Concerns about the safety of sensitive health data stored in the Government’s My Health Record initiative may be well founded.
“It’s impossible to make any online database entirely bullet proof,” admitted the head of the Australian Digital Health Agency (ADHA), Tim Kelsey, in a Q&A published on www.abc.net.au.
The Australian Government’s My Health Record initiative has been under scrutiny for some time, with public fears about personal information being exposed or accessed by insurers, commercial organisations and third parties.
As of today and for the next three months, Australians can opt out of having an online summary of their health information shared by doctors and health professionals, otherwise a record will be automatically created.
While the project aims to give health professional access to important patient information, including test results, scans, treatments and prescriptions, concerns about the safety of our most personal data have not yet truly been addressed.
The good news for those on the paranoid side, you can opt out in one of three ways:
- online: by visiting visit www.myhealthrecord.gov.au
- phone: by calling 1800 723 471
- on paper: by completing a form available in 2385 rural and remote Australia Post outlets, through 146 Aboriginal Community Controlled Health Organisations and in 136 prisons, then mailing to the return address.
Those who opt out can opt in at any time.
But even for those who opt in initially, there is still a way to control the information processed by doctors. In fact, doctors will upload health information unless you ask them not to.
You can control whether any medical documents, a summary of prescribed medications or referral letters are loaded onto the database. Doctors will upload information about prescribed medications, unless you request otherwise, so if you don’t want this included, make sure you speak with your doctor each time you visit.
However, ‘tailoring’ your medical records could come at the expense of your health, as the quality of the overall health summary could be skewed to leave out important information that may one day save your life.
When you first access the system, you’ll be also asked to decide whether you want two years of Medicare Benefits Schedule, Pharmaceutical Benefits Scheme, Australian Immunisation Register, and Australian Organ Donor Register data added to the register.
But if your doctor accesses your record first, this information will automatically be uploaded, although you can delete or restrict access to those documents at a later date.
My Health Record information will be held for 30 years after you die, or 130 years after your birthdate.
While most Australians know having such a record could be good for their health, it’s the security of this information that concerns them most.
Mr Kelsey told the ABC: “Insurers shouldn’t be able to access your record – it’s reserved for people who work for a registered healthcare provider and who are authorised to provide you with care.”
However, the Department of Health says My Health information can be used for research and public health purposes, in either a de-identified form or in an identified form, if the use is expressly consented to by the consumer, and users can tick a box to opt out of secondary use.
Secondary users are supposed to be of public benefit and cannot be ‘solely’ commercial, but Australian and some overseas organisations, including pharmaceutical companies, will be able to apply for approved secondary purposes.
The ADHA is also discussing ‘re-platforming’ the system, which will require independent third parties to audit the system’s security and undertake penetration testing.
And any information may also be stored on your doctor’s local hard drive, which could also be susceptible to hacking.
According to Mr Kelsey, if you have privacy concerns, you can log onto My Health Record and restrict who sees it:
- you can set a Record Access Code and give it only to healthcare professionals you want to access your record
- if you want to restrict certain documents, you can set a Limited Document Access Code
- these controls may be overridden in an emergency
- if a document is removed from the My Health Record system, it’s beyond the reach of your access controls.
If anyone accesses your information without authorisation, civil and criminal penalties may apply.
You’ll also be able to check your access history to see who has been looking at your records, and you can set up an SMS alert any time someone accesses your record. To do this, call the ADHA on 1800 723 471.
The ADHA is also required by law to give access to your data to police and law enforcement agencies, if there is a reasonable belief that it’s necessary for preventing or investigating a crime or protecting public revenue.
You can opt out of My Health Record from 16 July to 15 October. After 15 October, there will be a one-month reconciliation period before new My Health Records are registered.
Are you worried about your health records being made public? Will you opt out?