*UPDATE: The deadline to opt out of My Health Record is now 15 November 2018
The hottest healthcare debate in Australia right now is about something that sounds relatively innocuous. Would you like your health providers to be able to access all of your medical records online from a central database? On the surface, the recently revamped, government My Health Records system sounds like a great idea, so what’s the problem? As you delve into the debate, you’ll find a raging controversy about privacy, the ethics of an automatic opt-in system and confusion around what “opting out” really means.
The privacy debate
The original digital health record scheme was launched six years ago but if you’ve spent little or no time in public hospitals or GP clinics, you might not have noticed. This was an entirely voluntary scheme. If you didn’t actively sign up, your health records were not included in the database.
This year the Australian government launched a revamped version, My Health Record (MHR). The updated scheme now gives consumers (patients) the ability to personally control their electronically recorded health data, allowing you to delete some of the information your health providers have uploaded to your file. But it also changed participation in the digital record scheme from voluntary to mandatory, unless consumers go through the process of opting out.
This has raised major concerns around privacy and the ability of the agency to prevent sensitive personal details being misused or hacked.
It’s also been revealed that the government intends to share (or potentially sell) your health data to third parties. This “secondary use” of data may be used to for public health or research, and while not specifically permitted for commercial purposes it allows commercial organisations to request access to your data if “consistent with ‘research and public health purposes’ and is likely to generate public health benefits and/or be in the public interest.” While some information is “de-identified” for research purposes, secondary use also allows for identifiable data to be shared.
This clause has understandably raised a lot of issues. While technically consumers can restrict some third party access to their individual records, they are automatically opted into the secondary use, unless they’ve logged into their MHR and selected the appropriate option.
But currently even this process doesn’t restrict non-medical government agencies, such as the police and ASIO, from accessing your data (though due to a public outcry the mechanism of this is under review).
Third party access issues aside, skepticism regarding the agency’s ability to protect your data from privacy breeches remain, as similar digital records schemes outside Australia have so far failed to do so. In fact, buried in the lengthy My Health Records privacy statement, the agency accepts “in any online platform, including the My Health Record system, there are inherent risks when transmitting and storing personal information.”
What do doctors think of My Health Record?
Perhaps the biggest surprise is that the medical profession is among the loudest detractors of the scheme. Considering digital records are designed to make your doctor’s life easier and ultimately provide you with greater care, why are so many urging their patients to be cautious about participating in MHR?
Neela Janakiramanan, a reconstructive plastic surgeon, is one of many medicos who has voiced her opposition. She is especially concerned about the risks this digitalised record system can expose some vulnerable patients to. Specifically, she mentions the at risk and disadvantaged patients who may not have easy access to controlling their records. Also parental access to other family members’ data (what teenager wants their parents to know they’ve just had an STD check, and would knowing this make them less likely to get tested in the first place?) and partner access if women are in abusive or controlling relationships.
After following the privacy debate for many weeks, I’ve only come across one article published within the medical community that unreservedly is in favour of the scheme.
However, the glowing article published on the Medical Journal of Australia’s Doctor Portal, is written by Clinical Professor Meredith Makeham, the Chief Medical Adviser of the Australian Digital Health Agency, the organisation responsible for My Health Record.
The comments on the MJA article, largely by medical doctors, tell another story. All of the published responses to Makeham’s article have been overwhelmingly damming and raise these concerns:
- Despite Makeham’s claims that there have been no privacy breaches, there is strong evidence to the contrary.
- As patients can edit and remove some of their medical information, these resulting omissions may render the digital records inaccurate and potentially dangerous.
- The time required by doctors to keep patient records current is excessive and inadequately compensated.
- Patients mightn’t be aware that their doctor will be paid (or “bribed” as one commenter suggested) to participate in the scheme, which could make their opinion biased if a patient asks their opinion as to whether they should opt out.
Could opting out put your life in danger?
But what if you get hit by a bus and arrive at the hospital unconscious? If the emergency staff can’t access your digital health history, will this put your life at risk?
Janakiramanan dismisses this conundrum raised by the Australian Medical Association (who are basically in favour of MHR). “Patients already arrive in hospitals in a compromised state, with no documented health history. The specialist who work in Emergency settings already have many ways and means to take care of people who can’t provide a medical history, including those with allergies and concurrent health conditions. Years of training in diagnostic skill comes into play when assessing someone who is unconscious or critically unwell, and so the argument that a My Health Record is absolutely essential really undervalues the skills of our paramedics, emergency physicians, trauma surgeons and anaesthetists, who daily just keep people alive”.
You’re automatically in, if you don’t opt out
What if you’ve missed the controversy and never heard of My Health Record? Until now, registration was voluntary. You needed to sign up to allow your information to be part of the digital records system. But currently MHR is in the process of changing from “opt in”, to “opt out”, and you may only have three months to make your decision.
If, like me, you’ve spent some time hanging around hospital waiting rooms in the past six years, you might have been approached by a person with a bright smile and a clipboard. By previously declining to sign up, you might rightly believe that you’ve already chosen to not participate in sharing your health data. But all this is changing.
From now on, everyone is in the system, unless they go online and opt out (or call the relevant agency to assist them with this process). While earlier reports stated that Australians currently have three months to opt out of the scheme, recently the agency issued a statement that the three-month deadline has not yet been officially activated. Despite this, the official My Health Record website still states that you must complete the opt out process online by
15 October 15 November 2018.
Regardless of the date, one fact remains. The agency is currently capturing all digitalised health records to create your online record, and it’s up to you to remove it if you don’t wish your data to be accessed in future.
Are you ever really out?
Having voluntarily opted in four years ago, after receiving cancer treatment in Melbourne prior to moving interstate, I was interested to see what data was on my file. During these years I’ve had regular outpatients’ appointments in public hospitals, prescriptions on the PBS, referrals for x-rays and scans, blood tests, and other services.
When I finally navigated access to MHR, there was disappointingly little on file. The only health provider who had added any information was the hospital outpatient’s clinic that uploaded a copry of their standard letter to my Melbourne team and referring GP. There were no additional pathology or radiology records, PBS data, referral letters nor a single GP update.
I wondered, as there is so little data, why bother opting out? But the paltry information that currently exists on my file (including date of birth, full name and address) is more than sufficient to provide a hacker with enough personal data for identity theft. Concern over “secondary use” of my information, also remains.
However, the problem is that once the data exists on file, even after you opt out it will remain there. Your record is not wiped and ongoing health data will continue to be added. Only the access to viewing the information on file is suspended.
According to the Agency, once you’ve opted out:
- your My Health Record may still be accessed by us (the Agency) for the purposes of maintenance, audit and other purposes required or authorised by law
- all other documents that are held by registered repository operators will be subject to local state or territory retention requirements.
Ultimately, the decision to remain in the scheme or opting out is a personal one. Your health record may facilitate better health care in the future but it might also compromise your privacy.
The Conversation’s My Health Record article archive includes extensive research on the subject, including the cases for and against staying in the system.
Issues around third party access.
Disclaimer: The author asserts no opinion as to how clients should manage their health data.