The federal government has responded to a parliamentary inquiry into My Health Record more than two years after it was tabled, rejecting a recommendation to make passwords the default setting and to strengthen protections against the commercial use of sensitive health data.
The Labor-led Senate Community Affairs References Committee tabled its report on the My Health Record (MHR) system in October 2018, calling for a number of changes to the electronic health record in order to shore up security and privacy and to block access by employers and insurance companies.
The federal government did respond in part later that year by introducing a handful of amendments to the MHR scheme, including allowing for the permanent deletion of MHR data and strengthening privacy protections for young people.
But for more than two years the government did not respond to the other recommendations included in the Senate committee report, until late last Friday afternoon.
In its response, the government notes or rejects most of the recommendations from the report that it has not already implemented, including the recommendation that a PIN be in place for a MHR by default.
The Senate committee had called for record access codes to be applied to a MHR by default, and only removed with express permission from its user, or by registered healthcare providers in “extraordinary and urgent situations”.
The committee argued that shifting MHR to an opt-out model meant its default access settings should be “considerably higher”.
The federal government said it does not support this, saying it would prevent doctors from accessing a health record without the patient being present and would lead to “wasted time” trying to remember passwords.
“The MHR system has a range of mechanisms that support consumers to protect their privacy, and control who has access to their healthcare information. Healthcare providers require timely access to their patients’ key health information,” the government response said.
“There would be significant implementation challenges to provide all Australians with access codes. To realise the full benefits of the MHR system, an individual’s multiple healthcare providers need to have timely and comprehensive access to their patients’ medical history to better make a diagnosis and provide treatment.”
Requiring a PIN by default would “interrupt the clinical workflow and impede use of record”, the government said.
The government “noted” the committee’s recommendation that data which is likely to be identifiable from an individual’s MHR not be made available for secondary usage without that individual’s explicit consent.
Personally identifiable information from MHR can only be used for public health or research purposes, with consent, the government response said. Contemporary de-identification methods will also be applied, it said, and expert assurance will be required that the risk of re-identification is “very low”.
“Consumers retain control over whether their MHR data can be used for research and public health purposes at all times,” the government said.
The government also “noted” the recommendation that the existing restriction on secondary access to MHR data for commercial purposes be strengthened to ensure that the information cannot be used for commercial purposes at all. It said that the use of data for public health benefits can sometimes also involve a commercial interest.
MHR data cannot be used for purposes that are solely commercial or non-health related, it said, and the Data Governance Board is required to assess applications for the use of data for public health purposes on a case-by-case basis.
There are now nearly 23 million active MHR records after the system moved to an opt-out model in 2018.
The Australian Digital Health Agency, which oversees the MHR scheme, revealed in its annual report that there were two incidents compromising the system in the last financial year.
The response comes as the agency has just gone to market for a cyber threat intelligence service, including an off-the-shelf threat intelligence platform.
The procurement will include technical cyber threat intelligence products and services that will be integrated into the ADHA’s security monitoring capabilities to help it to “detect and manage threats posed by malicious actors against” MHR, and also allow it to search, explore and investigate specific threats.
The ADHA has also posted a tender for a cyber threat intelligence sharing expert to provide assistance and guidance on this new project on a three-week contract.
Do you know more? Contact James Riley via Email.
The inquiry was garbage to begin with – they “deemed confidential” everything new that was embarrassing to them, so they never covered the full breadth of the problems in the first place.
It really doesn’t matter whether or not they “implement” any recommendations anyhow – practically no government department actually complies with the rules (especially anything to do with security), there’s no penalties for anyone if they do not, and there’s no mechanism for whistleblowers or the public to draw attention to non-compliance, and no means to enforce it.
They should rename all legislation that applies to the public service “pirate code” – since it’s all more of a recommendation than actual rules…
Exactly. The clerisy seem to work on the Ali G principle: “All your data belong to us.”