Citation: Katina Michael with Nancy Notzon, December 7, 2018, “Rushing Through the Encryption Bill Means Watering Down National Security”, ABC Radio: The World Today, https://www.abc.net.au/radio/adelaide/programs/worldtoday/the-world-today/10573620 8.30-11.30min
Unions are claiming employers could potentially get access to the record through third parties under the default clause, and the government says the section below overrides the default clause.
Pilots and GPs are just two candidate job types where employers may seek access to health records under the guise of "duty of care" or "due diligence" using the "third parties" clause.
We are living in a society where people are being routinely socially sorted into "at risk" categories based on various digital and physical chronicles. Should a pilot who seeks help to manage stress levels be stood down? Should a GP who has gone through relationship problems due to long work hours and is mildly depressed have their license to practice suspended?
The government is backpedalling on claims that third parties will not have access to health records based on seemingly contradictory legislation (section 70).
Fundamentally, what is new here? Law enforcement has ALWAYS had the right to override someone's privacy based on the proportionality principle, from the very beginning of the enactment of the Privacy Act of Australia, but letting third parties have access to sensitive information (of which health information is one kind) is a completely different proposition. The fact that the legislation is seemingly contradictory leaves Australian workers second-guessing whether their individual case will be dealt with differently based on their employer's interpretation of the law.
It is one thing for an existing employee to have their license to practice revoked based on MyHealthRecord, and an almost completely different circumstance when a candidate is not hired for a job based on their MyHealthRecord. How would they ever know? It used to be that social media profiles of potential employees were screened for "best fit", but the future might be: "show us how mentally and physically healthy you are, and we will tell you how likely we are to hire you".
There are many GPs who have deleted their electronic health record to ensure they don't fall victim to such retrospective uses of the MyHealthRecord.
Section 14(2) of the Healthcare Identifiers Act 2010:
(2) This section does not authorise the collection, use or disclosure of the healthcare identifier of a healthcare recipient for the purpose of communicating or managing health information as part of:
(a) underwriting a contract of insurance that covers the healthcare recipient; or
(b) determining whether to enter into a contract of insurance that covers the healthcare recipient (whether alone or as a member of a class); or
(c) determining whether a contract of insurance covers the healthcare recipient in relation to a particular event; or
(d) employing the healthcare recipient.
MY HEALTH RECORDS ACT 2012 - SECT 61 Collection, use and disclosure for providing healthcare
(1) A participant in the My Health Record system is authorised to collect, use and disclose health information included in a registered healthcare recipient's My Health Record if the collection, use or disclosure of the health information is:
(a) for the purpose of providing healthcare to the registered healthcare recipient; and
(b) in accordance with:
(i) the access controls set by the registered healthcare recipient; or
(ii) if the registered healthcare recipient has not set access controls--the default access controls specified by the My Health Records Rules or, if the My Health Records Rules do not specify default access controls, by the System Operator.
MY HEALTH RECORDS ACT 2012 - SECT 5 Definitions
"healthcare" means health service within the meaning of subsection 6(1) of the Privacy Act 1988.
PRIVACY ACT 1988 - SECT 6FB Meaning of health service
(1) An activity performed in relation to an individual is a health service if the activity is intended or claimed (expressly or otherwise) by the individual or the person performing it:
(a) to assess, maintain or improve the individual's health; or
(b) where the individual's health cannot be maintained or improved--to manage the individual's health; or
(c) to diagnose the individual's illness, disability or injury; or
(d) to treat the individual's illness, disability or injury or suspected illness, disability or injury; or
(e) to record the individual's health for the purposes of assessing, maintaining, improving or managing the individual's health.
So a provider can assess, diagnose and record information subject to the “access controls” set by the user. This is where the issue of default settings comes into play.
Default Settings of My Health Record
How is consent managed in the My Health Record system?
By default, when an individual registers for a My Health Record they give standing consent for all registered healthcare provider organisations to access and upload information to their My Health Record. Healthcare professionals working in healthcare provider organisations can:
Access the individual's My Health Record during, or in regard to, a consultation or clinical event involving the individual; and
View all documents in the My Health Record system and upload documents to the My Health Record, unless the individual specifically requests the healthcare professional not to upload the document.