Australian government promises changes to My Health Records following widespread opposition
2 August 2018
In a sign of growing problems for the Turnbull government, Health Minister Greg Hunt has been forced to pledge to amend the My Health Records (MHR) legislation governing the collection, storage and release of the medical records of millions of people in Australia.
No details of the changes have been provided, but Hunt said they would stipulate that a “court order” would be required to release any health details to law enforcement agencies and government departments. This contradicts his many statements over the past week insisting that this was already enshrined in official policy.
Hunt also promised a person’s records would be deleted if they withdrew from the scheme once their file had been created. Previously, once the file was created it would remain on the system for 30 years following death even if the owner opted out. Hunt also broached the possibility of extending the opt-out period for a further month.
This turnaround follows growing opposition from ordinary people, doctors and IT specialists to the government’s July 16 announcement that the entire population’s health records would be placed in a central data bank unless individuals “opted out” of the scheme within three months. After the opt-out period ended on October 15, a My Health Record would be automatically created for every man, woman and child.
Public concern mounted after it became known that the records could be made available to the police and other government agencies, including the Australian Tax Office and Centrelink, which controls welfare payments.
The government’s Australian Digital Health Agency (ADHA) administers the data. Over the past six years, it has collected the health records of six million people in a trial called the Personally Controlled Electronic Health Record. The legislation governing the scheme was introduced in 2012 by the Gillard Labor government, with the support of the now-ruling Liberal-National Coalition.
While the trial was purportedly a voluntary “opt-in” scheme, some people were unaware they were participating and only discovered they had a health record when they tried to opt out during the past week. In 2016, with Labor’s backing, the Turnbull government proposed to shift the scheme from opt-in to opt-out.
In the face of the public outcry, Labor leader Bill Shorten lobbied the government to suspend the scheme, extend the opt-out period and ensure the privacy of patients’ files. This is an attempt to deflect attention from Labor’s role in initiating and supporting the legislation.
The government evidently hoped the cut-off date would go relatively unnoticed. No advertising campaign was launched to explain the need to opt out or the consequences of not doing so. Nevertheless, on July 16, the first day of the opt-out period, 20,000 people left the scheme despite some having to wait more than an hour on the phone due to problems with the online opt-out features.
The Australian Medical Association (AMA) and the Royal Australian College of General Practictioners (RACPG), two major doctors’ groups, provided initial support for the scheme. However, together with the Law Council, which represents lawyers, they later raised concerns that the legislation allows access to individual files by police and government agencies without a warrant. Hunt’s promise to draft legislative amendments followed emergency meetings with the AMA and the RACPG.
Until it is amended, Section 70 of the Act provides that the ADHA can disclose health information if it “reasonably believes that the use or disclosure is reasonably necessary for…
(a) the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty….
(b) the enforcement of laws relating to the confiscation of the proceeds of crime;
(c) the protection of the public revenue;
(d) the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct;
(e) the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal.”
In a revealing development, the Queensland Police Union advised its members to opt out. It warned them that access would also be available to the immigration department, anti-corruption commissions, financial regulators and other agencies that impose fines or are tasked with “protection of the public revenue.”
Centrelink could use the data to cut pensioners, disabled workers and the unemployed off welfare payments, and the immigration department could deny visas to anyone assessed as not passing health tests.
Sections 64 and 68 of the Act also permit participants to disclose a person’s health information if it is “necessary to lessen or prevent a serious threat to public health or public safety” or “for purposes relating to the provision of indemnity cover for a healthcare provider.”
Another sweeping provision evidently not slated for amendment is Section 98. It provides that the ADHA may, by writing, delegate one or more of its powers to the chief executive of Medicare, an Australian Public Service employee in the health department or “any other person with the consent of the Minister.” This would provide anyone approved by the health minister access to the entire system.
IT specialists and privacy advocates also raised concerns that data could be hacked, sold or provided to third parties, including insurance companies and private health funds. One private health insurer, NIB, already declared: “We desperately need this data to make the world a better place.”
Health insurers have been lobbying for access. Rachel David, the chief executive of peak body Private Healthcare Australia, said Hunt had agreed to discuss a framework with the sector.
On July 17, Prime Minister Malcolm Turnbull defended provisions allowing insurance companies to request My Health Records for claimants. Turnbull said people had an obligation to make “full disclosure” when applying for insurance.
Paul Shelter, a former head of the government’s Digital Transformation Agency, noted that individual users must arrange their own security settings. The default setting established by ADHA is that all data is shared. Most MHR holders would be unaware that to secure their records they have to manually change their security setting.
With an estimated 900,000 medical professionals and more than 12,000 organisations accessing the system, the danger of security breaches is high. Singapore, which operates a centralised digital medical storage system, last week suffered a cyber security breach. The health records of 1.5 million people were copied—a fact that authorities took a week to discover.
ADHA chief executive Tim Kelsey led what has been described as an “almost identical” program in Britain—Care.data. It was suspended in 2014, then axed in 2016, after patient data was sold to insurers.
Minister Hunt also said patients’ sensitive and private health data will be made available for public health and research purposes, unless patients indicate that their records cannot be used.
Hunt claimed the data “cannot be used for commercial and non-health-related purposes, including direct marketing to consumers, insurance assessments, and eligibility for welfare benefits.” However, the legislation allows entities to be handed data if they can show it is in the “public interest.”
The ADHA has scrambled over the past week to tighten data access by mobile phone apps, but companies such as Telstra, HealthEngine, Tyde and Healthi already have access to patients’ records. Last month it was revealed that HealthEngine had shared patient information with personal injury lawyers.
Centralised health records have clear benefits—they may provide doctors with access to crucial health details in circumstances where the patient is unable to convey such information. Under the capitalist profit system, however, the harvesting and storage of such information is liable to serve corporate purposes.
Moreover, the access given to police and security agencies has no health benefits whatsoever. The handing over of patients’ sensitive physical and mental health records can be explained only from the standpoint of enabling mass surveillance and intervention against targeted individuals.