The Victorian Government’s Health Legislation Amendment (Information Sharing) Bill 2021 was rushed through its first parliamentary vote on 14 October 2021, raising many unanswered questions for patients and health care professionals in that state.
The purpose of the Bill, as stated in the preliminary section of the legislation, is twofold:
- to establish a centralised electronic system to enable public hospitals and other specified health services to share specified patient health information for the purpose of providing medical treatment to patients; and
- to provide for public hospitals and other specified health services to collect and disclose specified patient health information to the Secretary for the purpose of establishing and maintaining the Electronic Patient Health Information Sharing System.
We believe the law will allow the Victorian Government to “establish a centralised electronic patient health information sharing system for participating health services” going back 5 years. The Bill mentions denominational hospitals, metropolitan hospitals, residential care services, and other specified services, including mental health, community health and ambulance. Where the grey area lies is in the Bill’s future potential to affect private practice, particularly in rural areas, where the duties of rural doctors in hospitals often overlap public and private systems.
We understand that every Victorian will be given a unique patient identification number, and that the Secretary can request information and identification on any patient from the participants and enforce compliance with this request, as outlined in Sections 3 (b) and 4 of the Bill.
The data collected and linked by the proposed new Victorian Government medical records portal will be exposed to a large number of end users, such as government agencies and linked businesses across Australia, subject to the Secretary’s control. The data will contain each patient’s current and historical medical and health information.
The law blocks individuals’ ability to consent to or opt out of the process, to control access to their sensitive information, and to limit access to certain parties.
Section 134ZL, No consent required
- A participating health service may collect, use or disclose specified patient health information as permitted or authorised by this Part without the consent of the person to whom the information relates.
- The Secretary may collect, use or disclose specified patient health information as permitted or authorised by this Part without the consent of the person to whom the information relates.
Put plainly, this legislation allows agents of the Victorian Government a complete record of every Victorian person’s most sensitive and private information. The Bill does not specify details of the complete record, so we assume this includes all GP records, mental health details, community health records, and admission to hospitals and so forth.
The powers embodied in the Bill are unprecedented. We believe it risks the health and wellness of some individuals who decide not to seek clinical attention for potentially life-threatening or serious conditions.
The Australian Privacy Foundation (APF) has been unable to locate the Privacy Impact Assessment (PIA) supporting the Bill. The PIA, if conducted, must be published in the public domain if Victorians are to trust the Bill.
Why does the Victorian Government need to harvest and store such a rich database of patient information?
The Australian Doctors Federation (ADF) and the APF are alarmed by the content of the legislation, as well as the haste and lack of consultation with which it was executed.
Some of the serious questions raised by this legislation include:
- Will clinicians be required to enter information into the system, and how will this affect their current workplace duties and duty of care?
- To whom will the government grant access to the information in the central patient record (third-party use), and how will this be regulated? This is an issue one of the authors of this article raised a few years ago relating to My Health Record.
- Why are key privacy principles being suspended for this system?
- What sort of database technology is involved? How will cybersecurity infiltration, exfiltration or other abuses be detected or prevented?
- Will this new central system be used to enforce the government’s coronavirus disease 2019 (COVID-19) policies, or any other aspect of government policy?
- Who bears responsibility and liability for the accuracy, currency, completeness and relevance of the data, data breaches or other abuse?
- What rights and compensation will patients be afforded when mistakes are made and abuses occur?
Both the APF and ADF maintain that quality health care requires patient trust and confidence, protection of patient–doctor confidentiality, with access to top class health informatics and high integrity data.
Unfortunately, governments have a weak track record for implementing robust and trustworthy systems (for example, Robodebt, the COVIDSafe app, and data breaches).
We strongly recommend that the proposed legislation not proceed until these and other key questions are publicly debated, carefully scrutinised and resolved.
David Vaile is Chair of the Australian Privacy Foundation.
Dr Juanita Fernando is Adjunct Research Fellow in Medical Education Research and Quality at Monash University. She is chair of the APF’s Health Committee.
Stephen Milgate AM is a Director of the Australian Doctors’ Federation.
Dr Shirley Prager is a psychiatrist in private practice in Melbourne.
Dr Aniello Iannuzzi is Chair of the Australian Doctors’ Federation. He is a rural GP