Leaked documents from the My Health Record Expansion Program steering group point to a variety of concerns the group had about the system.

The documents, obtained by the Healthcare Information and Management Systems Society, reveal a number of questions the steering group had about the system, and include the Australian Digital Health Agency’s responses.

In particular, the group asked the ADHA about the system's cyber security precautions, and whether it would be better to include default passcodes on the records.

The ADHA rejected the suggestion, however, saying that putting default passcodes would “effectively render the system opt-in.”

“Currently there are 6 million Australians where less than 1 per cent of people have set access controls,” the ADHA response said.

“MHR is a secure system where only healthcare providers involved in an individual’s care are able to access a record.”

The agency also said it has published an Information Security Guide for Small Healthcare Businesses.

The guide is targeted at the roughly 900,000 healthcare providers that can potentially use the system and offers "simple guidance for non-technical health professionals on issues such as privacy, passwords, software updates, back-ups and staff security awareness.”

The steering group also raised concerns about the system’s protections for children under the guardianship of the government; for children in current domestic disputes; and for victims of domestic abuse where perpetrators might use MHR to monitor victims.

The ADHA responded that users have the ability to change the people nominated to access their accounts, while children will be protected through a variety of processes built into the system.

It said it was “working with jurisdictions and DHS to ensure that an individual’s safety is not jeopardised by information potentially found in their My Health Record.”

It also said it had made a fact sheet for 14-17 year olds to raise awareness of the system and provide guidance on how to control their record.

Updated Bill

The leak comes a week after the My Health Records Amendment (Strengthening Privacy) Bill 2018 was read to parliament.

The new Bill, currently Referred to Committee with a report due on October 8, was a response to the significant backlash against the My Health Record Scheme and is designed to tackle some of the key security concerns raised by industry groups and citizens.

“The bill will remove the ability of the system operator — that is, the Australian Digital Health Agency — to disclose health information to law enforcement agencies and other government bodies without a court order or the consumer's express consent,” said Health Minister Greg Hunt.

“The bill will also require the system operator to permanently delete health information it holds for any consumer who has cancelled their My Health Record.

“This makes it clear that the government will not retain any health information if a person chooses to cancel at any time.”