CIO

Parliament passes permanent My Health Record deletion provision

Access by insurers and employers explicitly prohibited

Parliament this morning passed legislation to allow citizens to opt out of My Health Record at any time, and permanently delete their records.

Previously, if an individual had not opted out, their record could not later be deleted but only made “unavailable”, meaning healthcare providers could not access it or upload documents to it. It would, however, be kept for 30 years after an individual’s death or, if the date of death was unknown, for 130 years after their date of birth.

The Australian Digital Health Agency (ADHA) – the system operator of the My Health Record – today said the new bill means individuals can now “permanently delete” their record “at any time”.

“No archived copy or back up will be kept and deleted information won’t be able to be recovered,” the agency said in a statement.

The new measures – contained in the My Health Records Amendment (Strengthening Privacy) Bill 2018 – mean Australians can opt out of having a My Health Record at any time. Initially citizens had a three-month window (later extended by a month) during which to opt out and stop a My Health Record being automatically created for them.

A number of people attempting to opt out of having a record created for them reported that a record already existed in their name without them knowing.

Records will still be created for all Australians who haven’t opted out from January 31 next year, but they can now be permanently deleted at any time.

“These changes are in response to the Australian community’s calls for even stronger privacy and security protections for people using My Health Record,” the agency said.

Insurers get no access for any reason

The amended laws also ‘explicitly prohibit’ access to My Health Records by insurers and employers, and ‘make clear’ that the system cannot be privatised or used for commercial purposes.

Earlier this month the government revealed plans to ban insurers from participating in a ‘secondary use’ framework for access to de-identified data.

The secondary-use framework allowed commercial organisations to apply to use the My Health Record data “so long as it can be demonstrated that the use is consistent with ‘research and public health purposes’ and is likely to generate public health benefits and/or be in the public interest”.

As per the amended legislation, insurers “cannot access data for any reason”, the ADHA said.

“Under these measures, insurers and employers are prohibited from accessing any information within your My Health Record or asking you to disclose your information,” the agency said in a statement.

“The primary purpose of My Health Record is to improve your care, and access to your information by private health insurers and employers is not healthcare,” it added.

Other legislative changes mean no information within My Health Record can be released to a law enforcement organisation without an order from a judicial officer. The agency said this was already its ‘official operating policy’ but the amendment gave Australians extra reassurance.

The ADHA’s powers as system operator of the My Health Record can no longer be delegated to another government agency, with the exception of the Department of Health and the chief executive of Medicare.

Extra protections for victims of domestic and family violence and increased penalties for inappropriate or unauthorised use of information in a My Health Record also feature in the bill.

Civil fines will increase to a maximum of $315,000, with criminal penalties including up to five years’ jail time.