Australian Government - Office of the Australian Information Commissioner

Annual Report 2010–11 on compliance and enforcement activities under the Healthcare Identifiers Act

1. Executive summary

Section 30(1) of the Healthcare Identifiers Act 2010 (HI Act), which commenced on 29 June 2010, requires the Australian Information Commissioner to prepare a report on the Commissioner's compliance and enforcement activities under the HI Act during the financial year, as soon as practicable after the end of each financial year.

This report also addresses a number of matters outside the reporting requirements of the HI Act. This includes details of all activities relating to the Healthcare Identifiers Service (HI Service) that were undertaken pursuant to the exchange of letters agreement with the Department of Health and Ageing (DoHA) for the period 1 July 2010 to 30 June 2011.

In the Office of the Australian Information Commissioner's (OAIC) first year as regulator of the HI Service, uptake by healthcare providers has been limited and no complaints have been received. Therefore the OAIC has focused its efforts on the development of guidance material for healthcare providers and individuals, and audits of the HI Service Operator, in preparation for the uptake of the scheme.

The OAIC anticipates a gradual expansion of its complaint handling activities during the next financial year, as the HI Service is implemented in time for the first release of the personally-controlled electronic health record scheme by mid-2012.

2. Introduction

Functions of the Australian Information Commissioner in relation to healthcare identifiers

Legislation: Healthcare Identifiers Act and Privacy Act

The Australian Information Commissioner has the following key roles and responsibilities under the HI Act and Privacy Act 1988 (Privacy Act):

  • to investigate an act or practice that may be an interference with the privacy of an individual under subsection 29(1) of the HI Act and, if the Commissioner considers it appropriate to do so, to attempt by conciliation, to effect a settlement of the matters that gave rise to the investigation
  • to do anything incidental or conducive to the performance of that function.

Exchange of letters

The Australian Information Commissioner has the following key roles and responsibilities under the exchange of letters with DoHA:

  • investigate acts and practices that may be a misuse of healthcare identifiers by Commonwealth agencies, private sector organisations or individuals
  • if the Commissioner considers it appropriate to do so, attempt by conciliation to effect a settlement of the matters that gave rise to the investigation
  • advise on obligations in relation to healthcare identifiers and liaise with state and territory regulators
  • conduct up to 2 audits of the HI Service Operator per year
  • prepare an annual report at the end of each financial year for the Minister and Ministerial Council on the office's compliance and enforcement activities related to healthcare identifiers
  • respond to requests for advice on the appropriate handling of healthcare identifiers from Commonwealth agencies, private sector organisations and individuals
  • provide guidance to individuals and participants in the health care industry on their compliance obligations in relation to healthcare identifiers including, where appropriate, the development of information sheets, frequently asked questions and articles in industry magazines.

Year in review – a summary

During the financial year 2010–11, the OAIC has undertaken the following:

Activities undertaken by the OAIC in 2010–11.

| Activity | Quantity |
|---|---|
| Telephone enquiries | 1 |
| Written enquiries | 2 |
| Complaints | 0 |
| Audits | 2 |
| Policy advices | 1 |
| Guidance materials | 4 |
| Reports | 2 |
| Submissions | 1 |
| Case notes | 0 |
| Media enquiries | 1 |
| Speeches | 1 |
| Meetings/interviews | 2 |

3. Compliance and enforcement activities (reporting requirements under s 30(1) of HI Act)

The OAIC has undertaken the following key compliance and enforcement activities to support the appropriate use and handling of healthcare identifiers.

Audits

  • Two audits of the HI Service Operator, including preparation, fieldwork, and writing audit reports:
    1. Scope: The process for assigning Individual Healthcare Identifiers (IHIs), policies and procedures governing the handling of IHIs, particularly to ensure compliance with data security, accuracy and reporting requirements.

      Outcomes: No privacy issues were identified and no recommendations were made.

      Commenced: September 2010.

    2. Scope: The collection, storage and security, quality, use and disclosure of Healthcare Provider Identifiers, including how Individual Healthcare Identifiers and identifying information are handled through the batch searches process.

      Outcomes: Not yet finalised. Currently identifying preliminary issues and conducting analysis of audit material.

      Commenced: June 2011.

Investigations

  • No investigations were undertaken.

Training

  • Updated the Complaint Handling Manual.
  • Training provided to Compliance staff in the requirements of the HI Act.

4. Advice, guidance, liaison and other activities

The OAIC has provided or undertaken the following key advice, guidance, liaison and other activities to support the appropriate use and handling of healthcare identifiers:

Guidance material

  • Published 13 frequently asked questions for individuals in October 2010.
  • Prepared two draft information sheets advising private and state and territory healthcare providers about their compliance obligations. The information sheets are being prepared in consultation with DoHA, Medicare Australia, the National eHealth Transition Authority (NEHTA) and industry groups. The consultation process was still underway on 30 June 2011.
  • Prepared a draft article for industry magazines about compliance obligations, to be released with the information sheets.

Advice

  • Provided advice in June 2011 in response to a series of questions posed by NSW Health.

Liaison

  • Liaised in March 2011 with Medicare Australia regarding its response to a written enquiry by an individual.
  • Liaised regularly with DoHA, Medicare Australia and NEHTA regarding the roles and responsibilities in relation to the HI Service.

Other

  • Presented a speech on eHealth and Service Delivery Reform by the Commonwealth Department of Human Services to the Victorian Departments of Human Services and Health.
  • Participated in the review of the National Partnership Agreement on eHealth conducted by Elton Consulting in April 2011.
  • Provided an estimate of the costs associated with performing its functions in relation to healthcare identifiers for the period 1 July 2011 to 30 June 2012 and projected costing for the years 2012–13, 2013–14 and 2014–15 in June 2011.
  • Monitored the development of the personally-controlled electronic health record system design model as it relates to the HI Service.

5. Management and accountability

Summary of the administrative and legislative arrangements which govern the Australian Information Commissioner in relation to healthcare identifiers

Legislation: Healthcare Identifiers Act and Privacy Act

Part 4 of the HI Act sets out the interaction between the HI Act and the Privacy Act. Section 29 of the HI Act brings the regulation of healthcare identifiers within the OAIC's jurisdiction by stating that a breach of the HI Act or Regulations in connection with an individual's healthcare identifier is an interference with their privacy under the Privacy Act. Section 29(2) also brings the handling of healthcare identifiers by state or territory authorities within the OAIC's jurisdiction until local regulators are nominated. These sections provide that the Information Commissioner's powers and functions under the HI Act are similar to those conferred on the Australian Information Commissioner under the Privacy Act.

Exchange of letters

Under an exchange of letters agreement, DoHA allocated $550,000 funding to the OAIC to provide regulatory oversight of the HI Service and to advise individuals and participants in the health care industry on their obligations in relation to healthcare identifiers for the period 1 July 2010 to 30 June 2011. The terms of the exchange of letters are broadly similar to the OAIC's responsibilities set out in Schedule A to the National Partnership Agreement on eHealth (the NPA). The OAIC's work in relation to the HI Service has been largely informed by this exchange of letters.

National Partnership Agreement on eHealth

The NPA provides a framework for cooperative jurisdictional arrangements and responsibilities for eHealth and outlines the objectives and scope for the HI Service. Schedule A to the NPA sets out governance and administrative arrangements for the HI Service, including the responsibilities of the OAIC.

Breakdown of how funding was spent

During the reporting period, the OAIC applied the funding received under the exchange of letters agreement with DoHA to produce the outputs listed below. The office also developed its capacity to respond to complaints and undertake investigations in relation to the HI Service. The uptake in the use of healthcare identifiers has to date been limited. Consequently the OAIC has not yet been required to operate at full capacity in this area. However, the OAIC maintained the level of readiness required to respond effectively to any complaints received.

As indicated above, the OAIC has focused its efforts on the development of guidance material and the commencement of two audits of the HI Service Operator – one is yet to be finalised.

Policy Branch

Staff resources

.01 Senior Executive Service Level 1 staff

.1 Executive Level 2 staff

.4 Executive Level 1 staff

.9 APS 6 Level staff

Outputs
  • develop guidance material for private healthcare providers and state/territory bodies
  • liaise with stakeholders or participate in consultations
  • provide advice
  • reporting
  • prepare submissions
  • monitor eHealth developments
  • prepare speeches

Compliance Branch

Staff resources

.01 Senior Executive Service Level 1 staff

.4 Executive Level 2 staff

.4 Executive Level 1 staff

1 APS 6 Level staff

.01 APS 5 Level staff

.8 APS 4 Level staff

Outputs
  • conduct audits
  • respond to enquiries
  • update training material
  • train staff

Operations Branch

Staff resources

.04 APS 5 Level staff

Outputs
  • publish guidance and training material

Administrative costs

(other than salary on-costs, which are included in branch staffing costs)

Staff resources

Approximately $4,000

Outputs
  • travel associated with audits
  • travel associated with stakeholder liaison and consultation participation
  • publication of guidance material.

Signed

[signed]

Professor John McMillan
Australian Information Commissioner

Date: 23 September 2011
