Abstract
Australia’s national electronic health record (EHR), My Health Record (MHR), raises concerns about information privacy and the presumption of consent to participation. In contrast to the “opt-out” framework for participation, consumers must “opt-in” to obtain additional privacy features to protect their health information on MHR. We review ethical considerations relating to opt-in and opt-out frameworks in the context of EHRs, discussing potential reasons why consent for additional safeguards is not currently presumed. Exploring the implications of recent amendments to strengthen consumer privacy, we present recommendations to promote equity in health information security for all Australians using MHR.
Introduction
Electronic health records (EHRs) are digitalised records regarding a patient’s health. In contrast to electronic medical records (EMRs), EHRs can be accessed and managed across multiple healthcare organisations (Garets and Davis, 2005). They include information about a patient’s personal details, diagnoses, investigations, treatment, allergies and more (Australian Commission on Safety and Quality in Health Care, 2019). EHRs are designed to help address fragmentation of medical records, improve quality of health information and thus enhance patient safety (My Health Records Act, 2012). However, contentious debate about privacy risks has at times overshadowed discussion of the purported benefits of EHRs, possibly limiting consumer uptake due to the perceived risks regarding privacy violations and misuse of health information (Department of Health, 2020). International research suggests that despite strong public support for EHRs in many countries, privacy concerns are widespread and may similarly limit participation in EHRs (Entzeridou et al., 2018; Papoutsi et al., 2015). In response to concerns about Australia’s EHR system, known as My Health Record (MHR), the Australian Parliament introduced the My Health Records Amendment (Strengthening Privacy) Act 2018, which aimed to enhance health information security (Griffiths, 2018). In addition to the core privacy protections embedded in the MHR system, multiple additional safeguards are available that consumers can implement to broaden the security of their MHR (My Health Records Amendment (Strengthening Privacy) Act, 2018). However, in contrast to participation in MHR, for which consumer consent is presumed via an “opt-out” framework, consumers must “opt-in” to take advantage of these additional privacy features, as consent for these options is not presumed.
Many researchers have expressed concerns that disempowered groups, such as people living with mental health disorders and cognitive impairments, were least able to opt-out from creating a record due to their poorer health literacy and awareness of MHR (Hemsley et al., 2018; Kariotis and Harris, 2019). Unfortunately, few have noted that these individuals may also be least likely to benefit from the additional opt-in features that strengthen the privacy of MHR. In this article, we briefly review the ethical rationales for use of opt-in and opt-out frameworks within the context of EHRs and discuss potential reasons why consent for the additional MHR safeguards is not currently presumed. Exploring the implications of recent amendments to strengthen consumer privacy, we present some recommendations to promote equity in health information security for all Australians using MHRs.
Emergence of opt-out EHRs in Australia
Australia’s first e-health database, the “Personally Controlled Electronic Health Record” (PCEHR), was established in 2012 (My Health Records Act, 2012). Prior to the PCEHR, digital health information existed in the form of EMRs; however, it was only accessible to healthcare providers working within the institution in which these records were created (Allen-Graham et al., 2018). While paper records and EMRs can both be misused, the risks of inappropriate access are greater when a patient’s entire medical record is centralised in one place, in the form of an EHR.
Participation in the “opt-in” PCEHR was underwhelming; only two million Australians had registered to create a record 3 years after its inauguration (Department of Health, 2015). The online database was restructured and renamed as MHR in 2016 in an attempt to address poor uptake (Department of Health, 2020). By January 2019, almost seven million Australians had an MHR (Australian Digital Health Agency, 2019); however, low participation was again determined to be a barrier to an effective national EHR, and an opt-out approach to participation in MHR was implemented (Department of Health, 2020; Hambleton and Aloizos, 2019). The introduction of the opt-out scheme to MHR was met with resistance, mostly due to concerns pertaining to health information privacy and the presumption of consent. Nevertheless, almost 23 million Australians now have an MHR: over 90% of all Australians who are eligible for a record (Australian Commission on Safety and Quality in Health Care, 2019), although it is unclear whether this reflects public confidence in the program, or merely failure of individuals to opt-out.
Barriers to participation and risks of different consent models
Many health consumers may face barriers while exercising their autonomy in choices about participation in health programs such as the MHR. Online information about the MHR initially catered poorly to people with low health literacy and people from non-English speaking backgrounds (Walsh et al., 2019). Although the amount and quality of resources catering for languages other than English have increased considerably (Walsh et al., 2019), many people still experience difficulties accessing and changing their MHR due to language and technological barriers (Carneiro and Edwards, 2020). Even a computer literate group (n = 66) reported experiencing technical difficulties when accessing and editing their MHR (Lupton, 2019).
An opt-in process increases the probability that individuals have given informed consent to create an EHR, as one must know of the system and be motivated to participate in order to take the steps necessary to opt-in (Pearce and Bainbridge, 2014). In an opt-out system, the default setting is presumed consent. This also requires health consumers to be sufficiently informed, motivated and able to take steps to opt-out. Opt-out approaches to consent may help to ensure that barriers such as poor health literacy or English language skills do not exclude individuals or groups from accessing the benefits of these programs. However, these barriers to active decision-making also leave affected individuals and groups at greater risk of the harms associated with programs that employ a presumed consent approach.
Strengthening privacy protections for the MHR
In response to consumer appeals for stronger privacy and security protections for MHR, the Australian Parliament passed the My Health Records Amendment (Strengthening Privacy) Act 2018 (Carneiro and Edwards, 2020). This comprised changes increasing consumer autonomy over MHRs and penalties for inappropriate and unauthorised use of information in MHR (Carneiro and Edwards, 2020). Consumers are now able to permanently delete their MHR (Australian Commission on Safety and Quality in Health Care, 2019; Carneiro and Edwards, 2020). Legislative changes also reinforced existing privacy controls whereby consumers can implement a “Record Access Code” (RAC) to allow only specified care providers to access their MHR, or restrict access to specific sensitive documents using a “Limited Document Access Code” (LDAC) (Australian Commission on Safety and Quality in Health Care, 2019). Consumers are still able to view their record access history to track activity on each document and can activate a text message notification system alerting them of new access by healthcare providers (Australian Commission on Safety and Quality in Health Care, 2019). These security provisions have the capacity to address many of the privacy concerns about EHRs, by increasing control of one’s personal health information – determining what may be accessed and by whom – and by enabling the consumer to monitor access – thus potentially helping them to identify and act on potential breaches of privacy. However, additional access codes and the text message notification system are opt-in features and thus access to their benefits is subject to the same limitations associated with decision-making about participation in the MHR (Australian Commission on Safety and Quality in Health Care, 2019; Carneiro and Edwards, 2020).
Fewer than 40,000 Australians have placed advanced access controls such as RACs and LDACs since their introduction in 2012, possibly reflecting a lack of awareness of these additional security features (Australian Digital Health Agency, 2020). Australians with poor health, technological and English literacy are least likely to be informed of and able to implement these opt-in security measures. Nevertheless, the number of records protected by LDACs and RACs has increased since the opt-out process was implemented and promoted by government agencies; in just 10 months from December 2019 to October 2020, the number of records protected by LDACs and RACs rose by 21% (Australian Digital Health Agency, 2020).
Why not presume consent to privacy protections for the MHR?
It may appear counter-intuitive that consumers are required to opt-in to the additional safeguards for the MHR whereas consent to participation in the program itself is presumed, particularly given the evidence that privacy and security of health information, and having more granular control over the privacy of EHRs are strongly valued by consumers (Caine and Hanania, 2013; Lupton, 2019). However, making all these safeguards the default setting may jeopardise access to the benefits of the MHR. For example, if a RAC was automatically applied to every MHR, this could create significant access barriers for healthcare workers (HCWs). Reliance on consumers to voluntarily edit the settings of their MHR or to provide relevant codes to enable access by individuals may prove as burdensome as the original opt-in approach to MHR, thus undermining the benefits to MHR accessibility and information sharing that have resulted from the presumption of consent to participation in the MHR system (Australian Commission on Safety and Quality in Health Care, 2019; Australian Digital Health Agency, 2019). The current system thus effectively prioritises the benefits of MHR accessibility over consumer autonomy and privacy.
Fortunately, the design of the MHR does not entail a choice between consumer autonomy and the full benefits of EHRs. Several safeguards, including some that are already in place, might be implemented by default with measures to reduce the associated burdens on consumers and healthcare systems, and to ensure that protections do not create barriers to timely and effective healthcare (see Box 1). For example, in an emergency situation where there is a serious threat to patient or public safety and the consumer is unable to provide consent for access to MHR documents that are protected by LDACs and RACs, these can currently be accessed by HCWs via a so-called “break-glass” function (Australian Commission on Safety and Quality in Health Care, 2019). To bypass the code requirement, HCWs merely need to select the “emergency access” option on the system and the service provider is granted access to the MHR for 5 days (Australian Commission on Safety and Quality in Health Care, 2019).
Box 1. Recommendations to strengthen privacy protections of MHR.
Some protections may provide additional benefits for consumer engagement with care and health literacy. For example, if consumers are notified through text or email when providers access their MHR for the first time or when an emergency access event occurs, they may be better informed of the people involved in their care. Although some safeguards may appear burdensome, for example requiring HCWs to request access codes or explain why records were accessed, default settings necessitating discussions between HCWs and consumers about the use of the MHR may provide valuable opportunities for education and hence engagement with their health information.
Additional measures focused on controlling what is included in the MHR rather than access to the content of MHR may also enhance consumer autonomy over their health information. Although patients can instruct HCWs not to add specific files to their MHR, consent for uploading of files and Pharmaceutical Benefits Scheme (PBS) medication scripts to MHR is presumed, unless they opt to have these documents excluded (Wolf and Mendelson, 2019). Requiring healthcare providers to obtain consent before uploading information to MHR may be labour intensive, especially if undertaken for individual documents. Automated prompts to inform consumers when information is uploaded could help to provide opportunities for timely identification of sensitive information that consumers may wish to delete from their MHR or to safeguard with additional protections such as an LDAC. Pilot testing of such mechanisms would be helpful in evaluating their potential impact on the functionality of the MHR for both HCW and consumers, and on consumer confidence in and engagement with the MHR.
Conclusion
MHR is a national medical information database that has the potential to alleviate inefficiencies in care provision and improve patient outcomes. However, the current system may also present risks to consumer privacy in the healthcare context, particularly by undermining the right of privacy by virtue of which consumers are entitled to exert control over collection, access to and use of their personal health information. Although consumers can access additional measures to safeguard their privacy and control their confidential information in the MHR, many consumers may also be deprived of these benefits. More work is needed to explore and address potential barriers to the use of extra protections, and hence to improve equity of access to the benefits of MHRs and privacy protections within the MHR system; presuming consent to privacy protections should be a key consideration in this process.
Footnotes
Declaration of conflicting interests
The authors declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
Funding
The authors received no financial support for the research, authorship, and/or publication of this article.
