Update: Health Minister Greg Hunt has released a statement on his official Twitter account that the opt-out period for My Health Record has been extended to 31 January 2019.
In 2018, every Australian will receive a My Health Record profile – unless they choose to opt out by 15 October 2018. You may have heard industry professionals and everyday Aussies alike discussing its argued pros, cons and security concerns.
We’ve broken down not only how it works, but the top discussions surrounding My Health Record so you can make a more informed decision about whether you’d prefer to receive a profile automatically, or if you’d like to opt out by the deadline.
- What’s My Health Record?
- Which information will appear on your record?
- What if you don’t want certain information on your record?
- Who can access and view your record?
- Can you see who accesses your record?
- Is My Health Record secure?
- The next step: will you opt in or out?
What’s “My Health Record”?
Originally launched as the Personally Controlled Electronic Health Record (PCEHR) in 20121, My Health Record is an initiative run by the Government’s Australian Digital Health Agency (the Agency) and is an online snapshot of your key health information2.
This online digital record of your health information makes it possible for medical practitioners (e.g. your GP, hospital staff, emergency services and other registered health practitioners) to access your medical information all in the one place.
Australasian College for Emergency Medicine (ACEM) President Dr Simon Judkins believes My Health Profile can help improve quality of patient care3.
Your profile can also help you better keep track of your medications, immunisations and test results – among other health information.
Currently, there are thousands of registered healthcare organisations that can access your My Health Record with your permission. In fact, you may have already set up your online profile; almost six million Australians have registered for My Health Record across the country4. Perhaps you’ve registered yourself or your children through your myGov account, or even signed up your newborn while you enrolled them for Medicare.
You can opt out at any time after the deadline, however, documents can be stored for 30 years after your death, or up to 130 years after your date of birth if your date of death is unknown5. Watch this space though, as Health Minister Greg Hunt said the Government was working to amend Labor’s 2012 legislation to ensure health records were deleted, if someone decided to opt out6.
Which information will appear on your My Health Record?
My Health Record stores a snapshot of your medical and health history, including information about the following:
- Doctors’ appointments
- Test/scan results
- Medication history/prescription records
- Family medical history
- Medical conditions
- Medicare data and Pharmaceutical Benefits Scheme (PBS) information
What if you don’t want certain information on your profile?
Some Aussies may be concerned about storing sensitive medical information on a digital platform. This worry is especially evident in the debate over the platform’s security.
The My Health Record profile has measures in place where you can restrict certain medical information from certain specialists. Australian Digital Health Agency CEO Tim Kelsey said privacy control is the core feature of the My Health Record system7.
You may, for instance, decline certain pathology reports from being uploaded onto your health record by ticking “opt out” on your pathology form. Furthermore, you can restrict healthcare provider access to specific medical information with three separate access codes. These access codes work as follows:
- Record access code (RAC) only allows certain health care provider organisations to view your record
- Personal access code (PAC) only allows your nominated representative to access your record
- Limited document access code (LDAC) will enable you to control which healthcare provider organisation can access specific documents.
You can also inform your doctor if there is something you don’t want added onto your My Health Record. It’s important you are clear with them and that you understand your privacy rights; in addition to the My Health Records Act 2012, there are other protections you’re entitled to, including existing privacy legislation. If someone doesn’t comply with the My Health Records Act, they can face civil and criminal penalties.
Who can access and view your profile?
Aside from yourself and (if applicable) a nominated representative (e.g. spouse or carer), only registered health practitioners who are directly involved in your care are authorised to access and view your record. These registered practitioners include GPs, pathology labs, pharmacies, hospitals and allied health professionals.
Registered healthcare organisations
|General practice organisations||6,510|
|Other categories of health care providers**||1,591|
|Public hospital organisations*||815|
|Organisations with a cancelled registration||358|
|Aged care residential services||187|
|Private hospital organisations*||178|
|Pathology and diagnostic imaging services||58|
|* There may be more than one facility within an organisation|
** Includes allied health
Source: My Health Record
These registered professionals must have compliant software to access the My Health Record system. If these healthcare providers download your record information to their system, they are subject to confidentiality laws that already govern the healthcare system8.
You are also able to see who has viewed your health record with an audit log. This audit log shows:
- The healthcare organisation that viewed the record
- When your information was accessed
- Information about how your information was accessed (i.e. viewing and uploading)
- The role of the person who accessed your file where available (e.g. your GP).
Can you see who accessed your My Health Record?
You aren’t able to see which registered individual accessed your health records in the audit log; you can only see the registered organisation as a whole and the role of the person who accessed your record.
Some may not be comfortable with this, as it can seem like a lack of transparency. You also may not want certain practitioners within the organisation to see certain medical documents.
Is My Health Record secure?
My Health Record’s security is the central area of contention for critics. Aussies are concerned that their sensitive medical information could fall into the hands of a third party through security breaches or data sharing. Some have pointed to the Medicare privacy law breach in 2017 as an example of a security breach, as well as HealthEngine sharing medical data with law firms.
Digital platforms aren’t 100% foolproof
When it comes to My Health Record specifically, the Australian Privacy Foundation (APF) says that while electronic health records can help with healthcare when they are “carefully designed and implemented to support clinicians”, the security for these systems isn’t foolproof9.
Health Minister Greg Hunt assured Australians that the health records database features “military-grade security”10, however, APF says there’s no such thing. They say that with digital security systems, there is no guarantee that sensitive medical information will be 100% safe.
My Health Record data is attractive to criminals
Digital Rights Watch Chair Tim Singleton Norton warns that our health information could be sought after by criminals11:
“Health information is incredibly attractive to scammers and criminal groups. Creating such a massive database of Australian[s’] personal, private health information is highly likely to become a target in the future,” said Mr Singleton Norton.
Unless you opt out, your health data can be used for research purposes
Additional concerns stem from the Australian Digital Health Agency (the Agency) using medical data for research purposes, even if said medical information is de-identified. Unless you opt out on your profile, medical data will be used for research purposes to provide “insight into Australia’s health system”, and how the Government can improve health outcomes for Aussies.
The Agency says they believe most applications may be for the use of de-identified data, where your data does not link back to your identity. If you don’t want your data to be used for research, you need to opt out in your My Health Record privacy settings by:
- Logging into your My Health Record the via myGov website
- Clicking “Profile and Settings” menu
- Selecting “Profile”
- Scrolling down to “Secondary use of data”
- Clicking “Do not participate”.
There are argued benefits of this data collection, though. In particular, Public Health Association of Australia President David Templeman says My Health Profile holds potential for preventative health12:
“…the My Health Record program will allow for significant data collection which will help us to map out hotspots of chronic disease…” Mr Templeman said.
How does My Health Record approach security?
On the My Health Record website, the Agency says the system is managed through the Australian Government Protective Security Policy Framework, and data is stored in Australia and is safeguarded by “high-grade security protocols to detect and mitigate against external threats”.
The My Health Record system also has certain security measures in place, including encryption, firewalls, secure login, authentication mechanisms, and audit logging.
FAQ: Security + access
There are safeguards in place to protect information in #MyHealthRecord such as encryption, firewalls, secure login processes + audit logging. You can also control which healthcare organisations can access your record. Details: https://t.co/OheZOatu0z
— My Health Record (@MyHealthRec) July 17, 2018
The Agency addresses specific concerns over the system on their website, with a particular focus on health data hacking and data sharing. While we encourage you to read through the frequently asked questions, here is an idea of the types of concerns they address:
“My health information could be hacked.” The Agency says the My Health Record system features the “highest level of security” and that it “meets the strictest cyber security standards”. With a multi-tiered security system to protect your My Health Record from being attacked, the Agency says the system has been built and tested to protect your confidentiality.
In its “Get the facts – Your privacy is protected” article, the Agency says it wasn’t hacked in its six years of operation13. Aside from stating the system has the “highest level of security and privacy”, they also say:
- it’s monitored “around the clock” by Australian Digital Health Agency’s Cyber Security Centre;
- the Defence Department’s Australian Signals Directorate has tested the system;
- Your My Health Record can only be accessed through secure and conformant software by authorised and registered healthcare providers; and
- Your profile isn’t accessible on the open internet (e.g. a Google search).
Here are a few other concerns that Australians may have.
- “The police, Centrelink and the ATO can access my records.” The police or any government department won’t be able to access your health record unless they are required to by a court order. This is something Health Minister Greg Hunt confirmed “will be enshrined in legislation” after the public voiced their concerns14.
- “Information could be sold to, or accessed by, insurance companies.” The Australian Digital Health Agency says insurance companies can’t access your My Health Record data, nor can your data be sold to these companies. The Agency also says some of the My Health Record system data may be used for research from 2020. However, you can opt out of this by selecting the “withdraw participation” option in your online profile.
- “Third party apps could access my health information.” Only you can agree to connect your My Health Record to a third party app. The Agency says these apps are “view only” and aren’t able to store information from your record. These apps are, however, prohibited from using your My Heath Record for secondary purposes (i.e. sharing information to law firms).
- “Anyone can access and view my record.” Only registered healthcare providers looking after you directly can access your record. The Agency says any unauthorised access can result in certain penalties, including up to two years in jail.
The next step: Will you opt in or out?
With many opposing opinions surrounding My Health Record, you may find it difficult to know which path is best for your individual needs. Thankfully, you can always opt in or opt out at any time – even after the 15 October deadline.
Depending on what you decide, you can follow these options:
I want a My Health Record profile
If you’re on board for a My Health Profile, you’ll be automatically provided with a profile after 15 October 2018. Be sure to register a login and review your privacy settings on your profile as soon as possible, though.
It’s crucial that you clearly communicate with your healthcare professional by letting them know which information you do and don’t want on your record. If you’re concerned with certain information being accessible by your specialists, consider restricting documents with access codes.
You can find further information about how you can protect your information on the My Health Record website.
I want to opt out of My Health Record
If you’d like to opt out of My Health Record, you’ll need to follow the prompts on the My Health Record website. You’ll need some form/s of identification (i.e. your driver’s licence, Medicare card) to process this. You don’t need to create a myGov account to opt out.