The Senate inquiry into the My Health Record system has called for access controls to be applied by default, with individuals having to choose to remove access codes themselves, and for the current opt-out period to be extended for a further 12 months.
It has also called for stronger restrictions on using My Health Record data for secondary uses, commercial purposes, for employment or insurance purposes, or to enable the government to recoup revenue.
The report by the Senate Community Affairs References Committee was tabled in the Senate on Thursday by the committee chair, Senator Rachel Siewert of the Australian Greens. The inquiry received 118 public submissions.
"I think that the number of submissions demonstrates the importance of My Health Records to the community, but also the importance of getting it right ... It's very clear that the community want their concerns to be heard, of which there are many," Siewert said.
"Although we did hear many concerns, overall it's fair to say that the purpose of the My Health Record system is supported, and people recognise the benefits that a properly -- and I reiterate the word 'properly' -- executed digital record will have for both individuals, but also for the broader public health for our community," she said.
"A key theme of the recommendations, and what the committee heard, is the need to ensure that the information in a record is used for as person's health only."
The 14 recommendations are, paraphrased:
Government senators, in a dissenting report, have rejected three of the recommendations.
Applying access codes by default would represent a "serious implementation challenge for many Australians", particularly those "who did not (or could not) want to receive their PIN online".
"Asking for a PIN, and requiring consumers to remember their PIN, will interrupt the clinical workflow and impede use of the record... Both the clinician's and the consumer's time will be wasted while the consumer attempts to remember or locate their PIN," they wrote.
"The proposal would also in practical terms effectively return the My Health Record to an opt-in participation model."
Coalition senators rejected the call for data to not be made available for secondary use without the individual's explicit consent.
"We do not support this recommendation as this would be inconsistent with the Government's general opt-out approach to My Health Record," they wrote, pointing to the secondary use policy framework that was developed in consultation with consumers, clinicians, medical researchers, and industry experts.
"Coalition senators are therefore concerned that making the system 'opt-in' for research purposes would greatly diminish the potential data pool and limit the potential benefits highlighted above. It could also lead to distortions in data sets and individuals who chose to opt-in under this approach may not be a representative sample of the wider Australian public."
They rejected the 12-month extension to the opt-out period as "excessive and unnecessary", given the planned changes to a "hard deletion" policy, and the ADHA's "comprehensive multi-channelled campaign to reach all Australians through trusted clinical and community networks".
The Coalition senators also noted that the recommendation to protect the privacy of children aged 14 to 17 years is a "sensitive policy issue" and that it's "premature to suggest specific recommendations on this matter at the present time".
"There is likely to be a divergence of views within the community balancing the rights of minors with the view and expectations of parents and carers. It is also important to ensure such a change would not cause any unintended consequences resulting from this change," they wrote.
How and when the report's recommendations are implemented, if they are to be implemented at all, is now a matter for the government.
Labor senators, meanwhile, have called for an independent review of the My Health Record system by the Privacy Commissioner and the Office of the Australian Information Commissioner (OAIC), noting that the OAIC "has itself called for further consideration of several privacy and security concerns".
"In the meantime, the Government must suspend the opt-out rollout until the Privacy Commissioner and OAIC report, the Government makes necessary changes, and public confidence in this important reform is restored," they wrote.