Australian Government - Office of the Australian Information Commissioner
Annual report of the Information Commissioner’s activities in relation to eHealth 2014–15

1. Executive summary

The 2014–15 financial year was the third year of operation of the Personally Controlled Electronic Health Record (PCEHR) system, established under the Personally Controlled Electronic Health Records Act 2012 (Cth) (PCEHR Act). It was also the fifth year of the Healthcare Identifiers (HI) service, a critical enabler for the PCEHR system and eHealth generally. The HI service is established under the Healthcare Identifiers Act 2010 (Cth) (HI Act).

The handling of individuals’ personal information is at the core of both the PCEHR system and the HI service (collectively referred to as eHealth in this report). In recognition of the special sensitivity of health information, the PCEHR Act and the HI Act contain provisions that protect and restrict the collection, use and disclosure of personal information. The Information Commissioner oversees compliance with those provisions and is the independent regulator of the privacy aspects of the PCEHR system and HI service.

This annual report sets out the Information Commissioner’s eHealth compliance and enforcement activity during 2014–15, in accordance with s 106 of the PCEHR Act and s 30 of the HI Act. The report also provides information about the Office of the Australian Information Commissioner’s (OAIC) other eHealth activities, including its assessment program, development of guidance material, provision of advice, and liaison with key stakeholders (including the PCEHR System Operator and HI Service Operator).

In 2014–15, the OAIC received seven mandatory data breach notifications, all of which were resolved in the reporting period. A mandatory data breach notification from the previous reporting period was also resolved in this reporting period. The OAIC did not receive any complaints regarding the PCEHR system or the HI service. In addition to handling data breach notifications, the OAIC carried out a full program of eHealth-related work, including:

  • commencement of three[1] privacy assessments and completion of five assessments (including four continued from the previous year)
  • providing advice to a range of stakeholders on privacy compliance obligations in relation to the PCEHR system
  • reviewing and developing guidance materials for a range of health and consumer audiences
  • publishing the OAIC’s Privacy regulatory action policy and Guide to privacy regulatory action, which explain the OAIC’s range of regulatory powers and the way in which those powers are used, and are relevant to the OAIC’s powers under both the Privacy Act 1988 (Cth) (Privacy Act) and the PCEHR Act
  • monitoring developments in eHealth, the PCEHR system and the HI service.

During the reporting period, the Australian Government announced proposed changes to the PCEHR system. The PCEHR system currently operates on an opt-in basis: individuals must register in order to get their own eHealth record. The announced changes include trials in 2015–16 of new participation arrangements, including opt-out participation. Under an opt-out model, every individual in the trial gets an eHealth record unless they choose to opt out.

The OAIC provided advice to the Department of Health (Health) during the reporting period on privacy aspects of proposed changes to the PCEHR Act and HI Act, and the Australian Government’s decision to trial the use of opt-out participation arrangements ahead of a possible move to a national opt-out eHealth record system. This included preparing a submission in response to Health’s Electronic Health Records and Healthcare Identifiers: Legislation Discussion Paper.

The OAIC’s eHealth activities were carried out under a memorandum of understanding (MOU) with Health, signed on 30 June 2014 and which continued to 30 June 2015. More information about the OAIC’s MOU with Health is provided below in section 2 of this report. The MOU can be accessed on the OAIC’s website: www.oaic.gov.au.


2. Introduction

Many Australians view their health information as being particularly sensitive. This sensitivity has been recognised in the PCEHR and HI Acts, which both contain provisions that regulate the collection, use and disclosure of information, and give the Information Commissioner a range of enforcement powers. This contributes to a strong privacy framework, providing a foundation for public confidence in the PCEHR system and HI service.

The Information Commissioner is the independent regulator for the privacy aspects of the PCEHR system and HI service, and plays a crucial role in overseeing compliance with privacy provisions. However, the OAIC’s role is not limited to compliance and enforcement. The OAIC also carries out a number of other eHealth activities under its MOU with Health.

The MOU sets out a program of work that includes business as usual activities (such as responding to requests for advice and investigating privacy complaints relating to eHealth), and project-based work (such as developing guidance materials, conducting assessments and establishing complaint handling arrangements). Information about these activities is set out in sections 3 and 4 of this report. Further information about the OAIC’s MOU activities can be found in Quarterly Reports under the MOU, available on the OAIC website: www.oaic.gov.au.

The MOU covers activities related to both the PCEHR system and the HI service. During 2014–15, the OAIC received $2,258,000 from Health to carry out activities in accordance with the MOU.

2.1 The Information Commissioner’s eHealth functions

The PCEHR system

The Information Commissioner’s roles and responsibilities under the PCEHR Act and Privacy Act include the following:

  • respond to complaints received relating to the privacy aspects of the PCEHR system as the Commissioner considers appropriate, including through preliminary inquiries, conciliation, investigation or deciding not to investigate a complaint
  • investigate, on the Commissioner’s own initiative, acts and practices that may be a contravention of the PCEHR Act in connection with health information contained in a consumer’s PCEHR or a provision of Part 4 or 5 of the PCEHR Act
  • receive data breach notifications and assist affected entities to deal with data breaches in accordance with the PCEHR legislative requirements
  • investigate failures to notify data breaches
  • exercise, as the Commissioner considers appropriate, a range of enforcement powers available in relation to contraventions of the PCEHR Act or contraventions of the Privacy Act relating to the PCEHR system, including making determinations, accepting enforceable undertakings, seeking injunctions and seeking civil penalties
  • conduct assessments
  • provide a range of advice and guidance material
  • comment on draft legislation that may interact with the PCEHR Act
  • update guidance for exercising the powers conferred on the Commissioner by the PCEHR Act.

Healthcare Identifiers service

The Information Commissioner has the following roles and responsibilities under the HI Act and Privacy Act:

  • respond to complaints received relating to the privacy aspects of the HI service as the Commissioner considers appropriate, including through preliminary inquiries, conciliation, investigation or deciding not to investigate a complaint
  • investigate, on the Commissioner’s own initiative, acts and practices that may be a misuse of HIs
  • receive data breach notifications and respond as appropriate
  • conduct assessments
  • provide a range of advice and guidance material
  • comment on draft legislation that may interact with the HI Act.

2.2 Year in review — a summary

During the 2014–15 financial year, the OAIC undertook the following activities:

Table 1: OAIC PCEHR and HI activities 2014–15
Activity                                       PCEHR   HI
Telephone enquiries                            4       0
Written enquiries                              3       0
Complaints received and finalised              0       0
Policy advices[2]                              12      3
Assessments[3]                                 7       1
Mandatory data breach notifications received   7       n/a
Media enquiries                                3       0


3. OAIC and the PCEHR system

The OAIC performs a range of functions in relation to the PCEHR system. These functions include compliance and enforcement activities and other activities set out under the MOU, including providing privacy related advice and developing guidance and training materials for internal and external stakeholders.

Compliance and enforcement activities include receiving and investigating complaints about alleged interferences with the privacy of a consumer in relation to the PCEHR system, conducting assessments of participants in the system to ensure they are complying with their privacy obligations, and receiving mandatory data breach notifications from system participants. Information about the OAIC’s enforcement and compliance activities is set out in section 3.1.

The OAIC is also responsible for producing statutory and regulatory guidance for consumers and other participants such as healthcare providers, registered repository operators (RROs) and the System Operator. In addition, the OAIC responds to enquiries and requests for policy advice from a broad range of stakeholders about the privacy framework for the PCEHR system and the appropriate handling of PCEHR information. These activities are an important component of the OAIC’s regulatory role under the PCEHR system.

To deliver these outcomes, the OAIC liaised with external stakeholders including professional industry bodies in the health sector and consumer organisations. Information about the OAIC’s activities in relation to providing advice, developing guidance material and liaison with key stakeholders is given in section 3.2.

3.1 OAIC enforcement and compliance activities

Complaints and investigations relating to the PCEHR system

The OAIC did not receive any complaints about the PCEHR system during 2014–15. Therefore, the Information Commissioner did not undertake any investigations or enforcement action.

Under s 40(2) of the Privacy Act, the Information Commissioner also has the discretion to investigate an act or practice that may be an interference with privacy on the Commissioner’s own initiative (without first receiving a complaint from an individual). During 2014–15, the Information Commissioner did not carry out any Commissioner-initiated investigations into the PCEHR system. The OAIC did, however, commence three assessments and finalise five assessments relating to the PCEHR system, four of which had commenced in the previous reporting period. The OAIC also received seven mandatory data breach notifications and continued its work on one mandatory data breach notification received in the previous reporting period.

Assessments relating to the PCEHR system

Under the MOU with Health, the OAIC was required to conduct at least two assessments in 2014–15 from the following targets:

  • the PCEHR System Operator, and
  • agencies and organisations participating in the PCEHR system.

The OAIC worked on seven assessments relating to the PCEHR system in 2014–15 (one of which also related to the HI service).

Western Sydney Medicare Local (WSML)

This assessment considered WSML’s assisted registration practices. The objective of this assessment was to assess the extent to which WSML, in the course of conducting assisted registration, handled personal information in accordance with Australian Privacy Principle (APP) 3 (collection), APP 5 (notice of collection) and APP 11 (security of personal information). The assessment commenced in the previous reporting period and was completed in August 2014.

PCEHR System Operator

The OAIC completed two assessments of the PCEHR System Operator in the reporting period.

The first assessment, which commenced in May 2013, considered the System Operator’s policies and procedures for the collection of personal information during the PCEHR consumer registration process. The purpose of this assessment was to assess whether the System Operator’s policies and procedures were consistent with its obligations under Information Privacy Principles (IPPs) 1–3. The assessment report was finalised in August 2014.

The second assessment, which commenced in the previous reporting period, examined the storage and security of personal information held in the National Repositories Service (NRS). The objective of the assessment was to consider whether the System Operator had taken reasonable steps to protect personal information held in the NRS from loss, unauthorised access, use, modification or disclosure or other misuse. The assessment was finalised in December 2014.

Assisted registration policies

This assessment reviewed the assisted registration policies of ten healthcare provider organisations undertaking assisted registration. Under the PCEHR (Assisted Registration) Rules 2012 (Cth), organisations providing assisted registration are required to have policies in place setting out certain matters relating to the conduct of assisted registration, including the authorisation and training of employees, recording of consumer consent and processes for consumer identification. The assessment considered how these policies addressed the privacy obligations set out in APPs 3 and 11, relating to the collection and security of personal information. The assessment commenced in February 2014 and was finalised in December 2014.

Access controls

The OAIC commenced two assessments of the access controls that healthcare provider organisations apply to their staff’s access to the eHealth system. One assessment was of a single major healthcare provider, St Vincent’s Hospital Sydney Limited, and was finalised in June 2015. The other assessment was of seven general practice (GP) clinics and was still in progress as at 30 June 2015.

Privacy policies

The OAIC commenced an assessment of privacy policies of 40 GP clinics, selected at random (other than ensuring half of the clinics were, or form part of, GP super clinics and that all Australia’s states and territories were represented). The assessment included consideration of whether the policies reflected the clinics’ use of the eHealth system and individual HIs. This assessment was still in progress as at 30 June 2015.

Receiving mandatory data breach notifications

The OAIC received seven data breach notifications under s 75 of the PCEHR Act from the Chief Executive Medicare, in its capacity as a registered repository operator under s 38 of the PCEHR Act. All but one of the notifications resulted from data integrity activity initiated by the Department of Human Services (DHS) to identify intertwined Medicare records. An intertwined Medicare record exists when, by error, two consumers share the same Medicare record.

In each of the notified cases, one of the two consumers holding the intertwined Medicare record created an eHealth record, which caused the Medicare Benefits Schedule and Pharmaceutical Benefits Scheme data of both consumers to be uploaded from the shared Medicare record to that eHealth record. The other consumer’s claims history was therefore disclosed into a record they did not hold.

The OAIC requested further information from the Chief Executive Medicare. Following consideration of that material, the OAIC considers that DHS responded appropriately, by containing the disclosure of personal information and notifying the affected individuals. DHS also developed a work plan to reduce the likelihood of further breaches of the same nature.

The OAIC finalised one mandatory data breach notification received from the System Operator in May 2014. The breach involved consumers logging into their myGov account and using their identity verification code to access their own PCEHR. In some instances, while still logged into the same myGov account, they also set up access to another consumer’s PCEHR. The first consumer’s PCEHR landing page then showed two ‘Open your eHealth record’ buttons, each linking to one of the two consumers’ PCEHRs, so that a single login could open a record belonging to someone else.

The OAIC requested further information from the System Operator. Following consideration of that material, the OAIC made a series of recommendations to reduce the risk and potential impact of a future breach of this type. The System Operator advised that it was implementing the OAIC’s recommendations.
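The breach described above is a session-binding failure: a verification code was accepted by whichever authenticated session presented it, so one login ended up holding two consumers’ records. The Python model below is an added illustration and is not code from the OAIC, Health or the System Operator. The report does not describe the myGov/PCEHR linking protocol, the code format or the content of the OAIC’s recommendations, so the data layout, the assumption that each code is issued to one named consumer, and the ‘one session, one subject’ rule are all hypothetical. It places the unchecked linking step beside a bound version that refuses a code issued to anyone other than the logged-in subject.

```python
"""Model of linking an identity verification code to an authenticated session.

Added illustration only (hypothetical layout and rules): the real linking
protocol is not described in the report. Replay / one-time-use handling of
the code is deliberately omitted to keep the example short.
"""
from dataclasses import dataclass, field


class LinkError(Exception):
    """Raised when a code may not be linked to the presenting session."""


@dataclass(frozen=True)
class VerificationCode:
    """A code assumed to be issued to one consumer for one eHealth record."""
    code: str
    consumer_id: str   # the consumer the code was issued to (assumption)
    record_id: str     # the eHealth record the code unlocks


@dataclass
class Session:
    """An authenticated portal session; subject_id is whoever logged in."""
    subject_id: str
    linked_records: list = field(default_factory=list)


# Constructed sample data: two consumers, each with their own record and code.
CODES = {
    "AAAA-1111": VerificationCode("AAAA-1111", consumer_id="consumer-A", record_id="rec-A"),
    "BBBB-2222": VerificationCode("BBBB-2222", consumer_id="consumer-B", record_id="rec-B"),
}


def redeem(code_value: str) -> VerificationCode:
    """Look up a presented code; unknown codes are rejected."""
    try:
        return CODES[code_value]
    except KeyError:
        raise LinkError("unknown code") from None


def link_record_unchecked(session: Session, code_value: str) -> list:
    """Failure mode: any valid code is linked to whichever session presents it.

    If consumer A, still logged in, enters consumer B's code, rec-B is added
    beside rec-A and the landing page offers a button for each record.
    """
    vc = redeem(code_value)
    if vc.record_id not in session.linked_records:
        session.linked_records.append(vc.record_id)
    return list(session.linked_records)


def link_record_bound(session: Session, code_value: str) -> list:
    """Control: a code may only be linked by the subject it was issued to,
    and one session may hold at most one consumer's own record."""
    vc = redeem(code_value)
    if vc.consumer_id != session.subject_id:
        raise LinkError(
            f"code issued to {vc.consumer_id}; session is authenticated as {session.subject_id}"
        )
    if session.linked_records and session.linked_records != [vc.record_id]:
        raise LinkError("session already holds a different record; re-authenticate to link another")
    if vc.record_id not in session.linked_records:
        session.linked_records.append(vc.record_id)
    return list(session.linked_records)


def landing_page_buttons(session: Session) -> list:
    """One 'Open your eHealth record' button per linked record."""
    return [f"Open your eHealth record ({r})" for r in session.linked_records]


def demo() -> tuple:
    """Run both variants for consumer A presenting A's code, then B's code.

    Returns (buttons on the unchecked session, buttons on the bound session,
    whether the bound session refused B's code).
    """
    unchecked = Session("consumer-A")
    link_record_unchecked(unchecked, "AAAA-1111")
    link_record_unchecked(unchecked, "BBBB-2222")   # second consumer's code accepted
    bound = Session("consumer-A")
    link_record_bound(bound, "AAAA-1111")
    try:
        link_record_bound(bound, "BBBB-2222")
        refused = False
    except LinkError:
        refused = True
    return len(landing_page_buttons(unchecked)), len(landing_page_buttons(bound)), refused


if __name__ == "__main__":
    print(demo())   # (2, 1, True)
```

The bound variant deliberately has no path for linking another person’s record. A legitimate nominated or authorised representative arrangement would need its own explicit authorisation step, recorded against the representative’s identity, rather than reuse of the consumer’s self-access link.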

3.2 PCEHR system advice, guidance, liaison and other activities

Advice

PCEHR enquiries

The OAIC’s Enquiries Team received seven enquiries about eHealth and the PCEHR system during the reporting period.

Two of these enquiries came from members of the public who were seeking information about the process for opting-out of the eHealth record system (apparently believing that the system was already based on opt-out participation or that the change to opt-out was imminent). The OAIC consulted with Health to obtain up-to-date information to provide to the enquirers.

Policy advice to stakeholders and members of the public

The OAIC responded to four requests for advice during the reporting period, from a range of stakeholders.

The Australian Privacy Foundation (APF) wrote to the OAIC regarding concerns about the PCEHR review survey being conducted by Health. The OAIC considered the issues raised, and consulted with Health about the nature of the survey, the responses collected, and the contractual arrangement under which the survey was conducted. The OAIC responded to the APF, outlining how the Privacy Act and the APPs applied in the context of this survey.

The OAIC responded to a request for advice about patient consent in the context of using and disclosing health information to send a patient prescription through an electronic transfer of prescriptions (eTP) service. The enquiry was also about consent when using an eTP service to upload prescription information to a patient’s PCEHR via the National Prescription and Dispense Repository. The OAIC provided advice that clarified how patient consent should be handled when uploading prescription and dispense information.

The OAIC also provided advice to an IT security consultant in the eHealth sector who sought advice on privacy compliance obligations when outsourcing IT support services. The OAIC’s advice outlined how the APPs and the PCEHR Act would generally apply to such services.

Policy advice to Health

Under its MOU with Health, the OAIC liaises and coordinates with the PCEHR System Operator on privacy related matters, including by providing feedback and advice on proposals and projects with a possible privacy impact.

During the reporting period, the OAIC:

  • provided written comments to Health on the PCEHR privacy policy at www.ehealth.gov.au
  • responded to an enquiry from Health on the OAIC’s Privacy fact sheet 15: Ten tips for protecting the personal information in your eHealth record[4]
  • provided comments on Health’s revised draft of Assisted Registration: A Guide for Healthcare Provider Organisations
  • liaised with Health about the planned pathology and diagnostic imaging functionality for the PCEHR system following media articles about new developments; the OAIC received the relevant design documentation and a verbal briefing from Health, reviewed the documentation relating to the release and provided written comments to Health about the final design
  • liaised with Health about media enquiries, reports and other issues relating to the PCEHR review survey.

In addition, the OAIC provided advice to Health on privacy aspects of proposed changes to the PCEHR Act and related legislation, and the Australian Government’s decision to trial the use of opt-out participation arrangements, ahead of a possible move to a national opt-out eHealth record system. This included preparing a submission in response to Health’s Electronic Health Records and Healthcare Identifiers: Legislation Discussion Paper. The OAIC also provided advice on draft legislative proposals.

Submissions

The OAIC made the following submissions during the reporting period:

  • a submission to Health on its consultation papers Pathology and the PCEHR System and Diagnostic Imaging and the PCEHR System, which proposed models for the inclusion of pathology and diagnostic imaging results in the PCEHR system
  • a submission to Health in response to its Discussion Paper regarding proposed changes to the PCEHR Act and the HI Act
  • a submission to the Australian Law Reform Commission’s Discussion Paper 81: Equality, Capacity and Disability in Commonwealth Laws, which included proposals for changes to the terminology used to describe authorised and nominated representatives in the PCEHR Act.

Guidance

Guidance on the Information Commissioner’s powers

The OAIC published its Privacy regulatory action policy on 17 November 2014. The policy explains the OAIC’s range of regulatory powers, its approach to using those powers and making related public communications. The policy is relevant to the OAIC’s powers under both the Privacy Act and the PCEHR Act.

The OAIC also released a new Guide to privacy regulatory action to support the Privacy regulatory action policy. The Guide sets out a more detailed explanation of how the OAIC will exercise its privacy regulatory powers under the Privacy Act and the PCEHR Act, as well as the procedural steps the OAIC will take in using these powers.

The OAIC continued preparing revisions to the PCEHR (Information Commissioner Enforcement Powers) Guidelines 2013 (Enforcement Guidelines), a legislative instrument that is registered on the Federal Register of Legislative Instruments. The Enforcement Guidelines are made under s 111 of the PCEHR Act. Section 111 requires the Information Commissioner to formulate, and have regard to, guidelines regarding the exercise of the Information Commissioner’s powers under the PCEHR Act, or a power under another related Act, such as the Privacy Act. The revisions are designed to incorporate the Information Commissioner’s new enforcement powers, added to the Privacy Act in 2014, and to ensure that the Enforcement Guidelines are consistent with the OAIC’s Privacy regulatory action policy and the Guide to privacy regulatory action.

Guide to mandatory data breach notification in the PCEHR system

In 2014–15, the OAIC continued to develop a Guide to mandatory data breach notification in the PCEHR system, based on practical application of the draft version of the guide. The guide explains the breach notification obligations that apply to RROs, registered portal operators (RPOs) and the PCEHR System Operator under s 75 of the PCEHR Act. The guide contains information about the types of breaches that have to be reported and what information should be included in a notification. It also outlines how entities should contain a breach, evaluate risks arising from the breach and take steps to prevent future breaches.

The seven mandatory data breach notifications that the OAIC received from the Chief Executive Medicare (as a registered repository operator) during the reporting period further informed the development of the guide. The OAIC also conducted a final targeted consultation with key stakeholders and incorporated feedback into the guide. The OAIC expects to publish the final guide early in 2015–16.

The OAIC also continued development of a web based ‘smart form’ for data breach reporting, to assist RROs, RPOs and the System Operator to easily report matters to the OAIC and comply with their reporting obligations. The OAIC expects to release the form for use in the first half of 2015–16.

Review of existing resources

The OAIC made minor revisions to its seven PCEHR consumer fact sheets to reflect amendments to the Privacy Act and PCEHR system updates, and to improve readability.

Health privacy guidance

The OAIC is currently developing a series of guidance materials for healthcare providers. The guidance relates to privacy obligations when handling health information, including information contained in the PCEHR system. Once finalised after consultation, eleven new business resources will replace the OAIC’s existing health privacy guidance. The resources include information on privacy legislation in some state and territory jurisdictions, noting that some healthcare providers are covered by both federal and state/territory legislation. The OAIC has also been developing two fact sheets for consumers about health privacy issues, including access to, and correction of, health information (which includes health information in a consumer’s PCEHR). Once finalised after consultation, these fact sheets will replace the OAIC’s existing health privacy consumer guidance.

The OAIC is also developing a webpage for health service providers that describes health privacy legislation in Australia, including explaining the coverage of Commonwealth, state and territory legislation.

Liaison

Liaison with the System Operator

The PCEHR System Operator is the Secretary of Health. The OAIC has met regularly with Health in 2014–15 to discuss MOU activities and other matters relating to the PCEHR system.

In particular, the OAIC has regularly engaged with Health regarding the proposed changes to the PCEHR system and the PCEHR Act. This included attending teleconferences with Health relating to the PCEHR review, and attending a number of meetings with Health and the Attorney-General’s Department (AGD) to discuss proposed changes to the PCEHR Act and Privacy Act, in connection with incorporating the recommendations of the PCEHR review.

The OAIC also attended a briefing session in relation to the eHealth budget announcements, on 25 May 2015, and a briefing session on the eHealth legislation discussion paper, on 16 June 2015.

Liaison with state and territory regulators

In February 2015, the OAIC hosted a meeting of Privacy Authorities Australia, a group that includes the privacy and health privacy regulators from the various Australian states and territories. This meeting included discussion of national consistency in health privacy regulation, interoperability and the development of health privacy guidance.

Liaison with other key stakeholders

During 2014–15, the OAIC attended stakeholder consultations regarding the recommendations made in the PCEHR review. These included a consumer-focused consultation in Canberra, and a provider-focused consultation in Sydney.

The OAIC liaised with DHS Medicare about its proactive data integrity activities, which relate to HIs and the PCEHR system, as part of its work in relation to the mandatory data breach notifications received during the reporting period.

The OAIC met with the National E-Health Transition Authority (NeHTA) in relation to eHealth developments, as well as the background to and foundations of eTP services. The OAIC also arranged for NeHTA to deliver its PCEHR Reference Platform presentation (outlined below).

The Privacy Commissioner gave a presentation at the Australian and New Zealand Health Complaints Commissioner’s Conference on 23 April 2015. The Commissioner informed attendees of the OAIC’s work in eHealth, complaint handling work, challenges faced by health service providers and issues arising in regulating across jurisdictions.

The OAIC engaged with other key stakeholders, such as consumer groups and health organisations, by responding to requests for policy advice.

Other activities

Strengthening internal expertise and reference materials

Throughout 2014–15, the OAIC continued to develop its internal expertise relating to its functions and powers in connection with the eHealth system.

As noted above, the OAIC published both its Privacy regulatory action policy and Guide to privacy regulatory action during the reporting period.

In addition, the OAIC continued to ensure that new staff received induction training in eHealth and the OAIC’s eHealth regulatory oversight role. Staff who are new to working specifically on eHealth receive extensive on-the-job training to ensure that they acquire the necessary eHealth subject matter knowledge.

The OAIC arranged for NeHTA to deliver its PCEHR Reference Platform presentation to OAIC staff working in the area of eHealth. The presentation involved demonstrating, through NeHTA’s training environment, how healthcare providers access, use and interact with the PCEHR system within GP software.

Monitoring developments in eHealth and the PCEHR system

Under the MOU with Health, the OAIC is required to monitor developments in eHealth and the PCEHR system to ensure the OAIC is able to offer informed advice about privacy aspects of the operation of the PCEHR system and the broader eHealth context. The OAIC undertook the following relevant activities during the reporting period:

  • attended the Health Informatics Society of Australia’s digital health, eHealth and health informatics conference in Melbourne on 13 and 14 August 2014
  • attended the eHealth Interoperability Conference in Sydney on 28 and 29 October 2014
  • attended the 2015 Australian eHealth Research Colloquium in Brisbane on 31 March 2015
  • attended the Healthcare Efficiency through Technology conference in Sydney on 24 and 25 March 2015
  • attended the Health Informatics Society of Australia’s PCEHR moving ahead in 2015 session in Sydney on 26 March 2015
  • monitored media articles relating to the planned pathology and diagnostic imaging functionality in the PCEHR system
  • conducted research into Telstra’s recent acquisitions and expansion into the eHealth space
  • contacted researchers at the University of NSW who are conducting research into security for wearable healthcare sensor devices, and the possibility of collected data being fed into eHealth systems
  • reviewed the first three Australian Commission on Safety and Quality in Health Care Clinical Safety Reports into the PCEHR
  • reviewed the Australian National Audit Office’s Audit Report on the Department of Defence’s Electronic Health Records System.


4. OAIC and the Healthcare Identifiers service

The HI service has been established as a foundation service for a range of eHealth initiatives in Australia, particularly the PCEHR system. Accordingly, the use of HIs has increased since the launch of the PCEHR system on 1 July 2012. Under the PCEHR system, HIs:

  • are used to identify consumers who register for a PCEHR
  • enable the PCEHR System Operator to authenticate the identity of all individuals who access a PCEHR and record activity through the audit trail
  • help ensure the correct health information is associated with the correct consumer’s PCEHR.

Registration with the HI service is a prerequisite for a healthcare provider organisation to be registered for the PCEHR system.

During the reporting period, the need for the OAIC to undertake compliance and enforcement action has been low. This has meant that the OAIC has focused on undertaking proactive compliance activities, including monitoring developments in eHealth and conducting assessments.

4.1 OAIC compliance and enforcement activities

Complaints relating to the HI service

No complaints were received during the reporting period.

Investigations relating to the HI service

No complaint investigations or Commissioner-initiated investigations were commenced or finalised during the reporting period. At 30 June 2015, there were no HI investigations open.

Assessments relating to the HI service

Under the MOU with Health, the OAIC was required to conduct at least one assessment in 2014–15 from the following targets:

  • the HI Service Operator (DHS Medicare), and
  • agencies/organisations or state and territory authorities using HIs.

The OAIC commenced work on one assessment relating to the HI service in 2014–15 (which also relates to the PCEHR system).

This assessment examines the privacy policies of 40 general practice clinics, selected at random (other than ensuring that half of the clinics were, or form part of, GP super clinics and that all Australian states and territories were represented). The assessment includes consideration of whether the policies reflect the clinics’ use of the eHealth system and individual HIs. This assessment was ongoing as at 30 June 2015.

4.2 Healthcare Identifiers advice, liaison and other activities

Advice

The OAIC provided advice to Health on privacy aspects of proposed changes to the HI Act and related legislation, and on the Australian Government’s decision to trial the use of opt-out participation arrangements, ahead of a possible move to a national opt-out eHealth record system. This included preparing a submission in response to Health’s Electronic Health Records and Healthcare Identifiers: Legislation Discussion Paper. The OAIC also provided advice on draft legislative proposals.

Guidance

Review of existing resources

The OAIC made minor revisions to its three HI business resources and one HI agency resource, to reflect amendments to the Privacy Act and current HI functionality, and to improve readability.

Other guidance

As noted above, the OAIC has published its Privacy regulatory action policy and its Guide to privacy regulatory action, has continued development of a Guide to mandatory data breach notification in the PCEHR system, and has been developing a new series of guidance material for healthcare providers. This guidance material is also relevant to entities that handle HIs and the OAIC’s privacy regulatory oversight of the HI service.

Liaison

The OAIC has met regularly with Health in 2014–15 to discuss MOU activities and other matters relating to the HI service.

The OAIC has regularly engaged with Health regarding the proposed changes to eHealth and the HI Act, including attending a number of meetings with Health and AGD to discuss proposed changes to the HI Act and Privacy Act in connection with incorporating the recommendations of the PCEHR review.

The OAIC also attended a briefing session in relation to the eHealth budget announcements, on 25 May 2015, and a briefing session on the eHealth legislation discussion paper, on 16 June 2015.

The OAIC liaised with DHS Medicare about its proactive data integrity activities, which relate to HIs and the PCEHR system, as part of its work in relation to the mandatory data breach notifications received during the reporting period.

The Privacy Commissioner gave a presentation at the Australian and New Zealand Health Complaints Commissioner’s Conference on 23 April 2015. The Commissioner informed the attendees of the OAIC’s work in eHealth, complaint handling work, challenges faced by health service providers and issues arising in regulating across jurisdictions.

Other activities

Strengthening internal expertise and reference materials

Throughout 2014–15, the OAIC continued to develop its internal expertise relating to its functions and powers in connection with the eHealth system.

The OAIC continued to ensure that new staff received induction training in eHealth and the OAIC’s regulatory oversight role in eHealth, including in relation to HIs. In addition, staff who are new to working specifically on eHealth are given extensive on-the-job training to ensure they acquire the necessary eHealth subject matter knowledge.

Monitoring developments in eHealth and the HI service

Under the MOU with Health, the OAIC is required to monitor developments in eHealth and the HI service, to ensure that the OAIC is aware of the implications of any developments for the HI service and is able to offer informed advice about privacy aspects of the operation of the HI service in the broader eHealth context. As noted above, the OAIC undertook a range of eHealth monitoring activities during the reporting period.

SIGNED

[signature]

Timothy Pilgrim
Acting Australian Information Commissioner

Date: 9 September 2015

Footnotes

[1] One of the assessments related to both the PCEHR system and HI service.

[2] Three policy advices related to both the PCEHR system and HI service and are included in both columns.

[3] One assessment related to both the PCEHR system and HI service and is included in both columns.

[4] See OAIC website <www.oaic.gov.au>.
