Electronic health records and healthcare identifiers: Legislation discussion paper

1 June 2015

Submission to the Department of Health

June 2015

Office of the Australian Information Commissioner

The Office of the Australian Information Commissioner (the OAIC) is an independent statutory agency within the Attorney-General’s portfolio, with functions that include independent oversight of privacy protections in the Privacy Act 1988 (Cth) (Privacy Act). The Privacy Act confers a range of functions on the Australian Information Commissioner which are also conferred on the Privacy Commissioner by operation of the Australian Information Commissioner Act 2010 (Cth).[1]

In addition, the OAIC is the independent regulator of the privacy aspects of the personally controlled electronic health records (PCEHR) system and the Healthcare Identifiers (HI) Service. The privacy requirements of the PCEHR system and HI Service are set out in the Privacy Act 1988, the Personally Controlled Electronic Health Records Act 2012 and the Healthcare Identifiers Act 2010. The OAIC has a range of functions and enforcement powers under the Privacy Act and PCEHR Act to ensure compliance with the privacy requirements. In addition to these enforcement functions, the OAIC performs a number of other activities relating to the PCEHR and HI systems, which are set out in a Memorandum of Understanding with the Department of Health.

General comments

The OAIC welcomes the opportunity to provide the Department of Health with comments on the Electronic health records and healthcare identifiers: legislation discussion paper155 KB (the discussion paper).

The discussion paper outlines a range of proposed changes to the Personally Controlled Electronic Health Records Act 2012 and the Healthcare Identifiers Act 2010. The proposed changes relate to areas including governance, participation models, the obligations of eHealth system participants, and privacy. While section 3.5 of the discussion paper is named ‘privacy’, the OAIC considers that privacy considerations arise in relation to all sections of the paper. We have therefore commented on a range of proposals throughout the paper.

In making the comments below, we recognise the benefits that are expected to accompany an effective eHealth record system in Australia. These benefits include better health outcomes arising from the improved availability and quality of health information, fewer adverse medical events, and efficiency through reduced duplication of treatment.

However, changes to the eHealth record system do pose potential privacy risks. The system is expected to increasingly handle significant volumes of sensitive health information. In addition, the Government has announced trials of an opt-out model of participation, with the possibility of that model being expanded nationally in the future. Under opt-out arrangements, the health information of an individual who does not opt-out will be handled in the eHealth record system without that individual’s express consent.

In the context of an opt-out system, it is important to provide individuals with control over if and how their health information is handled, and to ensure strong privacy protections are in place for those who do not exercise their choice to opt-out. We consider that an eHealth system operated on an opt-out basis should be designed with privacy as a critical consideration. Ensuring that privacy is adequately addressed is fundamental to establishing and maintaining public confidence in the system.

We acknowledge that the discussion paper raises for consideration a range of privacy issues, and explains the Department’s approach to managing these. We welcome this focus on privacy as a central consideration. The specific comments below outline the OAIC’s views on the key privacy issues that in our view are raised by the proposals.

Specific comments

The numbering and structure below match that used in the discussion paper.

3.1 Preliminary

3.1.2 Definitions

Alignment between HI and PCEHR Acts

The OAIC supports the proposal to adopt a consistent term (either ‘individual’ or ‘healthcare recipient’) across both the HI and PCEHR Acts to refer to individuals who have received, receive or may receive, healthcare. In considering this issue it should be noted that the term ‘individual’ is used in the Privacy Act.

Clarification of ‘healthcare’

We support the alignment of the definitions of healthcare/ health service across the Privacy Act, PCEHR Act and HI Act.

In relation to the express mention of health-related aged care, disability services and palliative care, we note that these activities may be covered by the existing definition. However, if their inclusion is considered necessary, we do not object provided that the drafting is limited to health-related activities in those fields. This is because ‘disability service’ and ‘aged care service’ could include services, such as household assistance or gardening that may not be primarily (or at all) health-related.

We agree that the addition of ‘injury’ to the definition is a useful clarification.

We note the proposal to allow regulations to be made to exclude activities from being ‘healthcare’ because they are performed for reasons other than care or treatment. To ensure the definitions under each Act do not diverge, we recommend that these regulations should only be made under the Privacy Act. We also suggest that the legislation include a specific requirement that the Information Commissioner be consulted in the making of the regulation.

We do not think the proposed changes to ‘health information’ are necessary, but do not object. We consider that the current definition implicitly covers both physical and psychological health.

Distinguishing between healthcare providers and organisations

We support the inclusion of separate definitions under the HI Act and information in the Explanatory Memorandum to reflect the three kinds of healthcare identifiers, articulating that HPI-Is and IHIs are considered personal information for privacy purposes. This is consistent with Recommendation 14(f) in the HI Review.

Regarding the recommendation that healthcare provider organisations be distinguished from individual healthcare providers, the HI Act review recommendation referred to in the discussion paper (recommendation 12(a)) was specifically limited to s 31 of the HI Act (relating to the Healthcare Provider Directory). It is unclear whether the proposal for all provisions to ‘make clear whether they apply to healthcare provider organisation and/or individual healthcare providers’ extends beyond s 31 and, if so, to which sections and for what purposes.

Expanding ‘identifying information’

In relation to the proposals to expand the definition of ‘identifying information’, the OAIC understands that the Department considers that the current definitions are preventing the handling of information in ways that would enhance the utility of the PCEHR system. The discussion paper therefore proposes a regulation-making power to facilitate the addition of new categories of ‘identifying information’.

It may be reasonable to include additional categories of identifying information such as IHI status, a telephone number and email in the legislation. It may also be reasonable to create a regulation-making power to allow additional categories to be prescribed. However, to ensure that the privacy impacts of any new categories are considered, we recommend that a privacy impact assessment be conducted before new categories are prescribed.

Further, while the collection of additional personal information may improve accuracy in some instances, this needs to be balanced against the requirement to avoid the collection of unnecessary personal information. The definition of ‘identifying information’ (including any definition expanded by any regulations) should allow the legislated purposes for which it is collected to be achieved, while ensuring only the minimum amount of personal information needed is collected. Any new category therefore should be drafted narrowly to confine its handling to the purpose for which it is required.

This is relevant to the proposal in the discussion paper to prescribe the unique reference number of an individual’s driver licence, passport or Immicard, and the type of credential, to facilitate the PCEHR System Operator collecting this information, and disclosing it to the Document Verification Service, for the purposes of verifying the identity of an individual whose chooses to opt-out.

The OAIC welcomes the statement that the ‘System Operator will not store this information once it has been used to verify the individual’s identity’. This is important and consistent with Australian Privacy Principle (APP) 11 in the Privacy Act which requires APP entities to destroy or de-identify personal information when it is no longer needed. We suggest that this requirement be included in the legislation so that such information is not used for other purposes in the future.

3.2 Governance

3.2.1 Establishment of ACeH

The OAIC supports the Australian Commission for Electronic Health (ACeH) being established as a new corporate Commonwealth entity. This will ensure that ACeH is an ‘APP entity’ and covered by the Privacy Act. In addition, we welcome the proposed inclusion on ACeH’s advisory committees of individuals with expertise in privacy and security.

3.2.2 HI Service Operator

The OAIC supports the proposal to ensure that legislative amendments limit the identity of any proposed new HI Service Operator to a public sector body. As an agency, the body will be an APP entity, which will ensure it remains covered by the Privacy Act and therefore subject to regulation by the OAIC.

3.3 Participation

3.3.1 An opt-out PCEHR system?

OAIC’s general comments

The OAIC has supported the existing opt-in participation model, which offers important privacy benefits to individuals, ensuring that they have provided active and express consent before registering in the PCEHR system.[2]

While we understand the reasons why the Department of Health is proposing to shift to an opt-out model, it is important that this be implemented in the most privacy-enhancing way. This includes giving individuals maximum opportunity to exercise their right to opt-out, and ensuring existing personal controls are not diminished. This is particularly important given the sensitive nature of the information held by the system, and given the system is a shared record which brings together information from diverse sources. Over time the system will make a greater amount of health information more readily available and to more people than has previously been possible.

Given the significance and potential privacy risks of an opt-out system, we support the proposal to conduct trials before adopting an opt-out system nationally. We also welcome the intention to conduct a public awareness and education campaign, and would welcome being consulted on this process.

The discussion paper proposes that a mechanism be included in the PCEHR legislation allowing the Minister or Governor-General to determine the areas of Australia where the system would be opt-out, and to expand this nationally if the Government decides to do so. While this may be a convenient mechanism, we note that it is important that the trials are evaluated and that the lessons learnt in relation to privacy are taken into account and any necessary changes implemented.

Before any decision to adopt opt-out nationally, we recommend that the Department arrange for an independent privacy impact assessment (PIA) to evaluate and address privacy risks identified during the trial. The Department should also conduct further PIAs as circumstances change, for example if new functionality is added to the system, information is to be handled for additional purposes, or significant amendments to legislation are made. We would appreciate the opportunity to comment on these PIAs.

Opting out in trial regions

An opt-out system raises issues relating to capacity and pseudonymous records.

Issues surrounding the ability of minors and adults who lack capacity to opt-out of having, and controlling, their record would need to be carefully considered under an opt-out system. The discussion paper indicates that the System Operator would verify that representatives who opt-out such individuals have the authority to act on their behalf. However, if such individuals are not opted-out, there are questions around who will be notified when their record is created, and how the System Operator will determine who their authorised representative(s) will be.

Other issues that may need to be considered include how the System Operator will determine that an individual lacks capacity, or whether they have fluctuating capacity; how minors will be informed of their right to take control of their record once they turn 14, and informed of their right to set up restricted access controls and remove documents. Additionally, there are differences between state and territory law as to when minors are capable of consenting to health issues (that is, when they become a ‘mature minor’), which may raise complexities.[3] In considering these authorised representative issues, the Department of Health could also consider whether any of these matters need to be addressed in legislation.

In relation to pseudonymous records, the discussion paper does not advise how consumers who may wish to obtain such a record would do so under an opt-out system. Also it is not clear how consumers who have already registered for a pseudonymous record would be impacted under an opt-out system, for example if an identified record would automatically be created for them.

We recommend that consumers be informed of the availability of pseudonymous records through the opt-out notifications, and be given sufficient time to register for a pseudonymous IHI before any new records are created. We also recommend that consumers who have already registered for a pseudonymous record be notified about how they will be affected if the system becomes opt-out.

Opt-out transition in trial areas

The OAIC supports the proposal for a staged process to opting-out, where consumers are given a two month period to opt-out, and a further time period when they can set access controls before healthcare providers can access their records.

The discussion paper refers to a proposed mechanism ‘allowing some changes to this timing if necessary’. It is unclear whether this mechanism would just allow the entire opt-out trial period to be brought forward or pushed back, or whether it might also allow the timeframes for each stage to be shortened. Given the privacy impacts of an opt-out approach and the importance of effective and wide-reaching communication, we consider that it is important to have sufficient time frames to allow individuals to make informed decisions.

Individual consent

The discussion paper indicates that it will be impractical for the System Operator to obtain consent to the collection and handling of the health information of those individuals who do not opt out of the PCEHR system. Instead, it is proposed that the legislation will authorise healthcare provider organisations to upload records.

While the System Operator may no longer obtain consumers’ express consent to participate (as the registration of individual and uploading of records in the system will be authorised by law), to mitigate the privacy impacts and give individuals choice and control, the System Operator nevertheless should try to obtain consumers’ implied consent, by giving them adequate opportunity to opt-out of the system. The awareness and education campaign foreshadowed in the discussion paper is critical to this. Consumers should be provided with effective communication about the system and their right to opt-out, including satisfying the following criteria:

  • individuals need to be provided with sufficient information about the eHealth system and their options, and a sufficient opportunity to opt-out

  • the option to opt-out should be clearly and prominently presented

  • it should be likely that consumers have received and read the information about the PCEHR system, the option to opt-out, and how to do so

  • consumers should be given information that clearly explains the implications of not opting-out. This information should also clearly explain the personal controls available to them

  • the material should be accessible, written in plain English and should take into account the needs of consumers with special needs, such as individuals from a non-English speaking background and disadvantaged or vulnerable individuals.

In addition, consumers should be provided with a simple and easy means of opting-out and the ability to do this via different channels.

We support the proposal that consumers will continue to be able to restrict access to their PCEHR via the access controls and to request that specific documents not be uploaded. It is important that consumers retain this right to request that certain documents are not uploaded to their record and we suggest that the obligation on healthcare providers to act in accordance with such a direction should be included in the legislation.

Inclusion of Medicare information

The discussion paper suggests that it is impractical for the System Operator to obtain the consent of all individuals in trial areas who do not opt out. Therefore, it is proposed that in place of consent, for those who do not choose to opt-out, the legislation would authorise up to two years of historical Medicare data to be uploaded, unless the consumer chooses to stop this. The consumer may also subsequently remove this data. The discussion paper proposes that the Chief Executive of Medicare would have the discretion not to upload or make Medicare data available, for example in relation to children aged between 14 and 18.

Medicare automatically uploading data by default without the consumer’s express consent could result in information being shared when the consumer would prefer that it is not. Therefore, we recommend that the awareness campaign clearly inform consumers that this will occur and that this information may include details that indicate diagnosed conditions and illnesses. Additionally, we would welcome clarification on when Medicare will exercise its discretion not to include the data.

Secondary use of information

The discussion paper indicates that there are no proposed changes to how information in the system can be used for secondary purposes.

The System Operator currently has the function under s 15(ma) of the PCEHR Act to prepare and provide de‑identified data for research or public health purposes. The discussion paper indicates that information in the PCEHR system is not currently used for this purpose, but as the volume of information grows, proposed processes, systems and protections for this to occur will be consulted on and implemented.

The discussion paper suggests that consumers may also provide consent for a researcher to collect and use the information in their PCEHR. We note that only registered ‘participants’ are permitted to access the PCEHR system. We would welcome clarification on how researchers could practically collect information from PCEHRs.

Registering individuals in opt-out trials

It is unclear from the discussion paper what will happen to the personal information of trial participants at the end of the opt-out period, if the Government decides not to adopt an opt-out system nationally. Will the records of those individuals be destroyed? If not, would the information in those records be effectively removed, but still retained for the standard retention period (proposed in the discussion paper to become 30 years after the consumer’s death or 130 years from their date of birth if the former is unknown)?

The OAIC recommends the Department of Health consider these issues and ensure that the legislation clearly defines what will happen to the information in such circumstances. We also recommend that trial participants be notified about what will happen to their personal information if the opt-out approach is not extended beyond the trial sites.

Registering healthcare providers in opt-out trials

The discussion paper indicates that under the trials, education and training services will be made available for healthcare provider organisations, to encourage them to use the PCEHR system. We recommend that these education and training services include information about healthcare providers’ privacy obligations under the system. The OAIC can assist with this.

3.4 Obligations of parties

3.4.1 Obligation to enter into participation agreement

The discussion paper proposes that healthcare provider organisations, contracted service providers, repository operators and portal operators will no longer be required to enter into participation agreements. Where necessary, PCEHR system requirements currently outlined in the participation agreements would be transferred into the legislation.

The OAIC supports transferring key obligations from participation agreements to legislation. However, including these obligations in legislation rather than an agreement may reduce the awareness of these obligations among some participants. We therefore think it is important that these participants are informed of their obligations in an alternative way, such as through a registration booklet or other guidance.

Data breach notifications

The OAIC currently has the role of receiving breach notifications from registered repository operators, registered portal operators and the System Operator, and can seek a civil penalty if a registered repository operator or registered portal operator does not report a notifiable data breach.

We generally support the extension of data breach notification provisions to healthcare provider organisations and contracted service providers, and amendments to ensure consistency and clarity in the operation of the provisions. Establishing effective mandatory data breach notification provisions can provide a strong incentive for participants in the PCEHR system to establish and maintain appropriate information handling practices and data security protections.

The existing data breach notification provisions require registered repository operators, registered portal operators and the System Operator to report all notifiable data breaches which directly involved, may have involved, or may involve them. There is currently no ‘threshold test’ regarding the seriousness or the outcome of the breach. Consideration may need to be given to the appropriate notification threshold for any expanded data breach notification provisions, to who is responsible for notifying affected individuals (for example, the System Operator or healthcare provider organisations) and to when affected individuals should be notified. In the context of the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015, we note that the Australian Government has agreed to introduce a mandatory data breach notification scheme.[4] It will be appropriate to consider how this proposal is being implemented in developing changes to s 75 of the PCEHR Act.

We understand that under the existing participation agreements, healthcare provider organisations and contracted service providers must report data breaches to the System Operator. If the PCEHR Act is amended to extend the requirement to report data breaches to include healthcare provider organisations and contracted service providers, we suggest that consideration be given to requiring these participants to notify both the System Operator and the Information Commissioner. Notifying the Information Commissioner of a data breach enables the OAIC to provide general advice about applicable obligations under the Privacy Act and to suggest steps to respond to it and to prevent similar future incidents. We will also be able to respond to community enquiries about the breach and explain possible steps that individuals can take to protect their personal information.

We support the proposal to make amendments to clarify when data breach notification must occur. We would welcome the opportunity to review and comment on the proposed amendments at an early stage, given the Information Commissioner’s role in relation to data breach notification provisions in the PCEHR Act.

Breach notification by AHPRA

The HI Act does not contain breach notification provisions, and AHPRA is neither a ‘participant’ under the PCEHR Act nor an APP entity under the Privacy Act. Therefore there is the risk that AHPRA may become aware of a data breach involving its records of HPI-Is that could significantly affect the integrity of PCEHR records and not be required to notify either the System Operator or the OAIC. Therefore, we suggest consideration be given to requiring AHPRA to report relevant data breaches.

3.4.2 Centralising and simplifying participant obligations

The OAIC supports the proposal to extend the application of s 78 of the PCEHR Act (requiring compliance with PCEHR Rules) to all participants in the PCEHR system.

In addition, we recommend that the Rules should impose security requirements on registered repository operators and portal operators similar to those imposed by the PCEHR Rules on healthcare provider organisations, given there are no information security provisions in the PCEHR Act.

We also suggest that consideration be given to ensuring s 78 applies to all participants in the PCEHR system, including state and territory authorities.

3.4.3 Obligation for organisations to have PCEHR policy

The OAIC supports amendments to the PCEHR Rules to require all participants to address data quality in their policies.

The current participation agreements contain some specific requirements around data quality. Given the proposal to abolish participation agreements, we are concerned the remaining framework around data quality will be less robust (given the Rules do not provide detail about how data quality should be protected). We therefore also suggest the Rules include a requirement that reflects APP 10 in the Privacy Act, noting that not all PCEHR system participants will necessarily be APP entities (such as State and Territory agencies). APP 10 requires APP entities to take reasonable steps to ensure the personal information they collect, use or disclose is accurate, up-to-date and complete.

3.4.4 Obligations on authorised and nominated representatives

The proposal to require authorised and nominated representatives to consider the will, preferences and rights of the individual when making a decision and to perform their role diligently and in good faith is consistent with good privacy practice.

However, the OAIC raised concerns about the use of terminology to describe representatives in a submission to the Australian Law Reform Commission Discussion Paper 81: Equality, capacity and disability in Commonwealth laws. Specifically, we raised concerns that adopting ‘supporter’ and ‘representative’ terminology in place of the current terminology could create confusion and additional complexities within the PCEHR system. We would appreciate advice on whether there is an intention to implement in full the proposals outlined in Recommendation 6-3 of the ALRC’s Report 124.

3.4.6 Obligations to use PCEHR system

The OAIC agrees that care would need to be taken in the development of any changes that make payment for Medicare items relating to health assessments, comprehensive assessments, mental healthcare plans, medication management reviews and chronic disease planning items depend on the uploading of specific documents to the PCEHR system. If the upload of records is incentivised, there is a risk that healthcare providers will upload records that a consumer feels are sensitive and may not give patients enough opportunity to request that documents not be uploaded.

If such changes were made to the Health Insurance Regulations 1975, it would need to be made clear to healthcare providers that individuals may direct them not to upload a document and that there would be no financial penalty to them for complying with that direction. Such guidance could perhaps be included in the incentives information provided to healthcare providers.

3.4.8 Obligation for System Operator to retain records

The OAIC supports the proposal to reduce the time that consumer records uploaded to the National Repositories Service (NRS) must be retained. However, we query whether it is necessary for records to be retained in the NRS for 30 years after the death of the individual or, if the date of death is not known, for 130 years from the individual’s date of birth. Consideration should be given to whether the clinical and other authorised purposes would be satisfied if records are retained for a shorter period, particularly if the PCEHR system becomes opt-out. Also, consideration should be given to whether holding records for that period is necessary and proportionate to those purposes.

A shorter retention period would be consistent with APP 11, which states that where an entity holds personal information it no longer needs for a purpose permitted under the APPs, it must take reasonable steps to destroy or de-identify the information (APP 11.2). A shorter retention period would better align with the destruction timeframes that apply to the majority of Commonwealth records as regulated under the Archives Act 1983 (Cth)

We also query whether a consumer’s PCEHR is deactivated once the System Operator becomes aware of that consumer’s death, or whether it will still be accessible to healthcare providers and/or authorised or nominated representatives. We suggest that the record to be deactivated once the System Operator becomes aware that the consumer is deceased.

3.4.9 Obligation for System Operator to provide system testing

The OAIC supports test environments being available to vendors and other stakeholders so they have an opportunity to test how systems operate and interact before they are implemented. Creating a test environment that does not use any real information and is isolated from the live system reduces the risk that personal information will be used for system testing, which is not authorised under the PCEHR Act.

3.5 Privacy

3.5.1 Notification of PCEHR use

The OAIC supports the proposal for new functionality in the system allowing individuals to choose to be notified when their PCEHR is opened or used. This will enhance the ability of consumers to control access to their PCEHR. We recommend the System Operator give individuals the option of choosing which channel they prefer – SMS or email, or both.

3.5.3 Collection, use and disclosure of information

The OAIC notes the proposal to amend the personal information handling provisions to move away from a prescriptive approach towards a more principles-based approach. We welcome the fact these changes are not intended to change the nature of the authorisations.

The sensitivity of the information held in the eHealth record system is an argument in favour of prescriptive personal information handling requirements. However, we note the statement in the discussion paper that the current approach ‘has left some entities confused about what they can and cannot do’. The discussion paper also suggests the current provisions have ‘created barriers to the effective operation of the HI Service and PCEHR system.’ We would be interested to understand what barriers the Department is seeking to overcome.

We would like the opportunity to review the revised provisions to help ensure they provide appropriate and effective protection for the personal information in the PCEHR system.

The discussion paper proposes to clarify certain authorisations and provide some new authorisations to improve the effectiveness of the PCEHR system and HI Service (which are described further in Section 3.5.3 of the paper). We welcome the intention not to relax the privacy framework for the respective systems, but otherwise look forward to the opportunity to review the proposed changes.

Third party information

Public Interest Determinations (PIDs) 12 and 12A made under the Privacy Act authorise private sector health service provider organisations to collect health information about third parties, where the information is necessary to provide a health service to a patient and that information is relevant to the patient’s family, social or medical history.[5] However, the terms of these PIDs are limited to collection by organisations.

We therefore agree with the proposal to clarify in the legislation that healthcare providers may include third party personal information in a record uploaded to the PCEHR system, and that the System Operator is authorised to collect the information in the record for inclusion in the individual’s PCEHR.

Healthcare Provider Directory (HPD)

We support the proposal to remove the need for organisations to provide consent before they are listed in the HPD, to the extent the information is not personal information. However, it is not clear in the discussion paper how this will work in the case of organisations that are sole provider organisations (and have an HPI-I and HPI-O). Information about sole provider organisations is classed as personal information under the Privacy Act, so the System Operator must comply with the Act when handling this information. We suggest clarification of the position in relation to sole provider organisations.

Also, if the HPD contains other types of personal information associated with HPI-Os, such as the contact details of a HPI-O’s Organisation Maintenance Officer, we suggest the System Operator seek consent before including this information in the HPD.

Handling of healthcare identifiers by prescribed entities

The discussion paper proposes a mechanism which would allow health-related organisations to be listed in regulations so that they are permitted to handle healthcare identifiers and associated information as part of assisting organisations in their registration and participation in the PCEHR system.

The discussion paper does not mention which types of healthcare identifiers this proposal is referring to. We understand from the HI Act Review Report that this recommendation was intended to apply to HPI-Is in the context of handling by Primary Healthcare Networks and we can see why this would be useful.[6] However, the discussion paper suggests that additional types of health-related organisations could be prescribed. The creation of such a regulation mechanism risks allowing function creep over time through increasingly more organisations being authorised to handle healthcare identifiers. Any regulation-making power should be narrowly drafted to minimise this function creep.

The discussion paper also proposes to allow regulations to be made prescribing additional uses of healthcare identifiers to ensure the owners of ‘certain other records’ are accurately identified. It states that any additional uses of healthcare identifiers would be tightly restricted – for example, for use in records relating to the provision of healthcare or for closely-related purposes. Aged card records and the National Disability Insurance Scheme records are listed as examples.

As with prescribing additional entities, this approach risks function creep in the way healthcare identifiers are used. Given the privacy risks associated with unique identifiers, it is important that healthcare identifiers are not permitted to be used beyond their original intention without sufficient consultation and scrutiny.

Assuming the power to prescribe additional entities and uses is created, we suggest that a provision be added to the HI Act requiring the Department to consult with stakeholders, including a specific requirement that the Information Commissioner be consulted in the making of the regulation, before making such regulations. In addition, we recommend that the Department undertake a privacy impact assessment before prescribing additional entities and uses.

Information Commissioner’s use of healthcare identifiers

The OAIC has powers under the Privacy Act to collect and use information to investigate complaints and conduct assessments. However, we support the proposal to provide legislative authority to clarify the OAIC’s ability to handle healthcare identifiers and associated information as part of carrying out all of its functions under the Privacy Act and HI Act. We suggest any change also make explicit the OAIC’s authority to collect and use personal information contained in the PCEHR system, where this is necessary to carry out its functions under the Privacy Act and HI Act.

Healthcare provider organisations’ use of healthcare identifiers

We support the proposal to authorise the HI Service Operator to disclose the status of HPI-Is and their identifying information to the organisation(s) they are part of. The purposes for which HPI-Is and their identifying information may be disclosed, and the parties it may be disclosed to should be restricted under the HI Act.

Healthcare identifier searching capabilities

We generally support the proposal to help the HI Service Operator verify the identity of the correct individual in order to disclose an individual’s IHI to their healthcare provider. However, care needs to be taken to ensure that the accuracy of health records is not compromised by setting the bar too low for identity verification. It is important that identity verification procedures remain robust to ensure information is matched with the correct IHI and to ensure information is not improperly disclosed. We look forward to being consulted on the draft legislative amendments to implement this proposal.

Retaining information for security purposes

The discussion paper states that the System Operator is currently prevented from undertaking certain security activities. It is unclear from the discussion paper what those activities are. We recommend the System Operator clarify precisely what security activities it is prevented from undertaking, the purpose of those activities, and why it believes it is unable to perform them under the existing provisions. We look forward to seeing the details of what is being proposed in this section and to being consulted on the draft legislative amendments.

Although the proposal under this section appears to relate to the collection, use and disclosure of information for security purposes, the title of this section refers to ‘Retaining information for security purposes’. The System Operator should clarify whether this proposal is also intended to relate to the retention of information.

Handling by Australian Health Practitioner Regulation Agency (AHPRA)

We support the proposal to enable the HI Service Operator to disclose information relating to data errors to AHPRA, which will improve the quality of data held by AHPRA.

3.5.4 Penalties for misuse of information

The OAIC understands that consideration is being given as to whether:

  • criminal penalties should be included in the PCEHR Act (in addition to the existing civil penalties)
  • criminal penalties in the HI Act should either be removed and replaced with civil penalties, or supplemented by the addition of civil penalties.

We suggest caution in relation to the statement in the discussion paper that ‘Healthcare identifiers are simply a number. They do not contain any health information’. This statement underestimates the privacy risks associated with unique identifiers issued to individuals for life, such as the healthcare identifier. These risks arise from the fact that the identifier is used to match or link records of personal information held by different agencies and organisations, and mean that detailed information about an individual can be accessed using the identifier. In the case of healthcare identifiers, they are a building block for the PCEHR system and are required in order to access the system and the information it contains.

Tax file numbers (TFNs) are another example of a unique identifier. Reflecting the privacy risks associated with the handling of TFNs, we note that criminal penalties apply to the misuse of TFNs. Consistency in the treatment of unique identifiers is an argument in favour of retaining criminal penalties in relation to healthcare identifiers.

In relation to the PCEHR system, we would support criminal penalties (in addition to civil penalties) for unauthorised use or disclosure of information in the PCEHR system, where these relate to sufficiently serious misconduct, but would appreciate the opportunity to comment further on any proposed offences.

If criminal penalties are not supported, we note that a civil penalty regime is a strong regime that in itself provides a significant incentive to comply with the legislation. In addition, together with the OAIC’s other powers including complaint conciliation, enforceable undertakings and determinations, civil penalties complete an existing graduated range of enforcement options.

3.6 Reviews

3.6.1 Review of the legislative changes

The OAIC supports the proposal for an independent review to be conducted two years after the proposed legislative changes are made, to ascertain whether they have achieved the desired results and identify whether any other issues need to be addressed.

3.6.2 Privacy Assessments of AHPRA

The OAIC supports the proposal for changes to be made to ensure the Information Commissioner can conduct assessments and carry out investigations of AHPRA in respect of its handling of healthcare identifiers. The overwhelming majority of HPI-Is issued to healthcare providers have been issued by AHPRA, which is also responsible for providing the personal information of those healthcare providers to the HI Service Operator for inclusion in the PCEHR database.


[1] See s 12 of the Australian Information Commissioner Act 2010.

[2] See the OAIC Submission on the Draft Concept of Operations: Relating to the introduction of a personally controlled electronic health record (PCEHR) system, paragraph 34.

[3] This issue was raised in the submission of NSW Centre for the Advancement of Adolescent Health in response to the Senate Inquiry into the provisions of the Personally Controlled Electronic Health Records Bill 2011 and a related bill.

[4] The Australian Government has responded to the inquiry of the Parliamentary Joint Committee on Intelligence and Security (PJCIS) into the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014

[5] Under s 72 of the Privacy Act

[6] Healthcare Identifiers Act and Service Review Report, pages 23-24

Was this page helpful?

Thank you.

If you would like to provide more feedback, please email us at websitefeedback@oaic.gov.au