Publication date: September 2014

This resource is for healthcare organisations and individual healthcare providers in the private sector. This includes healthcare providers such as general practices, private hospitals and allied healthcare professionals.  For public sector health service providers, see Individual healthcare identifiers: obligations for public health service providers.

The resource focuses on compliance obligations in relation to the handling of individual healthcare identifiers (IHIs) by healthcare providers. Healthcare providers who have enquiries regarding technical or administrative aspects of the Healthcare Identifiers Service (HI Service) should contact the HI Service Operator, the Services Australia.

The Healthcare Identifiers Act and Regulations

The Healthcare Identifiers Act 2020 (HI Act) and the Healthcare Identifiers Regulations 2010 (HI Regulations):

  • establish the Healthcare Identifiers Service (HI Service)
  • limit the purposes for which IHIs and the associated identifying information may be collected, used, disclosed and adopted
  • impose penalties for breaches of certain provisions of the HI Act
  • impose data quality and data security obligations.

The Privacy Act

The Privacy Act 1998 sets out the Australian Privacy Principles (APPs) that regulate the handling of personal information by both Australian Government agencies and some private sector organisations. An individual healthcare identifier (IHI) may be considered to be personal information for the purposes of the Privacy Act, where it can be used to identify a person or where a person can reasonably be identified in the circumstances. Where an IHI is personal information, it is further considered to be sensitive information, which is a subcategory of personal information, under the Privacy Act. The Privacy Act sets out particular rules that apply to the handling of sensitive information for the purpose of providing healthcare. When handling an IHI, a healthcare provider therefore needs to be aware of their obligations under both the HI Act and the Privacy Act.

The role of Office of the Australian Information Commissioner

The HI Act requires the Office of the Australian Information Commissioner (OAIC) to oversee private healthcare providers’ compliance with the HI Act and HI Regulations, in relation to their handling of IHIs and identifying information. Under the HI Act any breach of the Act or Regulations in connection with an IHI or identifying information will also be a breach of the Privacy Act 1988 (Cth).[1]

Accessing the HI Service to collect IHIs

IHIs may only be collected from the HI Service by authorised persons, who need to access IHIs for their duties. Authorised persons may include:

  • a healthcare provider which has been assigned a Healthcare Provider Identifier – Individual (HPI-I) or Healthcare Provider Identifier – Organisation (HPI-O)
  • other users authorised by the healthcare provider organisation which may include:
    • an authorised employee of a healthcare provider who requires access to IHI records to assist with patient administration
    • an authorised employee of a contracted service provider of the healthcare provider who requires access to IHI records to assist with patient administration.

If a healthcare provider organisation is authorised to collect IHIs for a particular purpose, an employee or an employee of a contracted service provider is also authorised to collect IHIs on their behalf, where their duties involve, or are reasonably connected to, implementing that purpose.[2]

Healthcare providers may only collect IHIs for the purpose of communicating or managing health information, as part of providing healthcare to a patient. It is an offence under the HI Act to collect an IHI from the HI Service for another purpose.[3]

Healthcare providers may collect IHIs for their existing patients through a bulk download from the HI Service. This process involves the provision of a batch file with each patient’s identity details is provided to the HI Service. The HI Service will attempt to match the information with IHIs for those patients. The HI Service will only return IHIs when an exact match is found. If an exact match is not found, an error message will be returned to the healthcare provider.

Compliance tips

Healthcare providers should only download their patients’ IHIs if this is necessary for communicating or managing health information as part of providing the patient with healthcare. Healthcare providers should carefully consider whether they need to collect IHIs for patients who have not used their services for a long time.

Healthcare providers must ensure that they transfer batch files securely, for example as an encrypted file. If unsure of the requirements, providers may wish to contact the HI Service Operator for further information.

Disclosing ‘identifying information’ to the HI Service

The HI Act also authorises healthcare providers to disclose ‘identifying information’ of a healthcare recipient to the HI Service for the purpose of the HI Service assigning them a healthcare identifier, and for the purpose of the HI Service Operator disclosing the healthcare recipient’s healthcare identifier to the healthcare provider (s 16 HI Act).

‘Identifying information’ is defined in s 7 of the HI Act and includes the individual’s name, address, date of birth, sex, Medicare number, Department of Veterans’ Affairs file number (if applicable) and order of birth in the case of a multiple birth.

Compliance tip

When collecting IHIs from the HI Service, healthcare providers should not provide any more information than is generally needed to uniquely identify each patient (name, sex and date of birth).

Where the details provided are insufficient to uniquely identify the patient, the HI Service will request further identity details such as the patient’s Medicare number or Veterans’ Affairs number.

What notice do I have to provide to patients?

When collecting a patient’s personal information, including an IHI, from a third party, healthcare providers must take reasonable steps to ensure the patient is or has been made aware of certain matters (APP 5). Healthcare providers may choose to include information about the collection of a patient’s IHI as part of a collection notice provided to patients in relation to collecting information for the purpose of providing healthcare, and could also address how individual healthcare identifiers are handled by the healthcare provider in their APP 1 privacy notice.

Using and disclosing IHIs

Authorised uses and disclosures

Healthcare providers may only use or disclose an IHI for a purpose permitted under the HI Act that is, to communicate or manage health information as part of:

  • the provision of healthcare to the patient
  • the management (including investigating or resolving complaints), funding, monitoring or evaluation of healthcare
  • the provision of medical indemnity cover for a healthcare provider
  • the conduct of research that has been approved by a Human Research Ethics Committee
  • lessening or preventing a serious threat to an individual’s life, health or safety or to public health or safety
  • purposes authorised under another law. For example, a provider may be legally compelled to disclose an individual’s IHI if issued a subpoena by a court for the provision of information.[4]

The use or disclosure of an IHI for an unauthorised purpose is an offence under the HI Act.[5]

If a staff member of a healthcare provider uses or discloses an IHI for an unauthorised purpose (for example, while using their employer’s resources but acting outside the scope of their employment), they may have committed an offence. The healthcare provider organisation, however, may still be accountable for a breach of privacy.[6]

The HI Act allows the disclosure of an IHI as required or authorised by law. For example, a provider may be legally compelled to disclose an individual’s IHI if issued a subpoena by a court for the provision of information.

Prohibited uses and disclosures

The HI Act expressly prohibits IHIs from being used or disclosed for the purpose of communicating or managing health information as part of:

  • underwriting a contract of insurance that covers the healthcare recipient
  • determining whether to enter into a contract of insurance that covers the healthcare recipient (whether alone or as a member of a class)
  • determining whether a contract of insurance covers the healthcare recipient in relation to a particular event
  • non-healthcare related employment purposes.[7]

Records of access to the Healthcare Identifier Service

To ensure that a record of every access to the HI Service is maintained, healthcare providers are required to do either one of the following:

  • give the HI Service enough information to identify, by name, the authorised user making the request. That information may be given, for example, as part of the data sent to the HI Service from the healthcare provider’s practice management software. In this case the provider does not need to keep its own record of individual staff members’ access
  • keep its own retrievable record of each occasion an individual authorised user has accessed an IHI. The record must include either:
    • the staff member’s name, or
    • other information that can be used to identify the staff member. [8]

If the provider keeps its own records, it only needs to inform the HI Service of the identity of the organisation, rather than the identity of the individual authorised user requesting the IHI, when accessing the HI Service. The healthcare provider must retain the relevant records for as long as a staff member is authorised to access IHIs from the HI Service, and for seven years from the day after they cease to be authorised.[9]

If the HI Service makes a written request for the access record, the organisation must provide a copy to the HI Service with 14 days of receiving the request. It is an offence under the HI Act for a healthcare provider to intentionally not comply with such a request.[10]

Quality of personal information

Handling IHIs

APP 10 requires private healthcare providers to take reasonable steps to make sure that the personal information they collect, use or disclose is accurate, up to date and complete. More information about what constitutes ‘reasonable steps’ is available in Chapter 10 of the APP Guidelines.

Healthcare providers must have systems and processes in place to ensure that:

  • they are referencing patient records with the correct identifier
  • the information that they are referencing with the identifier is accurate, complete and up to date.

For more information, see Privacy guidance regarding individual healthcare identifiers (IHIs) on COVID-19 digital vaccination certificates.

Security of personal information

Private healthcare providers must take reasonable steps to protect the personal information, including IHIs, they hold from misuse, loss, and unauthorised access, modification or disclosure.[11]

Additionally, under APP 11 private healthcare providers must also take reasonable steps to protect their records of healthcare identifiers and other personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. More information about information security is available in the OAIC’s Guide to Information Security.

Providers should integrate information security safeguards for personal information they hold (including healthcare identifiers and identifying information) into their systems and processes.

In order to participate in the HI Service, healthcare providers are required to have IT systems that incorporate minimum standards and security features. Healthcare providers should ensure that their software conforms with these requirements. Further information is available from the HI Service Operator.

Compliance tip

It is good privacy practice to implement audit trails within an organisation’s internal systems of individual staff member access to patients’ personal information, including IHIs (after they are initially downloaded from the HI Service), to prevent and detect improper use or disclosure. (This would be in addition to the requirement under the Regulations outlined above for healthcare providers to either keep a record, or notify the HI Service, of each individual user’s access to the HI Service).

Adoption, use and disclosure of IHIs

APP 9 places restrictions on the adoption, use and disclosure of government related identifiers, including IHIs, unless an exception applies. One exception is if the adoption, use or disclosure is required or authorised by or under an Australian law.

The HI Act authorises the collection, use, disclosure and adoption of IHIs by private healthcare providers for the purposes set out in the HI Act, which means that healthcare providers will be compliant with APP 9 when handling IHIs in accordance with the HI Act. This means that providers may adopt the IHIs of their patients as their own identifiers to uniquely identify their patients.[12]

Anonymous and pseudonymous healthcare

APP 2 requires private healthcare providers to provide patients with treatment and services on an anonymous or pseudonymous basis, wherever this is lawful and practicable.[13]

IHIs do not alter the way in which anonymous and pseudonymous healthcare services are provided to patients. When a patient is receiving healthcare services on a pseudonymous basis, patients can also choose to be issued with a pseudonymous IHI.[14] Patients should not be refused treatment because they do not wish their healthcare provider to access their IHI.

For more information, see Privacy guidance regarding individual healthcare identifiers (IHIs) on COVID-19 digital vaccination certificates.

Footnotes

[1] See s 29(1) of the HI Act.

[2] See s 36 of the HI Act

[3] See s 14 of the HI Act and r 10 of the HI Regulations. A penalty of up to 50 penalty units ($11,100) may apply.

[4] See s 26(5) of the HI Act

[5] See s 26 of the HI Act. A person convicted of this offence may be imprisoned for two years or fined 120 penalty units ($26,640), or both. If a body corporate is convicted of this offence, a court may impose a fine of up to 600 penalty units ($133,200).

[6] See s 29 of the HI Act

[7] See s 14(2) of the HI Act

[8] See r 12 of the HI Regulations

[9] See r 12(4) of the HI Regulations

[10] See r 12(5) of the HI Regulations. A penalty of up to 50 penalty units ($11,100) may apply.

[11] See s 27 of the HI Act

[12] See s 23, 24 and 25 of the HI Act. See also the OAIC’s APP Guidelines www.oaic.gov.au/privacy/applying-privacy-law/app-guidelines/chapter-9-app-9-adoption-use-or-disclosure-of-government-related-identifiers

[13] See the OAIC’s APP Guidelines – Chapter 2

[14] www.servicesaustralia.gov.au/individual-healthcare-identifiers

OAIC logo
Contact us 1300 363 992

Monday to Thursday 10 am to 4 pm (AEST/AEDT)

Acknowledgement of Country

The OAIC acknowledges Traditional Custodians of Country across Australia and their continuing connection to land, waters and communities. We pay our respect to First Nations people, cultures and Elders past and present.

© Commonwealth of Australia