EXPERT REACTION: Pros and cons of MyHealthRecord as opt-out looms

Collecting health data across the population will lead to better health outcomes by showing how effective interventions are and allowing treatments to be personalised based on the experience of thousands of other patients.

New forms of measurement (based on artificial intelligence) will also give patients far more significant information about institutional performance, practitioner performance, the outcomes of specific interventions, etc.

In terms of cybersecurity and privacy we need to be realistic. Let’s remember that many people (doctors, nurses, receptionists, etc) have easy access to today’s paper-based health records – an electronic record is actually a step up in privacy.

Within My Health Record, we can make it the default to require a patient access code.

Clearly there is danger of data leaking due to cyber hacking, as is true of any data system. However, a well-designed record system which is managed by a professional security organisation and has a clear audit trail (e.g. provided by Blockchain) can mitigate this risk significantly.

If we have learnt anything over the last 4 months, it is that electronic health records are hackable. We need not have to look too far to see that no system is impenetrable. And the fallout from health data breaches for some might well be irreparable to their very livelihood. In a highly targeted effort on SingHealth, 1.5 million Singapore health records were breached, among them the Singapore Prime Minister Lee Hsien Loong's personal records. What does this tell us when one of the world's most advanced cybersecurity nations suffers such a large-scale attack? Plainly, that no one's personal information is safe, no matter the measures in place. 

But in this world of blockchain initiatives, we will likely be told in the not too distant future that we wildly underestimated our security requirements and as such must go one step further and protect our credentials by implanting a 16-digit Personal Health Record (PHR) ID number so that the primary token is in us, and the implant can even read our vital signs too while embedded, and alert first responders of our ailments and medications per chance we are found incapacitated. Fear not, we've seen this elaborate scheme before-- it was called the VeriChip, a US-based Food and Drug Administration-approved microchip from 2002 that was voluntarily injected by some, and nestled in the right tricep as per the patent by Applied Digital Solutions. Welcome to twilight, Australia.

All Australians, regardless of any illness or condition, deserve to get the highest-quality care. Our members work in public and private hospitals, and commonly in Emergency Departments, making sure patients are provided the right medicines for their condition.
 
‘More often than many would think, patients are unable to explain the medicines they are already taking and for what conditions they are already being treated, particularly after a seizure or if unconscious. Many of these patients are unaccompanied. Sometimes this lack of information leads to errors that have serious impacts on peoples’ lives. 
 
The ‘My Health Record' debate has highlighted the need for greater consideration of regulatory support for privacy information, and careful control of implementation. However these concerns should not void the rationale for an integrated e-health system, accessible only to health professionals and set up at the request of health organisations, for the benefit of all Australians.
 
Hospital pharmacists have long called for a shared, electronic patient data system and SHPA backs the important principles of My Health Record: linking up a fragmented health system and empowering patients in their own care.

I'm concerned that the privacy implications of secondary uses of My Health Records are not being accurately explained. The My Health Record privacy policy says: "It is expected that most applications which are assessed will be for the use of de-identified data. This is where your personal details are removed from the dataset and you cannot be identified.

Unfortunately, removing obvious personal details (such as name, location, and date of birth) does not securely de-identify the data.  We showed that both doctors and patients can be easily and confidently identified in a dataset of Medicare Benefits Schedule (MBS) and Pharmaceutical Benefits Scheme (PBS) data that the Australian Department of Health published online in 2016 (https://pursuit.unimelb.edu.au/articles/the-simple-process-of-re-identifying-patients-in-public-health-records).

In the case of patients, this means that a few points of information (such as the patient's age and dates of surgeries or childbirths) is enough to identify the person and thus retrieve all their Medicare bills and PBS prescriptions for many years. Easy and confident re-identification has been demonstrated on numerous other datasets that were shared in the mistaken belief that they were de-identified. It is probably not possible to securely de-identify detailed individual records like My Health Records without altering the data so much that its scientific value is substantially reduced.
 
Patients can choose to opt out of secondary uses of their data (see this explanation of how: https://www.myhealthrecord.gov.au/sites/default/files/hd315_factsheet_secondary_use_of_data.pdf?v=1535679293). However, they can't make a genuinely informed decision if they are inaccurately told that their detailed record cannot be identified. Even more importantly, those whose identifiable MBS-PBS records were already published in 2016 should be notified, because the earlier release could make re-identification of their My Health Records much easier. They need to know about the data that has already been published so they can make an informed decision about further sharing.
 
It's a cause for concern that the administrators of our health records either don't fully understand, or don't accurately convey, the existing demonstrated problems with de-identified health data, or the likely risks of further sharing of detailed individual records. If you choose to keep your My Health Record, I recommend that you carefully consider whether to opt out of secondary uses. You should make this decision on the basis that your de-identified record is highly likely to be identifiable.