My Health Record is an online electronic summary of a person’s health information. The Australian Government invested $1.15 billion in the development of the system and other digital health infrastructure between 2012 and 2016. In the 2017–18 Budget, the government allocated a further $374.2 million to continue operating the system and expand its use by making it an opt-out model. Nine out of every ten Australians now have a My Health Record.
The Department of Health established the My Health Record system in 2012, and administers the My Health Records Act 2012 on behalf of the Minister for Health. In July 2016, the Australian Digital Health Agency (ADHA) was prescribed as the System Operator for My Health Record.
My Health Record potentially impacts all Australians as it collates electronic summaries of individuals’ health information so it can be accessed by different healthcare professionals involved in a person’s care (as well as by the individual themselves). The system is intended to generate personal benefits for individuals and economic benefits for the health system, but achieving this requires a balance between increasing access to information and managing privacy and cyber security risks. The system has also generated parliamentary and public interest in relation to privacy and cyber security risks.
The audit objective was to assess the effectiveness of the implementation of the My Health Record system under the opt-out model. The audit adopted the following criteria:
implementation of the My Health Record system promotes achievement of its purposes;
My Health Record system risks are appropriately assessed, managed and monitored; and
monitoring and evaluation arrangements for the My Health Record system are effective.
Implementation of the My Health Record system was largely effective.
Implementation planning for and delivery of My Health Record under the opt-out model was effective in promoting achievement of its purposes. Implementation planning and execution were appropriate, and were supported by appropriate governance arrangements. Communication activities were appropriate to inform healthcare recipients and providers.
Risk management for the My Health Record expansion program was partially appropriate. Risks relating to privacy and the IT system core infrastructure were largely well managed, and were informed by several privacy risk assessments and the implementation of key cyber security measures. Management of shared cyber security risks was not appropriate and should be improved with respect to those risks that are shared with third-party software vendors and healthcare provider organisations.
The monitoring and evaluation arrangements for My Health Record are largely appropriate. There are appropriate mechanisms to improve the quality of information entered into the system. Some benefits measurement activities are underway, but they are not yet organised in a research delivery and evaluation plan setting out milestones, timeframes and sequencing of activities over forward years.