Australia’s controversial and clumsy rollout of its “My Health Record” program this summer didn’t cause the “spill” — what Australians call an abrupt turnover of party leadership in Parliament — that gave the country a new Prime Minister in August. But it didn’t improve public trust in the government either. The program — which aims to create a massive nationally administered database of more or less every Australian’s health care records — will pose massive privacy and security risks for the citizens it covers, with less-than-obvious benefits for patients, the medical establishment, and the government.
Citizen participation in the new program isn’t quite mandatory, but it’s nearly so, thanks to the government’s recent shift of the program from purely voluntary to “opt-out.” Months before the planned rollout, which began June 16, at least one poll suggested that a sizable minority of Australians don’t want the government to keep their health information in a centralized health-records database.
In response to ongoing concern about the privacy impact of the program (check out #MyHealthRecord on Facebook and Twitter), the new government is pushing for legislative changes aimed at addressing the growing public criticism of the program. But many privacy advocates and health-policy experts say the proposed fixes, while representing some improvements on particular privacy issues, don’t address the fundamental problem. Specifically, the My Health Record program, which originally was designed as a voluntary program, is becoming an all-but-mandatory health-record database for Australian citizens, held (and potentially exploited) by the government.
Australia’s shifting of its electronic-health-records program to “opt-out” — which means citizens are automatically included in the program unless they take advantage of a short-term “window” to halt automatic creation of their government-held health records — is a textbook example of how to further undermine trust in a government that already has trust issues when it comes to privacy. Every government that imposes record-keeping requirements that impact citizen privacy should view Australia’s abrupt shift to “opt-out” health-care records as an example of What Not To Do.
And yet: supporters of My Health Record have persisted in their commitment to “opt out” during the shift from Malcolm Turnbull’s administration to that of his successor, Scott Morrison. This means that if an Australian doesn’t invest time and energy into invoking her right not to be included in the database — within the less-than-one-month window that citizens currently have to make this choice — she will be included by default.
In other words, any citizen’s health-care records in the program will be held by the government permanently throughout that citizen’s and will persist for 30 years after that citizen’s death. Even if an Australian chose later to opt out of the program, the record might still (theoretically) accessible to health-care providers and government officials. Health Minister Greg Hunt introduced legislation last summer that would address some of these complaints about the program, but it’s unclear whether the Australian Parliament, which has weathered several leadership shifts over the past decade, has the focus or will to implement the changes.
The fact is, the automatic creation of your My Health Record could still result in a permanent health-care record that’s outside of any individual Australian’s control because the government can always repeal any law or regulation requiring deletion or limiting access. In effect, “My Health Record” is a misnomer: a more accurate name for the program would be “The Government’s Health Records About You.”
A great deal of Australian media coverage of the rollout has been critical of the Turnbull government’s -– and later the Morrison government’s — “full steam ahead” approach. The pushback against My Health Record has been immense. Worse, citizens who have rushed to opt out of the program have found the system less than easy to navigate — whether on the Web or through a government call center. The flood of Australians who attempted to opt out of the program on the first day they were allowed to do so, found that they were unwitting beta testers, stress-testing the opt-out system. After the first-day opt-out numbers, the government has either declined or been unable to disclose how many Australians are opting out. But a Sydney Morning Herald report in July said the number of opt-outs might “run into the millions.”
In kind of a weird mirror-universe adventure, Australia has managed to reproduce the same kind of public concern that sank a similar health-care effort in the United Kingdom just a few years ago. Phil Booth of the UK’s Medconfidential privacy-advocacy group told the Guardian that “[t]he parallels are incredible” and that “this system seems to be the 2018 replica of the 2014 care.data.” After a government-appointed commission underscored privacy and security concerns, the UK’s “care.data” program was abandoned in 2016. Unfortunately for Australians, in the Australian version of the UK’s “care.data” scheme, Spock has a beard.
The UK’s experience suggests that the policy problem signaled by the opposition to the My Health Record initiative is bigger than Australia. That shouldn’t be a surprise. After all, a developed country may provide a “universal health care” program like the United Kingdom’s National Health Service, or a more “mixed” system (a public health care program supplemented by private insurers like that of Australia) or even an insurance-centric public-health program like Obamacare. But whatever the system, the appeal of “big data” approaches to create efficiencies in health care is broad, in the abstract.
But despite the theoretical appeal of #MyHealthRecord there’s a paucity of actual economic research that shows that centralized health-care databases will actually provide benefits that recoup the costs of investment. (Australia’s program has been estimated to cost more than $ 2 billion AUD so far, and it’s not yet fully implemented.) No one, in or out of government, has made a business case for My Health Record that uses actual numbers. Instead, the chief argument in favor MHR is that it will enable health-care providers to share patient data more easily — which supposedly will save money — but health-care workers, much as they hate the paperwork associated with it, mostly know that there’s no substitute for taking a fresh patient history at the point of intake.
The push for a national database of personal health information has been a fairly recent development, even though the country’s current health-care system has been in place in more or less its current form since 1984. The Australian Department of Health announced in 2010 that the government would be spending nearly half a billion Australian dollars to build a system of what then were called Personally Controlled Electronic Health Records. The primary idea was to make it more efficient to share critical patient information among health-care providers treating the same person.
Another purported benefit would be standardization. Like the United States (where proposals to for a national health-records system have sometimes been promoted) Australia is a federal system of states and territories, each of which has its own government. The concern was that a failure to set national standards for digital health records would lead to the states and territories developing their own, possibly mutually incompatible systems. The distance among the states and territories (mostly on the coasts surrounding Australia’s dry, unpopulated Outback) makes integration harder because of the distances separating different pockets of its population (now 25 million).
The 2010 announcement of the Personally Controlled Electronic Health Records program stated expressly “[a] personally controlled electronic health record will not be mandatory to receive health care.” The basic model was opt-in — starting in 2012, Australians had to actively choose to create their shared digital health records. If you didn’t register for the program, however, you didn’t create a PCEHR. If you did register, you had the assurance that, under the government-promulgated Australian Privacy Principles, your personal health information would be strongly protected.
In practice, the PCEHR program, eventually rebranded as My Health Record, has never had much appeal to most citizens. The government burned somewhere near or past $ 2 billion AUD and yet, years into the program, the total number of citizens who had volunteered to “opt in” to have their health records shared and available in the program was only about 6 million. According to a March report in Australia’s medical-news journal, the Medical Republic, Australia’s physicians also seem to be less than sold on the value in the program either.
Prior to the latest push for a shift to “opt-out,” only a few citizens saw much benefit (much less any fun or personal return) of investing the time it takes to master producing a complete and useful health record, and even those who did only rarely ended up using its key features. (Some health-fashion-forward citizens who do want to share their health-care records easily have opted to invest in more private solutions rather than rely on a centralized database that may be less controllable and less complete.)
By 2014 it was clear that the Australian government (control of which had shifted to the more conservative of the two major parties) wanted to move in closer-to-mandatory direction. It did so by announcing a wholesale conversion of the My Health Record database from opt-in to opt-out. This meant that, if you were an Australian citizen, a health record would be created automatically for you—unless you explicitly said you didn’t want one. But the possibility of opting out hasn’t quelled these ongoing complaints from the general public:
- The still-too-short, too-limited opt-out window. Australians were originally given a three-month window, starting July 16, to opt out of My Health Record. (It was later extended to November 15. Of course, critics regard the one-month extension as something less than stellar.) If you don’t opt out in the approved window, an electronic health record will be created for you. By default, program provides that the government will keep the record for 30 years after your death. And the government will have the right to access the record—whether you’ve died or not— “for maintenance, audit and other purposes required or authorised[sic] by law.”
- This goes on your permanent record. The law already authorizes a lot of government access (for law-enforcement agencies, court proceedings, and other non-health-related purposes). And of course the laws can be amended to authorize even more access. Were you ever treated for alcohol poisoning? Did you ever have an abortion? You may be able to limit access somewhat by tweaking the privacy controls of “My Health Record,” but (unless you take strong, affirmative steps otherwise) it’s never erased. And it may be demanded by a range of government authorities for all sorts of reasons under current or future laws or regulations.
- The disputed warrant requirement. The Australian Digital Health Agency, the relatively new government agency in charge of the program, said a warrant would be required—but that claim was contradicted by Australia’s Parliamentary Library, whose analysis found that access by non-health government agencies with few if any procedural or privacy safeguards. Disturbingly, the Parliamentary Library’s report was abruptly removed and revised after pushback from the Turnbull government. (The removed report has been reproduced here.) A subsequent Senate inquiry—with a report issued October 12—shows growing consensus behind adding a warrant requirement before law enforcement gets health record access, but the Australian Labor Party and the Australian Greens have dissented on the question of whether a warrant requirement fixes the problems: Per the Greens, the warrant requirement is “an improvement on the status quo, but it is an insufficient and disappointing one.”
And none of these criticisms even touch on the significance that a centralized health-care record database will give 900,000 health-care workers (not just doctors) comparatively unrestricted, untracked access to patient health records. By comparison, the average Australian under the pre-My Health Care system likely had to worry only about dozens of people having access to her health records — not hundreds of thousands.
Then-Prime Minister Malcolm Turnbull was dismissive of privacy concerns early on arguing that “there have been no privacy complaints or breaches with My Health Record in six years and there are over 6 million people with My Health Records.” But many prominent health-care and privacy experts argue that the government’s new promises to patch the system are inadequate. For example, requiring government agencies to get a warrant does nothing to protect patients from unauthorized access to their records by health-care workers with access to the My Health Record system. And the Labor members have argued that the new system needs a statutory provision that prevents health-care insurers from accessing My Health Record’s data.
Typical of the external critics is former Australian Medical Association President Kerryn Phelps, who views the promises as “minor concessions” that are “woefully inadequate.” Phelps, who cites a survey showing that 75 percent of doctors are themselves planning to opt out, called for “full parliamentary review” of the My Health Record program. Other critics have argued the government has painted itself into a corner due to the “sunk costs” of $ 2 billion AUD. Bernard Robertson-Dunn of the Australian Privacy Foundation argues that the whole problem, despite the fact that the government has spent those billions, is that Australia needs to reboot its digital-health initiative entirely.
But many of the critics of My Health Record in Parliament seem to be maneuvering to lessen the privacy harms likely to ensure from the shift to near-mandatory participation in My Health Record. In this, they may be driven by the fear that writing off the Australian health-care-records program may look too much like the abject failure that was the UK’s “care.data” program. But Robertson-Dunn views the unwillingness of some members or Parliament to cut their losses as short-sighted, given the likely long-term harms the system poses to citizens’ health privacy. Better to scrap My Health Record and write off the costs so far, he argues. Once that’s done, he says, Australia can “[s]tart with a problem patients and doctors have and go from there.”
Mike Godwin ([email protected]) is a distinguished senior fellow at R Street Institute.
Permalink | Comments | Email This Story