As readers will be aware, the My Health Record system is the Australian Government’s digital health record system. It holds ‘My Health Records’, these are an online summary of an individual’s health information.
A My Health Record contains details such as what medicines a person may be taking, hospital discharge summaries, reports from tests and scans, what treatments they have received, allergy information and referral letters.
The system has been plagued by privacy and cyber-security concerns, which contributed to the Government extending the opt-out period. Statistics from the Australian Digital Health Agency (ADHA) presented to the Senate Estimates Committee revealed that 1 in 10 Australians (approximately 2.5 million people) have elected to opt-out of the scheme. An additional 300,000 have also cancelled their Record since the opt-out period expired. This acts as a timely reminder that Australians are increasingly taking proactive steps to protect their personal data.
In this article, we will explore some of the legal and privacy issues associated with the system in more detail.
The ADHA is the ‘System Operator’ of the My Health Record system.
A Court or Tribunal can only direct the ADHA to disclose the information in a person’s My Health Record to a Court or Tribunal in limited circumstances.
One circumstance is where the proceedings relate to:
A second circumstance is where a coroner orders or directs the ADHA to disclose the information.
What this makes clear is that, unless you fall within one of the above mentioned categories, you cannot rely on issuing a subpoena to the ADHA if you need to obtain the information contained within another person’s My Health Record. You will need to seek the information from the primary source. As such, the ADHA is more accurately described as the aggregator of the health data.
Alternatively, you can consent to the ADHA disclosing your My Health Record to a Court or Tribunal.
It is an offence under section 70A of the Act for an insurer to request, require or use information in your My Health Record to:
Your medical practitioner also cannot use the information in your My Health Record for the above purposes, even if you have consented.
However, insurance that does not extend beyond the limit of the State concerned (generally Workers Compensation insurance) is excluded from the above provisions.
Like the situation concerning an insurer discussed above, the Act also makes it an offence for your employer to use or request information in your My Health record to either employ, continue to employ or cease to employ you.
Lavan’s Cyber and Data Protection team can assist you and your organisation with navigating your rights and obligations in relation to the My Health System, as well as privacy and cybersecurity more broadly. Should you have any questions in relation to any of the topics raised in this article, please do not hesitate to contact Iain Freeman, Lorraine Madden or Andrew Sutton.