18 November 2018

Police can acess medical data, MHR or not

Insights

An examination of the legislation underpinning Medicare Australia has revealed that the precedent for the police accessing MyHealthRecord without a warrant was set a long time ago.

Medicare Australia is legally allowed to share linked PBS and MBS data with law enforcement without a court order, so long as the disclosure is “reasonably necessary” to enforce criminal law, a law imposing a pecuniary penalty, or the protection of the public revenue.

Once linked, PBS and MBS data can tell a very detailed story about an individual’s medical history. 

It was possible to infer from item numbers and prescription codes whether a patient had a mental health condition, an STI or had undergone an abortion, said Dr Chris Culnane, a cybersecurity expert at The University of Melbourne. 

“So, releasing that information is very similar to releasing someone’s medical records, which is obviously not something that should occur without appropriate oversight,” he said.

Two legal experts contacted by The Medical Republic confirmed that Medicare Australia could legally pass health information onto law enforcement without judicial oversight under the National Health Act 1953.

Medicare Australia was contacted for comment but did not provide a response prior to going to press.

The revelation came as fear and confusion mounted in response to reports that the Australian Digital Health Agency (ADHA) could disclose MyHealthRecord documents to police, Centrelink, Medicare, or the Australian Tax Office without a court order. 

Currently, the police cannot access medical data held privately in a GP clinic without a warrant or a subpoena. 

But under Section 70 of the My Health Records Act 2012, the ADHA can share health information if it reasonably believes it is necessary for, among other things, the prevention, detection, investigation, prosecution or punishment of criminal offences, or the protection of the public revenue. 

“You could drive a reasonably large truck through those provisions and not hit the side,” said Peter Clarke, a barrister at Isaacs Chambers in Melbourne. “They are drafted in such broad and vague terms that it is easy to justify access. It is a big gift to the police.”

Lowering privacy protections could put vulnerable patients at risk if, for instance, their Centrelink payments depended on their health status, or they were technically breaking the law by undergoing an abortion in Queensland, said Professor Kerryn Phelps, a GP and past president of the AMA.

“Who in their right mind puts the ADHA in charge of deciding whether this precious information is handed over to a third party?” she said. 

Assistant Professor Bruce Baer Arnold from the School of Law at the University of Canberra said the drafting of the legislation was a “deliberate privacy creep” and that bureaucratic convenience had trumped the rights of citizens.

The ADHA said it would never release documents without a court order, and had not done so in six years of operation.

But legal experts said requests for private health information should be subject to judicial review.

“It is a big deal in our society, and it has been for about 400 years, to be able to enter someone’s private domain,” said Mr Clarke. 

By not embedding judicial oversight in the legislation, the government was effectively asking the public to trust every individual in every agency that might have control over MyHealthRecord information in the future. 

This was a flawed approach because “people are inherently fallible and subject to various temptations and various biases,” said Jonathan Crowe, a professor of law at Bond University.