When it comes to who can legally access a patient's My Health Record, the devil is in the definitions
If youâre a little unclear who can access a patientâs My Health Record, youâre in good company.
After getting some contradictory information from sources close to the system, The Medical Republic sat down with the Australian Digital Health Agency (ADHA) to be reassured on who can legally and practically access one, and when, and how itâs monitored.
Take pharmacies: can the teenager at the till, or the technician in the dispensary, read your health information? No and yes respectively. A surgeonâs receptionist? No. A GP practice nurse? Yes.
The Pharmacy Guild of Australia offers a course called Introducing My Health Record, written in partnership with the Australian Digital Health Agency âespecially for pharmacy assistants and dispensary assistantsâ, its website says.
âOn completing this module, pharmacy assistants and dispensary assistants will have learned how they can support their pharmacy to use My Health Record when supplying medicine and providing advice to customers.â
TMR asked the guild whether pharmacists would be accountable for any misuse or mistakes by an unregistered assistant.
A spokesman replied: âYou have to be an AHPRA-registered health professional to access the MHR of a patient in your care â which excludes pharmacy assistants.â He said the education module was provided to pharmacy assistants only so they could answer questions about MHR.
ADHA initially told us: âPharmacy assistants, who mainly help with administrative and front shop/over-the-counter duties in running a pharmacy, will generally not have access to individualsâ MHRs.
âSome pharmacy assistants, usually dispensary assistants, may be authorised to access an individualâs MHR if approved by their employer, and under direct supervision of a pharmacist ⌠[A] pharmacy assistantâs duties may include confirming for the pharmacist what other drugs a patient is taking, confirming patient details and matching that patient to their Individual Healthcare Identifier.â
Providers had to document which employees would have access and what training theyâd had, and be able to identify to ADHA anyone who had accessed a record, it said. Abuse would attract $315,000 in fines for individuals and up to five yearsâ jail.
Health IT analyst Dr David More, who raised the alarm over the Guildâs education module on his Australian Health Information Technology blog, said this showed ADHA had âno real control of just who can poke about in a personâs My Health Record. They also donât know who in the pharmacy (or surgery) has accessed the My Health Record. Itâs an outrage and privacy-invasive.
âWhen this was introduced we thought it was only going to be doctors who could access this information. Then, oh, itâs nurses too. Then we realised it was GP practice staff ⌠then pharmacists, podiatrists, and physiotherapists â and now anyone who works for them. Every wardsman and trolley boy!â
RACGP president Harry Nespolon said: âWhy is this needed? Youâd think itâd be the pharmacist whoâd be the one accessing the record, itâs difficult to understand why theyâd need to get their assistant to do it.
âThis has always been a problem â itâs not clear whoâs the person accessing the record.
âThis just sounds like convenience for the pharmacists, and itâs not going to increase public trust to have assistants accessing peopleâs medication and possibly the rest of their medical records.â
The My Health Records Act 2012 covers authorisations in two separate sections.
Section 99 says: âAn authorisation under this Act to an entity (the first entity) is also an authorisation of: (a) an individual: (i) who is an employee of the first entity; and (ii) whose duties involve doing an act that is authorised in relation to the first entityâ.
Section 61 says: âA participant in the My Health Record system is authorised to collect, use and disclose health information included in a registered healthcare recipientâs My Health Record if the collection, use or disclosure [is] for the purpose of providing healthcareâ.
That still sounds a bit loose, or at least open to interpretation â how tightly do you define âproviding healthcareâ in a pharmacy context when all sorts of questions are being asked and answered?
In fact, there are practical restraints, as well as reputational risks and the aforementioned criminal liabilities, to stop a bored 17-year-old assistant looking up their teachersâ records.
At a meeting with ADHA chief of staff Mark Kinsela, chief medical adviser Clinical Professor Meredith Makeham, and Pharmaceutical Society of Australia CEO Shane Jackson, the original ADHA official response was disavowed and we were set straight on how MHR works in a pharmacy.
âA pharmacist may choose to [delegate access] under direct supervision for a specific circumstance â itâs not blanket access to the My Health Record,â Mr Jackson said.
The pharmacyâs clinical information system, which already contains sensitive customer information that is protected from non-professional staff, if it is conformant with ADHAâs system can provide view-only access to an individualâs MHR when multiple fields of information are inputted.
This means only one record can be brought up at a time and nothing can be downloaded (unlike general practice software, which may allow downloads). And the only computers linked to the system are in the dispensary, so only dispensary technicians, not purely retail assistants (though some will do both), have access.
âWhen a patient comes in and provides a script, the pharmacist or the dispensing technician will look at the clinical information system to be able support providing that script to the patient,â Mr Kinsela said.
âThat system is not available to the person at front of house.â
Mr Jackson added: âDispensary technicians may access the My Health Record if the organisational policy allows it, and that access would be documented.
âYou wouldnât have the retail manager or assistant at front of house having access because, one, they wouldnât have access to the clinical information system, and two, theyâre not delivering clinical care.â
A dispensary technician requires only the S2/S3 certificate âSupport the supply of pharmacy medicines and pharmacist-only medicinesâ, a six-week online course available through TAFE for $115 to pharmacy employees who have completed year 10. Dispensary technicians are not AHPRA-registered and do not have unique identifiers.
Every pharmacy has a Health Provider Identifier â Organisation, and every pharmacist has a Health Provider Identifier â Individual, which uses two-factor authentication and is linked to their employerâs HPIO. Both are automatically logged when a MHR is accessed.
Record holders can tailor their privacy settings down to which healthcare provider organisations can view which documents.
âWhen someone looks at your record can get an audit history or be provided with an alert when someone accesses your My Health Record,â Mr Kinsela said.
âYou can tell at an organisational level, and then if you approach us we can provide you with the individual [HPII].â
Each organisation also has its own My Health Record security and access policy âto make sure that within an environment everything is clearly documented around who should have access, how that should be monitored and how it should be auditedâ, Mr Jackson said.
âPharmacists are more than adequately aware of the penalties associated with misuse of the My Health Record. Theyâre a significant disincentive to do the wrong thing.â
Professor Makeham added: âThereâs no ability for the retail people to see My Health Record, itâs illegal for them to see it, ignorance of the law is not an excuse in any setting.â
