Unless you studiously avoid reading, listening to or watching any sort of news organ you will know that by 15 October 2018 you need to have decided about the My Health Record (MHR). Very often when you decide to do nothing then nothing happens. But in the case of MHR, if you do nothing then something will happen. And it’s best that you should be well-informed about the decision you need to make.
The purpose of MHR is to create a set of data for each of us that can be used by health professionals to provide healthcare services. In principle, we would probably all agree that anything that improves healthcare is a good thing. But as with anything, there is a “but.”
This isn’t the first time that the government has tried to create an electronic health record. The Personally Controlled Electronic Health Record (PCEHR) was launched in 2012. It was not very successful, it was very expensive, and it wasn’t very reliable. After 5 years only 20% of us had opted in and there was not a lot of support from healthcare professionals. So, they’re having a second shot and spending yet more money … the government is one of the few organisations where you can cock something up and get away with it. But such is the way of things. PCEHR was budgeted to cost $466.7m but costs had sky-rocketed to $766m before launch and the final figure is still to be calculated.
This time the government, in its wisdom (and I accept that it is questionable whether it has any or much wisdom), has decided that this will be something that you need to opt out of. What that means is that your electronic health data will be stored somewhere and can be used for whatever purpose is facilitated by the terms and conditions of MHR unless you say that you do not want that to happen. This means that you need to do something if you decide that you are uncomfortable with your health data, or at least a significant subset of it, being made available to … well, who would be authorised to access it and for what purposes? You need to inform yourself of this and not simply suppose that the government knows best. I am not about to advise you one way or the other; you need to make the decision about whether to opt out and, if you decide to stay in, what protections you want to put in place.
Now there are a few challenges associated with MHR but there are a few benefits. I will start with the challenges. These include (and this is not a complete list but just those points that I think are most significant):
Who will be able to use your data? Who will be able to access it? The short answer to this may be that you don’t know. It’s not just your doctor or other health professionals you see who can access your MHR. Exactly who can access and disclose your information is laid out in the My Health Records Act 2012. There are protections in the Act though I imagine that some may be tested over time. For example, the Act says that if you, as a healthcare recipient, “would reasonably expect the participant to collect, use or disclose the health information for that purpose” then it’s all OK. Another challenge relating to use is about what happens to your data once it is accessed. Your healthcare provider would access an MHR through their clinical software product which could store some or all of it. Of course, your healthcare provider may print out your data; if so then protecting it (or disposing of it) would be no different to the protection of any physical medical record, that is, while it is not risk-free, it is no worse than what we have been living with for years. It is also possible for software to be hacked or maliciously designed to allow for screen scraping. Screen scraping collects the data that is displayed on a screen and saves it away.
Will it be secure? Security and privacy go hand in hand, but they are different. Security is designed to protect against theft or loss while privacy relates to what a third party (that is not you or the government) can use your data for. The track record of government is no better or worse, perhaps, than any other organisation. The fact is that there is a risk associated with the electronic storage of data. We read regularly of security breaches of both government and non-government organisations. Of course, it was always possible to steal data, but computers allow vast quantities of data to be stored. The track record of organisations in relation to privacy is also mixed. Someone using your data (if they are allowed to do so under MHR terms and conditions) will receive de-identified data. This means that, in principle, anything in the data they get that could identify an individual has been taken out. The trouble with this may be that, as data analysis tools get more clever and as accessibility to other datasets increases, re-identification becomes a greater risk.
An opt-out scheme is unusual; there is a view that opting out of something like this is not best practice. What will happen is that many people will simply go with the default either because they don’t care or because they didn’t know about it. There is no advertising campaign about this, you will not get a letter or an e-mail. You need to inform yourself. Of course, the government wants you to stay in but 20,000 people decided to opt out on the first day. The official response to that was effectively “20,000 isn’t many” but any private sector organisation that launched a new product and got 20,000 active responses on day one would be delighted.
So, having thought about the challenges, the reasons that we might be wary of going with the flow on this, what are the benefits? Again, this list is not exhaustive.
Connecting the healthcare system: anyone who has been referred from one healthcare professional to another will know how notes haven’t arrived or are wrong … that should be a thing of the past with a single record. The MHR is not, however, complete. The Office of the Australian Information Commissioner points out that: “the My Health Record system contains an online summary of a patient’s key health information; not a complete record of their clinical history.” Nonetheless it’s a step in the direction of a complete on-line record.
MHR puts (some) power in your hands: Our healthcare system tends to disempower us: it’s hard to compare healthcare insurance, it’s difficult to know how much procedures will cost and whether those costs are competitive and, frankly, it’s often difficult to understand the jargon. MHR doesn’t solve these problems, but it does allow you some control over your data: you can decide whether and how healthcare professionals can see your data.
Most of us trust our healthcare professionals: no system can be 100% secure. I could argue that our healthcare data was far less secure when it was held on paper in filing cabinets at the doctor’s surgery with no backup in case of disaster. MHR will have, and will presumably maintain, an appropriate set of security protocols. A person contravening certain parts of the Act might be liable for up to 2 years in gaol.
The decision is yours. You can do nothing, and an MHR will be created for you. You can set protections later, but the default is that your data can be used within the Act and you would not necessarily know.
Alternatively, you can set privacy and security controls by setting:
a record access code that controls which healthcare provider organisations can see your record;
a limited document access code that controls access by healthcare provider organisations to specific documents;
a personal access code that allows your nominated representative(s) to access your MHR.
Finally, you could opt out altogether but that requires action on your part. If you choose to do this, then you can still opt in at a later date.
Whatever you do, you should do it now … even if it’s to do nothing.