Response to a bad article on My Health Record

Dr Stephen Duckett of the Grattan Institute wrote a particularly poor piece on the My Health Record system. His article is available here:

This post is my response, lightly edited with some footnotes added.

Hullo Stephen.

Some feedback on your article.

Facing public distrust over data privacy, what can the program tell us about the opportunities and challenges of implementing an electronic health record in a complex healthcare market?

“Facing public distrust” suggests that the public has it wrong, or that the Government has simply failed to convince the public. It is way more than that.

The MHR system, used as it is designed to be used, has no effective privacy protections at all. The supposed protections are a nonsense. The discussion of the document PIN below will give you the flavour of these “protections”.

This is not an academic fear, an irrational response or a political position, this is actual technical fact. If you would like more info on exactly why, feel free to ask.

Distrust is not a sufficiently strong response; rejection would be more appropriate.

The benefits of electronic health records (EHRs) are clear.

No “benefit” is clear until it has been held up against the costs. Some costs and benefits are emergent properties. The benefits and costs of a system depend completely on the actual characteristics of that particular system.

By way of analogy “the benefits of high speed personal travel are clear” but would we have been so quick to adopt the motor car if we had seen the millions of lives it takes (or ruins) every year? Or the amount of land given over to roads and parking? Or the pollution it brought? None of those costs has much to do with personal travel, but they are costs just the same.

Many patients resent having to repeat their history to every healthcare professional they see. Money is wasted in duplicating diagnostic tests performed before hospital admission that are then repeated on admission, or where the results are not available when required. Emergency care can be compromised due to lack of accessible information.

Not a single one of the circumstances you mention will be usefully addressed by the My Health Record system. Details are uploaded by medical people after the fact, usually well after the fact. Most stuff uploaded will be delayed, most uploads are summaries. Many health professionals will not upload anything. Many citizens will not be in the system. Many citizens will prevent medical professionals uploading certain information (as it is their right to do).

The material available in the MHR system will NOT be detailed, up-to-the-minute information. No competent health professional will risk your life on it or waste their time on it; you will be repeating your medical history to a lot of doctors and nurses yet.

Digitization can also provide a platform for further enhancements in care delivery, including implementation of evidence-based electronic care paths between primary and secondary (hospital) care, built on improved transfer of information between different healthcare teams.

This may be true for digitisation generally but it’s pretty much a nonsense as far as the MHR is concerned. Using the MHR as an information sharing mechanism would be extraordinarily clunky. Directly sharing information obtained from MHR, without first obtaining the patient’s informed consent about what information was being given to whom, would be breaching that patient’s privacy.

Patient engagement in his or her own care can also be improved through EHRs, potentially enhancing health literacy. Decision-support systems and artificial intelligence – which could improve safety and patient outcomes – could also be applied to an EHR in a way that would be impossible with current paper-based systems.

The first is a very dubious idea, but you never know. As to the rest: The MHR system does not store information in a way that is accessible to automated processing. Most of the documents are and will be PDFs. Many will include handwritten sections.

You’ve used a motherhood-and-apple-pie phrase, “improve safety and patient outcomes”, without providing any real information as to what those are in practice and how specifically the MHR (or any digital system) will bring them about.

Such applications require unfettered sharing of highly personal data. That means they come with risks to patients’ “safety and outcomes”, even if those risks and outcomes are not in the emergency room, the operating theatre or the hospital ward.

Australia’s ambitious journey to a national, personally-controlled, EHR started a decade ago with a recommendation from a ‘national reform commission’. Dubbed My Health Record, the project is bold in its vision, but has hit several stumbling blocks in the implementation stage that are instructive to other countries looking to develop similar systems.

“Stumbling blocks”? The phrase implies the issues are trivial. Hopefully by now you are getting the message that the problems of the MHR system are anything but trivial. These are not teething problems to be waited out or resolved with a tweak here and there.

Far from being “bold”, MHR is stunted and limited in its vision. A federated system of information islands would have avoided almost every major fault in the current system AND been up-to-date by design.

People have been telling successive Governments this for literally decades, only to be persistently ignored.

A massive centralised database is so much easier to understand, not to mention saleable and useful in so many ways completely unrelated to health. Why, in the MHR legislation, is there specific provision for making the data available to commercial entities, Government agencies and law enforcement? What has that got to do with health?

Forgive my cynicism, but when a good way of achieving an objective is persistently ignored in favour of a much, much worse way that coincidentally is a really good way to achieve a bunch of other unrelated things, the suspicion must arise that the real objective has not been shared.

MHR certainly should be instructive to other countries – as a clear example of how not to do it. It is just a pity that our country did not look at what other countries had done before we went down the same path as for example the UK, with a system almost indistinguishable from the one they implemented and discarded.

As to being “personally controlled”, that is almost completely untrue. Let me detail the ways in which your MHR record is NOT personally controlled:

  • it is opt-out. The vast majority of people ending up in the system will not have consciously consented to being in it. Nor, typically, will the very young, the very old, the very vulnerable and the less educated.
  • you cannot opt out after November 15 this year (2018) [1].
  • if you don’t opt out, the most you can do later is “cancel” your record. This makes it unavailable as a health record, but it remains in the system and very much available to the system operators, and thus to Government agencies, commercial interests and law enforcement.
  • you (and others) cannot remove documents that you have uploaded (with a few exceptions). You can only upload corrected versions.
  • you cannot remove documents uploaded by someone else (with a few exceptions).
  • you cannot edit or replace documents uploaded by someone else.
  • you cannot tell who has seen your record [2].
  • you cannot prevent people accessing your record (there is a PIN system, but it is per document and the default is “no PIN”). You can’t change that default, so each new document uploaded is unprotected until you find out about it, log into the MHR system and protect it manually. The PIN system does not apply to access by government agencies or law enforcement, who will have unfettered, warrantless access to all your health data. Greg Hunt [3] has promised to add some restrictions [4], but it’s just a promise at this point. And some of his promises seem unlikely to be achievable, such as the complete deletion of a record [5].
  • the legislation has sanctions against misuse of data in the system, but offers no protection to the data once it has left the system. So a document downloaded by (say) a doctor’s receptionist and stored in the doctor’s system thereafter completely evades the sanctions provided in the legislation.
  • other people can opt you in even after you opt out [6].
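To make the “default is no PIN” point concrete, here is a small model I have added for this post. It is not MHR code and assumes nothing about the real implementation beyond what the list above says: new documents carry no PIN until the owner sets one by hand, and agency access bypasses the PIN altogether. The record and document identifiers are made up. The only knob is default_locked: False reproduces the described behaviour, True shows what a default-deny policy would change (and what it would not).

```python
"""Constructed model of a per-document PIN policy with an open default.

Added for illustration; this is not MHR code. It models only the behaviour
described in the list above: new documents default to "no PIN", the owner
must protect each one manually, and agency access ignores the PIN.
"""
from dataclasses import dataclass, field
from hmac import compare_digest
from typing import Dict, Optional


@dataclass
class Document:
    doc_id: str
    pin: Optional[str] = None   # None: no PIN has been set on this document
    locked: bool = False        # True: unreadable by providers until the owner sets a PIN


@dataclass
class Record:
    owner: str
    default_locked: bool        # False reproduces the "no PIN" default; True is default-deny
    documents: Dict[str, Document] = field(default_factory=dict)

    def upload(self, doc_id: str) -> Document:
        """A provider uploads a document; the owner has not been consulted yet."""
        doc = Document(doc_id=doc_id, locked=self.default_locked)
        self.documents[doc_id] = doc
        return doc

    def set_pin(self, doc_id: str, pin: str) -> None:
        """Owner action: protect the document and release any default lock."""
        doc = self.documents[doc_id]
        doc.pin = pin
        doc.locked = False

    def can_read(self, doc_id: str, requester_kind: str,
                 pin_supplied: Optional[str] = None) -> bool:
        """Access decision for one document.

        requester_kind is "provider" (health professional) or "agency"
        (government or law enforcement, exempt from the PIN as described above).
        """
        doc = self.documents[doc_id]
        if requester_kind == "agency":
            return True                     # the PIN mechanism does not apply
        if doc.locked:
            return False                    # default-deny: owner has not acted yet
        if doc.pin is None:
            return True                     # "no PIN": anyone with system access may read
        # Constant-time comparison so a wrong PIN is not distinguishable by timing.
        return pin_supplied is not None and compare_digest(pin_supplied, doc.pin)


def exposure_window(default_locked: bool) -> bool:
    """True if a freshly uploaded document is readable by any provider
    before its owner has logged in and set a PIN."""
    rec = Record(owner="patient-0001", default_locked=default_locked)  # constructed id
    rec.upload("pathology-report-1")                                  # constructed id
    return rec.can_read("pathology-report-1", "provider")


if __name__ == "__main__":
    for policy in (False, True):
        print(f"default_locked={policy}: readable before owner acts = {exposure_window(policy)}")
    rec = Record(owner="patient-0001", default_locked=True)
    rec.upload("pathology-report-1")
    print("agency access under default-deny:", rec.can_read("pathology-report-1", "agency"))
```

Running it shows the two things the list is getting at: with the open default, every new upload is readable by any provider until the owner notices and sets a PIN, and flipping the default closes that window; but the agency bypass is a separate policy decision that no PIN default touches.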

EHRs could offer big potential gains for Australia’s healthcare industry, with promises of substantial savings, better care and improved convenience

You say that as if it is obvious, but it is not obvious at all. It depends utterly on the nature of the particular EHR. Your entire article talks about a fictional “EHR”, but in ways that make it sound as if you are describing the actual MHR. The actual MHR we now face is not your fictional idealised one at all.

Precisely because of this complexity, EHRs could offer big potential gains for Australia’s healthcare industry, with promises of substantial savings, better care and improved convenience.

Again – it is not obvious at all that the MHR system, or any other system, would bring such benefits, nor is it at all obvious what the costs would be if they did. And by costs I do not mean just dollars.

The initial EHR design was strong on personal autonomy: consumers would have personal control over what was in their record.

That has never been the case, if you mean the MHR. There has never been a real thing called “the EHR”. Perhaps you mean the PCEHR?

Healthcare providers, especially medical practitioners, were skeptical about this model, arguing that they could not know whether key information was missing or deleted from the record.

They will continue to not know! The MHR system does not in any way address that issue. Yet Greg Hunt [4] and others continue to spruik the “emergency room scenario” as if MHR data will be relevant, complete, up-to-the-minute and reliable. It is not, and with the current design can never be.

In fact, I am not sure it is even theoretically possible to have any health record system where that can be true. The provision of complete and up-to-date information in a system would be antithetical to personal control by the patient.

and, most importantly, a change from user opt-in to opt-out. This is where the project started to encounter serious difficulties: the public had not been properly prepared for this shift, and was mistrustful of the EHR program, despite patient organizations and many HCPs promoting the potential benefits.

So now EHR really does mean MHR?

I wonder what “proper preparation” you would think would be appropriate for MHR. I would have rather liked to see the actual legislation presented with honest costs and honest benefits, rather than half-truths (and frequent actual falsehoods) from various Government spokespeople.

In discussion with several doctors, nurses, receptionists I have been appalled at their almost complete lack of understanding of even the simplest aspects of how the MHR system is supposed to work, or of its benefits or its dangers.

(By the way, were you aware that the Government pays medical practices to enroll people in the MHR system – often, in fact usually, without the subjects’ knowledge or consent?)

I am reasonably convinced that most health professionals who have promoted the MHR system (or its predecessors) have been touting what they thought it was, not what it actually is. Amazingly, I rather suspect that most Government people promoting the system are doing this too!

And sadly I have to say that you seem to be doing pretty much the same, though you are more discussing than touting.

The big concern was privacy. The governing legislation – developed when My Health Record was an opt-in model – was relatively lax about releasing information; however, this was no longer appropriate for a more wide-ranging opt-out-only public EHR, […]

It wasn’t ever appropriate. It was just marginally less damaging when people at least had the option of not participating, and when the default would protect people from their own ignorance.

It seems odd that you would suggest that being “relatively lax about releasing information” could ever be even remotely acceptable for medical information.

In the meantime, Australia is lagging behind in EHR implementation.

Lagging behind whom or what?

HCPs still transmit information and data about patients by fax.

Fax is point-to-point. It’s difficult to intercept except at the endpoints, interception between the endpoints takes a lot of specialised knowledge, and no endpoint is a honeypot. The medium is not inherently copyable. Interception at the endpoint takes a significant amount of time and requires the physical presence of an attacker. Any attacker would be able to access relatively few records. Access would be expensive and slow with very high risk of discovery (unless the attacker was on staff in which case all communication methods would be equally compromised), while for the legitimate user the rate of access is easily sufficient. So fax is actually not a bad means of transferring private data as long as the fax machines are not located in public spaces.

I’m not seriously suggesting a fax-based system 🙂 My point is just that things need to be considered for what they are. New is not necessarily better.

Your article is largely fact-free, vague, and devoid of any critical analysis of the actual flaws in the MHR. You use “EHR” sometimes to mean a fictional idealised system, and sometimes to refer to real systems, leading to a confusion between attributes of the fictional system and attributes of the PCEHR and the MHR systems.

For an article emanating from a largely respected organisation it was very disappointing.

The MHR is the health sector’s NBN. It’s a basically good idea that has been perverted to serve political and administrative ends rather than the practical ends it was supposed to serve. In both cases the architects of the system steadfastly refused to listen to competent technical advice. The results were systems that did not achieve their stated goals; both were completely predictable disasters, ludicrously expensive, that will just have to be discarded and done again.

Regards, Karl Auer.


  1. The opt-out deadline was originally 15 October 2018. It was extended to 15 November 2018 in response to public and other pressures, but the Government has steadfastly refused to extend it further.
  2. Entities who can access your record are not personally identified unless they happen to be actual individuals. For example, an entire hospital with thousands of staff members might be one “user”.
  3. Greg Hunt is the current Health Minister at time of writing.
  4. Bernard Robertson Dunn has called the additional restrictions “akin to putting a band-aid on a train wreck”.
  5. The MHR system was designed not to forget. It is unlikely to be possible to retro-fit the ability to truly delete any records; they will still be available in backups and log entries, which means they will still be available to system administrators, Government agencies, and law enforcement.
  6. I have no definitive source for this. However, I know from my own personal experience and numerous anecdotes from others that people have been opted into the system by medical providers, without those people’s knowledge or consent. The Government has said that those who opt out will always be able to opt in again later. It therefore seems very likely that medical providers will continue to be able to opt people in even after they have opted out. The identifying information about an individual needed by a medical provider to opt that individual in appears to be less than the identifying information needed by individuals themselves to opt in or out.