Those wishing to opt-out of the federal government’s My Health Record now officially have until January 31 to do so, with the House of Representatives on Monday passing amendments agreed upon in the Senate earlier this month.
A day before the original opt-out date, Pauline Hanson put forward an amendment to extend the opt-out period by just over two months, after the federal opposition had its request for a 12-month extension blocked. It would be two weeks until the House of Representatives had the opportunity to agree to the changes.
The opt-out period was originally meant to end on October 15, but was in August extended until November 15.
It has been well over a month since the system operator — the Australian Digital Health Agency (ADHA) — and Health Minister Greg Hunt have said how many Australians have opted out of the system since the option opened on July 16.
The last figure was given on October 24, when a Senate committee was told that 1.147 million people had opted out as of October 19. On the first day of the opt-out window, 20,000 people chose not to have a digital health record.
ADHA at the time told Senate Estimates that the opt-out rate was under 5 percent. In July, Hunt said the government was expecting a My Health Record opt-out rate of 10 percent.
The My Health Records Amendment (Strengthening Privacy) Bill 2018, waived through on Monday, will result in the laws controlling Australia’s centralised My Health Record system receiving significantly improved privacy provisions, such as regulatory oversight from a new Data Governance Board on the secondary use of health data, and that deleting a record now means just that.
The Data Governance Board will be responsible for “assessing applications for the collection, use, or disclosure of de-identified data and health information for research or public health purposes.
Data will not be made available before 2020 in order to provide sufficient time for governance, security, privacy, and technical arrangements to be implemented, the amendment says.
See: ADHA’s non-process for releasing My Health Record data revealed
The government hopes this will address the security concerns the public has of the My Health Record, such as the overly broad access for law enforcement and the retention of data even when a health record was cancelled.
“Concerns have been raised about the protections afforded to information stored in the system. While technical and operational protections are strong, and are constantly reviewed, the government has taken on board concerns about the level of protections afforded under the MHR Act and will increase the maximum penalty levels for breaches of key provisions,” the supplementary explanatory memorandum [PDF] explains.
The Data Governance Board will also monitor the ADHA in its preparation of de-identified data and health information for third-party use. The likes of insurance companies and employers are not allowed access to the My Health Record information, unless the healthcare recipient has requested the information be provided to that specific party.
The Data Governance Board is expected to comprise of a chair and deputy chair, and 7-10 other members chosen by the Health Minister, with members to exceed a five-year tenure.
The board is required to consist of one member representing the ADHA; one member representing the data custodian — currently the Australian Institute of Health and Welfare; a person who is an Aboriginal person or a Torres Strait Islander; with the remaining individuals to have expertise in at least one of the following areas: Population health and epidemiology, medical or health research, health services delivery, technology, data science, data governance, privacy, or consumer advocacy.
The board may also exercise its right to establish a committee to assist in carrying out its legislated functions and is directed to stay away from the day-to-day operations of the My Health Record.
Data in My Health Record was planned to be kept for 30 years after a person’s death, or, if their date of death is unknown, for 130 years after their birth — even if that person later cancelled their record.
A healthcare recipient can now cancel their record, and data will have to be deleted “as soon as practicable”, unless there’s a court order or similar legal requirement to retain or disclose the records, in which case it would have to be deleted “as soon as practicable after the conclusion of the matter to which the requirement relates.”
To avoid doubt, the amendment states that if the ADHA is required to destroy a record that includes health information, they must also destroy any copy of the record; any previous version of the record; and any back-up version of the record.
Further amendments introduced by the government will implement the changes announced earlier this month, addressing many of the 14 recommendations of the Senate Community Affairs References Committee.
Another amendment seeks to ensure that a person cannot be the authorised representative of a minor if they have restricted access to a minor or may pose a risk to the minor in any way.
The amendments will also remove the requirement for the ADHA to notify individuals about certain decisions, if it considers that the notification may pose a risk to a person’s life, health or safety.
Where authorised representatives are concerned, a healthcare recipient may nominate any person assist them in managing their My Health Record — in either “read-only” or “full” access.