Using My Health Record
Throughout the inquiry, submitters and witnesses provided evidence which
emphasised that My Health Records need to be usable for both healthcare
recipients and healthcare providers if the My Health Record (MHR) system is to
A MHR will be created for every Australian by the end of 2018 unless
they chose to opt-out. Following a 'trigger' event, a healthcare recipient's MHR will commence being
populated with health information. Unless a healthcare recipient has requested
otherwise, the MHR system's default access controls will be applied to their
MHR. These controls, in part, enable healthcare providers to access MHR
information for the purpose of providing healthcare.
This chapter considers the population of healthcare recipients' MHRs
with health information following a trigger event, and the default access
settings that will be applied to those MHRs when created by the System
Operator. The chapter considers healthcare providers' use of MHRs, and, in particular,
the balance which exists between MHR information being usable in clinical
settings and the privacy controls afforded to healthcare recipients.
Populating a MHR
When a registered healthcare recipient's MHR is created it will be empty. A MHR will start to be populated with certain health information when a
healthcare recipient first interacts with the health system, or when they first
log on to the MHR system to access their record. The Royal Australian College of General Practitioners (RACGP) described this
activation of healthcare recipients empty MHRs as 'trigger events'. Following a trigger event, two years' worth of a healthcare recipient's Medicare
Benefits Schedule (MBS) and Pharmaceutical Benefits Scheme (PBS) data will be
uploaded to their MHR, unless the recipient has applied a control that prevent
this from occurring.
The Australian Digital Health Agency (ADHA) outlined some of the health
information which will be uploaded following a trigger event:
...certain types of documents then start flowing into the
record – medicine prescription and dispense records, hospital discharge
summaries, pathology test results and diagnostic imaging reports, specialist
letters, event summaries and a curated shared health summary by a consumer's
GP. Medicare data such as the Australian Immunisation Register, Organ Donor
Register and MBS/PBS data also go into the record.
Some submitters raised concerns that many healthcare recipients are not
aware of what the MHR system's trigger events for populating a MHR are. Some submitters considered that healthcare recipients should have more notice
before this data is uploaded. It was argued that more should be done to alert healthcare
recipients to this. For example, Dr Nathan Pinskier, Chair, Expert Committee – eHealth and Practice
Systems, RACGP suggested that:
The consumer may not always be aware of that, so we believe
that the system should be strengthened so that the consumer is made aware that
when the trigger event occurs it's actually occurring: 'I see you have a shell
record. I see that nothing's been uploaded to it yet. Sending up a shared
health summary, an event summary, a pathology request—whatever—will create the
trigger event.' A positive consent flag should then get entered into the
system, and the consumer should be advised that they should log on to their My
Health Record through MyGov and the consumer portal and consider whether they
want to strengthen their controls.
The Health Workers Union expressed concern that, following a trigger
event, PBS and MBS data may be uploaded for people who may not have voluntarily
registered for a MHR, or for people who do not have a level of digital literacy
that would allow them to access their MHR to amend their default access controls
to prevent the upload.
The committee notes evidence from the ADHA that healthcare recipients'
past health information, such as older tests and medical reports, will not be
available in new MHRs.
Default access controls
The MHR system's consumer privacy controls are mandated by the My Health
Record Rule 2016, which, in part, specifies the default access controls applicable
to MHRs when created by the System Operator. The default access controls which must be enabled by the System Operator are as
- permit all registered healthcare provider organisations involved in the
care of a registered healthcare recipient to access the healthcare recipient's
My Health Record;
- include an access list of the registered healthcare provider
organisations that are permitted to access the healthcare recipient's My Health
Record because the organisation is involved in the care of the registered
- permit registered healthcare recipients to view the access list for
their My Health Record;
- remove a healthcare provider organisation from the access list for a
healthcare recipient's My Health Record if the organisation has not accessed
the healthcare recipient's My Health Record for a period of three years;
- permit registered healthcare recipients to:
- effectively remove records
from their My Health Record; and
- authorise the System
Operator to restore records which have previously been effectively removed; and
registered healthcare provider organisations that uploaded records to a
healthcare recipient's My Health Record to access those records, but only by
request to the System Operator, if the healthcare provider organisation is no
longer on the access list for the healthcare recipient's My Health Record.
RACGP observed that the default access controls of a MHR '...effectively
allow any healthcare provider with access to My Health Record to view, upload
and download from a consumer's My Health Record for the purposes of providing
healthcare.' RACGP recommended that consumers be prompted to review their access controls on
activation of their MHR.
Submitters expressed concern that the level of access to MHR information
enabled by the default access controls was too extensive. For example, Maurice
Blackburn Lawyers submitted that whilst the default access settings allowing
all registered MHR healthcare providers to access recipients' MHRs may have
been appropriate in an opt-in system, '...the same cannot be said of an out-out
system.' The Australian Council of Trade Unions similarly suggested that, given the MHR
system had transitioned from an opt-in to an opt-out system, the default access
controls should provide greater protection to individuals who may not be aware
that a MHR is being created for them.
The NSW Privacy Commissioner urged further consideration be given to the
default settings applied to MHRs:
Consideration should be given to altering the default
settings to ensure that individual privacy is protected. Access to health
information should remain limited until the individual record holder chooses to
allow a healthcare provider to have access to their health information.
Considering the impact the MHR system may have on vulnerable groups, the
NSW Privacy Commissioner informed the committee that the setting of access
controls will be central to managing the risk of inappropriate access to MHR
information and, given this, default privacy settings should be set at the
highest level. Positive Life NSW (PLNSW) and National Association of People with HIV Australia
(NAPWHA) explained sharing sensitive health information with all members of
their healthcare teams via the default settings applied to MHRs would
particularly effect people living with HIV, or people who inject or use drugs. PLNSW
and NAPWHA suggested this could potentially expose people who may not have the
capacity to adjust their MHR privacy settings to an unnecessary risk of
Similarly, the Federation of Ethnic Communities' Councils of Australia
...default settings for the MHR should be set at maximum
security and privacy with a prompt that offers individuals the choice to allow
for their health data to be shared with others including caregivers and medical
professionals should they wish.
Several other submitters expressed support for strengthening the default
privacy settings applied to healthcare recipients' MHRs.
Some submitters noted that MHRs included other privacy controls which
were not enabled by default. For example, the Consumers Health Forum of
Australia pointed out that healthcare recipients are able to set an access
control so that they are notified when their MHR has been accessed, however
this control is not applied by default. The ADHA informed the committee that the notification control was active in 136
644 MHRs, as at 2 September 2018.
To increase registered healthcare recipients' understanding of the MHR
system's default access settings, and broader privacy implications and controls
available, submitters and witnesses suggested that improved public information
and education is necessary. The need for better awareness of the MHR system's privacy implications are
considered in further detail in Chapter 4.
Record access code
In response to the open nature of the MHR system's default access
controls, some submitters suggested that the, currently optional, Record Access
Code (RAC) control should be applied to healthcare recipients' MHRs by default. Healthcare recipients are able to apply a RAC to the MHR to restrict a
healthcare provider from accessing their MHR without a code managed by the
recipient. A 'limited access document control' can also be enabled by healthcare
recipients to restrict healthcare providers' access to individual documents
within their MHRs. Ms Bettina McMahon, Chief Operating Officer, ADHA, informed the committee that,
2 September 2018, healthcare recipients had applied 16 848 RACs to their MHRs,
and 4109 limited documents access codes.
Some submitters suggested that the use of a RAC could provide security
benefits. For example, Dr Robert Merkel suggested that by using a RAC a
healthcare recipient could reduce the potential for unauthorised access to
...you can set a PIN on your My Health Record so that any new
healthcare provider who wants to see your My Health Record needs to ask you
what your PIN is, but that's not compulsory, and in the opt-out trial of the My
Health Record system only a very small percentage of people set a PIN. That
means that, if a hacker got access to a doctor's log-in credentials, for
instance, they would be able to access the My Health Record of the vast
majority of people, because they hadn't set an access code. If instead having
an access code was the default rather than the exception, the range of people
whom that hacker would be able to get access to would be very much reduced.
Mr Grahame Grieve, Principal, Health Intersections Pty Ltd, echoed the
view that potential unauthorised access to the MHR information through a
clinician portal could be negated through the use of a record code by default.
However, Mr Grieve noted a potential side effect of this protection could be
limitations to the accessibility of MHR information.
The Australian Medical Association (AMA) expressed similar concerns:
A decision to impose maximum security settings as a default
for all new My Health Records created by government under an opt out model,
would mean all clinical information uploaded to the patient's My Health Record
would remain invisible to the patient's treating healthcare providers unless
the patient creates myGov account and opts into their Record to relax these
privacy settings. The opt in approach has demonstrably failed in Australia to
achieve a critical mass adoption necessary to create a self-sustaining My
Health Record System with all the potential clinical benefits it offers.
The AMA suggested that the default application of record access codes to
all MHRs would, in effect, cause the system to operate more on an opt-in basis. RACGP suggested that there is a balance which exists between the two MHR
system's privacy requirements and system utility.
The committee recognises that MHRs will contain sensitive and
confidential health information. As such, it is the committee's view that the
MHR system's default access controls, which significantly impact how healthcare
recipients' MHR information is used, require further consideration. The
committee notes that following the creation of a MHR record by the System
Operator, a trigger event will cause significant health information to be
uploaded to the record. The committee also notes registered healthcare
recipients may not be aware that they can vary the access controls for their
MHRs, or may not have the ability to readily change those controls.
Many submitters expressed concern that the default access controls
applied to healthcare recipients MHRs are too 'open'. Submitters stressed that more
restrictive access controls should be applied to MHRs. The committee
acknowledges the evidence from some submitters that restricted access controls are
important for protecting vulnerable groups. The committee found this evidence particularly
compelling, and considers that the call for strengthened default access
controls is justified.
After a healthcare recipient's MHR has been created, healthcare
providers are able to commence using those records in the provision of
healthcare, subject to the healthcare recipient's MHR access controls.
Access to patients' health
MHRs have potentially significant clinical benefits through increasing
clinicians' access to patients' health information to improve the quality of
health care. The AMA summarised some of the clinical benefits in its submission:
Many of the greatest failures in patient care and safety
result when patients are required to move across the health system but their
clinical information does not follow them.
The My Health Record (Record) has the potential to circumvent
these limitations to ensure clinically important patient information is
available at the point of care, irrespective of the health care setting and the
location of the treating doctor. The result is better connected care, reduced
medical harm from avoidable medication complications and allergic reactions.
Some submitters noted that an MHR could be a significant advance on the
lack of information that practitioners may currently be contending with. Without
an electronic health record, the AMA explained that emergency doctors are
effectively 'flying blind' when treating the patient in front of them:
In plain terms, that's what they're doing, they're flying
blind and they're giving medications... There are 230,000 medication events
leading to hospitalisation in Australia every year, many due to lack of
The AMA also explained that for healthcare recipients who change
doctors, it can be very difficult to obtain proper information about that
Only 61 per cent of general practitioners, and 79 per cent of
pharmacists, who have used the MHR system reported '...one or more actual
benefits from use.' The most common benefit reported by general practitioners was the ability to
view information about a patient which was previously unknown, and 29 per cent
of pharmacists reported having avoided a potential adverse medicines event
through having access to patients' MHR information.
The Royal Australian College of Physicians (RACP) highlighted the
benefits of the MHR system's review function, which allows '...clinicians to read
and review opinions and decisions made by other clinicians on the same
patient'. Whilst noting imperfections of the MHR system, RACP suggested the review
functionally is an improvement to the current system where there can be
complete lack of visibility for clinicians who are not the patient's main
consulting clinician. RACP commented:
...the review and information repository functions are one of
the key characteristics of MHR that makes it an important building block for
better integrated care. Even though interactive functionality of the MHR is
currently limited, having this infrastructure in place can be an important
first step for adding more sophisticated functionality to the platform later.
The benefits of improved access to clinical data through patients' MHRs
may also assist patients in better understanding and engaging with their
clinical care. As observed by the AMA:
Research indicates 40-80 per cent of medical information
provided by healthcare practitioners is forgotten immediately by patients. If
patients have access to their clinical data in their My Health Record, they are
more likely to understand their health conditions, adhere to treatment advice
and engage more actively with their treating clinicians in their ongoing care.
This will also assist in increasing overall patient health literacy which will
improve long term health outcomes and indeed improve prevention and education
The Australian Healthcare and Hospitals Association submitted that MHRs,
with active use and updating, have the potential to be very empowering for both
clinicians and patients.
Submitters to the inquiry raised concerns regarding the utility of the
MHR system in clinical settings.
A concern frequently raised by submitters was the issue of how
comprehensive the information in healthcare recipients' MHRs will be, and the
potential consequences of incomplete information in clinical settings. MHRs are
designed to be personally controlled by healthcare recipients. This means that
they can effectively hide or remove clinical records from their MHR. Submitters
noted that the personally controlled nature of the record contains an inherent
limitation, in that a MHR can only be considered a component or summary of a
person's broader health information.
The RACP submitted that the usefulness of the MHR system will ultimately
depend on the quality and comprehensiveness of the information uploaded. RACP
explained the elements of information comprehensiveness and the risks to
patient safety that could arise from the potential incompleteness of patient
There are two dimensions to comprehensiveness. There is
firstly the extent of coverage of the MHR (of both patients and clinicians).
Secondly there is the question of the completeness of the patient record.
However, there will realistically be limits on this comprehensiveness because
some people may choose to opt-out. In addition, under current provisions,
people are also able to limit which healthcare provider organisations can access
their MHR or restrict access to selected part of their record. These choices
must be respected as a matter of patient autonomy. However, the possible
incompleteness of the patient record introduces some risks to patient safety if
clinicians treat it as a complete record and use it as a substitute for having
an appropriate conversation with the patient or pursuing further investigations
Some submitters expressed concern that the MHR system's privacy controls
available to registered healthcare recipients could adversely impact the
completeness of their MHR. For example, the Australian Psychological Society
The reliability of health information held in MHR is further
reduced by inconsistent approaches to uploading health information by providers
and the ability for consumers to remove or restrict access to important
information. There is currently no requirement for health providers to upload
all clinical information to the MHR. Thus, a person's MHR may omit significant
amounts of relevant information. This means that even in an emergency, treating
practitioners cannot rely on the information contained in a MHR when making
The AMA NSW, whilst acknowledging that patients have the fundamental
right to determine what health information is included in their MHR and who can
access it, suggested that a patient-controlled electronic system may lead to
omissions of information which may undermine the usefulness of MHRs. The University of Melbourne echoed this view, noting that whilst the privacy
rationale for general practitioners' uploading of health information to MHRs
only with patients' explicit consent is clear, incomplete information in MHRs
is an inhibitor to the clinical utility of those records.
A number of other submitters noted that if an MHR is incomplete or out
of date, the record's utility as a clinical tool is reduced. Mr Paul Shetler, the former head of the Digital Transformation Office,
questioned whether MHRs were being regularly updated. Based on a briefing he
received in 2015, Mr Shetler told the committee that only a minority of
healthcare recipients actually updated their records:
Of the 10 per cent of the Australians who had My Health
Record, 10 per cent of them were having their health records updated with any
kind of regularity. That was one per cent of the population
To access the MHR system through a clinical information system (CIS),
health providers need to:
be using conformant software which has a secure and encrypted
connection to the My Health Record system;
- be authorised to access the system by the healthcare provider
- be providing healthcare to a patient of the practice who has had
a record created on the local Clinical Information System (with patient name,
Medicare card number, date of birth and gender as part of the local record).
The ADHA noted that healthcare provider organisations must be registered
to access the MHR system, and indicated it was important providers use
up-to-date version of their CIS.
Some submitters noted that the software currently used by clinicians may
not be well-integrated with the MHR interface and that this may lead to
information gaps in MHRs. For example, the APS said in its submission:
Currently, psychologists are unable to write data to the MHR
as the MHR interface is not compliant with the practice software for
psychologists. This means that essential health information will not be
included in a person's MHR. The absence of this important health information
dilutes the continuity of care for consumers and reduces the reliability of
The RACGP noted a similar concern that if a CIS used in a general
practice was not the latest version, then the MHRs functions may not fully
integrate with their CIS. RACGP noted that such compatibility challenges pose
significant barrier to adopting the MHR.
Dr Andrew Magennis, a general practitioner with extensive experience in
medical software, noted that the MHR system is currently operating as a
document management system, which, on viewing by a clinician, presents a list
of documents which the clinician then has to open to determine contents and
repeat this process with other documents until an understanding of the health
context is determined. This view aligned with that of an individual submitter, who noted that there
does not appear a way for the data from a health-related document in their MHR
can be summarised for the use of healthcare professionals.
The Australian Privacy Foundation was particularly critical of the
document management capability in MHRs and suggested little clinically useful
data would be included.
Break glass (override functionality)
Some submitters noted that access codes could inhibit practitioners from
accessing information that could be clinically necessary. For that reason, MHR
includes a 'break glass' feature that allows practitioners who are in emergency
situations and need to access the information to do so.
The break glass functionality will, in an emergency situation, allow a
healthcare provider to access the record or documents which a healthcare
recipient had applied an access code to. The ADHA, the current System Operator,
submitted that each break glass event would be investigated.
Consumers of Mental Health WA observed that provisions are not made to
restrict which health professionals can use the break glass function. Multiple Sclerosis Australia noted that healthcare recipients can elect to
receive a message or email when the break glass function had been used.Dr
Donald Rose, Summerdale Medical Practice, considered that the inability for
healthcare recipients to block the break glass function from overriding a
record access control is a major system flaw.
Additional administration and costs
for healthcare providers
Some submitters expressed concern that the MHR system may lead to
additional work that would be passed on to the healthcare provider, or that the
provider would not be appropriately remunerated for the additional work that
the MHR system requires. For example, MIGA commented that excessive
administrative and time burdens can pose challenges for health providers using
the MHR system:
...the investments needed by practitioners and healthcare
organisations in time, finances and understanding to use My Health Record
effectively are significant. The capacity to do this varies significantly
across professionals and locations.
The Royal Australian and New Zealand College of Radiologists (RANZCR) noted
that, at present, only a small number of radiologists are uploading clinical
radiologists reports to MHRs and that this was due, in part, to costs. RANZCR argued that, due to radiology providers treating a large number of
patients, the '...administrative costs associated with digital health, while
relatively minor per patient, can become burdensome and costly in aggregate.'
The Law Council of Australia (LCA) suggested that healthcare providers
who assist patients with their MHR registration may not be able to bill
Medicare for that time, and was conscious that, for some providers, MHRs could
be perceived as a burden on their limited consulting time. The LCA recommended:
The Inquiry consult further with health practitioners about
assisting patients with their MHR in a way that provides health practitioners
with reasonable remuneration for their expertise and time to do so.
Currently, the Practice Incentives Program (PIP) eHealth Incentive program
provides financial incentives for general Practitioners who meet set targets
for uploading shared health summaries to healthcare recipients' MHRs. The PIP eHealth Incentive program does not, however, provide incentives for
general practitioners to update healthcare recipients' MHR information. Submitters noted that a similar incentive program is not in place for other
health professions. RACP recommended that provider readiness incentives should be provided to
hospital and community-based specialist physicians.
The Australian Association of Social Workers also expressed concern that
the implementation of the MHR system may create a financial burden for accredited
mental health social workers:
...the [Australian Association of Social Workers] shares the
concerns of other allied Health professions that the cost of conformant
software is prohibitive, especially for Accredited Mental Health social workers
who are mainly in practice as sole operators or as part of small practices.
Compared with the situation of general practices and other health services,
social workers in private practice face significant financial burden in
participating in My Health Record.
The committee recognises that access to patient information is currently
problematic for healthcare providers in clinical settings and that poor
information can cause serious adverse impacts for patients' healthcare. In the
committee's view, the MHR system provides an improvement to the information
currently available to healthcare providers, which should improve the quality
of care provided to healthcare recipients. The committee notes that some
submitters anticipate MHRs will provide healthcare recipients with a better
understanding of, and engagement with, their clinical care. The committee
considers that MHRs, if managed correctly, can empower both healthcare providers
and healthcare recipients.
However, the committee strongly believes that realising the benefits of
MHRs in clinical use will involve overcoming some widespread issues. For
example, the comprehensiveness of healthcare recipients' MHR information was a
concern raised by many submitters during the inquiry. Healthcare providers submitted
that, whilst healthcare recipients have a fundamental right to determine how
their information is used, recipients using increased privacy controls in their
MHRs can make providers' access, and contribution to, their MHR information
difficult. Submitters stated that incomplete information in healthcare
recipients' MHRs will reduce the clinical utility of those records.
Healthcare providers have also reported experiencing difficulty in
accessing MHR information through their clinical information systems. Some
submitters were concerned that healthcare providers face an administrative and
cost burden in engaging with the MHR system. The committee believes that such
issues could undermine the efficiency of the MHR system, and that the System
Operator should take a lead role in investigating these issues. Where
necessary, the System Operator should develop solutions which maximise the MHR
Navigation: Previous Page | Contents | Next Page