Government agencies can access the My Health Record without a warrant

Researcher flags a 'significant reduction' in legal thresholds

The legal thresholds for police and government agencies to access patients' clinical information on My Health Record are "significantly" lower than those protecting patient records held by doctors, according to advice from the Parliamentary Library.

data privacy threat

The billion-dollar system has been at the centre of another media frenzy as a three-month opt-out period begins, allowing patients to withdraw before they are signed up automatically in November.

Unlike GP records, the final say on whether police or a government agency can obtain access to a patient’s record will not lie with the courts but with the system’s operator, the Australian Digital Health Agency.

The agency has the freedom to pass on any information it "reasonably believes" is necessary to investigate or prosecute a crime, to counter “seriously improper conduct” or to “protect the public revenue”.

Sex workers have already expressed concerns about police accessing their records without a warrant.

Likewise, refugee and mental health groups are also concerned about the lack of privacy protections.

Fears 'not without foundation'

But an expert report by the Parliamentary Library — drawn up to provide background information for MPs — says the law governing My Health Record represents a “significant reduction" in the legal threshold for the release of private medical information to police.

Fears that the Department of Home Affairs could access the system to track down illegal immigrants were “not without foundation”, it adds.

It was also reasonable to assume that the clause about “protecting the public revenue” would allow the Australian Digital Health Agency to hand over a patient's clinical information to investigators from Centrelink or the Australian Taxation Office.

“[It] does not appear that the ADHA’s operating policy is supported by any rule or regulation."

The report warns that laws governing the release of clinical information on My Health Record sharply contrast with current protections preventing authorities gaining access to a doctor’s records, which can only be released without a patient's consent via warrant, subpoena or court order or in line with mandatory reporting obligations.

Although it has been reported that the Australian Digital Health Agency’s operating policy is to release information "only where the request is subject to judicial oversight", this policy is not mandated by the My Health Records Act 2012.

“[It] does not appear that the ADHA’s operating policy is supported by any rule or regulation," the report says.

Hunt's denial at odds with legislation

"As legislation would normally take precedence over an agency’s ‘operating policy’, this means that unless the ADHA has deemed a request unreasonable, it cannot routinely require a law enforcement body to get a warrant, and its operating policy can be ignored or changed at any time.

“It seems unlikely that [the] level of protection and obligation afforded to medical records by the doctor-patient relationship will be maintained, or that a doctor’s judgement will be accommodated, once a patient’s medical record is uploaded to My Health Record and subject to section 70 of the My Health Records Act 2012.” .

It also said last week’s denial by the federal Minister for Health Greg Hunt that people can be “criminalised” through My Health Record was “at odds with the legislation”.

Under Federal Government compacts signed last year, both the AMA and the RACGP have pledged to support the roll-out of My Health Record.

Read the report here