Australian Government - Office of the Australian Information Commissioner
Annual report of the Australian Information Commissioner’s activities in relation to digital health 2015–16

Part 1: Executive summary

This annual report sets out the Australian Information Commissioner’s digital health compliance and enforcement activity during 2015–16, in accordance with s 106 of the My Health Records Act 2012 (My Health Records Act) and s 30 of the Healthcare Identifiers Act 2010 (Cth) (HI Act). The report also provides information about the Office of the Australian Information Commissioner’s (OAIC) other digital health activities, including its assessment program, development of guidance material, provision of advice, and liaison with key stakeholders.

This was the fourth year of operation of the My Health Record system and the sixth year of the Healthcare Identifiers (HI) Service, a critical enabler for the My Health Record system and digital health generally.

The management of personal information is at the core of both the My Health Record system and the HI Service (collectively referred to as digital health in this report). In recognition of the special sensitivity of health information, the My Health Records Act and the HI Act contain provisions that protect and restrict the collection, use and disclosure of personal information. The Australian Information Commissioner oversees compliance with those provisions and is the independent regulator of the privacy aspects of the My Health Record system and the HI Service.

The 2015–16 financial year saw significant changes made to the My Health Record system. The system started in 2012 as an opt-in system, where an individual needed to register in order to get their My Health Record. However, from March 2016, the Australian Government commenced a trial of opt-out system participation in Far North Queensland and in the Nepean Blue Mountains region of NSW. A My Health Record has now been created for each individual living in those areas, unless the individual chose to opt out of participating in the trial. Changes to the My Health Records Act introduced by the Health Legislation Amendment (eHealth) Act 2015 enabled the trial to be undertaken. That amendment Act also introduced a number of other changes across digital health legislation and the Privacy Act 1988 (Privacy Act), including streamlining the personal information handling authorisations and introducing additional civil and criminal penalties for privacy breaches.

In 2015–16, the OAIC received 16 mandatory data breach notifications. These notifications recorded 94 separate breaches affecting a total of 103 healthcare recipients, 98 of whom had a My Health Record at the time of the breaches. Five of these notifications remain open at the end of the reporting period. The OAIC received one complaint regarding the My Health Record system and no complaints relating to the HI Service. In addition to handling data breach notifications, the OAIC carried out a full program of digital health-related work, including:

  • commencement of three[1] privacy assessments and completion of two assessments from the previous year
  • commenting on draft legislation and preparing a submission to the Senate Community Affairs Legislation Committee inquiry into the Health Legislation Amendment (eHealth) Bill 2015
  • providing advice to the Department of Health (Health) on a range of privacy matters and documents in connection with the planning for, and conduct of, the opt-out trials
  • providing advice to various stakeholders on privacy compliance obligations in relation to the My Health Record system, including close collaboration with peak health bodies on APP1 privacy policy templates
  • developing, revising and updating guidance materials for a range of health and consumer audiences, including publishing consumer fact sheets containing key privacy information on the opt-out trials
  • publishing the OAIC’s Guide to mandatory data breach notification in the My Health Record system, which explains the mandatory reporting obligations under the My Health Records Act and outlines the steps for dealing with a data breach
  • monitoring developments in digital health, the My Health Record system and the HI Service.

The OAIC’s digital health activities were carried out under a memorandum of understanding (MOU) with Health, signed on 30 June 2015 and which continued to 30 June 2016. More information about the OAIC’s MOU with Health is provided below in section 2 of this report. The MOU can be accessed on the OAIC’s website: www.oaic.gov.au.

Part 2: Introduction

Many Australians view their health information as being particularly sensitive. This sensitivity has been recognised in the My Health Records Act and HI Act, which regulate the collection, use and disclosure of information, and give the Australian Information Commissioner a range of enforcement powers. This sensitivity is also recognised in the Privacy Act which treats health information as ‘sensitive information’.

The Australian Information Commissioner is the independent regulator for the privacy aspects of the My Health Record system and HI Service, and plays a crucial role in overseeing compliance with privacy provisions. However, the OAIC’s role is not limited to compliance and enforcement. During the 2015-16 financial year, the OAIC also carried out a number of other digital health activities under its MOU with Health.

The MOU set out a program of work that included business as usual activities (such as responding to requests for advice and investigating privacy complaints relating to digital health), and project-based work (such as developing guidance materials and conducting assessments). Information about these activities is set out in sections 3 and 4 of this report. Further information about the OAIC’s MOU activities can be found in its Biannual Reports under the MOU, available on the OAIC website: www.oaic.gov.au.

The MOU, signed on 30 June 2015, covers activities related to both the My Health Record system and the HI Service. Health provided the OAIC with $1,865,519.01 in 2015-16 to carry out activities in accordance with the MOU.

The Australian Information Commissioner’s digital health functions

The My Health Record system

The Australian Information Commissioner’s roles and responsibilities under the My Health Records Act and Privacy Act include the following:

  • respond to complaints received relating to the privacy aspects of the My Health Record system as the Commissioner considers appropriate, including through preliminary inquiries, conciliation, investigation or deciding not to investigate a complaint
  • investigate, on the Commissioner’s own initiative, acts and practices that may be a contravention of the My Health Records Act in connection with health information contained in a healthcare recipient’s My Health Record or a provision of Part 4 or 5 of the My Health Records Act
  • receive data breach notifications and assist affected entities to deal with data breaches in accordance with the My Health Record legislative requirements
  • investigate failures to notify data breaches
  • exercise, as the Commissioner considers appropriate, a range of enforcement powers available in relation to contraventions of the My Health Records Act or contraventions of the Privacy Act relating to the My Health Record system, including making determinations, accepting enforceable undertakings, seeking injunctions and seeking civil penalties
  • conduct assessments
  • provide a range of advice and guidance material
  • comment on draft legislation that may interact with the My Health Records Act
  • maintain guidance for exercising the powers available to the Commissioner in relation to the My Health Record system.

Healthcare Identifiers Service

The Australian Information Commissioner has the following roles and responsibilities under the HI Act and Privacy Act:

  • respond to complaints received relating to the privacy aspects of the HI Service as the Commissioner considers appropriate, including through preliminary inquiries, conciliation, investigation or deciding not to investigate a complaint
  • investigate, on the Commissioner’s own initiative, acts and practices that may be a misuse of healthcare identifiers
  • receive data breach notifications and respond as appropriate
  • conduct assessments
  • provide a range of advice and guidance material
  • comment on draft legislation that may interact with the HI Act.

Year in review — a summary

During the 2015–16 financial year, the OAIC undertook the following activities:

Table 1: OAIC My Health Record and HI Service activities 2015–16

Activity                                        My Health Record   HI Service
Telephone enquiries                             14                 0
Written enquiries                               16                 1
Complaints received and finalised               1[2]               0
Policy advices[3]                               16                 2
Assessments[4]                                  4                  1
Mandatory data breach notifications received    16                 n/a
Media enquiries                                 5                  0

Part 3: OAIC and the My Health Record system

The OAIC performs a range of functions in relation to the My Health Record System (formerly the PCEHR system). These functions include compliance and enforcement activities and other activities set out under the MOU, including providing privacy related advice and developing guidance and training materials for internal and external stakeholders.

Compliance and enforcement activities include:

  • receiving and investigating complaints about alleged interferences with the privacy of a healthcare recipient in relation to the My Health Record system
  • conducting assessments of participants in the system to ensure they are complying with their privacy obligations
  • receiving mandatory data breach notifications from system participants.

Information about the OAIC’s enforcement and compliance activities is set out below.

The OAIC is also responsible for producing statutory and regulatory guidance for consumers and other participants such as healthcare providers, registered repository operators and the System Operator. In addition, the OAIC responds to enquiries and requests for policy advice from a broad range of stakeholders about the privacy framework for the My Health Record system and the appropriate handling of My Health Record information. These activities are an important component of the OAIC’s regulatory role under the My Health Record system.

To deliver these outcomes, the OAIC liaised with external stakeholders including professional industry bodies in the health sector and consumer organisations. Information about the OAIC’s activities in relation to providing advice, developing guidance material and liaison with key stakeholders is provided below.

OAIC enforcement and compliance activities

Complaints and investigations relating to the My Health Record system

The OAIC received one complaint about the My Health Record system during 2015–16, which is currently being finalised.

Under s 40(2) of the Privacy Act, the Australian Information Commissioner also has the discretion to investigate an act or practice that may be an interference with privacy, on the Commissioner’s own initiative (without first receiving a complaint from an individual).

During 2015–16, the Australian Information Commissioner did not carry out any Commissioner initiated investigations into the My Health Record system.

Assessments relating to the My Health Record system

Under the MOU with Health, the OAIC was required to conduct up to two assessments in 2015–2016 from the following targets:

  • the My Health Record System Operator, and
  • agencies and organisations participating in the My Health Record system.

The OAIC initiated two assessments relating to the My Health Record system in 2015–16, and finalised two assessments commenced in the previous reporting period.

Assessments conducted in 2015–16

Assessment subject                                                                 No. entities assessed   Year opened   Closed
1. Access controls of GP clinics — APP 11                                          7                       2014–2015     August 2015
2. Privacy policies of GP clinics — APP 1                                          40                      2014–2015     October 2015
3. Follow up assessment of the 2015 audit of the National Repositories Service     1                       2015–2016     Ongoing
4. Assessment of the National Prescription and Dispense Repository – APP 11        1                       2015–2016     June 2016

Access controls of GP clinics

The OAIC completed an assessment of the access controls applied by healthcare provider organisations relating to access by their staff to the My Health Record system. The assessment encompassed seven general practitioner (GP) clinics, commenced in the 2014-2015 reporting period and was completed in August 2015. A consolidated de-identified report of the OAIC’s findings was published.

Assessment of the privacy policies of GP clinics

The OAIC finalised an assessment of privacy policies of 40 general practice clinics, selected at random (other than ensuring half of the clinics were, or form part of, GP super clinics and that all Australia's states and territories were represented). The assessment included consideration of whether the policies reflected the clinics’ use of the My Health Record system and individual healthcare identifiers. This assessment commenced in the 2014-2015 reporting period and was completed in October 2015.

Following the OAIC’s assessment of the privacy policies of 40 GP clinics, the OAIC provided feedback to the Royal Australian College of General Practitioners (RACGP) and the Australian Medical Association (AMA) on their privacy policy templates. The RACGP and AMA have since published new versions of their templates.

Additionally, a consolidated de-identified report of the OAIC’s findings was prepared and discussed with key representative bodies, specifically the AMA, the RACGP, the Australian Association of Practice Management and the Australian College of Rural and Remote Medicine. The consolidated report was finalised and published on the OAIC website during the reporting period.

Follow up assessment of the 2015 audit of the National Repositories Service

The OAIC undertook an assessment of the System Operator’s implementation of recommendations made by the OAIC in its previous Information Privacy Principle 4 audit of the System Operator. The previous audit examined how the System Operator protected personal information held on the National Repositories Service.

The OAIC anticipated that this assessment, which commenced in September 2015, would be finalised during this reporting period. However, due to delays in the finalisation of the System Operator’s end-to-end security review of the My Health Record system and the consequential updating of the relevant security policies (both of which are relevant to this assessment), the scope of the assessment was amended. The OAIC conducted the assessment based on the amended scope and is in the process of finalising its findings.

National Prescription and Dispense Repository (NPDR)

The OAIC commenced an assessment of the System Operator’s handling of personal information held in the National Prescription and Dispense Repository. The OAIC anticipated that this assessment would be finalised during this reporting period. However, the assessment has been discontinued due to delays in the finalisation of the System Operator’s end-to-end security review of the My Health Record system and the consequential updating of relevant security policies (both of which are relevant to this assessment).

Receiving mandatory data breach notifications

Notifying party    Received in the period                     Closed in the period                       Open at 30 June
                   Notifications   Recipients affected        Notifications   Recipients affected        Notifications   Recipients affected
System Operator    3               7                          3               7                          Nil             Nil
DHS                13              96[5]                      8               295                        5               675

The OAIC received three data breach notifications from the System Operator under s 75 of the My Health Records Act. The first of these notifications related to MyGov accounts held by healthcare recipients being incorrectly linked to the My Health Records of other healthcare recipients. The second and third notifications related to unauthorised My Health Record access by a third party.

The OAIC also received thirteen notifications under s 75 of the My Health Records Act from the Chief Executive of Medicare in their capacity as a registered repository operator under s 38 of the My Health Records Act.

Five of these notifications were about five separate data breaches related to intertwined Medicare records of healthcare recipients with similar identifying information. As a result, the Medicare claims data belonging to one healthcare recipient was made available in the digital health record of another healthcare recipient. The remaining eight notifications involved 86 separate breaches in which Medicare claims data were uploaded to incorrect digital health records. These breaches were identified from the Medicare compliance program conducted by the Department of Human Services.

Of the 13 received, five notifications remain open as at the end of the reporting period. The OAIC expects to close these notifications following further clarification of the circumstances of the breaches contained within those notifications.

My Health Record system advice, guidance, liaison and other activities

Advice

My Health Record system enquiries

The OAIC’s Enquiries Team received 28 enquiries and finalised responses to 30 enquiries about the My Health Record system during the reporting period.

Eight of these enquiries came from members of the public who were seeking information about the process for opting out of the My Health Record system. The OAIC also received enquiries about technical questions, which were referred to the System Operator, enquiries regarding data breach notification, and enquiries seeking general information about the system.

Policy advice to stakeholders and members of the public

During the reporting period, the OAIC provided eight policy advices about the My Health Record system to various stakeholders.

The policy advice requests received included:

  • Requests from ICT consultants about issues such as the use of de-identified aggregate My Health Record data, the OAIC’s role in digital health policy development, and My Health Records Act penalties.
  • An enquiry about the My Health Record system and the OAIC’s role in the development of digital health policy, from an individual who was both a resident and healthcare practitioner in the Nepean Blue Mountains opt-out trial area.

In addition, the OAIC worked closely with peak health bodies to provide advice on template documents, including:

  • Providing feedback to the RACGP on its privacy policy template which was developed following the OAIC’s assessment of the privacy policies of 40 GP clinics. The RACGP published a new version of their template in November 2015.
  • Providing comments to the AMA on its draft privacy policy template. The AMA published a new version of their template in April 2016.
  • Providing comments to the RACGP on its draft My Health Record policy template. The template was developed to address the requirements of Rule 42 of the My Health Records Rule 2016.

The OAIC conducted a webinar on privacy policies for GP clinics on 11 August 2015. The webinar was fully subscribed, and the webinar continues to be accessible from the OAIC’s website.

Policy advice to Health

Under its MOU with Health, the OAIC liaised and coordinated with the My Health Record System Operator on privacy related matters in relation to the system, including providing feedback and advice on proposals and projects with a possible privacy impact and on written materials. During the reporting period, the OAIC provided eight policy advices to Health.

The OAIC provided advice to Health on draft Privacy Impact Assessments of several significant policy proposals, including:

  • the opt-out trials for the My Health Record system
  • proposed arrangements for Professional Representatives to access and manage the My Health Records of children in out-of-home care
  • mobile applications and the My Health Record system.

The OAIC gave Health feedback on the information provided to users of the My Health Record System in Health’s:

  • digital health privacy notices and privacy policy, and the revised versions of those documents developed for the opt-out trials
  • draft materials for healthcare recipients living in the opt-out trial areas of the system, developed for Health’s public awareness campaign
  • draft healthcare provider training modules, which are now accessible to healthcare providers through the My Health Record website.

Additionally, the OAIC provided comments to Health on the eHealth working group’s draft National Digital Health Strategy.

Submissions

The OAIC made one submission during the reporting period to the Senate Community Affairs Legislation Committee on its inquiry into the Health Legislation Amendment (eHealth) Bill 2015 (amendment Bill). In its final report, the Committee made two recommendations, one of which was that Health consider the recommendations by the OAIC in relation to privacy in developing the public awareness campaign about the opt-out trial.

Guidance

Guidance on the Australian Information Commissioner’s powers

The OAIC revised the My Health Record (Information Commissioner Enforcement Powers) Guidelines 2016 (Enforcement Guidelines), a legislative instrument that is registered on the Federal Register of Legislation. The Enforcement Guidelines are made under s 111 of the My Health Records Act. Section 111 requires the Australian Information Commissioner to formulate, and have regard to, guidelines regarding the exercise of the Commissioner's powers under the My Health Records Act, or a power under another related Act, such as the Privacy Act.

The revisions to the Enforcement Guidelines are designed to incorporate the Australian Information Commissioner’s new enforcement powers, added to the Privacy Act in 2014, and to ensure that the Enforcement Guidelines are consistent with the OAIC’s Privacy regulatory action policy and Guide to privacy regulatory action. The OAIC ran a public consultation seeking comments on the amendments. Following the consultation, the OAIC updated the revised guidelines to reflect feedback received and also made further changes to reflect amendments made by the Health Legislation Amendment (eHealth) Act 2015 (amendment Act). The OAIC finalised and registered the revised guidelines in March 2016.

The OAIC also prepared draft updates to its Guide to privacy regulatory action to reflect changes to its My Health Records Act enforcement powers as a result of the amendment Act. The Guide sets out a more detailed explanation of how the OAIC will exercise its privacy regulatory powers under the Privacy Act and the My Health Records Act, as well as the procedural steps the OAIC will take in using these powers.

Guide to mandatory data breach notification in the My Health Record system

The OAIC published a Guide to mandatory data breach notification in the My Health Record system. The guide explains the breach notification obligations that apply to registered repository operators, registered portal operators and the My Health Record System Operator under s 75 of the My Health Records Act. The guide contains information about the types of breaches that have to be reported and what information should be included in a notification. It also outlines how entities should contain a breach, evaluate risks arising from the breach and take steps to prevent future breaches.

Following changes to s 75 of the My Health Records Act, the OAIC also prepared draft revisions to the guide to reflect these changes, and the revised guide is expected to be published in the new financial year.

Guidance for healthcare providers

My Health Record System guidance

The OAIC developed draft versions of two new business resources for healthcare providers. One covers the legislative requirements that apply to handling a patient’s personal information when using the My Health Record system. The second provides tips on how to protect a patient’s privacy when using the system. The OAIC expects to publish these new resources in the new financial year.

The OAIC also began developing a business resource for healthcare providers on the mandatory data breach notification requirements. This resource is specifically targeted at providers and will complement the OAIC’s existing data breach notification guide.

Health guidance

Additionally, the OAIC continued to develop draft guidance on healthcare providers’ privacy obligations when handling health information, including information contained in the My Health Record system. Following a public consultation, the OAIC conducted further consultation with stakeholders on the guidance and added new content to reflect relevant changes introduced by the amendment Act.

To explain how health privacy legislation applies to health service providers, the OAIC published a webpage describing the coverage of Commonwealth, state and territory health privacy legislation in Australia.

Guidance for healthcare recipients

My Health Record System guidance

The OAIC published two new fact sheets for healthcare recipients on the My Health Record system. These fact sheets apply to individuals living in the opt-out trial areas. One provides an overview of key aspects of the opt-out trials, including how to set preferences before healthcare providers can access the record and the factors to consider before deciding whether or not to opt out. It also explains who will be able to access a My Health Record once it has been created. The second fact sheet provides information for parents, carers and young people on accessing the system.

The OAIC revised its seven existing fact sheets on the My Health Record system for healthcare recipients. These fact sheets were updated to reflect changes to the system made by the amendment Act.

Health guidance

The OAIC developed two consumer fact sheets relating to the handling of their health information, including information contained in the My Health Record system. The OAIC ran a public consultation on the draft fact sheets and expects to publish them in the new financial year.

Liaison

Liaison with the System Operator

During 2015-16, the My Health Record System Operator was the Secretary of the Department of Health. The OAIC liaised regularly with Health to discuss MOU activities and other matters relating to the My Health Record system.

The OAIC regularly engaged with Health regarding the changes to the My Health Record system and the resulting amendments to the former Personally Controlled Electronic Health Records Act 2012, Privacy Act and HI Act (as outlined under ‘Comment on draft legislation’ below).

The OAIC provided Health with advice on a number of specific matters and consulted with Health in its development of privacy guidance materials, as described above. The OAIC also met with Health to discuss privacy training and guidance for health service providers using the system.

In addition, the OAIC also reported to Health on activities performed in relation to the My Health Record system through its two biannual reports and annual report for 2014-15, which are published on the OAIC website.

Liaison with state and territory regulators

The OAIC published a webpage for health service providers, describing the coverage of Commonwealth, state and territory health privacy legislation in Australia. This work followed a meeting in the prior financial year with State and Territory regulators which included discussion of national consistency in health privacy regulation, interoperability and the development of health privacy guidance. The OAIC consulted with state and territory regulators in developing the content. The webpage also provides a link to digital health legislation and to the OAIC’s digital health resources.

To further address issues raised in the prior meeting, the OAIC included information in its draft healthcare provider guidance explaining how Commonwealth, state and territory health privacy legislation in Australia applies to providers. The guidance also offered tips for providers covered by both Commonwealth and state or territory legislation.

Liaison with other key stakeholders

The OAIC met with the former National eHealth Transition Authority (NeHTA) in relation to several digital health developments, including:

  • privacy issues related to the disclosure of personal information contained in diagnostic imaging reports that are stored in the My Health Record system
  • issues arising from the OAIC’s assessment of the access security controls of seven General Practice clinics.

The Australian Information Commissioner gave a presentation at a meeting of the United General Practice Australia group. The Commissioner discussed privacy in the healthcare sector, gave an overview of the My Health Record system information handling requirements and related compliance issues, the OAIC’s assessment of general practices, and the OAIC’s approach to enforcement of the My Health Records Act.

The OAIC engaged with other key stakeholders, such as consumer groups and health organisations, by responding to requests for policy advice, as outlined above.

Other activities

Comment on draft legislation

The OAIC provided advice to Health on proposed changes to the former Personally Controlled Electronic Health Records Act 2012, Privacy Act and HI Act. As part of this, the OAIC:

  • commented on draft versions of the amendment Bill, which proposed changes to the legislation referred to above
  • attended a number of meetings with Health, the Attorney-General’s Department and the Office of Parliamentary Counsel to discuss proposed legislative changes
  • reviewed parts of the draft Explanatory Memorandum to the amendment Bill
  • as noted above, the OAIC also made a submission to the Senate Community Affairs Legislation Committee on its inquiry into the amendment Bill.

Strengthening internal expertise and reference materials

Throughout 2015–16, the OAIC continued to develop its internal expertise relating to its functions and powers in connection with the My Health Record system.

OAIC staff delivered an update session to the OAIC’s Enquiries Line and Dispute Resolution Branch on the opt-out trials and other developments in the My Health Record system. Given the opt-out trials, an increased number of enquiries were expected and received, so the update session provided those staff with the necessary knowledge and information to deal with relevant enquiries.

As noted above, the OAIC revised and developed a number of guidance materials for healthcare providers and recipients. These external reference materials also provide information for OAIC operational staff on the OAIC’s functions and powers in connection with the My Health Record system and the application of the My Health Records Act.

In addition, the OAIC continued to ensure that new staff received induction training in digital health and the OAIC’s regulatory oversight role. Staff who are new to working specifically on digital health receive extensive on-the-job training to ensure that they acquire the necessary digital health subject matter knowledge.

Senate Committee Inquiry

The Australian Information Commissioner made a submission to the Senate Select Committee on Health’s hearing for its inquiry into data linkage. The Commissioner subsequently appeared at a Committee hearing and OAIC staff developed briefing material for the Commissioner in preparation for his appearance. The briefing material included an overview of the My Health Record System Operator’s function of preparing and providing de-identified data for research and public health purposes.

Monitoring developments in digital health and the My Health Record system

Under the MOU with Health, the OAIC is required to monitor developments in digital health and the My Health Record system to ensure it is able to offer informed advice about privacy aspects of the operation of the system and the broader digital health context. During the reporting period, staff:

  • attended the ‘Healthcare efficiency through technology’ stream at the annual Australian Healthcare Week conference in Sydney. The conference provided an overview of how hospitals are evolving to keep up with technological change and advancements, including the implementation of digital health records and new technologies that are being used in medicine
  • attended the ‘Measuring Health Outcomes Conference’ which included presentations on health data analytics, personalised medicine and other issues relating to technological developments in the health industry
  • attended the annual Health Informatics Conference in Brisbane. The conference provided an overview of prevalent technological, medical and social issues in the digital health space and included a number of international keynote speakers who specialised in the relationship between health IT and public policy
  • attended the former NeHTA’s webinar on privacy, consent and provider obligations in the My Health Record system
  • monitored developments in digital health and the My Health Record system through news clips and digital health websites and blogs
  • reviewed the findings of Minter Ellison’s privacy impact assessment report on the opt-out model for the My Health Record system
  • monitored the RACGP’s eHealth forum, and noted the outcomes from the forum
  • assessed the Australian National Audit Office’s audit report on the Department of Defence Electronic Health system for its relevance to the My Health Record system.

Media

The OAIC responded to five media enquiries regarding digital health and the My Health Record system during 2015–16. The media outlets included Bloomberg BNA, Canberra IQ, Medical Observer, The New Daily and The Australian.

The OAIC also issued a media release on its assessment of the privacy policies of GP clinics in April 2016. The media release included quotes from AMA, the RACGP, the Australian Association of Practice Management and the Australian College of Rural and Remote Medicine welcoming the report and indicating their efforts to assist GP clinics in the future.

Part 4: OAIC and the Healthcare Identifiers Service

The HI Service has been established as a foundation service for a range of digital health initiatives in Australia, particularly the My Health Record system. Accordingly, the use of healthcare identifiers has increased since the launch of the My Health Record system on 1 July 2012. Under the My Health Record system, healthcare identifiers:

  • are used to identify healthcare recipients who register for a My Health Record
  • enable the My Health Record System Operator to authenticate the identity of all individuals who access a My Health Record and record activity through the audit trail
  • help ensure the correct health information is associated with the correct healthcare recipient’s My Health Record
  • are a prerequisite for provider participation: a healthcare provider organisation must be registered with the HI Service before it can be registered for the My Health Record system.

OAIC compliance and enforcement activities

Complaints relating to the HI Service

No complaints were received during the reporting period.

Investigations relating to the HI Service

No complaint investigations or CIIs were commenced or finalised during the reporting period. At 30 June 2016, there were no HI investigations open.

Assessments relating to the HI Service

Under the MOU with Health, the OAIC was required to conduct at least one assessment in 2015–16 from the following targets:

  • the HI Service Operator (DHS-Medicare), and
  • agencies/organisations or state and territory authorities using healthcare identifiers.

The OAIC has commenced one assessment relating to the HI Service.

Australian Health Practitioner Regulation Agency (AHPRA)

The OAIC is currently conducting an assessment into the handling of personal information by AHPRA in its role as a national registration authority for healthcare practitioners.

The OAIC has conducted the fieldwork for this assessment, and is in the process of finalising its findings.

Healthcare identifiers advice, liaison and other activities

Advice

The OAIC provided comments to Health on a draft Privacy Impact Assessment regarding proposed arrangements for Professional Representatives to access and manage the My Health Records of children in out-of-home care. Aspects of the proposal related to the handling of those children’s individual healthcare identifiers (IHIs).

The OAIC provided advice in response to an enquiry from an ICT consultant which related to penalties under the HI Act.

The OAIC also received and responded to one enquiry in relation to healthcare identifiers.

Guidance

Review of existing resources

The OAIC published updates to pages of the OAIC website to reflect legislative and terminology changes as a result of the amendment Act.

The OAIC also prepared draft updates to its Guide to privacy regulatory action to reflect changes to its HI Act enforcement powers as a result of the amendment Act.

Liaison

The OAIC met regularly with Health in 2015–16 to discuss MOU activities and other matters relating to the HI Service.

The OAIC regularly engaged with Health regarding the amendments to the former Personally Controlled Electronic Health Records Act 2012, Privacy Act and HI Act (as noted under ‘Comment on draft legislation’ below).

In addition, the OAIC also reported to Health on activities performed in relation to the HI Service through its two biannual reports and annual report for 2014–15, which are published on the OAIC website.

The OAIC met with the former NeHTA in relation to the matching process for obtaining IHI records and issues relating to intertwined IHI records. The OAIC also met with NeHTA for a briefing and discussion on proposed enhancements to the IHI search rules to improve IHI match rates.

Other activities

Comment on draft legislation

The OAIC provided advice to Health on proposed changes to the former Personally Controlled Electronic Health Records Act 2012, Privacy Act and HI Act. As part of this, the OAIC:

  • commented on draft versions of the amendment Bill, which proposed changes to the Personally Controlled Electronic Health Records Act 2012, Privacy Act and HI Act
  • attended a number of meetings with Health, the Attorney-General’s Department and the Office of Parliamentary Counsel to discuss proposed legislative changes
  • reviewed parts of the draft Explanatory Memorandum to the amendment Bill
  • as noted below, the OAIC also made a submission to the Senate Community Affairs Legislation Committee on its inquiry into the amendment Bill.

Submissions

The OAIC made a submission to the Senate Community Affairs Legislation Committee on its inquiry into the amendment Bill.

Strengthening internal expertise and reference materials

Throughout 2015–16, the OAIC continued to develop its internal expertise relating to its functions and powers in connection with the HI Service.

In addition, the OAIC continued to ensure that new staff received induction training in digital health and the OAIC’s regulatory oversight role. Staff who are new to working specifically on digital health receive extensive on-the-job training to ensure that they acquire the necessary digital health subject matter knowledge.

Monitoring developments in digital health and the HI Service

Under the MOU with Health, the OAIC is required to monitor developments in digital health and the HI Service to ensure the OAIC is aware of the implications of any developments for the HI Service and able to offer informed advice about privacy aspects of the operation of the HI Service in the broader digital health context. During the reporting period, the OAIC:

  • monitored developments relating to digital health and the HI Service through news clips and digital health websites and blogs
  • reviewed the findings of Minter Ellison’s privacy impact assessment report on the opt-out model for the My Health Record system, which considered the handling of healthcare identifiers
  • as outlined above in relation to the My Health Record system, attended various conferences related to digital health.

SIGNED

Timothy Pilgrim PSM

Acting Australian Information Commissioner
Australian Privacy Commissioner

13/09/2016

Footnotes

[1] This figure includes an assessment opened during this reporting period regarding the System Operator’s handling of personal information held in the National Prescription and Dispense Repository. However, this assessment has been discontinued – see further details in Part 2 below.

[2] The OAIC is currently conducting preliminary inquiries in relation to this matter.

[3] Two policy advices related to both the My Health Record system and HI Service and are included in both columns.

[4] This figure includes an assessment opened during this reporting period regarding the System Operator’s handling of personal information held in the National Prescription and Dispense Repository. However, this assessment has been discontinued – see further details below.

[5] The total number of healthcare recipients affected includes individuals with and without a My Health Record at the time of the breach. Of these, there were 91 individuals with a My Health Record in the DBNs received in the period, 26 such individuals in the DBNs closed in the period, and 65 in the DBNs open at 30 June.