Annual Report of the Australian Information Commissioner’s Activities in Relation to Digital Health 2017–18

Publication date: 2018


Preliminary page

The Office of the Australian Information Commissioner (OAIC) was established on 1 November 2010 by the Australian Information Commissioner Act 2010.

ISSN 2202–7262

Creative commons

With the exception of the Commonwealth Coat of Arms, this Annual Report of the Australian Information Commissioner’s Activities in Relation to Digital Health 2017–18 is licensed under a Creative Commons Attribution 3.0 Australia licence (creativecommons.org/licenses/by/3.0/au/deed.en).

This publication should be attributed as:

Office of the Australian Information Commissioner, Annual Report of the Australian Information Commissioner’s Activities in Relation to Digital Health 2017–18.

Contact

Enquiries regarding the licence and any use of this report are welcome.

Email: enquiries@oaic.gov.au
Website: www.oaic.gov.au
Phone: 1300 363 992
TTY: 1800 620 241 (no voice calls)
Mail: Office of the Australian Information Commissioner
GPO Box 5218
Sydney NSW 2001

Accessible formats

All our publications can be made available in a range of accessible formats. If you would like this report in an accessible format, please contact us.

Part 1 — Executive summary

This annual report sets out the Australian Information Commissioner’s digital health compliance and enforcement activity during 2017–18, in accordance with section 106 of the My Health Records Act 2012 (My Health Records Act) and section 30 of the Healthcare Identifiers Act 2010 (HI Act), as outlined in the 2017–19 memorandum of understanding (MOU) between the Office of the Australian Information Commissioner (OAIC) and the Australian Digital Health Agency (the Agency).

The report also provides information about the OAIC’s other digital health activities, including its assessment program, development of guidance material, provision of advice, and liaison with key stakeholders.

More information about the MOU is provided in section 2 of this report. The MOU can also be accessed on the OAIC website.

This was the sixth year of operation of the My Health Record system and the eighth year of the Healthcare Identifiers Service (HI Service), a critical enabler for the My Health Record system and digital health generally.

The management of personal information is at the core of both the My Health Record system and the HI Service (which are collectively referred to as ‘digital health’ in this report). In recognition of the special sensitivity of health information, the My Health Records Act and the HI Act contain provisions that protect and restrict the collection, use and disclosure of personal information. The Australian Information Commissioner oversees compliance with those privacy provisions.

The My Health Record system commenced in 2012 as an opt-in system where an individual needed to register in order to get their My Health Record. Trials were conducted regarding opt-out system participation and an independent evaluation was commissioned by the Department of Health to look at the outcomes from these trials.

In the May 2017 Budget, the Australian Government announced the creation of a My Health Record for every Australian to begin nationally from mid-2018. In May 2018, it was announced that a three month opt-out period for individuals would run from 16 July to 15 October 2018. This period has since been extended to 15 November 2018.

In 2017–18, the OAIC received 28 mandatory data breach notifications. These notifications recorded 42 separate breaches affecting a total of 65 healthcare recipients, 47 of whom had a My Health Record at the time of the breaches. Four of these notifications remain open at the end of the reporting period. The OAIC received eight complaints regarding the My Health Record system and no complaints relating to the HI Service. In addition to handling data breach notifications, the OAIC carried out a program of digital health-related work, including:

  • Commencement of one privacy assessment, completion of one assessment from the previous year and progression of one assessment from the previous year
  • Being briefed by the Agency and the Department of Health on the process for national opt-out of My Health Record in 2018
  • Making a submission to HealthConsult on the development of the Framework to Guide the Secondary Use of My Health Record System Data
  • Providing advice to stakeholders, including the Agency, on privacy related matters relevant to the My Health Record system
  • Developing, revising and updating guidance materials for a range of audiences, including the publication of My Health Record related multimedia resources for healthcare providers and new Frequently Asked Questions for consumers, to coincide with the commencement of the opt-out period
  • Participation in the Privacy and Security Advisory Committee, one of the advisory committees established by the Agency to support the Agency’s Board
  • Monitoring developments in digital health, the My Health Record system and the HI Service

Part 2 — Introduction

Many Australians view their health information as being particularly sensitive. This sensitivity has been recognised in the My Health Records Act and HI Act, which regulate the collection, use and disclosure of information, and give the Australian Information Commissioner a range of enforcement powers. This sensitivity is also recognised in the Privacy Act 1988 (Privacy Act) which treats health information as ‘sensitive information’.

Although the My Health Record system has previously been a self-register model, in May 2017, the Australian Government announced the national expansion of the opt-out participation model for the My Health Record system. This followed earlier opt-out pilots in Nepean Blue Mountains and Far North Queensland in 2016. The effect of this decision is that every individual with a Medicare or Department of Veterans’ Affairs card who does not already have a record will be automatically registered to have a My Health Record, unless they choose not to have one. In May 2018, it was announced that a three month opt-out period for individuals would run from 16 July to 15 October 2018. This period has since been extended to 15 November 2018.

The Australian Information Commissioner is the independent regulator of the privacy provisions relevant to the My Health Record system and HI Service. However, as set out in the terms of the MOU with the Agency, the OAIC also performs proactive education and guidance functions that go beyond compliance and enforcement. During the 2017–18 financial year, the OAIC also worked proactively on digital health activities under the MOU with the Agency, particularly to help ensure consumers were aware that they have the opportunity to exercise an informed decision about whether to opt-out, and had resources available to assist them in making that decision. The OAIC has liaised with the Agency to receive progress briefings on the opt-out process, to ensure the information it provides to individuals about the opt-out process is up-to-date. This has informed the development of new and updated OAIC resources as required.

The MOU covers activities related to both the My Health Record system and the HI Service. It sets out a program of work that includes business as usual activities (such as responding to requests for advice and investigating privacy complaints relating to digital health), and project-based work (such as developing guidance materials and conducting assessments). Information about these activities is set out in sections 3 and 4 of this report. Further information about the OAIC’s MOU activities can be found in the MOU, signed 20 December 2017, available on the OAIC website.

The Agency provided the OAIC with $1,688,343.83 (GST exclusive) in 2017–18 to carry out activities in accordance with the MOU.[1]

The Australian Information Commissioner’s digital health functions

The My Health Record system

The Australian Information Commissioner has the following roles and responsibilities under the My Health Records Act and the Privacy Act:

  • Respond to complaints received relating to the privacy aspects of the My Health Record system as the Commissioner considers appropriate, including through preliminary inquiries, conciliation, investigation or deciding not to investigate a complaint
  • Investigate, on the Commissioner’s own initiative, acts and practices that may be a contravention of the My Health Records Act in connection with health information contained in a healthcare recipient’s My Health Record or a provision of Part 4 or 5 of the My Health Records Act
  • Receive data breach notifications and assist affected entities to deal with data breaches in accordance with the My Health Record legislative requirements
  • Investigate failures to notify data breaches
  • Exercise, as the Commissioner considers appropriate, a range of enforcement powers available in relation to contraventions of the My Health Records Act or contraventions of the Privacy Act relating to the My Health Record system, including making determinations, accepting enforceable undertakings, seeking injunctions and seeking civil penalties
  • Conduct assessments
  • Provide a range of advice and guidance material
  • Maintain guidance for exercising the powers available to the Commissioner in relation to the My Health Record system

Healthcare Identifiers Service

The Australian Information Commissioner has the following roles and responsibilities under the HI Act and the Privacy Act:

  • Respond to complaints received relating to the privacy aspects of the HI Service as the Commissioner considers appropriate, including through preliminary inquiries, conciliation, investigation or deciding not to investigate a complaint
  • Investigate, on the Commissioner’s own initiative, acts and practices that may be a misuse of healthcare identifiers
  • Receive data breach notifications and respond as appropriate
  • Conduct assessments
  • Provide a range of advice and guidance material

Year in review — a summary

During the 2017–18 financial year, the OAIC undertook the following activities:

Table 1 — OAIC My Health Record and Healthcare Identifiers Service activities 2017–18

Activity | My Health Record | HI Service
Telephone enquiries | 9 | 1
Written enquiries | 8 | 1
Complaints finalised | 5 | 0
Policy advices[2] | 13 | 0
Assessments completed or in progress | 2 | 1
Mandatory data breach notifications received | 28 | N/A
Media enquiries | 1 | 0

Part 3 — OAIC and the My Health Record system

The OAIC performs a range of functions in relation to the My Health Record system. These functions include legislative compliance and enforcement activities and other activities set out under the MOU, including providing privacy related advice and developing guidance materials for internal and external stakeholders.

Compliance and enforcement activities include:

  • Receiving, conciliating and investigating complaints about alleged interferences with the privacy of a healthcare recipient in relation to the My Health Record system
  • Conducting Commissioner initiated investigations of any act or practice that may be a contravention of the My Health Records Act
  • Conducting assessments of participants in the system to ensure they are complying with their privacy obligations
  • Receiving mandatory data breach notifications from system participants

Information about the OAIC’s enforcement and compliance activities is set out in the following section.

The OAIC is also responsible for producing statutory and regulatory guidance for consumers and other participants such as healthcare providers, registered repository operators and the System Operator (the Agency). In addition, the OAIC responds to enquiries and requests for policy advice from a broad range of stakeholders about the privacy framework for the My Health Record system and the appropriate handling of My Health Record information. These activities are an important component of the OAIC’s regulatory role under the My Health Record system.

To deliver these outcomes, the OAIC liaised with external stakeholders including professional industry bodies in the health sector and consumer organisations. Information about the OAIC’s activities in relation to providing advice, developing guidance material and liaison with key stakeholders is provided below.

OAIC enforcement and compliance activities

Complaints and investigations relating to the My Health Record system

The OAIC received eight complaints about the My Health Record system during 2017–18, five of which have been finalised. A complaint from the previous reporting period was also finalised during 2017–18. Two complaints from 2017–18 remain ongoing.

Under section 40(2) of the Privacy Act, the Australian Information Commissioner also has the discretion to investigate an act or practice that may be an interference with privacy, on the Commissioner’s own initiative (without first receiving a complaint from an individual).

During 2017–18, the Australian Information Commissioner did not carry out any Commissioner initiated investigations into the My Health Record system.

Assessments relating to the My Health Record system

Under the MOU with the Agency, the OAIC is required to conduct a minimum of four and up to six assessments during the 2017–18 and 2018–19 financial years in relation to the My Health Record system and the HI service.

The OAIC initiated one assessment relating to the My Health Record system in 2017–18; finalised one assessment which commenced in the previous reporting period; and continues to progress one assessment that began in the previous year.

Table 2 — Assessments conducted in 2017–18

Assessment subject | No. entities assessed | Year opened | Closed
1. Assessment of Department of Human Services as a contractor to the System Operator for services related to the My Health Record System — APP 1.2 | 1 | 2016–2017 | November 2017
2. Assessment of the Australian Digital Health Agency — reasonable steps to protect personal information held in the My Health Record system — APP 11 and the My Health Records Act | 1 | 2017–2018 | Ongoing

Assessment of the Department of Human Services as a contractor to the System Operator for services related to the My Health Record system

The OAIC conducted an assessment of the Department of Human Services (DHS) in its capacity as a contractor of the My Health Record System Operator, the Australian Digital Health Agency (ADHA). The assessment focussed on whether DHS, in its role as a contractor to the ADHA, was taking reasonable steps to ensure compliance with APP 1.2. APP 1.2 requires that entities take steps to implement practices, procedures and systems to ensure compliance with the APPs and to deal with complaints. One recommendation was made, which was agreed by DHS. The assessment report is published on the OAIC website. Fieldwork was conducted in March 2017 and the final assessment report was issued in November 2017.

Assessment of the ADHA — reasonable steps to protect personal information held in the My Health Record system

The OAIC also conducted an assessment of the ADHA’s handling of personal information. The assessment focussed on APP 11 which requires the ADHA to take reasonable steps to protect personal information held in the My Health Record System and on the relevant provisions in the My Health Records Act. Fieldwork was conducted in June 2018 and the assessment will be finalised in the 2018–19 financial year.

Table 3 — Notification of mandatory data breach notifications

Notifying party | Notified in the period: number of data breach notifications | Notified in the period: number of healthcare recipients affected | Closed in the period: number of data breach notifications | Closed in the period: number of healthcare recipients affected | Open at 30 June: number of data breach notifications | Open at 30 June: number of healthcare recipients affected
System Operator | 2 | 4[3] | 2 | 4[3] | 1 | 2[3]
DHS | 26 | 61[3] | 27 | 63[3] | 3 | 6[3]

In 2017–18, the OAIC received two data breach notifications from the My Health Record System Operator. One notification, involving two separate data breaches, related to unauthorised access to a My Health Record by a third party while conducting fraudulent Medicare claiming activity online. The other notification involved one data breach, which resulted in unauthorised access to a My Health Record due to incorrect Medicare enrolment.

The OAIC also received 26 notifications from the Chief Executive of Medicare in their capacity as a registered repository operator under section 38 of the My Health Records Act:

  • Seventeen of these notifications involved separate breaches related to intertwined Medicare records. The majority of these notifications involved healthcare recipients with similar demographic information sharing the same Medicare record. However, one notification involved Medicare updating the Medicare records of two healthcare recipients interchangeably. These intertwined Medicare records resulted in Medicare providing data to the incorrect individual’s My Health Record.
  • Nine notifications, involving 22 separate breaches, resulted from findings under the Medicare compliance program. In these instances, certain Medicare claims made in the name of a healthcare recipient, but not by that healthcare recipient, were uploaded to their My Health Record.

Four notifications remained open at the end of the reporting period. The OAIC expects to close these notifications following further clarification of the circumstances of the breaches contained within those notifications.

My Health Record system advice, guidance, liaison and other activities

Advice

My Health Record system enquiries

The OAIC’s Enquiries Team received 14 enquiries about the My Health Record system during the reporting period. These enquiries related to general information about the My Health Record system, access to the records of children and the opt-out process.

Policy advice to stakeholders and members of the public

During the reporting period, the OAIC provided 11 policy advices related to the My Health Record system to various stakeholders. These included:

  • A response to an enquiry from a state agency about the national opt-out expansion of the My Health Record system, including the legislative context and the rules around the implementation.
  • Comments to the Department of Health and HealthConsult on the draft Framework to Guide the Secondary Use of My Health Records System Data.
  • Responses to requests for advice from a range of stakeholders such as medical indemnity insurers, healthcare provider associations and consumer representative bodies on issues such as:
    • How the data breach notification obligations under section 75 of the My Health Records Act interact with the notification obligations under the Privacy Act
    • The interaction between the Privacy Guidelines for the Medicare Benefits and Pharmaceutical Benefits Programs, made under section 135AA(5) of the National Health Act 1953 and the My Health Records legislation
    • Secondary uses of My Health Record information
  • Providing comments on new resources developed by a health practitioner association and medical indemnity insurer, which described the application of the My Health Records Act.

The OAIC further considered a request for advice from a state government body about the application and interpretation of certain provisions of the My Health Records Act.

Policy advice to the Australian Digital Health Agency

Under its MOU with the Agency, the OAIC liaised and coordinated with the My Health Record System Operator on privacy related matters in relation to the system. During the reporting period, this included providing advice regarding a request from the Agency on draft communications materials designed to inform consumers about the national opt-out expansion of the My Health Record system.

Submissions

The OAIC made one submission related to the My Health Record system during the reporting period. This submission was to HealthConsult, which developed a Consultation Paper on behalf of the Department of Health, discussing the development of a framework for secondary uses of My Health Record data.

In its submission, the OAIC noted its general support for initiatives that seek to maximise the use of data in the public interest, such as the Framework to Guide the Secondary Use of My Health Record System Data (the framework). The OAIC noted that although the rich source of health information collected by the My Health Record system has the potential to assist in improving outcomes for all Australians, it is crucial that privacy remain a central consideration.

The OAIC noted that health information is considered particularly sensitive by a large portion of the community, and that there is a greater reluctance to share it — even in de-identified form. As such, the OAIC noted that public support for projects that aim to maximise data usage, such as the framework, will depend on the level of choice and control afforded to individuals.

The OAIC set out some considerations for HealthConsult that centred on providing transparency and choice to consumers about how their personal information is handled. These considerations included:

  • Building informed confidence within the community
  • Building the framework on robust notice and consent processes
  • Embedding privacy enhancing governance arrangements and processes
  • Ensuring robust methods of de-identification
  • Requiring entities not covered by the Privacy Act seeking My Health Record data for secondary use to opt-in to the Privacy Act

Guidance

For healthcare providers

The OAIC has implemented a more contemporary approach to developing guidance materials, and has produced a range of multimedia resources for healthcare providers.

Three videos were published in October 2017. One summarises the role of the OAIC in the My Health Record system and is based on an existing fact sheet currently available on the OAIC’s website. The second explains the mandatory data breach notification requirements in the My Health Records Act to healthcare providers. The third provides an overview of the legislative requirements and privacy best practice when it comes to handling sensitive information in the My Health Record system. The third video complements two existing resources for healthcare providers: it covers the legislative requirements that apply to the handling of a patient’s personal information when using the My Health Record system, and it also includes tips on how to protect a patient’s privacy.

An infographic for healthcare providers on the mandatory data breach notification requirements under the My Health Record system was also published with the videos described above to complement the OAIC’s existing Guide to Mandatory Data Breach Notification in the My Health Record System.

Minor updates were also prepared for the two existing resources for healthcare providers to reflect the My Health Record system move to an opt-out participation model. (These updates were published on 16 July 2018 to coincide with the commencement of the opt-out period.)

For consumers

A series of eight new ‘Frequently Asked Questions’ (FAQs) were developed to help consumers make an informed decision about whether they should opt-out of the My Health Record system, and how to protect their health information should they choose not to opt-out. The FAQs were published on 16 July 2018 to coincide with the commencement of the opt-out period.

The OAIC also made significant updates to the existing suite of My Health Record consumer fact sheets to reflect the My Health Record system’s shift to an opt-out participation model. The fact sheets that were updated included:

  • Privacy fact sheet 15: Tips for protecting the personal information in your My Health Record
  • Privacy fact sheet 18: The OAIC and the My Health Record system
  • Privacy fact sheet 19: How to manage your My Health Record
  • Privacy fact sheet 21: Young people and the My Health Record system
  • Privacy fact sheet 22: Medicare and your My Health Record
  • Privacy fact sheet 23: Emergency access and your My Health Record

The updated fact sheets were published on 16 July 2018 to coincide with the commencement of the opt-out period.

A series of minor updates were also made to the My Health Record page on the OAIC website to reflect the move to opt-out and improve general readability.

Regulatory Guides

Updates to the OAIC’s Guide to Data Breach Notification in the My Health Record System were published in October 2017. The updates were necessary to reflect the 2015 legislative amendments to the My Health Records Act, in particular the data breach requirements. The updates also included minor restructuring and redrafting of text to improve readability and additional examples to provide clarity around the operation of certain provisions. The Agency was consulted on the updated guide.

The OAIC also made updates to the Privacy Regulatory Action Policy and the Guide to Privacy Regulatory Action, which were published in May 2018. The updates reflected the 2015 legislative amendments to the My Health Records Act and explained the interaction between section 75 of the My Health Records Act and the Notifiable Data Breach (NDB) scheme in Part IIIC of the Privacy Act (which commenced in February 2018).

External engagement

The OAIC attended the Thought Leadership Roundtable: Engaging Consumers in their Health Data Journey hosted by the Consumers Health Forum (CHF) and NPS MedicineWise on 28 November 2017. The roundtable provided an opportunity for the OAIC to discuss with other stakeholders the key findings of this joint CHF and NPS MedicineWise research project looking at consumer attitudes to the use of their health data, including in relation to the My Health Record system.

The Consumer Privacy Network (CPN) assists the OAIC to further understand and respond to contemporary privacy issues affecting consumers. In June 2018 a CPN meeting was held including a dedicated session covering the My Health Record system national opt-out expansion, the opt-out mechanisms and the communications that will be going out to consumers. The session was presented by the Agency and was followed by a question and answer session, providing CPN members with the opportunity to raise a range of questions about the implementation of the Government’s decision to move to an opt-out model.

The OAIC hosted the Privacy Authorities Australia (PAA) meeting on 6 March 2018. As part of this meeting, the OAIC invited the Agency to deliver a presentation on the My Health Record system. The presentation covered the Agency’s role and the approved Digital Strategy, My Health Record and the benefits to both consumers and providers, the expansion of the My Health Record in 2018 and the opt-out process. The presentation also covered key privacy issues, including:

  • The privacy settings within the My Health Record system
  • Research on how privacy during the expansion program should be communicated
  • Legislation and governance

The PAA meeting also generated important discussion between the privacy regulators and the ADHA about the regulation of the My Health Record system and the communication strategy.

The OAIC’s Acting Deputy Commissioner presented at the Australian Pharmacy Professional Conference in May, covering general privacy obligations for the health sector as well as certain aspects of the My Health Record system, such as mandatory data breach notifications required under the My Health Records Act.

Liaison

Liaison with the System Operator

The OAIC liaised regularly with the Agency to discuss MOU activities and other matters relating to the My Health Record system.

The OAIC engaged with both the Agency and the Department of Health about the decision to move to an opt-out participation arrangement for the My Health Record system, including briefings on:

  • The My Health Records (National Application) Rules 2017
  • The mechanisms available to individuals to opt-out
  • The communications strategy to inform all Australians about their choice to opt-out

The OAIC delivered a presentation at a workshop hosted by the Agency for medico-legal members, attended by Department of Health staff, healthcare provider associations, medical indemnity insurers and the Primary Health Network. The presentation covered the interaction between the data breach notification requirements under section 75 of the My Health Records Act and the new notification obligations in Part IIIC of the Privacy Act (which commenced in February 2018).

The OAIC delivered a presentation in October 2017 to the Australian Healthcare Information Security Forum in Melbourne, which included an overview of the My Health Records data breach reporting scheme, and its interaction with the notification obligations in Part IIIC of the Privacy Act.

OAIC staff also liaised with staff from the Agency’s Digital Health Cyber Security Centre to provide comments on the Agency’s cyber security checklist.

The OAIC participated in the Privacy and Security Advisory Committee, one of the advisory committees established by the Agency to support the Agency’s Board.

Liaison with other key stakeholders

In addition to liaising with the Agency and the Department of Health, OAIC staff participated in a workshop facilitated by HealthConsult to discuss the development of a framework for secondary uses of My Health Record data, including a presentation of the Public Consultation Paper, followed by a question and answer session.

Other activities

Strengthening internal expertise

Throughout 2017–18, the OAIC continued to develop internal expertise regarding its functions and powers in connection with the My Health Record system. This involved ensuring new staff received induction training in digital health and the OAIC’s regulatory oversight role. Staff who are new to working specifically on digital health receive extensive on-the-job training to ensure they acquire the necessary digital health subject matter knowledge.

An updated My Health Record induction session was developed and delivered to new staff to help them develop a comprehensive understanding of digital health policy issues and initiatives, the My Health Record system and the OAIC’s regulatory role. The session included information specific to the move to opt-out.

Monitoring developments in digital health and the My Health Record system

Under the MOU with the Agency, the OAIC is required to monitor developments in digital health and the My Health Record system to ensure it is able to provide informed advice about privacy aspects of the operation of the system and the broader digital health context. During the reporting period, staff attended:

  • The Wild Health Summit in Sydney, which included presentations by Executive staff of the Agency and presentations on such issues as cyber-security, health data and interoperability of digital health
  • The digital health stream of the 9th Annual Australian Healthcare Week in Sydney, which included discussions on good data governance and the importance of good data hygiene, as well as presentations by the Agency, state and Commonwealth agencies, academics and business representatives
  • A webinar on the secondary uses of the My Health Record data framework hosted by HealthConsult in conjunction with the Agency

In addition, OAIC staff:

  • Reviewed and analysed the final Framework to Guide the Secondary Use of My Health Record System Data in terms of how the OAIC’s submissions were received and outstanding privacy impacts
  • Reviewed new resources published on the My Health Record website, including the Agency’s guide to Keeping Your Healthcare Information Secure
  • Monitored news clips, relevant parliamentary committees, and digital health and related websites and blogs

Media

The OAIC responded to one media enquiry regarding digital health and the My Health Record system during 2017–18.

Part 4 — OAIC and the Healthcare Identifiers Service

The HI Service is a foundation service for a range of digital health initiatives in Australia, particularly the My Health Record system. Accordingly, the use of healthcare identifiers has increased since the launch of the My Health Record system on 1 July 2012.

Under the My Health Record system, healthcare identifiers:

  • Are used to identify healthcare recipients who register for a My Health Record
  • Enable the My Health Record System Operator to authenticate the identity of all individuals who access a My Health Record and record activity through the audit trail
  • Help ensure the correct health information is associated with the correct healthcare recipient’s My Health Record

Registration with the HI Service is a prerequisite for a healthcare provider organisation to be registered for the My Health Record system.

OAIC compliance and enforcement activities

Complaints relating to the HI Service

No complaints were received during the reporting period.

Investigations relating to the HI Service

No complaint investigations or Commissioner-initiated investigations were commenced or finalised during the reporting period. At 30 June 2018, there were no HI investigations open.

Assessments relating to the HI Service

Under the MOU with the Agency, the OAIC was required to conduct a minimum of four and up to six assessments during the 2017–18 and 2018–19 financial years in relation to the My Health Record system and the HI service.

The OAIC initiated one assessment relating to the HI Service in 2017–18.

Table 4 — Assessments relating to the HI Service in 2017–18

Assessment subject | No. entities assessed | Year opened | Closed
Assessment of a private healthcare provider of their handling of Individual Healthcare Identifiers — APP 11 and the HI Act | 1 | 2017–2018 | Ongoing

Assessment of a private healthcare provider of their handling of Individual Healthcare Identifiers

The OAIC conducted an assessment into the handling of Individual Healthcare Identifiers by a major private healthcare provider. The assessment focussed on the healthcare provider’s handling of Individual Healthcare Identifiers in accordance with APP 11 (security) and the requirements under the HI Act. Fieldwork was conducted in September 2017 and the assessment will be finalised in the 2018–19 financial year.

Healthcare identifiers advice, guidance, liaison and other activities

Advice

In relation to the Healthcare Identifiers Service, the OAIC provided advice to:

  • A member of the public relating to an enquiry regarding the use of healthcare identifiers by medical practitioners.

Guidance

Update to existing resources

Following earlier consultation and a review of the healthcare identifier resources available on the OAIC’s website, the OAIC updated its healthcare identifier resource material to better meet stakeholder needs. The updated healthcare identifier information was published on the OAIC website in September 2017.

Other activities

Monitoring developments in digital health and the HI Service

Under the MOU with the Agency, the OAIC is required to monitor developments in digital health and the HI Service to ensure the OAIC is aware of the implications of any developments for the HI Service and is able to offer informed advice about privacy aspects of the HI Service in the broader digital health context. During the reporting period, the OAIC:

  • Monitored developments relating to digital health and the HI Service through news clips and digital health websites and blogs
  • As outlined above in relation to the My Health Record system, attended various conferences related to digital health


Angelene Falk

Australian Information Commissioner
Australian Privacy Commissioner

19 September 2018


Footnotes

[1] This figure is also included in the OAIC’s Annual Report 2017–18.

[2] This includes submissions.

[3] The total number of healthcare recipients affected by the data breach notifications (DBNs) include individuals with and without a My Health Record at the time of the breach. Accordingly, for DHS, there were 43 affected individuals with a My Health Record in the DBNs received in the period, 47 affected individuals with a My Health Record in the DBNs closed in the period and three affected individuals with a My Health Record in the DBNs that remained open as at 30 June. For the System Operator, there were four affected individuals with a My Health Record in the DBNs received, four affected individuals with a My Health Record in the DBNs closed in the period and two affected individuals with a My Health Record in the DBNs that remained open as at 30 June.