Michelle Grattan, University of Canberra

More than $500 million of a $1.2 billion digital economy strategy in Tuesday’s budget will be spent on overhauling the federal government’s myGov and My Health Record sites.
The initiatives, to be announced by Scott Morrison on Thursday, include $200.1 million for myGov, which is the main portal for people to access government services online.
Changes will make it easier for people to find services, from childcare providers to disaster support, as well as to manage payments and claims.
The government says the time saved by the enhancements will generate benefits across the economy worth an estimated $3.6 billion over a decade.
The package will put $301.8 million into what the government describes as the “next wave” of My Health Record, expanding the system, which has 23 million registered users. My Health Record contains summaries of people’s health information. It is managed by the Australian Digital Health Agency.
Some of this spending will assist the vaccination rollout, such as giving people alerts when vaccinations are due. There will be funds to help the move of aged care into a digital system that can link in with My Health Record to make safer and more efficient transitions between aged care and hospitals and other health facilities.
In other initiatives, $124.1 million will be provided to build Australia’s capability in Artificial Intelligence. This will include a National Artificial Intelligence Centre, to promote the adoption by business of AI technologies, supported by a network of AI and digital capability centres.
More than $100 million will go to boosting digital skills including a pilot program for work-based digital cadetships.
Business will benefit from investment incentives. There will be a digital games tax offset of 30% to help Australia obtain more of the $250 billion annual global video game development market.
The Interactive Games and Entertainment Association says Australia could generate a $1 billion games industry within a decade. In 2018-19, the Australian games sector earned $144 million.
Changes to the way businesses can claim depreciation on intangible assets such as intellectual property and in-house software, and help for small businesses to build digital capacity are also in the measures.
The government will invest $111.3 million to support the Consumer Data Right (CDR) rollout. The CDR helps consumers to compare and switch between products and services. This sharpens price and service competition between providers.
The $1.2 billion in spending on the digital strategy package is over six years.
Morrison said: “We need to keep our foot on the digital accelerator to secure our economic recovery from COVID-19”.
Treasurer Josh Frydenberg said: “Greater digital adoption will improve our competitiveness and lift our productivity – driving job creation and higher wages”.
In a pre-budget speech on Thursday opposition leader Anthony Albanese will distance himself from the big spending Labor proposed at the last election.
He will say money was tight when he was growing up and his mother taught him “the value of a dollar”.
“That’s why, when it comes to thinking about government spending, I am cautious”.
In response to the public outcry against the potential for My Health Record data to be shared with police and other government agencies, Health Minister Greg Hunt recently announced moves to change the legislation.
The laws underpinning the My Health Record as well as records kept by GPs and private hospitals currently allow those records to be shared with the police, Centrelink, the Tax Office and other government departments if it’s “reasonably necessary” for a criminal investigation or to protect tax revenue.
If passed, the policy of the Digital Health Agency (which runs the My Health Record) not to release information without a court order will become law. This would mean the My Health Record has greater privacy protections in this respect than other medical records, which doesn’t make much sense.
Under the proposed new bill, state and federal government departments and agencies would have to apply for a court order to obtain information stored in the My Health Record.
The court would need to be satisfied that sharing the information is “reasonably necessary”, and that there is no other effective way for the person requesting it to access the information. The court would also need to weigh up whether the disclosure would “unreasonably interfere” with the person’s privacy.
If granted, a court order to release the information would require the Digital Health Agency to provide information from a person’s My Health Record without the person’s consent, and even if they objected.
If a warrant is issued for a person’s health records, the police can sift through them as they look for relevant information. They could uncover personally sensitive material that is not relevant to the current proceedings. Since the My Health Record allows the collection of information across health providers, there could be an increased risk of non-relevant information being disclosed.
Although we share all sorts of personal information online, we like to think of our medical records as sacrosanct. But the law underpinning My Health Record came from the wording of the Commonwealth Privacy Act 1988, which applies to all medical records held by GPs, specialists and private hospitals.
Under the Act, doctors don’t need to see a warrant before they’re allowed to share health information with enforcement agencies. The Privacy Act principles mean doctors only need a “reasonable belief” that sharing the information is “reasonably necessary” for the enforcement activity.
Although public hospital records do not fall under the Privacy Act, they are covered by state laws that have similar provisions. In Victoria, for instance, the Health Records Act 2001 permits disclosure if the record holder “reasonably believes” that the disclosure is “reasonably necessary” for a law enforcement function and it would not be a breach of confidence.
In practice, health care providers are trained on the utmost importance of protecting the patient’s privacy. Their systems of registration and accreditation mean they must follow a professional code of ethical conduct that includes observing confidentiality and privacy.
Although the law doesn’t require it, it is considered good practice for health professionals to insist on seeing a warrant before disclosing a patient’s health records.
In a 2014 case, the federal court considered whether a psychiatrist had breached the privacy of his patient. The psychiatrist had given some of his patient’s records to Queensland police in response to a warrant. The court said the existence of a warrant was evidence the doctor had acted appropriately.
In a 2015 case, it was decided a doctor had interfered with a patient’s privacy when disclosing the patient’s health information to police. In this case, there was no warrant and no formal criminal investigation.
Unfortunately, there are recent examples of medical records being shared with government departments in worrying ways. In Australia, it has been alleged the immigration department tried, for political reasons, to obtain access to the medical records of people held in immigration detention.
We can’t change the fact different laws at state and federal level apply to our paper and electronic medical records stored in different locations. But we can try to change these laws to be consistent in protecting our privacy.
If it’s so important to change the My Health Records Act to ensure our records can only be “unlocked” by a court order, the same should apply to the Privacy Act as well as state-based laws. Doing so might help to address public concerns about privacy and the My Health Record, and further inform decisions about opting out or staying in the system.
Since the period for opting out of My Health Record began on July 16, experts in health, privacy and IT have raised concerns about the security and privacy protections of the system, and the legislation governing its operation.
Now federal health minister Greg Hunt has announced two key changes to the system.
First, the legislation will be amended to explicitly require a court order for any documents to be released to a law enforcement agency. Second, the system will be modified to allow the permanent deletion of records:
In addition, the Government will also amend Labor’s 2012 legislation to ensure if someone wishes to cancel their record they will be able to do so permanently, with their record deleted from the system.
But while this sounds like a simple change, permanently and completely deleting information from IT systems is anything but straightforward.
The My Health Record database is designed for the long-term retention of important information. Most IT systems designed for this purpose are underpinned by the assumption that the risk of losing information – through a hardware fault, programming mistake, or operator error – should be extremely low.
The exact details of how My Health Record data is protected from data loss are not public. But there are several common measures that systems like it incorporate to greatly reduce the risks.
At a most basic level, “deletion” of a record stored in a database is often implemented simply by marking a record as deleted. That’s akin to deleting something on paper by drawing a thin line through it.
The software can be programmed to ignore any such deleted records, but the underlying record is still present in the database – and can be retrieved by an administrator with unfettered permissions to access the database directly.
This approach means that if an operator error or software bug results in an incorrect deletion, repairing the damage is straightforward.
Furthermore, even if data is actually deleted from the active database, it can still be present in backup “snapshots” that contain the complete database contents at some particular moment in time.
Some of these backups will be retained – untouched and unaltered – for extended periods, and will only be accessible to a small group of IT administrators.
Permanent and absolute deletion of a record in such a system will therefore be a challenge.
If a user requests deletion, removing their record from the active database will be relatively straightforward (although even this has some complications), but removing them from the backups is not.
If the backups are left unaltered, we might wonder in what circumstances the information in those backups would be made accessible.
If, by contrast, the archival backups are actively and irrevocably modified to permit deletion, those archival backups are at high risk of other modifications that remove or modify wanted data. This would defeat the purpose of having trusted archival backups.
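The mechanics described above, as an added example that is not code from the article or from My Health Record itself (whose internals, as the author notes, are not public): a toy record store with a tombstone flag for soft deletion, a direct-access path that ignores the flag, and archival snapshots protected by a digest. The final step shows the trade-off in the last paragraph: rewriting an archive to purge one record also invalidates the proof that the archive is untouched. RecordStore and its methods are hypothetical names, and the sample records are constructed.

```python
"""Toy model of 'deletion' in a record store built for long retention.

Added example, not code from the article or from My Health Record itself,
whose internals are not public. RecordStore and its methods are hypothetical
names chosen for illustration.
"""
import hashlib
import json
from dataclasses import dataclass, field


@dataclass
class Record:
    record_id: str
    summary: str
    deleted: bool = False  # tombstone flag: the "thin line through it"


@dataclass
class RecordStore:
    active: dict = field(default_factory=dict)   # live database
    backups: list = field(default_factory=list)  # archival snapshots: (bytes, sha256)

    def add(self, record_id, summary):
        self.active[record_id] = Record(record_id, summary)

    def lookup(self, record_id):
        """What the application layer returns: tombstoned rows are ignored."""
        rec = self.active.get(record_id)
        return None if rec is None or rec.deleted else rec.summary

    def raw(self, record_id):
        """What an administrator querying the database directly sees."""
        rec = self.active.get(record_id)
        return None if rec is None else rec.summary

    def soft_delete(self, record_id):
        self.active[record_id].deleted = True

    def undelete(self, record_id):
        # Reversing a mistaken soft delete is a one-flag change
        self.active[record_id].deleted = False

    def hard_delete(self, record_id):
        del self.active[record_id]

    def snapshot(self):
        """Serialise the whole live database and store a digest so that any
        later change to the archive can be detected."""
        blob = json.dumps({k: vars(v) for k, v in self.active.items()},
                          sort_keys=True).encode()
        self.backups.append((blob, hashlib.sha256(blob).hexdigest()))

    def snapshot_contains(self, index, record_id):
        blob, _ = self.backups[index]
        return record_id in json.loads(blob)

    def verify_snapshot(self, index):
        blob, digest = self.backups[index]
        return hashlib.sha256(blob).hexdigest() == digest

    def scrub_snapshot(self, index, record_id):
        """Rewrite an archival snapshot to drop one record. The stored digest
        no longer matches, so the archive can no longer prove it is untouched."""
        blob, digest = self.backups[index]
        data = json.loads(blob)
        data.pop(record_id, None)
        self.backups[index] = (json.dumps(data, sort_keys=True).encode(), digest)


def walkthrough():
    """Run the scenario the article describes and report what each party sees."""
    store = RecordStore()
    store.add("r1", "constructed: penicillin allergy")   # constructed sample data
    store.add("r2", "constructed: tetanus booster 2017")
    store.snapshot()                                       # nightly backup, pre-deletion
    seen = {}
    store.soft_delete("r1")
    seen["app_after_soft_delete"] = store.lookup("r1")     # hidden from the app
    seen["admin_after_soft_delete"] = store.raw("r1")      # still in the database
    store.undelete("r1")
    seen["after_undelete"] = store.lookup("r1")            # mistake repaired
    store.hard_delete("r1")
    seen["admin_after_hard_delete"] = store.raw("r1")      # gone from the live DB
    seen["in_backup"] = store.snapshot_contains(0, "r1")   # but present in the archive
    seen["backup_intact"] = store.verify_snapshot(0)
    store.scrub_snapshot(0, "r1")
    seen["in_backup_after_scrub"] = store.snapshot_contains(0, "r1")
    seen["backup_intact_after_scrub"] = store.verify_snapshot(0)  # trust lost
    return seen


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

Running it shows the soft-deleted record invisible to the application but visible to direct database access, the hard-deleted record still present in the pre-deletion snapshot, and the snapshot's digest failing verification once it is edited to remove the record.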
Backups and the GDPR’s ‘right to be forgotten’
The problem of deleting personal information and archival backups has been raised in the context of the European Union’s General Data Protection Regulation (GDPR). This new EU-wide law greatly strengthens privacy protections surrounding use of personal information in member states.
The “right to erasure” or “right to be forgotten” – Article 17 of the GDPR – states that organisations storing the personal information of EU citizens “shall have the obligation to erase personal data without undue delay” in certain circumstances.
How this obligation will be met in the context of standard data backup practices is an interesting question, to say the least. While the legal aspects of this question are beyond my expertise, from a technical perspective, there is no easy general-purpose solution for the prompt deletion of individual records from archived data.
In an essay posted to their corporate website, data backup company Acronis proposes that companies should be transparent about what will happen to the backups of customers who request that records be deleted:
[while] primary instances of their data in production systems will be erased with all due speed … their personal data may reside in backup archives that must be retained for a longer period of time – either because it is impractical to isolate individual personal data within the archive, or because the controller is required to retain data longer for contractual, legal or compliance reasons.
Who might access those backups?
Data stored on archival backups, competently administered, will not be available to health professionals. Nor will they be available to run-of-the-mill hackers who might steal a practitioner’s credentials to gain illicit access to My Health Record.
But it’s not at all clear whether law enforcement bodies, or anyone else, could potentially access a deleted record if they are granted access to archival backups by the system operator.
Under amended legislation, such access would undoubtedly require a court order. Nevertheless, were it to be permitted, access to a deleted record under these circumstances would be contrary to the general expectation that when a record is deleted, it is promptly, completely and irrevocably deleted, with no prospect of retrieval.
In my view, more information on the deletion process, and any legislative provisions surrounding deleted records, needs to be made public. This will allow individuals to make an informed choice on whether they are comfortable with the amended security and privacy provisions.
Getting this right will take time and extensive expert and public consultation. It is very difficult to imagine how this could take place within the opt-out period, even taking into account the one-month extension just announced by the minister.
Given that, it would be prudent to pause the roll-out of My Health Record for a considerably longer period. This would permit the government to properly address the issues of record deletion, as well as the numerous other privacy and security concerns raised about the system.
Last week marked the start of a three-month period in which Australians can opt out of the My Health Record scheme before having an automatically generated electronic health record.
Some Australians have already opted out of the program, including Liberal MP Tim Wilson and former Queensland LNP premier Campbell Newman, who argue it should be an opt-in scheme.
But much of the concern about My Health Records centres around privacy. So what is driving these concerns, and what might a My Health Records data breach look like?
Data breaches exposing individuals’ private information are becoming increasingly common and can include demographic details (name, address, birthdate), financial information (credit card details, PIN numbers) and other details such as email addresses, usernames and passwords.
Health information is also an attractive target for offenders. They can use this to perpetrate a wide variety of offences, including identity fraud, identity theft, blackmail and extortion.
It’s important to note that not all data breaches are perpetrated from the outside or are malicious in nature. Human error and negligence also pose a threat to personal information.
The federal Department of Health, for instance, published a supposedly “de-identified” data set relating to details from the Medicare Benefits Scheme and the Pharmaceutical Benefits Scheme of 2.5 million Australians. This was done for research purposes.
But researchers were able to re-identify the details of individuals using publicly available information. In a resulting investigation, the Privacy Commissioner concluded that the Privacy Act had been breached three times.
The latest data breach investigation from US telecommunications company Verizon notes that health care is the only sector where the threat from inside is greater than from the outside. Human error contributes largely to this.
There are promises of strong security surrounding My Health Records but, in reality, it’s a matter of when, not if, a data breach of some sort occurs.
My Health Record allows users to set the level of access they’re comfortable with across their record. This can target specific health-care providers or relate to specific documents.
But the onus of this rests heavily on the individual. This requires a high level of computer and health literacy that many Australians don’t have. The privacy control process is therefore likely to be overwhelming and ineffective for many people.
With the default option set to “general access”, any organisation involved in the person’s care can access the information.
Regardless of privacy controls, other agencies can also access information. Section 70 of the My Health Records Act 2012 states that details can be disclosed to law enforcement for a variety of reasons including:
(a) the prevention, detection, investigation, prosecution or punishment of criminal offences.
While no applications have been received to date, it is reasonable to expect this may occur in the future.
There are also concerns about sharing data with health insurance agencies and other third parties. While not currently authorised, there is intense interest from companies that can see the value in this health data.
Further, My Health Record data can be used for research, policy and planning. Individuals must opt out of this separately, through the privacy settings, if they don’t want their data to be part of this.
What should you do?
Health data is some of the most personal and sensitive information we have and includes details about illnesses, medications, tests, procedures and diagnoses. It may contain information about our HIV status, mental health profile, sexual activity and drug use.
These areas can attract a lot of stigma so keeping this information private is paramount. Disclosure may not just impact the person’s health and well-being, it may also affect their relationships, their employment and other facets of their life.
Importantly, these details can’t be reset or reissued. Unlike passwords and credit card details, they are static. Once exposed, it’s impossible to “unsee” or “unknow” what has been compromised.
Everyone should make their own informed decision about whether to stay in My Health Record or opt out. Ultimately, it’s up to individuals to decide what level of risk they’re comfortable with, and the value of their own health information, and proceed on that basis.
Australians have just under three months to decide whether they want a My Health Record, which would allow the various health professionals who look after them to access and share their health information. From October 15, those who haven’t opted in or out will have a record automatically generated.
In emergency situations, access to information from My Health Records about allergies, medicines and health conditions can save lives. Day-to-day, it will provide benefits such as reminding us when we last had a tetanus shot, or allowing a back-up GP to access the results of a recent blood test so we don’t need another.
Efficiencies generated by My Health Records, including reduced duplication of tests, are projected to save more than A$300 million over three years.
Most arguments for opting out revolve around the security of health data in centralised record systems. But if you’re opting out of My Health Records, you’re opting in to “business as usual”. So it’s important to know what the current system looks like.
As you read this, reams of medical data are being sent between health professionals in the mail, through conversations (on the phone or in person), and in small pockets of secure messaging. This includes emails, text messages and faxes.
In 2016, the Royal Australian College of General Practitioners recommended ceasing the use of fax machines within three years, noting that slow communication between health providers could result in significant medical errors.
Tragically, ten months earlier, Victorian man Mettaloka Halwala died after his cancer test results showing signs of potentially fatal lung toxicity were faxed to the wrong number.
Health services and systems have long known the limitations of paper records – which is why you already have several electronic medical records.
When you visit your GP, your consultation data will typically be stored electronically in a GP computer practice system such as Medical Director.
Any prescriptions will be stored on another computer system at your local pharmacy. Data on all dispensing transactions is also sent to higher-level government repositories.
If you are unwell enough to need a visit to hospital, more of your health data will be stored in another separate hospital system. This system may be mainly paper, fully electronic, or somewhere in the middle, which is the situation for most hospitals across most of Australia. Only three Australian hospitals have highly automated medical records.
In hybrid paper-electronic systems, paper documents may be scanned into your electronic record – creating two copies of the same information and thus doubling the opportunity for data breaches.
Many people would assume that these software systems are in some way compatible. They’re not. There isn’t even one software platform for each of these parts of the health-care system; there are multiple platforms available to GPs, pathology labs, hospitals and other practices.
Your My Health Record will contain summaries and subsets of all these types of data that are critical to your health care – if you maintain the general setting – as well as more detailed sources of the electronic data that already exists today in multiple locations.
Australians are understandably concerned about hackers breaching the government’s aggregated data system. But there is comparatively little concern about their local GP clinic, pharmacy, imaging centre or hospital being hacked. Yet these systems have far less financial investment, no overarching governance authority and, at times, limited IT support.
True, each of these systems contains only a piece of your medical history. This means that if any one of them were to be hacked, you wouldn’t have all of your medical information accessed. But any argument about vulnerabilities in My Health Record data security can be more convincingly made for the present system.
It’s important to have all the facts about the status quo of health records, and what might be lost or gained through My Health Record, before deciding whether to opt in or out. If the considerable investment in My Health Record comes to nothing, the opportunity to address the limitations of the current system will have been lost.
The My Health Record (MHR) opt-out period begins today and you have until October 15 to decide whether or not to be part of the scheme. You can read the case for opting in to My Health Record here.
Unless you take action to remove yourself from the My Health Record (MHR) system, the federal government will make a digital copy of your medical record, store it centrally, and, as the default, provide numerous people with access to it.
If you don’t opt out during this period and later choose to cancel your record, you will no longer be able to access that record but the government will continue to store it until 30 years after your death. You will need to trust that it will not be breached.
There are three main problems with the MHR scheme.
Contrary to what many Australians may believe, MHR is not a clinically-reliable medical record, and was not designed to be. It is not up-to-date and comprehensive. As the Office of the Australian Information Commissioner (OAIC) points out:
The My Health Record system contains an online summary of a patient’s key health information; not a complete record of their clinical history.
If, for example, a doctor were treating a child in an emergency, the doctor could not rely on an MHR to know what medications the child has been prescribed up to that date. In an emergency, an unreliable record is a distraction, not a help.
Many doctors have in fact objected to the incompleteness and lack of utility of the MHR. A recent poll on the AMA’s doctors portal suggests 76% of respondents think the MHR will not improve patient outcomes while 12% think it will.
Notwithstanding this fundamental deficiency, the government is pushing ahead with an inherently risky scheme.
2. It creates a security risk
Health data is prized by hackers
We have witnessed a stream of health data breaches in Australia and overseas, and the incentives for these breaches are only increasing.
Storing records digitally with online access greatly increases their accessibility for criminals, hackers and snoopers. Health records are valuable as a means of identity theft due to the wealth of personal information they contain. They are a huge prize for hackers, fetching a high price on the Dark Web.
It won’t just be your doctor who has access to this centralised digital record of your personal health information. The default position is that numerous people will have access – doctors, pharmacists, physiotherapists, nurses, and unidentified staff of various organisations.
MHR’s access-logging system does not track which individuals are accessing records, only institutions, which means you won’t be able to tell who has seen it. Even without a technical hack, that will make it almost impossible to keep your information secure in this system.
De-identification is risky
The government is also planning to allow access to your health information for research purposes by “de-identifying” your information. That means the data should not be able to be linked to a particular individual.
But the national government has a bad record for successfully de-identifying health information.
In 2016, the government released a data set that included information on a large number of patients spanning 30 years. It was meant to be de-identified.
IT researchers at Melbourne University quickly demonstrated it could be re-identified and linked to the individuals concerned. Such re-identification risk will only grow, as data sets proliferate and tools get smarter.
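As an added example that is not from the article and uses constructed rows rather than any real data release, the check below measures what the paragraph above describes: how a table with names removed can still single people out through a few remaining attributes, and how much coarsening those attributes reduces the risk. It uses k-anonymity (the size of the smallest group of rows sharing the same quasi-identifier values), a standard measure that goes beyond the specific case in the text; the column names are assumptions.

```python
"""Added example, not from the article: measuring how well a table is
de-identified. Rows are constructed; column names are assumptions, not the
fields of any real data release.
"""
from collections import Counter

# Constructed person-level rows with names already stripped. Year of birth,
# postcode and sex remain: each harmless alone, identifying in combination.
SAMPLE_ROWS = [
    {"yob": 1978, "postcode": "2600", "sex": "F", "condition": "asthma"},
    {"yob": 1978, "postcode": "2600", "sex": "F", "condition": "migraine"},
    {"yob": 1978, "postcode": "2600", "sex": "M", "condition": "diabetes"},
    {"yob": 1991, "postcode": "4000", "sex": "M", "condition": "eczema"},
    {"yob": 1991, "postcode": "4000", "sex": "M", "condition": "asthma"},
    {"yob": 1955, "postcode": "3000", "sex": "F", "condition": "hepatitis C"},
    {"yob": 1952, "postcode": "3121", "sex": "M", "condition": "depression"},
]

QUASI_IDS = ("yob", "postcode", "sex")
GENERAL_QUASI_IDS = ("yob", "postcode")   # after generalisation drops sex


def equivalence_classes(rows, quasi_ids):
    """Count rows sharing the same quasi-identifier combination."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in rows)


def k_anonymity(rows, quasi_ids):
    """Size of the smallest class. k == 1 means at least one row is unique on
    the quasi-identifiers: anyone who knows those facts about a person can
    pick out their row and read the sensitive column."""
    return min(equivalence_classes(rows, quasi_ids).values())


def singletons(rows, quasi_ids):
    """Quasi-identifier combinations that match exactly one row."""
    return sorted(k for k, n in equivalence_classes(rows, quasi_ids).items() if n == 1)


def generalise(rows, yob_bucket=10, postcode_digits=1):
    """Coarsen quasi-identifiers: decade of birth, leading postcode digit(s),
    sex dropped. The sensitive column is left untouched."""
    out = []
    for r in rows:
        g = dict(r)
        g["yob"] = (r["yob"] // yob_bucket) * yob_bucket
        g["postcode"] = r["postcode"][:postcode_digits]
        del g["sex"]
        out.append(g)
    return out


def report(rows=SAMPLE_ROWS):
    """Re-identification risk before and after generalisation."""
    coarse = generalise(rows)
    return {
        "k_raw": k_anonymity(rows, QUASI_IDS),
        "unique_raw": singletons(rows, QUASI_IDS),
        "k_generalised": k_anonymity(coarse, GENERAL_QUASI_IDS),
        "unique_generalised": singletons(coarse, GENERAL_QUASI_IDS),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

On the constructed rows, three of seven people are unique on year of birth, postcode and sex before generalisation (k = 1); bucketing to decade and leading postcode digit and dropping sex raises k to 2 with no singletons. The price is analytic detail, which is why releases that keep fine-grained attributes for research value are the ones most exposed to linkage with public information.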
Third-party access jeopardises security
MHR also permits external health apps to access your records. According to the legislation, this should only be done with your consent.
Unfortunately, and predictably, health apps are already securing “consent” through obscure, standard form contracts so you might not be aware the app owner could sell your sensitive medical information to others.
Last month, the ABC revealed one such health app (HealthEngine) was selling patient information to law firms, so patients with serious conditions and injuries were contacted repeatedly by strangers pushing them to pursue legal claims. Many didn’t know how their sensitive medical information was revealed.
The ADHA’s website has published a report on the woefully inadequate privacy policies of mental health apps, and yet these apps might be authorised to access your MHR data with your supposed consent.
Critically, the opt-out consent mechanism for MHR flies in the face of global best practice for informed consent – and our own federal privacy regulator’s guidelines on the sort of consent necessary for use of health information.
Consent for use of personal information should be express, fully informed, easy to understand, and should require action on the part of the individual.
MHR disregards all of those principles.
MHR does not seek your express consent. Instead, if you do not take the necessary steps before 15 October, your health records will automatically be copied, stored and shared.
You will also not be fully informed. There will be no national television, radio or print media campaign to advertise the MHR scheme, which many Australians have misunderstood in the past. The government will not even send you a letter to tell you about this scheme, let alone its very serious risks.
By contrast, the OAIC says organisations seeking individual consent to use personal information should generally:
… ensure that an individual is properly and clearly informed about how their personal information will be handled, so they can decide whether to give consent.
… seek express consent from an individual before handling the individual’s sensitive information, given the greater privacy impact this could have.
Even if implied consent were acceptable (and it is not), the OAIC states further that an organisation:
… should not assume that an individual has consented to a collection, use or disclosure that appears to be advantageous to that person. Nor can an entity establish implied consent by asserting that if the individual knew about the benefits of the collection, use or disclosure, they would probably consent to it.
MHR is likely to create very limited benefits for many, if not most, Australians. It creates unacceptable security risks for our most sensitive personal information. And the government’s method of obtaining “consent” goes against international best practice.
If the MHR scheme were properly advertised, fully explained and Australians given a choice whether to opt-in, Australians could make an informed choice about whether the limited benefits justify the substantial risks to their sensitive information.
Those concerned about the security of their health information will need to take steps now to remove themselves from the MHR system.
This article has been updated to reflect that the ADHA report on the privacy policies of health apps focused on mental health apps.
Katharine Kemp, Lecturer, Faculty of Law, UNSW, and Co-Leader, ‘Data as a Source of Market Power’ Research Stream of The Allens Hub for Technology, Law and Innovation, UNSW; Bruce Baer Arnold, Assistant Professor, School of Law, University of Canberra, and David Vaile, Teacher of cyberspace law, and leader of the Data Protection and Surveillance stream of the Allens Hub for Technology Law and Innovation, UNSW Faculty of Law, UNSW
The My Health Record opt-out period begins today, and you have until October 15 to decide whether or not to be part of the scheme. You can read the case for opting out of My Health Record here.
The My Health Record (MHR) system promises to make Australia a leader in providing citizens with access to their own health records.
The scheme gives health care professionals access to information on your medications and allergies, immunisation records, summaries of hospital and GP care, investigation reports, and advance care plans.
This information could save lives in emergencies by providing health workers with information about drug allergies, medications, and medical history. Better continuity in the management of this information would help reduce the 27% of clinical incidents in Australian hospitals currently caused by medication (mis)management.
This mirrored international experience. Many countries suffered expensive disasters in building e-health systems from the top down. E-health appeared to serve the interests of administrators, not clinicians and patients.
Not surprisingly, patients showed little interest. British critics of a similar expensive failure warned:
We need fewer grand plans and more learning communities.
The Australian experience has run the full gamut from failed top-down “grand plan” to a version that is more responsive to consumers and health professionals.
Linking up the fragmented health system
Large trials in the Nepean-Blue Mountains and North Queensland Primary Health Networks tested a more user-friendly system. In both trials, the opt-out rate was low: less than 2%. The engagement of clinicians also increased.
In the Blue Mountains fewer than 15% of GPs had registered with the PCEHR. By the end of the trial, with extensive education and training, this figure had risen to 70%.
MHR offers new possibilities for linking up the fragmented health system, making it easier to navigate. Just as importantly, it can help you to become more informed and engaged with your own health care. And better health literacy is a necessary step in shifting the balance of the system towards patients.
The Consumers’ Health Forum – a supporter of MHR – has stated that patients are:
…more likely to give permission to share their data if they understand how their data will be used and any benefits that will come from its use.
However, active participation in MHR will remain a challenge for many people, especially those who struggle with digital literacy.
Addressing security concerns
Any system that contains health information must be built on trust. Most of the criticisms of MHR rest on fears of inappropriate use or hacking of data.
However, critics have not pointed to any breach of the PCEHR in its five years of operation. Rather, examples are often drawn from commercial operations which have succumbed to the temptation to commercialise data – an offence that could lead to prison under MHR.
Uncertainty is inherent in many facets of modern life, such as the use of credit card information for online purchases. Most surveys of popular attitudes towards the use of digital health information have shown a consistent, but nuanced, concern.
Concerns identified in the two major trials were mainly focused on individuals’ lack of computer skills. But almost all consumers thought the benefits greatly outweighed any potential privacy risks.
The system will only succeed if concerns about protection of confidentiality are respected. A weak link is the digital skills and awareness of health practitioners, particularly GPs.
A large amount of health data is already out there in Medicare Benefits Schedule (MBS) and Pharmaceutical Benefits Scheme (PBS) data, the Australian Immunisation Register, and the Australian Organ Donor Register. These data are increasingly linked together, with great potential benefits. Data from Medicare, hospital records and other sources can be linked to improve our knowledge of causes of diseases and risk factors, and the best forms of intervention.
Rather than protesting about a horse that has long since bolted, we need more scrutiny and improvement of current systems.
MHR is a small step towards empowering patients with greater knowledge about their health. Pressures to present records in terms that are comprehensible to consumers may even take us towards interactive “learning communities” – the basis of a more people-centred health system. Better-informed patients can enable more effective communication and mutual learning from health professionals.
If you choose not to opt out of MHR, a record will be created for you automatically. You can log into the system here to set controls on who has access to your data and set restrictions on the types of data that will be included. You can change your mind at any time and close access to your data.