The Australian government is set to increase the maximum penalties for improper use of My Health Record data, Health Minister Greg Hunt announced on Wednesday morning.
Under the changes, the maximum jail term will increase from two to five years, the maximum fine for individuals will jump from AU$126,000 to AU$315,000, and private health insurers will not be able to access health or de-identified data.
Employers will also not be able to use health information or de-identified data to discriminate against employees or potential employees.
“Importantly, employers or insurers cannot simply avoid the prohibition by asking the individuals to share their My Health Record information with them,” Hunt said.
Parents who have restricted access to a child, or are a potential risk to a child or person associated with the child, will not be allowed to become an authorised representative.
Hunt added that a review will be conducted into whether parents should have default access to the health records of their children aged between 14 and 17.
“Currently, a young person aged 14 and over can take control of their My Health Record at any time by removing their parents’ access to their record,” Hunt said.
The changes arrive in response to a Senate inquiry into My Health Record, which called for access controls to be applied by default, stronger restrictions on using My Health Record data for secondary uses, and the opt-out window extended for another year.
In a dissenting report, government senators said access controls would represent a “serious implementation challenge for many Australians”, particularly those “who did not (or could not) want to receive their PIN online”.
“Asking for a PIN, and requiring consumers to remember their PIN, will interrupt the clinical workflow and impede use of the record … both the clinician’s and the consumer’s time will be wasted while the consumer attempts to remember or locate their PIN,” they wrote.
“The proposal would also in practical terms effectively return the My Health Record to an opt-in participation model.”
The same senators also rejected the call for data to not be made available for secondary use without the individual’s explicit consent.
“We do not support this recommendation, as this would be inconsistent with the government’s general opt-out approach to My Health Record,” they wrote.
Australians who do not want a My Health Record automatically created for them can opt out until November 15. Records will not be created until a month later, due to the need to reconcile paper form opt-outs.
Speaking at Senate Estimates last month, the Australian Digital Health Agency (ADHA) said the opt-out rate is under 5 percent, and 1.147 million Australians had chosen to remove themselves from the system.
Documents obtained under Freedom of Information last month showed that ADHA had no detailed policy or process for releasing My Health Record data to support regulatory and legal requests.
The only internal policy guidance appears to have been the agency’s commitment, stated publicly, not to release data except “where the agency has no discretion”, such as when responding to a court order.
Individual document controls were used only 10 times during the electronic health record trial.
An additional 200,000 Australians have opted out, but it is sitting under ADHA’s 5 percent target.
A comprehensive review of Australia’s centralised digital health record has recommended extending the opt-out period by another 12 months while privacy controls are significantly tightened.
An Australian senate committee has recommended passing the My Health Records Amendment (Strengthening Privacy) Bill 2018, but Labor senators have lashed out at the government’s “stubborn refusal” to fix further problems.
Australia has spent billions of dollars for ‘nothing really useful’, according to leading internet policy commentator Mike Godwin, and the proposed anti-encryption laws are ‘inhumane, wrong, anti-democratic’.
Many of the concerns about Australia’s centralised digital health records are real, but the abstract, hand-wavey arguments aren’t persuading people outside the digital privacy bubble.