	Home \| Databases \| WorldLII \| Search \| Feedback Privacy Law and Policy Reporter

Home | Databases | WorldLII | Search | Feedback

Privacy Law and Policy Reporter

You are here: AustLII >> Databases >> Privacy Law and Policy Reporter >> 1994 >> [1994] PrivLawPRpr 23

Nelson, Rhonda --- "Medicare and Pharmaceutical benefits Programs - Privacy Guidelines" [1994] PrivLawPRpr 23; (1994) 1(2) Privacy Law & Policy Reporter 34

Medicare and Pharmaceutical Benefits Programs - Privacy Guidelines 1994

Australian Privacy Commissioner, December 1993 (issued 24 November 1993 to take effect 15 April 1994; tabled HR 25 November 1993, Senate 6 December 1993.

Legislative basis

In response to a proposal in 1990 to electronically link pharmacists with the Health Insurance Commission, amendments to the National Health Act 1953 (Cth) were introduced in 1991 requiring the Privacy Commissioner to issue guidelines relating to the privacy protection of Medicare and Pharmaceutical Benefits information. Difficulties in the interpretation of the original amendment led to it being repealed and replaced by the current s135AA of the National Health Act. The amending Act (the National Health Amendment Act 1993 (Cth)) also made related amendments to the Privacy Act 1988. s135AA and s135AB of the National Health Act provide the legislative basis for the Guidelines. These sections include provisions which require the Privacy Commissioner to issue guidelines; set out the information to which the guidelines apply; set out issues the guidelines must cover; define various terms used in the section; set down requirements for consultation, tabling and disallowance; define a breach of the guidelines as an ''interference with privacy'; and provide that the Privacy Commissioner may accept and deal with a complaint about a breach of the guidelines in the same manner as IPP complaints under s36 of the Privacy Act.

The National Health Amendment Act 1993 also amended the Privacy Act by adding to the list of ''interferences with privacy' in s13 Privacy Act 1988, a breach of the guidelines issued under s135AA of the National Health Act and by addingto the list of Commissioner's functions (in s27 of the Privacy Act), the issuing of guidelines under s135AA of the National Health Act.

The Guidelines will take effect on 15 April 1994, unless disallowed by Parliament (see dates above). It is proposed that the Guidelines will be reviewed after 12 months operation and consideration will be given at that time to whether any amendments are necessary.

Content of the Guidelines

The Guidelines apply to individuals' information collected in connection with claims under the Medicare and pharmaceutical benefits programs. They do not apply to information which identifies providers of services; ''eligibility' or ''entitlement' databases; or information which is not stored on a computer database.

The Guidelines have two main themes:

(a) the separation of Medicare and pharmaceutical benefits claims information; and

(b) the ''de-identification' of claims information after it is five years old.

The Health Insurance Commission will retain the ability to link to an identifiable individual the personal identification number associated with the claims information held by the Department of Health, Housing, Local Government and Community Services but the Guidelines strictly limit the circumstances in which this can occur. In this way claims information over five years old is de-identified but the capacity to re-identify the information in certain circumstances is retained.

Part A - Guidelines affecting the Health Insurance Commission (HIC)

The Guidelines:

require Medicare and Pharmaceutical Benefits Claims information to be stored separately (but this does not prevent the information from being stored on the same computer).
set down the limited circumstances in which the HIC can link, compare or combine claims information from the two databases.
prevent data-matching between the databases.
regulate the use and disclosure of the internal personal identification number (PIN) which the HIC uses to identify claimants under the two programs. The Guidelines require the PIN to not have any meaning in its own right (for example it cannot contain the person's initials etc) and the PIN not to be disclosed in conjunction with the individual's name. Claims information identified by PIN but no other identification information may be provided to the Department. (This Guideline is aimed at limiting the knowledge of the identity associated with any PIN to the HIC.)
require the HIC to destroy its claims information after five years except in limited circumstances.

Part B - Guidelines affecting the Department of Health, Housing, Local Government and Community Services

The Guidelines:

allow the Department to use claims information identified by PIN (referred to as ''de-identified' as the Department has no knowledge of the name associated with the PIN) in ways permitted by the Secretary.
prevent the Department from permanently combining information from the two programs which is identified by the PIN on the same database. (This is a further means of ensuring the separation of the Medicare and pharmaceutical benefits claims databases.)
provide that the Department may obtain from the HIC the name-PIN link in certain limited circumstances and set down controls which apply.

Part C - Research

The guidelines do not prevent claims information from being disclosed to researchers or retained by researchers after the information is more than five years old with the concerned individual's free and informed consent.

(The full text of the revised Guidelines is contained in the Federal Privacy Handbook, or is available separately from the Privacy Commissioner.)

Rhonda Nelson, Privacy Branch, Human Rights and Equal Opportunity Commission

AustLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback
URL: http://www.austlii.edu.au/au/journals/PrivLawPRpr/1994/23.html