The government is planning to give every Australian a digital health record by the end of 2018. With that goal in mind, the Council of Australian Governments (COAG) Health Council has approved Australia’s National Digital Health Strategy, drafted by the Australian Digital Health Agency (ADHA.) So how much data will a digital health record — known officially as a My Health Record (MHR) — contain?

Lots.

The MHR was previously known as the Personally Controlled E-Health Record (PCEHR.) But after patients and healthcare providers avoided signing up to the PCEHR in droves, ADHA renamed the project and changed patients’ sign-up option from opt-in, to opt-out only. Yes, that’s right: you all get an MHR, whether you like it or not. Want to opt-out? Too bad.

The government won’t delete your e-health record: people who opt-out will still have a shadow-file — a shell account the ADHA will retain, void of healthcare data from the date patients opt-out. And how well do opt-outs work anyway? Well, before the UK scrapped its equivalent digital health data project — known as care.data — it was discovered the National Health Service was disregarding patient requests and still populating patient files with information, even after patients opted-out.

The National Digital Health Strategy claims the MHR will allow all Aussies to access their health info “at any time online and through mobile apps”. And what could go wrong, considering the Australian government has left a trail of failed data governance projects in its wake in recent years? “Early app developers are already taking advantage of new interfaces on top of the MHR system which allow people to see the medications they have taken, or to view clinical documents on their mobile devices,” according to the strategy.

[Sure you can opt out of giving govt your info — by giving govt your info]

While the Digital Health Agency website states “vendors have to ‘self-declare’ conformance to My Health Record system specifications under a new ‘Conformance, Compliance and Declaration (CCD) process’”, what security measures the government is actually taking to ensure app developers have appropriate clearance to access a firehose of national health data isn’t specifically addressed in the strategy document. The strategy points out a key challenge is “establishing confidence in the reliability of secure messaging. (Of course, the concept of “establishing [public] confidence” — usually by process of spin and PR — is very different from the process of actually ensuring security.)

While the Digital Health Agency has established a technical working group to “co-design solutions” for secure messaging, the names of the members of the technical working group haven’t been made public, and details of ADHA’s process for appointments to the group are not available via the department’s website. Despite the MHR going live in 2018, ADHA doesn’t plan to undertake a “public consultation on draft interoperability standards” until the end of that year, which seems all kind of arse-backwards. One wonders, wouldn’t it perhaps be better if the government completed the public consultations first, and then set up digital accounts for every last damn person, based on feedback?

It’s all rather concerning, particularly as the National Digital Health Strategy is proposing some fairly ambitious projects, including the “development of a mental health portal which will provide support in accessing quality endorsed mental health apps and mental health services” and allow services to “support tailored individual care for people with severe and complex mental illness”. Which raises the question: is the government planning to make a great big old list of people with mental health issues? What happens when the mental health portal gets breached, and incredibly sensitive data leaks?

The strategy notes lots of privacy concerns, but it doesn’t seem to be particularly interested in road-mapping a resolution to those particular issues — at least not within the report. The strategy deals with security concerns with an instant fix: the creation of a “Digital Health Cyber Security Centre (Digital Health CSC)”, which plans to develop a “range of guidance materials” over time. It’s also uncertain from the strategy how the Cyber Security Centre will adequately train thousands of GPs, pharmacists and app developers involved in the My Health Record project to protect the security of Australian medical data.

[Govt’s electronic health record plan is a data breach waiting to happen]

The National Digital Health Strategy is nothing but an ode to positive thinking: “Greater utility will be realised through pushing information (e.g. notifications for patients) and pulling information,” chirps the strategy merrily. Coincidentally, insurance agency BUPA is quoted twice in the National Digital Health Strategy. Yes, the very same BUPA that only recently experienced a serious data breach involving customer details of 20,000 Australians.

BUPA’s submission to the National Digital Health Strategy argues “the strategy should specifically recognise that the role of government is to facilitate private sector development of innovative digital products and services”. Errrrm, what? Perhaps it’s an old-fashioned notion, but traditionally the role of government is to serve its citizens first, as opposed to insurance agencies. So it’s odd that a government department should have seen fit to include such a corporately aligned quote in it’s national strategy.

Of course, the Digital Health Strategy is eager to talk up positive cases of Australian scientific advancements, mentioning robotic medical operating systems and Aussie development of wi-fi. The Digital Health Strategy doesn’t manage to mention any negative case studies, such as the recent discovery that Medicare data was up for sale on the dark web, or that the Department of Health and Ageing had to pull a public dataset after discovering the information was re-identifiable.

Towards the end of the report, it’s suddenly pointed out that “strong privacy, security and risk management frameworks to protect sensitive information, while also enabling the safe and efficient sharing of information are vital” is a “critical success factors for the national digital health strategy”. So, will privacy, security and patient consent in the MHR turn out to be anything more than just lip service? The MHR opt-out process will begin in early 2018 — just in case you’re not willing to take the gamble on the safety of your own medical records.

Get Crikey for $1 a week.

Lockdowns are over and BBQs are back! At last, we get to talk to people in real life. But conversation topics outside COVID are so thin on the ground.

Join Crikey and we’ll give you something to talk about. Get your first 12 weeks for $12 to get stories, analysis and BBQ stoppers you won’t see anywhere else.

Peter Fray
Peter Fray
Editor-in-chief of Crikey
12 weeks for just $12.