Audit finds key privacy problems with My Health Record
Patients are not doing enough to protect their My Health Record and doctors are possibly breaking the law by using a backdoor to access private records of up to 200 Australians a month, according to an audit.
An audit report has identified key privacy risks with the $1.5 billion My Health Record and found fewer than one per cent of people have set a PIN to protect their record.
The Australian National Audit Office found there had been 28 breaches of the record in 2017-18 affecting the private health information of 65 people.
It says doctors are using the emergency override function to access the records of up to 200 people per month without their permission, sometimes in contravention of the law, and that the Australian Digital Health Agency (ADHA) has failed to notify the Information Commissioner as required.
The report is critical of the ADHA for failing to conduct an end-to-end privacy risk assessment of the record since 2017, even though it shifted from an opt-in to an opt-out system in 2019.
It found the ADHA, which runs the record, has not yet considered the updated 2019–2023 cyber security strategic plan, which was finalised by the ADHA executive on 14 November 2018.
Even though the ADHA gave the Office of the Australian Information Commissioner $3.6 million to conduct up to six privacy assessments of the My Health Record between 2017 and 2019, the audit found “no assessments were completed during this period”.
Nine in 10 Australians were given a My Health Record if they failed to opt out by February and it contains highly sensitive personal information such as whether the person had an abortion, is impotent or has a mental illness.
Most people are unaware the record can be accessed by any registered health practitioner, from their podiatrist to a chiropractor, unless they set up a PIN to restrict who can view it. The audit found only 0.1 per cent of people had set a PIN.
Doctors can override security settings and access information in the record in an emergency, but the audit found doctors had done this inappropriately, possibly breaking the law, and these breaches were not reported to the Information Commissioner as required.
It said the risk management for the My Health Record expansion program was only “partially appropriate”.
While risks relating to privacy and the core IT infrastructure were largely well managed, the audit found the management of security risks posed by medical software and medical clinics should be improved.
The Audit called on the ADHA to conduct an end-to-end privacy risk assessment of the My Health Record.
It recommended the ADHA notify the Information Commissioner of potential and actual contraventions of the law involving emergency access to people’s records.
It has been claimed the record will reduce medication errors, cut the number of duplicate medical tests ordered by doctors and enable technological improvements in patient management.
But the audit found there was as yet no evidence of how the My Health Record was tracking towards the $14.59 billion in savings forecast for the health system.
The ADHA welcomed the recommendations and said it agreed with all of them and would work to implement them.
The chair of the Privacy Foundation’s health committee Bernard Robertson-Dunn said “privacy concerns seem to be something that are grossly unaddressed”.
“We need to get a firm commitment from the government when they are going to act on recommendations 1-5 and if they are taking privacy seriously they need to do something urgently,” he said.
The ADHA said it was only required to report to the OAIC when medicos accessed people’s My Health Record through the emergency access function if a contravention of the Act had occurred.
“A reporting obligation would only occur if a view was formed that access had not been lawful, which has not occurred to date,” the agency said.
However, the audit office said in its report that in a number of instances the ADHA did not receive a response from hospitals or doctors about why they used the emergency access to see a person’s My Health Record and therefore “could not satisfy itself the circumstances of the emergency access did not constitute an interference with privacy”.
“In other instances some of the responses indicated a potential contravention of the Act. To date the ADHA has not notified the Information Commissioner of any of these instances, and nor have the healthcare provider organisations,” the audit report said.
The ADHA said the 28 instances in 2017-18 in which Medicare records were intertwined, Medicare fraud was committed, or accidental unauthorised access was given to some people’s My Health Records were not “breaches” of privacy but merely matters it had to notify to the OAIC.