My Health Record Changes: Too Little, Too Late?
Amendments to the Law Seek to Douse Privacy, Security Concerns
Australia's Parliament on Monday passed legislation that strengthens privacy protections for My Health Record, the country's embattled digital medical records program. But questions remain about whether the changes go far enough to restore confidence in electronic health records.
The new changes, included in a bill called the My Health Records Amendment (Strengthening Privacy) Bill 2018, aim to assuage concerns that entities outside of care providers, such as employers and insurers, could gain access to records. Also, there were lingering questions about whether law enforcement agencies would need a court order to be allowed to obtain any records.
The amendment will allow individuals to delete their record at any time. Under the original policy, people could only deactivate their record, and the government would retain a shadow copy of it for decades.
"These changes are in response to the Australian community's calls for even stronger privacy and security protections for people using My Health Record," says the Australian Digital Health Agency in a statement.
My Health Record is intended to speed delivery and quality of healthcare by allowing providers to quickly access data on such patient care essentials as prescriptions, allergies, immunizations and organ donation decisions. The government also hopes to gain broad insight into the health of the nation via large-scale studies that use anonymized, aggregated data.
But the program ran into trouble soon after Parliament passed the My Health Record Act in 2012. Uptake of the system among clinicians was slow, and the general public didn't enthusiastically opt in to the program.
In response, the government decided to create a digital record for everyone, unless they opted out.
Justin Warren, a board member of Electronic Frontiers Australia and managing director of the IT consultancy PivotNine, says that decision has proved problematic. My Health Record was designed with the belief that its users were those who actually wanted a digital record, he says.
"Making this system opt-out instead changed the core assumption that everything else was built on, which is like suddenly deciding to use salt instead of sugar when baking a cake," Warren says.
The switch to having to opt out generated fierce criticism. Privacy campaigners, medical practitioners and the public took issue with being pushed into a complex program with no way out.
The opt-out period ran from mid-July through mid-October. By the end of July, however, the public outcry caused Health Minister Greg Hunt to propose changes to My Health Record.
The changes passed by Parliament resolve several, but not all, key concerns that have been raised. One of the major concerns remains who else besides healthcare providers may access records.
The law has been strengthened to forbid the release of My Health Records to third parties except when it is related to the "provision of healthcare or is otherwise authorized or required by law," says the Australian Digital Health Agency.
That's important because Australian health insurance companies were keen to access anonymized data, as the Australian Financial Review reported in June. In the U.S., health insurers are enthusiastic about big data collection, with an eye to refining how they price insurance, NPR and ProPublica reported in June.
The amendment also ensures that "My Health Record system cannot be privatized or used for commercial purposes," ADHA says.
By default, however, anonymized My Health Record data will be shared with researchers, which has rankled some privacy advocates. Patients can opt out of that sharing, but Warren of Electronic Frontiers Australia contends that sharing for research purposes should instead require patients to opt in.
"Turn all the security controls on by default so that people are not opted in to sharing their data," he says. "The fact your data is shared with researchers by default undermines the government's assertions that this system is about having more control over their own data."
Another concern is law enforcement access. The original My Health Record Act was ambiguous about how and when government agencies could access health data. The latest changes now mean that My Health Records cannot be released without either "oversight" or an order from a judicial officer, ADHA says.
There are also key changes to how the government retains and deletes records.
Under the original plan, records could be deactivated, but the data would be retained for 30 years after a person's death, or if the date of a person's death was unknown, for 130 years after birth.
Although the government will still automatically create records, patients will also be able to permanently delete their record at any time. The government will also no longer retain an inactive, archived copy, and the data will be deleted in such a way that it can't be recovered, according to the ADHA.
Whether the changes will restore confidence in the program, however, remains to be seen. Parliament's policy-focused changes may be a start, but there are still several nuts-and-bolts security and usability issues with My Health Record.
Some 13,000 healthcare providers will have access to the My Health Record system. That has raised concern that records could be improperly accessed or that the incidence of data breaches might increase.
Parliament has attempted to address the improper access concern via its new amendment, increasing the penalties for unauthorized use. Violators will face a maximum civil penalty of A$315,000 ($227,000) and up to five years in jail.
There are several access controls that patients can use to restrict access to their record. But the success of such security controls is linked to how users apply them, and the defaults don't encourage maximum security.
Users can set a personal access code that protects their entire record and then hand the code to providers as needed. If the patient is unconscious, however, practitioners can override that setting. This personal access code feature is disabled by default.
There are also more granular settings. For example, there's a record access code, for allowing access by specific organizations to a person's record. There's also a limited document access code, which meters access to specific documents within a record.
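The interaction between these controls, and why the defaults matter, is easier to see as a policy evaluator. The following is an added, illustrative model written for this article, not the My Health Record system's own access logic: the policy shape (a record-level code that is off by default, per-document codes that take precedence, an emergency override that bypasses both but is written to an audit trail) is an assumption drawn from the description above, and the records, codes and organisation names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class HealthRecord:
    """Hypothetical model of one patient's record and its access settings."""
    owner: str
    # Record-level access code. None models the default: no code is set, so
    # any registered provider organisation can open the record.
    record_code: Optional[str] = None
    # Limited document access codes: document id -> code.
    document_codes: Dict[str, str] = field(default_factory=dict)
    # Organisations the patient has already handed the record code to.
    trusted_orgs: Set[str] = field(default_factory=set)
    audit: List[str] = field(default_factory=list)


def authorise(record: HealthRecord, org: str, doc_id: str,
              presented_code: Optional[str] = None,
              emergency: bool = False) -> bool:
    """Return True if `org` may read `doc_id`. Denials and every emergency
    override are appended to the record's audit trail."""
    # Emergency access (patient unconscious) bypasses both codes, so it must
    # leave a trace the patient can review afterwards.
    if emergency:
        record.audit.append(f"EMERGENCY: {org} opened {doc_id} without a code")
        return True

    # A document-level code is the tightest control and is checked first.
    doc_code = record.document_codes.get(doc_id)
    if doc_code is not None:
        if presented_code == doc_code:
            return True
        record.audit.append(f"DENY: {org} lacked document code for {doc_id}")
        return False

    # No record-level code set (the default): the record is open to any
    # registered provider, with no code exchange at all.
    if record.record_code is None:
        return True

    # A record-level code is set: the org either already holds it, or
    # presents it now and is remembered, as when the patient hands it over.
    if org in record.trusted_orgs:
        return True
    if presented_code == record.record_code:
        record.trusted_orgs.add(org)
        return True
    record.audit.append(f"DENY: {org} lacked record code for {doc_id}")
    return False


def compare_defaults() -> Dict[str, bool]:
    """Same provider, same documents: default settings versus hardened ones.
    Records, codes and organisation names here are constructed sample data."""
    default_rec = HealthRecord(owner="patient-1")
    hardened = HealthRecord(owner="patient-1", record_code="4821",
                            document_codes={"mental-health-summary": "9930"})
    org = "Unknown Clinic"
    return {
        # Default record: any registered provider is allowed straight in.
        "default_any_provider": authorise(default_rec, org, "prescriptions"),
        # Hardened record: no code, no access.
        "hardened_no_code": authorise(hardened, org, "prescriptions"),
        "hardened_with_code": authorise(hardened, org, "prescriptions",
                                        presented_code="4821"),
        # The org is now remembered and does not re-present the code.
        "hardened_remembered": authorise(hardened, org, "allergies"),
        # The record code alone does not open a document with its own code.
        "hardened_doc_needs_own_code": authorise(
            hardened, org, "mental-health-summary", presented_code="4821"),
        "hardened_doc_code": authorise(
            hardened, org, "mental-health-summary", presented_code="9930"),
        # Break-glass access succeeds but is logged.
        "emergency_override": authorise(hardened, "Emergency Dept",
                                        "mental-health-summary", emergency=True),
    }
```

Run `compare_defaults()` and inspect `hardened.audit` to see the point the text makes: with the record code left at its default of "not set", the first call succeeds without any code being exchanged, and only the hardened record produces denials or an audit entry for the emergency override.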
Healthcare Data Breaches Dominate
A concern for any Australian electronic records program is that most of the data breaches reported to the country's regulator have concerned the health sector. For the last two quarters, healthcare service providers have reported the most data breaches under the country's mandatory breach notification law, according to the Office of the Australian Information Commissioner's quarterly reports (see: Australia's Biggest Breach Offender: Healthcare Sector).
With My Health Record, Warren says that he "suspects that we'll see a breach in the future that we were told couldn't happen."