Media Briefing - Protecting Health Information in the Digital Age
11 August 2008
Electronic health records
In recent years, there have been increasing pressures, particularly from government, to move from paper to electronic health records. The ALRC’s Privacy Inquiry coincided with a number of major initiatives to develop electronic medical records—including the proposed national Shared Electronic Health Records system, in which a summary of personal information would be stored on a central database. A range of health service providers would be able to access the information on the database, with the consent of the individual health consumer.
The Commissioner in charge of the Privacy Inquiry, Professor Les McCrimmon, said that “Health information is highly sensitive and personal. Although people recognise that new ‘e-health’ systems can provide benefits in terms of better health care—and in coping with emergencies—many are concerned about the security and privacy of electronic health records. We recommend that any such system should be established under its specific legislation, which expressly addresses the key privacy issues and includes appropriate safeguards.”
Access to medical records
Another area of concern, both in relation to electronic health records and traditional paper-based files, is access. “We heard loud and clear that people want access to, and control, over their own health information,” said ALRC President, Professor David Weisbrot. “We heard many stories from patients who had experienced frustration in this regard. For example, we heard about health records being found in rubbish bins, garages or on the footpath after their family doctor had sold the practice, retired or passed away. One of our key recommendations in this area is that patients must be contacted and informed of the arrangements for the transfer or storage of their medical records.
“We also recommend that where a patient shifts from one medical practice to another, the old practice should be required to transfer the patient’s medical records to the new one, upon request.”
Greater facilitation of research in the public interest
The Privacy Act already recognises that, in some circumstances, researchers may be allowed to use personal information for health or medical research—such as epidemiological research on health trends—without the need to obtain the consent of every individual concerned. This kind of research only may proceed where: (a) it conforms to the Privacy Commissioner’s rules; (b) a Human Research Ethics Committee (HREC) decides that the public interest in the research substantially outweighs the interest in enforcing the privacy principles; and (c) obtaining the consent of every individual would be impractical.
However, Professor Weisbrot said that “Medical research isn’t the only form of research that can provide significant benefits to the community. For example, research on child protection or the causes of crime—which require access to personal information in situations where it is difficult to obtain consent—is also extremely important.
“The ALRC recommends that the research exception in the Privacy Act be extended to these other forms of socially worthwhile research—but under the same strict conditions that apply to medical research. Secondly, it should be sufficient for the HREC to conclude that the public interest in the research simply outweighs the competing privacy interests.”
For more information on health information and electronic health information systems, see Chapters 60–63 of For Your Information: Australian Privacy Law and Practice (ALRC 108, 2008). Research is considered in Chapters 64–66.