My Health Record emergency access

Automated Introduction: Welcome to the Australian Digital Health Agency podcast, supporting health professionals to realise a healthier future for Australians through connected healthcare.

Dr. Andrew Rochford (Facilitator): Welcome to the Agency’s podcast series. I'm Dr. Andrew Rochford and I will be your host for today's podcast. Before we begin, I would like to acknowledge the traditional owners of the land on which we are broadcasting from and in which you are listening. I wish to acknowledge their continuing connection to the land, sea, and community. I pay my respects to them and to Elders past, present, and emerging, and extend the respect to any Aboriginal and Torres Strait Islander peoples joining us today.

In this podcast, we will be exploring the appropriate use of the My Health Record emergency access function by healthcare providers. There are legislative requirements that must be followed when using this function. These are outlined under section 64 of the My Health Records Act of 2012.

Essentially, this is a ‘break glass’ function and it is expected that it will be rarely required. Any unauthorised use of the function is considered a contravention of the My Health Records Act 2012 and may constitute an interference with the privacy under the Privacy Act 1988. Today, our panel will discuss the key things that healthcare providers need to know when deciding if it is appropriate to use the emergency access function.

It is my pleasure to introduce today's panel. We have Jennie McDonald, the Director of Compliance Outreach. Dr. Xiu Lee, Emergency Physician and Agency Clinical Reference Lead. Neil Fraser, Deputy Chief Executive Officer, Positive Life NSW, and Agency Consumer Adviser. And Diana Weston, Assistant Director of Regulation and Strategy Branch, Office of the Australian Information Commissioner. So, to kick things off, my first question is a fairly straightforward and simple one. What is the emergency access function, Jennie?

Jennie McDonald (Director Compliance Outreach): Thanks Dr. Rochford. That's a great question and it's actually helpful for us to take a step back, before we look at what emergency access, and to consider how the My Health Record system is set up to enable healthcare providers to access information. Essentially healthcare provider organisations have an authorisation under the My Health Records Act to enable them to access information in a healthcare recipient’s record for the purpose of providing healthcare, so long as that access occurs in accordance with access controls. Which then leads to, of course, what are the access controls? Access controls are simply some settings that people can put in place on their record to control the way in which healthcare provider organisations can access their information. A person can choose to lock down their entire record by setting a Record Access Code. They can also choose to restrict particular documents within their record, and they can set a Limited Document Access Code which they can share with healthcare provider organisations to enable them to access those restricted documents. The emergency access function enables healthcare providers to bypass any access codes that may have been set if that access is required to lessen or prevent a serious threat to a person's health, life, or safety.

Dr. Andrew Rochford (Facilitator): Is it true however in practice, that there's few healthcare recipients actually choose to set any access controls?

Jennie McDonald (Director Compliance Outreach): The majority of people choose to keep their record with general access settings, which is probably because most people recognise that it's really helpful for healthcare providers to be able to access information in their My Health Record so that they can provide appropriate care.

Dr. Andrew Rochford (Facilitator): Diana, do you have anything else to add that we should know when it comes to being aware of the emergency access function?

Diana Weston (Assistant Director, Regulation and Strategy Branch Office of the OAIC): Sure, thanks Dr. Rochford. Well, there are a few key points that all healthcare providers should know when they're using the emergency access function. One of those is that healthcare recipients be informed about the use of the emergency access. All use of the My Health Record system is recorded in a person's My Health Record access history, which can be viewed by the healthcare recipient themselves or any authorised or nominated representatives that they have, that can also access their record. In addition, some healthcare recipients may have also set up some notifications. So, they may also receive an e-mail or an SMS, letting them know that the emergency access function has been used and that a healthcare provider has viewed their record in those circumstances.

Another thing that healthcare providers should really think about when they're using the emergency access function is whether it's reasonable. So, when we look at section 64, that legislative provision includes the words ‘reasonably believe’. That means you must reasonably believe that the access is necessary to lessen or prevent a serious threat. A good way of testing that is check with an appropriately informed person, so that may be the clinician standing next to you. A quick check in to say, you know, do you think we need to use the emergency access function in these circumstances? Another thing that healthcare providers need to keep in mind when they've used the emergency access function, always document why you've used it and note down the details of the serious threat that you were trying to prevent. Also, make sure you keep a record of why it was unreasonable or impracticable for the person to provide their consent to you to override those restrictions that they may have set on their record.

There's no set way for you to make these records. I would probably recommend just using your usual record keeping processes. So that could be your local clinical information system or your practice management software, but it's really important that you do keep a record because later down the track you may get a query from the healthcare recipient who's looked up their access history and maybe confused as to why that emergency access was used in that situation.

You could also get a request from the Australian Digital Health Agency for further information about your use of the emergency access function. Or you may get an inquiry for example from our office, the Office of the Australian Information Commissioner. We are the independent privacy regulator for the My Health Record system, and we may have received a complaint, or we may be undertaking investigations about potential inappropriate use of the emergency access function. Or there may be some other sort of investigation or inquiry, such as the coronial inquest. Once you do get emergency access, your organisation will have that access to any restricted information for five days. Once that five-day period ends, the access level for your organisation will revert to the usual access level.

Dr. Andrew Rochford (Facilitator): Jennie?

Jennie McDonald (Director Compliance Outreach): Yes, I just thought it might be helpful to explain a little bit more about the requirement for it being unreasonable or impracticable to obtain the healthcare recipient’s consent. In the context of emergency access the consent is provided when the healthcare recipient gives the healthcare provider organisation their Record Access Code or their Limited Document Access Code. If it's not reasonable or practicable for them to provide those codes for whatever reason, for example, them being unconscious, that requirement would then be met.

Dr. Andrew Rochford (Facilitator): Thank you. Xiu, did you have anything to add?

Dr. Xiu Lee (Emergency Physician and Agency Clinical Reference Lead): Other point to consider is, what classifies people being able to use the emergency access? Just because you work in an emergency department doesn't necessarily mean you can use the emergency access. It needs to fulfill the criteria of the access being needed to reduce harm to the person if there’s a threat to their life or their health. And very rarely for public health matters, and because there’s certainly lots of other reasons why you might think it might be useful to have information, but it doesn't really fulfill the criteria of it being that much of a threat to them. And you also have to have the criteria they can't reasonably or practically provide consent. So can't really just use emergency access just because they happen to be in an emergency department and you're also in an emergency department.

Dr. Andrew Rochford (Facilitator): That's a very good point. Neil, did you have anything to add here?

Neil Fraser (Deputy Chief Executive Officer, Positive Life NSW, and Agency Consumer Adviser): I was just going to add in there around looking at this from a health consumer’s perspective. So, there's probably two things you need to know. First one is that I very much love my motorcycle riding, but the second one is I'm also a person living with HIV. I've gone in and used the access controls a number of times for My Health Record. There have been times where I've restricted access to be able to see not only my pathology results, but also what medications I’m prescribed, purely because those medications are only prescribed for HIV. I've also then made conscious decisions to reopen or provide that access again, because if I do present in hospital and I'm unconscious knowing my HIV status as well as my medications is important to my healthcare in that situation.

Dr. Andrew Rochford (Facilitator): So, what information can you see when you use the emergency access, Jennie?

Jennie McDonald (Director Compliance Outreach): When you use emergency access, you will be able to see any restricted documents within a person's My Health record as well as any information that is not restricted. There's some information however, that you won't be able to see even using emergency access. That includes information that a person has written in their personal health note and any documents that have been removed from the record or hidden. It is important to remember though, that a My Health Record is not a full clinical record. It doesn't give you access to a person's entire medical history because the My Health Record system only started in 2012, so anything that occurred prior to that won't be in there. Also, not all information is uploaded to the My Health Record in the first place.

Dr. Andrew Rochford (Facilitator): A question I really want to know the answer to is, what should you do if there's not a serious threat, like we've discussed, but your patient can't remember their access code?

Jennie McDonald (Director Compliance Outreach): If there's not a serious threat, but a person is not able to remember their code, a person can log into their My Health Record via my Gov or a My Health Record app. Or they can telephone the My Health Record help line. So that number is 1800 723 471. The number is also listed on the My Health Record website. The customer service officers can provide assistance with resetting a person’s Record Access Code, or Limited Document Access Code if requested by that healthcare recipient.

Dr. Andrew Rochford (Facilitator): What I'd like to do now is give the panel an opportunity to run through some examples, of when it may or may not be appropriate to use emergency access. But I'd like to start by reminding our listeners that we are going to be discussing scenarios of a general nature, and please remember that this is not legal advice and scenarios are illustrative examples only. Just to give everyone listening a better idea of when they may or may not use emergency access. So, I'm going to kick things off with you Diana, do you have a scenario that you could offer our listeners that might help them understand a little bit more about emergency access?

Diana Weston (Assistant Director, Regulation and Strategy Branch Office of the OAIC): I would like to just talk a little bit about an example where we're looking at a situation, where there is not a serious threat to an individual's life, health or safety. In this example we have a patient who presents to an emergency department with a broken leg. The patient appears to be otherwise fit and healthy and is able to talk to the clinician and advise that they do not take any regular medications and that they don't have any allergies. The patient's happy for the clinician to access their My Health Record, but they have set up a Record Access Code which they can't remember. Here we have a situation, where the legislative requirements for using the emergency access function have not been met. Even though we're here in an emergency department setting, that doesn't necessarily mean you can use the emergency access function. In this circumstance the clinician has determined that the broken leg is not a serious threat to the patient’s life, health, or safety, so the first part of the test in the legislation in section 64 has not been met.

Dr. Andrew Rochford (Facilitator): Thanks Diana. Neil, do you have a scenario that you could offer, potentially one that's focused around a serious threat?

Neil Fraser (Deputy Chief Executive Officer, Positive Life NSW, and Agency Consumer Adviser): I mentioned before, I enjoy motorcycle riding, and this was actually a scenario that happened to me. I had a motorbike accident and the first thing I did was jump up and ask, is my motorbike fine? And the second thing that I remember was laying down because I was feeling quite lightheaded. I wasn't awake obviously at this point and I was rushed to a trauma hospital where I was immediately admitted in for surgery. I had internal bleeding and a collapsed lung. So, in this scenario, I think they were able to confirm who I was by looking at both my license and Medicare card, but the hospital had never seen me before. It was my first time there and I was unconscious. So, in this scenario, the emergency department staff would make a decision to be able to use that emergency access to get access to my health information, particularly when they're trying to treat a serious threat to my health. This would be an appropriate use for healthcare providers to use the emergency access function.

Dr. Andrew Rochford (Facilitator): Thanks, Neil. Xiu, do you have a scenario that you can offer to our listeners to help them understand a little bit more about emergency access.

Dr. Xiu Lee (Emergency Physician and Agency Clinical Reference Lead): Yes, happy to discuss another scenario, covering where it's impractical to obtain consent and perhaps unreasonable, but also maybe discuss a little around other options for emergency access where sometimes someone may have nominated another authorised representative who may be able to provide access instead. So, one not uncommon scenario is where an elderly resident is brought into emergency from their aged care facility after having had a fall, and with evidence of head trauma and with an altered level of consciousness. And documentation from the aged care facility tells you the patient has dementia and provides some contact details for a relative who has enduring power of attorney. Patient is unable to give you a good history, unable to give you an account of their access code, and the documents are restricted, and it's going to be difficult to determine whether that is perhaps an underlying condition, if they have advanced dementia or from the head injury.

You, in this instance, would have the criteria of potentially serious threat to the individual, because they could have serious head trauma and potentially deteriorate from there. You would want to know what their background history is. However, the consent would be difficult to obtain if they're unable to give you a good account of things, and they can't tell you their access code. And in this instance, your option would be to contact the relative who might be able to provide you the access code they have on the patient’s My Health Record. And just saying, sometimes people will have besides them directly, they'll have a nominated representative who can then act on the behalf of the patient and be able to give you the access code. In that instance, you would not use emergency access, but you would attempt to obtain the code from the nominated representative and next of kin. And if you are not able to contact the nominated representative or next of kin, then you would have the criteria for being able to use emergency access, because we do want to reduce or prevent serious threat to that patient's life, health, and safety. An important point would be, as I said, to definitely document your decision making around that just so there is a record for why you've chosen to use emergency access.

Dr. Andrew Rochford (Facilitator): One question that does come to mind is, what happens if the emergency access function has been used inappropriately, Diana?

Diana Weston (Assistant Director, Regulation and Strategy Branch Office of the OAIC): This could be a contravention of the My Health Records Act. Contravention of the My Health Records Act is also considered an interference with privacy under the Privacy Act 1988. If you do become aware that there may have been a contravention or there has been a contravention of the My Health Records Act using the emergency access function, there are certain obligations under section 75 of the My Health Records Act around reporting of that inappropriate use or unauthorised use. As soon as you become aware that that has occurred or may have occurred, you must notify the system operator as well as the Office of the Australian Information Commissioner as soon as practicable. This includes using emergency access function just by mistake where you shouldn't have used it.

Failure to notify an actual or potential data breach where you're involved could result in a civil penalty of up to 1500 penalty units. This could equate to $330,000 for an individual or even higher if you're a corporation. Separately to the data breach requirements, unauthorised use of the emergency access function could result in other penalties under the My Health Records Act or under the Privacy Act. There could be things like an enforceable undertaking or where there's been a complaint made, the Information Commissioner could make a determination where compensation is provided for the individual that suffered an interference with their privacy. And for any healthcare providers that have any questions or want a bit more information about the data breach obligations, please do look at the OIAC's website. We do have some great resources for healthcare providers around what their data breach obligations are and what you should do if you experience a data breach in the My Health Record system.

Dr. Andrew Rochford (Facilitator): Now might be a good time to give our listeners an opportunity to find out where they can learn more. So where can healthcare providers get help, Diana?

Diana Weston (Assistant Director, Regulation and Strategy Branch Office of the OAIC): Thanks Dr. Rochford. Well yes, the OAIC has just released some new guidance materials for healthcare professionals, specifically around the use of the emergency access function. They're available on our website which is www.oaic.gov.au. There's some online guidance about emergency access which has some really practical examples, some of which we've discussed today and in the podcast. There's also a set of frequently asked questions, and there's a printable flow chart, which is sort of designed to help your decision-making process. And again, it's printable, so we encourage healthcare providers to print that out and sort of pop it next to the computer where you may be accessing the My Health Record functions. Additionally, we've got a lot of other resources generally around the My Health Record system. We have our guide to mandatory data breach notification in the My Health Record system and a fairly new resource that's been well received, which is the guide to health privacy, which is more generally about healthcare providers, privacy obligations under the Privacy Act, so we'd really encourage you to have a look at all of those resources.

Dr. Andrew Rochford (Facilitator): Jennie?

Jennie McDonald (Director Compliance Outreach): In addition to the range of resources that Diana has just outlined, the Australian Digital Health Agency has information on the My Health Record website. Including information about use of emergency access and a range of other information about how to use the My Health Record system, various training resources that you can access and guidance that you can share with your healthcare recipients in relation to the My Health Records system and how to set access controls if they wish to do so. You can access those resources by visiting digitalhealth.gov.au.

Dr. Andrew Rochford (Facilitator): Why is it important to enable healthcare providers to access all available My Health Record information in an emergency? Neil?

Neil Fraser (Deputy Chief Executive Officer, Positive Life NSW, and Agency Consumer Adviser): Thanks, Andrew. I think beyond the relationship I have with my parents, sadly, the next longest relationship I have is with my healthcare providers as a person living with HIV. I'm regularly in attendance with a number of different services. And for me, sometimes it can be a bit of a challenge to remember everything I need to be able to tell them when I'm presenting, whether or not that's because I've kicked my toe or another episode I had, which was an issue relating to my heart. Being able to give the information that's necessary can sometimes be quite challenging as a health consumer. So being able to give healthcare providers access to My Health Record for me is important to make sure the care that I'm getting is the best care available to me.

Dr. Andrew Rochford (Facilitator): How is this scenario any different from in the past when it came to accessing a patient's private medical records? Xiu?

Dr. Xiu Lee (Emergency Physician and Agency Clinical Reference Lead): I would say it is in a lot of ways and maybe it's an easier way for people to think about how to approach this. It's kind of similar to what we do in probably what's called the old school method. Sometimes when patients come to emergency and you don't have the information you require and you need to contact, say their general practitioners or another hospital that might have those records. And typically, you need to submit a request to them, and you have an information consent form on it. If the patient is able to sign it to say yes, I approve of you obtaining my medical records from someone else. You get them to sign it, which is very similar to them consenting, and therefore you don't need the emergency access. There are going to be situations where you need the information, but patients can't sign that form. Say as in these scenarios they're unconscious or they're critically unwell, and in that instance, you can then signal or write in the document back, they're unwell or critically unwell, they can't sign this form, but I'm still submitting my request. Can I have the information please? And sort of that I guess would be similar to using the emergency access function in this instance, where you have a very valid reason, threat to patient health and safety, and they can't provide consent and it’s sort of similar to you submitting that same sort of request. That’s maybe a slightly easier way to think about how to approach this.

Dr. Andrew Rochford (Facilitator): Thanks Xiu, was there anything else that anyone wanted to add?

Jennie McDonald (Director Compliance Outreach): I just thought it might be helpful to refer back to one of the things we said at the beginning of the podcast, which is that the My Health Record Act provides an authorisation for healthcare provider organisations to access information in a person's My Health Record for the purpose of providing healthcare. And that authorisation is a standing authorisation, so they don't need to ask you every time. So long as that access occurs in accordance with any access controls that a person has put on their record.

Dr. Andrew Rochford (Facilitator): I'd like to say a big thank you to Jennie, Neil, Xiu and Diana and thank you for listening today. We hope that you will join us again next time. You may also be interested in previous podcasts made by the Australian Digital Health Agency, covering the topics of electronic prescriptions and cyber security.