
Department of Health and Ageing MOU Quarterly Report For the period ending 31 March 2013


Dear Mr Corkhill

I am pleased to provide you with the quarterly report for the period ending 31 March 2013, in accordance with:

  • clause 3.3 of Schedule 1
  • clause 3.6 of Schedule 2, and
  • clause 10.1

of the Memorandum of Understanding (MOU) between the Office of the Australian Information Commissioner (OAIC) and the Department of Health and Ageing (DoHA) in relation to the provision of dedicated privacy-related services under the Privacy Act 1988, the Personally Controlled Electronic Health Records Act 2012 and the Healthcare Identifiers Act 2010.

If you have any queries relating to the report please contact Jacob Suidgeest on (02) 9284 9809 or by email at jacob.suidgeest@oaic.gov.au. Mr Suidgeest is on leave from 8 April to 30 April 2013. If you have enquiries during this period contact Zoe Fitzell on (02) 9284 9727 or by email at zoe.fitzell@oaic.gov.au.

Yours sincerely

Angelene Falk

Acting Assistant Commissioner

Regulation and Strategy Branch

Office of the Australian Information Commissioner

8 April 2013

1. Advice, guidance, liaison and other activities under the MOU

Clause 10.1 of the MOU requires that the performance and impact of the activities set out in the MOU are adequately and effectively monitored and assessed.

The activities reported below relate to work performed on activities listed in clause 3.3 of Schedule 1 and clause 3.6 of Schedule 2 of the MOU, other than the compliance and enforcement activities set out under Section 2 of this report.

Activities relating to the PCEHR System

Advice

Activity item | Activity description | Work performed

S.3.1 (m): Respond to requests for advice on the appropriate handling of PCEHR information from Commonwealth agencies, WA and SA public authorities, private sector organisations and individuals
  • Responded to a written enquiry from the Australian Privacy Foundation about restrictions on collection, use and disclosure of eHealth records, audit logs, coverage of the PCEHR Rules, the Australia.gov.au website, security of the system and oversight and review by the OAIC.
  • Responded to a written enquiry from an individual on various privacy aspects of the system including cancellation and deletion of records, authorised collection, use and disclosure, and participation agreements.

S.3.1 (r): Comment on draft legislation that may interact with the Personally Controlled Electronic Health Records Act 2012 (where appropriate)
  • No draft legislation received.


Guidance

Activity item | Activity description | Work performed

S.3.1 (h): Advise participants on their obligations in relation to the PCEHR System and liaise with state and territory regulators
  • Incorporated feedback received from stakeholders during the consultation on the draft guide to mandatory data breach notification under the PCEHR System, and worked to simplify and clarify the language and structure of the guide.
  • Drafted data breach notification templates and a compliance checklist for the System Operator and registered repository and portal operators.
  • Finalised updates to the information about the PCEHR System on the OAIC website.
  • Published a video on the OAIC’s website about healthcare provider privacy responsibilities in relation to the PCEHR System.

S.3.1 (n): Provide telephone and written guidance to individuals and participants in the health care industry on their privacy compliance obligations in relation to the PCEHR System
  • Updated the draft consumer fact sheets to incorporate stakeholder feedback received through consultation. The drafts have been provided to the OAIC’s Privacy Advisory Committee for comment prior to final OAIC Executive clearance.
  • Provided advice in response to five enquiries, including the written enquiry from the individual referred to at S.3.1 (m) above.

S.3.1 (s): Enforcement Guidelines for exercising the powers conferred on the Information Commissioner by the Personally Controlled Electronic Health Records Act 2012
  • Updated the draft Enforcement Guidelines to incorporate feedback received through the public consultation process.
  • Instructed the Australian Government Solicitor (AGS) to prepare a draft Explanatory Statement for the Enforcement Guidelines.
  • The OAIC is finalising the Guidelines and Explanatory Statement in preparation for registration on the Federal Register of Legislative Instruments.

Liaison

Activity item | Activity description | Work performed

S.3.1 (o): Liaise and coordinate on privacy related PCEHR activities with key stakeholder agencies (DoHA, NeHTA and Medicare Australia)
  • Attended quarterly meeting with DoHA on 23 January 2013.
  • Prepared quarterly MOU report to 31 December 2012.
  • Met with NeHTA for an update on developments in the PCEHR on 26 February 2013.
  • Updated DHS on the OAIC’s eHealth activities on 1 March 2013.
  • Met with DoHA (Matthew Corkhill and Andrew Sibraa) on 12 March 2013 to discuss PCEHR compliance activities.

S.3.1 (p): Liaise and coordinate on privacy related PCEHR activities with the PCEHR System Operator
  • Provided advice to DoHA regarding a data security incident reported to DoHA by a third party health service provider.

Other activities

Activity item | Activity description | Work performed

S.3.1 (b): Accept data breach notifications and assist affected entities to deal with data breaches in accordance with the PCEHR legislative requirements
  • None received.

S.3.1 (c): Investigate failures to notify data breaches (where empowered to do so)
  • None required.

S.3.1 (k): Develop protocol with the System Operator for the referral of complaints and complex privacy enquiries
  • An Information Sharing and Complaint Handling Agreement between the OAIC and DoHA is being developed by the OAIC, and consultation with DoHA will shortly commence.
  • Continued liaising with DoHA to develop the complaint referral table to be attached to the Information Sharing and Complaint Handling Agreement.
  • Feedback from DoHA and state and territory regulators was incorporated into the draft Information Sharing and Complaints Referral Arrangement between the OAIC and the states and territories. The final Arrangement is with the OAIC Executive for clearance, following which it will be circulated to states and territories for signature.

S.3.1 (l): Update internal reference materials
  • Obtained advice from AGS in relation to the required updates to the compliance manual; the OAIC is currently implementing these changes.
  • Instructed AGS to develop ‘information sheets’ for the OAIC’s internal training purposes. The OAIC is currently finalising these resources.
  • AGS developed template notices (for the OAIC to use in eHealth investigations) relating to the OAIC’s power to obtain information and documents.
  • Internal FAQs for OAIC Enquiries Line staff were revised in consultation with the Department of Human Services (in its capacity as eHealth helpline operator).
  • A review and revision of the OAIC’s existing assessment and allocation procedures for eHealth complaints has commenced.

S.3.1 (q): Prepare privacy related PCEHR-related committee briefing material, speeches and media comment
  • None required.

S.3.1 (t): Monitor developments in eHealth to ensure the OAIC is able to offer informed advice about privacy aspects of the operation of the PCEHR System in the broader eHealth context
  • Briefed the OAIC PCEHR Steering Committee on PCEHR aspects of recent Senate Estimates hearings.

S.3.1 (u): Monitor eHealth developments related to the PCEHR System to ensure that the OAIC is aware of the implications of any developments for the PCEHR system, and is able to ensure compatibility with the privacy aspects of the PCEHR system
  • Attended NeHTA’s Model Healthcare Community Tour on 25 February.
  • Attended the Health-e-Nation Leadership Summit on 20 March.
  • Attended the Australian e-Health Research Colloquium on 27 March (hosted by the Australian eHealth Research Centre).

Activities relating to the HI Service

Advice

Activity item | Activity description | Work performed

S.3.1 (d): Advise on obligations in relation to HIs and liaise with State and Territory privacy regulators as appropriate
  • None required.

S.3.1 (f): Respond to requests for advice on the appropriate handling of HIs from Commonwealth agencies, private sector organisations or individuals
  • Received a request from DHS for an amendment to an HI FAQ on the OAIC website. The OAIC is currently considering this request.

S.3.1 (m): Comment on draft legislation that may interact with the HI Act
  • None required.

Guidance

Activity item | Activity description | Work performed

S.3.1 (g): Provide guidance to individuals and participants in the healthcare industry on their privacy compliance obligations in relation to HIs including, where appropriate, the development of information sheets, frequently asked questions and articles in industry magazines
  • Reviewed HI guidance material and considered areas where further guidance may be needed.

Liaison

Activity item | Activity description | Work performed

S.3.1 (l): Liaise and coordinate with key agencies (DoHA, NeHTA and Medicare Australia)
  • None required.

S.3.1 (n): Participate in consultation and comment on eHealth developments that relate to the HI Scheme
  • Provided input into Phase One of the HI Review and responded to further questions from Joanna Kelly of Doll Martin Associates (independent reviewer of the HI Act and HI Service). This included internal liaison regarding the OAIC’s jurisdiction over the Australian Health Practitioner Regulation Agency (AHPRA) under the HI Act.

Other activities

Activity item | Activity description | Work performed

S.3.1 (j): Receive Data Breach Notifications and undertake, where appropriate, action
  • None received.

S.3.1 (k): Develop internal training material and train staff
  • None developed.

2. Compliance and enforcement activities

The Office of the Australian Information Commissioner is required to undertake a range of compliance and enforcement activities under the MOU with the Department of Health and Ageing.

Clause 3.3 of Schedule 1 of the MOU requires the OAIC to produce a quarterly report about activities related to the Personally Controlled Electronic Health Records (PCEHR) system which, at a minimum, provides a summary of:

  1. any complaints or compliance issues within the period and the outcomes or conciliation activities associated
  2. any investigations commenced within the period and the findings and recommendations associated
  3. any audits commenced within the period and the findings and recommendations associated.

The Information Commissioner (the Commissioner) also has statutory reporting obligations under section 106 of the Personally Controlled Electronic Health Records Act 2012 (Cth) (the PCEHR Act). [1]

Clause 3.6 of Schedule 2 of the MOU requires the OAIC to produce a quarterly report about activities related to the Healthcare Identifiers (HI) Service which, at a minimum, provides a summary of:

  1. any investigations commenced within the period and the findings and recommendations associated
  2. any audits commenced within the period and the findings and any recommendations associated
  3. complaints or compliance issues within the period and the outcomes or conciliation activities associated.

The Commissioner also has statutory reporting obligations under section 30 of the Healthcare Identifiers Act 2010 (Cth) (the HI Act). [2]

For consistency purposes, the quarterly reports will contain the same statistical reporting fields as the Commissioner’s statutory reporting requirements under the PCEHR Act and the HI Act.

However, information about enforceable undertakings accepted by the Commissioner or proceedings taken by the Commissioner will not appear in quarterly reports. Full details about compliance and enforcement activities (complaints, investigations and audits) may not be available for quarterly reports where these matters are still being assessed for investigation or auditing.

Complaints relating to the PCEHR System

This section contains information on complaints made by individuals. Complaints received about the PCEHR system will be assessed under the provisions of the PCEHR Act and the Privacy Act to determine the most appropriate course of regulatory action. In some cases the Commissioner will decline to investigate a complaint; in other cases preliminary inquiries will need to be made before deciding whether to proceed to investigation.

Complaints subject to investigation are also mentioned under the section titled ‘Investigations under section 40(1) of the Privacy Act’.

Table A Complaints received and finalised during the reporting period (1 January – 31 March)

  Received during period: 0
  Finalised during period: 0
  Complaints open at 31 March: 0

Complaints received during the reporting period: NIL

Complaints finalised during the reporting period: NIL

Complaints commenced in the previous reporting period but still underway: NIL

Investigations in relation to the PCEHR system

Under the Privacy Act 1988 (Cth), the Commissioner will undertake investigations that arise from a complaint made by an individual about an act or practice that may be an interference with privacy. The Commissioner also has the discretion to investigate an act or practice that may be an interference with privacy on his own motion.

Given that individual complaints may be the subject of investigation, there may be some matters reported under ‘Complaints relating to the PCEHR System’ that are also listed below.

Investigations under section 40(1) of the Privacy Act

Table B Investigations received and finalised during the reporting period (Section 40 (1)) (1 January – 31 March)

  Received during period: 0
  Finalised during period: 0
  Investigations open at 31 March: 0

Investigations received during the reporting period: NIL

Investigations finalised during the reporting period: NIL

Investigations commenced in the previous reporting period but still underway: NIL

Own motion investigations under section 40(2) of the Privacy Act

Table C Investigations received and finalised during the reporting period (Section 40 (2)) (1 January – 31 March)

  Received during period: 0
  Finalised during period: 0
  Investigations open at 31 March: 0

Investigations received during the reporting period: NIL

Investigations finalised during the reporting period: NIL

Investigations commenced in the previous reporting period but still underway: NIL

Audits relating to the PCEHR system

Audits commenced and ongoing during the reporting period

The OAIC has identified possible targets for audits of the PCEHR System and mapped out a draft audit timetable over the MOU period. The draft audit timetable includes up to four audits relating to the PCEHR system.

The OAIC is liaising with Department staff about the possibility of shortly commencing the following audits:

  • eHealth record registration processes
  • security of the eHealth record system.

Further discussions with Department staff about the scope and timing of these audits are expected to occur in early April 2013.

Audits closed during the reporting period

NIL

Audits commenced in previous reporting periods but still underway

NIL

Complaints relating to the HI Service

Table B Complaints received and finalised during the reporting period (1 January – 31 March)

  Received during period: 0
  Finalised during period: 0
  Complaints open at 31 March: 0

Complaints received during the reporting period: NIL

Complaints finalised during the reporting period: NIL

Complaints commenced in the previous reporting period but still underway: NIL

Investigations relating to the HI Service

Investigations under section 40(1) of the Privacy Act

Table D Investigations received and finalised during the reporting period (1 January – 31 March)

  Received during period: 0
  Finalised during period: 0
  Investigations open at 31 March: 0

Investigations received during the reporting period: NIL

Investigations finalised during the reporting period: NIL

Investigations commenced in the previous reporting period but still underway: NIL

Own motion Investigations under section 40(2) of the Privacy Act

Table C Investigations received and finalised during the reporting period (Section 40 (2)) (1 January – 31 March)

  Received during period: 0
  Finalised during period: 0
  Investigations open at 31 March: 0

Investigations received during the reporting period: NIL

Investigations finalised during the reporting period: NIL

Investigations commenced in the previous reporting period but still underway: NIL

Audits relating to the HI Service

Audits commenced and ongoing during the reporting period

The OAIC has identified possible targets for audits of the HI Service and mapped out a draft audit timetable over the MOU period. The draft audit timetable includes up to four audits relating to the HI Service.

The OAIC is liaising with DoHA and Department of Human Services (DHS) staff about the possibility of shortly commencing an audit of the HI Service Operator, focusing on the collection, use and disclosure of individual healthcare identifiers and individual healthcare provider identifiers.

Further discussions with DoHA and DHS staff about the scope and timing of this and subsequent HI Service audits are expected to occur in early April 2013.

Audits closed during the reporting period

NIL

Audits commenced in previous reporting periods but still underway

NIL

[1] Under s 106 of the Personally Controlled Electronic Health Records Act 2012 (Cth) the Information Commissioner (the Commissioner) is required to prepare an annual report setting out the compliance and enforcement activities undertaken in relation to the PCEHR Act. This report must include:

  1. statistics of the following:
    1. complaints received by the Commissioner in relation to the PCEHR system;
    2. investigations made by the Commissioner in relation to PCEHRs or the PCEHR system;
    3. enforceable undertakings accepted by the Commissioner under this Act;
    4. proceedings taken by the Commissioner in relation to civil penalty provisions, enforceable undertakings or injunctions; and
  2. any other matter prescribed by the regulations.

[2] Section 30 of the Healthcare Identifiers Act 2010 (Cth) requires the Commissioner to prepare an annual report setting out the compliance and enforcement activities undertaken during the period.