Govt moves to reinforce My Health Record privacy

The government will redraft part of the My Health Record legislation to make it harder for agencies and police to gain access to the contents of an electronic health record.

Health Minister Greg Hunt announced the change on Tuesday night following an emergency meeting with the Australian Medical Association (AMA) and the Royal Australian College of General Practitioners (RACGP) over mounting privacy concerns that threaten to derail the My Health Record project.

Hunt said that police and government agencies wanting to access any health record information would now need a court order to access it.

The extent to which the My Health Record legislation allowed warrantless access to the records and health data they contained has been in the spotlight over the past week.

Hunt had previously denied that access without a warrant or court order was possible, however parts of the legislation underpinning the health records said otherwise.

“No documents will be released without a court order,” Hunt said in a statement.

“This will be enshrined in legislation, [which] will therefore remove any ambiguity on this matter”.

Hunt also said the legislation would be changed so that “if someone wishes to cancel their record, they will be able to do so permanently, with their record deleted from the system”.

Presently, an individual's e-health record isn’t deleted from the system to make it easy to reinstate the record should the individual later change their mind.

Hunt also indicated that there would be “additional communications” made to the public on “the benefits and purpose” of the My Health Record scheme “so they can make an informed choice” on whether to opt out.

Fairfax reported that this could also mean Australians are given an extra month in which they can opt out of the scheme; elsewhere, the ABC suggested the opt-out period could become “indefinite”.

The proposed changes met with a lukewarm reception from privacy advocates, who argue that there are still too many weaknesses in the enabling legislation.

“Don't be fooled by the Minister's backdown on a couple of aspects of the #MyHealthRecord privacy concerns, there are bigger problems remaining. Like the 900,000 users with too-easy access to patient records,” Salinger Privacy director Anna Johnston tweeted.

The 900,000 users is a reference to the number of health industry practitioners expected to interact with the records. Their security practices and postures make them the most likely vector through which breaches or misuse could occur.

There also remain concerns at how My Health Record data could be accessed by other third parties such as health insurance providers.

Former Digital Transformation Office chief Paul Shetler - who recently branded the My Health Record rollout as “significantly flawed” - said in a tweet that the government’s changes amounted to “excellent first steps from the Dept of Health.”