Thread.
Trawling back through old policy papers on My Health Record shows a slow-moving train wreck. 1/n
Trawling back through old policy papers on My Health Record shows a slow-moving train wreck. 1/n
2/n. Health policy professionals knew that an opt-out system for My Health Record was unpopular. However, they supported it anyway because the existing opt-in system was generating so few records.
3/n. This Deeble Institute for Health Policy Research paper from 2015 is a good example. (The Deeble Institute is the in-house research arm of the Australian Healthcare and Hospitals Association (AHHA).) 
4. The problem that My Health tried to solve was the low opt-in rates for the old PCEHR system inherited from Labor
5. The expert view was that "only ‘a fully
distributed and shareable clinical record’ is the appropriate course of action" (Glance 2015).
distributed and shareable clinical record’ is the appropriate course of action" (Glance 2015).
6. However, and this is back in 2015, " Wilson (2015) argues the current system’s ‘security and privacy safeguards are not up to scratch’ and do not instil the needed consumer confidence to halt consumers opting‐out of My Health Record." Hmmmm.
7. The Deeble Institute papers points out that "any move toward an opt‐out system will also need to address low levels of public support." In other words, they knew it wasn't popular.
8. That survey showing only 27% of participants supported an opt-out system is from this paper in 2014 ncbi.nlm.nih.gov/pubmed/24754689
9. IT expert Steve Wilson was warning about the inherent risks of opt-out in 2015 itnews.com.au/blogentry/why-…
10. As Wilson pointed out, "the Government is asking the community to trust it to hold essentially all medical records."
"Are the PCEHR's security and privacy safeguards up to scratch to take on this grave responsibility?" he asked. "No."
"Are the PCEHR's security and privacy safeguards up to scratch to take on this grave responsibility?" he asked. "No."
11. Firstly, Wilson pointed out the existing system had poor security controls and a bad track record of security breaches. This was reported as fas back as 2013 pulseitmagazine.com.au/index.php?opti…
12. But, more fundamentally, Wilson argued "you simply cannot invert the consent model as if it's a switch in the software." It would inevitably involve massive privacy problems.
13. As Wilson observed, and this is the nub of the crisis, "a default opt-out policy embodies a position that the scheme operator believes it knows best, and is prepared to make the decision to participate on behalf of all individuals."
14. If the government went ahead with opt-out, Wilson concluded, "it would be an amazing breach of the public's trust in the healthcare system."
15. Let us turn to the Evaluation of the Participation Trials for the My Health Record, carried out for the government in 2016 by Siggins Miller
16. Buried deep in this report, we find some fascinating results. Most importantly, it tells us about the government's trial of the My Health Record opt-out
17. Most people would not be aware that the government has already trialled a My Health Record opt-out for nearly 1 million Australians. "971,245 My Health Records were automatically created as part of the opt-out trials."
18. This was because the government did a terrible job of explaining the My Health Record trial. "The initial communication strategy for the opt-out sites (a letter and brochure to all individuals) was poorly
recalled."
recalled."
19. Siggins Miller embarked on an individual survey of My Health Record trial participants. This table here should have run alarm bells for the ADHA, if they were listening.
20. "Overall, individual survey respondents were ‘unsure’ or ‘not confident’ in the ability of the My Health Record system to keep their information confidential and secure, with just over a third of the respondents indicating that they were ‘confident’ or ‘really confident."
21. Elsewhere, the evaluation reiterates that "concerns about privacy and confidentiality of the My Health Record and its security against external threats was relatively high."
22. I should note that the Evaluation also found that once participants were informed of My Health Record privacy protections, some of their fears were allayed. But, one imagines this would have been the ADHA line on privacy, which has been partial and incomplete at best.
23. This was the finding that many in the health sector seized upon as justifying the opt-out system, eg. this media release by the AMA last year ama.com.au/ausmed/my-heal…
24. But how robust was this finding? This is the "fact sheet" that the ADHA publishes on privacy and security myhealthrecord.gov.au/sites/g/files/…
25. For instance, as many have pointed out, there is no mention anywhere in this fact sheet that the police and Centrelink can gain access to your My Health Record without a warrant
26. The fact sheet contains a reference to the My Health Record legislation, but IMHO it gives a rather misleading description of the legislation
27. How many health consumers would understand what is meant by the sentence "External software goes through a
conformance process before it is allowed to connect to the My Health Record system"? I'm not sure I do.
conformance process before it is allowed to connect to the My Health Record system"? I'm not sure I do.
Taking a break now, but I'll take the thread back up later this afternoon
28. Thanks to some good FOI work from @joshuabadge at @crikey_news, we now have a copy of the consultation report detailing submissions to the ADHA about My Health Record
29. And, surprise! surprise!, an ongoing theme of the submissions was privacy and data security. "For those submissions providing conditional support, privacy and security of patient information was
of highest concern to stakeholders."
of highest concern to stakeholders."
30. Good communication and appropriate privacy and security safeguards were highlighted in the report obtained by Crikey
31. As Badge notes in his Crikey piece, "The Health Department and ADHA have been aware of the issues surrounding an opt-out e-health system for years. Why was the report never published?"
32. Joshua Badge's article on the botched My Halth Record consultation in Crikey is here: crikey.com.au/2018/07/26/my-…
33. Moving on to some end-user issues with My Heath Record now. There are some massive issues here.
34. Some of you may have heard that '900,000 health professionals' will have access to your My Health record, once created, as per this article in Fairfax. smh.com.au/technology/bre…
35. It probably won't be this many initially. Sign-up for practitioners using My Health Record data has been slow. Why? Irony of ironies, *they don't have to sign up*.
Yep, that's right. For doctors and health professionals, MHR is opt-in.
Yep, that's right. For doctors and health professionals, MHR is opt-in.
36. If a GP wants to start using MHR data in their practice, they will have to opt-in, by signing up to through the MHR provider portal
37. I really don't think the general public realises that, while *they* will automatically get a My Health Record if they don't opt-out, hospitals and doctors don't have to use the MHR system, unless they opt-in
38. Of course, once doctors and other health practitioners do sign their practices up for MHR, obviously that information will then be available to the MHR system - and for access by third parties such as the police, Home Affairs, Centrelink and ATO
39. Some doctors have already warned about this, for instance Queensland doctor Trent Yarwood. yarwood.id.au/myhr-digest
40. “I don’t think a lot of doctors understand that medical records they upload to MHR in good faith ... could potentially be used against people for administrative reasons," Dr Yarwood told Fairfax's Ben Grubb and Jenny Duke.
41. We're talking about authorised data disclosure here, for instance by the ADHA to immigration officials. But there is an equally big problem of data security.
42. The vast scope of the MHR end-user population almost inevitably means there will be data breaches. MHR data will be available to thousands of hospitals and GP clinics, as well as pharmacies and dentists
43. There have already been plenty of security breaches by health providers. Earlier this year the Privacy Commissioner stated that in just 5 weeks, it had received notice of breaches from 15 health service providers affecting a total of 119 individuals. oaic.gov.au/media-and-spee…
44. Yarwood points out that unauthorised access to MHR data is all too likely -- whether it be curious health practitioners, malicious hackers, or simply someone looking over someone's shoulder
In my next round of posts I'll look at some of the other policy aspects of MHR, including its medical efficacy, and provide some links to those supporting the opt-out system. But for now I have to do some work.
