‘Damaging our trust’: why My Health Record lets down sexual and gender minorities

My Health Record is a well intentioned policy but its execution discourages marginalised groups from confidently accessing healthcare.

It stokes fears of the forced disclosure of confidential health information—such as the results of sexual health tests and HIV status—which undermine public health outcomes and the individual wellbeing of people in the LGBTI community.

The Australian Digital Health Agency (ADHA) was created in 2016 to improve health outcomes for Australians using digital systems.

The cornerstone project of the Agency is a national digital health system, and so every Australian will have a My Health Record account by the end of of 2018. The online account is a summary of your health information.

According to the ADHA website, its purpose is to deliver ‘safer, better quality healthcare’ and the initiative has many advantages.

Centralisation reduces the hassle of transferring documents between medical institutions and provides immediate access to information (e.g. allergies and prescribed medications) for efficient emergency treatment.

However, the problem is two fold. Firstly, once uploaded your confidential records are retained for 30 years after your death, or if that date is unknown, 130 years after your birth.

Secondly, and more pressingly, law enforcement agencies can access your confidential health information without oversight: the approval of a court or tribunal is not required [see: s. 17 and s. 70].

Health Department officials may release information included in a My Health Record if they believe it is ‘reasonably necessary’ to prevent, detect, or investigate ‘improper conduct’ or to prosecute criminal offences.

Additionally, your enrolment in the system is automatic so if you do not opt-out your consent to these details is presumed.

Privacy concerns are well founded. A My Health Record includes information such as discharge and event summaries, pathology and imaging reports, prescription documents, and specialist letters.

Medical data of this kind is highly sensitive, especially for people from gender and sexual minorities.

Things that are recorded could include a trip to A&E to obtain PEP, summaries of consultations with trans and gender diverse health specialists, notes from consultations with psychologists, the frequency of sexual health testing and the results of the tests, and prescriptions for such things as PrEP and HIV medication.

The Australian Privacy Foundation previously pointed out that the ATO and ABS have expressed an interest in accessing health data, and further warned that such information could be matched with your metadata. Indeed, one of the purposes of the system is to ‘provide de-identified data’ for research purposes.

Last year academics from Melbourne University demonstrated that it is already possible to identify people from supposedly de-identified health data from the Australian Medicare Benefits Scheme (MBS) and the Pharmaceutical Benefits Scheme (PBS).

It is already a danger that such information can reveal ‘if someone is on HIV medication, has terminated a pregnancy, or is seeing
a psychologist’.

Quite reasonably, people may not want law enforcement agencies to have unsupervised access to their health records, for such information to be recorded for up to 130 years or shared between government agencies, or for their sensitive information to be unwittingly disclosed.

These concerns are especially pressing for communities who experience stigma or intense police scrutiny, including people from gender and sexual minorities, people living with HIV, Indigenous people, immigrants, asylum seekers, sex workers, and people who use drugs.

People living with HIV and sex workers face various levels of criminalisation across Australia and so are under additional pressures.

In order to receive appropriate treatment and support, people must be able to speak openly and honestly to medical professionals.

However, the potential for law enforcement agencies to access My Health Records without oversight damages such trust, and ultimately, compromises public health outcomes.

Examining past experiences can be illuminating.

The case of Michael Neal attracted sensational media attention and ultimately a minor political scandal, however, the details of the interactions of law enforcement and health officials is of particular interest.

During the investigation Victoria Police approached GP practices, hospitals, and sexual health clinics requesting medical records not just of Neal but of other individuals who were potentially his sexual partners.

Some medical practices provided the requested files with little opposition. Notably, the Victorian AIDS Council refused to comment on medical records or surrender them without the consent of patients in the absence of a subpoena.

The reasons were made clear at a 2007 forum in Victoria for people living with HIV and AIDS where people expressed their fears: could confidential medical records be used as evidence to incriminate them? Could they trust the privacy of the conversations with their doctors?

Such anxieties are understandable. In the case of My Health Record, police access to confidential information without effective oversight creates a threatening environment where some people from vulnerable communities may feel that they have to choose between their health and the threat of legal intervention.

But it is critical that all people—but especially people from marginalised communities—can confidently seek medical support.

Dejay Toborek from Positive Life NSW argues that the legislation must be changed ‘to ensure our personal health data cannot be targeted by law enforcement without judicial oversight’ and indeed it ought to be.

There are broad privacy concerns which affect every Australian. However, these issues are acute for certain communities who are likely better off, as Toborek suggests, opt-ing out of the program.

In a disappointing move, a leak has revealed that the ADHA has decided not to discuss the associated risks of the system on its website.

Such hazards include the threat of cyber attack and the difficulties around the secondary use of private health data. In this context it seems unlikely that the privacy concerns of vulnerable communities will be publicly explored.

This is especially problematic given that it is an opt-out program: people’s consent is assumed without their having all the relevant information.

It is critical that people—especially people from gender and sexual minorities and people living with HIV—are made aware of the potential risks of the My Health Record system ahead of the three month opt out window later this year.

This isn’t an argument inattentive to the benefits of centralisation or digitisation, but rather a discussion about the effect that a policy (as it currently stands) has on people’s well-being.

Greater sensitivity for the needs of our communities is required to ensure constructive health outcomes.

Even a well intentioned policy can have unintended consequences.

The views expressed are those of the author and not of any affiliated organisations mentioned.