My Health Record meets the auditor
This week the Australian National Audit Office released its much-anticipated report into the effectiveness of the implementation of the My Health Record by the Australian Digital Health Agency and the Department of Health.
The audit mainly looked at the implementation over the opt-out period rather than the distant days of the opt-in Pecker (PCEHR), and apart from a few security stumbles, the ANAO gave it a pretty clean bill of health.
Where ADHA was told to pull its socks up was in the sphere of third-party software and healthcare provider access, with the auditor saying the security framework put in place was not appropriate. The core infrastructure of the system was well guarded, the auditor found, but ADHA was criticised for not assessing the compliance of third-party software and systems with the federal government's Information Security Manual (ISM).
It's no surprise that when it comes to allowing clinicians to access the system through different pieces of software and in different healthcare settings, there is a delicate balance between making this as easy as possible and ensuring it is as secure as possible. Multiple access points have always been a weakness of the system, but there does not seem to be a way around it.
Much to the dismay of the privacy lobby, the audit found that the privacy provisions put in place were appropriate. It did call for another privacy impact assessment to be completed on the system end-to-end and noted that a privacy report hadn't been completed since 2017, but otherwise ADHA and DoH seem to have got privacy right.
Much to the dismay of Pulse+IT, the audit found that ADHA's communication strategy for opt-out was appropriate and effective. We'll have to agree to disagree on this one as we still maintain it was appalling. ADHA claims that it had tracking capabilities that showed that the vast majority of Australians became aware of My Health Record during the opt-out saga, but as the audit points out, the vast majority of this came not from ADHA's educational activities or advertising, but from the media.
We'd suggest that the hysterical nature of the reporting by the media during opt-out was probably the biggest reason why 10 per cent chose to opt out, rather than the three per cent ADHA and DoH were expecting.
ADHA and DoH have agreed to the five recommendations made by the auditor, four of which concern privacy and security: an end-to-end privacy risk assessment, a review of ADHA's monitoring of emergency access by doctors to the record – it remains unexplained why so many attempts to break the glass were made – the development of an assurance framework for third-party software connecting to the system, and a regular report on monitoring of compliance with security requirements.
The other recommendation was that ADHA develop and implement a program evaluation plan for My Health Record and report on the outcomes of benefits evaluation.
Regular readers will remember that last week we asked your thoughts on whether the implementation of the My Health Record system had been effective. Two-thirds of you said no: 68 per cent versus 32 per cent who were positive. ADHA has promised to do better so we'll keep an eye on that.
Another popular story this week was the launch of a new personal health record called Snug. Like quite a few others, this app has been designed to integrate with the My Health Record but for the time being, the developers are only allowing that for St Lukes Health fund members who are being given free access to the app by their insurer. St Lukes is handling identity verification and authorisation to access the MyHR, but the feature is not yet available to paying subscribers.
We understand that ADHA's stalled mobile gateway strategy is one reason behind this, and we've heard from other app developers who are furious about the lack of progress in allowing them to proceed with integration. We'll have more on that next week.
In the meantime, our poll question for the week is: Would you pay $10 a month for a mobile personal health record?