The federal government has revealed amendments to the My Health Record service that it says “strengthen its already robust privacy framework” following the launch of a senate inquiry last week.
The My Health Record Amendment (Strengthening Privacy) Bill 2018 was introduced to the Parliament on Wednesday morning by Health Minister Greg Hunt, a day after offering his resignation following his support of former home affairs minister Peter Dutton in the Liberal Party leadership spill.
Mr Hunt said that through the amendments law enforcement and agencies required to obtain a warrant before they can access information stored on MHR. The changes also require the Australian Digital Health Agency – the operator of the MHR – to permanently delete any data if a user cancels their account.
“This government has listened to the recent concerns and in order to provide additional reassurance is looking to address them in this bill. These legislative changes reinforce the existing privacy controls the system already gives to each individual over their information,” Mr Hunt told the Parliament.
The bill makes amendments to the My Health Record Act 2012 to “strengthen the privacy framework of the My Health Record system”.
It removed the ability for the ADHA to “disclose health information in My Health Records to law enforcement agencies and government agencies without an order by a judicial officer or the healthcare recipient’s consent”.
“Since the opt-out period began, concerns have been expressed by some healthcare recipients, privacy advocates and some peak healthcare bodies that the MHR Act authorises the release of information to law enforcement agencies and other government bodies,” the explanatory memorandum said.
“The safeguards that apply to a healthcare recipient’s My Health Record will be strengthened by this bill, effectively providing that health information can only be collected, used or disclosed for healthcare purposes, with the healthcare recipient’s consent, in response to a court order or an order by a judicial officer, to respond to public health or safety threats, for medical indemnity claims or in order to operate the My Health Record system.”
Agencies or state or territory authorities will have to apply to a judicial officer for an order to disclose health information from MHR, and the officer must be satisfied that the disclosure is “reasonably necessary for the body to carry out its functions and will not “unreasonably interfere” with the user’s privacy.
The order must identify the individual, what information will be disclosed, the purpose for the disclosure and must not last for more than six months.
“While this authorisation is no longer limited to enforcement bodies, it removes any doubt that government bodies (except the Auditor-General, Ombudsman or Information Commissioner which are authorised under section 65) and law enforcement agencies can only obtain My Health Record information using an order by a judicial officer,” the government said.
Unauthorised disclosure of the health information will be met with imprisonment of up to two years and a maximum fine of $126,000 for an individual and $630,000 for a company.
It also requires the ADHA to “permanently delete” all health information stored on an individual if they choose to cancel their account. Previously the agency was required to store the data until 30 years after the individual’s death.
It comes a week after Labor was successful in launching a senate inquiry into the My Health Record service.
While the electronic medical records service was launched under the previous Labor government, and the Opposition supported the current government’s legislative changes to transform it into an opt-out service, shadow health minister Catherine King said the launch has been an “utter disaster”.
“Labor remains deeply concerned that the government has lost public support when it comes to the implementation of its important health reform,” Ms King said last week.
“It’s pretty clear this government has lost community support for My Health Record because of the complete and utter disaster it has made of its implementation.”
“We think the senate needs to look at the overall legislative framework of the My Health Record, including any regulations and rules that may be put in place, as well as looking at the implementation.”
The inquiry would look at the MHR legislation, the rules and regulations underpinning it, the shift to the opt-out service, privacy and security concerns and the adequacy of the government’s public communications campaign.
“There are significant additional concerns around privacy and security that needs a root and branch look at the legislation, the regulation and implementation of the My Health Record before we can regain critical public support in this health reform,” Ms King said.
A number of civil and digital rights advocates have said the government’s changes don’t go far enough, and have called on the system to be paused while a review is conducted.
“The system needs to be paused so a comprehensive review of the various interacting pieces of legislation can be performed, as well as the privacy and security controls,” Electronic Frontiers Australia board member Justin Warren told InnovationAus.com.
“Ploughing ahead with the system with all these unresolved issues is unethical, and will likely result in real harm being done to people,” he said.
Australian Privacy Foundation health committee chair Bernard Robertson-Dunn also said the government’s proposed changes “do not go far enough to properly protect Australians’ privacy”.
The senate committee will report back by mid-November.