- 1. Executive summary
- 2. Introduction
- 3. OAIC and the PCEHR system
- 4. OAIC and the Healthcare Identifiers Service
1. Executive summary
The 2012–13 financial year was the first year of operation of the Personally Controlled Electronic Health Records Act 2012 (PCEHR Act). Integral to the PCEHR system, and a critical enabler for eHealth generally, was the establishment of the Healthcare Identifiers (HI) Service by the Healthcare Identifiers Act 2010 (HI Act) two years prior.
Both the PCEHR and HI Acts establish systems, and authorise processes, that involve the handling of personal information of individuals. In recognition of the special sensitivity of health information, both Acts contain provisions protecting and restricting the collection, use and disclosure of personal information. The Information Commissioner oversees compliance with those provisions and is the independent regulator of the privacy aspects of the eHealth system.
This annual report sets out the Information Commissioner’s compliance and enforcement activity during 2012–13 in relation to both the PCEHR system and the HI Service (in accordance with section 106 of the PCEHR Act and section 30 of the HI Act). The report also provides information about the Office of the Australian Information Commissioner’s (OAIC) other eHealth activities, including: its development of guidance material, provision of advice, and liaison with key stakeholders (including the PCEHR System Operator and HI Service Operator).
During the reporting period, the OAIC received no complaints regarding the PCEHR system and closed one HI complaint (which was from 2011–12). Despite minimal enforcement activity during the year, the OAIC carried forward a full program of eHealth related work. Major projects included the OAIC’s:
- commencement of an audit program focused on ensuring records of personal information are maintained in accordance with the Privacy Act 1988 (Cth) (Privacy Act) and the related PCEHR Act and HI Act
- establishment of PCEHR enforcement guidelines setting out the Information Commissioner’s approach to the exercise of enforcement and investigative powers under the PCEHR Act and Privacy Act
- publication of fact sheets for consumers about privacy and eHealth
- development of an eHealth complaint handling and information sharing arrangement between the OAIC and state and territory privacy and health regulators
- establishment of internal processes and documentation to prepare for the OAIC’s regulatory role under the PCEHR Act
- training and development of the OAIC’s staff in the eHealth privacy regulatory framework.
The OAIC’s eHealth activities were carried out under a memorandum of understanding (MOU) with the Department of Health and Ageing (DoHA), signed on 29 November 2012 and running to 30 June 2014. More information about the OAIC’s MOU with DoHA is provided below in section 2 of this report. The MOU can be accessed on the OAIC’s website, www.oaic.gov.au.
2. Introduction
A strong privacy framework provides a foundation for public confidence in eHealth. Individuals expect a high degree of privacy protection when it comes to their health information. In the eHealth context, where systems are established to enable sharing of information with trusted healthcare providers, privacy protection is necessarily a central consideration in the development of system functionality and the mapping of information flows.
In recognition of the sensitivity of health information, the PCEHR and HI Acts contain provisions that regulate the collection, use and disclosure of information, and give the Information Commissioner a range of enforcement powers. As the independent regulator for the privacy aspects of the eHealth system, the Information Commissioner plays a crucial role in overseeing compliance with those privacy provisions.
In addition to compliance and enforcement functions in relation to eHealth, the OAIC carries out a number of other activities, which are set out in an MOU with DoHA. The MOU sets out a program of work that includes business-as-usual activities (such as responding to requests for advice and investigating privacy complaints relating to the eHealth system), and project-based work (such as developing guidance material, conducting audits and establishing complaint handling arrangements and materials). Information about these activities is set out in sections 3 and 4 of this report. Further information about the OAIC’s MOU activities is summarised in Quarterly Reports under the MOU, available on the OAIC website, www.oaic.gov.au.
The MOU, signed on 29 November 2012, covers activities related to both the PCEHR system and the HI Service. It replaced earlier separate MOUs the OAIC had with DoHA for PCEHR and HI respectively. During 2012–13, the OAIC received $2,223,578 from DoHA to carry out activities in accordance with the MOU.
2.1 The Information Commissioner’s eHealth functions
The PCEHR System
The Information Commissioner has the following key roles and responsibilities under the PCEHR Act and Privacy Act to:
- investigate an act or practice that may be an interference with the privacy of an individual under ss 73(1) and (2) of the PCEHR Act or the Privacy Act, and if the Commissioner considers it appropriate to do so, attempt a settlement by conciliation of the matters that gave rise to the investigation
- conduct audits
- conduct an investigation on the Commissioner’s own motion
- accept data breach notifications
- investigate failure to notify data breaches
- use enforcement mechanisms, when appropriate, including civil penalties, injunctions, determinations and the acceptance of enforceable undertakings
- issue guidelines outlining how the OAIC will approach enforcement issues under the PCEHR Act (s 111 of the PCEHR Act)
- provide a range of advice and guidance material.
Healthcare Identifiers Service
The Information Commissioner has the following key roles and responsibilities under the HI Act and Privacy Act to:
- investigate an act or practice that may be an interference with the privacy of an individual under subsection 29(1) of the HI Act and, if the Commissioner considers it appropriate to do so, attempt a settlement by conciliation of the matters that gave rise to the investigation
- conduct audits
- conduct an investigation on the Commissioner’s own motion
- provide a range of advice and guidance material.
2.2 Year in review — a summary
During the financial year 2012–13, the OAIC undertook the following:

| Activity | PCEHR system | HI Service |
|---|---|---|
| Audits | 1 (ongoing at 30 June 2013) | 1 (ongoing at 30 June 2013) |
| Legal advice and assistance | 14 | 1 |
3. OAIC and the PCEHR system
The OAIC performs a range of functions in relation to the PCEHR system. These functions include compliance and enforcement activities and other activities set out under the MOU, including providing privacy related advice and developing guidance and training materials for internal and external stakeholders.
Compliance and enforcement activities include receiving and investigating complaints about alleged interferences with the privacy of a consumer in relation to the PCEHR system. In addition, the OAIC conducts audits of participants in the system to ensure they are complying with their privacy obligations. Information about the OAIC’s enforcement and compliance activities is set out below under section 3.1.
The OAIC is also responsible for producing statutory and regulatory guidance for consumers and other participants such as healthcare providers, registered repository operators and the System Operator.
These activities are an important component of the OAIC’s regulatory role under the PCEHR system. They have set the foundation for the OAIC’s compliance and enforcement role and enabled the OAIC to review and begin to implement the necessary changes to its processes. Among other things, the OAIC developed training and guidance materials about the PCEHR system and provided progressive training and updates to staff about the OAIC’s new regulatory responsibilities and the impact of these changes.
To deliver on these outcomes, the OAIC carried out extensive liaison with external stakeholders including state and territory health and privacy regulators, professional industry bodies in the health sector and consumer representatives. Information about the OAIC’s activities in relation to providing advice, developing guidance material and liaison with key stakeholders is given below in section 3.2.
3.1 OAIC enforcement and compliance activities
Complaints and investigations relating to the PCEHR System
The OAIC received no complaints from individuals about the PCEHR system during 2012–13. Therefore, the Information Commissioner did not undertake any investigations or enforcement action.
Under s 40(2) of the Privacy Act 1988 the Information Commissioner also has the discretion to investigate an act or practice that may be an interference with privacy on the Commissioner’s own motion (without first receiving a complaint from an individual). During 2012–13, the Commissioner did not carry out any own motion investigations into the PCEHR system. The OAIC did, however, commence an audit of the PCEHR System Operator (outlined below).
Audits relating to the PCEHR system
Under the OAIC’s MOU with DoHA, the Office must conduct up to two audits of the PCEHR System Operator and up to two audits of agencies and organisations (on invitation) before 30 June 2014.
Audits commenced and ongoing during the reporting period
The OAIC commenced an audit of the PCEHR System Operator’s:
- policies and procedures for the collection of personal information during the PCEHR consumer registration processes
- processes and guidance material for collecting personal information via the assisted registration procedure.
During the reporting period, the OAIC determined an appropriate audit target and audit methodology, developed the audit scope, objectives and assessment criteria, and sought documentation from the System Operator prior to the commencement of fieldwork. Fieldwork and preparation of the audit report is scheduled to occur early in the new financial year.
The audit was ongoing at 30 June 2013.
3.2 PCEHR system advice, guidance, liaison and other activities
The OAIC’s Enquiries Team received 12 enquiries about the PCEHR system during the reporting period.
The majority of enquiries came from individuals wishing to find out more about the eHealth system, including whether it was compulsory to register for a PCEHR, the effect of opting out of an eHealth record on Medicare benefits and the type of information that could be held in an eHealth record. Some healthcare providers also contacted the OAIC to learn how they could participate in the eHealth system and to find out general information about eHealth and their privacy obligations.
Policy advice to key stakeholders and members of the public
The OAIC responded to written enquiries from consumer groups, including the Australian Privacy Foundation (APF) and the Consumer eHealth Alliance (CeHA). The APF raised a number of issues relating to privacy aspects of the eHealth system, including in relation to collection, use and disclosure of information in eHealth records, audit logs, application of PCEHR rules, the australia.gov site (now my.gov.au) and general security and oversight of the eHealth system. CeHA raised concerns with the OAIC regarding media reports of inaccurate prescription information in eHealth records and possible privacy issues associated with the assisted registration process. Both APF and CeHA sought further information about the OAIC’s MOU with DoHA (available on the OAIC website), and accessibility of the OAIC’s consumer fact sheets about privacy and eHealth.
The OAIC provided advice to APF and CeHA clarifying the privacy aspects of the eHealth system, and directed both organisations to further information where relevant. The OAIC also sought information from DoHA regarding specific concerns raised.
In total, the OAIC provided 15 policy advices to individuals and entities about privacy and the PCEHR system.
Policy advice to the Department of Health and Ageing
Under its MOU with DoHA, the OAIC liaises and coordinates with the PCEHR System Operator on privacy related matters, including by providing feedback and advice on proposals and projects with a possible privacy impact.
During the reporting period, the OAIC:
- provided feedback to DoHA on the privacy aspects of eHealth guidance and registration material, including in relation to the draft participation agreement between the System Operator and registered healthcare providers and accompanying frequently asked questions (FAQs)
- engaged with DoHA on its policy proposal for assisted registration (where consumers are assisted to register for an eHealth record by their doctor or another known healthcare provider) and provided comments on the ‘Essential information’ brochure and form given to consumers during the assisted registration process
- provided feedback on new and revised privacy notices developed in conjunction with new system functionality.
The OAIC also provided advice to DoHA’s Change and Adoption Partner regarding its eHealth Training Modules relating to the privacy of healthcare professionals.
PCEHR (Information Commissioner Enforcement Powers) Guidelines 2013
On 20 June 2013, the PCEHR (Information Commissioner Enforcement Powers) Guidelines 2013 were registered on the Federal Register of Legislative Instruments. The Guidelines were made under section 111 of the PCEHR Act which requires the Information Commissioner to formulate, and have regard to, guidelines regarding the exercise of the Information Commissioner's powers under the PCEHR Act or a power under another related Act, such as the Privacy Act.
As the independent regulator of privacy aspects of the PCEHR system, the Information Commissioner has a range of enforcement powers including:
- using existing Privacy Act investigative and enforcement mechanisms, including conciliation of complaints and formal determinations
- seeking an injunction to restrain or require particular conduct
- accepting enforceable undertakings
- seeking a civil penalty order from a Court.
The Guidelines explain the Information Commissioner’s general approach to the exercise of these enforcement powers and investigative powers under both the PCEHR Act and the Privacy Act, in relation to the PCEHR system. The Guidelines are available on the Comlaw website or the OAIC website, www.oaic.gov.au.
Consumer fact sheets
On 5 June 2013, the OAIC published six fact sheets for consumers about privacy and the eHealth system:
- The OAIC and the eHealth record system
- How to manage your eHealth record
- Consent and the handling of personal information in your eHealth Record
- Young People and the eHealth record system
- Medicare and your eHealth Record
- Emergency Access and your eHealth Record.
The fact sheets were developed following a targeted consultation with key health and consumer stakeholders. The OAIC also received input from the Privacy Advisory Committee and government agencies, including DoHA, the National e-Health Transition Authority (NeHTA) and the Department of Human Services (DHS) (on the factsheet Medicare and your eHealth Record).
The fact sheets are available on the OAIC website, www.oaic.gov.au.
Draft guide to data breach notification under the PCEHR Act
In September 2012, the OAIC published a consultation draft of a Guide to mandatory data breach notification in the eHealth record system, accompanied by a consultation paper.
The draft guide explains the breach notification obligations that apply to registered repository operators (RROs), registered portal operators (RPOs) and the PCEHR System Operator under s 75 of the PCEHR Act. The guide contains a range of information about the types of breaches that have to be reported and what information should be included in a notification. It also outlines how entities should contain a breach, evaluate risks arising from the breach and take steps to prevent future breaches.
During the consultation, the OAIC received 18 submissions from stakeholders. The OAIC is in the process of finalising the guide and developing forms to assist entities with notification.
The OAIC delivered privacy and eHealth training to the Australian Medicare Local Alliance in October 2012. In conjunction with that training, the OAIC developed a short video about eHealth and privacy, and the OAIC’s role as the independent regulator of the privacy aspects of the eHealth record system.
Liaison with key stakeholders
During 2012–13, the OAIC met with NeHTA on several occasions in order to share information and receive updates regarding the eHealth system. NeHTA also participated in consultations held by the OAIC, including consultations associated with the development of the PCEHR data breach notification guide and consumer factsheets.
The OAIC also engaged with DHS on the development of the OAIC’s consumer fact sheet — Medicare and your eHealth Record — and a set of internal eHealth FAQs for use by the OAIC Enquiries Line team (seeking feedback from the Department in its capacity as a Helpline Operator).
Engagement with other key stakeholders, such as consumer groups and health organisations occurred via public consultations held by the OAIC and as a consequence of direct requests for policy advice.
Liaison with the System Operator
The PCEHR System Operator is the Secretary of DoHA. In addition to regular meetings with DoHA under the MOU, the OAIC is currently developing an ‘Agreement for information sharing and complaint referral relating to the eHealth record system between the OAIC and the System Operator’, in consultation with the Department.
The purpose of the Agreement is to work towards ensuring that the process for making a complaint about the eHealth system is as seamless as possible for individuals, thus avoiding a situation where complainants are needlessly referred back and forth between regulators. To this end, the Agreement aims to facilitate cooperation between the OAIC and the System Operator and remove barriers to effective complaint handling.
The agreement also fulfils the OAIC’s obligation under the MOU with DoHA to ‘develop and agree on a protocol for processes, procedures and service standards with the PCEHR System Operator for the exchange of information and advice in relation to complaints about the PCEHR system and referral of privacy complaints and complex privacy enquiries’.
The OAIC developed a draft Agreement and at 30 June 2013 was liaising with DoHA to finalise the document.
Liaison with state and territory regulators
During 2012–13, the OAIC engaged extensively with state and territory privacy and health regulators in order to clarify jurisdiction in the eHealth system and to develop a complaint referral framework. The Office conducted meetings with regulators to discuss complaint handling in the eHealth system and consulted regulators on successive drafts of an information sharing arrangement.
The final Information Sharing and Complaint Referral Arrangement for the Personally Controlled Electronic Health (eHealth) Record System between the OAIC and State and Territory Health and Privacy Regulators was circulated to regulators on 9 April 2013, inviting their participation. At 30 June 2013, there were five parties to the Arrangement:
- Office of the Information Commissioner, Queensland
- Health Services Commissioner, ACT Human Rights Commission
- Office of the Health Services Commissioner, Victoria
- South Australian Health and Community Services Complaints Commissioner.
The OAIC expects other state and territory regulators consulted during the development of the Arrangement to indicate their participation in coming months. The Arrangement is available on the OAIC website.
The OAIC held two public consultations in connection with eHealth during 2012–13.
On 28 August 2012, the OAIC posted on its website a draft of the PCEHR (Information Commissioner Enforcement Powers) Guidelines together with a discussion paper, inviting public comment. Public consultation was for three weeks. The closing date for submissions was 18 September 2012.
To encourage input into the development of the Guidelines, the OAIC wrote to various key stakeholders, providing details of how to obtain a copy of the draft Guidelines and inviting comment. The OAIC also promoted the draft Guidelines through other communication channels such as the OAIC’s email newsletter OAICnet, Twitter and the Rich Site Summary (RSS) news feed from the OAIC’s website.
The OAIC received 15 non-confidential submissions, and one legal-in-confidence submission as a result of public consultation, and made some variations to the draft Guidelines as a result. The final Guidelines are available on the Comlaw website or on the OAIC website. The submissions are also available on the OAIC website.
The second major public consultation was held in September 2012 when the OAIC released a consultation draft of the Guide to mandatory data breach notification in the eHealth record system for public comment. The consultation draft was published on the OAIC website along with a consultation paper that set out background information and questions for stakeholder feedback. The OAIC received 17 non-confidential submissions and one legal-in-confidence submission. Submissions are available on the OAIC website.
Along with the two major public consultations, the OAIC carried out targeted consultations with health and consumer stakeholders in relation to the development of fact sheets on eHealth and privacy (see ‘Consumer fact sheets’ above in section 3.2 for further information).
Establishing internal processes and reference materials
Throughout 2012–13, the OAIC continued to focus on developing internal processes and reference materials relating to its functions and powers in connection with the eHealth system.
During the reporting period, the OAIC:
- developed a document containing answers to a range of FAQs on privacy issues related to the eHealth record system for use by OAIC Enquiries Line staff
- developed guidance material to assist OAIC staff with the initial assessment of complaints relating to the eHealth record system
- developed guidance material to assist OAIC staff to accurately record eHealth enquiries, complaints and other matters into the OAIC’s case management system
- delivered training to the OAIC’s Enquiries Line staff on the FAQs document and the guidance material for recording eHealth enquiries
- implemented updates to its case management system to facilitate the accurate and detailed recording of eHealth complaints, enquiries and other matters
- developed amendments to the Privacy Complaints Practice and Procedure Manual to address the handling of eHealth complaints
- commenced development of an internal guide to enforceable undertakings.
The OAIC also took steps to ensure that staff were fully trained in matters relating to eHealth enforcement. OAIC staff involved in conducting eHealth audits under the MOU have attended a three-day training course, ‘Fundamentals of Internal Auditing’, conducted by the Institute of Internal Auditors. The Office also arranged for training to be delivered to OAIC staff by the Australian Government Solicitor in relation to the OAIC’s new enforcement powers under the PCEHR Act. This training was held in November 2012 and further training is scheduled to occur early in 2013–14.
Receiving data breach notifications
The OAIC did not receive any data breach notifications in relation to eHealth during the period.
4. OAIC and the Healthcare Identifiers Service
The HI Service has been established as a foundation service for eHealth initiatives in Australia, in particular, the PCEHR system. Accordingly, the use of healthcare identifiers has increased since the launch of the PCEHR system on 1 July 2012. Under the PCEHR system, healthcare identifiers:
- are used to identify consumers who register for a PCEHR
- enable the PCEHR System Operator to authenticate the identity of all individuals who access a PCEHR and record activity through the audit trail
- help ensure the correct health information is associated with the correct consumer’s PCEHR
- are used to compile information for inclusion in a consumer's PCEHR. Information comes from registered data repositories or the National Repositories Service.
Additionally, registration with the HI Service is a prerequisite for a healthcare provider organisation to be registered for the PCEHR system.
However, as the PCEHR system is still in the early stage of implementation, the use of healthcare identifiers has been moderate, and the OAIC has not been required to undertake enforcement activities. This has meant that the OAIC focused on undertaking proactive compliance activities, such as monitoring developments in eHealth, conducting audits and participating in the review of the HI Act and Service (outlined below).
4.1 OAIC compliance and enforcement activities
Complaints relating to the HI Service
Complaints received and finalised during the reporting period
The OAIC had one open complaint as at 1 July 2012, which it subsequently closed. No other complaints about the HI Service were received during the period.
The complaint alleged that the respondent, a state health agency, had improperly handled the complainant’s individual healthcare identifier (IHI).
The complainant’s audit log showed that the state agency had 'searched and accessed' the complainant’s IHI. The complainant believed the IHI had been improperly accessed as they had not lived in that state for some time and were not receiving services from the state agency at the time. The complainant was concerned that previous associates who worked at that state agency had accessed the IHI for personal reasons.
Enquiries made by the OAIC showed the state agency was conducting an implementation project with NeHTA. The project trialled the manner in which identifying data held by a state agency could be matched effectively with data held by the IHI Service Provider. The project aimed to identify an effective process by which the state agency could request and obtain the correct IHI for its consumers when they used health services in the state.
On this basis, the OAIC considered that the handling of the complainant’s IHI by the agency was permitted by s 24(1)(a)(ii) of the HI Act, which allows a healthcare identifier to be used for the management and monitoring of healthcare. Accordingly, it was decided that the state agency had not interfered with the complainant’s privacy and the matter was closed.
Investigations relating to the HI Service
No complaint investigations or own motion investigations were commenced or finalised during the reporting period. At 30 June 2013, there were no HI investigations open.
Audits relating to the HI Service
Under the OAIC’s MOU with DoHA, the OAIC must conduct up to two audits of the HI Service Operator (DHS-Medicare) and up to two audits of agencies, organisations or state and territory authorities during the period covered by the MOU.
Audits commenced and ongoing during the reporting period
The OAIC commenced an audit of the HI Service Operator. The audit focused on the Service Operator’s collection, use and disclosure of IHIs, healthcare provider identifiers for individuals and associated identifying information after identifiers have been assigned by the Service Operator or the Australian Health Practitioner Regulation Agency.
During the reporting period, the OAIC determined an appropriate audit target and audit methodology, developed the audit scope, objectives and assessment criteria, sought and reviewed documentation from the Service Operator, and conducted two days of fieldwork. Preparation of the audit report is scheduled to occur early in the new financial year.
The audit was ongoing at 30 June 2013.
4.2 Healthcare Identifiers advice, liaison and other activities
Advice and liaison
The OAIC continued to engage with key stakeholders and provide policy advice on privacy aspects of the HI Act. This included meeting with DoHA on a quarterly basis under the MOU and meeting regularly with DHS under a separate MOU, beginning July 2012 and ending June 2013.
The OAIC responded to specific requests for advice. For example, NeHTA sought advice regarding a change request which would allow access to the HI Service Operator’s electronic healthcare provider database to enable batch searching of healthcare provider identifiers for individuals by a requesting healthcare provider organisation.
In total, the OAIC provided six policy advices related to the HI Service, mostly to key agencies (DoHA, NeHTA and DHS). In addition, the OAIC’s Enquiries Team received one phone enquiry about healthcare identifiers during the reporting period.
Participation in the review of the Healthcare Identifiers Act and Service
Under s 35 of the HI Act, the Minister must appoint an individual to review the operation of the Act and prepare a report on the review before 30 June 2013. Ms Joanna Kelly was appointed the independent reviewer of the HI Act and HI Service. The OAIC engaged with Ms Kelly on several occasions from December 2012, providing feedback on the operation of the HI Act and pointing out possible privacy issues.
As noted above, the OAIC took steps to ensure that staff were fully trained in matters relating to eHealth enforcement. OAIC staff involved in conducting HI audits under the MOU attended a three-day training course, ‘Fundamentals of Internal Auditing’, conducted by the Institute of Internal Auditors.
Professor John McMillan
Australian Information Commissioner
Date: 9 September 2013