My Health Record: what you need to know

Australians who do not want a personal electronic health record created for them have three months from today to opt out of the federal government’s My Health Record scheme.

Individuals will have until October 15 to withdraw their consent from the scheme that switched from opt-in to opt-out last year to address poor rates of adoption.

After this date – and 30 days for the reconciliation of paper opt-out forms – an e-health record will be created for every Australian by default.

The official date being given for the creation of records is November 13.

Those who don’t opt out during this period will be able to cancel their e-health record at any time, although those records won't be deleted.

The My Health Record is an online summary of health information that allows individuals to access and control their own medical history and how information on treatments like medical tests and vaccines are shared healthcare providers.

The obvious benefit of this is having all your medical information easily available in one place, particularly in emergency situations.

However the e-health record scheme has also been persistently dogged by privacy and security fears, which are particularly salient given the number of recent data breaches.

One of the biggest issues facing the scheme is the potential for healthcare data to be uploaded onto a record unbeknownst to an individual.

Such a scenario could arise where a newly created record is not personally activated following the three-month opt-out period.

Below is a guide of what iTnews has been able to ascertain about the My Health Record.

Who will get a record on November 13?

Anyone with a Medicare or DVA number that does not already have a My Health Record will receive a record on November 13, unless they opt out by October 15.

This includes children, though parents can choose for a record not to be created if they are on their Medicare card.

Individuals who registered for a record and then subsequently cancelled it will not receive another record.

It will also not be possible to have a record automatically created prior to November 13.

How can a record be activated?

After a record is created it will need to be activated.

It is possible for a record to be activated either by the individual – in the process of logging in for the first time – or by a healthcare provider when they access the record for the first time in the course of treating a patient.

What data is uploaded when a record is activated?

Records will remain empty until activated.

At this point individuals are able to choose whether they want two years of Medicare Benefits Schedule (MBS) and Pharmaceutical Benefits Scheme (PBS) data uploaded.

Australian Immunisation Register (AIR) and Australian Organ Donor Register (AODR) data will also be uploaded at the express consent of the individual.

Data older than two years will not be uploaded to the record.

Is is better to activate my account personally?

While individuals can choose to have two years of data uploaded if they activate the account themselves, this is not the case if activated by a healthcare provider.

The Australian Digital Health Agency says MBS, PBS, AIR and AODR data “may be uploaded” automatically if the healthcare provider accesses the record first.

Healthcare providers are also able to upload “information on allergies, medical conditions and treatments, medicine details, test results and immunisations”.

Can I delete a record once activated?

No. While it is possible to cancel and close a My Health Record, it is not possible to delete a record entirely.

The ADHA suggests this is so a record can be easily reinstated should an individual change their mind.

It will not be possible for a healthcare provider to upload data to a cancelled record.

Is the data deleted if a record is cancelled?

No. Any data in a My Health Record will be retained for 30 years after your death.

In any instance where the date of death is unknown, the data will be kept for 130 years after the date of your birth.

Healthcare providers such as GPs will also be unable to upload documents to the record or access the record at this point.

Can I choose what information is uploaded to my record?

Yes. Individuals can choose what kinds of information is stored in the record and who views it.

This can happen both at the time of consultation or after the record has been uploaded.

Is my information secure?

The ADHA - as they system operator - claims not to have been breached since the My Health Record system launched in 2012, with outsider threats addressed by the agency’s dedicated cyber security centre.

Third party apps that an individual has allowed to connect to the My Health Record such as online doctor booking service Health Engine, which recently suffered a data breach, are also not permitted to hold any information on their systems.

They are similarly unable to pass information onto another party.

Are ADHA required to notify me if a data breach occurs?

Yes. ADHA is required to abide by the notifiable data breach scheme and privacy principles in the Privacy Act, My Health Records Act and the Healthcare Identifiers Act.

Will any information by disclosed or stored overseas?

There is a legislative requirement for ADHA, repository operators, portal operators or service providers that hold My Health Record data to keep it onshore.

Will my de-identified data be shared by default?

Yes. De-identified data will be shared for public health policy, planning and research purposes from 2020 unless you opt-out within the record.

Individuals will be able to opt-out of sharing data for secondary uses by using the “consumer access control mechanism and clicking on the ‘Withdraw Participation’ button”.

De-identified data under the plan will not be made available for commercial and non health-related purposes.

Data in a cancelled record would also not be accessible for secondary purposes.

What privacy controls will I have access to?

In addition to data permission features, the record also has a number of other built-in privacy protections, including the ability to set up an access code and to view an audit log.

Individuals can also set an SMS or email alert that tells them if someone else viewed the contents of their health record.

How do I opt out?

Individuals who wish to opt out will be able to do so through the My Health Record website or by calling the enquiry phone line on 1800 723 471 until October 15.

ADHA has built a standalone portal to facilitate the opt out process, avoiding the need for individuals to interact with government’s myGov online services portal.

Paper forms will also be available to those living in rural and remote areas, Aboriginal and Torres Strait Islanders, people with limited digital literacy and people from non-English speaking backgrounds.