Monday, March 07, 2016

The Privacy Foundation Weighs In On The mHR Announcement From Friday 4 March.

Here is the press release:

MEDIA RELEASE of 6 March 2017


Government announces opt-out trials for health record
but forgets to explain how to opt out

The Federal Government has announced that it is trialling a new registration system for the old PCEHR, now called the My Health Record.
The new registration system is called opt-out. Instead of allowing people to elect if they want or need another health record, the Federal Government has decided that it will try and create a new one, for everybody.
Unfortunately, in the media release they haven’t mentioned what you should do if you want to opt out, nor do they even mention why you should seriously consider opting out. There are many people who should be very careful about letting the government put lots of identifying information into a central database. But when you are selling something you never offer up reasons for not buying.
Almost makes you think they don’t want anyone to opt-out. That would make analysis of the results easier and boost the numbers.
As it happens, the Department of Health, in the depths of its website hidden from all but the most persistent, allows you to let them know that you are thinking about opting out. Sometime after 4 April you will be able to opt out and they will remind you of this.
It is also mentioned in the letters to be sent out but once again no information on why you might want to consider opting out.
What this all means in terms of identifying yourself, or if you need a myGov account or if you don't have the internet or if you are away from home and don't get your all important letter, it doesn't say.
In fact there is a lot the government isn't saying about the My Health Record, starting with the fact that it isn't designed to be used for primary health care. However, it can be used by law enforcement and revenue protection agencies. What that means is that the police, ASIO, ATO and Border Protection, amongst others, can all request to see your health data. You won't know about it because the government won't tell you.
Why is it doing all this? The government, in its eagerness to sell you something you probably don't need and which is a risk to your privacy, hasn't explained.

What the APF has said about the PCEHR/MyHR

eHealth Bill – Senate Committee on Community Affairs Report, Letter to Senators (10 Nov 2015)
Health Legislation Amendment (eHealth) Bill 2015, Submission to Senate Standing Committee On Community Affairs (28 Oct 2015)
Opt-Out and the PCEHR, Letter to Senators (30 Oct 2015)

Contact for This Media Release

Dr Bernard Robertson-Dunn
Chair Health Committee
Australian Privacy Foundation
Bernard.Robertson-Dunn@privacy.org.au

-----

Interesting and important perspective in my view - as I had a minor part in putting the release together.

David.

8 comments:

Bernard Robertson-Dunn said...

Thank you David, for this site and for posting this media release.

I came across something while browsing the legislation, which may be of interest to your readers and which is worth highlighting. This is in the PCEHR legislation:

"68 Collection, use and disclosure for indemnity cover

(1) A participant in the PCEHR system is authorised to collect, use and disclose health information included in a consumer’s PCEHR for purposes relating to the provision of indemnity cover for a healthcare provider."


So, the Act permits insurance companies to legally get at your health record,
- and nobody has to tell you that they have been given it,
- and you have no control over it,
- and they don't need a password to get at it,

... as long as they can justify that it is for indemnity purposes. And you don't need to be as devious as CommInsure to do that.

And unlike Section 70, which covers law enforcement and revenue protection, nobody has to keep a record of it.

So much for Sussan Ley's claim "... patients would have ultimate control over who accessed their information, including adding additional password protections."

If she ever said that in parliament she would probably be in deep trouble. Or at the least have a lot of explaining to do.

Anonymous said...

On what grounds do you claim that this access is exempt from the patient's control, and exempt from auditing? It doesn't say either of those things. Are you just making it up like so many other people?

Bernard Robertson-Dunn said...

re "on what grounds do you claim that this access is exempt from the patient's control, and exempt from auditing?"

The legislation says that

a) the System operator is permitted to supply information from your health record to law enforcement and revenue protection agencies.

b) A health care provider can download information to their clinical systems.

c) Health care providers are permitted to supply information from your health record for purposes relating to the provision of indemnity cover (I assumed that to be insurance companies - correct me if I am wrong)

There is nothing in the legislation that says any of this is subject to patient access control.

The first one has absolutely no controls at all - the System Operator does it.

b) and c) assume that the health care provider has access to your record but the patient cannot control what they do with it.

An audit log is only created when someone looks at a health record. Once a document has been downloaded there is no control, no audit log.

There used to be advice on the Health website telling healthcare providers to only download what they need. IMHO, this is a bit wimpish and is most definitely not "control". Even that advice seems to have disappeared. It may well be in the provider portal, but I don't have access to that. I do have cached versions of the old participants' agreements though.

But you are right - Sussan Ley doesn't say any of all that.

And I try very hard not to make anything up. Wherever possible my claims and assertions are based upon publicly available information.

Anonymous said...

There is nothing that says it isn't subject to patient control either. So unless someone can provide solid information, we should simply conclude that it may or may not be possible to do that without patient control, but it is certainly possible to do it with patient control, and it's not clear how well the patient will be informed.

Anonymous said...

As I read it section 68 refers to the provision of indemnity cover for the health professional themselves, not the patient.

In what scenario are medical defence insurers going to be trawling through data unrelated to actual specific claims against a health professional?

Bernard Robertson-Dunn said...

re: "There is nothing that says it isn't subject to patient control either".

The issue is that the legislation permits such disclosures and does not specify that they must be or even could be controlled.

re Section 68.

An insurance company might want to know if a health professional is in the habit of treating more high risk patients than is normal. In which case they might ask to see all the health records of the patients who have been treated by the health professional or the organisation for which they work for the previous year.

They would be trying to assess future risk in order to set premiums.

And once again, the issue is that the legislation permits it.

And experience shows that if something is legal there is a very good chance that it will be exploited and/or used for purposes not originally intended.

Bernard Robertson-Dunn said...

And a further thought.

The questions are not: why would anyone want to do these things? Can these things be done now? Has anyone done any of these things?

The big questions are:

1. Why has the government made these things legal? They greatly increase the risk to privacy with no benefit to the patient.

2. What are the implications with respect to Sussan Ley's claim about the patient having ultimate control? IMHO, it looks very much like she is being casual with the truth. Not a good look for a politician coming up to an election.

Anonymous said...

I would think the answer is yes - people probably do these things now with non-PCEHR records. As in, insurers of health professionals may ask for access to certain patient records in certain circumstances for the purposes of providing indemnity cover (and defending claims etc.).

But they surely do it under pretty strict contractual/legal/privacy agreements between themselves and the health professional - otherwise they wouldn't stay in business very long.

Which is why I don't think the fact the PCEHR Act is broadly worded in this one section means it is suddenly going to be some sort of backdoor insurance company free for all.