Australian Government - Office of the Australian Information Commissioner

Department of Health MOU Quarterly Report for the period ending 31 December 2014

Ms Teressa Ward
Assistant Secretary
eHealth Change & Adoption Branch
Department of Health
GPO Box 9848
CANBERRA ACT 2601

Dear Ms Ward

I am pleased to provide you with the quarterly report for the period ending 31 December 2014, in accordance with Section 3.3 of Schedule 1, Section 3.3 of Schedule 2 and Section 10.1 of the Memorandum of Understanding between the Office of the Australian Information Commissioner and the Department of Health, in relation to the provision of dedicated privacy-related services under the Privacy Act 1988, the Personally Controlled Electronic Health Records Act 2012 and the Healthcare Identifiers Act 2010.

If you have any queries relating to the report please contact Jacob Suidgeest on [contact details removed].

Yours sincerely

Timothy Pilgrim
Australian Privacy Commissioner
January 2015

Section 1 — Advice, guidance, liaison and other activities

The Office of the Australian Information Commissioner (OAIC) is required to report quarterly under the Memorandum of Understanding (MOU) with the Department of Health (Health) in relation to Personally Controlled Electronic Health Records (PCEHR) system and Healthcare Identifiers (HI) system activities.

Clause 10.1 of the MOU requires that the performance and impact of the activities set out in the MOU are adequately and effectively monitored and assessed.

The activities reported below relate to work performed on activities listed in section 3.3 of Schedule 1 and section 3.3 of Schedule 2 of the MOU, other than the compliance and enforcement activities set out under Section 2 of this report.

Activities relating to the PCEHR system

Advice

S3.1(g) – Respond to enquiries and requests for advice on the appropriate handling of PCEHR information and other privacy compliance obligations in relation to the PCEHR system
  • The Australian Privacy Foundation (APF) wrote to the OAIC on 8 August 2014 raising privacy concerns regarding a Department of Health survey which sought feedback on the PCEHR Review. The OAIC considered the issues raised, and consulted with Health about the nature of the survey, the responses collected, and the contractual arrangement under which the survey was conducted. The OAIC responded to the APF by letter.
  • The health peak body wrote to the OAIC seeking advice about patient consent in the context of electronic transfer of prescriptions (eTP) transactions, including where that information is uploaded to the PCEHR system. The OAIC is currently preparing a response.

Guidance

S3.1(h) – Prepare and/or update written guidance materials for participants in the PCEHR system on the appropriate handling of PCEHR information and other privacy compliance obligations in relation to the PCEHR system
  • The OAIC has drafted minor revisions to existing health privacy guidance to reflect amendments to the Privacy Act 1988.
  • The OAIC has commenced drafting a series of eleven new business resources for health service providers. The resources relate to privacy obligations when handling health information, including information contained in the PCEHR system. Once finalised after consultation, these resources will replace the OAIC’s existing health privacy guidance.
  • The OAIC has commenced drafting two fact sheets for consumers about health privacy issues, including access to, and correction of, health information. Once finalised after consultation, the resources will replace the OAIC’s existing consumer health privacy guidance.
S3.1(i) – Update guidance for exercising the powers conferred on the Information Commissioner by the PCEHR Act as required
  • The OAIC published its Privacy regulatory action policy on 17 November 2014. The Policy explains the OAIC’s range of regulatory powers and the way in which those powers are used, and is relevant to the OAIC’s powers under both the Privacy Act and the PCEHR Act.
  • The OAIC consulted on an exposure draft of six chapters of the draft Guide to privacy regulatory action in November and December 2014. This Guide is relevant to the OAIC’s powers under both the PCEHR Act and the Privacy Act and provides stakeholders with a more detailed understanding of when and how the OAIC will exercise particular powers.
  • The OAIC continued work on the draft guide to mandatory data breach notification under the PCEHR System and conducted a final targeted consultation. The OAIC has commenced an analysis of the consultation responses received.

Liaison

S3.1(j) – Liaise and coordinate on privacy-related PCEHR activities with the System Operator and other key agencies (Health, NeHTA and DHS-Medicare)
  • The OAIC contacted Health seeking an update on the planned pathology and diagnostic imaging functionality for the PCEHR system following media articles about developments that had occurred. The OAIC received the relevant design documentation and a verbal brief from the Department of Health. The OAIC reviewed design documentation relating to the release and provided written comments to Health about the development process and the final design.
  • The OAIC attended a quarterly meeting with the Department of Health in November 2014.
  • The OAIC prepared a quarterly MOU report for the period ending 30 September 2014.
  • The OAIC liaised with DHS Medicare about its proactive data integrity activities which relate to healthcare identifiers and the PCEHR system.
S3.1(k) – Liaise and coordinate on privacy-related PCEHR activities with state and territory regulators
  • None required.

Other activities

S3.1(l) – Prepare PCEHR-related briefing material, speeches, articles and media comment on privacy matters
  • None required.
S3.1(m) – Comment on draft legislation that may interact with the PCEHR Act (where appropriate)
  • No draft legislation was received.
S3.1(n) – Participate in consultations and comment on eHealth developments that relate to the PCEHR system
  • None required.
S3.1(o) – Update internal reference materials and provide staff training as necessary
  • As noted above under S3.1(i), the OAIC consulted on the Guide to privacy regulatory action, which will be an internal reference for OAIC staff exercising regulatory powers in relation to the PCEHR system as well as providing guidance for external stakeholders.
S3.1(p) – Monitor developments in eHealth and the PCEHR system to ensure the OAIC is able to offer informed advice about privacy aspects of the operation of the PCEHR system and the broader eHealth context
  • The OAIC monitored media articles relating to the planned pathology and diagnostic imaging functionality in the PCEHR system.
  • The OAIC conducted research into Telstra’s recent acquisitions and expansion into the eHealth space.
  • Following a media article about University of NSW research into security for wearable healthcare sensor devices, including the possibility of collected data being fed into eHealth systems, the OAIC has been in contact with the researchers with a view to following the progress of this research.
  • The OAIC attended the eHealth Interoperability Conference in Sydney on 28 and 29 October 2014.
  • OAIC staff continued to monitor news clips and subscribe to eHealth websites and blogs, such as eHealthspace.org and Pulse+IT.

Activities relating to the Healthcare Identifiers service

Advice

S3.1(e) – Respond to enquiries and requests for advice on the appropriate handling of HIs and other privacy compliance obligations in relation to the HI service
  • None required.

Guidance

S3.1(f) – Prepare and/or update written guidance materials for participants in the healthcare industry on the appropriate handling of HIs and other privacy compliance obligations in relation to the HI service
  • As noted above, the OAIC has drafted minor revisions to existing health privacy guidance, and has commenced drafting a series of eleven new business resources for health service providers relating to privacy obligations when handling health information.

Liaison

S3.1(g) – Liaise and coordinate on privacy-related HI activities with key agencies (Health, NeHTA and DHS-Medicare)
  • The OAIC attended a quarterly meeting with the Department of Health on 19 November 2014.
  • The OAIC prepared a quarterly MOU report for the period ending 30 September 2014.
  • The OAIC liaised with DHS Medicare about its proactive data integrity activities which relate to healthcare identifiers and the PCEHR system.
S3.1(h) – Liaise and coordinate on privacy-related HI activities with state and territory regulators
  • None required.

Other activities

S3.1(j) – Prepare HI-related briefing material, speeches, articles and media comment on privacy matters
  • None required.
S3.1(k) – Comment on draft legislation that may interact with the HI Act (where appropriate)
  • No draft legislation was received.
S3.1(l) – Participate in consultations and comment on eHealth developments that relate to the HI service
  • None required.
S3.1(m) – Update internal reference materials and provide staff training as necessary
  • None required.
S3.1(n) – Monitor developments in eHealth and the HI service to ensure the OAIC is aware of the implications of any developments for the HI service and able to offer informed advice about privacy aspects of the operation of the HI service in the broader eHealth context
  • OAIC staff continued to monitor news clips and subscribe to eHealth websites and blogs, such as eHealthspace.org and Pulse+IT.

Section 2 — Compliance and enforcement activities

The OAIC is required to undertake a range of compliance and enforcement activities under the MOU.

Clause 3.3 of Schedule 1 of the MOU requires the OAIC to produce a quarterly report about activities related to the PCEHR system which, at a minimum, provides a summary of:

  1. any complaints or compliance issues within the period and the associated outcomes or conciliation activities;
  2. any investigations commenced within the period and the associated findings and recommendations; and
  3. any assessments commenced within the period and the associated findings and recommendations.

The Information Commissioner (the Commissioner) also has annual statutory reporting obligations under section 106 of the PCEHR Act.

Clause 3.3 of Schedule 2 of the MOU requires the OAIC to produce a quarterly report about activities related to the HI Service which, at a minimum, provides a summary of:

  1. any investigations commenced within the period and the associated findings and recommendations;
  2. any assessments commenced within the period and the associated findings and any recommendations; and
  3. complaints or compliance issues within the period and the associated outcomes or conciliation activities.

The Commissioner also has annual statutory reporting obligations under section 30 of the HI Act.

For consistency purposes, the quarterly reports will contain the same statistical reporting fields as the Commissioner’s statutory reporting requirements under the PCEHR Act and the HI Act.

However, information about enforceable undertakings accepted by the Commissioner or proceedings taken by the Commissioner will not appear in quarterly reports. Full details about compliance and enforcement activities (complaints, investigations and assessments) may not be available for quarterly reports where these matters are still undergoing investigation or assessment.

Compliance activities relating to PCEHR system

Table A: Matters commenced and finalised during the reporting period 1 October to 31 December 2014.

                                         Received/commenced   Finalised        Open at
                                         during period        during period    31 December
Complaints                               Nil                  Nil              Nil
Commissioner-initiated investigations    Nil                  Nil              Nil
Assessments                              3                    1                3
Mandatory data breach notifications      3                    Nil              8

Details of assessments relating to the PCEHR system

Assessments commenced during the reporting period

Assessment: The OAIC has commenced three assessments of the access controls applied by health care provider organisations relating to access by their staff to the eHealth system.

Status: Field work has been conducted on the first two healthcare provider organisations. Field work on the third will be undertaken in January 2015.

Assessments closed during the reporting period

Assessment: The OAIC completed its assessment of the assisted registration policies of ten healthcare provider organisations undertaking assisted registration. The scope of this assessment was how these policies address the privacy obligations set out in Australian Privacy Principles 3 and 11, relating to the collection and security of personal information.

Status: Completed.

Assessments commenced in previous reporting periods and still underway

Assessment: Nil

Status: N/A

Details of mandatory data breach notifications relating to the PCEHR system

Mandatory data breach notifications received during the reporting period

Three further data breach notifications were received during the reporting period from the Chief Executive Medicare in their capacity as a registered repository operator under s 38 of the PCEHR Act.

As with the four notifications received from the Chief Executive Medicare during the quarter ending 30 September 2014, these notifications have also resulted from data integrity activity initiated by the Department of Human Services to identify intertwined Medicare records.

In each of the notified cases, one of the two consumers holding the intertwined Medicare record created an eHealth record and caused the MBS and PBS data of both consumers to be uploaded from the Medicare record to that eHealth record. The OAIC is seeking further information on this issue.

Mandatory data breach notifications closed during the reporting period

None

Mandatory data breach notifications received in previous reporting periods and still open

The OAIC is continuing its enquiries into the four data breach notifications received from the Chief Executive Medicare in the previous reporting period and a data breach notification received from the System Operator in the June 2014 reporting period. These notifications were also referred to in the last quarterly report.

Compliance activities relating to Healthcare Identifiers service

Table B: Matters commenced and finalised during the reporting period 1 October to 31 December 2014.

                                         Received/commenced   Finalised        Open at
                                         during period        during period    31 December
Complaints                               Nil                  Nil              Nil
Commissioner-initiated investigations    Nil                  Nil              Nil
Assessments                              Nil                  Nil              Nil