Is My Health Record secure?
Throughout this inquiry, submitters have raised concerns about the security
of the My Health Record system (MHR). This chapter will consider the design of
the system and the protections it includes, what individuals can do to enhance
the privacy of their own records and whether those protections are sufficient
to protect vulnerable members of the community. The chapter will then examine
whether the record can be legitimately accessed by employer nominated doctors
or law enforcement agencies and what secondary or tertiary purposes MHR data
could be used for.
Is the design of the system secure?
Submitters and witnesses to the inquiry expressed concerns about the
risks of unauthorised access to MHR data. Submitters who raised these concerns
commonly referred to the way the system was designed.
There are two broad ways of designing a data management system: the
first is a distributed or federated model where data is stored in decentralised
repositories. The second model is a centralised repository or database. MHR is a form of
Mr Grahame Grieve from Health Intersections explained the difference
between a centralised database like MHR and a distributed system:
In a centralised database, all the information flows up to
the central repository and then out of it. It's like a hub-and-spoke model with
public transport: everyone goes to the city to get anywhere. Whereas a
distributed system means you go directly to the source of the information and
hold it there.
Mr Grieve explained to the committee that there is a balance that needs
to be managed between utility and privacy when considering which model should
As you build a single repository, you have the benefits of
scale and the problems of broad access. That's why there's space for multiple
scales of repository to choose the optimal point for a particular context. For
some people there is an issue that we want everybody's medications to be
available for drug-to-drug interaction testing. On the other hand, making
everyone's medications available for that has privacy concerns...
As an example of the clinical benefits that can come from having a
centralised database with lower privacy restrictions, Mr Kelsey from the
Australian Digital Health Agency (ADHA) explained that the Northern Territory's
experience with its e-health record indicated that having no privacy
restrictions meant that clinicians could obtain the information that they
needed at the time it was needed and that citizens could obtain the clinical
benefits of having an electronic health record without needing to engage with
Risk of external unauthorised access
Some submitters raised concerns that having broad access to a
centralised database makes it hard to secure. The Centre for Digital Business
described the design of MHR as 'a centralised database with widespread access
at the edge'. That means that the data for MHR is held in a centralised database but that a
large number of healthcare providers are granted access to records in the
database. Most submitters considered that there would be approximately
900 000 health practitioners who would have access to the central
The Centre for Digital Business explained that having so many potential
access points was a potential source of vulnerability for the system if those
access points could not be properly secured:
A system is only as resilient as its weakest link. Even if
"military grade" security applies to the centralised database...
securing access at the edge involving some 900,000 individuals in a great
variety of environments, is a far greater almost impossible challenge.
A number of other submitters and witnesses, such as information
technology specialists Dr Robert Merkel and Mr Paul Power, were also concerned
that keeping the log-in mechanisms and passwords of 900 000 health
practitioners secure may be a challenge.
This concern is particularly acute in health professions where existing
practices can be lax. The Information and Privacy Commission of New South Wales told the committee
that poor information practices, such as passwords being kept next to access
terminals, keeping systems logged in for faster access, failing to limit access
to only essential staff and using generic logins, were becoming more common.
Against that backdrop, the Centre for Digital Business considered that
the security challenge facing MHR was 'practically unresolvable'.
The ADHA advised the committee that healthcare organisations must
connect to the network through conformant software with a secure and encrypted
connection that requires two-factor identification in addition to any local
Concerns that the system may not be able to be secured at the health
practitioners' point of access was given greater prominence because a
centralised database is also potentially a more substantial target for
cyber-criminals because it contains a large amount of valuable data.
Medical data is considered to be valuable to health recipients and to
clinicians, but it is also potentially valuable for commercial and identity fraud purposes. Some witnesses described the aggregation of valuable data in one database as a
'honey pot' that may attract criminals.
Dr Merkel told the committee that he believed that the number of people
with legitimate access increased the possibility of a successful attack by
criminals because it was inevitable that not all of the health practitioners
will be able to keep their accounts secure:
...if you have that many people with legitimate access, the
odds of somebody electronically impersonating that person by stealing their
passwords and gaining access to their account—the other things you need to get
on the system—it's inevitable that criminals will find ample people who, for
whatever reason, have not kept their accounts secure. This is what hackers do.
They're very skilled at it.
Dr Merkel said that it may also be reasonable to assume that some of the
groups who may seek to attack a central database will have sophisticated
Some of those individuals and organisations are extremely
well resourced, skilled and determined, so the data in My Health Record needs
to be extremely well protected. And, while the core system may well indeed be
well protected, my understanding is that hundreds of thousands of health
practitioners will have access to My Health Record information, and the log-in
mechanisms for some of the ways you can get in and access that data are
considerably less hacker-resistant than they should be.
Some submitters considered that if the central database is breached, the
attacker is likely to obtain broad access to the database.
For this reason, some submitters favoured a federalised or decentralised
model. One of the benefits of a decentralised model is that less information is
contained in each system, making the risk of disruption or unauthorised access
However, the committee heard that when the MHR system was first
designed, a federated model was not really possible and the system that exists
is limited by those initial design choices:
The design of the system and the standards it is based on were
state of the art in 2007. Although a more distributed design was initially
planned, it is now, unfortunately, a centralised national database of static
summary documents. This was an inevitable consequence of the technical
standards used at the time...
Professor Chris Bain, a digital health expert, told the committee that
whilst a distributed model might be preferable from a technical perspective, it
is not the model that currently exists and it would be a substantial investment
to change it:
Some people have put forward technical architectures where
the information isn't actually held all in one place. You might have
demographic data held in one repository, general practice data held in another
repository and hospital data held in another repository and you bring it
together in a virtual view, if you like, but it never actually sits in one
large database. There are arguments for that, but we don't have that in front
of us at the minute.
Protecting the system
The ADHA accepts that the system needs to be able to protect Australia's
health information for the system to have legitimacy:
The Agency understands that healthcare information is some of
the most private information people have, and that the success of Australia's
digital health program is reliant on secure digital operations and respecting
people's rights to privacy.
The ADHA advised the committee that it is aware that certain safeguards
are vulnerable and so it has developed a security design called 'defence in
depth'. This security design employs a range of security measures that operate
simultaneously to protect the data that has been entrusted to it. This includes
comprehensive security monitoring, process and technology security controls,
security assurances and a dedicated security operations management team.
The ADHA informed the committee that the system has been certified and
accredited under the Australian Government Information Security Manual and the
Protecting Security Policy Framework by an independent assessor.
The ADHA also notes that there are stringent penalties and criminal
penalties attached to the misuse of MHR information.
Future Wise noted that this is an important area to get right because
medical privacy, once breached, cannot be restored:
Privacy of medical confidentiality is a one-way door;
penalties and sanctions may serve as deterrents, or as compensation for the
loss of privacy, but neither give individuals their privacy back if it is
Is MHR less secure than the
In determining how much weight to afford to the above concerns, some
submitters stressed that they should be considered against the status quo that
exists for the current circulation of medical information.
A lack of interoperability between clinical systems means that
Australian health practitioners still largely rely on transmitting documents by
fax. Dr Chris Moy from the Australian Medical Association explained that fax is
not a very private or effective method of communicating important health
...I get a call in the middle of a consultation, I have other
patients in front of me, I try to rustle together a few bits of information and
I fax it away. This isn't particularly private, because I don't know whether it
ends up where it is [needed], and it's absolutely no use if I'm not there after
Dr Moy told the committee that he believed it was important for the
discussion about privacy to start from an understanding of the vulnerabilities
in the current system:
The problem is that the current debate so far has not been an
apple versus apple situation. Really, we've had a debate about My Health Record
versus this sort of mythical utopia of perfect privacy: it's not been a debate
about My Health Record versus the sad reality of this fax land and all the harm
that goes with it.
The current system is vulnerable to unauthorised access. One submitter
In 2018 there has been well-publicised disciplinary action
against healthcare workers in South Australia and Western Australia for
inappropriately accessing individual records to which they had no clinical need
to access, highlighting the importance of the "insider threat" to
With the current procedures for handling medical records, healthcare
recipients have no way of knowing who has viewed, accessed or shared components
of their health information.
Proponents of MHR note that the new system will have an electronic audit
trail that means that the healthcare recipient can see who has accessed their
information. The ADHA noted that these audit logs are updated in real time and
that healthcare recipients can elect to be notified when someone accesses their
Every access to every health record is logged in an audit
trail and immediately visible to the consumer. A consumer can elect to get a
text message or email when a new healthcare provider accesses the record or
when certain things happen to the record such as a new shared health summary
being uploaded, or when someone 'breaks the glass' to access their record.
Professor Chris Bain noted that where people have inappropriately
accessed records, an electronic audit trail means that the offenders can be
caught and punished:
it's very clear and visible to the patient, most importantly,
who's accessing it. Patients, unless they go through a whole lot of rigmarole...will
struggle to know who in any given hospital has looked at their records and
whether it was just the treating team or others who sniffed around. We've had
examples in South Australia of people who were caught out because they sniffed
around. That's only because there's an electronic system and an audit trail.
However, some submitters, such as the Office of the Australian
Information Commissioner noted that these audit logs only show access at the
organisational level. This means that if a healthcare recipient wants to know who within the
organisation access their record they need to contact the organisation
Separate arrangements apply for the System Operator which, in most cases,
can track access at the individual practitioner level. Some submitters noted that it would be desirable for consumers to be able to
have access logs at an individual level.
The committee understands that there are potential security
vulnerabilities associated with having a centralised database with broad
access. The committee acknowledges that having a system that is able to be
accessed by such a large number of health practitioners provides opportunities
for external unauthorised access by actors who may wish to take advantage of
the data for their own purposes.
However, the committee also acknowledges that there are some clinical
benefits to the model that has been adopted. A centralised database provides
clinicians with the ability to access information as it is required, unless the
healthcare recipient has activated one or more of the privacy settings.
While a federated model may have been preferable if the system was to be
designed today. The committee acknowledges that a substantial investment has
been made in the current system and that fundamentally redesigning the system
would involve additional investment.
The committee notes that the ADHA has undertaken considerable work to
secure the information held within the MHR system. However, the committee notes
that the system may become a more substantial target as the number of records
held within the system increases.
Additional security protections for individuals
MHR was designed to be a system that could be controlled by the
healthcare recipient. To add to the security of their records, healthcare
recipients can apply a number of privacy settings to their MHR.
These privacy controls include a record access control, which protects
the entire record, a document access code, to restrict access to a particular
document, or a healthcare recipient could set up an email alert when a new
organisation first accesses the healthcare recipient's record. The Health Workers Union told the committee that restricted controls only
appear to apply to organisations, and that individual health providers are
'exempt' from those settings.
Applying a record access code would mean that the code would have to be
provided every time the MHR was accessed. Similarly, the document access code would need to be provided each time the
document was accessed.
Security and vulnerable groups
For some groups there are serious security concerns that do not appear
to be able to be addressed by the current privacy settings. These apply
especially to young people and women and children who have experienced family
Young people aged 14–17 years
Until a person is 18 years old, a person with parental responsibility
can be an Authorised Representative. The Authorised Representative is empowered under the My Health Records Act
2012 to do anything that the healthcare recipient would be able to do. This includes seeing all of the young person's clinical information except from
their Medicare Benefits Schedule (MBS) and Pharmaceutical Benefits Scheme (PBS)
data. A person ceases to have an authorised representative when they turn 18 or they satisfy
the System Operator that they want to manage their own MHR and can demonstrate
that they are able to do so. Under ADHA policy, this requires the young person
to obtain a letter from a health professional or a court.
Some submitters expressed concern that these settings may restrict the
ability of young people aged 14 to 17 to confidentially access healthcare.
Dr Robert Walker, a general practitioner from the Lindisfarne Clinic who
runs a clinic at a high school in Tasmania, told the committee that he no
longer believed that he could guarantee the absolute confidentiality of
clinical work. In his submission, Dr Walker explained that many students are unaware they may
have a MHR or that their parents may be able to see parts of their record, such
as pathology tests or pharmacy dispensing records, unless they had taken
control of their own record.
Dr Walker noted that while most parents are supportive, disclosure of
certain information could be detrimental to the student if the parent is not
Most parents are supportive but not always. There are risks
of poor outcomes if confidential data appears on a teenager's MyHR for others
to view. Students will be frightened and may not seek help in times of crisis.
Imagine the risks they face when their sexuality or their mental health issues
are exposed to unforgiving parents or religious orders! Some may be injured or
become homeless and self-harm is a constant concern.
One 17 year old told the committee that they were unaware that a record
had been created for them and that their parents were able to see the
information that was added to it:
I live away from home because my mother and I don't get
along. I didn't know I needed to take control of My Health Record to stop her
from seeing and controlling all of my personal information in My Health Record
and talking to my doctor.
A number of submitters and witnesses noted that there may be legitimate
reasons to seek medical advice, such as obtaining mental health or sexual
health information that a young person may prefer their parent did not know
To ensure that young people in this age group are aware of the MHR and
what it means for them, a number of submitters recommended that the ADHA
specifically tailor communications to target this demographic.
The ADHA advised the committee that specific material has been developed
to communicate information about MHR to young people and their parents which
had been reviewed by young people in coordination with Orygen Youth Health. The ADHA also noted that it had engaged heavily with social media, reaching 127
million social media accounts with over 127 000 pieces of content in accordance
with feedback received during the 2016 participation trials.
Orygen, The National Centre of Excellence in Youth Mental Health
(Orygen) explained that, as an organisation, it facilitated feedback on two
draft information sheets but that some of its other concerns have not been
addressed to its satisfaction. In particular, Orygen was not satisfied that timely and age-appropriate
information has been provided about opting out during the opt-out period.
The Australian Privacy Commissioner, Ms Angelene Falk, advised the
committee that she has asked the ADHA and the Department of Health (DOH) to
conduct additional consultation with a view to striking the right balance
between utility of the record and the privacy of people in the affected age
There have also been issues raised regarding the access by
parents to younger people's My Health Record parents after age 14 and concerns
relating to individuals at risk from family violence. I've asked the agency and
the department to give further consideration to these issues during the opt-out
period and to consult with affected stakeholders as to whether these settings
continue to strike the right balance between the utility of the record and the
protection of privacy. Strategies to address issues affecting vulnerable people
may include further education and engagement. Consideration may also be given
to whether further adjustments are required to these default settings.
Women and children in family
Submitters raised serious concerns that the system may be vulnerable to
unauthorised access, including by individuals who might have parental
responsibility for a child and may have been perpetrators of family violence.
The Law Council of Australia (LCA) explained that it may be possible for
a person's former partner to become an Authorised Representative on a child's MHR
because the broad definition of parental responsibility in family law
...a person who merely has an order that a child spend time
with that person. Frequently, a parent may retain parental responsibility for a
child whilst simultaneously being subject to an interim or final parenting
order made under the Family Law Act 1975 or the law of a state or territory.
As noted above, an Authorised Representative can see all of the clinical
information except for MBS and PBS data.
In particular, submitters were concerned that an individual may use the right
of access they may have as the parent of a child to obtain access to data that
may disclose or narrow down the possible residential address of their former
partner and child.
Submitters noted that potentially identifying information may range from
the name of a pharmacy or doctor that the child attended to letters from
specialists or other document that are uploaded to the MHR may include the
actual residential address of the former partner and child.
One submitter who had left a violent partner explained to the committee
that her child's MHR may disclose their location. The submitter noted that the
shared health summary includes an address field and that the activity log
reveals that the name of the only medical centre in suburb and the name of the
doctor that opened the record. The submitter's experiences of the navigating the system are set out in the
case study below.
Case Study—Escaping family violence
I am a separated parent, who has escaped family violence.
As far as I am aware, my ex-partner does not know where I currently live.
However, that may now have been compromised by the establishment of a My
Health Record for my son, because under the current legislation, my
ex-partner will be permitted to access all information in my son's record,
including documents that reveal our location – even if I try to remove them
from the system...
I was shocked to learn that my son's My Health Record
includes information that identifies our location. Specifically:
The activity log reveals which medical centre established the record.
There is only one medical centre in our small suburb. It is across the road
from my son's school, just a few blocks from our house. This effectively
gives away our location.
A shared health summary names the practitioner who authored it (and
whom google reveals is working in that same medical centre). This information
remained even when I tried to permanently remove that shared health summary
from the record.
The same shared health summary included a form field detailing our
home address. Fortunately for me, it was an outdated address. However, it
does raise the question of why an address has been included at all.
Currently, the only way to restrict his access to the
record is to get an order for sole parental responsibility. However, this
process could take months or even years, and going to court is not guaranteed
to result in such an order...
Without an order naming the child, the maximum period the
digital health agency can suspend my son's record is one month. This is
patently inadequate time to secure an order for sole parental responsibility,
or to add a child to a family violence order should the defendant choose to
challenge it. So, this offers very little protection to victims of Family
Violence. Furthermore, even though I have been told that my son's record is
currently suspended, I am still able to access it.
Submitters with experience of domestic violence noted that many perpetrators
of domestic violence are controlling and may have access to all of their
partner's passwords and constantly monitor where they go and what information
Women's Legal Service Queensland told the committee that these
tendencies meant that the system could inadvertently place women and their
children in danger:
We believe the "opt-out" requirement is
particularly dangerous if victims are unaware they have active My Health
Records, the types of information contained on these records, and the potential
for perpetrators to access this information. It is not uncommon for highly
dangerous perpetrators to constantly monitor women's lives including who she
communicates with, where she goes and her access to information. Perpetrators
often have access to (and in fact demand) access to all such accounts including
her passwords, controlling every aspect of her life. The media and controversy
around the roll out has not only alerted victims to potential safety concerns
but will also inadvertently alert perpetrators to a new possible way to enhance
control over their victims and children.
They noted that some of the information in a MHR could potentially be
used to escalate physical or verbal abuse toward the victim.
To ensure that all members of the community remain safe, many submitters
called for a greater level of education to be provided to the community.
The LCA suggested that one way to fix the problem might be to amend the
definition of 'parental responsibility' in the My Health Records Act 2012 to read that 'the child is to spend unsupervised time with the person'. According to the LCA, this amendment would have the effect that a person who
was subject to a restraining order or personal protection order that prevented
them from spending time with the child would not be considered to have
The DOH considered that the concern had been addressed by the privacy
settings that are already in the MHR system:
That's why there are all sorts of mechanisms for people to go
in and change the access environment in their records. But we are very
interested in what the Law Council and others have to say and we are always
interested in hearing these things and we are continually reviewing those
settings and so on.
The ADHA also explained that it had processes in place to suspend the
account of a child if there were concerns about family violence:
Practically speaking, the agency has operational processes in
place to respond to those situations so that a consumer—potentially a mother
fleeing a violent situation—could contact us and raise concern about safety for
herself or the child. The ex-partner would not be able to see the mother's
record but could see the child's. We would immediately suspend that record in
terms of stopping the authorised representatives from accessing it. We do that
immediately and then we undertake an investigation to ensure that any sort of
access is not putting the child at risk and those records can remain suspended
while there's any risk of that occurring.
However, as the above case study demonstrates, those restrictions appear
to apply for a period of 30 days, which may not be enough time to find a more
The committee is concerned by the possibility that the MHR system may
jeopardise the ability of young people and women to confidentially seek medical
advice without posing further risks to their physical or emotional wellbeing.
The committee notes that young people aged between 14 and 17 years may
have legitimate reasons to seek medical advice and may prefer that their
parents did not know about it.
The committee notes that the Australian Information Commissioner and
Privacy Commissioner and others have called on the ADHA to revise its strategy
for engaging with young people and how the default settings are currently
The committee is deeply concerned about the prospect that perpetrators
of domestic violence may be able to legitimately gain access to the records of
their children and potentially exploit that access to the potential detriment
of their former partner and their children. The committee is not satisfied that
women and children are adequately protected and believes that further work is
required to ensure that MHR is not used by perpetrators to gain access to
records. The committee notes the recommendation of the LCA as one way this
issue may be addressed. The committee understands that the ADHA is conducting
work to improve its response in this area. The committee urges them to continue
with that work and to engage more fully with providers of domestic violence
Who else could find out what is in MHR?
Employer nominated doctors
Some submitters raised concerns that an employer nominated health
practitioner could obtain access to the healthcare recipient's MHR and
potentially disclose information that the healthcare recipient would prefer was
kept confidential in the context of a pre-employment medical or workers
While this might seem like a remote possibility, Ms Leigh Svendsen from
the Health Services Union advised the committee that the union was aware of
cases where health information has been passed on to an employer by a health
The concern raised by unions and others was that the way the My Health
Records Act is drafted may make it entirely permissible for that information to
be passed to an employer.
The unions' concern is that access to information in the MHR is
dependent upon the provision of 'health care' which is broadly defined in the
Privacy Act 1988 to include 'assessing, maintaining, improving or managing the
individual's health'. Mr Christopher Watts from the Australian Council of Trade Unions noted that it
was his interpretation that such a broad definition could include examinations
of the individual for medical relating to a person's employment.
The DOH advised the committee that the information could not be used in
that way because subsection 14(2) of the Healthcare Identifiers Act 2010 prohibits
a healthcare provider from disclosing a healthcare identifier as part of
employing the healthcare recipient or examining the healthcare recipient in
connection with a contract of insurance.
The joint submission from the DOH and the Department of Human Services
(DHS) stated that it was not possible to access a MHR without collecting, using
or disclosing a healthcare identifier.
However, some witnesses disagreed with the departments' assessment. Mr Thomas
Ballantyne, a principal at Maurice Blackburn Lawyers told the committee that if
the MHR could be accessed using the individual's Department of Veterans'
Affairs file number or their Medicare number, then the restriction in the
Healthcare Identifiers Act did not apply:
I think the key thing is effectively whether you need to use
the healthcare identifier to access the My Health Record of a particular
patient. I went again on the digital health portal—the training for
providers—this morning, and it's clear that you can access a patient's My
Health Record with their healthcare identifier or a Medicare number or a DVA
I think that, on plain reading of section 14 of the
Healthcare Identifiers Act, it has to be the most likely outcome that, unless
you use that particular number, the offence doesn't apply—the exclusion doesn't
Other submitters, such as the Public Health Association of Australia and
Unions NSW noted that employers may ask employees to consent to the release of
information in their MHR. Under section 66 of the My Health Records Act, a participant may disclose for
any purpose health information included in the MHR with consent of the
DOH and the ADHA have made clear that it was certainly not intended that
the legislation would facilitate access to information contained in a MHR for
any purpose other than the provision of health care to the recipient.
A number of submitters, including Maurice Blackburn Lawyers, have
recommended that a provision similar to section 14(2) of the Healthcare
Identifiers Act 2010 be added to the My Health Records Act to clarify the
Some submitters raised concerns about whether information in a MHR could
be used for law enforcement purposes.
Section 70 of the My Health Records Act currently provides that information
may be disclosed for the purposes of law enforcement or the protection of
Whilst the committee was conducting this inquiry, the Community Affairs
Legislation Committee (Legislation Committee) was conducting an inquiry into
the My Health Records Amendment (Strengthening Privacy) Bill 2018 (Bill).
That Bill will, if passed, remove section 70 from the My Health Records
Act and replace it with a requirement that a 'designated entity' may apply to a
judicial officer for a warrant to obtain information in a MHR from the System
Operator, other than 'healthcare recipient-only notes'.
Submitters to this inquiry endorsed the measures in the Bill directed at
strengthening privacy provisions.
The committee considers that the MHR system should only be used to
provide access to information for the purpose of providing healthcare to the
healthcare recipient. The committee considers that where there is doubt about
whether information contained within the system may be used for that purpose, the
legislation should be clarified to ensure that the integrity of the system is
The committee notes the recommendation proposed by the unions and
Maurice Blackburn Lawyers that to avoid doubt, a provision similar to
section 14(2) of the Healthcare Identifiers Act 2010 should be
inserted into the My Health Records Act.
How else could information in the MHR system be used?
In addition to the provision of healthcare, MHR has the potential to
provide information that could be used in public health research. This is known
as secondary use.
Submitters broadly acknowledged that MHR data has the potential to have
significant public health research benefits, including improving insights into
population health issues and how people use the health system.
The default setting is that all people consent to the use of their
information for secondary use. However, they may withdraw this consent by
selecting the 'Withdraw Participation' button in their MHR.
Some submitters noted that this default setting was originally conceived
of in the context of an opt-in model. On that basis, it was reasonable to
assume that people who provided information made an informed choice when they
consented to their information being placed in the MHR system and that it may
include the secondary use of that data.
That informed consent is not necessarily true in an opt-out model. Some
submitters considered that healthcare recipients should be asked to provide
explicit consent to the secondary use of their data.
The LCA explained that the secondary use of data was at odds with
privacy laws because the healthcare recipient had not provided consent for
their data to be used in that way. Therefore, the LCA recommended that explicit
consent should be obtained:
The secondary use of their data is at odds with the
underlying principles in both Commonwealth and state privacy laws. These
principles provide that a health entity that holds information about a patient
can only use or disclose the information for the particular purpose for which
it was collected, unless the patient has explicitly consented to secondary use
or disclosure. The Law Council therefore recommends the patient must provide
explicit consent if their health information is obtained for a secondary
purpose or disclosure.
Whilst it is not currently possible, the Framework to guide the
secondary use of My Health Record system data (Secondary Use Framework)
notes that in time a dynamic consent model will be explored to allow consumers
to decide whether to participate in a research project on a case-by-case basis.
Whether healthcare recipients would be prepared to provide consent may
depend on the nature of the research projects under consideration.
Consumers Health Forum of Australia told the committee that its research
has found that consumers are more likely to give permission to projects if they
understand how their data is going to be used and what benefits might flow from
we believe there is a place for secondary use of
de-identified—that's a key word—My Health Record data. On the whole, so do
consumers. Our research shows that Australians want ownership and control of
their own health data and want to give consent when it is used by governments,
private companies and researchers. The same research also found that consumers
are more likely to give permission if they understand how their data will be
used and the benefits that will come from its use. There is a level of comfort among
the majority of consumers in data being used to support health providers to
improve care or make better policy. But consumers are significantly less
willing to share their data if it's to be used for commercial gain.
To ensure social license for the use of secondary data there is a need
to make sure that the data is used in a manner that the community would feel
To ensure that secondary data is used appropriately, the DOH has
developed the Secondary Use Framework which sets out the guiding principles for
the use of secondary data from the MHR system. The principles detail the
governance model, consumer control of data, applications and access to
secondary data, the process for requesting and accessing data, linkage privacy
protection, making data available, assurance processes and risk mitigation.
The Secondary Use Framework was developed after public consultation and
was supported by submitters to the inquiry. In particular, submitters were supportive of the principles that prohibited
insurance agencies from applying for data and that prohibited the release of
data for 'solely commercial purposes'.
DOH and DHS advised the committee that two examples that would be
prohibited were access to data for direct marketing to consumers or for the
assessment of insurance premiums or claims.
Some submitters raised concerns that secondary data, if it was released,
may be re-identified.
Whilst the DOH understood the concern, it noted that the linkage and data
custodian arrangements administered by the Australian Institute of Health and
Welfare are stringent and different from a previous case where Medicare data
was re-identified by some Melbourne based researchers.
The researchers who conducted the re-identification, Dr Chris Culnane,
Associate Professor Benjamin Rubinstein and Dr Vanessa Teague told the
committee that, while they welcomed the approach to not publish MHR data as
open data, they did not consider that would be sufficient to prevent
re-identification of datasets.
These researchers told the committee that they believed that the
technical difficulty of finding patients was low and that 'the presence of the
identifiable MBS-PBS data for 10% of the population is now a resource that an
attacker could leverage in My Health Record identification'.
The Privacy Commissioner told the committee that valuable lessons had
been learned from the previous experience and that the Secondary Use Framework
has been drafted to take account of those lessons:
Only to note that that matter was the subject of an
investigation by my office, and we did find that there was a breach of the
Privacy Act. What it brings to light, of course, is that with de-identified
information there needs to be very strict safeguards around that information.
In that case, it was around making information publicly available. That's not
what is envisaged by the secondary use framework as I understand it.
Third party access
Some submitters were concerned at the prospect that MHR data could be
made available, either now or in the future, to insurers or other commercial
These submitters raised concerns that while the Secondary Use Framework
currently prohibited access by third parties, the Secondary Use Framework would
only be in place in the short term, noting that health insurer access may be
prioritised in the first review.
Some submitters considered that a legislative amendment may be required
to ensure that insurers would not be able to access the data and to ensure that
their data is permanently protected from such interests.
The committee considers that there is great potential for data in the MHR
system to be used for population health research purposes, however, the
committee also recognises concerns that personal data be used for commercial
The committee notes that the current Secondary Use Framework does not
permit secondary data to be used for 'solely commercial purposes'. The
committee considers that this prohibition is appropriate but notes that there
is public interest in a more permanent solution being found to ensure that a healthcare
recipient's MHR data is only used for the purposes for which it was originally
Navigation: Previous Page | Contents | Next Page