Industry calls for more caution over MHR system


As the Federal Government today pushes the button to create My Health Records for every Australian who wants one, the industry has called for more transparency around the security and secondary use of the records so that people can make more informed decisions about them.

The industry has also spoken out about data de-identification and re-identification, a global approach to cybersecurity issues as healthcare digitises, the information security requirements of the future, and blockchain as a way to alleviate some of the challenges associated with the My Health Record system.

On 26 November 2018, the Federal Parliament passed legislation to strengthen privacy protections in the My Health Records Act 2012 without debate or division.

The new legislation means that Australians can opt in or opt out of My Health Record at any time in their lives. Records will be created for every Australian who wants one after 31 January, and from then on they can choose to delete their record permanently at any time.

The date of 31 January follows much deliberation from the Federal Government to extend the opt-out date. Australians initially had until 15 October 2018 to opt out of the national health database, or a My Health Record was to be created for them by the end of that year. 

But after the opposition called for an extension to the opt-out period, a public outcry over the potential for the data to be shared with police and other government agencies, the leak of a government document detailing the Australian Digital Health Agency’s response to concerns, and a raft of changes recommended by the Senate Inquiry into My Health Record, the Federal Government pushed this date back and relaxed its stance on when Australians can opt in or opt out of the system.

Australian Academy of Technology and Engineering (ATSE) President Professor Hugh Bradlow said the collection of health data across the population will result in better health outcomes as it not only shows how effective interventions are, but also allows treatments to be personalised based on the experience of thousands of other patients.

“New forms of measurement (based on artificial intelligence) will also give patients far more significant information about institutional performance, practitioner performance, the outcomes of specific interventions, etc.,” he said.

The Society of Hospital Pharmacists of Australia (SHPA) Chief Executive Kristin Michaels said the My Health Record debate highlighted the need for an integrated ehealth system, accessible only to health professionals and set up at the request of health organisations, for the benefit of all Australians.

“All Australians, regardless of any illness or condition, deserve to get the highest-quality care,” Michaels said.

“More often than many would think, patients are unable to explain the medicines they are already taking and for what conditions they are already being treated, particularly after a seizure or if unconscious. Many of these patients are unaccompanied. Sometimes this lack of information leads to errors that have serious impacts on people’s lives. 

“[Hence] hospital pharmacists have long called for a shared, electronic patient data system that links up a fragmented health system and empowers patients in their own care.”

The issue of security 

However, University of Melbourne Department of Computing and Information Systems Cybersecurity Senior Lecturer Associate Professor Vanessa Teague expressed concern that the privacy implications of secondary uses of My Health Records are not being accurately explained.

“The My Health Record privacy policy says: ‘It is expected that most applications which are assessed will be for the use of de-identified data. This is where your personal details are removed from the dataset and you cannot be identified.’ Unfortunately, removing obvious personal details (such as name, location, and date of birth) does not securely de-identify the data,” Teague said.

“Both doctors and patients can be easily and confidently identified in a dataset… In the case of patients, this means that a few points of information, such as the patient's age and dates of surgeries or childbirths, is enough to identify the person and thus, retrieve all their Medicare bills and PBS [Pharmaceutical Benefits Scheme] prescriptions for many years.  

“Easy and confident re-identification has been demonstrated on numerous other datasets that were shared in the mistaken belief that they were de-identified. It is probably not possible to securely de-identify detailed individual records like My Health Records without altering the data so much that its scientific value is substantially reduced.” 

Teague said patients may choose to opt out of secondary uses of their data but are unable to make a “genuinely informed decision” if they are inaccurately told that their detailed record cannot be identified. 

“Even more importantly, those whose identifiable MBS [Medicare Benefits Schedule]-PBS records were already published in 2016 should be notified, because the earlier release could make re-identification of their My Health Records much easier,” she said. 

Harvard Medical School International Healthcare Innovation Professor Dr John Halamka also previously criticised the system for relying on outdated technology, saying that the $2 billion My Health Record was nothing more than “digitised paper” because it uses such “out-of-date” technology that crucial patient information on test results and diseases cannot be read or shared by computers.

University of Wollongong School of Computing and Information Technology Professor Katina Michael said health data breaches, for some, could have a huge impact. 

She cited the recent example from Singapore, where 1.5 million health records were breached in a highly targeted attack on SingHealth. Among the breached records were Singapore Prime Minister Lee Hsien Loong's personal records.

“What does this tell us when one of the world's most advanced cybersecurity nations suffers such a large-scale attack? Plainly, that no one's personal information is safe, no matter the measures in place,” she said.

“If we have learnt anything over the last four months, it is that electronic health records are hackable. We need not have to look too far to see that no system is impenetrable.”

Michael also speculated that blockchain initiatives could be ramped up to strengthen My Health Record security.

“We will likely be told in the not too distant future that we wildly underestimated our security requirements and as such, must go one step further and protect our credentials,” she said. 

According to Professor Michael, this involves an implant carrying a 16-digit Personal Health Record (PHR) ID number that also reads vital signs while embedded. The technology then alerts first responders to ailments and medications without the need for the person to provide any information.

ATSE’s Bradlow said the industry needs to be “realistic” about it, as the danger of data leaking through hacking is as real as for any other data system.

“Let’s remember that many [healthcare professionals] have easy access to today’s paper-based health records – an electronic record is actually a step up in privacy. Within My Health Record, we can make it the default to require a patient access code,” he said. 

“A well-designed record system which is managed by a professional security organisation and has a clear audit trail, for example, provided by blockchain, can mitigate this risk significantly.”

Source: Hafizah Osman, 31 January 2019, “Industry calls for more caution over MHR system”,

Note: Thank you Hafizah Osman— interestingly I was referring to the VeriChip experiment of the PHR that Dr John Halamka trialled for a short time and wrote about in 2006 here:

What might MyHR mean for workers in Australia?

Unions are claiming employers could potentially get access to the record through third parties under the default clause and the government says this section below overrides the default clause.


Pilots and GPs are just two candidate job types where employers may seek access to health records under the guise of "duty of care" or "due diligence" using the "third parties" clause. 

We are living in a society where people are being routinely socially sorted into "at risk" categories based on various digital and physical chronicles. Should a pilot who seeks help to manage stress levels be stood down? Should a GP who has gone through relationship problems due to long work hours and is mildly depressed have their license to practice suspended?

The government is backpedalling on claims that third parties will not have access to health records based on seemingly contradictory legislation (section 70).

Fundamentally, what is new here? While law enforcement has ALWAYS had the right to override someone's privacy based on the proportionality principle, from the very beginning of the enactment of the Privacy Act of Australia, letting third parties have access to sensitive information (which health information is) is a completely different proposition. The fact that the legislation is seemingly contradictory leaves Australian workers second-guessing whether their individual case will be dealt with differently based on their employer's interpretation of the law.

It is one thing for an existing employee to have their license to practice revoked based on MyHealthRecord, and an almost completely different circumstance when a candidate is not hired for a job based on their MyHealthRecord. How would they ever know? It used to be that social media profiles of potential employees were screened for "best fit", but the future might be: "show us how mentally and physically healthy you are, and we will tell you how likely we are to hire you".

There are many GPs who have deleted their electronic health record to ensure they don't fall victim to such retrospective uses of the MyHealthRecord. 

Section 14(2) of the Healthcare Identifiers Act 2010:

(2) This section does not authorise the collection, use or disclosure of the healthcare identifier of a healthcare recipient for the purpose of communicating or managing health information as part of:
(a) underwriting a contract of insurance that covers the healthcare recipient; or
(b) determining whether to enter into a contract of insurance that covers the healthcare recipient (whether alone or as a member of a class); or
(c) determining whether a contract of insurance covers the healthcare recipient in relation to a particular event; or
(d) employing the healthcare recipient.

MY HEALTH RECORDS ACT 2012 - SECT 61 Collection, use and disclosure for providing healthcare
(1) A participant in the My Health Record system is authorised to collect, use and disclose health information included in a registered healthcare recipient's My Health Record if the collection, use or disclosure of the health information is:

(a) for the purpose of providing healthcare to the registered healthcare recipient; and
(b) in accordance with:
(i) the access controls set by the registered healthcare recipient; or
(ii) if the registered healthcare recipient has not set access controls--the default access controls specified by the My Health Records Rules or, if the My Health Records Rules do not specify default access controls, by the System Operator.

MY HEALTH RECORDS ACT 2012 - SECT 5 Definitions[2]
"healthcare" means health service within the meaning of subsection 6(1) of the Privacy Act 1988.

PRIVACY ACT 1988 - SECT 6FB Meaning of health service[3]
(1) An activity performed in relation to an individual is a health service if the activity is intended or claimed (expressly or otherwise) by the individual or the person performing it:

(a) to assess, maintain or improve the individual's health; or
(b) where the individual's health cannot be maintained or improved--to manage the individual's health; or
(c) to diagnose the individual's illness, disability or injury; or
(d) to treat the individual's illness, disability or injury or suspected illness, disability or injury; or
(e) to record the individual's health for the purposes of assessing, maintaining, improving or managing the individual's health.

So a provider can assess, diagnose and record information subject to the “access controls” set by the user. This is where the issue of default settings comes into play.

Default Settings of My Health Record
How is consent managed in the My Health Record system?
By default, when an individual registers for a My Health Record they give standing consent for all registered healthcare provider organisations to access and upload information to their My Health Record. Healthcare professionals working in healthcare provider organisations can:
Access the individual's My Health Record during, or in regard to, a consultation or clinical event involving the individual; and
View all documents in the My Health Record system and upload documents to the My Health Record, unless the individual specifically requests the healthcare professional not to upload the document.