The Australian Digital Health Agency’s CEO Tim Kelsey told a Senate inquiry on Monday that about 900,000 have opted out of My Health Record since the opt out period began in July, representing 3 per cent of the population.
About 181,000 had also chosen to opt in to the medical database, according to figures to September 9. The numbers had come as a surprise, Kelsey said.
"We had anticipated significantly higher levels of opt out than we're seeing. And we certainly hadn't anticipated such high levels of opt in as we’re seeing," he told the inquiry.
Paper forms from rural and remote areas of the country are yet to be collated, with the opt out figures collected from online and call centre services.
According to the Kelsey, agency polling had found that 59 per cent of Australians were aware of My Health Record and the right to opt out, up from 16 per cent in July, which he described as “fairly unprecedented in terms of marketing awareness”.
In response to questions about the communications campaign and the public controversy surrounding opt out, Kelsey said the ADHA welcomed the debate.
“The agency is very respectful of the debate that has taken place and absolutely listening and learning from different ways in which communities are supporting us with insights into how we can improve and deepen those communications,” Kelsey said.
The Senate's community affairs committee was told that 16,848 of 6.1 million My Health Records had passcodes in place preventing access to the records, while 4109 had passcodes limiting access to certain documents as of September 2.
More than 136,640 people had activated email or SMS notifications to alert them when a healthcare organisation accesses their records for the first time or a Shared Health Summary is uploaded.
Clinical Professor Meredith Makeham, the ADHA’s Chief Medical Adviser, said changing the current open access system – in which Australians must set passcodes – to a default security code system could affect My Health Record’s clinical usefulness.
"The difficulty would be that with a record access control set as a default, the clinical benefit of the system relating to medications safety would be very much potentially closed down," Makeham said.
"[Difficulty] would arise for a clinician who was trying to view the My Health Records of patients who were coming through, say, an emergency situation or through their rooms."
Currently, My Health Record allows healthcare providers to override access controls in emergencies.
MHR an 'excellent opportunity' if mistakes are avoided
The former head of the government’s Digital Transformation Agency Paul Shelter told the inquiry that few would deny the potential value to patients and clinicians of a national source of patient data “that assures privacy by design”. But he said the current access control arrangements place confidential medical information at risk.
“I believe that My Health Record represents an excellent opportunity for Australia to think big and do the right thing and take the lead worldwide on data and privacy. But to deliver this we need to be bold and we must admit the shortcomings of our current approach in terms of functionality and data security,” Shetler said.
He warned that changes need to be made to prevent My Health Record from following the path of the UK Government’s care.data ehealth database, which was abandoned in 2016 following a data privacy and security outcry.
“We should learn from what others, and in some cases we ourselves, have done earlier and seek to avoid repeating the same mistakes. Doing nothing is not an option anymore – in its current form the program will fail,” he said.
According to Shetler, allowing 900,000 healthcare and associated workers to access a centralised “honey pot” makes the system vulnerable without the need to hack.
“Even with the settings they’ve set up so far, people still can have wide-ranging access to data without having to hack it. It’s just not set up in a secure way … It is the most intimate data about a person as possible. There is a problem there, and it has to be taken seriously. It’s shocking how bad the access control is on it. It’s a very real concern,” Shetler said, advising that the government institute GDPR-type controls on user data.
Calling for the system to revert to opt in, he claimed the shift to opt out was “a mistake”.
“If it was something that people wanted, you would never need to mandate the use. People would be clambering for it because it’s free.”
[Read more: The pace of revolution accelerates as 39 US hospitals integrate Apple Health Records | Australian FHIR innovation a frontrunner as the US government looks to standardise health data exchange]
More change needed
In his address to the inquiry, FHIR creator Grahame Grieve, who works with healthcare programs around the world and companies such as Cerner, Epic, AllScripts, Apple and Google, claimed My Health Record was initially planned as a distributed system rather than the current national database of static summary documents.
In the last decade, he said, the web has developed into “a set of federated systems that act together to serve us”, leading to the transformation of industries.
“But the My Health Record is still frozen as if all this hasn’t happened: inconvenient, inflexible, with poorly controlled information access rules.”
Grieve said it was the direction taken by the Australian government that spurred him to create FHIR.
“When I saw the [My Health Record] system coming together, I realised that we’d end up here and that it would be partly because of limitations in the technical standards that we used. As a result, I created a new set of standards based on the web so that healthcare could use the same methods as other industries. I wanted to see healthcare transformed too.”
Those standards are now considered the future of health information exchange internationally, with the United States and the Netherlands using it to build distributed systems, and Apple implementing the framework to connect its Health Record app into hospital systems’ electronic medical records.
“When I travel, what I see is that Australia is lagging behind other countries which are prototyping innovative digital approaches to solve healthcare problems,” Grieve told the parliamentary inquiry.
He said the government needs to heed the concerns of industry.
“This isn’t really anything new; lots of the commentary and submissions have dealt on this. The healthcare IT community has been talking about this for years. But nothing has been done about it.
“The industry fears that another round of investment in the My Health Record as it is will increase the focus on forcing it to look like a success, to the exclusion of any other approach – just like we’ve been doing for the last 10 years. This investment and political focus hurts innovation, even outside the system, because it’s too big a risk for institutions and their vendors to invest in anything else.”
Public trust a key element to success
Other concerns were raised at the inquiry by unions and legal experts, with recommendations including the need for informed and deliberate consent, as well as improved safeguards to prevent access to the data by third parties such as employers and insurers.
Another hearing has been set down for tomorrow, with the Department of Health scheduled to give evidence again.
Meanwhile, Shadow Health Minister Catherine King told parliament on Monday a My Health Record data leak was inevitable.
"It is foolish of any government to say this data won't leak at some point. What are the protections for people when that actually occurs?" King said.
She has called again for the program to be suspended while security and privacy concerns are addressed.
In a statement on Tuesday, King claimed public trust in the important reform had been “severely damaged” by the management of the roll out.
The Labor-led Senate inquiry was launched last month following public criticism by medical, legal, data privacy and cybersecurity experts, as well as advocates representing vulnerable groups including domestic violence victims.
The opt out period has also been extended to November 15 and now every Australian will have a My Health Record created for them unless they opt out by the new deadline.
To share tips, news or announcements, contact the HITNA editor on email@example.com