The My Health Record system is an Australian Commonwealth government program designed to extract parts of your medical and health information and put them in a new system the government controls. It was originally designed for you to voluntarily opt-in (which few did) but in 2016 the government announced its intention to make it opt-out, whether you want it or not.
The My Health Record is supposed to be a patient centric, patient controlled repository of health information. Any system of this nature requires maintenance and support. One essential support mechanism is the Call Centre.
This capability is the Achilles’ heel of the system and is the main reason why the architecture that underpins the whole system is wrong. The meaning of this statement is significant. What it means is that the system itself cannot be modified to rectify the risks and dangers of the system in its present from.
This page justifies this claim.
Table of Contents
The Government’s high level document that describes the system functionality, the Concept of Operations, has this on Call Centres:
6.3.5 The PCEHR System operator will provide a Call Centre to allow individuals to obtain general information about the PCEHR System, register/withdraw from the PCEHR System and manage their access controls. The Call Centre will also provide support to healthcare organisations.
The Call Centre is available to both individuals and providers and will be able to support:
- General enquires about the PCEHR System.
- Assistance around the registration process.
- Assistance in managing basic access controls
- Assistance in resolving issues around the PCEHR System.
- Resolution of complaints.
- Feedback around the PCEHR System
- Further functions may be added in time
Concept of Operations: Relating to the introduction of a Personally Controlled Electronic Health Record (PCEHR) System
Edition: September 2011 Release
Date: 12 Sept 2011
Prepared by: National E-Health Transition Authority www.nehta.gov.au
NEHTA Version Number: 0.14.18
This document was, but is now not, available on the NEHTA or Department of Health websites.
A copy is available here.
The High Level architecture of the system, the document that describes how the system will work says this on the Call Centre:
The Call Centre is used to handle PCEHR related administrative queries from individuals and providers. The PCEHR Call Centre is a separate entity from any Call Centres which may be associated with conformant portals. The Call Centre is deemed to be outside of the scope of this document and as such the related informational entities are not covered further here
There is no information on the design of the Call Centre. We are not told which records a Call Centre operator can see, what they can see on a record, or what they can change.
In other words, the government has hidden from the public the extent to which the privacy of an individual’s health data is at risk from all centre operators.
In addition to the above information it is stated that the PCEHR Call Centre will be run by Medicare.
In 2010/11 the government commissioned a Privacy Impact Assessment [PIA] from Minter Ellison, a firm of lawyers.
Their report included these statements:
5.1.13 Privacy Risks – Access to personal information by Call Centre(a) It has not yet been determined the extent to which staff of the System Operator’s Call
Centre will be able to ‘view’ data held in a consumer’s PCEHR.
5.1.14 Recommendation – Access to personal information by Call Centre staff5.11 That regulations under the PCEHR Bill set controls over the System Operator’s Call
Centre including requirements for staff security screening the monitoring of calls and how
much of a consumer’s data can be ‘viewed’ in what circumstances.
Paragraph 5.1.14 recommends that the Minister for Health create regulations that define controls over what Call Centre operators can and cannot do.
Regulations are part of the legislative process that allow a minister to “fine tune” a parliamentary act, without having to present a bill to parliament. This is a normal parliamentary process.
The Department of Health’s response to paragraph 5.11 of the Privacy Impact Assessment, above, was this:
The Department agrees that a clear and robust framework is required for the operation of the PCEHR system Call Centre. The Department considers that this would be achieved in a flexible and responsive way through the use of regulations or rules. This is provided for in the legislation (s109(2) and (3)).
The normal process is that the Minister makes rules and regulations and publishes them.
The relevant documents are available here:
- Link to the original act:
- Link to all the rules and regulations associated with the Act and its amendment in 2015:
- Link to the rules currently in force:
The government accepted the recommendation regarding Call Centres, however nowhere in the rules is there any mention of them.
This means that the government has not created a “clear and robust framework is required for the operation of the PCEHR system Call Centre” which it agreed, in 2011, was necessary for the PCEHR, as it was then.
Our view of the situation regarding the Call Centre is:
- The design and operating plans of the Call Centre, if they exist, have never been published.
- Rules the Minister for Health agreed were required for the operation of the PCEHR have never been created or published.
- Either deliberately or through incompetence, the government has failed to explain if the risks to health data privacy have been addressed and controlled.
- For all we know there may be no controls or mechanisms to protect the privacy of Australians from Call Centre operators.
Without any clear understanding of the exact capabilities of the Call Centre other than that outlined above and lacking the government’s promised “clear and robust framework” we can only fall back on our, not insubstantial, knowledge of government Call Centre operations and capabilities.
Given that the government wants to ensure that over twenty million Australians have a My Health Record, it only takes a one in a million chance of things going wrong for twenty people a year to have a serious data breach.
Health data is the most sensitive and valuable of an individual’s personal data. Health and associated personal data could be used as the basis for identity theft, blackmail and many other criminal purposes.
This means it it is highly attractive to criminals and hackers.
The government’s criminal and civil penalties approach is largely useless against people who have a ready made defence – accidental or mistaken access, or against overseas organisations.
Furthermore, laws may reduce criminal activity, they very rarely, if ever completely prevent it. Laws work by punishing the guilty; corruption, violent crime and other more serious offences still occur.
The only totally effective way to eliminate the risk of My Health Record data breaches via the Call Centre. is not to have a Call Centre.
The consequences of this are that without the support required by patients and service providers, the central My Health Record database would become unusable.
This should have been obvious to those architecting and designing the system years ago. A different model, one not requiring a central database and without direct patient access, should have been implemented. It would have been far cheaper, far more effective and nowhere near the privacy risk of the My Health Record.