28 June 2019

So just who does have access to your MHR?

Insights MHR

If you’re a little unclear who can access a patient’s My Health Record, you’re in good company.

After getting some contradictory information from sources close to the system, The Medical Republic sat down with the Australian Digital Health Agency (ADHA) to be reassured on who can legally and practically access one, and when, and how it’s monitored.

Take pharmacies: can the teenager at the till, or the technician in the dispensary, read your health information? No and yes respectively. A surgeon’s receptionist? No. A GP practice nurse? Yes.

The Pharmacy Guild of Australia offers a course called Introducing My Health Record, written in partnership with the Australian Digital Health Agency “especially for pharmacy assistants and dispensary assistants”, its website says.

“On completing this module, pharmacy assistants and dispensary assistants will have learned how they can support their pharmacy to use My Health Record when supplying medicine and providing advice to customers.”

TMR asked the guild whether pharmacists would be accountable for any misuse or mistakes by an unregistered assistant.

A spokesman replied: “You have to be an AHPRA-registered health professional to access the MHR of a patient in your care – which excludes pharmacy assistants.” He said the education module was provided to pharmacy assistants only so they could answer questions about MHR.

ADHA initially told us: “Pharmacy assistants, who mainly help with administrative and front shop/over-the-counter duties in running a pharmacy, will generally not have access to individuals’ MHRs.

“Some pharmacy assistants, usually dispensary assistants, may be authorised to access an individual’s MHR if approved by their employer, and under direct supervision of a pharmacist … [A] pharmacy assistant’s duties may include confirming for the pharmacist what other drugs a patient is taking, confirming patient details and matching that patient to their Individual Healthcare Identifier.”

Providers had to document which employees would have access and what training they’d had, and be able to identify to ADHA anyone who had accessed a record, it said. Abuse would attract $315,000 in fines for individuals and up to five years’ jail.

Health IT analyst David More, who raised the alarm over the Guild’s education module on his Australian Health Information Technology blog, said this showed ADHA had “no real control of just who can poke about in a person’s My Health Record. They also don’t know who in the pharmacy (or surgery) has accessed the My Health Record. It’s an outrage and privacy-invasive.

“When this was introduced we thought it was only going to be doctors who could access this information. Then, oh, it’s nurses too. Then we realised it was GP practice staff … then pharmacists, podiatrists, and physiotherapists – and now anyone who works for them. Every wardsman and trolley boy!”

RACGP president Harry Nespolon said: “Why is this needed? You’d think it’d be the pharmacist who’d be the one accessing the record, it’s difficult to understand why they’d need to get their assistant to do it.

“This has always been a problem – it’s not clear who’s the person accessing the record.

“This just sounds like convenience for the pharmacists, and it’s not going to increase public trust to have assistants accessing people’s medication and possibly the rest of their medical records.”

The My Health Records Act 2012 covers authorisations in two separate sections.

Section 99 says: “An authorisation under this Act to an entity (the first entity) is also an authorisation of: (a) an individual: (i) who is an employee of the first entity; and (ii) whose duties involve doing an act that is authorised in relation to the first entity”.

Section 61 says: “A participant in the My Health Record system is authorised to collect, use and disclose health information included in a registered healthcare recipient’s My Health Record if the collection, use or disclosure [is] for the purpose of providing healthcare”.

That still sounds a bit loose, or at least open to interpretation – how tightly do you define “providing healthcare” in a pharmacy context when all sorts of questions are being asked and answered?

In fact, there are practical restraints, as well as reputational risks and the aforementioned criminal liabilities, to stop a bored 17-year-old assistant looking up their teachers’ records.

At a meeting with ADHA chief of staff Mark Kinsela, chief medical adviser Clinical Professor Meredith Makeham, and Pharmaceutical Society of Australia CEO Shane Jackson, the original ADHA official response was disavowed and we were set straight on how MHR works in a pharmacy.

“A pharmacist may choose to [delegate access] under direct supervision for a specific circumstance – it’s not blanket access to the My Health Record,” Mr Jackson said.

The pharmacy’s clinical information system, which already contains sensitive customer information that is protected from non-professional staff, if it is conformant with ADHA’s system can provide view-only access to an individual’s MHR when multiple fields of information are inputted.

This means only one record can be brought up at a time and nothing can be downloaded (unlike general practice software, which may allow downloads). And the only computers linked to the system are in the dispensary, so only dispensary technicians, not purely retail assistants (though some will do both), have access.

“When a patient comes in and provides a script, the pharmacist or the dispensing technician will look at the clinical information system to be able support providing that script to the patient,” Mr Kinsela said. “That system is not available to the person at front of house.”

Mr Jackson added: “Dispensary technicians may access the My Health Record if the organisational policy allows it, and that access would be documented.

“You wouldn’t have the retail manager or assistant at front of house having access because, one, they wouldn’t have access to the clinical information system, and two, they’re not delivering clinical care.”

A dispensary technician requires only the S2/S3 certificate “Support the supply of pharmacy medicines and pharmacist-only medicines”, a six-week online course available through TAFE for $115 to pharmacy employees who have completed year 10. Dispensary technicians are not AHPRA-registered and do not have unique identifiers.

Every pharmacy has a Health Provider Identifier – Organisation, and every pharmacist has a Health Provider Identifier – Individual, which uses two-factor authentication and is linked to their employer’s HPIO. Both are automatically logged when a MHR is accessed.

Record holders can tailor their privacy settings down to which healthcare provider organisations can view which documents.

“When someone looks at your record can get an audit history or be provided with an alert when someone accesses your My Health Record,” Mr Kinsela said. “You can tell at an organisational level, and then if you approach us we can provide you with the individual [HPII].”

Each organisation also has its own My Health Record security and access policy “to make sure that within an environment everything is clearly documented around who should have access, how that should be monitored and how it should be audited”, Mr Jackson said.

“Pharmacists are more than adequately aware of the penalties associated with misuse of the My Health Record. They’re a significant disincentive to do the wrong thing.”

Professor Makeham added: “There’s no ability for the retail people to see My Health Record, it’s illegal for them to see it, ignorance of the law is not an excuse in any setting.”