My Health Record data could be uploaded without consent

Confidential healthcare data could be uploaded onto a My Health Record unbeknownst to an individual if activated by a clinician, bypassing otherwise stringent mechanisms to ensure the scheme is consent-based.

The potential for two years of Medicare Benefits Schedule (MBS) and Pharmaceutical Benefits Scheme (PBS) data to be uploaded to e-health records automatically was confirmed by Australian Digital Health Agency chief Tim Kelsey last week.

The scenario could arise where a newly created record is not personally activated following the forthcoming three-month opt-out period between July 16 and October 15.

The My Health Record scheme allows for “records to be activated when individuals login for the first time or when healthcare providers access record in treating their patients”.

On activation, individuals are afforded the option not to have two years of MBS and PBS, as well as Australian Immunisation Register and Australian Organ Donor Register data, included on their record.

But consent is waived if a healthcare provider activates the account first, which could occur at the first interaction with a provider after the opt-out period.

“[A My Health Record is activated at] the point at which the software in that clinician's practice searches the Department of Human Services database to identify your unique health identifier, to which is attached your My Health Record,” Kelsey told a senate estimates hearing last week.

“It’s the moment that that software interaction takes place.”

The Australian Digital Health Agency's chief operations officer Bettina McMahon said activation would typically occur “when a clinician tries to view the information or when a document is uploaded”, such as when a dispense record is sent from a community pharmacy.

An agency spokesperson told iTnews that two years of data “may be uploaded” if the healthcare provider accesses the record first, but that this was at the provider's discretion.

“If the healthcare provider accesses the record first, two years of MBS, PBS, Australian Immunisation Register (AIR), and Australian Organ Donor Register (AODR) data may be uploaded," the spokesperson said.

There is currently no way for clinicians to know a record has been activated by an individual before they try to access it.

In addition, if a healthcare provider's action does activate a record, there is no legislative requirement for the provider to tell an individual this has occurred.

“An individual healthcare provider is unlikely to know whether a record has been activated or not until they view it,” McMahon told senate estimates.

Still fully consent-based?

This could see records activated without a person’s knowledge or before they have the chance to personally activate it, bypassing the “fully consent-based system” Kelsey claimed My Health Record to be during a recent speech to the National Press Club.

He pitched the record as “an offer to every Australian to take control of their health information whenever they want to and decide who else sees it”, but was repeatedly forced to defend the scheme's privacy and infosec credentials, as well as its limited window to opt out.

“There is no big brother, and people may be surprised that when ... their records are created, there is literally nothing in the record until its activated, at which point two years of your MBS [Medicare Benefits Schedule] and PBS [Pharmaceutical Benefits Scheme] data – if you consent – will be uploaded,” he said at the time.

While individuals will still have the option to cancel any documents from their record at any time after upload, those records won’t be deleted.

The department revealed last year that the data in cancelled records will simply be made unavailable to healthcare providers, so that it can be reinstated should the individual later change their mind.

Individuals will also be able to limit access to their record to only those healthcare providers who have been given a record access code or RAC.

Users also have some control over secondary uses of "de-identified" data drawn from the records.

Although sharing is on by default, there are privacy controls that an individual can use to specify or withdraw consent.

However, estimates also revealed that "less than a tenth of one percent of [all 5.8 million] people have applied privacy controls within their record".

Kelsey said this was consistent with similar programs internationally, whereby people had opted to keep their records open to "make sure their medical information is available".