My Health Records Blow Up
The digital revolution promised better-coordinated care and improved healthcare outcomes for our populations. Privacy and notions of consent were given some consideration at the start. The recent change to Australia’s My Health Records from voluntary opt-in to opt-out is proving a disaster. In fact, the term opt-out is misleading, as the window to opt out is limited; once it closes, you are kept in the system by default.
So even if you never agreed with anyone in a healthcare setting to store, transmit or share your data through the My Health Records system, if you do not take steps to opt out, the authorities will keep you in the system, as required by Government legislation.
Whatever happened to choice? When did our shared understanding of what constitutes consent change? Is this consent at all, let alone informed consent? One radio or TV station claimed that 20,000 people exited the system (opted out) on Monday last week alone. First, though, the system does offer some benefits.
Benefits
In principle, My Health Records has a lot to offer, especially to people with chronic conditions, those with transient lifestyles, the remotely located, and anyone in an emergency. In the longer term it saves public money too, as doctors and healthcare providers upload patient summaries to the PCEHR system where a treating provider can access them, provided the medical information is uploaded promptly and the internet connectivity is up to scratch. But it is now clear that the system has taken on new objectives, and this has brought its integrity into question.
Enforcement Bodies to Access Data
Surprisingly, under this Act the Government has included enforcement objectives that are not necessarily related to individual healthcare. The My Health Records Act permits the data to be used for the prevention, detection, investigation, prosecution and enforcement of criminal matters, and enforcement bodies can also access it for the preparation and conduct of proceedings and the implementation of tribunal and court orders. More disturbingly, the Act also allows enforcement bodies to access a person’s centralised data for ‘the protection of the public revenue’.
It seems that too many governmental objectives have been lumped together, and the end result is that notions of individual consent and privacy have been weakened. As we learn more about this, it is a pity, because this is the sort of thing likely to drive away some vulnerable people who could have benefited from the system. They may not have much to hide, but most sensible people would agree that embedding a surveillance regime within a healthcare system compromises the pursuit of healthcare objectives.
Government Responsibility
There is also a provision in the My Health Records Act which says ‘This Act does not make the Crown liable to be prosecuted for an offence’. I read this and wondered what the legal jargon means. Are they saying the Government is not legally liable for any breaches? Given the extent of the freedom the Government has in accessing this data, is it sensible that there are no corresponding responsibilities? Where data is misused, or conditions are breached, by a Government entity to the detriment of an individual, is the Government saying there is no legal remedy? There are many players in healthcare provision: government, private entities, for-profit and not-for-profit.
It is just not clear within what parameters the Government becomes exempt from liability. Given that the Government is doing away with the consent that came with opting in, if something is later proved to have caused serious harm to an individual because the Government took away that consent, how can the Government not take moral and legal responsibility?
The list of institutions whose data has been hacked or plainly misused grows all the time: banks, social media companies, recruitment agencies, businesses big and small, you name it. By inserting non-healthcare objectives, the Act means that in some cases patient data will no longer be accessed only by healthcare professionals, who at least can be tracked through their Healthcare Provider Identifiers.
What means does an individual have of holding to account anyone else who accesses their healthcare data without their knowledge and without any understanding of the purposes for which that access is being made?
Interaction with Privacy Act
Although some supporters of the My Health Records system say that we are protected by the Privacy Act, this is hardly reassuring, as no one really seems to have strong privacy oversight of the PCEHR. What a year it has been for reflecting on the weaknesses of our regulatory institutions, such as those regulating banks and financial institutions. But leave ASIC and the banks aside. The My Health Records Act requires all PCEHR actors to abide by the requirements set in the Act, which operate in interaction with the Privacy Act.
The legislation treats a situation in which an approved entity within the PCEHR system infringes provisions of the Act as a breach that the Privacy Commissioner can act on.
However, following the recent My Health Records blow up, we have to ask whether the current legislation gives the Privacy Commissioner enough power to protect privacy, let alone promote it. The issues are many, and they touch multiple aspects of people’s lives. The concerns are not just medical; they are not just about coordinated care or better health outcomes, as important as these are. They go far beyond that. If someone gets it wrong and information falls into the wrong hands, there is a great deal at risk.
Who thought we would need to point out that a highly prized Western libertarian value called privacy should not be thrown away? It almost feels like a parallel universe: how did we get here? But times are changing.
Erosion of Trust
Like many commentators, I question the wisdom of doing away with the opt-in arrangement. The consequences of this change may further erode trust. Worse still, some of the people likely to benefit most from the PCEHR are likely to be among those opting out. This is unfortunate, as in my view some of the benefits of these e-health records cannot be dismissed. In weakening the PCEHR framework, a lot more is lost.
Institutional Policy Framework Lacking
Given the unprecedented level of data breaches across many sectors, the glaring lack of an overarching institutional policy framework governing data collection, processing, transmission, sharing, storage and the like in Australia is concerning.
This is not simply about clinical and ICT governance. The issues that have left people frightened and running to exit the My Health Records system go well beyond healthcare delivery. Privacy has a bearing on every aspect of a person’s life: employment, wellbeing and equitable participation in society, to name a few.
Whether you tune in to TV, radio or social media, the My Health Records blow up is shedding light on community concern, justified or not, that data matching is being consolidated without debate: from myGov to ABS data, location-tracking surveys, cameras, government facial-recognition and voice-recognition technologies, and so forth. People are also concerned that businesses collect data without always disclosing upfront with whom they share it and for what purposes.
So maybe it is not just social media that is contributing to the downward trend in trust. Although the Government should do all it can to ensure that third parties (providers, transmitters and repository agencies of the PCEHR) maintain data security, we also know there is still a measure of risk in every system.
Given the trajectory of data consolidation in many areas of our lives, and the many business, government and non-government players that need to collect data for their operations, it makes sense for Australia to formulate a clear institutional policy framework that addresses the big picture.
Besides, if we simply take a laissez-faire approach to all this data sourced from a multiplicity of areas, we should be asking who decides on the algorithms used to make meaning of the data that is collected, and what that means for democracy and our freedoms. In big-picture terms, we do not have a Bill of Rights that guarantees our right to privacy. It seems we do not even have a broader fundamental framework to fall back on to protect simple values such as consent.
It is also critical that future policy and legislative reviews ensure that genetic information produced or synthesised from PCEHR sources is not misused by authorities or private entities to the disadvantage of specific groups in society, such as ethnic groups and many others. Learning from history, it is essential that a guiding policy framework is embedded in future legislation.
Perhaps, as significant numbers of people try to opt out of the My Health Records system, some good could still come of this if it leads to building and strengthening a clear, broader policy framework governing data well beyond healthcare settings.
Hopefully we can even be proactive in pursuing this rather than simply waiting to respond individually when a breach occurs. It remains to be seen whether the Federal and State Governments will take leadership on this matter or whether we will remain stuck with a laissez-faire approach for much longer.
Key words:
My Health Records; Personally
Controlled Electronic Health Records; PCEHR; Health Records Privacy; Data
Matching
Postscript:
As we go to press, it is understood from media reports that the Government will be revising the legislation in a bid to restore confidence. To what extent integrity in My Health Records can be restored may depend much on the fine print. It remains the case that without a broader institutional policy framework to govern digital data, the public is left vulnerable.