Australian Government - Office of the Australian Information Commissioner - Home

Healthcare Identifiers Service — Department of Human Services — Audit Report

Information privacy principles audit
Section 27(1)(h) Privacy Act 1988

Audit undertaken: June / July 2011
Revised report issued: October 2011
Final report issued: August 2012

On this page

  1. Part 1 — Introduction
    1. Background
  2. Part 2 — Description of audit
    1. Purpose
    2. Overview
    3. Scope
    4. Timing and location
    5. Information obtained during the audit
    6. Opinion
    7. Follow up review
    8. Reporting
  3. Part 3 — Audit issues
    1. General Legislative provisions relating to the handling of HPI-Is
    2. IPPs 1-3 : Collection of personal information
    3. IPP 4 Issues: Storage and security of personal information
    4. IPP 6 Issues – Access to records containing personal information
    5. IPPs 7 & 8 Issues – Alteration of records containing personal information & Accuracy of personal information used
    6. IPP 10 - 11 Issues: Limits on the use and disclosure of personal information
  4. Part 4 — Summary of recommendations
  5. Part 5 — Summary of best privacy practice suggestions
  6. Appendix A — Information Privacy Principles
    1. Principle 1 — Manner and purpose of collection of personal information
    2. Principle 2 — Solicitation of personal information from individual concerned
    3. Principle 3 — Solicitation of personal information generally
    4. Principle 4 — Storage and security of personal information
    5. Principle 5 — Information relating to records kept by record-keeper
    6. Principle 6 — Access to records containing personal information
    7. Principle 7 — Alteration of records containing personal information
    8. Principle 8 — Record-keeper to check accuracy etc of personal information before use
    9. Principle 9 — Personal information to be used only for relevant purposes
    10. Principle 10 — Limits on use of personal information
    11. Principle 11 — Limits on disclosure of personal information

Part 1 — Introduction

Background

The government has allocated funding to the Office of the Australian Information Commissioner (OAIC) during 2010-11 and 2011-12 to oversee the handling of healthcare identifiers and the functioning of the Healthcare Identifiers Service Operator (HI Service). This includes providing advice on obligations in relation to healthcare identifiers and liaising with state and territory regulators.

Under the Exchange of Letters funding agreement with DoHA for the period 1 July 2010 to 30 June 2011, the OAIC is required to conduct two audits of the HI Service. This is the OAIC’s second audit for that financial year.

It should be noted that from 1 July 2011, subsequent to the signing of this funding agreement, the Department of Human Services took over management of the HI Service (formerly Medicare Australia, now known as the Medicare Master Program). As such, while the OAIC maintains its agreement with DoHA, DoHA is no longer responsible for the administration of the HI Service.


Part 2 — Description of audit

Purpose

2.1 Part 4 (sections 28 to 30) of the Healthcare Identifiers Act 2010 (the HI Act) makes specific provision for the relationship between the Privacy Act 1988 (Privacy Act) and the HI Act and Healthcare Identifier Regulations 2010 (HI Regs).

2.2 Section 28 of the HI Act provides that an authorisation to collect, use or disclose a healthcare identifier or identifying information under the Act is also an authorisation to perform those acts for the purposes of the Privacy Act.

2.3 Section 29 of the HI Act provides that an act or practice that contravenes the HI Act or the HI Regs is taken to be an interference with privacy for the purposes of the Privacy Act. This effectively equates a breach of the HI Act with a breach of the Privacy Principles. The section also makes it clear that the Commissioner's powers and functions under the HI Act are similar to those conferred on the Commissioner under the Privacy Act.

2.4 The purpose of this audit is to assess whether the HI Service’s handling of healthcare identifier information is in accordance with the HI Act, the HI Regs and the Information Privacy Principles (IPPs) in section 14 of the Privacy Act.

2.5 The audit reviewed the HI Service’s collection, use, disclosure and security processes in relation to healthcare identifier information.

Overview

2.6 The HI Service has been established to implement and maintain a national system for uniquely identifying healthcare organisations, providers and individuals.

2.7 The Service assigns three types of healthcare identifiers:

  • Individual Healthcare Identifier (IHI)—for individuals receiving healthcare services
  • Healthcare Provider Identifier-Individual (HPI-I)—for individual healthcare professionals involved in providing patient care
  • Healthcare Provider Identifier-Organisation (HPI-O)—for organisations (such as hospitals or health clinics) where healthcare is provided.

2.8 While the OAIC’s first audit of the HI Service focussed on the handling of IHI information, this second audit assessed the HI Service’s handling of HPI-Is. This audit report does not assess the auditee’s handling of HPI-O information.

2.9 A recognised individual healthcare provider, as defined in section 9A of the HI Act, is a provider either registered by a registration authority as a member of a health profession, or a member of a professional association that relates to the healthcare that has or is to be provided by that individual and which has uniform national membership requirements.

2.10 The Australian Health Practitioners Regulation Agency (AHPRA) is a national registration authority, within the definitions of sections 5 and 8 of the HI Act. Specifically, AHPRA is responsible for the regulation of the National Registration and Accreditation Scheme across Australia.

2.11 Professions registered by AHPRA include the following:

  • Chiropractic 
  • Dental 
  • Medical 
  • Nursing & Midwifery 
  • Optometry 
  • Osteopathy 
  • Pharmacy 
  • Physiotherapy 
  • Podiatry 
  • Psychology

2.12 The HI Service operator provided AHPRA with 5.1 million HPI-I numbers for assignment to their registrants. These numbers have been quarantined by the HI Service for AHPRA’s use only.

2.13 Individual healthcare providers whose health profession is not covered under AHPRA must complete a registration form and apply directly to the HI Service to obtain their HPI-I. These forms are located on the HI Service Operator’s website.

2.14 As at 30 June 2011, 528 300 HPI-Is were either collected from AHPRA, or assigned to individual healthcare providers who had applied directly to the HI Service Operator. We note that AHPRA is not regulated by the Privacy Act.

2.15 The Chief Executive Medicare fulfils the role of HI Service operator, within the Department of Human Services. The key functions of the HI Service operator are to:

  • collect and use identifying information for the purpose of assigning healthcare identifiers, that is, IHIs, HPI-Is and HPI-Os
  • assign and issue healthcare identifiers
  • allow those authorised to access the Service to retrieve healthcare identifiers
  • keep information associated with healthcare identifiers up-to-date and accurate
  • deactivate or retire health identifiers which are no longer needed.

2.16 The HI Service also maintains a Healthcare Provider Directory (HPD) which allows healthcare providers and authorised employees of HPI-Os to search for and locate providers and organisations in order to facilitate communication. The Healthcare Provider Directory is available to healthcare providers registered with the HI Service with either an HPI-I or both an HPI-I and HPI-O or authorised employees of a HPI-O. 

Scope

2.17 The scope of this audit consists of:

  • the process for assigning HPI-Is
  • the policy and procedures governing the handling of HPI-Is, particularly with respect to data security, data accuracy and access to identifiers
  • general record keeping.

The scope of this audit is limited to reviewing the HI Service’s compliance with the Privacy Act, HI Act and HI Regs, when handling HPI-Is and the identifying information associated with such identifiers.

Timing and location

2.18 The auditors conducted the audit of the HI Service on Thursday 30 June 2011 and Friday 1 July 2011 at 186 Reed Street, Greenway, ACT. 

Information obtained during the audit

2.19 The HI Service provided the following documents, prior to the commencement of the audit:

  • Audit timetable
  • HPI-I Policy document
  • HPI-O Policy document
  • HI Quarterly Release Plan
  • Healthcare Identifier June 2011 PID.

Opinion

2.20 The auditors’ observations show that the HI Service handles identifier information in accordance with the IPPs in the Act.

2.21 The audit team holds the opinion that the HI Service is compliant in meeting its obligations under the Privacy Act.

2.22 The auditors did not identify any privacy risks requiring recommendations from the OAIC.

2.23 The auditors have made a number of best privacy practice suggestions surrounding the handling of HPI-I related information.

Follow up review

2.24 A follow up review may be undertaken after six months has elapsed from the date of the final report or as indicated by the Assistant Commissioner, Compliance.

Reporting

2.25 Final reports of audits of ACT, Australian and Norfolk Island government agencies commenced after 1 July 2002 are generally published on the Office of the Australian Information Commissioner’s website, available at www.oaic.gov.au.

2.26 Information Privacy Principle audit findings and recommendations, as well as best privacy practice across the public sector are also generally discussed in our annual report.


Part 3 — Audit issues

The following findings and best privacy practice suggestions relate to the auditors’ consideration of the HI Service’s handling of healthcare identifier information, in accordance with the HI Act, the HI Regs and the Privacy Act.

The audit assessed whether the HI Service’s procedures adequately address the Department of Human Services’ obligations under the Information Privacy Principles of the Privacy Act.

The IPPs are produced in full in Appendix A.

General Legislative provisions relating to the handling of HPI-Is

3.1 The Chief Executive Officer of Medicare Australia is defined in the Act as the HI Service Operator for the purposes of the Act. On 1 July 2011, legislative amendments commenced which integrated Medicare Australia and Centrelink into the Federal Department of Human Services (DHS). These legislative changes included consequential amendments to the Act which resulted in the Chief Executive Medicare taking over the role of the HI Service Operator from the Chief Executive Officer of Medicare Australia. The amendment to legislation and new executive structure under DHS has no impact on operations of the HI Service.

3.2 The term ‘Service Operator’ under section 5 of the HI Act, refers to the Chief Executive Medicare, as defined in the Medicare Act. The auditors will be using the term ‘HI Service’ in this report, when referring to the Service Operator.

3.3 Under section 9(1)(a) of the HI Act, the HI Service is authorised to assign identifiers to individual healthcare providers recognised by the HI Act.

Sections 27 and 28 of the HI Act outline the relationship between the Privacy Act and the HI Act, specifically:

  • that an authorisation to handle health identifiers and identifying information under the HI Act is also an authorisation to do so under the Privacy Act
  • that a breach of the HI Act is considered an interference with privacy.

IPPs 1-3 : Collection of personal information

IPP 1 provides that personal information shall not be collected unless the collection is for a lawful purpose directly related to the collector’s functions and activities and necessary or directly related to that purpose.

IPP 2 provides that, where a collector solicits and collects personal information directly from an individual, it must inform the individual of the purpose of collection, any legal authorisation or requirement for the collection, and any person, body or agency to which it usually discloses that information.

IPP 3 provides that, where a collector solicits and collects personal information generally it must take steps reasonable in the circumstances to ensure that, having regard to the purpose for which the information is collected, the information is relevant to that purpose, up to date and complete, and that the collection does not intrude to an unreasonable extent on the individuals’ personal affairs.

Observations

Collection – legislative requirements

3.4 In terms of the collection of personal information, section 7(1) of the HI Act sets out the identifying information that can be collected by the HI Service from an individual healthcare provider for performing functions under the HI Act.  This includes:

  • the name of the healthcare provider
  • the address of the healthcare provider
  • the date of birth, and the date of birth accuracy indicator, of the healthcare provider
  • the sex of the healthcare provider
  • the type of healthcare provider that the individual is
  • if the healthcare provider is registered by a registration authority—the registration authority's identifier for the healthcare provider and the status of the registration (such as conditional, suspended or cancelled).

3.5 Regulation 5 of the HI Regs permits the collection of an email address, a phone number and a fax number.

Lawful purpose directly related to the collector’s functions and activities

3.6 The auditors were informed that the HI Service collects identifying information from healthcare providers for the purpose of assigning identifiers (HPI-Is) to individual healthcare providers.

3.7 The auditors were also informed that the HI Service’s collection of identifying information from individual practitioners includes practitioner name, date of birth, address and proof of registered profession.

3.8 Further, the HI Service’s healthcare identifier Policy document FR.POLHPI-IPL100 states at 1.2.3 that ‘the following mandatory information must be included in the web service request when creating a new HPI-I record’:

  • name details
  • personal details, including sex and date of birth
  • address details
  • provider details including specialty information
  • electronic communication details.

3.9 The auditee has advised that an HPI-I search of the Healthcare Provider Directory will return results including the HPI-I number, preferred name and preferred address.  Other details which may also be returned as part of a search are the healthcare provider’s contact details, provider type and sex. We note that this information is consistent with the information that the HI Service is authorised to collect under section 7(1) of the HI Act and section 5 of the HI Regs.

3.10 In practical terms, the HI Service collects identifying information from healthcare providers by having them complete an ‘application to register a healthcare provider’ form (the application form).

3.11 The application form requests personal information including:

  • given name and family name, as well as the individual’s title and any suffix
  • date of birth
  • sex
  • business address and postal address, if different to the business address
  • phone number/s, fax and pager numbers
  • email address.

Notice provided where information is collected directly from an individual

3.12 The application form also contains a privacy notice informing health providers of the purpose for which the HI Service is collecting the information, the legislation authorising this collection and circumstances under which the HI Service may use and disclose the information.

Steps to ensure collected information is relevant, up to date and complete

3.13 In addition to identifying information, the application form also provides that a healthcare provider must submit copies of original documents verifying the applicant’s identity (EOI documents). The copies must be certified by an acceptable referee.

3.14 With reference to the auditee’s powers to collect EOI documents, the auditee has informed the auditors that it is authorised to collect this information under section 9B of the HI Act, which provides that the ‘(HI Service) may request an individual healthcare provider to provide (…) information that shows that section 9A applies to the healthcare provider’. Section 9A of the HI Act refers to a healthcare provider’s professional registration status or membership in a professional association.

3.15 The auditee also advised that it collects HPI-I registration data from two sources:

  • directly from the healthcare practitioner, or
  • where a healthcare provider belongs to one of the ten professions registered by AHPRA, the information is collected from AHPRA Registration data received directly from AHPRA and is processed through the HI Service’s eHealth Program (EHP).

3.16 The EHP is purpose-built to validate and reject identically matched data as this indicates a possible duplicate. AHPRA will then be advised of the exact match and asked to either check its records or send updates to the existing record.

Steps to ensure collection is not unreasonably intrusive

3.17 In cases where HPI-Is are not allocated by AHPRA, it is the responsibility of the healthcare provider to request an identifier number from the HI Service. This suggests that healthcare providers voluntarily submit their personal information to the HI Service and the collection process is an open and transparent one.

3.18 Further, where the collector is requesting information about the healthcare provider, for example, in cases where identifiers are assigned by AHPRA, the personal information is collected directly from the individual health provider. This again ensures that the collection process is as open and transparent as possible.

Privacy issues

3.19 The auditors noted only one privacy issue concerning the collection of information by the HI Service and this relates to the EOI process. While the collection of EOI documents enables the HI Service to verify the identity of healthcare providers, collecting EOI documents often means that the HI Service may collect data such as driver’s licence numbers, organ donor status, licence class and conditions, as well as photographic images, if, for example, collecting driver’s licence information.

3.20 There were no further privacy issues noted by the auditors in terms of the HI Service’s compliance with IPPs 1, 2 and 3, as:

  • the HI Service’s collection of information is consistent with its purpose under the HI Act
  • the HI Service’s policy and practices comply with the limitations imposed by both the HI Act and HI Regs with reference to the collection of identifying information
  • the HI Service provides individuals with an IPP 2 notice prior to collecting personal information directly from them
  • the HI Service has systems in place to ensure the relevance and accuracy of the personal information it collects from third parties.

Recommendations

3.21 The auditors have made no privacy recommendations to the auditee for this part of the privacy performance assessment.

Best privacy practice suggestion

3.22 The auditors note that on some occasions EOI documentation may contain additional information that is not required by the HI Service (e.g. donor status). In these cases it is suggested that the additional information is redacted after collection.

IPP 4 Issues: Storage and security of personal information

IPP 4(a) A record-keeper who has possession or control of a record that contains personal information shall ensure the record is reasonably protected against loss, against unauthorised access, use, modification or disclosure, and against other misuse.

IPP 4(b) If it is necessary for the record to be given to a person in connection with the provision of a service to the agency, everything reasonably within the agency's power should be done to prevent unauthorised use or disclosure of the information contained in the record.

Observations

Security and storage – legislative requirements

3.23 Section 27 of the HI Act provides for the protection of healthcare identifiers from misuse, loss, modification or disclosure.

3.24 Section 26 of the HI Act also provides that unauthorised use or disclosure of a healthcare identifier is an offence. The HI Act provides penalties of up to 2 years imprisonment, 120 penalty units [where one penalty unit equates to $110 under the Crimes Act 1914 (Cth)], or both.

HI Service security policy

3.25 The HI Service has a security policy for healthcare identifier information. Policy document FR.POLSECPL100 outlines the HI Service’s protocol for releasing an HPI-I number to a healthcare provider. In particular, the Policy provides that:

  • a security check will be conducted on the provider prior to releasing any information
  • the provider’s HPI-I number will be requested. If the provider cannot supply this number, their personal demographics will be requested
  • the HI Service provider database will be checked to find the record to verify the provider’s identity and eligibility to request their own HPI-I
  • where an exact match is found to the demographics provided, the HPI-I number will be disclosed to the provider
  • where an exact match is not found, the provider will be advised there is no record.
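The two places where the report describes an exact-match rule, the EHP rejecting identically matched incoming data as a possible duplicate (3.16) and the FR.POLSECPL100 release protocol that discloses an HPI-I only on an exact demographic match and otherwise answers ‘no record’ (3.25), can be illustrated together. The following is an added example, not HI Service or DHS code; the demographic field set, the normalisation applied before comparing, the identifier strings and the sample records are all assumptions constructed for the illustration.

```python
"""Exact-match handling for HPI-I records, as described in the audit report.

Added illustration, not HI Service or DHS code. It models two checks the
report describes: the eHealth Program rejecting an incoming record that
exactly matches an existing one as a possible duplicate (3.16), and the
FR.POLSECPL100 release protocol, under which an HPI-I is read back only when
the supplied demographics exactly match one record and every other outcome
is answered with "no record" (3.25). The field set, normalisation rules,
identifier strings and sample records are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Demographic fields compared for an "exact match" (assumed set; the report
# lists name, date of birth and sex among the identifying information).
DEMOGRAPHIC_FIELDS = ("family_name", "given_name", "date_of_birth", "sex")

# One fixed response for every non-match, so a caller cannot tell a near
# miss from a provider who is simply not on file.
NO_RECORD = "no record"


@dataclass(frozen=True)
class ProviderRecord:
    hpi_i: str            # constructed placeholder, not a real identifier format
    family_name: str
    given_name: str
    date_of_birth: str    # ISO date text, e.g. "1970-01-01"
    sex: str


def demographic_key(fields: Dict[str, str]) -> Tuple[str, ...]:
    """Canonicalise demographics so that case and stray whitespace do not
    defeat an exact comparison. Nothing fuzzier is done on purpose: the
    policy is exact match or nothing."""
    return tuple(str(fields.get(f, "")).strip().casefold() for f in DEMOGRAPHIC_FIELDS)


def record_key(record: ProviderRecord) -> Tuple[str, ...]:
    return demographic_key({f: getattr(record, f) for f in DEMOGRAPHIC_FIELDS})


class HpiiStore:
    """In-memory stand-in for the HI Service provider database."""

    def __init__(self, records: List[ProviderRecord]) -> None:
        self._by_key: Dict[Tuple[str, ...], List[ProviderRecord]] = {}
        for r in records:
            self._by_key.setdefault(record_key(r), []).append(r)

    def validate_incoming(self, incoming: ProviderRecord) -> Tuple[bool, str]:
        """3.16: identically matched data is rejected as a possible duplicate.
        The caller would then refer it back to the source to check its
        records or to send an update against the existing record."""
        existing = self._by_key.get(record_key(incoming))
        if existing:
            return False, f"possible duplicate of existing record {existing[0].hpi_i}"
        self._by_key.setdefault(record_key(incoming), []).append(incoming)
        return True, "accepted"

    def release_hpii(self, demographics: Dict[str, str]) -> str:
        """3.25: disclose the HPI-I only on an exact demographic match with a
        single record; otherwise answer NO_RECORD. The preceding security
        check on the caller is outside this function."""
        matches = self._by_key.get(demographic_key(demographics), [])
        if len(matches) != 1:
            # No match, or an ambiguous match (two records with identical
            # demographics): neither is an exact match to one provider.
            return NO_RECORD
        return matches[0].hpi_i


# Constructed sample data (not real providers or identifiers).
SAMPLE_RECORDS = [
    ProviderRecord("CONSTRUCTED-0001", "Citizen", "Jane", "1970-01-01", "F"),
    ProviderRecord("CONSTRUCTED-0002", "Citizen", "John", "1980-02-02", "M"),
]


def build_sample_store() -> HpiiStore:
    return HpiiStore(SAMPLE_RECORDS)


if __name__ == "__main__":
    store = build_sample_store()
    # Exact match after normalisation: identifier is released.
    print(store.release_hpii({"family_name": " citizen ", "given_name": "JANE",
                              "date_of_birth": "1970-01-01", "sex": "f"}))
    # One field off: same answer as for someone not on file at all.
    print(store.release_hpii({"family_name": "Citizen", "given_name": "Jane",
                              "date_of_birth": "1970-01-02", "sex": "F"}))
    # Incoming record identical to an existing one is rejected.
    print(store.validate_incoming(
        ProviderRecord("CONSTRUCTED-0003", "Citizen", "Jane", "1970-01-01", "F")))
```

The point of keeping a single `NO_RECORD` response for a near miss, an absent record and an ambiguous match is that the release channel then confirms nothing beyond the one record the caller already fully described.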

3.26 FR.POLSECPL100 sets out the limited scope of transactions which healthcare providers may perform over the phone. These include:

  • confirmation of their own healthcare identification number
  • confirmation of the HPI-O number the individual provider is linked to
  • amendments to non-identifying details such as phone number, address
  • request for linking an existing PKI certificate for HI access.

3.27 The policy document states, however, that where healthcare providers request amendments to identifying information such as the individual provider’s name, date of birth, sex or qualifications, the provider must have proof of change.

3.28 The Auditors noted that policy document FR.POLSECPL100 also uses the term ‘non-identifying information’, when referring to an HPI-I recipient’s name and address. 

Physical storage and security processes

3.29 A range of physical security measures are in place at the HI Service’s premises, which the auditors observed while on location.

3.30 Each visitor to the building is asked to sign the visitor's log book by noting their name, the date and the organisation they represent.

3.31 An HI Service representative meets visitors in the secure lobby of the building and presents them with visitor badges. Also, staff members in the HI Service’s offices escort guests both on and off the secure lifts leading onto the premises.

3.32 The standard procedures in place require that visitors be escorted at all times by staff while they are in the HI Service work area. This ensures office areas containing personal or sensitive information are not accessed by non-staff members without an escort being present, thereby reducing the risk of personal information being improperly accessed.

3.33 Visitors are asked to return their visitor badges each time they leave the premises and are escorted out of the secure lobby by at least one staff member.

3.34 In terms of storing personal information, the HI Service advised that all hard copy application forms they receive are stored in locked cabinets and held in two locations in Melbourne and Canberra.

3.35 Further, mailouts of HPI-I numbers include a minimum amount of information, being the HPI-I number itself and the provider name and address, to ensure the security of the provider’s identifying information.

IT security and storage processes

3.36 The auditors observed that the auditee’s computer terminals are password protected.

3.37 In addition, the auditee has advised that all programs and applications on its system have individual user names and passwords. Each password has a different expiry date and users are unable to utilise the same password for all systems at the same time.

3.38 Policy document FR.POLAUDPL03 outlines the processes surrounding the creation, access, updating or deletion of HI records and the HI Service’s capability to record, audit and monitor system log entries.

3.39 The document specifies, as part of its purpose, that audit trails and logs will provide the HI Service with a means to accomplish security-related objectives such as individual accountability, reconstruction of events, intrusion detection and problem identification. HI Service compliance to this policy is mandatory.

3.40 Access to the HI Service’s testing environment is limited and staff must satisfy security clearance requirements prior to commencing their employment.

3.41 Altogether, approximately 12 staff members can access personal information stored on the system. Of these:

  • tier 2 staff are able to access application forms and the HI Service’s database
  • tier 3 staff are limited in number and have access to the audit log, showing staff access to records and the frequency of this access.
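Policy document FR.POLAUDPL03 (3.38–3.39) describes a system log of record creation, access, updating and deletion that supports individual accountability and reconstruction of events, and 3.41 notes that tier 3 staff can see which staff accessed records and how often. The following added example shows one way such a log can be summarised into that view; it is not HI Service code, and the log line format, the staff and record identifiers and the review threshold are assumptions constructed for the illustration.

```python
"""Summarising an HI record audit log by staff member.

Added illustration, not HI Service code. The line format, identifiers and
threshold below are constructed assumptions; the report does not specify
the real log format.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed line format: ISO timestamp, staff id, action, record id.
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"(?P<staff>[A-Za-z0-9_-]+) "
    r"(?P<action>CREATE|ACCESS|UPDATE|DELETE) "
    r"(?P<record>[A-Za-z0-9_-]+)$"
)

# Constructed sample log; all identifiers are placeholders.
SAMPLE_LOG = """\
2011-06-30T09:01:10 staff-t2-01 ACCESS REC-0001
2011-06-30T09:02:44 staff-t2-01 ACCESS REC-0002
2011-06-30T09:03:01 staff-t2-01 UPDATE REC-0002
2011-06-30T09:10:00 staff-t2-02 ACCESS REC-0003
2011-06-30T09:11:30 staff-t2-02 ACCESS REC-0001
this line is malformed and must be reported, not silently dropped
2011-06-30T09:12:00 staff-t2-02 ACCESS REC-0004
2011-06-30T09:12:05 staff-t2-02 ACCESS REC-0005
2011-06-30T09:12:09 staff-t2-02 ACCESS REC-0006
2011-06-30T10:00:00 staff-t2-03 DELETE REC-0007
"""


def parse_log(text: str) -> Tuple[List[dict], List[str]]:
    """Return (parsed entries, malformed lines). Malformed lines are kept
    and reported because a log that silently loses entries cannot support
    reconstruction of events."""
    entries, bad = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LOG_LINE.match(line)
        if m:
            entries.append(m.groupdict())
        else:
            bad.append(line)
    return entries, bad


def access_frequency(entries: List[dict]) -> Dict[str, Counter]:
    """Per staff member, how many times each action was performed."""
    freq: Dict[str, Counter] = defaultdict(Counter)
    for e in entries:
        freq[e["staff"]][e["action"]] += 1
    return dict(freq)


def records_touched(entries: List[dict]) -> Dict[str, List[str]]:
    """Per staff member, the distinct records touched in first-seen order:
    the 'who saw what' view the report attributes to tier 3 staff."""
    seen: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        if e["record"] not in seen[e["staff"]]:
            seen[e["staff"]].append(e["record"])
    return dict(seen)


def over_threshold(entries: List[dict], max_accesses: int) -> List[str]:
    """Staff whose ACCESS count exceeds an assumed review threshold; the
    number itself is a policy choice the report does not specify."""
    freq = access_frequency(entries)
    return sorted(s for s, c in freq.items() if c["ACCESS"] > max_accesses)


if __name__ == "__main__":
    entries, bad = parse_log(SAMPLE_LOG)
    print(access_frequency(entries))
    print(records_touched(entries))
    print("for review:", over_threshold(entries, max_accesses=4))
    print("malformed lines:", bad)
```

Keeping the per-action counts and the per-record list separate matters: the former answers the accountability question (how often), the latter the reconstruction question (which records), and the malformed-line list shows whether the log itself can be trusted for either.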

3.42 Where large quantities of information, such as batch search information, must be provided to the HI Service by mail, the auditee provides the relevant organisation with Kingston memory sticks, which are secure portable USB devices.

3.43 The memory sticks are encrypted and use a password protection system, which ensures that the device locks down if incorrect passwords are entered three consecutive times.

3.44 After use, the auditee deletes the information received on the memory stick, ready for re-use. Checks are run by the auditee, to ensure the data is deleted.

3.45 The secure transfer of information via the HI Service network is overseen by an external committee, known as the HI Service Compliance, Conformance and Accreditation Governance Group (CCAGG), which ensures clinical data safety and testing standards are adequately met.

Destruction of records

3.46 The auditors were informed that information relating to healthcare identifiers may be retained indefinitely, even where these records are listed as deceased, retired or expired. Policy document FR.POLAUDPL03 confirms this, stating that the details of all deceased, retired and expired HI records will be stored in the HI Service System log.

3.47 The document further provides, however, that ‘all transactions occurring on a HI record and recorded on the System log will be archived after seven years’.

3.48 When questioned, the auditee advised that funding has only been provided by the National E-Health Transition Authority (NEHTA) for the first two years of operation of the HI Service. While all records have been stored for archiving, they are kept separately from other Medicare records, so that they can be easily identified and transferred if the need arises.

3.49 The auditee advised that there is no separate policy about how long the HI Service will be retaining the records. While DHS policy requires that records be kept for seven years before destruction, if Medicare does not continue as the HI Service operator after its contract expires, it may need to transfer all or some of the HI Service records to the new operator.

Privacy issues

There were no privacy issues noted by the auditors in terms of the HI Service’s compliance with IPP 4, as:

  • the HI Service’s policy and practices comply with the requirements of the HI Act and IPP 4
  • the auditee demonstrated that it has reasonable steps in place to protect the personal information it holds against loss, unauthorised access, use, modification or disclosure, and against other misuse, and
  • the auditee has adequate physical and virtual storage systems for the personal information it holds.

Recommendations

3.50 The auditors have made no privacy recommendations to the auditee for this part of the privacy performance assessment.

Best privacy practice suggestions

3.51 The auditors suggest the auditee may wish to review its use of the term ‘non-identifying information’, when referring to an HPI-I recipient’s name and address, in policy document FR.POLSECPL100. Since the HI Act and HI Regs specifically include a healthcare provider’s name and address in its definition of identifying information, this terminology may be confusing.

3.52 The auditors also query this document’s reference to healthcare providers requesting ‘amendments to identifying information such as (…) date of birth’. The auditors note that there does not appear to be a plausible situation in which an individual could show proof of change of date of birth. The auditors therefore suggest that the auditee perhaps refer to this as amending an incorrect or inaccurate date of birth, rather than amending one’s date of birth through a proof of change process.

3.53 The auditors suggest the HI Service seek advice from DHS regarding the record destruction policy that should apply to information collected for HI Service activities. 

IPP 6 Issues – Access to records containing personal information

IPP 6 Where a record-keeper has possession or control of a record that contains personal information, the individual concerned shall be entitled to have access to that record, except to the extent that the record-keeper is required or authorised to refuse to provide access.

Observations

Access – legislative requirements

3.54 Section 21 of the HI Act provides for access controls over health identifier information and section 22 specifies that if the (HI Service) discloses a healthcare identifier to an entity, the regulations may require the entity to provide prescribed information to the (HI Service) in relation to that disclosure.

3.55 HI Reg 8 requires a healthcare provider to give enough identifying information, at the time of making a request for access to a healthcare identifier, to ensure the service operator can identify by name the person making the request without having to seek additional information from another person.

HI Service access policy and processes

3.56 As previously outlined in this report, policy document FR.POLSECPL100 provides that an individual healthcare provider may access its HPI-I details by contacting the HI Service and providing demographic information.

3.57 Once the healthcare provider has successfully registered with the HI Service they may request to be issued with an Individual Authentication Token (Individual Public Key Infrastructure (PKI) Certificate). This allows the healthcare provider to securely access the HI Service.

3.58 If an individual health practitioner (registered via AHPRA) is de-registered or fails to renew their professional membership, access to their account is automatically revoked until the practitioner updates registration of their membership status.

Privacy Issues

3.59 There were no privacy issues noted by the auditors in terms of the HI Service’s compliance with IPP 6.

3.60 The HI Service’s policy regarding access to healthcare providers own information mirrors the requirements of HI legislation.

Recommendations

3.61 The auditors have made no privacy recommendations to the auditee for this part of the privacy performance assessment.

Best privacy practice suggestions

3.62 The auditors have made no best privacy practice suggestions to the auditee for this part of the privacy performance assessment.

IPPs 7 & 8 Issues – Alteration of records containing personal information & Accuracy of personal information used

IPP 7 requires a record keeper who has possession or control of a record that contains personal information to take such steps that are reasonable in the circumstances to ensure the record is accurate, and, having regard for the purpose for which the information was collected, relevant, up to date, complete and not misleading.

Where, despite an individual’s request, the record keeper is not willing to correct, delete or amend personal information in the record and no decision or recommendation under an applicable Commonwealth law applies, the record keeper shall, following an individual’s request, take reasonable steps to attach to the record any statement provided by that individual of the correction, deletion or addition sought.

IPP 8 provides that a record keeper who has possession or control of a record that contains personal information shall not use that information without taking steps that are reasonable in the circumstances to ensure that, having regard for the purpose for which the information is proposed to be used, the information is accurate, up to date, and complete.

Observations

Accuracy and amendment of records – legislative requirements

3.63 Section 10 of the HI Act states that the HI Service has a responsibility to establish and maintain an accurate record of healthcare identifiers that have been assigned and information relating to these healthcare identifiers.

3.64 Section 13(2)(b) of the HI Act authorises a national registration authority to disclose healthcare identifiers or information relating to the identifier to the HI Service, for the purpose of maintaining the accuracy of its records.

3.65 Regulation 6 of the HI Regs also requires both healthcare providers not regulated under national law and healthcare provider organisations to notify the HI Service, within 28 days, of any change in identifying information and/or circumstances regarding the individual provider’s registration or membership, or the status of the Responsible Officer in a healthcare provider organisation.

HI Service policy and practices regarding the accuracy and amendment of records

Where an HPI-I is assigned by the HI Service

3.66 Policy document FR.POLHPI-IPL100 provides that a healthcare provider may amend their own personal information once they have provided sufficient evidence to satisfy a service officer of their authority to make the request.

3.67 FR.POLHPI-IPL100 prescribes that a healthcare provider may not update or amend record details on behalf of another provider.

3.68 The HI Service Information Guide published by the HI Service confirms that individual healthcare providers registered with the HI Service may amend their own personal information and are in fact responsible for keeping their information accurate and up-to-date.

3.69 This approach was confirmed by the HI Service at audit. Specifically, HI Service staff advised that individual healthcare practitioners are provided with the opportunity to amend and update their personal information, by submitting the ‘Healthcare Identifiers Service application to amend a healthcare provider record’ with certified copies of ‘proof of change’ documents, to ensure the accuracy of the amended information.

3.70 Where amendments are made to name details, policy document FR.POLHPI-IPL100 states that the service officer must determine whether these changes will result in a duplicate record and the officer is not to amend name details if this results in a duplicate record being created.

3.71 Policy document FR.POLHPI-IPL100 provides that the EHP flags potential duplicate entries and produces a weekly report alerting the HI Service to potentially inaccurate or out of date information in the system.

3.72 Service officers then conduct a manual search of these records to identify the issue. Policy document FR.POLHPI-IPL100 outlines the process for resolving individual duplicate records:

  • where a record is determined not to be a duplicate, the duplicate flag is removed. These can be later re-flagged if necessary
  • the HI Service retains the correct record, known as the ‘primary record’
  • records determined to be ‘secondary’ in nature are then merged with the primary record as part of the duplicate resolution procedure
  • primary records retain an active status and may be amended as required
  • as previously outlined, policy document FR.POLSECPL100 further provides that healthcare providers may amend details such as their phone number and address with the HI Service over the phone.

Where an HPI-I is assigned by a registration authority

3.73 The HI Service can only make amendments to the identifying information held for a healthcare provider, as set out in paragraph 3.73, where the original information was not supplied by a registration authority such as AHPRA. Where the registration authority provides original identifying information, it is the registration authority’s responsibility to ensure this information is updated/amended.

3.74 In addition, the HI Service Information Guide states that health practitioners registered through AHPRA must notify AHPRA of any changes to their information. AHPRA will then inform the HI Service of these changes.

3.75 The auditee confirmed this process and further advised auditors that personal practitioner information received from AHPRA is first validated by the EHP. Only an exact data match is accepted into the HI System.

3.76 Personal information which does not match data stored in the auditee’s records is returned to AHPRA, thus ensuring that inaccurate information is not collected or used by the auditee.

3.77 If the auditee identifies via EOI that AHPRA has incorrect records, applicants are then advised by the auditee to notify AHPRA of the situation.

3.78 In addition to the above, the HI Service has informed auditors that an HPI-I is only retired after the auditee has received notification from Fact of Death Data (FODD), regarding the practitioner’s death.

Privacy issues

3.79 There were no privacy issues noted by the auditors in terms of the HI Service’s compliance with IPPs 7 and 8, as

  • the HI Service’s processes and policy documents reflect the requirements of the HI Act and HI Regs
  • the auditee has reasonable steps in place to ensure its records containing health practitioner information are amended and updated in accordance with the requirements of IPP 7(a), which include having health practitioners update their own information, and
  • in addition, the HI Service has adequate systems in place to ensure there is no duplication of records and that the information it uses is accurate, up-to-date and complete, and is therefore compliant with IPP 8.

Recommendations

3.80 The auditors have made no privacy recommendations to the auditee for this part of the privacy performance assessment.

Best privacy practice suggestions

3.81 Considering the auditee’s policy to have healthcare practitioners update their own personal information, the auditors suggest that the auditee send practitioners an annual or bi-annual reminder of their duty to ensure their information is accurate, complete and up-to-date.

IPP 10 - 11 Issues: Limits on the use and disclosure of personal information

IPP 10.1 provides that a record keeper who has possession or control of a record that contains personal information that was obtained for a particular purpose shall not use the information for any other purpose unless one or more of certain exceptions apply.

IPP 10.2 provides that, where personal information is used under IPP 10.1(d) the record keeper shall include in the record containing that information a note of the use.

IPP 11.1 provides that a record keeper who has possession or control of a record that contains personal information shall not disclose the information to a person, body or agency (other than the individual concerned) unless one or more of certain exceptions apply.

IPP 11.2 provides that, where personal information is disclosed under IPP 11.1(e) the record keeper shall include in the record containing that information a note of the disclosure.

IPP 11.3 provides that, where personal information is disclosed under IPP 11.1, the parties who receive that information must not use or disclose the information for a purpose other than the purpose for which the information was given to them.

Observations

3.82 At the time of the audit, there had been limited activity on the HI Service relating to the assigning of HPI-Is and the identifying information associated with those identifiers. For that reason, the use and/or disclosure of information by the HI Service operator was not dealt with at length during the audit.

Use and disclosure of health identifier information – legislative requirements

3.83 Section 15 outlines the HI Service’s duty of confidentiality in relation to information provided for the purpose of assigning a healthcare identifier.

3.84 However, division 2 of the HI Act authorises the service operator to disclose a healthcare provider identifier to:

  • a registration authority, for the purpose of registering the healthcare provider
  • any entity for the purpose of authenticating the healthcare provider’s identity.

3.85 Section 26 of the Act provides that the use or disclosure of a healthcare identifier is considered an offence, unless the use or disclosure:

  • is authorised under the HI Act
  • is authorised under other legislation
  • is being used for the purpose of or in connection with the person's personal, family or household affairs.

Unauthorised use

3.86 The auditors found no evidence suggesting that the HI Service is using healthcare provider information for any purpose other than for the assigning and maintenance of HPI-Is. In particular, the auditors noted that the collection of identifying information about healthcare providers is limited to the information collected on the application form. The purpose for which this information is used is stated on the application form and this is consistent with the requirements of the HI Act.

3.87 The auditee informed the auditors that it has strict measures in place to restrict staff misuse of healthcare identifier information, including implementing an audit log to track staff use of this information. At present, due to the minimal activity of the HI Service relating to HPI-Is, the log is only accessed upon specific request to the IT department.

3.88 Auditors did not closely observe or monitor staff use of healthcare identifier information during the course of this audit, as the assessment was mostly restricted to questioning key staff about staff use of this information.

Unauthorised disclosure

3.89 The auditee informed the auditors that it observes strict measures surrounding the disclosure of healthcare identifier information and that this information is not disclosed unless there is a formal or legal requirement to do so, such as requests from the Australian Federal Police or requests in reference to court matters.

3.90 The measures implemented by the auditee include:

  • an audit log to monitor staff disclosure of information
  • securing the consent of healthcare providers prior to disclosing their personal information in the Healthcare Provider Directory
  • restricting the disclosure of any header data including HPI-I information to parties which have satisfied the Vendor accreditation process.

Privacy Issues

3.91 There were no privacy issues noted by the auditors in terms of the HI Service’s compliance with IPPs 10 and 11.

3.92 The auditors observed that the auditee has reasonable steps in place to limit the use and disclosure of healthcare identifier information to meet the requirements of the HI Act.

Recommendations

3.93 The auditors have made no privacy recommendations to the auditee for this part of the privacy performance assessment.

Best privacy practice suggestions

3.94 The auditors suggest that the auditee may wish to perform regular audits of its system log in order to better identify any staff misuse of healthcare identifier information.

Part 4 — Summary of recommendations

The auditors made no recommendations in reference to this audit.

Part 5 — Summary of best privacy practice suggestions

5.1 That the HI Service implement processes to redact information that may be contained within EOI documentation, but is not required by the HI Service. These processes may include:

  • a destruction policy which would ensure EOI information is destroyed by the HI Service once the purpose of collection has been fulfilled
  • redacting information in collected EOI documents, for example, driver’s licence number, organ donor status, licence class and conditions, as well as photographic images, if collecting driver’s licence information.

Auditee response

Accepted. Records to be redacted and new destruction policy implemented from July 2012.

5.2 That the auditee review its use of the term ‘non-identifying information’, when referring to an HPI-I recipient’s name and address, in policy document FR.POLSECPL100.

Auditee response

Accepted. Best practice privacy suggestion implemented April 2012.

5.3 For providers registered via the HI Service, that the auditee amend references, in relation to healthcare provider individual related information, to read ‘correcting date of birth’ information.

Auditee response

Accepted. Best practice privacy suggestion implemented in May 2012. References have been changed to read ‘correcting date of birth’ information.

5.4 That the auditee seek advice from DHS regarding the record destruction policy that should apply to information collected for HI Service activities.

Auditee response

Accepted. Policy advice will be sought and new policy and procedures will be developed.

5.5 That the auditee provide its healthcare practitioners with an annual or bi-annual reminder of their duty to ensure their information is accurate, complete and up-to-date.

Auditee response

Accepted. Healthcare practitioners that register directly with the HI Service will be provided with an annual reminder letter.

5.6 That the auditee perform regular audits of its system log in relation to staff use of HPI-I information.

Auditee response

The HI Service currently undertakes audits of staff access on an as required basis. The suggestion is accepted to implement a systematic audit approach.

Appendix A — Information Privacy Principles

Principle 1 — Manner and purpose of collection of personal information

  1. Personal information shall not be collected by a collector for inclusion in a record or in a generally available publication unless:
    1. the information is collected for a purpose that is a lawful purpose directly related to a function or activity of the collector; and
    2. the collection of the information is necessary for or directly related to that purpose.
  2. Personal information shall not be collected by a collector by unlawful or unfair means.

Principle 2 — Solicitation of personal information from individual concerned

Where:

  1. a collector collects personal information for inclusion in a record or in a generally available publication; and
  2. the information is solicited by the collector from the individual concerned:

the collector shall take such steps (if any) as are, in the circumstances, reasonable to ensure that, before the information is collected or, if that is not practicable, as soon as practicable after the information is collected, the individual concerned is generally aware of:

  1. the purpose for which the information is being collected
  2. if the collection of the information is authorised or required by or under law — the fact that the collection of the information is so authorised or required; and
  3. any person to whom, or any body or agency to which, it is the collector's usual practice to disclose personal information of the kind so collected, and (if known by the collector) any person to whom, or any body or agency to which, it is the usual practice of that first mentioned person, body or agency to pass on that information.

Principle 3 — Solicitation of personal information generally

Where:

  1. a collector collects personal information for inclusion in a record or in a generally available publication; and
  2. the information is solicited by the collector:

the collector shall take such steps (if any) as are, in the circumstances, reasonable to ensure that, having regard to the purpose for which the information is collected:

  1. the information collected is relevant to that purpose and is up to date and complete; and
  2. the collection of the information does not intrude to an unreasonable extent upon the personal affairs of the individual concerned.

Principle 4 — Storage and security of personal information

A record-keeper who has possession or control of a record that contains personal information shall ensure:

  1. that the record is protected, by such security safeguards as it is reasonable in the circumstances to take, against loss, against unauthorised access, use, modification or disclosure, and against other misuse; and
  2. that if it is necessary for the record to be given to a person in connection with the provision of a service to the record-keeper, everything reasonably within the power of the record-keeper is done to prevent unauthorised use or disclosure of information contained in the record.

Principle 5 — Information relating to records kept by record-keeper

  1. A record-keeper who has possession or control of records that contain personal information shall, subject to clause 2 of this Principle, take such steps as are, in the circumstances, reasonable to enable any person to ascertain:
    1. whether the record-keeper has possession or control of any records that contain personal information; and
    2. if the record-keeper has possession or control of a record that contains such information:
      1. the nature of that information
      2. the main purposes for which that information is used; and
      3. the steps that the person should take if the person wishes to obtain access to the record.
  2. A record-keeper is not required under clause 1 of this Principle to give a person information if the record-keeper is required or authorised to refuse to give that information to the person under the applicable provisions of any law of the Commonwealth that provides for access by persons to documents.
  3. A record-keeper shall maintain a record setting out:
    1. the nature of the records of personal information kept by or on behalf of the record-keeper
    2. the purpose for which each type of record is kept
    3. the classes of individuals about whom records are kept
    4. the period for which each type of record is kept
    5. the persons who are entitled to have access to personal information contained in the records and the conditions under which they are entitled to have that access; and
    6. the steps that should be taken by persons wishing to obtain access to that information.
  4. A record-keeper shall:
    1. make the record maintained under clause 3 of this Principle available for inspection by members of the public; and
    2. give the Commissioner, in the month of June in each year, a copy of the record so maintained.

Principle 6 — Access to records containing personal information

Where a record-keeper has possession or control of a record that contains personal information, the individual concerned shall be entitled to have access to that record, except to the extent that the record-keeper is required or authorised to refuse to provide the individual with access to that record under the applicable provisions of any law of the Commonwealth that provides for access by persons to documents.

Principle 7 — Alteration of records containing personal information

  1. A record-keeper who has possession or control of a record that contains personal information shall take such steps (if any), by way of making appropriate corrections, deletions and additions as are, in the circumstances, reasonable to ensure that the record:
    1. is accurate; and
    2. is, having regard to the purpose for which the information was collected or is to be used and to any purpose that is directly related to that purpose, relevant, up to date, complete and not misleading.
  2. The obligation imposed on a record-keeper by clause 1 is subject to any applicable limitation in a law of the Commonwealth that provides a right to require the correction or amendment of documents.
  3. Where:
    1. the record-keeper of a record containing personal information is not willing to amend that record, by making a correction, deletion or addition, in accordance with a request by the individual concerned; and
    2. no decision or recommendation to the effect that the record should be amended wholly or partly in accordance with that request has been made under the applicable provisions of a law of the Commonwealth;

    the record-keeper shall, if so requested by the individual concerned, take such steps (if any) as are reasonable in the circumstances to attach to the record any statement provided by that individual of the correction, deletion or addition sought.

Principle 8 — Record-keeper to check accuracy etc of personal information before use

A record-keeper who has possession or control of a record that contains personal information shall not use that information without taking such steps (if any) as are, in the circumstances, reasonable to ensure that, having regard to the purpose for which the information is proposed to be used, the information is accurate, up to date and complete.

Principle 9 — Personal information to be used only for relevant purposes

A record-keeper who has possession or control of a record that contains personal information shall not use the information except for a purpose to which the information is relevant.

Principle 10 — Limits on use of personal information

  1. A record-keeper who has possession or control of a record that contains personal information that was obtained for a particular purpose shall not use the information for any other purpose unless:
    1. the individual concerned has consented to use of the information for that other purpose
    2. the record-keeper believes on reasonable grounds that use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person
    3. use of the information for that other purpose is required or authorised by or under law
    4. use of the information for that other purpose is reasonably necessary for enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue; or
    5. the purpose for which the information is used is directly related to the purpose for which the information was obtained.
  2. Where personal information is used for enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue, the record-keeper shall include in the record containing that information a note of that use.

Principle 11 — Limits on disclosure of personal information

  1. A record-keeper who has possession or control of a record that contains personal information shall not disclose the information to a person, body or agency (other than the individual concerned) unless:
    1. the individual concerned is reasonably likely to have been aware, or made aware under Principle 2, that information of that kind is usually passed to that person, body or agency
    2. the individual concerned has consented to the disclosure
    3. the record-keeper believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or of another person
    4. the disclosure is required or authorised by or under law; or
    5. the disclosure is reasonably necessary for the enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue.
  2. Where personal information is disclosed for the purposes of enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the purpose of the protection of the public revenue, the record-keeper shall include in the record containing that information a note of the disclosure.
  3. A person, body or agency to whom personal information is disclosed under clause 1 of this Principle shall not use or disclose the information for a purpose other than the purpose for which the information was given to the person, body or agency.
