Using My Health Record

3.1        Throughout the inquiry, submitters and witnesses provided evidence which emphasised that My Health Records need to be usable for both healthcare recipients and healthcare providers if the My Health Record (MHR) system is to operate effectively.

3.2        A MHR will be created for every Australian by the end of 2018 unless they chose to opt-out.[1] Following a 'trigger' event, a healthcare recipient's MHR will commence being populated with health information. Unless a healthcare recipient has requested otherwise, the MHR system's default access controls will be applied to their MHR. These controls, in part, enable healthcare providers to access MHR information for the purpose of providing healthcare.

3.3        This chapter considers the population of healthcare recipients' MHRs with health information following a trigger event, and the default access settings that will be applied to those MHRs when created by the System Operator. The chapter considers healthcare providers' use of MHRs, and, in particular, the balance which exists between MHR information being usable in clinical settings and the privacy controls afforded to healthcare recipients.

Populating a MHR

3.4        When a registered healthcare recipient's MHR is created it will be empty.[2] A MHR will start to be populated with certain health information when a healthcare recipient first interacts with the health system, or when they first log on to the MHR system to access their record.[3] The Royal Australian College of General Practitioners (RACGP) described this activation of healthcare recipients empty MHRs as 'trigger events'.[4] Following a trigger event, two years' worth of a healthcare recipient's Medicare Benefits Schedule (MBS) and Pharmaceutical Benefits Scheme (PBS) data will be uploaded to their MHR, unless the recipient has applied a control that prevent this from occurring.[5]

3.5        The Australian Digital Health Agency (ADHA) outlined some of the health information which will be uploaded following a trigger event: 

...certain types of documents then start flowing into the record – medicine prescription and dispense records, hospital discharge summaries, pathology test results and diagnostic imaging reports, specialist letters, event summaries and a curated shared health summary by a consumer's GP. Medicare data such as the Australian Immunisation Register, Organ Donor Register and MBS/PBS data also go into the record.[6]

3.6        Some submitters raised concerns that many healthcare recipients are not aware of what the MHR system's trigger events for populating a MHR are.[7] Some submitters considered that healthcare recipients should have more notice before this data is uploaded. It was argued that more should be done to alert healthcare recipients to this.[8] For example, Dr Nathan Pinskier, Chair, Expert Committee – eHealth and Practice Systems, RACGP suggested that:

The consumer may not always be aware of that, so we believe that the system should be strengthened so that the consumer is made aware that when the trigger event occurs it's actually occurring: 'I see you have a shell record. I see that nothing's been uploaded to it yet. Sending up a shared health summary, an event summary, a pathology request—whatever—will create the trigger event.' A positive consent flag should then get entered into the system, and the consumer should be advised that they should log on to their My Health Record through MyGov and the consumer portal and consider whether they want to strengthen their controls.[9]

3.7        The Health Workers Union expressed concern that, following a trigger event, PBS and MBS data may be uploaded for people who may not have voluntarily registered for a MHR, or for people who do not have a level of digital literacy that would allow them to access their MHR to amend their default access controls to prevent the upload.[10]

3.8        The committee notes evidence from the ADHA that healthcare recipients' past health information, such as older tests and medical reports, will not be available in new MHRs.[11]

Default access controls

3.9        The MHR system's consumer privacy controls are mandated by the My Health Record Rule 2016, which, in part, specifies the default access controls applicable to MHRs when created by the System Operator.[12] The default access controls which must be enabled by the System Operator are as follows:

1. permit all registered healthcare provider organisations involved in the care of a registered healthcare recipient to access the healthcare recipient's My Health Record;
2. include an access list of the registered healthcare provider organisations that are permitted to access the healthcare recipient's My Health Record because the organisation is involved in the care of the registered healthcare recipient;
3. permit registered healthcare recipients to view the access list for their My Health Record;
4. remove a healthcare provider organisation from the access list for a healthcare recipient's My Health Record if the organisation has not accessed the healthcare recipient's My Health Record for a period of three years;
5. permit registered healthcare recipients to:
   1. effectively remove records from their My Health Record; and
   2. authorise the System Operator to restore records which have previously been effectively removed; and
6. permit registered healthcare provider organisations that uploaded records to a healthcare recipient's My Health Record to access those records, but only by request to the System Operator, if the healthcare provider organisation is no longer on the access list for the healthcare recipient's My Health Record.[13]

3.10      RACGP observed that the default access controls of a MHR '...effectively allow any healthcare provider with access to My Health Record to view, upload and download from a consumer's My Health Record for the purposes of providing healthcare.'[14] RACGP recommended that consumers be prompted to review their access controls on activation of their MHR.[15]

3.11      Submitters expressed concern that the level of access to MHR information enabled by the default access controls was too extensive. For example, Maurice Blackburn Lawyers submitted that whilst the default access settings allowing all registered MHR healthcare providers to access recipients' MHRs may have been appropriate in an opt-in system, '...the same cannot be said of an out-out system.'[16] The Australian Council of Trade Unions similarly suggested that, given the MHR system had transitioned from an opt-in to an opt-out system, the default access controls should provide greater protection to individuals who may not be aware that a MHR is being created for them.[17]

3.12      The NSW Privacy Commissioner urged further consideration be given to the default settings applied to MHRs:

Consideration should be given to altering the default settings to ensure that individual privacy is protected. Access to health information should remain limited until the individual record holder chooses to allow a healthcare provider to have access to their health information.[18]

3.13      Considering the impact the MHR system may have on vulnerable groups, the NSW Privacy Commissioner informed the committee that the setting of access controls will be central to managing the risk of inappropriate access to MHR information and, given this, default privacy settings should be set at the highest level.[19] Positive Life NSW (PLNSW) and National Association of People with HIV Australia (NAPWHA) explained sharing sensitive health information with all members of their healthcare teams via the default settings applied to MHRs would particularly effect people living with HIV, or people who inject or use drugs. PLNSW and NAPWHA suggested this could potentially expose people who may not have the capacity to adjust their MHR privacy settings to an unnecessary risk of disclosure.[20]

3.14      Similarly, the Federation of Ethnic Communities' Councils of Australia recommended:

...default settings for the MHR should be set at maximum security and privacy with a prompt that offers individuals the choice to allow for their health data to be shared with others including caregivers and medical professionals should they wish.[21]

3.15      Several other submitters expressed support for strengthening the default privacy settings applied to healthcare recipients' MHRs.[22]

3.16      Some submitters noted that MHRs included other privacy controls which were not enabled by default. For example, the Consumers Health Forum of Australia pointed out that healthcare recipients are able to set an access control so that they are notified when their MHR has been accessed, however this control is not applied by default.[23] The ADHA informed the committee that the notification control was active in 136 644 MHRs, as at 2 September 2018.[24]

3.17      To increase registered healthcare recipients' understanding of the MHR system's default access settings, and broader privacy implications and controls available, submitters and witnesses suggested that improved public information and education is necessary.[25] The need for better awareness of the MHR system's privacy implications are considered in further detail in Chapter 4.

Record access code

3.18      In response to the open nature of the MHR system's default access controls, some submitters suggested that the, currently optional, Record Access Code (RAC) control should be applied to healthcare recipients' MHRs by default.[26] Healthcare recipients are able to apply a RAC to the MHR to restrict a healthcare provider from accessing their MHR without a code managed by the recipient.[27] A 'limited access document control' can also be enabled by healthcare recipients to restrict healthcare providers' access to individual documents within their MHRs.[28] Ms Bettina McMahon, Chief Operating Officer, ADHA, informed the committee that, as at
2 September 2018, healthcare recipients had applied 16 848 RACs to their MHRs, and  4109 limited documents access codes.[29]

3.19      Some submitters suggested that the use of a RAC could provide security benefits. For example, Dr Robert Merkel suggested that by using a RAC a healthcare recipient could reduce the potential for unauthorised access to their MHR:

...you can set a PIN on your My Health Record so that any new healthcare provider who wants to see your My Health Record needs to ask you what your PIN is, but that's not compulsory, and in the opt-out trial of the My Health Record system only a very small percentage of people set a PIN. That means that, if a hacker got access to a doctor's log-in credentials, for instance, they would be able to access the My Health Record of the vast majority of people, because they hadn't set an access code. If instead having an access code was the default rather than the exception, the range of people whom that hacker would be able to get access to would be very much reduced.[30]

3.20      Mr Grahame Grieve, Principal, Health Intersections Pty Ltd, echoed the view that potential unauthorised access to the MHR information through a clinician portal could be negated through the use of a record code by default. However, Mr Grieve noted a potential side effect of this protection could be limitations to the accessibility of MHR information.[31]

3.21      The Australian Medical Association (AMA) expressed similar concerns:

A decision to impose maximum security settings as a default for all new My Health Records created by government under an opt out model, would mean all clinical information uploaded to the patient's My Health Record would remain invisible to the patient's treating healthcare providers unless the patient creates myGov account and opts into their Record to relax these privacy settings.  The opt in approach has demonstrably failed in Australia to achieve a critical mass adoption necessary to create a self-sustaining My Health Record System with all the potential clinical benefits it offers.[32]

3.22      The AMA suggested that the default application of record access codes to all MHRs would, in effect, cause the system to operate more on an opt-in basis.[33] RACGP suggested that there is a balance which exists between the two MHR system's privacy requirements and system utility.[34]

Committee view

3.23      The committee recognises that MHRs will contain sensitive and confidential health information. As such, it is the committee's view that the MHR system's default access controls, which significantly impact how healthcare recipients' MHR information is used, require further consideration. The committee notes that following the creation of a MHR record by the System Operator, a trigger event will cause significant health information to be uploaded to the record. The committee also notes registered healthcare recipients may not be aware that they can vary the access controls for their MHRs, or may not have the ability to readily change those controls.

3.24      Many submitters expressed concern that the default access controls applied to healthcare recipients MHRs are too 'open'. Submitters stressed that more restrictive access controls should be applied to MHRs. The committee acknowledges the evidence from some submitters that restricted access controls are important for protecting vulnerable groups. The committee found this evidence particularly compelling, and considers that the call for strengthened default access controls is justified.

Clinical use

3.25      After a healthcare recipient's MHR has been created, healthcare providers are able to commence using those records in the provision of healthcare, subject to the healthcare recipient's MHR access controls.

Access to patients' health information

3.26      MHRs have potentially significant clinical benefits through increasing clinicians' access to patients' health information to improve the quality of health care.[35] The AMA summarised some of the clinical benefits in its submission:

Many of the greatest failures in patient care and safety result when patients are required to move across the health system but their clinical information does not follow them.

The My Health Record (Record) has the potential to circumvent these limitations to ensure clinically important patient information is available at the point of care, irrespective of the health care setting and the location of the treating doctor.  The result is better connected care, reduced medical harm from avoidable medication complications and allergic reactions.[36]

3.27      Some submitters noted that an MHR could be a significant advance on the lack of information that practitioners may currently be contending with. Without an electronic health record, the AMA explained that emergency doctors are effectively 'flying blind' when treating the patient in front of them:

In plain terms, that's what they're doing, they're flying blind and they're giving medications... There are 230,000 medication events leading to hospitalisation in Australia every year, many due to lack of information.[37] 

3.28      The AMA also explained that for healthcare recipients who change doctors, it can be very difficult to obtain proper information about that patient.[38]

3.29      Only 61 per cent of general practitioners, and 79 per cent of pharmacists, who have used the MHR system reported '...one or more actual benefits from use.'[39] The most common benefit reported by general practitioners was the ability to view information about a patient which was previously unknown, and 29 per cent of pharmacists reported having avoided a potential adverse medicines event through having access to patients' MHR information.[40]   

3.30      The Royal Australian College of Physicians (RACP) highlighted the benefits of the MHR system's review function, which allows '...clinicians to read and review opinions and decisions made by other clinicians on the same patient'.[41] Whilst noting imperfections of the MHR system, RACP suggested the review functionally is an improvement to the current system where there can be complete lack of visibility for clinicians who are not the patient's main consulting clinician. RACP commented:

...the review and information repository functions are one of the key characteristics of MHR that makes it an important building block for better integrated care. Even though interactive functionality of the MHR is currently limited, having this infrastructure in place can be an important first step for adding more sophisticated functionality to the platform later.[42]

3.31      The benefits of improved access to clinical data through patients' MHRs may also assist patients in better understanding and engaging with their clinical care. As observed by the AMA:

Research indicates 40-80 per cent of medical information provided by healthcare practitioners is forgotten immediately by patients. If patients have access to their clinical data in their My Health Record, they are more likely to understand their health conditions, adhere to treatment advice and engage more actively with their treating clinicians in their ongoing care. This will also assist in increasing overall patient health literacy which will improve long term health outcomes and indeed improve prevention and education activities.[43]

3.32      The Australian Healthcare and Hospitals Association submitted that MHRs, with active use and updating, have the potential to be very empowering for both clinicians and patients.[44]

Issues

3.33      Submitters to the inquiry raised concerns regarding the utility of the MHR system in clinical settings.

Information comprehensiveness

3.34      A concern frequently raised by submitters was the issue of how comprehensive the information in healthcare recipients' MHRs will be, and the potential consequences of incomplete information in clinical settings. MHRs are designed to be personally controlled by healthcare recipients. This means that they can effectively hide or remove clinical records from their MHR. Submitters noted that the personally controlled nature of the record contains an inherent limitation, in that a MHR can only be considered a component or summary of a person's broader health information.[45]

3.35      The RACP submitted that the usefulness of the MHR system will ultimately depend on the quality and comprehensiveness of the information uploaded. RACP explained the elements of information comprehensiveness and the risks to patient safety that could arise from the potential incompleteness of patient records:

There are two dimensions to comprehensiveness. There is firstly the extent of coverage of the MHR (of both patients and clinicians). Secondly there is the question of the completeness of the patient record. However, there will realistically be limits on this comprehensiveness because some people may choose to opt-out. In addition, under current provisions, people are also able to limit which healthcare provider organisations can access their MHR or restrict access to selected part of their record. These choices must be respected as a matter of patient autonomy. However, the possible incompleteness of the patient record introduces some risks to patient safety if clinicians treat it as a complete record and use it as a substitute for having an appropriate conversation with the patient or pursuing further investigations as required.[46]

3.36      Some submitters expressed concern that the MHR system's privacy controls available to registered healthcare recipients could adversely impact the completeness of their MHR. For example, the Australian Psychological Society (APS) submitted:

The reliability of health information held in MHR is further reduced by inconsistent approaches to uploading health information by providers and the ability for consumers to remove or restrict access to important information. There is currently no requirement for health providers to upload all clinical information to the MHR. Thus, a person's MHR may omit significant amounts of relevant information. This means that even in an emergency, treating practitioners cannot rely on the information contained in a MHR when making clinical decisions.[47]

3.37      The AMA NSW, whilst acknowledging that patients have the fundamental right to determine what health information is included in their MHR and who can access it, suggested that a patient-controlled electronic system may lead to omissions of information which may undermine the usefulness of MHRs.[48] The University of Melbourne echoed this view, noting that whilst the privacy rationale for general practitioners' uploading of health information to MHRs only with patients' explicit consent is clear, incomplete information in MHRs is an inhibitor to the clinical utility of those records.[49]

3.38      A number of other submitters noted that if an MHR is incomplete or out of date, the record's utility as a clinical tool is reduced.[50] Mr Paul Shetler, the former head of the Digital Transformation Office, questioned whether MHRs were being regularly updated. Based on a briefing he received in 2015, Mr Shetler told the committee that only a minority of healthcare recipients actually updated their records:

Of the 10 per cent of the Australians who had My Health Record, 10 per cent of them were having their health records updated with any kind of regularity. That was one per cent of the population[51]

Interface issues

3.39      To access the MHR system through a clinical information system (CIS), health providers need to:

• be using conformant software which has a secure and encrypted connection to the My Health Record system;
• be authorised to access the system by the healthcare provider organisation; and
• be providing healthcare to a patient of the practice who has had a record created on the local Clinical Information System (with patient name, Medicare card number, date of birth and gender as part of the local record).[52]

3.40      The ADHA noted that healthcare provider organisations must be registered to access the MHR system, and indicated it was important providers use up-to-date version of their CIS.[53] 

3.41      Some submitters noted that the software currently used by clinicians may not be well-integrated with the MHR interface and that this may lead to information gaps in MHRs. For example, the APS said in its submission:

Currently, psychologists are unable to write data to the MHR as the MHR interface is not compliant with the practice software for psychologists. This means that essential health information will not be included in a person's MHR. The absence of this important health information dilutes the continuity of care for consumers and reduces the reliability of MHR.[54]

3.42      The RACGP noted a similar concern that if a CIS used in a general practice was not the latest version, then the MHRs functions may not fully integrate with their CIS. RACGP noted that such compatibility challenges pose significant barrier to adopting the MHR.[55]

3.43      Dr Andrew Magennis, a general practitioner with extensive experience in medical software, noted that the MHR system is currently operating as a document management system, which, on viewing by a clinician, presents a list of documents which the clinician then has to open to determine contents and repeat this process with other documents until an understanding of the health context is determined.[56] This view aligned with that of an individual submitter, who noted that there does not appear a way for the data from a health-related document in their MHR can be summarised for the use of healthcare professionals.[57]

3.44      The Australian Privacy Foundation was particularly critical of the document management capability in MHRs and suggested little clinically useful data would be included.[58]

Break glass (override functionality)

3.45      Some submitters noted that access codes could inhibit practitioners from accessing information that could be clinically necessary. For that reason, MHR includes a 'break glass' feature that allows practitioners who are in emergency situations and need to access the information to do so.

3.46      The break glass functionality will, in an emergency situation, allow a healthcare provider to access the record or documents which a healthcare recipient had applied an access code to. The ADHA, the current System Operator, submitted that each break glass event would be investigated.[59]

3.47      Consumers of Mental Health WA observed that provisions are not made to restrict which health professionals can use the break glass function.[60] Multiple Sclerosis Australia noted that healthcare recipients can elect to receive a message or email when the break glass function had been used.[61]Dr Donald Rose, Summerdale Medical Practice, considered that the inability for healthcare recipients to block the break glass function from overriding a record access control is a major system flaw.[62]

Additional administration and costs for healthcare providers

3.48      Some submitters expressed concern that the MHR system may lead to additional work that would be passed on to the healthcare provider, or that the provider would not be appropriately remunerated for the additional work that the MHR system requires. For example, MIGA commented that excessive administrative and time burdens can pose challenges for health providers using the MHR system:

...the investments needed by practitioners and healthcare organisations in time, finances and understanding to use My Health Record effectively are significant.  The capacity to do this varies significantly across professionals and locations.[63]

3.49      The Royal Australian and New Zealand College of Radiologists (RANZCR) noted that, at present, only a small number of radiologists are uploading clinical radiologists reports to MHRs and that this was due, in part, to costs.[64] RANZCR argued that, due to radiology providers treating a large number of patients, the '...administrative costs associated with digital health, while relatively minor per patient, can become burdensome and costly in aggregate.'[65] 

3.50      The Law Council of Australia (LCA) suggested that healthcare providers who assist patients with their MHR registration may not be able to bill Medicare for that time, and was conscious that, for some providers, MHRs could be perceived as a burden on their limited consulting time.[66] The LCA recommended:

The Inquiry consult further with health practitioners about assisting patients with their MHR in a way that provides health practitioners with reasonable remuneration for their expertise and time to do so.[67]

3.51      Currently, the Practice Incentives Program (PIP) eHealth Incentive program provides financial incentives for general Practitioners who meet set targets for uploading shared health summaries to healthcare recipients' MHRs.[68] The PIP eHealth Incentive program does not, however, provide incentives for general practitioners to update healthcare recipients' MHR information.[69] Submitters noted that a similar incentive program is not in place for other health professions.[70] RACP recommended that provider readiness incentives should be provided to hospital and community-based specialist physicians.[71]

3.52      The Australian Association of Social Workers also expressed concern that the implementation of the MHR system may create a financial burden for accredited mental health social workers:

...the [Australian Association of Social Workers] shares the concerns of other allied Health professions that the cost of conformant software is prohibitive, especially for Accredited Mental Health social workers who are mainly in practice as sole operators or as part of small practices. Compared with the situation of general practices and other health services, social workers in private practice face significant financial burden in participating in My Health Record.

Committee view

3.53      The committee recognises that access to patient information is currently problematic for healthcare providers in clinical settings and that poor information can cause serious adverse impacts for patients' healthcare. In the committee's view, the MHR system provides an improvement to the information currently available to healthcare providers, which should improve the quality of care provided to healthcare recipients. The committee notes that some submitters anticipate MHRs will provide healthcare recipients with a better understanding of, and engagement with, their clinical care. The committee considers that MHRs, if managed correctly, can empower both healthcare providers and healthcare recipients.

3.54      However, the committee strongly believes that realising the benefits of MHRs in clinical use will involve overcoming some widespread issues. For example, the comprehensiveness of healthcare recipients' MHR information was a concern raised by many submitters during the inquiry. Healthcare providers submitted that, whilst healthcare recipients have a fundamental right to determine how their information is used, recipients using increased privacy controls in their MHRs can make providers' access, and contribution to, their MHR information difficult. Submitters stated that incomplete information in healthcare recipients' MHRs will reduce the clinical utility of those records.

3.55      Healthcare providers have also reported experiencing difficulty in accessing MHR information through their clinical information systems. Some submitters were concerned that healthcare providers face an administrative and cost burden in engaging with the MHR system. The committee believes that such issues could undermine the efficiency of the MHR system, and that the System Operator should take a lead role in investigating these issues. Where necessary, the System Operator should develop solutions which maximise the MHR system's benefits.

Navigation: Previous Page | Contents | Next Page