In the wake of the HealthEngine scandals and as data security concerns continue to overwhelm the My Health Record opt out communications campaign, the Australian Digital Health Agency has tightened the rules on apps connecting to the national health information platform.
The ABC reports the ADHA has issued substantially amended agreements to digital health companies Tyde, Healthi Mobile, HealthNow and HealthEngine, including the introduction of cancellation clauses for apps that create reputation-damaging fall-out for the Federal Government or My Health Record.
The four third-party apps are authorised by the ADHA to provide consumers with ‘view only’ access to their My Health Record and the test results, prescriptions and GP-generated shared health summaries within them.
The new agreement, which was obtained by the ABC, provides the agency with the right to immediately terminate an app’s access if the company or its associates "engage in any other conduct that we consider, in our absolute discretion, could adversely affect our reputation or the reputation of the My Health Record system or the Commonwealth of Australia or any of its agencies".
Within the amendments, ADHA CEO Tim Kelsey has also been afforded additional executive powers to terminate a contract with at least five business days’ notice if he forms the view that it may be “contrary to the public interest”. If an agreement is ended in this way, the ADHA will not be liable “for any loss arising from or in connection with the termination”.
The new Portal Operator Agreement also introduces a three-day time limit for companies to notify the ADHA in the event of a My Health Record data breach.
The changes follow a series of media scandals that saw online booking app HealthEngine exposed for editing negative reviews of GP practices, revealing the identifying details of 75 of its users via a flaw in its website’s HTML code, and funnelling the private patient information of hundreds of patients to legal firms searching for personal injury cases, which led Health Minister Greg Hunt to order an "urgent review".
News of the tightened agreements also comes as the government continues to be buffeted by an astonishing data privacy backlash since it last week opened its three-month window for Australians to opt out of My Health Record. If people do not opt out by October 15, a My Health Record will be created for them by the end of the year.
The ADHA claims about 6 million people have a My Health Record but as people have rushed to opt out many have discovered they had already had one created without their knowledge or consent. There were also numerous claims of incorrect information in records, including doctors’ appointments and medications.
Geoff Rohrsheim, the director of Chamonix Health, which has developed Healthi, said he is unconcerned about the changes.
"It doesn't affect us. We're not manipulating any of the data, we're not trying to share it with anyone else," Rohrsheim told the ABC.
The changes, he said, were appropriate.
"Should [third-party apps] be doing anything that is untoward then the agency has the ability to shut that down and I think that's appropriate."
The new agreement also requires companies to gain opt-in consent from users to access the My Health Record system via the apps and they must provide full disclosure of “your acts and practices that may fall within the scope of that consent”. Companies are instructed to avoid “bundled or general consents”.
Meanwhile, concerns about My Health Record’s data privacy and security continue to abound since the opt out period began.
Former Privacy Commissioner Malcolm Crompton, who is also the founder and lead privacy advisor at Information Integrity Solutions, voiced concerns about the many access points into the My Health Record system via numerous apps and platforms.
“There’s lots of talk about the centralised part of MyHR security but what is the evidence that ALL 900,000 health practitioners have even reasonable security on their digital devices let alone the high grade that is claimed for the centralised part,” Crompton told HITNA.
“Remember, Target in the US was penetrated (and $250 million damage caused) because the outsourced service provider of HVAC (heating, ventilation and air conditioning) was hacked.”
He said “the edge” – the 900,000 health practitioners and any health consumers who access their health record online – creates an “enormous attack surface” and the information contained within the My Health Record was a “honeypot” for hackers.
Crompton called for “regular credible, independent, capable, third party assurance processes throughout the system, including at the edge”, such as those required in the financial sector. He also called for effective remediation processes and said “a grossly underfunded OAIC is unable to give rapid help because it doesn’t have the resources”.
The data privacy expert also criticised the government for creating a “fully shared by default” system, with the risk compounded by an underfunded communications campaign that fails to adequately inform Australians of the need to urgently establish security settings in their My Health Records.
Paul Shetler, the former head of the government's Digital Transformation Agency, has said he would probably opt out if he was an Australian citizen but said it was too early to predict if My Health Record would become a "tech wreck".
ADHA CEO Kelsey was at the helm of care.data in the UK when that national patient information database was axed as a result of concerns about confidentiality and the secondary use of data – including the selling of data to drug and insurance companies.
Within the findings of her independent review, the national data guardian Dame Fiona Caldicott said the NHS initiative failed to build trust.
“My recommendations centre on trust. Building public trust for the use of health and care data means giving people confidence that their private information is kept secure and used in their interests,” Caldicott said.
“Citizens have a right to know how their data is safeguarded. They should be included in conversations about the potential benefits that responsible use of their information can bring. They must be offered a clear choice about whether they want to allow their information to be part of this.”
"[The Australian Government] didn't learn from the history," Shetler told Radio National Breakfast.
"You don't spring something on people and tell them 'we're going to be doing this', with no preparation, with no clear understanding of what the benefits are, without having designed it around user needs and then with this weird security model."
About 20,000 people opted out of My Health Record on the first day of the withdrawal period.
"They had to opt out under very difficult circumstances. They had to opt out after waiting an hour, and an hour-and-a-half on the phone to do that," Shetler said.
"If you were launching a new product and you had 20,000 people willing to wait for an hour-and-a-half on the phone, be put on hold, and go through an obscure process and they signed up, you'd say that's a pretty amazing demand for that product. That's a pretty successful product.
"Now reverse that."