My Health Record posing ‘significant’ concern for at-risk family law clients
As the deadline for opting out of the My Health Record looms ever closer, lawyers need to be informed about privacy and safety concerns associated with the new system to advise their family law clients accordingly, writes Michelle Meares.
Snap Shot
• Currently any person with parental responsibility (except in limited circumstances) for that child can become an authorised representative and access that child’s record, which may reveal the location of the child and details of their treating health care providers and confidential health information.
• This is a significant concern for those at risk of family violence if their location was revealed.
• Those clients should be advised to cancel the child’s My Health Record if they have not opted out by 31 January 2019.
The My Health Record (MHR) system is the Commonwealth government's digital health record system that contains an individual's health information, including treatments they have received, healthcare providers they have visited and medicines they have consumed that commenced operation in July 2012. Originally the system was designed on an opt-in basis, but in May 2017 the Commonwealth government announced that the MHR system would transition to an opt-out system largely due to the slow uptake of the system by the Australian public. This means that every Australian now has an MHR automatically created for them unless they chose to opt-out by the deadline of 31 January 2019. This includes children and young people.
The MHR of a child or young person can be accessed by the authorised representative of the child or young person. An authorised representative currently includes any individual with parental responsibility for that child except in limited circumstances following recent amendments to the My Health Records Act 2012. When creating an MHR, the Australian Digital Health Agency (ADHA) uses Medicare records to determine who has parental responsibility. If neither parent opts out, an MHR will be established for the child and both parents, if recorded at Medicare, will be deemed to have parental responsibility and will have access to it as an authorised representative.
There were concerns raised about perpetrators of family violence being potentially able to become an authorised representative of a child's MHR. Amendments were passed to the act on 26 November 2018 providing that a person cannot become an authorised representative of a child's MHR if under a court order or a law of the Commonwealth or a state or territory, the person must be supervised while spending time with the healthcare recipient; or the life, health or safety of the healthcare recipient or another person would be put at risk if the person were the authorised representative of the healthcare recipient. It is not yet clear what evidence in practice will satisfy the ADHA of that risk and it is up to those who consider that their safety or the safety of their child may be at risk to notify the ADHA and Medicare (Department of Human Services) and provide copies of any relevant orders with a request that the perpetrator be prevented from accessing the child's records.
The Family Law Act 1975 provides that each parent has parental responsibility (i.e. all the powers, responsibilities and authority which, by law, parents have in relation to a child), for a child subject to any order made by the court. While some parents do have court orders providing for sole parental responsibility for a child, these are usually only made after a final hearing and can take up to three years or more to obtain at a significant cost. There are many families where there are significant risk issues where children may be having no contact with a parent (by court order or otherwise) or only supervised contact with a parent in a controlled contact centre environment where both parents still have parental responsibility. There are also many families where one parent may be the subject of an apprehended domestic violence order (ADVO) that prohibits that parent from coming within, for example, 100 metres of a child's school or place of residence, or approach or contact the other parent or child. Frequently both parents may still retain parental responsibility under the Family Law Act 1975 if neither parent makes an application for parenting orders.
In these circumstances detailed above, the parent who is prohibited from contacting the other parent or child under state-based ADVO or interim or final parenting orders made pursuant to the Family Law Act 1975, would still be permitted to obtain access to the child's MHR (if the other parent has not opted out the child by 15 November 2018 or otherwise cancelled the child's record) unless a copy of the orders is provided to the ADHA.
Online access to a child’s MHR will provide information potentially about the location of the child and family and/or their treatment providers and the nature and dates of treatment. Family law practitioners should be aware of this when advising clients of risks when their clients or subject children may be at risk of family violence if the other parent was to gain access to their health record information or location revealed through the MHR system.
If either parent cancels the child's MHR account, this information will be deleted from the system if the My Health Records Amendment (Strengthening Privacy) Bill 2018, which was introduced to Parliament on 22 August 2018, is passed. This bill also contains provisions that a warrant, subpoena or court order will be required before the data can be provided by the ADHA to another agency.
On 23 August 2018, the Australian Senate referred the My Health Records Amendment (Strengthening Privacy) Bill 2018 to the Senate community affairs legislation committee for inquiry and report. This inquiry was conducted concurrently with the Senate community affairs references committee inquiry into the MHR system.
Submissions to the inquiries highlighted the safety and privacy concerns held by many, especially in relation to parents and young people who may be at risk of family violence if their location was to be revealed to the other parent, potential for tracking of domestic violence victims and the potential for confidential health information to be revealed in circumstances where there have been relationships of coercive and controlling family violence.
The Law Council recommended in their submission that the term ‘parental responsibility’ in the My Health Record Act 2012 (Cth) be replaced with an alternative term such as ‘parental rights’, and notes that the use of the term ‘parental responsibility’ in the MHR Act is “likely to cause considerable confusion” due to the different definitions used in the MHR Act compared with the Family Law Act. The Australian Law Reform Commission in the discussion paper Review of the Family Law System, released 2 October 2018, recommends replacing the term 'parental responsibility' with the term 'decision making responsibility' and the term is therefore already the subject of possible future review.
The Law Council recommends Section 5 of the MHR Act be amended so that and that the term ‘parental responsibility’ or ‘parental rights’ be amended to:
• A person has parental responsibility/parental rights if under a parenting order the child is to spend unsupervised time with the person; and
• A person does not have parental responsibility/parental rights if he/she has a restraining/personal protection order preventing them from spending time with the child under the Family Law Act 1975 or a law of a state or territory unless there is a Family Law Act order providing that person has parental responsibility for the child.
The Law Council noted that the current configuration of the MHR system means that there are "serious issues for children and parents who may be at risk of harm if their location was to be disclosed through the MHR system to a perpetrator of family violence. As the MHR system is currently opt-out this issue must be urgently addressed and education provided to the community for those who may be at risk of family violence or harm". Parents may need to be proactive about either opting out of the MHR system for their children if there are safety concerns.
The Senate committee (18 October 2018) was not satisfied “that women and children are adequately protected and believes that further work is required to ensure that MHR is not used by perpetrators to gain access to records”, and made a range of recommendations including those below to address these safety concerns such that:
1. Record access codes should be applied to each MHR by default and an individual should be required to choose to remove the code.
2. Amendment of the My Health Records Act 2012 to protect the privacy of children aged 14 to 17 years unless they expressly request that a parent be a nominated representative.
3. Amendment of the My Health Record Rule 2016 to extend the period for which an MHR can be suspended in the case of serious risk to the healthcare recipient, such as in a domestic violence incident.
The committee also raised concerns about the potential security vulnerabilities associated with having a centralised database with broad access. Other privacy concerns include that audit logs kept by the system only show access to the data at an organisation level, not at an individual level, so any unauthorised access to a health care recipient’s information will be trackable to an organisation level not an individual and whether the end user’s IT security systems such as those located at a small medical practitioner office would provide adequate safeguards to protect the MHR system.
Despite the recent amendments to the legislation made by the government, privacy concerns remain. According to the Annual Report of the Australian Digital Health Agency 2017-2018, there were 42 data breaches (in 28 notifications) of the MHR system reported to the Office of the Australian Information Commissioner in 2017-18. Of the 42 breaches, the agency confirmed that one was the result of “unauthorised access to a My Health Record as a result of an incorrect parental authorised representative being assigned to a child”.
Family lawyers will need to consider advising any affected clients to take steps to notify ADHA about their circumstances if they consider they may be at risk. The concerns about safety remain unless affected parents take action to notify ADHA of their circumstances. The opt-out model means the burden is placed back on victims to protect their safety and to take further steps and ‘prove’ the risk through provision of court orders, rather than the MHR system being built to protect by default.
A parent who has concerns is being advised by the ADHA to contact them to request that their child’s record be immediately suspended or cancelled (for a permanent solution).
Michelle Meares is a family law associate with Watts McCray Lawyers, and has a background in website development and IT. Ms Meares sits on the Law Society of NSW’s privacy and data committee 2017-2019 and has also recently been appointed to the Law Society of NSW family law committee.