July 25, 2018


My Health Record: The opt-out period for My Health Record runs from July 16 until October 15.

Katharine Kemp, UNSW; Bruce Baer Arnold, University of Canberra, and David Vaile, UNSW

The My Health Record (MHR) opt-out period begins and you have until October 15 to decide whether or not to be part of the scheme. You can read the case for opting in to My Health Record here.

Unless you take action to remove yourself from the My Health Record (MHR) system, the federal government will make a digital copy of your medical record, store it centrally, and, as the default, provide numerous people with access to it.

If you don’t opt out during this period and later choose to cancel your record, you will no longer be able to access that record but the government will continue to store it until 30 years after your death. You will need to trust that it will not be breached.

There are three main problems with the MHR scheme.


1. It can’t be relied upon as a clinical record

Contrary to what many Australians may believe, MHR is not a clinically-reliable medical record, and was not designed to be. It is not up-to-date and comprehensive. As the Office of the Australian Information Commissioner (OAIC) points out:

The My Health Record system contains an online summary of a patient’s key health information; not a complete record of their clinical history.

If, for example, a doctor were treating a child in an emergency, the doctor could not rely on an MHR to know what medications the child has been prescribed up to that date. In an emergency, an unreliable record is a distraction, not a help.

Many doctors have in fact objected to the incompleteness and lack of utility of the MHR. A recent poll on the AMA’s doctors portal suggests 76% of respondents think the MHR will not improve patient outcomes while 12% think it will.

Notwithstanding this fundamental deficiency, the government is pushing ahead with an inherently risky scheme.

2. It creates a security risk

If you read the very long (7,800 words) privacy policy for MHR, you’ll see that the Australian Digital Health Agency (ADHA) itself states there are risks from the online transmission and storage of our personal information in this system.

Health data is prized by hackers

We have witnessed a stream of health data breaches in Australia and overseas, and the incentives for these breaches are only increasing.

Storing records digitally with online access greatly increases their accessibility for criminals, hackers and snoopers. Health records are valuable as a means of identity theft due to the wealth of personal information they contain. They are a huge prize for hackers, fetching a high price on the Dark Web.


You won’t know who has seen it

It won’t just be your doctor who has access to this centralised digital record of your personal health information. The default position is that numerous people will have access – doctors, pharmacists, physiotherapists, nurses, and unidentified staff of various organisations.

MHR’s access-logging system does not track which individuals are accessing records, only institutions, which means you won’t be able to tell who has seen it. Even without a technical hack, that will make it almost impossible to keep your information secure in this system.

De-identification is risky

The government is also planning to allow access to your health information for research purposes by “de-identifying” your information. That means the data should not be able to be linked to a particular individual.

But the national government has a bad record for successfully de-identifying health information.

In 2016, the government released a data set that included information on a large number of patients spanning 30 years. It was meant to be de-identified.

IT researchers at Melbourne University quickly demonstrated it could be re-identified and linked to the individuals concerned. Such re-identification risk will only grow, as data sets proliferate and tools get smarter.

Third-party access jeopardises security

MHR also permits external health apps to access your records. According to the legislation, this should only be done with your consent.

Unfortunately, and predictably, health apps are already securing “consent” through obscure, standard form contracts so you might not be aware the app owner could sell your sensitive medical information to others.

Last month, the ABC revealed one such health app (HealthEngine) was selling patient information to law firms, so patients with serious conditions and injuries were contacted repeatedly by strangers pushing them to pursue legal claims. Many didn’t know how their sensitive medical information was revealed.

The ADHA’s website has published a report on the woefully inadequate privacy policies of mental health apps, and yet these apps might be authorised to access your MHR data with your supposed consent.


3. An ‘opt-out’ scheme goes against best practice

Critically, the opt-out consent mechanism for MHR flies in the face of global best practice for informed consent – and our own federal privacy regulator’s guidelines on the sort of consent necessary for use of health information.

Consent for use of personal information should be express, fully informed, easy to understand, and should require action on the part of the individual.

MHR disregards all of those principles.

MHR does not seek your express consent. Instead, if you do not take the necessary steps before 15 October, your health records will automatically be copied, stored and shared.

You will also not be fully informed. There will be no national television, radio or print media campaign to advertise the MHR scheme, which many Australians have misunderstood in the past. The government will not even send you a letter to tell you about this scheme, let alone its very serious risks.

By contrast, the OAIC says organisations seeking individual consent to use personal information should generally:

… ensure that an individual is properly and clearly informed about how their personal information will be handled, so they can decide whether to give consent.


… seek express consent from an individual before handling the individual’s sensitive information, given the greater privacy impact this could have.

Even if implied consent were acceptable (and it is not), the OAIC states further that an organisation:

… should not assume that an individual has consented to a collection, use or disclosure that appears to be advantageous to that person. Nor can an entity establish implied consent by asserting that if the individual knew about the benefits of the collection, use or disclosure, they would probably consent to it.


The time to opt-out is now

MHR is likely to create very limited benefits for many, if not most, Australians. It creates unacceptable security risks for our most sensitive personal information. And the government’s method of obtaining “consent” goes against international best practice.

If the MHR scheme were properly advertised, fully explained and Australians given a choice whether to opt-in, Australians could make an informed choice about whether the limited benefits justify the substantial risks to their sensitive information.

Those concerned about the security of their health information will need to take steps now to remove themselves from the MHR system.

Opt out HERE.

This article has been updated to reflect that the ADHA report on the privacy policies of health apps focused on mental health apps.

Katharine Kemp, Lecturer, Faculty of Law, UNSW, and Co-Leader, ‘Data as a Source of Market Power’ Research Stream of The Allens Hub for Technology, Law and Innovation, UNSW; Bruce Baer Arnold, Assistant Professor, School of Law, University of Canberra, and David Vaile, Teacher of cyberspace law, and leader of the Data Protection and Surveillance stream of the Allens Hub for Technology Law and Innovation, UNSW Faculty of Law, UNSW

This article was originally published on The Conversation. Read the original article.

  • I opted out. I really have concerns over security especially after the Optus drama. An IT company that you would think would have the best security as that’s their trade.


  • I know medical staff who don’t have it themselves or recommend it.
    Not all have the right phones to be able to access it.


  • This is just a scaremongering campaign. All that will be up on there is your scripts and vaccinations basically. The fact is that no one else can access this. You will have the choice to delete anything you want as the account holder. I know as I’ve had the training about this as I work in a medical clinic. Don’t always believe what you hear. Make sure you make a well informed decision.

    • Not scaremongering, even the top IT guys have all said it is not safe.


  • I’m really on the fence about this!!! Hopefully some more information will be given as I really haven’t heard a lot. My partner works remotely and didn’t even know what it was!!! An opt out system definitely isn’t the way to go.


  • I really appreciate this article as I find the whole thing rather confusing. Where I thought I would stay in, this has helped me be more informed and I will be opting out.


  • This is one of those things that is going to be a personal choice.
    I have opted out only to find all that was on my health record was just a prescription for a toothache.
    Does that really matter to anyone?
    Does my dental record matter to my physiotherapist? Answer is no.
    However on another note should a psychologist know what medications their patient is on say if someone had a mental illness?
    Yes, I think that does matter. So really it’s a personal choice based on your own life circumstances not on what someone is telling you what you should do.


  • First of all, I would never advise anyone to opt in or out, it’s a matter of personal choice and some of the information contained in the article is now changing thanks to public pressure. All I can say are the reasons why my family and I opted out on the first day. This system has been in play for a number of years now under a different name. Some people are now only finding out they have a record, some have nothing uploaded to their record while other people have ad hoc stuff and some incorrect information that they’re finding very difficult to change. This system should have always been opt in from the start, however the Government are most likely relying on people being apathetic and or not doing the research themselves. We’ve opted out because anywhere there’s a large amount of personal data is where hackers will focus and it’s not just about them seeing that I had a broken foot or a blood test it’s about all the other personal information that’s stored on My Health Record like the Medicare number, date of birth, address and so on, all the information that a hacker needs to commit identity theft. The record will not be a whole medical history from the beginning to the end either, it’s merely a summary and because the system relies on humans to upload the information and documents it’s a train wreck waiting to happen, just ask the millions of people that were brought into the trial years ago who have nothing or very little on their My Health Record. Also, any system that gives us the choice to add in our own information or remove certain information that’s on the record or direct our GP not to add input information because we find it embarrassing then it stands to reason, that won’t be a record that can be relied upon.
The Health Minister Greg Hunt has recently had a meeting with the AMA and the privacy provisions will be tightened concerning the MHR so for anyone sitting on the fence about this then consider looking for the updates in the news and on the MHR website as there was a huge issue about the police and Government agencies accessing the records, this will now be changed to only with a court order. He’s also considering extending the opt out period and an amendment is to be made concerning the permanent deletion of the record.


  • Another reason for opting in for MyHealthRecord. I am caring for my elderly father and he regularly needs hospital care, depending on the severity of his illness he could be transferred from one hospital to the next due to us living in regional Western Australia. We have had many instances where I have had doctors from one hospital or another calling me up asking what medication he is currently on or what tests he has had previously. When this information should have been documented during the transfer. Also, I continue to get asked about his medical history. When medical history is involved it is not an invasion of privacy, it is a necessity. We do not always visit the same Doctor nowadays or if an emergency occurs get sent to the same hospital. So, it would be extremely helpful for the treating medical teams to have your relevant medical information instead of your having to repeat your entire medical history by memory. I don’t know about you but I always forget about something, even when I have everything written down. Please have a serious think about this before opting out.

    • Totally disagree. Our medical information is some of our most private and confidential information. Please see my comment above, however if you feel it’s right for you and your family then of course you can exercise your right to have the Government opt you in. We’re all different.

      • Also, I meant to say I am my husband’s carer so I do see where you are coming from and all the best.


  • Thought it was a good idea but see now it is becoming “Big Brother” as predicted in a book written long ago. You have given me something to think about, thank you.

    • 1984 by George Orwell sure is scary and big brother is watching you still sticks with me!


  • Thank you very much for sharing this important information.


  • I do not know anyone that plans to stay in – they will all be opting out!


  • I don’t want just anyone to know about my health. The government should have left it as an opt-in. There are many concerns to ponder over before I finally choose what to do


  • This is a quandary for many people.


  • There has been so much conflicting information and, obviously, the harder it is to opt out, the more people won’t. I’m on the fence, but this article tips me over. I’ll be opting out.


  • I even haven’t heard of this! I feel for opting out too.


  • I have opted out my family, you are mad if you don’t. This is one of the most undemocratic things the Government has done, it should have stayed as an ‘opt-in’ option, and to not advertise the fact they changed it and only given it a limited time to opt out is ridiculous. All the big IT people have already said it is very insecure and would be opting out themselves. This is not going to benefit anyone and is purely a control system, and possibilities of selling your information to insurance companies too. OPT OUT! You can always opt in again in the future if they fix it. The UK abandoned a similar thing after only 2 years, and Singapore had their health records hacked.


  • I opted out this morning. It’s personal information and I don’t think people should be able to view it.


  • Our whole family has opted out.

