What we and others think of My Health Record

The Australian Privacy Foundation recognises that electronic records, carefully designed and implemented to support clinicians, can assist with health care.

These record systems need to enable health professionals to make better decisions, be intuitive to use, be adaptable and in no way make their jobs harder than they are already.

There are two major problems with My Health Record that are insurmountable i.e. the basic design is flawed. The first is that it is government owned, the second is that governments of the future can change the laws regarding the use of My Health Record Data. See our media release [6]. This is a good article that describes these risks [46]

Unfortunately, simplistic IT solutions that gather large amounts of raw, un-managed patient data, which can be matched with other data sources, which are onerous to use, and which are easily accessible over the internet, potentially by hackers, can create far more insidious problems than they solve. In our opinion the My Health Record falls into all these categories.

It is also worth noting that My Health Record is a summary system, is not a real health record like the ones your GP and hospital might hold. It is like comparing a bicycle with a 4+4 SUV. Both will get you to the local shops and back for a paper, but the SUV does far more.

Furthermore, the gung-ho attitude of technology specialists and the politically driven decision to make the My Health Record opt-out means that patient trust, patient choice and patient care are being put at major risk.

The risks to your privacy, confidentiality and information security need to be balanced by the value of your health records to you and your health care providers. In our assessment, because it is not really your health record but a less-reliable copy, the My Health Record has little value for either your clinicians or you as a patient: you both need the real thing. This means the risks to you may be high enough to question whether My Health Record is worth it.

In an article in the Guardian, [21] Julia Powles currently visiting UWA Law School says “legal authority does not necessarily command social legitimacy,” as explained in a superb analysis in the Journal of Medical Ethics. “A parliamentary majority may allow legislation to be passed,” the authors state, “but that does not equate to a societal seal of approval or to securing the trust and confidence of patients, citizens, healthcare professionals and researchers.” In other words, the government has not earned the right or trust to implement such a privacy invasive system.

Most clinicians already use an electronic medical record system. These can be improved by better communication between existing systems, not by introducing another, less useful, less secure copy in a system that has some of the hallmarks of a scheme designed for surveillance and less-controlled disclosure, rather than your healthcare.

It is not generally known but the government has several mechanisms by which they they pay GPs to upload your health data. In other words, GPs are selling your health data to the government. They do this at the expense of time available to attend to your needs you during consultations.  Just watch your GP next time you see them and observe how much time they spend with their eyes on their computer screen and not you. Do you feel like a patient or a product being sold?

There are many other things the government is not being open and transparent about. If you look at their advertising material or the government’s website myhealthrecord.gov.au there are many claims about the alleged benefits of having a My Health Record. What you won’t find is anything about the costs and risks.

Neither will you see anything that tells you that your are responsible for your My Health Record – nobody else is. It is up to you to ensure that it is accurate, up-to-date and fit for purpose – i.e. it does what you want it to do. If you are not comfortable taking on this responsibility, or are not able because of a lack of internet access or skills and doing it for the rest of your life. Then you would be well advised to seriously consider opting-out.

How to opt-out of My Health Record.

Go to this website and follow the instructions

You will need:

Your Medicare card or a Department of Veterans’ Affairs (DVA) card; and

One of the following forms of current Australian identification:

  • your Driver licence, or
  • your Passport, or
  • your ImmiCard

If you don’t have these, but still want to stop a My Health Record from being automatically created, you can call the Help line on 1800 723 471.

Why you might consider opting out:

The government is giving every impression of only being interested in getting its registration numbers up so it can claim it is a success. It is not concerned with the My Health Record being useful or being given to people who should really think carefully before allowing their details to be included.

Nowhere does it discuss reasons why you may be better off not having one, or at least why you should think about not having one.

Here are some reason why you should think twice about becoming involved:

  1. You do not feel comfortable, or are not able to, take responsibility for ensuring your My Health Record is accurate, up-to-date and fit for purpose;
  2. If you have a medical condition that can lead to discrimination (STI, AIDS, Depression / Mental Illness, Diabetes etc);
  3. Where you wish to keep your contact details confidential.This might be from someone who might do you harm if they know where you live. e.g. an abusive partner, someone subject to an AVO etc.It could also be because of your employment – a policeman/woman a government official etc;
  4. If you have, or have had, a medical condition that could cause embarrassment;
  5. If you are being treated for an addiction that might cause law enforcement agencies to investigate you.
  6. If you are a public figure and do not want your health and/or personal details made available;
  7. If there is a risk that an insurance company may wish to obtain your complete medical history;
  8. Where you feel you cannot properly manage your health record because of age, ability or economic circumstances; and
  9. If you believe that the government may link your health data, your census data and/or your telecommunication meta data.

The Flight Safety Group of VIPA, representing pilots from the Virgin Group (Virgin Australia Airlines, Tiger Airways and Virgin Australia Regional Airlines) has “issued a warning to all pilots to not participate in the My Health Record” [11]

Hepatitis NSW say [12]:

Some people may find their My Health Record places them at risk of stigma and discrimination or may cause safety issues.

You may wish to carefully consider whether you want your health records held or shared if you:

  • have a criminal record or are affected by the criminal justice system
  • use or have used drugs
  • live with a lifelong transmissible condition such as HIV or hepatitis B
  • have or had hepatitis C
  • are not on treatment after it was recommended
  • are sexually active and test regularly for STIs
  • are or have been a sex worker
  • are transgender or intersex
  • are bisexual, lesbian or gay
  • have lived with mental health issues
  • have been pregnant or terminated a pregnancy
  • are a health care worker.

Security

Not everyone believes the government’s claims regarding the security of My Health Record.

Media reports have the (Health) minister (Greg Hunt) assuring Australians that the national online health records database features “military-grade security”, but there’s no such thing as “military-grade security” [36]

Whatever the term might mean, it surely can’t take into account several aspects of My Health Record. Would the military countenance millions of potentially insecure end points? Who says every doctor observes good security practices? Or that all hospitals have state-of-the-art antivirus software? Or that Jane Public knows how to keep log-in credentials safe?

“Nigel Phair, Director of the UNSW’s Canberra Cyber told nine.com.au while the site itself might have the latest security, it’s the people using it who could be the problem.”

“The real issues come around things like, I go to my GP and there might be two receptionists and five or six doctors. The front desk isn’t always occupied – there might be a post-it note on the screen with log in details which I can look at,” he said.

“Hospitals is the next thing, particularly when you start looking a mobile devices, and lastly phishing where criminals spoof the website and get people to divulge their username and passwords.

“There’s nothing more sensitive in life than your health records.”

“You don’t want them falling into criminals’ hands but you also don’t want them to fall into the hands of insurance companies.” [6]

“The best security is to prevent it from accumulating information on you in the first place. Then there’s none to steal or to misuse. Opting out of My Health Record is the only sensible option.” [7] (Bernard Keene, Crikey)

Privacy

Controls

These are dubious at best. They are hard to set, especially if you are not familiar with technology. You can only put privacy controls on a document once it has been uploaded, so there may well be a gap between the document being uploaded and you discovering it and putting controls on it.

As soon as your data is downloaded to other systems, any privacy controls you may have set in My Health Record are no longer  in force.

Access by the Government

And then there is the government’s access to your health data: “there are a wide range of circumstances in which any privacy controls you set can be overridden without your consent, meaning that data can be disclosed without your knowledge. These include making information available to third parties for purposes that are unrelated to healthcare — such as law enforcement.”[8]

Information shared without your consent

The move to opt-out has meant that the government no longer has to get your informed consent to register you and to acquire and share your health data.

“(Consumers of Mental Health WA) has found My Health Record may not benefit everyone equally. There are a number of unresolved issues that raise concerns for people’s rights and may cause unintended consequences including people’s information being shared without their knowledge and consent.” [9]

The legal basis of My Health Record

It may be surprising to some that, in Australia at least, there is no fundamental right to privacy. There are laws that protect aspects of your confidential information, including the Privacy Act 1988 (Cth) and associated Privacy Principles, that impose sanctions on those who fail to properly deal with private data. Common law remedies also exist in theory, however there is no readily accessible statutory cause of action that allows a privacy breach victim to claim their emotional distress and other damages. This gap in our law was the subject of a 2014 Australian Law Reform Commission Report, to which the Australian government has never formally responded.

Instead, since late February 2018 we now have a mandatory requirement for various entities including government and larger businesses, to report breaches of privacy. If your data is compromised (accessed by those who are not authorised), you must be notified and suggestions offered on ways to mitigate any impact. If your credit card details are leaked, for example, a suggestion might be to cancel those cards to prevent unauthorised use.

Under this new law, you will know exactly when your privacy was compromised. Cold comfort perhaps, however the intent is that a process of reporting will ultimately lead to better protections.

Of course, not all private information is the same. It is hard to imagine what should be done to mitigate the impact of a breach of personal medical information. Once disclosed, such information cannot simply be cancelled – it remains true, sensitive and open to abuse no matter what is done in response.

One thing is clear: the law is not able to physically protect your private information. It can only respond to breaches that have already occurred. Allowing your private information to exist outside of your direct personal control then becomes a question of risk versus benefit.”

For more information about the legal issues of My Health Record see here: The law and My Health Record


Links to resources that you may use to decide if you wish to opt-out

The government is only giving you one side of My Health Record – what they think the benefits are. Have a look at what they tell you about the costs, risks and potential disadvantages to minority communities in Australia. Can you find anything? No. There isn’t anything.

To help you make an informed choice, here is more information to balance out the government’s spin.

Australian Privacy Foundation Material

  1. A summary of My Health Record APF
  2. For Sale – Your Privacy and Your Health Data APF Media Release
  3. The law and My Health Record APF
  4. The truth about My Health Record APF
  5. My Health Record: on a path to nowhere? APF
  6. The biggest risk to My Health Record – the government  APF Media Release
  7. Privacy, Trust and My Health Record, or The Spy in The Consulting Room APF

Other Media

  1. My Health Record an ‘abuse of trust’ InnovationAus
  2. Privacy in digital health: Matters of trust in a scandal-plagued era HealthCareIT
  3. ‘You can’t undo that damage’: How safe is your health data? SMH
  4. Important Overview Of The Pros, Cons And Questions About My Health Record Croakey
  5. PLHIV & My Health Record Positive Life NSW (an HIV support group) 
  6. Cyber security experts warn patients over online medical record plan for all Aussies 9news
  7. My Health Record could be our worst government data breach yet Crikey
  8. My Health Record National Association of People with HIV Australia
  9. Message from the CEO of Consumers of Mental Health WA COMHWA
  10. My Health Record Information Brief for Sex Workers Scarlet Alliance
  11. Virgin Australia Pilot’s Unions Concerned Over Data Breach medianet
  12. My Health Record: information about your options Hepatitis NSW
  13. What patients want from Digital Health APF
  14. If in doubt, opt OUT. My Health Record warning issued by leading mental health peak bodies
  15. The latest health data breach is one reason why I’ll be opting out of MyHealthRecord
  16. Union may urge e-health system withdrawal SBS
  17. Why I’m opting out of the government’s digital health record and you should too SMH
  18. My Health Record – Opting out  counterAct
  19. Top 10 most awkward questions about the MHR Medical Republic
  20. My Health Record opt-out debate is getting silly but government is at fault
  21. There is no social licence for My Health Record. Australians should reject it The Guardian
  22. ‘Once You’re On The System, You’re On There For Good’: My Health Record 101 an LGBTI on-line publication
  23. An Attempt At Nuance Regarding MyHealthRecord Justin Warren’s blog
  24. A digest of Trent Yarwood’s Twitter activity and articles (some overlap with links, above)
  25. ‘Errors and incompetence’: Australians split over government’s opt-out digital health records
  26. Why I am opting out of MyHealthRecord – for now. Kangaroo Island doctor blogging about Rural Medicine in Australia
  27. People Keep Finding They Have Online Health Records They Never Signed Up For BuzzFeed News
  28. My Health Record ‘identical’ to failed UK scheme, privacy expert says The Guardian
  29. ‘Zero confidence’: Labor MP in push for opt-in digital health records SMH
  30. Opt out of the national My Health Record database or face the consequences. Greg Barnes (Lawyer) The Mercury
  31. As a doctor, here’s why My Health Record worries me Dr Kerryn Phelps, ex president AMA
  32. Liberal Tim Wilson opts out of My Health Record and says it should be opt-in The Guardian
  33. The My Health Record story no politician should miss ZDNet
  34. My Health Record bombed by Singapore hack Medical Republic
  35. When nudge comes to shove: making e-health opt-out was always a risky venture The Manderin
  36. Why My Health Record can’t have ‘military-grade’ security Australian Financial Review
  37. MHR legislation contradicts agency InnovationAus
  38. Blind and low vision community neglected in My Health Record opt-out process Vision Australia
  39. ‘Significant privacy concerns’ over myHealth Record system  Parliamentary joint committee on human rights (2015)
  40. Australian Women’s Abortion Data At Risk Whimn
  41. ‘Serious’ risks of domestic violence in new online health system Brisbane Times
  42. Turnbull Government misinformation on My Health Record data. Independent Australia
  43. Privacy concerns on My Health Record need to be addressed. The Manderin
  44. Shetler: How to fix the MHR InnovationAus
  45. What could a My Health Record data breach look like? The Conversation
  46. My Health Record: it’s worse than you think Liberty Works
  47. My Health Record: Greg Hunt’s warrant claims contradicted by police union The Guardian
  48. GPs and social service providers demand My Health Record protections The Guardian
  49. My Health Record needs privacy improvements to restore public confidence: Human Rights Commissioner, Edward Santow
  50. My Health Record – Do the Risks Outweigh the Advantages? Matthew Setter. Security Researcher
  51. Freezing out the folks: default My Health Record settings don’t protect teens’ privacy The Conversation
  52. My Health Record – An Ethical Quagmire The Philososphere blog. Carley Tonoli
  53. My Health Record – More time, better information Inclusion Australia. The voice of those with an intellectual disability.
  54. The Data Sharing and Release Act is coming for your data Rosie Williams, investigative/data journalist
  55. To stay in or to opt out? That is the question! Grey Nomads
  56. A surgeon’s very real concerns about My Health Record Women’s Agenda
  57. My Health Record: former privacy head warned of dangers six years ago The Guardian
  58. Poor patching, lack of guidance leaving Australian healthcare data exposed CSO Magazine
  59. Canberra still in denial over My Health Record concerns ZDNet (Stilgherrian)
  60. Patients trust their secrets to doctors, not the government or the tax office The Guardian
  61. Majority of doctors say they won’t use My Health Record for their own care: survey Australian Doctor
  62. Don’t fall for My Health Record data binge Eureka Street
  63. Health Minister backs down on My Health Record SMH
  64. My Health Record a new battleground in family disputes SMH
  65. My Health Record: Deleting personal information from databases is harder than it sounds The Conversation
  66. E-health records opt out period extended news.com.au
  67. My Health concessions ‘woefully inadequate’, says former AMA president Kerryn Phelps. SMH
  68. The My Health Record debacle and the need for trust in communications Mumbrella
  69. Thriving on Dark Web: The My Health Record and Data Insecurity Dr Binoy Kampmark
  70. Alarming new My Health Record privacy flaw Daily Telegraph
  71. Doctor-patient privilege dies with My Health Record News Weekly
  72. My Health Record: Canberra is still missing the point ZDNet (Stilgherrian)
  73. Chronic care patients forced to have My Health Records to access government’s Health Care Homes program HealthcareIT
  74. The positives and perils of My Health Record The Saturday Paper
  75. My Health Record can store genomic data but critics say it’s not ready SMH
  76. We need new ways to protect people in the digital era SMH
  77. My Health Privacy Changes ‘Just A Few Band-Aids’, More Needed Ten Daily
  78. Security fears are still too high, so I’m opting out of My Health Record Australian Financial Review
  79. ‘At Risk’ Australians Blocked From My Health Opt-Out Ten Daily
  80. The troubling implications of My Health’s genetic info plans SMH
  81. Turning your health data into a “wellness score” might not be good for you The Conversation
  82. My Health Record – a flawed initiative Information Technology Professionals Association
  83. MyHealthRecord raises data privacy bar The Warren Centre
  84. Healthcare IT Security Worst of Any Sector With External Threats Health IT Security
  85. Cyber Insurance Recommended for All Physician Practices Physicians briefing
  86. The healthcare industry is in a world of cybersecurity hurt TechCrunch
  87. My Health Record: A further erosion of civil liberties? The Big Smoke Australia
  88. GP fed up with health record says ‘bring in a USB’ Gladstone Observer
  89. Patients And The Data Breach Notification Maze Dr Megan Prictor, University of Melbourne
  90. Former Pentagon cyber chief says hackers will exploit My Health Record flaws The Financial Review
  91. ​Labor promises inquiry into My Health Record ZDNet
  92. New data access bill shows we need to get serious about privacy with independent oversight of the law The Conversation
  93. Tell me again why the Turnbull Government is insisting My Health Record will become mandatory by the end of October 2018? North Coast Voices
  94. Five lessons from the #MyHealthRecord discussion for #PrecisionMedicine Declan Kuch. Medium
  95. Privacy concerns go beyond just My Health Record Medical Republic
  96. Firearms Registries, External data storage & MyHealthRecord Law Abiding Firearm Owners Inc
  97. My Health Record expansion: Why citizens’ data must be protected Australian Business Review
  98. MHR now set to face a Senate inquiry Medical Republic

The Parliamentary Paper

  1. Law enforcement access to My Health Record data Parliamentary Library Paper Original Version
  2. Law enforcement access to My Health Record data Revised  Parliamentary Library Paper Revised Version
  3. Down The Memory Hole Trent Yarwood’s Comparison

Alternative Solutions/Approaches to My Health Record

  1. Apple says iOS Health Records has over 75 backers, uses open standards
  2. Sweden
  3. Sweden
  4. Patient-Online UK
  5. Coordinate My Care UK
  6. Patient Portals to GP systems New Zealand

The Chaser Team deserve their own section:

The Shovel

And we can’t forget the odd political cartoon

Opt out! Cassandra the Information Technology Wobbegong on My Health Record

Hacked – Matt Golding

Audio

Government accused of not doing enough to persuade people to remain on My Health Report
ABC Radio National Breakfast
Wednesday 18 July 2018 6:51AM

Government accused of encouraging doctors to “sell” confidential patient data
By George Roberts on ABC PM
Mon 16 Jul 2018, 5:02pm

Other Resources

For the best source of current, well informed opinions and information on Digital Health and My Health Record in particular, go to the blog of Dr David More: Australian Health Information Technology. The comments are particularly useful as they give a voice to people with deep knowledge but who are not in a position to express their opinions publicly.


Contacts

Dr Bernard Robertson-Dunn
Chair, Health Committee
Australian Privacy Foundation
Bernard.Robertson-Dunn@privacy.org.au
Mobile 0411 157 113