Law enforcement access to My Health Record data

Note: This FlagPost was originally published on 24 July 2018. It has since been amended to reference the provisions of the Privacy Act 1988 relevant to the release of health information by private medical practitioners. As an adjunct task, it has also been updated to reflect developments since its original publication. The Library is committed to providing the highest quality information and analysis to the Parliament and always welcomes feedback on its work.

My Health Record (MHR) was introduced in June 2012 by the Gillard Labor Government originally as an opt-in system known as the Personally Controlled Electronic Health Record (PCEHR) before legislative amendments in 2015 introduced by the Abbott Coalition Government renamed it and laid the groundwork for it to become an opt-out system. Law enforcement access to MHR data is among the privacy concerns raised about the program, but this provision was in the original legislation and received little attention when the Bill was debated.

The PCEHR/MHR has been operating for six years now since July 2012 and was characterised in 2015 by Labor politicians as a ‘proud Labor reform’ and a ‘natural extension’ of Medicare. The MHR system is operated by the Australian Digital Health Agency (ADHA) as a secure online summary of an individual’s health information’. However, under certain circumstances, the Act provides that MHR data may be provided to an ‘enforcement body’ for purposes unrelated to a person’s healthcare. An ‘enforcement body’ is defined in section 6 of the Privacy Act 1988 as the Australian Federal Police, the Immigration Department, financial regulatory authorities, crime commissions, any state or territory police force, anti-corruption bodies, and any federal or state/territory agency responsible for administering a law that imposes a penalty or sanction or a prescribed law, or a law relating to the protection of the public revenue.

Section 70 of the My Health Records Act 2012 enables the System Operator (ADHA) to ‘use or disclose health information’ contained in an individual’s My Health Record if the ADHA ‘reasonably believes that the use or disclosure is reasonably necessary’ to, among other things, prevent, detect, investigate or prosecute any criminal offence, breaches of a law imposing a penalty or sanction or breaches of a prescribed law; protect the public revenue; or prevent, detect, investigate or remedy ‘seriously improper conduct’. Although ‘protection of the public revenue’ is not explained, it is reasonable to assume that this might include investigations into potential fraud and other financial offences involving agencies such as Centrelink, Medicare, or the Australian Tax Office.

This should mean that requests for data by police, Home Affairs and other authorities will be individually assessed, and that any disclosure will be limited to the minimum necessary to satisfy the request.

Law enforcement access to health records held by general practitioners is subject to Australian Privacy Principle 6.2(e) in Schedule 1 of the Privacy Act 1988, which is cast in similar terms to section 70 of the My Health Records Act 2012, as well as to relevant state and territory legislation relating to privacy and to medical records. Typically, unless a person consents to the release of their medical records, or disclosure is required for a medical emergency or to meet a doctor’s mandatory reporting obligations, access to these records is, as the president of the Australian Medical Association has stated, ‘really only through a judge’s request, through the judicial oversight’. As the AMA’s existing Ethical Guidelines for Doctors on Disclosing Medical Records to Third Parties 2010 (revised 2015) note:

Trust is a vital component of the doctor-patient relationship. Patients trust doctors to keep their personal information confidential including their medical records.

The AMA believes that any action by third parties, including Government, to compel doctors to disclose patients’ medical records must overwhelmingly be proven to serve the public interest. The public benefit of such disclosure must outweigh the risk that patients may not seek medical attention or may modify the personal information they disclose to their doctor because of fears their privacy will be breached.

In cases where there is a warrant, subpoena or court order requiring the doctor to produce a patient’s medical record, some doctors and/or patients may wish to oppose disclosure of clinically sensitive or potentially harmful information. The records should still be supplied but under seal, asking that the court not release the records to the parties until it has heard argument against disclosure.

As the Law Council of Australia notes, ‘the information held on a healthcare recipient’s My Health Record is regarded by many individuals as highly sensitive and intimate’. For its part, the ADHA has stated that it ‘has not and will not release any documents without a court/coronial or similar order’, a point which the Health Minister has reiterated (while the ADHA has stated that ‘no documents have been released in the last six years’, it has also been reported as stating that no requests from police have yet been received). However, the My Health Records Act 2012 does not mandate this, and it does not appear that the ADHA’s operating policy is supported by any rule or regulation.

This has left different advocacy groups concerned. The Chief Executive Officer of the Sex Workers Outreach project has been reported saying that warrantless law enforcement access to medical records was the main reason sex workers were concerned about MHR, pointing out that ‘“Sex work is criminalised in a number of states … So, if I’m in the ACT and somebody suspects me of sex working, and they go into my medical record and that proves it, I can end up in jail”’. Similarly, while the Federation of Ethnic Communities’ Councils of Australia supports the MHR, it was reported that ‘it hopes My Health Record information will not be used for the purposes of immigration enforcement or decisions’. Until recently, data-sharing arrangements in the UK between the National Health Service and the Home Office meant that medical records were being used to track down illegal immigrants:

Digital Minister Margo James said the government had reflected on the concerns she raised—“and with immediate effect, the data-sharing arrangements between the Home Office and the NHS have been amended”.

She added: “The bar for sharing data will now be set significantly higher, by sharing I mean between the Department of Health, the Home Office and in future possibly other departments of state, no longer will the names of overstayers and illegal entrants be sought against health service records to find current address details.”

Ms James told MPs that the data would only be used in future “to trace an individual who is being considered for deportation action having been investigated for or convicted of a serious criminal offence”.

It is interesting to note that while disclosure of personal information under Australian social security law for the purpose of enforcing the law must satisfy a higher bar compared with the My Health Records Act 2012, the provisions permitting disclosure of Medicare information for the purpose of enforcing the law are actually broader than the My Health Records Act 2012.

A media release issued by the Australian Medical Association on 25 July states that the Minister had ‘made a commitment to clear up any perceived ambiguity’ in the legislation. On 26 July, the Prime Minister stated that ‘the Government was absolutely committed to maintaining the privacy of the My Health Record system’ and that concerns expressed by the AMA and College of General Practitioners ‘will be addressed’.