Australian Government - Office of the Australian Information Commissioner

Annual Report 2011-12 on the Compliance and enforcement activities under the Healthcare Identifiers Act

1. Executive summary

Section 30(1) of the Healthcare Identifiers Act 2010 (HI Act) requires the Australian Information Commissioner (the Information Commissioner) to prepare a report on the Information Commissioner's compliance and enforcement activities under the HI Act during the financial year, as soon as practicable after the end of each financial year. This report fulfils the Information Commissioner's reporting obligation under the HI Act.

This report also addresses a number of matters outside the reporting requirements of the HI Act. This includes details of activities relating to the Healthcare Identifiers Service (HI Service) that were undertaken pursuant to the exchange of letters agreement with the Department of Health and Ageing (DoHA) for the period 1 July 2011 to 30 June 2012.

The period ending 30 June 2012 brought to a close the Information Commissioner's second year as privacy regulator of the HI Service. Since its inception, the Office of the Australian Information Commissioner (OAIC) has received few enquiries and complaints. This is attributable to the graduated implementation of the HI Service. However, the OAIC has remained actively involved in the regulation and development of the HI Service. Over the past year, the OAIC has focused its efforts on:

  • developing guidance material for healthcare providers and individuals
  • providing policy advice
  • consulting and liaising with DoHA and the HI Service Operator about the HI Service and
  • finalising audits of the HI Service Operator.

The HI Service is one of the key building blocks of the personally controlled electronic health (eHealth) record system. Accordingly, the OAIC has both monitored and engaged in the development of the eHealth record system, including the way the eHealth record system and its governing legislation interact with the HI Service and the HI Act. During 2011–12, the OAIC made submissions to DoHA and to the Senate Committee conducting the Inquiry into the Personally Controlled Electronic Health Records Bill 2011 and one related bill,[1] commenting on consequential amendments to the HI Act.

The OAIC expects that there will be a gradual expansion of the OAIC's compliance and enforcement activities as uptake of the HI Service expands alongside the rollout of the eHealth record system.

2. Introduction

The Information Commissioner's functions relating to healthcare identifiers

Legislation: Healthcare Identifiers Act and Privacy Act

The Information Commissioner has the following key roles and responsibilities under the HI Act and Privacy Act 1988 (Cth):

  • to investigate an act or practice that may be an interference with the privacy of an individual under subsection 29(1) of the HI Act and, if the Commissioner considers it appropriate to do so, to attempt, by conciliation, to effect a settlement of the matters that gave rise to the investigation and

  • to do anything incidental or conducive to the performance of that function.

Exchange of letters

The Information Commissioner has the following key roles and responsibilities under the exchange of letters with DoHA:

  • investigate acts and practices that may be a misuse of healthcare identifiers by Commonwealth agencies, private sector organisations or individuals

  • if the Commissioner considers it appropriate to do so, attempt by conciliation to effect a settlement of the matters that gave rise to the investigation

  • advise on obligations in relation to healthcare identifiers and liaise with state and territory regulators

  • conduct up to two audits of the HI Service Operator per year

  • prepare an annual report at the end of each financial year for the Minister and Ministerial Council on the office's compliance and enforcement activities related to healthcare identifiers

  • respond to requests for advice on the appropriate handling of healthcare identifiers from Commonwealth agencies, private sector organisations and individuals and

  • provide guidance to individuals and participants in the health care industry on their compliance obligations in relation to healthcare identifiers including, where appropriate, the development of information sheets, frequently asked questions and articles in industry magazines.

Year in review — a summary

During the financial year 2011–12, the OAIC has undertaken the following:

Activities undertaken during 2011–12

Activity                 Number
Telephone enquiries      0
Written enquiries        0
Complaints               1
Audits[2]                2
Policy advices           2
Legal advices            1
Guidance materials       5
Reports                  1
Submissions[3]           3
Case notes               0
Media enquiries          0
Speeches                 0
Meetings/consultations   2
Internal briefing        2
Inter-agency liaison     3
Training                 3

3. Compliance and enforcement activities (reporting requirements under s 30(1) of HI Act)

The HI Service is still in the early stage of implementation and the use of healthcare identifiers has been modest to date. This has provided the OAIC with an opportunity to focus on proactive compliance activities aimed at testing the strength of the privacy framework underpinning the HI Service. It has also allowed the OAIC to draw together a holistic picture of the compliance and governance aspects of the HI Service.

For example, during 2011–12, the OAIC's audit team focused on developing an in-depth understanding of the activities performed by the HI Service and how the obligations on the HI Service Operator under the HI Act interact with its obligations under the Information Privacy Principles (IPPs).

Specifically, the OAIC has undertaken the following key compliance and enforcement activities to support the appropriate use and handling of healthcare identifiers.

Audits

The exchange of letters requires that the OAIC complete up to two audits of the HI Service Operator each year. Work on two audits of the HI Service Operator was undertaken in 2011–12. These audits were commenced in the previous financial year. No audits were commenced in 2011–12.

  1. Scope: The process for assigning Individual Healthcare Identifiers (IHIs), policies and procedures governing the handling of IHIs, particularly to ensure compliance with data security, accuracy and reporting requirements.

    Outcomes: No privacy issues were identified and no recommendations were made. The final audit report was issued in July 2011.

    Commenced: September 2010.

  2. Scope: The collection, storage and security, quality, use and disclosure of Healthcare Provider Identifiers, including how IHIs and identifying information are handled through batch search processes.

    Outcomes: No recommendations were made as part of the audit; however, the OAIC offered a number of best privacy practice suggestions, which generally addressed collection, accuracy, record destruction and security matters. The final audit report was in draft form at 30 June 2012.

    Commenced: June 2011.

The complaint process under the HI Act

Contraventions of the HI Act are considered interferences with privacy for the purposes of the Privacy Act. Further, section 29(2) of the HI Act prescribes that state and territory authorities will be treated as organisations within the meaning of the Privacy Act for the purpose of investigations under Part 5 of the Privacy Act.

The OAIC can investigate acts or practices that may be a breach of privacy. Where appropriate, an attempt will be made to resolve a complaint through conciliation. If the OAIC is satisfied that a matter has been adequately dealt with, or if there has not been an interference with privacy, it may decide not to investigate the matter any further. Otherwise, the Information Commissioner may make a determination about a complaint under s 52 of the Privacy Act.

Complaints, investigations and preliminary enquiries

One complaint relating to the handling of healthcare identifiers was received during the reporting period.

The complainant alleged that a state authority had accessed their IHI unlawfully. The OAIC commenced preliminary enquiries under section 42 of the Privacy Act to clarify the precise circumstances in which the IHI was searched and accessed by the respondent, and whether this was authorised by the HI Act.

This complaint remained open as at 30 June 2012.

Training

Compliance and Operations staff conducted ongoing training of new staff members in the requirements of the HI Act, as part of the staff induction privacy training. In particular, the training covered:

  • the purpose and aim of healthcare identifiers
  • types of healthcare identifiers
  • OAIC's role as the HI Service privacy regulator and
  • the HI Service complaint handling processes and possible outcomes, including penalties.

On occasion the training required staff to travel between the OAIC's Sydney and Canberra offices.

4. Advice, guidance, liaison and other activities

The OAIC has provided or undertaken the following advice, guidance, liaison and other activities to support the appropriate use and handling of healthcare identifiers.

Guidance material

One of the OAIC's functions is education. It produces various materials for individuals about their privacy rights and for agencies and organisations about their obligations. It has a range of materials for the health sector including guidelines and fact sheets and frequently asked questions (FAQs) for individuals. These materials can be found on the OAIC's website.[4]

In addition to guidance about obligations under the Privacy Act, the OAIC also produces materials about privacy obligations contained in other legislation it regulates, such as the HI Act. The HI Act imposes specific obligations on healthcare providers, including in the state and territory public health sector, regarding how they collect, use and disclose healthcare identifiers. With the commencement of the eHealth record system, the use of healthcare identifiers is expected to increase. Given the new obligations the HI Act imposes and the likelihood of expanding use of the HI Service, the OAIC produced fact sheets to educate healthcare providers about their compliance obligations under the HI Act. The OAIC also revised its frequently asked questions to help educate consumers about their privacy rights.

Specifically, the OAIC developed and published the following guidance about healthcare identifiers in 2011–12:

  • A new FAQ for individuals[5] and an update of the existing FAQs[6] on the OAIC website, published in June 2012. The OAIC consulted with DoHA in relation to the new FAQ.
  • Three fact sheets advising private as well as state and territory healthcare providers about their compliance obligations, published in June 2012.[7] The OAIC consulted extensively with DoHA, Medicare Australia, the National eHealth Transition Authority (NeHTA) and other industry groups in relation to the fact sheets.
  • A fact sheet about the relationship between healthcare identifiers and the eHealth record system, published in June 2012. The OAIC consulted with DoHA in relation to the fact sheet.[8]

Advice

Activity in the HI Service has been limited in the early stages of its operation, as DoHA and its partners focused on the next stage of the eHealth framework – the eHealth record system. During the development and transformation phase of the eHealth record system, the OAIC concentrated on building the capacity and expertise of its policy and compliance staff about regulatory functions under the HI Act, and the impact of the Personally Controlled Electronic eHealth Records Bill. Specific activities undertaken by the Policy branch included:

  • providing advice to Compliance staff involved in audits of the HI Service Operator about the legislative requirements of the HI Act and assisting them to plan and develop their HI audit program
  • providing analysis and advice to assess the impact and interaction of the Personally Controlled Electronic eHealth Records Bill on the OAIC's regulatory role under the Privacy Act and the HI Act.

Liaison

The OAIC undertook regular liaison with the other agencies and organisations with roles and responsibilities under the HI Service, which included providing advice and receiving information about their activities under the HI Service.

The OAIC also liaised with the Privacy Advisory Committee. This Committee, which is established under section 82(1) of the Privacy Act, consists of members who have privacy expertise and who come from a range of industries. The Committee provided strategic advice on privacy, from a broad range of perspectives, to the Australian Information Commissioner. The OAIC kept the Committee abreast of developments in relation to the OAIC's healthcare identifiers activities through two briefing papers and sought advice in relation to its regulatory and educative roles.

Other

The OAIC performed the following other activities in relation to the HI Service:

  • Produced and arranged the printing and delivery of the OAIC's Healthcare Identifiers Annual Report 2010–11, over the period July to October 2011.
  • Monitored the development of the eHealth record system design model as it relates to the HI Service. For example, the OAIC made submissions regarding the Exposure Draft to the Personally Controlled Electronic Health Records Bill 2011 in October 2011, a submission into the Inquiry into the Bill in January 2012, and proposals for the accompanying Regulations and Rules in April 2012. These submissions included comments that related to consequential amendments to the HI Act and Privacy Act, as well as the consistency in approach with the HI Service more broadly.

5. Management and accountability

Summary of administrative and legislative arrangements which govern the Australian Information Commissioner in relation to healthcare identifiers

Legislation: Healthcare Identifiers Act and Privacy Act

Part 4 of the HI Act sets out the interaction between the HI Act and the Privacy Act. Section 29 of the HI Act brings the regulation of healthcare identifiers within the OAIC's jurisdiction by stating that a breach of the HI Act or Regulations in connection with an individual's healthcare identifier is an interference with their privacy under the Privacy Act. Section 29(2) also brings the handling of healthcare identifiers by state or territory authorities within the OAIC's jurisdiction unless the Minister of the state or territory has made a declaration under section 37(5) of the HI Act. These sections provide that the Information Commissioner's powers and functions under the HI Act are similar to those conferred on the Commissioner under the Privacy Act.

Exchange of letters

Under an exchange of letters agreement, DoHA allocated $550,000 (GST inclusive) of funding to the OAIC to provide regulatory oversight of the HI Service and to advise individuals and participants in the health care industry about their obligations in relation to healthcare identifiers, for the period 1 July 2011 to 30 June 2012. The OAIC's work in relation to the HI Service has been largely informed by this exchange of letters.

In the previous reporting period, a National Partnership Agreement (NPA) set out the governance arrangements, administrative arrangements, objectives and scope of the HI Service, including the responsibilities of the OAIC. The NPA expired on 30 June 2012. Work was undertaken during the reporting period to develop new arrangements and the OAIC was actively engaged in the development of the new arrangements.

Breakdown of how funding was spent

DoHA provided the OAIC with $550,000 in funding to provide regulatory oversight of the HI Service and advise on obligations in relation to healthcare identifiers. During the reporting period, the OAIC applied the funding received under the exchange of letters agreement with DoHA to produce the outputs listed below, and detailed in the body of the report.

The uptake in the use of healthcare identifiers was gradual. Consequently, the OAIC has not yet been required to operate at full capacity in this area. However, the OAIC maintained the level of readiness required to respond effectively to any complaints, enquiries and requests for advice received. As indicated above, the OAIC has focused its efforts on the development of guidance material, training and two audits of the HI Service Operator, one of which is yet to be finalised.

Policy Branch

Work performed by the Policy Branch in relation to the HI Act and HI Service accounted for approximately 50 per cent of the funding provided by DoHA.

Experienced policy staff with an in-depth knowledge of the HI Act, HI Regulations and the HI Service performed the activities required by the MOU. The development of guidance material and provision of policy advice involved detailed research into the new requirements of the HI Act, drafting of material, and stakeholder consultation. The production of the annual report for 2010–11 involved collating information about activities performed under the HI Service from the different branches, liaising with the branches about the content and structure of the report and liaising with DoHA. The Policy Branch was also required to maintain dedicated staffing to respond to any requests for advice received.

During the 2011–12 year, the Policy branch:

  • produced guidance material for healthcare providers and individuals
  • liaised with stakeholders and participated in consultations
  • provided policy advice
  • produced the annual report for 2010–11
  • revised and finalised the funding agreement
  • monitored eHealth developments.

Compliance Branch

Work performed by the Compliance branch in relation to the HI Act and HI Service accounted for approximately 40 per cent of the funding provided by DoHA.

Notwithstanding the fact that compliance activity in relation to the HI Service has been limited, given the regulatory responsibilities of the OAIC under the HI Act, it must ensure that it maintains the capacity to respond as and when required. The Compliance Branch maintained its capacity to respond to telephone enquiries, written enquiries and complaints, and to investigate potential breaches of the HI Act through its training program. Efforts were principally focused on audit activities designed to assess the strength of the HI Service Operator's governance structures. The audit work required expertise from experienced staff members, who researched the requirements of the HI Act, identified areas of focus, interviewed and inspected the premises of the HI Service Operator, drafted audit reports and liaised with the HI Service Operator about the reports.

During the 2011–12 year, the Compliance branch:

  • undertook audit work of the HI Service Operator
  • identified and sought advice about knowledge gaps
  • conducted a preliminary enquiry
  • trained staff about the OAIC's regulatory role under the HI Act and Regulations and about the HI Service.

Operations Branch

Work performed by the Operations Branch in relation to the HI Act and HI Service accounted for approximately 10 per cent of the funding provided by DoHA.

The OAIC's Operations branch manages media enquiries, external and internal communication, website publications, training and legal services. Experienced staff in the OAIC's Operations branch provided advice and support to the Policy and Compliance branches in relation to the preparation of HI materials for publication and were actively involved in publication on the website of HI guidance materials and reports about HI activities. Staff from its training team assisted compliance staff to train new staff about the HI Act and the OAIC's regulatory role.

During the 2011–12 year, the Operations branch:

  • published and arranged for the typesetting, printing and delivery of the 2010–11 annual report
  • published guidance and training material
  • published HI audit reports
  • provided legal advice
  • trained staff.

Administrative costs

The OAIC incurred administrative costs of approximately $2000 for the publication of the 2010–11 annual report and travel associated with training.

[SIGNED]

Professor John McMillan
Australian Information Commissioner
Date: 7 September 2012

Footnotes

[1] See <http://aph.gov.au/Parliamentary_Business/Committees/Senate_Committees?url=clac_ctte/pers_cont_elect_health_rec_11/info.htm>.

[2] One audit was finalised and the second audit was substantially finalised in the financial year. Further details about these audits are included in section 3 of the report.

[3] The OAIC made submissions regarding the Exposure Draft to the Personally Controlled Electronic Health Records Bill 2011 and proposals for the accompanying Regulations and Rules. This included comments that related to consequential amendments to the HI Act as well as the consistency in approach with the HI Service more broadly.

[4] See Privacy topics — Health

[5] See How will my IHI be used in my eHealth record?

[6] See Health FAQs

[7] See Privacy fact sheet 13: Healthcare Identifiers—General information for healthcare providers, Privacy business resource 1: Individual Healthcare Identifiers—Compliance obligations of private healthcare providers, and Privacy agency resource 1: Individual Healthcare Identifiers—Compliance obligations for state and territory healthcare providers.

[8] See Privacy fact sheet 14: Healthcare identifiers and the eHealth record system