
Person-controlled Electronic Health Records - Supplementary Paper; Submission to the National Health and Hospitals Reform Commission (May 2009)



The Office of the Privacy Commissioner (the Office) welcomes the National Health and Hospitals Reform Commission’s (NHHRC) recognition of the critical importance of privacy in electronic (e-health) systems in its supplementary paper, Person-controlled Electronic Health Records (the paper).[1]

However, the Office suggests there are some key issues which require further consideration. They include the:

  1. implications of the proposal that consumers would be able to add information to their own person-controlled e-health record. System controls will be needed to ensure that health providers know who has entered each piece of information, and that information entered by another provider has not been altered by the consumer
  2. areas that are to be covered in legislation, including safeguards to ensure that consumer access to health services, Medicare or health insurance payments is not adversely affected by the e-health system
  3. processes for complaint handling and audit
  4. capacity of consumers to control access to information which they regard as particularly sensitive[2]
  5. secondary uses of information, and
  6. implications of the approach for equity and participation of disadvantaged consumers.

In the submission, the Office provides input on these key privacy issues and other aspects of the proposed person-controlled e-health system raised in the paper.

Office of the Privacy Commissioner

1. The Office is an independent statutory agency responsible for promoting an Australian culture that respects privacy. The Office, established under the Privacy Act 1988 (Cth) (the Privacy Act), has responsibilities for the protection of individuals' personal information that is handled by Australian and ACT government agencies, and personal information held by all large private sector organisations, health service providers and some small businesses.


2. The Office welcomes the release of the National Health and Hospitals Reform Commission’s (NHHRC) supplementary paper, Person-controlled Electronic Health Records (the paper).

3. In May 2008, the Office made a submission to the NHHRC, which highlighted that strong protections for health information, applied consistently across the sector, are integral to the effectiveness of the health system.[3] As well, in response to the NHHRC’s Interim Report[4], the Privacy Commissioner wrote to the Chair of the NHHRC setting out the Office’s overarching views about health privacy.

4. The Office has a long-standing interest in the development of e-health initiatives as they relate to the collection and handling of personal information and has continually acknowledged the potentially important role that effective e-health information systems could play in promoting better health outcomes for Australians. However, the Office has also noted the privacy challenges raised by e-health information systems. Ensuring that privacy is adequately addressed is fundamental to achieving community trust in e-health information systems, and gaining consumer acceptance and take-up of the new systems.

5. The Office understands that the approach being proposed by the NHHRC is that each consumer would have a series of records (for example, a general practitioner will maintain their own separate record of their interactions with the consumer) linked by an individual identifier. The consumer or ‘person-controlled e-health record’ will be stored within a federated or distributed repository, rather than a centralised database.

6. As the NHHRC’s proposals are quite high level at this stage, the comments in this submission represent the Office’s preliminary views. This submission suggests a number of issues which would benefit from consideration or elaboration in the NHHRC’s final report. The Office looks forward to providing further advice on the proposed person-controlled e-health record as the proposal is developed and details about the operation of the system become available.

The overall approach proposed by the NHHRC

7. The Office welcomes the emphasis in the paper on voluntary participation and the recognition of the critical importance of privacy in e-health systems. In general, the Office believes that individuals should have as much control as possible over their personal health information.

8. The Office agrees with the NHHRC’s view that consumer control over access to their own health information will promote consumer acceptance and uptake of e-health systems. Equally, consumer choice, coupled with strong privacy protections, will help to ensure that the existing high level of community trust in health professionals is maintained.[5]

9. The Office also welcomes the NHHRC’s recommendation that the Commonwealth Government implement community education with consumers on the e-health system as education and awareness is an essential prerequisite for consumers being able to provide informed consent. It will also be very important that individuals fully understand how the system will work, their responsibilities and the consequences of their decisions regarding their own e-health records.

10. The Office notes the NHHRC’s view that consumer control of e-health records will help to promote individuals’ involvement in self-management of their own health. At the same time, it will be important to consider how the system will work for those individuals who lack capacity or motivation to take an active role in managing their own e-health records.

11. The NHHRC proposes that a ‘person-controlled electronic health record provides the means for individuals and carers to add information to their own record.’[6] The Office suggests that greater clarity will be needed on how this aspect of the system would work. It is very important that health providers have confidence in the e-health record and feel that it is a useful tool.

12. For this to occur, the provider will need to know where each piece of information in the record has come from, so that they can determine the veracity of the information and what emphasis they want to place on it. They will also need to know that information entered by another provider has not been altered by the consumer.

13. The Office also supports, in principle, the concept of a distributed repository of electronic health information. The Office has previously commented on the increased risks associated with large, centralised databases, which are more likely to face increased pressure for secondary use proposals and can be more attractive targets for hacking and inappropriate data-mining.[7]

Necessity for a comprehensive privacy framework

14. The Office strongly recommends that a multifaceted approach is essential to a robust privacy framework for the national e-health information system. A comprehensive framework for privacy protection should be based on four elements. These four elements can be expressed as:

Design + Technology + Legislation + Oversight

15. In brief, these elements can be explained as:

  • Fundamental system design, including system architecture and the parameters governing what information is collected, consent mechanisms and system access controls
  • Technological measures, including, but not limited to, data security initiatives, measures to enable masking of information that consumers regard as particularly sensitive[8], and standards for interoperability
  • Legislative measures, including defining the extent of the functions of the e-health information system, proscribing purposes that fall outside those functions, and introducing sanctions for misusing any aspect of the system, and
  • Oversight mechanisms that promote confidence in the system by assuring the community that the operation of the system is subject to stringent accountability measures, including provision for audit and independent complaint handling.

Privacy impact assessments

16. The Office suggests that during the development phase of the national e-health information system, privacy impact assessments (PIA) will be critical to identifying the scope of enabling legislation and the privacy protections, both technological and policy based, that need to be built into the system.

17. The OPC’s Privacy Impact Assessment Guide highlights the benefits of conducting a PIA at an early stage in system development.[9] As the Office notes in the Guide, ‘A PIA which incorporates public consultation can help to engender broad community awareness and confidence in the project.’ The Guide also points out that publishing PIAs ‘helps to demonstrate to stakeholders and the community that the project has been critically analysed with privacy in mind.’


18. The Office welcomes the NHHRC’s recommendation that consumer control of electronic health records be underpinned by legislation. The recommendation is consistent with the view expressed by the Office in its submission to the National E-Health Transition Authority’s (NEHTA) Consultation on the Privacy Blueprint for the Individual Electronic Health Record, that supporting legislation is not only desirable but essential to a national e-health information system.[10]

19. Specific legislation to regulate the national e-health system is an important element in establishing and maintaining the community’s confidence and trust in the system in the long term. While many individuals are likely to welcome in-principle the benefits associated with electronic health records, there may be reluctance to participate if key privacy protections are lacking.

20. The Office suggests that it would be useful for the NHHRC to elaborate in its final report on the areas that should be covered in legislation. In the Office’s view, the legislative framework should include:

  • safeguards in relation to consumer participation in the e-health system, including providing that it is not necessary to activate an e-health record in order to access health services, Medicare or health insurance payments
  • transparent and accountable governance mechanisms
  • processes for consumer consent (including authorisation of information upload and health provider access)
  • authorised and prohibited uses and disclosure of information collected
  • processes governing authorised secondary uses of information
  • arrangements for enforcing compliance with the standards that provide protection for privacy and security, and ensure interoperability, which are to be developed by standards bodies, including audit processes
  • uniform complaint-handling mechanisms, and
  • specific sanctions and remedies for privacy breaches.

21. Under the NHHRC’s proposals, a centralised database would still be required for personal identifiers, professional identifiers, and health professional organisations.

22. The Office notes the Council of Australian Governments’ (COAG) agreement that all Australian residents will be allocated an Individual Health Identifier (IHI) to support better linkage of patient information and communication between health providers. As well, the recent Australian Health Ministers’ Conference emphasised that strong privacy arrangements, including effective legislation, were needed to protect patient health information in line with community expectations.[11]

Complaint handling and audits

23. The Office suggests that the NHHRC consider issues relating to handling of complaints about the e-health information system in its final report. This is an important issue, given that consumers may find it more difficult to identify where they should take any complaint within a distributed repository system.

24. As the Office has suggested previously, it is important that management and rule-setting functions (to be undertaken by the governing body) be separated from oversight functions.[12] Therefore, the Office believes that while the governing body should have responsibilities to monitor day-to-day operations of the system, the functions of system audit and oversight would be carried out within existing accountability structures.

25. In the Office’s view, it would be more efficient and effective for existing bodies to use their regulatory functions rather than for government to establish a new regulatory body. Such an approach would ensure that existing expertise is effectively leveraged while avoiding unnecessary duplication.

26. Accordingly, the Office should retain jurisdiction for privacy complaints and audits emerging from a national e-health information system where such complaints fall under the Office’s current jurisdiction.

Capacity of individuals to control their sensitive information

27. While the paper emphasises voluntary participation and consumer control over the information entered into their personal e-health record, there is no discussion of issues relating to particularly sensitive information.[13] The Office is therefore unsure whether consumer capacity to control access to their more sensitive information is implicit in the concept of consumer controlled e-health records.

28. The Office suggests that the national e-health information system should incorporate the capacity for individuals to have greater choice and control over information they believe is especially sensitive. In many cases, an individual may not want all aspects of their e-health record to be accessible to all health service providers with which they interact for a range of conditions. They may, however, want that information to be available to some of their providers.

29. Over the course of a lifetime, a significant proportion of people may experience conditions which they view as highly sensitive and for which they need extra assurances that related information will be handled privately. For example, it is estimated that around 20% of Australians will experience mental illness during their lives and most will experience a mental health problem.[14]

30. Individuals are likely to have particular concerns over the handling of such sensitive health information and seek to minimise the risks of it being mishandled. For example, research in the United States has revealed that one in six adults (17 percent) withholds health information from their health providers due to worries about how it might be disclosed.[15]

31. The Office notes that the NEHTA public opinion survey cited in the paper (showing that 82% of consumers support the establishment of an e-health record) also showed that 79% of respondents thought it is important or very important that sensitive or very personal medical information will be quarantined.[16]

32. It is important to acknowledge that there is not one set of particularly sensitive health information. For different individuals, what is particularly sensitive health information will depend on the context of their life circumstances at a particular point in time. For example, cultural and religious considerations or sexual orientation may make certain information more sensitive for one individual compared to another.

33. The Office suggests that sensitivity labels assist in providing choice, control and privacy protection to individuals, ensuring confidence that their information will be handled appropriately and will be viewable only by those healthcare providers they have nominated.

34. Sensitivity labels are also likely to promote equitable access to e-health records. For example, some individuals may wish to take part in the e-health system, and gain the benefits which it stands to offer, but may not want every event or medical condition accessible to every provider.

Addressing potential issues about sensitivity labels

35. While recognising the technical challenges that may be involved in developing sensitivity label functionality, the Office believes that if this option is not available, some individuals may choose not to have information entered into their e-health record or not participate in the system. In many cases, these individuals may have stigmatised, chronic or complex conditions that may be better treated through improved information handling.

36. There are various technical methods available to operationalise consumer choices about sensitive information, including the proposed ‘sealed envelope’ approach in the UK and forms of ‘masking’ as implemented in Canada and in the Netherlands.[17] Generally, what these systems have in common is that the individual can request that specific information within their e-health records is available only with their consent.

37. The Office is aware that some stakeholders are concerned that the use of sensitivity labels may be

potentially unsafe (because it hides information from a healthcare provider’s view unless the individual chooses to reveal it) and that it will result in an unworkable administrative environment.[18]

The Office submits that giving consumers the option to withhold some information from some providers mirrors choices currently available to health consumers.

38. The Office also notes that the personal e-health record is not intended to be a comprehensive record, but rather to provide information that complements existing record-keeping arrangements. As the NHHRC states,

Whatever information a person allows their provider to access greatly enhances that which the provider is able to recall from memory or has stored on their own patient management systems, whether paper-based or electronic. The person-controlled shared electronic health record is just one piece of the puzzle.[19]

39. At the same time, the Office recognises that it is important that individuals understand the potential clinical risks involved with restricting access to information using a sensitivity label. Such choices should, therefore, be accompanied by clear information to ensure individuals are sufficiently informed of the possible consequences of their choices. It may also be necessary to explain any emergency override mechanism that may apply to sensitive care labels.

40. Affording individuals the choice to restrict access to some information may increase the likelihood that they will include in their e-health record information that they may otherwise have withheld completely. In the Office’s view, this is likely to be a better outcome for privacy and clinical care than individuals withholding particularly sensitive health information entirely or avoiding treatment.[20]

41. In regard to the suggestion that sensitivity labels ‘will result in an unworkable administrative environment’[21], the Office considers that sensitivity labels will help ensure a system that meets individuals’ privacy expectations, resulting in greater participation and consequently better health outcomes. While there will be an administrative cost, these costs are likely to be outweighed by the benefits.

Secondary uses of information

42. The paper does not address issues relating to secondary uses of information collected in e-health records. The Office is therefore unsure whether or not there is an assumption that with person-controlled e-health records any secondary uses (including for medical research) would need to be authorised by the consumer.

43. The Office believes that only limited use of the health information contained in an e-health record should be allowed (without the person’s consent) and such uses should be set out in the enabling legislation. Any future uses of a person’s health information that may be thought to have a compelling public interest should also be considered through a parliamentary process.

44. Good privacy practice would mean that individuals would be asked to consent to their health information being used for any purposes that are unrelated to their immediate care. While the use of health information for medical research is generally accorded a high level of importance in the community, given the sensitivity of the information, even this type of secondary use must be carefully balanced with individual privacy.

45. Sensitivity around secondary uses of health information is illustrated by qualitative research conducted by AC Nielsen which indicated a strong preference for health information to be only used for the direct clinical care of the individual, with any other uses being premised on obtaining the individual’s informed consent.[22]

46. The Office’s own community attitude research has found sensitivity around the handling of even de-identified health information for research purposes. Fifty-one percent of all respondents held the view that consent should be sought in these circumstances.[23]

47. Research from both Canada and the UK has found that, in many cases, individuals would be willing for their health information to be used for medical research, but still expect to be asked for their consent.[24]

Implications of a market driven approach to the development of e-health systems

48. The Office notes comments in the paper which indicate that the NHHRC envisages a market driven approach to the development and implementation of personal e-health records.

49. However, it is unclear what this would mean in terms of ‘who pays’ for the personal e-health record. For example, while use of applications such as Google Health and Microsoft is currently free, this may not continue to be the case in the longer term. If it is the consumer who will be required to pay, this is likely to be a significant barrier or deterrent to take-up of personal e-health records, particularly for disadvantaged consumers.

50. A further question that arises about such an approach is what would happen to an individual’s e-health record if a particular business (that hosts personal e-health records) goes bankrupt or ceases to trade.

Access to Medicare and health insurance payments

51. The Office notes the NHHRC’s proposal that the Commonwealth mandate that the payment of public and private benefits for all health and aged care services be dependent upon the provider being able to send and receive information in a way that can be integrated into a personal e-health record.

52. The Office is concerned that a possible consequence of this proposal may be that a consumer may be unable to access Medicare benefits (if their health provider is not eligible for Medical Benefit Scheme payment).

53. As noted previously, it is critical that the enabling legislation to the national e-health system contain adequate safeguards to ensure that consumers’ access to health services, Medicare or health insurance payments is not adversely affected by the e-health system in any way.

[2] Under the Privacy Act (Cth) 1988, ‘sensitive information’ has a defined meaning and includes all health information. In the context of this submission, the term ‘sensitive information’ is used to refer to health information that the individual regards as especially sensitive.

[5] The Office’s 2007 Community Attitudes Research found that 91% of respondents trusted the health sector when it came to handling their health information, available at:

[6] NHHRC Supplementary Paper, p12.

[7] Submission to the National E-Health Transition Authority on the Consultation on the Privacy Blueprint – Unique Health Identifiers, 2007, available at,

[8] Under the Privacy Act (Cth) 1988, ‘sensitive information’ has a defined meaning and includes all health information. In the context of this submission, the term ‘sensitive information’ is used to refer to health information that the individual regards as especially sensitive.

[9] Office of the Privacy Commissioner, Privacy Impact Assessment Guide, August 2006, available at

[11] Australian Health Ministers’ Conference Communiqué, 5 March 2009,

[12] Consultation on the Privacy Blueprint for the Individual Electronic Health Record Submission to the NEHTA, 2008,

[13] Under the Privacy Act (Cth) 1988, ‘sensitive information’ has a defined meaning and includes all health information. In the context of this submission, the term ‘sensitive information’ is used to refer to health information that the individual regards as especially sensitive.

[14] Australian Government Department of Health and Ageing What is mental illness? Available at

[15] Harris Poll #25, Many U.S. Adults are Satisfied with Use of Their Personal Health Information, 26 March 2007, survey of 2337 Americans, available at

[17] Pritts J. and Connor, K. (2007) The Implementation of E-consent Mechanisms in Three Countries: Canada, England, and the Netherlands (The ability to mask or limit access to health data),

[18] NEHTA (2009) Privacy Blueprint for the Individual Electronic Health Record, p16.

[19] NHHRC Supplementary Paper, p13.

[20] For example, Goldman & Hudson 2000 ‘Virtually exposed: Privacy and e-health’ Health Affairs Volume 19, Number 6, p 141 note ‘Without trust that their most sensitive health information will be safeguarded, patients are reticent to fully and honestly disclose personal information and may avoid seeking care altogether – both online and off’.

[21] NEHTA (2009), ibid, p 16.

[22] AC Nielsen, Community Consultation: Health Information Privacy: A Research Report, 1998, p 8.

[23] Community Attitudes to Privacy 2007, page 46, available at

[24] S Page and I Mitchell (2006) ‘Patients’ opinions on privacy, consent and the disclosure of health information for medical research’ Chronic Diseases in Canada, vol 27, pp. 60-67; UK National Health Service (2002) Share with care; People’s views on consent and confidentiality of patient information.