OAIC annual report on digital health

11 November 2019
Tags: news

The national privacy regulator has released a snapshot of its activity across the digital health sector in 2018–19, including the My Health Record system.

The Office of the Australian Information Commissioner (OAIC) is the independent regulator of the privacy provisions under the My Health Records Act 2012 and the Healthcare Identifiers Act 2010.

The Annual Report of the Australian Information Commissioner’s activities in relation to digital health 2018–19 shows an increase in privacy enquiries and complaints as the My Health Record system moved from a self-register model to an opt-out model in February 2019.

In 2018–19, the OAIC received 145 enquiries and 57 complaints about the My Health Record system, compared to 14 enquiries and 8 complaints the previous financial year. Most complaints were received before the end of the opt-out period on 31 January 2019.

It also received 10 enquiries and 5 complaints about the Healthcare Identifiers Service.

During the reporting period, the OAIC provided detailed privacy advice on the My Health Record system to stakeholders including the Australian Digital Health Agency (Agency) and to the Senate Community Affairs References Committee and Legislation Committee.

The OAIC also conducted privacy assessments of regulated entities in the digital health sector. In 2018–19, it opened three new assessments of digital health privacy practices, including assessments of private hospitals, pharmacies, and pathology and diagnostic imaging services.

In 2018–19, the OAIC received four mandatory data breach notifications from the My Health Record System Operator (the Agency):

  • Two notifications related to unauthorised access to a My Health Record by a third party conducting fraudulent Medicare-claiming activity
  • One notification involved incorrect Medicare enrolment resulting in unauthorised access to a My Health Record
  • An enquiry into the fourth notification confirmed that a data breach had not occurred.

The OAIC received 31 mandatory notifications about data breaches involving Medicare records, including:

  • Twenty-seven notifications involved intertwined Medicare records, where healthcare recipients with similar demographic information shared the same Medicare record, and Medicare provided data to the incorrect individual’s My Health Record
  • Four notifications resulted from findings under the Medicare compliance program, where Medicare claims made in the name of a healthcare recipient, but not by that healthcare recipient, were uploaded to their My Health Record.

The OAIC assesses each notification it receives to determine whether appropriate action has been taken by the notifying organisation, and whether further action is required by the entity or the OAIC.

The OAIC also carries out proactive guidance and education activities relating to digital health. In 2018–19, this included:

  • Developing guidance material for healthcare providers about protecting patients’ personal and health information
  • Working with health sector organisations to promote good privacy practice and improve providers’ understanding about preventing and responding to data breaches
  • Developing online resources to help consumers make informed decisions about opting out of the My Health Record system
  • Promoting consumer awareness of the privacy controls available within their My Health Record, through videos, a website and other resources.

More information is available in the 2018–19 Australian Digital Health Agency Annual Report.