An Australian Tale of Data Privacy and Health Data Gone Wrong
What happens when personal data ends up in the wrong hands? A look at one major blunder in health data monetization and IoT.
As we move into an era where more and more health data is generated, it makes sense to want to store and share this plethora of different health data. Wearable tech, smart beds for sleep tracking, devices to monitor falls in the elderly, DNA testing, and a suite of other biometric tests all generate data on our health before we even get to the doctor's office. However, a furor erupted in Australia recently with the public release of a mandatory health data centralization scheme called My Health Record. This article offers a two-part analysis of the challenges and issues of health data. The first part explores the attempts to introduce a centralized health records database in Australia.
The potential of a centralized health record, particularly for older people with complex chronic health conditions and multiple medications, is compelling. However, even with its potential to reduce confusion and improve communication between health practitioners, Australia's example is a poster child for how to do it wrong.
What's the Problem With My Health Record?
You Have to Opt Out
Firstly, the scheme compulsorily enlists all Australians into sharing their health information, unless they opt out before the deadline of 15 October 2018. Opting out requires a reasonable level of technological literacy (as well as internet access) and, for myself, was an exercise that took several attempts as the system kept crashing over a number of days.
Your Data Can Be Widely Shared Amongst Health Professionals
The setup allows records to be accessed by 12,860 health organizations and up to 900,000 health professionals, including doctors, pharmacists, physiotherapists, nurses, and unidentified staff of various organizations. In the case of big employers, this includes in-house medical staff. My Health Record’s access-logging system does not track which individuals are accessing records, only institutions, which means you won’t be able to tell who has seen your record.
It might not sound like such a big deal. But a central health record can include your prescriptions for Prozac, Valium, Viagra, or your treatment for schizophrenia, HIV, or herpes. Then, there's the fact that abortion is still illegal in parts of Australia. At risk of a hereditary disease? Not something you especially want to share.
Furthermore, as currently worded, Section 70 of the related legislation allows government-related authorities, including police, courts, social services, and the Australian Taxation Office, to access patient data, a definitive breach of doctor-patient confidentiality.
Then, there's Section 98, which gives the "system operator," the Australian Digital Health Agency, the power to delegate "any function" to “any other person” with the consent of the minister. This 'any other person' could foreseeably include insurers, researchers, and private companies. It's not helped by Australia's relative instability in leadership.
The Data Stored Is — at Best — Incomplete
The potential for a health record system that includes wearable data and data from our home environment (and in the future, our autonomous vehicle use) is great. But, at present, interoperability problems mean there is no way to share this data in a variety of relevant formats across health devices and health professions.
Cybersecurity in Medical Records Is in a Parlous State
A recent Australian survey revealed that half of healthcare Chief Information Security Officers admit having suffered a security breach in the last 24 months. 22 percent of organizations surveyed said they were continuing to store and manage healthcare data using end-of-life systems that had no vendor support, meaning that the steady flow of new vulnerabilities was not being addressed at all through vendor patches and updates. Barely a week passes without a health data breach, including an apparently state-sponsored breach of Singapore’s government health database late last month, which saw the information of about 1.5 million people hacked, including Prime Minister Lee Hsien Loong. Health data hacking, of course, reveals not only your health information but also your date of birth, insurance and social security details, and other means to enable data theft.
Computer security professionals have stated their concern about the possibility of unauthorized access to the MHR records, pointing to criminals selling health data at a premium online.
Data Sharing Is Inevitable but We Should Get Something for It
Data sharing is not something simply in the future. Home DNA kit testers 23andMe recently announced a four-year collaboration with British pharmaceutical company GlaxoSmithKline (GSK). During this time, 23andMe will only collaborate with GSK on any drug development projects and will provide GSK with access to its database of genetic information, as well as its analysis tools. Besides questions around the accuracy of home DNA tests, companies such as 23andMe may already sell your personal DNA, perhaps to an insurance company that might choose to deny you coverage based on predictions about your health (it’s illegal for health insurance companies to deny you coverage based on your genetic test, but not for life insurance companies).
I'm actually not opposed to sharing my health data, especially as I have a couple of rare health conditions that would greatly benefit from health research. Most people with rare conditions (or those difficult to treat) are not opposed to sharing health records with researchers, as evidenced by the popularity of the Apple ResearchKit as a means to facilitate research. For example, since 2015, the mPower app has enrolled over 10,000 participants, making it the largest Parkinson’s study in history, with 93 percent of participants never having taken part in any kind of research before.
However, as a health consumer, I want some control over who can see my personal data. I also want to share my data with whoever I wish and change my mind as and when I like. It should be up to me to decide who I trust. Furthermore, to be pragmatic, health treatment isn't cheap. I believe data monetization is the reality of the future, and I resent that others should control and profit from my health data instead of me.
Interested to look at how else it could work? Take a look at Part Two: Who owns your health data and why isn't it you?