Chapter 2

Key issues

2.1        The Senate Community Affairs Legislation Committee (committee) received evidence from submitters and witnesses regarding the amendments proposed by the My Health Records Amendment (Strengthening Privacy) Bill 2018 (Bill) to the My Health Records Act 2012 (MHR Act).

2.2        Submitters supported the Bill's proposed amendments to, in effect, require the My Health Record (MHR) System Operator (System Operator) not to release health information to a law enforcement or government agency without a court order, and to require the System Operator to destroy the health information in a healthcare recipient's MHR if the recipient requests their MHR registration is cancelled.[1] Submitters also highlighted the expected benefits of the MHR system for Australians.[2]

2.3        However, some submitters and witnesses raised concerns that the Bill did not address the broader privacy issues affecting the MHR system.[3] This chapter outlines the key provisions of the Bill and the concerns raised.

Legislative framework

2.4         The legislative framework of the MHR system is established by the MHR Act, the Healthcare Identifiers Act 2010 (HI Act) and the Privacy Act 1988 (Privacy Act).[4] These acts contribute to the privacy provisions of the MHR system, and each imposes serious penalties for the misuse of health information, as follows:

2.5        The legislative framework of the MHR system is supported by several items of subordinate legislation, including the: My Health Records Regulation 2012, Healthcare Identifiers Regulations 2010, and the MHR Rules (My Health Records Rule 2016, My Health Records (Assisted Registration) Rule 2015, My Health Records (National Application) Rules 2017 and the My Health Records (Opt-Out Trials) Rule 2016).[6]

2.6        The MHR system's privacy framework was developed in accordance with the handling of information provisions of the Privacy Act, with provisions, such as the criminal penalties imposable under the MHR Act, made to reflect the unique and sensitive information potentially stored in a MHR.[7]

Retention of information provisions

Current arrangements

2.7        The MHR system draws on the health information stored in distributed participating repositories to compile the health information presented in healthcare recipients' MHRs.[8] As explained by the Department of Health, the National Repositories Service (NRS) is operated by the System Operator to:

...ensure a minimum critical set of health information is available for a My Health Record, such as shared health summaries, event summaries, discharge summaries and specialist letters, and to hold information not stored elsewhere, such as a healthcare recipient’s own health summary and health notes.[9]

2.8        In accordance with section 17 of the MHR Act, the System Operator is required to retain a healthcare recipient's information, which has been uploaded to the NRS, for a period of 30 years after the death of a healthcare recipient or, if the healthcare recipient's date of death is unknown, 130 years after the date of birth of the healthcare recipient.[10] Section 17 of the MHR Act does not currently distinguish between whether a healthcare recipient has a MHR registration or not. As such, the System Operator must retain health information uploaded to the NRS for all healthcare recipients, even if a healthcare recipient has requested their MHR be cancelled.[11]

Proposed amendments

2.9        Following the commencement of the opt-out period, concerns were raised that healthcare recipients' information would be retained in the MHR system after healthcare recipients had cancelled their MHR registration.[12] The Bill's amendments would require the System Operator to promptly destroy a healthcare recipient's MHR information following cancellation of their MHR registration, bar in specified legal circumstances.[13]

Record destruction

2.10      Item 6 of the Bill proposes to amend section 17 of the MHR Act through the addition of two new paragraphs which would require the System Operator to:

...permanently destroy any record uploaded to the National Repositories Service, which includes health information that is included in a healthcare recipient’s My Health Record, if that healthcare recipient has requested that the System Operator cancel their My Health Record.[14]

2.11      Proposed new subsection 17(3) requires the System Operator to destroy health information in a MHR if a healthcare recipient has cancelled their MHR registration in accordance with subsection 51(1) of the MHR Act. The System Operator is authorised to retain a minimal amount of information, including: the name and healthcare identifier of the healthcare recipient; the name and healthcare identifier of the person who requested the cancellation, if different from the healthcare recipient; and the date on which the cancellation of the MHR takes effect.[15]

2.12      For healthcare recipients who have not requested their MHR registration be cancelled, the System Operator is still required to retain their MHRs in accordance with the time periods specified in the MHR Act.[16]

Timeframes and exemptions

2.13      Proposed new subsection 17(4) requires the System Operator to comply with the destruction of health information as soon as practical after the cancellation of a MHR takes effect under subsection 51(7). If the System Operator is required to retain a record due to other legal requirements, the System Operator must destroy the record as soon as practical after the conclusion of the matters to which the additional requirements relate.[17]

2.14      The Department of Health outlined the circumstances in which the System Operator may be exempt from destroying information under proposed new subsection 17(4):

...if the information is being lawfully obtained by an entity under amended section 65, section 69 or new section 69A – that is, the System Operator has received a court order or an order by a judicial officer for the disclosure of that information, or a request by the Australian Information Commissioner, Ombudsman or Auditor-General for the information, or a court order instructing the System Operator not to destroy the information (for example, until certain related legal proceedings have ended). If one of these exceptions applies, the System Operator would be required to destroy the information promptly after that matter has concluded (for example, after the information has been disclosed as ordered).[18]

2.15      The Office of the Australian Information Commissioner (OAIC) observed that proposed paragraph 17(4)(a) of the Bill does not define the 'as soon as practicable' requirement for the System Operator to cause the record to be destroyed. However, the OAIC noted the statement in the Explanatory Memorandum that, in practice, permanent deletion would occur within 24 to 48 hours.[19]

2.16      Item 11 of the Bill proposes amending the note to section 67 of the MHR Act to inform readers that if a healthcare recipient's MHR registration is cancelled, their access to their MHR information may be limited due to the destruction requirements.[20]

2.17      Submitters supported the Bill's proposed amendments to section 17 of the MHR Act to enable the deletion of recipients' healthcare information from the MHR system.[21] The Australian Human Rights Commission (AHRC) submitted that the proposed amendment '...better reflects the principle that people should be able to control how information about them is collected, used and disclosed.'[22] The AIDS Action Council of the ACT noted that the Bill's amendments to section 17 of the MHR Act would ensure communities subject to criminalisation, stigma and discrimination would have their confidentiality maintained.[23]

2.18      The Royal Australasian College of Physicians noted that the proposed record deletion amendment was commendable from a privacy perspective, however suggested the amendment may cause some complications, such as:

2.19      Whilst welcoming the amendments, the Australian Council of Social Service (ACOSS) recommended that healthcare recipients be notified of the capacity to permanently delete information in a MHR at the time their record is created.[25] The Australian Nursing and Midwifery Federation and the Scarlet Alliance, Australian Sex Workers Association proposed the Bill's amendments could have gone further to allow healthcare recipients to permanently delete specific records within a MHR.[26]

2.20      Some witnesses and submitters suggested that the permanent deletion of information from the systems which back up the MHR systems is not a straightforward activity.[27]

Committee view

2.21      In the committee's view, the Bill's proposed amendments to section 17 of the MHR Act would, if passed, improve healthcare recipients' ability to control how their health information is stored.

2.22      The committee recognises some submitters and witnesses have suggested there may be practical difficulties around the deletion of data in the NRS, or that deletion functionality could have been applied to specific documents rather than entire MHR records.

2.23      The committee acknowledges that information related to people's health is a particularly sensitive, and confidential, category of information. The committee therefore considers it appropriate that healthcare recipients are able to control how their health information is accessed and stored, including through the capacity to have their MHR information permanently deleted, if they choose to cancel their MHR registration. The committee commends the Bill's proposed amendments to section 17 of the MHR Act as an additional privacy safeguard within the MHR system.

Authorised disclosure provisions

Current arrangements

2.24      The collection, use, or disclosure of the health information included in health recipients' MHRs is restricted by section 59 of the MHR Act.[28] Health information from a MHR can only be used, or disclosed, in accordance with the authorisations provided under Division 2 of Part 4 of the MHR Act.[29]

2.25      Currently, authorisations of the MHR Act to collect, use and disclose health information from the MHR system include, but are not limited to:

2.26      Section 70 of the MHR Act does not currently specify that a court order is required for the System Operator to use or disclose healthcare recipients' MHR information for law enforcement or related purposes.[31] Rather, the System Operator is authorised to disclose healthcare recipients' MHR information for law enforcement purposes where the System Operator has a reasonable belief that such disclosure is reasonably necessary for that purpose.[32]

2.27      Submitters and witnesses to the inquiry expressed their concern regarding the current law enforcement disclosure authorisations of the MHR Act.[33] This concern follows an equivalent concern raised by stakeholders at the commencement of the MHR system opt-out period.[34]

Bill's proposed amendments

2.28      The Bill proposes to amend the MHR Act to '...further limit the circumstances in which health information in a healthcare recipients' MHR may be collected, used or disclosed.'[35] Principally, the System Operator will no longer have the ability to disclose MHR information to law enforcement or government agencies without an order from a judicial officer.[36]

Proposed new subsection 65(3)—disclosure to independent oversight bodies

2.29      Item 10 of the Bill proposes to amend section 65 of the MHR Act by adding proposed new subsection 65(3). Proposed new subsection 65(3) specifies, and, in effect, limits, the laws which may authorise or require MHR system participants to collect, use, or disclose the health information contained in healthcare recipients' MHRs to those of independent oversight bodies.[37] The Department of Health explained:

Under the changes proposed to section 65, it would generally no longer be sufficient for a participant in the My Health Record system to rely on other state, territory or Commonwealth laws to access health information in a healthcare recipient’s My Health Record. The purpose of this amendment is to restrict, as far as is practicable and in accordance with good governance, the other laws that are able to require or authorise access to health information stored in the My Health Record system. State and territory laws will no longer be able to be relied upon to require or authorise access. Only a very limited range of Commonwealth laws will be able to require or authorise access to health information – that is, laws which are necessary for the proper administration and oversight of the system.[38]

2.30      Proposed new subsection 65(3) limits the laws which may authorise the collection, use or disclosure of health information to those specified by the subsection, that is: the MHR Act itself; the Auditor-General Act 1997; the Ombudsman Act 1976; and Commonwealth laws enabling the Information Commissioner to perform statutory functions with respect to the MHR system.[39] If entities which are not enabled by the laws specified in proposed new subsection 65(3) seek to access MHR information, they would need to do so under proposed new section 69A.[40]

2.31      The AHRC submitted that the Bill, by restricting the scope of section 65 of the MHR Act, would contribute to the better protection of privacy for individuals whose health information is held in the MHR system.[41] The OAIC supported the Bill's proposed amendment to section 65 of the MHR Act and noted the amendment '...provides certainty and transparency for individuals around which laws may authorise the collection, use, and disclosure of MHR information.'[42]

Proposed new sections 69A and 69B—disclosure to a designated entity and authorisation of judicial officers

2.32      Item 12 of the Bill proposes amending section 69 of the MHR Act to reflect Australian Government policy that '...My Health Record information will not be released to law enforcement agencies or government bodies without a court order.'[43] The Bill proposes two new sections, 69A and 69B, which, in effect, enshrine the Government's non-disclosure policy in the MHR Act.

2.33      In accordance with proposed new subsection 69A(5), a designated entity, as specified in proposed new subsection 69A(1), may apply to an authorised judicial officer for an order requiring the System Operator to disclose healthcare recipients' MHR information. A judicial officer may grant the order provided they are satisfied the designated entity:

2.34      Proposed new subsection 69A(8) would require that a judicial officer not make an order for a disclosure of MHR information if the designated entity applying for the order has not provided further information, if any, requested by the judicial officer regarding the grounds on which the order is being sought.

2.35      Proposed new section 69B sets out the arrangements for judicial officers to make orders under proposed new section 69A.[45]

2.36      The Bill proposes consequential amendments to section 70 of the MHR Act that remove the authorisations for the System Operator to disclose MHR information for law enforcement purposes from that section. New proposed section 69A provides for the '...significantly reduced form of this authorisation, with significantly strengthened privacy protections.'[46]

2.37      Under subsection 70(3) of the MHR Act, the System Operator remains authorised to disclose MHR information in circumstances where the System Operator has reason to suspect unlawful activity has occurred in relation to its functions and reasonably believes that disclosure is necessary to commence an investigation, or to report the concerns to the relevant entities. Proposed new subsection 70(3A) provides that, if the conditions of subsection 70(3) are met, the System Operator must only disclose a minimal amount of information to ensure proper consideration of the suspected unlawful activity.[47]

2.38      Submitters supported the Bill's proposed amendments to require the System Operator to disclose information to law enforcement and government agencies only in circumstances where a judicial officer makes an order requiring the disclosure.[48] The Australian Healthcare and Hospital Association submitted that the Bill '...appears to address community privacy concerns around the need for an appropriate judicial process to access information contained in an individual’s My Health Record.'[49]

2.39      The Australian Nursing and Midwifery Federation suggested that concerns regarding disclosure without a court order are addressed by the Bill's amendments.[50] The Australian Medical Association suggested that the controls proposed by the Bill's amendments to the MHR Act regarding information disclosure:

...are substantially tighter than the controls that apply under the Privacy Act 1988 (Cth) to patient data stored in the clinician’s own patient records. They also impose greater restrictions on the government’s and courts’ powers to require production than apply to data held by the patient outside the My Health Record system.[51]

2.40      Whilst welcoming the Bill's proposed amendments, the AHRC urged consideration of amending proposed paragraph 69A(6)(b) to require a judicial officer, in making an order under subsection 69A(6), to '...consider the effect of any release of information on other human rights, in addition to the right to privacy.'[52] The AHRC also recommended that proposed paragraph 69A(7)(a) be amended:

...to make it explicit that an order may only be made allowing disclosure of health information to an entity if that entity would, absent the operation of s 69A(2), have power to obtain information held in the My Health Record system.[53]

2.41      The Queensland Law Society (QLS) queried whether the Bill's proposed new section 69A is an appropriate remedy to concerns raised regarding the disclosure provisions of section 70 of the MHR Act. QLS suggested it is unclear whether '...an application would still need to be made under this section in circumstances where a body already requires a warrant (notwithstanding the current section 70) to obtain a person’s personal information'.[54]

2.42      The University of Melbourne noted that healthcare recipients' trust of disclosure provisions of the MHR system could be enhanced if, under proposed subsection 69A(4), the System Operator was required to notify a healthcare recipient if their MHR information had been disclosed under proposed new section 69A.[55]

2.43      The University of Sydney indicated there was a lack of clarity and potential concern regarding researchers' access to MHR information.[56] Research Australia noted that, under subsection 15(ma) of the MHR Act, the System Operator may prepare and provide de-identified data for research and public health purposes.[57] In May 2018, the Australian Government released the Framework to guide the secondary use of My Health Record system data which outlines how de-identified MHR information may be used for research purposes.[58]

2.44      Some submitters commented that the definition of a designated entity authorised to apply to a judicial officer for an order to disclose information in proposed section 69A is broad.[59] The Australian Federation of AIDS Organisations recommended that the designated entities authorised to apply for a court order to access MHR information be restricted to law enforcement agencies.[60] Future Wise proposed that access to MHR system documents by designated entities should occur with the knowledge of the primary author, wherever possible.[61]

Committee view

2.45      In the committee's view, the Bill's proposed amendments, to require an order of a judicial officer prior to the System Operator disclosing any MHR information to a law enforcement or government agency, are a significant enhancement to the privacy provisions of the MHR Act.

2.46      The committee notes the MHR system will store healthcare recipients' sensitive, and confidential, health information for the primary purpose of improving their health care. The committee considers it appropriate that healthcare recipients are afforded the assurance, as provided for in the Bill's proposed amendments, that their MHR information will not be disclosed for purposes unrelated to their healthcare without appropriate judicial oversight. The committee acknowledges the Bill's proposed amendments reflect current government policy not to disclose MHR information without a court order.[62] The committee notes that the current System Operator, the Australian Digital Health Agency (ADHA), has not, since its establishment in 2016, received a request for MHR information for law enforcement purposes, nor has the ADHA disclosed information for that purpose.[63]

2.47      The committee recognises the considerable expected benefits of the MHR system, and that healthcare recipients' confidence in the privacy provisions of the system is vital in ensuring the system's overall success. The committee commends the Bill's proposed amendments to sections 65, 69 and 70 to the MHR Act to strengthen the privacy provisions of the MHR system.

Other issues

2.48      Submitters and witnesses noted varying issues and concerns that, whilst not directly addressing the provisions of the Bill, are relevant to the broader operation of the MHR system. Some of those issues and concerns are noted in this section.

Opt-out provisions

2.49      Some submitters raised issues and concerns regarding the MHR system operating on an opt-out basis.[64] ACOSS noted its concerns regarding MHR health information potentially being used for non-health related purposes were 'heightened' given the MHR system's opt-out basis.[65] The Australian Association of Social Workers (AASW) submitted the opt-out period should be extended.[66]

2.50      Other submitters supported the MHR system's opt-out arrangements to maximise the expected health benefits of the system.[67]

Family violence and elder abuse concerns

2.51      Some submitters raised concerns that MHR information could be accessed by perpetrators of family violence and subsequently used to compromise the safety of people subject to that violence.[68] The Women's Legal Service NSW reported concern that perpetrators of family violence could use a child's MHR information to potentially reveal the location of victims in hiding.[69] The Law Council of Australia's submission considered matters related to parental access arrangements and noted, amongst other things:

2.52      The AASW strongly recommended:

...much greater consideration needs to be given to victims and survivors of family violence, including safeguards to assure that the record is not used to further perpetuate abuse.[71]

2.53      The QLS noted concerns regarding the potential abuse of older people, or people with a disability, by persons acting on behalf of, or purporting to act on behalf of, an older person when creating or accessing an MHR. Subsection 6(4) of the MHR Act enables the System Operator to determine the authorised representative of a healthcare recipient. QLS submitted that it is not currently clear what degree of verification must be performed by the System Operator when making a determination regarding an individual becoming an authorised representative for another person.[72]

Coerced consent and related matters

2.54      Whilst supporting the Bill's proposed amendments to the MHR Act, the Australian Lawyers Alliance expressed concern regarding:

...the inadequate measures in place to protect the medical records in the My Health database from ‘coercive sharing’, where individuals may be coerced into providing access to their medical records when applying for employment or seeking insurance products.[73]

2.55      Other witnesses provided evidence regarding related concerns for circumstances in which a healthcare recipient's MHR information could, potentially, be viewed by a health practitioner nominated by that recipient's employer or insurer.[74] The Law Council of Australia (LCA) recommended that the MHR Act be amended to '...create additional privacy for the health records of employees when accessed by employers.'[75]

Disclosures relating to threats to public health

2.56      Some submitters recommended that section 64(2) of the MHR Act be amended to require system participants to obtain an order from a judicial officer prior to using the provisions of that section to collect, use, or disclose MHR health information to lessen or prevent a threat to public health.[76]

2.57      Consumers of Mental Health WA recommended that the MHR Act be amended to require that healthcare recipients be notified as soon as practical after their MHR information had been used for emergency purposes under section 64.[77]

Committee view

2.58      The committee acknowledges the evidence provided by submitters and witnesses regarding the issues and concerns described in this section. The committee notes that these issues and concerns, whilst not directly applicable to the provisions of the Bill, are relevant to the effective operation of the MHR system.

2.59      The committee agreed to share evidence with its counterpart committee, the Senate Community Affairs References Committee (references committee), for the references committee's inquiry into the MHR system. The committee notes the matters discussed in this section will be examined in greater detail in the references committee's inquiry report.

2.60      The committee strongly believes the MHR system is a significant health policy reform, with the potential to benefit a large number of Australians through improved healthcare quality and health outcomes. The committee recognises that the national scale of the MHR system creates complexity in the design of the MHR system, and that the success of the MHR system significantly depends on the confidence Australians have in the system's capacity to protect their confidential health information. The committee commends the Bill's proposed amendments to the MHR Act that will, if passed, significantly strengthen the privacy provisions of the MHR System.

Recommendation 1

2.61      The committee recommends the Bill be passed.

Senator Lucy Gichuhi
Chair
