Everyone will be different, but you need to decide whether My Health Record is for you.
The Federal Government’s My Health Record has sparked healthy debate among many Australians, and has encouraged the community to engage in deep discussions around the privacy impacts associated with having a digital health record. Millions of Australians have sifted through large amounts of information in the search for a definitive answer on whether a digital health record is a good or a bad thing.
With the opt out period for automatic creation of a My Health Record expiring at midnight tonight, The Australian Data Privacy Certification Register has decided to present both sides of the argument, to help you decide whether a My Health Record is suitable for you.
Privacy experts remain concerned about the privacy and security of the data, while health professionals are prompting Australians to allow record creation and to trust the scheme, both for convenience and so that it can be accessed in an emergency.
Remember, it’s your choice to have a My Health Record. You should critically assess whether a digital health record meets your needs, and whether you’re comfortable with the privacy protections in place. We understand that for some Australians, the My Health Record will be of benefit to them - while for others, it won’t have any material impact on how they receive their healthcare.
The case FOR NOT opting out of My Health Record
The case for allowing automatic creation of a My Health Record has largely been led by key members of the healthcare industry. The security and integrity of the My Health Record system has been largely improved since it was first introduced to Australians.
A digital health record can be valuable when you’re comfortable in the knowledge that the information on your record is current and accurate. The record gives health care professionals fast access to information on your medications and allergies, immunisations, history of hospital and GP care, reports, and care plans which can be valuable in an emergency.
The creation of a My Health Record also gives users the opportunity to better understand their health care, with easier access to information that allows for more informed decision making.
The Australian Digital Health Agency has clarified the rules around police access to records in a fact sheet, noting that they have not (and will not) release any documents without a court, coronial or similar order.
Newly introduced privacy tools and controls can restrict the data made available, including a feature which allows only those persons with the record access code to be able to view the data. This does require extra set up via the My Health Record system in MyGov, but is an important privacy protection worth investigating.
Users can now also add restrictions to the information that health care professionals can see, and can also restrict access to documents. You can remove clinical and Medicare documents from your My Health Record. This means that healthcare providers won’t be able to access these clinical documents, even in an emergency. If you change your mind, or remove a document by mistake, you can restore it.
The My Health Record can now also be deleted at any point in your life, meaning that if you no longer find it useful, or if it isn’t providing any value to your healthcare, you can request deletion.
The My Health Record may be used to provide insight into Australia’s health system and the services being provided, to improve health outcomes for patients. This access can be revoked via the My Health Record System in MyGov.
The case FOR opting out of My Health Record
Privacy experts have been vocal in warning Australians about the privacy risks associated with the creation of a digital health record. Many of these concerns have been addressed in subsequent updates to relevant legislation, however there are still some major concerns around the privacy protections in place, and the accuracy of the information available to health care professionals.
One of the primary concerns around the My Health Record is that multiple health agencies and doctors are able to access information without your explicit consent.
Sole practitioner health professionals are considered ‘organisations’ under current legislation, meaning the access-logging system fails to track the individual staff members accessing the data, posing a security risk.
Health industry insiders have revealed that passwords and credentials are commonly shared among staff throughout Australian hospitals to save time during an emergency. This practice threatens the integrity of the audit system, and allows unauthorised individuals to access a patient’s My Health Record using another practitioner’s credentials.
Today it was revealed by The Advertiser that ambulance paramedics can’t access your record – and they’re the people most likely to need to know if you have a pre-existing issue or deadly allergy.
Data from the My Health Record can be distributed among researchers as long as names and other identifying information are removed first. The de-identification process is not fool-proof though. Using other details, such as the individual’s birth year or information about a previous surgery, researchers have been able to link data back to the original patient, as Dr Teague of the University of Melbourne has discovered.
A paper created by the Office of the Australian Information Commissioner, titled “Handling personal information in the My Health Record system”, identifies that the record contains only an ‘online summary of a patient’s key health information; not a complete record of their clinical history’. In emergency situations, the My Health Record is therefore not an accurate source that medical professionals could turn to.
Health data breaches are increasing in Australia and overseas. Health records are rich in data and valued highly in identity theft instances, making them highly sought after on the Dark Web.
The Sydney Morning Herald has recently reported that the My Health Record system had experienced 42 data breaches in 2018. While some will argue that these breaches aren’t of concern, as they don't involve cyber criminals that have hacked the system to extract information, human error and data mishandling can be just as dangerous.
Singapore’s digital health record has been breached on multiple occasions since its inception – adding to the concerns of privacy professionals about an Australian iteration.
In late December 2018, SBS reported data mistakes that saw the wrong information being entered onto the wrong records. One of the errors reported involved a child being assigned to the wrong guardian.
My Health Record allows external health apps access to your data. Consent is required from each person before this occurs, however consent is often obtained by simply signing up to an app or website and agreeing to the terms and conditions. The Australian Financial reported that HealthEngine was selling patient information to law firms in the pursuit of legal claims, and the Australian Digital Health Agency published a report about the inadequate privacy policies of mental health apps, yet these apps might be authorised to access your My Health Record data with your consent.
Finally, making the My Health Record an opt-out system goes against the Office of the Australian Information Commissioner guidelines on the sort of consent necessary for use of personal and sensitive information. According to those guidelines, consent should “… ensure that an individual is properly and clearly informed about how their personal information will be handled, so they can decide whether to give consent”. These definitions are tightened for sensitive information, noting that organisations should “… seek express consent from an individual before handling the individual’s sensitive information, given the greater privacy impact this could have.” The lack of consideration afforded to this key concept, which is also a global privacy best practice, is concerning.
Stronger privacy measures may come in the future. If you decide later that you would like a My Health Record, you can re-register for one at any time.
Now is the time to decide whether My Health Record is for you.
If you would like to opt out of having a My Health Record automatically created for you, you will need to do so before midnight tonight via the official website: https://www.myhealthrecord.gov.au/for-you-your-family/opt-out-my-health-record. You can also call the helpline on 1800 723 471. You can find the current wait times for the helpline here. If you experience any issues opting out, you can elect to have the automatically created record deleted from February 01 2019.
If you believe a My Health Record could be beneficial to you and your family, you do not have to take any action, as one will be automatically created for you.