New Bill to Strengthen My Health Records Privacy Introduced Into Federal Parliament

Friday 31 August 2018 @ 1.18 p.m. | Legal Research

The My Health Records Amendment (Strengthening Privacy) Bill 2018 (Cth) (the “Bill”) was introduced into Federal Parliament’s House of Representatives on 22 August 2018 by the Health Minister, Greg Hunt (the Minister). The Bill is intended to amend the My Health Records Act 2012 (No 63 of 2012) (Cth) (the “MHR Act”) to strengthen the privacy framework of the My Health Record system it establishes.

The Bill was introduced in response to criticism of the system created by the legislation and to concerns about the security and privacy of records stored in the My Health Record system.

My Health Record Legislative Background

The system was initially created under the Gillard Labor Government with around half a million patients being the first to receive electronic health records under a radical plan to overhaul the way in which medical data was kept.

The then Federal Health Minister, Nicola Roxon, announced $55 million for nine projects, to be run by various groups including pharmacists, general practitioners and hospitals. The plans included a Geelong project for doctors to view all medicines prescribed and dispensed to a particular patient, enabling clinicians to see a combined list of medicines regardless of how many doctors and pharmacists the patient had attended. Another was a Medibank Private project to create electronic records containing basic health information and history for 28,000 patients enrolled in its chronic disease management programs across Australia. Other projects were to provide e-health records for maternity patients in Brisbane, for aged and palliative care patients in Tasmania, and for all residents of the Northern Territory.

At the time, the then government claimed that by 1 July 2012 any patient would be able to ask their doctor to create an e-health record, which would be uploaded onto the web to be accessed, with patient permission, by any of Australia's 700,000 registered medical and allied professionals. Initially introduced as the Personally Controlled Electronic Health Records Bill 2011 (Cth), the legislation was renamed and enacted as the My Health Records Act 2012 (Cth) (No 63 of 2012).

The Amendment Bill

The amendment Bill will specifically:

  • remove the ability of the My Health Record System Operator to disclose health information in My Health Records to law enforcement agencies and government agencies without an order by a judicial officer or the healthcare recipient’s consent; and
  • require the System Operator to permanently delete health information stored in the National Repositories Service for a person if they have cancelled their registration with the My Health Record system – that is, they have cancelled their My Health Record.

According to the Minister, the safeguards that apply to a healthcare recipient’s My Health Record will be strengthened by the Bill, effectively providing that health information can only be collected, used or disclosed for healthcare purposes, with the healthcare recipient’s consent, in response to a court order or an order by a judicial officer, to respond to public health or safety threats, for medical indemnity claims, or in order to operate the My Health Record system.

Concerns for Security of Personal Data

Responding to public concern about the potential for unauthorised release of information by law enforcement authorities, Minister Hunt said in a Computerworld article:

“No material has been released from the system for law enforcement purposes during the system’s six years of operation … the Australian Digital Health Agency (ADHA), which runs the system, has a policy of not releasing information without a court order — however, there is no requirement for this in the current legislation … The My Health Record system has its own dedicated privacy controls which are stronger in some cases than the protections afforded by the Commonwealth Privacy Act on the advice I have.”

In the Minister’s Second Reading Speech (House of Representatives), he commented:

“The bill will also require the system operator to permanently delete health information it holds for any consumer who has cancelled their My Health Record … In addition to these amendments, I have already extended the opt-out period by a further month, to end on 15 November [2018] … Even after this period a consumer can choose not to participate at any time and cancel their My Health Record. Their record will then be cancelled and permanently deleted …”

Penalties for Misuse of the System

Speaking anonymously to the ABC, a healthcare worker said it may be hard to know exactly who has viewed a My Health Record. The healthcare worker claimed it was common practice (currently occurring in an unnamed hospital) for a surgeon to leave a logged-in computer open all day in an operating theatre, "meaning passing employees could potentially access patient health records without being individually traceable".

Any unauthorised collection, use or disclosure of this information will continue to be subject to criminal and civil penalties – up to two years’ imprisonment and/or up to $126,000 for an individual (up to $630,000 for bodies corporate).

According to the MyHealthRecord website:

“… serious penalties relating to the misuse of information do not apply to accidental misuse. The unauthorised collection, use or disclosure of information will only incur a penalty if the person knows or is reckless as to whether that action is unauthorised …”

TimeBase is an independent, privately owned Australian legal publisher specialising in the online delivery of accurate, comprehensive and innovative legislation research tools including LawOne and unique Point-in-Time Products. Nothing on this website should be construed as legal advice and does not substitute for the advice of competent legal counsel.

