Future Tense

Down With My Health Record

Australia offers a cautionary tale of government tech gone really, really wrong.

Then-Australian Prime Minister Malcolm Turnbull speaks on stage during the Aerotropolis Investor Forum on May 28 in Sydney.
Photo illustration by Slate. Photos by by Rawpixel/Unsplash and Mark Kolbe/Getty Images.

Wes Mountain, an editor and cartoonist for the Australia-based website the Conversation, decided to opt out of his country’s new “My Health Record” program on the very first day he could.

The project, which Australia has been working on for years at substantial cost, is supposed to make health care more efficient and allow medical providers to better communicate with one another. In its early years, it was an opt-in program that let Australians decide whether to participate. But after spending billions of dollars and many years to build what political leaders assumed would be an appealing program to create a centralized health care database, the government discovered that many citizens weren’t sold on the need for, or benefits of, the program. When less than 25 percent of Australia’s citizens signed up for My Health Record in its first few years, the government didn’t question whether it was a good idea in the first place. Instead, it decided to just sign them up by default. July 16 was first opportunity for people to make the proactive decision not to take part. Then the tweets began.

Mountain quickly discovered opting out was difficult and maybe impossible—because the Australian government database already had a “My Health Record” for him, and there was no easy way to delete it. By default, according to the government, once you had a My Health Record, you could choose to limit access to your records but not to erase them entirely.

“So because myGov [the government’s Web portal] thinks I have a Health Record,” Mountain tweeted that morning, “I have to login with a billion details to setup my Health Record, so I can delete my Health Record.” While many Australians were discovering they already had records, others found it difficult to opt out if they didn’t. “I had to agree to let them share info with other agencies in order to opt out of having my info shared with other agencies,” tweeted D. Robert Digman, which meant, in effect, that he had to “opt-in in order to be allowed to opt-out.”

The hard lesson—which the Australian government has yet to grasp—is that you can’t just tinker with an inherently anti-privacy program and hope to fix it. You have to redesign it from scratch. If Australia fails to do this, that failure will also permanently erode Australians’ expectations of privacy. That would be bad for Australia, of course, but it would also be bad for other Western democracies, including the United States, where there’s always a tension between government’s prerogative to collect data on its citizens and citizens’ prerogative to say, “Hands off!”

Months before the planned opt-out window—the three-month period in which those who didn’t have a “My Health Record” could tell the government not to create one—at least one poll suggested that as many as two-thirds of Australians don’t want the government to keep their health information in a centralized health records database.

The newly reorganized government (which is still reeling from a “leadership spill” over the weekend) is expected to continue pushing for legislative changes aimed at addressing the growing public criticism of the program. These changes include narrowing the range of purposes for which non-health-related government agencies can access health records, requiring warrants and other due-process protections to further limit government use of citizens’ data, and increasing the ability of citizens to fully delete their records at some point in the future. On Aug. 15, it was announced that the Australian Senate will hold an inquiry into the program. But the one thing the government refuses to consider is the possibility of reverting My Health Record to a purely voluntary “opt-in” basis.

If the Australian public isn’t embracing My Health Record, that’s partly because the government is working to erode citizen privacy on multiple digital fronts—not just medical information, but also the data on citizens’ digital devices, and the data that phone companies and internet services are being ordered to keep about citizens’ use of those services. Still, the “My Health Record” controversy is leading the pack of current privacy concerns. According to Dave Vaile, who chairs the Australian Privacy Foundation, the My Health Record program “has the characteristics of a classic, major, large government IT system failure.”

There are lots of devils in the details of My Health Record. Under the program as it has begun to be implemented this summer, any citizen’s health care records would held by the government until 30 years after that person’s death. Even if an Australian chose later to opt out of the program, the record might still (theoretically) accessible to health care providers and government officials. The government’s health minister introduced legislation on Aug. 22 that would address some complaints about the program, but it’s unclear whether the Australian Parliament has the focus or will to implement the changes, given the political uncertainty in the country.

The pushback against My Health Record has been immense: The majority of media coverage of the rollout has been critical of the “full steam ahead” approach taken by then–Prime Minister Malcolm Turnbull’s government. Citizens who have rushed to opt out have found the system less than easy to navigate. Even some politicians who initially supported the program have made public their own choice to opt out. A Sydney Morning Herald report last month said the number of opt-outs might “run into the millions.”

The same kind of public concern sank a similar health-care effort in the United Kingdom just a few years ago. The U.K.’s “care.data” program—essentially a British version of “My Health Record—was abandoned in 2016 after a government-appointed commission underscored privacy and security concerns. As the U.K.’s experience suggests, the policy problem signaled by the opposition to the My Health Record initiative is bigger than Australia. The appeal of “big data” approaches to create efficiencies in health care is broad yet not entirely rational: Little actual economic research shows that centralized health care databases will actually provide benefits that recoup the costs of investment. The chief argument in favor of this kind of program is that it will enable health care providers to share patient data more easily—but health care workers, much as they hate the paperwork associated with it, mostly know that there’s no substitute for taking a fresh patient history at the point of intake.

Australia’s health care system has been in something like its current form since 1984. But the push for a national database of personal health information has been more recent. The Australian Department of Health announced in 2010 that the government would be investing heavily in a system of Personally Controlled Electronic Health Records. (That’s the earlier, clunkier name for My Health Record.) The primary idea was to make it more efficient to share critical patient information among health care providers treating the same person.

Another purported benefit would be standardization. Like the United States, Australia has a federal system uniting a set of states that have their own governments. The concern was that a failure to set national standards for digital health records would lead to the states and territories developing their own, possibly mutually incompatible systems. (Incompatible systems are also a problem in the United States, and proposals to standardize a U.S. electronic health record system have been floated for years.)

The 2010 announcement of the Personally Controlled Electronic Health Records program stated expressly “[a] personally controlled electronic health record will not be mandatory to receive health care.” The basic model was opt-in—starting in 2012, Australians had to actively choose to create their shared digital health records. If you didn’t register for the program, however, you didn’t create a PCEHR. If you did register, you had the assurance that, under the government-promulgated Australian Privacy Principles, your personal health information would be strongly protected.

The PCEHR program (which was retroactively renamed My Health Record in 2015) looked good in theory, but not so much in practice. The hard fact was that after the government burned somewhere near or past $2 billion AUD, the total number of citizens who had volunteered to “opt in” to have their health records shared and available in the program was only about 6 million. In other words, about three-quarters of Australia’s population didn’t see a compelling reason to opt in. Australia’s physicians haven’t necessarily seen the value in the program either, according to a March report in the Medical Republic.

My Health Record had never been an easy sell. The program went live in 2012, but as of a year later, only 400,000 of Australia’s 23 million population at the time had opted in. When the country’s Liberal Coalition government took power in 2013, it sponsored a review of the program by experts who, a half-year later, made 38 recommendations aimed at rebooting the stalled program. And the recommendation most important to improving citizen participation in My Health Record was to switch the program from opt-in to opt-out—that is, from purely voluntary participation to passive enrollment by default.

The government hired a consulting firm to evaluate trial studies in Far North Queensland and in the Blue Mountains region of New South Wales, which resulted in a November 2016 trial report that, according to an IEEE Spectrum article recounting the history of the program, led to the government’s announcement of a switch to opt-out. “Interestingly, neither the public nor health care practitioners paid much attention to the announcement,” the Spectrum reports, perhaps because “few people had much faith that the e-health system would survive much longer anyway.” Despite the government’s renewed commitment to My Health Record, new voluntary signups didn’t increase—instead they began to plunge.

As it stands now, the law already authorizes a lot of government access (for law-enforcement agencies, court proceedings, and other non-health-related purposes). And of course, the laws can be amended to authorize even more access. Were you ever treated for alcohol intoxication or for a drug overdose? Did you get a Viagra prescription? An abortion? If your government decides it has a good enough reason to know this stuff about you, it’s already holding the information.

The Australian Digital Health Agency, the relatively new government agency in charge of the program, said a warrant would be required—but that claim was contradicted by Australia’s Parliamentary Library, whose analysis found that access by non-health-related government agencies with few if any procedural or privacy safeguards. Disturbingly, the Parliamentary Library’s report was abruptly removed and revised after pushback from Turnbull’s government. (The removed report has been reproduced here.) And the less-easily-silenced Queensland Police Union advised its members that their records could be viewed without a warrant. A leaked ADHA document, as summarized in a Wednesday report by Australia’s Healthcare IT News, reveals that the agency is scrambling to respond to the program’s critics, either by “holding steadfast or fixing problems on the fly.”

One criticism the ADHA is plainly dodging is the fact that access to a citizen’s health record will be given to organizations, not just specified individuals. A centralized health care record database will give 900,000 health care workers (not just doctors) comparatively unrestricted, untracked access to patient health records. “We understand the challenges to consumers around monitoring access by organisation [sic] rather than individual healthcare providers,” the ADHA said in the leaked document. “If a consumer has a concern with information provided in their record’s audit log, they can contact the System Operator or the organisation directly to understand who has accessed their record.” Yes, that sounds exactly like something a consumer should have to do!

This is a key reason so many prominent Australian health care and privacy experts argue that the government’s new promises to patch the system are inadequate. Measures like requiring government agencies to get a warrant do nothing to protect patients from unauthorized access to their records by health care workers with access to the My Health Record system.

Some critics argue the government has painted itself into a corner due to the sunk costs. But Bernard Robertson-Dunn of the Australian Privacy Foundation argues the better choice is to write off the whole problem, despite the fact that the government has spent those billions.

That seems unlikely to happen. But citizens in a democratic society should have the political power to demand that their governments scrap a policy when it’s based on major privacy blunders. In a 2016 article in the Atlantic, Yale law professor Jack Balkin and Harvard professor Jonathan Zittrain may have hinted at a way forward. They suggested that the big tech companies ought to be considered “information fiduciaries,” with something like the same professional duties of care and loyalty that doctors and lawyers must adhere to.

Big Tech hasn’t exactly rushed to embrace the idea. But surely imposing fiduciary obligations on government itself is within reach. In democratic societies, we insist that our governments be accountable to us, loyal to us, and careful about our privacy as well as our other rights. In this sense, what Australians want is no different from what U.S. citizens want—a government that earns our trust, deserves it, and does what’s necessary to keep it.