Introduction

1.1 On 31 January 2019, the opt-out period for the My Health Record system concluded, marking a milestone in the establishment over two decades of a national system of access to electronic health records. On 22 February 2019, the System Operator for the My Health Record system — the Australian Digital Health Agency (ADHA) — announced that nine out of ten Australians would have a My Health Record.

My Health Record

1.2 Previously known as the Personally Controlled Electronic Health Record (PCEHR), My Health Record is an online electronic summary of a person’s health information. It is a key element of a national digital health agenda to facilitate better sharing of health information across healthcare settings.¹ Following a 2013 review the PCEHR was renamed My Health Record, and, following participation trials in 2016, the government decided to transition the system from an ‘opt-in’ to an ‘opt-out’ model for healthcare recipients. Figure 1.1 presents the timeline of key developments for My Health Record from July 2012 to January 2019.

Figure 1.1: Timeline of My Health Record 2012–2019

Source: ANAO analysis of Australian Digital Health Agency and Department of Health documentation.

1.3 As illustrated in Figure 1.2, individual My Health Records may include:

• information from healthcare providers — health summaries, hospital discharge summaries, pathology and diagnostic imaging reports, medications, and referral letters; ²
• information from repository operators — Medicare data, Pharmaceutical Benefits Scheme/Repatriation Pharmaceutical Benefits Scheme data, Australian Organ Donor Register decisions, and Australian Immunisation Register data;
• information added by healthcare recipients — such as contact numbers, emergency contact details, and advance care plans; and
• back-up copies of documents.³

Figure 1.2: How does My Health Record work?

Source: ANAO, based on Australian Digital Health Agency documentation.

1.4 My Health Records can be accessed by:

• healthcare recipients — who can view their My Health Record online through the myGov portal or through third party mobile applications;
• healthcare providers — who can upload, view and share health information, subject to access controls set by the healthcare recipient;
• nominated representatives — who are chosen by healthcare recipients; and
• authorised representatives — who manage records for people who cannot manage their own.

Australian Government investment in My Health Record

1.5 The Australian Government invested $1.15 billion in developing the system and other digital health infrastructure between 2012 and 2016.⁴ In the 2017–18 Budget, the government allocated a further $374.2 million to continue operating the system and expand its utilisation by making it an opt-out model. This was to be partially offset by savings for reduced duplication of pathology and diagnostic imaging claims on Medicare. At the time the 2017-18 Budget measure was developed potential economic benefits of $14.6 billion were identified in support of the Budget measure if the government was to invest $2.13 billion over ten years, including ongoing operating costs (as at June 2019, funding had only been allocated to 2020–21).⁵

Part of the National Digital Health Strategy

1.6 Implementation of My Health Record is one of seven strategic priorities in the National Digital Health Strategy, approved by the Council of Australian Governments (COAG) Health Council in August 2017 and being implemented by ADHA. The priorities are that:

• health information is available whenever and wherever it is needed;
• health information can be exchanged securely;
• high-quality data with a commonly understood meaning can be used with confidence;
• there is better availability and access to prescriptions and medicines information;
• digitally-enabled models of care improve accessibility, quality, safety and efficiency;
• the health workforce confidently uses digital health technologies to deliver care; and
• there is a thriving digital health industry delivering world class innovation.

Department of Health and Australian Digital Health Agency

1.7 The Minister for Health administers the My Health Records Act 2012. The Minister is supported by the Department of Health. The Department provides legislative support to ADHA, participates in system governance, and coordinates advice to government.

1.8 ADHA was established as a corporate Commonwealth entity on 30 January 2016, and prescribed as the System Operator on 1 July 2016.⁶ ADHA took over functions from the National E-Health Transition Authority (NEHTA) and system operation from the Department of Health.

1.9 The accountable authority for ADHA is the ADHA Board. The Board has four advisory committees (Clinical and Technical; Jurisdictional; Consumer; and Privacy and Security).⁷ The Board has also established two additional advisory committees (Digital Health Safety and Quality Governance; and Audit and Risk).

1.10 As well as the Department of Health, ADHA works with other Australian Government agencies to deliver My Health Record, including:

• Services Australia — which provides the Healthcare Identifiers Service, Medicare data repositories, and information technology including the myGov access point for the My Health Record system;⁸ and
• Office of the Australian Information Commissioner (OAIC) — which ADHA funds to provide advice and a regulatory service for the handling and management of personal information in the My Health Record system.⁹

1.11 A contracted National Infrastructure Operator (NIO) provides the technology platform for the My Health Record system and associated operation, maintenance, support and integration services. The contract has been held by the same service provider since 2012.¹⁰ The initial two-year term included several extension options, all of which were used. At the time of the audit, ADHA was negotiating a further extension to 30 June 2022. Planning for the procurement process for future NIO arrangements (beyond June 2022) was underway during the period of the audit. That process will be subject to gateway reviews. A generic handover plan to transition to an alternative NIO was last updated in May 2019.

1.12 The roles played by these entities and other stakeholders are reflected in Figure 1.3.¹¹

Figure 1.3: Roles of Australian Government entities and other stakeholders

Note a: Health services operated by jurisdictions participate in the My Health Record system as registered healthcare provider organisations.

Source: ANAO.

Basis for the ‘opt-out’ model

1.13 The PCEHR was an ‘opt-in’ system for healthcare recipients and providers. Amendments to the My Health Records Act 2012 in November 2015 enabled the system to operate on an ‘opt-out’ basis for healthcare recipients, and for the Minister for Health, in consultation with state and territory health ministers, to apply the opt-out model through trials and nationally if ‘the Minister decides that the opt-out model results in participation in the My Health Record system at a level that provides value for those using the My Health Record system’.¹²

1.14 From March to May 2016, My Health Record opt-out trials were held in the Northern Queensland and Nepean Blue Mountains Primary Health Networks. The trial evaluation recommended that ‘government proceed to a national opt-out approach’.¹³ The COAG Health Council agreed to a national opt-out model on 24 March 2017. The Minister for Health commenced the national opt-out model from 2 December 2017.¹⁴

1.15 The opt-out model initially included a three-month ‘opt-out period’ during which healthcare recipients could choose not to be registered, after which the System Operator would register every eligible person.¹⁵ This period was legislated to run from 16 July 2018 to 15 October 2018.

1.16 On 31 July 2018, the Minister for Health announced the government’s intention to amend the legislation, on 10 August 2018 he announced that the opt-out period would be extended to 15 November 2018, and on 22 August 2018 the Minister introduced the My Health Records Amendment (Strengthening Privacy) Bill 2018 into the Parliament.

1.17 On 15 August 2018, the Senate referred the My Health Record system to the Senate Community Affairs References Committee. The committee tabled its inquiry report on 18 October 2018.¹⁶ The report made 14 recommendations. By October 2019, a government response had not been tabled.

1.18 On 23 August 2018, the Senate referred the My Health Records Amendment (Strengthening Privacy) Bill 2018 to the Senate Community Affairs Legislation Committee. The committee tabled its inquiry report on 12 October 2018. The report recommended the Bill be passed, with minority reports raising issues around the scope of authorised disclosure and backup record destruction.

1.19 Following passage of the amendments by the Senate, the Minister for Health announced that the opt-out period would be extended to 31 January 2019. The amendments also implemented several changes that will come into effect in December 2019:

• enabling the My Health Records Rules to prescribe a framework to guide the collection, use and disclosure of de-identified data and, with the consent of healthcare recipients, health information, for research or public health purposes;
• appointing the Australian Institute of Health and Welfare as the My Health Record data custodian for research and public health purposes and creating a Data Governance Board to review applications for data use; and
• requiring the System Operator to comply with a direction from, and follow the guidance of, the Data Governance Board.¹⁷

1.20 The changes also required the System Operator to permanently delete health information stored in My Health Record when a healthcare recipient requests cancellation of their record.

1.21 On 22 February 2019, ADHA reported a national opt-out rate of 9.9 per cent. Statistics on use of the system at the end of opt-out and the end of July 2019 are presented in Table 1.1.

Table 1.1: My Health Record statistics

Note a: This figure includes all healthcare provider organisations including those with lower participation rates such as specialists, allied health and aged care. By contrast, at 28 July 2019, the participation rate for general practice was 86 per cent; public hospitals 75 per cent; pharmacies 85 per cent; and private hospitals 66 per cent.

Source: ANAO analysis of ADHA data

Rationale for undertaking the audit

1.22 The My Health Record system potentially impacts all Australians as it collates electronic summaries of individuals’ health information so it can be accessed by different healthcare professionals involved in a person’s care (as well as by the individual themselves). The system is intended to generate personal benefits for individuals and economic benefits for the health system, but achieving those intended benefits requires a balance between increasing access to information, and managing the inherent privacy and cyber security risks of making that information more readily available. For these reasons, My Health Record has generated parliamentary and public interest, particularly in relation to the management of privacy and cyber security risks.

Audit approach

Audit objective, criteria and scope

1.23 The audit objective was to assess the effectiveness of the implementation of the My Health Record system under the opt-out model. The following criteria were adopted:

• implementation of the My Health Record system promotes achievement of its purposes;
• My Health Record system risks are appropriately assessed, managed and monitored; and
• monitoring and evaluation arrangements for the My Health Record system are effective.

1.24 The audit did not examine the decisions to create the My Health Record system or adopt the opt-out model, or consider the framework for secondary use of My Health Record data.

Audit methodology

1.25 The audit team:

• examined ADHA and Department of Health information;
• reviewed the Senate Inquiries’ final reports and individual submissions;
• interviewed ADHA and Department of Health staff; and
• interviewed Services Australia, Digital Transformation Agency, and Office of the Australian Information Commissioner staff.

1.26 The audit was open to citizen contributions, and received 20 contributions.

1.27 The audit team did not examine any individual My Health Records.

1.28 The audit was conducted in accordance with ANAO auditing standards at a cost to the ANAO of $612,670.

1.29 The team members for this audit were Scott Humphries, Christopher Swain, Barbara Das, Emily Drown, Emily Kilpatrick, and David Brunoro.

2.1 Section 15 of the Public Governance, Performance and Accountability Act 2013 requires that accountable authorities must govern in a way that promotes the achievement of (an entity’s) purpose. The audit examined how ADHA governed the program of work that implemented My Health Record as an ‘opt-out’ model (this work was referred to as the ‘expansion program’ by ADHA). The audit considered the effectiveness of the following four elements:

• whether the intended objectives of My Health Record were clearly specified in legislation and relevant planning documents;
• clarity of the My Health Record governance arrangements;
• appropriateness of the My Health Record implementation planning; and
• appropriateness of the communication strategies that informed people about My Health Record and the opt-out process.

Were objectives clearly specified?

2.2 The My Health Records Act 2012 enabled establishment of the My Health Record system. The object of the Act is to enable the establishment and operation of a voluntary national public system for the provision of access to health information relating to recipients of healthcare, to:

• help overcome the fragmentation of health information;
• improve the availability and quality of health information;
• reduce the occurrence of adverse medical events and the duplication of treatment; and
• improve the coordination and quality of healthcare provided to healthcare recipients by different healthcare providers.¹⁸

2.3 The rationale for the My Health Record system was based on the intended benefits of a single point of access to health information at the point of care. The Minister for Health stated in August 2018 that:

Health information is spread across a vast number of different locations and systems. In many healthcare situations, quick access to key health information about an individual is not always possible. Limited access to health information at the point of care can result in a greater risk to patient safety, less than optimal health outcomes, avoidable adverse events, increased costs of care and time wasted in collecting or finding information, unnecessary or duplicated investigations, additional pressure on the health workforce, and reduced participation by individuals in their own healthcare management.¹⁹

2.4 The longer-term statutory objectives of the My Health Record system were translated into operational objectives in relevant corporate documents:

• the 2017–18 Portfolio Budget Statements for ADHA included performance criteria for ‘delivering national opt-out for My Health Record’, including communication and education activities, as well as improving participation, usage, content and engagement with the service through continued improvements and functionality;²⁰
• the 2017–18 corporate plan for ADHA reflected these criteria in ‘key milestones’ that, by 2019, ‘every Australian will have a My Health Record, unless they choose not to’. The plan also included targets to ‘deliver a national opt-out model for the My Health Record system and enhance the system to improve participation, usage, content and engagement with the service’, as well as increasing pathology and diagnostic imaging content.²¹

2.5 The corporate objectives were expanded upon in the implementation plans for delivering the opt-out model (discussed further from paragraph 2.10).

Were implementation governance arrangements clear and appropriate?

2.6 Effective governance arrangements start with having a clear purpose for the activity, which in this case was to implement the My Health Record system as an opt-out model.²² ADHA established the ‘My Health Record expansion program’ to move My Health Record to an opt-out model, under the direction of a program board that reported to the ADHA Board. This structure is reflected in Figure 2.1.

Figure 2.1: Implementation governance for the My Health Record expansion program

Source: ANAO, adapted from Australian Digital Health Agency documentation.

2.7 There were clear program governance plans in place that set out the purpose of the My Health Record expansion program, with regular progress reporting to the ADHA Board. This reporting was at least quarterly, but in practice was more frequent with updates provided at 13 of 16 board meetings held between June 2017 and April 2019. Program governance committees had terms of reference and meetings were documented. Senior executive staff had clearly defined responsibilities and key procedures were documented.

2.8 The Department of Health undertook a review of ADHA governance and operations in December 2018.²³ The report was provided to the ADHA Board in April 2019, and made 14 recommendations relating to organisational structure (including rationalisation of ADHA Board advisory committees); formalising its relationship with Health (including through a service level agreement); implementing a skills-matrix for future ADHA Board appointments; and articulating a clear vision, purpose and KPIs at the entity-level. The ADHA stated to the ANAO that these recommendations are being considered by the ADHA Board.

Was implementation planning appropriate?

2.9 The Department of the Prime Minister and Cabinet (PM&C) requires an implementation plan for new policy and program proposals that have significant risks or challenges. PM&C recommends that implementation plans include key milestones, details of senior responsible officers, and details of key risks and mitigation strategies.²⁴

2.10 In April 2017, the government approved a business case for the transition of My Health Record to an opt-out model (the My Health Record expansion program). The business case included an implementation plan that outlined administrative and governance structures for delivery of the My Health Record expansion program. The plan was adjusted in September 2018 to reflect timing and scope changes arising from ministerial decisions.

2.11 The plan outlined: objectives and outcomes for the opt-out process; timeframes, governance; project work required to deliver the expansion program; and project costings. The implementation plan was supported by several project work plans. A senior executive within ADHA was identified as the Senior Responsible Officer.

2.12 The expansion program was implemented in accordance with the implementation plan, and adjusted for changed timeframes associated with legislative changes including the opt-out period extension. Milestones were achieved on time – adjusted for the extended opt-out period – and reporting to the ADHA Board indicates the expansion program was delivered within the approved budget.²⁵

2.13 The expansion program was subject to gateway reviews.²⁶ An initial review was conducted in October 2016, a mid-stage review in June 2017, and a final review in May 2019. The final review found that the expansion program had been implemented and that the My Health Record system design addressed key issues of data ownership, privacy and cyber security, noting that time and continued effort would be required to realise the benefits of the system. The review made five recommendations, of which two were for immediate action: to review and finalise risk management procedures, and to commence preparations for the approach to market for the future National Infrastructure Operator arrangements. In August 2019, ADHA stated to the ANAO that ADHA was actioning all of the recommendations, with the risk management procedures expected to be finalised by November 2019 and preparations for the approach to market underway (see paragraph 1.11).

Were communication strategies appropriate?

2.14 The My Health Records Act 2012 includes a role for the System Operator ‘to educate healthcare recipients, participants in the My Health Record system and members of the public about the My Health Record system’.²⁷

2.15 The Guidelines on Information and Advertising Campaigns outline principles for certain government communication campaigns.²⁸ ADHA is not subject to the guidelines, but stated to ANAO that it applied them in its communications planning.

2.16 A communications strategy was developed in September 2017. It was informed by the trial evaluation recommendations and supplementary market research. The initial budget for communication and engagement was $27.75 million. With the second extension of opt-out, a further $5 million was provided to add a national television advertising campaign.

2.17 The strategy identified a range of stakeholders including all persons with a Medicare number or Department of Veterans’ Affairs card, state and territory health agencies, peak health organisations and clinician professional bodies, and healthcare providers. The strategy was supported by plans targeted to healthcare providers, general healthcare recipients, those in regional and remote areas, and those with special needs.²⁹

2.18 ADHA commissioned the development, testing and production of materials such as brochures, posters, and videos aimed at different target groups. The Office of the Australian Information Commissioner and Department of Health provided feedback on those materials.

Source: ADHA.

2.19 Delivery of the strategy aligned with a recommendation from the trials evaluation to be ‘nationally driven and locally delivered’, utilising partnerships with Primary Health Networks (PHNs), states and territory government departments, peak health and community bodies, and professional bodies. The largest partnership was with PHNs, which were contracted to develop and deliver local communication activities using materials developed by ADHA. PHNs’ plans were approved by ADHA and included various activities targeted to healthcare recipients and providers including general practice, pharmacists, public and private hospitals, specialists and allied health. Contracts included a schedule for delivery dates, KPIs and reporting. ADHA also delivered communications through its website and Services Australia channels (service centres, Your Health website, Medicare Online Account landing page, and social media).

2.20 The initial campaign did not include national television, print or outdoor advertising although there were some paid radio, social media and digital advertising placements, and regional television and print advertising linked to local PHN plans. The campaign instead aimed to provide information within community settings via healthcare providers, peak bodies and PHNs. Brochures were also included in Medicare letters mailed out during the opt-out period.

2.21 ADHA commissioned communication tracking which showed that ‘every Australian’ had on average 38 opportunities to see or hear about My Health Record within the opt-out period.³⁰ As shown in Table 2.1, awareness increased throughout the opt-out period.

Table 2.1: Healthcare recipient awareness of My Health Record and Opt-out

Source: ANAO analysis of ADHA documentation.

2.22 Communication to the wider public about My Heath Record and opt-out was initially limited to a three month period between July 2018 and October 2018. This was later extended for a further three months to January 2019 following the extension by government of the opt-out period. At this point, television advertising was conducted in major cities and regional areas. ADHA had not initially included national television advertising in the strategy, and the potential risks of not undertaking ‘above the line’ communications were acknowledged in ADHA Board papers.

2.23 The trials evaluation had found that the most common source of awareness about My Health Record for healthcare recipients in opt-out trial sites was ‘national media’³¹, myGov, and ‘Other’ (including social media and word of mouth). Awareness tracking commissioned by ADHA during opt-out showed that, while at the beginning of the opt-out period, the most common source of information was healthcare settings (32 per cent), by the end of the period most people had heard about My Health Record via the media (75 per cent).

Education activities

2.24 ADHA also delivered education activities for healthcare providers to increase their awareness and understanding of My Health Record and its potential benefits, and their proficiency in using it. In the lead-up to and during opt-out these efforts focussed on general practitioners, pharmacists, hospitals, and diagnostic imaging and pathology services.

2.25 As with the communications, education activities were delivered through partnerships with jurisdictions, PHNs, professional bodies and medical colleges. Activities ranged from webinars and face-to-face training, to individual support for medical practices and development of learning modules with Continuing Professional Development points for general practitioners and pharmacists. Activities were delivered between October 2017 and June 2019.

2.26 ADHA tracked the progress of the funded education activities. The tracking results showed that all general practices and community pharmacies in Australia received access to some form of My Health Record education activities, and that this corresponded with increasing registration and use of the system (registrations exceeded targets of 80 per cent of general practices and 60 per cent of community pharmacies – at July 2019, 86 per cent of general practices were registered and 85 per cent of community pharmacies).³²

2.27 Tracking also measured the number of shared health summary uploads to the system; the number of dispense record uploads; the number of event summary uploads; and the number of providers viewing record content, broken down by PHN region. This data showed an increase in record uploads and shares after delivery of the education activities.

3.1 The appropriateness of risk management for My Health Record is a key consideration for this audit, particularly given the parliamentary and public interest in the privacy and cyber security risks that are inherent to the system. These risks are increased because they are shared with a number of other entities and individuals. The ANAO examined the governance and oversight of My Health Record risks, and more specifically the management of privacy and cyber security risks. Findings in this chapter are based on analysis of documentation and information obtained from the entity. The ANAO did not undertake independent testing of risk controls.

Is governance of risk assessment, management and monitoring appropriate?

3.2 ADHA is required to establish and maintain an appropriate system of risk oversight and management.³³ As a corporate Commonwealth entity, ADHA is not required to comply with the Commonwealth Risk Management Policy, but ‘should review and align their risk management frameworks and systems with [the] policy as a matter of good practice’.³⁴ Also, while not mandatory, entities should align their risk management with existing standards and guidance.

3.3 The ADHA Board set the entity risk tolerances, endorsed the strategic risk assessment, and considered risk reporting from the Audit and Risk Committee and the Executive Leadership Team on multiple occasions. The ADHA Board regularly considered risk updates on the My Health Record expansion program. The Board queried risk ratings and mitigation strategies, and requested additional risk reporting and access to risk registers.³⁵

3.4 The ADHA risk management framework addressed key elements described in the Commonwealth risk management policy and was supported by:

• an entity-level strategic risk assessment and register, which identified key risks and controls to manage those risks; and
• an ‘operational risk register’and program-based risk assessments and registers, including one for the My Health Record expansion program.

3.5 ADHA’s entity level strategic risk assessment identified nine strategic risks, of which three were relevant to the My Health Record expansion program and ongoing operation:

• failure to maintain confidentiality, integrity and availability of national infrastructure (i.e. the My Health Record system) within forecast commercial arrangements (risk six);
• failure to provide a clinically safe national infrastructure (risk eight); and
• failure to plan for and deliver the My Health Record expansion program (risk nine).

3.6 For these risks, the documentation identified possible causes or triggers for each risk, current controls and potential treatments, however the specific controls were not linked to specific causes.

3.7 ADHA also maintained a risk management plan and a detailed risk register specific to the My Health Record expansion program. This documentation mapped risks, consequences, controls and residual ratings.

3.8 The 2019 gateway review found that risk management had improved since its 2017 review, but that documentation was not fully mature. It recommended that ADHA ‘review and finalise risk management procedures and artefacts in accordance with the agency’s framework as set out in the risk management plan’.

Shared risks

3.9 The Commonwealth Risk Management Policy states that ‘entities must implement arrangements to understand and contribute to the management of shared risks’.³⁶ The policy provides several ‘tips’ for managing shared risks, including: establishing memoranda of understanding with partners to formalise shared risk management; development of shared risk registers; educating officials on their responsibilities to identify and manage shared risks; and documenting control owners and governance arrangements for monitoring shared risks.

3.10 ADHA shares My Health Record risks with other system participants, including:

• Services Australia — which manages Medicare data integrity, the myGov platform, and the Healthcare Identifiers Service;
• the National Infrastructure Operator (NIO) — which operates and maintains the My Health Record system and has contractual obligations relating to privacy;
• healthcare provider organisations, medical practitioners, authorised representatives and nominated representatives — who access information from My Health Record;
• software vendors — which develop the clinical information systems that providers use to access and upload information to My Health Record;
• healthcare recipients — whose health and personal information is stored in the My Health Record system; and
• the Information Commissioner — who has additional statutory functions and powers relating to My Health Record, and a Memorandum of Understanding with ADHA.

3.11 ADHA’s approach to managing shared risks with government entities included involving those entities in My Health Record governance committees. This includes Commonwealth entities such as Health, Services Australia, Australian Institute of Health and Welfare, and state and territory jurisdictions. The Secretary of Health is a member of the ADHA Board.

3.12 ADHA’s risk registers identified some shared risks with other entities. For example:

• Health — which did not maintain its own risk register for My Health Record — is listed in ADHA’s registers as owning My Health Record risks relating to legislation and policy, such as policy relating to communicating with ‘hard to service’ consumer groups; and
• Services Australia was identified as sharing a range of risks related to system access and the provision of Medicare data into My Health Records (such as the creation of records for deceased or ineligible individuals, and risks related to potential data breaches arising from intertwined Medicare records, which are discussed further at paragraph 4.7) — ADHA also has a formal agreement with Services Australia which includes protocols for identifying and managing emerging risks.

3.13 ADHA could further clarify the specific roles and responsibilities of other government entities in managing shared risks by explicitly indicating which risks are shared, with which entities, and who in other entities is responsible for controls implementation. For example, ADHA had identified a risk that improved provider registration may not be ready in time for the opt-out process, as it was dependent on Services Australia delivering its identification solution, but this was not specifically described and managed as a shared risk.

3.14 The My Health Record risks that are shared with non-government entities, such as healthcare providers and software vendors, are particularly relevant to the management of privacy and cyber security risks. These issues are considered in more detail the following sections.

Were privacy risks appropriately managed?

3.15 The sensitivity of personal and health information is recognised in Australian privacy law and practice. Relevant privacy risk management standards can be found in:

• the Public Governance, Performance and Accountability Act 2013;
• the Privacy Act 1988, including the Australian Privacy Principles;
• the My Health Records Act 2012 and related legislation;
• the Healthcare Identifiers Act 2010;
• state and territory laws regulating privacy and health information; and
• professional standards and ethical codes of practice for healthcare providers.

3.16 The ADHA Board set the privacy risk appetite for the entity as ‘limited’ in 2017 and reinforced this in August 2018.³⁷ ADHA’s Risk Management Strategy identified privacy risk as a specialist risk type requiring ‘specific additional risk management and assessment policies, guidelines and reporting’, as well as targeted risk assessments, annual reporting, and summary reporting in the risk register.

Privacy risk assessment

3.17 Privacy risks for My Health Record were assessed through activities including commissioned Privacy Impact Assessments (PIAs) and other assessments.

3.18 Ten reports were commissioned to assess privacy risks of My Health Record between December 2011 and July 2017, focussing on various aspects of the system design and operation (outlined at Appendix 2). The evaluation of the participation trials also considered privacy risks. The earlier reports (2011–2016) informed the development of the ‘opt-in’ Personally Controlled Electronic Health Records (PCEHR) system, design of the participation trials, and technical processes. The most recent assessments examined specific issues related to the transition to opt-out:

• in December 2016, a PIA assessed the bulk transfer of records to the National Infrastructure Operator for record creation as part of the opt-out process; and
• in July 2017, a PIA examined privacy risks of the opt-out process and made 11 recommendations relating to opt-out communications and the bulk registration of records after the opt-out period.

3.19 Recommendations from these assessments were addressed as part of the My Health Record expansion program.

3.20 A security review of the system in 2016 also identified risks with variable healthcare provider awareness of privacy and security (see paragraph 3.58).

Assessments by the Office of the Australian Information Commissioner

3.21 Between 2011 and 2017, the OAIC undertook 14 privacy assessments in relation to the My Health Record system and the Healthcare Identifiers Service.³⁸

3.22 ADHA entered into a Memorandum of Understanding with the OAIC in 2017, covering the period 1 October 2017 to 30 June 2019. Under this agreement, ADHA provided funding of $3.6 million to OAIC which included a minimum of four and up to six assessments to be conducted in relation to My Health Record and the Healthcare Identifiers Service. No assessments were completed during this period.³⁹

3.23 Despite the failure to complete any privacy assessments under the 2017-2019 Memorandum of Understanding before the nominal end date of 30 June 2019, ADHA entered into a new agreement with the OAIC on 26 June 2019 for an additional $2.1 million. This agreement is to continue the OAIC’s regulatory and complaints management functions, and to conduct at least two assessments relating to My Health Record and the Healthcare Identifiers Service.

Senate committee inquiries

3.24 Two Senate committee inquiries considered privacy risks in the My Health Record system (as discussed at paragraphs 1.17 and 1.18). The government had not tabled a response to either report by October 2019. Of the 14 recommendations relating to privacy, the ANAO observed that ten were implemented, one partly implemented, and three not implemented (see Appendix 3).

Comprehensiveness of assessments

3.25 The Commonwealth Risk Management Policy states that ‘each entity must review its risks, its risk management framework and the application of its risk management practices on a regular basis’.⁴⁰

3.26 The last privacy specific risk assessment was completed in 2017. These focused on either specific elements of the system’s operation or management aspects of the opt-out implementation process. Now that My Health Record is operating as an opt-out model – with 90 per cent of Australians having a record – a comprehensive, end-to-end privacy risk assessment on the ongoing operation of the My Health Record system should be considered.

Control, treatment and monitoring of privacy risks

3.29 ADHA implemented various processes to control, treat and monitor privacy risks:

• general preventive controls;
• system access controls;
• consumer access controls;
• the ability to cancel and delete records; and
• monitoring of the ‘emergency access’ override function.

General preventive controls

3.30 ADHA stated to the ANAO that external environmental controls contribute to reduced likelihood of privacy risks presented by the My Health Record — including medical indemnity insurance requirements, professional accreditation standards, practice accreditation standards, and reputational risk for providers involved in data breaches.

3.31 There are statutory controls within the My Health Record legislative framework. For example, in order to be eligible and remain eligible for registration, healthcare provider organisations must have policies governing access to the My Health Record system and reasonable user account management practices.⁴¹

3.32 The legislative framework contains penalties for unauthorised use, collection or disclosure of information in a My Health Record, or other misuse of information in a My Health Record.⁴² Since 10 December 2018, this has included unauthorised use of information in a healthcare recipient’s record for prohibited purposes such as: underwriting or determining whether to enter into a contract of insurance that covers the healthcare recipient; determining whether a contract of insurance covers the healthcare recipient in relation to a particular event; and an employer employing, or continuing or ceasing to employ, the healthcare recipient.⁴³

3.33 Entities must notify ADHA or the OAIC of actual or potential contraventions, events or circumstances relating to a My Health Record or the My Health Record system that directly involved, may have involved or may involve the entity.⁴⁴ In 2017–18, the OAIC received 28 notifications. Of these, 26 notifications were from Services Australia (17 related to intertwined Medicare records, and 9 related to fraudulent Medicare claims – these types of breaches are discussed further at paragraph 4.8); and two were from ADHA (one was unauthorised access to a My Health Record related to a Medicare fraud, and one was accidental access to an incorrect record). In total these notifications affected 65 individuals.

System access controls

3.34 The My Health Record system incorporated system access controls, including:

• identity verification requirements for healthcare recipients through the MyGov portal;
• unique Healthcare Identifiers for healthcare recipients, healthcare provider organisations and individual healthcare providers for accessing the system (see Box 2)⁴⁵; and
• access requirements for healthcare provider organisations accessing the My Health Record system through their clinical information systems.

Source: ANAO based on ADHA documentation.

Consumer controls

3.35 The My Health Record system included consumer preventive controls through ‘default’ and ‘advanced’ access settings (see Box 3). The ‘default access setting’ permits all registered healthcare provider organisations involved in the care of a healthcare recipient to access that recipient’s record and to upload documents. Healthcare recipients may also activate ‘advanced access settings’ to restrict access to their information.

Source: ANAO, adapted from ADHA documentation.

3.36 As at 30 June 2019, a Record Access Code had been set for 27,215 records – 0.1 per cent of all records – and a Limited Document Access Code had been set for 3,862 documents in the system.

3.37 Consumers have direct access to their health information in the system and may identify and seek corrections to errors in their records.⁴⁶ They can view access logs and report potential interference with privacy. ADHA documented protocols and procedures to follow-up access complaints.

Permanent deletion of records

3.38 Healthcare recipients can cancel their My Health Record registration. Since January 2019, they can also request permanent deletion of clinical information held in their records (the deletion process was applied retrospectively to cancellation requests prior to January 2019).⁴⁷ ADHA had detailed procedures for the management of requests, and this was supported by operational monitoring. Permanent deletion occurs through an automated two-step process, starting when a healthcare recipient requests record cancellation:

• an initial immediate cancellation – this stops anyone from accessing the record, including any data or clinical documents stored on the record from that point onwards; and
• the subsequent deletion – this occurs within the next 48 hours, and deletes all clinical information held in the record from the various system data stores. ⁴⁸

3.39 Healthcare recipients who request cancellation online receive a success notification on-screen advising them their record is cancelled and will be deleted. Healthcare recipients may also choose to receive an SMS or email confirmation. Healthcare recipients’ Individual Healthcare Identifiers are retained in the system when records are deleted, and a note is made against the identifier that the deletion was successful.

3.40 The information is also removed from system back-ups, but this may not occur immediately: ADHA stated that ‘deleted records are removed from the backup when a new backup is created during regular backup cycle’.⁴⁹

3.41 The ANAO reviewed the documentation that supported the design and build of the permanent deletion system functionality. While this review was not technical in nature and did not involve system testing, the ANAO assessed that the documents reflected a design that was consistent with the legal requirement to permanently delete clinical data and documents.⁵⁰

Emergency access function

3.42 Registered healthcare provider organisations and other system participants⁵¹ may use an ‘emergency access’ override function to access a My Health Record in circumstances involving a serious threat to an individual’s life, health or safety, or a serious threat to public health or public safety. This function overrides any advanced access settings set by healthcare recipients. Use of this function outside of the limited statutory circumstances could constitute an interference with privacy. ADHA assessed that use of this function had a ‘very high’ inherent privacy risk.

3.43 System participants must advise ADHA of the circumstances of emergency access, and must notify ADHA and the Information Commissioner as soon as practicable after becoming aware that a contravention of the Act has or may have occurred.⁵² ADHA monitors use of the emergency access function. Monthly use of the function increased from 80 instances in July 2018 – prior to the transition to an opt-out model – to 205 instances in March 2019, representing approximately 0.1 per cent of instances of system access. In only 8.2 per cent of those instances was the emergency access function used to access records which had advanced access controls set (in other words, in only 8.2 per cent of instances was it used as intended): this suggests a need for further healthcare provider training on the emergency access function.

3.44 ADHA documented a procedure for monitoring emergency access, but not next steps for receipt, assessment or monitoring of responses. ADHA sought written responses from healthcare provider organisations in relation to each instance of emergency access, and maintained detailed records and analysis of provider responses. In a number of instances, ADHA did not receive a response from specific healthcare provider organisations. In these cases ADHA could not satisfy itself that the circumstances of the emergency access did not constitute an interference with privacy. In other instances, some of the responses indicated a potential contravention of the Act. To date, ADHA has not notified the Information Commissioner of any of these instances, and nor have the healthcare provider organisations.

Were there appropriate systems of cyber security risk management and oversight?

3.48 To examine whether there were appropriate systems to oversee and manage My Health Record cyber security risks, the ANAO considered:

• cyber security risk context and standards;
• core infrastructure cyber security risk management;
• shared cyber security risk; and
• oversight of cyber security risks.

3.49 Analysis is based on a review of ADHA’s documentation and management frameworks. The ANAO did not test the technical effectiveness of cyber security controls as part of this audit.

Cyber security risk context and standards

3.50 The healthcare sector in Australia and overseas faces cyber security risks, such as phishing (compromised credentials), hacking and malware. International examples include a 2017 ransomware incident on the UK’s National Health Service⁵³, and a 2018 cyberattack on SingHealth’s IT system in Singapore.⁵⁴

3.51 In Australia, evidence shows that:

• not all healthcare provider organisations achieve minimum cyber security levels⁵⁵;
• in 2018, the private health service provider sector reported the most notifiable data breaches of any industry sector; and
• more than 40 per cent of data breaches from the private health service provider sector notifications to the OAIC in 2018 were due to malicious or criminal attacks, almost half of which were cyber incidents.⁵⁶

3.52 In early 2016, ADHA assessed the cyber security risk context for My Health Record, and identified ‘nation states and criminal actors as the greatest threat to the My Health Record system, with hacktivists and trusted insiders posing a medium threat and cyber terrorists posing a low threat’. ADHA assessed that in addition to denial of service attacks, sensitive information holdings ‘could be used for identity theft, leverage or blackmail’, and ‘manipulation of the system or the information contained within the system could be used to attack the nation’s health system as a whole, or to cause physical harm to an individual by changing the content of their health record’.

3.53 In 2017, the ADHA Board set a ‘limited’ risk appetite and ‘low’ risk tolerance for cyber security-related risks. The ADHA established the Digital Health Cyber Security Centre (CSC) to ‘strengthen the security of our national digital health systems and services; and to promote increased security awareness and maturity across the digital health sector’.⁵⁷

3.54 Under legislation the ADHA is required to: establish and maintain an appropriate system of risk oversight and management; maintain the confidentiality, integrity and availability of all official information; and exercise effective governance of information resources. ADHA also applied the Australian Government Protective Security Policy Framework (PSPF) core and supporting requirements, and the Information Security Manual (ISM), as mandatory requirements for the My Health Record system.⁵⁸

3.55 As with privacy risks, ADHA shares cyber security risks with other participants, including:

• the NIO and subcontractors – provide the core infrastructure for the My Health Record system, and have legislative and contractual security obligations;
• Services Australia – secures the data repositories and myGov portal, provides healthcare provider authentication through the National Authentication Service for Health (NASH) public key infrastructure (PKI) certificates and the National Provider Portal⁵⁹, and monitors the Healthcare Identifiers Service for anomalous transactions;
• software vendors – are responsible for the security of software used to access the My Health Record system, including clinical software used by healthcare providers and mobile applications used by healthcare recipients;
• healthcare provider organisations and their contracted service providers – have access to multiple records by design, and are responsible for their information management and cyber security practices; and
• individual healthcare recipients – are responsible for the security of the passwords, devices and connections they use to access their My Health Record, either through myGov or third party mobile applications.

Figure 3.1: Shared risks in the My Health Record system

Source: ANAO, adapted from ADHA, National Digital Health Cyber Security Centre Strategic Plan 2016-2019.

Core infrastructure cyber security risk management

3.56 The ICT platform and associated processes that comprise the central My Health Record system are referred to here as the ‘core infrastructure’. Core infrastructure consists of the software, equipment and interfaces that are operated by the National Infrastructure Operator on behalf of ADHA as the System Operator. Other ICT systems connect to the core infrastructure to make My Health Record function as intended—such as the authentication services, data repositories, and external clinical information systems software (as shown in Figure 3.1). The ANAO considered core infrastructure risk management, as well as the management of shared risks to cyber security.

3.57 The PSPF accreditation framework requires that entities assess, certify and accredit ICT systems in accordance with the ISM.⁶⁰ This involves:

• assessment – to review the system architecture and documentation and examine the effectiveness of security measures;
• certification – the entity ‘certifies’ that security measures have been implemented and are operating effectively to ensure the system’s integrity and confidentiality; and
• accreditation – the entity accepts any residual security risk to the system and documents an approval for the system to operate.⁶¹

3.58 The My Health Record system underwent five information security assessments between 2012 and 2017. These were conducted by an external Information Security Registered Assessors Programme (IRAP) registered assessor. The most recent assessment was completed in 2017 in the lead-up to the opt-out period. The next assessment is due by late 2020.

3.59 ADHA should improve its mechanisms for tracking the IRAP recommendations:

• the 2017 assessment found that 11 of 31 recommendations from the previous 2015 IRAP assessment were still ‘open’ and not implemented;
• in 2018, a security risk management plan incorporated reference to some but not all recommendations from the 2017 IRAP assessment, and did not indicate whether these recommendations had been implemented;
• from June 2019, the NIO prepared a My Health Record security risk register that documented 74 risks in a comprehensive risk framework, but did not document any proposed risk treatments, controls, or assessment of the effectiveness of controls — including for the 15 ‘high’ and five ‘very high’ risks.

3.60 Following these IRAP security assessments, the system was certified and accredited by Health in 2013 and 2016, and by ADHA in 2018. Each time the system was accredited by a senior executive below the accountable authority, which is permissible under the PSPF. ADHA could consider elevating future accreditation decisions to the accountable authority (the ADHA Board).

3.61 In addition to the IRAP assessments, a number of other risk assessments and end-to-end security reviews were commissioned. Reviews in 2015 and 2016 found that threats to core infrastructure were being managed through relatively strong security controls and that healthcare provider security remained a challenge.

Information Security Manual controls

3.62 The most recent IRAP security assessment in 2017 found that for the My Health Record core infrastructure ADHA had implemented the ‘Top Four’⁶² and ‘Essential Eight’⁶³ cyber security mitigation strategies recommended by the Australian Cyber Security Centre. In addition the PSPF framework requires that ‘residual security risks to the system and information have been recognised and accepted’ in accordance with the ISM.⁶⁴

3.63 Further work is required to implement all ISM security controls (illustrated in Figure 3.2). Health and ADHA reported internally that the number of ISM cyber security controls not implemented over core infrastructure decreased over time. This was confirmed by the IRAP assessments.

Figure 3.2: Reported ISM cyber security controls implemented over time

Source: ANAO analysis of information from the Department of Health and Australian Digital Health Agency. The total number of controls varies between years due to changes in ISM requirements.

3.64 ADHA cyber security risk management arrangements with the NIO for core infrastructure are based on clearly defined roles and responsibilities documented in the NIO contract. While the contract required the NIO to comply with the PSPF and the ISM, this did not initially result in core infrastructure that implemented all applicable ISM cyber security controls. Additional funding was provided to the NIO to implement security improvements and increase the number of ISM cyber security controls for the core infrastructure.

Monitoring and other security activities

3.65 The CSC includes a Security Operations Centre, which monitors the My Health Record system using security incident and event management software, and provides an incident response management capability. ADHA stated to the ANAO that ‘the My Health Record system has not been the subject of any actual malicious cyber activity, events or incidents’.

3.66 ADHA also documented cyber security risks in corporate risk management plans. In 2018, the CSC reported that three residual risks remained above tolerance and were being actively managed:

• multiple health records are accessed, modified or made unavailable without authorisation due to vulnerabilities or bugs from development in the My Health Record system;
• multiple health records are accessed, modified or made unavailable without authorisation due to compromise of a participating healthcare organisation or their contracted service provider (including unauthorised access by a member of staff); and
• the My Health Record system is not available for individuals or healthcare providers due to a malicious denial of service attack against the hosting infrastructure.

3.67 Another security measure relates to the storage of information in Australia. The NIO must notify ADHA if the NIO, or subcontractor or personnel, is subject to an order made under the ‘law of a foreign country to disclose or transfer data it holds in relation to a My Health Record to a foreign country or to any entity outside Australia…if permitted by such law’. Legislative and contractual requirements can only be partially effective controls against this risk, which can also be mitigated in the selection of contractor. Future procurement processes for core infrastructure and data storage should consider the risk that an external contracted service provider or subcontractor is subject to direction from a foreign government that contravenes Australian law and places sensitive information at risk.

3.68 Regarding information classification, while ADHA’s approach is consistent with the PSPF, the classification is not displayed or documented on the user interface for healthcare providers. ADHA could consider amending the user interface and key documents to ensure the classification — or an equivalent statement that the information is sensitive — is displayed on the user interface and documents viewed, extracted or printed from the My Health Record system.

3.69 The ADHA maintains ‘hot’ and ‘warm’ sites, which provide a failover in case of technical failure at one site. The 2017 security assessment recommended that ADHA review the geographic location of data centres to provide better resilience against geographically focussed attacks and incidents.

Shared cyber security risks from the broader My Health Record system

3.70 ADHA assessed shared cyber security risks potentially posing ‘high’ to ‘very high’ residual risk to the My Health Record system.

3.71 ADHA conducted assessments of shared cyber security risks but did not appear to focus on potential consequences to vendors, healthcare providers and healthcare recipients. Shared risk assessments considered all key stakeholder groups — the NIO, Services Australia, software and mobile application vendors, healthcare providers and healthcare recipients — however primarily focused on consequences to the ADHA itself and the in-house technical ICT controls and treatments protecting core infrastructure.

Software vendor shared risk

3.72 ADHA’s end-to-end security review in 2016 recommended accreditation for contracted service providers of healthcare provider organisations, such as software vendors of clinical information systems. ADHA rejected this recommendation on the basis that it ‘presents several challenges’ including the additional burden to vendors and potential for reputational damage.

3.73 The IRAP security assessment in 2017 stated that ISM compliance should be considered a minimum acceptable standard for the My Health Record system — as an ICT environment with service-oriented architecture and extensive access by third party software. The IRAP assessment also stated that software products and services used by healthcare providers and recipients, including mobile applications, are an area of risk that needs to be carefully monitored as part of the supply chain managed by ADHA as the System Operator.

3.74 ADHA did not assess, certify or accredit the ISM compliance of third party software and systems connected to the My Health Record system. This included clinical software that gives healthcare providers access to multiple health records, and mobile applications for healthcare recipients. Instead, software vendors must complete a Conformance Vendor Declaration Form and a ‘deed poll’ that warrants their conformance testing against requirements set by ADHA. Mobile application vendors must sign a Portal Operator Registration Agreement that details their responsibilities and obligations.

3.75 The decision to not assess, certify or accredit the ISM compliance of third party software and systems — as required by the PSPF — limited ADHA’s assurance over the cyber security risks of the My Health Record system.⁶⁵ An ISM assessment, certification and accreditation approach would provide a rigorous system for ADHA to understand and manage cyber security risks from third party software, but any assurance process must be balanced against disincentives to register and use the system.

Healthcare provider organisation shared risk

3.78 The ADHA shared risk assessments identified cyber security awareness and practices of healthcare provider organisations as a key potential risk. The CSC conducts security and compliance ‘outreach’ activities to mitigate these risks by raising awareness of good cyber security practice. For example, it published cyber security information and awareness products, including a guide for procurement of secure information technology and other security and privacy guidance.⁶⁶ ADHA could consider doing more in this area.

3.79 If a security threat is detected on a provider’s system (such as malicious software), ADHA can suspend access to the My Health Record system until that user mitigates the threat. The consequence of temporary suspension of access may be limited for a small healthcare provider, but potentially extensive for a larger provider such as a major hospital or pharmacy. ADHA could develop procedures to inform and assist end users to respond to the impact of cyber security incidents, and test those procedures through crisis simulation exercises.

3.80 Entities such as healthcare provider organisations and contracted service providers must comply with mandatory legislated security requirements in order to be eligible, and remain eligible, for registration.⁶⁷ As the System Operator, ADHA should not register an ineligible entity, and may consider revoking registration of an entity that does not remain eligible.⁶⁸ Despite clear statutory functions and powers to register and deregister entities, ADHA stated to the ANAO that ‘it is unclear that the Agency has a mandate to undertake such monitoring and assurance activities’. Legislative requirements are only effective risk controls when enforced. ADHA conducted limited compliance monitoring to ensure registered healthcare providers met legislated security requirements. ADHA stated to the ANAO that:

Through our engagement with clinicians, they have told us that security and compliance controls can make the provision of healthcare unworkable. This can increase clinical safety risks and place additional pressure on the health workforce which is often already strained.

3.81 The risk that multiple health records are accessed, modified or made unavailable without authorisation due to compromise of a participating healthcare organisation or their contracted service provider remains a shared risk above ADHA’s residual risk tolerance. Quality reviews undertaken by ADHA of a very small sample of general practices against the requirement to have a security policy found that this requirement was only fully met by 32 per cent of survey recipients.

Oversight of cyber security risks

3.84 The ADHA Board noted dedicated cyber security briefings on four occasions between July 2016 and February 2019. This included noting the 2016–2019 Cyber Security Centre Strategic Plan and its 12 Key Performance Indicators (KPI) on 21 February 2017. Progress reporting against these KPI has not been provided back to the Board.

3.85 One of the ADHA Board’s advisory committees is the Privacy and Security Advisory Committee (PSAC). The PSAC Charter states that it will ‘monitor privacy and security issues in relation to digital health systems’, ‘provide advice and recommendations to the Board in relation to standards (including compliance with standards) relating to privacy and security’ and ‘provide advice to the Board about the privacy and security issues encountered by users of digital health systems’.

3.86 It was not clear that the PSAC provided advice or recommendations to the ADHA Board, despite meeting minutes recording that the PSAC noted regular briefings from ADHA on cyber security. As part of these meetings PSAC also noted the 2016–2019 Cyber Security Centre Strategic Plan on 23 March 2017, and reviewed the underpinning work plans supporting the strategy on 1 August 2018. Progress reporting against these KPI has not been provided back to PSAC. The ADHA updated the Cyber Security Centre Strategic Plan for 2019–2023 on 14 November 2018. The meeting minutes to April 2019 do not show that the updated Strategy was considered by the PSAC or the ADHA Board.

4.1 To examine the appropriateness of monitoring and evaluation for the My Health Record system, the ANAO considered:

• whether mechanisms have been put into place to improve the quality of data — because the quality of information entered into the system is critical to increasing the use of the system by healthcare providers, and therefore to the realisation of intended benefits; and
• whether there are arrangements to monitor, evaluate and report on the realisation of the intended benefits — because the timeframe for benefits realisation is relatively long, it is important that arrangements in place to collect and evaluation relevant performance information over time.

4.2 Analysis in this section is based on a review of documentary evidence.

Are there appropriate mechanisms to improve the quality of information entered into the My Health Record system?

4.3 Data quality is critical to realising the potential benefits from My Health Record, and the My Health Records Act 2012 established an objective to ‘improve the quality of health information’. While there is no baseline or benchmark against which ‘improvement’ is measured, the theory of change described in the 2017 business case suggested that increasing the availability and sharing of clinical information in the My Health Record system was both an intermediate success indicator for the system, and a foundation for realising its intended longer-term benefits.

4.4 As summarised in Figure 4.1, the business case stated that increasing the number of individual records would lead to increased use of the system by healthcare providers, resulting in increased availability and sharing of clinical information, which would promote better health care. Implicit in this business case is that the available information is of sufficient quality that providers change their behaviours, and that such behavioural change will generate a range of benefits (which are discussed at paragraph 4.19).

Figure 4.1: Theory of change for the My Health Record opt-out benefits case

Source: ANAO analysis of 2017 business case

4.5 To assess ‘data quality’, the ANAO considered three broad elements:

• information provided to My Health Record from external repositories;
• information directly entered by healthcare providers (shared health summaries, event summaries, discharge summaries, prescription and dispense records); and
• other activities intended to promote improved data quality.⁶⁹

Data quality: repository operators

4.6 Individuals can choose to have information from ‘registered repository operators’ included in their My Health Record. Broadly described as a ‘Medicare history’, this includes Medicare and Pharmaceutical Benefits Scheme claims⁷⁰; organ donor status; and immunisation records. Content from these systems is updated in My Health Record daily. Repository operators are responsible for, and manage, the quality of this data.

4.7 There are instances of administrative errors, called ‘intertwined records’, where a single Medicare record has been used interchangeably between two or more individuals. This most often occurs where the individuals have similar names and dates of birth and a Medicare claim has been directed to the wrong individual’s record, or of fraudulent Medicare claim data flowing onto a person’s My Health Record. These errors may be notifiable data breaches, but it should be noted that no individually identifiable information is contained in Medicare claims data.⁷¹ It should also be noted that intertwined record errors are not caused by the My Health Record system.

4.8 Intertwined records may be identified and corrected by the repository operator (Services Australia), or may be identified by the healthcare recipient and corrected in response to their complaint or query. Procedures are in place for both circumstances.

4.9 Services Australia stated to the ANAO that most of these issues are identified through its regular data integrity activities, which includes identifying intertwined records and investigating fraudulent claiming. In response to a 2014 Auditor–General’s report, and again in 2017 in preparation for the My Health Record expansion program, Services Australia conducted additional data mining activities to identify potential intertwined and duplicate Medicare records.⁷²

4.10 ADHA stated that, although there is a risk that confidence in My Health Record could be compromised when consumers identify administrative errors, the ‘spotlight’ effect of consumers seeing their own information may assist in driving improved overall health data quality.

Data quality: healthcare providers

4.11 Most information that is directly entered into the My Health Record system by healthcare providers is by way of structured data entry using drop down fields containing standardised clinical and medicines terminology. This promotes consistency in key records such as shared health summaries. These may be accessed and completed by providers in My Health Record via their own desktop clinical information systems which integrate with the My Health Record system.⁷³ ADHA works with the vendors of those systems to promote the use of the standardised terminology.

4.12 Various education and training activities for providers also sought to promote data quality:

• ADHA provided online training for providers in relation to data quality, and funded PHNs to deliver provider education activities;
• ADHA stated that My Health Record was included in Continuing Professional Development units delivered by the Royal Australian College of General Practice (for general practitioners) and the Pharmacy Guild of Australia (for pharmacists); and
• guidance to providers on improving health record data quality was developed by Royal Australian College of General Practice and the Pharmaceutical Society of Australia.

4.13 These activities have focussed primarily on general practice, pharmacies and hospitals. New data quality challenges may emerge as the focus turns to increasing the number of specialists, allied health and aged care providers using the system, as many individuals in these groups may not have accessed the awareness and education activities. As the quality of data entered into the system is critical to the realisation of potential My Health Record system benefits, work to monitor and improve data quality will need to continue as overall use of the system increases.

Other activities

4.14 ADHA was also involved in three other activities that sought to improve health data quality in general and, by extension, data quality in the My Health Record system:

• facilitation of national standardised e-record clinical and medicines terminology and taxonomy, specifically the Systematized Nomenclature of Medicine Clinical Terms (SNOMED-CT) that includes descriptions of diseases, clinical findings, treatments and outcomes, and the Australian Medicines Terminology that describes commonly used medicines and supports electronic medication management — these are integrated into key My Health Record documents, as explained at paragraph 4.11;
• participation in a Joint Data Quality Working Group with the Australian Commission on Safety and Quality in Health Care (ACQSHC), Australian Institute of Health and Welfare and jurisdictions, reporting to health ministers and seeking to address existing data quality problems that are coming to light through My Health Record; and
• the ACQSHC undertook ten clinical safety reviews of My Health Record, including data quality issues — the recommendations of which were addressed in improvements to the system, or incorporated into broader National Digital Health Strategy work.⁷⁴

4.15 Another potential source of information on data quality is feedback from system users. ADHA previously measured provider awareness, adoption and attitudes towards My Health Record, but at the time of the audit was no longer doing so.

Are there appropriate arrangements to measure, evaluate and report on benefits realisation?

4.16 Non-mandatory guidance on program monitoring, review and evaluation is available to entities through the Department of the Prime Minister and Cabinet (PM&C) policy implementation guidance.⁷⁵ Key elements include:

• defining success and identifying evidence needed to demonstrate outcomes;
• monitoring progress towards outcomes through relevant data collection;
• regular review to assess progress and evaluation of outcomes; and
• transparent reporting of results.

4.17 ADHA developed a benefits realisation plan in 2017 which defined success for the opt-out model of the My Health Record system. This plan’s purpose was to set out a strategy for managing benefits of the My Health Record system, and to make sure that benefits realisation was ‘planned and budgeted, underpinned by a whole of lifecycle process … appropriately resourced [and] backed by focused governance structures’.

4.18 The plan estimated the potential health sector economic benefits from implementing My Health Record as an opt-out model. Estimates were derived from academic studies rather than being extrapolated from actual My Health Record usage, due to a lack of sufficient historical data. Estimates were reviewed by a clinical reference group and clinicians from ADHA and Health. The plan stated that ‘estimates were calculated conservatively’.

4.19 Potential health sector economic benefits were estimated from 2007 to 2027⁷⁶, totalling $14.59 billion. The benefit categories identified were:

• ‘Improved health outcomes: if clinicians have greater access to medication information, it will result in avoided hospital admissions and saved lives’ — requiring evidence of reduced hospital admissions, lengths of stay, emergency presentations, and general practice visits;
• ‘A much more efficient health system’ — requiring evidence of reduced healthcare provider time gathering information and communicating with other providers;
• ‘Avoided duplication of diagnostic tests’ — requiring evidence of reduced expenditure on duplicate tests due to better access to pathology and diagnostic imaging information;
• ‘Putting the person at the centre of their healthcare’ — requiring evidence of improved patient self-management through increased use of care plans, mobile apps and advance care plans linked to My Health Record; and
• ‘Enabling innovation and developments in healthcare’ — requiring evidence of system improvements arising from secondary use of data and innovation in care delivery.

4.20 The plan stated that intermediate output measures would be tracked using My Health Record system data analytics. Intermediate output measures include: number of individuals and healthcare providers registered; and number and type of documents uploaded and viewed (‘shared’) by different types of healthcare providers. These are described in Appendix 4.

4.21 The plan also stated that additional bespoke research and statistical analyses would be necessary to measure the longer-term (‘end’) benefits, recognising that health system ‘confounding factors’ would complicate direct benefits attribution.⁷⁷ Potential research included:

• for improved health outcomes — a potential study assessing any change in adverse drug events in hospital admissions, emergency department visits and general practice visits;
• for a much more efficient health system — potential time in motion study of clinician time taken to gather patient information and communicate with other health professionals;
• for avoided duplication of tests — statistical analyses of pathology and diagnostic imaging Medicare data to identify reduction in growth below historical averages; and
• for putting the person at the centre of their care — potential study identifying change in service use by consumers who use My Health Record compared to those who do not.

4.22 The plan is being revised for the business case to government for future funding.

Monitoring

4.23 ADHA is monitoring the intermediate output measures described in the benefits realisation plan (see paragraph 4.20 above, and Appendix 4 for more detail on these measures). Regarding the measurement of longer-term (‘end’) benefits, ADHA has commissioned nine research studies, of which five have been completed (refer to Appendix 5 for a description of these). Each benefit category except for ‘enabling innovation and developments on healthcare’, which is dependent on making data available for secondary use research, have at least one commissioned research study relating to it. ADHA stated to the ANAO that it intended to commission a series of research projects to provide evaluative evidence across the benefit categories over time. At the time of the audit, there was no documented forward plan for delivery of this intended program of work.

4.24 In addition to the nine commissioned studies, ADHA has funded 15 ‘test beds’ to run over two years from June 2019 to assess ‘digitally-enabled models’ of care delivery.⁷⁸ These projects are part of the National Digital Health Strategy and each involves use of My Health Record. Projects include testing new approaches to caring for patients with chronic conditions, those requiring post-hospital support, and those receiving palliative care. Example approaches include digital sharing of information across care settings, and use of patient mobile applications linked to My Health Record.

Review and evaluation

4.25 The projected benefits realisation period for My Health Record is ten years (to 2027, not adjusted for the extended opt-out period). As noted by the gateway review in May 2019:

The [My Health Record] system is in place, but benefits will take time and continued effort to be fully realised. The long lead time increases risk.

4.26 PM&C’s guidance states that ‘evaluation plans should determine the purpose, the timing, the mechanism to be used, and how results will be shared and applied’, and that entities should:

Be strategic about the focus of the evaluation: what is the most important thing to evaluate across the whole initiative and what is the best method? Identify critical checkpoints to conduct reviews and evaluations as the initiative matures through implementation.

4.27 As noted at paragraph 4.23, the benefits realisation plan sets out a range of potential measurement activities, several of which have been or are being undertaken. However, neither that nor any other document set out a structured plan for undertaking data collection and research activities across future years. The benefits plan does not set out the timing or sequencing of activities. It does not identify critical checkpoints to conduct reviews and evaluations as the initiative matures, nor address the effectiveness of program administration elements.

4.28 Given that the projected benefits realisation period for My Health Record is ten years, the ADHA should develop a forward looking evaluation plan to guide the sequencing, timing and scope of activities across the coming years. This would provide a clear line of sight as to what actions will be taken and when to collect and assess relevant information. Without a plan, there is a risk that there will not be enough evidence to evaluate the longer-term effectiveness of My Health Record.

Reporting and transparency

4.31 Accountability and transparency is primarily achieved through the reporting requirements of the Public Governance, Performance and Accountability Act 2013 (PGPA Act). In accordance with these requirements, ADHA reports on My Health Record implementation in its corporate plan (key milestones for My Health Record)⁷⁹, annual performance statements (summary system usage statistics of healthcare recipient and provider uptake) and annual reports (achievement against entity objectives and KPIs for the My Health Record system).

Appendix 1 Entity responses

Appendix 2 Privacy risk and impact assessments

1. On 12 September 2011, Health’s initial Concept of Operations for the PCEHR identified privacy risks and issues related to: collection; use and disclosure; data quality; data security; openness; access and correction; use of identifiers; anonymity; cross-border data flows; and controls on sensitive information. Proposed controls included user authentication and system access controls, and regulatory compliance framework. This informed initial consultations on the development of the PCEHR.

2. On 15 November 2011, a PIA of the proposed opt-in PCEHR made 112 recommendations — 77 of which were accepted or supported in full and incorporated into the system design, 26 of which accepted in principle or in part, and 9 of which were not accepted. This assessment informed the development of the PCEHR legislation.

3. In 2014, a report on Health’s public consultation on the recommendations of the 2013 PCEHR review found that ‘issues of information security and misuse still exist but are not predominant concerns’, and consumers valued access controls and notifications. This informed development of the opt-out model.

4. On 20 May 2015, a PIA analysed flows of personal information and potential privacy risks and impacts of an opt-out model, making 46 recommendations. The recommendations further informed the development of the opt-out model and the design of the participation trials.

5. In November 2015, a PIA assessed pathology and diagnostic imaging reports functionality and made five recommendations.

6. On 21 March 2016, a PIA assessed the design of the participation trials and concluded that privacy risks could be mitigated. Fourteen recommendations were made. This assessment informed the conduct and evaluation of the participation trials.

7. On 28 June 2016, a PIA assessed professional representative arrangements and made 14 recommendations.

8. On 18 October 2016, a PIA assessed proposals for third party mobile applications to access the My Health Record system and made 27 recommendations.

9. The evaluation report of the 2016 participation trials also identified privacy considerations for an opt-out model for people in certain situations such as those at risk of family violence and for health services staff treated in facilities where they work (these were addressed in the 2018 legislation changes).

10. On 1 December 2016, a PIA assessed the proposed bulk transfer of records to the contracted National Infrastructure Operator for record creation as part of the opt-out process and made six recommendations.

11. In July 2017, a PIA further examined privacy risks and impacts of the proposed implementation of the opt-out process and made 11 recommendations relating to opt-out communications and the process of bulk registration of records after the opt-out period.

Appendix 3 ANAO assessment of implementation status of privacy recommendations from the 2018 Senate Inquiries

Source: ANAO analysis of ADHA and Health documentation

Appendix 4 ANAO assessment of the status of intermediate output measures for My Health Record benefits measurement

Source: ANAO analysis of ADHA documentation.

1. The baseline year for all categories is 2015–16.

2. Output measures for ‘healthcare providers’ are broken down by general practice, public and private hospitals, pharmacies, specialists, allied health, aged care, pathology and diagnostic imaging.

3. Output measures for ‘clinical information’ are broken down by the type of providers uploading and viewing, and by the type of document: shared health summary, discharge summary, event summary, specialist letter, MBS and PBS data, prescription records, medications views, advance care documents, care plans, age care transfer form, report patient observations/monitoring, organ donor status, child development report, pathology report, diagnostic imaging report, immunisation register, screening status and genomic information.

Appendix 5 Summary of commissioned research projects relevant to My Health Record benefits measurement

Research and evaluation reports completed at the time of the audit

1. Evaluation of a multifaceted intervention to change clinical practice using My Health Record in primary care, University of Wollongong, November 2018.

• Presented outcomes of an evaluation of an educational intervention, using My Health Record, for medical practitioners to encourage change in clinical behaviour and practice for pathology, diagnostic imaging ordering and de-prescribing.
• Results showed potential to effect significant changes in GPs’ prescribing and pathology test-ordering behaviours.

2. The Impact of My Health Record Use in Primary Care in Western Sydney. Pen CS, NSW Ministry of Health, Western Sydney PHN and Western Sydney University. July 2018.

• Presented findings of a qualitative evaluation of My Health Record use among primary care practices in the Western Sydney Primary Health Network. It aimed to qualitatively examine how My Health Record may impact on clinicians and consumers by potentially improving work efficiency, reducing time spent on communication with other clinicians, improving medication safety, and reducing duplicative testing.
• Found that My Health Record can optimise patient care among particular patient groups (those who are older, and/or have complex or chronic conditions), but that while there are positive attitudes towards the system in primary care, wider implementation in more healthcare settings (e.g. specialists) was needed to increase its perceived value.

3. The Impact of My Health Record on Primary Care, Final Report. NPS MedicineWise and University of Melbourne. August 2018.

• Purpose was to establish a baseline of My Health Record activity for primary care practice and to develop methodologies to track the impact of My Health Record over time.
• Four studies were evaluated to establish these baselines: (1) exploring whether My Health Record activity was associated with reduced diagnostic tests for people with certain chronic diseases, and rate of prescribing of benzodiazepines; (2) determining the proportion of primary care patients with a recorded allergy or adverse drug reaction to antibiotics who had relevant information recorded in My Health Record; (3) qualitative research on the impact My Health Record has had on clinicians and consumers in improving medication safety and management; and (4) using a novel simulation approach to explore how GPs use the My Health Record in a consultation where there is potential for an adverse drug reaction.
• Found that GPs welcome the potential benefits of My Health Record, but that, at the time of the research, GPs were not yet using My Health Record as a source of trusted information in routine consultations.

4. eHealth literacy study – Ballarat. Deakin University. January 2019

• Presented results of an epidemiological study of eHealth Literacy in western Victoria, making recommendations to improve eHealth engagement and increase use of My Health Record by consumers.

5. My Health Record: A South Australian General Practice Case Study. Flinders University. November 2018.

• Researched perceptions and use of My Health Record by GPs, practice staff and patients in a single site primary care setting in South Australia, prior to and following tailored training in My Health Record.
• Found that clinician understanding of the system increased after training; perception of benefits remained stable, and use of the system was low before training with minimal change after training where clinicians held concerns about data security and privacy or the comprehensiveness of content in the system.

Research and evaluation projects still underway at the time of the audit

6. Project to develop material for Aboriginal and Torres Strait Islander health services to increase adoption and meaningful use of My Health Record. University of South Australia.

7. Project to evaluate the application of the My Health Record system in an After Hours GP service to determine the benefits of the system for that service and emergency departments. HealthDirect Australia.

8. Project to realise the potential benefits of a scalable ‘eConsultant’ telehealth model, which provides an example of the application of secure email among different healthcare providers and settings. Mater Research Institute.

9. Project to measure digital health uptake and barriers as part of an existing three-year survey of GPs and specialists. University of Melbourne.