The Government agrees to amend the My Health Records Act and provide greater privacy protections. It would be better to ditch the legislation entirely.

July 31, 2018

The My Health Records Act 2012 is a dreadful piece of legislation. Privacy professionals have known this for some time. They have been saying it for some time. While the system involved voluntary placement of records onto the system, the Government could avoid grumblings from various groups. The Privacy Commissioner was on an extended tea break on the issue. Nothing new there. So the legislation was untouched and the agency responsible for its management, the ADHA, filled forms, ignored complaints and generally kept a low profile.

Then the opt-out provisions came into effect and various commentators “discovered” the privacy-invasive aspects of the system. Janet Albrechtsen took up the cudgels, as did Peter van Onselen at News Ltd. Similar negative treatment came from the Guardian on a few occasions. Technical journals/writers looked at the issue and gave the system a big thumbs down on a few occasions. It was serendipitous that as the debate heated up the Singaporean health system suffered a data breach involving 1.5 million health records. To add to the pressure a Government backbencher, Tim Wilson, publicly opted out. Of course he could have done a lot more than this very visible gesture. He has been in Parliament for a few years now and the legislation was a dud all that time. Gesture politics is of limited utility generally. And on 23 July 2018 Kerryn Phelps, a previous high-profile president of the AMA, weighed in against the system, as did other doctors.

It reached a point where even the most laggardly operator, the Privacy Commissioner, raised questions about the My Health Record. It is more than passing strange that the Commissioner has a legislative role in the operation of the Act in the event of a data breach. Where was it before this Damascene moment?

Even I was quoted opposing the Act in The Medical Republic magazine. It provides:

An examination of the legislation underpinning Medicare Australia has revealed that the precedent for the police accessing MyHealthRecord without a warrant was set a long time ago.

Medicare Australia is legally allowed to share linked PBS and MBS data with law enforcement without a court order, so long as the disclosure is “reasonably necessary” to enforce criminal law, a law imposing a pecuniary penalty, or the protection of the public revenue.

Once linked, PBS and MBS data can tell a very detailed story about an individual’s medical history.

It was possible to infer from item numbers and prescription codes whether a patient had a mental health condition, an STI or had undergone an abortion, said Dr Chris Culnane, a cybersecurity expert at The University of Melbourne.

“So, releasing that information is very similar to releasing someone’s medical records, which is obviously not something that should occur without appropriate oversight,” he said.

Two legal experts contacted by The Medical Republic confirmed that Medicare Australia could legally pass health information onto law enforcement without judicial oversight under the National Health Act 1953.

Medicare Australia was contacted for comment but did not provide a response prior to going to press.

The revelation came as fear and confusion mounted in response to reports that the Australian Digital Health Agency (ADHA) could disclose MyHealthRecord documents to police, Centrelink, Medicare, or the Australian Tax Office without a court order.

Currently, the police cannot access medical data held privately in a GP clinic without a warrant or a subpoena.

But under Section 70 of the My Health Records Act 2012, the ADHA can share health information if it reasonably believes it is necessary for, among other things, the prevention, detection, investigation, prosecution or punishment of criminal offences, or the protection of the public revenue.

“You could drive a reasonably large truck through those provisions and not hit the side,” said Peter Clarke, a barrister at Isaacs Chambers in Melbourne. “They are drafted in such broad and vague terms that it is easy to justify access. It is a big gift to the police.”

Lowering privacy protections could put vulnerable patients at risk if, for instance, their Centrelink payments depended on their health status, or they were technically breaking the law by undergoing an abortion in Queensland, said Professor Kerryn Phelps, a GP and past president of the AMA.

“Who in their right mind puts the ADHA in charge of deciding whether this precious information is handed over to a third party?” she said.

Assistant Professor Bruce Baer Arnold from the School of Law at the University of Canberra said the drafting of the legislation was a “deliberate privacy creep” and that bureaucratic convenience had trumped the rights of citizens.

The ADHA said it would never release documents without a court order, and had not done so in six years of operation.

But legal experts said requests for private health information should be subject to judicial review.

“It is a big deal in our society, and it has been for about 400 years, to be able to enter someone’s private domain,” said Mr Clarke.

By not embedding judicial oversight in the legislation, the government was effectively asking the public to trust every individual in every agency that might have control over MyHealthRecord information in the future.

This was a flawed approach because “people are inherently fallible and subject to various temptations and various biases,” said Jonathan Crowe, a professor of law at Bond University.

And now the Minister and the Government have agreed to make changes to the legislation to protect privacy or even tear up the My Health Record legislation.

The media reports variously that the legislation is going to be redrafted (Guardian), torn up (SMH), amended to protect privacy or have security changes included. The best approach would be to redraft the legislation from scratch.

This is a good result. The legislation has many defects in terms of protections for individuals. That said, the Privacy Act also has similar problems, but little is being said of revamping it and taking privacy protections more seriously generally. It even prompted a general and slightly twee article calling for a broader look at privacy issues.
