Positive Life NSW

If you go electronic, will your health records stay private? Solicitor Brady from the HIV/AIDS Legal Centre outlines his concerns.

Once your health records go electronic, will you still have privacy around your health matters? That's the question raised by the personally controlled electronic health records (PCEHR – we pronounce it 'pecker') scheme the federal government is trialling in various 'high interest' centres, including St Vincent's Hospital in Sydney. A significant 'high interest' group at St Vincent's is the HIV-positive patient population.

There's no doubt about the potential benefits of a reliable electronic health record. Access to detailed information could reduce consultation time, the possibility of medical mistakes and complications for patients with complex health issues. We already see the value of such electronic health databases in reducing pharmaceutical contraindications (the unwanted side effects of multiple pharmaceutical prescriptions). Electronic health records have the real possibility of improving health outcomes and quality of care for those with the most complex heath needs, including people living with HIV.

What of our privacy, though? Privacy is a sleeper issue: most of us aren't really concerned about it until it's breached in a way we don't like or unless we have something we don't want others to know about – for whatever reason. HIV and HCV (Hepatitis C) remain highly stigmatised diseases that can attract discrimination, vilification or ostracism. Why wouldn't I want the information about my HIV or HCV status kept confidential?

Sleeper issue

The PCEHR scheme brings to light issues with existing privacy protections. The PCEHR legislation being crafted by the federal government is largely reliant on existing privacy laws for its protections. Current privacy laws in NSW and federally provide inadequate protections against privacy breaches. Problems exist in both the protections and the mechanisms for remedy.

Gaps in current privacy protection laws are often located around the issue of 'secondary' purpose use. When information is collected from people, it may be used and disclosed for a 'primary' purpose, but not for a 'secondary' purpose, unless with your permission. At HALC, we have encountered situations where the 'primary' purpose has not been easily identified and so the privacy commissioner failed to find that a breach of privacy occurred, as it was unclear that the breach was for a 'secondary' purpose. As there is no requirement to make explicit the primary purpose of collecting information, disputes over 'primary' and 'secondary' purposes in privacy create a huge gap in protection.

Complaint and review

Under current state and federal Privacy Acts, the privacy commissioner is usually the first and last word on whether a breach has occurred. There may be no chance for face-to-face conciliation between the parties to try to resolve the complaint, as there routinely is in discrimination matters. There is no requirement for review by a tribunal or review mechanism other than court. The courts are restricted to considering only legal argument in the process and cannot determine the merits of a breach of privacy claim. Court cases over privacy issues would ordinarily attract significant costs for the losing party and so put the complainant in considerable jeopardy, effectively locking them out of pursuing the complaint.

The PCEHR will magnify accessibility of a person's medical records and so also magnify the possibility of privacy breach or misuse of information. Where the protections advanced for the PCEHR scheme rely largely on current inadequate protections, there are real questions to be asked as to whether you will want to engage with the scheme.

While it may assist in provision of better medical care, being electronic will make access to your medical record easier. A larger range of people in the various health organisations you deal with will be able to see your record across the range of your healthcare services. While the PCHER system will allow you to set some access controls on your medical record, it will require you to take a more active role if you wish to maintain your privacy across services.

Questions remain about the amount of ongoing control you will have over your record. Once the record is activated, it will remain in the system even if you want to get out of the system. You might restrict access, but the record will be retained within the PCEHR system. There is currently no provision for you to have the record restricted upon death. This could make it hard to keep your health issues private from your executor, administrator or family after your death.

The onus on you

Where currently people rely on the direct relationship with their medical service provider to ensure their medical records privacy, with a PCEHR the onus will be on you to review and actively control your record's access controls if you wish to maintain your privacy.

The PCEHR system will be trialled in selected medical centres, then rolled out across Australia once any bugs are ironed out. At HALC, we remain concerned that the protections and remedies for the privacy of the PCEHR are inadequate. The PCEHR magnifies the accessibility of health records and the potential for breaches of privacy. Given the potential consequences of breach of privacy and unwanted disclosure for people living with HIV (and those with HCV), the choice about whether to register for the system requires informed and careful consideration. Brady

HIV/AIDS Legal Centre NSW
PO Box 350, Darlinghurst NSW 1300
Tel: (02) 9206 2060; freecall: 1800 063 060
E: halc@halc.org.au

Talkabout article by Lance Feeney, July 2011: http://www.positivelife.org.au/talkabout/2011/aug-sep/do-you-want-pcehr

Positive Life/HALC/Hepatitis NSW submission re PECHR: http://www.positivelife.org.au/advocacy/submissions