My Health Record: Sensitive health information could be made available to more than your GP
Sue Dunlevy,
National Health Reporter, News Corp Australia Network
Daily Telegraph
August 3, 2018 10:00pm

A major privacy flaw has been identified in the $2 billion My Health Record which means podiatrists and dietitians will be able to see if you have a mental illness or sexually transmitted disease.

The former deputy privacy commissioner of NSW and privacy consultant Anna Johnston says she is very concerned the default setting of the My Health Record is open access and it needs to be changed.

Every Australian will get an online My Health Record that will reveal if they have had an abortion, a mental illness, a drug addiction or sexually transmitted disease unless they opt out by November 12.

Tens of thousands of Australians are racing to opt out of the record, enduring telephone queues as long as 82 minutes to do so.

To ensure it is only their GP who gets to see their sensitive health information patients have to set a PIN number or access code on their My Health Record and until then any of the 900,000 registered health practitioners can see the information.

The vast majority of the population won’t even know they have a My Health Record, they  won’t understand it is set on open access and many won’t have the technical proficiency to set access controls, Ms Johnston says.

Ms Johnson’s firm Salinger Privacy was part of a group that did a privacy impact assessment of the My Health Record for the government before the shift to opt out.

The group made numerous recommendations to the government about improving privacy settings on the record but many were not followed, she says.

Ms Johnston is opting out of the record because the health benefits do not outweigh the privacy risks for her, she says.

Former AMA president Professor Kerryn Phelps has echoed her concerns and says “nobody seems to know how to set these access controls, particularly older people who are not computer literate”.

Both Professor Phelps and Ms Johnston say the record must shifted back to an opt in system until all the privacy problems are fixed.

A spokesperson for health Minister Greg Hunt said “the protection of patient information and privacy is critical and we have strong safeguards in place to protect health information in Australia”.

“Only a patient’s registered health provider can access their record and it is wrong and false to describe it as a searchable system,” he said.

Health Minister Greg Hunt bowed to public pressure and announced changes to the My Health Record legislation after meeting doctors earlier this week.

As a result police and the government agencies will now require a court order to access the record, when a record is cancelled it will be expunged from the system, not kept for 130 years, and the opt out period has been extended by one month.

Ms Johnston says the minister needs to meet with privacy experts, not just doctors, to ensure the all the privacy problems with the system are fixed.

Professor Phelps says the fact that eight out of ten doctors plan to opt out of the record shows the profession does not support it and is unlikely to use it.

The former head of Prime Minister Malcolm Turnbull’s Digital Transformation Agency Paul Shetler says when he was briefed on it he found the system had very limited functionality and was not a “great user experience”.

Doctors have not been using the system and even when the government paid doctors to use the record many gave up tens of thousands of dollars in incentive payments because they preferred not to use it, he said.

“This is horrible. The government has spent all this money and citizens won’t sign up, they don’t see the benefit and GPs won’t use it,” he said.

“They can’t pay people to use it so they are dragooning them into it through opt out,” he said.

The privacy settings on the system do not meet the new standards set by the European Union and he says “there is no reason why Australians should expect less privacy protection than the governments of Europe expect from their companies”.