You Probably Want to Opt-Out of My Health Record

My Health Record (MHR) is, simply put, a huge mess of privacy concerns already happening. Designed, according to its website, as a ‘secure’ “online summary of your key health information”, this not-particularly-widely-advertised new service is awash with a multitude of privacy concerns, particularly relevant to trans people! I mean, there have already been 9 - 9! - data breaches and the thing isn’t even technically going yet! Let’s break down all the ways it’s terrible.

Information Collection
So the MHR is essentially a database designed to ‘securely’ store and manage your private health information - which includes prescriptions, diagnoses, test results, Medicare claims, and any information your healthcare professionals choose to upload (something we’ll be coming back to a couple of times). It can be accessed by anyone, without individual consent, with access to either clinical software somewhere you have a patient record (eg. any place you’ve been to where you’ve filled out an intake form), or through the National Provider Portal (NPP) using your surname, date of birth, ‘sex’, and Medicare number/Department of Veterans’ Affairs number/Individual Healthcare Identifier. (That’s the information on the MHR website; Tom Ballantyne, from Maurice Blackburn Lawyers, is quoted as saying just an Individual Health Identifier or Medicare number.)

The past two years of Medicare data is automatically uploaded, which includes all Medicare and Pharmaceutical Benefits Scheme (PBS) information, Medicare and Repatriation Schedule of Pharmaceutical Benefits (RPBS) information stored by the Department of Veterans’ Affairs (DVA), organ donation decisions, and immunisations - so, the past two years of every claimed healthcare appointment, the past two years of your discounted prescriptions, organ donation decisions, and the past two years of your immunisation history. Already, that’s three areas (claimed appointments, prescription history, immunisation history) in which you can be potentially outed to anyone that accesses the record. I’d like to stress that this isn’t just doctors and specialists - pharmacists, carers, pathology labs, in some cases parents (more on that in a bit), even potentially employers. Anything else can be added and viewed at the discretion of individual healthcare professionals.

About that. The way MHR is being sold as a solution for “safer, faster and more efficient care for you and your family”, which “could save lives in emergencies by providing health workers with information about drug allergies, medications, and medical history”. Minister Hunt said that MHR was designed to address the problem of “fragmented” patient information.

MHR, however, is “not a clinically-reliable medical record” - the Office of the Australian Information Commissioner (OAIC) points out that the “system contains an online summary of a patient’s key health information; not a complete record of their clinical history”. There’s no guarantee that it’s up to date - and as information added is up to the judgement of individual people, and MHR itself advises that you can ask your doctor to refrain from adding information regarding “sensitive clinical conditions”, there’s also no guarantee that the ‘key’ information is on there. A June 2018 poll running on the AMA’s Doctors Portal revealed that 76% of respondents think the MHR will not improve patient outcomes - and only 12% disagree.

The proposed (in)efficacy of MHR is not, however, our main focus. That would be the many, many ways in which your information is insecure.

Who can access your MHR, exactly? Well, that’s the thing. I’ve mentioned that it’s not just your GP and your specialists - it’s any registered health care professional, anyone registered with the My Health Record System Operator, anyone that works for an organisation which is a registered with the My Health Record System Operator, and anyone with access to the conformant software containing an authenticated digital certificate.

This can include your receptionist, your pharmacist, whoever is handling your pathology tests and X-rays, Centrelink (as the MHR is linked to your mygov account), etc.

If you’re not particularly into that, you can, of course, opt out of having a MHR (until 15 November), ask your doctor to refrain from recording information, or adjust the privacy controls on the account - but there are issues there too! Not least being that some people are reporting that records have already (illegally) been created for them without their consent. Currently, police/government agencies can access your record without a warrant. Bowing to public pressure, Minister Hunt proposed a bill in the lower house last Wednesday (22 August) with the intention of revoking the free access of the latter institutions, but there’s no way to determine how long it will take to pass, or indeed, how long it will take to be enacted.

For a while parents and guardians have been barred from access to your Medicare records from when you turn 14, in order to allow young people confidentiality and privacy and all of that jazz we’re super about. MHR, however, automatically allows your parents/guardians access to everything else in the record until you reach 18. While they still can’t see your Medicare and PBS data, they’ll be able to see a doctors’ summary and any test results - for example, an STI test. This can be adjusted, as noted above, but places the responsibility on young people, who might not know their information is insecure in this way, or be practiced in advocating for themselves.

National unions have been advising members to opt out due to the uncertainty regarding “potential for employers to gain access to the private health data of workers”. The concern is twofold: first, that employer doctors have the ability to access and pass on your information, and second, that this is not strictly prosecutable under the Healthcare Identifiers Act 2010. Ballantyne (the lawyer I mentioned earlier) is quoted in the SMH as saying, “we don't have clarity and there is ongoing confusion and that in itself is an enormous concern”. The SMH also quotes Peter A. Clarke, a barrister with a “special interest” in privacy, “the government shouldn’t have too much comfort in section 14(2) in providing real protection… there is a significant likelihood of unintended consequences bringing on disastrous results in the future. It was a dud Act in 2012. It is not getting better with time.”

The bill Minister Hunt presented on the 22nd has also been criticised as being unclear and open to challenge.

There’s also a concern - quite a significant one - that MHR will be affected by current issues regarding patient privacy. Specifically, the vulnerability of patient information due to things like the culture of open computers and shared logins in many organisations. A Victorian nurse interviewed by ABC said that, “where I work, it's easy to access pathology, medical imaging and medical records without identifying yourself”. A retired NSW nurse added that in previous workplaces, generic passwords were used, sometimes taped to computers.

Dr Daya Sharma, a Sydney surgeon, said that, while “it's unethical and illegal to access someone's records in that way, but if you have a centralised database ... you've got more potential for people to abuse that right,” adding that, “if you had a jilted ex or somebody who wanted to take revenge on someone, or a domestic violence situation — it's not inconceivable.”

Data security
The majority of newsprint, however, has been expended on the digital security problems inherent in the MHR system. Best practice in data protection, as with most things, requires you to be fully informed and explicitly consenting. MHR presumes consent with an ‘opt-out’ model, which puts the burden on the individual to self-educate.

Once a record is created, the privacy settings default to non-secure. While it can be strengthened - shutting out parents/guardians, restricting access to documents and providers - it’s complicated and tedious. Access to documents and providers, for instance, is controlled by individually setting PIN codes for each document and provider. And while you can choose to be notified every time someone accesses your record, only the institution name will be recorded. According to the Australian Digital Health Agency (ADHA), “fewer than 2 out of every 1000 individuals registered” have changed their privacy tools.

In terms of hacking - yeah, I know - health information is pretty attractive. According to Criminology lecturer Cassandra Cross at QUT, it can be used for identity fraud and theft, blackmail, and extortion. And that’s not theoretical - in July 1.5 million Singaporeans had health data stolen, which “reportedly” also happened to 80,000 Canadian care home residents who were “then held to ransom”. In Australia, “at least” 75 people had their Medicare details sold online, and Family Planning NSW had a booking system breach which “exposed client data of those who had contacted the organisation within the past two and a half years”.

Data storage
Another issue - big enough that it concerns one of the changes announced by Hunt - is the deletion of data. In the original plans, once you were in, that was it - your data was there forever. Now that’s been updated to ‘of course we’ll modify the system to allow us to delete things’, but that’s not as one-step as it sounds. Not only are systems like this designed for retention, but in general, deleting stuff permanently from IT systems is pretty hard.

There’s not a lot of information out there about the set up of the MHR system (other than that the system it’s based on is terrible), but the way it usually works - according to Robert Merkel, a lecturer in software engineering at Monash - is that ‘deleting’ a recording is less like binning a piece of paper, and more like writing ‘this is in the bin now’ in the corner. The underlying record still exists in the database, so that if the deletion was a mistake or the result of an error or bug, they can get it back relatively easily.

If they do fully delete the entire file from the system, the files will still exist on backups. As Merkel says, “if the backups are left unaltered, we might wonder in what circumstances the information in those backups would be made accessible. If…[the] backups are…modified to permit deletion, those archival backups are at high risk of other modifications … [which] would defeat the purpose of having trusted archival backups.”

Third party access and de-identification problems
So one of the deals with MHR is that the information within it is going to be sold to third party apps - defined as “external health apps” - for… reasons? What the government have said is that data will be made available for “public health and research purposes”. But, as mentioned, ‘third party apps’ also includes health apps and systems, like HealthEngine, which was exposed in June by the ABC for selling patients’ private medical information to “law firms seeking clients for personal injury claims”. Supposedly, this will be fine because the information will be de-identified, which is what it sounds like - the information shouldn’t be able to be linked back to anyone. But, surprise! The government is bad at this. In 2016, they released a ‘de-identified’ data set for a bunch of people covering a thirty year period, and IT researchers at Melbourne University re-identified it pretty quickly. Additionally, the ADHA (Australian Digital Health Agency, who are one of the agencies that runs MHR) itself published a report on how bad the privacy policies are on mental health apps - aka external health apps. But it’s fine! It’s fine. We should definitely trust the government because they told us to, and that’s the most important thing. Right?

To opt out head to before November 15, or come to Ygender’s ‘Opt Out of myhealthrecord Day!’ ( on the 13th of October.