As of July 2018, the Australian Digital Health Agency (ADHA) appears to have no detailed policy or process for releasing My Health Record data to support regulatory and legal requests.
The only internal policy guidance appears to have been the agency's commitment, stated publicly, not to release data except "where the agency has no discretion", such as when responding to a court order.
This state of affairs was revealed in documents released on Friday under a Freedom of Information request made on July 25 by infectious diseases physician Dr Trent Yarwood, who represents Future Wise on e-health and privacy matters.
"I request a copy of any documents (for example a work instruction or procedure) which applies to release of myHealthRecord data held by Digital Health Australia as the myHealthRecord Act in response to a request from an enforcement body under Section 70(1) of the My Health Record Act," he wrote.
"I request the final version of the document, which is in effect today, 25th July 2018."
After a certain amount of to-and-fro, which Yarwood has detailed in a blog post, only two redacted documents were released.
The first document is a discussion paper [PDF] for the ADHA board meeting of June 14.
It outlines the ADHA's authority to release data for law enforcement and other purposes under Section 70 of the My Health Records Act 2012; notes the existing policy; and says the board should "provide advice on whether it supports this position going forward".
There seems to have been concerns about public perception. Even though the powers to release data for law enforcement are separate from the so-called "secondary use powers and process", something that is still to be set up, the discussion paper notes that "this distinction would not be recognised by the broader community".
"If the agency were to release MHR information for law enforcement purposes, it is possible that the community could confuse this with our commitments about implementing the Framework for Secondary Use with the Australian Institute of Health and Welfare (AIHW), including governance and other protections."
The second document is a page from the minutes [PDF] of that same board meeting.
"The board discussed this matter with the agency executive and requested further advice on the implications to the agency as the system operator [the term used in the My Health Records Act]," it said.
The minutes record as an action item that the board be provided with advice to answer "Who is the system operator?" and a "policy that describes the framework for responding to data requests".
This was due to be done by the board's next meeting in August.
All of this raises a number of questions, says Yarwood.
"There is no official procedure, but just a position statement from the board," he wrote.
"This, depending on how charitable you are feeling, would either directly contradict the minister's repeated and emphatic statements that there was and it didn't allow the release of information; or at the very least mean that the interpretation of 'policy' seems to be loose enough that 'feelpinion from the board' now counts as a policy."
Another explanation could be that a policy or procedure exists, but failed to turn up as the documentation management of ADHA is "pretty terrible", Yarwood posited.
"It's of significant concern to me that the board is seeking advice as to ADHA's role as the system operator. Surely this should be a pretty fundamental issue for them to have some grasp of."
Legislation currently making its way through Parliament should clarify the situation.
The My Health Records Amendment (Strengthening Privacy) Bill 2018 proposes requiring "an order of a judicial officer" before data can be released, and would limit the situations under which such an order could be made.
On Monday, the Senate Community Affairs Legislation Committee recommended that the Bill be passed. On Thursday, the Senate Community Affairs References Committee recommended further privacy controls on My Health Record, as well as an extension of the opt-out period for another year.
Yarwood remains sceptical.
"Overall, I think the interpretation of 'the policy says no' is a bit of stretch, and I'll be watching carefully to make sure that the amendments to the My Health Record Act achieve the objectives of protecting access to patient data without judicial oversight," he wrote.
"The government has moved to make a number of amendments to the My Health Records Act 2012 to ensure no information stored in the My Health system can be released to police or other government agencies without a court/ coronial or similar order. This matches the existing Agency operating policy," they said.
"I can assure you that no documents have been released in the last six years and none will be released in the future without a court order. The amendments will remove any ambiguity and ensure the Agency's operating policy is enshrined in legislation."
A comprehensive review of Australia's centralised digital health record has recommended extending the opt-out period by another 12 months while privacy controls are significantly tightened.
An Australian senate committee has recommended passing the My Health Records Amendment (Strengthening Privacy) Bill 2018, but Labor senators have lashed out at the government's "stubborn refusal" to fix further problems.
Australia's federal opposition party wants guarantees that My Health Record will never be privatised or commercialised, and that health data will be kept far away from private health insurers.
Australia has spent billions of dollars for 'nothing really useful', according to leading internet policy commentator Mike Godwin, and the proposed anti-encryption laws are 'inhumane, wrong, anti-democratic'.
Many of the concerns about Australia's centralised digital health records are real, but the abstract, hand-wavey arguments aren't persuading people outside the digital privacy bubble.
Fewer people are opting out of Australia's centralised digital health record system than expected, but critics are still slamming the "poorly controlled" and rarely used access rules.