Risk Analysis of ‘My Health Record’.
My Health Record
My Health Record is a national initiative managed by the Australian Digital Health Agency as
a way to summarise and encapsulate public health records for effective healthcare
delivery. In 2012, Australia initiated a Personally Controlled Electronic Health Record system
which in 2015 was renamed ‘My Health Record’. My Health Record (MyHR) could be
thought of as a digital repository of healthcare records. It contains details on past medical
history, drug history, history on investigative reports, immunization history, adverse drug
reactions, Medicare claims, hospital discharge reports, information on advanced care
planning, and any similar interactions with the healthcare system (Health Direct Australia,
n.d.).
The benefits of My Health Record
My Health Record was initiated to achieve the following benefits (Health Direct Australia,
n.d.):
– Allows for quick access to a patient’s comprehensive medical history
– Information can be filtered more efficiently
– The interoperability between multiple sectors of healthcare provides more efficiency and
promotes a more multidisciplinary approach to healthcare.
– Patients have easy access to their records, which negates the need to retake
unnecessary medical tests and procedures.
– Helps limit medical-related spending for the patient as well as at the organization level.
– As it is comprehensive and spans multiple aspects of a patient’s medical history, data
can be correlated more easily, thereby helping with earlier diagnosis, probable pharmaceutical
interactions and treatment outcomes, and serving as a measure of control on medical misconduct
and breach of ethics (Raposo, 2015).
– Savings of around 11 billion AUD in healthcare expenditure by 2025 (Komesaroff & Kerridge,
2018).
Risks
This digital record system carried risks that could hinder the agency in achieving the
objectives and benefits it set out to achieve. Following the NSW Treasury Management Toolkit
(2012), a risk assessment highlighting the risks, related impacts, and risk management
initiatives is set out below. It covers the risks that could be encountered in the course
of implementation and operation in terms of security and privacy, service delivery, exposure
to litigation, reputation and image, legal and ethical concerns, and stakeholder satisfaction.
1. Risk Analysis
Risk | Impact | Likelihood | Consequence | Rating | Risk Treatment | Responsibility |
Data breach and theft of the patient data within MyHR (Hicks & News, 2012). | Security & privacy; exposure to litigation. Data breach and theft are a possibility: data can be stolen or encrypted by hackers and used for deceitful purposes, which would expose the organization to litigation, where inspection and scrutiny would trace back to authorized users (Hicks & News, 2012). | Likely | High | Extreme | Adopting protocols where data is made available on an inquiry basis while pseudonymising the data, with the link between the pseudonymised data stored externally (Vimalachandran et al., 2016). Establishing a secure multi-layered firewall as a cybersecurity measure that is constantly updated and offers end-to-end data cryptography, where any attempt at a breach is instantly reported (Keshta & Odeh, 2020). | Chief Technology Officer and team |
The lack of digital literacy and issues of non-compliance among the general population (Andrews et al., 2014). | Reputation & image; service delivery. The lack of digital literacy and knowledge about MyHR and its objectives gives rise to misconceptions, which feed a negative attitude towards MyHR and tarnish its reputation and adoption (Andrews et al., 2014). | Likely | Medium | Moderate | This can be combated with public education in the form of advertisements and public service announcements addressing the most common misconceptions and policies (Andrews et al., 2014). | Chief Operating Officer and team and Public Relations Team |
Secondary use of MyHR data by stakeholders such as hospitals, insurance companies, researchers, government, police, and employers (Spriggs et al., 2012). | Legal & ethical concerns. Secondary use of MyHR data by stakeholders or persons who stand to benefit from such data, e.g. targeted marketing by pharmaceutical companies. The unethical use of data by organizations outside healthcare for personal gain would incur litigation and result in decreased reform adoption (Spriggs et al., 2012). | Likely | Medium | Moderate | Anonymization of data and the use of clear policies and consent procedures stating the purpose for access and approval for the use of secondary data (Presser et al., 2015). | Chief Technology Officer and team, Chief Digital Officer and team |
Data integrity and the risk of having inaccurate data linked to MyHR (Raposo, 2015). | Service delivery. Electronic health records are comprehensive and interlinked, so an error in data input or data entry could have a compounded effect at a later stage in the form of a late diagnosis or treatment, which could have serious implications (Raposo, 2015). | Possible | Very High | Extreme | Ensuring system users adhere to a proposed medical database-linked coding system to standardise data input into the system. Requiring a data review before uploading or submitting the data (Vimalachandran et al., 2016). | Chief Operating Officer and team, Independent Clinical Advisor, Doctors at the primary & secondary health care level |
Access to data and the risk of violation of privacy could result in underreporting or inaccurate reporting (Keshta & Odeh, 2020). | Privacy. Privacy concerns over sharing sensitive data, such as stigmatized conditions, could have a social impact; as a result, patients could withhold such confidential information, negatively impacting their health record and the reform overall (Keshta & Odeh, 2020). | Possible | Medium | Moderate | Establishing a system of inquiry-based authorisation to access patient data that will be further secured with encryption and anonymization and protected by multi-layered cybersecurity (Keshta & Odeh, 2020; Presser et al., 2015). | Chief Technology Officer and team |
Ownership of the data in MyHR (Lupton, 2019). | Stakeholder satisfaction. Concerns over who owns and has the right over the data in terms of its use, accessibility, and sharing, negatively impacting adoption and decreasing overall public participation (Lupton, 2019). | Possible | High | Moderate | Establishing that the patient/individual has sovereignty over the data and its use. Notifying the individual as to who is accessing the data and when, and allowing an opt-out option if personal interest does not align with that of the reform (Health Direct Australia, n.d.). | Chief Executive Officer, Chief Digital Officer, and team |
Ill-matched patient data and the risk of mismatched treatment (Vimalachandran et al., 2016). | Service delivery; reputation & image. Ill-matched patient data could lead to the patient not receiving the required care or intervention at the appropriate time due to difficulty in connecting the correct patient record with the correct data (Vimalachandran et al., 2016). | Possible | Very High | Extreme | Ensuring that each patient is given a unique identification number or adopting an indexing system whereby patient identification is easy and data can be efficiently matched, for example, the Medicare – Health Identifier (Services Australia, 2013). Ensuring data integrity (Vimalachandran et al., 2016). | Chief Digital Officer and team |
2. References
Andrews, L., Gajanayake, R., & Sahama, T. (2014). The Australian general public’s perceptions of having a
personally controlled electronic health record (PCEHR). International journal of medical informatics, 83(12),
889-900. https://doi.org/10.1016/j.ijmedinf.2014.08.002
Health Direct Australia. (n.d.). My health record. https://www.healthdirect.gov.au/my-health-record
Hicks, S., & News, A. (2012). Russian hackers hold Gold Coast doctors to ransom. ABC News, 11.
Keshta, I., & Odeh, A. (2020). Security and privacy of electronic health records: Concerns and challenges. Egyptian
Informatics Journal.
Komesaroff, P. A., & Kerridge, I. (2018). The My Health Record debate: ethical and cultural issues.
Internal Medicine Journal, 48(11), 1291-1293.
https://doi.org/10.1111/imj.14097
Lupton, D. (2019). ‘I’d like to think you could trust the government, but I don’t really think we can’: Australian
women’s attitudes to and experiences of My Health Record. Digital health, 5, 2055207619847017.
NSW Treasury. (2012). Risk assessment toolkit. https://www.treasury.nsw.gov.au/information-publicentities/governance-risk-and-assurance/internal-audit-and-risk-management/risk
Presser, L., Hruskova, M., Rowbottom, H., & Kancir, J. (2015). Care.data and access to UK health records: patient
privacy and public trust. Technology Science, 2015081103, 1-35.
Raposo, V. L. (2015). Electronic health records: Is it a risk worth taking in healthcare delivery? GMS health technology
assessment, 11, Doc02-Doc02. https://doi.org/10.3205/hta000123
Services Australia. (2013). Individual healthcare identifiers.
https://www.servicesaustralia.gov.au/individuals/services/medicare/individual-healthcare-identifiers
Spriggs, M., Arnold, M. V., Pearce, C. M., & Fry, C. (2012). Ethical questions must be considered for electronic health
records. Journal of Medical Ethics, 38(9), 535. https://doi.org/10.1136/medethics-2011-100413
Vimalachandran, P., Wang, H., Zhang, Y., Heyward, B., & Whittaker, F. (2016). Ensuring data integrity in electronic
health records: a quality health care implication. 2016 International Conference on Orange Technologies
(ICOT)