PDL Professional Officers occasionally receive incident reports and notifications relating to breaches or concerns regarding access to a patient’s My Health Record. Some of these cases require responses to the Australian Digital Health Agency (ADHA) and/or the Office of the Australian Information Commissioner (OAIC). PDL is grateful to Meridian Lawyers for preparing the following article to remind pharmacists of the expectations around access and use of My Health Record.
Demystifying My Health Record
Did you know that your right of access to a patient’s My Health Record can differ from your right of access to clinical records you hold locally?
A common trap for practitioners is the well-intentioned assumption that you can always access a My Health Record if it relates to the care you are providing – the My Health Record system is subject to its own law and patients also have the ability to impose their own access controls. In practice this means that you may not always have a right of access to all or part of your patient’s My Health Record even though you are providing care to them.
My Health Records are often accessible via a portal within your existing clinical record keeping systems, for example pharmacists accessing a My Health Record via MINFOS or FRED, which can blur the lines for practitioners in regard to their right of access. It is important that practitioners understand the rules that apply to My Health Records before accessing the portal, and practitioners who do not familiarise themselves with basic access functions and how to properly navigate the My Health Record can risk inadvertently breaching a patient’s privacy.
Legal framework
Section 59 of the My Health Records Act 2012 provides that a person must not collect information from a healthcare recipient’s My Health Record unless specific criteria applies.
The circumstances in which information can be accessed commonly include but are not limited to:
- Collection, use or disclosure of information for the purpose of providing healthcare to the individual where it is in accordance with access controls set by the healthcare recipient (or default access controls if the individual has not set any)
- Where the healthcare recipient has consented to the collection, use or disclosure of their information
- The practitioner reasonably believes that the collection, use or disclosure of information is necessary to lessen or prevent a serious threat to an individual’s life, health or safety and it is unreasonable or impracticable to obtain the individual’s consent
Section 75 of the Act requires that if an entity (such as a registered healthcare provider organisation) becomes aware that a contravention of the Act may have occurred then it is required to notify the System Operator (the Australian Digital Health Agency) and the Information Commissioner.
Certain breaches of privacy are also covered under other laws such as the Privacy Act.
Access controls
Patients have the ability to set access controls on their My Health Record. For example, they can set controls that restrict access to their entire My Health Record, or to specific documents, or restrict access for certain healthcare provider organisations. Patients can grant access to restricted records by providing their healthcare providers with a Document Access Code. If there is information which is relevant to your care of a patient, but which is subject to a restriction, you should consider discussing this with your patient.
Emergency Access Function
Access controls can be bypassed using the emergency access function. The function is intended to be used in an emergency situation where its use is necessary to lessen or prevent a serious threat, as described above, and it is unreasonable or impracticable to obtain the patient’s consent.
Practitioners should avoid using the emergency access function outside of its intended use. Use of the function is audited by the ADHA, and patients can opt to receive notifications when the emergency access function is used. It is important that practitioners familiarise themselves with how to use the general access feature as the primary portal in the My Health Record. As use of the emergency access function bypasses access restrictions, if any, on a My Health Record, use of the feature outside of its intended use risks potential inadvertent breaches of privacy.
What are the consequences for misuse of the My Health Records system?
Offences under the My Health Records Act, for example, can carry civil and even criminal penalties. However, it is worth noting that the Office of the Australian Information Commissioner has published a position that it will not seek a civil penalty order for all contraventions of a civil penalty provision in the Privacy Act or My Health Records Act. It states it is unlikely to seek a civil penalty order for minor or inadvertent contraventions, where the entity or person responsible for the contravention has cooperated with the investigation and taken steps to avoid future contraventions.[1]
Civil penalties can also apply for a failure to notify the Information Commissioner and the ADHA when an organisation becomes aware that an offence under the My Health Records Act may have been committed. If you believe that there may have been a breach of privacy, health service organisations or individuals should seek immediate advice as to whether they are required to notify the event.
An individual who has been affected by a privacy breach can also make complaint to the Information Commissioner, who will generally try to get the parties to agree on an outcome of the complaint but also has the power to make a determination. Among a range of possible outcomes, the Information Commissioner has the power to order an organisation pay financial compensation to an affected individual in its determination. This is separate from a civil penalty order.
Conclusion
Practitioners should familiarise themselves with the My Health Records interface that they have access to and the differences between the general access feature and the emergency access function. Use of the correct functions in the appropriate circumstances reduced the risk of inadvertent breaches of privacy.
The requirement for all healthcare provider organisations to have a security and access policy in place to manage the security and integrity of software in their organisations, is an added mitigating element to reduce the risk of inadvertent breaches of privacy.
If you suspect a breach of privacy may have occurred, you may have an obligation to notify the Office of the Australian Information Commissioner and the ADHA, and you should seek immediate advice in respect to these obligations. You should also review the incident to identify the cause and steps that you can take to avoid future contraventions.
[1] Guide to privacy regulatory action; Chapter 7: Civil penalties- serious or repeated interference with privacy and other penalty provisions. Office of the Australian Information Commissioner, January 2023
This article was written by Meridian Lawyers’ Principal Kellie Dell’Oro with the assistance of Solicitor Daniel Lewis.
Disclaimer: This information is current as of August 2023. This article does not constitute legal advice and does not give rise to any solicitor/client relationship between Meridian Lawyers and the reader. Professional legal advice should be sought before acting or relying upon the content of this article.
For immediate advice and incident support, call PDL on 1300 854 838 to speak with one of our Professional Officers. We are here to support our pharmacist members 24/7.
