Conclusion and recommendations
The My Health Record (MHR) system is a significant healthcare reform
with the potential to improve the quality of healthcare and health outcomes for
many Australians. To achieve this, the system needs a high degree of support
from both the public and medical practitioners. For this to happen, both the
public and medical practitioners need to have a high degree of confidence in
the integrity of the system.
However, the MHR system presents considerable operational complexity
given its application in a wide variety of healthcare settings, and the diverse
healthcare and privacy needs of the healthcare recipients using it. The
committee considers that the transition to an opt-out participation model has
highlighted some significant tensions within the system.
System utility at the expense of patient privacy and security
The committee notes evidence received from inquiry participants
regarding a need for balance between access for clinicians and privacy controls
for healthcare recipients. The committee received evidence that highlighted the
significant clinical benefits that could be achieved through the MHR system.
The ability to ensure that clinically important medical information is
available at the point of care, wherever that might be, should result in improved
patient care and patient safety, improved medical communication and improved
continuity of care between providers.
To achieve an appropriate level of utility within the MHR system, it is important
to have broad participation in the system, that the information held within the
system is as accurate and complete as possible, and that those medical
practitioners who need to access a healthcare recipient's MHR are able to do so
in a timely, efficient and secure manner. However, this level of utility should
not be achieved at the expense of a healthcare recipient's privacy or
Healthcare information is a particularly sensitive category of
information, and requires significant protection within the health system. Some
evidence received during this inquiry suggests that an unreasonable compromise has
been struck between ensuring the utility of the system, through an opt-out
mechanism and low default access settings, and safeguarding the privacy and
safety of healthcare recipients.
The committee notes that amendments currently before the Senate have the potential to strengthen some of the privacy and security protections
within the MHR system. However, the committee considers that further amendments
are necessary if the Australian public is to have confidence in the MHR system.
Evidence to the committee suggests that a level of implied consent is
implicit in an opt-out participation model. However, the committee is not
persuaded that this can be assumed. The fact that an individual does not
opt-out of the MHR system, or does not take steps to restrict access to part or
all of their MHR, does not necessarily mean that they have understood the risks
and benefits of the MHR system and made a considered decision based on this. As
a number of submitters indicated, it could simply mean that they do not fully
appreciate what a MHR is, or who has access to it and in what circumstances.
While the committee appreciates that the opt-in participation model was
not successful in delivering the critical mass necessary for the success of the
MHR system, it considers that the current opt-out model has swung too far in
favour of ease of access and has not focussed enough on the importance of
ensuring that the public is able to make an informed choice about whether to
participate in the system and the level of security they might require if they
Default access settings
It is the committee's view that the responsibility of the System
Operator to apply considered and robust default settings that protect the
privacy of all registered healthcare recipients is considerably increased under
an opt-out model.
The committee appreciates that a strong rationale exists for designing
the MHR system in favour of reasonable access for clinicians. However, the
committee notes that when healthcare recipients' MHRs are created, the default
access settings applied to their records will be, as many submitters described,
'open'. Evidence to the committee does not support a high degree of confidence
that individuals are aware of this and recognise that they should review the access
settings applying to their MHR to ensure that they reflect their personal
circumstances. However, the committee notes evidence that where healthcare
recipients have received an explanation of the risks and benefits of the system
and the mechanisms available to them to control access to their MHR, they have
reacted positively to the MHR system.
In this context, the committee considers that the default access
settings should be considerably higher and should only be relaxed when the
healthcare recipient explicitly consents to this.
The committee recommends that record access codes should be applied to
each My Health Record as a default and that individuals should be required to
choose to remove the code. The committee further recommends that the ability to
override access codes in the case of an emergency should only be available to
registered healthcare providers for use in extraordinary and urgent situations.
Protecting the privacy and security of vulnerable people
The committee is mindful that MHRs will be used by a diverse range of
Australians, some of whom may have unique circumstances or vulnerabilities that
make the information in their MHRs particularly sensitive. The committee
considers that having a MHR should not compromise the safety of vulnerable
people and/or jeopardise their ability to confidentially seek medical advice. The
committee is deeply concerned by evidence that perpetrators of domestic
violence may be able to legitimately gain access to MHR records and exploit
this to the detriment of their former partner or children.
The committee considers that careful consideration must be given to the
use of MHRs by vulnerable people, particularly young people aged between 14–17
years or people escaping from domestic violence, and the protections offered to
address their particular circumstances. The committee urges the Australian Digital
Health Agency (ADHA) to work closely with service providers who support young
people and people experiencing domestic violence. However, the committee
considers the seriousness of these concerns warrants a legislative response.
The committee recommends that the Australian Government amend the My
Health Records Act 2012 to protect the privacy of children aged 14 to 17
years unless they expressly request that a parent be a nominated
The committee recommends that the Minister for Health amend the My
Health Record Rule 2016 to extend the period for which a My Health Record can
be suspended in the case of serious risk to the healthcare recipient, such as
in a domestic violence incident.
Secondary use of MHR data
The committee recognises that information held within the MHR system has
the potential to create a valuable data set. The committee notes evidence that
MHR data could make a significant contribution to public health research, providing
insights into population health issues and patterns of use of the health
At the same time, the committee notes that the default setting for
secondary use of MHR data is that an individual is assumed to have consented to
the use of their data, unless they actively withdraw this consent. The
committee considers that while such an assumption may have been reasonable
under an opt-in participation model, where an individual chose to create a MHR,
it is not reasonable under an opt-out model.
The committee recommends that data which is likely to be identifiable
from an individual's My Health Record not be made available for secondary use
without the individual's explicit consent.
The committee also notes concerns that MHR data could be made available
for commercial purposes, by insurers and other commercial entities. The
committee considers that in order for the Australian public to place their
trust in the MHR system, there must be no doubt that MHR data, including
de-identified data, will not be used for commercial purposes. The committee
notes that the current Secondary Use Framework prohibits the use of data for
'solely commercial purposes'. The committee recognises that there is a lack of
clarity around this prohibition.
The committee recommends that the current prohibition on secondary access
to My Health Record data for commercial purposes be strengthened to ensure that
My Health Record data cannot be used for commercial purposes.
Access by third parties
The committee notes concerns regarding third party access to information
within the MHR system. In particular, the committee is concerned by evidence
suggesting that MHR data could be made available to employers by employer
nominated health practitioners or that employers may ask employees to consent
to the release of information in their MHR. The committee notes evidence from
the Department of Health and the ADHA that it is not intended that information
contained in an individual's MHR could be accessed for any purpose other than
the provision of health care to that individual. The committee considers that
this intention should be made explicit in the legislation.
The committee recommends that no third-party access to an individual's
My Health Record be permissible, without the explicit permission of the
patient, except to maintain accurate contact information.
The committee is concerned by evidence indicating the protection
provided by the current prohibition in the Healthcare Identifiers Act 2010 on healthcare providers disclosing a healthcare identifier in an employment
context could be circumvented. The committee is also concerned by evidence
suggesting that employees may be coerced by an employer into providing their
consent for access to their MHR. The committee considers that the legislation
must be strengthened to ensure that an employee's right to privacy is protected
in the context of employer-directed health care.
The committee recommends that the Australian Government amend the My
Health Records Act 2012 and the Healthcare Identifiers Act 2010 to
ensure that it is clear that an individual's My Health Record cannot be accessed
for employment or insurance purposes.
The committee recommends that access to My Health Records for the
purposes of data matching between government departments be explicitly limited
only to a person's name, address, date of birth and contact information, and
that no other information contained in a person's My Health Record be made
Deletion of records
The committee notes concerns regarding the practicality of measures
providing for the permanent deletion of records. The committee recognises that
amendments contained in legislation currently before the Senate will require
the permanent destruction of any record upon request from a healthcare
recipient. Evidence to the inquiry has expressed concern about the extent to which such a
request can be satisfied, noting that it is standard practice to create backups
of databases and create cache files. The committee considers that the MHR
system must include measures to ensure that any saved version of a person's MHR
record is permanently destroyed in such circumstances and that cached or
back-up versions of MHR records cannot be accessed by third parties, even after
they have been deleted.
The committee recommends that the legislation be amended to make
explicit that a request for record deletion is to be interpreted as a right to
be unlisted, and as such, that every record is protected from third-party
access even after it is deleted, and that no cached or back-up version of a
record can be accessed after a patient has requested its destruction.
Supporting individuals and practitioners to engage with the MHR system
The committee is concerned that the current communication campaign has
been insufficient to communicate a clear understanding of the MHR system and
the significance of the change to an opt-out participation model. The committee
considers that the campaign to date has focussed on achieving a broad level of
awareness of the MHR system and the ability for individuals to opt-out and that
this is insufficient to enable people to understand and consider their options.
The committee considers that, in an opt-out system, it is more
important than ever to ensure that individuals understand the benefits of the
system, the privacy and security implications of participation in the system
and the degree of control they can exercise over access to their MHR before
they decide whether or not to opt-out. Without a commitment to a comprehensive
communications campaign, many individuals will be denied the opportunity to
make an informed choice regarding their involvement in the system and many of
the system's important security features will be rendered redundant.
The committee is concerned that the ADHA's tracking of the campaign is
not adequately identifying the extent of the public's awareness of the security
and privacy measures within the system and what they need to do to activate
them. As already discussed, the default settings for controlling access to a
MHR have been deliberately set to provide an 'open' level of access to maximise
the utility of the system. The committee has already noted its concerns
regarding the implications of this for some vulnerable groups.
The committee recommends that the Australian Digital Health Agency
revise its media strategy to provide more targeted comprehensive education
about My Health Record.
The committee is particularly concerned for those in the Australian
community who may experience difficulty accessing and using the MHR system. Many
Australians face a range of practical impediments to their engagement with the
MHR system. For example, the committee heard that the system assumes a level of
connectivity and digital literacy that many individuals living in rural and
remote communities simply do not have. Many groups within the community will
not be able to readily access the identity documents needed to opt-out. The
committee also notes evidence that people living with disability may have
limited access to the MHR portals.
The committee recognises that the ADHA has developed strategies to
ensure certain groups of 'hard to service' individuals, such as adult prisoners
and juvenile detainees and defence personnel deployed overseas. However, the
committee is concerned by evidence that suggests some vulnerable or hard to
reach individuals may not have received timely and appropriate information and
support to enable them to exercise their rights in relation to the MHR system.
At the same time, the committee considers that the Australian Government
and the ADHA must redouble efforts to ensure that the Australian public has a
clear understanding of the benefits and risks of the MHR system and the steps
they can take to manage their privacy and security within it.
The committee recommends that the Australian Digital Health Agency identify,
engage with and provide additional support to vulnerable groups to ensure that
they have the means to decide whether to opt out, whether to adjust the access
controls within their My Health Record and how to do this.
The committee recommends that the Australian Government commit
additional funding for a broad-based education campaign regarding My Health
Record, with particular regard to communicating with vulnerable and hard to
The committee recommends that the Australian Government extend the
opt-out period for the My Health Record system for a further twelve months.
Ongoing parliamentary oversight of the MHR system
The MHR system has the potential to revolutionise the quality and
continuity of healthcare in Australia.
Any system that draws together personal health information on this scale
involves a level of risk. In assessing the measures in the system to manage
these risks, the committee has been mindful of what the MHR system seeks to
replace. Under the current system, there is a lack of interoperability and a
lack of sophistication in the transfer of medical records between practitioners
that does not meet the expectations of either healthcare recipients or medical
practitioners. For example, the committee notes that there is still a high
reliance on fax machines to transmit medical records.
The ability for multiple doctors and allied health practitioners,
treating the same patient, in different places over a period of time, to access
relevant patient clinical data at the time of treatment should result in safer,
faster and more efficient health care and better health outcomes. However, it
is important that the patient safety considerations in this equation are not
neglected in the interests of speed and efficiency, either within the system
itself, or in its implementation.
This inquiry has identified a number of key areas where the committee considers
patient security appears to have been compromised in favour of the needs of
health practitioners. It has made recommendations to address these concerns. At
the same time, it is acutely aware of the need to continue to strive for an
appropriate balance between patient privacy and security and the utility of the
system for health practitioners.
The committee considers that the importance of this task and the
significance of the privacy and security concerns identified with the
implementation and administration of the MHR to date, warrant a level of
ongoing parliamentary oversight.
The committee considers that public confidence in the integrity of the system
would be enhanced by greater transparency in its administration. This includes
greater transparency in tracking and evaluating understanding of and engagement
with the system by individuals and medical practitioners.
The committee recommends that the My Health Record system's operator, or
operators, report regularly and comprehensively to Parliament on the management
of the My Health Record system.
Senator Rachel Siewert