Office of the Australian Information Commissioner - Home

Australian Government - Office of the Australian Information Commissioner
Australian Government - Office of the Australian Information Commissioner

Main menu

Healthcare Identifiers Service - Medicare Australia Audit Report

Final audit report
Information Privacy Principles audit
Section 27(1)(h) Privacy Act 1988

Audit undertaken: October 2010
Draft report issued: April 2011
Final report issued: July 2011

Part 1 — Introduction

1.1 Background

The government has allocated the Office of the Australian Information Commissioner, at the time of the audit known as the Office of the Privacy Commissioner, funding during 2010-11 and 2011-12 to oversee the handling of Healthcare Identifiers and the operation of the Healthcare Identifiers Service (HI Service). This will include oversight of private health service providers, state and territory public sector bodies and Commonwealth agencies.

The Privacy Commissioner has signed an Exchange of Letters funding agreement with the Department of Health and Ageing (DoHA), for the period 1 July 2010 to 30 June 2011.  The audits of Medicare Australia's handling of healthcare identifier information forms part of the Agreement between the DoHA and the Office of the Privacy Commissioner. 

This is the first audit under the Exchange of Letters funding agreement.

Back to Contents

Part 2 — Description of audit

2.1 Purpose

The purpose of the audit is to ascertain whether Medicare Australia's handling of healthcare identifier information is in accordance with the Healthcare Identifiers Act 2010(Cth) (the HI Act), the Healthcare Identifiers Regulations 2010 and the Information Privacy Principles (IPPs) in the Privacy Act 1988 (Cth) (the Privacy Act).  The audit will review Medicare Australia's collection, use, disclosure and security processes relating to healthcare identifier information. 

The audit assessed whether these procedures are in accordance with the Information Privacy Principles (IPPs) in section 14 of the Privacy Act.

2.2 Overview of the Healthcare Identifier Service

The HI Service is being established to implement and maintain a national system for uniquely identifying healthcare providers and individuals.

The HI Service will assign three types of healthcare identifiers:

  • Individual Healthcare Identifier (IHI)-for individuals receiving healthcare services
  • Healthcare Provider Identifier-Individual (HPI-I)-for healthcare professionals and other health personnel involved in providing patient care
  • Healthcare Provider Identifier-Organisation (HPI-O)-for organisations (such as the hospital or health clinic) where healthcare is provided.

These healthcare identifiers will be assigned by the HI Service, and are designed to be used by healthcare providers as unique reference numbers in their own health records systems. The Australian Health Practitioners Regulation Agency (AHPRA) assigns Healthcare Identifiers to Health Professionals however this audit deals specifically with Medicare Australia's handing of Healthcare Identifier information. 

Medicare Australia is the HI Service Operator, and is responsible for the effective operation of the HI Service. Medicare Australia has the national infrastructure, as well as the industry and community relationships needed to securely deliver and maintain healthcare identifiers.

The key functions of the HI Service Operator is to:

  •  Assign and issue healthcare identifiers-IHIs, HPI-Is and HPI-Os
  • Allow those authorised to access the Service to retrieve healthcare identifiers
  • Keep the information associated with healthcare identifiers up-to-date and accurate
  • Deactivate or retire health identifiers when they are no longer needed.

The HI Service will also maintain a Provider Directory Service that will allow healthcare providers to search for and locate other providers in order to facilitate communication between them.  The Provider Directory will only be available to healthcare providers registered with the HI Service with either a HPI-I and HPI-O. 

2.3 Scope

The scope of this initial audit consists of:

  • the process for assigning IHIs
  • the policy and procedures governing the handling of identifiers, particularly for data security, data accuracy and access to identifiers
  • general record keeping.

The HI Service went live on 1 July 2010, and the functions performed by the HI Service are being incrementally increased over time.  For example, at the time of the audit fieldwork no HPI-Is or HPI-Os had been assigned by the HI Service. While the Australian Health Practitioner Regulation Agency (AHPRA) had begun transmitting HPI-I details to the HI Service, many individual healthcare providers and healthcare organisations were still in the process of updating their systems to enable IHIs to be recorded in patient files and used in secure messaging.  Consequently, very few healthcare providers had accessed the HI Service to request disclosure of IHIs.

For these reasons, the scope of this initial audit was limited to reviewing the HI Service's compliance with assigning IHIs and the policies and procedures The HI Service has developed to ensure compliance with their data security, accuracy and reporting requirements.

The audit scope did not extend to any assessment of the effectiveness, advantages or disadvantages of the HI Service. 

Medicare Australia administers programs on behalf of various Commonwealth government agencies including, for example, the Australian Organ Donor Register and the National Bowel Cancer Screening Register.  While there are different purposes for which information can be collected, used and disclosed Medicare Australia has overarching policies and procedures that regulate how it handles the personal information it holds. 

The auditors noted that Medicare Australia's existing policy framework has been leveraged for the HI Service. 

2.4 Timing and Location

The auditors conducted the audit on Wednesday 20 October and Thursday 21 October 2010 at Medicare Australia's Business office at 186 Reed Street, Greenway, ACT.

2.5 Information obtained prior to the audit

The following documentation was provided by Medicare Australia prior to the commencement of the audit:

  • a current organisation chart for the relevant areas of Medicare Australia that handle healthcare identifier information
  • an outline of personal information data flows within Medicare Australia as it relates to the handling of healthcare identifier information
  • an outline of personal information data flows to any external third parties as it relates to the handling of healthcare identifier information
  • details of who within Medicare Australia has access to healthcare identifier information and access limitations in place
  • summary information around any relevant computer systems documentation and specifications including systems security and any IT Security Policy in relation to healthcare identifier information
  • copies of staff instructions/memorandums addressing the legal and privacy obligations in relation to healthcare identifier information
  • details of Medicare Australia's staff training concerning the legal and privacy obligations on the handling of healthcare identifiers information by the HI Service, including a copy of any training material presented to participants.

2.6 Audit opinion

The auditors' observations show that Medicare Australia handles personal information relating to the HI Service in accordance with the IPPs in the Act. 

The audit team holds the opinion that Medicare Australia is compliant in meeting its obligations under the Act.

The auditors did not identify any privacy risks in relation to Medicare Australia's handling of personal information.

2.7 Follow up review

A follow up review may be undertaken after six months has elapsed from the date of the final report or as indicated by the Director, Compliance.

2.8 Reporting

Final reports of audits of ACT and Australian government agencies commenced after 1 July 2002 are generally published on the Office of the Australian Information Commissioner's web site (available at http://www.privacy.gov.au/law/apply/audit).

We also generally discuss IPP audit findings and recommendations that are considered relevant to good privacy practice across the public sector in our Annual Report.

Back to Contents

Part 3 — Audit issues

The following findings relate to the auditors' consideration of Medicare Australia's handling of healthcare identifier information is in accordance with the HI Act, the Healthcare Identifiers Regulations 2010 and the Information Privacy Principles (IPPs) in the Privacy Act.

The audit assessed whether these procedures are in accordance with the Information IPPs in section 14 of the the Act. 

3.1 IPPs 1-3: Collection of personal information

  • IPP 1 provides that personal information shall not be collected unless the collection is for a lawful purpose directly related to the collector's functions and activities and necessary or directly related to that purpose.
  • IPP 2 provides that, where a collector solicits and collects personal information directly from an individual, it must inform the individual of the purpose of collection, any legal authorisation or requirement for the collection, and any person, body or agency to which it usually discloses that information.
  • IPP 3 provides that, where a collector solicits and collects personal information generally it must take steps reasonable in the circumstances to ensure that, having regard to the purpose for which the information is collected, the information is relevant to that purpose, up to date and complete, and that the collection does not intrude to an unreasonable extent on the individuals' personal affairs.

Observations

3.1.1 The HI Act received Royal Assent on 28 June 2010. The purpose of the HI Act is to assign unique identifiers to individuals and healthcare providers to ensure health information created is accurately matched to a healthcare recipient, that is, an individual who has, is or will receive healthcare.

3.1.2 Section 5 of the HI Act defines the Chief Executive Officer (CEO) of Medicare Australia as the Service Operator of the HI Service until 30 June 2012. Various functions are assigned to the Service Operator under the HI Act.

3.1.3 The CEO of Medicare Australia is authorised to enter into service arrangements with Commonwealth agencies to perform service delivery functions and to provide service delivery functions as required by those service arrangements under Section 7 of the Medicare Australia Act 1973 (Cth) (the MA Act).

3.1.4 In terms of collection of personal information, section 7(3) of the HI Act sets out the identifying information that can be collected by the Service Operator for performing functions under the HI Act in relation to healthcare recipients, that is, an individual who has received, receives or may receive healthcare.

3.1.5 The auditors note that the legislative framework that underpins the HI Service confers the functions of the Service Operator on Medicare Australia[1]. Related to that function, Medicare Australia is authorised to collect the identifying information for limited prescribed purposes under the HI Act including for the purpose of assigning healthcare identifiers.

3.1.6 Section 9(1)(b) of the HI Act authorises the Service Operator to assign healthcare identifiers to a healthcare recipient. The data sources from which the Service Operator can collect identifying information for the purposes of assigning healthcare identifiers are prescribed in section 12(2). At present the data sources are prescribed to be Medicare Australia, Department of Veterans' Affairs and the Department of Defence.

3.1.7 Section 1 in IHI Policy document FR.PLIHIPL100, specifes that Medicare Enrolment records held in Medicare Australia's Consumer Directory Maintenance System (CDMS) were used for the initial creation of individual healthcare identifier (IHI) records. Medicare Australia commenced collection of the identifying information necessary to allow for the creation of healthcare identifiers on 26 June 2010. However, the auditors observed that the assignment date of healthcare identifiers created by Medicare Australia was 1 July 2010, being the date the HI Service commenced.

3.1.8 The auditors note that section 7(1) of the MA Act allows the CEO of Medicare Australia to undertake preparatory work that is incidental to the service arrangements it has entered into.

3.1.9 The IHI Policy document FR.PLIHIPL100 also specifies at 1.1.3 the demographic details that must be held with the IHI record. The auditors note that the demographic details specified at 1.1.3 are consistent with the identifying information that the Service Operator is authorised to collect under s7(3) of the HI Act.

3.1.10 The auditors also note that the demographic details specified at 1.1.3 do not require a given name as well as a preferred family name, and that the preferred family name field will accept an entry of only one letter in length; however an IHI will only be provided if a unique match is made. The policy proposals developed and agreed to by the Australian Health Ministers' Conference (AHMC)[2] specify that anonymous and pseudonymous healthcare options for healthcare recipients not be affected by the assignment of IHIs.

3.1.11 The auditors observe that Medicare Australia's policies and procedures for recording demographic details against IHIs ensure that it does not collect identifying information where a healthcare recipient elects to have healthcare delivered pseudonyously. The introduction of the HI Service has not changed the way an individual would seek healthcare anonymously.

3.1.12 In addition, the policy proposals agreed to by the AHMC specify that IHIs can be created as either verified or unverified IHIs. Medicare Australia's IHI Policy document FR.PLIHIPL100 sets out at 6.1.1 and 7.1.1 how to create unverified IHI records and verified non Medicare enrolled IHIs.

3.1.13 The auditors observed that Medicare Australia issued verified IHIs for healthcare recipients for 'known customers'of Medicare Australia and the Department of Veterans' Affairs. These records are held in Medicare Australia's CDMS and achieve the status of 'known customer' where their evidence of identify has been validated. Policy document FR.POLIHIPC22 describes the enrolment process used by Medicare Australia for creating verified IHIs.

3.1.14 The auditors note that Medicare Australia was authorised to collect identifying information from prescribed data sources including Medicare Australia and the Department of Veterans' Affairs under s12(2) of the HI Act. The auditors observed that the information collected by Medicare Australia to assign verified IHIs was as set out in 1.1.3 of IHI Policy document FR.PLIHIPL100 and is consistent with the provisions set out in s7(3) of the HI Act.

3.1.15 The auditors also observed test results Medicare Australia generated of an IHI enquiry which showed the identifying information stored with an IHI record. The result was consistent with the information the Service Operator is authorised to collect under s7(3) of the HI Act.

3.1.16 The auditors observed that the information that will be collected by Medicare Australia to verify unverified IHIs and non Medicare enrolled IHIs is consistent with the information the Service Operator is authorised to collect under s7(3) of the HI Act.

3.1.17 Section 9(4) of the HI Act provides that the Service Operator does not have to consider whether a healthcare provider or recipient has agreed to the assignment of a healthcare identifier. However, where Medicare Australia collects personal information directly from healthcare recipients to verify unverified IHIs and non Medicare enrolled IHIs, notice is given to the healthcare recipient.

3.1.18 In such cases, healthcare recipients are required to complete an application form where manual verification is required before an IHI is issued or verified. The auditors observed that the application form 'Application to create, verify or merge an Individual Healthcare Identifier (2880) form includes a notice that is consistent with the requirements of IPP2(e).

Privacy Issues

3.1.19 There were no privacy issues noted by auditors in terms of Medicare Australia's compliance with IPPs 1, 2 and 3.

3.1.20  In particular, the auditors formed the view that the collection of personal information about healthcare recipients from authorised data sources was lawful and directly related to the functions conferred on Medicare Australia as the Service Operator of the HI Service. The auditors also formed the view that the personal information collected by Medicare Australia was necessary for and related to its functions and activites.

3.1.21  The auditors also found that where Medicare Australia collects personal information directly from healthcare recipients, it provides them with a collection notice that is consistent with its obligations under IPP2(e).

3.1.22  The HI Act limits the personal information that can be collected by the Service Operator to perform its functions.  The auditors found that Medicare Australia's policy and procedures are consistent with its obligations under the HI Act. 

3.2 IPP 4: Storage and Security of Personal Information

  • IPP 4 (a) requires a record keeper who has possession or control of a record that contains personal information to ensure that the record is protected by security safeguards reasonable in the circumstances against loss, unauthorised access, use, modification, disclosure and other misuse.
  • IPP 4 (b) requires that, if it is necessary for the record to be given to a person in connection with the provision of a service to the record keeper, everything reasonably within the record keeper's power be done to prevent unauthorised use or disclosure of information contained in the record.

Observations

Security — physical environment

3.2.1 The auditors observed appropriate physical security measures in place at Medicare Australia's Business Office, located at 186 Reed St, Tuggeranong, ACT.

3.2.2 The auditors noted there is a security desk on the ground floor of the building. In order for a visitor to gain access to Medicare Australia's offices, they must first sign in with security personnel and receive a visitor's pass which they must display and return before leaving the building. Medicare Australia's policy is that visitors are to be accompanied by a Medicare Australia employee at all times when visiting the building.

3.2.3 Swipe passes are used by employees on the ground floor to access the lift and office floors.

3.2.4 The auditors were advised by Medicare Australia's HI Service Tier Three Policy Project Team that Medicare Australia employs a clear desk policy and practice. Medicare Australia's Tier Two HI Services Team also described the clear desk policy which it implements and which relates to the security of IHIs.

3.2.5 The auditors were advised that both the HI Service Tier Three Policy Project Team and Tier Two HI Services Team use locked cabinets for securing any paperwork relating to the HI Service, notably registration of HPIs and HPOs. Further, when paperwork is no longer required for operational purposes, it is stored on an archive file and sent to the archive unit.

3.2.6 The auditors were advised that the Tier Three Project and Policy Team uses a dedicated and secure fax for managing any paper documentation transmitted to the Australia's Reed St Business Office. Medicare Australia's Tier Two HI Services Team confirmed that documents are not currently scanned for transmission to the Tier Three Project and Policy Team.

Security — general electronic environment

3.2.7 Medicare Australia's computer system displays standard automatic computer use policy prompts on screen reminding staff of appropriate and permitted use of the electronic system.

3.2.8 The auditors were advised that Medicare Australia has a policy requiring staff to lock workstations when they are left unattended. As an additional security measure, Medicare Australia's standard operating environment automatically locks workstations if left inactive for longer than 10 minutes

3.2.9 The auditors were advised that Medicare Australia employees are only provided with computer program access based on their designated functions and areas of responsibility. The auditors were provided with examples of senior staff not having accesss to Medicare Australia's production database when they are working from home, and/or where they are not required to access particular information held by Medicare Australia.

3.2.10 In addition, a limited number of staff may be provided with 12 month approval to use their own IHI number at work for work related purposes.

3.2.11 At the time of the audit, due to low demand Medicare Australia's Provider and Public Enquiries (Tier One) Teams were referring all HI enquiries to the Tier Two HI Services Team.

3.2.12 Medicare Australia's TierTwo HI Services Team was established for the purpose of handling general and complex enquiries related to registration processing for the HI Service. Any enquiries which can't be resolved by the TierTwo HI Services Team are referred to the Tier Three Policy Project Team. HI Service security and authentication Public Key Intrastructure (PKI) enquiries are responded to by existing Medicare Australia PKI Helpdesk arrangements.

3.2.13 The auditors were advised that the Tier Three Policy Project Team is responsible for escalated issues relating to the HI Service, quality control, which includes checking registrations by individual healthcare providers, the resolution of any complex issues and the clarification of policies and procedures.

3.2.14 Medicare Australia's Tier Three Policy Project Team members computer access is subject to the usual IT security including user IDs and passwords which are changed every six weeks. There are additional passwords for various applications/forms.

3.2.15 The auditors were advised that Medicare Australia's data backup is managed by IBM in line with the Defence Signals Directorate - Australian Government Standards.

3.2.16 Medicare Australia's Internal Audit Team is responsible for weekly checks on unauthorised use of its electronic systems by staff (browsing).

Security — electronic system build

3.2.17 The auditors were advised that Medicare Australia had penetration testing of 'Business to Business' (B2B) conducted by an external company and that the report was due the same week as the audit, the week ending 22 October 2010. Penetration testing will continue to be performed for each major system enhancement.

3.2.18 In addition, the auditors were advised that 86 vendors had requested materials to enable them to commence building the necessary software required for accessing B2B and that one had completed its testing phase and has permission to be operational.

3.2.19 The auditors were advised of the technical requirements of the B2B authentication and patient verification processes which are designed to protect personal information.

3.2.20 The auditors were advised that the HI Service had received from AHPRA the records of health professionals who had been assigned a HPI-I by AHPRA. Medicare Australia advised the current data rejection rate was around 17% however Medicare Australia was working closley with AHPRA to reduce the rejection rate. Medicare Australia advised the auditors that 95% of the rejections related to errors with addresses.

Security — procedural steps

3.2.21 The auditors spoke via teleconference with the The TierTwo HI Services Team (located offsite in Melbourne, Victoria) who described the security measures in place to protect individuals' personal information when dealing with members of the public.

3.2.22 Medicare Australia's Tier Two HI Services team described during the teleconference the steps involved in a 'minor' security check when taking a telephone call in relation to IHIs. Such a minor check involves obtaining the caller's name, date of birth, Medicare number, first names of others on the Medicare card and address.

3.2.23 The auditors were advised that where a component of the above criteria was missing that a 'major' security check was conducted to ensure the security of both the ID check and the handling of the individual IHI. This process involves a series of additional questions about the caller's Medicare history, for example details of the last doctor they visited, or, the date of birth of any children listed on the Medicare card.

3.2.24 The auditors were advised that where HPI-Os and HPI-Is request IHIs in the online environment they may be provided in a batch service in groups of up to 100 records.

3.2.25 Where an off-line batch search takes place, the IHIs will be sent by priority post on a USB stick with PKI encryption and password protection for security purposes. In addition, some software packages may be designed to search in batches of 2000 records per request, with unlimited capacity of up to five million on a USB stick. Medicare Australia will, in such situations download data using PKIs.

3.2.26 The Medicare Australia IT Division staff outlined the security measures in place for protecting IHIs. They included adherence with the Defence Signals Directorate which is the Government Standard for such services, the use of regular security assessments, penetration tests of B2Bs via an external service which has highlighted some B2B issues to be reviewed and rectified prior to the next schedulded release known as Release 3B.

3.2.27 In relation to internal use, staff utilise their user ID and passwords and internal audits are conducted in relation to unauthorised access. In addition, staff accessing their IHIs for business purposes enter such access on a log and have approval to do so for a 12 month period.

Privacy issues

3.2.28 Whilst there were no specific issues identified in the audit in relation to security of personal information regarding the handling of IHIs, it should be noted that the HI Service is not fully operational at this point and IHI activity is extremely limited.

3.2.29 Whilst evidence of security measures was apparent, further auditing will be required in future to ensure that reasonable steps are taken to protect personal information in all operational aspects of the HI Service.

3.3 IPP 5: Information relating to records kept by record-keeper

  • IPP 5.1 requires that, where a record keeper has possession or control of records containing personal information, the record keeper will take reasonable steps in the circumstances to enable any person to ascertain the nature of the information held, the main purposes for which the information is used, and the steps a person should take to obtain access to the record.
  • IPP 5.3 and 5.4 also requires that, where a record keeper has possession or control of records containing personal information, the record keeper will maintain and make available to the public and the Privacy Commissioner a listing of the personal information it holds.  The listing will include the nature and purposes of keeping the record, the classes of individuals about whom records are kept, retention periods and access conditions to the records, and steps that should be taken by persons wishing to access the record.  This listing is known as the agency's Personal Information Digest (PID).

Observations

3.3.1 Medicare Australia, as a Commonwealth agency, already has an existing PID. The auditors noted that Medicare Australia's PID is available on this Office's website at: http://www.privacy.gov.au/materials/types/pids?sortby=62.

3.3.2 The auditors noted that the HI Service was not in existence at the time Medicare Australia's last PID was published (to the end of the 2009-10 financial year). Medicare Australia advised reference will be made to the HI Service in the next PID.

3.3.3 The auditors note that one of Medicare Australia's core functions is the handling of personal information, as reflected in its PID. Medicare Australia's role in relation to the HI Service will not change its IPP 5 obligations.

Privacy issues

3.3.4 There were no issues identified in the audit in relation to Medicare Australia's PID as it relates to the HI Service.

3.4 IPP 6 Issues: Access to records containing personal information

  • IPP 6 provides that, where a record keeper has possession or control of a record that contains personal information, the individual concerned shall be entitled to have access to that record except where one or more of certain exceptions under Commonwealth law apply.

Observations

3.4.1 The auditors were advised that if an individual requests access to their personal information, Medicare Australia encourages the individual to register online. Once an individual is registered online, they can access all their personal information contained in the HI Service themselves electronically.

3.4.2 If an individual requests access to their personal information at a Medicare office, Medicare Australia employees will provide the individual with their audit log on the spot.

3.4.3 The auditors were advised that, where an individual contacts Medicare Australia by phone requesting a copy of their audit log, the individual will be referred to the HI Service Tier 2 team which has processes in place to assist with this request.

3.4.4 If a request for access to personal information is more complex, Medicare Australia has other process in place to help individuals obtain access to their personal information. Generally, individuals would be referred to Freedom of Information Officer in Medicare Australia's Release of Information area.

3.4.5 The auditors were advised that there have only been two requests from an individual who on both occasions did not identify himself by name. The individual requested Medicare Australia remove his IHI identification from the HI Service. However, as the individual would not identify himself or put his request in writing, it was not possible for Medicare Australia to action the matter further.

3.4.6 The auditors were advised that this was the only complaint or request that Medicare Australia had received regarding the HI Service.

Privacy issues

3.4.7 The audit did not identify any specific issues regarding individuals' access to the personal information held in the HI Service.

3.5 IPP 7: Alteration of records containing personal information

  • IPP 7 requires a record keeper who has possession or control of a record that contains personal information to take such steps that are reasonable in the circumstances to ensure the record is accurate, and, having regard for the purpose for which the information was collected, relevant, up to date, complete and not misleading. 
  • Where, despite an individual's request, the record keeper is not willing to correct, delete or amend personal information in the record and no decision or recommendation under an applicable Commonwealth law applies, the record keeper shall, following an individual's request, take reasonable steps to attach to the record any statement provided by that individual of the correction, deletion or addition sought.

Observations

3.5.1 The audit did not identify any specific issues regarding alteration of personal information in relation to the HI Service.

3.6 IPP 8: Record-keeper to check accuracy etc of personal information before use

  • IPP 8 provides that a record keeper who has possession or control of a record that contains personal information shall not use that information without taking steps that are reasonable in the circumstances to ensure that, having regard for the purpose for which the information is proposed to be used, the information is accurate, up to date, and complete.

Observations

3.6.1 Given the current lack of operational activity in relation to the HI Service, both IPP 7 and IPP 8 were jointly considered. The auditors found no evidence of issues relating to the alteration or accuracy of records containing personal information. It was noted that a number of steps are currently in place to confirm an individual's identity. Evidence of Identity (EOI) as a form of verification checking indicate that reasonable steps are in place which will promote the accuracy of personal information held by Medicare Australia in relation to IHIs.

3.6.2 In relation to requests for the alteration of records held containing personal information by Medicare Australia in the context of IHIs, Medicare Australia staff advised during the audit that the complaints process may well be an avenue for such requests in situations where errors, real and potential, are raised by individuals.

Privacy issues

3.6.3 The audit did not identify any specific issues about the steps taken to ensure the accuracy of personal information in relation to the HI Service.

3.7 IPP 9: Personal information to be used only for relevant purposes

  • IPP 9 provides that a record keeper who has possession or control of a record that contains personal information shall not use that information except for a relevant purpose.

Observations

3.7.1 The HI Act prescribes at section 11(2)(b) the purposes for which the Service Operator can use the personal information collected about healthcare recipients.

3.7.2 The activities set out in Medicare Australia's IHI Policy FR.POLIHIPL100 ensure that personal information collected about healthcare recipients is limited to the relevant purposes set out in the HI Act.

Privacy issues

3.7.3 The audit did not identify any issues that indicated that the Service Operator was not compliant with IPP 9.

3.8 IPP 10 - 11 Issues: Limits on the use and disclosure of personal information

  • IPP 10.1 provides that a record keeper who has possession or control of a record that contains personal information that was obtained for a particular purpose shall not use the information for any other purpose unless one or more of certain exceptions apply.
  • IPP 10.2 provides that, where personal information is used under IPP 10.1(d) the record keeper shall include in the record containing that information a note of the use.
  • IPP 11.1 provides that a record keeper who has possession or control of a record that contains personal information shall not disclose the information to a person, body or agency (other than the individual concerned) unless one or more of certain exceptions apply.
  • IPP 11.2 provides that, where personal information is disclosed under IPP 11.1(e) the record keeper shall include in the record containing that information a note of the disclosure.
  • IPP 11.3 provides that, where personal information is disclosed under IPP 11.1, the parties who receive that information must not use or disclose the information for a purpose other than the purpose for which the information was given to them.

Observations

3.8.1 Under the HI Act, healthcare identifers are considered to be personal information.

3.8.2 Division 2 of the HI Act provides the service operator is authorised to disclose a healthcare identifier to:

  • an identified healthcare provider (the collecting provider);
  • an employee (the authorised employee) of an identified healthcare provider; or
  • a contracted service provider (the authorised service provider) of an identified healthcare provider.

3.8.3 Medicare Australia is therefore allowed to disclose IHIs to HPI-Is and HPI-Os in prescribed circumstances.

3.8.4 The auditors noted there was no other personal information other than IHIs used or disclosed by Medicare Australia in relation to the HI Service.

3.8.5 The auditors noted that the collecting provider, authorised employee or authorised service provider is authorised to collect IHIs under section 17 of theHI Act.

3.8.6 The auditors observed a Medicare Australia officer perform a test enquiry on her own IHI. The auditors noted the test enquiry was consistent with both the IHI Policy document FR.PLIHIPL100 and the legislative requirements of the HI Act.

3.8.7 The auditors noted that the healthcare providers are required to comply with limits on disclosure of the IHIs under IPP 11 as a condition of use.

Privacy issues

3.8.8 The auditors did not identify any specific issues regarding the use and disclosure of personal information through the HI Service.

3.9 Other Privacy Issues

Training

3.9.1 All Medicare Australia staff are provided privacy training at induction. In addition, all Medicare Australia staff have mandatory privacy refresher training every year which forms part of their performance agreement.

3.9.2 The auditors were advised that part of the privacy training consists of mandatory modules containing electronic quizzes which have rotating questions.

3.9.3 The auditors were informed that privacy training materials specifically relating to the HI Service, have been rolled out to all Medicare Australia staff.

Back to Contents

Part 4 — Summary of recommendations

4.1 The auditors made no recommendations regarding this audit.

Back to Contents

Footnotes

[1] The term 'Service Operator' is used when referring to the legislative provisions in the HI Act, as opposed to the day to day functions carried out by Medicare Australia in its role as the Service Operator.

[2] Building the foundation for an e-health future...update on legislative proposals for healthcare identifiers', Australian Health Ministers' Conference, November 2009, p14 http://www.health.gov.au/internet/main/publishing.nsf/Content/7EB863F2246F5A72CA2575ED00817A5B/$File/FINAL%20Update%20Proposals%20HI%20Service%20Nov%2009.pdf

Back to Contents