian MyHR. Clinical data are generated and held in GP, specialist, and hospital systems, with summary data then transferred to the MyHR system. A range of different data sources, both public and private, is used to provide a comprehensive summary record. The central MyHR infrastructure manages the location and transfer of data from the distributed system. There are a number of repositories that have been established to collect and store that clinical data but also there are links to other organizational repositories but there is no ability to directly query individual organizational EHRs, only the summary data exchanged with the repositories is provided through MyHR [10].

In Australia obligations to submit data to the central repository is currently limited but pressure from consumers is increasing.

Every Danish citizen has since 1968 been given a unique personal identifier at birth (CPR-number). It consists of the 6 digit birthdate and a 4 digit check number where the last digit indicates the gender – uneven for male and even for female. After entering the CPR number as username and a self-chosen password the user is asked to enter an additional six-digit security number, called NEM-ID. Citizens can obtain a NEM-ID by personal appearance in a Bank, the municipal administration, or on-line by submitting their passport number for identification. The NEM-ID code is read from a (paper or electronic) token. This two-factor authentication is used for log-in to a number of public e- services and net-banking. Health professionals also have access to the personal health data via the portal Sundhed.dk, but are only allowed to access it when they are treating the person.

In Estonian public and private e-services are based on a common data transport middleware called the X-road. It is an organizational and technical environment that enables to connect multiple data sources and securely exchange data between institutions and people [13]. All citizens and health care providers can access the Patient Portal using the Estonian public key infrastructure (PKI). It provides every citizen with an encrypting key pair. The first, public is for encryption and the private one is for decryption. The PKI is in turn connected to an electronic identity, i.e. ID card or mobile ID. Every Estonian can have an ID-card from the first day they are born. ID cards are used for both regular and electronic identification as well as digital signatures. The ID card is the electronic key to using all Estonian public and private e-services based on the X-road [13].

In Australia, accessing the portal is only possible for those that have opted-in to the service. A person, above the age of 14, is eligible to be registered if they have been assigned a healthcare identifier and they have provided suitable proof of their identity to the System Operator. People can apply to register for an eHealth record via: telephone; face-to-face at Department of Human Services service centres; mail; online (www.​ehealth.​gov.​au); and assisted registration by healthcare provider organisations. For minors under the age of 18, a parent or guardian can apply to register by providing evidence of their parental responsibility. Additionally, a ‘person responsible’ can apply to register an adult who is deemed not capable of making their own decisions by providing evidence of their authority to act on behalf of that person. Health care providers and their organisations are also required to register to access MyHR. Once registered a unique identifier is assigned to each user.

In all three countries all activity is logged and the log files are accessible to the citizen. The patients can to monitor their log file and report any irregularity. In Denmark, a letter is sent to the citizen if a GP or specialist without any treatment relation has accessed the citizen. Treatment relations are detected as 1) hospital admission (PAS system), 2) general practitioner (reimbursement data), or 3) specialist visited after referral (record in national referral database). To supplement this, a bi-annual audit is performed in Denmark where a random sample of log files is checked for irregularities. A low number of cases of abuse are detected every year, and a fraction of these are so serious they lead to a sentence. In Denmark citizens have the right to block any information from access by health professionals - e.g. specific drugs prescribed or specific diagnosis.

In Estonia patients are also able to opt out of having their information in the Patient Portal. It is possible to close individual documents, for example information about a visit to a certain health professional or a diagnosis. Alternatively, the patient can close the entire medical record. The only data that the patient is not able to close is the so-called time-critical data - this includes allergies, medical procedures over the past month, last visit to the doctor or hospitalisation.

In Australia, the MyHR system is opt-in so patients, health care providers and health care provider organisations all need to register for their information to be included in the MyHR. Patients can manage access to their records through the patient portal, that is grant or deny others access. The documents and information stored on My Health Record are completely under consumer control. Consumers have the ability to hide clinical or Medicare documents and restore hidden documents. If documents are hidden from My Health Record, by a consumer, this information will not be accessible, even in an emergency. Audit of all access is logged in the system and this is available to the patient through the patient portal, but only at an organisational level so does not show which individual clinician has accessed the record. Patients can also set up notifications via SMS or email when certain activities occur.

For all countries, it is only possible to close the access to data, which can be reopened. It is not possible to erase data.

In Denmark, the public health portal “Sundhed.dk” provides help desk to users with questions to technical and navigation problems. Questions regarding health issues are directed to the health professional or institution that entered the data. Similarly, the E-Health Foundation in Estonia has a user support phone and e-mail address available for citizens. However, no online helpdesk service is currently provided. The E-Health Foundation website has additional materials available for people to educate themselves on safe online behaviour and security matters. These include recommendations about not leaving the computer unattended when logged in to the PP or not leaving one’s ID-card unattended.

In Australia, a help desk facility is available for users who are experiencing technical difficulties. There is a range of learning modules, help functions and links to frequently asked questions and further information available within MyHR and on the website www.​ehealth.​gov.​au .