Note: QIMR have contacted Croakey to correct information in this morning’s story on the use of personal information by DHS. The post has been updated to include this information.
Data security and privacy are vital components of our health system but new revelations have challenged the trust consumers place in governments to keep their medical details secure.
Security processes at the Department of Human Services (DHS) have previously come under scrutiny after the Guardian revealed that Australians’ Medicare details were being illegally offered for sale on the Darknet
But now two more reports have emerged raising consumer and provider concerns about the use of personal medical information by DHS.
Jennifer Doggett reports (below) on these reports and their implications for medical data privacy issues in the long term.
Jennifer Doggett writes:
The Sydney Morning Herald reported yesterday that DHS, on behalf of a research team at QIMR Berghofer Medical Research Institute, sent a letter to people who had previously been prescribed lithium, inviting recipients to participate in a study exploring potential biomarkers for bipolar disorder.
The SMH report states that UNSW psychiatrist Professor Gordon Parker first became aware of a study investigating the genetics of bipolar when a former patient sent him an angry email accusing him of breaching her privacy.
“She was furious with me, believing that she was contacted by Medicare because I had blown her confidentiality,” he said.
But the letter had been sent by DHS on behalf of a research team at QIMR Berghofer Medical Research Institute inviting recipients to participate in a study exploring potential biomarkers for bipolar disorder.
QIMR has confirmed that DHS did not provide them with the names and contact details of consumers who had previously been prescribed lithium but had sent a letter, prepared by QIMR to these consumers on their behalf.
Medicare data used to recruit people with bipolar for research
Patients never consented to this, their GPs & Specialists never consented to this
— Ewen McPhee 🇦🇺👨👩👧👦🇩🇰🇺🇸 (@Fly_texan) July 29, 2019
*Tweets reproduced here may be based on a false understanding that DHS provided consumers’ names and addresses to QIMR*
Centrelink data-matching activities
Another report on the use of personal medical information has revealed that for some time Centrelink has been undertaking data-matching activities using Medicare data to identify cases of suspected welfare fraud.
The activity is detailed in a data protocol published by Centrelink on Friday and first noticed by Darren O’Donovan, a senior lecturer in administrative law at La Trobe University.
The data-matching program targets identity, employment or income-based welfare fraud, the protocol states, noting that combining multiple datasets could be more effective than current methods.
“The data-matching program is designed to detect false, manipulated and assumed identities used by customers in submitting multiple claims,” Centrelink said in the protocol.
These reports prompted a response from some consumers, GPs and psychiatrists concerned about DHS’s data management practices, in particular the provision of personal medical information to third parties.
As far as I know, this is the extent of DHS release of data (though to be honest, how would we know?) But if they are prepared to do this, who are they not prepared to release data to?
— Dr Tim (@timsenior) July 29, 2019
Consumer and provider concerns
Concerns raised via Twitter are that this could undermine trust in Medicare and in consumers’ faith in the confidentiality of information provided to medical practitioners.
This is BIG.
Patients we are trying to protect your data but the race for data mining like gold mining is a business and compliance bonanza for many.
— Karen Price (@brookmanknight) July 29, 2019
Oh, and I should add that there are many Australians who will have left other countries with authoritarian governments to come here, and I dread to think what their thoughts about seeking health care might be.
— Dr Tim (@timsenior) July 29, 2019
Oh yeah. It’s disgusting and possibly harmful. Lithium isn’t only used in bipolar disease too. So fail on that.
Ethics & research are not elements you just play with.
There is an enormous power differential here. I have patients that would go off the rails with this.
— Karen Price (@brookmanknight) July 29, 2019
Despite these concerns, it is not clear that DHS has breached any privacy conditions or policies in sending the letter to consumers who had previously been prescribed lithium on behalf of QIMR.
Information on the Department of Human Services’ website provides details of DHS’s management of Medicare data.
This information states that DHS ‘routinely’ provides consumers’ personal information to a broad range of organisations and individuals, including:
- Other Federal and State/Territory Government departments and agencies
- Australia Post
- Contracted translator services
- Contracted service providers
- Educational institutions and private providers of education and training
- Financial institutions for the purposed of identity matching.
- Insurance providers for the payment of compensation claims
- Private debt collection agents, for the purposes of recovering debts to the Commonwealth
- FOI applicants, in accordance with the provisions of the Freedom of Information Act 1982
- Employers, in relation to Paid Parental Leave,
- The Family Court of Australia
Although personal information was not provided to QIMR for this study, it appears that the provision of personal information to third parties could be possible under current guidelines. The DHS document states that it provides personal information to:
- The Australian Institute of Health and Welfare, for the purposes of Commonwealth data integration projects, for health and welfare research
- Study bodies, applicable ethics committees and relevant departmental policy departments (for identified consent study participants)
- Requestors of data for statistical and research purposes
- External companies conducting statistical analysis and market research to improve service delivery
The concerns raised by commentators indicate that this is an issue of importance to many consumers and providers and one which raises questions about how personal data is managed by government authorities and used by researchers.
This can be a particularly sensitive issue for people with a stigmatised condition, such as a mental illness or HIV/AIDs, and for population groups, such as Aboriginal and Torres Strait Islanders, who have a history of discrimination and marginalisation by governments and may have different cultural practices in relation to health information (for further details on this see the National Aboriginal and Torres Strait Islander health data principles, developed by the National Advisory Group on Aboriginal and Torres Strait Islander Health Information and Data.)
The role of Ethics Committees
It is not clear whether the potential for consumer concern over this study was raised by the Human Research Ethics Committee (HREC) approving the study, which includes lay people, people with a pastoral care role and health care providers, did not pick this up in their assessment of the research grant application. Their role is to represent the community and raise issues that may not be formally addressed in legislation or guidelines but which might cause concern in the community.
In assessing research applications, HRECs are required to follow the Guidelines under Section 95 of the Privacy Act 1988 which state:
Medical research is important for providing information to help the community make decisions that have an impact on the health of individuals and the community. However, it should be carried out in such a way as to minimise the intrusion on people’s privacy. Optimally, this is done by obtaining the informed consent of participants prior to using their personal information. Where this is not practicable, de-identified information should be used.
They have the info because they look after Medicare (well one of the Depts that does). Govt Depts don’t have data for private scripts and appts as they don’t fund them. How the data has been used is a different story to holding it. I am rather surprised it got thorugh ethics.
— Arlene Taylor (@dr_arlenetaylor) July 29, 2019
Health groups have not (so far) commented on this issue or more generally on this issue.
However, the Final Report of the Independent Review of Health Providers’ Access to Medicare Card Numbers (instigated after the revelations that Medicare data was being sold on the Darknet) did include comments from key health groups on the importance of consent when providing Medicare details to health providers, including the following:
Consent should be a requirement for a health service provider to access an individual’s Medicare card details in non-urgent or long-term treatment care. – Australian Healthcare and Hospitals Association
Informed patient consent is a fundamental principle in health service delivery. CHF believes that obtaining patient consent should be an explicit requirement for a health professional to obtain the patient’s Medicare card number particularly for instances where the patient is otherwise unknown to the practice. – Consumers Health Forum of Australia
More consultation needed
These issues indicate a broader need for consultation with consumers and providers about how to manage personal health information and how to protect consumers’ privacy, while also facilitating the provision of health care and supporting medical research. The capacity for collection and use of medical data has exploded in recent years and current privacy policies and practices have not kept pace with these developments.
The Privacy Act dates back to 1988 (although it has been amended many times since then) and the guidelines for HRECs were produced in 2014 – a generation ago in health data years.
Issues such as this also have broader implications for other Government initiatives involving personal health information, such as MyHealthRecord. The linkage of personal health data from different sources has the potential to significantly improve the continuity and efficiency of care within Australia’s fragmented health system.
However, unless consumers are fully consulted and given accurate information about how their personal data is stored and used, their lack of trust in government will undermine the potential of these initiatives to deliver these benefits.