Digital health records provide an array of benefits. Emergency care can be enhanced through quick access to important patient information. The duplication of diagnostic tests can be avoided and patients no longer need to recount their medical history and pharmaceutical prescriptions to every new health professional they see.1
Australia, along with other countries, has acknowledged the significant improvements in efficiency, quality and delivery of healthcare services that shared digital health systems can provide. My Health Record (MHR) is Australia's version of such a digital health system, acting as a national e-health record system operated and maintained by the Australian Digital Health Agency (ADHA). Although the window to 'opt out' of the MHR system has closed, Australians are still able to choose whether they maintain their MHR, restrict access to certain information or delete their online record entirely. Universal issues regarding data privacy, security, use and participation continue to undercut the utility of the MHR platform, with the Australian public maintaining a healthy sense of caution regarding the Government's ability to safeguard some of Australia's most sensitive personal information.
Australia's My Health Record program
MHR is Australia's national eHealth record system, operated and maintained by ADHA. Implemented initially in 2012 as the Personally Controlled Electronic Health Record (PCEHR), the system operated on an opt-in basis whereby individuals voluntarily registered for a PCEHR and consented to their health information being uploaded.2 In 2018 the Australian Government announced the PCEHR would be renamed 'My Health Record' and legislation was introduced to transform the model to an opt-out program.3 Under the new system, an MHR is created for every Australian unless he/she elects to opt out. The deadline for opting out was originally mid-November 2018 but was extended to 31 January 2019 due to widespread controversy regarding data security, privacy and how the MHR system will operate,4 as well as the delayed release of a Senate Inquiry report into the MHR system (MHR Inquiry).5
Notwithstanding such controversy, the Australian Government's decision to migrate across to an opt-out model was well-intentioned, with aims of increasing the number of individuals and healthcare providers participating in the system.6 Further, the transition formed part of Australia's broader National Digital Health Strategy with the strategic outcome of ensuring that health information is available whenever and wherever it is needed.7
1. What is MHR?
Described as a 'drop box' for medical information, MHR is a centralised, online repository of documents and data relating to a person's health and healthcare, accessible only by healthcare consumers and their nominated healthcare providers.8 MHR may include important health information for an individual regarding any allergies, prescribed medicines, diagnosed or hereditary medical conditions, pathology and test results.9 Individuals can choose which health information is shared with certain practitioners by altering individual privacy and security settings; however, healthcare providers caring for a person in an emergency are able to utilise "break glass" functionality to access that person's MHR without obtaining consent.10 This feature is only available where there is a serious threat to the individual's life, health or safety or the public's health or safety (e.g. to restrict the spread of an infectious disease) and their consent cannot practically be obtained.11
2. MHR Benefits
Proponents of MHR argue that having a personal e-health record provides a number of potential benefits.12 Perhaps the most obvious is the potential life-saving effect MHR could have in an emergency, where access to important personal health information is critical to provide the individual with the correct treatment. Use of MHR is also expected to improve patient care, safety and medical communication. Independent advisory firm Future Wise states that a common source of medical error is the current lack of interoperability between hospitals and general practitioners.13 In enabling shared access to patient discharge summaries and important test results including pathology or diagnostic imaging, MHR may see these errors avoided. Further, some general practitioners stress that improving the flow of information between health specialists is particularly important for vulnerable patients such as the elderly and those with disabilities or from culturally diverse backgrounds.14 Such patients may struggle with English or be unable to recall important information regarding diagnosis or prescriptions. For these individuals, the need is acute for healthcare providers to be informed and coordinated and therefore able to provide better quality care.
Similarly, in dispensing medicines, the Pharmacy Guild of Australia has acknowledged the beneficial patient outcomes that can be achieved in allowing pharmacists and health practitioners access to a person's MHR. The Guild states that every year 230,000 people are admitted to hospital, and many more experience pain and a reduced quality of life, as a result of unintended side effects of their medicines.15 These outcomes can be prevented to the extent that information on allergies, medicines history, diagnosed conditions, etc., is first made available to the prescribing health professional.
Despite these benefits, not all Australians are convinced by the MHR initiative. A number of concerns have been raised over the privacy and security implications of storing and transmitting Australians' personal health data, with individuals particularly wary of the Government's role and capabilities in safeguarding MHR data.
1. Unclear parameters
One of the main concerns with the MHR program is a lack of public understanding of who can access the health information contained in MHR and the purposes for which that data may be used. Despite repeated assurances from ADHA16 and Australia's Health Minister Greg Hunt that MHR data is only accessible by registered healthcare providers and will not be automatically shared with the police and other departments like the Australian Taxation Office, consumers remain sceptical.17
Part of this concern stems from what former Australian Privacy Commissioner, Timothy Pilgrim, has described as 'function creep', being the shift in boundaries around who can access the data and unintended and evolving purposes for use of that data.18 In the case of MHR, it is unclear where these limits lie as MHR data has the capability to extend beyond just therapeutic imperatives into law enforcement and commercial territory.19
This is a valid concern given the Government's proposal for MHR data to be used for secondary purposes, including research, policy and planning as outlined in their Secondary Use Framework.20 By law, the ADHA, as system operator of the MHR program, is empowered to collect, use and disclose health information "for any purpose" with the consent of the healthcare recipient.21 MHR consumer access settings can be changed where an individual wants to withdraw their consent to secondary use of their data; however, to the extent that a person does not actively withdraw, their consent is by default implied.22 The Law Council of Australia has also taken issue with this point, explaining that such secondary use is at odds with underlying principles in both Commonwealth and state privacy laws which require express patient consent to secondary use or disclosure.23
Australia is not the only country grappling with issues surrounding the secondary use of consumer health data. Reports from the US cite that most Americans are completely unaware that their anonymised health information is routinely traded for commercial purposes unrelated to their specific treatment.24 Even where data use is well-intentioned (e.g. the development of new treatments), without open dialogue this hidden data exchange threatens to erode public trust in health care systems as patient confidentiality is no longer paramount.25 Further, England has also struggled to build trust and confidence in e-Health record systems, with previous attempts in implementing the 'care.data' scheme failing due to confidentiality issues and a lack of consumer transparency around how the data would be used.26 The position is drastically different in Nordic countries, where a high degree of public trust in research and strong values of social equality contribute to the view that medical data sharing for research is part of the social compact.27
Against these examples, Australia's MHR sits somewhere in the middle, with consumers at least engaged in public debate and the Government's proposed Secondary Use Framework prohibiting the use of health data for "solely commercial purposes."28
2. Data security concerns
A further public concern with MHR is the security around consumer health information. Although the Government states that patient information will be safe, numerous security and IT professionals have warned that no online system is completely secure, especially given that MHR data will be accessible by many healthcare providers, who may have weak cybersecurity.29
MHR was designed as a centralised database, enabling broad access to MHR data by registered healthcare providers. However, with systems only as strong as their weakest link, many potential access points render the MHR database less secure and more vulnerable to hacking and unauthorised use.30 The effectiveness of MHR's security is therefore dependent on the cyber resilience of each healthcare provider's own systems, which understandably gives cause for concern when we consider that many local health practitioners may not be equipped with the technology or security required to protect against malicious actors. Notwithstanding this design, the Government maintains that MHR adheres to Australian Government security requirements and is protected by high grade security protocols in accordance with the Government's comprehensive Protective Security Policy Framework.31
Yet even with this security framework, the Australian public are sceptical of the Government overstating its cybersecurity capabilities when Government systems have proven to lack proper security protections in the past. The incident of Medicare card details being sold on the dark web, as well as successful attempts to hijack and access personal tax, Medicare and health information through myGov user accounts, are just two examples of Government systems failing to prevent unauthorised access.32
Worldwide, cyber attacks and security issues are proving to be a recurring problem in the implementation of secure digital health sharing systems. The WannaCry ransomware attack that crippled Britain's National Health Service and other nations' hospitals highlights the weaknesses of online systems that house citizens' most sensitive information.33 This issue is exacerbated by the fact that most nations' data governance frameworks are "gravely inadequate"34 and national laws supporting e-health records do not utilise specific rules for institutions hosting such records, but rely instead on adapting general security requirements for all types of data controllers.35
3. MHR model coercive and incomplete
Industry commentators are also critical of MHR's design, stating it deprives individuals of personal autonomy in their decision to share sensitive health information.36 While there are strong policy reasons for transitioning to an opt-out model, namely, achieving meaningful participation to render MHR useful, a commonly held view is that this message was not clearly conveyed to the Australian public. As a result, privacy and security are the overriding public concern and the requirement to take action to safeguard individual information has occasioned greater mistrust of MHR.
As mentioned above, MHR settings do allow consumers to restrict access to certain health information for particular healthcare providers. However, where consumers utilise these privacy controls, MHR is effectively an incomplete record which, according to some commentators, undercuts the purpose of the whole system and may even prove dangerous where restricted information is important.37 For this reason, countries such as Denmark only allow e-health record data to be edited by the institution or healthcare providers that registered that information. If the patient finds their information is incorrect, they must contact the provider or hospital who registered the data in order to change it.38 Acknowledging patient privacy concerns, Denmark's system does allow patients to limit access to certain aspects of their health data; however, this is not encouraged and is prohibited for specific types of data such as referrals, laboratory results and details of hospital treatments.39
Success with any initiative is dependent on widespread adoption and trust that systems function in the intended way. So far, mistrust in the Australian Government's ability to use MHR data for the intended purpose of improving Australian healthcare and keep this data secure has resulted in Australians being divided on whether they remain enrolled in the MHR program.
MHR has its share of data privacy and security concerns that are common issues for e-health record systems worldwide. Until the Australian government can present a robust framework for data management there will continue to be criticism of MHR. Nevertheless, with clear benefits to the healthcare system and open public dialogue surrounding privacy and security concerns, Australians should at least be satisfied that MHR is heading in the right direction.
Originally published on DataGuidance by OneTrust. Please use the link to view the sources.
With thanks to Rowena Baer, Associate, for her assistance in drafting this article.