Wednesday 16 May 2018

An insider has finally admitted what any digital native would be well aware of - your personal health information entered into a national database will be no safer than having it up on Facebook


Remembering that a federal government national screening program, working with a private entity, has already accessed personal information from Medicare without the consent of registered individuals and entered these persons into a research program - again without consent - and these individuals apparently could not easily opt out of being listed as a research subject but were often only verbally offered the option of declining to take part in testing, which presumably meant that health data from other sources was still capable of being collected about them by the program. One has to wonder what the Turnbull Government and medical establishment actually consider patient rights to be in practice when it comes to "My Health Record".

Healthcare IT News, 4 May 2018:

Weeks before the anticipated announcement of the My Health Record opt out period, an insider’s leak has claimed the Australian Digital Health Agency has decided associated risks for consumers “will not be explicitly discussed on the website”.

As the ADHA heads towards the imminent announcement of the three-month window in which Australians will be able to opt out of My Health Record before being signed up to the online health information repository, the agency was caught by surprise today when details emerged in a blog post by GP and member of the steering group for the national expansion of MHR, Dr Edwin Kruys.

Kruys wrote that MHR offers “clear benefits” to healthcare through providing clinicians with greater access to discharge summaries, pathology and diagnostic reports, prescription records and more, but said “every digital solution has its pros and cons” and behind-the-scenes risk mitigation has been one of the priorities of the ADHA. However, he claimed Australians may not be made aware of the risks involved in allowing their private medical information to be shared via the Federal Government’s system.

“It has been decided that the risks associated with the MyHR will not be explicitly discussed on the website,” Kruys wrote.

“This obviously includes the risk of cyber attacks and public confidence in the security of the data.”

The most contentious contribution in the post related to the secondary use of Australians’ health information, the framework of which has yet to be announced by Health Minister Greg Hunt.

Contacted by HITNA, the agency moved swiftly to have Kruys delete the paragraph relating to secondary use.

In the comment that has since been removed, Kruys wrote, “Many consumers and clinicians regard secondary use of the MyHR data as a risk. The MyHR will contain a ‘toggle’, giving consumers the option to switch secondary use of their own data on or off.”

Under the My Health Records Act 2012, health information in MHR may be collected, used and disclosed “for any purpose” with the consent of the healthcare recipient. One of the functions of the system operator is “to prepare and provide de-identified data for research and public health purposes”. 

Before these provisions of the act will be implemented, a framework for secondary use of MHR systems data must be established. 

HealthConsult was engaged to assist the Federal Government in developing a draft framework and implementation plan for the process and within its public consultation process in 2017 received supportive submissions from the Australasian College of Health Informatics, the Australian Bureau of Statistics and numerous research institutes, universities, and clinicians’ groups.

Computerworld, 14 May 2018:

Use of both de-identified data and, in some circumstances, identifiable data will be permitted under a new government framework for so-called “secondary use” of data derived from the national eHealth record system. Linking data from the My Health Record system to other datasets is also allowed under some circumstances.

The Department of Health last year commissioned the development of the framework for using My Health Record data for purposes other than its primary purpose of providing healthcare to an individual.

Secondary use can include research, policy analysis and work on improving health services.

Under the new framework, individuals who don’t want their data used for secondary purposes will be required to opt-out. The opt-out process is separate from the procedure necessary for individuals who don’t want an eHealth record automatically created for them (the government last year decided to shift to an opt-out approach for My Health Record)……

Access to the data will be overseen by an MHR Secondary Use of Data Governance Board, which will approve applications to access the system.

Any Australian-based entity with the exception of insurance agencies will be permitted to apply for access to the MHR data. Overseas-based applicants “must be working in collaboration with an Australian applicant” for a project and will not have direct access to MHR data.

The data drawn from the records may not leave Australia, but under the framework there is scope for data analyses and reports produced using the data to be shared internationally……

The Department of Health came under fire in 2016 after it released for download supposedly anonymised health data. Melbourne University researchers were able to successfully re-identify a range of data.

Last month the Office of the Australian Information Commissioner revealed that health service providers accounted for almost a quarter of the breaches reported in the first six weeks of operation of the Notifiable Data Breach (NDB) scheme.


Australians who don't want a personal electronic health record will have from July 16 to October 15 to opt-out of the national scheme the federal government announced on Monday.

Every Australian will have a My Health Record unless they choose to opt-out during the three-month period, according to the Australian Digital Health Agency.

The announcement follows the release of the government’s secondary use of data rules earlier this month that inflamed concerns of patient privacy and data use.


Under the framework, medical information would be made available to third parties from 2020 - including some identifying data for public health and research purposes - unless individuals opted out.

In other news....... 


A cyber attack on Family Planning NSW's website has exposed the personal information of up to 8000 clients, including women who have booked appointments or sought advice about abortion, contraception and other services.

Clients received an email from FPNSW on Monday alerting them that their website had been hacked on Anzac Day.

The compromised data contained information from roughly 8000 clients who had contacted FPNSW via its website in the past 2½ years to make appointments or give feedback.

It included the personal details clients entered via an online form, including names, contact details, dates of birth and the reason for their enquiries….

The website was secured by 10am on April 26, 2018 and all web database information has been secure since that time.

SBS News, 14 May 2018:

Clients were told Family Planning NSW was one of several agencies targeted by cybercriminals who requested a bitcoin ransom on April 25…..
The not-for-profit has five clinics in NSW, with more than 28,000 people visiting every year.

The most recent Digital Rights Watch State of Digital Rights (May 2018) report can be found here.

The report’s 8 recommendations include:

Repeal of the mandatory metadata retention scheme

Introduction of a Commonwealth statutory civil cause of action for serious invasions of privacy

A complete cessation of commercial espionage conducted by the Australian Signals Directorate

Changes to copyright laws so they are flexible, transparent and provide due process to users

Support for nation states to uphold the United Nations Convention on the Rights of the Child in the digital age

Expand the definition of sensitive information under the Privacy Act to specifically include behavioural biometrics

Increase measures to educate private businesses and other entities of their responsibilities under the Privacy Act regarding behavioural biometrics, and the right to pseudonymity

Introduce a compulsory register of entities that collect static and behavioural biometric data, to provide the public with information about the entities that are collecting biometric data and for what purpose

The loopholes opened with the 2011 reform of the FOI laws should be closed by returning ASD, ASIO, ASIS and other intelligence agencies to the ambit of the FOI Act, with the interpretation of national security as a ground for refusal of FOI requests being reviewed and narrowed

Telecommunications providers and internet platforms must develop processes to increase transparency in content moderation and make known what content was removed or triggered an account suspension.
