Dr. Bernard Robertson-Dunn is an electronic and automation engineer, has a Ph.D. in modeling the electrical activity in the human small intestine, and has had more than 40 years modeling, architecting and designing large scale information systems, mostly in government environments. These include the Departments of Health, Finance, Immigration and Defence. Bernard has been following the progress of and has contributed to the debate on the My Health Record for more than 10 years. He has no association or affiliation with any vendor or government organization. Bernard is chair of the Health Committee of the Australian Privacy Foundation. The views in this article are his considered opinion and are provided to Privacy Unbound to provide a broad contextual analysis of the issue surrounding health records and My Health Record in particular.

A medical record primer

Back in the day, when general practitioners wrote on paper with black ink about the consultation they had just had with their patient, there was an implied joint contract and mutual trust. The doctor wanted to remember what their patients’ symptoms were, what he (they were nearly always he in those days) had prescribed, and his musings and guesses as to what you were suffering from. You didn’t have to know or remember what you were suffering from. You both had in interest in the existence of the record. It was written by and for the doctor, you never saw it, and it was called a medical record.

There was a reasonable balance between two parties with different but compatible and complementary objectives. You trusted your GP to keep your data confidential and do their best to make and keep you well; the GP wanted to stay in business and he valued his reputation.

Automation

Then along came computers. Initially, all they did was store the same information in the same manner as did the paper records. There was the odd downside: Computers are more expensive than pen and paper; GPs had to learn how to use a keyboard and how to operate a computer. The relationship between patient and GP didn’t change much. The GP probably spent more time looking at a computer screen than they did when they used pen and paper, but that was seen as a small price to pay for improved record keeping.

It was a similar situation in those hospitals that implemented electronic health records, although there are some horrendous tales of failed IT projects, but that’s not particularly uncommon in such complex environments.

With early computerization, the situation regarding privacy, confidentiality and trust between patient and health care provider was largely unchanged. The IT systems were more prone to single points of failure, to ransomware and to data breaches, but they were issues that could be solved with proper management and attention to technology.

There were — and still are — some major problems with the access to and management of health care information. Much data is transferred via fax, only a small amount of information is interchanged; sometimes data exists, but this is unknown to health providers who could benefit from having it available.

However, the old medical record systems did have one advantage. Only those involved in a particular aspect of a patient’s care had access to a patient’s data about that care. Poor sharing of data was a double-edged sword. It was privacy enhancing, but there were clinical downsides. When it comes to addressing some of the problems facing data management in the health care system — better access to health information dispersed throughout a large, multifaceted industry — there are two potential approaches. These can be summarised as decentralized or centralized.

Distributed health ecosystems

A decentralized or distributed system would create a mechanism for identifying the location of a patient’s health data and allowing a health provider to access that data. There would need to be a mechanism for implementing a need to know principle — i.e., a health provider could only see that data they needed to in order to treat or advise their patient. The holder of that information would be responsible for granting access to the data.

All data could remain where is was; thus, not complicating data consistency, which would occur if data were copied from one system to another. However, there may be a good argument that there should be a single source of truth, which would logically be the patient’s primary health provider — their GP.

A distributed system has the added advantage of being far more resilient and thus reliable than a centralized one that is at risk of being overloaded in times of high usage — e.g., in an epidemic or bio-hazard situation, or prone to failure dues to power or communication loss. It is far less risky to have clinical systems located as close as practical to the point of care.

A distributed system has the characteristics of a virtual health ecosystem, rather than a health record. Additional capabilities at the health provider level can include such integrated functions as appointments, repeat prescription requests, and a patient portal access to relevant information. Such systems are being implemented overseas.

The result would be an ecosystem of health information in which a virtual medical record existed. This record, although distributed, could be made available to systems that could undertake complex analysis and predictive functions that would assist health providers in their diagnosis and treatment of the patients. The major characteristics would be flexibility, the coexistence of a variety of capabilities, and a platform for small-scale innovation that would scale or find a niche if useful or atrophy if not.

The privacy, trust and confidentiality issues would not be unduly challenged; the symmetry of need between patient and health provider would be retained. The health provider would be responsible for maintaining patient privacy and the patient would only need to trust a single party.

Centralized health records

The alternative is a centralized system such as My Health Record. This requires a database at the hub and a system that acquires and stores data. If it only passed on the data and did not retain it, it would functionally be the same as a distributed system.

A centralized system results in the database becoming the defining feature of the health information ecosystem. Innovation is stifled because compatibility with the database is essential. In a distributed system, local innovation is possible and preferable — it can be tested and assessed locally. Change in a centralized system is totally dependent on the hub and would need to happen globally.

The primary issue of a centralized system is “who owns the database in the hub?” Ownership bestows significant privileges; the owner runs the system and any access rules do not apply to the owner.

This single characteristic completely changes the dynamics of the health data environment.

Now there are three parties: the patient, the health provider and the system owner. In the case of My Health Record, this is the Australian Digital Health Agency, an Australian government entity that both reports to, and is funded by, the Federal Minister for Health.

What was a symmetry of needs between the patient and their health provider is fundamentally altered — not just changed but distorted.

If the health provider is a GP, then a number of changes are introduced into the interaction between the GP and their patient. My Health Record is an additional, summary system over and above the GP’s clinical support system. Uploading data into My Health Record is not a simple matter of a few clicks. The AMA has produced a set of guidelines that GPs are supposed to follow. It is a 27-page document and following it takes time out of a consultation to manage a patient’s My Health Record.

In addition — and this is a significant issue — the government, through a variety of mechanisms, pays the GP to provide the patient’s data. It could be argued that this is “selling” patient data to the government. This may or may not be a valid description, but it does introduce a real or perceived conflict of interest. The patient suffers from less attention; the GPs is paid for something that does not involve treating the patient. The patient may not be happy with the financial arrangement and may perceive a conflict of interest. This issue has the potential to have a negative impact on the trust between the patient and their GP.

The relationship between the GP and the government is primarily financial. The GP gains little or no benefit, they already have the data. The GP still gets data from other providers via the traditional mechanisms — fax or emails. Data that is not provided to GPs may or may not be uploaded to My Health Record. Patients have the option of requesting that pathology labs or specialists do not upload data. There is no guarantee that data that a new GP or an A&E department would like to see is in My Health Record. In short, it is unreliable. There are also reports that data is sometimes incorrect or uploaded to the wrong patient resulting in either compromised treatment or the need for a patient to spend significant time and effort correcting the error, if they discover it.

The relationship between the patient and the federal government, a funding agent, is totally unnecessary for the delivery of health care. However, it represents a real and potential problem for the patient. Why does the federal government want such detailed health data? This is a question that has never been answered satisfactorily. There is an argument that the government needs aggregated data in order to develop policy, but there is no rationale for more detailed data. Furthermore, there is a suggestion that it could match detailed health data to its existing payment data looking for patterns of health care decisions by health providers; but this is only supposition. However, this uncertainty does nothing to engender trust.

The existence of a centralized database means that data from different providers will be stored in a single location; data which is available to anyone authorised to see the record. The inherent privacy advantages of a distributed system, where only the originating health provider has access, are nullified. In order to retain the trust levels inherent in a distributed system, there needs to be an access control mechanism that, at a minimum, mimics that of the old system. My Health Record does not provide this. My Health Record has a complicated, poorly implemented set of access controls that require the patient to take responsibility for monitoring and managing access controls. In a similar way that automation has failed to help GPs manage input and usage of data in their clinical system, My Health Record has introduced extra responsibilities into the management of a patient’s health data. This is a responsibility that most patients are unaware of and are potentially unable to take on. If they don’t, their privacy is at risk from third parties.

Privacy and My Health Record

The symmetry of the original relationship between patient and GP has now been destroyed. To some, there is now the feeling that there is a spy in the consulting room — the government. In addition, the effort required by the patient to manage their own data has been increased. Hardly an improvement.

The government introduced legislation in 2016 that set the scene to make the system opt out. Australians now have a three-month window in which to tell the government they do not want to be automatically registered for a My Health Record.

In order to enable an opt-out approach the government has had to remove the need to obtain explicit consent to register people and to acquire and disseminate their health data.

Because of the change to My Health Record from opt in to opt out, the legislation, especially that in Section 70 has recently become a major issue.

Section 70 includes a wide range of circumstances where it can release or make available My Health Record data. These include providing data to courts, tribunals, coroners and to other government agencies “in the protection of the public revenue.” This last item has never been defined by the government but appears to be related to the investigation of fraud and applies to any government, state or federal, that is able to impose fines.

The courts have long been able to subpoena health data from a health provider but, according to a report from the Parliamentary Library, the ease with which documents can now be obtained has been significantly increased.

This report contradicts the Health Minister’s claims that a warrant is necessary to obtain information under Section 70. The library also makes the observation that the legislation is a major weakening of existing protections around health records. The Minister has also been contradicted by the Queensland Police union. That the Minister for Health, himself a lawyer is seen to be (allegedly) misrepresenting the legal standing of My Health Record is not adding to the trust Australians might have had in the system.

The minister did not add to a feeling of trust or enhance his credibility when the Parliamentary Library withdrew the original document and replaced it with another revised version.

Even the Human Rights Commissioner has concerns about confidence in the privacy and security of the system and wants the government to improve privacy protections. "I think we can do better. We definitely are saying that there are problems with My Health Record," he told the ABC.

Conclusions

Unfortunately, there are significant consequences from having the government both own the system and set the laws and regulations that govern it. The big problem is that a government in the future could change the rules that permit easier access to My Health Record data. What these are is a matter of guesswork and supposition, but is likely to be unsettling to a population that has already rejected several Identity Card/Number initiatives.

Privacy seems to matter to many Australians and they are not routinely likely to trust government initiatives, especially after problems with the recent census and the so called Robodebt debacle the result of the ATO and Centrelink sharing and linking data, something the government has expressed a desire to do with data from other agencies, including Health, more often. We do not know if that will include My Health Record data, but it could, in the future.

How the My Health Record initiative will all turn out is a matter of conjecture. What is certain is that My Health Record, if widely adopted by patients and health providers will have major consequences for the dynamics of health care system in Australia. Patients will need to become more involved in the management of their own summary health data; GPs will need to spend more time managing health record systems – their own and the governments; and the government will need to continue funding, maintaining and operating the system as well as protecting the data for the foreseeable future. The cost of this system is currently over $AUD2billion; what the return on this investment will be is not yet known.

Even if the issue of government ownership is resolved, there are other characteristics of a centralized system that make its use and effectiveness problematic and questionable. In summary, these include:

• The security of a system that is attached to the internet.
• The system is designed to promote data being downloaded to other systems with fewer controls and less visibility.
• The responsibility for accuracy, currency and completeness lies with the patient.
• The significant cost and effort required by patients and GPs to maintain the system.

These are significant obstacles to making any centralized system acceptable for clinical use.

From a privacy and trust perspective, the distributed approach has much to recommend it. The simple yet important relationship between a GP and their patient is a significant driver in the maintenance of a high degree of privacy. Both have a lot to lose. The introduction of a third party, the federal government, apart from distorting the privacy trust relationship is also an asymmetry of power. Taking on the government is no trivial task and only one has a lot to lose.

My Health Record, even after six years operation is still very much a work in progress. The government is currently going through a market testing process that is looking at completely revamping system. This is an implicit acknowledgement that the system as it exists is not fit for purpose.

It is possible, even likely, that over the opt-out period public reaction will result in the government changing its mind regarding such things as the legislation that protects the privacy of My Health Record users. Unfortunately, there are two characteristics that cannot be changed.

1. My Health Record means the government acquires and keeps highly personal health data. It can also potentially track the behaviour and performance of health providers.
2. The government has already changed the legislation from opt-in and a need to get a patient’s consent to opt-out and no need to get consent. At the end of the second week of the opt-out period, the government has been forced by statements made by the AMA and the Queensland Police to change the legislation to "remove ambiguity" and improve the protection of Australian’s privacy.

What has the potential to totally destroy any trust people may have in the government is the reality that in our political system there is nothing is to stop this or future governments from further changing the privacy protection.

Not only is My Health Record a work in progress, so is the government’s attempt to persuade Australians to adopt this scheme. Unfortunately for the government, the twin problems of a lack of a guarantee regarding future governments and the reality that there is a better, cheaper, more flexible system with inherently better privacy protection means they have a difficult job ahead.

Photo credit: marcoverch Stethoskop auf der Tastatur eines Laptops via photopin (license)