Wednesday, 12 December 2018

Do you know whose hands have harvested your medical information?



The Medical Republic, 7 December 2018:

An investigation by The Medical Republic has revealed state, territory and federal police forces have sent around 2,600 requests a year for this sensitive health data to the Department of Human Services over the past two years. The department can legally disclose private health records to the police without a court order.

The department would not reveal how many of these requests were granted, but said the number of disclosures per year had remained stable over the past decade.

Once linked, Pharmaceutical Benefits Scheme (PBS) and Medicare Benefits Schedule (MBS) data, can paint a very detailed picture about a person’s medical history.

PBS data includes every rebatable medication purchased at a chemist. MBS records show which Medicare item numbers were billed for during each consultation, and what tests were ordered.

This information is as sensitive as MHR data, although it lacks the granularity of laboratory test results or GP notes, which can be included in a MHR. In November, the federal parliament passed legislation requiring police to produce a court order to access MHR data.

“This begs the question as to why similar protections are not being enacted in the MBS and PBS legislation,” Malcolm Crompton, a former privacy commissioner of Australia and founder and lead privacy advisor of Information Integrity Solutions, told The Medical Republic.

The legislative inconsistency was an “undeniable oddity” especially because most of the content of a MHR would, at least initially, simply be MBS and PBS data, he said.
Data sharing between the Department of Human Services and the police is shrouded in secrecy, with decisions being made behind closed doors by unnamed officials using an undisclosed set of public interest guidelines, which were issued by the secretary of the Department of Health in 2003.

The human services department has refused to make its 18-page privacy guidelines public under FOI laws, citing concerns that agencies might use their knowledge of the guidelines to trick the department.

“Specifically, with the benefit of having reviewed the document, requestors may construct their requests in a manner that undermines the department’s procedures (e.g. by misleading the delegate) in order to secure the disclosure of the requested information,” an FOI decision maker said…..
The department eventually provided a single case study for police use of private health data, four months after initially being asked about the purpose of disclosing this data, and only after The Medical Republic’s investigation exposed the scale of police requests.
The case study describes a scenario where the police are making an enquiry about a missing person whose safety is in question, and are using MBS and PBS claims information to determine whether the missing person had seen a doctor, obtained medications or updated their contact details.

The Medical Republic contacted each state, territory and federal police force for this investigation, but only the NT Police confirmed how many times the department had provided patient information.

The NT Police, Fire and Emergency Services made an average of 26 requests per year for private health data, including current contact details, next of kin, MBS or PBS records.

All of these requests were successful, and all were made without a court order. “Requests are not made under court order but rather must satisfy certain criteria,” Detective Acting Superintendent Peter Kennon said.

“That is it must be for a missing person or in relation to an offence with a penalty of two years or more imprisonment or 44 penalty units (about $6,000), and be in the public interest.”

The department is obliged to report the number of times it has disclosed linked PBS and MBS data to law enforcement authorities on an annual basis to the Office of Australian Information Commissioner (OAIC).

The Medical Republic obtained a copy of the OAIC reports, which showed that the DHS gave linked MBS and PBS data to police five times in 2016-17, but did not disclose data given to police in the previous three years.

“Most of the public interest disclosures the department makes to law enforcement agencies do not need to be included in our annual reports to the Privacy Commissioner,” a department spokesperson said.

The department only has to report the disclosure of “linked” MBS and PBS data to police. The word “linked” is not defined in the legislative instrument, so in practice, the department appears able to apply a definition that minimises its reporting obligations.

MBS and PBS data was only “linked” if the information was “combined, joined or merged”, a department spokesperson said. “The mere extraction of an individual’s MBS and PBS claims information into separate documents does not constitute linking for the purposes of the guidelines, even if those documents are sent to the same email address,” the spokesperson said.

“The department seems to be playing with semantics in order to avoid complying with the intention of the guidelines,” Dr Robertson-Dunn said.


No comments: