Law enforcement access to My Health Record data
Note: This FlagPost was originally published on 24 July 2018. It has since been amended to reference the provisions of the Privacy Act 1988
relevant to the release of health information by private medical
practitioners. As an adjunct task, it has also been updated to reflect
developments since its original publication. The Library is committed to
providing the highest quality information and analysis to the
Parliament and always welcomes feedback on its work.
My Health Record (MHR) was introduced in June 2012 by the Gillard Labor Government originally as an opt-in system known as the Personally Controlled Electronic Health Record (PCEHR) before legislative amendments
in 2015 introduced by the Abbott Coalition Government renamed it and
laid the groundwork for it to become an opt-out system. Law enforcement
access to MHR data is among the privacy concerns raised about the
program, but this provision was in the original legislation and received
little attention when the Bill was debated.
The PCEHR/MHR has been operating for six years now since July 2012 and was characterised in 2015 by Labor politicians as a ‘proud Labor reform’ and a ‘natural extension’ of Medicare. The MHR system is operated by the Australian Digital Health Agency (ADHA) as a ‘secure online summary of an individual’s health information’.
However, under certain circumstances, the Act provides that MHR data
may be provided to an ‘enforcement body’ for purposes unrelated to a
person’s healthcare. An ‘enforcement body’ is defined in section 6 of
the Privacy Act 1988
as the Australian Federal Police, the Immigration Department, financial
regulatory authorities, crime commissions, any state or territory
police force, anti-corruption bodies, and any federal or state/territory
agency responsible for administering a law that imposes a penalty or
sanction or a prescribed law, or a law relating to the protection of the
public revenue.
Section 70 of the My Health Records Act 2012 enables the System Operator (ADHA) to
‘use or disclose health information’ contained in an individual’s My
Health Record if the ADHA ‘reasonably believes that the use or
disclosure is reasonably necessary’ to, among other things, prevent,
detect, investigate or prosecute any criminal offence, breaches of a law
imposing a penalty or sanction or breaches of a prescribed law; protect
the public revenue; or prevent, detect, investigate or remedy
‘seriously improper conduct’. Although ‘protection of the public
revenue’ is not explained, it is reasonable to assume that this might
include investigations into potential fraud and other financial offences
involving agencies such as Centrelink, Medicare, or the Australian Tax
Office.
This should mean that requests
for data by police, Home Affairs and other authorities will be
individually assessed, and that any disclosure will be limited to the
minimum necessary to satisfy the request.
Law enforcement access to health
records held by general practitioners is subject to Australian Privacy
Principle 6.2(e) in Schedule 1 of the Privacy Act 1988, which is cast in similar terms to section 70 of the My Health Records Act 2012,
as well as to relevant state and territory legislation relating to
privacy and to medical records. Typically, unless a person consents to
the release of their medical records, or disclosure is required for a
medical emergency or to meet a doctor’s mandatory reporting obligations,
access to these records is, as the president of the Australian Medical
Association has stated, ‘really only through a judge’s request, through the judicial oversight’. As the AMA’s existing Ethical Guidelines for Doctors on Disclosing Medical Records to Third Parties 2010 (revised 2015) note:
Trust is a vital component of
the doctor-patient relationship. Patients trust doctors to keep their
personal information confidential including their medical records.
…
The AMA believes that any
action by third parties, including Government, to compel doctors to
disclose patients’ medical records must overwhelmingly be proven to
serve the public interest. The public benefit of such disclosure must
outweigh the risk that patients may not seek medical attention or may
modify the personal information they disclose to their doctor because of
fears their privacy will be breached.
…
In cases where there is a
warrant, subpoena or court order requiring the doctor to produce a
patient’s medical record, some doctors and/or patients may wish to
oppose disclosure of clinically sensitive or potentially harmful
information. The records should still be supplied but under seal, asking
that the court not release the records to the parties until it has
heard argument against disclosure.
As the Law Council of Australia notes,
‘the information held on a healthcare recipient’s My Health Record is
regarded by many individuals as highly sensitive and intimate’. For its
part, the ADHA has stated that it ‘has not and will not release any documents without a court/coronial or similar order’, a point which the Health Minister has reiterated (while the ADHA has stated that ‘no documents have been released in the last six years’, it has also been reported as stating that no requests from police have yet been received). However, the My Health Records Act 2012 does not mandate this, and it does not appear that the ADHA’s operating policy is supported by any rule or regulation.
This has left different advocacy groups concerned. The Chief Executive Officer of the Sex Workers Outreach project has been reported saying
that warrantless law enforcement access to medical records was the main
reason sex workers were concerned about MHR, pointing out that ‘“Sex
work is criminalised in a number of states … So, if I’m in the ACT and
somebody suspects me of sex working, and they go into my medical record
and that proves it, I can end up in jail”’. Similarly, while the
Federation of Ethnic Communities’ Councils of Australia supports the MHR, it was reported that ‘it hopes My Health Record information will not be used for the purposes of immigration enforcement or decisions’. Until recently,
data-sharing arrangements in the UK between the National Health Service
and the Home Office meant that medical records were being used to track
down illegal immigrants:
Digital Minister Margo James
said the government had reflected on the concerns she raised—“and with
immediate effect, the data-sharing arrangements between the Home Office
and the NHS have been amended”.
She added: “The bar for
sharing data will now be set significantly higher, by sharing I mean
between the Department of Health, the Home Office and in future possibly
other departments of state, no longer will the names of overstayers and
illegal entrants be sought against health service records to find
current address details.”
Ms James told MPs that the
data would only be used in future “to trace an individual who is being
considered for deportation action having been investigated for or
convicted of a serious criminal offence”.
It is interesting to note that while disclosure of personal information under Australian social security law for the purpose of enforcing the law must satisfy a higher bar compared with the My Health Records Act 2012, the provisions permitting disclosure of Medicare information for the purpose of enforcing the law are actually broader than the My Health Records Act 2012.
A media release issued by the Australian Medical Association on 25 July states
that the Minister had ‘made a commitment to clear up any perceived
ambiguity’ in the legislation. On 26 July, the Prime Minister stated
that ‘the Government was absolutely committed to maintaining the
privacy of the My Health Record system’ and that concerns expressed by
the AMA and College of General Practitioners ‘will be addressed’.Here is the link:
https://www.aph.gov.au/About_Parliament/Parliamentary_Departments/Parliamentary_Library/FlagPost/2018/July/Law_enforcement_access_to_MHR_data
-----
Good to see that what has happened here is that he original report (only 2 days ago) has flushed out both public comment and Government response - as reflected in the last para. Could almost be seen as democracy in action! (Assuming you are a totally trusting and don't have a cynical bone in your body. There are one or two other explanations for what has happened here.)
We can only hope the Government will follow through - they are on notice!
David.
This is a welcomed outcome, odd though I still don’t see what was factually incorrect?
ReplyDeleteAs neither a yeah or a nay, although I do question the age of the technology and it’s limitations as a useful tool. That aside, if the government is now willing to admit that the legislation is not complete and present risk to inderviduals, should they be moving forward with this marketing campaign, is it no misleading the public? We don’t know yet what a legislative review will discover.
This is one thing that worries me, if the MyHR was a commercial product, the government would be all over it demanding a recall of sorts, be out there protecting the interests and safety of consumers. Is the government compromised, is this a case of conflict of interest? Where are all those departments setup to protect me?
If the police are stating it is to easy to access and now my premier is opening stating she most likely will optout I think it is time to roll this back and let COAG have a good look at what really is needed. I cannot imagine that COAG will be overly happy.
ReplyDeleteWith proposed change to the legislation and the pending replatforming perhaps this is the time to close down optout. We have seen many changes to the system, to legislation and a changing attitude to privacy in the community. I am concerned that the all this changes have been done without impacts assessments and holistic changes. Would the system need redesigning to ensure it can manage legislative change? I do not believe so, in fact it is clear the HI service adoption and the MyHR model does not support current expectations.
ReplyDeleteWe have lost a great oppertunity but to simply keep sticking plasters on a deep would will simply result in cost blow outs and damage to whatever party is in government. Sometimes it is better to cut your losses and go back to the drawing board.
The fact that the very issues that have caused so much damage have been known for so long is disgraceful. It is also evident the ADHA lacks any depth of knowledge and has been unable to engage in a meaningful dialogue beyond random inderviduals across our fine country. When questioned by people who understand their respective domains the ADHA cannot satisfy even the most basic questioning and in response the lash out like a wounded beast and cry blasphemy.
On behalf of the Australian tax payer I would like to thank Tim Kelsey for what has to be a historical failure.