Department of Health MOU Biannual Report 2015–2016 for the period ending 31 December 2015


Department of Health
Memorandum of Understanding
Biannual Report
2015–2016

For the period ending 31 December 2015

Mr David Paull
Assistant Secretary
Design and Operations Branch,
Digital Health Division
Department of Health
GPO Box 9848
CANBERRA ACT 2601

Dear Mr Paull

I am pleased to provide you with the biannual report for the period ending 31 December 2015, in accordance with Section 3.3 of Schedule 1, Section 3.3 of Schedule 2 and Section 10.1 of the Memorandum of Understanding between the Office of the Australian Information Commissioner and the Department of Health, in relation to the provision of dedicated privacy-related services under the Privacy Act 1988, the Personally Controlled Electronic Health Records Act 2012 and the Healthcare Identifiers Act 2010.

If you have any queries relating to the report please contact Melanie Drayton on [contact details removed].

Yours sincerely

Timothy Pilgrim
Acting Australian Information Commissioner

21 January 2016


Section 1 — Advice, guidance, liaison and other activities

The Office of the Australian Information Commissioner (OAIC) is required to report biannually under the Memorandum of Understanding (MOU) with the Department of Health (Health) in relation to the Personally Controlled Electronic Health Records (PCEHR) system and Healthcare Identifiers (HI) system activities.

Clause 10.1 of the MOU requires that the performance and impact of the activities set out in the MOU are adequately and effectively monitored and assessed.

The activities reported below relate to work performed on activities listed in section 3.3 of Schedule 1 and section 3.3 of Schedule 2 of the MOU, other than the compliance and enforcement activities set out under Section 2 of this report.

Activities relating to the PCEHR system

Advice

S3.1(g) – Respond to enquiries and requests for advice on the appropriate handling of PCEHR information and other privacy compliance obligations in relation to the PCEHR system
  • The OAIC provided Health with comments on its review of its eHealth privacy notices and privacy policy on 10 August 2015.
  • During the reporting period, the OAIC received six new enquiries regarding the PCEHR system, and finalised responses to eight enquiries. The new enquiries included an enquiry from an individual about opting-out of the eHealth system, and an enquiry from a health care provider about how the PCEHR Act applies to the cross-border disclosure of information.
  • Following the OAIC’s assessment of the privacy policies of 40 GP clinics, the OAIC provided feedback to the Royal Australian College of General Practitioners (RACGP) on its privacy policy template. The RACGP published a new version of their template on 30 November 2015.
  • The OAIC conducted a webinar on privacy policies for GP clinics on 11 August 2015. The webinar was fully subscribed, and the webinar continues to be accessible from the OAIC’s website.
  • The OAIC prepared comments to Health on draft versions of materials developed for consumers who reside in areas involved in the opt-out trials for the PCEHR system.

Guidance

S3.1(h) – Prepare and/or update written guidance materials for participants in the PCEHR system on the appropriate handling of PCEHR information and other privacy compliance obligations in relation to the PCEHR system
  • The OAIC finalised and published a Guide to mandatory data breach notification in the PCEHR system.
  • The OAIC continued to develop a series of eleven new business resources for health service providers. The resources relate to privacy obligations when handling health information, including information contained in the PCEHR system. The OAIC also continued development of two consumer fact sheets relating to health privacy issues including access to, and correction of, health information.
  • The OAIC ran a public consultation seeking comments from health industry groups, health service providers, individuals with an interest or expertise in the health industry, health consumers, or any other interested parties. Once finalised after consultation, the materials will replace the OAIC’s existing privacy guidance.
  • The OAIC developed and consulted with state and territory health privacy regulators on a webpage for health service providers that describes health privacy legislation in Australia, including explaining the coverage of Commonwealth, state and territory legislation. The webpage has now been published and provides a link to eHealth legislation and the OAIC’s eHealth resources.
  • The OAIC commenced preparing updates to pages of the OAIC website to reflect legislative changes as a result of the Health Legislation Amendment (eHealth) Act 2015.
S3.1(i) – Update guidance for exercising the powers conferred on the Information Commissioner by the PCEHR Act as required
  • The OAIC updated the PCEHR Enforcement Guidelines (made under s 111 of the PCEHR Act) to reflect the OAIC’s Privacy regulatory action policy and the Information Commissioner’s enhanced enforcement and regulatory powers, conferred by the Privacy Amendment (Enhancing Privacy Protection) Act 2012. The Enforcement Guidelines outline how the OAIC will approach enforcement issues under the PCEHR Act and other privacy legislation.
  • The OAIC ran a public consultation seeking public comment on the amendments. Following the consultation, the OAIC updated the revised guidelines and also made further changes to reflect amendments made by the Health Legislation Amendment (eHealth) Act 2015. The OAIC intends to register the revised guidelines with the Federal Register of Legislative Instruments in the first quarter of 2016.
  • The OAIC commenced preparing updates to its Guide to privacy regulatory action to reflect changes to its PCEHR Act enforcement powers as a result of the Health Legislation Amendment (eHealth) Act 2015.

Liaison

S3.1(j) – Liaise and coordinate on privacy-related PCEHR activities with the System Operator and other key agencies (Health, NeHTA and DHS-Medicare)
  • The OAIC prepared an annual report of the OAIC’s activities in relation to the PCEHR system during 2014-15, in accordance with s 106 of the PCEHR Act.
  • The OAIC prepared a quarterly report under the previous MOU between Health and the OAIC for the period ending 30 June 2015.
  • On 7 August 2015, the OAIC met with NeHTA to discuss privacy issues related to the disclosure of personal information contained in diagnostic imaging reports that are stored in the PCEHR system.
  • On 6 November 2015, the OAIC met with Health to discuss privacy training for health service providers using the system.
  • On 10 November 2015, the OAIC met with NeHTA to discuss issues arising from the OAIC’s assessment of the access security controls of seven General Practice clinics.
  • On 16 November 2015, the OAIC met with NeHTA to discuss the matching process for obtaining IHI records and issues relating to intertwined IHI records.
S3.1(k) – Liaise and coordinate on privacy-related PCEHR activities with state and territory regulators
  • None required.

Other activities

S3.1(l) – Prepare PCEHR-related briefing material, speeches, articles and media comment on privacy matters
  • The OAIC responded to a media enquiry regarding the secondary use of health information held in the PCEHR system.
S3.1(m) – Comment on draft legislation that may interact with the PCEHR Act (where appropriate)
  • The OAIC attended a number of meetings with Health, the Attorney-General’s Department and the Office of Parliamentary Counsel to discuss proposed changes to the PCEHR Act and the Privacy Act.
  • The OAIC provided comments on draft legislative proposals relating to the PCEHR Act and the Privacy Act.
  • The OAIC reviewed parts of the draft Explanatory Memorandum to the eHealth amendment Bill.
  • The OAIC made a submission to the Senate Community Affairs Legislation Committee on its inquiry into the Health Legislation Amendment (eHealth) Bill 2015.
  • The OAIC commented on a draft bill, which included draft provisions authorising the handling of personal information in connection with the PCEHR system.
S3.1(n) – Participate in consultations and comment on eHealth developments that relate to the PCEHR system
  • None required.
S3.1(o) – Update internal reference materials and provide staff training as necessary
  • The OAIC conducted induction training in eHealth and the OAIC’s eHealth regulatory oversight role for all new OAIC staff.
  • The OAIC conducted detailed eHealth induction and training for two new staff working in eHealth teams.
S3.1(p) – Monitor developments in eHealth and the PCEHR system to ensure the OAIC is able to offer informed advice about privacy aspects of the operation of the PCEHR system and the broader eHealth context
  • OAIC staff monitored news clips and subscribed to eHealth websites and blogs, such as eHealthspace.org and Pulse+IT.
  • The OAIC reviewed the findings of Minter Ellison’s privacy impact assessment report on the opt-out model for the PCEHR system.
  • In August, an OAIC staff member attended the annual Health Informatics Conference in Brisbane. The conference provided an overview of prevalent technological, medical and social issues in the eHealth space and included a number of international keynote speakers who specialised in the relationship between health IT and public policy.
  • The OAIC monitored the Royal Australian College of General Practitioners’ (RACGP) eHealth forum, held in October, and noted the outcomes from the forum.
  • The OAIC assessed the Australian National Audit Office’s audit report on the Department of Defence Electronic Health system for its relevance to the PCEHR system.

Activities relating to the Healthcare Identifiers service

Advice

S3.1(e) – Respond to enquiries and requests for advice on the appropriate handling of HIs and other privacy compliance obligations in relation to the HI service
  • The OAIC received and responded to one enquiry regarding healthcare identifiers during the reporting period.

Guidance

S3.1(f) – Prepare and/or update written guidance materials for participants in the healthcare industry on the appropriate handling of HIs and other privacy compliance obligations in relation to the HI service
  • The OAIC commenced preparing updates to pages of the OAIC website to reflect legislative changes as a result of the Health Legislation Amendment (eHealth) Act 2015.
  • The OAIC commenced preparing updates to its Guide to privacy regulatory action to reflect changes to its HI Act enforcement powers as a result of the Health Legislation Amendment (eHealth) Act 2015.

Liaison

S3.1(g) – Liaise and coordinate on privacy related HI activities with key agencies (Health, NeHTA and DHS-Medicare)
  • The OAIC prepared an annual report of the OAIC’s activities in relation to the HI service during 2014-15, in accordance with s 30 of the HI Act.
  • The OAIC prepared a quarterly report under the previous MOU between Health and the OAIC for the period ending 30 June 2015.
  • On 16 November 2015, the OAIC met with NeHTA to discuss the matching process for obtaining IHI records and issues relating to intertwined IHI records.
S3.1(h) – Liaise and coordinate on privacy related HI activities with state and territory regulators
  • None required.

Other activities

S3.1(i) – Prepare HI-related briefing material, speeches, articles and media comment on privacy matters
  • None required.
S3.1(j) – Comment on draft legislation that may interact with the HI Act (where appropriate)
  • The OAIC attended a number of meetings with Health, the Attorney-General’s Department and the Office of Parliamentary Counsel to discuss proposed changes to the HI Act and the Privacy Act.
  • The OAIC provided comments on draft legislative proposals relating to the HI Act and the Privacy Act.
  • The OAIC reviewed parts of the draft Explanatory Memorandum to the eHealth amendment Bill.
  • The OAIC made a submission to the Senate Community Affairs Legislation Committee on its inquiry into the Health Legislation Amendment (eHealth) Bill 2015.
S3.1(k) – Participate in consultations and comment on eHealth developments that relate to the HI service
  • None required.
S3.1(l) – Update internal reference materials and provide staff training as necessary
  • The OAIC conducted induction training in eHealth and the OAIC’s eHealth regulatory oversight role for all new OAIC staff.
  • The OAIC conducted detailed eHealth induction and training for two new staff working in eHealth teams.
  • The OAIC commenced preparing updates to its Guide to privacy regulatory action to reflect changes to its HI Act enforcement powers as a result of the Health Legislation Amendment (eHealth) Act 2015.
S3.1(m) – Monitor developments in eHealth and the HI service to ensure the OAIC is aware of the implications of any developments for the HI service and able to offer informed advice about privacy aspects of the operation of the HI service in the broader eHealth context.
  • OAIC staff monitored news clips and subscribed to eHealth websites and blogs, such as eHealthspace.org and Pulse+IT.


Section 2 — Compliance and enforcement activities

The OAIC is required to undertake a range of compliance and enforcement activities under the MOU.

Clause 3.3 of Schedule 1 of the MOU requires the OAIC to produce a biannual report about activities related to the PCEHR system which, at a minimum, provides a summary of:

  1. any complaints or compliance issues within the period and the outcomes or conciliation activities associated;
  2. any investigations commenced within the period and the findings and recommendations associated; and
  3. any assessments commenced within the period and the findings and recommendations associated.

The Information Commissioner (the Commissioner) also has annual statutory reporting obligations under section 106 of the PCEHR Act.

Clause 3.3 of Schedule 2 of the MOU requires the OAIC to produce a biannual report about activities related to the HI Service which, at a minimum, provides a summary of:

  1. any investigations commenced within the period and the findings and recommendations associated;
  2. any assessments commenced within the period and the findings and any recommendations associated; and
  3. complaints or compliance issues within the period and the outcomes or conciliation activities associated.

The Commissioner also has annual statutory reporting obligations under section 30 of the HI Act.

For consistency purposes, the biannual reports will contain the same statistical reporting fields as the Commissioner’s statutory reporting requirements under the PCEHR Act and the HI Act.

However, information about enforceable undertakings accepted by the Commissioner or proceedings taken by the Commissioner will not appear in biannual reports. Full details about compliance and enforcement activities (complaints, investigations and assessments) may not be available for biannual reports where these matters are still undergoing investigation or assessment.

Compliance activities relating to PCEHR system

Table A: Matters commenced and finalised during the reporting period 1 July to 31 December 2015.

| Matter type                            | Received/commenced during period | Finalised during period | Open at 31 December |
|----------------------------------------|----------------------------------|-------------------------|---------------------|
| Complaints                             | Nil                              | Nil                     | Nil                 |
| Commissioner-initiated investigations  | Nil                              | Nil                     | Nil                 |
| Assessments                            | 2                                | 2                       | 2                   |
| Mandatory data breach notifications    | 7                                | 2                       | 5                   |

Details of assessments relating to the PCEHR system

Assessments commenced during the reporting period

Assessment: The OAIC is conducting an assessment of the System Operator’s implementation of recommendations made by the office in its previous Information Privacy Principle 4 audit of the System Operator. The previous audit examined how the System Operator protected personal information held on the National Repositories Service.

Status: This assessment is ongoing.

Assessment: The OAIC is conducting an assessment of the System Operator’s handling of personal information held in the National Prescription and Dispense Repository.

Status: This assessment is ongoing.

Assessments closed during the reporting period

The following two assessments commenced in previous reporting periods and were closed during the reporting period:

Assessment: The OAIC has conducted an assessment of controls applied by a number of GP clinics relating to access to the eHealth system.

Status: Finalised and published on the OAIC website.

Assessment: The OAIC has conducted an assessment of the privacy policies of 40 general practice clinics. The clinics were selected at random, other than ensuring that half of the clinics were, or formed part of, GP super clinics and that all of Australia's states and territories were represented. The assessment included consideration of whether the policies reflected the clinics’ use of the eHealth system and individual healthcare identifiers.

Status: This assessment was finalised with individual report cards provided to the GP clinics. A consolidated de-identified report of the OAIC’s findings is being prepared for publication.

Assessments commenced in previous reporting periods and still underway

None.

Details of mandatory data breach notifications relating to the PCEHR system

Mandatory data breach notifications received during the reporting period

The OAIC received two mandatory data breach notifications from the System Operator during the reporting period:

  • The first notification was received in July 2015 and involved five cases where the myGov account of a consumer was linked to another consumer’s eHealth record. The OAIC closed this matter during the reporting period (see below).
  • The second notification from the System Operator was received in mid-December 2015 and involved access of a consumer’s digital health record by a third party. The assessment of this notification is ongoing.

The OAIC also received five mandatory data breach notifications from the Department of Human Services during the reporting period:

  • Three notifications were received in July, October and November 2015 and involved a similar pattern to data breach notifications received from the Department in previous reporting periods. Consumers with similar demographic information had intertwined Medicare records. As a result, Medicare claiming data belonging to more than one consumer was made available in the digital health record of the record owner. The OAIC closed one notification during the reporting period (see below). Assessment of the remaining two notifications was ongoing as at 31 December 2015.
  • Two notifications resulted from findings under the Medicare compliance program that certain Medicare claims that did not belong to the consumer were uploaded to their digital health record. The assessment of these notifications was ongoing as at 31 December 2015.

Mandatory data breach notifications closed during the reporting period

The OAIC completed its enquiries into the data breach notification received from the System Operator in July 2015 and referred to above. The OAIC requested further information from the System Operator regarding the data breach. Following consideration of that material and its response, the OAIC considers that the System Operator has acted appropriately in assessing the incident, containing any disclosure of personal information and notifying affected individuals.

The OAIC also completed its enquiries into the data breach notification received from the Department of Human Services in November 2015 and referred to above. The OAIC requested further information from the Department and, following consideration of that material and its response, the OAIC considers that the Department has acted appropriately in assessing the incident, seeking to cancel the relevant eHealth records and seeking to contact affected individuals. The Department has implemented processes and procedures for dealing with intertwined Medicare accounts.

The OAIC expects to close the other two notifications received relating to the same subject matter shortly.

Mandatory data breach notifications received in previous reporting periods and still open

None.

Compliance activities relating to Healthcare Identifiers service

Table B: Matters commenced and finalised during the reporting period 1 July to 31 December 2015.

| Matter type                            | Received/commenced during period | Finalised during period | Open at 31 December |
|----------------------------------------|----------------------------------|-------------------------|---------------------|
| Complaints                             | Nil                              | Nil                     | Nil                 |
| Commissioner-initiated investigations  | Nil                              | Nil                     | Nil                 |
| Assessments                            | Nil                              | 1                       | Nil                 |

Details of assessments relating to the Healthcare Identifiers Service

Assessment: The OAIC has conducted an assessment of the privacy policies of 40 general practice clinics. The clinics were selected at random, other than ensuring that half of the clinics were, or formed part of, GP super clinics and that all of Australia's states and territories were represented. The assessment included consideration of whether the policies reflected the clinics’ use of the eHealth system and individual healthcare identifiers.

Status: This assessment was finalised with individual report cards provided to the GP clinics. A consolidated de-identified report of the OAIC’s findings is being prepared for publication.
