My Health Record

There has been a fair bit of media commentary on the My Health Record (MyHR) system.

If you do not ‘opt out’ before 15 November 2018, a MyHR will be automatically created for you. If you then ‘delete’ it, your data will still be stored for 30 years after you die (or 130 years after your birthdate).

MyHR is strikingly similar to the UK’s ‘care.data’, shut down after 2 years in operation because of widespread problems, not least that (as it turned out) the data was being sold to pharmacy and insurance companies.

The person in charge of implementing MyHR in Australia is Tim Kelsey – who was also in charge of setting up care.data.

What is My Health Record?

MyHR is an online, government-based record of your medical history.

The first person to access your MyHR will be yourself or your GP. You can choose to add two years of data from the the Medicare Benefits schedule, Pharmaceutical Benefits Scheme, and Immunisation and Organ Donor Registers.

You can ask your doctor to include (or exclude) information from your medical history but an authorised health professional can access your MyHR and add information at any time (which can then be deleted by you).

You can also restrict access to certain data on MyHR with a security PIN, but this can be overridden in an emergency. Health conditions that are personally embarrassing or may lead to discrimination can be withheld, deleted or restricted.

Also, the system’s integrity relies on users having the time and resources to regularly check MyHR for accuracy and unwanted access.

What are the Privacy Concerns?

In the last few months alone, there have been the following incidents –

  1. Medicare card details were discovered as being sold to criminals to facilitate identity fraud on the ‘dark web’ (a portion of the internet generally only available to hackers and tech-savvy individuals);
  2. Private database HealthEngine was hacked, compromising patient’s personal information (contact details, address, reason for visit); and
  3. Facebook discovered an error in its coding (coding that was designed to allow users to ‘log in’ to third party Apps seamlessly) that allowed hackers to access the Facebook profiles of 50 million people and potentially access information stored within those third party apps.

While MyHR logs access by ‘authorised’ users, there is no way of tracing who viewed the data or how they used it. Anyone with a doctor’s security PIN can access their patients’ MyHR, and if an MyHR is left open and unattended on a computer screen, passers-by can view its contents.

Just as with the UK’s care.data, the Department of Human Health says that de-identified MyHR data may be used for ‘research and public health purposes’ with prior consent but there is always the possibility that de-identified data can be traced back to the individual.

So should you opt out? It’s not for us to say, but there are clearly a lot of concerns to be answered.

Please contact John MacPhail if you would like to discuss this or any other privacy or intellectual property related issues or problems.