Part 1 — Introduction
1.1 The Australian Government has allocated funding to the Office of the Australian Information Commissioner (OAIC) during 2012-13 and 2013-14 to oversee the privacy aspects of the handling of healthcare identifiers and the functioning of the Healthcare Identifiers Service (HI Service). This includes providing advice on privacy obligations in relation to healthcare identifiers and liaising with state and territory regulators.
1.2 The OAIC is required to conduct up to two privacy audits of the HI Service Operator (HI SO) under its Memorandum of Understanding (MOU) with the Department of Health and Ageing (DoHA). The MOU relates to the provision of dedicated privacy related services under the Privacy Act 1988 (Cth) (Privacy Act), the Healthcare Identifiers Act 2010 (Cth) (HI Act) and the Personally Controlled Electronic Health Records Act 2012 (Cth) (PCEHR Act), for the period 29 November 2012 to 30 June 2014.
1.3 This report relates to the OAIC’s first audit of the HI SO under the MOU.
1.4 On 1 July 2011, the Department of Human Services (DHS) began delivering the services and payments previously provided by Medicare Australia. This led to consequential amendments to the HI Act under which the Chief Executive Medicare took over the role of HI SO from the former Chief Executive Officer of Medicare Australia. The legislative amendments did not affect the operations of the HI Service. Therefore, while DoHA and the OAIC have an MOU, DoHA does not administer the HI Service.
1.5 The OAIC previously conducted two audits of the HI SO in 2010-11. Both audits focused on the assignment and allocation of healthcare identifiers. Since then, the functions performed by the HI SO have incrementally increased.
Part 2 — Description of audit
2.1 The purpose of the audit was to assess whether the HI SO’s handling of healthcare identifier information is in accordance with the Information Privacy Principles (IPPs) in s 14 of the Privacy Act, the HI Act and the Healthcare Identifiers Regulations 2010 (Cth) (HI Regulations).
2.2 Specifically, the audit reviewed the HI SO’s collection, use and disclosure of healthcare identifier information and the identifying information associated with healthcare identifiers.
2.3 The audit was conducted pursuant to s 27(1)(h) of the Privacy Act, which states that a function of the Australian Information Commissioner (Commissioner) is to ‘...conduct audits of records of personal information maintained by agencies for the purpose of ascertaining whether the records are maintained according to the Information Privacy Principles.’
2.4 The HI Service, which commenced on 1 July 2010, was established to implement and maintain a national system for uniquely identifying healthcare organisations, individual healthcare providers and healthcare recipients by assigning to them healthcare identifiers.
2.5 The HI Service forms the basis of other eHealth initiatives, such as the Personally Controlled Electronic Health Record (PCEHR or eHealth Record).
2.6 A healthcare identifier is a unique 16-digit number which is used to ensure the right health information is associated with the right individual.
2.7 The HI Act specifies that healthcare identifiers are to be used for healthcare and related management purposes only, with penalties in place for misuse by the HI SO or users of the HI Service.
2.8 The HI Service assigns three types of healthcare identifiers:
- Individual Healthcare Identifier (IHI)—for individuals receiving healthcare services
- Healthcare Provider Identifier-Individual (HPI-I)—for individual healthcare professionals involved in providing patient care
- Healthcare Provider Identifier-Organisation (HPI-O)—for organisations (such as hospitals or health clinics) where healthcare is provided.
2.9 Along with healthcare identifiers, the associated identifying information held by the HI Service includes demographic details, such as an individual’s name, date of birth, gender, address details and (in the case of HPI-Is) specialty details. These details are utilised to uniquely identify individuals and healthcare providers.
2.10 Every person with an active Medicare enrolment or Department of Veterans’ Affairs (DVA) registration is assigned an IHI. Individuals visiting or residing in Australia who are not eligible to claim Medicare Benefits or register with DVA can also be assigned an IHI at their request.
2.11 Individual healthcare providers are assigned an HPI-I by a registration authority or through direct application to the HI SO.
2.12 As at June 2013, the HI Service recorded a total of 25 285 096 assigned IHIs and 638 014 assigned HPI-Is.
Australian Health Practitioner Regulation Agency
2.13 The Australian Health Practitioner Regulation Agency (AHPRA) is a national registration authority, within the definitions of ss 5 and 8 of the HI Act. Specifically, AHPRA is responsible for handling the registration and renewal processes for specific healthcare professions across Australia.
2.14 If a healthcare provider belongs to one of the professions registered by AHPRA, AHPRA assigns the individual healthcare provider an HPI-I, otherwise healthcare providers must register with the HI Service to obtain their HPI-I.
eHealth Program database
2.15 The HI Service’s eHealth Program (EHP) database was purposely built to store HPI-Is, HPI-Os and associated identifying information. The EHP can be accessed by healthcare providers (individuals and organisations), along with their:
- authorised employees
- responsible officers
- organisation maintenance officers
- contracted service providers
in order to access information about other healthcare providers.
2.16 According to HI SO staff and chapter 10 of the HI SO’s policy document FR.POLHPI-IPL100, the EHP database can be accessed by healthcare providers via the Health Professional Online Service (HPOS), an interface available on the DHS website for healthcare providers to:
- create a network HPI-O record
- search the Healthcare Provider Directory (discussed below)
- access the EHP database to update their details
- conduct a direct search of the EHP database to find the details of another healthcare provider (discussed below).
2.17 Healthcare providers can also directly search the EHP database or search the HPD via an online business-to-business (B2B) transaction, where healthcare providers have software applications in place which allow them to directly interact in real time with the HI SO.
Healthcare Provider Directory
2.18 Under s 31 of the HI Act, the HI SO is required to maintain the Healthcare Provider Directory (HPD), which if a healthcare provider consents, contains their professional and business details. The HPD includes HPI-I and HPI-O information which is collected from the EHP database. The HPD allows healthcare providers to search for and locate other providers who have consented to have their details available in the HPD in order to facilitate communication between providers.
2.19 The HPD is not available for public view and can only be accessed by healthcare providers registered with the HI Service with either:
- an HPI-I
- both an HPI-I and HPI-O
- authorised employees of an organisation with an HPI-O.
2.20 As at 12 June 2013, 12 598 individual healthcare providers and healthcare provider organisations were listed in the HPD.
Consumer Directory Maintenance System
2.21 The HI Service uses Medicare’s existing Consumer Directory Maintenance System (CDMS) database to store IHI records.
2.22 Individuals can use Medicare Online Services to search for their IHI information.
2.23 Healthcare providers can use online channels (B2B and HPOS) to search for IHI information.
2.24 The scope of the audit was an examination of the collection, use and disclosure of IHIs, HPI-Is and associated identifying information by the HI SO, after the healthcare identifier record has been created and the IHI or HPI-I has been assigned and allocated by the HI SO or, in the case of most HPI-Is, AHPRA.
2.25 The objective of the audit was to assess the HI SO’s handling of records of personal information in accordance with its obligations under the IPPs which relate to the collection (IPPs 1-3), use (IPPs 9-10) and disclosure (IPP 11) of personal information by Australian Government agencies.
2.26 The audit also assessed whether the HI SO was handling its records in accordance with its obligations under the HI Act and the HI Regulations in relation to collection, use and disclosure of healthcare identifier information.
2.27 The audit did not assess the HI SO’s handling of HPI-O information.
2.28 AHPRA’s handling of healthcare identifier information was outside the scope of the audit.
Timing, location and methodology
2.29 The auditors conducted the fieldwork component of the audit on 18 and 19 June 2013 at the DHS offices at 186 Reed Street, Greenway, ACT.
2.30 The audit fieldwork included:
- a document review of notices, policies and other documents
- interviews with staff from the operations, legal, policy and system design areas of the HI Service and the HI SO
- the HI SO demonstrating how various aspects of the system operate and demonstrating electronic training.
Information obtained during the audit
2.31 The HI SO provided several documents prior to and during the fieldwork for this audit. This included recent versions of the HI SO’s internal processes, policies and procedures relevant to the collection, use and disclosure of HPI-I and IHI records. A full list of the information obtained is at Appendix A.
2.32 The auditors’ observations and an assessment of information obtained during the audit show that the HI SO’s healthcare identifier records within scope of the audit are generally maintained in accordance with the IPPs in the Privacy Act, the HI Act and the HI Regulations.
2.33 The auditors are of the opinion that there is a low level of risk regarding the HI SO’s personal information handling practices and make one recommendation.
2.34 A recommendation is a suggested course of action or a control measure that, if put in place by the agency, will (in the opinion of the OAIC) minimise the risks identified around how personal information is handled against the relevant criterion.
2.35 The use of recommendations to the exclusion of ‘best privacy practice’ is a change in practice by the OAIC made in 2012 when the OAIC published a new manual to guide its public sector audits. The term ‘best privacy practice suggestion’ was used in the previous Healthcare Identifiers Service audit by the OAIC published in August 2012. The use of recommendations by the OAIC in this report does not itself reflect a change in the risk profile of the HI SO.
2.36 To the extent possible, the OAIC publishes final audit reports in full or in an abridged version on its website, www.oaic.gov.au. It is sometimes inappropriate to publish all or part of a report because of statutory secrecy provisions or for reasons of privacy, confidentiality, security or privilege.
Part 3 — Audit issues
3.1 The following findings and recommendations relate to the auditors’ consideration of the HI SO’s collection, use and disclosure of healthcare identifier information, in accordance with the IPPs in the Privacy Act, the HI Act and the HI Regulations.
3.2 The IPPs are available at www.oaic.gov.au.
IPP 1 issues — Manner and purpose of collection of personal information
IPP 1 provides that an agency shall not collect personal information unless the collection is for a lawful purpose directly related to the collector’s functions or activities and the collection is necessary or directly related to that purpose.
3.3 Healthcare identifiers are generated by the HI SO. The HI SO provided AHPRA with 5.1 million HPI-Is for assignment to their registrants. These numbers have been quarantined by the HI Service for AHPRA to assign.
3.4 The HI SO collects HPI-Is and associated identifying information from healthcare providers and AHPRA.
3.5 The HI SO also collects identifying information associated with IHIs.
Authorised collection of healthcare recipient identifying information under the HI Act
3.6 Section 7(3) of the HI Act sets out the identifying information that the HI SO can collect regarding healthcare recipients, including:
- if applicable, the Medicare number
- if applicable, the Veterans’ Affairs Department file number
- date of birth and date of birth accuracy indicator
- if part of a multiple birth, the order of birth
- if applicable, date of death and date of death accuracy indicator.
3.7 Under s 16 of the HI Act, the HI SO is authorised to collect identifying information of a healthcare recipient from a healthcare provider for the purpose of disclosing the healthcare recipient’s IHI to the healthcare provider. This occurs so that the healthcare provider can communicate or manage health information as part of providing healthcare to the healthcare recipient.
Authorised collection of HPI-I information under the HI Act
3.8 The auditors were advised that the HI SO collects HPI-I information from:
- healthcare providers
- AHPRA, where a healthcare provider is registered by AHPRA.
3.9 Section 7(1) of the HI Act sets out the identifying information that the HI SO can collect from an individual healthcare provider for performing functions under the HI Act. This includes:
- date of birth, and the date of birth accuracy indicator
- type of healthcare provider
- if the healthcare provider is registered by a registration authority (eg AHPRA), the registration authority’s identifier for the healthcare provider
- if the healthcare provider is registered by a registration authority, the status of the registration (such as conditional, suspended or cancelled).
3.10 Regulation 5 of the HI Regulations extends the definition of ‘identifying information’ and permits the collection of an email address, a phone number, a fax number and status of the healthcare provider (eg active, deactivated or retired).
3.11 Under s 13 of the HI Act, the HI SO is authorised to collect HPI-I information from a national registration authority (AHPRA). The HI SO collects this information so that it can fulfil its obligations under s 10 of the HI Act to maintain an accurate record of all assigned healthcare identifiers.
3.12 The HI SO collects identifying information from healthcare providers for the purpose of assigning HPI-Is to individual healthcare providers.
Collection of HPI-Is and identifying information from AHPRA
3.13 AHPRA generates and assigns its own identifier for each provider. This is also collected by the HI SO along with the HPI-I and other identifying information.
3.14 The collection from AHPRA occurs via a secure file transfer protocol (SFTP). At the beginning of each day, the HI SO receives in batch form, the HPI-I information from AHPRA which the HI SO uses to maintain its record of all assigned identifiers. The HI SO advised the auditors that this process for collecting the information from AHPRA will soon change from a daily batch collection to a real time B2B transmission.
3.15 The auditors are of the view that the collection described above appears to be clear, reasonable, and for a lawful purpose directly related and necessary to the HI SO’s functions and activities.
3.16 The HI SO’s practices comply with the limitations imposed by both the HI Act and HI Regulations with reference to the collection of HPI-I information from AHPRA.
3.17 The auditors have made no privacy recommendations to the HI SO for this part of the audit.
IPP 2 issues — Solicitation of personal information from individual concerned
IPP 2 provides that, where a collector solicits and collects personal information directly from an individual, it must inform the individual of the purpose of collection, any legal authorisation or requirement for the collection, and any person, body or agency to which it usually discloses that information.
3.18 The HI SO uses the following application forms when it collects information from healthcare providers and individual healthcare recipients:
- 2888 - Application to create, verify or merge an Individual Healthcare Identifier
- 4484 - Application to request a pseudonym Individual Healthcare Identifier record
- 2977 - Application to Register a Healthcare Provider
- 2999 - Application to Amend a Healthcare Provider Record.
3.19 The auditors note that information collected in the forms listed above is consistent with the information that the HI SO is authorised to collect under s 7 of the HI Act and Regulation 5 of the HI Regulations.
3.20 The application form 2977 wholly, and application forms 2888 and 4484 partly, relate to the creation and assignment of a healthcare identifier record. Even though the assignment process was generally out of scope of this audit, to ensure a consistent approach to the use of privacy notices by the HI SO, the auditors assessed all application forms.
3.21 All of the application forms contain privacy notices which generally inform health providers and individuals of the purpose for which the HI SO is collecting the information and the circumstances under which the HI SO may use and disclose the information.
3.22 In particular, all of the notices state that ‘…information is collected for Social Security, Family Assistance, Medicare, Child Support and CRS purposes.’
3.23 Further the notices state ‘Your information will be used for the assessment and administration of payments and services…may also be used within Human Services where you have provided consent or it is required or authorised by law.’
3.24 The notices also mention that ‘Human Services may disclose your information to Commonwealth Departments, other persons, bodies, agencies ONLY where you have provided consent or it is required or authorised by law.’
3.25 The privacy notices in every application form were almost identical.
3.26 The auditors were advised that the HI Service Operations team, the DHS Forms and Letters area and the Legal Services Division share the responsibility for drafting, developing and reviewing the application forms and privacy notices.
3.27 The forms and the privacy notices are based on standardised templates used by DHS, which have been amended to suit the purposes of the HI SO.
3.28 Application form 2977 was last updated in 2013, whereas the other forms were last updated in 2011.
3.29 Healthcare providers can use application forms 2977 and 2999 to consent to their details appearing on the HPD.
3.30 The Legal Services Division advised that DHS has not received any complaints about the notices.
3.31 The National E-Health Transition Authority (NEHTA) is responsible for stakeholder engagement, including releasing communications and promotional material concerning healthcare identifiers and the HI SO.
3.32 DHS and the HI SO are responsible for creating and maintaining the application forms listed above and any other privacy notices used in other channels where information is collected from healthcare recipients and healthcare providers, such as online via HPOS or B2B transmission.
3.33 The auditors were informed that the HI SO does not assign any healthcare identifiers over the phone. This only occurs via written application forms or online.
3.34 An HPI-I can only be assigned via AHPRA registration or by the 2977 paper based registration form (with supporting evidence of identity) that is submitted to the HI SO by a non-AHPRA registered health professional. The auditors were informed that the vast majority of HPI-Is are assigned by AHPRA, with only a very small number of HPI-Is assigned by the HI SO in response to a completed application form.
3.35 Individuals can view and make limited changes to their IHIs and IHI history through Medicare Online Services, which are accessed on the DHS website or via myGov.
3.36 Healthcare providers can access a patient’s IHI information via B2B transmission.
3.37 HPI-I information is also collected by the HI SO online via HPOS. Healthcare providers can use HPOS to consent to their details appearing on the HPD, which can then be accessed by other providers. Healthcare providers also use HPOS to conduct a direct search of the EHP database, which includes the details of healthcare providers both on and not on the HPD.
3.38 Direct searches of the EHP database by healthcare providers can also occur via B2B transmission.
3.39 The auditors are of the view that notices provided to individuals and healthcare providers require further consideration to ensure compliance with IPP 2.
3.40 IPP 2 notices have to contain information about:
- why the agency is collecting the information (the purpose of collection)
- the agency’s legal authority (if any) to collect the information; and
- to whom the agency usually gives that kind of information (usual disclosures).
3.41 Further, the Plain English Guidelines to Information Privacy Principles 1-3 (IPP Guidelines) state that if an agency knows information collected will also be used for other purposes, the agency should normally tell the person when it collects the information. The privacy notices considered by the auditors do not state that other healthcare providers will be able to directly search the EHP database, and that this occurs in order to facilitate greater communication and secure messaging between healthcare providers (discussed below).
3.42 The IPP Guidelines also note that an IPP 2 notice should refer to each provision of legislation which requires an agency to collect the personal information; or specifically authorises an agency to collect the information. If the legislation does not refer to a specific power, but only gives the agency a general function which includes collecting personal information, the IPP 2 notice should still refer to the legislation.
3.43 The auditors acknowledge that the relevant application forms contain information separately from the privacy notice which, to a certain extent, generally outlines or implies how IHI and HPI-I information may be used and disclosed. The IPP Guidelines state that there is no particular form for an IPP 2 notice. An agency can give the notice in any way as long as it makes the person aware of the relevant details. Further, if the agency collects personal information by asking the person to fill in a form, the IPP 2 notice can be printed on the form. The IPP Guidelines state that this is usually the best way of giving IPP 2 details when an agency uses a form to collect personal information.
3.44 However, the privacy notices and other information in the application forms do not refer to the specific legislation authorising this collection and do not clearly explain what the healthcare identifier information collected from individuals will be used for and the usual disclosures.
3.45 The IPP Guidelines states that an agency should try to give a person it collects personal information from a full and clear picture of whom the information is likely to be given to. The privacy notices do not state the usual disclosures which may occur, such as IHI disclosures to healthcare providers or to the PCEHR system operator.
3.46 The applicable notices do not refer to HPI-I disclosures following a direct healthcare provider search of the EHP database by another healthcare provider. Where a healthcare provider is creating a new HPI-I record by using an application form, there is a privacy risk that the healthcare provider may not be aware that their HPI-I information may be disclosed following a healthcare provider search.
3.47 As indicated above, healthcare providers use application forms and HPOS to consent to their details appearing on the HPD. The absence of any specific references in both the application forms and HPOS to usual disclosures of HPI-Is (such as a healthcare provider search), may give the false impression that the only disclosure of HPI-Is which is likely to occur is through the HPD following the provider’s consent.
3.48 It is not certain whether healthcare identifier information collected via online channels such as Medicare Online Services, HPOS or B2B transmissions is subject to a privacy notice which clearly explains how this information will be used and disclosed.
3.49 The auditors were advised that the HI Service is under a contractual arrangement with NEHTA, which is responsible for communication material and activities to healthcare providers about the HI Service. The OAIC understands that any changes to communications and promotional material concerning healthcare identifiers and the HI Service will need to be approved by NEHTA and may be outside the control of the HI SO.
Recommendation 1 – Amend privacy notices
3.50 It is recommended that privacy notices contained in or referred to in relevant application forms and online channels be amended and updated to:
- refer to the specific legislation authorising the collection of healthcare identifier information
- clearly explain what healthcare identifier information collected from healthcare recipients and healthcare providers will be used for and the usual authorised disclosures, such as:
- in the case of IHI disclosures: to healthcare providers or to the PCEHR system operator
- in the case of HPI-I disclosures: following a direct healthcare provider search of the EHP database by another healthcare provider.
3.51 Implementing this recommendation will also assist to address the issues raised under the ‘healthcare provider disclosures’ heading later in the report.
IPP 3 issues — Solicitation of personal information generally
IPP 3 provides that, where a collector solicits and collects personal information generally it must take steps that are reasonable in the circumstances to ensure that, having regard to the purpose for which the information is collected, the information is relevant to that purpose, up to date and complete, and that the collection does not intrude to an unreasonable extent on the individuals’ personal affairs.
3.52 AHPRA data needs to meet certain standards and formats before it can be accepted by the HI SO. The EHP database checks for and rejects identically matched data, as an exact match indicates a possible duplicate. The HI SO subsequently advises AHPRA of the exact match and asks it to either check its records or send updates to the existing record.
3.53 The HI SO advised that it does not disclose any information to AHPRA. The HI SO cannot amend data received from AHPRA or create a new record. The HI SO can only add new details to a record previously created by AHPRA.
3.54 There were no privacy issues noted by the auditors in terms of the HI SO’s compliance with IPP 3 as the HI SO has systems in place to ensure the relevance and accuracy of the personal information it collects from third parties such as AHPRA.
3.55 Where HPI-Is are assigned by AHPRA, the personal information about the healthcare provider is collected by AHPRA directly from the individual healthcare provider rather than being requested by the HI SO. This again ensures that the collection process is as open and transparent as possible.
3.56 The auditors have made no privacy recommendations to the HI SO for this part of the audit.
IPP 9 and IPP 10 issues — Personal information to be used only for relevant purposes and limits on the use of personal information
IPP 9 provides that a record-keeper who has possession or control of a record that contains personal information shall not use the information except for a purpose to which the information is relevant.
IPP 10.1 provides that a record keeper who has possession or control of a record that contains personal information that was obtained for a particular purpose shall not use the information for any other purpose unless one or more of certain exceptions apply.
IPP 10.2 provides that, where personal information is used under IPP 10.1(d) the record keeper shall include in the record containing that information a note of the use.
3.57 Sections 11, 11A, 13, Division 2 and Division 2A of the HI Act and Regulation 14 of the HI Regulations govern the use of healthcare identifiers and associated identifying information.
3.58 The HI SO informed the auditors that it uses healthcare identifiers for authorised purposes under the HI Act and HI Regulations. These purposes are to:
- allow those authorised to access the HI Service to search for and retrieve healthcare identifiers
- keep information associated with healthcare identifiers up-to-date and accurate
- deactivate or retire healthcare identifiers which are no longer needed
- work with other bodies (such as AHPRA) who can also assign healthcare identifiers under the HI Act to maintain a single complete record of all healthcare identifiers which have been assigned
- maintain the HPD to facilitate communication between providers.
3.59 Access to the records stored on the EHP database is limited to four teams within DHS. These teams require access to this database in order to complete their duties. The teams are:
- HI processing team (also known as Tier 2), which receives the application forms for healthcare providers and processes them
- HI Operations team (also known as Tier 3 support), which is responsible for resolving difficult applications, for processing during peak times and for quality checking of processing
- Online Technical Support & eCertificates Section, which is responsible for requesting and dispatching Public Key Infrastructure (PKI) certificates
- National Authentication Service for Health (NASH) operations team, which is responsible for processing requests for NASH Public Key Infrastructure (PKI) certificates.
3.60 Demographic information of healthcare recipients is stored within the CDMS database along with the demographic information for other programs administered by Medicare. Access to the CDMS database is provided to all front line Tier 1 DHS staff, both in service centres and telephone call centres to enable them to answer questions from members of the public or complete processing activities. Access is also provided to Tier 2 and Tier 3 support areas that deal with difficult or complex applications or situations.
3.61 Access to pseudonym IHI record processing and information is restricted to four staff members with a higher level security clearance within the HI Service Operations team.
3.62 The HI SO informed the auditors that it has strict measures in place to restrict staff misuse of healthcare identifier information, including the establishment of the HI System Log to track staff use of IHI and HPI information.
3.63 According to HI SO policy documents FR.POLHPI-IPL100 and FR.POLIHIPL100 and interviews with HI SO staff, the HI System Log records all access to healthcare identifier records stored on the EHP and CDMS databases, including access attempts and failed authentication requests carried out on all healthcare identifier records.
3.64 The auditors were informed that the Fraud and Compliance section within DHS has in place an audit team which regularly monitors the HI System Log and also assesses patterns of internal access to healthcare identifier records by HI Service staff.
3.65 The audit team regularly reviews any suspicious, inappropriate or irregular access to determine if further investigation is warranted.
3.66 The audit team regularly produces a user access tracking report which reveals what information DHS/HI SO staff are accessing and for how long. The OAIC auditors saw copies of the latest report. The HI SO advised that there have been no reports which suggest misuse or inappropriate behaviour by DHS staff.
3.67 Regular reports are also run to ensure removal of team members that have left or moved to a different area and do not require access.
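The checks described in 3.63 to 3.67 (regular review of the HI System Log for suspicious or irregular staff access, and reports to remove leavers who no longer need access) are the kind of review a detection engineer would script. The following is an added example to illustrate those checks; it is not the HI SO's or DHS's own tooling. The log format, user and team names, the roster of currently authorised users, the date window and the thresholds are all assumptions for the example, and the log lines are constructed sample data, not real HI System Log records.

```python
"""Illustrative review of a constructed HI System Log sample.

Assumed (not the real HI System Log schema) pipe-separated fields:
  timestamp | user | team | record_type | record_ref | action | result
Three checks, mirroring the audit team's described activities:
  1. successful access by users no longer on the authorised roster (leavers)
  2. bursts of failed authentication by one user
  3. unusually high daily volume of record views by one user
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed current roster of authorised users (from HR / team membership).
ROSTER = {"u1001", "u1002", "u2001"}

# Constructed sample log lines for the example; record refs are masked.
SAMPLE_LOG = """
2013-06-18T09:01:12 | u1001 | HI-Tier2 | HPI-I | h-***901 | view   | ok
2013-06-18T09:02:40 | u1001 | HI-Tier2 | HPI-I | h-***902 | update | ok
2013-06-18T09:03:05 | u1002 | HI-Tier3 | HPI-I | h-***903 | view   | ok
2013-06-18T09:05:00 | u2001 | NASH-Ops | HPI-I | h-***904 | view   | auth_failed
2013-06-18T09:05:10 | u2001 | NASH-Ops | HPI-I | h-***904 | view   | auth_failed
2013-06-18T09:05:25 | u2001 | NASH-Ops | HPI-I | h-***904 | view   | auth_failed
2013-06-18T09:06:00 | u2001 | NASH-Ops | HPI-I | h-***904 | view   | ok
2013-06-18T09:10:00 | u3001 | HI-Tier2 | IHI   | i-***110 | view   | ok
2013-06-18T09:10:30 | u3001 | HI-Tier2 | IHI   | i-***111 | view   | ok
2013-06-18T10:00:00 | u1002 | HI-Tier3 | IHI   | i-***120 | view   | ok
2013-06-18T10:00:30 | u1002 | HI-Tier3 | IHI   | i-***121 | view   | ok
2013-06-18T10:01:00 | u1002 | HI-Tier3 | IHI   | i-***122 | view   | ok
2013-06-18T10:01:30 | u1002 | HI-Tier3 | IHI   | i-***123 | view   | ok
2013-06-19T09:00:00 | u1002 | HI-Tier3 | IHI   | i-***124 | view   | ok
"""


def parse_log(text):
    """Parse the assumed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 7:
            raise ValueError(f"malformed log line: {line!r}")
        ts, user, team, rtype, ref, action, result = parts
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "team": team, "record_type": rtype, "ref": ref,
                       "action": action, "result": result})
    return events


def unauthorised_access(events, roster):
    """Successful record access by users not on the current roster.

    Returns {user: count}; any hit means the leaver-removal report
    described in 3.67 missed an account that still holds access."""
    counts = defaultdict(int)
    for e in events:
        if e["result"] == "ok" and e["user"] not in roster:
            counts[e["user"]] += 1
    return dict(counts)


def failed_auth_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Users with at least `threshold` failed authentications inside one
    sliding `window`. Returns {user: largest burst size}."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "auth_failed":
            by_user[e["user"]].append(e["ts"])
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            size = end - start + 1
            if size >= threshold:
                flagged[user] = max(flagged.get(user, 0), size)
    return flagged


def high_volume_users(events, max_views_per_day=4):
    """Users whose successful record views on any single day exceed
    `max_views_per_day`. Returns {user: highest daily count}."""
    per_day = defaultdict(int)
    for e in events:
        if e["result"] == "ok" and e["action"] == "view":
            per_day[(e["user"], e["ts"].date())] += 1
    flagged = {}
    for (user, _day), n in per_day.items():
        if n > max_views_per_day:
            flagged[user] = max(flagged.get(user, 0), n)
    return flagged


def review(log_text, roster):
    """Run all three checks and return the findings for an analyst."""
    events = parse_log(log_text)
    return {"unauthorised_access": unauthorised_access(events, roster),
            "failed_auth_bursts": failed_auth_bursts(events),
            "high_volume_users": high_volume_users(events)}


if __name__ == "__main__":
    for check, hits in review(SAMPLE_LOG, ROSTER).items():
        print(f"{check}: {hits}")
```

On the constructed sample the roster check flags u3001 (an account still viewing IHI records although it is no longer authorised), the burst check flags u2001's three failed authentications within five minutes, and the volume check flags u1002's five views on 18 June. Thresholds and the roster source would need to be set from the real teams' workload before such a script replaced manual review.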
3.68 The auditors were informed that DHS conducts mandatory privacy training for the entire department. All new DHS staff are required to undertake two days of induction training which includes a presentation on privacy issues and the handling of personal information.
3.69 In addition, as part of meeting their performance requirements each staff member is required to complete a 15 to 20 minute e-learning module which broadly covers privacy requirements under the IPPs. DHS staff need to answer a set of questions and must answer most of them correctly to properly meet the requirements of the training. The staff member’s manager is then notified when the staff member has successfully completed the module. Refresher training is also provided on an annual basis.
3.70 The HI SO also informed the auditors that Legal Services is working with the Training and Development area within DHS to create a new e-learning package based on the Australian Privacy Principles (APPs), which will commence on 12 March 2014. The APPs will replace the existing IPPs that currently apply to Australian government agencies and the National Privacy Principles (NPPs) that currently apply to businesses.
3.71 For each major release or new addition to the HI Service, training is conducted for relevant staff. A technical advisor conducts this training for Tier 2 personnel who are located in Melbourne. Training is also provided on new issues once a month or as required.
3.72 The auditors view positively the HI SO's regular audits of its HI System Log to identify any staff misuse of healthcare identifier information, and its regular privacy training for HI SO staff.
3.73 The auditors observed that the HI SO has taken reasonable steps to limit the use of healthcare identifiers and meet the requirements of the HI Act.
3.74 The auditors did not closely observe or monitor staff use of healthcare identifier information during the course of this audit.
3.75 The auditors have made no privacy recommendations to the HI SO for this part of the audit.
IPP 11 issues — Limits on disclosure of personal information
IPP 11.1 provides that a record keeper who has possession or control of a record that contains personal information shall not disclose the information to a person, body or agency (other than the individual concerned) unless one or more exceptions apply.
One relevant exception, IPP 11.1(a), says the individual is reasonably likely to have been aware, or made aware with an appropriate notice, that the information of that kind is usually passed to that person, body or agency.
IPP 11.2 provides that, where personal information is disclosed under IPP 11.1(e) the record keeper shall include in the record containing that information a note of the disclosure.
IPP 11.3 provides that, where personal information is disclosed under IPP 11.1, the parties who receive that information must not use or disclose the information for a purpose other than the purpose for which the information was given to them.
3.76 According to the HI Service’s annual report, in 2011–12, the HI SO disclosed 13 182 937 IHIs through web services.
3.77 According to HI Service Monthly Business Process Reports of March 2013, 2 245 425 IHI searches took place via B2B transmission and 5942 IHI searches took place via Medicare Online Services. In the same month there were 422 962 searches for HPI-Is.
3.78 Under ss 11A, 16-21, 22E and 24A of the HI Act and Regulation 7 of the HI Regulations, the HI SO is authorised to disclose healthcare identifiers and associated identifying information to:
- healthcare providers (including in certain circumstances, their employees and Contracted Service Providers) for the purpose of communicating or managing health information as part of providing healthcare to an individual
- healthcare recipients or responsible persons acting on their behalf who request their healthcare identifier
- registration authorities such as AHPRA
- Chief Executive Medicare
- other government departments
- entities established to provide healthcare provider authentication services for the purposes of issuing security credentials to authenticate a healthcare provider’s identity in electronic transmissions
- the PCEHR System Operator.
3.79 The HI SO informed the auditors that it observes strict measures surrounding the disclosure of healthcare identifier information. The measures implemented by the auditee include:
- the HI System Log which monitors HI SO staff disclosure of healthcare identifier information
- securing the consent of healthcare providers prior to disclosing their personal information in the HPD.
3.80 Disclosures are also governed by HI SO policy documents FR.POLHPI-IPL100 and FR.POLIHIPL100 along with a number of procedure documents.
Disclosure of HPI-Is
3.81 The HI SO informed the auditors that it mainly discloses HPI-I information:
- to other healthcare providers through the HPD (accessed via HPOS or B2B) and over the phone (if the provider has consented to their details appearing on the HPD)
- following a direct healthcare provider search of the EHP database by another healthcare provider (through HPOS or B2B)
- to the PCEHR system operator as permitted under s 22 of the HI Act.
Disclosures through the HPD
3.82 For healthcare providers to access HPOS they need to authenticate via a PKI certificate. Terms and conditions for using HPOS, which apply to both the HI SO and external users of HPOS, are displayed when users log in. Clauses 12-14 of the terms and conditions require that personal information not be disclosed except in the course of performing duties using the HPOS services.
3.83 According to policy document FR.POLHPI-IPL100, users can search the HPD using either an HPI-I number or demographic details. Search results can include gender, provider or specialty details and contact information. However, the extent of the details returned will depend on what information the provider has consented to including on the HPD. For those who consent to being on the HPD, at a minimum the healthcare provider's name and business address will be displayed. A healthcare provider may, however, retrieve their own record details in the search results.
3.84 The only way for healthcare providers to include their details in the HPD is through HPOS, over the phone or through a written application form submitted to HI SO’s Melbourne office. HPD information can also be processed in the Tier 3 support area.
3.85 Access to the HPD is restricted to healthcare providers who have a Medicare PKI certificate. Authorised employees, responsible officers or organisation maintenance officers can also retrieve HPI-Is by accessing the HPD through HPOS, B2B or over the phone.
Direct healthcare provider search of the EHP database
3.86 Healthcare providers who have a HPI-I, their responsible officers and organisation maintenance officers who have a DHS/HI PKI certificate can undertake a direct healthcare provider search of the EHP database.
3.87 This functionality is a web based search which can occur via HPOS or B2B transmission. The auditors were informed that healthcare provider batch searching will be made available in the future via B2B web services (though not on HPOS). Single one-to-one searching was available via B2B at the time of the audit.
3.88 The auditors were informed, and the auditors agree, that the HI Act allows the HI SO to disclose HPI-Is to another healthcare provider via a healthcare provider search.
3.89 As consent is required to place healthcare provider details on the HPD, there is a difference between those registered on the HPD and those registered on the EHP database. The auditors were informed that stakeholders requested that the HI Service be able to disclose HPI-Is. Therefore, direct healthcare provider searches were established to facilitate greater communication and secure messaging between healthcare providers.
3.90 According to Chapter 3 of the HI SO's document Business Specification Search for Provider individual (OLSUHI108) and chapter 10 of policy document FR.POLHPI-IPL100, two types of healthcare provider search are available via HPOS and B2B:
- general identifier number search, which requires the HPI-I number or AHPRA identifier and the healthcare provider’s surname
- demographic search, which requires the healthcare provider’s family name, given name, gender, date of birth and address.
3.91 The first search is to confirm that a number relates to a healthcare provider. The second search is to obtain the number of a healthcare provider.
3.92 The auditors were informed that healthcare provider search results are narrowly defined: if the criteria entered do not uniquely match a record, no record details are returned, and where several records match the only response is 'multiple search results found', with no further details provided. The policy document FR.POLHPI-IPL100 states that searches of the EHP database will return error messages where more than 50 matches are found or no matches are found.
3.93 A direct healthcare provider search returns the user’s search criteria, the HPI-I and its status (ie active, deactivated or retired).
3.94 As with the HPD, a direct healthcare provider search is restricted to healthcare providers and their responsible officers and organisation maintenance officers who have a Medicare PKI certificate.
3.95 Authorised employees of healthcare providers cannot log on to HPOS at all, and so cannot undertake a healthcare provider search via HPOS, because the HI SO does not issue them PKI certificates. Once a user has logged on to HPOS, the EHP database cannot distinguish between authorised and unauthorised users within a healthcare organisation who may be using the interface. The HI Act requires the HI SO to know who is requesting access as well as where a request is coming from; therefore, to ensure that unauthorised persons are not conducting these searches, individual PKI certificates are required. Authorised employees can, however, conduct a search if it is carried out using a B2B transmission. The auditors were informed that under the HI Act medical practices must meet requirements to ensure that the HI SO can identify the authorised employee who is undertaking a search.
3.96 Access logs for HPI-Is exist; however, they are not as easily retrievable or available to healthcare providers as IHI logs are to healthcare recipients.
3.97 As indicated earlier, the auditors did not observe any privacy notices which specifically discuss usual disclosures of HPI-I information to other healthcare providers following a direct healthcare provider search of the EHP database.
Disclosure of IHIs
3.98 The auditors observed that authorised healthcare providers or authorised representatives of a healthcare recipient can access an IHI record.
3.99 According to policy document FR.POLIHIPL100, following a request from a healthcare provider, DHS customer service officers (CSOs) can search for and retrieve an IHI record using the individual's demographic information (surname, date of birth, gender), which is mandatory, together with one of the following:
- Medicare card number
- IHI number
- DVA file number.
3.100 The only information that may be disclosed to a healthcare provider (other than the search criteria used) is the:
- IHI number
- IHI record status
- IHI number status.
3.101 An example is ‘8003601234567890 + verified + active’.
3.102 Healthcare providers can access the IHI information of their patients via B2B transmission with the HI Service or over the phone.
3.103 The auditors were advised that the HI Service does not allow for 'browsing' of records. A request by an authorised healthcare provider for a patient's identifier will only reveal an IHI when there is a single and exact match with the patient information provided by the healthcare provider. Each time a healthcare identifier is accessed, the details of who requested the identifier are recorded and included in the patient's IHI history.
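The following is an added example, not code from the OAIC report, DHS or the HI SO, of a lookup with the 'no browsing' properties described in 3.92 to 3.93 and 3.103: an identifier is disclosed only on a single exact match, two or more matches yield only 'multiple search results found' with neither a count nor any record details, more than 50 matches or no match yields an error, and each disclosure is written to the record's history with the requester's identity. It also renders the '<identifier> + <record status> + <number status>' form shown in 3.101. The record layout, field names, requester labels and every identifier and name below are constructed assumptions; nothing here is a real person or a real healthcare identifier. The same rule is what the auditors ask CSOs to follow by hand in 3.134.

```python
"""Added example, not code from the OAIC report, DHS or the HI SO.

An exact-match lookup with the 'no browsing' behaviour described in
3.92-3.93 and 3.103. Record layout, field names and all identifiers are
constructed assumptions for illustration.
"""
from dataclasses import dataclass, field

MAX_MATCHES = 50                      # limit quoted from FR.POLHPI-IPL100 in 3.92
SEARCH_FIELDS = {"identifier", "surname", "given_name", "dob", "gender"}


@dataclass
class Record:
    identifier: str
    kind: str                          # "IHI" or "HPI-I"
    surname: str
    given_name: str
    dob: str
    gender: str
    record_status: str                 # e.g. "verified"
    number_status: str                 # "active", "deactivated" or "retired"
    address: str = ""                  # held, but never part of a lookup result
    history: list = field(default_factory=list)   # who has accessed this identifier


def make_sample_store():
    """Constructed records; the names and numbers are not real."""
    return [
        Record("8003601234567890", "IHI", "Wilson", "Joe", "1970-01-01", "M",
               "verified", "active", "1 Example St"),
        Record("8003601234567891", "IHI", "Wilson", "Joe", "1970-01-01", "M",
               "verified", "active", "2 Example St"),   # same demographics, different person
        Record("8003611111111111", "HPI-I", "Smith", "Ann", "1980-05-05", "F",
               "verified", "retired"),
    ]


def lookup(store, requester, criteria):
    """Return the identifier only when exactly one record matches every
    supplied criterion. Anything else yields an outcome string and nothing
    taken from the records themselves."""
    if not criteria or set(criteria) - SEARCH_FIELDS:
        return {"outcome": "error: invalid search criteria"}
    matches = [r for r in store
               if all(getattr(r, f) == v for f, v in criteria.items())]
    if not matches:
        return {"outcome": "error: no matches found"}
    if len(matches) > MAX_MATCHES:
        return {"outcome": f"error: more than {MAX_MATCHES} matches found"}
    if len(matches) > 1:
        return {"outcome": "multiple search results found"}   # no count, no details
    rec = matches[0]
    rec.history.append(requester)      # 3.103: who requested it goes into the history
    return {
        "outcome": "found",
        "criteria": dict(criteria),    # the caller's own input is echoed back (3.93)
        "identifier": rec.identifier,
        "record_status": rec.record_status,
        "number_status": rec.number_status,
    }


def format_result(result):
    """Render a result in the '<identifier> + <record status> + <number status>'
    form shown in 3.101, or the bare outcome string otherwise."""
    if result["outcome"] != "found":
        return result["outcome"]
    return " + ".join((result["identifier"], result["record_status"],
                       result["number_status"]))


def bulk_store(n):
    """n constructed records sharing a surname, to exercise the 50-match limit."""
    return [Record(f"80036099{i:08d}", "IHI", "Bulk", f"P{i}", "1990-01-01", "M",
                   "verified", "active") for i in range(n)]


if __name__ == "__main__":
    store = make_sample_store()
    demo = {"surname": "Wilson", "given_name": "Joe", "dob": "1970-01-01", "gender": "M"}
    print(format_result(lookup(store, "HPI-O:example", demo)))
    print(format_result(lookup(store, "HPI-O:example",
                               {**demo, "identifier": "8003601234567890"})))
```

Two design points worth noting. The 'multiple' branch returns before anything is read from the matching records, so neither the number of matches nor any attribute of them can leak; a response that reported the count would already let a caller probe whether a given surname exists. And the history entry is written only on the branch that actually discloses, which is what makes the IHI history in 3.103 a record of disclosures rather than of attempts.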
3.104 Individuals can view their own IHIs and IHI history through Medicare Online Services (which is accessed on the DHS website), over the phone or in person at DHS service centres.
3.105 Individuals can register for Medicare Online Services if they are enrolled in Medicare, aged 14 or older and living in Australia.
3.106 Each person on an individual’s Medicare card who is aged 14 or older must have a separate myGov account to link to their Medicare Online Services account.
3.107 To access Medicare Online Services, following the first log on, the individual is asked to create a myGov account (my.gov.au) which will link to Medicare Online Services. With a myGov account the individual can access their IHI history with a username and password. For security purposes, they are also asked a set of questions based on information they have already provided to Centrelink, Medicare or Child Support.
3.108 Individuals can only use Medicare Online Services to view their IHI and IHI history and to update the 'alternate names' on their IHI record. No other information can be altered using this channel.
Disclosures over the phone
3.109 DHS staff can disclose IHIs and HPI-Is over the phone, provided that the identity of the individual seeking the information is verified. Regular Tier 1 DHS Customer Service Officers (CSOs) handle these calls, with Tier 2 and Tier 3 CSOs within the HI SO handling more complicated calls.
3.110 The auditors were informed that the majority of calls are from healthcare providers requesting HPI-I information.
3.111 Healthcare providers can access their own HPI-I information over the phone. However, the disclosure of HPI-I information to other persons over the phone can only occur if the healthcare provider has an HPD record.
3.112 Responsible officers and organisation maintenance officers cannot request HPI-Is over the phone. Patients do not need HPI-Is and cannot access them.
3.113 CSOs who handle requests to access IHI and HPI-I information over the phone refer to a set of policies and procedures, which include:
- Policy FR.POLHPI-IPL100, which applies to searches conducted by CSOs who are responding to requests for HPI-I information
- Policy FR.POLIHIPL100, which applies to searches conducted by CSOs who are responding to requests for IHI information
- HI SO policy material also has a link that takes staff to the DoHA web site, specifically to a set of frequently asked questions (FAQs) which contain information concerning disclosures made by the HI SO. These FAQs are used for the purposes of informing callers where they can find further information.
3.114 The HI SO also has specific procedure documents which outline the steps CSOs need to follow when undertaking specific transactions over the phone (procedure documents are listed in Appendix A).
3.115 These procedures include steps that CSOs need to follow when searching for details on the EHP or CDMS databases.
3.116 HI Service procedures also outline a security check process in which the caller must provide a certain amount of information to establish their identity before any healthcare identifier information is disclosed over the phone. CSOs are required to complete a minimum number of fields before disclosure can occur.
3.117 When retrieving their own HPI-I information over the phone, the healthcare provider is asked for their HPI-I number or if they are unable to supply this information, their surname, date of birth and contact details.
3.118 When an individual is retrieving their own IHI over the phone, the individual's name, gender and date of birth are required. When the request for an IHI comes from a provider or authorised employee, the requestor's HPI-I or HPI-O is required and a security check on the provider is conducted to verify their identity.
3.119 The CSOs refer to set reference material which provides guidance on how to respond to particular situations. The auditors were advised that regular privacy training is mandatory DHS wide for all CSO staff and is provided to Tier 1, 2 and 3. Specific training regarding the disclosure of healthcare identifiers is not provided for all CSOs. However e-reference material and the department’s security checking procedures are provided to all staff to ensure that proper disclosure processes are followed.
Disclosures to the PCEHR system operator
3.120 In relation to individual consumers, the auditors were advised that healthcare identifier disclosures by the HI SO to the PCEHR System Operator assist with the establishment and registration of an individual’s PCEHR. The myGov website creates the links between the two systems. The HI Service notifies the PCEHR System Operator that a PCEHR registered person’s IHI details have been updated in the HI SO.
3.121 In relation to assisted registration under the PCEHR system, healthcare providers can set up a PCEHR by using their patient’s IHI information.
3.122 From the healthcare provider perspective, the HI SO also maintains the Provider Participation Register (PPR), which is used to allow healthcare providers to register and maintain PCEHR registration details via HPOS.
3.123 The PPR contains HPI-I information which is collected from the EHP database. Specifically, information on the PPR includes HPI-Is and their status. The auditors were informed that in the future this may also include the healthcare provider’s surname.
3.124 The auditors were informed that the HI SO does not disclose healthcare identifier information to other government agencies other than the PCEHR System Operator.
Healthcare Provider disclosures
3.125 Section 17 of the HI Act allows the HI SO to disclose HPI-Is to other health care providers through a healthcare provider search. However, s 17 of the HI Act refers only to healthcare identifiers and does not specifically authorise the HI SO to use or disclose identifying information ‘associated’ with a healthcare identifier for the purposes of facilitating communication between healthcare providers.
3.126 The result from a healthcare provider search includes the information entered by the user as search criteria, the HPI-I and its status (ie active, deactivated or retired). The auditors note that if the result includes identifying information, even though it was initially entered by the user as part of the search criteria, this amounts to a disclosure.
3.127 In addition, IPP 11 provides that information in the possession or control of a record keeper should not be disclosed except for the limited purposes set out in IPP 11. IPP 11(1)(a) allows information to be disclosed if the individual would reasonably be aware that information of that kind is usually passed on to that person, body or agency, or has been made aware by being given notice under IPP 2(e).
3.128 The notices used in relevant application forms and online channels by the HI SO under IPP 2(e) should be clear so that individuals are aware of the usual disclosures involving their healthcare identifier information. This will ensure that disclosures involving HPI-Is and associated identifying information, following a direct healthcare provider search of the EHP database by another healthcare provider, are authorised under IPP 11(1)(a). Implementing recommendation 1 will assist to address this issue.
Disclosures over the phone
3.129 The auditors acknowledge that CSOs are trained not just in disclosing and protecting HIs but in a range of personal information held by DHS. The auditors focused on policies and training materials relating to the disclosure of IHIs, HPI-Is and identifying information over the telephone. The auditors were limited in their ability to review all training, policies and controls across DHS.
3.130 The HI SO has policies, procedures and other written guidance materials which govern the disclosure of healthcare identifiers.
3.131 CSOs have access to policies which deal with providing healthcare identifier information over the phone and they can also refer callers to Tier 2 or Tier 3 staff.
3.132 The policies about healthcare identifier information do not make it explicit that information should be verified by the CSO and not disclosed to the caller to verify.
3.133 If staff referred to those policies alone, there is a risk that CSOs may inadvertently disclose information by providing individuals over the phone with the answers to identity verification questions; for example, CSOs should ask 'what is your name?' rather than 'are you Joe Wilson?'.
3.134 Similarly, where a request to disclose information yields multiple search results, there is a privacy risk that CSOs, relying on those policies alone, may reveal each search result to the customer instead of advising the customer only that 'multiple results have been found' and requesting further information from the customer to narrow the search.
3.135 The auditors note that they saw no evidence, and had no reason to suspect, that DHS staff were inadvertently disclosing healthcare identifiers or identifying information; the above comments relate to risks identified after reviewing the policies.
3.136 However the auditors suggest that the HI SO consider updating its policy for disclosing healthcare identifiers over the telephone to include specific guidance on how to prevent inadvertent disclosures over the phone. For example, the guidance could instruct CSOs to ask customers to provide further information and warn against asking leading questions during identity verification checks.
3.137 The auditors have made no privacy recommendations to the HI SO for this part of the audit.
Part 4 — Summary of recommendations
Recommendation 1 - Amend privacy notices
3.138 It is recommended that privacy notices contained in or referred to in relevant application forms and online channels be amended and updated to:
- refer to the specific legislation authorising the collection of healthcare identifier information
- clearly explain what the healthcare identifier information collected from healthcare recipients and healthcare providers will be used for and the usual authorised disclosures, such as:
- in the case of IHI disclosures: to healthcare providers or to the PCEHR system operator
- in the case of HPI-I disclosures: following a direct healthcare provider search of the EHP database by another healthcare provider.
DHS accepts the recommendation and makes the following comment:
- The department has recently reviewed its approach to privacy notices and Healthcare Identifiers Service forms now directly refer to the Healthcare Identifiers Act 2010 and provide a link to further information on the use and disclosure of personal information.
The OAIC obtained the following information from the HI Service prior to and during the audit: