Australian Government - Office of the Australian Information Commissioner
Department of Health MOU Quarterly Report for the period ending 30 June 2015

Mr Kim Bessell
Assistant Secretary
eHealth Change & Adoption Branch
Department of Health
GPO Box 9848
CANBERRA ACT 2601

Dear Mr Bessell

I am pleased to provide you with the quarterly report for the period ending 30 June 2015, in accordance with Section 3.3 of Schedule 1, Section 3.3 of Schedule 2 and Section 10.1 of the Memorandum of Understanding between the Office of the Australian Information Commissioner and the Department of Health, in relation to the provision of dedicated privacy-related services under the Privacy Act 1988, the Personally Controlled Electronic Health Records Act 2012 (PCEHR Act) and the Healthcare Identifiers Act 2010 (HI Act).

If you have any queries relating to the report please contact Jacob Suidgeest on [contact details removed].

Yours sincerely

Angelene Falk
Assistant Commissioner

14 July 2015

Section 1 — Advice, guidance, liaison and other activities

The Office of the Australian Information Commissioner (OAIC) is required to report quarterly under the Memorandum of Understanding (MOU) with the Department of Health (Health) in relation to Personally Controlled Electronic Health Records (PCEHR) system and Healthcare Identifiers (HI) system activities.

Clause 10.1 of the MOU requires that the performance and impact of the activities set out in the MOU are adequately and effectively monitored and assessed.

The activities reported below relate to work performed on activities listed in section 3.3 of Schedule 1 and section 3.3 of Schedule 2 of the MOU, other than the compliance and enforcement activities set out under Section 2 of this report.

Activities relating to the PCEHR system

Advice

S3.1(g) – Respond to enquiries and requests for advice on the appropriate handling of PCEHR information and other privacy compliance obligations in relation to the PCEHR system
  • The OAIC finalised its advice to an eHealth IT security consultant who wrote to the OAIC seeking advice on privacy compliance obligations when outsourcing IT support services.

  • The OAIC finalised its response to a peak health body who wrote to the OAIC seeking advice about patient consent in the context of electronic transfer of prescriptions (eTP) transactions, including where that information is uploaded to the PCEHR system.

  • The OAIC responded to five enquiries received from individuals about the PCEHR system. This included two enquiries from members of the public who were seeking information about the process for opting-out of the eHealth record system (apparently believing that the system was already based on opt-out participation or that the change to opt-out was imminent). The OAIC consulted with the Department to obtain up-to-date information to provide to the enquirers.

Guidance

S3.1(h) – Prepare and/or update written guidance materials for participants in the PCEHR system on the appropriate handling of PCEHR information and other privacy compliance obligations in relation to the PCEHR system
  • The OAIC has continued developing a series of new business resources for health service providers. The resources relate to privacy obligations when handling health information, including information contained in the PCEHR system. Once finalised after consultation, the resources will replace the OAIC’s existing health privacy guidance. The resources include information on privacy legislation in some State and Territory jurisdictions, noting that some healthcare providers are covered by both federal and state/territory legislation.

  • The OAIC has also continued to develop two consumer fact sheets relating to health privacy issues including access to, and correction of, health information. Once finalised after consultation, the resources will replace the OAIC’s existing consumer health privacy guidance.

  • The OAIC is in the process of developing a webpage for health service providers that describes health privacy legislation in Australia, including explaining the coverage of Commonwealth, state and territory legislation.

S3.1(i) – Update guidance for exercising the powers conferred on the Information Commissioner by the PCEHR Act as required
  • The OAIC has continued to prepare updates to the PCEHR Enforcement Guidelines (made under s 111 of the PCEHR Act) to reflect the OAIC’s Privacy regulatory action policy. The Enforcement Guidelines outline how the OAIC will approach enforcement issues under the PCEHR Act and other privacy legislation.

  • The OAIC has continued work on the draft guide to mandatory data breach notification under the PCEHR system in consultation with the Department of Health and other key stakeholders.

  • The OAIC published the final version of its Guide to privacy regulatory action. This Guide is relevant to the OAIC’s powers under both the PCEHR Act and the Privacy Act and provides stakeholders with a more detailed understanding of when and how the OAIC will exercise particular powers.

Liaison

S3.1(j) – Liaise and coordinate on privacy-related PCEHR activities with the System Operator and other key agencies (Health, NeHTA and DHS-Medicare)
  • The OAIC attended an eHealth briefing session in relation to the eHealth budget announcements on 25 May 2015.

  • The OAIC attended an eHealth briefing session in relation to the eHealth legislation discussion paper on 16 June 2015.

  • The OAIC attended a quarterly meeting with the Department of Health on 29 May 2015.

  • The OAIC prepared a quarterly MOU report for the period ending 31 March 2015.

S3.1(k) – Liaise and coordinate on privacy-related PCEHR activities with state and territory regulators
  • None required.

Other activities

S3.1(l) – Prepare PCEHR-related briefing material, speeches, articles and media comment on privacy matters
  • The Privacy Commissioner gave a presentation at the Australian and New Zealand Health Complaints Commissioner's Conference on Thursday 23 April. The Commissioner informed the Commissioners of the OAIC’s work in eHealth, complaint handling work, challenges faced by health service providers and issues arising in regulating across jurisdictions.

S3.1(m) – Comment on draft legislation that may interact with the PCEHR Act (where appropriate)
  • The OAIC made a submission to the Department of Health in response to the Department’s Discussion Paper regarding proposed changes to the Personally Controlled Electronic Health Records Act 2012 and the Healthcare Identifiers Act 2010.

  • The OAIC attended a number of meetings with the Department and the Attorney-General’s Department to discuss proposed changes to the PCEHR Act and Privacy Act.

  • The OAIC provided comments on draft legislative proposals relating to the PCEHR Act and the Privacy Act.

S3.1(n) – Participate in consultations and comment on eHealth developments that relate to the PCEHR system
  • None required.

S3.1(o) – Update internal reference materials and provide staff training as necessary
  • As noted above under S3.1(i), the OAIC published the Guide to privacy regulatory action, which will be an internal reference for OAIC staff exercising regulatory powers in relation to the PCEHR system, as well as providing guidance for external stakeholders.

S3.1(p) – Monitor developments in eHealth and the PCEHR system to ensure the OAIC is able to offer informed advice about privacy aspects of the operation of the PCEHR system and the broader eHealth context
  • The OAIC reviewed the Australian National Audit Office’s Audit Report on the Department of Defence’s Electronic Health Records System.

  • The OAIC reviewed the first three ACSQHC Clinical Safety Reports into the PCEHR.

  • The OAIC continued to monitor the media for any news relating to the PCEHR.

Activities relating to the Healthcare Identifiers service

Advice

S3.1(e) – Respond to enquiries and requests for advice on the appropriate handling of HIs and other privacy compliance obligations in relation to the HI service
  • None required.

Guidance

S3.1(f) – Prepare and/or update written guidance materials for participants in the healthcare industry on the appropriate handling of HIs and other privacy compliance obligations in relation to the HI service
  • As noted above, the OAIC is developing new business privacy resources which deal with privacy obligations when handling health information.

Liaison

S3.1(g) – Liaise and coordinate on privacy related HI activities with key agencies (Health, NeHTA and DHS-Medicare)
  • The OAIC attended an eHealth briefing session in relation to the eHealth budget announcements on 25 May 2015.

  • The OAIC attended an eHealth briefing session in relation to the eHealth legislation discussion paper on 16 June 2015.

  • The OAIC attended a quarterly meeting with the Department of Health on 29 May 2015.

  • The OAIC prepared a quarterly MOU report for the period ending 31 March 2015.

S3.1(h) – Liaise and coordinate on privacy related HI activities with state and territory regulators
  • None required.

Other activities

S3.1(j) – Prepare HI-related briefing material, speeches, articles and media comment on privacy matters
  • The Privacy Commissioner gave a presentation at the Australian and New Zealand Health Complaints Commissioner's Conference on Thursday 23 April. The Commissioner informed the Commissioners of the OAIC’s work in eHealth, complaint handling work, challenges faced by health service providers and issues arising in regulating across jurisdictions.

S3.1(k) – Comment on draft legislation that may interact with the HI Act (where appropriate)
  • The OAIC made a submission to the Department of Health in response to the Department’s Discussion Paper regarding proposed changes to the Personally Controlled Electronic Health Records Act 2012 and the Healthcare Identifiers Act 2010.

  • The OAIC attended a number of meetings with the Department and the Attorney-General’s Department to discuss proposed changes to the HI Act.

  • The OAIC provided comments on draft legislative proposals relating to the HI Act.

S3.1(l) – Participate in consultations and comment on eHealth developments that relate to the HI service
  • None required.

S3.1(m) – Update internal reference materials and provide staff training as necessary
  • None required.

S3.1(n) – Monitor developments in eHealth and the HI service to ensure the OAIC is aware of the implications of any developments for the HI service and able to offer informed advice about privacy aspects of the operation of the HI service in the broader eHealth context
  • The OAIC continues to monitor the media for HI-related news and developments.

Section 2 — Compliance and enforcement activities

The OAIC is required to undertake a range of compliance and enforcement activities under the MOU.

Clause 3.3 of Schedule 1 of the MOU requires the OAIC to produce a quarterly report about activities related to the PCEHR system which, at a minimum, provides a summary of:

  1. any complaints or compliance issues within the period and the associated outcomes or conciliation activities;

  2. any investigations commenced within the period and the associated findings and recommendations; and

  3. any assessments commenced within the period and the associated findings and recommendations.

The Information Commissioner (the Commissioner) also has annual statutory reporting obligations under section 106 of the PCEHR Act.

Clause 3.3 of Schedule 2 of the MOU requires the OAIC to produce a quarterly report about activities related to the HI Service which, at a minimum, provides a summary of:

  1. any investigations commenced within the period and the associated findings and recommendations;

  2. any assessments commenced within the period and the associated findings and any recommendations; and

  3. any complaints or compliance issues within the period and the associated outcomes or conciliation activities.

The Commissioner also has annual statutory reporting obligations under section 30 of the HI Act.

For consistency purposes, the quarterly reports will contain the same statistical reporting fields as the Commissioner’s statutory reporting requirements under the PCEHR Act and the HI Act.

However, information about enforceable undertakings accepted by the Commissioner or proceedings taken by the Commissioner will not appear in quarterly reports. Full details about compliance and enforcement activities (complaints, investigations and assessments) may not be available for quarterly reports where these matters are still undergoing investigation or assessment.

Compliance activities relating to PCEHR system

Table A: Matters commenced and finalised during the reporting period 1 April to 30 June 2015.

  Matter type                             Received/commenced   Finalised       Open at
                                          during period        during period   30 June 2015
  Complaints                              Nil                  Nil             Nil
  Commissioner-initiated investigations   Nil                  Nil             Nil
  Assessments                             1                    1               2
  Mandatory data breach notifications     Nil                  7               Nil

Details of assessments relating to the PCEHR system

Assessments commenced during the reporting period

Assessment: The OAIC is conducting an assessment of privacy policies of 40 general practice clinics. The clinics were selected at random other than ensuring half of the clinics were, or form part of, GP super clinics and that all Australia's states and territories were represented. The assessment includes consideration of whether the policies reflected the clinics’ use of the eHealth system and individual healthcare identifiers.

Status: This assessment is ongoing.

Assessments closed during the reporting period

Assessment: The OAIC has conducted an assessment of the controls applied by St Vincent’s Hospital Sydney Limited relating to access to the eHealth system.

Status: Finalised and published on the OAIC website.

Assessments commenced in previous reporting periods and still underway

Assessment: The OAIC is conducting an assessment of controls applied by a number of GP clinics relating to access to the eHealth system.

Status: This assessment is continuing.

Details of mandatory data breach notifications relating to the PCEHR system

Mandatory data breach notifications received during the reporting period

None

Mandatory data breach notifications closed during the reporting period

The OAIC has completed its enquiries into the seven data breach notifications received from the Chief Executive Medicare in the previous reporting periods and referred to in the last quarterly report.

The OAIC requested further information from the Chief Executive Medicare. Following consideration of that material the OAIC considers that the Department of Human Services has acted appropriately in assessing the incident, containing any disclosure of personal information and notifying affected individuals. The Department has also developed a work plan to lessen the chance of further data breaches of the same nature.

Mandatory data breach notifications received in previous reporting periods and still open

None

Compliance activities relating to Healthcare Identifiers service

Table B: Matters commenced and finalised during the reporting period 1 April to 30 June 2015.

  Matter type                             Received/commenced   Finalised       Open at
                                          during period        during period   30 June 2015
  Complaints                              Nil                  Nil             Nil
  Commissioner-initiated investigations   Nil                  Nil             Nil
  Assessments                             1                    Nil             1

Details of assessments relating to the HI Service

Assessments commenced during the reporting period

Assessment: The OAIC is conducting an assessment of privacy policies of 40 general practice clinics. The clinics were selected at random other than ensuring half of the clinics were, or form part of, GP super clinics and that all Australia's states and territories were represented. The assessment includes consideration of whether the policies reflected the clinics’ use of the eHealth system and individual healthcare identifiers.

Status: This assessment is ongoing.