My Health Record – An Ethical Quagmire

Watching the My Health Record (MHR) debacle play out over the past couple of weeks, I have sat quietly with my anger seething under the surface. Apologies in advance… it is about to spill out here.

Over the next week, I will be posting several entries regarding the MHR scheme, and will explore the ethical concerns that I have regarding the implementation, management, use, and future potential of the scheme.

Let me first temper what I am about to say by admitting I can see the appeal of health data being centralised and easily and readily accessible. For one thing, it certainly seems more efficient and expedient, for another, it will probably lighten the administrative load on health professionals who are already under the pump. I also acknowledge, there are potential public health benefits to research that may result from mass storage and mining of patient data, but I qualify this acknowledgement by pointing out that this does not automatically mean the benefits outweigh the risks. If we are forced to have an e-health record scheme—and clearly we are—we need to ensure it is ethically implemented, managed, and used, by government, health care professionals, and all others involved. As with anything involving infringement upon individuals’ rights, I think informed consent is key, both at a societal and individual level. If, with full disclosure, the majority of society consents on the basis that the benefits outweigh the risks then the scheme should, arguably, go ahead. If the scheme proceeds, the individual should be comprehensively informed, and, provided they understand the information, they should then choose whether they consent to their personal data being stored, and opt in accordingly.

I have huge concerns with any opt-out system when it comes to infringements on individual privacy. As a former patient advocate (lay-spokesperson) on a Human Research Ethics Committee (HREC), I have argued strongly against similar opt-out schemes with respect to banking and mining of individuals’ data. As has been acknowledged in debates regarding opt-out schemes, the reason for choosing to make them opt-out is that many people would not opt in of their own accord. Conversely, faced with multistep processes, which are often complicated and time-consuming, many people will not take the time to opt out, simply won’t understand how, or may not fully understand what they’re signed up to in the first place. After all, if you have just been told you have a chronic or fatal condition, your mind is probably not on reading the leaflet you’re given about your data. I argue such practices struggle to meet the standards of informed consent; instead, this looks more like tacit consent obtained by something similar to coercion. Advocates of opt-out argue that individuals who oppose such schemes strongly enough will make the effort to opt out. I argue the inverse: individuals who believe strongly enough in the benefits of such schemes will make the effort to opt in. Further, whilst the National Health and Medical Research Council (NHMRC) Guidelines do provide for opt-out consent, they specifically state that opt-out can only be used in ‘low risk’ situations, where ‘low risk’ means risk is limited to ‘discomfort’. Furthermore, even in cases where opt-out approaches are deemed permissible, the guidelines stipulate (among other things):

– Reasonable attempts must be made to provide all prospective participants with appropriate comprehensive plain language information on the study/databank their health information will be recorded for, including information on how their information will be used, and how to decline participation or withdraw from the research;

– There must be a reasonable time period between the provision of information and the use of participant data, to allow adequate opportunity for them to decline to participate before the research begins; and,

– A mechanism must be provided for prospective participants to obtain further information.

The roll-out of the MHR opt-out scheme has not satisfied any of the aforementioned NHMRC requirements, and, although it appears these guidelines do not apply to this government initiative (even though it will involve use of the data for medical research), it seems reasonable that the same or similar standards should be met.

Surely no-one would be without access to a phone…right?!

Beyond my general concerns regarding opt-out schemes, and this scheme in particular, one of my primary concerns is the potential injustices involved for many individuals, particularly amongst our most vulnerable members of society—namely the elderly, disabled, mentally ill, homeless, educationally-disadvantaged, and, socially and economically underprivileged.

Many of the groups I have outlined above are less likely to be aware of the scheme due to the very minimal advertising that has been involved; others may not possess the necessary computer literacy skills and/or access to the resources required to opt out. As a HREC member, I was instructed to review patient consent forms with an expectation that someone with the comprehension level of a 12-year-old should be able to understand the information contained therein—the little information that has been made available on the MHR scheme. I should say, while I am aware that one can opt out via phone, many people may not be aware, and, even if they are, they may not know who to call or have the ability to wait for lengthy periods, on hold, to complete the process. Furthermore, I learned this week—via Twitter—that it is possible to opt out via a form available at post offices; however, given the appalling lack of advertising, I doubt many people in the groups outlined above would be aware of this. The fact is, the onus should not be on people, particularly those who are vulnerable or already facing significant disadvantage, to seek the necessary information to meet the standard of informed consent, and then actively have to remove themselves from the scheme if they are not comfortable with participating. Despite not having a Bill of Rights, as a founding member of the UN and an instrumental force in the development of the UN Declaration of Human Rights, Australia has an ethical responsibility to uphold the rights it confers; Article 12 of the Declaration stipulates, “no one shall be subjected to arbitrary interference with his privacy…Everyone has the right to the protection of the law against such interference or attacks”; furthermore, fundamental to the very concept of human rights is individual autonomy—the right to self-govern, without external influence.
The decision of the Australian Government to once again shirk their human rights obligations, particularly with regard to their own populace, is evidence of a willingness to exploit people for political gain.

Too bad if you didn’t have regular internet access…

Moving on from my gripe with the opt-out system, the challenges I have outlined for the vulnerable groups above will only be exacerbated with respect to the access and management of individuals’ MHR data. Many of the privacy concerns that have been raised thus far have been met with insistence that individuals will be able to manage their own health data, including the provision for individuals to delete entries and restrict which types of health care providers (and others) can access the data. This task sounds quite burdensome and laborious for individuals, who will need to constantly log in to monitor the data. Also, it is worth noting, by default the records will have the least privacy restrictions possible; consumers will need to log in and change their settings if they want any real privacy at all. For those without access to a computer, without the technical, literacy, and other skills necessary to access, navigate, and manage the data, these tasks could well be insurmountable.

Of course you don’t need the individual’s consent to access their health record…sheesh…anyone would think it was private…

It is particularly worrying that the way the system has been implemented as opt-out, with the least possible privacy restrictions by default, and with onerous processes involved for consumers in managing privacy and data, looks suspiciously like a phenomenon known as ‘dark patterns’. Dark patterns are interface designs made to trick, shame, and delay consumers from taking some positive action. For example, have you ever wondered why Facebook make it so hard to find and change your privacy settings, or, heaven forbid, delete your account—that’s a dark pattern! Have you noticed how when T&C’s get updated online, you can ‘click to accept’ or be redirected to a lengthy process to ‘update your preferences’, which have accepted the changes by default, even though your actual preferences haven’t changed—that’s a dark pattern!

Well, if you’ve made it this far, thanks for reading. My next post, which will be out by Monday, will explore the epistemic injustices that may result from health care providers accessing your MHR.