My Health Record: legal challenges

THIS article is the second in a series on “the making of the digital health revolution”. It outlines some of the legal challenges under the Australian Government’s My Health Record scheme – the privacy of patients and clinicians, the ownership of records, and approaches to law making in fields of emerging technology.

Privacy of the patient

While there are issues that affect all who have a My Health Record, certain patients are particularly vulnerable to privacy breaches under this scheme. The risk to some patients, including children, people with disabilities, the elderly, those experiencing family abuse, and the parties to a custody dispute, is that their records may be accessible by unauthorised relatives or carers, and such breaches may go undetected and unreported.

Another privacy consideration is the effect of the “opt-out” model, which was adopted after the traditional “opt-in” informed consent model resulted in low levels of adoption. In 2015, the Parliamentary Joint Committee on Human Rights raised concerns that the opt-out model limited the Article 17 right to privacy under the International covenant on civil and political rights, which says that: “No one shall be subjected to arbitrary or unlawful interference with [their] privacy, family, home or correspondence, nor to unlawful attacks on [their] honour and reputation”.

The Committee requested that reasoning or evidence be provided to show that the opt-out model addressed a pressing or substantial public concern, or that it achieved a legitimate objective. More recently, as part of the 2018 Senate Inquiry into My Health Record, the Human Rights Commission stated:

“Improving health care is a legitimate purpose which can justify the collection, use and disclosure of personal information, provided that those activities are carefully regulated and sufficient protections are in place. Such uses can promote the right of affected people to the highest attainable standard of health.”

The Human Rights Commission also stated that:

 “… without appropriate justification, personal information should not be collected about people without their free, specific, informed and unambiguous consent. The Explanatory Memorandum states that several reviews and trials were conducted before the decision was made to make the My Health Record system ‘opt-out’. The Commission is not aware whether the inputs to, or the findings of, those evaluation processes have been made publicly available. The Commission urges the Government to consider whether compelling circumstances exist to justify continuing the operation of the My Health Record system on an ‘opt-out’, rather than an opt-in, basis.”

Although improving health outcomes is one of the stated objectives of the My Health Record system, there is insufficient evidence to show that it will lead to improved health outcomes, let alone the “highest attainable standard of health” suggested by the Human Rights Commission. In this light, the government should revert back to the traditional opt-in model used in the medical field, which involves explicit informed consent based on provision of adequate information about what the scheme does and does not do, including realistic information about benefits and risks.

Privacy of the clinician

There is also the privacy of the clinician to consider. The records that they create and upload to My Health Record will for the most part be accessible to other health care providers around the country who have access to the same patient management systems that they do. Estimates of the numbers of such professionals with access to the My Health Record range from about 800 000 to over a million. The health service for which the clinician works needs to be registered with the Australian Digital Health Agency – the system operator – for the practitioner to have access through their patient management software or online portal. The ADHA does not display who accessed a record on an individual basis, only displaying the institution of the accessor and the accessor’s role, so it is potentially difficult or impossible to determine who has actually accessed a record:

The audit log displays:

• the name of the healthcare organisation that accessed the record;

• when it was accessed;

• the nature of the access, such as viewing a document or uploading a shared health summary; and

• the role of the person who accessed the record, such as General Practitioner (if available).

Secondly, section 67 of the My Health Records Act 2012 states that patients are permitted to use their My Health Record information “for any purpose”. While many patients would not be inclined to disclose their records to others, there is an emerging trend towards the consumerisation of health information, and persuasive appeals to “share”. Firms such as Hu-manity are offering to pay patients for access to their medical records in exchange for using their information in research studies and for other purposes. There would be no way for a practitioner to know whether records that they authored, such as referrals or letters to a specialist, were shared by their patient with a third party, and whether there was further subsequent disclosure. Allowing patients to use records for any purpose should be carefully considered with the view of maintaining the privacy of clinicians, and restricting the use of the system more closely to the core of clinical and health purposes for which the information was originally collected.

Ownership and control

Who controls and owns health information in a health record? Presently we have two inconsistent approaches. The standard, which has been applied for many years, from the Breen v Williams case, is that the doctor owns most of the records holding the information, and the legislation permits the patient to apply for access to a copy. Ownership of the physical record has overshadowed the more nebulous question of control over the information embedded in it.

The second is the emerging paradigm in which patients using My Health Record ostensibly have control over their records. The legislation does not define who the owner of the information is; however, patients can use the information for any purpose, they can place controls on access (albeit via an interface, and it is unclear whether these will be used), and they can remove certain information.

If you remove a document, depending on the document type, you may be able to reinstate it at a later date.

Some may tout this new approach as a means of empowering their patients to take control over their health care. Indeed, the original legislation was titled Personally Controlled Electronic Health Records Act 2012, emphasising this claimed feature. However, an important consideration is that patient control rights under My Health Record are subject to legislation that can be amended at the discretion of Parliament at any time, and there are already a range of circumstances under which third parties may potentially be able to make use of the information in one form or another – the absence of full disclosure of all such potential pathways for secondary use was one of the concerns raised around an opt-out process that did not involve direct presentation of comprehensive, unbiased information to patients. Furthermore, My Health Record brings a third party, the government, in contact with sensitive information that they otherwise would not have access to, in effect, intruding into the middle of the most confidential professional relationship of trust that most people will have.

Digital health expert and cardiologist Dr Eric Topol suggests that the inevitable result of direct-to-consumer health care apps, devices and wearables is that the patient will “own” their health information and it will be stored in their own personal cloud. It has also been suggested that ownership should be a human right for all citizens.

Given the changes to control under My Health Record, and the fact that the ownership issue will be of continuing relevance, these matters should be more fully discussed. We need to debate whether patient control is a good idea from a clinical, legal, ethical and social perspective, and also the degree to which the current claims about patient control reflect the design and operation of a system by a third party with the power to change the rules at any time, and to interpret which third party claims to accept.

For now, the question of who legally owns or controls health information, and how the principles from existing case law apply in this new domain of My Health Record, remains a legal grey area that requires judicial or legislative clarification.

Law making

Law making for My Health Record has followed the typical law making process, but it may be time we consider altering these processes for areas of emerging technology in which the benefits of the technology are not yet firmly established and their risks may not be fully appreciated, or are yet to manifest.

At present, there is no standard of evidence, including about the actual benefit or potential risk, that needs to be cited by law makers to support their policies and proposed laws. Evidence-based law making is controversial in the sense that it can be viewed as impeding social progress. Indeed, if all law making decisions were tied to logical reasoning and scientific evidence, some laws may never pass through parliament.

However, an alternative approach may be that we require a minimum standard of evidence for specific areas of law, such as digital health. For example, when there are claims of health benefits, there could be a requirement that references be provided to studies that meet a minimum evidentiary standard. Furthermore, it could be expected that the risks of the proposed technology are outlined in full. Such risk-centric methodologies are increasingly accepted in mission critical software making; perhaps it is time to adopt these best practices in the face of the uncertainty that technology such as the My Health Record creates.

Conclusion

My Health Record raises a range of legal questions, with only a few having been considered in this article. For example, more research needs to be done to determine what rights physicians have to their own standards of health in their workplaces, specifically their mental health and wellbeing. The Medscape National Physician Burnout and Depression Report of 2018 reveals that computerisation of practice using electronic health records is one of the contributing factors in physician burnouts.

While this does not prove that My Health Record will result in physician burnouts, it sheds light on the potential risks to physician health.

We need more discussion among doctors, technologists and lawyers around issues of privacy, ownership and law making, and further consideration of the potential medico-legal and health risks for physicians.

Bianca Phillips is a Victorian academic lawyer conducting medical law research. She completed her Master of Laws at the University of Melbourne with her thesis on telemedicine, and is currently completing a doctoral thesis on the law making of the digital health revolution. She has authored articles on the digitisation of medicine in both legal and medical publications. She can be found on Twitter @biancarphillips.

David Vaile is chair of the Australian Privacy Foundation and the privacy and surveillance stream lead in the new Allens Hub for Technology, Law and Innovation at the UNSW Law Faculty. He was director of UNSW’s previous Cyberspace Law and Policy Centre. He has worked for federal and NSW privacy regulators, and for organisations in areas including legal services, community advocacy, medical informatics, online education, communications regulation, transport regulation, data-centric start-ups, and the Data to Decisions Cooperative Research Centre. He is on policy or privacy committees for the Australian Transaction Reports and Analysis Centre, the Association of Market and Social Research Organisations, Internet Australia and the Law Society of NSW. He can be found on Twitter @DavidVaile.

The statements or opinions expressed in this article reflect the views of the authors and do not represent the official policy of the AMA, the MJA or MJA InSight unless that is so stated.