PS I changed the title (last updated 15/8/18)
In case you haven’t heard, you will have to decide whether you want to opt-out of the Government My Health Record (MyHR) before the 15 October 2018 or you will be have one created for you.
MyHR is a great idea.
MyHR allows your GP to write a shared health summary and collates data from a disparate number of sources. These will eventually include blood tests, radiology reports, medication and allergy lists and discharge summaries. It is also a spot where track immunisations and keep your achievement diary!
I have one. For those living in North Queensland and the Blue Mountains you probably already have one too. Didn’t you recall getting a note from the Government that you could opt out about 2 years ago. Don’t worry a lot of people didn’t hear you had to either. I use MyHR for my patients several times a week. “I take those little blue tablets, doc”
There are however some issues with MyHR. A lot of my colleagues have decided to opt-out because of privacy and security concerns. There is a lot of media reports pushing the the opt-out option for example this article in Sydney Morning Herald by Ben Grubb. Ben was interviewed by Marc Fennel on Download This Show
There are legitimate questions about how secure the data will be, who will be able to access, will it be sold on for commercial use. Will insurance companies be able to access the data? Third party use of data is obviously controversial as discussed in this post.
For a run down of the negatives, the Australian Privacy Foundation may be a good site to have a look, although I suspect they have a bias.
ABC has a series of articles worth reading before you decide.
My Health Record: Your questions answered on cybersecurity, police and privacy
Here is a sensible discussion from ABC radio about its utility.
The Conversation has run an opt in and opt out article.
The Guardian has run a couple of articles, mostly pushing the opt-out line. The What is My Health Record is worth watching. A link to their commentary is below.
There is no social licence for My Health Record. Australians should reject it
My Health Record: privacy, cybersecurity and the hacking risk
There are obvious real concerns about any information stored on the internet. recently Singapore Health was the victim of sophisticated hacking. Just to not reassure you Wikipedia has a list of known data access breaches!
You will find other useful information about MyHR at the website of the Australian Digital Health Agency.
So, if you feel you are now better informed, go and either opt out of MyHR or opt-in and explore what is there and please don’t forget the privacy settings.
I’ll try to keep a list of opinions as they spring forth from various sources.
Staying in or opting out: My Health Record goes viral for all the wrong reasons by Dr Ruth Armstrong and Dr Trent Yarwood from Croaky
This is an opinion blog from Dr Trent Yarwood myHR Secondary Use Framework
Why I am opting out of MyHealthRecord – for now by Dr Tim Leeuwenburg of Kangaroo Island
Top 10 most awkward questions about the MHR from Jeremy Knibbs at the Medical Republic.
My Health Record ‘identical’ to failed UK scheme, privacy expert says, a Guardian report which suspects MyHR and the failed UK care.data may be evil twins? Tim Kelsey who has been involved in both projects suggests otherwise. Here is his address to the National Press Club in May 2018.
Australian Health Information Technology is also a useful site to peruse. According to its author, it intends to inform readers of news and happenings in the e-Health domain, both here in Australia and world-wide. To provide commentary on e-Health in Australia and to foster improvement where he can. And, thirdly to encourage discussion of the matters raised in the blog so hopefully readers can get a balanced view of what is really happening and what successes are being achieved.
If you want to read the report on the Opt-out North Queensland/Blue Mountains trial have a look here.
The key outcome measures for this trial were;
- increased awareness and understanding of the My Health Record system
- increased confidence to use the My Health Record system
- increased participation in, and use of, the My Health Record system
- increased understanding of the effectiveness of different approaches for driving participation and use of the My Health Record system.
The outcomes were
- the opt-out approach to increase both individual and healthcare provider participation and use is the preferred option (which is what have now)
- continuation of current or accelerated opt-in approaches is considered to be unsustainable
- the opt-out trial sites achieved better outcomes, in terms of participation, understanding and some aspects of use of the My Health Record system
- key lessons were learned to inform Government’s understanding of the effectiveness of different approaches for driving participation and use of the My Health Record system
As a doctor, here’s why My Health Record worries me by former AMA President, Kerryn Phelps.
If you want to read the My Health Record Act 2012 you can find it here.
Section 70 is a controversial part which permits access to your record without the need for a court warrant. I have copied the section below. Many believe that this part needs to be changed to require a court warrant prior to anyone aside from you and your doctor accessing the MyHR.
Disclosure for law enforcement purposes, etc.
(1) The System Operator is authorised to use or disclose health information included in a healthcare recipient’s My Health Record if the System Operator reasonably believes that the use or disclosure is reasonably necessary for one or more of the following things done by, or on behalf of, an enforcement body:
(a) the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law;
(b) the enforcement of laws relating to the confiscation of the proceeds of crime;
(c) the protection of the public revenue;
(d) the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct;
(e) the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal.
(2) So far as subsection (1) relates to paragraph (1)(e), it is subject to section 69.
(3) The System Operator is authorised to use or disclose health information included in a healthcare recipient’s My Health Record if the System Operator:
(a) has reason to suspect that unlawful activity that relates to the System Operator’s functions has been, is being or may be engaged in; and
(b) reasonably believes that use or disclosure of the information is necessary for the purposes of an investigation of the matter or in reporting concerns to relevant persons or authorities.
(4) If the System Operator uses or discloses personal information under this section, it must make a written note of the use or disclosure.
(5) This section does not authorise the System Operator to use or disclose healthcare recipient-only notes.
For reference the system operator is defined as the Secretary of the Department; or if a body established by a law of the Commonwealth is prescribed by the regulations to be the System Operator–that body.
From ZDNet, The My Health Record story no politician should miss written by Stilgherrian a freelance journalist. ZDNet is a tech website, not health. Another of his opinion pieces is entitled My Health Record opt-out debate is getting silly but government is at fault.
The list of politicians opting out seems to be growing Liberal MP Tim Wilson opts out of e-health record. (worth also looking through the comments for this article. I do hear that Malcolm Turnbull has opted in and favours access by insurance companies!
Why My Health Record can’t have ‘military-grade’ security, an opinion pieces by Peter Moon, technology lawyer calls out Minister Greg Hunt on discussion about MyHR security and the difference between no breaches versus no known breaches.
Crikey adds Peak GP body’s alleged support for My Health Record called into question. Here Ben Grubb gets me a little confused about the RACGP position on MyHR.
On Monday last week, the Australian Digital Health Agency (ADHA) issued a statement claiming “Australia’s peak GP, pharmacy, and healthcare bodies support My Health Record and the government’s decision to move the system to an opt out model”, listing various groups below it which included Australia’s peak GP body, the Royal Australian College of General Practitioners (RACGP). But when asked if it supported opt-out, the RACGP initially said in a statement: “The RACGP has never established a position on My Health Record being an opt-in or opt-out service.”Shortly after I put the RACGP’s response to Health Minister Greg Hunt’s office on Friday, who reiterated the RACGP’s incorrect statement of support of opt-out, the peak GP body contacted the author to issue an additional statement “clarifying our position”, which said: “The RACGP has never said that it does not support the opt out model of My Health Record.”
My Health Record agency adds ‘reputation’, ‘public interest’ cancellation options to app contracts.
From the article
“My Health Record is scrambling to put tough new restrictions on mobile phone apps that use its sensitive patient data, including an option to cancel if the companies damage the system’s reputation. Companies Telstra, HealthEngine, Tyde and Healthi already have access to My Health Record information such as Medicare records, test results, scans and prescriptions, for their app users to view on mobile phones.”
Personally, I don’t think I would trust accessing my personal health information through a smart phone app. HealthEngine is also facing a massive crisis of confidence when users find adverts from lawyers pop up in their app. An article in the Guardian by author and oncologist Dr Ranjana Srivastava discusses some of the concerns of on-selling private data. It pays to read the fine print.
AMA president, Dr Tony Bartone, suggest that maybe your MyHR may save your life one day! Technically it would be the health care professional, doctor, nurse paramedic who does the actual saving. But if your MyHR contains vital information about a critical allergy or health problem, and if it can be seen by the doctor , nurse paramedic and they take heed then yes it may save your life.
Cassandra Cross a Senior Lecturer in Criminology from Queensland University of Technology discusses What could a My Health Record data breach look like? And, although Cassandra talks about how to upgrade you security in this article, obviously if the government is in charge of your data, having cryptic and regular password changes may not help.
Australia’s Human Rights Commissioner, Edward Santow, has urged the Federal Government to make changes to the My Health Record to restore confidence in the privacy and security of the system.
Now I don’t think comment from our Health Minister is real (it is from The Shovel), but then again maybe?
Article in the Guardian reinforces that Section 70 implies a court order is not necessary to access MyHR. This is at odds with what the Health Minister says. I think that is one of the biggest issues safeguarding MyHR and maintain public confidence that the Minister won’t know about your herpes.
This is also discussed by Nigel Brew in an article entitled Law enforcement access to My Health Record data on the Australian Parliament website. I agree with his suggestion that medical records registered in the MHR system need to be legally protected from access by law enforcement agencies to at least the same degree as records held by a doctor.
I am sure that Section 70 can be changed to assure security. This would mean that police investigating a crime, etc would need a court order to access data. I do wonder how often the judiciary deny a court order to police in this setting? Then all we need to keep identifiable data out of third party users like health insurance companies.
Dr Edwin Kruys, recently RACGP Chair for Queensland is a keen blogger. In his latest Blog, Doctor’s Bag he highlights how much the Government wants your data.
Dr Tim Leeuwenburg is a rural GP who I used to work alongside on Kangaroo Island. We often had conversations across the hall when our doors were open about life, politics and healthcare. He is an active blogger and to be honest probably inspired me to join in. He is an active advocate for the “Opt Out until its fixed” group of citizens. His Blog KI Doc is worth looking reading.
Dr Tony Bartone, AMA president has suggested AMA says it will do ‘whatever it takes’ to ensure privacy. Dr Bartone revealed the Minister Greg Hunt, and the Australian Digital Health Agency had given him written undertakings that “without a court order … there is no way of access to the system for anyone other than the people nominated by the patient”. Which of course is great but not binding, while Section 70 of the Act stands unchanged (see above).
In the same article, Greens leader, Dr Richard Di Natale, has been quoted as saying “If you want to access someone’s medical records, you should have to have a warrant, simple as that.”
The digital health project My Health Record could undermine the ability of young people to access confidential medical care, critics have warned in this ABC Science article. Access may be difficult for kids whose parents have split, particularly if parents are not on talking terms, or if there are domestic violence issues. The other question can a 14 year old navigate My Health Record?
Dr Harry Nespolan, new to the job as RACGP President has made public that he has opted out as highlighted in this article form The Advertiser. News from the Australian that Tanya Plibersek is not Opting out!
Malcolm Turnbull is try to bolster support for MyHR, and hopefully the politicians will be perusaded to make MyHR more secure.
Opting means business as usual. This article from The Conversation suggests there are benefits to the Health care system with MyHR which I think we can all agree on. Now if Section 70 can be reframed and some other issues sorted out well. Maybe the NQ trial wasn’t asking the right people the right questions?
The Police Union have expressed concern to their members about the lack of warrant to access MyHR. The Queensland Police Union told Guardian Australia it has “legal advice that there is nothing in the legislation that requires any enforcement body to obtain a warrant to access My Health Record”.
The article mentioned on the 25/6/18, has been edited as described in this Guardian article. Sorry if you click on the link to Nigel’s Brew’s paper you get a 404 message now. Dissent will not be tolerated? But can be found here…..nothing ever disappears fully on the internet!!
As the opt-out period for the My Health Record continues, so too does the debate surrounding issues of confidentiality. While possible data breaches have generated widespread concern, for one group – teenagers – it may not just be hackers they want to keep out. It may be their parents. Drs Mellisa Kang and Lena Sanci explain in an article from The Conversation. They are calling for a campaign to educate young people aged 14 to 18 to explain what the My Health Record will mean for them and how they can have the benefits of a record, without losing their rights to confidential health care.
This article by James Bullen publised by the ABC explains one of the potential benefits from data mining. A summary of the article mentioned in the news article
Heritability is essential for understanding the biological causes of disease but requires laborious patient recruitment and phenotype ascertainment. Electronic health records (EHRs) passively capture a wide range of clinically relevant data and provide a resource for studying the heritability of traits that are not typically accessible. EHRs contain next-of-kin information collected via patient emergency contact forms, but until now, these data have gone unused in research. We mined emergency contact data at three academic medical centers and identified 7.4 million familial relationships while maintaining patient privacy. Identified relationships were consistent with genetically derived relatedness. We used EHR data to compute heritability estimates for 500 disease phenotypes. Overall, estimates were consistent with the literature and between sites. Inconsistencies were indicative of limitations and opportunities unique to EHR research. These analyses provide a validation of the use of EHRs for genetics and disease research.
This Saturday paper article (which can be the one free article you read in this newspaper, unless you subscribe), discussed the the positives and perils of My Health Record.
MHR debacle week 2, electric boogaloo, is an article by Pulse IT to summarise the last week in the MyHR story.
If you are interested in looking how the Government deals with privacy before MyHR and Section 70, the Privacy Act 1988, can be accessed here. If you want to see the specifically how health information and medical research is managed go here. The whole Act can be accessed here. This is not just about one’s health but all about what privacy we have from organisations that employ or services, represent us professional, sell stuff, buy stuff, insure against mishaps, fund our needs and wants or interact with us on a daily basis.
A number of Unions have advised members to Opt out. These include Mark Burgess, the chief executive of the Australian Police Federation, The Queensland Police Union, and the Electric Trade Union. Here is a responce from Tim Kelsey to Electric Trade union trying reassure that there are adequate securities in place. The Australian Council of Social Service has added its voice to change.
From earlier this month, this article was published on the MJA INsight. It’s title probably tells the opinion of the author, My Health Record: on a path to nowhere? by Bernard Robertson-Dunn from the Australian Privacy Foundation.
Here is a power point on the interaction between My Health Record, Pathology companies and several contentious issues, such as standing consent, and what to do if you do not wish to have your pathology tests uploaded to My Health Record. The default approach as per the ADHA is to have a standing consent to upload pathology results. Healthcare providers do not need to explicitly obtain permission from the patient before accessing or uploading information to their My Health Record. However controls need to be in place to prevent information (such as a diagnostics report) being sent to the My Health Record if the patient tells their provider that they don’t want it sent. You may notice a new tick box on pathology request forms. If you don’t want to upload, tick the box.
Remember not to read just the headlines WHY AMA CHIEF REFUSED TO GET A MY HEALTH RECORD shouts the Herald Sun . In fact if you read the article it actually says
“I don’t have a My Health Record because I haven’t had the time or opportunity and there hasn’t been the inclination to use it until now,” he said. Dr Bartone said he will automatically get a My Health Record when the opt out period ends in October.
Australia’s former privacy commissioner, Malcolm Crompton, warned government officials about the dangers of an opt-out My Health Record system six years ago, but said his cautions were ignored. Mr Crompton now runs a private consultancy firm dealing with data protection. The article suggests, Mr Crompton, who has himself opted out, said he had little faith in the government’s ability to resolve the myriad of privacy and security issues. He would also like an audit on close to the million private practice computers that would link into My Health Record. He however didn’t comment on the 10 million of so that may link in from people’s homes as they review their My Health record.
Also in the Guardian, Ranjana Srivastava oncologist and author, writes patients trust their secrets to doctors, not the government or the tax office.
COAG health ministers are meeting in Alice Springs on Thursday and Qld Health Minister Steven Miles said a suspension of the three-month opt out period should be on the table, with the roll out to resume when concerns about the current legislation, which provides access to My Health Record by law enforcement agencies without warrants, have been resolved. This is fine, but he seems to forget that a big chunk of his state was opted in and has been for 2 years. And dare I say the system seems to be working pretty good at the coal face.
A surgeons opinion. Although I think drawing a parallel between Dutch records, Nazi Germany and My Health Record is a bit tenuous. Remember, the Government has a lot of data already and the basis of MyHR will be a shared health summary and drawing in health information already stored on disparate computers. Australian’s are not unique in having concerns about a centralised repository of health information. The Dutch have expressed angst over their model.
A rundown of MyHR data breaches in 2017. “This year we received six data breach notifications from the My Health Record System Operator,” the Office of the Australian Information Commissioner’s annual report says.
A predictable left wing opinion in Red flag. “My Health Record a sick joke”
And just to show others have the same idea here is a compilation of opinions and articles from Trent Yarwood.
For broken families, there are concerns raised about who can access and what information may be gleaned from a child’s My Health Record. Terese Edwards, chief executive of the National Council of Single Mothers and their Children, said she had “serious concerns” about the privacy and safety of vulnerable women under the My Health Record system, “especially if they have had an abusive or controlling person in their life and particularly if there’s children involved”.
How may you My Health record be breached. As above, one unknown is how secure your health care provider or home computer may be. This ABC article explained why health service providers suffer the most data breaches. Private health insurer’s data is not necessarily safe either as discussed in these ZDNet and HealthcareIt article . And remember private insurance companies are salivating after access to your My Health Record.
As an aside consider how secure your fitness app may be. It may not transmit your medical history but the data shared may put some users at risk as this article explains, Fitness tracking app gives away location of secret US army bases.
Well, it seems the work of the AMA, RACGP amongst others have helped sway the politicians when it comes to strengthening My Health Record. My Health Record will need a court order for access, Greg Hunt says. This is also discussed in this Guardian article. The RACGP president-elect Dr Harry Nespolon said Hunt’s amendments were necessary. “Changes to the legislation that remove any questions about who may be able to access the records ensure that the records will be able to be used in line with the RACGP’s position statement on My Health Records”
Says Minister Hunt in his media release dated 31/07/2018
From The Conversation, My Health Record: Deleting personal information from databases is harder than it sounds. By Robert Merkel, a software engineer from Monash University in which he calls for a much longer hiatus to the opt out period. He explains what “deletion” may really mean, whilst the record may be kept in original state in a system backup and who may have access to this information.
The ABC has an article entitled, My Health Record still isn’t safe enough to proceed. It needs more than a band-aid fix. Suggesting that “medical records are far more valuable than credit card details as a means of identity theft, due to the massive amount of personal information they contain about you, your family and your life history. They are a jackpot for hackers, fetching a high price on the dark web.” Whilst also appearing on an ABC JJJ website it the story of medical being found in a derelict building. The documents contain deeply intimate information of more than 400 vulnerable patients’ personal profiles, medical conditions, behaviours, accidents, treatments, and medical history. This is a much richer source of information that anything contained on your My Health Record. In recent past there have been several incidents were record have been found discarded. In Alice Springs, Sydney, Adelaide and Sunshine Coast.
My Health Record: Canberra is still missing the point by Stilgherrian who has written several criticisms on My Health Records continues in Zdnet. In this article he focuses on the potential for misuse by the 900,000 healthcare workers who can access the system, ill-thought privacy controls, complex access control that will be difficult for ordinary humans to operate and the as-yet-unspecified “secondary use” of the data. “Even if the Commonwealth department that looks after My Health Record is locked down to the nth degree, and it probably is, a GP in any GP office throughout Australia can access that data and do whatever they want with it. Or any disgruntled dentist, nefarious nurse, or enraged endocrinologist.” Will have to watch out for those enraged endocrinologist wielding syringes of insulin!
Dr Kerry Phelps who has publically spoken out against the MyHealth Record hasn’t been convinced by Minister Hunt’s prospective changes. My Health concessions ‘woefully inadequate’, says former AMA president she suggests in this SMH article.
How are GP’s using MyHR was a title for a Norman Swan podcast with Dr Ewen McPhee is a rural general practitioner who says My Health Record is invaluable to his practice. He says it helps to provide continuity of care to people moving across the region who see multiple practitioners and don’t necessarily keep good records. Dr McPhee says there are legitimate concerns around privacy issues, especially for minors and people with dementia, and argues there’s a need for further careful thought around how those areas are addressed.
The SMH is trying to scare people by raising the spectre of linking your genetic information to MyHR in this article. That is not to say that ADHA plans on collecting a swab from all Australians and hosting the results on MyHR, but if you have a genetic test done then the pathology company will upload it to your MyHR, unless you tell them not to by ticking the option on the pathology form. This raises the question as to why you want to have genetic testing done. It may open a can of worms which if insurance companies get hold may prejudice future health-related policies and lead to discrimination. This was discussed by Jane Tiller and Paul Lacaze in an article in The Conversation.
David Hunter write Using My Health Record data for research could save lives, but we must ensure it’s ethical in this article also in The Conversation.
Great news you now have longer to opt-out. My Health Record opt-out period extended to November 15th, which will be a Thursday if you wanted to know. More time to procrastinate, but hopefully more time to sort out Section 70.
Meanwhile more unions are advising members to opt-out. Although I don’t see a media release on the ACTU wesbite, the Rail, Bus and Tram union does say post this media release.
ADHA had posted a media release reinforcing that access by insurers and employers My Health Record is prohibited. The relevant legislation, states
Healthcare Identifiers Act 2010
14 Collection, use and disclosure—providing healthcare to a healthcare recipient
(2) This section does not authorise the collection, use or disclosure of the healthcare identifier of a healthcare recipient for the purpose of communicating or managing health information as part of:
(a) underwriting a contract of insurance that covers the healthcare recipient; or
(b) determining whether to enter into a contract of insurance that covers the healthcare recipient (whether alone or as a member of a class); or
(c) determining whether a contract of insurance covers the healthcare recipient in relation to a particular event; or
(d) employing the healthcare recipient.
Meanwhile in Denmark, their citizens, we are told are embracing the Viking version of My Health Record. This was the take on the Danish system printed in the Medical Republic last year. And an article detailing the differences and similarities in the Australian and Danish system from prior to the opt-out change. Denmark and Estonia were both opt-out.
Reports suggest a Parliamentary inquiry will be undertaken to examine security of My Health Record system have been in the latest news. This follows on calls from the opposition for a senate inquiry. HealthcareIt has a post of the twitter conversation between the health minister Greg Hunt and and his shadow Catherine King. Catherine King said these changes don’t go far enough, and a senate inquiry is needed to investigate the myriad problems surrounding My Health Record. You would of course remember that both parties have contributed to setting up of My Health Record. The respective legislation was written in 2012 when Labour, under Julia Gillard was leading the government. Still politicians like to do what they do best , and that is blame each other rather than fix the problem. We shall see what comes from the Senate inquiry, and we’ll just foot the bill for the cost of that.
Meanwhile, a former Pentagon cyber chief says hackers could exploit My Health Record flaws. Jonathan Reiber hasn’t suggested he would be doing the hacking, but like all computerised databases, My Health Record would have attractions to criminals, just like your bank account, Facebook details, etc. Not that the Pentagon computer system has been safe. From a 2016 report, Meet the 18-Year-Old Who Hacked the Pentagon. Although apparently this hacker was encouraged to reveal security deficiencies.