Department of Health and Ageing MOU Quarterly Report For the period ending 31 December 2012


Dear Ms Forman

I am pleased to provide you with the quarterly report for the period ending 31 December 2012, in accordance with:

  • Section 3.3 of Schedule 1
  • Section 3.6 of Schedule 2
  • Section 10.1

to the Memorandum of Understanding (MOU) between the Office of the Australian Information Commissioner (OAIC) and the Department of Health and Ageing (DoHA) in relation to the provision of dedicated privacy-related services under the Privacy Act 1988 (Cth), the Personally Controlled Electronic Health Records Act 2012 (Cth) (PCEHR Act) and the Healthcare Identifiers Act 2010 (Cth) (HI Act).

This report for the second quarter under the MOU is a short report as it covers only the period from 1 December to 31 December 2012. Activities performed by the OAIC in the first quarter (until 30 November 2012) were captured in the last activity report which the OAIC provided to DoHA on 7 December 2012 and which covered activities both under the former MOU and the current MOU.

If you have any queries relating to this report, please contact Louise Gell on (02) 6239 9172 or by email to louise.gell@oaic.gov.au.

Yours sincerely

Toni Pirani

Assistant Commissioner

7 January 2013

1.   Advice, guidance, liaison and other activities under the MOU

The OAIC performs a range of policy functions in relation to the PCEHR system and HI Service. Those activities include providing privacy-related advice to DoHA, DoHA’s delivery partners, consumers and other participants; liaising between the various parties, including state and territory privacy and health regulators and the health sector; and developing guidance and training materials for internal and external stakeholders.

The OAIC’s policy branch has also been responsible for producing statutory and regulatory guidance for consumers and other participants such as healthcare providers, registered repository operators and the PCEHR System Operator.

Clause 10.1 of the MOU requires that the performance and impact of the activities set out in the MOU are adequately and effectively monitored and assessed. 

The activities reported below relate to the items listed in section 3.3 of Schedule 1 and section 3.6 of Schedule 2 of the MOU, other than the compliance and enforcement activities, which are set out in Section 2 of this report.

Activities relating to the PCEHR System

Advice

The OAIC provides advice to healthcare providers, the System Operator and other participants on privacy obligations that arise from the PCEHR Act, the PCEHR Regulations and the PCEHR Rules, the PCEHR System, the HI Act and the HI Service. The OAIC also provides advice to individuals on privacy rights and protections available under the PCEHR legislative framework, the eHealth record system and HI Act.

Activity Item

Activity Description

Work Performed

S3.1 (l)

Respond to requests for advice on the appropriate handling of PCEHR information from Commonwealth agencies, WA and SA public authorities, private sector organisations and individuals

  • Provided comments to DoHA on the information brochure and form provided to consumers who apply for a PCEHR through an assisted registration process

S3.1 (q)

Comment on draft legislation that may interact with the Personally Controlled Electronic Health Records Act 2012 (where appropriate)

  • No draft legislation received.


Guidance

Producing privacy guidance is an important aspect of the OAIC’s role and the OAIC has continued to develop privacy-related guidance materials about the PCEHR System on an ongoing basis.

Activity Item

Activity Description

Work Performed

S3.1 (h)

Advise participants on their obligations in relation to PCEHR System and liaise with state and territory regulators

  • Reviewed feedback received from stakeholders during the consultation on the draft guide to mandatory data breach notification under the PCEHR System, and considered how this feedback could be incorporated into the guide
  • Reviewed and updated the information on the PCEHR System on the OAIC website
  • Worked to finalise a series of fact sheets on the PCEHR System and in doing so liaised with the National eHealth Transition Authority. The OAIC also sent the fact sheets to a range of stakeholders for comment on 18 December. These fact sheets included:
  1. The OAIC and eHealth
  2. Emergency Access and your eHealth Record
  3. Consent and the handling of personal information in your eHealth Record
  4. Young People and eHealth
  5. Medicare and your eHealth Record
  6. How to manage your eHealth record


S3.1 (m)

Provide telephone and written guidance to individuals and participants in the health care industry on their privacy compliance obligations in relation to the PCEHR System

  • No guidance requested.

S3.1 (r)

Formulate Enforcement Guidelines for exercising the powers conferred on the Information Commissioner by the Personally Controlled Electronic Health Records Act 2012

  • Reviewed feedback received from stakeholders during the consultation on the draft PCEHR Enforcement Guidelines, and considered how this feedback could be incorporated into the Guidelines


Liaison

The PCEHR System brings together multiple stakeholders across government and the private sector to contribute resources and expertise. Communication and cooperation are therefore important to delivering on the aims of the PCEHR System.

To this end, the OAIC liaised regularly with key stakeholders to ensure the privacy advice we provided took system functionality into account and was appropriately balanced against other policy considerations and other relevant laws.

Activity Item

Activity Description

Work Performed

S3.1 (n)

Liaise and coordinate on privacy related PCEHR activities with key stakeholder agencies (DoHA, NeHTA and Medicare Australia)

  • Conducted meetings with state and territory health and privacy regulators to discuss complaint handling and to develop an information sharing arrangement between the parties. Staff met with health and privacy regulators in South Australia on 6 December to discuss information sharing and complaint referral arrangements. The OAIC also sent a draft arrangement to state and territory health and privacy regulators for comment on 19 December.
  • Liaised with the Australian Medicare Local Alliance about future training webinars to be provided to Medicare Locals. Staff also finalised a training video featuring the Privacy Commissioner, which delivered key messages for healthcare providers. The video will be published on the OAIC’s website in January 2013.

S3.1 (o)

Liaise and coordinate on privacy related PCEHR activities with PCEHR System operator

  • Attended a teleconference with DoHA on 18 December regarding the collection, use and disclosure of third party personal information in relation to the eHealth record system.

Other activities

Activity Item

Activity Description

Work Performed

S3.1 (b)

Accept data breach notifications and assist affected entities to deal with data breaches in accordance with the PCEHR legislative requirements

  • None notified.


S3.1 (c)

Investigate failures to notify data breaches (where empowered to do so)

  • None required.


S3.1 (k)

Update internal reference materials

  • None required from Policy. See Compliance ‘Other activities’.


S3.1 (p)

Prepare privacy related PCEHR-related committee briefing material, speeches and media comment

  • Policy staff briefed the OAIC PCEHR Steering Committee, which met once during the reporting period (see Compliance ‘Other activities’)

S3.1 (s)

Monitor developments in eHealth to ensure the OAIC is able to offer informed advice about privacy aspects of the operation of the PCEHR System in the broader eHealth context

  • Staff reviewed a list of strategic activities which had previously been identified to be performed under the MOU, to prioritise key tasks and plan their delivery

S3.1 (t)

Monitor eHealth developments related to the PCEHR System to ensure that the OAIC is aware of the implications of any developments for the PCEHR system, and is able to ensure compatibility with the privacy aspects of the PCEHR system

  • Staff continued to monitor developments related to the PCEHR system by reviewing PCEHR-related websites, media clips, newsletters and blogs.

Activities relating to the HI Service

Advice

Activity Item

Activity Description

Work Performed

S3.1 (d)

Advise on obligations in relation to HIs and liaise with State and Territory privacy regulators as appropriate

  • Not required.


S3.1 (f)

Respond to requests for advice on the appropriate handling of HIs from Commonwealth agencies, private sector organisations or individuals

  • No advice requested.


S3.1 (m)

Comment on draft legislation that may interact with the HI Act

  • Not required.


Guidance

Activity Item

Activity Description

Work Performed

S3.1 (g)

Provide guidance to individuals and participants in the healthcare industry on their privacy compliance obligations in relation to HIs including, where appropriate, the development of information sheets, Frequently Asked Questions and articles in industry magazines

  • Reviewed and updated the information on the HI Service on the OAIC website


Liaison

Activity Item

Activity Description

Work Performed

S3.1 (l)

Liaise and coordinate with key agencies (DoHA, NeHTA and Medicare)

  • Not required.

S3.1 (n)

Participate in consultation and comment on eHealth developments that relate to the HI Scheme

  • Participated in the Review of the HI Act and HI Service. The OAIC met with the consultant conducting the review on 6 December 2012 and recommended that a number of issues should be taken into account. Further information will be provided to the consultant in early January 2013.


Other activities

Activity Item

Activity Description

Work Performed

S3.1 (j)

Receive Data Breach Notifications and undertake, where appropriate, action

  • None notified.

S3.1 (k)

Develop internal training material and train staff

  • None undertaken.


2.   Compliance and enforcement activities

The OAIC is required to undertake a range of compliance and enforcement activities under the MOU.

Clause 3.3 of Schedule 1 of the MOU requires the OAIC to produce a quarterly report about activities related to the personally controlled electronic health records (PCEHR) system which, at a minimum, provides a summary of:

  1. any complaints or compliance issues within the period and the outcomes or conciliation activities associated;
  2. any investigations commenced within the period and the findings and recommendations associated; and
  3. any audits commenced within the period and the findings and recommendations associated.

The Information Commissioner (the Commissioner) also has statutory reporting obligations under section 106 of the Personally Controlled Electronic Health Records Act 2012 (Cth) (the PCEHR Act). [1]

Clause 3.6 of Schedule 2 of the MOU requires the OAIC to produce a quarterly report about activities related to the Healthcare Identifiers (HI) Service which, at a minimum, provides a summary of:

  1. any investigations commenced within the period and the findings and recommendations associated;
  2. any audits commenced within the period and the findings and any recommendations associated; and
  3. complaints or compliance issues within the period and the outcomes or conciliation activities associated.

The Commissioner also has statutory reporting obligations under section 30 of the Healthcare Identifiers Act 2010 (Cth) (the HI Act). [2]

The following compliance activities were undertaken during the reporting period, in relation to the PCEHR System and HI Service.

Telephone and written enquiries relating to the PCEHR System and HI Service

No telephone enquiries were received during the reporting period.

Complaints relating to the PCEHR System and HI Service

No complaints were received during the reporting period.

Investigations in relation to the PCEHR system and HI Service

No investigations were conducted during the reporting period.

Audits relating to the PCEHR system and HI Service

No audits were performed. Staff liaised with the Department of Human Services to plan and determine an appropriate scope for future audits of the HI Service and PCEHR System.

Other activities

Since the OAIC received no complaints in relation to the PCEHR System and HI Service during the reporting period, compliance work continued to focus on preparations for the implementation of the system. This included developing a complaint handling process, developing enforcement procedures, ensuring staff are appropriately trained and ensuring that the new case management system is ready to deal with and report on PCEHR and HI complaints. Compliance updated the internal PCEHR privacy FAQs for staff on the enquiries line. Compliance also engaged the Australian Government Solicitor to update the Privacy Compliance Manual to include processes relating to PCEHR enforcement activities.

Compliance completed enhancements and testing of PCEHR content on the ‘Resolve’ complaint handling system.

The OAIC has established a PCEHR Steering Committee to coordinate activities and administrative matters, to ensure that the OAIC meets its requirements under the MOU and carries out the Information Commissioner’s regulatory role in relation to the PCEHR System and HI Service. The Steering Committee comprises executive staff and met once during the reporting period. Some Compliance staff participated in this meeting.



[1] Under section 106 of the Personally Controlled Electronic Health Records Act 2012 (Cth) the Information Commissioner (the Commissioner) is required to prepare an annual report setting out the compliance and enforcement activities undertaken in relation to the PCEHR Act. This report must include:

  1. statistics of the following:
    1. complaints received by the Commissioner in relation to the PCEHR system;
    2. investigations made by the Commissioner in relation to PCEHRs or the PCEHR system;
    3. enforceable undertakings accepted by the Commissioner under this Act;
    4. proceedings taken by the Commissioner in relation to civil penalty provisions, enforceable undertakings or injunctions; and
  2. any other matter prescribed by the regulations.

[2] Section 30 of the Healthcare Identifiers Act 2010 (Cth) requires the Commissioner to prepare an annual report setting out the compliance and enforcement activities undertaken during the period.