Australian Government - Office of the Australian Information Commissioner
Department of Health MOU Quarterly Report for the period ending 31 March 2015


Ms Teressa Ward
Assistant Secretary
eHealth Change & Adoption Branch
Department of Health
GPO Box 9848
CANBERRA ACT 2601

Dear Ms Ward

I am pleased to provide you with the quarterly report for the period ending 31 March 2015, in accordance with Section 3.3 of Schedule 1, Section 3.3 of Schedule 2 and Section 10.1 of the Memorandum of Understanding between the Office of the Australian Information Commissioner and the Department of Health, in relation to the provision of dedicated privacy-related services under the Privacy Act 1988, the Personally Controlled Electronic Health Records Act 2012 (PCEHR Act) and the Healthcare Identifiers Act 2010 (HI Act).

If you have any queries relating to the report please contact Jacob Suidgeest on [contact details removed].

Yours sincerely

Angelene Falk
Assistant Commissioner
16 April 2015

Section 1 — Advice, guidance, liaison and other activities

The Office of the Australian Information Commissioner (OAIC) is required to report quarterly under the Memorandum of Understanding (MOU) with the Department of Health (Health) in relation to Personally Controlled Electronic Health Records (PCEHR) system and Healthcare Identifiers (HI) system activities.

Clause 10.1 of the MOU requires that the performance and impact of the activities set out in the MOU are adequately and effectively monitored and assessed.

The activities reported below relate to work performed on activities listed in section 3.3 of Schedule 1 and section 3.3 of Schedule 2 of the MOU, other than the compliance and enforcement activities set out under Section 2 of this report.

Activities relating to the PCEHR system

Advice

S3.1(g) – Respond to enquiries and requests for advice on the appropriate handling of PCEHR information and other privacy compliance obligations in relation to the PCEHR system
  • An IT security consultant with customers in the health sector wrote to the OAIC seeking advice on privacy compliance obligations when outsourcing IT support services. The OAIC is currently finalising its advice.

  • A peak health body wrote to the OAIC seeking advice about patient consent in the context of electronic transfer of prescriptions (eTP) transactions, including where that information is uploaded to the PCEHR system. The OAIC has considered the issues and is in the process of finalising its response.

  • A member of the public contacted the OAIC seeking verbal advice on the assisted registration of consumers for the PCEHR at aged care facilities.

Guidance

S3.1(h) – Prepare and/or update written guidance materials for participants in the PCEHR system on the appropriate handling of PCEHR information and other privacy compliance obligations in relation to the PCEHR system
  • The OAIC has continued developing a series of new business resources for health service providers. The resources relate to privacy obligations when handling health information, including information contained in the PCEHR system. Once finalised after consultation, the resources will replace the OAIC’s existing health privacy guidance.

  • The OAIC has also continued to develop two consumer fact sheets relating to health privacy issues including access to, and correction of, health information. Once complete, the resources will replace the OAIC’s existing consumer health privacy guidance.

S3.1(i) – Update guidance for exercising the powers conferred on the Information Commissioner by the PCEHR Act as required
  • The OAIC is updating the PCEHR Enforcement Guidelines to reflect the OAIC’s Privacy regulatory action policy. The Enforcement Guidelines outline how the OAIC will approach enforcement issues under the PCEHR Act and other privacy legislation. The Guidelines are made under s 111 of the PCEHR Act.

  • The OAIC has continued work on the draft guide to mandatory data breach notification under the PCEHR system and is currently considering the comments made following the OAIC’s final targeted consultation.

  • The OAIC has analysed and addressed submissions made on the six chapters of the OAIC’s draft Guide to privacy regulatory action. The OAIC has also continued drafting of the remaining three chapters of the Guide. This Guide is relevant to the OAIC’s powers under both the PCEHR Act and the Privacy Act and provides stakeholders with a more detailed understanding of when and how the OAIC will exercise particular powers.

Liaison

S3.1(j) – Liaise and coordinate on privacy-related PCEHR activities with the System Operator and other key agencies (Health, NeHTA and DHS-Medicare)
  • The OAIC met with NeHTA to generally discuss eHealth developments, as well as the background to electronic transfer of prescriptions services (eTP services).
  • The OAIC attended a quarterly meeting with the Department of Health on 17 February 2015.
  • The OAIC prepared a quarterly MOU report for the period ending 31 December 2014.
S3.1(k) – Liaise and coordinate on privacy-related PCEHR activities with state and territory regulators
  • The OAIC hosted a meeting of the ‘Privacy Authorities Australia’ group, which includes the privacy and health privacy regulators from the various Australian states and territories. This meeting included discussion of national consistency in health privacy regulation, interoperability and the development of health privacy guidance.

Other activities

S3.1(l) – Prepare PCEHR-related briefing material, speeches, articles and media comment on privacy matters
  • None required.
S3.1(m) – Comment on draft legislation that may interact with the PCEHR Act (where appropriate)
  • None required.
S3.1(n) – Participate in consultations and comment on eHealth developments that relate to the PCEHR system
  • None required.
S3.1(o) – Update internal reference materials and provide staff training as necessary
  • As noted above under S3.1(i), the OAIC continued work on the Guide to privacy regulatory action, which will be an internal reference for OAIC staff exercising regulatory powers in relation to the PCEHR system, as well as providing guidance for external stakeholders.
S3.1(p) – Monitor developments in eHealth and the PCEHR system to ensure the OAIC is able to offer informed advice about privacy aspects of the operation of the PCEHR system and the broader eHealth context
  • The OAIC reviewed the first three ACSQHC Clinical Safety Reports into the PCEHR. The OAIC is considering whether the matters identified in the Reports raise any privacy issues.
  • NeHTA attended the OAIC’s office on 3 March 2015 to present the PCEHR Reference Platform, demonstrating how health service providers access and use the PCEHR system.
  • The OAIC attended the 2015 Australian eHealth Research Colloquium on 31 March 2015 in Brisbane.
  • The OAIC attended the Health Informatics Society of Australia’s ‘PCEHR moving ahead in 2015’ session on 26 March 2015 in Sydney.
  • The OAIC attended Healthcare Efficiency through Technology on 24-25 March 2015 in Sydney.
  • The OAIC continued to monitor the media for any news relating to the PCEHR.

Activities relating to the Healthcare Identifiers service

Advice

S3.1(e) – Respond to enquiries and requests for advice on the appropriate handling of HIs and other privacy compliance obligations in relation to the HI service
  • None required.

Guidance

S3.1(f) – Prepare and/or update written guidance materials for participants in the healthcare industry on the appropriate handling of HIs and other privacy compliance obligations in relation to the HI service
  • As noted above, the OAIC is developing new business privacy resources which deal with privacy obligations when handling health information.

Liaison

S3.1(g) – Liaise and coordinate on privacy related HI activities with key agencies (Health, NeHTA and DHS-Medicare)
  • The OAIC attended a quarterly meeting with the Department of Health on 17 February 2015.
  • The OAIC prepared a quarterly MOU report for the period ending 31 December 2015.
S3.1(h) – Liaise and coordinate on privacy related HI activities with state and territory regulators
  • None required.

Other activities

S3.1(j) – Prepare HI-related briefing material, speeches, articles and media comment on privacy matters
  • None required.
S3.1(k) – Comment on draft legislation that may interact with the HI Act (where appropriate)
  • None required.
S3.1(l) – Participate in consultations and comment on eHealth developments that relate to the HI service
  • None required.
S3.1(m) – Update internal reference materials and provide staff training as necessary
  • None required.
S3.1(n) – Monitor developments in eHealth and the HI service to ensure the OAIC is aware of the implications of any developments for the HI service and able to offer informed advice about privacy aspects of the operation of the HI service in the broader eHealth context.
  • The OAIC continues to monitor the media for HI-related news and developments.
  • As noted above, the OAIC attended the 2015 Australian eHealth Research Colloquium held in Brisbane on 31 March 2015.


Section 2 — Compliance and enforcement activities

The OAIC is required to undertake a range of compliance and enforcement activities under the MOU.

Clause 3.3 of Schedule 1 of the MOU requires the OAIC to produce a quarterly report about activities related to the PCEHR system which, at a minimum, provides a summary of:

  1. any complaints or compliance issues within the period and the outcomes or conciliation activities associated;
  2. any investigations commenced within the period and the findings and recommendations associated; and
  3. any assessments commenced within the period and the findings and recommendations associated.

The Information Commissioner (the Commissioner) also has annual statutory reporting obligations under section 106 of the PCEHR Act.

Clause 3.3 of Schedule 2 of the MOU requires the OAIC to produce a quarterly report about activities related to the HI Service which, at a minimum, provides a summary of:

  1. any investigations commenced within the period and the findings and recommendations associated;
  2. any assessments commenced within the period and the findings and any recommendations associated; and
  3. complaints or compliance issues within the period and the outcomes or conciliation activities associated.

The Commissioner also has annual statutory reporting obligations under section 30 of the HI Act.

For consistency purposes, the quarterly reports will contain the same statistical reporting fields as the Commissioner’s statutory reporting requirements under the PCEHR Act and the HI Act.

However, information about enforceable undertakings accepted by the Commissioner or proceedings taken by the Commissioner will not appear in quarterly reports. Full details about compliance and enforcement activities (complaints, investigations and assessments) may not be available for quarterly reports where these matters are still undergoing investigation or assessment.

Compliance activities relating to PCEHR system

Table A: Matters commenced and finalised during the reporting period 1 January to 31 March 2015.

  Matter type                             Received/commenced during period   Finalised during period   Open at 31 March 2015
  Complaints                              Nil                                Nil                       Nil
  Commissioner-initiated investigations   Nil                                Nil                       Nil
  Assessments                             Nil                                Nil                       2
  Mandatory data breach notifications     Nil                                1                         7

Details of assessments relating to the PCEHR system

Assessments commenced during the reporting period

Assessment: Nil

Status: The OAIC is currently considering the scope of a further assessment. This assessment will commence in the next quarter.

Assessments closed during the reporting period

Assessment: Nil

Status: N/A

Assessments commenced in previous reporting periods and still underway

Assessment: Two

Status: The OAIC has commenced assessments of the access controls applied by healthcare provider organisations to their staff’s access to the eHealth system. One assessment is of a single major healthcare provider. The other assessment is of a number of smaller healthcare providers.

Details of mandatory data breach notifications relating to the PCEHR system

Mandatory data breach notifications received during the reporting period

None

Mandatory data breach notifications closed during the reporting period

The OAIC received a mandatory data breach notification from the System Operator in May 2014. The data breach involved consumers logging into their MyGov account and using their identity verification code to access their own PCEHR. In some instances they also set up access to another consumer’s PCEHR while still logged into the same MyGov account. This resulted in the landing page of the first consumer’s PCEHR showing two ‘Open your eHealth record’ buttons, which provided links to open both consumers’ PCEHRs.

The OAIC requested further information from the System Operator and following consideration of that material made a series of recommendations to reduce the risk and potential impact of a future breach of this type. The System Operator has advised that it is implementing the OAIC’s recommendations.

Mandatory data breach notifications received in previous reporting periods and still open

The OAIC is continuing its enquiries into the seven data breach notifications received from the Chief Executive Medicare in the previous reporting periods and referred to in the last quarterly report.

Compliance activities relating to Healthcare Identifiers service

Table B: Matters commenced and finalised during the reporting period 1 January to 31 March 2015.

  Matter type                             Received/commenced during period   Finalised during period   Open at 31 March 2015
  Complaints                              Nil                                Nil                       Nil
  Commissioner-initiated investigations   Nil                                Nil                       Nil
  Assessments                             Nil                                Nil                       Nil
