PDL has issued guidance on the use of My Health Record, including on privacy, consent and emergency access
With the participation rate in MHR ranked as 90.1% by the Government at the end of the opt-out period, it’s important pharmacists know and understand the circumstances in which it can be accessed, PDL says in its latest practice alert.
“Currently, patients provide ‘standing consent’ when they register for an MHR, which enables health care providers directly involved in a patient’s care to upload clinical information to their record,” observes PDL.
“Generally, there is no requirement for a health care provider to obtain the patient’s consent prior to viewing, or uploading clinical information to the MHR system.”
However, it is good practice to advise patients when information is being uploaded.
PDL highlights that a patient’s record can be accessed outside a consultation, as long as the access is for the purpose of providing health care to the patient.
“Access should be limited to sections of the MHR that are relevant to the care of the patient.
“It would be uncommon for a pharmacist to access certain sections of the Record. Any access outside of those areas of the Record typically used by pharmacists should be justified.”
Pharmacists could document their reasons for accessing such areas, for example, on the patient’s dispensing history or in the pharmacist’s notes.
PDL says there is accountability through individual organisational identifiers.
“If a pharmacist nominates as a Healthcare Provider Identifier-Organisation (HPI-O) theyn they will be considered responsible for the actions of the individual pharmacists in that pharmacy.
“Any pharmacist nominated as an HPI-O needs to be mindful that this approval will remain in place unless the system operator is informed.”
This could happen in times of absence or following departure from a given pharmacy.
PDL highlights that only registered health care providers who are involved in a patient’s care, and who are registered with the Australian Digital Health Agency, are permitted by law to access My Health Records.
“Password control has the potential to be an area of misjudgement for pharmacists.
“There have been questions posed regarding assistants accessing a patient’s MHR as part of the broader dispensing and supply process.
“The legislation is clear about who has the right to access the Record. That is the healthcare provider who is directly involved in a patient’s care.
“Once a password is provided to a third party you have no control over how it may be used. PDL strongly urges pharmacists to maintain control of their password and to consider regular revision of the password.”
Whether a pharmacy is choosing to upload data to MHR or not, all PBS data will load automatically onto a patient’s MHR within around four weeks, PDL says.
“Pharmacists need to be mindful that there is greater visibility of your dispensing records to both patients and prescribers. Therefore appropriate and accurate records are vital.
“Intern pharmacists can have their own HPI-I and therefore any access they undertake will be identified as that of the intern. As there is no recorded linking to the supervising pharmacist, other means will be required to identify who is overseeing the intern, when they access the Record.
“If a pharmacy becomes aware of a dispensing error made by another pharmacy, it would be most appropriate for the pharmacy responsible for the error to correct the data on their dispense record.
“The doctor should be informed, and consideration given to requesting an event summary being uploaded by the prescriber, if there is an adverse outcome for the patient.”
Privacy – and emergency access
PDL points out that transparency has been built into the MHR system to allow patients to see if their record has been accessed.
“A patient can set an access code which can be provided to a pharmacist to access the record. Email or SMS notifications can be incorporated in a MHR to inform an individual of access to their Record at particular times. Controls can be engaged by a patient to limit access to specific documents.
“A patient can direct a healthcare provider not to upload information at any time. The practitioner must comply with this request.”
PDL warns that the ADHA has the ability to audit and track all actions on an MHR via the system operator.
“Some of these may not be apparent to the client or the pharmacy but all actions are date and time-stamped.
“Viewing the records of a person who is not a patient at the time of the access is a breach. This includes accessing the record of a relative, unless you are an authorised representative of that individual.
But what about emergency access?
In an emergency, a patient’s privacy settings can be bypassed or overridden by the “Emergency Access” function, says PDL.
“The Emergency Access function can only be used in certain circumstances and it is important that healthcare providers understand when this function can be lawfully used,” it says.
The Emergency Access function can only be used by participants where either:
The healthcare provider reasonably believes that there is a serious threat to the patient’s life, health or safety and their consent cannot be obtained – for example, if they are unconscious; or
There are reasonable grounds to believe that access to the patient’s MHR is necessary to lessen or prevent a serious threat to public health or safety – for example, to identify the source of a serious infection and prevent it from spreading.
“The Emergency Access function must not be used other than as outlined in Section 64 of the My Health Records Act 2012 (Cth). It also cannot be used merely because the patient has forgotten their access code (unless there is a serious threat to the patient’s life, health or safety).
“Use of the emergency access mechanism is closely monitored and any access via this mechanism will trigger a notification to the Australian Digital Health Agency. The healthcare provider will receive a request for information and is required to inform the Agency of the circumstances requiring the use of the Emergency Access function.
“DO NOT attempt to use the emergency access mechanism on your own profile as this is a breach,” warns PDL.
“Pharmacists have sought help from PDL after being contacted by the Agency and asked to explain why the Emergency Access function was used, even though they’d accessed their own Record.”
PDL encourages members to contact it on 1300 854 838 or via its website if they have concerns arising from this article.