This resource is for healthcare organisations and individual healthcare providers in the public sector. (Note: for private sector healthcare providers there is an equivalent privacy resource — Compliance obligations of private healthcare providers)
The resource focuses on compliance obligations in relation to the handling of individual healthcare identifiers (IHIs) by healthcare providers. Healthcare providers who have enquiries regarding technical or administrative aspects of the Healthcare Identifiers Service (HI Service) should contact the HI Service Operator, the Services Australia.
The Healthcare Identifiers Act and Regulations
- establish the Healthcare Identifiers Service (HI Service)
- limit the purposes for which (IHIs) and the associated identifying information may be collected, used, disclosed and adopted
- impose penalties for breaches of certain provisions of the HI Act
- impose data quality and data security obligations.
The role of the Office of the Australian Information Commissioner
The HI Act requires the Office of the Australian Information Commissioner (OAIC) to oversee state and territory healthcare providers’ compliance with the HI Act and Regulations in relation to their handling of IHIs. The HI Act states that any breach of the HI Act or HI Regulations in connection with an IHI or identifying information will also be a breach of the Privacy Act 1988 (Cth). The OAIC handles complaints about the handling of IHIs and identifying information by state and territory healthcare providers, and conducts assessments of privacy aspects of the HI Service.
Each state and territory is able to make laws so that a local regulator oversees the handling of healthcare identifiers by state or territory bodies, such as public hospitals. Until this occurs, the OAIC has jurisdiction over the handling of healthcare identifiers and identifying information by state and territory healthcare providers.
What legislation do state and territory healthcare providers have to comply with?
When handling IHIs, state and territory healthcare providers must comply with:
- the HI Act and HI Regulations
- any existing obligations they may have under their state or territory privacy or information handling legislation.
Accessing the HI Service to collect Individual Healthcare Identifiers
IHIs may only be collected from the HI Service by authorised persons, who need to access IHIs for their duties. Authorised persons may include:
- a healthcare provider which has been assigned a HPI-I or HPI-O
- other users authorised by the healthcare provider organisation which may include:
- an authorised employee of a healthcare provider who requires access to IHI records to assist with patient administration
- an authorised employee of a contracted service provider of the healthcare provider who requires access to IHI records to assist with patient administration.
If a healthcare provider organisation is authorised to collect IHIs for a particular purpose, an employee or an employee of a contracted service provider is also authorised to collect IHIs on their behalf, where their duties involve, or are reasonably connected to, implementing that purpose.
Healthcare providers may only collect IHIs for the purpose of communicating or managing health information, as part of providing healthcare to a patient. It is an offence under the HI Act to collect an IHI from the HI Service for another purpose.
Healthcare providers may collect IHIs for their existing patients through a bulk download from the HI Service. In this process a batch file with each patient’s identity details is provided to the HI Service and the HI Service will attempt to match the information with IHIs for those patients. The HI Service will only return IHIs when an exact match is found. If an exact match is not found, an error message will be returned to the healthcare provider.
Healthcare providers should only download their patients’ IHIs if this is necessary for communicating or managing health information as part of providing the patient with healthcare. Healthcare providers should carefully consider whether they need to collect IHIs for patients who have not used their services for a long time.
Healthcare providers must ensure that they transfer batch files securely, for example as an encrypted file. If unsure of the requirements, providers may wish to contact the HI Service Operator for further information.
Disclosing ‘identifying information’ to the HI Service
The HI Act also authorises healthcare providers to disclose ‘identifying information’ of a healthcare recipient to the HI Service for the purpose of the HI Service assigning them a healthcare identifier, and for the purpose of the HI Service Operator disclosing the healthcare recipient’s healthcare identifier to the healthcare provider (s 16 HI Act).
‘Identifying information’ is defined in s 7 of the HI Act and includes the individual’s name, address, date of birth, sex, Medicare number, Department of Veterans’ Affairs file number (if applicable) and order of birth in the case of a multiple birth.
When collecting IHIs from the HI Service, healthcare providers should not provide any more information than is generally needed to uniquely identify each patient (name, sex and date of birth).
Where the details provided are insufficient to uniquely identify the patient, the HI Service will request further identity details such as the patient’s Medicare number or Veterans’ Affairs number.
What notice do I have to provide?
Using and disclosing Individual Healthcare Identifiers
Authorised uses and disclosures
Healthcare providers may only use or disclose an IHI for a purpose permitted under the HI Act, that is, to communicate or manage health information as part of:
- the provision of healthcare to the patient
- the management (including investigating or resolving complaints), funding, monitoring or evaluation of healthcare
- the provision of medical indemnity cover for a healthcare provider
- the conduct of research that has been approved by a Human Research Ethics Committee
- lessening or preventing a serious threat to an individual’s life, health or safety or to public health or safety
- purposes authorised under another law.
The use or disclosure of an IHI for any other purpose is an offence under the HI Act.
If a staff member uses or discloses an IHI for any unauthorised purpose when carrying out their employment duties, they may have committed an offence. The healthcare provider organisation, however, may still be accountable for a breach of privacy.
The HI Act allows the disclosure of an IHI as required or authorised by law. For example, a provider may be legally compelled to disclose an individual’s IHI if issued a subpoena by a court for the provision of information.
Prohibited uses and disclosures
The HI Act expressly prohibits IHIs from being used or disclosed for the purpose of communicating or managing health information as part of:
- underwriting a contract of insurance that covers the healthcare recipient
- determining whether to enter into a contract of insurance that covers the healthcare recipient (whether alone or as a member of a class)
- determining whether a contract of insurance covers the healthcare recipient in relation to a particular event, or
- non-healthcare related employment purposes.
Records of access to the Healthcare Identifier Service
To ensure that a record of every access to the HI Service is maintained, healthcare providers are required to do either one of the following:
- give the HI Service enough information to identify, by name, the authorised user making the request. That information may be given as, for example, part of the data sent to the HI Service from the healthcare provider’s practice management software. In this case the provider does not need to keep its own record of individual staff members’ access
- keep its own retrievable record of each occasion an individual authorised user has accessed an IHI. The record must include either:
- the staff member’s name, or
- other information that can be used to identify the staff member.
If the provider keeps its own records, it only needs to inform the HI Service of the identity of the organisation, rather than the identity of the individual authorised user requesting the IHI, when accessing the HI Service.
The healthcare provider must retain the relevant records for as long as a staff member is authorised to access IHIs from the HI Service, and for seven years from the day after they cease to be authorised.
If the HI Service makes a written request for the access record, the organisation must provide a copy to the HI Service with 14 days of receiving the request. It is an offence under the HI Act for a healthcare provider to intentionally not comply with such a request.
Quality of personal information
All state and territory government healthcare providers should have procedures in place to ensure that their records of personal information are accurate. In many cases they will be specifically required to do so by state or territory privacy or information handling legislation.
Healthcare providers must have systems and processes in place to ensure that:
- they are referencing patient records with the correct identifier
- the information that they are referencing with the identifier is accurate, complete and up-to-date.
Security of personal information
State and territory healthcare providers must take reasonable steps to protect the healthcare identifiers they hold from misuse, loss, and unauthorised access, modification or disclosure.
Additionally, many state and territory healthcare providers will similarly be required to have data security procedures in place under state or territory privacy or information handling legislation. Providers should integrate information security safeguards for healthcare identifiers into their systems and processes.
In order to participate in the HI Service, healthcare providers are required to have IT systems that incorporate minimum standards and security features. Healthcare providers should ensure that their software conforms with these requirements. Further information is available from the HI Service Operator.
It is good privacy practice to implement audit trails within an organisation’s internal systems of individual staff member access to patients’ personal information, including IHIs (after they are initially downloaded from the HI Service), to prevent and detect improper use or disclosure. (This would be in addition to the requirement under the Regulations outlined above for healthcare providers to either keep a record, or notify the HI Service, of each individual user’s access to the HI Service).
Anonymous and pseudonymous healthcare
IHIs do not alter the way in which anonymous and pseudonymous healthcare services are provided. When a patient is receiving healthcare services on a pseudonymous basis, patients can also choose to be issued with a pseudonymous IHI. Patients should not be refused treatment because they do not wish their healthcare provider to access their IHI.
 See s 29(1) of the HI Act which says that any breach of the HI Act or Regulations in connection with an IHI or an individual’s identifying information is a breach of the Privacy Act. Section 29 brings state and territory authorities into the jurisdiction of the OAIC for the handling of IHIs.
 See s 36A of the HI Act
 See s 14 of the HI Act and r 10 of the HI Regulations. A penalty of up to 50 penalty units ($11,100) may apply.
 See s 26(5) of the HI Act.
 See s 26 of the HI Act. A person convicted of this offence may be imprisoned for two years or fined 120 penalty units ($26,640), or both. If a body corporate is convicted of this offence, a court may impose a fine of up to 600 penalty units ($133,200).
 See s 29 of the HI Act
 See s 14(2) of the HI Act
 See r 12 of the HI Regulations
 See r 12(4) of the HI Regulations
 See r 12(5) of the HI Regulations. A penalty of up to 50 penalty units ($11,100) may apply.
 See s 27 of the HI Act
 See Explanatory Memorandum to the Healthcare Identifiers Bill 2010, p. 5