This is a copy of a paper produced by the Parliamentary Library.
It has been removed from the Library’s website. This is taken from a cached copy available on Google:
Law enforcement access to My Health Record data
Posted 23/07/2018 by Nigel Brew
My Health Record (MHR) was introduced in June 2012 by the Gillard Labor Government originally as an opt-in system known as the Personally Controlled Electronic Health Record (PCEHR) before legislative amendments in 2015 introduced by the Abbott Coalition Government renamed it and laid the groundwork for it to become an opt-out system. Law enforcement access to MHR data is among the privacy concerns raised about the program, but this provision was in the original legislation and received little attention when the Bill was debated.
The PCEHR/MHR has been operating for six years now since July 2012 and was characterised in 2015 by Labor politicians as a ‘proud Labor reform’ and a ‘natural extension’ of Medicare. The MHR system is operated by the Australian Digital Health Agency (ADHA) as a ‘secure online summary of an individual’s health information’. However, under certain circumstances, MHR data may be provided to an ‘enforcement body’ for purposes unrelated to a person’s healthcare. An ‘enforcement body’ is defined in section 6 of the Privacy Act 1988 as the Australian Federal Police, the Immigration Department, financial regulatory authorities, crime commissions, any state or territory police force, anti-corruption bodies, and any federal or state/territory agency responsible for administering a law that imposes a penalty or sanction or a prescribed law, or a law relating to the protection of the public revenue.
Section 70 of the My Health Records Act 2012 enables the System Operator (ADHA) to ‘use or disclose health information’ contained in an individual’s My Health Record if the ADHA ‘reasonably believes that the use or disclosure is reasonably necessary’ to, among other things, prevent, detect, investigate or prosecute any criminal offence, breaches of a law imposing a penalty or sanction or breaches of a prescribed law; protect the public revenue; or prevent, detect, investigate or remedy ‘seriously improper conduct’. Although ‘protection of the public revenue’ is not explained, it is reasonable to assume that this might include investigations into potential fraud and other financial offences involving agencies such as Centrelink, Medicare, or the Australian Tax Office. The general wording of section 70 is a fairly standard formulation common to various legislation—such as the Telecommunications Act 1997—which appears to provide broad access to a wide range of agencies for a wide range of purposes.
While this should mean that requests for data by police, Home Affairs and other authorities will be individually assessed, and that any disclosure will be limited to the minimum necessary to satisfy the request, it represents a significant reduction in the legal threshold for the release of private medical information to law enforcement. Currently, unless a patient consents to the release of their medical records, or disclosure is required to meet a doctor’s mandatory reporting obligations (e.g. in cases of suspected child sexual abuse), law enforcement agencies can only access a person’s records (via their doctor) with a warrant, subpoena or court order.
The Australian Medical Association’s existing Ethical Guidelines for Doctors on Disclosing Medical Records to Third Parties 2010 (revised 2015) note:
It seems unlikely that this level of protection and obligation afforded to medical records by the doctor-patient relationship will be maintained, or that a doctor’s judgement will be accommodated, once a patient’s medical record is uploaded to My Health Record and subject to section 70 of the My Health Records Act 2012. The AMA’s Guide to Medical Practitioners on the use of the Personally Controlled Electronic Health Record System (from 2012) does not clarify the situation.
Although it has been reported that the ADHA’s ‘operating policy is to release information only where the request is subject to judicial oversight’, the My Health Records Act 2012 does not mandate this and it does not appear that the ADHA’s operating policy is supported by any rule or regulation. As legislation would normally take precedence over an agency’s ‘operating policy’, this means that unless the ADHA has deemed a request unreasonable, it cannot routinely require a law enforcement body to get a warrant, and its operating policy can be ignored or changed at any time.
The Health Minister’s assertions that no one’s data can be used to ‘criminalise’ them and that ‘the Digital Health Agency has again reaffirmed today that material … can only be accessed with a court order’ seem at odds with the legislation which only requires a reasonable belief that disclosure of a person’s data is reasonably necessary to prevent, detect, investigate or prosecute a criminal offence.
This uncertainty has left different advocacy groups concerned. The Chief Executive Officer of the Sex Workers Outreach project has been reported saying that warrantless law enforcement access to medical records was the main reason sex workers were concerned about MHR, pointing out that ‘“Sex work is criminalised in a number of states … So, if I’m in the ACT and somebody suspects me of sex working, and they go into my medical record and that proves it, I can end up in jail”’. Similarly, while the Federation of Ethnic Communities’ Councils of Australia supports the MHR, it was reported that ‘it hopes My Health Record information will not be used for the purposes of immigration enforcement or decisions’. Such fears are possibly not without foundation. Until recently, data-sharing arrangements in the UK between the National Health Service and the Home Office meant that medical records were being used to track down illegal immigrants:
It is interesting to note that while disclosure of personal information under Australian social security law for the purpose of enforcing the law must satisfy a higher bar compared with the My Health Records Act 2012, the provisions permitting disclosure of Medicare information for the purpose of enforcing the law are actually broader than the My Health Records Act 2012.
Although the disclosure provisions of different agencies may be more or less strict than those of the ADHA and the My Health Records Act 2012, the problem with the MHR system is the nature of the data itself. As the Law Council of Australia notes, ‘the information held on a healthcare recipient’s My Health Record is regarded by many individuals as highly sensitive and intimate’. The National Association of People with HIV Australia has suggested that ‘the department needs to ensure that an individual’s My Health Record is bound to similar privacy protections as existing laws relating to the privacy of health records’. Arguably, therefore, an alternative to the approach of the current scheme would be for medical records registered in the MHR system to be legally protected from access by law enforcement agencies to at least the same degree as records held by a doctor.