19 January 2021

Health data protection rules are a mess

Comment MyHealthRecord

The Australian Digital Health Agency wants changes made to the My Health Records Act under which it operates to make its reporting of data breaches more practical, and to harmonise the application of privacy rules across Australia.

Normally the ADHA saying that the privacy rules need to be eased and simplified might arouse a good deal of suspicion among privacy and consumer advocates, but reading the submission it quickly becomes clear that privacy legislation for Australian healthcare data is a mess, largely created by different federal and state privacy rules not talking to each other, and ADHA management is making an important point.

Not that they’ll be able to sort much out.

When the MHR system was launched it was given its very own data breach and privacy rules, ostensibly because the creators knew that a national health record system would raise a lot of eyebrows, so they needed the MHR to appear extra safe. The intention was to provide an additional level of transparency and reliability for consumers.

But a few years on it’s apparent the rules for the MHR are overcooked, and don’t harmonise very well with new national legislation on data breach laws introduced in 2018, or individual state based laws on privacy. One aspect of the MHR legislation compared to the more recent data breach legislation introduced federally is that the MHR requires reporting on breaches which clearly had no adverse consequences, and even of breaches which didn’t actually occur, but nearly occurred.

When the 2018 Federal notifiable data breach scheme was introduced as a part of the Privacy Act, the MHR system was made exempt – probably because the two schemes were so incompatible.

Notably, state and territory public sector bodies, which are important participants in the MHR scheme, are not subject to the Privacy Act or its notifiable data breach scheme. This creates a lot of potential for confusion in the management of healthcare data across the country.

ADHA CEO Amanda Cattermole wrote to the Attorney General’s Department late last year that “depending on the state or territory where these bodies operate, they might not otherwise be subject to equivalent privacy laws”.

“Currently there is no comprehensive privacy framework to enable a consistent approach to handling health information across different jurisdictions and public and private sectors,” the letter said.

As an example, the Privacy Act applies to commonwealth government agencies and private sector health service providers but it doesn’t apply to state and territory health bodies, except for some new COVID app data.

Cattermole pointed to the potential confusion at a hospital that has both private and public components in its operation.

“[D]espite sharing administrative functions, [each] will be subject to different legislation with different requirements,” she wrote, even though they might be dealing with exactly the same health data.

Cattermole’s letter is intriguing in that it is alerting at the highest level that privacy legislation and data protocols across the country are inconsistent, messy, and likely in lots of circumstances unworkable.

But the tone of the letter is more “just so you know” rather than “fix this immediately, it’s a priority and a mess”… which it appears to be.

Cattermole is not insisting on changes, and points out that the MHR protections, though an overreach, probably need to stay in place for a while yet, while the rest of the situation becomes a little more harmonised across states, territories and the federal sphere.

It’s the sort of letter you can pull and point to when something really goes wrong and say “it’s not like I didn’t tell you this could happen”.
