EXPERT REACTION: My Health Record opt-out period opens, but privacy concerns remain
Organisation/s: The University of Newcastle, University of Canberra, University of Wollongong, The University of Western Australia, Queensland University of Technology (QUT)
These comments have been collated by the Science Media Centre to provide a variety of expert perspectives on this issue. Feel free to use these quotes in your stories. Views expressed are the personal opinions of the experts named. They do not represent the views of the SMC or any other organisation unless specifically stated.
We are currently trialling an intervention which uses myHealth Records to prevent hospitalisations in individuals with severe mental illnesses (aisquared.co). It is an innovative and first-of-its-kind intervention, which applies machine learning on Medicare claims data in My Health Records (MyHR) to detect hospitalisation risk and raise alerts, to support patients with treatment adherence reminders, and to assist clinicians to intervene early.
This intervention is most effective on patients who are most at risk, but these patients find it burdensome and distressing to set up myHR accounts. So far in our trial we have observed that patients experience significant difficulties enrolling with myHealth Records, and we also found that mental health professionals do not have sufficient time and energy to support patients in this enrolment process.
It is excellent to see myHR move towards an opt-out process with sensible safeguards in place, as this way we would be able to develop digitally-enabled care models to support and manage patients with the greatest need, as these vulnerable groups will most definitely miss out on care if we were not to set up an opt-out process.
In an environment where we seem to be hearing about a new data breach practically every few days, My Health Record is yet another privacy and security nightmare.
Our health records are some of the most sensitive information we have, yet the privacy controls My Health Record offers to patients are dubious at best.
Opting out of My Health Record isn’t just the one-time act of filling out a form either. All it might take to opt you right back in is someone at your GP’s office being careless as they rush through typing in your patient data and forget to check a box.
Once that record is created, it’s there basically forever. You can opt-out again, but that won’t delete the data that’s already there.
While it’s currently prohibited for My Health Record data to be sold to third parties like insurance companies, just in the last month My Health Record partner app HealthEngine was caught sharing information with Slater and Gordon without the knowledge of patients.
It’s not a question of if My Health Record data will be misused. It’s only a question of when, and by whom.
The current My Health Record places a strong onus on individual consumers themselves to regulate the privacy and security settings of their record. While these settings exist, they are not the default option, and instead require individuals to know about this, to log into their record and to navigate the site in order to select the correct settings in order to exercise their control. Requiring an “opt in” model for the privacy settings of the record means that many people are unlikely to modify these settings. This may be through a lack of knowledge that the settings exist, uncertainty on how to do this, or an inability to successfully navigate the system.
There are also genuine concerns over the likelihood of data being compromised in some way. While it is argued that there are strong security measures in place, it is naïve to assert that these are 100% foolproof (as demonstrated through data breach incidents with many previous organisations). Health data is an increasingly common and attractive source of data for criminals, and their ability to use personal information to gain reward is a reality. This may be through means such as identity theft, fraud or other offences. Alternatively, the compromise of sensitive health information can open individuals up to blackmail and extortion from offenders, who may threaten to expose an aspect of an individual that has previously been private.
Implementation of MyHR shows that the Australian government has learnt nothing from the UK e-health trainwreck. In the UK patients, health practitioners, IT specialists and privacy lawyers alike condemned inadequate governance, misunderstanding of risk and disregard for patient autonomy. The UK government belatedly heeded those criticisms in, for example, the 2013 Caldicott report Information: To Share Or Not To Share? Independent review of how information about patients is shared across the health and care system. Australia has not.
A properly designed and implemented national e-health regime offers considerable benefits for patients, clinicians and researchers. The risks of an insecure system that conscripts patients (and assumes de-identification will enable problem-free sale of bulk health data) greatly outweigh those benefits. Legal protections for patient privacy under MyHR are, for example, inadequate. So is the IT framework. Audit trails will not reclaim a patient’s privacy when a data breach occurs. Official expectations that many patients will understand security settings are naïve. MyHR has been sadly over-sold. There’s been little effort to provide patients with the basis for meaningfully informed consent. That threatens the most fundamental aspect of public health: trust.
The move to opt out, in addition to being a major privacy risk for the public, ignores the persistent and significant issues with the implementation of My Health Record. After all of this time and with the billions of dollars of investment, the majority of the records are largely empty and the majority of health professionals in Australia continue to refuse to support the system. This programme gives the impression that this is a viable system. It is not and nor will it ever be.
Electronic health records make sense in a society undergoing digital transformation in every aspect of life. But it must be done the right way. The prospect for data discovery, patient welfare, and convenience is a value proposition that must be weighed up against risks and potential costs to individuals.
Privacy breaches are asymmetric. But the type of confidential information stored on an electronic health record is unlike having merely your identity credentials stolen; it is like having your whole personhood exposed in terms of your condition, medication, past acts, and more. There are massive implications for those working in pressured workplaces who may have their health record used against them, e.g. pilots, doctors, surgeons, healthcare workers.
The implications of whether health insurance companies will have access to this data in the future are also questionable. Will it cost more to insure a child suffering from autism, or one born with Down Syndrome, versus a child who seemingly is "normal"? Might this cause a chilling effect over disclosure of illnesses, meaning the people who need the care the most are disadvantaged from the outset?
We need to make people aware of the pros and cons of opting out, but we also need better, more honest reporting by government about some of the potential risks, in essence, to better inform the public. What we have now is a major honeypot of health data, waiting to be hacked, taken and made available on the dark web. We also need to call for urgent reforms so that, if data is compromised, there is a privacy tort allowing people to sue the company, GP or government that has allowed a data breach to occur.
With the rapid increase in the amount of digital information, there has been a growing trend in recent times to store data in such a way that it can be accessed by relevant stakeholders anytime and on-demand.
In this sense, having access to patient records can be highly useful, especially when they are required in the case of an emergency or even with elderly patients. However, data security and patient privacy are critical when it comes to healthcare information. Though the New Health Record system has been around for a few years as opt-in, now it is becoming opt-out. This means every Australian citizen will have such a record unless she or he decides to opt out.
From a usage point of view, a major issue is the education of users in terms of privacy controls and their ability and competency in setting the controls etc. I believe a substantial amount of work needs to be done in this area for the community to become familiar with the system as well as to develop trust.
From a technical point of view, there are access controls in place. However, the data itself, at this stage, is in plain format; it is not encrypted. Hence there is a potential for leakage if a breach occurs. With the growth in malware and security attacks, we cannot rule this possibility out. With the Mandatory Data Breach regulation, there will be an onus on the part of the agency that is storing the data to notify the users in case of breaches. But given the personal nature of such information, once the data breach happens the harm done may be difficult to reverse.
In this regard, there are technologies available that can help to protect the data via encryption and still allow the user (patient) requirements and policies to be enforced on the encrypted data.
This also brings another issue as to where the data is stored. If the data is stored in a cloud, then the cloud administrators can have access to the data (there can be many such administrators). This can be an issue especially if the data is stored in plain format. Hence there is a case for the data to be stored in encrypted form, thereby reducing the trust placed in the cloud provider as well as reducing the vulnerability due to a data breach.
Then there are issues down the road as to which other applications and services on the platform (government or third party) are allowed to access the data? What are the controls that are in place (and how much does the patient have a say when it comes to sharing of data between different services)?
On the process side, there are also some issues which are not fully clear. For instance, if someone opts in now, can she or he opt out later? What happens to their records?
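The expert above argues that records should be held encrypted, so that a storage breach or a cloud administrator yields no readable health data, while patient sharing policies can still be enforced. The following Go program is an added illustration of one way to build that separation; it is not code from My Health Record or from the expert, and the record fields, viewer identifiers and in-memory key handling are constructed assumptions. It encrypts a constructed patient record with AES-256-GCM from the Go standard library and binds the patient's access policy to the ciphertext as associated data: the storage layer sees only policy metadata, a nonce and ciphertext; a viewer outside the policy is refused; and a policy edited in storage fails authentication, so no plaintext is released. The design point is that the key is held by a key service the patient trusts rather than by the storage provider; that separation, not the cipher, is what reduces the trust placed in the cloud operator.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// PatientRecord is a constructed sample; the field names are assumptions,
// not the My Health Record schema.
type PatientRecord struct {
	PatientID   string   `json:"patient_id"`
	Conditions  []string `json:"conditions"`
	Medications []string `json:"medications"`
}

// AccessPolicy is the patient's sharing preference. It stays in the clear so
// the platform can evaluate it, but it is bound to the ciphertext as GCM
// associated data, so any edit to it invalidates the stored record.
type AccessPolicy struct {
	PatientID      string   `json:"patient_id"`
	AllowedViewers []string `json:"allowed_viewers"`
}

// StoredRecord is everything the (untrusted) storage layer ever holds.
type StoredRecord struct {
	Policy     AccessPolicy
	Nonce      []byte
	Ciphertext []byte
}

var ErrNotAllowed = errors.New("viewer not permitted by patient policy")

// NewKey returns a fresh 256-bit AES key. In a deployment it would live in a
// key service separate from the storage provider; here it is an in-memory value.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the record with AES-256-GCM, using the JSON-encoded policy as
// associated data. Only policy, nonce and ciphertext go to storage.
func Seal(key []byte, rec PatientRecord, pol AccessPolicy) (StoredRecord, error) {
	plaintext, _ := json.Marshal(rec)
	aad, _ := json.Marshal(pol) // struct marshalling is deterministic, so Open can rebuild it
	gcm, err := newGCM(key)
	if err != nil {
		return StoredRecord{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredRecord{}, err
	}
	return StoredRecord{Policy: pol, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, aad)}, nil
}

// Open enforces the patient's policy first, then authenticates and decrypts.
// A policy edited in storage no longer matches the associated data, so the
// GCM tag check fails and no plaintext is released.
func Open(key []byte, viewer string, sr StoredRecord) (PatientRecord, error) {
	if !permitted(sr.Policy, viewer) {
		return PatientRecord{}, ErrNotAllowed
	}
	aad, _ := json.Marshal(sr.Policy)
	gcm, err := newGCM(key)
	if err != nil {
		return PatientRecord{}, err
	}
	plaintext, err := gcm.Open(nil, sr.Nonce, sr.Ciphertext, aad)
	if err != nil {
		return PatientRecord{}, fmt.Errorf("record or policy tampered: %w", err)
	}
	var rec PatientRecord
	err = json.Unmarshal(plaintext, &rec)
	return rec, err
}

func permitted(pol AccessPolicy, viewer string) bool {
	for _, v := range pol.AllowedViewers {
		if v == viewer {
			return true
		}
	}
	return false
}

// AdminView is what a storage administrator without the key can read: policy
// metadata and hex ciphertext, never the clinical content.
func AdminView(sr StoredRecord) string {
	return fmt.Sprintf("policy=%v nonce=%x ciphertext=%x", sr.Policy.AllowedViewers, sr.Nonce, sr.Ciphertext)
}

func main() {
	key, _ := NewKey()
	rec := PatientRecord{PatientID: "P-0001", Conditions: []string{"bipolar disorder"}, Medications: []string{"lithium carbonate"}}
	pol := AccessPolicy{PatientID: "P-0001", AllowedViewers: []string{"dr.example@clinic.test"}}
	sr, _ := Seal(key, rec, pol)
	fmt.Println("storage sees:", AdminView(sr))
	_, err := Open(key, "insurer@example.test", sr)
	fmt.Println("insurer access:", err)
}
```

Running it prints the ciphertext view a storage operator would have and the refusal returned to a viewer outside the policy. Whoever holds the key can still bypass the policy check, which is why the key must not sit with the same party that runs the storage; a breach of storage alone then exposes only ciphertext, and a quietly widened sharing policy is detected rather than honoured.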