Australian Government - Office of the Australian Information Commissioner

Department of Health MOU Biannual Report 2015–2016 for the period ending 30 June 2016

Department of Health
Memorandum of Understanding
Biannual Report
2015–16

For the period ending 30 June 2016

Mr David Paull
Executive General Manager
Core Services and System Operations
Australian Digital Health Agency
Sirius Building, 23 Furzer Street
PHILLIP ACT 2606

Dear Mr Paull

I am pleased to provide you with the biannual report for the period ending 30 June 2016, in accordance with Section 3.3 of Schedule 1, Section 3.3 of Schedule 2 and Section 10.1 of the Memorandum of Understanding between the Office of the Australian Information Commissioner and the Department of Health, in relation to the provision of dedicated privacy-related services under the Privacy Act 1988, the My Health Records Act 2012 and the Healthcare Identifiers Act 2010.

As instructed, I am providing this report to you given your role in overseeing the MOU during the six months to which the report relates. However, now that you have moved across to the Australian Digital Health Agency, I would be grateful if you would also provide the report to relevant people within the Department of Health.

If you have any queries relating to the report please contact Melanie Drayton on [contact details removed].

Yours sincerely

Angelene Falk
Deputy Commissioner

16 December 2016

Section 1 — Advice, guidance, liaison and other activities

The Office of the Australian Information Commissioner (OAIC) is required to report biannually under the Memorandum of Understanding (MOU) with the Department of Health (Health) in relation to the My Health Record system and Healthcare Identifiers (HI) system activities.

Section 10.1 of the MOU requires that the performance and impact of the activities set out in the MOU are adequately and effectively monitored and assessed.

The activities reported below relate to work performed on activities listed in section 3.1 of Schedule 1 and section 3.1 of Schedule 2 of the MOU, other than the compliance and enforcement activities set out under Section 2 of this report.

Activities relating to the My Health Record system

Advice

S3.1(g) – Respond to enquiries and requests for advice on the appropriate handling of My Health Record information and other privacy compliance obligations in relation to the My Health Record system
  • The OAIC finalised comments to Health on draft materials developed for healthcare recipients living in the opt-out trial areas of the My Health Record system.
  • The OAIC provided Health with comments on its draft privacy policy and collection notice for the My Health Record system.
  • The OAIC provided comments to Health on its draft Privacy Impact Assessment on the opt-out arrangements for the My Health Record system.
  • The OAIC provided comments to Health on its draft healthcare provider training modules, which will be accessed by healthcare providers through the My Health Record website.
  • The OAIC provided comments to Health on the eHealth working group draft National Digital Health Strategy.
  • The OAIC provided comments to Health on a draft Privacy Impact Assessment regarding proposed arrangements for Professional Representatives to access and manage the My Health Records of children in out-of-home care.
  • The OAIC provided comments to Health on a draft preliminary Privacy Impact Assessment regarding mobile apps and the My Health Record system.
  • The OAIC responded to an enquiry from an ICT consultant regarding the use of de-identified aggregate My Health Record data.
  • The OAIC responded to an enquiry received from an ICT consultant about the OAIC’s role in digital health policy development.
  • The OAIC provided advice to an ICT consultant regarding penalties under the My Health Records Act.
  • The OAIC provided comments to a peak health body on its draft My Health Record policy template. The policy template was developed to address the requirements of s 42 of the My Health Record Rule 2016.
  • The OAIC responded to an enquiry about the My Health Record system and the OAIC’s role in the development of digital health policy, which was received from an individual who is both a resident and healthcare practitioner in the Nepean Blue Mountains opt-out trial area.
  • The OAIC commenced considering a request for advice from a State government body about the application and interpretation of the My Health Records Act 2012. The OAIC is currently consulting with Health on the issue (as the Department which administers the Act).
  • The OAIC received 22 other enquiries regarding the My Health Record system. These included a number of enquiries about how to opt out of the system and enquiries about data breach notification requirements.

Guidance

S3.1(h) – Prepare and/or update written guidance materials for participants in the My Health Record system on the appropriate handling of My Health Record information and other privacy compliance obligations in relation to the My Health Record system
  • The OAIC revised a series of seven fact sheets for healthcare recipients on the My Health Record system. These existing fact sheets were updated to reflect changes to the My Health Record system made by the Health Legislation Amendment (eHealth) Act 2015 and are now available on the OAIC website. Five of these fact sheets apply to all healthcare recipients in Australia, while two of the fact sheets apply only to individuals living in opt-in areas.
  • The OAIC finalised and published two new fact sheets for healthcare recipients on the My Health Record system. These fact sheets apply to individuals living in the opt-out trial areas. One provides an overview of key aspects of the opt-out trials, including how to set preferences before healthcare providers can access the record and the factors to consider before deciding whether or not to opt out. It also explains who will be able to access a My Health Record once it has been created. The second fact sheet provides information for parents, carers and young people on accessing the My Health Record system.
  • The OAIC developed draft versions of two new business resources for healthcare providers. One covers the legislative requirements that apply to handling a patient’s personal information when using the My Health Record system. The second provides tips on how to protect a patient’s privacy when using the My Health Record system. The OAIC expects to publish these new resources early in the new financial year.
  • The OAIC prepared draft revisions to its Guide to mandatory data breach notification in the My Health Record system to reflect changes to the mandatory data breach notification requirements in s 75 of the My Health Records Act 2012.
  • The OAIC began developing a business resource for healthcare providers on the mandatory data breach notification requirements. This resource is specifically targeted at providers and will complement the OAIC’s existing Guide to mandatory data breach notification in the My Health Record system.
  • The OAIC updated pages on the OAIC website to reflect legislative and terminology changes as a result of the Health Legislation Amendment (eHealth) Act 2015.
  • Following a public consultation in late 2015, the OAIC revised two draft fact sheets for healthcare recipients relating to health privacy issues including access to, and correction of, health information.
  • Following a public consultation in late 2015, the OAIC conducted further consultation with stakeholders on its new guidance dealing with health care providers’ privacy obligations when handling health information. In addition, new content was developed for the draft guidance to reflect the new permitted health situation on family medical histories (introduced into the Privacy Act 1988 by the Health Legislation Amendment (eHealth) Act 2015).
S3.1(i) – Update guidance for exercising the powers conferred on the Information Commissioner by the My Health Records Act as required
  • The OAIC finalised and registered the revised legislative instrument, My Health Records (Information Commissioner Enforcement Powers) Guidelines 2016 (made under s 111 of the My Health Records Act) on 21 March 2016. The revised guidelines reflect the OAIC’s Privacy regulatory action policy and the Information Commissioner’s enhanced enforcement and regulatory powers which were conferred by the Privacy Amendment (Enhancing Privacy Protection) Act 2012. The guidelines also reflect feedback received during a public consultation on the guidelines which ran from October to November 2015, and amendments made by the Health Legislation Amendment (eHealth) Act 2015.
  • The OAIC prepared draft updates to its Guide to privacy regulatory action to reflect changes to its My Health Records Act enforcement powers as a result of the Health Legislation Amendment (eHealth) Act 2015.

Liaison

S3.1(j) – Liaise and coordinate on privacy-related My Health Record activities with the System Operator and other key agencies (Health, NeHTA and DHS-Medicare)
  • The OAIC prepared a biannual report under the MOU between Health and the OAIC for the period ending 31 December 2015.
  • The OAIC and Health discussed the communications plan for the OAIC’s two fact sheets for healthcare recipients on the My Health Record system opt-out trials.
S3.1(k) – Liaise and coordinate on privacy-related My Health Record activities with state and territory regulators
  • None required

Other activities

S3.1(l) – Prepare My Health Record-related briefing material, speeches, articles and media comment on privacy matters
  • OAIC staff developed briefing material for the Commissioner in preparation for his appearance at the Senate Select Committee on Health’s hearing into data linkage. The briefing material included an overview of the System Operator’s function of preparing and providing de-identified data for research and public health purposes.
  • The Commissioner participated in a meeting of the United General Practice Australia group. The Commissioner was asked to discuss privacy in the healthcare sector, including an overview of the My Health Record system information handling requirements and related compliance issues, the OAIC’s assessment of general practices, and the OAIC’s approach to enforcement of the My Health Records Act 2012.
S3.1(m) – Comment on draft legislation that may interact with the My Health Records Act (where appropriate)
  • None required.
S3.1(n) – Participate in consultations and comment on digital health developments that relate to the My Health Record system
  • None required.
S3.1(o) – Update internal reference materials and provide staff training as necessary
  • The OAIC conducted induction training in digital health and the OAIC’s digital health regulatory oversight role for all new OAIC staff.
  • The OAIC conducted detailed digital health induction and training for one new staff member working in a digital health team.
  • OAIC staff delivered an update session to the OAIC Enquiries Line and Dispute Resolution Branch on the opt-out trials and other developments in the My Health Record system.
S3.1(p) – Monitor developments in digital health and the My Health Record system to ensure the OAIC is able to offer informed advice about privacy aspects of the operation of the My Health Record system and the broader digital health context
  • OAIC staff monitored news clips and subscribed to digital health websites and blogs, such as Pulse+IT.
  • An OAIC staff member attended the ‘Healthcare efficiency through technology’ stream at the annual Australian Healthcare Week conference in Sydney. The conference provided an overview of how hospitals are evolving to keep up with technological change and advancements, including the implementation of digital health records and new technologies that are being used in medicine.
  • An OAIC staff member attended the ‘Measuring Health Outcomes Conference’ which included presentations on health data analytics, personalised medicine and other issues relating to technological developments in the health industry.
  • OAIC staff attended NeHTA’s webinar on privacy, consent and provider obligations in the My Health Record system.

Activities relating to the Healthcare Identifiers Service

Advice

S3.1(e) – Respond to enquiries and requests for advice on the appropriate handling of Healthcare Identifiers and other privacy compliance obligations in relation to the HI Service
  • No enquiries or requests for advice received.

Guidance

S3.1(f) – Prepare and/or update written guidance materials for participants in the healthcare industry on the appropriate handling of Healthcare Identifiers and other privacy compliance obligations in relation to the HI Service
  • The OAIC published updates to pages of the OAIC website to reflect legislative changes as a result of the Health Legislation Amendment (eHealth) Act 2015.
  • The OAIC prepared draft updates to its Guide to privacy regulatory action to reflect changes to its Healthcare Identifiers Act 2010 (HI Act) enforcement powers as a result of the Health Legislation Amendment (eHealth) Act 2015.

Liaison

S3.1(g) – Liaise and coordinate on privacy related HI activities with key agencies (Health, NeHTA and DHS-Medicare)
  • On 7 April 2016, the OAIC met with NeHTA for a briefing and discussion on proposed enhancements to the Individual Healthcare Identifier (IHI) search rules to improve IHI match rates.
  • The OAIC prepared a biannual report under the MOU between Health and the OAIC for the period ending 31 December 2015.
S3.1(h) – Liaise and coordinate on privacy related HI activities with state and territory regulators
  • None required.

Other activities

S3.1(i) – Prepare HI-related briefing material, speeches, articles and media comment on privacy matters
  • None required.
S3.1(j) – Comment on draft legislation that may interact with the HI Act (where appropriate)
  • None required.
S3.1(k) – Participate in consultations and comment on digital health developments that relate to the HI Service
  • None required.
S3.1(l) – Update internal reference materials and provide staff training as necessary
  • The OAIC conducted induction training in digital health and the OAIC’s digital health regulatory oversight role for all new OAIC staff.
  • The OAIC conducted detailed digital health induction and training for one new staff member working in a digital health team.
S3.1(m) – Monitor developments in digital health and the HI Service to ensure the OAIC is aware of the implications of any developments for the HI Service and able to offer informed advice about privacy aspects of the operation of the HI Service in the broader digital health context.
  • OAIC staff monitored news clips and subscribed to digital health websites and blogs, such as Pulse+IT.

Section 2 — Compliance and enforcement activities

The OAIC is required to undertake a range of compliance and enforcement activities under the MOU. Section 3.3 of Schedule 1 of the MOU requires the OAIC to produce a biannual report about activities related to the My Health Record system which, at a minimum, provides a summary of

  1. any complaints or compliance issues within the period and the outcomes or conciliation activities associated
  2. any investigations commenced within the period and the findings and recommendations associated; and
  3. any assessments commenced within the period and the findings and recommendations associated.

The Information Commissioner (the Commissioner) also has annual statutory reporting obligations under section 106 of the My Health Records Act.

Section 3.3 of Schedule 2 of the MOU requires the OAIC to produce a biannual report about activities related to the HI Service which, at a minimum, provides a summary of

  1. any investigations commenced within the period and the findings and recommendations associated
  2. any assessments commenced within the period and the findings and any recommendations associated; and
  3. complaints or compliance issues within the period and the outcomes or conciliation activities associated.

The Commissioner also has annual statutory reporting obligations under section 30 of the HI Act.

For consistency purposes, the biannual reports will contain the same statistical reporting fields as the Commissioner’s statutory reporting requirements under the My Health Records Act and the HI Act.

However, information about enforceable undertakings accepted by the Commissioner or proceedings taken by the Commissioner will not appear in biannual reports. Full details about compliance and enforcement activities (complaints, investigations and assessments) may not be available for biannual reports where these matters are still undergoing investigation or assessment.

Compliance activities relating to My Health Record system

Table A: Matters commenced and finalised during the reporting period 1 January to 30 June 2016.

                                          Received/commenced    Finalised        Open at
                                          during period         during period    30 June
  Assessments                             Nil                   1[1]             1
  Complaints                              1                     Nil              1
  Commissioner-initiated investigations   Nil                   Nil              Nil

Table B: Data breach notifications (DBNs) received and closed during the reporting period 1 January to 30 June 2016.

                     Received in the period          Closed in the period            Open at 30 June
  Notifying party    Number of   Number of           Number of   Number of           Number of   Number of
                     DBNs        healthcare          DBNs        healthcare          DBNs        healthcare
                                 recipients affected             recipients affected             recipients
  System Operator    1           1                   2           2                   Nil         Nil
  DHS                8           73[2]               7           27[2]               5           67[2]

Details of assessments relating to the My Health Record system

Assessments commenced during the reporting period

None

Assessments closed during the reporting period

Assessment: The OAIC was conducting an assessment of the System Operator’s handling of personal information held in the National Prescription and Dispense Repository.

Status: The OAIC anticipated that this assessment would be finalised during this reporting period. However, the assessment has been discontinued due to delays with Health’s end-to-end security review of the My Health Record system and the consequential updating of relevant security policies (both of which are relevant to this assessment). Further assessment action on this area will be considered in consultation with Health.

Assessments commenced in previous reporting periods and still underway

Assessment: The OAIC is conducting an assessment of the System Operator’s implementation of recommendations made by the OAIC in its previous Information Privacy Principle 4 audit of the System Operator. The previous audit examined how the System Operator protected personal information held on the National Repositories Service.

Status: The OAIC anticipated that this assessment would be finalised during this reporting period. However, due to delays with Health’s end-to-end security review of the My Health Record system and the consequential updating of the relevant security policies (both of which are relevant to this assessment), the scope of the assessment was amended. The OAIC conducted the assessment based on the amended scope and is in the process of finalising the findings. Further assessment action following the completion of the end-to-end security review and the updating of Health’s security policies will be considered in consultation with Health.

Other assessment publications

Assessment: The OAIC conducted an assessment of privacy policies of 40 general practice clinics. This assessment was finalised with individual report cards provided to the GP clinics in the previous reporting period.

Status: A consolidated de-identified report of the OAIC’s findings was prepared in consultation with key representative bodies, specifically the Australian Medical Association, the Royal Australian College of General Practitioners, the Australian Association of Practice Management and the Australian College of Rural and Remote Medicine. The consolidated report was finalised and published on the OAIC website during the reporting period.

Details of mandatory data breach notifications relating to the My Health Record system

Mandatory data breach notifications received during the reporting period

The OAIC received one mandatory data breach notification from the System Operator during the reporting period in April 2016. It involved the unauthorised access of a healthcare recipient’s My Health Record by a third party. The OAIC closed this matter during the reporting period (see below).

The OAIC also received eight mandatory data breach notifications from the Department of Human Services during the reporting period.

  • Six notifications resulted from findings under the Medicare compliance program that Medicare claims not belonging to the healthcare recipient had been uploaded to their digital health record. These notifications totalled 69 breaches, each of which affected a separate healthcare recipient. Three of these data breach notifications have been closed, and the review of the other three, totalling 63 breaches, was ongoing as at 30 June 2016.
  • A further two notifications, affecting four healthcare recipients, two with a My Health Record and two without, received in late June 2016 relate to healthcare recipients with similar demographic information having their Medicare records intertwined. As a result, Medicare claims data belonging to more than one healthcare recipient was made available in the digital health record of the record owner. Review of these notifications was ongoing as at 30 June 2016.

Mandatory data breach notifications closed during the reporting period

The OAIC completed its enquiries into the data breach notification received from the System Operator in April 2016 (referred to above) and into a similar data breach notification received in the previous reporting period.

The OAIC requested further information from the System Operator regarding the data breaches. Following consideration of that material and its response, the OAIC considers that the System Operator has acted appropriately in assessing those incidents, sought to cancel the relevant My Health Records and sought to contact affected individuals. The OAIC did, however, request subsequent clarification on a number of issues relating to the steps being taken to prevent future breaches which it is progressing as at 30 June 2016.

The OAIC also completed its enquiries into seven of the data breach notifications received from the Department of Human Services referred to above. The OAIC requested further information from the Department and, following consideration of that material and its response in regard to those data breaches, considers that the Department has acted appropriately in assessing those incidents, sought to cancel the relevant My Health Records and sought to contact affected individuals.

The OAIC expects to close the other five notifications received following further clarification of the circumstances of the breaches contained within those notifications.

Mandatory data breach notifications received in previous reporting periods and still open

None

Details of complaints relating to the My Health Record system

Complaints received during the reporting period

The OAIC received one complaint during the reporting period which alleged that the opt-out portal for the My Health Record system opt-out trials was not appropriately encrypted. The OAIC is conducting preliminary inquiries in relation to this matter.

Compliance activities relating to Healthcare Identifiers Service

Table C: Matters commenced and finalised during the reporting period 1 January to 30 June 2016.

                                          Received/commenced    Finalised        Open at
                                          during period         during period    30 June
  Complaints                              Nil                   Nil              Nil
  Commissioner-initiated investigations   Nil                   Nil              Nil
  Assessments                             1                     0                1

Details of assessments relating to the Healthcare Identifiers Service

Assessments closed during the reporting period

None

Assessments commenced in previous reporting periods and still underway

Assessment: The OAIC is conducting an assessment into the handling of personal information by the Australian Health Practitioner Regulation Agency (AHPRA) in its role as a national registration authority for healthcare practitioners.

Status: The OAIC has conducted the assessment and is in the process of finalising the findings made from the assessment.

Other assessment publications

Assessment: The OAIC conducted an assessment of privacy policies of 40 general practice clinics. This assessment was finalised with individual report cards provided to the GP clinics in the previous reporting period and closed.

Status: A consolidated de-identified report of the OAIC’s findings was prepared in consultation with key representative bodies, specifically the Australian Medical Association, the Royal Australian College of General Practitioners, the Australian Association of Practice Management and the Australian College of Rural and Remote Medicine. The consolidated report was finalised and published on the OAIC website during the reporting period.

Footnotes

[1] This figure includes an assessment opened during this reporting period regarding the System Operator’s handling of personal information held in the National Prescription and Dispense Repository. However, this assessment has been discontinued – see further details below.

[2] The total number of healthcare recipients affected includes individuals with and without a My Health Record at the time of the breach. Accordingly, there were 71 individuals with a My Health Record in the DBNs received in the period, 25 such individuals in the DBNs closed in the period, and 65 in the DBNs open at 30 June.