Thursday, July 26, 2018

This Important MyHR Document Seems To Have Been Taken Down By Someone. Take A Copy To Keep.

This is no longer findable on the Parliament web site…

Law enforcement access to My Health Record data

Posted 23/07/2018 by Nigel Brew
Parliamentary Library
My Health Record (MHR) was introduced in June 2012 by the Gillard Labor Government originally as an opt-in system known as the Personally Controlled Electronic Health Record (PCEHR) before legislative amendments in 2015 introduced by the Abbott Coalition Government renamed it and laid the groundwork for it to become an opt-out system. Law enforcement access to MHR data is among the privacy concerns raised about the program, but this provision was in the original legislation and received little attention when the Bill was debated.
The PCEHR/MHR has been operating for six years now since July 2012 and was characterised in 2015 by Labor politicians as a ‘proud Labor reform’ and a ‘natural extension’ of Medicare. The MHR system is operated by the Australian Digital Health Agency (ADHA) as a ‘secure online summary of an individual’s health information’. However, under certain circumstances, MHR data may be provided to an ‘enforcement body’ for purposes unrelated to a person’s healthcare. An ‘enforcement body’ is defined in section 6 of the Privacy Act 1988 as the Australian Federal Police, the Immigration Department, financial regulatory authorities, crime commissions, any state or territory police force, anti-corruption bodies, and any federal or state/territory agency responsible for administering a law that imposes a penalty or sanction or a prescribed law, or a law relating to the protection of the public revenue.
Section 70 of the My Health Records Act 2012 enables the System Operator (ADHA) to ‘use or disclose health information’ contained in an individual’s My Health Record if the ADHA ‘reasonably believes that the use or disclosure is reasonably necessary’ to, among other things,
· prevent, detect, investigate or prosecute any criminal offence, breaches of a law imposing a penalty or sanction or breaches of a prescribed law;
· protect the public revenue; or
· prevent, detect, investigate or remedy ‘seriously improper conduct’.
Although ‘protection of the public revenue’ is not explained, it is reasonable to assume that this might include investigations into potential fraud and other financial offences involving agencies such as Centrelink, Medicare, or the Australian Tax Office. The general wording of section 70 is a fairly standard formulation common to various legislation—such as the Telecommunications Act 1997—which appears to provide broad access to a wide range of agencies for a wide range of purposes.
While this should mean that requests for data by police, Home Affairs and other authorities will be individually assessed, and that any disclosure will be limited to the minimum necessary to satisfy the request, it represents a significant reduction in the legal threshold for the release of private medical information to law enforcement. Currently, unless a patient consents to the release of their medical records, or disclosure is required to meet a doctor’s mandatory reporting obligations (e.g. in cases of suspected child sexual abuse), law enforcement agencies can only access a person’s records (via their doctor) with a warrant, subpoena or court order.
The Australian Medical Association’s existing Ethical Guidelines for Doctors on Disclosing Medical Records to Third Parties 2010 (revised 2015) note:
Trust is a vital component of the doctor-patient relationship. Patients trust doctors to keep their personal information confidential including their medical records.
The AMA believes that any action by third parties, including Government, to compel doctors to disclose patients’ medical records must overwhelmingly be proven to serve the public interest. The public benefit of such disclosure must outweigh the risk that patients may not seek medical attention or may modify the personal information they disclose to their doctor because of fears their privacy will be breached.
In cases where there is a warrant, subpoena or court order requiring the doctor to produce a patient’s medical record, some doctors and/or patients may wish to oppose disclosure of clinically sensitive or potentially harmful information. The records should still be supplied but under seal, asking that the court not release the records to the parties until it has heard argument against disclosure.
It seems unlikely that this level of protection and obligation afforded to medical records by the doctor-patient relationship will be maintained, or that a doctor’s judgement will be accommodated, once a patient’s medical record is uploaded to My Health Record and subject to section 70 of the My Health Records Act 2012. The AMA’s Guide to Medical Practitioners on the use of the Personally Controlled Electronic Health Record System (from 2012) does not clarify the situation.
Although it has been reported that the ADHA’s ‘operating policy is to release information only where the request is subject to judicial oversight’, the My Health Records Act 2012 does not mandate this and it does not appear that the ADHA’s operating policy is supported by any rule or regulation. As legislation would normally take precedence over an agency’s ‘operating policy’, this means that unless the ADHA has deemed a request unreasonable, it cannot routinely require a law enforcement body to get a warrant, and its operating policy can be ignored or changed at any time.
The Health Minister’s assertions that no one’s data can be used to ‘criminalise’ them and that ‘the Digital Health Agency has again reaffirmed today that material … can only be accessed with a court order’ seem at odds with the legislation which only requires a reasonable belief that disclosure of a person’s data is reasonably necessary to prevent, detect, investigate or prosecute a criminal offence.
This uncertainty has left different advocacy groups concerned. The Chief Executive Officer of the Sex Workers Outreach project has been reported saying that warrantless law enforcement access to medical records was the main reason sex workers were concerned about MHR, pointing out that ‘“Sex work is criminalised in a number of states … So, if I’m in the ACT and somebody suspects me of sex working, and they go into my medical record and that proves it, I can end up in jail”’. Similarly, while the Federation of Ethnic Communities’ Councils of Australia supports the MHR, it was reported that ‘it hopes My Health Record information will not be used for the purposes of immigration enforcement or decisions’.
Such fears are possibly not without foundation. Until recently, data-sharing arrangements in the UK between the National Health Service and the Home Office meant that medical records were being used to track down illegal immigrants:
Digital Minister Margot James said the government had reflected on the concerns she raised—“and with immediate effect, the data-sharing arrangements between the Home Office and the NHS have been amended”.
She added: “The bar for sharing data will now be set significantly higher, by sharing I mean between the Department of Health, the Home Office and in future possibly other departments of state, no longer will the names of overstayers and illegal entrants be sought against health service records to find current address details.”
Ms James told MPs that the data would only be used in future “to trace an individual who is being considered for deportation action having been investigated for or convicted of a serious criminal offence”.
It is interesting to note that while disclosure of personal information under Australian social security law for the purpose of enforcing the law must satisfy a higher bar compared with the My Health Records Act 2012, the provisions permitting disclosure of Medicare information for the purpose of enforcing the law are actually broader than the My Health Records Act 2012.
Although the disclosure provisions of different agencies may be more or less strict than those of the ADHA and the My Health Records Act 2012, the problem with the MHR system is the nature of the data itself. As the Law Council of Australia notes, ‘the information held on a healthcare recipient’s My Health Record is regarded by many individuals as highly sensitive and intimate’. The National Association of People with HIV Australia has suggested that ‘the department needs to ensure that an individual’s My Health Record is bound to similar privacy protections as existing laws relating to the privacy of health records’. Arguably, therefore, an alternative to the approach of the current scheme would be for medical records registered in the MHR system to be legally protected from access by law enforcement agencies to at least the same degree as records held by a doctor.
This is the link as it was:
https://www.aph.gov.au/About_Parliament/Parliamentary_Departments/Parliamentary_Library/FlagPost/2018/July/Law_enforcement_access_MHR_data
Important to keep it available given all the discussion of S70.
David.

16 comments:

  1. I am sure it is just a broken link, it is a public record after all and cannot be simply destroyed

  2. Well it has vanished from the Flagpost Table of Contents...

    David.

  3. Maybe we should check the Parliamentary Service department's Health records to see if anyone has destructive tendencies.

  4. https://www.theguardian.com/australia-news/2018/jul/26/parliamentary-library-deletes-post-confirming-warrantless-access-to-my-health-record?CMP=share_btn_link


    This is just getting beyond bizarre. Turnbull needs to step in and stop it, they can leave it opt-in and sort the issues out. The ADHA needs to be split, send back to the department operations of the MHR and let’s have a COAG-driven entity with proper leadership.

  5. This is certainly turning into a fiasco

    Taken from crikey.com

    Current concern around the government's My Health Record roll-out could have been avoided had the Department of Health addressed the issues raised in its own consultation period. Almost all of the system's privacy, security and health issues were anticipated as far back as 2015. However, those who made submissions were left in the dark because the analysis report was effectively buried.
    An exclusive report, obtained by Crikey via freedom of information, shows that extensive communication to consumers and ease of opting out were identified as necessary elements of the scheme. However, the government branch responsible for the roll-out of My Health Record, the Australian Digital Health Agency (ADHA), has failed to follow through on these points.
    Many of the consultation submissions stipulated only conditional support for an opt-out approach. Indeed, the report observed that privacy and security were recurring themes of the submissions and that communication and education were consistently highlighted, especially with regard to marginalised populations.

  6. Gee, a Federal Government Agency run by an historian turned journalist turned opportunist, who doesn't know how to run a government agency, stuffs up running an agency.

    Nobody knew health care could be so complicated (Trump).

    Nobody knew running an agency could be so complicated (Kelsey)

    Anyone running a book on how long he's got? He's in Perth at the moment swanning around having his picture taken.

  7. I would not have believed this if I had been told in conversation. Attacking the Parliamentary Services is pretty serious stuff. They have a long-standing reputation of being a well respected and trusted arm of government. I look forward to seeing the online page restored. Having read the article that you kindly preserved David, I cannot find anything misleading or fictitious.

    This is a troubling sign, I think the Health Minister should step back and perhaps distance himself from the ADHA CEO.

  8. "I think the Health Minister should step back and perhaps distance himself from the ADHA CEO."

    A bit difficult considering that, legally, the ADHA reports to the Minister for Health and is part of his portfolio.

  9. @404, that is a bit of an insight, not sure this Dr Steve Hambleton they are pushing out there should have a job. Was he not the chair of NEHTA when this report would have come out? He has known and done nothing. Glad I am not a patient of his.

  10. The emergence of this ‘report’ is of serious concern, the NEHTA board at the time would have known but they were exiting, the Department would have known and did nothing, the Agency board might have known, the ADHA would definitely have known about this report, especially the one executive who was inherited from NEHTA. The ADHA had two years to address this and it would appear as evident they did nothing and happily sacrificed Australians’ privacy and wellbeing at risk. The MyHR has the potential to cause all sorts of stress related illnesses, financial and reputational ruin for individuals, practices and the Government.

    I am not for or against the MyHR concept, I am displeased with the way this has been ignored to the point it has scuttled the project and the outcomes being sought. Trust cannot be maintained as it is hard to believe the ADHA management. Interoperability is a trust based model, built on agreements and an understanding and appreciation of divergences. The ADHA has demonstrated it is lacking even the basic qualifications.

    It clearly ignores advice and evidence and is unwilling to address challenges before they become issues

    They have demonstrated that rather than unify the community they have fragmented the community, preferring to hide and seek comfort in those who embrace whatever is in fashion

    There is a long and published history of mismanagement, staff bullying and a culture of fear (no one is allowed an opinion)

    They have instilled a culture of perceived retribution if people speak out, as evident in the rise of anonymous commentators and issue of gagging orders and similar actions against anyone who forms a view.

    Then there is the ability to run IT systems, the MyHR and the associated websites and portals all fail numerous performance usability and scalability tests.

  11. Last week was the biggest media week for the Agency since we began, with the start of My Health Record opt-out and the intense media publicity that followed. Thank you all for your response to what was both an exciting and difficult few days. We were squarely in the spotlight, as we expected and had planned for.

    Particular thanks goes to our media team, to Mark Kinsela and to the rest of the leadership team and staff who are involved in coordinating our various responses and correcting inaccurate stories, as well as our call centre staff and My Health Record communications team – all of you have been working extraordinarily hard.

    We welcome the public debate that is taking place – our objective is to ensure that Australians are able to make an informed choice about the benefits of My Health Record, its privacy protections and their rights to opt out. There has been much negative sentiment expressed – and some misreporting – but the important outcome is wide-ranging awareness prompted by the discussion. We have had more opt ins last week than ever before and unprecedented levels of consumer document uploads. More than 20m Australians have been reached in all the various media channels during the first week of opt out. I’d like to thank our partners in clinical and consumer leadership in Australia who have been active on the airwaves and in print – in all, we supported more than 100 interviews last week. On Tuesday of this week Michael Kidd, former president of the RACGP, told Sky News that ‘it’s time’ for My Health Record.

  12. 9:01am

    What I heard was

    "ADHA has been shocked by the response – calling it a firestorm.

    They do not see their failure to inform may be at the core of the confusion"

  13. @ 9:01 AM to all you naysayers, media skeptics, troublemakers, readers of this blog and blog commentators understand this - we know what we are doing, we have developed the world's best national health record system which is the envy of many countries (Canada, UK and USA). We are striving to reach the summit and by 16 Oct 2018 we will be there. Every Australian will have a My Health Record, lives will be saved, and Australia will be the richer for it.

  14. 10:43, out of interest who is the “we” you speak of? And what do you mean by Australia will be richer for it? Does the MYHR mine for bitcoins? Could you point to national census that indicate Canada UK and USA envy any of this?

  15. 11:18 AM, it matters not that you do not know, we do. We have received funding to do the job, nothing else is of any consequence.

  16. @10.43 what statistic for “lives will be saved” are you using to compare with the ones saved every day for years and now without a digital summary?

    In my experience of hospital admission, even the ED, the last thing anyone thinks of is looking up info on a computer system that may or may not be working. Medical staff do what they’re trained for and that’s not operating computers, most of them hate that, which is why I’ve yet to see anything on my HS or discharge letters that’s correct. That is one reason, amongst many others, why I’ll never be convinced to be a part of this - and I was there from the start.
