My Health Record – Future Threats

As promised, this will be my third and final post on the My Health Record system. In this post I will briefly outline my concerns for MHR in the long term. I will try to keep this post brief, but if you would like to discuss any of the points I outline, please either contact me on Twitter or drop me an email. My concerns can be roughly grouped as: potential scope/mission creep; data and system security concerns; inter-project data linking and mining; and intergenerational data.

Before I get started, I want to address the revisions to the legislation that were announced by Greg Hunt’s office on Tuesday. As far as I am concerned, these revisions are entirely inadequate and designed to give the appearance of making concessions without making substantial changes. The revisions barely scratch the surface of the many concerns raised by both myself, and others, and the system still requires an opt-out rather than an opt-in, which would give the Australian people a genuine choice.

The first concern I raised above, scope/mission creep, is relatively easily understood. Scope/mission creep can occur in two ways. The first is that legislation can be introduced with a particular goal; however, future governments can reappropriate the legislation (and in this case, the data gathered) for other ends. This form of mission creep has happened with many of the domestic anti-terror laws introduced in Australia post 9/11 (see discussion of examples here and here). The other form of scope creep occurs when legislation that infringes on civil liberties is introduced in a softened form, with sunset clauses or as the least offensive version, with a view to amending it later to broaden its scope. Sometimes the government of the day may not necessarily intend to make substantial amendments to further infringe on civil liberties, but future governments see the appeal of such amendments and introduce them. One small change here by one government, another there by a subsequent government, and, over time, our civil liberties are eroded further and further. Let me make clear, I am not saying that all governments have some Machiavellian intent—although some may—rather it is the cumulative reappropriation and amendments that cannot be foreseen when legislation is introduced. Now, whilst I realise that amendments must pass through the parliament, it is easier to persuade parliament of the need for amendments that are incremental than to push through a highly controversial bill that takes the hardest line at the outset. Again, think about Australia’s anti-terror laws, some of which were only introduced because they had sunset clauses, which were then continually extended, for longer and longer periods each time. These concerns relate both to government uses of the data and to the potential for governments to authorise broader access to the data, such as to health insurance providers, pharmaceutical companies, etc.

With respect to the second concern raised, data and system security, this point is worthy of several posts alone—but don’t worry, I won’t have time to write them. I will however very briefly provide some food for thought on these concerns, some of which are more comprehensively covered elsewhere. My first thought with respect to security of patient data is obviously the potential for hacking and/or leaking, and I fear this may happen in several ways. It may be that, given a big fat shiny new target, hackers enjoy the challenge of splattering egg on the government’s face by hacking and then releasing the data (as proof of their hack). It may be that, given the commercial worth of the data, it is targeted for other ends, such as spurned ex-lovers, celebrities, politicians, or other public personalities having their data sold or leaked to the media (see here, here (account required), and here). Finally, and I will cover this a little more in a minute, if foreign governments obtain and leak this data, it would cause significant disruption and further erosion of public trust in government—both desirable outcomes for foreign governments seeking to destabilise the Australian government of the day. With respect to hacking, it is also worth noting that the potential for accessing individual patients’ data is greatly expanded: if files are accessed and downloaded to the local network by treating healthcare providers, the patient at home (either for review, management, or ‘safe keeping’), or hospitals, each instance weakens the security of the data and increases the likelihood it may be compromised—essentially it is only as secure as each local network’s data hygiene, management and security practices. A further concern, and one I touched on above, is the potential for the data to become the target of cyber-warfare or cyber-terrorism operations.
As societies, particularly those in the West, become increasingly reliant on online critical infrastructure management systems and storing of critical data on internet accessible means (either via networked machines or in the cloud) they become very attractive targets for foreign governments and actors seeking to destabilise and undermine the sovereignty of their enemies. As Clausewitz told us, ‘war is a continuation of politics by other means’, and, as is commonly understood, the more you can destabilize a country and sow discord among the people, the closer you are to winning the war (see Sun Tzu for more on this). We already know that power grids have been subject to probes and attacks by foreign actors, and it is entirely conceivable that taking the MHR system offline, or subversively altering data, could wreak havoc. I will end my discussion of data and system security here, but this is by no means an exhaustive account of the threats and vulnerabilities of MHR, and these are among my foremost concerns with the MHR system.

OAIC Notifiable Data Breaches Quarterly Statistics 1 April – 30 June 2018

SOURCE: OAIC Notifiable Data Breaches Quarterly Statistics Report 1 April – 30 June 2018

Moving along to inter-project data concerns, I would be interested to know if anyone in Government (or otherwise) tracks the various disparate mass public data banking projects that are currently underway. For example, in the news recently we’ve seen a number of stories (see here, here and here) relating to private companies collecting and storing (and selling) consumer DNA in databases; these companies usually offer ancestry searches, genetic screening, or, sometimes, ‘tailored’ health solutions (see photo below). Further, many governments—including here in Australia—already collect and store DNA for ‘law enforcement’ purposes (see here for an interesting article on the efficacy of DNA in law enforcement). There are also numerous other initiatives collecting health and other identity-related data, such as individuals’ genomic and biomarker information (see here and here)—which can be used for ‘targeted’ and personalised healthcare; biometric databases (facial recognition, retina scanning, etc); clinical registries, which record information on various conditions, diseases, and medical event outcomes for epidemiology and preventative medicine; and, of course, individuals’ metadata, which, whilst not necessarily health related, certainly collects identifying and behavioral information. In isolation, some of these initiatives seem worthwhile; however, there is a very real concern that the data could be cross-referenced or linked. The first concern here is that de-identified data is more likely to become re-identifiable the more data points you have at your disposal.
Second, the potential for ‘predictive’ uses of the data is far more attractive when there is so much information available to mine—you may think me a conspiracy theorist but if it becomes possible to identify genetic predispositions for violence, crime, mental health problems, etc, and that data is cross-referenced against medical history and behavioral outcomes indicating the same, for some governments, the temptation to use it predictively (and preemptively) may seem too good to refuse. Even were governments not to proceed down this path, access to the above data, particularly if combined, would have enormous potential for companies seeking to target market to individuals, and would make the temptation to combine and on-sell it very attractive. Obviously everyone wants the best possible healthcare outcomes, and the least crime possible; however, as a community we need to evaluate the efficacy and potential benefits vs harms of these technologies, if used collectively, or in isolation. In addition, as I have maintained throughout, where practicable, individuals should be afforded the opportunity to weigh the risks and benefits of participation, based on complete and comprehensive disclosure. Whilst there is not yet evidence these databanks will be linked, it seems highly likely it will happen at some point in the future; this is a potentiality that many individuals would not necessarily take into account when making decisions regarding participation in individual data banking projects. Furthermore, I have yet to see any evidence that Government is assessing this potential in the ethical evaluation and future planning of these technologies and databanks—I believe this is a serious concern.

Looking for an opportunity to compromise your privacy? How about trying this DNA tests kit for weight management, which is available at Chemist Warehouse now…

Finally, related to inter-project databanks, and yet somewhat distinct, the potential for intergenerational datamining or cross-referencing is surely inevitable. My concerns here are two-fold. In the shorter-term, I would like to know how Government could assure the Australian public that treating practitioners will not access patients’ family members’ medical records. I know we are often asked about our family medical history, but (similar to the argument I have made in previous posts) it is currently at our discretion what information we disclose and when, particularly when the information may have stigma associated with it or predispose doctors toward certain diagnostic avenues (mental health, addiction, etc). My second concern with intergenerational data banking is that whilst the current policy is to retain the data for 30 years post death (130 years if date of death is unknown), that is very likely to be extended, which would provide governments with longitudinal, intergenerational data on you, your children, their children, and so on. There is no doubt there are potential public health benefits to access to longitudinal, intergenerational health data, but, as I have maintained throughout, we each have a right to decide for ourselves whether we wish to disclose that information, and how we are comfortable with that information being used.

Well, that is it for now on MHR. My attempt has not been to give an exhaustive account of the failings and dangers of the MHR system, rather to give some insight into my most pressing thoughts and concerns on the system. As you may have guessed, I will opt my children and me out of the MHR system—for me, the risks just outweigh any potential benefits. I hope I have helped you to make an informed decision for you and your family—as the government should have done in the first place. I will continue to remain vocal on the need for the system to become opt-in, and the need for greater data and individual privacy protections in the system. If you’ve made it this far, thanks for reading.

/end rant

My Health Record and Epistemic Injustice


As promised, today’s post addresses the risk of epistemic injustices occurring as a result of the My Health Record (MHR) system. Advocates of the MHR system have argued the system will improve accuracy in treatment and record keeping; patients will have greater agency in their health care; and better patient outcomes will result. Contrarily, I argue adoption of this system has the potential to reduce patient agency and unjustly override patient testimony with respect to their wellbeing. Patients have the need, and right, to be heard and to retain control of their wellbeing.

Feminist philosopher, Miranda Fricker, coined the term epistemic injustice in her book, Epistemic Injustice: Power and the Ethics of Knowing, and she divided such injustices into two categories—testimonial injustice and hermeneutical injustice. Herein I am concerned primarily with testimonial injustice, which Fricker defines as: “a distinctively epistemic injustice, as a kind of injustice in which someone is wronged specifically in her capacity as a knower” (20). “The speaker sustains such a testimonial injustice if and only if she receives a credibility deficit owing to identity prejudice in the hearer; so the central case of testimonial injustice is [social] identity-prejudicial credibility deficit.” (28)** It is worth noting, however, hermeneutical injustice already exists in the healthcare system and is likely to be exacerbated by the MHR system, rather I am omitting it from my discussion for the sake of brevity.

MHR may increase testimonial injustice as practitioners rely less on patients’ testimony regarding their wellbeing during practitioner/patient interactions, and, instead, favour the information contained in the patient’s MHR files. Research already suggests significant epistemic injustice occurs in clinical situations, because of perceived ‘cognitive unreliability’ and ‘emotional instability’ in patients. This is likely to be compounded by reliance on information recorded in patients’ MHR, which is open to interpretation by the individual practitioner who may not understand the context and, in some cases, may lack relevant specialist knowledge. As a result practitioners may make incorrect judgments regarding the patient and their testimony’s credibility. This injustice is already present with respect to mental health care, where a phenomenon known as diagnostic overshadowing already occurs. Diagnostic overshadowing occurs when practitioners make diagnostic judgments based on their perception of a patient, in light of the patient’s pre-existing mental health history. Given the MHR will be accessible by a range of healthcare providers, with varying knowledge of mental illness, there is a very real potential for information recorded in a patient’s MHR to create unconscious bias in practitioner approach toward, and diagnosis of, patients. There is also a foreseeable risk of a similar bias resulting from other recorded information, particularly for marginalized groups, and patients already judged by practitioners to be less capable of giving an accurate account of their wellbeing. Where doctors have a source of information they consider to be more credible than patient testimony, it is conceivable they will default to the MHR account rather than the patient testimony; this is particularly likely where patient testimony conflicts with information recorded in the MHR data.
Some may argue, individuals have control of their MHR by accessing it online, and therefore retain agency and control over the information made available to healthcare practitioners. However, as explained in my previous post, this is based on the presumption that everyone has equal access, skills, and intellectual ability to access, monitor, and control the information stored in their MHR. Marginalised and vulnerable groups such as the elderly, disabled, mentally ill, homeless, educationally-disadvantaged, and, socially and economically underprivileged, may not have these capabilities, and this will increase the likelihood of epistemic injustices being committed against them. This is a concern not only because patients have a right to be heard and (in most cases) believed regarding their wellbeing, but also because evidence suggests electronic health records are in some instances incomplete, inaccurate, and less reliable than traditional methods of accessing patient health information. One particular patient account detailed how, even in spite of a GP referral letter querying appendicitis, a patient was not believed regarding his own medical history because a previous entry in his electronic health record incorrectly stated that his appendix was removed during a prior surgery. Despite the patient assuring the ER doctors that he still had his appendix, the doctors refused to take this into account during their treatment of him as a patient—he almost died as a result.

Patients’ narrative and agency are vital to their wellbeing. Patient narratives provide context and insight into the patients’ perceptions and experience of their illness. Often patient narrative, together with their verbal account of their medical history, is likely to be more up to date, and potentially more accurate, than MHR data. However, evidence suggests practitioners with access to electronic health records (in countries where these systems already exist) have less face-time with patients, and use of electronic health records can create additional practitioner/patient communication barriers. Any decrease in practitioner/patient communication, coupled with an increase in potential epistemic injustice, is likely to reduce the patients’ agency. There are also times when patients just need to feel heard, and to have their perception of their wellbeing given due consideration. No-one doubts practitioners want the best outcomes for their patients, but when practitioners are overworked and time poor, they doubt patients’ credibility, or patients’ testimonies are disjointed and drawn-out, practitioners may be tempted to default to the patients’ MHR rather than trusting their patient’s testimony.

There are times when a practitioner may well have good reason to assess a patient as having a credibility deficit, and, no doubt, there are times when patients are unable to convey accurate information regarding their wellbeing. In these instances, practitioners are currently forced to find other means of establishing this information, either via contacting the patient’s regular GP or speaking with family members. It is also likely, in some instances, this will delay treatment, and this is clearly not the desired outcome. I have seen numerous op-ed pieces where, having lost loved-ones due to delayed access to health information, people advocate strongly for MHR in the belief their loved-one may still be with them if the doctors could have accessed a MHR for the patient. Conversely, I have seen reports where practitioners say they wouldn’t act on, or have time to access, MHR in an emergency situation. Furthermore, research into electronic health records overseas suggests there is no improvement in patient in-hospital mortality rates. It is also very important to note, by default, it is not only emergency doctors and your GP who can access your health information, it is also accessible by allied health professionals. Of course there are instances, like the one mentioned above, where there is a critical need for time sensitive information, and every person should have the right to choose to make that available. That said, people should have the right to make an informed choice, they have the right to know the potential negative consequences, and to evaluate these carefully before choosing to opt-in if they’d prefer. They also shouldn’t be co-opted to have their information widely shared by default.

Thanks for reading thus far. I promise I will only make one more MHR post. My next post will consider the possible long-term consequences of MHR, for the individual and the public at large. Until then…

**Fricker further divides testimonial injustice into systematic and incidental, where systematic injustice tracks the individuals it targets across many facets of their lives – economic, educational, professional, sexual, etc.

My Health Record – An Ethical Quagmire

Watching the My Health Record (MHR) debacle play out over the past couple of weeks, I have sat quietly with my anger seething under the surface. Apologies in advance… it is about to spill out here.

Over the next week, I will be posting several entries regarding the MHR scheme, and will explore the ethical concerns that I have regarding the implementation, management, use, and future potential of the scheme.

Let me first temper what I am about to say by admitting I can see the appeal of health data being centralised and easily and readily accessible. For one thing, it certainly seems more efficient and expedient, for another, it will probably lighten the administrative load on health professionals who are already under the pump. I also acknowledge, there are potential public health benefits to research that may result from mass storage and mining of patient data, but I qualify this acknowledgement by pointing out that this does not automatically mean the benefits outweigh the risks. If we are forced to have an e-health record scheme—and clearly we are—we need to ensure it is ethically implemented, managed, and used, by government, health care professionals, and all others involved. As with anything involving infringement upon individuals’ rights, I think informed consent is key, both at a societal and individual level. If, with full disclosure, the majority of society consents on the basis that the benefits outweigh the risks then the scheme should, arguably, go ahead. If the scheme proceeds, the individual should be comprehensively informed, and, provided they understand the information, they should then choose whether they consent to their personal data being stored, and opt in accordingly.

I have huge concerns with any opt-out system when it comes to infringements on individual privacy. As a former patient advocate (lay-spokesperson) on a Human Research Ethics Committee (HREC), I have argued strongly against similar opt-out schemes with respect to banking and mining of individuals’ data. As has been acknowledged in debates regarding opt-out schemes, the reason for choosing to make them opt-out is that many people would not opt in of their own accord. Conversely, faced with multistep processes, which are often complicated and time consuming, many people will not take the time to opt out, simply won’t understand how, or may not fully understand what they’re signed up to in the first place. After all, if you have just been told you have a chronic or fatal condition, your mind is probably not on reading the leaflet you’re given about your data. I argue such practices struggle to meet the standards of informed consent; instead, this looks more like tacit consent obtained by something similar to coercion. Advocates of opt-out argue that individuals who oppose such schemes strongly enough will make the effort to opt out. I argue the inverse: individuals who believe strongly enough in the benefits of such schemes will make the effort to opt in. Further, whilst the National Health and Medical Research Council (NHMRC) Guidelines do provide for opt-out consent, they specifically state that opt-out can only be used in ‘low risk’ situations, where ‘low risk’ means risk is limited to ‘discomfort’. Furthermore, even in cases where opt-out approaches are deemed permissible, the guidelines stipulate (among other things):

– Reasonable attempts must be made to provide all prospective participants with appropriate comprehensive plain language information on the study/databank their health information will be recorded for, including information on how their information will be used, and how to decline participation or withdraw from the research;

– There must be a reasonable time period between the provision of information and the use of participant data, to allow adequate opportunity for them to decline to participate before the research begins; and,

– A mechanism must be provided for prospective participants to obtain further information.

The roll-out of the MHR opt-out scheme has not satisfied any of the aforementioned NHMRC requirements, and, although it appears these guidelines do not apply to this government initiative (even though it will involve use of the data for medical research), it seems reasonable that the same or similar standards should be met.

Surely no-one would be without access to a phone…right?!

Beyond my general concerns regarding opt-out schemes, and this scheme in particular, one of my primary concerns is the potential injustices involved for many individuals, particularly amongst our most vulnerable members of society—namely the elderly, disabled, mentally ill, homeless, educationally-disadvantaged, and, socially and economically underprivileged.

Many of the groups I have outlined above are less likely to be aware of the scheme due to the very minimal advertising that has been involved, others may not possess the necessary computer literacy skills and/or access to the resources required to opt-out. As a HREC member, I was instructed to review patient consent forms with an expectation that someone with the comprehension level of a 12 year-old should be able to understand the information contained therein—the little information that has been made available on the MHR scheme. I should say, while I am aware that one can opt out via phone, many people may not be aware, and, even if they are, they may not know who to call or have the ability to wait for lengthy periods, on hold, to complete the process. Furthermore, I learned this week—via Twitter—that it is possible to opt out via a form available at post-offices, however, given the appalling lack of advertising, I doubt many people in the groups outlined above would be aware of this. The fact is, the onus should not be on people, particularly those who are vulnerable or already facing significant disadvantage, to seek the necessary information to meet the standard of informed consent, and then actively have to remove themselves from the scheme if they are not comfortable with participating. Despite not having a Bill of Rights, as a founding member of the UN and an instrumental force in the development of the UN Declaration of Human Rights, Australia has an ethical responsibility to uphold the rights it confers; Article 12 of the Declaration stipulates, “no one shall be subjected to arbitrary interference with his privacy…Everyone has the right to the protection of the law against such interference or attacks”, furthermore, fundamental to the very concept of human rights is individual autonomy—the right to self-govern, without external influence. 
The decision of the Australian Government to once again shirk their human rights obligations, particularly with regard to their own populace, is evidence of a willingness to exploit people for political gain.

Too bad if you didn’t have regular internet access…

Moving on from my gripe with the opt-out system, the challenges I have outlined for the vulnerable groups above will only be exacerbated with respect to the access and management of individuals’ MHR data. Many of the privacy concerns that have been raised thus far have been met with insistence that individuals will be able to manage their own health data, including the provision for individuals to delete entries and restrict which types of health care providers (and others) can access the data. This task sounds quite burdensome and laborious for individuals, who will need to constantly log in to monitor the data. Also, it is worth noting, by default the records will have the least privacy restrictions possible; consumers will need to log in and change their settings if they want any real privacy at all. For those without access to a computer, without the technical, literacy, and other skills necessary to access, navigate, and manage the data, these tasks could well be insurmountable.

Of course you don’t need the individual’s consent to access their health record…sheesh…anyone would think it was private…

It is particularly worrying that the way the system has been implemented as opt-out, with the least possible privacy restrictions by default, and with onerous processes involved for consumers in managing privacy and data, looks suspiciously like a phenomenon known as ‘dark patterns’. Dark patterns are interface designs made to trick, shame, and delay consumers from taking some positive action. For example, have you ever wondered why Facebook make it so hard to find and change your privacy settings, or, heaven forbid, delete your account—that’s a dark pattern! Have you noticed how when T&C’s get updated online, you can ‘click to accept’ or be redirected to a lengthy process to ‘update your preferences’, which have accepted the changes by default, even though your actual preferences haven’t changed—that’s a dark pattern!

Well, if you’ve made it this far, thanks for reading. My next post, which will be out by Monday, will explore the epistemic injustices that may result from health care providers accessing your MHR.