Australian Government - Office of the Australian Information Commissioner

Department of Health MOU Quarterly Report for the period ending 31 December 2013

PDF: Department of Health OAIC MOU Quarterly Report 31 Dec 2013 (898.58 KB)

Contents

  1. Advice, guidance, liaison and other activities under the MOU
    1. Activities relating to the PCEHR System
    2. Activities relating to the HI Service
  2. Compliance and enforcement activities
    1. Complaints relating to the PCEHR System
    2. Investigations in relation to the PCEHR System
    3. Audits relating to the PCEHR System
    4. Complaints relating to the HI Service
    5. Investigations relating to the HI Service
    6. Audits relating to the HI Service

Mr Matthew Corkhill
Assistant Secretary
eHealth Operations Branch
Department of Health
GPO Box 9848
CANBERRA ACT 2601

Dear Mr Corkhill

I am pleased to provide you with the quarterly report for the period ending 31 December 2013, in accordance with:

  • section 3.3 of Schedule 1
  • section 3.6 of Schedule 2
  • section 10.1

to the Memorandum of Understanding between the Office of the Australian Information Commissioner and the Department of Health in relation to the provision of dedicated privacy-related services under the Privacy Act 1988, the Personally Controlled Electronic Health Records Act 2012 and the Healthcare Identifiers Act 2010.

If you have any queries relating to the report please contact me on (02) 9284 9651 or by email to angelene.falk@oaic.gov.au.

Yours sincerely

Angelene Falk
Assistant Commissioner
Regulation and Strategy Branch

8 January 2014


1. Advice, guidance, liaison and other activities under the MOU

Section 10.1 of the MOU requires that the performance and impact of the activities set out in the MOU are adequately and effectively monitored and assessed.

The activities reported below relate to work performed on activities listed in section 3.3 of Schedule 1 and section 3.6 of Schedule 2 of the MOU, other than the compliance and enforcement activities set out under Section 2 of this report.

Activities relating to the PCEHR System

Advice

Activity item | Activity description | Work performed
S3.1 (m) Respond to requests for advice on the appropriate handling of PCEHR information from Commonwealth agencies, WA and SA public authorities, private sector organisations and individuals
  • The OAIC received two enquiries regarding the PCEHR System. The first was an enquiry from a Senator about the number and status of complaints about eHealth matters received by the OAIC. A letter was sent in response. The second was an enquiry from an individual seeking information about how to cancel an eHealth record and find out who is accessing the record. The enquirer was referred to the eHealth Helpline.
  • On 16 October 2013 the OAIC provided comment to Health on a new ‘essential information’ brochure to be used for a streamlined registration process in Medicare offices.
S3.1 (r) Comment on draft legislation that may interact with the Personally Controlled Electronic Health Records Act 2012 (where appropriate)
  • No draft legislation received.

Guidance

Activity item | Activity description | Work performed
S3.1 (h) Advise participants on their obligations in relation to PCEHR System and liaise with state and territory regulators
  • Prepared a further draft of the guide to mandatory data breach notification under the PCEHR System and scoped options for a ‘smart form’ for breach notifications.
S3.1 (n) Provide telephone and written guidance to individuals and participants in the health care industry on their privacy compliance obligations in relation to the PCEHR System
  • Continued work on the development of factsheets for healthcare providers on privacy and the eHealth system.
S3.1 (s) Formulate Enforcement Guidelines for exercising the powers conferred on the Information Commissioner by the Personally Controlled Electronic Health Records Act 2012
  • Completed in quarter ending June 2013. Revision of the Enforcement Guidelines to incorporate amendments to the Privacy Act 1988 taking effect on 12 March 2014 will commence in the next quarter.

Liaison

Activity item | Activity description | Work performed
S3.1 (o) Liaise and coordinate on privacy related PCEHR activities with key stakeholder agencies (Health, NeHTA and DHS-Medicare)
  • Prepared quarterly MOU report to 30 September 2013.
  • Attended quarterly meeting with Health on 15 November 2013. This meeting included discussion of the review of the PCEHR System, the impact of the privacy reforms on our PCEHR and HI guidance materials and other documents, potential subjects for organisational audits under the MOU and assisted registration.
  • Liaison at officer level with NEHTA privacy section.
S3.1 (p) Liaise and coordinate on privacy related PCEHR activities with PCEHR System Operator
  • Continued to liaise with Health regarding possible privacy risks associated with assisted registration. An audit of an organisation conducting non point‑of‑care assisted registration is proposed to commence in the next quarter.
  • In December 2013, the OAIC liaised with Health about two issues arising from registration and use of the system by consumers and providers.
  • Ongoing discussions with Health on PCEHR System audit program.

Other activities

Activity item | Activity description | Work performed
S3.1 (b) Accept data breach notifications and assist affected entities to deal with data breaches in accordance with the PCEHR legislative requirements
  • The OAIC received information from the System Operator on 1 October 2013 regarding a data breach in which a consumer’s identity verification code was sent to the incorrect email address. A letter was sent to the System Operator on 3 October 2013 providing recommendations to reduce the impact of any future breaches of this type. The System Operator has advised that it is implementing the OAIC’s recommendations to reduce the risk and potential impact of a future breach of this type.
  • On 19 December 2013, the OAIC was advised by the System Operator that a technical change made to the system meant that healthcare providers could view patients’ personal health notes. Investigation identified the cause and a technical fix was put in place to prevent further access. The OAIC is treating this as a notifiable data breach under the PCEHR Act and is reviewing the information provided by the System Operator regarding the breach.
S3.1 (c) Investigate failures to notify data breaches (where empowered to do so)
  • None required.
S3.1 (k) Develop protocol with the System Operator for the referral of complaints and complex privacy enquiries
  • The OAIC has finalised the PCEHR Information Sharing and Complaint Agreement, incorporating Health’s comments on the draft version. The final version was sent to Health on 29 November 2013 with a letter requesting Health’s acceptance of the agreement. Health confirmed its acceptance of the agreement on 22 December 2013.
S3.1 (l) Update internal reference materials
  • Continued research and drafting of an internal OAIC guide in relation to the acceptance of enforceable undertakings under the PCEHR Act.
S3.1 (q) Prepare privacy related PCEHR-related committee briefing material, speeches and media comment
  • Provided a submission to the Review of the PCEHR System on 12 November 2013. This brief submission outlined the OAIC’s role in the system and offered to discuss any privacy considerations with the review panel.
  • Prepared briefing paper on eHealth activities for joint meeting of Information Advisory Committee and Privacy Advisory Committee on 12 November 2013.
  • The Assistant Commissioner, Regulation and Strategy gave a presentation to the PCEHR Independent Advisory Council meeting on 27 November 2013, outlining the OAIC’s activities relating to the PCEHR and HI systems to date.
S3.1 (t) Monitor developments in eHealth to ensure the OAIC is able to offer informed advice about privacy aspects of the operation of the PCEHR System in the broader eHealth context
  • OAIC staff continued to monitor news clips and subscribe to eHealth websites and blogs, such as eHealthspace.org and Pulse+IT.
  • Reviewed the Healthcare Identifiers Act and Service Review – Final Report.
S3.1 (u) Monitor eHealth developments related to the PCEHR System to ensure that the OAIC is aware of the implications of any developments for the PCEHR system, and is able to ensure compatibility with the privacy aspects of the PCEHR system
  • Continued to consider possible privacy risks associated with assisted registration.
  • Monitored media and stakeholder comments regarding the review of the PCEHR System (see S3.1.(q) above).
  • Reviewed the PCEHR System Operator Annual Report.


Activities relating to the HI Service

Advice

Activity item | Activity description | Work performed
S3.1 (d) Advise on obligations in relation to HI’s and liaise with State and Territory privacy regulators as appropriate
  • None required.
S3.1 (f) Respond to requests for advice on the appropriate handling of HI’s from Commonwealth agencies, private sector organisations or individuals
  • As noted above, the OAIC received an enquiry from a Senator about the number and status of complaints about eHealth matters received by the OAIC, and a letter was sent in response.
S3.1 (m) Comment on draft legislation that may interact with the HI Act
  • No draft legislation received.

Guidance

Activity item | Activity description | Work performed
S3.1 (g) Provide guidance to individuals and participants in the healthcare industry on their privacy compliance obligations in relation to HI’s including, where appropriate, the development of information sheets, Frequently Asked Questions and articles in industry magazines
  • See S3.1(n) in relation to PCEHR above.

Liaison

Activity item | Activity description | Work performed
S3.1 (l) Liaise and coordinate with key agencies (Health, NeHTA and DHS-Medicare)
  • Met with key agencies to discuss eHealth matters (see S3.1(o) in relation to PCEHR above).
  • Ongoing discussions with DHS-Medicare regarding HI Service audit program.
S3.1 (n) Participate in consultation and comment on eHealth developments that relate to the HI Scheme
  • No consultations occurred.

Other activities

Activity item | Activity description | Work performed
S3.1 (j) Receive Data Breach Notifications and undertake, where appropriate, action
  • None received.
S3.1 (k) Develop internal training material and train staff
  • See S3.1(l) in relation to PCEHR above.


2. Compliance and enforcement activities

The Office of the Australian Information Commissioner (OAIC) is required to undertake a range of compliance and enforcement activities under the Memorandum of Understanding (MOU) with the Department of Health (Health).

Section 3.3 of Schedule 1 of the MOU requires the OAIC to produce a quarterly report about activities related to the Personally Controlled Electronic Health Records (PCEHR) System which, at a minimum, provides a summary of:

  1. any complaints or compliance issues within the period and the outcomes or conciliation activities associated
  2. any investigations commenced within the period and the findings and recommendations associated
  3. any audits commenced within the period and the findings and recommendations associated.

The Information Commissioner (the Commissioner) also has statutory reporting obligations under section 106 of the Personally Controlled Electronic Health Records Act 2012 (Cth) (the PCEHR Act).[1]

Section 3.6 of Schedule 2 of the MOU requires the OAIC to produce a quarterly report about activities related to the Healthcare Identifiers (HI) Service which, at a minimum, provides a summary of:

  1. any investigations commenced within the period and the findings and recommendations associated
  2. any audits commenced within the period and the findings and any recommendations associated
  3. complaints or compliance issues within the period and the outcomes or conciliation activities associated.

The Commissioner also has statutory reporting obligations under section 30 of the Healthcare Identifiers Act 2010 (Cth) (the HI Act).[2]

For consistency purposes, the quarterly reports will contain the same statistical reporting fields as the Commissioner’s statutory reporting requirements under the PCEHR Act and the HI Act.

However, information about enforceable undertakings accepted by the Commissioner or proceedings taken by the Commissioner will not appear in quarterly reports. Full details about compliance and enforcement activities (complaints, investigations and audits) may not be available for quarterly reports where these matters are still being assessed for investigation or auditing.


Complaints relating to the PCEHR System

This section contains information on complaints made by individuals. Complaints received about the PCEHR System will be assessed under the provisions of the PCEHR Act and the Privacy Act to determine the most appropriate course of regulatory action. In some cases the Commissioner will decline to investigate a complaint; in other cases preliminary inquiries will need to be made before deciding whether to proceed to investigation.

Complaints subject to investigation are also mentioned under the section titled ‘Investigations under section 40(1) of the Privacy Act’.

Table A Complaints received and finalised during the reporting period
Complaints | 1 October – 31 December
Received during period | 0
Finalised during period | 0
Complaints open at 31 December | 0

Complaints received during the reporting period

NIL

Complaints finalised during the reporting period

NIL

Complaints commenced in the previous reporting period but still underway

NIL


Investigations in relation to the PCEHR System

Under the Privacy Act 1988 (Cth), the Commissioner will undertake investigations that arise from a complaint made by an individual about an act or practice that may be an interference with privacy. The Commissioner also has the discretion to investigate an act or practice that may be an interference with privacy on his own motion.

Given that individual complaints may be the subject of investigation, there may be some matters reported under ‘Complaints relating to the PCEHR System’ that are also listed below.

Investigations under section 40(1) of the Privacy Act

Table B Investigations received and finalised during the reporting period (section 40(1))
Investigations | 1 October – 31 December
Received during period | 0
Finalised during period | 0
Investigations open at 31 December | 0

Investigations received during the reporting period

NIL

Investigations finalised during the reporting period

NIL

Investigations commenced in the previous reporting period but still underway

NIL

Own motion investigations under section 40(2) of the Privacy Act

Table C Investigations received and finalised during the reporting period (section 40(2))
Investigations | 1 October – 31 December
Received during period | 0
Finalised during period | 0
Investigations open at 31 December | 0

Investigations received during the reporting period

NIL

Investigations finalised during the reporting period

NIL

Investigations commenced in the previous reporting period but still underway

NIL


Audits relating to the PCEHR System

Audits commenced and ongoing during the reporting period

Audit: The OAIC commenced a second audit of the PCEHR System Operator during the reporting period. The scope of this audit is the storage and security of personal information held on the National Repositories Service. A notification letter has been sent to the System Operator and fieldwork is scheduled for January 2014.

Status: Ongoing. Reviewing documentation and preparing for fieldwork.

Audits closed during the reporting period

NIL

Audits commenced in previous reporting periods but still underway

Audit: The OAIC is undertaking an audit of the PCEHR System Operator. The scope of the audit is the System Operator’s policies and procedures for the collection of personal information during the PCEHR consumer registration process. During the reporting period the OAIC prepared a draft report, which was provided to the System Operator on 6 December 2013 for comment.

Status: Ongoing. Awaiting auditee comments.

Training

Three OAIC staff involved in conducting audits under the MOU participated in training on auditing fundamentals in November 2013.


Complaints relating to the HI Service

Table D Complaints received and finalised during the reporting period
Complaints | 1 October – 31 December
Received during period | 0
Finalised during period | 1
Complaints open at 31 December | 1

Complaints received during the reporting period

NIL

Complaints finalised during the reporting period

The OAIC closed one complaint relating to the HI Service during the reporting period, on the basis that the complainant had not first complained to the agency that was the subject of the complaint.

Complaints commenced in the previous reporting period but still underway

Preliminary inquiries are underway in relation to one complaint received in the previous reporting period. The complainant alleged that the respondent, a state government healthcare provider, had inappropriately accessed the complainant’s individual healthcare identifier (IHI) on multiple occasions. The complainant believed that the IHI had been accessed inappropriately because they had not received any services from the healthcare provider and due to the frequency of access during a short period.


Investigations relating to the HI Service

Investigations under section 40(1) of the Privacy Act

Table E Investigations received and finalised during the reporting period (section 40(1))
Investigations | 1 October – 31 December
Received during period | 0
Finalised during period | 0
Investigations open at 31 December | 0

Investigations received during the reporting period

NIL [The complaint listed above may result in an investigation.]

Investigations finalised during the reporting period

NIL

Investigations commenced in the previous reporting period but still underway

NIL

Own motion Investigations under section 40(2) of the Privacy Act

Table F Investigations received and finalised during the reporting period (section 40(2))
Investigations | 1 October – 31 December
Received during period | 0
Finalised during period | 0
Investigations open at 31 December | 0

Investigations received during the reporting period

NIL

Investigations finalised during the reporting period

NIL

Investigations commenced in the previous reporting period but still underway

NIL


Audits relating to the HI Service

Audits commenced and ongoing during the reporting period

Audit: The OAIC commenced a second audit of the HI Service Operator during the reporting period. The scope of this audit is the storage and security of personal information held on the database of Healthcare Provider Identifiers – Individual.

During the reporting period, the OAIC undertook fieldwork (9–11 December 2013) and commenced drafting of the audit report.

Status: Ongoing. Drafting of audit report underway.

Audits closed during the reporting period

NIL

Audits commenced in previous reporting periods but still underway

Audit: The OAIC is undertaking an audit of the HI Service Operator. The audit is focusing on the collection, use and disclosure of Individual Healthcare Identifiers and Healthcare Provider Identifiers – Individual.

During the reporting period the OAIC provided a revised draft report to the HI Service Operator and participated in discussions regarding the recommendations. The OAIC is waiting for the auditee to add its responses to the recommendations before the document is published.

Status: Ongoing. Awaiting auditee response.

Training

As noted above, OAIC staff involved in conducting audits under the MOU participated in training on auditing fundamentals in November 2013.

[1] Under section 106 of the Personally Controlled Electronic Health Records Act 2012 (Cth) the Information Commissioner (the Commissioner) is required to prepare an annual report setting out the compliance and enforcement activities undertaken in relation to the PCEHR Act. This report must include:

  1. statistics of the following:
    1. complaints received by the Commissioner in relation to the PCEHR System;
    2. investigations made by the Commissioner in relation to PCEHRs or the PCEHR System;
    3. enforceable undertakings accepted by the Commissioner under this Act;
    4. proceedings taken by the Commissioner in relation to civil penalty provisions, enforceable undertakings or injunctions; and
  2. any other matter prescribed by the regulations.

[2] Section 30 of the Healthcare Identifiers Act 2010 (Cth) requires the Commissioner to prepare an annual report setting out the compliance and enforcement activities undertaken during the period.