Who can access your e-health record?

Australia’s Department of Health has refused to name which government authorities will be able to view a citizen's eHealth record, in an otherwise detailed response to a Privacy Impact Assessment of the PCEHR (Personally Controlled Electronic Health Record) scheme.

Access by law enforcement authorities was among a long list of issues explored in a Privacy Impact Assessment [pdf], prepared by law firm Minter Ellison and former deputy NSW Privacy Commissioner Anna Johnston. The report recommended 112 changes to the legislation and the technology that underpins the PCEHR system, currently under development.

The Department of Health has now accepted 75 of the 112 recommendations, accepting 20 more “in principle”, six more “in part”, “supporting” two”, and rejecting eight more, with one still under consideration.

The Department agreed [pdf] that it will, among other changes:

• Ensure that the scope of the PCEHR cannot be widened, nor its ‘opt-in’ premise changed, without legislative change, to protect scope creep via additional regulations or subordinate legislation.
• Design appropriate anti-hacking measures such as a maximum number of attempts before the PCEHR System 'locks out' the user, before asking the user to reset their password or be re-directed to an assisted channel (e.g. face to face or telephone).
• Report any data breaches or internal misuse of PCEHR data to the Australian Privacy Commissioner.
• Grant the Privacy Commissioner additional funding to deal with eHealth privacy complaints (but not a direct authority to revoke an individual or organisation's access to records.)
• Intermittently conduct privacy audits on the PCEHR system.

Who can access?

The privacy impact assessment (PIA) requested that users be presented with a PCEHR Privacy Policy to ensure citizens opting in to the service understand how their data might be accessed.

The Department in response agreed that it should make clear to users that law enforcement officers, for example, may be able to gain access, or that records can be subpoenaed to a court. It also agreed to provide users clarity on what constitutes an ‘emergency’ scenario that would enable privacy settings to be overridden, with specific examples attached.

Further, the Government agreed to developing a “preview” pane that allows the user to see how their record might appear (i.e. what data included) when presented to a specified third party.

But the Government rejected a recommendation that users be informed about precisely which law enforcement or other government bodies would be entitled to view a record. 

The Government argued that “naming specific organisations that may receive log data’” would be too prescriptive as legislation, and better suited to regulations that do not require the passage of a new bill to update.

Rules on the run

Several other recommendations were rejected on the same basis, revealing that the Department harbours some fears of security or privacy breaches.

The Department of Health refuses to specify within the eHealth legislation the precise questions that will be asked of users to verify their identity, as it wants the flexibility to change these questions once the system is live, presumably to respond to ID fraud.

“The Department considers that this framework is better supported by subordinate legislation or terms and conditions of participation, because these provide greater speed and flexibility in dealing with any emerging issues in the registration process,” it said in response.

If the legislation is too prescriptive it will “reduce the speed at which the system operator [The Department of Health] can act to address any emerging security or other problems with a registration channel."

Let’s be practical

The Department also felt it more practical to enforce PCEHR privacy using civil penalties, despite the PIA calling for certain intentional breaches of health records privacy a criminal act with a maximum two years imprisonment.

"Criminal penalties may be applicable to an individual employee, agent or contractor, or to a corporate person," one recommendation stated.

The Government said in response that the legislation allows for the Department to make a matter a criminal offence using a “regulations power.”

“The penalties in the principal legislation, however, are civil in nature," the Department noted. "Civil penalties have been chosen rather than criminal because there is a lower standard of proof required to convict a person of a civil offence. With imposition of a civil penalty being more likely, the Department considers that this both encourages enforcement of penalties by the PCEHR system operator, and acts as a significant deterrent to misuse.”