The Senate’s Community Affairs References Committee yesterday delivered its report into the My Health Record system recommending a raft of changes to help balance access and privacy concerns with the benefits of centralised electronic health data. Most notably, the Committee did not recommend making access to the scheme on an opt-in basis.
The Committee recommended that:
- record access codes should be applied to each My Health Record as a default and that individuals should be required to choose to remove the code. The committee further recommended that the ability to override access codes in the case of an emergency should only be available to registered healthcare providers for use in extraordinary and urgent situations;
- the Australian Government amend the My Health Records Act 2012 to protect the privacy of children aged 14 to 17 years unless they expressly request that a parent be a nominated representative;
- the Minister for Health amend the Rules to extend the period for which a My Health Record can be suspended in the case of serious risk to the healthcare recipient, such as in a domestic violence incident;
- data which is likely to be identifiable from an individual’s My Health Record not be made available for secondary use without the individual’s explicit consent;
- the current prohibition on secondary access to My Health Record data for commercial purposes be strengthened to ensure that My Health Record data cannot be used for commercial purposes;
- no third-party access to an individual’s My Health Record be permissible, without the explicit permission of the patient, except to maintain accurate contact information;
- the Australian Government amend the My Health Records Act 2012 and the Healthcare Identifiers Act 2010 to ensure that it is clear that an individual’s My Health Record cannot be accessed for employment or insurance purposes;
- access to My Health Records for the purposes of data matching between government departments be explicitly limited only to a person’s name, address, date of birth and contact information, and that no other information contained in a person’s My Health Record be made available;
- the legislation be amended to make explicit that a request for record deletion is to be interpreted as a right to be unlisted, and as such, that every record is protected from third-party access even after it is deleted, and that no cached or back-up version of a record can be accessed after a patient has requested its destruction;
- the Australian Digital Health Agency (ADHA) revise its media strategy to provide more targeted comprehensive education about My Health Record;
- the ADHA identify, engage with and provide additional support to vulnerable groups to ensure that they have the means to decide whether to opt out, whether to adjust the access controls within their My Health Record and how to do this.;
- the Australian Government commit additional funding for a broad-based education campaign regarding My Health Record, with particular regard to communicating with vulnerable and hard to reach communities;
- the Australian Government extend the opt-out period for the My Health Record system for a further twelve months; and
- the My Health Record system’s operator, or operators, report regularly and comprehensively to Parliament on the management of the My Health Record system.
The full report is available here.