Commonwealth of Australia Explanatory Memoranda


HEALTH LEGISLATION AMENDMENT (EHEALTH) BILL 2015

                               2013-2014-2015




  THE PARLIAMENT OF THE COMMONWEALTH OF AUSTRALIA




                    HOUSE OF REPRESENTATIVES




  HEALTH LEGISLATION AMENDMENT (eHEALTH) BILL 2015




                    EXPLANATORY MEMORANDUM




(Circulated by authority of the Minister for Health and the Minister for Sport,
                          the Hon Sussan Ley, MP)


OUTLINE

The Health Legislation Amendment (eHealth) Bill 2015 (the Bill) will amend the Personally Controlled Electronic Health Records Act 2012 (PCEHR Act), Healthcare Identifiers Act 2010 (HI Act), Privacy Act 1988 (Privacy Act), Copyright Act 1968 (Copyright Act), Health Insurance Act 1973 (Health Insurance Act) and National Health Act 1953 (National Health Act).

The primary purpose of the Bill is to make changes to the personally controlled electronic health record (PCEHR) system. The PCEHR system allows individuals and their healthcare providers to access their key health information online where and when they need it. A PCEHR is an electronic summary of an individual's health records.

Background

The Healthcare Identifiers Service (HI Service) is a national system for consistently identifying individuals, individual healthcare providers and healthcare provider organisations for healthcare communication purposes. It commenced in July 2010 as the result of a joint initiative of all Australian Governments as part of accelerating work on a national electronic health record system to improve patient safety, support safe and efficient sharing and storage of health information, and increase efficiency for healthcare providers. It is jointly funded by the Commonwealth, states and territories.

As a foundation service to the PCEHR system and other eHealth measures, the HI Service is an important step in realising the benefits expected to be derived from eHealth.

A review of the HI Act and HI Service (HI Review) was undertaken in 2012-13. It found that the core functionality of the HI Service is operating effectively but given the PCEHR system is now impacting directly on clinical workflows, there are some emerging issues that need to be addressed. The HI Review made twenty-four recommendations to improve the HI Service.
The report of the HI Review, entitled Healthcare Identifiers Act and Service Review, Final Report 2013, is available on the Department of Health's website.

The PCEHR system was implemented in July 2012 as a first step towards overcoming some of the issues facing healthcare arising from the fragmentation of health information. Health information is spread across a vast number of different locations and systems. In many healthcare situations, quick access to key health information about an individual is not always possible. Limited access to health information at the point of care can result in a greater risk to patient safety, less than optimal health outcomes, avoidable adverse events, increased costs of care and time wasted in collecting or finding information, unnecessary or duplicated investigations, additional pressure on the health workforce, and reduced participation by individuals in their own healthcare management.

A review of the PCEHR system (PCEHR Review) was undertaken in 2013. It found that there was overwhelming support for continuing implementation of a consistent electronic health record system for all Australians, but that a change in approach was needed to correct early implementation issues. The PCEHR Review made thirty-eight recommendations aimed at making the system more useable and able to deliver the expected benefits in a shorter period. The recommendations include establishing new governance arrangements, moving to an opt-out system for individual participation, and improving system usability and the clinical content of records. The report of the PCEHR Review, entitled Review of the Personally Controlled Electronic Health Record, December 2013, is available on the Department of Health's website.

The Government's response to the recommendations of the PCEHR Review was announced in the 2015-16 Budget and includes strengthening eHealth governance and operations by establishing the Australian Commission for eHealth to manage governance, operation and ongoing delivery for eHealth, trialling new participation arrangements including opt-out, improving system usability and the clinical content of records, revising incentives, and providing education and training to healthcare providers. The Government also announced that the PCEHR will be renamed the My Health Record. Trials of participation arrangements (including opt-out trials) are intended to inform future strategies for increasing uptake and meaningful use of the My Health Record.

The Australian Government will continue to lead the national roll out of eHealth technology and services, and work with the states and territories to support eHealth foundations and to finalise a national eHealth strategy to identify the priorities for future Commonwealth and jurisdictional investment in eHealth.

The Bill

The Bill will implement the Government's response to the PCEHR Review, specifically changes to the PCEHR system to change its name, prepare for new governance arrangements, improve usability of the system, and conduct participation trials. The Bill will also implement recommendations of the HI Review, and make other minor and clarifying amendments to improve the operation of, and align, the PCEHR system and the HI Service.

The Bill will change the name of the PCEHR system to the My Health Record system.
This change is intended to better reflect the partnership between individuals and healthcare providers in healthcare, noting that individuals will retain all of the personal controls currently available.

The Bill will enable opt-out trials to be undertaken for individuals in a manner that retains the same patient controls as were provided in the PCEHR. While these trials are operating in defined areas, the existing opt-in system will continue to operate everywhere else in Australia. If the trials prove successful at improving both clinical and individual use of the system, and the Government decides to implement opt-out nationally, the Bill enables this to occur.

To make way for new governance arrangements that will be established through rules to be made under the Public Governance, Performance and Accountability Act 2013 (PGPA Act), the Bill will abolish the existing PCEHR Jurisdictional Advisory Committee and Independent Advisory Council.

The Bill will simplify the privacy framework by revising the way that permissions to collect, use and disclose information are presented, making it easier for participants in the system to understand what they can and cannot do. The Bill will also include several new permissions to reflect how entities engage with one another. These will include a new mechanism enabling entities to be authorised in regulations to use healthcare identifiers for healthcare-related purposes, recognising the need for future health-related entities to be interoperable with the PCEHR system. This change is consistent with the original purpose and scope of healthcare identifiers.

In order to better protect the sensitive information that can be contained in a PCEHR, and to provide a more graduated framework for responding to inappropriate behaviour that is proportional to the severity of a breach of either the HI Service or PCEHR system, the Bill will introduce new civil and criminal penalties and provide that enforceable undertakings and injunctions are available in both systems.

The Bill will make clear that, unlike information about individuals and healthcare providers, information about healthcare provider organisations is not personal information so does not need the same privacy protections.

Given some current ambiguity in relation to the definition of "health services", the Bill clarifies that health-related disability, palliative care and aged care services are considered health services, as recommended by the Australian Law Reform Commission.

The Bill clarifies mandatory data breach notification requirements for participants in the system to remove ambiguities and address issues that have been identified in the past three years of operation. This requirement will extend to registered healthcare provider organisations and registered contracted service operators, replacing their existing contractual obligation to notify breaches.

Finally, the Bill will reflect the Australian Law Reform Commission's recent recommendations regarding the obligations of people who provide decision-making support.

FINANCIAL IMPACT STATEMENT

In the 2015-16 Budget, the Government announced funding of $485.1 million over four years for the My Health Record system, including new eHealth governance arrangements and trials of participation arrangements, including opt-out. This includes three years of funding for redevelopment and continued operation of the system. The table below sets out the elements of funding related to this Bill.

Budget Measure                              2015-16  2016-17  2017-18  2019-20  Total
                                             ($m)     ($m)     ($m)     ($m)    ($m)
My Health Record - a new direction for
electronic health records in Australia       30.7     16.4      5.4      5.2    57.7


REGULATION IMPACT STATEMENT

The Office of Best Practice Regulation found this Regulation Impact Statement compliant with best practice and published it on 21 July 2015.

Changes to the PCEHR system

1. INTRODUCTION

On 3 November 2013 the Australian Government commissioned an external review of the personally controlled electronic health record (PCEHR) system (the Review). The Review identified a number of issues regarding the system that present an impediment to individual and clinical uptake. In particular, the Review made recommendations concerning the model for individual participation, the governance arrangements and usability.

Implementation of the Review's recommendations will improve the credibility, usability and utility of the record for healthcare providers. These improvements will drive uptake, with healthcare providers more likely to support a system where the direct benefits are clear and the system is designed to sit within clinicians' existing workflows. Implementation will also expedite health benefits for individuals by enabling people to better manage their health. The number of avoidable admissions and adverse drug events will also be reduced.

The Personally Controlled Electronic Health Records Act 2012 (PCEHR Act) and possibly the Healthcare Identifiers Act 2010 will need to be amended to support the changes.

A short form Regulation Impact Statement (RIS) for changes to the PCEHR system has been previously considered by the Government. This standard form RIS has been provided for the Government's consideration of the proposed changes in more detail which will be implemented through changes to legislation and infrastructure.

Background

On 1 July 2012 the Australian Government implemented the PCEHR system, supported by the PCEHR Act. It places the individual at the centre of their own healthcare by enabling access to important health information when and where it is needed, by individuals and their healthcare providers.
A PCEHR is assembled using information created by a range of healthcare providers across the health sector to reflect an individual's healthcare journey.

Since its implementation more than 2.1 million individuals and more than 7,600 healthcare provider organisations have registered to participate in the PCEHR system. The system includes capacity to accept, store and share access to documents from and with any participating organisation and has more than 1.7 million clinical records, 70,000 individual-entered documents and over 192 million Medicare and Pharmaceutical Benefits Scheme claim records uploaded to the system.

The privacy protections that apply to the system ensure individuals have strong protection of their records, and the security arrangements are subject to an ongoing work program to improve security, reduce risks and address threats in a rapidly changing cyber environment. There is an array of personal controls available to the individual to allow them to control access to their record to the extent that they prefer.

Participation in the PCEHR system is voluntary for individuals and organisations (healthcare provider organisations, contracted service providers, repository operators and portal operators). The system operates on an opt-in basis, which means that any person or organisation wishing to participate in the system needs to register.

2. RATIONALE FOR GOVERNMENT INTERVENTION

The annual Commonwealth costs of healthcare are forecast to increase by $27 billion to $86 billion by 2025 and over $250 billion by 2050.[1] Productivity improvements such as those that can be delivered by eHealth are needed to help counter the expected increases in the unit costs associated with the delivery of healthcare. Leveraging eHealth is one of the few strategies available to drive microeconomic reform to reduce Commonwealth health outlays.

The Australian Government implemented the PCEHR system as a first step towards overcoming some of the issues facing healthcare arising from the fragmentation of health information. Health information is spread across a vast number of different locations and systems. In many healthcare situations quick access to key health information about an individual is not always possible. Limited access to health information at the point of care can result in:
- a greater risk to patient safety (e.g. as a result of an adverse drug event (ADE) due to a complete medications history not being available - it is estimated that 2.5% of hospital admissions are due to ADEs[2]);
- increased costs of care and time wasted in collecting or finding information (e.g. when a general practitioner has to call the local hospital to get information because the discharge summary is not available - 36% of visits involve the clinician spending at least five minutes locating information[3]);
- unnecessary or duplicated investigations (e.g. when a person attends a new provider and their previous test results are not available - 10% of laboratory tests are avoidable through electronic health records[4]);
- additional pressure on the health workforce (e.g. needing to make diagnosis and treatment decisions with incomplete information); and
- reduced participation by individuals in their own healthcare management.

The PCEHR system has, however, not realised the full benefits of such a system in its first two years. While the PCEHR system has the potential to deliver real benefits, some significant design and policy changes need to be made in order to accrue these benefits in a reasonable timeframe.

Government has historically sponsored the development of infrastructure services like this to reduce the burden on business, and remove the possibility of creating further rail gauge issues. Ongoing refinements made by government to streamline these services will bring about even greater efficiencies, which can be leveraged and further innovations made possible for the benefit of all Australians.

[1] Australian Government's 2010 Intergenerational Report
[2] Aus NZ Health Policy 2009, Roughead et al.
[3] JAMA 2005, Smith et al.
[4] Health Affairs 2012, McCormick et al.


3. THE PROBLEM

Participation

More than 2.1 million individuals have registered for a PCEHR. Since the vast majority of individuals don't have a PCEHR, healthcare providers generally lack any incentive to adopt and contribute to the system. As a result only 1.7 million clinical documents with key information have been uploaded to the system by clinicians and dispensers.

Governance

The PCEHR Review identified several issues related to governance of eHealth broadly and the PCEHR system in particular, namely:
- governance processes around the PCEHR system did not adequately represent the industry, were overly bureaucratic in nature and did not effectively balance the needs of government and private sector organisations;
- engagement and consultation with some key stakeholders, including clinical stakeholders, has not been effective to date;
- there are currently two significant governance arrangements in place for eHealth and there are perceived benefits in reducing this to one; and
- there has been a lack of transparency in the decision-making process for the PCEHR system within the National E-Health Transition Authority (NEHTA) structure, whose role is to lead the uptake of eHealth systems of national significance.

The review of the PCEHR system found that governance for eHealth nationally is in need of significant change as it does not have the confidence of the industry. Multiple factors have contributed to this, including a significant broadening of the remit of NEHTA since its inception.

Further, eHealth governance is not representative of the users of eHealth. Although the PCEHR system directly affects healthcare providers (private and public), the medical software industry and individuals, the current governance predominantly comprises public organisations. A prime example of this problem is the NEHTA board which is made up of the heads of the Commonwealth, state and territory health departments.

Usability

The Review found that the system poses usability issues, such as:
- problems with the efficiency and effectiveness of eHealth applications in clinical systems and their poor fit within clinical practice workflow;
- complexity in user interfaces, and multiple provider registration systems;
- lack of integration across the broader eHealth infrastructure;
- inability to agree and adopt standards in a timely manner;
- technical compromises made to meet accelerated timeframes; and
- the absence of standard terminology.

These issues have affected use of the system by healthcare provider organisations.

4. OBJECTIVE OF GOVERNMENT INTERVENTION

The objective of the system continues to be to address information fragmentation by allowing a person to more easily access their own health information and make their health information securely accessible to healthcare providers involved in their care. Making the system more useable and reliable is central to gaining the support and acceptance of healthcare providers and individuals, thereby leading to increased use and achievement of the identified benefits.

Changes to governance and the way individuals can choose to participate in the PCEHR system will be implemented in stages through to late 2017. Trials of participation arrangements, including an opt-out system, will be undertaken in a few selected regions in 2016 and inform a decision, and future approaches, for increasing individual participation in the system from late 2017.

The PCEHR Act will need to be amended to reflect such changes since it prescribes the components of the current governance arrangements and opt-in nature of individual participation.

5. OPTIONS

This section outlines the options for addressing the problems identified at section 3. Four options are considered:
Option 1: Continuing with business as usual;
Option 2: Implementing a public awareness campaign to improve uptake;
Option 3A: Making the system opt-out for individuals with associated public awareness raising and education and training for healthcare providers, improving usability and changing the governance arrangements through the creation of a statutory authority.
Option 3B: Implementing participation trials, including opt-out, with targeted communications in the trial regions and education and training for healthcare providers, improving usability and changing the governance arrangements through the creation of a statutory authority.

5.1 Option 1: Continuing with business as usual

The status quo would not require any additional regulatory action or legislative change, but does not present a compelling business case. It could take a further 15 years to realise the benefits sought as it will take that long before a significant proportion of the population has a record, which is a key to increased use by healthcare providers. It is unlikely that healthcare providers will make use of the system until a significant proportion of the population has a PCEHR. This will result in limited content being contributed or accessed and minimal benefit being realised.

Individuals would continue to be able to register for a record if they choose. Many healthcare providers would continue to view the record as not clinically useful due to its limited content and customer coverage.

The Secretary of the Department of Health would continue to be the System Operator, delivering the system in cooperation with the following agencies:
- Department of Human Services which delivers certain components of the PCEHR system under agreement with the System Operator, and delivers other eHealth services such as the National Authentication Service for Health, the Healthcare Identifiers Service and the Health Professional Online Service that form part of the PCEHR infrastructure; and
- NEHTA, a company limited by guarantee and funded by the Australian Government and state and territory governments and whose board comprises heads of government health departments, delivers certain components of the PCEHR system under contract with the System Operator. It leads the uptake of eHealth solutions through the health system.

The System Operator would continue to be advised on the operation of the PCEHR system by two statutory committees - the Independent Advisory Council (representing individuals from peak stakeholder groups) and the Jurisdictional Advisory Committee (representing the health department of each jurisdiction). These committees report directly to the System Operator.

As part of business as usual activities and streamlining, improvements would be made to the system's access controls and the process for individuals to register and access their PCEHR. The Clinical Usability Program would work with healthcare providers and software vendors to continue to identify system usability improvements.
Stakeholders would continue to have concerns about the system's usability, transparency and accountability which may undermine their confidence and likelihood to participate.

5.2 Option 2: Implementing a public awareness campaign to improve uptake

This option would not require any regulatory action or legislative change. The option would see the PCEHR system complemented by a public awareness campaign targeting all Australians. The intent of this campaign would be to raise community awareness of the PCEHR - its purpose, the information it can contain, how it can be used, who can use it and how it can improve healthcare. Individuals would continue to be able to register for a record if they choose.

During the Medicare For All campaign of 2013, which included promotion of the PCEHR, there was an increase of approximately 500 people a day registering using the consumer portal. This dropped back to the pre-existing levels once the campaign finished. Allowing for a campaign similar to the Medicare For All campaign but of 12 months' duration and assuming its direct focus on the PCEHR would result in greater effectiveness, it is estimated that an additional 273,000 people would register[5].

As described at option 1, as part of business as usual activities and streamlining, improvements would be made to the system's access controls and the process for individuals to register and access their PCEHR. The Clinical Usability Program would work with healthcare providers and software vendors to continue to identify system usability improvements.

It is considered, however, that many healthcare providers would continue to view the record as not clinically useful due to its limited content and customer coverage. Stakeholders would continue to have concerns about the system's usability, transparency and accountability which may undermine their confidence and likelihood to participate.

5.3 Option 3A: Making the system opt-out for individuals with associated public awareness raising and education and training for healthcare providers, improving usability and changing the governance arrangements through creation of a statutory authority

The opt-in approach of the system would be changed to an opt-out approach for individuals. Providing every Australian with a PCEHR without needing to take steps to register would be a fundamental step to delivering a world class PCEHR to the community.

A record would be created for every eligible individual. That individual may or may not choose to access their record but healthcare providers would be able to access that record for healthcare purposes. Individuals who wanted to access their PCEHR would need to first register for a myGov user identity and undertake a process to verify their identity. Once they gain access they would be able to fully exercise the access controls of the record. Experience over the past two years has shown that only about ten per cent of individuals who have a PCEHR access it and exercise their access controls. This rate has been used in the consideration of this proposal.
Individuals would have the option of opting out of the system before a record is created for them or by cancelling their record so that it can no longer be accessed or used by healthcare providers if they already have one. The individual would be able to opt back into the system at any time. National and international experience in opt-in/opt-out rates for eHealth record systems and other health programs indicates that around one per cent of individuals choose to opt-out[6]. This rate has been used in the consideration of this proposal.

Implementation of opt-out nationally would be supported by an appropriate awareness raising campaign including about the benefits of the eHealth record system, how to set access controls, and details of how to opt-out if that is what someone chooses to do.

[5] This assumes that, over 12 months, there would be a 150% increase to the registrations achieved by the two month Medicare For All campaign.
[6] Research by McKinsey & Company, 2014. This research was undertaken on publicly available information and input from selected expert interviews on prominent examples of electronic health record systems around the world at different stages of evolution. The systems that operate on an opt-out basis use opt-out mechanisms that are comparable to those that would likely be used in the PCEHR system.


This shift in participation rates would give effect to behavioural changes in the healthcare provider industry, although participation by healthcare provider organisations will remain voluntary. Nearly all individuals would have a record so, combined with other measures to improve the usability of the system and the nature of information it contains, healthcare providers would be more likely to commit to using and contributing to the PCEHR system, thereby increasing the utility of the system by increasing the amount of clinically valuable information in a PCEHR.

This option would also see a major shift in expectations of the governance arrangements to address concerns raised by stakeholders regarding transparency, stakeholder representation and accountability. The following changes would result in a simplified structure with which the industry and individuals could more easily interact, and would ensure more meaningful consultation is undertaken in the operation and management of the system and the future directions of eHealth more broadly.

A statutory authority would be established to have relative independence from government departments ensuring it is balanced and represents the needs of key stakeholders to facilitate eHealth delivery by the private health sector in partnership with the public health sector.

A governing board would comprise skills-based representatives reflective of key health stakeholders. Some members would have experience as healthcare providers, care recipients and leadership in governance. Others would have clinical safety, systems, technical and government expertise. The new entity would retain jurisdictional input and representation to reflect jurisdictions' interests as continuing national eHealth funders.

The new organisation's broad role would be the ongoing development and implementation of the national eHealth strategy, including PCEHR-related responsibilities arising from the Review.
This would include coordinating and managing activities relating to national eHealth infrastructure, solution design, specification and, where necessary, standards development and working with other key agencies to ensure this work is carried out in a coordinated fashion and expected outcomes are delivered to the satisfaction of key stakeholders. It would also work to improve the usability of the system. The new organisation would report directly to the Council of Australian Governments' Health Council.

The current statutory committees that report to the System Operator would be abolished and dedicated advisory committees would be established within the legislative framework establishing the new entity to ensure that the PCEHR system delivers on the following matters:
- clinical and technical;
- jurisdictional;
- individual; and
- privacy and security.


These committees would have appropriate representational coverage and skills to represent the interests of key stakeholders and report directly to the board.

Assurance on the progress of eHealth would be provided to the Minister for Health through the establishment of an independent assurer who would report regularly and directly to the Minister. The purpose of this role would be to provide unfiltered advice to the Minister on the real progress on the implementation of the changes to the eHealth record system and stakeholder acceptance. The role would be fulfilled by an independent organisation with experience in the health sector and in providing assurance in the delivery of complex initiatives.

This option, together with other measures including:
- improvements to usability, including those described at option 1;
- the establishment of a core set of clinical information comprising current medications and adverse events, clinical measurements, and pathology and diagnostic imaging reports;
- improving education and training programs for healthcare providers; and
- re-focused incentives for healthcare provider organisations to participate in and use the system,
would significantly improve the clinical usability, credibility and utility of the record for healthcare providers and encourage buy-in of the system.

In this option the Government would not trial the methods of implementing opt-out and different methods of providing communications and education prior to national implementation. This would pose a risk of failing to properly communicate with the target audience, resulting in an increased number of individuals choosing to opt-out of having a PCEHR, and fewer organisations choosing to participate, potentially undermining confidence in the value of the system.

5.4 Option 3B: Implementing participation trials, including opt-out, with targeted communications in the trial regions and education and training of healthcare providers, improving usability and changing the governance arrangements through creation of a statutory authority

This option would require regulatory action and legislative change.

In selected areas of Australia (covering a total population of 1 million), based either on population size or type, trials of individual participation arrangements would be conducted, including an opt-out system, and targeted communications would be undertaken together with training for healthcare providers in these areas. The intent of these trials would be to test the opt-out arrangements and other innovative approaches for driving registration and participation in the system, identify appropriate methods of targeting and delivering critical information to key audiences, assess the effectiveness of the communications and education and training for healthcare providers, and inform future decisions about, and the optimal approaches for, driving individual participation in the system for individuals from late 2017. These trials would be evaluated over a period of up to nine months.


Outside the trial regions the PCEHR system would continue with business as usual and individuals would continue to be able to register for a record if they choose. General practitioners, pharmacists and aged care services would be provided with targeted education and training in the trial regions, and more broadly. In trialling an opt-out system, a record would be created for every eligible individual in the trial except for individuals who choose to opt-out. Individuals may or may not choose to access their record but healthcare providers would be able to access that record for healthcare purposes. As described at option 3A, individuals would access their record by first registering for a myGov user identity and will need to go through an identity verification process to access their PCEHR and exercise their access controls. Experience indicates that about 10 per cent of individuals choose to access their PCEHR. Individuals in the opt-out trials would have the option of opting out of the system before a record is created for them. Individuals who already have a PCEHR would continue to be able to cancel it. Individuals that opt-out would be able to opt back into the system at any time. As outlined in option 3A, national and international experience in opt-in/opt-out rates for eHealth record systems and other health programs indicates that around one per cent of individuals choose to opt-out [7]. Trials of other innovative approaches for driving individual registration and participation in the system will also be conducted. The nature of these other trials has not yet been determined. This shift in participation rates would give effect to behavioural changes in healthcare provider organisations in or providing care in the selected trial regions, although participation by healthcare provider organisations will remain voluntary.
Nearly all individuals in the opt-out trials would have a record and individuals in the other trials would be more likely to have a PCEHR so, combined with other measures to improve the usability of the system and the nature of information it contains (as described at option 1), as well as targeted communications in the trial regions, education and training of healthcare providers, along with re-focused incentives, these healthcare providers would be more likely to commit to using and contributing to the PCEHR system. This option would result in improvements to the clinical value of the system and would see a positive impact on healthcare providers across Australia in terms of system use. This option would also see the same governance changes made as discussed at option 3A and would include the other measures described at option 3A including usability improvements, business as usual activities and streamlining. Stakeholders that are not part of the trials may continue to have concerns about the value of participating in the system given that the majority of their patients will not have a record. This is despite the improvements to governance, clinical utility and usability of the system, and the availability of incentives and training.

[7] Research by McKinsey & Company, 2014. This research was undertaken on publicly available information and input from selected expert interviews on prominent examples of electronic health record systems around the world at different stages of evolution. The systems that operate on an opt-out basis use opt-out mechanisms that are comparable to those that would likely be used in the PCEHR system.


6. IMPACT ANALYSIS

This section describes the impacts of the proposed options. An overview of the costs and benefits, stakeholders impacted and issues associated with each option is provided below.

6.1 Option 1: Continuing with business as usual

Maintaining the status quo requires no regulatory action by Government. The risk of adverse outcomes from poor use of the system is likely to persist under the status quo. Limited use of the system by healthcare providers will affect the amount of clinical information uploaded to a PCEHR. In the longer term the lack of information in the system would become a disincentive to participate in the system.

Impact on individuals

The regulatory burden on individuals who choose to register for an eHealth record would be unchanged. Any individual registering can apply through five channels - phone, online, in writing, in person at a Department of Human Services shopfront and at healthcare provider practices that provide assisted registration. The impact of improvements to individual usability is not yet determined so they cannot be quantified. Individuals who choose to have a PCEHR will continue to be able to share their health information with their healthcare provider organisations. However, few healthcare providers use the system as the value proposition is low, so PCEHRs will continue to contain a limited amount of clinically useful information.

Impact on healthcare provider organisations

If an organisation chooses to register to use the system, it needs to complete the registration process to use the system. Depending on the type of healthcare provider organisation, its needs in terms of start-up will vary. A registered organisation is subject to the requirements of the PCEHR Act and the participation agreement with the System Operator.
The regulatory burden on individual providers who work in organisations participating in the PCEHR system would be unchanged as system participation is undertaken at the organisational level, not individually. The regulatory burden on healthcare provider organisations that choose to register to participate in the PCEHR system would be unchanged. If an organisation is registered, individual providers would continue to be subject to the requirements relating to uploading information to the PCEHR system and using PCEHR information in accordance with an individual's wishes. Registered organisations may choose to assist individuals to register for a PCEHR. If an organisation chooses to provide this assisted registration service, it needs to obtain the necessary software from the Department, free of charge, and must comply with requirements specified in the PCEHR Rules regarding policy and record retention. In providing assisted registration, an employee of the organisation discusses with the individual the benefits of
having a PCEHR and, with the individual's consent, makes a registration application for the individual. The regulatory burden on organisations that choose to provide assisted registration would be unchanged. The impact of improvement to healthcare provider usability is not yet determined so they cannot be quantified. Those organisations that choose to participate in the PCEHR system will continue to have access to their patients' PCEHRs (with their patient's agreement) and be able to upload health information to those PCEHRs. However, for reasons of usability, low individual participation rates and low healthcare provider organisation rates, PCEHRs will not be fully utilised by organisations and will contain limited information, and therefore will be of limited clinical value.

Impact on software vendors

The medical software industry is not obliged to deliver medical software that is compliant with the requirements of the PCEHR system. It develops software to meet the needs of its customers (healthcare providers). To date, vendors have been working to develop and deliver software that facilitates PCEHR access largely as a result of funding provided by NEHTA for software in general practice, pharmacy, public hospitals and aged care. Increased participation by healthcare provider organisations may increase the customer base of software vendors. If healthcare providers lose interest in the system because of low participation rates the industry is unlikely to exert pressure on software vendors to deliver PCEHR compliant software.

Impact on Government

The Government will continue to incur increasingly significant healthcare costs and will only begin realising the benefits of the PCEHR system, including a reduction in healthcare costs, when a majority of individuals have a PCEHR which will lead to an increase in the healthcare providers using the system.
6.2 Option 2: Implementing a public awareness campaign to improve uptake

This option requires no regulatory action by Government. This option would see a negligible increase in the benefits realised from use of the system. Limited use of the system by healthcare providers will affect the amount of clinical information uploaded to a PCEHR. In the longer term the lack of information in the system would become a disincentive to participate in the system.

Impact on individuals

The costs and benefits to individuals are largely as described at option 1. There would be a regulatory cost to those extra people who sign up as a result of the public awareness campaign.


Table 1 identifies the total costs over 10 years from additional individuals registering in the PCEHR system.

Average time taken for individual to register [8]    11 minutes
Individual leisure time [9]                          $27/hour
Average cost per application                         $4.86
Number of additional individuals registering [10]    273,000
Total regulatory cost for individuals                $1.33 million

Impact on healthcare provider organisations

The costs and benefits to healthcare provider organisations are as described at option 1.

Impact on software providers

There is no impact on software vendors, as described at option 1.

Impact on Government

The Government will continue to incur increasingly significant healthcare costs and will only begin realising the benefits of the PCEHR system, including a reduction in healthcare costs, when a majority of individuals have a PCEHR which will lead to an increase in the healthcare providers using the system. This option would be only marginally more effective than option 1. The impact on Government will be the cost of undertaking the public awareness campaign. This cost has not been quantified but is likely to be in the same order of magnitude as the Medicare For All campaign which was undertaken for two months in 2013 at a cost of $8 million. The proposed public awareness campaign, which would be undertaken over 12 months, would be expected to cost over $50 million. There will also be a cost for Government to support an increase to the capacity of the system.
[8] Advice provided by Department of Human Services which manages the individual registration process
[9] Figure provided by the Office of Best Practice Regulation
[10] Based on current registration rates, it is expected that about 500,000 individuals will register each year.

6.3 Option 3A: Making the system opt-out for individuals with associated public awareness raising and education and training of healthcare providers, improving usability and changing the governance arrangements through creation of a statutory authority

This option would require amendments to the PCEHR Act to:
- revise the current consent framework to reflect the opt-out nature of the system while still ensuring that individuals can ask that individual documents not be uploaded, and that healthcare providers remain subject to specified state or territory laws regarding the disclosure of certain types of health information;
- change the name of the PCEHR where necessary to simplify references to legal aspects such as terms and conditions, and compliance requirements;
- revise the function of the System Operator as necessary to reflect changes to the governance arrangements; and
- abolish the Independent Advisory Council and Jurisdictional Advisory Committee (this will also require amendment of the Personally Controlled Electronic Health Records Regulation 2012).

It would also require amendment to other legislation to:
- establish the new organisation as an inter-jurisdictional statutory authority and prescribe its function and operation; and
- establish the board and the four committees and specify their function and operation.

These amendments would result in a reduction to the volume of Commonwealth legislation. Under this option the new organisation would be established under Public Governance, Performance and Accountability Act 2013 (PGPA Act) rules or under its own primary legislation, as an inter-jurisdictional statutory authority that is a body corporate.

The key advantages in establishing the entity as a statutory authority are:
- A greater capacity to improve accountability, which could be imposed either under Public Governance, Performance and Accountability Act 2013 (PGPA Act) rules or enabling legislation. This could include a requirement that the new eHealth entity submit a rolling work plan to the Australian Health Ministers' Advisory Council and the Council of Australian Governments Health Council for approval on an annual basis, detailing its planned work and priorities for the following three years. Additionally, any new statutory authority would be subject to the existing accountability mechanisms in the PGPA Act, such as the duty to keep the Ministers informed of its activities.
- A greater level of ministerial oversight, which could be statutorily imposed. Rules made under the PGPA Act could also confer State or Territory ministers with oversight of the entity.
- Ability to impose, through ministerial direction, adherence to particular standards and processes such as procurement, staff engagement, and organisational performance reporting.
- The agreed role/charter of a statutory authority and the associated governance bodies such as boards and committees would be set in law. This would allow for easier ongoing management of the entity.
- The Rules that the Commonwealth Finance Minister can make under the PGPA Act can be made (or amended if necessary) more expediently than the previous approach of passing enabling legislation through the Commonwealth Parliament (although they would still be subject to Parliament's disallowance process).
- Moving to a skills-based board (rather than retaining current jurisdictional directorship of the board) would alleviate a range of perceived and real conflict of interest issues.


The main disadvantages of this option are:
- potential adverse perceptions that this is increasing bureaucracy;
- establishing a statutory authority under primary legislation could take marginally longer than using a repurposed form of the NEHTA public company entity - approximately six to twelve months. To mitigate this disadvantage a new eHealth entity could be created through PGPA Act rules which would take approximately six to nine months; and
- without conducting trials to evaluate methods of implementing opt-out and different communications and education approaches, the Government may fail to properly target its audience which could adversely affect participation and public confidence, and could see a reduction to the estimated regulatory savings.

Impact on individuals

In an opt-out system, every eligible individual would automatically get a PCEHR without taking any action. The move to an opt-out system would represent a significant reduction in current regulatory burden for the community. Individuals would no longer need to go through a registration process to get a PCEHR. Table 2 identifies the total savings over 10 years from individuals not having to register in the PCEHR system.

Average time taken for individual to register [11]    11 minutes
Individual leisure time [12]                          $27/hour
Average cost per application                          $4.86
Number of individuals registering [13]                5,000,000
Total regulatory saving for individuals               $24.30 million

Those individuals who did not want a PCEHR would need to go through an opt-out process. There is no explicit cost or burden in having a PCEHR and an individual can choose the extent to which they use or access their PCEHR. However, some individuals may choose to opt-out if they have unique privacy sensitivities, such as high profile individuals or individuals who are involved in potentially violent domestic or custodial disputes.
It is possible that some people may be uncomfortable with having a record but not sufficiently motivated to opt-out or to set controls to mitigate their concerns. There is some burden associated with this situation but it has not been quantified. It will be mitigated by ensuring the process for opting out or setting access controls is as simple as possible.

[11] Advice provided by Department of Human Services which manages the individual registration process
[12] Figure provided by the Office of Best Practice Regulation
[13] Based on current registration rates, it is expected that about 500,000 individuals will register each year.


Table 3 identifies the total cost over 10 years for individuals to opt-out of the PCEHR system.

Estimated time taken for individual to opt-out [14]    6 minutes
Individual leisure time [15]                           $27/hour
Average cost per opt-out                               $2.70
Number of individuals opting out [16]                  271,400
Total regulatory cost for individuals                  $0.73 million

If an individual does not have a PCEHR they will not gain the benefits that making their health information more easily accessible by their healthcare providers would achieve. However, it would in no way affect their eligibility for health services. Individuals who want to access their PCEHR and fully exercise their access controls would need to go through a process to verify their identity with the System Operator. This process would closely resemble the current registration process. Table 4 identifies the total cost over 10 years for individuals to obtain access to their PCEHR.

Estimated time taken for individual to obtain access [17]    11 minutes
Individual leisure time [18]                                 $27/hour
Average cost per application                                 $4.86
Number of individuals obtaining access [19]                  2,686,860
Total regulatory cost for individuals                        $13.06 million

The PCEHR would enable healthcare providers to make more informed decisions about an individual's care based on more complete information available in the individual's PCEHR, and would also see a reduction in adverse medical events and in the duplication of treatment and tests. With access to their key health information, individuals will be able to more actively participate in their own healthcare and will no longer need to remember all of their previous health information to repeat to each healthcare provider that treats them, and they will benefit from improved quality of healthcare and coordination of healthcare delivery. The reduction in adverse medical events would see improvements to productivity and labour force participation since, over time, it would lead to improved treatment outcomes and less sick leave.
This may increase the community's trust in the healthcare system.

[14] The opt-out process has not been decided but is expected to be much simpler than the registration process since it will not require the same extent of identity verification because there is a significantly lower risk of privacy breach.
[15] Figure provided by Office of Best Practice Regulation
[16] Based on an annual opt-out rate of 1% of population - 230,000 in year 1; 1% of population growth (assume 2%) from year 2
[17] This is expected to closely follow the identity verification undertaken in the current registration process so the current average registration time has been adopted.
[18] Figure provided by the Office of Best Practice Regulation
[19] Based on current access rates, it is expected that about 10% of the population with PCEHRs would seek to get access to their PCEHR (27.14 million less 271,400 who opt out).

The PCEHR system is also expected to reduce the time spent, cost and number of healthcare visits required by family members and their dependants, and therefore reduce their healthcare
expenditure as families. This will result in a consequent increase in the disposable income of families. The reductions in time taken in finding information and the performance of unnecessary investigations would result in improved productivity for the health workforce thus addressing some of the challenge faced by the Commonwealth in the increasing cost of healthcare. A PCEHR will be of particular benefit to individuals with chronic and complex conditions, older Australians, Indigenous Australians, mothers and newborn children, and individuals living in rural and regional areas, as they are more likely to access healthcare from numerous healthcare providers. In addition, it would mean that patients and their families will be able to go anywhere in Australia to receive high quality and convenient healthcare, reducing the time and costs associated with undertaking duplicate tests or repeating information. It is anticipated that benefits in health outcomes of families will be skewed towards vulnerable families as they currently face more challenges in accessing timely and appropriate healthcare and will have more to benefit from improved health outcomes. These people are also less likely to participate in an opt-in model as they are more likely to be challenged by the registration process. Vulnerable families may include Aboriginal and Torres Strait Islander families, family carers with a member who has a mental illness, families in which English is a second language, and families with low socio-economic status. These groups are expected to experience more pronounced benefits as the PCEHR system will help reduce the enormous burden carried by these families. The impact of improvements to individual usability is not yet determined so they cannot be quantified.

Impact on healthcare provider organisations

The regulatory burden on healthcare provider organisations that choose to register to participate in the PCEHR system would be unchanged, as described at option 1.
The regulatory burden on individual providers who work in organisations participating in the PCEHR system would be unchanged, as described at option 1. The move to an opt-out system would have a regulatory impact on those registered healthcare provider organisations that currently provide assisted registration to individuals because they would no longer spend any time assisting individuals to apply to register for a PCEHR. This would result in a saving.


Table 5 identifies the savings over 10 years from organisations no longer providing assisted registration to individuals.

Average time to provide assisted registration                                     8 minutes
Average salary of officer providing assisted registration [20]                    $175,000
Average cost to provide service                                                   $11.76
Number of individuals receiving assisted registration [21]                        182,000
Total regulatory saving for organisations not providing assisted registration     $2.14 million

Opt-out participation by individuals would change the behaviour of the healthcare provider industry. Healthcare providers would increasingly utilise the system and realise its benefits in terms of availability of healthcare information to improve healthcare quality and delivery. Participation for healthcare provider organisations would remain opt-in. There would be an indirect impact on healthcare provider organisations since opt-out participation for individuals will increase the value of the PCEHR system for providers. It is estimated that 20 per cent more healthcare provider organisations would register each year. The governance changes would not have a direct regulatory impact on healthcare providers and organisations. However integrating the services and ensuring more appropriate stakeholder representation would see improvements to the usability of the system and an increase to the confidence in the system by healthcare providers. This would likely lead to more healthcare provider organisations registering to participate in the system which, in itself, would impact organisations as described above. Table 6 identifies the cost over 10 years for an increased volume of organisations to register to participate in the PCEHR system.

Average time taken for organisation to register                             2.5 hours
Average salary of officer completing application [22]                       $175,000
Average cost per application                                                $220.50
Number of additional organisations registering [23]                         2,400
Total regulatory costs for additional organisations to apply to register    $529,200

This option would improve the efficiency in the provision of health services. Healthcare providers would have access to more complete and consistent information to inform their healthcare decisions, resulting in a reduction in the time wasted duplicating tests and treatment and seeking information from their patients and other healthcare providers, and reducing the occurrence of medication errors. The impact of improvements to healthcare provider usability is not yet determined so they cannot be quantified.

[20] This takes into account a $100,000 salary plus other operating labour costs and overheads.
[21] Based on current assisted registration rates, about 50 individuals register through assisted registration per day.
[22] This takes into account a $100,000 salary plus other operating labour costs and overheads.
[23] Based on current registration rates, about 1,200 healthcare provider organisations will register each year. In an opt-out system it is estimated an additional 20 per cent (240) organisations will register each year.


Impact on software vendors

There is no regulatory impact on software vendors, as described at option 1.

Impact on Government

This option will impose some cost and burden on the Government as there would be a new agency to administer; however, given the nature in which the entity would be established, it would provide better accountability and transparency which would allow the Government to achieve and deliver better outcomes. There will also be a cost for Government to support an increase to the capacity of the system and to undertake the communication campaigns and training. The Government would gain significant economic benefits through the health sector and individuals through: reducing hospital admissions; enabling improved individuals care including better management of chronic disease; and enabling a more efficient healthcare system.

6.4 Option 3B: Implementing participation trials, including opt-out, with targeted communications in the trial regions and education and training of healthcare providers, improving usability and changing the governance arrangements through creation of a statutory authority

This option would require legislative amendments as described in option 3A, plus further amendments to the PCEHR Act to enable the system to operate on an opt-out basis in certain trial regions while ensuring it continues as an opt-in system in the remainder of Australia. Trials of other innovative approaches for driving registrations and participation in an opt-in system would also be conducted. The statutory authority would be established as described in option 3A. While this option would result in an increase to short-term regulatory costs, it would enable the Government to develop a robust approach to implementing an opt-out system nationally to assure long-term savings.

Impact on individuals

The impact on individuals would be the same as under option 3A, however it would only affect individuals in trial regions.
These individuals would no longer need to go through a registration process to get a PCEHR. Since the nature of the other trials has not yet been determined, a conservative approach has been taken in this costing to assume that the regulatory cost would apply to the maximum trial population.


Table 7 identifies the total savings from individuals in trial regions not having to register in the PCEHR system.

Average time taken for individual to register [24]    11 minutes
Individual leisure time [25]                          $27/hour
Average cost per application                          $4.86
Number of individuals registering [26]                22,000
Total regulatory saving for individuals               $106,920

As described in option 3A, any individuals who don't want a PCEHR would need to go through an opt-out process. Table 8 identifies the total cost for individuals in trial regions to opt-out of the PCEHR system.

Estimated time taken for individual to opt-out [27]    6 minutes
Individual leisure time [28]                           $27/hour
Average cost per opt-out                               $2.70
Number of individuals opting out [29]                  10,000
Total regulatory cost for individuals                  $27,000

If an individual does not have a PCEHR they will not gain the benefits that making their health information more easily accessible by their healthcare providers would achieve. However, it would in no way affect their eligibility for health services. As described in option 3A, individuals who want to access their PCEHR and exercise their access controls would need to go through an identity verification process. Table 9 identifies the total cost for individuals in trial regions to obtain access to their PCEHR.

Estimated time taken for individual to obtain access [30]    11 minutes
Individual leisure time [31]                                 $27/hour
Average cost per application                                 $4.86
Number of individuals obtaining access [32]                  99,000
Total regulatory cost for individuals                        $481,140

[24] Advice provided by Department of Human Services which manages the individual registration process
[25] Figure provided by the Office of Best Practice Regulation
[26] Based on current registration rates, it is expected that about 500,000 individuals will register each year which represents about 2.2% of the population. By applying this percentage to the 1,000,000 individuals to be part of the trials, it is expected that 22,000 individuals would otherwise register.
[27] The opt-out process has not been decided but is expected to be much simpler than the registration process since it will not require the same extent of identity verification because there is a significantly lower risk of a privacy breach.
[28] Figure provided by Office of Best Practice Regulation
[29] Based on 1 million individuals being opted in, minus 1% who choose to opt out
[30] This is expected to closely follow the identity verification undertaken in the current registration process so the current average registration time has been adopted.
[31] Figure provided by the Office of Best Practice Regulation
[32] Based on 990,000 individuals having a PCEHR


The PCEHR would enable healthcare providers who are treating individuals from the trial regions to make more informed decisions about an individual's care based on more complete information available in the individual's PCEHR. However it would likely see a negligible reduction in adverse medical events and the duplication of treatment and tests. With access to their key health information, individuals will be able to more actively participate in their own healthcare and will benefit somewhat from improved quality of healthcare and coordination of healthcare delivery. A PCEHR will be of particular benefit to individuals with chronic and complex conditions, older Australians, Indigenous Australians, mothers and newborn children, and individuals living in rural and regional areas, as they are more likely to access healthcare from numerous healthcare providers. The impact of improvements to individual usability is not yet determined so they cannot be quantified.

Impact on healthcare provider organisations

The regulatory burden on healthcare provider organisations that choose to register to participate in the PCEHR system would be unchanged, as described at option 1. The regulatory burden on individual providers who work in organisations participating in the PCEHR system would be unchanged, as described at option 1. Opt-out participation in trial regions would, to some degree, change the behaviour of the healthcare providers who treat those individuals. These healthcare providers would increasingly utilise the system and realise its benefits in terms of availability of healthcare information to improve healthcare quality and delivery, and may feel compelled to register with the system to meet patient demand. Participation for healthcare provider organisations would remain opt-in.
There would be an indirect impact on healthcare provider organisations in trial regions and those providing treatment to individuals in trial regions, since opt-out participation will increase the value of the PCEHR system for these providers. It is therefore likely that additional healthcare provider organisations would register during the trials. Until the trial regions are selected it is not possible to quantify how many additional organisations are likely to register so for the purpose of this proposal it is estimated that 50 additional organisations would register. The governance changes would not have a direct regulatory impact on healthcare providers and organisations. However integrating the services and ensuring more appropriate stakeholder representation would see improvements to the usability of the system and an increase to the confidence in the system by healthcare providers. This would likely lead to more healthcare provider organisations registering to participate in the system which, in itself, would impact organisations as described above.


Table 10 identifies the cost of additional organisations registering to participate in the PCEHR system.

Average time taken for organisation to register                             2.5 hours
Average salary of officer completing application [33]                       $175,000
Average cost per application                                                $220.50
Number of additional organisations registering [34]                         50
Total regulatory costs for additional organisations to apply to register    $11,025

[33] This takes into account a $100,000 salary plus other operating labour costs and overheads.
[34] Until the trial regions are selected it is not possible to quantify how many additional organisations are likely to register so for the purpose of this proposal it is estimated that 50 additional organisations would register.

This option would see negligible improvements to efficiency in the provision of health services. The impact of improvements to healthcare provider usability is not yet determined so they cannot be quantified.

Impact on software vendors

There is no regulatory impact on software vendors, as described at option 1.

Impact on Government

This option will impose some cost and burden on the Government, including the cost to undertake the communication campaigns and training, and to support an increase to the capacity of the system. The Government would gain negligible economic benefits through the health sector and individuals through: reducing hospital admissions; enabling improved individual care including better management of chronic disease; and enabling a more efficient healthcare system. The Government will continue to incur increasingly significant healthcare costs and will only begin realising the benefits of the PCEHR system, including a reduction in healthcare costs, when a majority of individuals have a PCEHR which will lead to an increase in the healthcare providers using the system.

7. CONSULTATION

The panel undertaking the PCEHR Review considered information from submissions invited from stakeholder groups, unsolicited feedback by interested parties and a series of interviews with key stakeholders. There is evidence of strong support for the opt-out model. There are specific user groups that could potentially see significant benefits from having an eHealth record, including people with chronic and complex conditions, the elderly, Aboriginal and Torres Strait Islander peoples, and mothers and newborns. An opt-out model would help resolve the difficult registration process and enable people to realise the benefits of an eHealth record.

In terms of governance, the Review identified that stakeholders have little confidence in the current PCEHR system for a range of reasons including a lack of transparency, usability, complexity, accountability and proportional representation of its governance.

The Department undertook a national consultation process from 18 July to 9 September 2014 involving clinicians, individual representative groups, jurisdictions, the IT industry and private health and indemnity insurers. Consultation sessions were held in all capital cities (except Darwin) and Alice Springs, and were led by senior officers of the Department. The consultations were aimed at obtaining stakeholder views on the intent of the PCEHR Review’s recommendations, any issues or risks for implementation and how these may be overcome.

The key messages from the consultations were:
  - broad support by individuals and providers for the concept of an opt-out national shared electronic health record;
  - the move to opt-out will need strong, effective communication about what it means in terms of privacy, security, and where they can get further advice;
  - healthcare providers support the move to opt-out as one of a range of things that need to happen to encourage adoption, including improvement in usability and content;
  - individuals consider provider participation should also be opt-out given the importance of their participation;
  - providers consider the minimum key content of a PCEHR is allergies, adverse events, a current medication list and transfer of care summaries, and pathology and diagnostic imaging results are very useful; and
  - key information in the PCEHR, such as medications, must be current and easy to find - the biggest concern is around current usability.
The consultations have informed the development of this proposal and the impact analyses, and they will also influence the system design, implementation schedule, and the planning for communication, education and risk management.

8. RECOMMENDATION

The recommended option is option 3B because:
  - it would achieve the Government’s objectives and would, in the long-term, have a positive impact on the reputation and usefulness of the system;
  - a majority of stakeholders support an opt-out model;
  - it would inform future decisions regarding approaches for the adoption of a national opt-out system and the delivery of communications, and education and training for healthcare providers.

While option 3B would see a short-term increase in the regulatory impact on individuals and healthcare provider organisations in trial regions, with a net cost of $412,245, it would provide valuable information that would enable the Government to increase participation in and meaningful use of the PCEHR system in a manner that appropriately targets and educates its audience, enhances confidence in the system and sees long-term savings.

Regulatory Burden and Cost Offsets Estimates Table

Option 2

Average annual regulatory costs (from business as usual)

Change in costs ($ million)   Business   Community organisations   Individuals   Total change in costs
Total, by sector              $0         $0                        $0.133        $0.133

Cost offset ($ million)       Business   Community organisations   Individuals   Total, by source
Agency                        $21.7      $0                        $0            -$21.7

Are all new costs offset? Yes, costs are offset
Total (Change in costs - Cost offset) ($ million) = -$21.567

This cost is offset by the regulatory savings of $21.7 million achieved by the National Industrial Chemicals Notifications and Assessment Scheme reforms.


Option 3A

Average annual regulatory costs (from business as usual)

Change in costs ($ million)   Business   Community organisations   Individuals   Total change in costs
Total, by sector              -$0.161    $0                        -$1.051       -$1.212

Cost offset ($ million)       Business   Community organisations   Individuals   Total, by source
Agency                        $0         $0                        $0            $0

Are all new costs offset? Deregulatory--no offsets required
Total (Change in costs - Cost offset) ($ million) = -$1.212

Option 3B

Average annual regulatory costs (from business as usual)

Change in costs ($ million)   Business   Community organisations   Individuals   Total change in costs
Total, by sector              $0.011     $0                        $0.401        $0.412

Cost offset ($ million)       Business   Community organisations   Individuals   Total, by source
Agency                        -$21.7     $0                        $0            -$21.7

Are all new costs offset? Yes, costs are offset
Total (Change in costs - Cost offset) ($ million) = -$21.288

This cost is offset by the regulatory savings of $21.7 million achieved by the National Industrial Chemicals Notifications and Assessment Scheme reforms.

9. IMPLEMENTATION AND REVIEW

New participation arrangements for individuals, a new governance framework and usability improvements are intended to take effect in stages, alongside a national education and communication campaign. A post-implementation review will be undertaken after the recommended changes have been in operation for a reasonable period of time.


STATEMENT OF COMPATIBILITY FOR A BILL THAT RAISES HUMAN RIGHTS ISSUES

Statement of Compatibility with Human Rights

Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011

Health Legislation Amendment (eHealth) Bill 2015

This Bill is compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.

Overview of the Bill

The Health Legislation Amendment (eHealth) Bill 2015 (the Bill) will amend the Personally Controlled Electronic Health Records Act 2012 (to be known as the My Health Records Act), Healthcare Identifiers Act 2010 (HI Act), Privacy Act 1988 (Privacy Act), Copyright Act 1968 (Copyright Act), Health Insurance Act 1973 (Health Insurance Act) and National Health Act 1953 (National Health Act).

As a national shared electronic health record system, the My Health Record system includes capacity to accept, store and share documents from and with participating healthcare provider organisations. The objective of the system is to address the fragmentation of information across the Australian health system and provide healthcare providers the information they need to inform effective treatment decisions. The system also gives individuals, and their representatives, online access to the information and documents in the system so they can view and manage their own health information. To support effective operation of the system, individuals and healthcare providers are uniquely identified using numbers assigned and managed as part of the Healthcare Identifiers Service (HI Service), a foundation service for the My Health Record system. The Bill seeks to improve the operation and management of the HI Service and the My Health Record system, focusing on increasing participation, meaningful use and usability.
The changes respond to recommendations from the Review of the Personally Controlled Electronic Health Record (PCEHR Review) and the Healthcare Identifiers Act and Service Review, and address issues identified in the early years of operating these systems. The Government’s response to the PCEHR Review includes changing the name of the personally controlled electronic health record system to the My Health Record system, strengthening governance arrangements, including the establishment of a new Australian Commission for eHealth, improving system usability and clinical content of My Health Records, and conducting trials of different participation arrangements for individuals, including opt-out. The Bill will enable opt-out participation arrangements for individuals to be trialled in selected regions. Under opt-out arrangements a My Health Record would be created for everyone unless they say they do not want one. Individuals will be able to view and manage their information in the My Health Record system and would retain the same patient controls that were developed in the PCEHR. While these trials are operating, the My Health Record system would continue to operate as an opt-in system (as it is currently) everywhere else in Australia. The Bill enables opt-out to be implemented nationally if the opt-out trial proves successful and the Government decides to implement opt-out nationally.


The privacy protections that apply to the system ensure individuals’ records are strongly protected. An ongoing work program is continually improving security, reducing risks and addressing threats in a rapidly changing cyber environment. Individuals can also control access to their My Health Record, allowing them to implement their personal healthcare provider access preferences. In order to better protect the sensitive information that can be contained in the My Health Record system, and to provide a more graduated framework for responding to inappropriate behaviour, the Bill would introduce new civil and criminal penalties and provide that enforceable undertakings and injunctions are available in both the My Health Record system and the HI Service. The Bill would also implement a revised mandatory data breach notification requirement for all participants in the system. This requirement would extend to registered healthcare provider organisations and registered contracted service operators, replacing the existing contractual obligation for those entities to notify breaches. Finally, the Bill reflects the Australian Law Reform Commission’s recommendations regarding the obligations of people who provide decision-making support.
Human rights implications

The Bill engages the following human rights:
  - right to health (Article 12(1) of the International Covenant on Economic, Social and Cultural Rights);
  - protection of privacy and reputation (Article 17 of the International Covenant on Civil and Political Rights, Article 22 of the Convention on the Rights of Persons with Disabilities and Article 16 of the Convention on the Rights of the Child);
  - right to an effective remedy (Article 2 of the International Covenant on Economic, Social and Cultural Rights);
  - right to a fair hearing and fair trial (Articles 14 and 15 of the International Covenant on Economic, Social and Cultural Rights);
  - rights of people with a disability (Article 12 of the Convention on the Rights of Persons with Disabilities);
  - protection of children and families (Articles 3, 5, 12 and 18 of the Convention on the Rights of the Child); and
  - freedom of expression (Article 19 of the International Covenant on Civil and Political Rights).

Right to health

Article 12(1) of the International Covenant on Economic, Social and Cultural Rights provides for a right to the enjoyment of the highest attainable standard of physical and mental health, which is to be realised progressively within the resources available. In its General Comment No. 14 (2000), the Committee on Economic, Social and Cultural Rights notes that information accessibility is an element of the right to health and that this includes "the right to seek, receive and impart information and ideas concerning health issues", without impairing the right to have health data treated confidentially.

The My Health Record system promotes the right to health by facilitating the sharing of information between healthcare providers and placing the individual at the centre of their healthcare. Access to patients’ health information through the My Health Record system supports healthcare providers to make quicker and safer treatment decisions and reduces repetition of information for patients and duplication of tests. Individuals are provided ready access to their own information, empowering them to make informed decisions about their healthcare. The current participation arrangements have not effectively encouraged use of My Health Records by individuals and subsequently healthcare providers, and are creating a barrier to achieving the benefits to health. The Bill makes amendments that are designed to promote use of the My Health Record system, improving the ability of the system to assist in the attainment of the right to health. Making the My Health Record system more useable and reliable is central to gaining the support and acceptance of healthcare providers and individuals, thereby leading to increased use and more effective and efficient provision of healthcare.

Protection of privacy and reputation

Article 17 of the International Covenant on Civil and Political Rights (ICCPR) prohibits arbitrary or unlawful interference with a person’s privacy. For interferences with privacy not to be ‘arbitrary’, they must be reasonable in the particular circumstances. Reasonableness, in this context, incorporates notions of proportionality to the end sought and necessity in the circumstances. This right is also reflected in Article 22 of the Convention on the Rights of Persons with Disabilities (CRPD) and Article 16 of the Convention on the Rights of the Child (CRC).
The Bill engages the right to privacy by allowing for disclosure of personal information to support the provision of effective healthcare to individuals and for management of the My Health Record system. Amended Part 3 of the HI Act authorises the collection, use and disclosure of healthcare identifiers, identifying information and other information relating to identifiers. The HI Service Operator can collect information about a person from various sources for the purpose of assigning them a healthcare identifier. The HI Service Operator can disclose the identifier to healthcare providers to assist them in communicating and managing health information. For example, a healthcare provider can use a patient’s healthcare identifier to access the patient’s My Health Record. The healthcare identifier can also be disclosed to other entities to assist in operating the My Health Record system and for aged care purposes. Amended Division 6 of Part 3 of the My Health Records Act relates to collection, use and disclosure of information for the purposes of the My Health Record system. Section 58 of this Division authorises the My Health Record System Operator to collect, use and disclose health information in an individual’s record, a core function of the system. Section 58A of this Division provides authority for information about individuals’ representatives to be shared for the purposes of the My Health Record system, allowing the relationships between individuals to be recorded and used in the system.


Along with the My Health Record System Operator, identifying information can be collected, used and disclosed by registered repository and portal operators, the Chief Executive Medicare, the Department of Veterans’ Affairs, the Department of Defence and the department responsible for aged care. The Minister has a regulation-making power to prescribe additional entities that are authorised to collect, use and disclose identifying information. Any regulations made for this purpose would be subject to Parliamentary scrutiny. Participation by these additional entities allows for a comprehensive and interconnected system drawing on multiple sources of information about an individual and connecting disparate data sets. The My Health Record system empowers individuals to manage their own health information. The system supports individuals to exercise their rights to control how their information is collected, used and disclosed. Individuals who have a My Health Record can control who can access their information and what information can be accessed, and can elect to be notified when someone accesses their My Health Record. Individuals can set the access controls on their My Health Record online or over the phone. They can limit which healthcare providers can access their My Health Record. They can nominate representatives, such as a friend or family members, to access the My Health Record and support them in managing their health information. They can effectively remove records that have been uploaded. They can also request an email or text message (SMS) be provided when particular events occur, such as if new information is included in their My Health Record or a new healthcare provider organisation accesses their My Health Record. Once they have a My Health Record an individual can cancel their registration. No new information will be collected about individuals if they cancel their registration.
Any information collected about that individual up to that point will no longer be shared with participating healthcare providers. If an individual cancels their registration they can choose to participate again at any time. The current participation arrangements, which require an individual to actively register, have proved ineffective in facilitating broad use of the My Health Record system and are considered a significant barrier to realising the benefits of the My Health Record system. Under the opt-out participation arrangements, individuals will be provided an opportunity to advise if they do not wish to participate (opt-out). The Bill allows for opt-out participation to be trialled in particular locations. This means My Health Records will be created for people living in a specified location unless they say they do not want one. Individuals in these locations will be provided information about the My Health Record system so they can make an informed decision about whether or not to participate. While the trials are underway the current opt-in arrangements will continue in other areas. If the opt-out trials are found to be successful in increasing participation and meaningful use of the My Health Record system, the Bill allows the opt-out arrangements to be extended to a national level. Increasing participation in the My Health Record system is intended to drive the use of My Health Records by healthcare providers as part of normal healthcare in Australia. Increased participation by individuals is anticipated to drive increased and meaningful use by healthcare providers. Combined with other measures to improve the usability of the system and the clinical content of My Health Records, if nearly all individuals have a My Health Record, healthcare providers will be more likely to commit to using and contributing to the My Health Record system, thereby increasing the utility of the system by increasing the amount of clinically valuable information. 
Without a significant increase in use, individuals, healthcare providers and the Australian community will not receive the health and economic benefits that could be gained through the My Health Record system. These benefits include quick and ready access to information about patients leading to improved and faster treatment decisions, better health outcomes and reduced duplication of tests as the results are more easily shared amongst healthcare providers. The Bill makes amendments so that if an individual is participating in the My Health Record system they would not need to consent for their health information to be provided to the My Health Record system by a registered repository operator. This will allow information from a wide range of sources to be included in the system. Examples include cancer screening registers which store the test results of individuals. Over time these registers could become repositories for the My Health Record system and an individual’s results incorporated into their My Health Record. An individual can effectively remove information from their My Health Record at any time if they so choose. Amended Parts 4, 5 and 6 of the My Health Records Act limit the circumstances in which an individual’s record can be accessed and their personal information collected, used and disclosed, and provide sanctions for unauthorised collection, use and disclosure of information. This is consistent with the current authorisations and limitations on the handling of personal information in an individual’s record. Information in the My Health Record system can generally only be collected, used or disclosed for provision of healthcare to the individual and management of the My Health Record system. Sharing and using information in this way is the primary purpose of the system. An audit trail of activity in relation to a My Health Record is kept by the System Operator and is available to the individual. This provides individuals transparent information about who has viewed their personal information.
The optional notifications available to individuals by email or text message (SMS) alert them when new information is included in the record or when new healthcare provider organisations access the record. Information in the My Health Record system can be used for other purposes identified in Part 4 of the My Health Records Act including if authorised by another law (section 65), for a law enforcement purpose (section 70) or ordered by a court or tribunal (section 69). These authorisations recognise that from time to time information in the My Health Record system will be relevant for significant decisions, such as investigation of a crime. This information cannot be disclosed arbitrarily and robust justification must be provided as to why the information is necessary. The My Health Record System Operator will continue to be able to prepare and provide de-identified data for research and public health purposes (paragraph 15(ma) of the My Health Records Act). This authority allows information in the My Health Record system to be used for the benefit of the whole Australian community such as assessment of treatment, identifying trends in disease prevalence and development of government policies. Individuals will not be personally identifiable from information used for this purpose. This authority has been in place since 2012 but a framework for preparation and release of data has not yet been developed. Information will not be used for this purpose until appropriate arrangements are in place to guide how data sets are prepared, who they can be used by and what they can be used for.


The amended HI Act provides that a person must not use or disclose healthcare identifiers or information collected for the purposes of the HI Service, except where authorised to do so. Criminal and civil penalties apply if this prohibition is breached. Amended section 75 of the My Health Records Act requires all data breaches be reported to the My Health Record System Operator and/or the Information Commissioner, ensuring that threats to privacy are detected and addressed early. Currently only entities that are or have been a registered repository operator or a registered portal operator are required to report data breaches to the My Health Record System Operator and the Information Commissioner. The My Health Record System Operator is required to notify breaches it is involved in to the Information Commissioner. Registered healthcare provider organisations and registered contracted service providers are not currently subject to this requirement but are instead obliged through contractual arrangements to report data breaches. The Bill will amend the My Health Records Act so all of these entities are subject to reporting requirements under legislation. The changes clarify and standardise data breach reporting for all participants, ensuring protection of individuals’ personal and health information, allowing steps to be taken to correct any breaches and, if necessary, allowing individuals to take steps to protect their privacy and safety.

Right to effective remedy

The Bill engages Article 2(3) of the ICCPR which guarantees that any person whose rights or freedoms, including the right to protection from arbitrary and unlawful interferences with privacy, are violated shall have an effective remedy determined by competent judicial, administrative or legislative authorities.
New Part 5A of the HI Act and amended Part 6 of the My Health Records Act authorise enforceable undertakings and injunctions to be put in place if a participant has violated another person’s privacy, performed an unauthorised act harming an individual, taken health information from the My Health Record system outside of Australia or failed to report a data breach. The My Health Record System Operator, the HI Service Operator and the Information Commissioner all have the power to accept an enforceable undertaking. An enforceable undertaking seeks to have a participant voluntarily agree to remedy any damage a breach has caused, such as making an apology or making a payment to an individual. It also seeks to ensure the participant changes their acts, practices, procedures or behaviours to ensure it complies with the law. If the undertaking is not complied with, the participant can be taken to court to enforce the undertaking. The undertaking can also be published on a website, generating public awareness of the breach and misconduct. For example, the My Health Record System Operator could request an enforceable undertaking from a registered repository operator that it would keep its software up-to-date if the operator had previously failed to maintain up-to-date software and this had posed a potential weakness in the security of the My Health Record system. The My Health Record System Operator, HI Service Operator and Information Commissioner can also apply to a court seeking an injunction. An injunction is a court order that requires a person to take, or refrain from taking, a particular action. For example, an injunction could be granted requiring a participant in the My Health Record system to update their IT security software before being able to access the system, or to prevent a repository operator taking My Health Record system information outside Australia.


A breach of the My Health Records Act or the HI Act will continue to be considered a breach of the Privacy Act, allowing the Information Commissioner to be able to investigate and make determinations. For an injunction to be granted, the Information Commissioner, My Health Record System Operator or HI Service Operator is required to apply to a court. The usual requirements for the grant of an injunction would apply. The Bill provides for the My Health Record System Operator and the Information Commissioner to make certain types of decisions, such as registration of individuals, portal and repository operators, and for people to be able to seek review of those decisions. Section 97 of the My Health Records Act continues to provide the opportunity for individuals to request reconsideration of decisions which affect them. If they are not satisfied by the outcome, they can progress matters to the Administrative Appeals Tribunal.

Right to a fair hearing and fair trial

The civil penalty provisions in the Bill, which in turn rely on the standard civil penalty provisions in the Regulatory Powers (Standard Provisions) Act 2014, may potentially engage the criminal process rights under Article 14 of the ICCPR, if the civil penalty provisions are classified as "criminal" under human rights law. Even though the Bill labels the provisions as civil penalties, this is not determinative and the nature and severity of the provisions must be assessed. Under the civil penalty provisions, proceedings are instituted by a public authority with statutory powers of enforcement in a court. A finding of culpability precedes the imposition of a penalty. This might make the penalties appear ‘criminal’ however this is not determinative. While the provisions are deterrent in nature, these penalties generally do not apply to the public at large.
Only a specific group of users, being healthcare providers and other participants in the My Health Record system with access to sensitive information will generally be impacted by these penalties. Further, the severity of the penalties is not too high, with the highest pecuniary penalty that can be imposed being only 600 units. This penalty is justified as the My Health Record system deals with privacy sensitive information and the misuse of this information needs to have proportionate penalties to the potential damage to healthcare recipients. In light of this analysis, the nature and application of the civil penalty provisions suggest that they should not be classed as criminal under human rights law. Only the Information Commissioner may seek the imposition of civil penalties, and this must be done via an application to a court. Matters can be considered by the Federal Court of Australia, Federal Circuit Court of Australia or certain courts of states or territories that will have jurisdiction. These arrangements ensure that the most serious matters are dealt with independently of the My Health Record System Operator and HI Service Operator. The Bill introduces criminal penalties, including imprisonment, for unauthorised collection, use or disclosure of information from the My Health Record system and holding or handling information outside of Australia (sections 59, 60 and 77). Potentially criminal behaviour would be referred to the Director of Public Prosecutions who would make an independent decision about whether or not to pursue criminal penalties via the courts. These arrangements ensure that the most serious matters are dealt with independently of the My Health Record System Operator and HI Service Operator. Hearings in relation to these matters would be heard by the Federal Court of Australia, Federal Circuit Court of Australia or certain courts of state and territories that will have jurisdiction. 
The criminal penalties will align across the HI Act and My Health Records Act.


Rights of people with a disability

The representative arrangements proposed in the amended section 7A of the My Health Records Act engage the right of persons with disabilities to enjoy legal capacity on an equal basis with others under Article 12 of the Convention on the Rights of Persons with Disabilities (CRPD). Consistent with Article 12, people with a disability are provided equal opportunity to participate in the My Health Record system and make decisions about access to their personal information. Continuing current arrangements, authorised representatives can support people to interact with the My Health Record system and act on behalf of the individual if they are unable to act for themselves. These arrangements allow for people with a disability to participate in the My Health Record system, control access to their personal information and withdraw participation in the My Health Record system if they choose to do so. This functionality also supports Article 22 of the CRPD protecting the privacy of people with a disability. The Bill shifts the duty of authorised representatives from being required to act in the ‘best interests’ of an individual, to a duty to give effect to the ‘will and preferences’ of the individual. This change realises the principle that people with disability have an equal right to make decisions and to have those decisions respected, and is consistent with recommendations of the Australian Law Reform Commission in its 2014 report entitled Equality, Capacity and Disability in Commonwealth Law. If it is not possible to ascertain an individual’s will and preferences, reasonable efforts must be made to ascertain likely will and preferences (including through consultation with relevant people in the person’s life).
Where will or preferences cannot be ascertained, or giving effect to the individual‟s will or preferences would pose serious risk to the individual‟s personal or social wellbeing, the authorised representative is required to act in a manner to promote the personal and social wellbeing of the individual. The duty to promote personal and social wellbeing is consistent with the duty imposed on nominees under the National Disability Insurance Scheme Act 2013. Failure of an authorised representative to meet these duties may result in their appointment being suspended or cancelled, or access to the individual‟s My Health Record being blocked under the My Health Records Rules (currently the PCEHR Rules 2012). Protection of children and families The Bill engages: Article 3 of the Convention on the Rights of the Child (CRC), providing appropriate legislative measures, supported by administrative arrangements, for children to participate in the system and for parents, or other legal guardians, to act on the child‟s behalf; Article 3 of the CRC, requiring the child‟s representatives to ascertain and to give effect to the will and preferences of the child; Article 5 of the CRC, recognising the rights, responsibilities and duties of parents, legal guardians and extended family to exercise the rights of a child; 35


- Article 18 of the CRC, recognising both parents or any other legal guardians as having shared responsibility and allowing them equal opportunity to act on behalf of a child in relation to the My Health Record system; and
- Article 12 of the CRC, assuring children who are capable of forming their own views are able to express those views and their views are given due weight.

The existing arrangements allowing parents or other appropriate people to act on behalf of a child (section 6 of the My Health Records Act) are not affected by the Bill. That Act recognises parental responsibility consistent with the Family Law Act 1975. A child's representative can register them for a My Health Record and, supporting Article 16 of the CRC, the privacy of children is protected as representatives such as parents and legal guardians can set the privacy controls such as removing information or restricting access to content. Under opt-out participation arrangements representatives will also be able to withdraw the child from participation. More than one person can act on behalf of a child, allowing both parents and multiple guardians to make decisions in relation to the My Health Record.

The My Health Records Act continues to allow a child who is capable of making decisions for themselves to take control of their My Health Record, set access controls or cancel their registration (if already registered) if they choose to do so. The Bill will enable a child who is capable of making decisions for themselves to, like other individuals, opt themselves out of registration in the My Health Record system. Under subsection 6(3) of the My Health Records Act a person cannot act on behalf of the child if the child wants to manage their own record and is capable of making decisions for themselves.

As with representatives for people with a disability, the Bill shifts the duty of authorised representatives for children from being required to act in the 'best interests' of an individual, to a duty to give effect to the 'will and preferences' of the individual. This change realises the principle that children with appropriate maturity have an equal right to make decisions and to have those decisions respected, and is consistent with recommendations of the Australian Law Reform Commission in its 2014 report entitled Equality, Capacity and Disability in Commonwealth Law.

Freedom of Expression

The objective of the My Health Record system is to address information fragmentation by allowing a person to more easily access their own health information and make their health information securely accessible to healthcare providers involved in their care. This objective promotes the freedom of expression, facilitating individuals receiving information regarding their health and sharing that with their healthcare providers.

While individuals can share their personal information as they see appropriate, healthcare providers, the My Health Record System Operator, the HI Service Operator and other participants in the My Health Record system are restricted in how and when they can use and share information in the My Health Record system. These restrictions protect the privacy of individuals and identify the primary purposes of the My Health Record system as supporting individual's healthcare. Trust and confidence in the My Health Record system is paramount to engagement and participation in the My Health Record system. Without restricting when information can be accessed and used, people would not be willing to share their information through this system.


Conclusion

The Bill provides effective remedies for misuse of sensitive information and presents a contemporary approach to representation for children and people with a disability. The My Health Record system continues to provide opportunities for individuals to exercise their right to control how their information is collected, used and disclosed. The wide uptake of My Health Records achieved through opt-out participation will facilitate the My Health Record system becoming an integral part of the Australian health system leading to more effective healthcare and a more sustainable health system.

The Bill is compatible with human rights to the extent that it promotes certain rights, and that for those rights it limits, the limitation is reasonable, necessary and proportionate.

Minister for Health and Minister for Sport, the Hon Sussan Ley, MP


HEALTH LEGISLATION AMENDMENT (eHEALTH) BILL 2015

NOTES ON CLAUSES

For the convenience of readers, these notes will refer to the personally controlled electronic health record (PCEHR), the PCEHR system and the Personally Controlled Electronic Health Records Act 2012 (PCEHR Act) as the My Health Record, the My Health Record system and the My Health Records Act 2012.

Clause 1 Short title

Clause 1 provides that the Health Legislation Amendment (eHealth) Bill (the Bill), once enacted, will be cited as the Health Legislation Amendment (eHealth) Act 2015.

Clause 2 Commencement

This clause specifies when different parts of the Bill, once enacted, will commence. Clauses 1 to 3, and Schedules 1 to 3, of the Bill will commence upon Royal Assent. However, application provisions in Part 2 of Schedule 1 will mean that some provisions in Schedules 1 to 3 will not apply until a later time fixed by proclamation. Having certain provisions apply only after a proclaimed date is necessary as those provisions should not take effect until either:
- the Department has notified stakeholders of changes that will affect them, and updated its public material about the My Health Record system - Part 2 of Schedule 1 describes that a proclamation will prescribe an application day on which these amendments will take effect, or if that day does not occur within six months of the day Schedule 1 commences (the day the Act receives Royal Assent), these amendments will start immediately after the six month period; or
- the Australian Commission for eHealth has been established and prescribed as the System Operator - Part 2 of Schedule 1 describes that a proclamation will prescribe a governance restructure day on which these amendments will take effect. If that day is not prescribed, these amendments will not commence.

Schedule 4 contains further consequential amendments which commence at various specified times.

Clause 3 Schedule

Each Act that is specified in a Schedule to this Bill is amended or repealed as set out in the applicable items in the Schedule concerned, and any other item has effect according to its terms.

SCHEDULE 1--HEALTHCARE IDENTIFIERS AND HEALTH RECORDS

Schedule 1 amends the Copyright Act 1968 (Copyright Act), Healthcare Identifiers Act 2010 (HI Act), PCEHR Act and Privacy Act 1988 (Privacy Act).


PART 1--AMENDMENTS

Part 1 makes amendments primarily in relation to the handling of healthcare identifiers and the information flows relating to the My Health Record system (previously known as the personally controlled electronic health record or PCEHR system). It includes changes that allow an opt-out My Health Record system to be trialled.

Copyright Act 1969

Item 1 After section 44BA

The My Health Record system enables registered healthcare provider organisations to upload documents containing health information to individuals' My Health Records, such as reports, specialist letters, pathology and diagnostic imaging results and shared health summaries. In the future, health records containing sound recordings (such as a recording of a heart beat) and cinematograph films (such as a three dimensional MRI video of a patient's heart functioning) may also be uploaded to the My Health Record. Amendments made by this Bill will also allow registered repository operators to make available health records they hold as part of an individual's My Health Record (new section 50D refers).

Currently, healthcare provider organisations that register to participate in the My Health Record system grant a licence to the System Operator to use, reproduce, copy, modify, adapt, publish and communicate health records they upload for the purposes of providing healthcare and the My Health Record system. That licence includes the right for the System Operator to sub-license other healthcare provider organisations and participants in the system, so that health records can be shared as part of providing healthcare and for other system purposes. Under existing arrangements, all healthcare provider organisations are sub-licensed in a participation agreement (contract) when they register with the System Operator to join the My Health Record system.

As part of measures to reduce the regulatory burden on healthcare provider organisations, the registration process will be simplified and the need to enter into participation agreements will be removed. As it will no longer be possible to rely on contractual licences in participation agreements, an exception to copyright infringement is to be placed in the Copyright Act to ensure that sharing and use of health records does not infringe any copyright that might subsist in health records.

However, sharing and use of health records does not just occur in the My Health Record system. To enable the provision of healthcare, it is important that the exception to infringement continues to operate in relation to a health record even after it has been downloaded from the My Health Record. This is because, for example, the record might be downloaded by a registered healthcare provider but then passed on to a treating specialist who may not be registered with the My Health Record system. That specialist also needs to be able to use and share the health record for the purposes of providing healthcare without infringing any copyright that might subsist in the record. Outside the My Health Record system, healthcare providers have generally relied on implied licences to share and use health records that might be subject to copyright.

Item 1 inserts new section 44BB into Part III, Division 3 of the Copyright Act to specify that a copyright in a work is not infringed by an act comprised in the copyright in the work if the act is done, or authorised to be done:


- under subparagraph (i), for a purpose for which the collection, use or disclosure of health information is required or authorised under the amended My Health Records Act. This will allow for the collection, use and disclosure of works to, in and from the My Health Record system, for the provision of healthcare and other permitted purposes of the My Health Records Act, without infringing any copyright that might subsist in the works;
- under subparagraph (ii), in circumstances in which a permitted general situation exists under item 1 of the table in subsection 16A(1) of the Privacy Act, or would exist if the act were done, or authorised to be done, by an entity that is an APP entity for the purposes of the Privacy Act. This exception is intended to ensure that there is no copyright infringement where a work is used in situations where the collection, use and disclosure of personal information is authorised under the Privacy Act in cases of a serious threat to the life, health or safety of an individual or to public health or safety. Given that not all entities that need to rely on the serious threat to the life, health or safety of an individual or to public health or safety authorisation will be APP entities for the purposes of the Privacy Act, subparagraph (ii) makes it clear that it also applies in circumstances that "would exist if the act were done, or authorised to be done, by an entity that is an APP entity";
- under subparagraph (iii), if the circumstances constitute a permitted health situation under the Privacy Act (noting the new circumstances inserted by item 109 of Schedule 1) - this exception to copyright infringement also applies whether or not the entity taking the action is subject to the Privacy Act; or
- under subparagraph (iv) for any other purpose relating to healthcare, or the communication or management of health information, prescribed by the regulations made under the Copyright Act.

No regulations are planned to support the My Health Record system at this time. However, innovation and technology are constantly changing, as is the delivery of health services. Therefore, flexibility is needed and the ability to prescribe other purposes relating to healthcare or the communication or management of health information is necessary to ensure that the exception to copyright infringement operates as intended to facilitate the provision of healthcare including as part of the My Health Record system. This regulation-making power is intended only as a safety net to address any unforeseen circumstances and will operate in a narrow set of circumstances as regulations can only be made for purposes relating to healthcare or the communication or management of health information.

Under paragraph (b), section 44BB only applies to works:
- that are substantially comprised of health information; or
- where the work allows for the storage, retrieval or use of health information and it is reasonably necessary to do the act, or authorise it to be done, in circumstances that would otherwise infringe copyright in the work.

This paragraph is designed to restrict the scope of the exception to health information as defined in the My Health Records Act and a limited class of other works that allow for the storage, retrieval or use of the health record - for example, a computer program that may accompany a digital 3D diagnostic image and which allows the image to be viewed on a treating healthcare provider's IT system.


"Works" are defined in the Copyright Act as including literary works (such as written health records) and artistic works (such as diagnostic still images, x-rays, etc.).

Section 44BB will apply to all works made on or after the application day. The exception is not intended to effect an acquisition of property or otherwise affect ownership of any copyright that might exist in a work. Rather, the exception merely provides that it is not an infringement of copyright to do specified things related to the provision of healthcare, including as part of the My Health Record system.

It will be a condition of the registration of healthcare provider organisations and repository operators under the My Health Records Act that such organisations and operators do not upload or make works available to the My Health Record system that are made before the application day if to do so would breach copyright. Refer to items 78 to 79 for works that are created before this amendment in item 1 commences.

Item 2 After section 104B

Health records may include sound recordings and cinematograph films. For example, a recording of a person's breathing for their treatment as a chronic asthmatic, or an ultrasound of a foetus for the treatment of a prenatal condition.

Item 2 inserts new section 104C into Part IV of the Copyright Act which will apply to sound recordings and cinematograph films. It specifies that a copyright in a sound recording or cinematograph film is not infringed by an act comprised in the copyright in the work if the act is done, or authorised to be done:
- under subparagraph (i), for a purpose for which the collection, use or disclosure of health information is required or authorised under the amended My Health Records Act. This will allow for the collection, use and disclosure of sound recordings and cinematograph films to, in and from the My Health Record system, for the provision of healthcare and other permitted purposes of the My Health Records Act, without infringing any copyright that might subsist in the health information;
- under subparagraph (ii), in circumstances in which a permitted general situation exists under item 1 of the table in subsection 16A(1) of the Privacy Act, or would exist if the act were done, or authorised to be done, by an entity that is an APP entity for the purposes of the Privacy Act. This exception is intended to ensure that there is no copyright infringement where a work is used in situations where the collection, use and disclosure of personal information is authorised under the Privacy Act in cases of a serious threat to the life, health or safety of an individual or to public health or safety. Given that not all entities that need to rely on the serious threat to the life, health or safety of an individual or to public health or safety authorisation will be APP entities for the purposes of the Privacy Act, subparagraph (ii) makes it clear that it also applies in circumstances that "would exist if the act were done, or authorised to be done, by an entity that is an APP entity";
- under subparagraph (iii), if the circumstances constitute a permitted health situation under the Privacy Act (noting the new circumstances inserted by item 109 of Schedule 1) - this exception to copyright infringement also applies whether or not the entity taking the action is subject to the Privacy Act; or


- under subparagraph (iv) for any other purpose relating to healthcare, or the communication or management of health information, prescribed by the regulations made under the Copyright Act.

No regulations are planned to support the My Health Record System at this time. However, innovation and technology are constantly changing, as is the delivery of health services. Therefore, flexibility is needed and the ability to prescribe other purposes relating to healthcare or the communication or management of health information is necessary to ensure that the exception to copyright infringement operates as intended to facilitate the provision of healthcare including as part of the My Health Record system. This regulation-making power is intended only as a safety net to address any unforeseen circumstances and will operate in a narrow set of circumstances as regulations can only be made for purposes relating to healthcare or the communication or management of health information.

Under paragraph (b), section 104C only applies to sound recordings or cinematograph films:
- that are substantially comprised of health information; or
- where the sound recording or cinematograph film allows for the storage, retrieval or use of health information and it is reasonably necessary to do the act, or authorise it to be done, in circumstances that would otherwise infringe copyright in the work.

This paragraph is designed to restrict the scope of the exception to health information as defined in the My Health Records Act and a limited class of other sound recordings or cinematograph films that allow for the storage, retrieval or use of the health record.

New section 104C applies to any sound recording or cinematograph film that is created on or after the application day. It is not intended to effect an acquisition of property or otherwise affect ownership of any copyright that might exist in a sound recording or cinematograph film. Rather, new section 104C provides that it is not an infringement of copyright to do specified things related to the provision of healthcare, including as part of the My Health Record system.

It will be a condition of the registration of healthcare provider organisations and repository operators under the My Health Records Act that such organisations and operators do not upload or make available sound recordings or cinematograph films made before the application day where to do so would breach copyright. Refer to items 78 to 79 for material that is created before this amendment commences.

Healthcare Identifiers Act 2010

"For the purposes of the My Health Record system"

In both the HI Act and the My Health Records Act, a number of the authorisations allow collection, use or disclosure of information "for the purposes of the My Health Record system". Amongst other things, the purposes of the My Health Record system will require consideration of the System Operator's functions under section 15 of the My Health Records Act, the purposes and objects of the My Health Records Act, and the powers and obligations of the System Operator and other participants in the My Health Record system.


Items 3, 29, 34, 37, 41, 43, 44 and 47

It is now common practice to include simplified outlines in Acts. These outlines are intended to assist readers to understand the intent of provisions and apply them. The HI Act does not currently include any simplified outlines. These items insert simplified outlines for the HI Act, providing a high level description of what is contained in each Part of the Act and serving as a directory to the whole of the Act.

Items 4-25 Section 5

Section 5 of the HI Act defines certain terms used in the HI Act. Items 4 to 25 make amendments to several definitions, or insert or remove definitions, as a result of other amendments being made by this Bill. Changes include:
- defining Australian law and court/tribunal order in relation to the collection, use or disclosure of Healthcare Provider Directory information (item 42 refers) to ensure they align with the Privacy Act and the Regulatory Powers Act;
- defining authorised representative and nominated representative for the purposes of new sections 15, 17 and 20 (item 34 refers) to ensure they align with the My Health Records Act;
- defining civil penalty provision as a result of establishing a civil penalty framework in the HI Act (item 43 refers) to align with the Regulatory Powers (Standard Provisions) Act 2014;
- defining linked in relation to a healthcare provider's relationship to an organisation for the purposes of the Healthcare Provider Directory (items 41 and 42 refer);
- revising Ministerial Council to recognise that the National Partnership Agreement on E-Health to which the definition made reference has expired, and to provide future flexibility for changes to the responsible senior body - at the time of writing, the Council of Australian Governments Health Council is the relevant Ministerial Council;
- updating network, network organisation, organisation maintenance officer, responsible officer and seed organisation to correctly cross reference with the amended provisions at new section 9A (item 31 refers);
- defining personal information for the purposes of new and amended sections 25E, 26, 29 and 31 (items 34, 36, 38 to 40 and 42 refer) to ensure it aligns with the Privacy Act;
- changing Personally Controlled Electronic Health Records Act to My Health Records Act to reflect the changes made by Schedule 2 of this Bill;
- defining Regulatory Powers Act for the purpose of new provisions that trigger provisions of the Regulatory Powers (Standard Provisions) Act 2014 to allow for civil penalties, enforceable undertakings and injunctions (see item 43);
- revising service operator to reflect the new provision inserted by item 26; and


- removing terms that are no longer used:
  o data source which is no longer necessary because of the new style in which authorisations are prescribed;
  o Medicare Benefits Program, medicare program and Pharmaceutical Benefits Program which are no longer necessary because of the new style in which authorisations are prescribed;
  o professional and business details which is no longer necessary because this information is now detailed as part of new subsection 31(3) (item 42 refers); and
  o public body which is no longer necessary.

Item 26 After section 5

This item inserts new section 6 to define that the HI Service Operator is either the Chief Executive Medicare (as is the case at present) or a body specified in regulations. While there is presently no intention to make another entity the HI Service Operator, this amendment provides future flexibility should there be a government decision to make a different entity the HI Service Operator. The same flexibility is already provided in section 14 of the My Health Records Act in relation to the identity of the My Health Record System Operator.

As a result of the words "... a body established by a law of the Commonwealth ..." (emphasis added), the identity of a new HI Service Operator is limited to statutory bodies formed under a Commonwealth law. This would preclude, for example, a company formed under the Corporations Act 2001 from being prescribed as the HI Service Operator. This will ensure that if a decision is made in the future to change the identity of the HI Service Operator, the new Service Operator will have the same standards of accountability as the current HI Service Operator.

Items 27-28 Section 7

These items amend section 7 to specify additional information as identifying information for the purposes of the HI Service and the My Health Record system.
Subsections 7(1) and 7(2) specify the information about an individual healthcare provider and healthcare provider organisation respectively that is identifying information and therefore can only be collected, used or disclosed for authorised purposes. These subsections also provide that regulations can be made prescribing additional information as identifying information. The Healthcare Identifiers Regulations 2010 (HI Regulations) currently specify that, among other things, a provider's or organisation's email address, telephone number and fax number are identifying information (regulation 5). Item 27 simply inserts a new paragraph (ba) in each subsection to include this additional information to align with the equivalent definitions in current section 9 of the My Health Records Act. The HI Regulations will be amended to remove this information accordingly.

Subsection 7(3) specifies the information about a healthcare recipient that is identifying information and therefore can only be collected, used or disclosed for authorised purposes. Unlike subsections 7(1) and (2), it does not currently provide that regulations can be made to prescribe additional information as identifying information. Item 28 inserts a new paragraph (i) which will allow such regulations to be made. This aligns with the rest of section 7 and with a corresponding change to the My Health Records Act (item 65 refers).

Item 30 Subsection 9(6)

Subsection 9(6) currently states that a healthcare identifier is a government identifier for the purposes of the Privacy Act which means that they are subject to certain restrictions. Item 30 amends the subsection to provide that only healthcare identifiers for healthcare recipients and individual healthcare providers are government identifiers. This makes clear that healthcare identifiers for healthcare provider organisations are not government identifiers.

Item 31 Section 9A

Section 9A currently defines the different classes of healthcare provider that may be assigned a healthcare identifier, distinguishing between types of individual healthcare providers and healthcare provider organisations. Item 31 replaces the section with a new section 9A to simplify the provisions relating to seed and network organisations, and the characteristics needed for an employee to be a responsible officer or an organisation maintenance officer. Most parts of new section 9A have the same effect as current section 9A of the HI Act.

New subsection 9A(1) specifies that the Service Operator may assign healthcare identifiers to individual healthcare providers registered by registration authorities as a member of a healthcare profession - for example, a medical practitioner or a nurse registered by the Australian Health Practitioner Regulation Agency (AHPRA) under the National Law. The subsection also permits the Service Operator to assign healthcare identifiers to individual healthcare providers that are members of professional associations that meet specified criteria.

New subsection 9A(2) specifies that the Service Operator may assign healthcare identifiers to healthcare provider organisations that are either seed organisations, or are not part of a "network" (see new subsection 9A(4)), provided that the organisation meets the criteria specified in paragraphs (a) to (c).

New subsection 9A(3) specifies that the Service Operator may assign healthcare identifiers to healthcare provider organisations that are network organisations, provided that the organisation meets the criteria specified in paragraphs (a) to (d).

New subsection 9A(4) specifies when a healthcare provider organisation will be part of a "network". In summary, a network of healthcare provider organisations is a group of two or more healthcare provider organisations that satisfy one of the two criteria in paragraphs (a) and (b).

New subsections 9A(5) and (6) describe seed organisations and network organisations. In summary:
- a seed organisation is a healthcare provider organisation that is at the head of a network; and


- a network organisation is any healthcare provider organisation, other than a seed organisation, that is part of a network.

New subsections 9A(7) and (8) set out the characteristics that a person must have to be a responsible officer and an organisation maintenance officer respectively. It should be noted that these two subsections merely specify the minimum characteristics that individuals must have in order to be responsible officers and organisation maintenance officers. The provisions do not limit the functions that responsible officers and organisation maintenance officers may perform. For example, a healthcare provider organisation might nominate an individual to be its responsible officer and also authorise the person to carry out any of the functions that an organisation maintenance officer would usually perform - this is a matter for the healthcare provider organisation. There is nothing in the amended legislation that would prevent, for example, a responsible officer carrying out tasks that are specified under new subsection 9A(8), even if the responsible officer had not separately applied to the HI Service Operator to be an organisation maintenance officer.

As before, a responsible officer of a seed organisation is also the responsible officer of any network organisation of the seed organisation, meaning that there will only be one responsible officer for a network of healthcare provider organisations. A responsible officer can delegate their powers and duties without assigning a replacement responsible officer or ceasing to be the responsible officer.

Item 32 Section 10

Section 10 deals with the HI Service Operator's obligation to keep a record of healthcare identifiers and related information such as requests for healthcare identifiers. Item 32 simply updates references to Division numbers to reflect changes being made by this Bill.

Item 33 Part 3 (heading)

Item 33 replaces the heading of Part 3 to make clear that Part 3 deals not only with the use and disclosure of healthcare identifiers and other information, but also with the collection of healthcare identifiers and other information.

Item 34 Divisions 1, 2, 2A and 3 of Part 3

Divisions 1, 2, 2A and 3 currently authorise the collection, use and disclosure of healthcare identifiers and other information and are grouped according to type of information or entity taking the action. Some of these provisions have proven to be ambiguous and many are not set out as clearly and simply as would be ideal. This has led to some confusion about whether certain actions are or are not authorised. Item 34 replaces these with restructured provisions to make clear how and why healthcare identifiers and other information can be used, and by whom. It inserts new Divisions 1, 2 and 3.

New Division 1 provides a simplified outline for Part 3 of the HI Act as previously described.

New Division 2 sets out the authorisations related to the collection, use and disclosure of healthcare identifiers and other information relating to healthcare recipients.


To help readers understand what changes are being made by this amendment, the authorisations are set out in the following table with either a reference to existing equivalent authorisations or with an explanation of why the new authorisation is required.

Columns: New section no. | Table item no. | Authorisation | Existing section number or reason for new authorisation

Assigning a healthcare identifier to a healthcare recipient (new section 12)

New section 12, table item 1
Authorisation: An identified healthcare provider may use and disclose to the HI Service Operator a healthcare recipient's identifying information for the purpose of assisting the HI Service Operator to assign a healthcare identifier to the healthcare recipient.
Existing section number or reason for new authorisation: HI Act: 11(1). Disclosure is currently authorised under existing subsection 11(1), but use is not as reliance was placed on existing privacy laws for this. Use is now included in the authorisation to clarify the situation and ensure all necessary authorisations are in one place.

New section 12, table item 2
Authorisation: The Chief Executive Medicare, Veterans' Affairs Department and Defence Department may use and disclose to the HI Service Operator a healthcare recipient's identifying information for the purpose of assisting the HI Service Operator to assign a healthcare identifier to the healthcare recipient.
Existing section number or reason for new authorisation: HI Act: 12(1) and 12(2). Disclosure is currently authorised, but use is not as reliance was placed on existing privacy laws for this. Use is now included in the authorisation to clarify the situation and ensure all necessary authorisations are in one place.

New section 12, table item 3
Authorisation: The HI Service Operator may collect from an identified healthcare provider, the Chief Executive Medicare, the Veterans' Affairs Department and the Defence Department, and use, a healthcare recipient's identifying information for the purpose of assigning a healthcare identifier to a healthcare recipient.
Existing section number or reason for new authorisation: HI Act: 11(2) and 12(3).
Keeping a record of healthcare identifiers and related information (new section 13)

New section 13, table item 1
Authorisation: Any entity that has access to a healthcare recipient's healthcare identifier may use and disclose to the HI Service Operator that healthcare identifier or information that relates to that healthcare identifier for the purposes of assisting the service operator to establish and maintain a record mentioned in section 10.
Existing section number or reason for new authorisation: This clarifies the collection, use and disclosure authorisations needed for the service operator to establish and maintain a record of healthcare identifiers assigned and other matters under section 10 of the HI Act.

New section 13, table item 2
Authorisation: The HI Service Operator may collect from any entity as referred to in item 1 above, and use, the healthcare identifier of a healthcare recipient and information that relates to that healthcare identifier for the purposes of assisting the service operator to establish and maintain a record mentioned in section 10.
Existing section number or reason for new authorisation: This clarifies the collection, use and disclosure authorisations needed for the service operator to establish and maintain a record of healthcare identifiers assigned and other matters under section 10 of the HI Act.


Providing healthcare to a healthcare recipient (new section 14)

New section 14(1), table item 1
Authorisation: An identified healthcare provider may use and disclose to the HI Service Operator a healthcare recipient's identifying information for the purpose of assisting the HI Service Operator to disclose the healthcare recipient's healthcare identifier to the healthcare provider.
Existing section number or reason for new authorisation: HI Act: 16(1). Disclosure is currently authorised, but use is not, as reliance was placed on existing privacy laws for this. Use is now included in the authorisation to clarify the situation and ensure all necessary authorisations are in one place.


New section 14(1), table item 2
Authorisation: The HI Service Operator may collect from an identified healthcare provider, use and disclose to an identified healthcare provider a healthcare recipient's identifying information for the purpose of disclosing the healthcare recipient's healthcare identifier to the healthcare provider.
Existing section number or reason for new authorisation: HI Act: 16(2). Collection and use of identifying information is currently authorised but disclosure is not. Disclosure is now authorised to assist the healthcare provider to correctly match a healthcare recipient to their healthcare identifier.

Experience over the last five years indicates that there is about a 20% failure rate when attempting to identify an individual's healthcare identifier based on information provided by a healthcare provider organisation. This failure rate is frequently due to minor typographical errors, differing naming conventions (e.g. Jo vs Joanne) listed against an individual by either the provider or by the HI Service Operator. This level of failure is resulting in a significant issue in that individuals cannot be correctly linked to their healthcare identifiers, preventing them obtaining many of the benefits of eHealth and the My Health Record system.

Many of these failures could be overcome if the Service Operator were authorised to disclose limited identifying information about an individual back to the healthcare provider organisation seeking the individual's healthcare identifier. Under this authorisation, the Service Operator will only disclose information about the individual (not about third parties) and only where the Service Operator is confident they have identified the correct healthcare recipient - e.g. there might be a small typographical error in the first name of the person whose details have been provided by a healthcare provider.

The Service Operator will develop policies to minimise risks associated with disclosure of identifying information to organisations seeking an individual's healthcare identifier.


New section 14(1), table item 3
Authorisation: The HI Service Operator may use and disclose to an identified healthcare provider a healthcare recipient's healthcare identifier for the purpose of assisting the healthcare provider to communicate or manage health information as part of providing healthcare to the healthcare recipient.
Existing section number or reason for new authorisation: HI Act: 17(1).

New section 14(1), table item 4
Authorisation: An identified healthcare provider may collect from the HI Service Operator a healthcare recipient's healthcare identifier for the purpose of communicating or managing health information as part of providing healthcare to the healthcare recipient.
Existing section number or reason for new authorisation: HI Act: 17(2).

New section 14(1), table item 5
Authorisation: A healthcare provider may use and disclose to another entity a healthcare recipient's healthcare identifier for the purpose of communicating or managing health information as part of: the provision of healthcare to the healthcare recipient; the management (including investigation or resolution of complaints), funding, monitoring or evaluation of healthcare; the provision of indemnity cover for a healthcare provider; or the conduct of research that has been approved by the Human Research Ethics Committee.
Existing section number or reason for new authorisation: HI Act: 24(1).

New section 14(1), table item 6
Authorisation: An entity to whom a healthcare recipient's healthcare identifier is disclosed as specified in item 5 above may collect, use and disclose a healthcare recipient's healthcare identifier for the purpose for which it was disclosed to the entity.
Existing section number or reason for new authorisation: HI Act: 24(2) and (3).
New section 14(2), table item N/A
Authorisation: Section 14 does not authorise the collection, use or disclosure of a healthcare recipient's healthcare identifier for the purpose of communicating or managing health information as part of underwriting a contract of insurance that covers the healthcare recipient; determining whether to enter into a health insurance contract that covers the healthcare recipient (whether alone or as a member of a class); determining whether a contract of insurance covers the healthcare recipient in relation to a particular event; or employing a healthcare recipient.
Existing section number or reason for new authorisation: HI Act: 24(4).


My Health Record purposes (new section 15)

New section 15, table item N/A
Authorisation: The HI Service Operator may collect, use and disclose identifying information about, or a healthcare identifier of: a healthcare recipient; an authorised representative; or a nominated representative, for the purposes of the My Health Record system.
Existing section number or reason for new authorisation: HI Act: 19A, 19B and 19C. HI Regulations: 15(1). The collection, use and disclosure by the HI Service Operator was authorised but only in limited circumstances to the System Operator, the Chief Executive Medicare, other Departments and a participant in the My Health Record System. To ensure the My Health Record system has the necessary legislative authorities, disclosure has been broadened so long as it is for the purposes of the My Health Record system.

Aged care purposes (new section 16)
(These authorisations were included in the HI Act as parts of the amendments made by the Aged Care And Other Legislation Amendment Act 2014)

New section 16, table item 1
Authorisation: An identified healthcare provider may disclose to the Aged Care Department a healthcare recipient's identifying information for an aged care purpose.
Existing section number or reason for new authorisation: HI Act: 12A(1).

New section 16, table item 2
Authorisation: The Aged Care Department may collect from an identified healthcare provider, use and disclose to an identified healthcare provider a healthcare recipient's identifying information for an aged care purpose.
Existing section number or reason for new authorisation: HI Act: 12A(2) and 12A(3)(b).

New section 16, table item 3
Authorisation: An identified healthcare provider may collect from the Aged Care Department and use a healthcare recipient's identifying information for an aged care purpose.
Existing section number or reason for new authorisation: HI Act: 12A(5).

New section 16, table item 4
Authorisation: The Aged Care Department may disclose to the HI Service Operator a healthcare recipient's identifying information for an aged care purpose.
Existing section number or reason for new authorisation: HI Act: 12(3)(a).

New section 16, table item 5
Authorisation: The HI Service Operator may collect from the Aged Care Department and use a healthcare recipient's identifying information for an aged care purpose.
Existing section number or reason for new authorisation: HI Act: 12A(4).
New section 16, table item 6
Authorisation: The HI Service Operator may use and disclose to the Aged Care Department a healthcare recipient's healthcare identifier for an aged care purpose.
Existing section number or reason for new authorisation: HI Act: 19D(1).


New section 16, table item 7
Authorisation: A healthcare provider may disclose to the Aged Care Department a healthcare recipient's healthcare identifier for an aged care purpose.
Existing section number or reason for new authorisation: HI Act: 23A(1).

New section 16, table item 8
Authorisation: The Aged Care Department may collect from the HI Service Operator or a healthcare provider, and use, a healthcare recipient's healthcare identifier for an aged care purpose.
Existing section number or reason for new authorisation: HI Act: 19D(2) and 23A(2).

Adopting a healthcare recipient's healthcare identifier (new section 17)

New section 17, table item 1
Authorisation: A healthcare provider may adopt a healthcare recipient's, an authorised representative's or a nominated representative's healthcare identifier for use as the healthcare provider's own identifier of the healthcare recipient, the authorised representative or the nominated representative of the healthcare recipient.
Existing section number or reason for new authorisation: HI Act: 25. Adoption of the healthcare recipient's identifier was previously authorised in the HI Act. New section 17 has broadened this authorisation to also include authorised representative's and nominated representative's healthcare identifiers, as it may be necessary for healthcare providers to adopt these healthcare identifiers in order to associate the correct representative with the correct healthcare recipient.

New section 17, table item 2
Authorisation: The System Operator may adopt a healthcare recipient's, an authorised representative's or a nominated representative's healthcare identifier for use as the System Operator's own identifier for the purposes of the My Health Record system.
Existing section number or reason for new authorisation: HI Act: 22B(1) and 22B(2).

New section 17, table item 3
Authorisation: A registered repository operator or registered portal operator may adopt a healthcare recipient's, an authorised representative's or a nominated representative's healthcare identifier for use as that entity's own identifier for the purposes of the My Health Record system.
Existing section number or reason for new authorisation: HI Act: 22B(1) and 22B(2).


Disclosing a healthcare recipient's healthcare identifier (new section 18)

New section 18, table item N/A
Authorisation: The HI Service Operator, the System Operator or a healthcare provider may disclose a healthcare recipient's healthcare identifier to the healthcare recipient or to a responsible person as defined by the Privacy Act.
Existing section number or reason for new authorisation: HI Act: 18(a) and 23. The HI Act authorised the HI Service Operator and healthcare providers to disclose a healthcare recipient's healthcare identifier. Disclosure has been broadened in this new section to further allow the System Operator to also disclose an identifier to the healthcare recipient or to a responsible person. This will make it easier for healthcare recipients and responsible persons to get an individual's healthcare identifier. For example, if they are already dealing with the System Operator, the System Operator will be able to disclose the identifier and it will not be necessary to refer the healthcare recipient or the responsible person to the HI Service Operator.

Disclosing information about a healthcare recipient's healthcare identifier (new section 19)

New section 19, table item N/A
Authorisation: The HI Service Operator may disclose information relating to the healthcare recipient that is included in its record of healthcare identifiers maintained under section 10, to the healthcare recipient or to a responsible person as defined by the Privacy Act.
Existing section number or reason for new authorisation: HI Act: 18(b).


Regulations to provide additional authorisation (new section 20)

New section 20(1), (2) and (3), table item N/A
Authorisation: Regulations may authorise the collection, use and disclosure of identifying information about, and a healthcare identifier of: a healthcare recipient; an authorised representative; or a nominated representative, or authorise the adoption of the healthcare identifier of: a healthcare recipient; an authorised representative; or a nominated representative, but only for purposes relating to: providing healthcare to healthcare recipients or a class of healthcare recipients; determining whether adequate and appropriate healthcare is available to healthcare recipients or a class of healthcare recipients; facilitating the provision of adequate and appropriate healthcare to healthcare recipients or a class of healthcare recipients; assisting persons who, because of health issues (including illness, disability or injury), require support; or the My Health Record system.
Existing section number or reason for new authorisation: HI Act: section 22E permits regulations to be made authorising the collection, use and disclosure of identifying information and healthcare identifiers for certain purposes related to the My Health Record system. Disclosure of this information is currently limited to participants in the My Health Record system.

New section 20 broadens the power to allow for future regulations to be made allowing prescribed entities to collect, use, disclose and adopt identifying information and healthcare identifiers, but only for very limited purposes related to the provision of healthcare or to assist people who, because of health issues, require support. These entities could include, for example, the National Disability Insurance Agency (NDIA) and cancer registers. Healthcare identifiers are an accurate identifier of an individual, and such entities and individuals may benefit from the entity being able to associate disability or health-related records with an individual's healthcare identifier. In the future this may allow, for example, the viewing of certain disability or cancer registry records as part of an individual's My Health Record.

Currently, entities such as NDIA and cancer registers are not authorised to handle healthcare identifiers or identifying information as they are not healthcare providers within the meaning of the HI Act. The new power has been designed to allow the appropriate collection, use, disclosure and adoption of healthcare identifiers and identifying information by entities like NDIA and cancer registers, within tight limits related to providing healthcare and assisting individuals who require support because of health issues, without having to amend the Act each time a new entity needs to be authorised.


New Division 3 sets out the authorisations related to the collection, use and disclosure of healthcare identifiers and other information relating to healthcare providers. To help readers understand what changes are being made by this amendment, the authorisations are set out in the following table with either a reference to existing equivalent authorisations or with an explanation of why the new authorisation is required.

Columns: New section no. | Table item no. | Authorisation | Existing section number or reason for new authorisation

Assigning a healthcare identifier to a healthcare provider (new section 21)

New section 21, table item 1
Authorisation: The HI Service Operator may collect from the Chief Executive Medicare, Veterans' Affairs Department or Defence Department, and use, a healthcare provider's identifying information for the purpose of assigning a healthcare identifier to the healthcare provider.
Existing section number or reason for new authorisation: HI Act: 12(3).

New section 21, table item 2
Authorisation: The Chief Executive Medicare, Veterans' Affairs Department and Defence Department may use and disclose to the service operator identifying information of a healthcare provider for the purpose of assigning a healthcare identifier to the healthcare provider.
Existing section number or reason for new authorisation: HI Act: 12(1) and 12(2). Disclosure is currently authorised, but use is not as reliance was placed on existing privacy laws for this. Use is now included in the authorisation to clarify the situation and ensure all necessary authorisations are in one place.

New section 21, table item 3
Authorisation: The HI Service Operator may collect from a healthcare provider and use information relating to the healthcare provider that is requested by the HI Service Operator under section 9B for the purpose of assigning a healthcare identifier to the healthcare provider.
Existing section number or reason for new authorisation: The authorisation for the collection and use of the information requested under section 9B was implied. This new item ensures there is express authorisation.
Keeping a record of healthcare providers' healthcare identifiers (new section 22)

New section 22, table item 1
Authorisation: A national registration authority may use and disclose to the HI Service Operator a healthcare provider's healthcare identifier or information relating to that healthcare identifier, for the purposes of assisting the HI Service Operator to establish and maintain its record of healthcare identifiers under section 10.
Existing section number or reason for new authorisation: HI Act: 13(1). Disclosure is currently authorised, but use is not as reliance was placed on existing privacy laws for this. Use is now included in the authorisation to clarify the situation and ensure all necessary authorisations are in one place.

New section 22, table item 2
Authorisation: The HI Service Operator may collect from a national registration authority and use a healthcare provider's healthcare identifier or information relating to that healthcare identifier, for the purposes of assisting the HI Service Operator to establish and maintain its record of healthcare identifiers under section 10.
Existing section number or reason for new authorisation: HI Act: 13(2).


Providing healthcare to a healthcare recipient (new section 23)

New section 23, table item 1
Authorisation: An identified healthcare provider may use and disclose to the HI Service Operator a healthcare provider's healthcare identifier for the purpose of assisting the healthcare provider to communicate or manage health information as part of providing healthcare to a healthcare recipient.
Existing section number or reason for new authorisation: HI Act: 22E. HI Regulations: 14.

New section 23, table item 2
Authorisation: The HI Service Operator may collect from an identified healthcare provider a healthcare provider's identifying information for the purpose of assisting the healthcare provider to communicate or manage health information as part of providing healthcare to a healthcare recipient.
Existing section number or reason for new authorisation: HI Act: 22E. HI Regulations: 14.

New section 23, table item 3
Authorisation: The HI Service Operator may use or disclose to an identified healthcare provider a healthcare provider's healthcare identifier for the purpose of assisting the healthcare provider to communicate or manage health information as part of providing healthcare to a healthcare recipient.
Existing section number or reason for new authorisation: HI Act: 17(1) and 22E. HI Regulations: 14.

New section 23, table item 4
Authorisation: An identified healthcare provider may collect from the HI Service Operator a healthcare provider's healthcare identifier for the purpose of communicating or managing health information as part of providing healthcare to a healthcare recipient.
Existing section number or reason for new authorisation: HI Act: 17(2) and 22E. HI Regulations: 14.

New section 23, table item 5
Authorisation: A healthcare provider may collect from another healthcare provider, use and disclose to another healthcare provider the healthcare identifier of a healthcare provider for the purpose of communicating or managing health information, as part of providing healthcare to a healthcare recipient.
Existing section number or reason for new authorisation: HI Act: 24 and 22E. HI Regulations: 14.


My Health Record purposes (new section 24)

New section 24, table item N/A
Authorisation: The HI Service Operator may collect, use and disclose identifying information about, or a healthcare identifier of, a healthcare provider for the purposes of the My Health Record system.
Existing section number or reason for new authorisation: HI Act: 17, 19, 19A, 19B and 19C. The HI Service Operator previously had various authorities to collect, use or disclose healthcare identifiers and identifying information of healthcare providers in certain circumstances. To ensure the efficiency of the My Health Record system these authorisations have been condensed to one authority to allow collection, use or disclosure for the purposes of the My Health Record system.

Authentication in electronic communications (new section 25)

New section 25, table item 1
Authorisation: The HI Service Operator or a registration authority may use and disclose to any entity identifying information about, or a healthcare identifier of, a healthcare provider for the purpose of enabling the healthcare provider's identity to be authenticated in electronic transmissions.
Existing section number or reason for new authorisation: HI Act: 20(1).

New section 25, table item 2
Authorisation: An entity to whom information is disclosed for the purposes of authenticating a healthcare provider's identity in electronic communications as specified in item 1 above, may collect from any entity, use and disclose to any entity identifying information about, or a healthcare identifier of, a healthcare provider for the purpose of enabling the healthcare provider's identity to be authenticated in electronic communications.
Existing section number or reason for new authorisation: HI Act: 20(2).

Sharing information with registration authorities (new section 25A)

New section 25A, table item 1
Authorisation: The HI Service Operator may use and disclose to a registration authority a healthcare provider's healthcare identifier for the purpose of assisting the registration authority to register the healthcare provider.
Existing section number or reason for new authorisation: HI Act: 19(1). Disclosure is currently authorised, but use is not as reliance was placed on existing privacy laws for this. Use is now included in the authorisation to clarify the situation and ensure all necessary authorisations are in one place.

New section 25A, table item 2
Authorisation: A registration authority may collect and use a healthcare provider's healthcare identifier for the purpose of registering the healthcare provider or performing any other function of the registration authority under the law.
Existing section number or reason for new authorisation: HI Act: 19(2).


New section 25A, table item 3
Authorisation: The HI Service Operator may collect from a registration authority, use and disclose to a registration authority identifying information about, or a healthcare identifier of, a healthcare provider for the purpose of ensuring that information held by the HI Service Operator or the registration authority is accurate, up-to-date and complete.
Existing section number or reason for new authorisation: This is a new authorisation to ensure information about healthcare providers is kept accurate, up-to-date and complete.

New section 25A, table item 4
Authorisation: A registration authority may collect from the HI Service Operator, use and disclose to the HI Service Operator identifying information about, or a healthcare identifier of, a healthcare provider for the purpose of ensuring that information held by the HI Service Operator or the registration authority is accurate, up-to-date and complete.
Existing section number or reason for new authorisation: This is a new authorisation to ensure information about healthcare providers is kept accurate, up-to-date and complete.

Adopting a healthcare provider's healthcare identifier (new section 25B)

New section 25B, table item 1
Authorisation: The System Operator may adopt a healthcare provider's healthcare identifier for use as the System Operator's own identifier for the purposes of the My Health Record system.
Existing section number or reason for new authorisation: HI Act: 22B.

New section 25B, table item 2
Authorisation: A registered repository operator or registered portal operator may adopt a healthcare provider's healthcare identifier for use as that operator's own identifier for the purposes of the My Health Record system.
Existing section number or reason for new authorisation: HI Act: 22B.

New section 25B, table item 3
Authorisation: A participant in the My Health Record system to whom the healthcare identifier is disclosed by a registered repository operator or registered portal operator under section 58A of the My Health Records Act, may adopt a healthcare provider's healthcare identifier for use in authenticating the identity of the healthcare provider in electronic communications.
Existing section number or reason for new authorisation: HI Act: Based on 20(2)(c).
Providing the healthcare provider's healthcare identifier to them (new section 25C)

New section 25C, table item N/A
Authorisation: An entity who knows a healthcare provider's healthcare identifier may disclose that healthcare identifier to the healthcare provider.
Existing section number or reason for new authorisation: New authorisation to allow healthcare providers easy access to their healthcare identifiers which may have been previously unknown to the healthcare provider.


Regulations to provide additional authorisation (new section 25D)

New section 25D(1), (2) and (3), table item N/A
Authorisation: Regulations may authorise the collection, use or disclosure of the healthcare provider's healthcare identifier or identifying information, or the adoption of the healthcare provider's healthcare identifier, but only for purposes relating to: providing healthcare to healthcare recipients or a class of healthcare recipients; determining whether adequate and appropriate healthcare is available to healthcare recipients or a class of healthcare recipients; facilitating the provision of adequate and appropriate healthcare to healthcare recipients or a class of healthcare recipients; assisting persons who, because of health issues, require support; or the My Health Record system.
Existing section number or reason for new authorisation: HI Act: section 22E permits regulations to be made authorising the collection, use and disclosure of identifying information and healthcare identifiers for certain purposes related to the My Health Record system. Disclosure of this information is currently limited to participants in the My Health Record system.

New section 20 broadens the power to allow for future regulations to be made allowing prescribed entities to collect, use, disclose and adopt identifying information and healthcare identifiers, but only for very limited purposes related to the provision of healthcare or to assist people who, because of health issues, require support. These entities could include, for example, the National Disability Insurance Agency (NDIA) and cancer registers. Healthcare identifiers are an accurate identifier of an individual, and such entities and individuals may benefit from the entity being able to associate disability or health-related records with an individual's healthcare identifier. In the future this may allow, for example, the viewing of certain disability or cancer registry records as part of an individual's My Health Record.

Currently, entities such as NDIA and cancer registers are not authorised to handle healthcare identifiers or identifying information as they are not healthcare providers within the meaning of the HI Act. The new power has been designed to allow the appropriate collection, use, disclosure and adoption of healthcare identifiers and identifying information by entities like NDIA and cancer registers, within tight limits related to providing healthcare and assisting individuals who require support because of health issues, without having to amend the Act each time a new entity needs to be authorised.


Any regulations made under new subsections 20(4) and (5) (relating to healthcare recipients' healthcare identifiers), and subsections 25D(4) and (5) (relating to healthcare providers' healthcare identifiers), may establish processes for disclosing healthcare identifiers including rules about requests to the HI Service Operator to disclose healthcare identifiers, and may require the entity to provide certain information to the HI Service Operator.

Under new subsection 25D(6), the regulations may also require an identified healthcare provider to provide information relating to the healthcare provider's healthcare identifier or prescribed by the regulations for the purposes of section 25D. This new subsection is based on existing section 14 of the HI Act.

Subsection 25E(1) places an obligation on healthcare provider organisations to update information about them held by the HI Service Operator, if the provider organisation becomes aware that the information is not accurate, up-to-date and complete. This subsection is based on existing section 14 and HI Regulation 6 (which will be repealed), but has been expanded to ensure all information held by the HI Service Operator is maintained. With the move to all healthcare provider organisations being listed in the Healthcare Provider Directory (HPD), it is important that information held by the System Operator be maintained. If it is not maintained, healthcare providers using the HPD may not be able to rely on the HPD to accurately identify other providers as part of providing healthcare, and to accurately send secure health information to them. Under subsection 25E(1), information must be updated within 20 business days after the organisation becomes aware that the information held by the Service Operator is not accurate, up-to-date and complete.

Subsection 25E(2) contains one of the two exceptions to the requirement to update information held by the HI Service Operator - that is, if:
- the information that is not accurate, up-to-date and complete is personal information that the Service Operator could only obtain with the consent of the person to whom it relates; and
- instead of giving the Service Operator accurate, up-to-date and complete personal information, the healthcare provider organisation tells the Service Operator within the 20 business day timeframe under subsection 25E(1) in the approved manner and form that the person to whom the information relates has withdrawn their consent for the information to be given to the Service Operator.

Subsection 25E(2) is consistent with the changes the Bill makes in removing many of the restrictions that have previously applied to the healthcare identifiers and identifying information of healthcare provider organisations, while retaining those protections in relation to the healthcare identifiers and identifying information of individual healthcare providers. In line with those changes, this subsection retains consent requirements around personal information, while not extending the exception to cover information about healthcare provider organisations.

Subsection 25E(3) contains the second of the two exceptions to the requirement to update information held by the HI Service Operator - that is, if:
- a healthcare provider is required by an Australian law, or by a lawful requirement of a national registration authority, to give the registration authority accurate, up-to-date and complete information; and


the healthcare provider complies with that requirement. Subsection 25E(3) is primarily designed to reflect the situation that applies in relation to individual healthcare providers registered by AHPRA (which is a national registration authority under the HI Act and HI regulations) under the National Law. The National Law obliges healthcare providers regulated by the National Law to keep their details held by AHPRA accurate, up-to-date and complete. If AHPRA receives updated information, it shares the information with the HI Service Operator - see new section 25A, items 3 and 4 of the table. A person is liable for a civil penalty of up to 100 penalty units under subsection 25E(4) if they fail to give the HI Service Operator information in the circumstances mentioned in subsection 25E(1), and the person knows or is reckless as to those circumstances. Item 35 Division 4 of Part 3 Item 35 replaces the heading of Division 4 to make clear that it deals not only with the use and disclosure of healthcare identifiers, but also with the use and disclosure of other information that is obtained under the HI Act. Item 36 Section 26 Section 26 currently provides that a use or disclosure of a healthcare identifier by a person is prohibited unless it is used or disclosed: for the purpose for which it was disclosed to the person; for a purpose authorised by another law; or for a purpose permitted by section 16 of the Privacy Act (relating to the person‟s personal, family or household affairs). A person who contravenes existing section 26 may incur a criminal penalty of two years‟ imprisonment, or 120 penalty units (currently $21,600 for individuals and $108,000 for bodies corporate), or both.35 Similarly, section 15 currently provides that a use or disclosure of information by a person is prohibited unless it is used or disclosed: for the purpose for which was disclosed to the person; or for a purpose authorised by another law. 
Further, section 15 also provides that the use or disclosure of information by a person who knows that the information was not authorised to be disclosed to them is prohibited. A criminal penalty of two years' imprisonment or 120 penalty units, or both, applies to a person who contravenes existing section 15. Item 36 consolidates existing sections 15 and 26 and inserts new section 26.

[35] As of September 2015, section 4AA of the Crimes Act 1914 provides that a penalty unit is $180. This amount will be indexed according to the Consumer Price Index in July every three years from 2018.


New section 26 provides that the use or disclosure of any information obtained under the HI Act, or a healthcare recipient's or individual healthcare provider's healthcare identifier, by a person is prohibited unless: in relation to a healthcare identifier, it is used or disclosed (subsection 26(3) refers): for a purpose authorised by the HI Act; for a purpose authorised by a Commonwealth law or a court/tribunal order; by the person to whom the healthcare identifier relates, and is for the purposes of, or in connection with, the personal family or household affairs of the person (within the meaning of section 16 of the Privacy Act); where an entity considers the use or disclosure is reasonably necessary to lessen or prevent a serious threat to the life, health or safety of an individual, or to public health or safety, and it is unreasonable or impracticable to obtain the individual's consent to the use or disclosure (item 1, subsection 16A(1) of the Privacy Act). This exception applies regardless of whether or not the person using or disclosing the healthcare identifier is an APP entity; where an entity has reason to suspect that unlawful activity or misconduct of a serious nature, that relates to the entity's functions or activities, has been or may be engaged in, and the entity reasonably believes that the use or disclosure is necessary for the entity to take appropriate action (item 2, subsection 16A(1) of the Privacy Act). This exception applies regardless of whether or not the person using or disclosing the healthcare identifier is an APP entity; where it is reasonably necessary for the establishment, exercise or defence of a legal or equitable claim (item 4, subsection 16A(1) of the Privacy Act).
This exception applies regardless of whether or not the person using or disclosing the healthcare identifier is an APP entity; where it is reasonably necessary for the purposes of a confidential alternative dispute resolution process (item 5, section 16A(1) of the Privacy Act). This exception applies regardless of whether or not the person using or disclosing the healthcare identifier is an APP entity; or where it is required or authorised to enable the Information Commissioner, or an equivalent officer or agency of a state or territory, to carry out his or her functions in relation to privacy. in relation to other information (including identifying information), it is used or disclosed (subsection 26(4) refers): for a purpose authorised by the HI Act; for a purpose authorised by another Australian law or a court/tribunal order; in a manner that would not constitute an interference with an individual's privacy, where the information is personal information; or
where it is required or authorised to enable the Information Commissioner, or an equivalent officer or agency of a state or territory, to carry out his or her functions in relation to privacy.

Paragraph 26(3)(b) of the Act provides that disclosure will be authorised if it is required or authorised under another Commonwealth law, while paragraph 26(4)(b) of the Act provides disclosure will be authorised if it is required or authorised under another Australian law. This is a deliberate difference to ensure that only Commonwealth laws may create exceptions to unauthorised use or disclosure of a healthcare identifier.

A person who contravenes new section 26 may incur: a civil penalty of up to 600 penalty units (currently $108,000 for individuals and $540,000 for bodies corporate), if the person uses or discloses in circumstances that contravene subsections 26(1) or (2), and the person knows or is reckless as to those circumstances - see subsection 26(6); or a criminal penalty of up to two years' imprisonment and/or 120 penalty units (currently $21,600 for individuals and $108,000 for bodies corporate) - see subsection 26(5). As the fault element for the offence is not expressly stated in subsection 26(5), section 5.6 of the Criminal Code will apply.

Items 38-40 Section 29

Section 29 currently provides that a collection, use or disclosure of a healthcare identifier that is not authorised by the HI Act is taken to be an interference with privacy, which means that it triggers the functions and powers of the Information Commissioner under the Privacy Act, such as undertaking investigations. It further provides that healthcare identifiers are treated as personal information for the purposes of the Information Commissioner conducting assessments of an entity's activities in relation to the handling of personal information. Healthcare identifiers are otherwise not considered to be personal information.
Items 38 to 40 amend section 29 to provide that only the unauthorised collection, use or disclosure of a healthcare recipient's or individual healthcare provider's healthcare identifier is taken to be an interference with privacy, or is treated as personal information for the purpose of the Information Commissioner's assessments. This makes clear that healthcare identifiers for healthcare provider organisations are not treated in the same way as those relating to individuals.

Some of the civil penalty provisions inserted into the HI Act by the Bill contain fault elements, meaning that they are not contravened unless the individual had a particular state of mind - for example, they knew or were reckless in relation to certain circumstances. Item 38, which amends section 29, will ensure that where a person does not breach a civil penalty provision only because they did not have the required state of mind to make out the civil penalty, there will still be an interference with the privacy of the individual, and the Information Commissioner would still, for example, be able to investigate. This is similar to the mechanism in existing subsection 73(1) of the My Health Records Act.


Item 42 Section 31

Section 31 currently provides that the HI Service Operator must operate a Healthcare Provider Directory (HPD) which lists the professional and business details of individual healthcare providers and healthcare provider organisations that agree to the publication of their information. Item 42 replaces this with new sections 31 and 31A.

New section 31 requires the HI Service Operator to establish and maintain an HPD of the professional and business details of identified healthcare providers. That is, healthcare providers who have been assigned a healthcare identifier. The new section authorises the HI Service Operator to collect, use and disclose identified healthcare providers' personal information in order to operate the HPD. This authorisation is subject to the consent of individual healthcare providers. The effect of this is that the HI Service Operator may not include the personal information of an individual healthcare provider if the provider has elected not to have their details published on the HPD. The HI Service Operator does not require consent from healthcare provider organisations in order to collect, use and disclose non-personal information about the organisation in the HPD.

The purpose of the HPD is to facilitate communication between healthcare providers by providing a reliable source of identifying and contact information. This can be useful when sending secure messages, referrals, discharge summaries and forwarding test requests. The HPD is not a public document - it can only be accessed through patient administration systems or practice management software, or through the Health Professionals Online Service provided by the Department of Human Services. As part of operating the HPD, the HI Service Operator will only handle information relating to identified individual healthcare providers and identified healthcare provider organisations.
New subsection 31(3) describes the types of information that will be included in the HPD, including information about whether an individual healthcare provider is "linked" to a particular healthcare provider organisation. An individual healthcare provider organisation will be linked to a healthcare provider organisation if the individual is an employee of the organisation, or if the organisation provides support services or facilities to the individual to facilitate the provision of healthcare by the individual.

New section 31A authorises the HI Service Operator to collect healthcare identifiers and identifying information about a healthcare provider from the System Operator, and use and disclose that information, for the purposes of the HPD. This ensures that the HI Service Operator has the necessary authority to collect, use and disclose the healthcare provider's information, subject to the personal information restrictions under subsection 31(2), without having to go to each individual healthcare provider for the information.

Item 43 After Part 5

Item 43 inserts new Part 5A into the HI Act to trigger provisions of the Regulatory Powers (Standard Provisions) Act 2014 (Regulatory Powers Act) in relation to the imposition of the new civil penalties established by item 36. New section 31B provides a simplified outline for new Part 5A as previously described.


New section 31C triggers the provisions of Part 4 of the Regulatory Powers Act which, among other things, deals with obtaining and enforcing a civil penalty order and the handling of multiple contraventions. The Information Commissioner is the person who is authorised to apply to a relevant court for a civil penalty order under the HI Act. Subsection 31C(5) reinforces that the Crown cannot be liable to a pecuniary penalty. New section 31D triggers the provisions of Part 6 of the Regulatory Powers Act which deals with the ability to accept and enforce acceptable undertakings. A person may give an undertaking to take certain actions or refrain from certain actions in order to comply with the HI Act. The Information Commissioner or the Service Operator is authorised to accept and enforce undertakings for the purposes of the HI Act, and publish the undertaking on their websites. New section 31E triggers the provisions of Part 7 of the Regulatory Powers Act which deals with using injunctions - for example, to prevent someone from taking a particular action. The Information Commissioner or the Service Operator is authorised to seek injunctions for the purposes of the HI Act. Since the HI Act applies to Australia and each of its external territories (that is, Christmas Island, Cocos (Keeling) Islands, Ashmore and Cartier Islands, Coral Sea Islands, Heard Island and McDonald Islands, and the Australian Antarctic Territory), for the purposes of new sections 31C, 31D and 31E, the relevant parts of the Regulatory Powers Act will also apply to all external territories in relation to the HI Act. For the purposes of new sections 31C, 31D and 31E a relevant court is the Federal Court of Australia, the Federal Circuit Court of Australia or a court of a state or territory which has the necessary jurisdiction. 
Item 45 At the end of section 34

Section 34 of the HI Act requires that the Service Operator prepare an annual report of the activities, finances and operations of the HI Service. The Service Operator must provide a copy of the annual report to the Minister and the Ministerial Council by 30 September each year, and the Minister must table the annual report in Parliament within 15 sitting days of receiving a copy. Section 46 of the Public Governance, Performance and Accountability Act 2013 (PGPA Act) requires that Commonwealth entities prepare an annual report. New subsection 34(4), inserted by item 45, provides that if the HI Service Operator is required to report under section 46 of the PGPA Act, the Operator is not required to also give a report under section 34 of the HI Act.

Item 46 Section 35

Section 35 of the HI Act requires that a review of the HI Act must be undertaken and a report of that review delivered by 30 June 2013, provided to the Ministerial Council and tabled in Parliament. The Minister is required to consult with the Ministerial Council before appointing a person to undertake this review. The HI Review met the requirements of this section. Item 46 replaces section 35 with a new requirement to undertake a review of the HI Act within three years of the commencement of Schedule 1 of this Bill. As with the current
requirement, the Minister must consult with the Ministerial Council before appointing a person to undertake this review, and the report of the review must be provided to the Ministerial Council and be tabled in Parliament within 15 sitting days after the report is given to the Minister.

Item 47 Before section 36

In addition to inserting a simplified outline to this Part, as previously described, item 47 inserts a new division number and heading into the HI Act to reflect that Part 7 is now separated into five divisions.

Item 48 After section 36

Section 36 of the HI Act currently specifies that the authorisations set out in the Act apply to employees and people acting on behalf of authorised entities, contracted service providers of authorised healthcare provider organisations (and their employees or people acting on their behalf), and contractors of participants in the My Health Record system.

Item 48 inserts a new section 36A into the HI Act to provide that if an entity is authorised to disclose information to a healthcare provider, the authorisation extends to disclosing the information to an employee or person acting on behalf of the healthcare provider, or a contracted service provider of the healthcare provider (or an employee or contractor acting for the contracted service provider). This reflects the practical operation of healthcare provider organisations that may have a variety of different structures governing their business and impacting on how information is received by the organisation.

Many of the participants in the My Health Record system will be organisations rather than individuals, and those organisations are likely to be structured in a variety of ways. The HI Act does not currently describe how it applies to entities that are not a legal person - for example, partnerships, unincorporated associations and trusts with multiple trustees.
To ensure that the authorisations, obligations and penalties set out in the HI Act apply appropriately to all relevant entities, notwithstanding different structures, item 48 inserts new sections 36B, 36C and 36D into the HI Act. These align with sections 100 to 102 of the My Health Records Act, as amended by items 97 to 99.

New section 36B provides that obligations will apply to each partner and may be discharged by any partner. A criminal provision that would otherwise be contravened by the partnership is taken to have been contravened by each partner in the partnership, at the time the offence was committed, who: did the relevant act or made the relevant omission; aided, abetted, counselled or procured the relevant act or omission; or was in any way knowingly concerned in, or party to, the relevant act or omission (whether directly or indirectly and whether by any act or omission of the partner). New subsection 36B(4) provides that section 36B applies to a contravention of a civil penalty provision in a corresponding way to the way in which it applies to an offence.


New sections 36C and 36D apply in a similar way to 36B, but in relation to unincorporated associations (and members of the association's committee of management) and trusts (and multiple trustees) respectively.

The HI Act does not currently expressly allow the Service Operator to delegate any powers or functions. Where the HI Service Operator is the Chief Executive Medicare, delegation powers are found in the Human Services (Medicare) Act 1973. As the HI Act is being amended to allow for the regulations to prescribe a Service Operator other than the Chief Executive Medicare, a new delegation power is needed for any future HI Service Operators.

Item 48 also inserts new section 36E into the HI Act, specifying how the Service Operator's powers and functions may be delegated. This new section is similar to the System Operator's delegation power under section 98 of the My Health Records Act, as amended by items 95 and 96. New section 36E provides that the Service Operator may delegate their powers or functions to: an Australian Public Service employee of the Department of Health (with the Secretary's agreement if the Chief Executive Medicare is not the Service Operator); (if the Service Operator is not the Chief Executive) the Chief Executive Medicare (but only with the Chief Executive Medicare's agreement); to any person with the consent of the Minister. All delegations must be in writing. Delegates must comply with any written directions by the Service Operator in acting as a delegate.

The Human Services (Medicare) Act 1973 permits the Chief Executive Medicare to sub-delegate to Australian Public Service employees of the Department of Human Services (or other department responsible for Medicare) any powers delegated to him or her. Sub-delegates must also comply with any written directions of the Chief Executive Medicare.

Item 49 After section 38

Item 49 inserts a new division number to reflect that Part 7 is now separated into five divisions.
Division 5 deals with the making of regulations for the purposes of the HI Act.

Personally Controlled Electronic Health Records Act 2012

For the convenience of readers and to reflect that the name of this Act is changing to the My Health Records Act 2012, this Act is referred to as the My Health Records Act.

"For the purposes of the My Health Record system"

In both the HI Act and the My Health Records Act, a number of the amendments have clarified the authorisations to allow collection, use or disclosure of information "for the purposes of the My Health Record system". Amongst other things, the purposes of the My Health Record system will require consideration of the System Operator's functions under section 15 of the My Health Records Act, the purposes and objects of the My Health Records
Act, and the powers and obligations of the System Operator and other participants in the My Health Record system.

Item 50 Section 4

Section 4 of the My Health Records Act currently provides a simplified outline of the My Health Records Act. To reflect the updated Act, as amended by this Bill, item 50 replaces this with a new simplified outline. Item 50 also makes clear that new Schedule 1 to the My Health Records Act (inserted by item 106) applies as part of the My Health Records Act.

Items 51-62 Section 5

Section 5 of the My Health Records Act defines certain terms used in the My Health Records Act. Items 51 to 62 make amendments to several definitions, or insert or remove definitions, as a result of other amendments being made by this Bill. Changes include: defining cinematograph film, sound recording and work for the purposes of new copyright provisions inserted by items 78 and 79; updating the definitions of healthcare and health information to refer to the corresponding definitions in the Privacy Act (items 107 to 110 refer), noting that while the Privacy Act refers to a "health service" it has the same meaning as "healthcare" in the My Health Records Act and the HI Act; revising Ministerial Council to recognise that the National Partnership Agreement on E-Health to which the definition made reference has expired, and to provide future flexibility for changes to the responsible senior body - at the time of writing, the Council of Australian Governments Health Council is the relevant Ministerial Council; defining Regulatory Powers Act for the purpose of new provisions that trigger provisions of the Regulatory Powers (Standard Provisions) Act 2014 to allow for civil penalties, enforceable undertakings and injunctions (see item 94); and removing terms that are no longer used:
   o civil penalty order, civil penalty provision and Court which are no longer necessary because this Bill will trigger the provisions of the Regulatory Powers Act which defines those terms;
   and
   o Independent Advisory Council and Jurisdictional Advisory Committee to reflect that these committees have been abolished (see item 58).

Items 63-64 Subsections 6(9) and 7(6) and new section 7A

Sections 6 and 7 of the My Health Records Act ensure that children and individuals with limited or no capacity can have a My Health Record. These sections set out the criteria for becoming an authorised or nominated representative of a person and the obligations of a representative. The provisions also specify how representatives are treated for the purposes of the My Health Records Act - for example, where a healthcare recipient (previously referred to as a "consumer") has an authorised representative, the authorised representative is entitled to
do any thing that the Act authorises or requires the consumer to do, and the consumer is not entitled to do any thing that the Act otherwise requires or authorises the consumer to do.

Representatives are currently required to act in the best interests of the person they are representing and have regard to any directions given by that person. In light of international changes in the treatment of individuals who require supported decision-making, recognising that one person cannot necessarily determine what is in the best interests of another person, in 2014 the Australian Law Reform Commission recommended in its ALRC Report 124 entitled Equality, Capacity and Disability in Commonwealth Laws, that a person providing decision-making support should, instead of acting in the person's best interests, give effect to the 'will and preferences' of the person to whom they provide decision-making support.

Items 63 and 64 give effect to this intention by removing the current obligations of representatives to act in a healthcare recipient's best interests and, instead, inserting a new section 7A which provides that an authorised or nominated representative must give effect to the will and preferences of the person for whom they are a representative.

Under subsection 7A(1), an authorised representative or a nominated representative must make reasonable efforts to ascertain the will and preferences of the healthcare recipient. If this is not possible, subsection 7A(2) requires the representative to make reasonable efforts to ascertain the healthcare recipient's likely will and preferences in relation to his or her My Health Record. Subsection 7A(3) includes a non-exhaustive list of sources from which the healthcare recipient's will and preferences may be able to be ascertained.
The reference to "to the extent legally possible" in paragraph 7A(3)(b) is intended to ensure that seeking to ascertain the likely will and preferences of a healthcare recipient is not undertaken in a way that would, for example, interfere with the privacy of the healthcare recipient.

To the extent it is possible to ascertain the healthcare recipient's will and preferences, or likely will and preferences, subsection 7A(4) requires representatives to give effect to the healthcare recipient's will and preferences or likely will and preferences. However, if to do so would pose a serious risk to the healthcare recipient's personal and social wellbeing, the representative must act in a way that would promote the healthcare recipient's personal and social wellbeing (subsection 7A(5)).

In terms of how these obligations will apply to parents or guardians of minors, the minor's will or preference, if they have one, should still be ascertained. The older the minor gets the more likely it is that they will have a will and preference, or likely will and preference, in relation to their My Health Record, and the parent or guardian should ascertain this. If the minor does not have a will or preference or it cannot be ascertained - for example they are too young to understand - subsection 7A(6) will apply and the representative must act in a manner that best promotes the personal and social wellbeing of the healthcare recipient.

Current subsection 6(3) of the My Health Records Act will continue to apply. That subsection specifies the circumstances in which a minor is taken not to have an authorised representative and may thus take control of their own My Health Record.


Item 65 At the end of subsection 9(3)

This item amends subsection 9(3) to allow regulations to be made specifying additional information as identifying information for the purposes of the My Health Record system (and HI Service). This change is consistent with a similar change being made to the HI Act - see items 27 to 28.

Item 66 Subsection 11(2)

This item reflects that since new Part 6 of the My Health Records Act (inserted by item 94) specifically sets out that the Crown is not liable to a pecuniary penalty, subsection 11(2) no longer needs to make this statement.

Item 67 At the end of Part 1

The My Health Records Act imposes obligations on the System Operator to notify individuals and entities of certain decisions in writing, and enables the System Operator to provide information, for example, in relation to the ability to appeal a decision suspending a participant's registration. As well as more formal communications such as those relating to decisions about registration and appeal rights, the System Operator needs to be able to communicate electronically with healthcare recipients and participants in relation to day-to-day operations and administrative matters.

Item 67 inserts new section 13B which provides that such notifications and communications may be given electronically, such as through email or a message to a mobile phone. This section makes reference to the Electronic Transactions Act 1999 which deals with matters that are conducted electronically and generally requires that communications from government bodies cannot be sent electronically without a person's consent. Given the electronic nature of the My Health Record system, and the numbers of healthcare recipients and participants involved, the System Operator needs to be able to communicate electronically where this is appropriate and the System Operator has a relevant electronic address or mobile phone number.
At present, healthcare recipients are not required to provide electronic contact details, such as an e-mail address or mobile phone number. However, where this information has been provided to the System Operator, the System Operator may use those contact details to communicate electronically with the healthcare recipient, where appropriate.

Item 68 Part 2 (heading)

This item replaces the existing heading of Part 2 to reflect the abolition of the Jurisdictional Advisory Committee and Independent Advisory Council (item 72 refers).

Item 69 After paragraph 15(i)

Section 15 of the My Health Records Act sets out the functions of the System Operator. The My Health Record system is an electronic system that interacts with the software and IT systems of a wide range of entities. The My Health Record system needs to support a range of technical specifications and needs to support effective use by healthcare providers. To enable the My Health Record system to operate as intended, in an effective and efficient manner, the System Operator needs to be able to operate a test environment that tests not only the My Health Record system but also other systems that interact with the My Health Record
system - for example, the HI Service and the National Authentication Service for Health (NASH), and clinical information system software packages used by healthcare providers to access the My Health Record system.

While several functions of the System Operator deal with the operation of the actual system, and paragraph 15(o) provides that the System Operator can do anything conducive or incidental to the performance of its functions, item 69 inserts a new function expressly providing that it is a function of the System Operator to establish and operate a test environment.

Under new paragraph 15(ia) the System Operator must establish and operate a test environment for the My Health Record system and other electronic systems with which it interacts directly, subject to the requirements (if any) in the My Health Records Rules. My Health Records Rules may, for example, prescribe criteria that an entity must meet before it can utilise the test environment. Subject to any Rules that may be made, access to and use of the test environment is not restricted to participants in the My Health Record system. It is important to note that any test environment established will not use real health, personal or identifying information and will be entirely isolated from the "live" or "production" My Health Record system.

Item 70 Section 16

Section 16 currently requires that the System Operator have regard to the decisions of the Jurisdictional Advisory Committee and Independent Advisory Council. These bodies are being abolished (item 72 refers) so item 70 removes this requirement. The framework establishing the Australian Commission for eHealth and its advisory committees may establish arrangements for how advice by those committees will be taken into account by the Commission in making decisions regarding the My Health Record system.
Item 71 Paragraph 17(2)(b)

Currently, section 17 deals with the National Repositories Service which is a repository operated by the System Operator that ensures there is capacity to store a minimum set of health information in the My Health Record system for registered healthcare recipients. This includes, for example, but is not limited to, shared health summaries, event summaries, discharge summaries, specialist letters and healthcare recipient-only notes. The System Operator is currently required to store any information uploaded to the National Repositories Service for 30 years after the death of the healthcare recipient, or if that date is unknown, for 130 years from the date it is uploaded. This long-term storage of information is intended to support the longevity of a minimum data set in the My Health Record system.

Item 71 amends this requirement to provide that, where a date of death is unknown, the information must be stored for 130 years from the healthcare recipient's date of birth. This is being changed to align more closely with the requirement that information be available for around 30 years after the healthcare recipient dies. At present, if information about a 90 year old is uploaded to the National Repositories Service, and their date of death is unknown, the system is potentially storing this information for more than 100 years from the likely date of their death, well in excess of the period it would be stored if the date of death was known.


Any information stored by the National Repositories Service after the healthcare recipient dies will continue to be subject to the same privacy protections that applied while the healthcare recipient was alive. It is important to note that these retention requirements apply only to the National Repositories Operator and not to any registered repository operators, which are already subject to Commonwealth, state and/or territory requirements for retaining health records.

Item 72 Divisions 2 and 3 of Part 2

Divisions 2 and 3 of Part 2 currently establish, and specify the purpose and composition of, the Independent Advisory Council and the Jurisdictional Advisory Committee. These bodies provide advice to the System Operator. In 2016 it is intended that the Australian Commission for eHealth (yet to be established) will become the System Operator. It is intended that new advisory bodies will be established as part of the new Commission, and these bodies will be responsible for providing expert advice to the System Operator about the My Health Record system, including fulfilling the current roles of the Independent Advisory Council and Jurisdictional Advisory Committee. Item 72 therefore removes Divisions 2 and 3.

Item 73 Division 1 of Part 3

Division 1 of Part 3 provides for the registration of healthcare recipients. Since new Schedule 1 to the My Health Records Act (inserted by item 106) will allow the Minister to apply arrangements for an opt-out system to certain groups or to the whole of Australia, the requirements regarding the eligibility of healthcare recipients, how they can apply to register and conditions of that registration, would not apply where opt-out arrangements are in force. To make clear that Division 1 of Part 3 does not apply if the Minister has applied opt-out arrangements, item 73 inserts a note into the Division.
Items 74-75 Section 41

Section 41 provides for the registration of healthcare recipients and currently provides that a healthcare recipient must give standing consent for registered healthcare provider organisations to upload health information to the healthcare recipient's My Health Record. Despite this consent, the registered healthcare provider organisation cannot upload particular information if the healthcare recipient has instructed them not to, and must not upload information without the express or written consent of the healthcare recipient if required by preserved state or territory laws. A preserved law for the purposes of the My Health Record system refers to a law prescribed by regulation 3.1.1 of the Personally Controlled Electronic Health Records Regulation 2012 (which will be amended to also cover new subsection 41(3A)). These preserved laws generally prohibit the disclosure, without express or written consent, of identifying information in relation to healthcare recipients who have been tested for Acquired Immune Deficiency Syndrome, HIV or cervical cancer, or confidential information associated with notifiable conditions, contagious conditions, environmental health events, perinatal history, cancer history or pap smear history.


Item 74 inserts new subsection 41(3A) which recognises that health information about a healthcare recipient may include relevant information about a third party. For example, in relation to the person's ongoing treatment of hypertension, the information may reference the fact that the person's mother has a heart condition. Similar to current subsection 41(3), new subsection 41(3A) provides that a registered healthcare provider organisation must not upload third party information if a preserved law of a state or territory applies, unless the requirements of the applicable preserved law have been met. Subsection 41(4) currently provides that the standing consent given by the healthcare recipient under subsection 41(3) has effect despite state or territory laws that may require that consent to be given in a particular manner, except where a preserved law applies. This means that if any state or territory Act cannot operate concurrently with the My Health Records Act, it will be overridden by the My Health Records Act, unless it is a preserved law. Item 75 simply updates this subsection to ensure that the new authorisation relating to third party information (inserted by item 74) also has effect in this way.

Item 76 After paragraph 45(6)

Section 45 currently imposes conditions on registered healthcare provider organisations on how and what they can upload to a healthcare recipient's My Health Record. The condition at paragraph 45(b), among other things, requires that a shared health summary and any other record specified by the My Health Records Rules be authored by a healthcare provider with a healthcare identifier. The My Health Records Rules currently specify that all other documents must also be authored by a healthcare provider with a healthcare identifier.
This condition ensures that health information contained in a My Health Record (other than that authored by the healthcare recipient and included in healthcare recipient-only notes) has been created by people qualified to do so. Item 76 inserts a new paragraph 45(ba) that requires authors of records to also be an identified healthcare provider whose registration or membership as applicable is not conditional, suspended, cancelled or lapsed, other than in circumstances prescribed in My Health Records Rules. This ensures that at the time a healthcare provider authors a document that is uploaded to the My Health Record system, they are qualified and permitted to do so. For example, a healthcare provider's professional registration can be suspended for reasons ranging from forgetting to pay annual registration fees to being investigated for reasons of conduct and public safety. Where, for example, a provider's registration is suspended or cancelled because they are engaged in professional misconduct, it may not be appropriate for the healthcare provider to be authoring records that are uploaded to the My Health Record system where those records may be relied upon by other providers treating a healthcare recipient. It is intended that the My Health Records Rules will prescribe specific circumstances where, despite a healthcare provider's registration or membership being conditional, suspended, cancelled or lapsed, it is still appropriate for the provider to author records that are uploaded to the My Health Record system. One situation where it might be appropriate is where a provider's registration or membership has conditions limiting their practice to a geographical area.


Items 77-78 Section 45

As described in relation to items 1 and 2, copyright may exist in documents or other material uploaded to the My Health Record system. Therefore, it is necessary to ensure that any use of this material by the System Operator, other participants in the My Health Record system or users of the material after the materials have been downloaded from the My Health Record system does not infringe any copyright that might subsist in the materials. A condition currently imposed on registered healthcare provider organisations by paragraph 45(c) is that healthcare providers must not upload information to the My Health Record system if it would constitute an infringement of copyright or moral rights. This means a healthcare provider can only upload information produced by the healthcare provider organisation on behalf of which they are acting, or for which the provider has permission to do so from the copyright owner. As part of being registered, healthcare provider organisations currently grant a licence to the System Operator to use, reproduce, copy, modify, adapt, publish and communicate the information they upload, including the right for the System Operator to sub-license other healthcare providers and participants in the My Health Record system to do the same acts. This licence is granted by way of a contract (called a participation agreement) with the System Operator. The need to enter into participation agreements is being removed in order to simplify the registration process for organisations, and an exception to copyright infringement is being established instead (items 1 and 2 refer).
While the new copyright exceptions established by items 1 and 2 will ensure that any works, films or sound recordings made on or after the date the exceptions commence can be uploaded to the My Health Record system, and can be used in the system and subsequently used following the download of material from the system, without infringing copyright, they do not deal with material made before commencement of items 1 and 2. Item 77 amends existing paragraph 45(c) of the My Health Records Act to reflect the new copyright exceptions being inserted by items 1 and 2. Under item 77, there remains a requirement that healthcare providers must not upload a record to the My Health Record system if to do so would result in a moral rights infringement. Item 78 inserts new sections 45A, 45B and 45C to deal with material made before the new copyright exceptions in sections 44BB and 104C of the Copyright Act commence. New sections 45A and 45B impose a condition on registered healthcare provider organisations prohibiting them from uploading works (which extend beyond literary works and include diagnostic images and computer programs), films or sound recordings made before commencement of the new copyright exceptions, if any of the actions described at paragraphs 45A(2)(a) to (d) or 45B(2)(a) to (d) would constitute an infringement of copyright. This covers actions such as someone (whether or not the uploading organisation) accessing the information through the My Health Record system, or subsequent use of the information once it is downloaded from the My Health Record system.


This means that: if the healthcare provider organisation that wishes to upload material created before commencement of sections 44BB and 104C of the Copyright Act owns the copyright in the material, there will be no infringement so they may upload it; or if the healthcare provider organisation that wishes to upload material created before commencement of sections 44BB and 104C of the Copyright Act does not own the copyright in the material, they must not upload it unless the copyright owner grants a licence to the System Operator - for example, to use, reproduce, copy, modify, adapt, publish and communicate the material, including the right to sub-license others. In practice, it is anticipated that most healthcare organisations will not upload old material (that is, materials or records created before the copyright exceptions in sections 44BB and 104C of the Copyright Act commence) unless they own copyright in it. One possible exception is where the information is clinically critical or directly relevant to the healthcare of a healthcare recipient. In this case the uploading provider will need to ensure that uploading the material or records will not result in an infringement of the copyright. Sections 45A and 45B do not effect an acquisition of property or otherwise affect ownership of any copyright that might exist in records or other materials. They merely prohibit uploading of materials or records created before commencement of sections 44BB and 104C of the Copyright Act if the uploading or subsequent use would result in an infringement of copyright. New section 45C provides that if loss or damage is suffered by any person - for example, by the owner of copyright in material uploaded to the My Health Record system in contravention of the prohibition in sections 45A or 45B - the person suffering loss or damage may bring an action against the uploading healthcare provider to recover the amount of the loss or damage. 
Actions must commence within six years of the loss or damage being suffered, and may include a claim for costs incurred as a result of bringing the copyright infringement action. This provision ensures that it is the entity uploading in contravention of sections 45A or 45B that is liable for any loss or damage suffered, and not any other party (such as the System Operator, participants in the My Health Record system or subsequent users of the materials or records that have been uploaded in contravention of sections 45A and 45B).

Item 79 After section 50

Repository operators may register to participate in the My Health Record system and may upload information to a registered healthcare recipient's My Health Record - for example, see current section 38 and new section 50D inserted by this item. Similar to material and records uploaded by healthcare providers, copyright may subsist in material or records made available to the My Health Record system by registered repository operators. As a result, it is necessary to ensure that any use of this material by the System Operator, other participants in the My Health Record system or users of the material after the materials have been downloaded from the My Health Record system does not infringe any copyright that might subsist in the materials. While the new copyright exceptions established by items 1 and 2 will ensure that any works, films or sound recordings created on or after the date the exceptions commence can be


uploaded to the My Health Record system, and can be used in the system and subsequently used following the download of material from the system, without infringing copyright, they do not deal with material created before commencement of items 1 and 2. Item 79 therefore inserts new sections 50A, 50B and 50C to deal with material created before the new copyright exceptions commence. New sections 50A and 50B are similar to new sections 45A and 45B (which apply to healthcare provider organisations) and impose a condition on registered repository operators prohibiting them from uploading works (in the case of section 50A) or films or sound recordings (in the case of section 50B) if any of the actions described at paragraphs 50A(2)(a) to (d) or 50B(2)(a) to (d) would constitute an infringement of copyright. This covers actions such as someone (whether or not the repository operator that makes the materials available to the My Health Record system) accessing the information through the My Health Record system, or subsequent use of the information once it is downloaded from the My Health Record system. This means that: if the repository operator that wishes to make the materials (created before commencement of sections 44BB and 104C of the Copyright Act) available to the system owns the copyright in the material, there will be no infringement so they may make the material available; or if the repository operator that wishes to make the materials (created before commencement of sections 44BB and 104C of the Copyright Act) available to the system does not own the copyright in the material, they must not upload it unless the copyright owner grants a licence to the System Operator - for example, to use, reproduce, copy, modify, adapt, publish and communicate the material, including the right to sub-license others. 
In practice it is anticipated that most repository operators will not upload old material (that is, material or records created before the copyright exceptions in sections 44BB and 104C of the Copyright Act commence) unless they own copyright in it. One possible exception is where the information is clinically critical or directly relevant to the healthcare of a healthcare recipient. In this case the repository operator that makes the material or records available to the My Health Record system will need to ensure that uploading the material or records will not result in an infringement of the copyright. Sections 50A and 50B do not effect an acquisition of property or otherwise affect ownership of any copyright that might exist in records or other materials. They merely prohibit making materials or records created before commencement of sections 44BB and 104C of the Copyright Act available to the system if to do so, or any subsequent use of the materials or records, would result in an infringement of copyright. New section 50C provides that if loss or damage is suffered by any person - for example, by the owner of copyright in material made available to the My Health Record system in contravention of the prohibition in sections 50A or 50B - the person suffering loss or damage may bring an action against the repository operator that made the material available to recover the amount of the loss or damage. Actions must commence within six years of the loss or damage being suffered, and may include a claim for costs incurred as a result of bringing the 76


copyright infringement action. This provision ensures that it is the entity making the materials available in contravention of sections 50A or 50B that is liable for any loss or damage suffered, and not any other party (such as the System Operator, participants in the My Health Record system or subsequent users of the materials or records that have been made available in contravention of sections 50A and 50B).

Items 80-82 Sections 51-53

Division 4 of Part 3 of the My Health Records Act deals with the cancellation, suspension and variation of the registration of a healthcare recipient or participant in the My Health Record system. If the System Operator decides to cancel, suspend or vary the registration of a healthcare recipient or a participant, whether upon request or for other reasons, the System Operator must generally give written notice to that person or entity and provide the reasons for that decision and provide other information about rights for a review of that decision. There has been some confusion about when cancellations, suspensions or variations come into force. These items remove this confusion by: inserting a note below sections 51 and 53 explaining the operation of section 53 and how it relates to sections 51 and 52; and amending the language of subsections 53(4) and (5), including to make them more consistent with the language used in subsection 51(7).

Item 83 Division 6 (heading)

This item replaces the existing heading of Division 6 of Part 3 to reflect changes made by item 84 which now provides a different range of authorisations.

Item 84 Section 58

Section 58 currently authorises the use and disclosure to the System Operator of identifying information about healthcare recipients, healthcare provider organisations, authorised representatives and nominated representatives by certain Commonwealth entities to verify identities and allow the System Operator to carry out its functions.
It also requires these entities to notify the System Operator of any changes to this information. As part of restructuring the authorisations of the My Health Records Act and the HI Act to make clear how and why certain information can be used, item 84 replaces this section with new sections 58 and 58A. New section 58 encompasses some of the authorisations relating to the My Health Record system that were previously contained in Division 2A of Part 3 of the HI Act.


To help readers understand what changes are being made by this amendment, the authorisations are set out in the following table with either a reference to existing equivalent authorisations or with an explanation of why the new authorisation is required.

Including health information in a My Health Record

New section no.: 58
Table item no.: N/A
Authorisation: The System Operator may collect, use and disclose health information about a healthcare recipient for the purposes of including health information in a healthcare recipient's My Health Record.
Existing section number or reason for new authorisation: The System Operator currently takes these actions on the basis of healthcare recipients' implied consent. With new section 58, the System Operator is now expressly authorised. Section 58 is intended to be broad enough to allow for the collection, use and disclosure of third party health information, where this is to be included in a healthcare recipient's My Health Record - for example, as part of the family medical history of the healthcare recipient. Supporting amendments to other provisions of the My Health Records Act and the Privacy Act also help deal with, and place limits on the collection, use and disclosure of, third party information. Section 58 mirrors clause 7 of Schedule 1 of the My Health Records Act.

My Health Record system purposes

New section no.: 58A(1)
Table item no.: 1
Authorisation: The System Operator may collect, use and disclose identifying information about, or a healthcare identifier of: a healthcare recipient; an authorised representative; a nominated representative; or a healthcare provider, for the purposes of the My Health Record system.
Existing section number or reason for new authorisation: HI Act: 22A(2) and (3)


Table item no.: 2
Authorisation: The System Operator may collect, use and disclose information relevant to whether a person is an authorised representative or nominated representative of another person, for the purposes of determining whether a person is an authorised representative or nominated representative of another person.
Existing section number or reason for new authorisation: HI Act: 22A(3) and 22E; HI Regulations: 15; My Health Records Act: 6 and 7 (implied). This new item clarifies and condenses existing authorisations into an express authorisation in the My Health Records Act that permits the System Operator to collect, use and disclose information relevant to determining whether someone is an authorised or nominated representative.

Table item no.: 3
Authorisation: Registered repository operators and registered portal operators may collect, use and disclose to a participant in the My Health Record system a healthcare identifier of: a healthcare recipient; an authorised representative; a nominated representative; or a healthcare provider, for the purposes of the My Health Record system.
Existing section number or reason for new authorisation: HI Act: 22C

Table item no.: 4
Authorisation: The HI Service Operator may collect from the System Operator, use and disclose to the System Operator information relevant to whether a person is an authorised representative or nominated representative of another person, for the purposes of assisting the System Operator to determine whether a person is an authorised representative or nominated representative of another person.
Existing section number or reason for new authorisation: HI Act: 22E; HI Regulations: 15; My Health Records Act: 6 and 7 (implied). This new item clarifies and condenses existing authorisations into an express authorisation in the My Health Records Act that permits the HI Service Operator to collect, use and disclose information relevant to determining whether someone is an authorised or nominated representative.


Table item no.: 5
Authorisation: The Chief Executive Medicare may collect from the System Operator, use and disclose to the System Operator identifying information about a person who is or may be: a healthcare recipient; an authorised representative; or a nominated representative, for the purposes of assisting the System Operator to verify the identity of the person, or otherwise for the purposes of the My Health Record system.
Existing section number or reason for new authorisation: My Health Records Act: 22D and 58. While use and disclosure were previously authorised, this new section clarifies that the Chief Executive Medicare may collect the necessary information from the System Operator.

Table item no.: 6
Authorisation: The Chief Executive Medicare may collect from the System Operator, use and disclose to the System Operator information relevant to whether a person is an authorised representative or nominated representative of another person, for the purposes of assisting the System Operator to determine whether a person is an authorised representative or nominated representative of another person.
Existing section number or reason for new authorisation: HI Act: 22E; HI Regulations: 15; My Health Records Act: 6 and 7 (implied). This new item clarifies and condenses existing authorisations into an express authorisation in the My Health Records Act, that permits the Chief Executive Medicare to collect, use and disclose information relevant to determining whether someone is an authorised or nominated representative.

Table item no.: 7
Authorisation: The Chief Executive Medicare may collect, use and disclose to a participant in the My Health Record system identifying information about, or a healthcare identifier of: a healthcare recipient; an authorised representative; or a nominated representative, for the purposes of including health information in the healthcare recipient's My Health Record.
Existing section number or reason for new authorisation: It is not necessary to subject this authorisation to the healthcare recipient's consent to make the information available to the System Operator (in an opt-in setting) because section 38 already does this. This authorisation enables a healthcare identifier to be attached to the healthcare recipient's information so that it can be loaded into the repository operated by the Chief Executive Medicare.


Table item no.: 8
Authorisation: The Veterans' Affairs Department and Defence Department may use and disclose to the System Operator identifying information about, or a healthcare identifier of a person who is or may be: a healthcare recipient; an authorised representative; or a nominated representative, for the purposes of assisting the System Operator to verify the identity of the person.
Existing section number or reason for new authorisation: My Health Records Act: 58. While use and disclosure were previously authorised, this new section clarifies that the Veterans' Affairs Department or Defence Department can collect the necessary information from the System Operator.

Table item no.: 9
Authorisation: The Veterans' Affairs Department and Defence Department may collect from the HI Service Operator, use and disclose to a participant in the My Health Record system identifying information about, or a healthcare identifier of: a healthcare recipient; an authorised representative; or a nominated representative, for the purposes of including prescribed information in the healthcare recipient's My Health Record.
Existing section number or reason for new authorisation: It is not necessary to subject this authorisation to the healthcare recipient's consent to make the information available to the System Operator (in an opt-in setting) because section 38 already does this. This authorisation enables a healthcare identifier to be attached to the healthcare recipient's information so that it can be loaded into the repository operated by the Chief Executive Medicare. The reference to "prescribed information" provides for the possibility that, in future, other kinds of Commonwealth agency records may be identified which may be of value to include in healthcare recipients' My Health Records. For example, the Departments of Defence or Veterans' Affairs may have records about current and former service men and women that relate to health services they have received. Regulations may be made to allow healthcare identifiers to be attached to prescribed classes of records so they can be included in the My Health Record system.


Table item no.: 10
Authorisation: An entity prescribed by regulations may collect, use and disclose to another prescribed entity identifying information about a person who is or may be: a healthcare recipient; an authorised representative; or a nominated representative, for the purposes of assisting the System Operator to verify the identity of the person.
Existing section number or reason for new authorisation: As part of running the My Health Record system, including verifying identities, the System Operator may need to disclose identifying information about a healthcare recipient, an authorised representative or a nominated representative to an entity, and that entity will need authorisation to collect, use and disclose that information. An example of the need to make regulations in relation to opt-out is included in clause 8, item 10 of Schedule 1.

The Note to this table refers readers to section 15 of the HI Act which authorises the HI Service Operator to collect, use and disclose healthcare identifiers and identifying information about healthcare recipients, authorised representatives and nominated representatives for the purposes of the My Health Record system. This means that the HI Service Operator relies on the authorisations provided by both the HI Act and My Health Records Act to interact with the My Health Record system. New subsection 58(2) requires that if at any time the Chief Executive Medicare, Veterans' Affairs Department, Defence Department, HI Service Operator or a prescribed entity (item 10 of table at subsection 58(1) refers) becomes aware that the information it has provided to the System Operator has changed, the entity must notify the System Operator. This ensures the System Operator has and uses the most up-to-date information for identity verification and other My Health Record system purposes.
Items 85-88 Sections 59 and 60

Existing section 59 provides that the collection, use or disclosure of health information in a healthcare recipient's My Health Record by a person is prohibited unless it is authorised by the My Health Records Act. A person who contravenes section 59 may incur a civil penalty of up to 120 penalty units (currently $21,600 for individuals and $108,000 for bodies corporate). It is only to be taken to be a contravention if the person knows or is reckless as to whether the collection, use or disclosure is unauthorised. If a person accidentally collects, uses or discloses this information they do not contravene section 59 and are not liable for a civil penalty under the My Health Records Act (although under section 73 of the My Health Records Act, there may still be an interference with privacy and the Information Commissioner may still be able to investigate). Items 85 to 86 make amendments to provide that a person who contravenes section 59 may now incur:


a civil penalty of up to 600 penalty units (currently $108,000 for individuals and $540,000 for bodies corporate); or a criminal penalty of up to two years' imprisonment and/or 120 penalty units (currently $21,600 for individuals and $108,000 for bodies corporate). Section 60 provides that the use or disclosure of health information in a healthcare recipient's My Health Record by a person who knows or is reckless as to whether the information was not authorised to be disclosed to them is prohibited, unless it is for the purpose of an investigation into that original disclosure. A person who contravenes section 60 may currently incur a civil penalty of up to 120 penalty units (currently $21,600 for individuals and $108,000 for bodies corporate). Items 87 to 88 make amendments to provide that a person who contravenes section 60 may now incur: a civil penalty of up to 600 penalty units (currently $108,000 for individuals and $540,000 for bodies corporate); or a criminal penalty of up to two years' imprisonment and/or 120 penalty units (currently $21,600 for individuals and $108,000 for bodies corporate). The fault elements for the new criminal offences created under subsections 59(3) and 60(3) are contained in existing sections 59 and 60 - that is knowledge or recklessness. If these fault elements are not satisfied, there will be no breach of either the civil or the criminal provisions in sections 59 or 60 (although there may still be an interference with privacy under the Privacy Act - see subsection 73(1) of the My Health Records Act). The new criminal penalties in the My Health Records Act (and new civil penalties in the HI Act) are designed to better protect the sensitive information that can be contained in a My Health Record, and to provide a more graduated framework for responding to inappropriate behaviour that is proportional to the severity of a breach of either the My Health Record system or the HI Service.
To ensure that all aspects of the amended My Health Records Act and the HI Act are understood by participants in the My Health Record system and other affected people, it is intended that a significant communications strategy will be implemented explaining all key aspects of the new legislative arrangements, including the criminal and civil penalty provisions.

Item 89 Section 72

Section 72 reflects that the My Health Records Act operates in conjunction with the Privacy Act by specifying that any authorisation set out in the My Health Records Act to use or disclose health information is treated as an authorisation under the Privacy Act. This ensures that any use or disclosure done in accordance with the My Health Records Act does not contravene the Privacy Act. Section 72 does not currently refer to the collection of health information because each of the collections authorised by the My Health Records Act is already authorised by the Privacy Act. However, to remove doubt about the extent to which actions under the My Health Records Act do not contravene the Privacy Act, item 89 amends section 72 to make clear that any


authorisation in the My Health Records Act to collect health information is treated as an authorisation under the Privacy Act.

Item 90 Section 75

Section 75 currently requires that any entity that is or has been the System Operator, a registered repository operator or a registered portal operator must notify the System Operator and/or the Information Commissioner of: a potential or actual unauthorised collection, use or disclosure of health information in a healthcare recipient's My Health Record; or potential or actual breach of the security or integrity of the My Health Record system. Item 90 replaces current section 75 with a new section 75 to address ambiguities that have been identified by the System Operator in its implementation, and to centralise data breach reporting requirements for all participants in the My Health Record system.

To whom does section 75 apply?

New section 75 applies to any entity that is or has been the System Operator, a registered healthcare provider organisation, a registered repository operator, a registered portal operator, or a registered contracted service provider. Data breach reporting is not a new obligation for registered healthcare provider organisations and registered contracted service providers - they are currently subject to a contractual requirement to report breaches as part of their participation agreement with the System Operator which will no longer be required.

What does an entity have to report?
Under new paragraph 75(1)(b) data breach reporting applies in relation to:
- the unauthorised collection, use and disclosure of health information in an individual's My Health Record;
- any event that has, or may have, occurred that compromises, may compromise, has compromised or may have compromised the security or integrity of the My Health Record system; or
- any circumstances that have, or may have arisen (whether or not involving a contravention of the Act), that compromise, may compromise, have compromised or may have compromised the security or integrity of the My Health Record system.

The drafting of paragraph 75(1)(b) clarifies that any events or circumstances that have or may have occurred or arisen do not have to also involve a contravention of the My Health Records Act.

The data breach obligation does not apply to information that is contained in, or has been downloaded from the My Health Record system into, healthcare providers' clinical information systems. However, data breach reporting under this section is required if healthcare providers' clinical information systems (or acts or omissions of the healthcare provider, whether or not involving a contravention of the My Health Records Act) compromise, may compromise, have compromised or may have compromised the security or integrity of the My Health Record system. For example, if a healthcare provider's clinical information system is infected with a virus that allows a hacker to access information in the My Health Record system using the healthcare provider's IT or verification credentials, this will need to be reported.

It is intended that further guidance and education material will be made available in relation to reporting data breaches, including setting out examples of when data breach reporting will or will not be required.

When does an entity have to report?

There has been some uncertainty about whether the current section 75 requirement applies only to events or circumstances that currently exist or may exist in the future, or whether it also includes events or circumstances that have happened but which no longer pose a risk because they have been addressed or no longer exist. New section 75 makes clear that data breach reporting relates to events or circumstances that have existed, currently exist or may exist in the future. Under new section 75, even if a 'breach' has been resolved by a participant there will still be an obligation for the participant to report it.

Another uncertainty has arisen around whether it is necessary to notify a data breach before it is certain that a data breach has in fact occurred. Determining whether or not a data breach has occurred can take time, particularly where advice is required. However, it is critical that the System Operator and affected healthcare recipients be notified of a data breach so they can take any necessary action to mitigate risks they may face, or to improve the security of the My Health Record system. For this reason new section 75 requires that relevant entities must notify the System Operator or Information Commissioner about a potential data breach.
If there is a possibility that a breach had occurred but that possibility has not yet been confirmed, a lack of certainty about whether in fact there has been a breach should not be used as a reason for postponing data breach reporting and carrying out any necessary remedial actions.

An entity must report as soon as practicable after becoming aware of the contravention or event or circumstances referred to in subsection 75(1). The meaning of "as soon as practicable" is discussed below.

What steps does the entity have to take?

Subsections 75(5) and (6) set out the steps that the entity must take depending on whether the contravention, event or circumstance:
- may have occurred or arisen; or
- has been confirmed as having occurred or arisen.

A. Where the contravention, event or circumstance may have occurred or arisen (potential breach) - subsection 75(5)

Where there is a potential data breach, the entity must take steps to contain and evaluate the breach. If there is a reasonable likelihood that a data breach has occurred and its effects may be serious for at least one healthcare recipient, then the entity must ask the System Operator to notify all healthcare recipients that would be affected (if the entity is the System Operator then it must notify all affected healthcare recipients). The "seriousness" of each data breach should be assessed on a case by case basis and should take into consideration all the relevant circumstances.

The entity should then take some time and conduct some initial investigations to assess whether a breach has or may have occurred, however there is an expectation that this occurs within days rather than weeks or longer. If or when the entity determines that an actual data breach occurred, and they have already given notice of the data breach, they are not required to notify affected stakeholders again but they are required to take steps to contain and evaluate the breach and mitigate its effects.

If the threshold of "a reasonable likelihood" of the contravention, event or circumstances having occurred is not reached, it is not necessary to report the breach. However, the actions at paragraphs 75(5)(a) and (b) must still be carried out where relevant.

B. Where the contravention, event or circumstance has occurred or arisen (confirmed breach) - subsection 75(6)

Where there is a data breach, the entity must as soon as practicable take steps to contain and evaluate the breach and notify affected healthcare recipients, and if it is a significant number of healthcare recipients, notify the general public. Like subsection 75(5), if the entity is not the System Operator, the entity must ask the System Operator to notify affected healthcare recipients, and if necessary, the general public. Finally, the entity must take steps to prevent or mitigate the effects of further contraventions, events or circumstances from occurring in the future.

What does "as soon as practicable" mean?
To help participants understand what is meant by the need to notify "as soon as practicable", it is important to consider the intent of the data breach notification requirements, which is to allow the System Operator to take any steps needed to ensure information in the My Health Record is protected and, equally importantly, to allow affected healthcare recipients to take steps to minimise any risks that they may face and to ensure their information is protected to their satisfaction. For example, if a participant in the My Health Record discovers malicious software in their IT systems that connects to the My Health Record system, and that malicious software may provide a 'back door' into health records in the My Health Record system, the entity would be expected to notify a data breach as soon as they discover the malicious software since it could undermine the security of the My Health Record system.

Items 91-92 Section 77

Section 77 provides that the System Operator, registered repository operators, registered portal operators and registered contracted service providers must not hold, take, process or handle My Health Record information outside Australia. Contravention of this existing prohibition may incur a civil penalty of up to 120 penalty units (currently $21,400 for individuals and $108,000 for bodies corporate).

Consistent with the changes being made to sections 59 and 60 of the My Health Records Act, and the changes to the HI Act, items 91 to 92 make amendments to provide that a contravention of section 77 may now incur:
- a civil penalty of up to 600 penalty units (currently $108,000 for individuals and $540,000 for bodies corporate); or
- a criminal penalty of up to two years' imprisonment and/or 120 penalty units (currently $21,600 for individuals and $108,000 for bodies corporate).

The new criminal penalties in the My Health Records Act (and new civil penalties in the HI Act) are designed to better protect the sensitive information that can be contained in a My Health Record, and to provide a more graduated framework for responding to inappropriate behaviour that is proportional to the severity of a breach of either the My Health Record system or the HI Service.

Unlike sections 59 and 60 of the My Health Records Act, section 77 does not specify any fault elements as part of the existing civil or the new criminal penalties. This means that the criminal offence established by item 92 triggers the application of the Criminal Code Act 1995. As indicated by the Note, while the fault element for the offence is not expressly stated, the appropriate fault elements in section 5.6 of the Criminal Code will apply.

To ensure that all aspects of the amended My Health Records Act and the HI Act are understood by participants in the My Health Record system and other affected people, it is intended that a significant communications strategy will be implemented explaining all key aspects of the new legislative arrangements, including the criminal and civil penalty provisions.

Item 93 Section 78

Section 78 currently provides that a person who is or has been a registered repository operator or registered portal operator must not contravene the My Health Records Rules. A person who contravenes this section may incur a civil penalty of 80 penalty units (currently $14,400 for individuals or $72,000 for bodies corporate).
As part of measures to centralise and align the obligations of all participants in the My Health Record system, and to reflect the increase to civil penalties as a result of the introduction of criminal penalties for certain provisions, item 93 replaces this section with a new section 78. New section 78 provides that a person who is or has been at any time a registered healthcare provider organisation, a registered repository operator, a registered portal operator or a registered contracted service provider must not contravene the My Health Records Rules that apply to that person. The civil penalty for contravention of new section 78 is 100 penalty units (currently $18,000 for individuals or $90,000 for bodies corporate).

Item 94 Parts 6 and 7

Currently, Parts 6 and 7 of the My Health Records Act set out arrangements relating to civil penalties, such as how a civil penalty order is obtained and how they relate to criminal proceedings, and provide for other enforcement measures in the form of enforceable undertakings and injunctions.

Item 94 replaces Parts 6 and 7 with a new Part 6 that triggers the equivalent provisions of the Regulatory Powers (Standard Provisions) Act 2014 (Regulatory Powers Act). This ensures that the My Health Records Act aligns with standard Commonwealth arrangements regarding civil penalties, enforceable undertakings and injunctions.

New section 79 triggers the provisions of Part 4 of the Regulatory Powers Act which, among other things, deals with obtaining and enforcing a civil penalty order and the handling of multiple contraventions. The Information Commissioner is an authorised applicant who may apply to a relevant court for a civil penalty order under the My Health Records Act. New section 79 reinforces that the Crown cannot be liable to a pecuniary penalty.

New section 80 triggers the provisions of Part 6 of the Regulatory Powers Act which deals with accepting and enforcing undertakings relating to compliance with provisions. A person may give an undertaking to take certain actions or refrain from certain actions in order to comply with the My Health Records Act. The Information Commissioner or the Service Operator are authorised to accept and enforce undertakings for the purposes of the My Health Records Act, and publish the undertaking on their websites.

New section 81 triggers the provisions of Part 7 of the Regulatory Powers Act which deals with obtaining, imposing and discharging injunctions - for example, to prevent someone from taking an action. The System Operator and the Information Commissioner are both authorised to apply to a relevant court for an injunction.

Since the My Health Records Act applies to Australia and each of its external territories (that is, Christmas Island, Cocos (Keeling) Islands, Ashmore and Cartier Islands, Coral Sea Islands, Heard Island and McDonald Islands, and the Australian Antarctic Territory), for the purposes of new sections 79, 80 and 81, the relevant parts of the Regulatory Powers Act will also apply to all external territories in relation to the My Health Records Act.
For the purposes of new sections 79, 80 and 81, a relevant court is the Federal Court of Australia, the Federal Circuit Court of Australia or a court of a state or territory which has the necessary jurisdiction.

Items 95-96 Section 98

Currently, section 98 provides that the System Operator may delegate his or her functions or powers to an Australian Public Service employee of the Department of Health, the Chief Executive Medicare, or another person with the Minister's consent.

Given that the Australian Commission for eHealth is expected to become the System Operator, items 95 and 96 amend section 98 to include in addition to the above delegations, delegations that are appropriate for when Australian Commission for eHealth becomes the System Operator.

Amended subsection 98(3) provides that if the System Operator is not the Secretary, the System Operator may delegate his or her powers or functions to an Australian Public Service employee of the Department of Health (with the Secretary's agreement) or to the Chief Executive Medicare (with the Chief Executive Medicare's agreement). Delegates must comply with any written directions of the System Operator.

The Human Services (Medicare) Act 1973 permits the Chief Executive Medicare to sub-delegate to Australian Public Service employees of the Department of Human Services (or other department responsible for Medicare) any powers delegated to him or her. Sub-delegates must also comply with any written directions of the Chief Executive Medicare.

Items 97-100 Sections 100-103

Current sections 100 to 102 of the My Health Records Act set out how the provisions of the My Health Records Act affect partnerships, unincorporated associations and trusts with multiple trustees.

Items 97 to 99 replace subsections 100(3), 101(3) and 102(3) to reflect the introduction of criminal penalties into the My Health Records Act. These new subsections ensure that a criminal penalty that would otherwise have been committed by either a partnership, an unincorporated association or a trustee is taken to have been committed by each respective partner, member or trustee, at the time the offence was committed, who:
- did the relevant act or made the relevant omission;
- aided, abetted, counselled or procured the relevant act or omission; or
- was in any way knowingly concerned in, or party to, the relevant act or omission (whether directly or indirectly and whether by an act or omission by the relevant partner, member or trustee).

New subsections 100(4), 101(4) and 102(4) ensure that a contravention of a civil penalty provision applies in a corresponding way to the way in which they apply to an offence.

These changes align with new sections 36B, 36C and 36D in the HI Act (item 48 refers).

Item 100 repeals current section 103 which is no longer necessary due to the above changes.

Item 101 Section 107

Section 46 of the Public Governance, Performance and Accountability Act 2013 (PGPA Act) requires that Commonwealth entities prepare an annual report. It is intended that the Australian Commission for eHealth will be established as a Commonwealth entity and will be subject to the requirements of the PGPA Act.
Therefore, both now, and in the future if the Australian Commission for eHealth takes over as System Operator, the System Operator will be subject to the reporting requirements, whether under the existing My Health Records Act or under section 46 of the PGPA Act. As a result, it will no longer be necessary to include a separate annual report obligation in the My Health Records Act if the Australian Commission for eHealth takes over as System Operator.

Item 101 will therefore repeal current section 107 of the My Health Records Act and replace the requirement to prepare an annual report with a requirement that the System Operator, when preparing an annual report in accordance with the PGPA Act, include in that report certain information about the My Health Record system, such as statistics about registrations and system usage. New section 107 also provides that regulations may prescribe other matters that must be included in this annual report.

Current section 107 of the My Health Records Act will be repealed, and new section 107 will come into force, on governance restructure day. This means that the current reporting obligation in section 107 will continue until the Australian Commission for eHealth takes over as System Operator.

Item 102 Section 108

Item 102 replaces current section 108 of the My Health Records Act with a new requirement to undertake a review of the My Health Records Act within three years of the commencement of this Bill or, if the Minister has made My Health Records Rules to apply the opt-out model nationally, within three years of the date those Rules are made. As with the current requirement, the Minister must consult with the Ministerial Council before appointing a person to undertake this review, and the report of the review must be provided to the Ministerial Council and tabled in Parliament within 15 sitting days of the Minister receiving a copy.

Items 103-105 Section 109

Current section 109 of the My Health Records Act allows the Minister to make My Health Records Rules in relation to a variety of matters. Subsection 109(2) currently requires that the Minister consult with the Independent Advisory Council (IAC) and Jurisdictional Advisory Committee (JAC) before making any Rules.

To reflect the abolition of JAC and IAC (see item 67) and to recognise that the Australian Commission for eHealth is proposed to soon become the System Operator, item 103 replaces subsection 109(2) with a requirement that the Minister consult with the System Operator and a subcommittee of the Ministerial Council. In terms of this subcommittee, in practice the Minister will consult with the Australian Health Ministers' Advisory Council. As with current subsection 109(2), any failure to consult does not invalidate the Rules.

Item 104 establishes a new matter about which the Minister can make My Health Records Rules. Given the new function of the System Operator to operate a test environment (item 69 refers), item 104 inserts new paragraph 109(3)(e) which allows Rules to set out requirements relating to that test environment.
Item 105 inserts new subsections 109(9), (10) and (11). New subsection 109(9) allows the My Health Records Rules to incorporate other material which may change from time to time. The ability to incorporate in My Health Records Rules material that may change from time to time is important to ensure that the technical standards and security of the My Health Record system are maintained in rapidly changing environments. In particular, it is intended that some Australian standards and written security manuals issued by the System Operator may be incorporated into My Health Records Rules. It would not be practical for the Rules to refer to such material as it exists at a particular point in time since it is likely to be subject to frequent change or may change at short notice. Without the amendment, participants in the My Health Record system may be forced to comply with outdated requirements. If standards and security manuals change and participants in the My Health Record system no longer comply, it may pose a security or privacy risk for the system. New subsection 109(9) therefore ensures ongoing compliance.

In practice, the System Operator would ensure that any such material that is referenced in the My Health Records Rules is made available to affected parties for free or at a minimal cost. Administrative arrangements would also be put in place to ensure that affected entities are given as much notice as possible of a change so they can ensure they comply with the new requirements when they take effect. There would also be a measure of common sense applied so that if material changed suddenly and affected entities had insufficient time to comply with the new requirements, they would not be penalised immediately.

New subsections 109(10) and (11) are inserted to reflect recommendations made by the Senate to establish clear parameters about what can and cannot be dealt with in subordinate legislation, and how subordinate legislation interacts. New subsection 109(10) clarifies that the My Health Records Rules cannot do things which are intended to be determined by Parliament through primary legislation, such as creating penalties or imposing taxes. New subsection 109(11) provides that the My Health Records Rules are taken to be consistent with the My Health Records Regulations to the extent that they are capable of operating concurrently. However, if any Rules cannot operate concurrently with the Regulations, the Rules do not apply to the extent of the inconsistency.

Item 106 At the end of the Act

Participation trials

The My Health Records Act currently provides that the system will operate on an opt-in basis for individuals and other entities. This means that healthcare recipients can choose to apply to the System Operator to register for a My Health Record, and healthcare provider organisations, contracted service providers (to health provider organisations), repository operators and portal operators can choose to apply to the System Operator to be registered to participate in the system. An opt-in system operates on the basis of the healthcare recipient's consent for their information to be included in the My Health Record system and for that information to be shared and used for healthcare and other purposes.
As part of the Government's response to the PCEHR Review, trials will be conducted in several regions in Australia to implement different participation arrangements for healthcare recipients, including trials of operating on an opt-out basis. The purpose of these trials is to inform the Government on future changes to the My Health Record system to improve participation and usage, including whether to change the system to operate on an opt-out basis nationally. Some of the other trials will involve different education and communication arrangements but will still revolve around opt-in participation by healthcare recipients, so no amendments to the My Health Records Act would be required to support these. However, amendment to the My Health Records Act is required to enable trials (and, if necessary, national implementation) of opt-out arrangements. These different participation models are designed to gather evidence, which will be used to improve the effectiveness of the My Health Record system, such as evidence of the education and training required and any privacy issues faced by individuals.

Opt-out system

In an opt-out system, healthcare recipients would automatically be registered for a My Health Record without the need to apply or give consent, unless they elect to opt-out. This ability to opt-out is a privacy positive protection and allows healthcare recipients to control their own health and privacy.


In an opt-out setting, if a healthcare recipient does not choose to opt-out, they will still have an extensive range of privacy positive options for protecting the information in their My Health Record (these privacy positive options are also available for healthcare recipients who opt-in under the current arrangements). In summary, healthcare recipients who do not opt-out and are registered will still be able to:
- set access controls restricting access to their My Health Record entirely or restricting access to certain information in their My Health Record;
- request that their healthcare provider not upload certain information or documents to their My Health Record, in which case the healthcare provider will be required not to upload that information or those documents;
- request that their Medicare data not be included in their My Health Record, in which case the Chief Executive Medicare will be required not to make the data available to the System Operator;
- monitor activity in relation to their My Health Record using the audit log or via electronic messages alerting them that someone has accessed their My Health Record;
- effectively remove documents from their My Health Record;
- make a complaint if they consider there has been a breach of privacy; and
- cancel their registration (that is, cancel their My Health Record).

In any opt-out arrangements, it is intended that healthcare recipients would be given a reasonable amount of notice before opt-out is implemented so they could learn about the My Health Record system, and would be given a reasonable amount of time to decide whether or not to opt-out. Various methods would be made available to healthcare recipients to opt-out, for example, online, in person or by phone.
Healthcare providers, contracted service providers, repository operators and portal operators would still need to opt-in and apply for registration should they wish to participate in the My Health Record system, regardless of any opt-out arrangements for healthcare recipients.

Amendments to My Health Records Act to allow opt-out arrangements

Item 106 inserts Schedule 1 into the My Health Records Act which provides the authorisations necessary for opt-out trial regions to be selected, for the System Operator to register healthcare recipients and therefore obtain their identifying information without application or consent, for their health information to be uploaded to the My Health Record system, and for participants in the My Health Record system to use this information for healthcare and other purposes as is currently permitted under opt-in arrangements. Further, new Schedule 1 enables opt-out to be implemented nationally should the Government decide to do so if evidence shows that the opt-out trials have demonstrated the value of adopting opt-out arrangements.

New Part 1 of Schedule 1 provides rule-making powers for the Minister to impose opt-out participation for healthcare recipients. Clause 1 provides that the Minister can make My Health Records Rules that will prescribe the opt-out arrangements to a class or classes of healthcare recipients and therefore to apply the authorisations in Schedule 1 to those specified healthcare recipients. The authorisations in this Schedule will also apply to participants in the My Health Record system in relation to their role in providing healthcare of the healthcare recipients in the trials.

These trial Rules are not required to be confined to a timeframe, however if a timeframe is specified in the Rules and the trial concludes and no decision is made to opt-out nationally or extend the trials, the system will revert to operating as it currently does and the Schedule will no longer apply. However, a healthcare recipient registered under Schedule 1 will continue to have a My Health Record (including after the trials have finished) unless they or their representative cancel their registration under current section 51 of the Act.

In making the trial Rules under clause 1, the Minister must:
- be satisfied that applying opt-out to the class, or classes, of healthcare recipients will provide evidence of whether the opt-out arrangements result in participation in the My Health Record system at a level that provides value to those using the My Health Record system;
- consult with the subcommittee to the Ministerial Council. In practice, the Australian Health Ministers' Advisory Council will be consulted.

An administrative framework will be established for the selection of trial sites, including selection criteria, and this framework will be made public. The selection of trial sites will not be preferential or give financial or other benefit to particular states or territories or parts of states or territories. Rather, trial sites will be selected on the basis that a population and its health services are representative of the broader community's characteristics and needs, and will allow evidence to be gathered enabling a decision to be made about participation arrangements, including opt-out.
Clause 2 provides that, at any point after the introduction of the opt-out trials, the Minister can make My Health Records Rules that apply the opt-out model for the whole of Australia, provided the outcomes of the opt-out trials have demonstrated the value in adopting an opt-out model. The trials do not need to be confined to any timeframes, and could still be in place, when the Minister decides there is enough evidence to make a decision to apply the opt-out model nationally. In making Rules to apply the opt-out arrangements nationally, the Minister must consider the evidence of the opt-out trials and any other relevant matters. Before the Minister can make Rules applying the opt-out arrangements nationally, the Ministerial Council must be consulted.

New Part 2 of Schedule 1 provides the authorisations necessary for the system to operate on an opt-out basis for healthcare recipients, whether it is for trial sites or nationally. If the Minister has applied the opt-out arrangements to trial sites or nationally, it means that Part 2 applies in place of certain other provisions of the Act, such as the requirements for healthcare recipients to apply for registration and to give standing consent to the uploading of their health information (see clause 17 of Schedule 1 for more details).

Clause 3 enables the System Operator to register an eligible healthcare recipient (for eligibility, see clause 4) if satisfied that the healthcare recipient's identity has been verified, and that the healthcare recipient has been given an appropriate opportunity to opt-out and has not chosen to do so. If a healthcare recipient has previously cancelled their registration (and at the time of opt-out being implemented remains unregistered), the System Operator will not register the healthcare recipient, however the healthcare recipient has the opportunity to change their mind at any point and apply to be registered (see clause 6). The System Operator must not register a healthcare recipient if doing so could compromise the security or integrity of the My Health Record system - for example, if the healthcare recipient is known by the System Operator to have previously committed fraudulent activity relating to the system. This clause also provides that the My Health Records Rules may prescribe other circumstances in which the System Operator must not register a healthcare recipient.

Clause 4 sets out the eligibility criteria for healthcare recipients to be registered. These are the same as those prescribed in current section 40 of the My Health Records Act. That is, that the healthcare recipient has a healthcare identifier and the following information is available - full name, date of birth, healthcare identifier or Medicare card number or Department of Veterans' Affairs file number, sex, and other information specified in regulations. At this stage, there are no regulations proposed to collect any further information. However, the regulation-making power is necessary to allow flexibility in the future if different forms of identifying information are needed for a healthcare recipient to be eligible.

Unlike current section 40 of the My Health Records Act, healthcare recipients are not required to provide this information as part of the registration process. Rather, under the opt-out arrangements in Schedule 1, the System Operator is simply authorised to collect the information. In practice, the System Operator will collect the information from the HI Service Operator (Chief Executive Medicare).
Clause 5 ensures that healthcare recipients can choose to opt-out. To opt-out, a healthcare recipient will need to notify the System Operator and provide sufficient information so the System Operator can verify his or her identity. This process is intended to be as simple as possible, using a less stringent standard of identity verification than is currently used in the registration process, as opting out poses a much lower privacy risk to healthcare recipients than to those registering. This is intended to mitigate the risk of healthcare recipients who want to opt-out but are unable to do so or find the process too difficult.

In any opt-out arrangements, healthcare recipients will be given a reasonable opportunity to choose to opt-out. For example, in opt-out trials there will be an advertised period for healthcare recipients to opt-out, and in a national opt-out system it may be provided as a tick-box on an application form to register newborns or immigrants with Medicare. It will be critical in any setting that healthcare recipients are provided as much information as possible about the My Health Record system to help them decide whether or not to opt-out, and are provided support to make that decision where necessary.

Various opt-out channels are being developed which will enable healthcare recipients in a range of circumstances to be able to opt-out. For example, an online channel will enable healthcare recipients to opt-out themselves and their children who are under 18 years, using their Medicare card and either a driver licence, passport or Immicard. For those without online access, with communication disabilities, or without these identity documents, other channels will be available, such as phone and in person.

If a healthcare recipient chooses to opt-out, it will have effect on the same day they notify the System Operator. If a healthcare recipient changes their mind and wants a My Health Record, they may apply to register under clause 6.


If a healthcare recipient has been registered as part of an opt-out trial, they may choose to cancel their My Health Record at any time, and may subsequently choose to register again.

It is important to distinguish the difference between opt-out and cancellation. Opt-out applies before a My Health Record is created - a healthcare recipient may choose to opt-out, which means a My Health Record will not be created for them and no information will have been compiled. Cancellation applies after a My Health Record is created - a healthcare recipient may choose to cancel their My Health Record after it is created; information about the healthcare recipient will have been compiled between the time the My Health Record was created and cancelled and will be retained by the System Operator but cannot be accessed by any entity.

Clause 6 provides for those healthcare recipients subject to the opt-out model who have either opted-out, or who have previously cancelled their registration, but who subsequently change their minds and want to register for a My Health Record. Clause 6 also allows registration in opt-out trial sites to occur immediately, should a healthcare recipient so wish, without having to wait for the pre-determined opt-out opportunity to lapse. For example, in the opt-out trials it may be several weeks before a My Health Record is created for healthcare recipients who choose not to opt-out. Clause 6 allows healthcare recipients to apply to register for a My Health Record. These arrangements reflect those already set out in Division 1 of Part 3 of the My Health Records Act, except that the healthcare recipient will not need to give consent to the uploading of their health information since this is already authorised under new Schedule 1.

New Division 2 of Schedule 1 sets out the authorisations that will operate where the opt-out model is applied. These new authorisations largely reflect the authorisations that are already provided in the My Health Records Act at new sections 58 and 58A, except where additional authorisations are required in place of a healthcare recipient's consent.


To help readers understand how these new authorisations operate, they are set out in the following table with either a reference to existing equivalent authorisations or with an explanation of why the new authorisation is required.

Including health information in a My Health Record

New section no.: 7
Table item no.: N/A
Authorisation: The System Operator may collect, use and disclose health information about a healthcare recipient for the purposes of including the health information in the healthcare recipient's My Health Record.
Equivalent existing section number or reason for new authorisation: The System Operator currently takes these actions on the basis of healthcare recipients' implied consent. With clause 7, the System Operator is expressly authorised. Clause 7 is intended to be broad enough to allow for the collection, use and disclosure of third party health information, where this is to be included in a healthcare recipient's My Health Record - for example, as part of the family medical history of the healthcare recipient. Supporting amendments to other provisions of the My Health Records Act and the Privacy Act also help deal with, and place limits on the collection, use and disclosure of, third party information. Clause 7 of Schedule 1 mirrors new section 58 of the My Health Records Act.

Including health information in a My Health Record

New section no.: 8(1)
Table item no.: 1
Authorisation: The System Operator may collect, use and disclose identifying information about, or a healthcare identifier of: a healthcare recipient; an authorised representative; a nominated representative; or a healthcare provider, for the purposes of the My Health Record system.
Equivalent existing section number or reason for new authorisation: HI Act: 22A(2) and (3)


Table item no.: 2
Authorisation: The System Operator may collect, use and disclose information relevant to whether a person is an authorised representative or nominated representative of another person, for the purposes of determining whether a person is an authorised representative or nominated representative of another person.
Equivalent existing section number or reason for new authorisation: HI Act: 22A(3) and 22E; HI Regulations: 15; My Health Records Act: 6 and 7 (implied). This new item clarifies and condenses existing authorisations into an express authorisation in the My Health Records Act that permits the System Operator in the opt-out system to collect, use and disclose information relevant to determining whether someone is an authorised or nominated representative. This is needed to ensure that the relevant person is the authorised or nominated representative, especially when they are electing to opt-out a healthcare recipient.

Table item no.: 3
Authorisation: A registered repository operator or registered portal operator may collect, use and disclose to a participant in the My Health Record system the healthcare identifier of: a healthcare recipient; an authorised representative; a nominated representative; or a healthcare provider, for the purposes of the My Health Record system.
Equivalent existing section number or reason for new authorisation: HI Act: 22C


Table item no.: 4
Authorisation: The HI Service Operator may collect from the System Operator, use and disclose to the System Operator information relevant to whether a person is an authorised representative or nominated representative of another person, for the purposes of assisting the System Operator to determine whether a person is an authorised representative or nominated representative of another person.
Equivalent existing section number or reason for new authorisation: HI Act: 22E; HI Regulations: 15; My Health Records Act: 6 and 7 (implied). This new item clarifies and condenses existing authorisations into an express authorisation in the My Health Records Act, that permits the HI Service Operator in the opt-out system to collect, use and disclose information relevant to determining whether someone is an authorised or nominated representative. This is needed to ensure that the relevant person is the authorised or nominated representative, especially when they are electing to opt-out a healthcare recipient.

Table item no.: 5
Authorisation: The Chief Executive Medicare may collect from the System Operator, use and disclose to the System Operator identifying information about a person who is or may be: a healthcare recipient; an authorised representative; or a nominated representative, for the purposes of assisting the System Operator to verify the identity of the person, or otherwise for the purposes of the My Health Record system.
Equivalent existing section number or reason for new authorisation: My Health Records Act: 22D and 58. While use and disclosure were previously authorised, this new clause and item clarify that the Chief Executive Medicare may collect the necessary information from the System Operator in the opt-out system, which is needed to verify the identity of the person.


Table item no.: 6
Authorisation: The Chief Executive Medicare may collect from the System Operator, use and disclose to the System Operator information relevant to whether a person is an authorised representative or nominated representative of another person, for the purposes of assisting the System Operator to determine whether a person is an authorised representative or nominated representative of another person.
Equivalent existing section number or reason for new authorisation: HI Act: 22E; HI Regulations: 15; My Health Records Act: 6 and 7 (implied). This new item clarifies and condenses existing authorisations into an express authorisation in the My Health Records Act, that permits the Chief Executive Medicare in the opt-out system to collect, use and disclose information relevant to determining whether someone is an authorised or nominated representative. This is needed to ensure that the relevant person is the authorised or nominated representative, especially when they are electing to opt-out a healthcare recipient.

Table item no.: 7
Authorisation: The Chief Executive Medicare may collect, use and disclose to a participant in the My Health Record system identifying information about, or a healthcare identifier of: a healthcare recipient; an authorised representative; or a nominated representative, if: it is for the purpose of including health information in the healthcare recipient's My Health Record; and the healthcare recipient has not elected to opt-out (and that decision is still in force).
Equivalent existing section number or reason for new authorisation: This new authorisation is designed to allow the Chief Executive Medicare to collect, use and disclose identifying information or a healthcare identifier to include the information in the healthcare recipient's My Health Record. This authorisation is necessary in opt-out arrangements as it is not possible to get healthcare recipient's consent as is the case under opt-in arrangements.


Table item no.: 8
Authorisation: The Veterans' Affairs Department and Defence Department may use and disclose to the System Operator identifying information about a person who is or may be: a healthcare recipient; an authorised representative; or a nominated representative, for the purposes of assisting the System Operator to verify the identity of the person.
Equivalent existing section number or reason for new authorisation: My Health Records Act: 58. While use and disclosure were previously authorised, this new clause and item number clarify that the Veterans' Affairs Department or Defence Department can collect the necessary information from the System Operator, which is needed to assist the System Operator to verify the identity of the person.


Table item no.: 9
Authorisation: The Veterans' Affairs Department and Defence Department may collect from the HI Service Operator, use and disclose to a participant in the My Health Record system, identifying information about, or a healthcare identifier of: a healthcare recipient; an authorised representative; or a nominated representative, if: it is for the purpose of including prescribed information in the healthcare recipient's My Health Record; and the healthcare recipient has not elected to opt-out (and that decision is still in force).
Equivalent existing section number or reason for new authorisation: This new authorisation is included to allow the Veterans' Affairs Department or Defence Department to collect, use and disclose identifying information or a healthcare identifier for the purpose of including prescribed information in the healthcare recipient's My Health Record. This authorisation is necessary in opt-out arrangements as it is not possible to get healthcare recipient's consent as is the case under opt-in arrangements. The reference to "prescribed information" provides for the possibility that, in future, other kinds of Commonwealth agency records may be identified which may be of value to include in healthcare recipients' My Health Records. For example, the Departments of Defence or Veterans' Affairs may have records about current and former service men and women that relate to health services they have received. Regulations may be made to allow healthcare identifiers to be attached to prescribed classes of records so they can be included in the My Health Record system.


Table item no.: 10
Authorisation: A prescribed entity may collect, use and disclose to another prescribed entity identifying information about a person who is or may be: a healthcare recipient; an authorised representative; or a nominated representative, for the purposes of assisting the System Operator to verify the identity of the person.
Equivalent existing section number or reason for new authorisation: As part of running the My Health Record system, including verifying identities in the opt-out system, the System Operator may need to disclose identifying information about a healthcare recipient, an authorised representative or nominated representative, and that entity will need authorisation to collect, use and disclose that information. For example, the regulations will likely authorise the Document Verification Service (run by the Attorney-General's Department) to collect identifying information, to help correctly identify a person seeking to opt-out of being registered. This would be necessary to ensure that the System Operator is opting out the right person.

The Note to this table refers readers to section 15 of the HI Act which authorises the HI Service Operator to collect, use and disclose healthcare identifiers and identifying information about healthcare recipients, authorised representatives and nominated representatives for the purposes of the My Health Record system. This means that the HI Service Operator relies on the authorisations provided by both the HI Act and My Health Records Act to interact with the My Health Record system.

Subclause 8(2) requires that if at any time the Chief Executive Medicare, Veterans' Affairs Department, Defence Department, HI Service Operator or a prescribed entity (item 10 of table at subclause 8(1) refers) becomes aware that the information it has provided to the System Operator has changed, the entity must notify the System Operator.
This ensures the System Operator has and uses the most up-to-date information for identity verification and other My Health Record system purposes.

New Division 3 of Schedule 1 inserts new clauses 9 to 16 which mirror existing provisions in the My Health Records Act which cannot operate without consent.

New clause 9 mirrors current subsection 41(3) and (4) and new subsection 41(3A) (item 68 refers). It authorises registered healthcare provider organisations to upload health information to a healthcare recipient's My Health Record, which may include information about a third party, unless:


- the healthcare recipient asks the healthcare provider organisation not to upload it; or
- a preserved law prohibits the organisation from disclosing it without the express or written consent of the healthcare recipient.

New clauses 10 to 14 mirror current section 38 by requiring the Chief Executive Medicare to apply to become a registered repository operator, allowing the Chief Executive Medicare to include health information about a registered healthcare recipient in that repository, and allowing the Chief Executive Medicare to make this information available to the System Operator at the Chief Executive Medicare's discretion. This information cannot be provided to the System Operator if the healthcare recipient has instructed the Chief Executive Medicare not to do so.

Clause 13 includes a mechanism that permits healthcare recipients registered under Schedule 1 to elect not to have Medicare information (MBS, PBS, AODR and ACIR) made available to the System Operator for inclusion in their My Health Record. The mechanism allows healthcare recipients to change their mind about whether or not they want Medicare information included. Under subclause 12(2), Chief Executive Medicare must comply with any election made by a healthcare recipient. Under clause 14, information made available by the Chief Executive Medicare may include the names of healthcare providers who have provided care to the healthcare recipient.

New clause 15 makes clear that Division 3 does not limit the way the Chief Executive Medicare can operate the repository.

New clause 16 mirrors new section 50D (inserted by item 73) which provides that registered repository operators may make available to the System Operator a registered healthcare recipient's health information for inclusion in her or his My Health Record.
New clause 17 provides that specified provisions of the My Health Records Act do not apply or are modified whenever the opt-out model is applied, either in trials or nationally, because they are replaced by clauses set out in Schedule 1, are unnecessary in an opt-out setting or require modification to operate in an opt-out setting. For example:
- the requirement relating to the Chief Executive Medicare's repository in section 38 of the My Health Records Act;
- the provisions relating to the registration of a healthcare recipient in Part 3, Division 1 of the My Health Records Act;
- the provisions relating to non-discrimination in section 46 of the My Health Records Act;
- the authorisation for registered repository operators to upload health information under section 50D of the My Health Records Act;
- the authorisations for the Chief Executive Medicare, Veterans' Affairs Department and Defence Department to use and disclose healthcare identifiers and identifying information for identity verification purposes or for the purposes of the My Health Record system, and to notify the System Operator when this information changes; and


- the ability for the System Operator to cancel, suspend or vary a healthcare recipient's registration under paragraphs 51(2)(d) and (e) of the My Health Records Act on the basis that the healthcare recipient's consent has been withdrawn or is no longer valid.

Additionally, new clause 17 clarifies that any reference to a registered healthcare recipient in the Act, includes a reference to a healthcare recipient who is registered under Part 2.

Privacy Act 1988

Items 99-101

In 2008, the Australian Law Reform Commission (ALRC) published the report For Your Information: Australian Privacy Law and Practice (ALRC Report 108), which recommended changes to the definition of health service to remove some ambiguities about what is or is not considered to be a health service. For example, a palliative care service would generally be considered a health service, however it arguably did not meet a strict interpretation of the previous definition - that is, it would not improve the individual's health or treat the individual's illness.

Items 100 and 101 replace the current definition of health service with a new section 6FB which provides that a health service is an activity performed in relation to an individual that is intended or claimed (expressly or otherwise) by the individual or the person performing it:
- to assess, maintain or improve the individual's health. This element of the definition is similar to current subparagraph (a)(i) of the definition of health service. "Record" has been moved to a new paragraph in the definition - see below;
- where the individual's health cannot be maintained or improved - to manage the individual's health. This part of the definition is intended to ensure that palliative care services fall within the definition of health service, consistent with ALRC recommendations;
- to diagnose the individual's illness, disability or injury. This element of the definition is similar to subparagraph (a)(ii) of the existing definition. "Injury" has been added consistent with the recommendations of the ALRC;
- to treat the individual's illness, disability or injury, or suspected illness, disability or injury. This element of the definition is similar to subparagraph (a)(iii) of the existing definition. Again, "injury" has been added consistent with the recommendations of the ALRC;
- to record the individual's health for the purposes of assessing, maintaining, improving or managing the individual's health. The act of "recording" an individual's health has been separated out (it was previously part of subparagraph (a)(i) of the definition of health service). The reference to "record" is important for a number of reasons, including for the link it provides to authorisations as part of the My Health Records Act. For this reason, "record" has been retained as part of the definition of health service, despite an ALRC recommendation that it be removed.

Subsection 6FB(2) is unchanged in substance from existing paragraph (b) of the definition of health service.


Subsection 6FB(3) is intended to provide clarification, consistent with recommendations made by the ALRC, that:
- a reference in section 6FB to an individual's health includes the individual's physical or psychological health;
- an activity mentioned in subsections 6FB(1) or (2) that takes place in the course of providing aged care, palliative care or care for a person with a disability is a health service.

A regulation-making power has been included in new subsection 6FB(4) that enables regulations to be made prescribing an activity that, despite subsections 6FB(1) and (2), is not to be treated as a health service for the purposes of the Privacy Act. This regulation-making power is designed to enable services to be excluded from the definition of health service where it is considered appropriate. The regulation-making power is consistent with the ALRC's recommendations.

Items 99 and 101 replace the definition of health information with a new section 6FA to reflect these changes to health service.

Item 102 After subsection 16B(1)

Section 16B of the Privacy Act sets out permitted health situations in relation to the collection, use or disclosure of health information. Item 102 of the Bill inserts subsection 16B(1A) as a new permitted health situation in the Privacy Act. Subsection 16B(1A) is based on current Public Interest Determinations No. 12 Collection of Family, Social and Medical Histories (PID 12) and Public Interest Determinations No. 12A Collection of Family, Social and Medical Histories (PID 12A), and is designed to authorise the same things that the existing PID 12 and PID 12A authorise.

PART 2--RULE-MAKING POWERS, APPLICATION AND TRANSITION PROVISIONS

Part 2 describes how the changes set out in Part 1 of the Bill will operate and have effect and when the various changes will commence.
Item 128 Rules

Subitem 128(3) of Schedule 1 makes express provision for rules made for the purpose of subitem 128(2) to modify the operation of:
- the Healthcare Identifiers Act 2010;
- the Personally Controlled Electronic Health Records Act 2012;
- the Privacy Act 1988.

This provision is likely to be regarded as a "Henry VIII clause", in that it may allow the Minister to modify the operation of the specified Acts by making rules. This power may result in the operation of primary legislation being expressly or impliedly amended by subordinate legislation. In general, primary legislation should not create a power to make a legislative instrument which can modify the operation of an Act, however this clause is needed for transition purposes. It is consistent with similar rule-making powers in other amendment Bills.

The purpose of this provision is to allow the Minister to deal with any unforeseen or unintended consequences that may arise at a later date, specifically regarding the opt-out trials and the changes in governance of the System Operator to the Australian Commission for eHealth. In particular, as it is intended that the Australian Commission for eHealth will be made under the PGPA Act and PGPA Rules at a later date, this provision is intended to help avoid any unintended consequences from this change. The rule-making power provides legislative authority to address a range of practical situations that might arise with a transfer of functions or when a machinery of government change occurs. Where a rule is made that could potentially modify the application of an Act, which another Minister is responsible for, it is intended for those rules to be made only after that other Minister has been consulted.

Paragraph 128(4)(e) prohibits the making of rules that directly amend the text of the Act. "Directly amend" means to make an amendment that would need to be incorporated in any reprint of the Act by the Government Printer (see section 2 of the Acts Publication Act 1905). Paragraph 128(4)(e) does not prohibit a rule that modifies the effect of a provision, such as by providing that a provision has effect as if it had been amended in a specified way, but does not make a direct amendment of any Act. Subitem 128(4) places other restrictions on the rule-making power.

SCHEDULE 2--RENAMING PCEHR AS MY HEALTH RECORD

Schedule 2 amends the HI Act, Health Insurance Act 1973 (Health Insurance Act), National Health Act 1953 (National Health Act) and PCEHR Act to change the name of the personally controlled electronic health record to the My Health Record.
This change is intended to recognise that a health record is the result of a partnership between a healthcare recipient and a healthcare provider. Further, the name change reflects that it is becoming unnecessary to differentiate between digital and physical information so rather than refer to it as an eHealth record, it is simply a health record. The personal controls available to healthcare recipients to manage access to their My Health Record will not be reduced as a result of this change.

All references to the following terms, including in definitions, headings, notes and the title of the PCEHR Act, will be changed as set out below:
- participant in the PCEHR system becomes participant in the My Health Record system;
- PCEHR becomes My Health Record;
- Personally Controlled Electronic Health Records Act 2012 becomes My Health Records Act 2012;
- PCEHR Rules becomes My Health Records Rules;
- PCEHR system becomes My Health Record system; and


- PCEHR System Operator becomes My Health Record System Operator.

SCHEDULE 3--RENAMING CONSUMERS AS HEALTHCARE RECIPIENTS

Schedule 3 amends the Health Insurance Act, National Health Act and My Health Records Act to change all references from "consumer" to "healthcare recipient", including those in definitions and headings. This change reflects the same language used in the HI Act, helping further align the two Acts.

SCHEDULE 4--FURTHER CONSEQUENTIAL AMENDMENTS

Part 1 of Schedule 4 amends the reference to the "Legislative Instrument Act 2003" in the My Health Records Act to the new name of Legislation Act 2003.

Part 2 of Schedule 4 amends parts of section 131 of the Health Insurance Act. Item 2 in Part 2 amends subsection 131(1) of the Health Insurance Act by omitting "or the Healthcare Identifiers Act 2010" and substituting "or instruments made under this Act". Item 3 in Part 2 amends subsection 131(2) of the Health Insurance Act by inserting "or an instrument under which the power exists" after "this Act". These amendments are designed to clarify when the Minister, the Secretary and the Chief Executive Medicare may delegate their powers.


 

