The Senate Standing Committee on Community Affairs report into the My Health Record system was released last Thursday. It has recommended several substantial changes to the way My Health Record operates that attempt to address security and privacy concerns raised about the system.
Key recommendations were supported by Labor and Greens committee members, but not by Coalition committee members. Health Minister Greg Hunt has also rejected the recommendation to extend the opt-out deadline. There is less than four weeks until the opt-out period ends on November 15.
My Health Record is a centralised digital repository of individual health information. It was originally proposed as an “opt-in” system in 2011. But in a process originally planned to be complete by October 2018, it was switched to “opt-out”, meaning records will be created for all Australians unless they explicitly choose not to have one. This change has generated controversy.
Experts in information technology, high-profile doctors (including the apparent member-elect for Wentworth Kerryn Phelps) and privacy experts have all expressed reservations about the security and privacy protections of the system. Hunt announced several changes to My Health Record in late July in response, including delaying the opt-out date until November 15.
But the Standing Committee has recommended further substantial changes.
Secondary use of data and access by insurers
The Committee takes the view that My Health Record has considerable potential to improve health care if it’s widely adopted by practitioners and recipients, so it doesn’t recommend the abandonment of the system. Nor does it propose switching back to an opt-in system.
Of its 14 recommendations, 11 were supported by the entire committee. These can be summarised as:
- an outright prohibition on the secondary use of My Health Record data for commercial purposes
- requiring explicit consent for secondary use of identifiable data from an individual’s My Health Record, such as for public health research purposes
- prohibiting employers and insurance companies from accessing My Health Record data
- prohibiting access to a deleted My Health Record stored in backups
- extending the ability to suspend a My Health Record for longer periods to protect victims of domestic violence
- better education about the system, particularly for vulnerable users.
Coalition members don’t accept key recommendations
The Labor and Greens members making up a majority on the committee made several further recommendations, which weren’t accepted by the Coalition committee members.
The committee recommended that record access codes should be required as the default. A record access code is roughly akin to a PIN code on your My Health Record, which a health care provider ordinarily requires to gain access. At present, the vast majority of My Health Records do not have a record access code set, as they are only set if you explicitly choose to do so.
This recommendation also proposed tighter restrictions on the ability of practitioners to “break glass” and access a My Health Record in an emergency without a record access code.
Under the current system, parents of children between 14 and 17 years of age have access to My Health Record information about their children. The committee recommended changing the policy to require that parents only have access if explicitly requested by the child.