13 min read Featured Sticky July 18, 2018 at 8:35am
I've been doing a bit of media about myHealthRecord this week, and have been burning up Twitter with my posts, so I thought I'd compile a summary post as a reference - particularly as I'm back at work next week and won't be as available.
2018-07-16: The case for opting out of myHealthRecord [radio 2GB]
2018-07-17: myHealthRecord: should you opt out? [radio 2SER]
2018-07-15: My Health Record: Your questions answered [backgrounding only - ABC Online]
2018-07-15: Breach 'inevitable' in digital health records [Fairfax]
2018-07-16: My Health Record opt-out period begins, but privacy concerns remain [ABC Online]
2018-07-17: Why would a doctor not be in favour of myHealthRecord? [Croakey]
2018-07-26: Reprint of the Croakey story at Inside Story, which is worth a read because of the extensive commentary on the events of the week at the top.
2018-07-28: The positives and perils of the myHealthRecord [Saturday Paper, $]
As part of my work with Future Wise, I have been the lead author on a number of our submissions in the area of digital health and privacy:
- Submission[pdf] to the senate inquiry on Circumstances in which Australians' personal Medicare information has been compromised and made available on the 'dark web' 2017
- Submission[pdf] to the consultation on Development of a framework for Seconday use of my Health Record Systems Data in Australia 2017
And have written blog posts at Future Wise on:
- the intersection of IT and healthcare
- update on digital health news
- the Productivity Commission's data use and availability report
- a response to the myHR secondary use framework
And on this blog about the Digital Health Strategy.
[nb: this post has been updated a number of times with additional articles and various bits and pieces and some typos to fix]
Frequently Asked Questions
What is your position on opting out of myHealthRecord?
I have opted out personally, and for my family, including my children. This is based on the fact that none of us have chronic medical conditions where I feel myHR would be beneficial, as well as my significant concerns about the privacy and security of the myHR system. For us, the risks greatly outweigh the benefits. If the system subsequently proves to be robust, and any of us were to develop an issue where I think having a shared record would be beneficial, I am open to reconsidering, however I think this unlikely.
For others, I recommend a well-informed assessment of the risks and benefits you face from myHR. I do believe that there are definitely some benefits to be had - for some patients - in having a shared record.
How should I decide whether to opt-out or not?
I maintain that it is difficult for patients considering a myHR to obtain an accurate appraisal of the risks and benefits because most of the information on the Internet comes strongly from one side or the other.
I am very sceptical that your GP will have a sufficiently detailed understanding of computer security to be able to give you truly informed consent on the risks. However, unlike some privacy advocates also campaigning for opt-out, I do believe that there are benefits, which IT/privacy wonks may have lesser understanding of.
You should read widely on both sides of the argument, and discuss with your GP and any other healthcare staff who look after you, bearing in mind that if you already have a myHealthRecord, opting out is more challenging.
If in doubt about the privacy of your medical information, then opting out is a safer option. You can always opt-in later, but if your data is compromised, then you can't get that back.
Are there groups who this doesn't apply for?
If you have something in your medical history you absolutely don't want shared with anyone except your doctor, you should opt-out. If you are concerned that something in your medical history could be used against you, then you should opt-out.
For example, I will be advising my patients who are living with HIV to opt-out.
If your medical record includes information which may land you in trouble with the law (injecting drug use, you have committed violence or sexual assault (note that some of these may already be subject to mandatory disclosure by your doctor, for example if children are involved), then you should opt-out, because the myHealthRecord act allows the use of shared health data for investigation of criminal activity.
If you have been less-than-entirely-honest on government or other forms relating to immigration visas, sickness or unemployment benefits or workers compensation, then you should opt-out, as the myHealthRecord act allows the use of shared health summaries for investigations which protect public revenue or "detecting or investigating...seriously improper conduct".
What are the benefits of myHR?
A good shared health summary is extremely useful when there is a transfer of care between different providers, and having access to this electronically is more convenient for your healthcare provider. An up-to-date letter from your GP would be much the same - as long as it's up to date, you don't forget to bring it with you, and assuming you can get it back from the hospital when they borrow it to copy/scan it into the computer.
There may be some benefits in an emergency situation if you are unable to provide a history to hospital staff, however:
- these events are rare
- you need to be able to be identified (ie: have ID on you, not be "UNKNOWN UNKNOWN")
- it generally doesn't matter that much if a significant other comes with you who can provide some info instead
- if the situation is truly emergent, then you will receive the necessary care regardless of what it says in your myHealthRecord
You are able to set access controls on the health data in your record, and access is logged, however
- these may be over-ridden in an emergency
- delegations of these permissions are unclear (ie: other staff in the practice / hospital may be able to see them)
- the controls don't prevent the government from accessing your data for administrative / enforcement purposes
- I believe they currently require you to set them manually for each uploaded document, which may include many hundreds of records
- logging may only reveal that "Public Hospital X" accessed your records, and doesn't provide any information on which staff from that hospital accessed your records
Secondary use of data in myHealthRecord may be able to provide material for important health research, including operational research looking at improving health service delivery and quality and safety of care. There is also the potential for other medical advances, like the much-talked-about discovery of the link between folate and neural tube defects by Fiona Stanley in Western Australia. You can opt out of this sort of secondary use even if you keep a record for clinical reasons.
Some of my medical colleagues are rather upset with me for downplaying the benefits of myHR, however an evaluation of the trial sites found that the majority of doctors did not get any more clinical benefits from the system than I have.
The Commission for Safety and Quality in Healthcare (CoI: I was contracted to The Commission as a senior medical advisor for 6/12 in 2017, this is no longer the case and I didn't work in the same section as produced this report) have also published a clinical safety review of the myHealthRecord, with a number of concerns and complaints.
What are the risks of having a myHealthRecord?
Sharing by design
Making it easier to share your health information means that improper access is also easier. There is no way around this; safeguards can reduce the risk of improper access, but as any IT security person will tell you, data breaches are a "when, not if" phenomenon.
Unauthorised ("hacking") or Improper access
Contrary to what you might think from media stories, the greatest risk is not malicious "hackers" stealing your health information for identity theft (although this is certainly possible, and health data would be very fertile ground for identity thieves to target).
Improper access is much more likely to occur via people who already have access to the system. This could include:
- access to the system for commercial gain (eg: the selling of medicare numbers from HPOA)
- healthcare workers having a sticky-beak in your record because they're curious because
- your record has been downloaded legally to your GP's practice software, but their system is targeted by ransomware
Ease of personal control
An additional issue from a privacy point of view is the difficulty in personally controlling access to your documents. If you want to conceal your HIV status completely, will you remember to log in every two months to hide the PBS record that you were dispensed a HIV antiviral? Granular privacy controls should include an option to hide all records by default.
And even if you do successfully hide all the documents you're concerned about, hiding them doesn't necessarily remove them completely from the system. This would prevent their routine access and secondary use, but it's unclear what would happen to them in the event the system was hacked - or if there was a law enforcement request for access.
Unequal social distribution of risks
It is also very likely that people with poorer health- or technology-literacy will be less likely to access the privacy controls. This means that poor, remote-living, culturally-diverse or other minority populations may be disproportionately at risk of privacy breaches; despite these people being - in many cases - those with the most to gain from the benefits of myHR.
Administrative access for government
My greatest concern as a clinician is that the My Health Records Act includes the authority for Digital Health Australia to disclose information for law enforcement purposes, including: (s70(1))
(a) the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law;
(b) the enforcement of laws relating to the confiscation of the proceeds of crime;
(c) the protection of the public revenue;
(d) the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct;
(e) the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal.
These broad criteria allow a wide range of bodies access to My Health Record data, without there necessarily being a requirement for a warrant – and unlike the primary records held by your healthcare staff, ADHA does not need to notify clinicians (or patients) that their records have been accessed.
If as a healthcare worker you are seeing a patient involved in illicit activity (for example, injecting drug use) will you upload a summary in the name of improving their shared healthcare?
(above section taken from the piece I wrote for Croakey)
What makes you qualified to talk about this?
I've been a public hospital doctor since 2003, and the hospital I work in was one of the first in Queensland to introduce electronic records. I also live in a myHR trial area, so have attempted to make use of myHR in a clinical setting. I look after patients living with HIV - a number of whom have had their confidentiality breached and who have then suffered severely as a result of this. I have also worked in population health for five years, and am familiar with the use of big data in health through personal experience working on state and national surveillance programs, and have post-graduate training in epidemiology and biostatistics as well as being most-of-the-way through additional specialist training in public health medicine. I work in a regional hospital, which receives a lot of patients from remote areas of north Queensland, so am well aware of issues in health in remote areas.
I have no formal IT qualifications, but consider myself to have a high level of knowledge (for an amateur), and work closely with a number of IT professionals.
Update 26th July
This week has been a rapidly moving feast. President of the AMA, Dr Tony Bartone gave the National Press Club address (available on iView until 24th August) on Wednesday 25th July, where privacy was a hot topic, and Professor Kerryn Phelps has also been active in the media (saying much the same stuff I've been saying above but with a much higher profile)
Although I'm a bit grumpy about the bandwagon-jumping, the AMA and RACGP have about-faced and are now seeking assurances from the Health Minister. I'm unsure of the value of this, as the Health Minister continues to maintain, against what the Act says, what legal advice to the Queensland Police Union says and what all the privacy advocates has been maintaining.
To try and help clarify, I have lodged a Freedom of Information request for ADHA's work instructions surrounding section 70 access to myHealthRecord, although based on usual government form, this unlikely to be back prior to the end of the Opt-out period.
There's a longer (but even more pro-opt-out) list over at the Australian Privacy Foundation's website.
Australian Parliamentary Library This is a quite extraordinarily direct contradiction of the media position of both the Health Minister and Digital Health Australia - coming from the Parliamentary Library of all places, which completely supports my concerns about section 70 and if you only read one of the articles on this ever-expanding list, then this has to be it.
This article has, to quote Stilgherrian, been dropped down the memory hole. Because it's such a good article, and I'd hate for you to miss it, you can read it at the Internet Archive, or as a pdf from Stilgherrian, which I will also mirror here.
Crikey: ‘No one who uses a public service should be allowed to opt out’: My Health Record head
MJA: My Health Record: on a path to nowhere?
Conversation: myHR: the case for opting out
ABC: Govt accused of not doing enough to persuade people
Guardian: There is no social licence for myHealthRecord
Fairfax: Errors and Incompetence
Guardian: myHR identical to failed UK scheme
News[$] : Doctors outraged police, ATO can access myHR
Twitter: Cracker of a thread from tech journo Richard Chirgwin outlining his concerns
Crikey: Soon there may be no escape from Govt and Corporate surveillance
ZDNet: Stilgherrian nails the risk and consequences of a health data-breach. Must read.
AFP: Why myHR can't have 'military-grade' security
Twitter: A very insightful thread from Noely Neate on the "citizens as a product" attitude that seems to be pervasive in Government
ABC: myHealthRecord undermines teens' rights to medical privacy, critics fear.
Conversation: Freezing out the folks: myHR settings don't protect teens' privacy
Womens' Agenda: A surgeon's very real concerns about #myHealthRecord - this one is great, by a doctor and is a bit better at quoting evidence for some of the stuff above than I have been.
Crikey[$]: Here's how Turnbull can fix the MyHealthRecord mess.
Medical Republic: Police can access medical data MHR or not
ZDNet: Stilgherrian - Canberra still in denial about myHR concerns
Eureka Street: My Future Wise colleague Kate Galloway on the change that myHR presents to the social contract between government and individual.
IT Technology Professional's Association: myHealthRecord - a flawed initiative
Medical Republic: 10 Awkward questions about myHR
Eigenmagic: A longer form, but excellent (and balanced) discussion of issues from Justin Warren
Mandarin: Making myHR opt-out was a risky venture.
Guardian: Dr Ranjana Srivastava is typically excellent
Croakey: An important overview of the pros, cons and questions about My Health Record
Conversation: myHR: the case for opting in
Twitter: comprehensive thread from Dr Jill Tomlinson on her thoughts about the benefits