Chapter 5

Conclusion and recommendations

5.1        The My Health Record (MHR) system is a significant healthcare reform with the potential to improve the quality of healthcare and health outcomes for many Australians. To achieve this, the system needs a high degree of support from both the public and medical practitioners. For this to happen, both the public and medical practitioners need to have a high degree of confidence in the integrity of the system.

5.2        However, the MHR system presents considerable operational complexity given its application in a wide variety of healthcare settings, and the diverse healthcare and privacy needs of the healthcare recipients using it. The committee considers that the transition to an opt-out participation model has highlighted some significant tensions within the system.

System utility at the expense of patient privacy and security

5.3        The committee notes evidence received from inquiry participants regarding a need for balance between access for clinicians and privacy controls for healthcare recipients. The committee received evidence that highlighted the significant clinical benefits that could be achieved through the MHR system. The ability to ensure that clinically important medical information is available at the point of care, where ever that might be, should result in improved patient care and patient safety, improved  medical communication and improved continuity of care between providers.

5.4        To achieve an appropriate level of utility within the MHR system, it is important to have broad participation in the system, that the information held within the system is as accurate and complete as possible, and that those medical practitioners who need to access a healthcare recipient's MHR are able to do so in a timely, efficient and secure manner. However, this level of utility should not to be achieved at the expense of a healthcare recipient's privacy or security.

5.5        Healthcare information is a particularly sensitive category of information, and requires significant protection within the health system. Some evidence received during this inquiry suggests that an unreasonable compromise has been struck between ensuring the utility of the system, through an opt-out mechanism and low default access settings, and safeguarding the privacy and safety of healthcare recipients.

5.6        The committee notes that amendments currently before the Senate[1] have the potential to strengthen some of the privacy and security protections within the MHR system. However, the committee considers that further amendments are necessary if the Australian public is to have confidence in the MHR system.

Informed consent

5.7        Evidence to the committee suggests that a level of implied consent is implicit in an opt-out participation model. However, the committee is not persuaded that this can be assumed. The fact that an individual does not opt-out of the MHR system, or does not take steps to restrict access to part or all of their MHR, does not necessarily mean that they have understood the risks and benefits of the MHR system and made a considered decision based on this. As a number of submitters indicated, it could simply mean that they do not fully appreciate what a MHR is, or who has access to it and in what circumstances.

5.8        While the committee appreciates that the opt-in participation model was not successful in delivering the critical mass necessary for the success of the MHR system, it considers that the current opt-out model has swung too far in favour of ease of access and has not focussed enough on the importance of ensuring that the public is able to make an informed choice about whether to participate in the system and the level of security they might require if they do.

Default access settings

5.9        It is the committee's view that the responsibility of the System Operator to apply considered and robust default settings that protect the privacy of all registered healthcare recipients is considerably increased under an opt-out model.

5.10      The committee appreciates that a strong rationale exists for designing the MHR system in favour of reasonable access for clinicians. However, the committee notes that when healthcare recipients' MHRs are created, the default access settings applied to their records will be, as many submitters described, 'open'. Evidence to the committee does not support a high degree of confidence that individuals are aware of this and recognise that they should review the access settings applying to their MHR to ensure that they reflect their personal circumstances. However, the committee notes evidence that where healthcare recipients have received an explanation of the risks and benefits of the system and the mechanisms available to them to control access to their MHR, they have reacted positively to the MHR system.

5.11      In this context, the committee considers that the default access settings should be considerably higher and should only be relaxed when the healthcare recipient explicitly consents to this.

Recommendation 1

5.12      The committee recommends that record access codes should be applied to each My Health Record as a default and that individuals should be required to choose to remove the code. The committee further recommends that the ability to override access codes in the case of an emergency should only be available to registered healthcare providers for use in extraordinary and urgent situations.

Protecting the privacy and security of vulnerable people

5.13      The committee is mindful that MHRs will be used by a diverse range of Australians, some of whom may have unique circumstances or vulnerabilities that make the information in their MHRs particularly sensitive. The committee considers that having a MHR should not compromise the safety of vulnerable people and/or jeopardise their ability to confidentially seek medical advice. The committee is deeply concerned by evidence that perpetrators of domestic violence may be able to legitimately gain access to MHR records and exploit this to the detriment of their former partner or children.

5.14      The committee considers that careful consideration must be given to the use of MHRs by vulnerable people, particularly young people aged between 14–17 years or people escaping from domestic violence, and the protections offered to address their particular circumstances. The committee urges the Australian Digital Health Agency (ADHA) to work closely with service providers who support young people and people experiencing domestic violence. However, the committee considers the seriousness of these concerns warrants a legislative response.

Recommendation 2

5.15      The committee recommends that the Australian Government amend the My Health Records Act 2012 to protect the privacy of children aged 14 to 17 years unless they expressly request that a parent be a nominated representative.

Recommendation 3

5.16      The committee recommends that the Minister for Health amend the My Health Record Rule 2016 to extend the period for which a My Health Record can be suspended in the case of serious risk to the healthcare recipient, such as in a domestic violence incident.

Secondary use of MHR data

5.17      The committee recognises that information held within the MHR system has the potential to create a valuable data set.  The committee notes evidence that MHR data could make a significant contribution to public health research, providing insights into population health issues and patterns of use of the health system.

5.18      At the same time, the committee notes that the default setting for secondary use of MHR data is that an individual is assumed to have consented to the use of their data, unless they actively withdraw this consent. The committee considers that while such an assumption may have been reasonable under an opt-in participation model, where an individual chose to create a MHR, it is not reasonable under an opt-out model.

Recommendation 4

5.19      The committee recommends that data which is likely to be identifiable from an individual's My Health Record not be made available for secondary use without the individual's explicit consent.

5.20      The committee also notes concerns that MHR data could be made available for commercial purposes, by insurers and other commercial entities. The committee considers that in order for the Australian public to place their trust in the MHR system, there must be no doubt that MHR data, including de-identified data, will not be used for commercial purposes. The committee notes that the current Secondary Use Framework prohibits the use of data for 'solely commercial purposes'. The committee recognises that there is a lack of clarity around this prohibition.

Recommendation 5

5.21      The committee recommends that the current prohibition on secondary access to My Health Record data for commercial purposes be strengthened to ensure that My Health Record data cannot be used for commercial purposes.

Access by third parties

5.22      The committee notes concerns regarding third party access to information within the MHR system. In particular, the committee is concerned by evidence suggesting that MHR data could be made available to employers by employer nominated health practitioners or that employers may ask employees to consent to the release of information in their MHR. The committee notes evidence from the Department of Health and the ADHA that it is not intended that information contained in an individual's MHR could be accessed for any purpose other than the provision of health care to that individual. The committee considers that this intention should be made explicit in the legislation.  

Recommendation 6

5.23      The committee recommends that no third-party access to an individual's My Health Record be permissible, without the explicit permission of the patient, except to maintain accurate contact information.

5.24      The committee is concerned by evidence indicating the protection provided by the current prohibition in the Healthcare Identifiers Act 2010 on healthcare providers disclosing a healthcare identifier in an employment context could be circumvented. The committee is also concerned by evidence suggesting that employees may be coerced by an employer into providing their consent for access to their MHR. The committee considers that the legislation must be strengthened to ensure that an employee's right to privacy is protected in the context of employer-directed health care.

Recommendation 7

5.25      The committee recommends that the Australian Government amend the My Health Records Act 2012 and the Healthcare Identifiers Act 2010 to ensure that it is clear that an individual's My Health Record cannot be accessed for employment or insurance purposes.

Recommendation 8

5.26      The committee recommends that access to My Health Records for the purposes of data matching between government departments be explicitly limited only to a person's name, address, date of birth and contact information, and that no other information contained in a person's My Health Record be made available.

Deletion of records

5.27      The committee notes concerns regarding the practicality of measures providing for the permanent deletion of records. The committee recognises that amendments contained in legislation currently before the Senate will require the permanent destruction of any record upon request from a healthcare recipient.[2] Evidence to the inquiry has expressed concern about the extent to which such a request can be satisfied, noting that it is standard practice to create backups of databases and create cache files. The committee considers that the MHR system must include measures to ensure that any saved version of a person's MHR record is permanently destroyed in such circumstances and that cached or back-up versions of MHR records cannot be accessed by third parties, even after they have been deleted.

Recommendation 9

5.28      The committee recommends that the legislation be amended to make explicit that a request for record deletion is to be interpreted as a right to be unlisted, and as such, that every record is protected from third-party access even after it is deleted, and that no cached or back-up version of a record can be accessed after a patient has requested its destruction.

Supporting individuals and practitioners to engage with the MHR system

5.29      The committee is concerned that the current communication campaign has been insufficient to communicate a clear understanding of the MHR system and the significance of the change to an opt-out participation model. The committee considers that the campaign to date has focussed on achieving a broad level of awareness of the MHR system and the ability for individuals to opt-out and that this is insufficient to enable people to understand and consider their options.

5.30       The committee considers that, in an opt-out system, it is more important than ever to ensure that individuals understand the benefits of the system, the privacy and security implications of participation in the system and the degree of control they can exercise over access to their MHR before they decide whether or not to opt-out. Without a commitment to a comprehensive communications campaign, many individuals will be denied the opportunity to make an informed choice regarding their involvement in the system and many of the system's important security features will be rendered redundant.

5.31      The committee is concerned that the ADHA's tracking of the campaign is not adequately identifying the extent of the public's awareness of the security and privacy measures within the system and what they need to do to activate them. As already discussed, the default settings for controlling access to a MHR have been deliberately set to provide an 'open' level of access to maximise the utility of the system. The committee has already noted its concerns regarding the implications of this for some vulnerable groups.

Recommendation 10

5.32      The committee recommends that the Australian Digital Health Agency revise its media strategy to provide more targeted comprehensive education about My Health Record.

5.33      The committee is particularly concerned for those in the Australian community who may experience difficulty accessing and using the MHR system. Many Australians face a range of practical impediments to their engagement with the MHR system. For example, the committee heard that the system assumes a level of connectivity and digital literacy that many individuals living in rural and remote communities simply do not have. Many groups within the community will not be able to readily access the identity documents needed to opt-out. The committee also notes evidence that people living with disability may have limited access to the MHR portals.

5.34      The committee recognises that the ADHA has developed strategies to ensure certain groups of 'hard to service' individuals, such as adult prisoners and juvenile detainees and defence personnel deployed overseas. However, the committee is concerned by evidence that suggests some vulnerable or hard to reach individuals may not have received timely and appropriate information and support to enable them to exercise their rights in relation to the MHR system.

5.35      At the same time, the committee considers that the Australian Government and the ADHA must redouble efforts to ensure that the Australian public has a clear understanding of the benefits and risks of the MHR system and the steps they can take to manage their privacy and security within it.

Recommendation 11

5.36      The committee recommends that the Australian Digital Health Agency identify, engage with and provide additional support to vulnerable groups to ensure that they have the means to decide whether to opt out, whether to adjust the access controls within their My Health Record and how to do this.

Recommendation 12

5.37      The committee recommends that the Australian Government commit additional funding for a broad-based education campaign regarding My Health Record, with particular regard to communicating with vulnerable and hard to reach communities.

Recommendation 13

5.38      The committee recommends that the Australian Government extend the opt-out period for the My Health Record system for a further twelve months.

Ongoing parliamentary oversight of the MHR system

5.39      The MHR system has the potential to revolutionise the quality and continuity of healthcare in Australia.

5.40      Any system that draws together personal health information on this scale involves a level of risk. In assessing the measures in the system to manage these risks, the committee has been mindful of what the MHR system seeks to replace. Under the current system, there is a lack of interoperability and a lack of sophistication in the transfer of medical records between practitioners that does not meet the expectations of either healthcare recipients or medical practitioners. For example, the committee notes that there is still a high reliance on fax machines to transmit medical records.

5.41      The ability for multiple doctors and allied health practitioners, treating the same patient, in different places over a period of time, to access relevant patient clinical data at the time of treatment should result in safer, faster and more efficient health care and better health outcomes. However, it is important that the patient safety considerations in this equation are not neglected in the interests of speed and efficiency, either within the system itself, or in its implementation.

5.42      This inquiry has identified a number of key areas where the committee considers patient security appears to have been compromised in favour of the needs of health practitioners. It has made recommendations to address these concerns. At the same time, it is acutely aware of the need to continue to strive for an appropriate balance between patient privacy and security and the utility of the system for health practitioners.

5.43      The committee considers that the importance of this task and the significance of the privacy and security concerns identified with the implementation and administration of the MHR to date, warrant a level of ongoing parliamentary oversight.

5.44      The committee considers that public confidence in the integrity of the system would be enhanced by greater transparency in its administration. This includes greater transparency in tracking and evaluating understanding of and engagement with the system by individuals and medical practitioners.

Recommendation 14

5.45      The committee recommends that the My Health Record system's operator, or operators, report regularly and comprehensively to Parliament on the management of the My Health Record system.

Senator Rachel Siewert
Chair

Navigation: Previous Page | Contents | Next Page

Top