From as early as 2020 the medical information of Australians will made available to third parties, including data that identifies patients, unless they take steps to stop it being shared, according to the federal government’s new secondary data use rules.
Releasing the Framework to guide the secondary use of data in My Health Record system, Health Minister Greg Hunt confirmed in a statement that individuals’ highly confidential information will be made available for public health and research purposes unless they opt-out.
The framework, which was developed in collaboration with consumers, clinicians, medical researchers, industry experts, privacy advocates and the Office of the Australian Information Commissioner, also aims to ensure people’s privacy and the security of the data, the minister said.
“The My Health Record system will help save and protect lives and is supported by healthcare consumers, doctors and the medical community across Australia. It is subject to some of the strongest legislation in the world to prevent unauthorised use,” Hunt said.
All Australians will have a My Health Record in 2018 unless they opt out of the system during a three-month period from 16 July to 15 October 2018. Those who are handed a MHR will automatically be signed up for the secondary use of their data and can opt out by clicking on a ‘Withdraw Participation’ button.
If they don’t opt out, according to the framework, consumers can limit access as “any data or document that they have classified (using consumer controls) as being ‘Restricted Access’ or that they have removed will not be retrieved for secondary use purposes”. Data in a cancelled record will not be accessible.
Information could start flowing out of the MHR to third parties in 2020.
The MHR online repository is designed to collect and share the health information of Australians – such as GP health summaries, hospital discharge reports, imaging and pathology results, and details of drugs prescribed – between healthcare providers to support patient care.
The secondary use of the data is far more controversial, with a number of submissions to the public consultation process for the framework calling for the system to be opt-in.
In addition to its use in medical research, the minister said the information will allow improved forecasting of health trends, and inform planning and policy development.
He said the data “cannot be used for commercial and non-health-related purposes, including direct marketing to consumers, insurance assessments, and eligibility for welfare benefits”. Insurance companies won’t be able to access the information, according to the new rules.
However, the framework says companies can apply to have the data door opened to them if they can show it is in the public interest.
“There is a need to balance support for the use of the data for beneficial research and public health purposes against the policy of not using the data for solely commercial purposes,” it says.
“Commercial organisations may propose uses that could be approved so long as it can be demonstrated that the use is consistent with ‘research and public health purposes’ and is likely to generate public health benefits and/or be in the public interest.”
The framework also says identified data is up for grabs.
“For applications involving identified data, subject to the provisions of the My Health Records Act 2012 and the Privacy Act 1988, the Board will require ethics approval to be obtained by the AIHW Ethics Committee before data can be accessed or released.”
[Read more: Rebuffed by the ADHA, E-Nome looks to GP and hospital systems to enable people to access their health information and sell it on | Government seeking input into additional uses for My Health Record private medical information]
For those applying for access to de-identified data, ethics approval may need to be obtained. The risk of the data being re-identified and the potential harm or embarrassment it can cause to individuals is acknowledged within the framework, which says those considerations need to be balanced with the greater good.
“There is a need to ensure that individuals’ privacy is protected and that de-identification methods render the risk of re-identification as very low (having regard to the relevant release context). There is also a need to balance maximising the benefits of using the data with the risk of breaching an individual’s privacy or causing harm to individuals.”
The Board can permit the linkage of MHR system data with other data sources if the project is deemed to be of public benefit.
Hunt said “the protection of patient information and privacy is critical and we have strong safeguards in place to protect health data in Australia”, including the risk of jail for those found “doing the wrong thing with patient information”.
Any Australian-based entity – other than insurance companies – can apply to access the data. International organisations can apply if they are working in collaboration with Australian applicants on a proposed project, the data usage will generate public health benefits for Australians, and the MHR data will be stored in a facility within Australia.
The Australian Institute of Health and Welfare will be the data custodian for the purposes of the framework, and a Governance Board comprised of representatives from the AIHW, the Australian Digital Health Agency and independent experts in population health, research, health services delivery, technology, data science, data governance and privacy, and consumer advocacy will be appointed. The ADHA, as the system operator, will be responsible for preparing and providing the data.
The Board will work with the AIHW to develop an electronic system to process applications.
The framework will be reviewed two years after the initial dataset is released, with the possibility that wider uses of the information will be identified, including the provision of MHR data to insurance agencies.