Doctors’ $50K deal to hand over your details
GPs are being paid to hand over data on their clients' weight and alcohol use, and patients are not being asked for their permission.
The Federal Government is requiring doctors to hand over patient data to Primary Health Networks on 10 performance measures in return for a $50,000 a year taxpayer-funded practice incentive payment.
The data is meant to be de-identified but the Australian General Practice Alliance (AGPA) said "the likelihood that it could be re-identified in the event of a breach is very high."
To qualify for the money GP practices must provide information on their patients' diabetes status, smoking, weight classification, alcohol use and influenza immunisation status.
The government wants to use the information to track the treatment and improve the management of patients with key chronic health conditions.
Nine in ten GP practices have already handed over de-identified patient data and earned $20.3 million while 395 practices were granted an exemption over concerns about data security.
Under the guidelines for the program GPs are meant to ask their patients for permission to transfer the data but this has not been happening and patients are not being given the chance to opt out.
Asked whether patients' permission was being sought, Royal Australian College of General Practitioners (RACGP) president Dr Harry Nespolon said the short answer was "no".
The collection of the data was covered by legislation that allows doctors to collect quality assurance type data "as long as it's de-identified you can do it", he said.
The AGPA, however, says history shows it is very easy to re-identify health data.
In 2016 when the Department of Health released 30 years' worth of Medicare data it took Melbourne University computer experts just three days to decrypt it.
And medical appointment booking firm HealthEngine was recently caught passing on users' personal information to law firms seeking clients for personal injury claims, AGPA Director and former AMA president Dr Mukesh Haikerwal said.
"The reality is that while scraping the data, these data extracting tools are in most cases being given unfettered access to the entire practice record and are extracting massive amounts of data," he said.
"The likelihood that it could be re-identified in the event of a breach is very high."
Dr Nespolon said: "We do have concerns about how much data is going up."
"They (the data scraping companies) do get stuff in addition to what the government asks for," he said.
Three data scraping companies, PenCS, Polar and Primary Sense, are involved in extracting the information.
Edweana Wenkart said PenCS "does not host or store any data" and gave doctors a patient opt-out feature as part of their program.
"We take patient privacy extremely seriously," she said.
Primary Sense spokesman Matt Carrodus said the data extraction tools have been designed to be compliant with privacy laws and PHNs "strongly encourage general practices to notify patients that their data could be used for secondary purposes".
Adam McLeod, the CEO of Outcome Health, which runs Polar, said it had recently passed a privacy impact assessment.
"There is inherent risk with any data but we do everything we can to mitigate it," he said.
The Department of Health said practices participating in the PIP program have to be accredited in accordance with the RACGP Standards for General Practices which outlines requirements for patient consent.
"Software providers are required to support patient opt out with simple options to manage this. All current software extractors have opt out features as part of their system. Practice participation in PIP QI is voluntary," the department said.