Federal Register of Legislation - Australian Government

Healthcare Identifiers Act 2010

Authoritative Version
  • C2014C00807
  • In force - Superseded Version
Act No. 72 of 2010 as amended, taking into account amendments up to Aged Care and Other Legislation Amendment Act 2014
An Act to provide for healthcare identifiers, and for related purposes
Administered by: Health
Registered 11 Dec 2014
Start Date 05 Dec 2014
End Date 26 Nov 2015

Healthcare Identifiers Act 2010

No. 72, 2010

Compilation No. 8

Compilation date: 5 December 2014

Includes amendments up to: Act No. 126, 2014

Registered: 11 December 2014

 

About this compilation

This compilation

This is a compilation of the Healthcare Identifiers Act 2010 that shows the text of the law as amended and in force on 5 December 2014 (the compilation date).

This compilation was prepared on 10 December 2014.

The notes at the end of this compilation (the endnotes) include information about amending laws and the amendment history of provisions of the compiled law.

Uncommenced amendments

The effect of uncommenced amendments is not shown in the text of the compiled law. Any uncommenced amendments affecting the law are accessible on ComLaw (www.comlaw.gov.au). The details of amendments made up to, but not commenced at, the compilation date are underlined in the endnotes. For more information on any uncommenced amendments, see the series page on ComLaw for the compiled law.

Application, saving and transitional provisions for provisions and amendments

If the operation of a provision or amendment of the compiled law is affected by an application, saving or transitional provision that is not included in this compilation, details are included in the endnotes.

Modifications

If the compiled law is modified by another law, the compiled law operates as modified but the modification does not amend the text of the law. Accordingly, this compilation does not show the text of the compiled law as modified. For more information on any modifications, see the series page on ComLaw for the compiled law.

Self‑repealing provisions

If a provision of the compiled law has been repealed in accordance with a provision of the law, details are included in the endnotes.

  

  

  


Contents

Part 1—Preliminary

1  Short title
2  Commencement
3  Purpose of this Act
4  Act to bind the Crown
4A  External Territories
5  Definitions
7  Meaning of identifying information
8  Meaning of national registration authority

Part 2—Assigning healthcare identifiers

9  Assigning healthcare identifiers
9A  Classes of providers for the purposes of paragraph 9(1)(a)
9B  Information that may be requested before assigning healthcare identifiers
9C  Review of decision not to assign a healthcare identifier
10  Service operator must keep record of healthcare identifiers etc.

Part 3—Use and disclosure of healthcare identifiers and other information

Division 1—Use and disclosure of identifying information

11  Disclosure by healthcare providers
11A  Use and disclosure of identifying information
12  Disclosure by data sources
12A  Disclosure for an aged care purpose
13  Disclosure by national registration authority
14  Maintaining healthcare identifiers
15  Service operator’s duty of confidentiality

Division 2—Disclosure of healthcare identifier by service operator

Subdivision A—Request by healthcare provider for healthcare recipient’s healthcare identifier

16  Disclosure of healthcare recipient’s identifying information by healthcare provider

Subdivision B—Disclosure of healthcare identifier by service operator

17  Disclosure to healthcare provider
18  Disclosure to healthcare recipient
19  Disclosure to registration authority
19A  Disclosure to PCEHR System Operator
19B  Disclosure to Chief Executive Medicare
19C  Disclosure to other Departments
19D  Disclosure to Aged Care Department
20  Disclosure for authentication of healthcare provider’s identity
21  Access controls
22  Information about disclosures by service operator

Division 2A—Collection, use and disclosure of healthcare identifiers and identifying information for purposes of the PCEHR System

22A  Collection, use and disclosure by PCEHR System Operator
22B  Adoption by PCEHR System Operator, registered repository operator or registered portal operator
22C  Collection, use and disclosure by registered repository operators or registered portal operators
22D  Collection, use and disclosure by the Chief Executive Medicare and Departments
22E  Regulations may authorise collection, use and disclosure related to the PCEHR system

Division 3—Use, disclosure and adoption of healthcare identifier by healthcare provider

23  Disclosure to healthcare recipient
23A  Disclosure to Aged Care Department
24  Use and disclosure for other purposes
24A  Collection, use and disclosure of healthcare identifier of healthcare provider with consent
25  Adoption by healthcare provider

Division 4—Unauthorised use and disclosure of healthcare identifiers

26  Unauthorised use and disclosure of healthcare identifiers prohibited

Division 5—Protection of healthcare identifiers

27  Protection of healthcare identifiers

Part 4—Interaction with the Privacy Act 1988

28  Interaction with the Privacy Act 1988
29  Functions of Information Commissioner
30  Annual reports by Information Commissioner

Part 5—Healthcare Provider Directory

31  Healthcare Provider Directory

Part 6—Oversight role of Ministerial Council

32  Directions to service operator
33  Consultation with Ministerial Council about regulations
34  Annual reports by service operator
35  Review of operation of Act

Part 7—Miscellaneous

36  Extent of authorisation
37  Relationship to State and Territory laws
38  Severability—additional effect of Parts 3 and 4
39  Regulations

Endnotes

Endnote 1—About the endnotes
Endnote 2—Abbreviation key
Endnote 3—Legislation history
Endnote 4—Amendment history


An Act to provide for healthcare identifiers, and for related purposes

Part 1—Preliminary

1  Short title

                   This Act may be cited as the Healthcare Identifiers Act 2010.

2  Commencement

                   This Act commences on the day after this Act receives the Royal Assent.

3  Purpose of this Act

             (1)  The purpose of this Act is to provide a way of ensuring that an entity that provides, or an individual who receives, healthcare is correctly matched to health information that is created when healthcare is provided.

             (2)  This purpose is to be achieved by assigning a unique identifying number to each healthcare provider and healthcare recipient.

4  Act to bind the Crown

             (1)  This Act binds the Crown in right of the Commonwealth, of the States, of the Australian Capital Territory, of the Northern Territory and of Norfolk Island.

Note:          The Minister must, in certain circumstances, declare that certain provisions of this Act do not apply to the public bodies of a specified State or Territory: see subsection 37(4).

             (2)  This Act does not make the Crown liable to be prosecuted for an offence.

4A  External Territories

                   This Act extends to every external Territory.

5  Definitions

                   In this Act:

aged care, in relation to a person, has the same meaning as in:

                     (a)  if the Aged Care Act 1997 applies in relation to the person—that Act; and

                     (b)  if the Aged Care (Transitional Provisions) Act 1997 applies in relation to the person—that Act.

Aged Care Department means the Department administered by the Aged Care Minister.

Aged Care Minister means the Minister administering the Aged Care Act 1997.

aged care purpose means:

                     (a)  the purpose of enabling the Aged Care Department to create and maintain a record about aged care provided to a person by an approved provider (within the meaning of the Aged Care Act 1997); or

                     (b)  the purpose of the Aged Care Department verifying the identity of a person who is receiving, or who is to receive, aged care.

Australian Childhood Immunisation Register means the Australian Childhood Immunisation Register kept under section 46B of the Health Insurance Act 1973.

Chief Executive Medicare has the same meaning as in the Human Services (Medicare) Act 1973.

contracted service provider, of a healthcare provider, means an entity that provides:

                     (a)  information technology services relating to the communication of health information; or

                     (b)  health information management services;

to the healthcare provider under a contract with the healthcare provider.

data source has the meaning given by subsection 12(2).

date of birth accuracy indicator means a data element that is used to indicate how accurate a recorded date of birth is.

date of death accuracy indicator means a data element that is used to indicate how accurate a recorded date of death is.

Defence Department means the Department that:

                     (a)  deals with matters arising under section 1 of the Defence Act 1903; and

                     (b)  is administered by the Minister who administers that section.

employee, of an entity, includes:

                     (a)  an individual who provides services for the entity under a contract for services; or

                     (b)  an individual whose services are made available to the entity (including services made available free of charge).

entity means:

                     (a)  a person; or

                     (b)  a partnership; or

                     (c)  any other unincorporated association or body; or

                     (d)  a trust; or

                     (e)  a part of another entity (under a previous application of this definition).

healthcare means health service within the meaning of subsection 6(1) of the Privacy Act 1988.

healthcare identifier has the meaning given by section 9.

healthcare provider means:

                     (a)  an individual healthcare provider; or

                     (b)  a healthcare provider organisation.

Healthcare Provider Directory has the meaning given by subsection 31(1).

healthcare provider organisation means an entity, or a part of an entity, that has conducted, conducts, or will conduct, an enterprise that provides healthcare (including healthcare provided free of charge).

Example:    A public hospital, or a corporation that runs a medical centre.

healthcare recipient means an individual who has received, receives, or may receive, healthcare.

health information has the meaning given by subsection 6(1) of the Privacy Act 1988.

Human Research Ethics Committee has the meaning given by:

                     (a)  the National Statement on Ethical Conduct in Human Research issued in March 2007 by the Chief Executive Officer of the National Health and Medical Research Council under the National Health and Medical Research Council Act 1992; or

                     (b)  if that Statement is amended—that Statement as amended.

Note:          In 2010, the text of the Statement was accessible through the National Health and Medical Research Council website (www.nhmrc.gov.au).

Human Services Department means the Department administered by the Human Services Minister.

Human Services Minister means the Minister administering the Human Services (Medicare) Act 1973.

identified healthcare provider means a healthcare provider who has been assigned a healthcare identifier under section 9.

identifying information has the meaning given by section 7.

individual healthcare provider means an individual who:

                     (a)  has provided, provides, or is to provide, healthcare; or

                     (b)  is registered by a registration authority as a member of a particular health profession.

law includes:

                     (a)  an Act or legislative instrument; or

                     (b)  an Act or legislative instrument of a State or Territory.

Medicare Benefits Program means the program for providing Medicare benefits under the Health Insurance Act 1973.

medicare program has the same meaning as in the Human Services (Medicare) Act 1973.

Ministerial Council has the meaning given by:

                     (a)  the National Partnership Agreement on E‑Health made on 7 December 2009 between the Commonwealth, the States, the Australian Capital Territory and the Northern Territory; or

                     (b)  if that Agreement is amended—that Agreement as amended.

Note:          In 2010, the text of the Agreement was accessible through the Council of Australian Governments website (www.coag.gov.au).

national registration authority has the meaning given by section 8.

network organisation has the meaning given by subsection 9A(6).

organisation maintenance officer:

                     (a)  for a seed organisation—has the meaning given by paragraph 9A(3)(c); and

                     (b)  for a network organisation—has the meaning given by paragraph 9A(6)(b).

participant in the PCEHR system has the same meaning as in the Personally Controlled Electronic Health Records Act 2012.

PCEHR has the same meaning as in the Personally Controlled Electronic Health Records Act 2012.

PCEHR system has the same meaning as in the Personally Controlled Electronic Health Records Act 2012.

PCEHR System Operator means the System Operator within the meaning of the Personally Controlled Electronic Health Records Act 2012.

Pharmaceutical Benefits Program means the program for providing pharmaceutical benefits under the National Health Act 1953.

professional and business details of a healthcare provider includes the healthcare provider’s healthcare identifier.

professional association means an organisation that:

                     (a)  is a separate legal entity under a law of the Commonwealth or a State or Territory; and

                     (b)  has the following characteristics:

                              (i)  its members practise the same healthcare profession;

                             (ii)  it has enough membership to be considered representative of the healthcare profession practised by its members;

                            (iii)  it sets its own admission requirements, including acceptable qualifications;

                            (iv)  it sets and publishes standards of practice and ethical conduct;

                             (v)  it aims to maintain the standing of the healthcare profession practised by its members;

                            (vi)  it has written rules, articles of association, by‑laws or codes of conduct for its members;

                           (vii)  it has the ability to impose sanctions on members who contravene the association’s written rules, articles of association, by‑laws or codes of conduct;

                          (viii)  it sets requirements to maintain its members’ professional skills and knowledge by continuing professional development; and

                     (c)  has members who:

                              (i)  may take part in decisions affecting their profession; and

                             (ii)  have the right to vote at meetings of the association; and

                            (iii)  have the right to be recognised as being members of the professional association.

public body, of a State or Territory, means:

                     (a)  the Crown in right of the State or Territory; or

                     (b)  a State or Territory authority of that State or Territory; or

                     (c)  the head (however described) of a Department of State of the State or Territory; or

                     (d)  the Parliament of the State, or the legislature of the Territory (whichever is applicable); or

                     (e)  a member of the Parliament of the State, or of the legislature of the Territory (whichever is applicable).

registration authority means an entity that is responsible under a law for registering members of a particular health profession.

registered portal operator has the same meaning as in the Personally Controlled Electronic Health Records Act 2012.

registered repository operator has the same meaning as in the Personally Controlled Electronic Health Records Act 2012.

responsible officer has the meaning given by paragraph 9A(3)(b).

retirement, for a healthcare provider organisation’s healthcare identifier, means a state imposed by the service operator on the healthcare identifier so that it may no longer be used by the healthcare provider organisation to identify the healthcare provider organisation.

seed organisation has the meaning given by subsections 9A(3) and (4).

service operator means the Chief Executive Medicare.

sole practitioner means a person who is both an individual healthcare provider and a healthcare provider organisation.

State or Territory authority has the meaning given by the Privacy Act 1988.

under this Act includes under the regulations.

Veterans’ Affairs Department means the Department that:

                     (a)  deals with matters arising under:

                              (i)  section 1 of the Australian Participants in British Nuclear Tests (Treatment) Act 2006; or

                             (ii)  section 1 of the Military Rehabilitation and Compensation Act 2004; or

                            (iii)  section 1 of the Veterans’ Entitlements Act 1986; and

                     (b)  is administered by the Minister who administers that section.

7  Meaning of identifying information

             (1)  Each of the following is identifying information of a healthcare provider who is an individual, if the service operator requires it for the purpose of performing the service operator’s functions under this Act in relation to the healthcare provider:

                     (a)  the name of the healthcare provider;

                     (b)  the address of the healthcare provider;

                     (c)  the date of birth, and the date of birth accuracy indicator, of the healthcare provider;

                     (d)  the sex of the healthcare provider;

                     (e)  the type of healthcare provider that the individual is;

                      (f)  if the healthcare provider is registered by a registration authority—the registration authority’s identifier for the healthcare provider and the status of the registration (such as conditional, suspended or cancelled);

                     (g)  other information that is prescribed by the regulations for the purpose of this paragraph.

             (2)  Each of the following is identifying information of a healthcare provider that is not an individual, if the service operator requires it for the purpose of performing the service operator’s functions under this Act in relation to the healthcare provider:

                     (a)  the name of the healthcare provider;

                     (b)  the address of the healthcare provider;

                     (c)  if applicable, the ABN (within the meaning of the A New Tax System (Australian Business Number) Act 1999) of the healthcare provider;

                     (d)  if applicable, the ACN (within the meaning of the Corporations Act 2001) of the healthcare provider;

                     (e)  other information that is prescribed by the regulations for the purpose of this paragraph.

             (3)  Each of the following is identifying information of a healthcare recipient, if the service operator requires it for the purpose of performing the service operator’s functions under this Act in relation to the healthcare recipient:

                     (a)  if applicable, the Medicare number of the healthcare recipient;

                     (b)  if applicable, the Veterans’ Affairs Department file number of the healthcare recipient;

                     (c)  the name of the healthcare recipient;

                     (d)  the address of the healthcare recipient;

                     (e)  the date of birth, and the date of birth accuracy indicator, of the healthcare recipient;

                      (f)  the sex of the healthcare recipient;

                     (g)  for a healthcare recipient who was part of a multiple birth—the order in which the healthcare recipient was born;

Example: The 2nd of twins.

                     (h)  if applicable, the date of death, and the date of death accuracy indicator, of the healthcare recipient.

8  Meaning of national registration authority

                   A national registration authority is a registration authority that is prescribed by the regulations for the purposes of this section.

Part 2—Assigning healthcare identifiers

9  Assigning healthcare identifiers

             (1)  The service operator is authorised to assign a number (a healthcare identifier) to uniquely identify:

                     (a)  a healthcare provider to whom section 9A applies; or

                     (b)  a healthcare recipient.

             (2)  A national registration authority is authorised to assign a number (a healthcare identifier) to uniquely identify a healthcare provider, if:

                     (a)  the healthcare provider is an individual who is a member of a particular health profession; and

                     (b)  the national registration authority is responsible under a law for registering members of that health profession.

             (3)  The types of healthcare identifiers include:

                     (a)  an identifier that is assigned to an individual healthcare provider; and

                     (b)  an identifier that is assigned to a healthcare provider organisation; and

                     (c)  an identifier that is assigned to a healthcare recipient.

Note:          A sole practitioner may be assigned:

(a)    a healthcare identifier of the type mentioned in paragraph (3)(a); and

(b)    a different healthcare identifier of the type mentioned in paragraph (3)(b).

             (4)  In exercising a power under subsection (1), the service operator is not required to consider whether a healthcare provider or healthcare recipient agrees to having a healthcare identifier assigned to the healthcare provider or healthcare recipient.

             (6)  A healthcare identifier is a government related identifier for the purposes of the Privacy Act 1988.

9A  Classes of providers for the purposes of paragraph 9(1)(a)

Individual healthcare providers

             (1)  This section applies to an individual healthcare provider who is registered by a registration authority as a member of a health profession.

             (2)  This section also applies to an individual healthcare provider who is a member of a professional association that:

                     (a)  relates to the healthcare that has been, is, or is to be, provided by the member; and

                     (b)  has uniform national membership requirements, whether or not in legislation.

Healthcare provider organisations

             (3)  This section also applies to a healthcare provider organisation (a seed organisation) that has:

                     (a)  an employee who:

                              (i)  is an identified healthcare provider; and

                             (ii)  provides healthcare as part of his or her duties; and

                     (b)  only one employee (the responsible officer) to act on behalf of the seed organisation in its dealings with the service operator in relation to the following:

                              (i)  nominating to the service operator at least one employee to be an organisation maintenance officer for the seed organisation;

                             (ii)  nominating to the service operator any network organisation of the seed organisation for which the nominated organisation maintenance officer is to be responsible;

                            (iii)  requesting the assignment or retirement of a healthcare identifier for the seed organisation;

                            (iv)  requesting the merger or reconfiguration of a healthcare identifier for the seed organisation if the seed organisation was part of a merger or acquisition; and

Example: A request after merger activity between 2 healthcare provider organisations if one is a seed organisation, or the acquisition of one healthcare provider organisation by another if one is a seed organisation.

                     (c)  an employee (an organisation maintenance officer) to act on behalf of the seed organisation in its dealings with the service operator, including:

                              (i)  nominating to the service operator, if required, at least one additional employee to be an organisation maintenance officer for the seed organisation or any network organisation of the seed organisation; and

                             (ii)  nominating to the service operator any network organisation of the seed organisation for which an additional organisation maintenance officer is to be responsible; and

                            (iii)  requesting the assignment or retirement of a healthcare identifier for any network organisation of the seed organisation; and

                            (iv)  maintaining information that is held by the service operator about the seed organisation, and about any network organisation of the seed organisation for which the organisation maintenance officer is responsible; and

                             (v)  for the seed organisation, or for any network organisation of the seed organisation for which the organisation maintenance officer is responsible, that has consented to its details being included in the Healthcare Provider Directory—providing current details to the service operator about the organisation for inclusion in the Directory; and

                            (vi)  providing any further information requested by the service operator about the seed organisation, or about any network organisation of the seed organisation for which the organisation maintenance officer is responsible; and

                           (vii)  requesting the merger or reconfiguration of a healthcare identifier for any network organisation of the seed organisation, if the network organisation was part of a merger or acquisition.

Note:       More than one employee may be an organisation maintenance officer. An employee may be any or all of the following: the responsible officer, an organisation maintenance officer and an authorised employee (see section 17).

             (4)  A sole practitioner is taken to be a healthcare provider organisation to which subsection (3) applies if he or she provides healthcare and performs the roles of responsible officer and organisation maintenance officer.

             (5)  For the purposes of paragraph (3)(b), a delegate of the responsible officer, who is another employee of the seed organisation, is taken to be the responsible officer.

             (6)  This section also applies to a healthcare provider organisation (a network organisation) that:

                     (a)  is part of, or subordinate to, a seed organisation that:

                              (i)  has been assigned a healthcare identifier that has not been retired; and

                             (ii)  does not object to the network organisation being a network organisation of the seed organisation; and

                     (b)  has a person (an organisation maintenance officer) who complies with subsection (7) to act on behalf of the network organisation in its dealings with the service operator, including:

                              (i)  nominating to the service operator, if required, at least one additional employee to be an organisation maintenance officer for any network organisation of the seed organisation; and

                             (ii)  nominating to the service operator any network organisation of the seed organisation for which an additional organisation maintenance officer is to be responsible; and

                            (iii)  requesting the assignment or retirement of a healthcare identifier for any network organisation of the seed organisation; and

                            (iv)  maintaining information that is held by the service operator about any network organisation of the seed organisation for which the organisation maintenance officer is responsible; and

                             (v)  for any network organisation that the organisation maintenance officer is responsible for and that has consented to its details being included in the Healthcare Provider Directory—providing current details to the service operator about the organisation for inclusion in the Directory; and

                            (vi)  providing any further information requested by the service operator about any network organisation of the seed organisation for which the organisation maintenance officer is responsible; and

                           (vii)  requesting the merger or reconfiguration of a healthcare identifier for any network organisation of the seed organisation, if the network organisation is part of a merger or acquisition.

Example: A request after merger activity between the network organisation and another healthcare provider organisation, or the acquisition of one healthcare provider organisation by another if one is the network organisation.

             (7)  For the purposes of paragraph (6)(b), the person must be an employee of:

                     (a)  the network organisation (the first network organisation); or

                     (b)  the seed organisation of the first network organisation; or

                     (c)  another network organisation that is:

                              (i)  linked to the seed organisation of the first network organisation; and

                             (ii)  hierarchically superior to the first network organisation.

9B  Information that may be requested before assigning healthcare identifiers

             (1)  The service operator may request an individual healthcare provider to provide the following information before assigning the healthcare provider a healthcare identifier:

                     (a)  identifying information of the healthcare provider;

Note:       Identifying information is defined in section 7.

                     (b)  information that shows that section 9A applies to the healthcare provider.

             (2)  The service operator may request a healthcare provider organisation to provide the following information before assigning the healthcare provider a healthcare identifier:

                     (a)  identifying information of the healthcare provider;

Note:       Identifying information is defined in section 7.

                     (b)  information that shows that section 9A applies to the healthcare provider;

                     (c)  information identifying the healthcare provider’s responsible officer and organisation maintenance officer, including the person’s name, work address, work email address, work telephone number or work fax number.

             (3)  The healthcare provider must give the information in any form requested by the service operator.

Example:    A healthcare provider may be asked for original documentation, or for the information to be given in writing or in a statutory declaration.

             (4)  If the service operator is not satisfied by the information given, it does not have to assign a healthcare identifier to the healthcare provider.

9C  Review of decision not to assign a healthcare identifier

             (1)  This section applies to a decision by the service operator not to assign a healthcare identifier to a healthcare provider under paragraph 9(1)(a).

Note:          This section does not apply to a decision to assign a healthcare identifier to a healthcare recipient under paragraph 9(1)(b), or a decision by a national registration authority not to assign a healthcare identifier to an individual healthcare provider under subsection 9(2).

             (2)  The service operator must give written notice of the decision to a person whose interests are affected by the decision, including a statement:

                     (a)  that the person may apply to the service operator to reconsider the decision; and

                     (b)  of the person’s rights to seek review under subsection (8) of a reconsidered decision.

             (3)  A failure of the service operator to comply with subsection (2) does not affect the validity of the decision.

             (4)  A person whose interests are affected by the decision may, by written notice to the service operator within 28 days after receiving notice of the decision, ask the service operator to reconsider the decision.

             (5)  A request under subsection (4) must mention the reasons for making the request.

             (6)  The service operator must:

                     (a)  reconsider the decision within 28 days after receiving the request; and

                     (b)  give to the person who requested the reconsideration written notice of the result of the reconsideration and of the grounds for the result.

             (7)  The notice must include a statement that the person may apply to the Administrative Appeals Tribunal for review of the reconsideration.

             (8)  A person may apply to the Administrative Appeals Tribunal for a review of a decision of the service operator made under subsection (6).

10  Service operator must keep record of healthcare identifiers etc.

                   The service operator must establish and maintain an accurate record of:

                     (a)  healthcare identifiers that have been assigned; and

                     (b)  the information that the service operator has that relates to those healthcare identifiers, including details of requests made to the service operator for the service operator to disclose those healthcare identifiers under Division 2 or 2A of Part 3.

Part 3  Use and disclosure of healthcare identifiers and other information

Division 1  Use and disclosure of identifying information

11  Disclosure by healthcare providers

             (1)  An identified healthcare provider is authorised to disclose identifying information of a healthcare recipient to the service operator for the purpose of the service operator assigning a healthcare identifier to the healthcare recipient.

             (2)  The service operator is authorised:

                     (a)  to collect the information; and

                     (b)  to use the information for the purpose of assigning a healthcare identifier to the healthcare recipient.

11A  Use and disclosure of identifying information

                   The service operator is authorised to use, and to disclose to the PCEHR System Operator, identifying information for any purpose for which the PCEHR System Operator is authorised to collect, use or disclose the identifying information under Division 2A.

12  Disclosure by data sources

             (1)  A data source is authorised to disclose identifying information of a healthcare provider, or of a healthcare recipient, to the service operator for the purpose of the service operator assigning a healthcare identifier to the healthcare provider or healthcare recipient.

             (2)  Each of the following is a data source:

                     (a)  the Human Services Department;

                     (b)  the Veterans’ Affairs Department;

                     (c)  the Defence Department.

             (3)  The service operator is authorised:

                     (a)  to collect the information; and

                     (b)  to use the information for the purpose of assigning a healthcare identifier to the healthcare provider or healthcare recipient.

             (4)  This section does not apply to identifying information if:

                     (a)  the data source is the Human Services Department; and

                     (b)  the identifying information was not obtained in connection with a medicare program.

12A  Disclosure for an aged care purpose

Disclosure by identified healthcare provider

             (1)  An identified healthcare provider is authorised to disclose identifying information of a healthcare recipient to the Aged Care Department for an aged care purpose.

             (2)  The Aged Care Department is authorised:

                     (a)  to collect the information; and

                     (b)  to use the information for an aged care purpose.

Disclosure by Aged Care Department

             (3)  The Aged Care Department is authorised to disclose identifying information of a healthcare recipient for an aged care purpose to:

                     (a)  the service operator; or

                     (b)  an identified healthcare provider.

             (4)  The service operator is authorised:

                     (a)  to collect the information; and

                     (b)  to use the information for an aged care purpose.

             (5)  The identified healthcare provider is authorised:

                     (a)  to collect the information; and

                     (b)  to use the information for an aged care purpose.

13  Disclosure by national registration authority

             (1)  A national registration authority is authorised to disclose:

                     (a)  a healthcare identifier; or

                     (b)  information that the national registration authority has that relates to a healthcare identifier;

to the service operator for the purpose of the service operator establishing or maintaining the record mentioned in section 10.

             (2)  The service operator is authorised:

                     (a)  to collect the healthcare identifier or information; and

                     (b)  to use the healthcare identifier or information for the purpose of establishing or maintaining the record mentioned in section 10.

14  Maintaining healthcare identifiers

                   The regulations may require an identified healthcare provider to provide to the service operator information that:

                     (a)  relates to the healthcare provider’s healthcare identifier; and

                     (b)  is prescribed by the regulations for the purposes of this section.

15  Service operator’s duty of confidentiality

             (1)  A person commits an offence if:

                     (a)  information was disclosed to the person for the purpose of Part 2 or this Division; and

                     (b)  the person:

                              (i)  uses the information; or

                             (ii)  discloses the information.

Penalty:  Imprisonment for 2 years or 120 penalty units, or both.

Note:          If a body corporate is convicted of an offence against subsection (1), subsection 4B(3) of the Crimes Act 1914 allows a court to impose a fine of up to 600 penalty units.

             (2)  Subsection (1) does not apply if the person uses or discloses the information for:

                     (a)  the purpose for which the information was disclosed to the person; or

                     (b)  a purpose that is authorised under another law.

Note:          A defendant bears an evidential burden in relation to the matters in subsection (2): see subsection 13.3(3) of the Criminal Code.

             (3)  A person commits an offence if:

                     (a)  information was disclosed to the person in contravention of subsection (1); and

                     (b)  the person knows that the disclosure of the information to the person contravened that subsection; and

                     (c)  the person:

                              (i)  uses the information; or

                             (ii)  discloses the information.

Penalty:  Imprisonment for 2 years or 120 penalty units, or both.

Note:          If a body corporate is convicted of an offence against subsection (3), subsection 4B(3) of the Crimes Act 1914 allows a court to impose a fine of up to 600 penalty units.

             (4)  Subsection (3) does not apply if the person discloses the information for the purpose of an appropriate authority investigating the contravention mentioned in paragraph (3)(b).

Note:          A defendant bears an evidential burden in relation to the matter in subsection (4): see subsection 13.3(3) of the Criminal Code.

Division 2  Disclosure of healthcare identifier by service operator

Subdivision A  Request by healthcare provider for healthcare recipient’s healthcare identifier

16  Disclosure of healthcare recipient’s identifying information by healthcare provider

             (1)  An identified healthcare provider is authorised to disclose identifying information of a healthcare recipient to the service operator for the purpose of the service operator disclosing the healthcare recipient’s healthcare identifier to the healthcare provider under section 17.

             (2)  The service operator is authorised:

                     (a)  to collect the information; and

                     (b)  to use the information for the purpose of disclosing the healthcare recipient’s healthcare identifier to the healthcare provider under section 17.

Subdivision B  Disclosure of healthcare identifier by service operator

17  Disclosure to healthcare provider

             (1)  For the purpose of an identified healthcare provider communicating or managing health information, as part of providing healthcare to a healthcare recipient, the service operator is authorised to disclose a healthcare identifier to:

                     (a)  an identified healthcare provider (the collecting provider); or

                     (b)  an employee (the authorised employee) of an identified healthcare provider, if that identified healthcare provider has, by notice to the service operator, authorised the employee to act on behalf of that identified healthcare provider under this section; or

                     (c)  a contracted service provider (the authorised service provider) of an identified healthcare provider, if that identified healthcare provider has, by notice to the service operator, authorised the contracted service provider to act on behalf of that identified healthcare provider under this section.

             (2)  The collecting provider, authorised employee or authorised service provider is authorised to collect the healthcare identifier.

Note 1:       Section 24 authorises a healthcare provider to use, or to disclose, a healthcare identifier:

(a)    for the purpose of communicating or managing health information, as part of the provision of healthcare to a healthcare recipient; or

(b)    for certain other purposes.

                   The authorisation extends to certain employees and contracted service providers of the healthcare provider: see section 36.

Note 2:       Section 25 authorises a healthcare provider to adopt the healthcare identifier of a healthcare recipient as the healthcare provider’s own identifier of the healthcare recipient. The authorisation extends to certain employees and contracted service providers of the healthcare provider: see section 36.

18  Disclosure to healthcare recipient

                   The service operator may, if asked to do so by a healthcare recipient or a responsible person (within the meaning of the Privacy Act 1988) for a healthcare recipient, disclose to the healthcare recipient or responsible person:

                     (a)  the healthcare recipient’s healthcare identifier (if any); or

                     (b)  information that:

                              (i)  relates to the healthcare recipient or to the healthcare recipient’s healthcare identifier; and

                             (ii)  is included in the record the service operator maintains under section 10.

19  Disclosure to registration authority

             (1)  The service operator is authorised to disclose an identified healthcare provider’s healthcare identifier to a registration authority for the purpose of the registration authority registering the healthcare provider.

             (2)  The registration authority is authorised:

                     (a)  to collect the healthcare identifier; and

                     (b)  to use the healthcare identifier for the purpose of the registration authority:

                              (i)  registering the healthcare provider; or

                             (ii)  performing any other function of the registration authority under a law.

19A  Disclosure to PCEHR System Operator

                   The service operator is authorised to use, and to disclose to the PCEHR System Operator, a healthcare identifier for a purpose for which the PCEHR System Operator is authorised to collect, use or disclose the healthcare identifier under Division 2A.

19B  Disclosure to Chief Executive Medicare

                   The service operator is authorised:

                     (a)  to use a healthcare identifier, and identifying information held by the service operator; and

                     (b)  to disclose to the Chief Executive Medicare a healthcare identifier, and identifying information held by the service operator;

for a purpose for which the Chief Executive Medicare is authorised to collect, use or disclose the healthcare identifier under Division 2A.

19C  Disclosure to other Departments

                   The service operator is authorised:

                     (a)  to use a healthcare identifier, and identifying information held by the service operator, of a healthcare recipient; and

                     (b)  to disclose to the Veterans’ Affairs Department, the Defence Department or such other Department as is prescribed, a healthcare identifier, and identifying information held by the service operator, of a healthcare recipient;

for a purpose for which that Department is authorised to collect, use or disclose the healthcare identifier under Division 2A.

19D  Disclosure to Aged Care Department

             (1)  The service operator is authorised:

                     (a)  to use a healthcare identifier of a healthcare recipient; and

                     (b)  to disclose a healthcare identifier of a healthcare recipient to the Aged Care Department;

for an aged care purpose.

             (2)  The Aged Care Department is authorised:

                     (a)  to collect the healthcare identifier; and

                     (b)  to use the healthcare identifier for an aged care purpose.

20  Disclosure for authentication of healthcare provider’s identity

             (1)  The service operator or a registration authority is authorised to use, and disclose to an entity, an identified healthcare provider’s healthcare identifier and identifying information for the purpose of enabling the healthcare provider’s identity to be authenticated in electronic transmissions (for example, as part of a public key infrastructure).

             (2)  The entity is authorised:

                     (a)  to collect the healthcare identifier; and

                     (b)  to use and disclose the healthcare identifier for the purpose of enabling the healthcare provider’s identity to be authenticated in electronic transmissions; and

                     (c)  to adopt the healthcare identifier as the entity’s own identifier of the healthcare provider for the purpose of enabling the healthcare provider’s identity to be authenticated in electronic transmissions.

21  Access controls

                   The regulations may prescribe rules about the disclosure of healthcare identifiers by the service operator, including rules about requests to the service operator to disclose healthcare identifiers.

22  Information about disclosures by service operator

                   If the service operator discloses a healthcare identifier to an entity, the regulations may require the entity to provide prescribed information to the service operator in relation to that disclosure.

Note:          The regulations may provide for the imposition of a penalty for contravention of a regulation: see subsection 39(2).

Division 2A  Collection, use and disclosure of healthcare identifiers and identifying information for purposes of the PCEHR System

22A  Collection, use and disclosure by PCEHR System Operator

             (1)  This section applies if a healthcare recipient or a healthcare provider is applying, or has applied, for registration or is registered under the Personally Controlled Electronic Health Records Act 2012.

             (2)  The PCEHR System Operator is authorised:

                     (a)  to collect identifying information of the healthcare recipient or healthcare provider from the service operator; and

                     (b)  to collect the healthcare identifier of the healthcare recipient or healthcare provider; and

                     (c)  to use and disclose the identifying information and healthcare identifier;

for the purpose of verifying the identity of the healthcare recipient or healthcare provider and for other purposes of the PCEHR system, subject to the Personally Controlled Electronic Health Records Act 2012.

             (3)  If the healthcare recipient has an authorised representative or a nominated representative, the PCEHR System Operator is authorised:

                     (a)  to collect identifying information of the authorised representative or nominated representative from the service operator; and

                     (b)  to collect the healthcare identifier of the authorised representative or nominated representative; and

                     (c)  to use and disclose the identifying information and healthcare identifier;

for the purpose of verifying the identity of the authorised representative or nominated representative and for other purposes of the PCEHR system, subject to the Personally Controlled Electronic Health Records Act 2012.

22B  Adoption by PCEHR System Operator, registered repository operator or registered portal operator

             (1)  The PCEHR System Operator, a registered repository operator or a registered portal operator is authorised to adopt the healthcare identifier of a healthcare recipient or a healthcare provider as its own identifier of the recipient or the provider, so far as is reasonably necessary for the purposes of the PCEHR system.

             (2)  The PCEHR System Operator, a registered repository operator or a registered portal operator is authorised to adopt the healthcare identifier of an authorised representative or a nominated representative of a healthcare recipient as its own identifier of the authorised representative or nominated representative, so far as is reasonably necessary for the purposes of the PCEHR system.

22C  Collection, use and disclosure by registered repository operators or registered portal operators

                   A registered repository operator or a registered portal operator is authorised:

                     (a)  to collect the healthcare identifier of a healthcare recipient or healthcare provider, or an authorised representative or nominated representative of a healthcare recipient; and

                     (b)  to use the healthcare identifier; and

                     (c)  to disclose the healthcare identifier to a participant in the PCEHR system;

for the purposes of the PCEHR system, subject to the Personally Controlled Electronic Health Records Act 2012.

22D  Collection, use and disclosure by the Chief Executive Medicare and Departments

             (1)  The Chief Executive Medicare, the Veterans’ Affairs Department, the Defence Department and such other Departments as are prescribed are authorised:

                     (a)  to collect identifying information of a healthcare recipient from the service operator; and

                     (b)  to collect the healthcare identifier of a healthcare recipient; and

                     (c)  to use the healthcare identifier and identifying information; and

                     (d)  to disclose the healthcare identifier and identifying information to a participant in the PCEHR system.

             (2)  The authorisation of the Chief Executive Medicare under subsection (1) is limited to collections, uses and disclosures for the purposes of including, in the healthcare recipient’s PCEHR, information about the healthcare recipient:

                     (a)  that is any of the following:

                              (i)  information that relates to the Medicare Benefits Program or the Pharmaceutical Benefits Program;

                             (ii)  information included on the Australian Childhood Immunisation Register;

                            (iii)  information included on the register administered by the Commonwealth that records the decision made by an individual about whether to become an organ and tissue donor for transplantation after death; and

                     (b)  that the healthcare recipient has consented to being included in his or her PCEHR.

             (3)  The authorisation of a Department under subsection (1) is limited to collections, uses and disclosures for the purposes of including, in the healthcare recipient’s PCEHR, information about the healthcare recipient:

                     (a)  that is information prescribed by the regulations; and

                     (b)  that the healthcare recipient has consented to being included in his or her PCEHR.

             (4)  Despite paragraphs (2)(b) and (3)(b), the consent of the healthcare recipient is not required for the uploading of information by the Chief Executive Medicare in accordance with paragraph 38(2)(a) of the Personally Controlled Electronic Health Records Act 2012.

22E  Regulations may authorise collection, use and disclosure related to the PCEHR system

                   The regulations may authorise a person:

                     (a)  to collect identifying information of a healthcare recipient, a healthcare provider, an authorised representative of a healthcare recipient or a nominated representative of a healthcare recipient from the service operator; and

                     (b)  to collect the healthcare identifier of a healthcare recipient, a healthcare provider, an authorised representative of a healthcare recipient or a nominated representative of a healthcare recipient; and

                     (c)  to use the identifying information and healthcare identifier; and

                     (d)  to disclose the identifying information and healthcare identifier to a participant in the PCEHR system;

so far as the collection, use or disclosure:

                     (e)  relates to a collection, use or disclosure of health information that is authorised under the Personally Controlled Electronic Health Records Act 2012; or

                      (f)  is reasonably necessary for the performance of a function or the exercise of a power in relation to the PCEHR system.

Division 3  Use, disclosure and adoption of healthcare identifier by healthcare provider

23  Disclosure to healthcare recipient

                   A healthcare provider is authorised to disclose a healthcare recipient’s healthcare identifier to:

                     (a)  the healthcare recipient; or

                     (b)  a responsible person (within the meaning of the Privacy Act 1988) for the healthcare recipient.

23A  Disclosure to Aged Care Department

             (1)  A healthcare provider is authorised to disclose a healthcare recipient’s healthcare identifier to the Aged Care Department for an aged care purpose.

             (2)  The Aged Care Department is authorised:

                     (a)  to collect the healthcare identifier; and

                     (b)  to use the healthcare identifier for an aged care purpose.

24  Use and disclosure for other purposes

Use and disclosure for other purposes

             (1)  A healthcare provider is authorised to use a healthcare identifier, or to disclose a healthcare identifier to an entity, (including a healthcare identifier disclosed to the healthcare provider for any purpose under a previous application of this section) if:

                     (a)  the purpose of the use or disclosure is to communicate or manage health information as part of:

                              (i)  the provision of healthcare to a healthcare recipient; or

                             (ii)  the management (including the investigation or resolution of complaints), funding, monitoring or evaluation of healthcare; or

                            (iii)  the provision of indemnity cover for a healthcare provider; or

                            (iv)  the conduct of research that has been approved by a Human Research Ethics Committee; or

                     (b)  the healthcare provider reasonably believes that the use or disclosure is necessary to lessen or prevent:

                              (i)  a serious threat to an individual’s life, health or safety; or

                             (ii)  a serious threat to public health or public safety.

             (2)  The entity is authorised:

                     (a)  to collect the healthcare identifier; and

                     (b)  to use the healthcare identifier, or to disclose the healthcare identifier to a healthcare provider, for the purpose for which it was disclosed to the entity.

             (3)  A healthcare provider to which a healthcare identifier is disclosed under paragraph (2)(b) is authorised to collect the healthcare identifier.

Note 1:       Subsection (1) authorises the healthcare provider to use, or to disclose, the healthcare identifier. Section 25 authorises the healthcare provider to adopt the healthcare identifier.

Note 2:       An entity may also use, or disclose, a healthcare identifier for a purpose that is authorised under another law: see paragraph 26(2)(b).

Certain purposes excluded

             (4)  This section does not authorise the use or disclosure of the healthcare identifier of a healthcare recipient for the purpose of communicating or managing health information as part of:

                     (a)  underwriting a contract of insurance that covers the healthcare recipient; or

                     (b)  determining whether to enter into a contract of insurance that covers the healthcare recipient (whether alone or as a member of a class); or

                     (c)  determining whether a contract of insurance covers the healthcare recipient in relation to a particular event; or

                     (d)  employing the healthcare recipient.

24A  Collection, use and disclosure of healthcare identifier of healthcare provider with consent

                   The service operator or another entity may collect, use or disclose a healthcare provider’s healthcare identifier for a purpose relating to the provision of healthcare if:

                     (a)  the healthcare provider has consented to the collection, use or disclosure; and

                     (b)  the collection, use or disclosure is in accordance with any limitations to which the consent is subject.

25  Adoption by healthcare provider

                   A healthcare provider is authorised to adopt the healthcare identifier of a healthcare recipient (including a healthcare identifier disclosed to the healthcare provider for any purpose under section 24) as the healthcare provider’s own identifier of the healthcare recipient.

Note:          This Division authorises the collection, use, disclosure and adoption of only healthcare identifiers, and information relating to healthcare identifiers. The collection, use, disclosure or adoption of other personal information (e.g. health information), is dealt with in other legislation, including the Privacy Act 1988.

Division 4  Unauthorised use and disclosure of healthcare identifiers

26  Unauthorised use and disclosure of healthcare identifiers prohibited

Offence

             (1)  A person commits an offence if:

                     (a)  a healthcare identifier is disclosed to the person; and

                     (b)  the person:

                              (i)  uses the healthcare identifier; or

                             (ii)  discloses the healthcare identifier.

Penalty:  Imprisonment for 2 years or 120 penalty units, or both.

Note:          If a body corporate is convicted of an offence against subsection (1), subsection 4B(3) of the Crimes Act 1914 allows a court to impose a fine of up to 600 penalty units.

             (2)  However, subsection (1) does not apply if:

                     (a)  the person:

                              (i)  is authorised to use, or to disclose, the healthcare identifier for a purpose that is authorised under this Act; and

                             (ii)  uses or discloses the healthcare identifier for that purpose; or

                     (b)  the person uses or discloses the healthcare identifier for a purpose that is authorised under another law; or

                     (c)  the person uses or discloses the healthcare identifier only for the purpose of, or in connection with, the person’s personal, family or household affairs (within the meaning of section 16 of the Privacy Act 1988).

Note:          A defendant bears an evidential burden in relation to the matters in subsection (2): see subsection 13.3(3) of the Criminal Code.

Division 5  Protection of healthcare identifiers

27  Protection of healthcare identifiers

                   An entity must:

                     (a)  take reasonable steps to protect healthcare identifiers the entity holds from:

                              (i)  misuse and loss; and

                             (ii)  unauthorised access, modification or disclosure; and

                     (b)  comply with any requirements prescribed by the regulations for the protection of healthcare identifiers the entity holds.

Note:          The regulations may provide for the imposition of a penalty for contravention of a regulation: see subsection 39(2).

Part 4  Interaction with the Privacy Act 1988

28  Interaction with the Privacy Act 1988

                   An authorisation to collect, use or disclose a healthcare identifier or identifying information under this Act is also an authorisation to collect, use or disclose the healthcare identifier or identifying information for the purpose of the Privacy Act 1988.

29  Functions of Information Commissioner

Breach of this Act is an interference with privacy

             (1)  An act or practice that contravenes this Act or the regulations in connection with the healthcare identifier of an individual is taken to be:

                     (a)  for the purposes of the Privacy Act 1988, an interference with the privacy of the individual; and

                     (b)  covered by section 13 of that Act.

Note:          The act or practice may be the subject of a complaint under section 36 of that Act.

             (2)  For the purpose of applying Part V of that Act (Investigations) in relation to the act or practice, treat a State or Territory authority as if it were an organisation (within the meaning of that Act).

Assessment by Information Commissioner

             (3)  For the purpose of paragraph 33C(1)(a) of the Privacy Act 1988, a healthcare identifier is taken to be personal information.

30  Annual reports by Information Commissioner

             (1)  The Information Commissioner must, as soon as practicable after the end of each financial year, prepare a report on the Information Commissioner’s compliance and enforcement activities under this Act during the financial year.

             (2)  The Information Commissioner must give a copy of the report to the Minister, and to the Ministerial Council, no later than on 30 September after the end of the financial year to which the report relates.

             (3)  The Minister must table a copy of the report in each House of Parliament within 15 sitting days after the Information Commissioner gives a copy of the report to the Minister.

Part 5  Healthcare Provider Directory

31  Healthcare Provider Directory

             (1)  The service operator must establish and maintain a record (the Healthcare Provider Directory) of the professional and business details of the healthcare providers who have consented to those details being included in the Healthcare Provider Directory.

             (2)  The service operator may disclose the professional or business details of a healthcare provider who is listed in the Healthcare Provider Directory to:

                     (a)  an identified healthcare provider; or

                     (b)  an employee of an identified healthcare provider, if that identified healthcare provider has, by notice to the service operator, authorised the employee to act on behalf of that identified healthcare provider under this section; or

                     (c)  a contracted service provider of an identified healthcare provider, if that identified healthcare provider has, by notice to the service operator, authorised the contracted service provider to act on behalf of that identified healthcare provider under this section.

Part 6  Oversight role of Ministerial Council

32  Directions to service operator

             (1)  After consulting the Ministerial Council, the Minister may, by legislative instrument, give directions to the service operator about the performance of the service operator’s functions under this Act.

Note 1:       Section 42 (disallowance) of the Legislative Instruments Act 2003 does not apply to the directions—see section 44 of that Act.

Note 2:       Part 6 (sunsetting) of the Legislative Instruments Act 2003 does not apply to the directions—see section 54 of that Act.

             (2)  The service operator must comply with a direction given under subsection (1).

33  Consultation with Ministerial Council about regulations

                   Before the Governor‑General makes a regulation for the purpose of this Act, the Minister must consult with the Ministerial Council.

34  Annual reports by service operator

             (1)  The service operator must, as soon as practicable after the end of each financial year, prepare a report on the activities, finances and operations of the service operator during the financial year, so far as they relate to this Act and the regulations.

             (2)  The service operator must give a copy of the report to:

                     (a)  the Minister; and

                     (b)  either:

                              (i)  the Ministerial Council; or

                             (ii)  if the Ministerial Council directs the service operator to give the report to another entity—that other entity;

no later than on 30 September after the end of the financial year to which the report relates.

             (3)  The Minister must table a copy of the report in each House of Parliament within 15 sitting days after the service operator gives a copy of the report to the Minister.

35  Review of operation of Act

             (1)  The Minister must, after consulting the Ministerial Council, appoint an individual:

                     (a)  to review the operation of this Act and the regulations; and

                     (b)  to prepare a report on the review before 30 June 2013.

             (2)  The Minister must:

                     (a)  provide a copy of the report to the Ministerial Council; and

                     (b)  table a copy of the report in each House of Parliament within 15 sitting days after the report is prepared.

Part 7  Miscellaneous

36  Extent of authorisation

                   An authorisation under this Act to an entity (the first entity) for a particular purpose is an authorisation to:

                     (a)  an individual:

                              (i)  who is an employee of the first entity; and

                             (ii)  whose duties involve implementing that purpose; or

                     (b)  a contracted service provider of the first entity, if:

                              (i)  the first entity is a healthcare provider; and

                             (ii)  the duties of the contracted service provider under a contract with the healthcare provider involve implementing that purpose by providing information technology services relating to the communication of health information, or health information management services, to the healthcare provider; or

                   (ba)  a person (the contractor) performing services under a contract between the contractor and the first entity, if:

                              (i)  the first entity is a participant in the PCEHR system, other than a healthcare provider or a contracted service provider; and

                             (ii)  the purpose relates to the PCEHR system; or

                     (c)  an individual:

                              (i)  who is an employee of a contracted service provider to which paragraph (b) applies or of a contractor to which paragraph (ba) applies; and

                             (ii)  whose duties involve implementing that purpose as mentioned in whichever of those paragraphs applies.

37  Relationship to State and Territory laws

Relationship to State and Territory laws

             (1)  A law of a State or Territory has effect to the extent that the law is capable of operating concurrently with this Act or the regulations.

             (2)  However, if:

                     (a)  a person’s act or omission is both:

                              (i)  an offence under this Act; and

                             (ii)  an offence under the law of a State or Territory; and

                     (b)  that person is convicted of either of those offences;

the person is not liable to be convicted of the other offence.

             (3)  Nothing in this Act or the regulations limits, restricts or otherwise affects any right or remedy that a person would have had if this Act had not been enacted.

Declarations that Act does not apply

             (4)  A provision of this Act or the regulations does not apply to the public bodies of a State or Territory if a declaration made under subsection (5) is in force in relation to that provision and that State or Territory.

             (5)  The Minister must, by legislative instrument, declare that specified provisions of this Act and the regulations do not apply to the public bodies of a specified State or Territory if:

                     (a)  a Minister of the State or Territory, by written notice, requests the Minister to make the declaration; and

                     (b)  the Minister is satisfied that a law in force in the State or Territory contains provisions that have been agreed to by the Ministerial Council.

             (6)  The Minister may, by legislative instrument, revoke the declaration if:

                     (a)  a Minister of the State, by written notice, requests the Minister to do so; or

                     (b)  a provision in the State or Territory law, which had been agreed to by the Ministerial Council, is amended without the agreement of the Ministerial Council.

             (7)  Neither section 42 (disallowance) nor Part 6 (sunsetting) of the Legislative Instruments Act 2003 applies to a declaration or revocation made under subsection (5) or (6) of this section.

38  Severability—additional effect of Parts 3 and 4

             (1)  Without limiting their effect apart from each of the following subsections of this section, Parts 3 and 4 have effect in relation to a collection, use or disclosure of information as provided by that subsection.

             (2)  Parts 3 and 4 also have the effect they would have if their operation in relation to a collection, use or disclosure of information were expressly confined to a collection, use or disclosure taking place in the course of, or in relation to, trade or commerce:

                     (a)  between Australia and places outside Australia; or

                     (b)  among the States; or

                     (c)  within a Territory, between a State and a Territory or between 2 Territories.

             (3)  Parts 3 and 4 also have the effect they would have if their operation in relation to a collection, use or disclosure of information were expressly confined to a collection, use or disclosure using a postal, telegraphic, telephonic or other like service (within the meaning of paragraph 51(v) of the Constitution).

             (4)  Parts 3 and 4 also have the effect they would have if their operation in relation to a collection, use or disclosure of information were expressly confined to a collection, use or disclosure in relation to census or statistics (within the meaning of paragraph 51(xi) of the Constitution).

             (5)  Parts 3 and 4 also have the effect they would have if their operation in relation to a collection, use or disclosure of information were expressly confined to a collection, use or disclosure in relation to aliens (within the meaning of paragraph 51(xix) of the Constitution).

             (6)  Parts 3 and 4 also have the effect they would have if their operation in relation to a collection, use or disclosure of information were expressly confined to a collection, use or disclosure by, or to, a trading, foreign or financial corporation (within the meaning of paragraph 51(xx) of the Constitution).

             (7)  Parts 3 and 4 also have the effect they would have if their operation in relation to a collection, use or disclosure of information were expressly confined to a collection, use or disclosure in relation to the provision of:

                     (a)  sickness or hospital benefits; or

                     (b)  medical or dental services (but not so as to authorise any form of civil conscription);

(within the meaning of paragraph 51(xxiiiA) of the Constitution).

             (8)  Parts 3 and 4 also have the effect they would have if their operation in relation to a collection, use or disclosure of information were expressly confined to a collection, use or disclosure:

                     (a)  in relation to which the Commonwealth is under an obligation under an international agreement, including, the International Covenant on Civil and Political Rights, and in particular Article 17 of the Covenant; or

Note:       The text of the Covenant is set out in Australian Treaty Series 1980 No. 23 ([1980] ATS 23). In 2010, a text of a Covenant in the Australian Treaties Series was accessible through the Australian Treaties Library on the AustLII website (www.austlii.edu.au).

                     (b)  that is of international concern, including the international concern reflected by the Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, recommended by the Council of the Organisation for Economic Co‑operation and Development on 23 September 1980.

Note:       In 2010, the text of the Guidelines was accessible through the Organisation for Economic Co‑operation and Development website (www.oecd.org).

             (9)  Parts 3 and 4 also have the effect they would have if their operation in relation to a collection, use or disclosure of information were expressly confined to a collection, use or disclosure by, or to, the Commonwealth or a Commonwealth authority.

           (10)  Parts 3 and 4 also have the effect they would have if their operation in relation to a collection, use or disclosure of information were expressly confined to a collection, use or disclosure taking place in a Territory.

39  Regulations

             (1)  The Governor‑General may make regulations prescribing matters:

                     (a)  required or permitted to be prescribed by this Act; or

                     (b)  necessary or convenient to be prescribed for carrying out or giving effect to this Act.

Note:          Before the Governor‑General makes a regulation for the purpose of this Act, the Minister must consult with the Ministerial Council: see section 33.

             (2)  Without limiting subsection (1), the regulations may provide for the imposition of a penalty of not more than 50 penalty units for contravention of a regulation.


Endnotes

Endnote 1—About the endnotes

The endnotes provide information about this compilation and the compiled law.

The following endnotes are included in every compilation:

Endnote 1—About the endnotes

Endnote 2—Abbreviation key

Endnote 3—Legislation history

Endnote 4—Amendment history

Endnotes about misdescribed amendments and other matters are included in a compilation only as necessary.

Abbreviation key—Endnote 2

The abbreviation key sets out abbreviations that may be used in the endnotes.

Legislation history and amendment history—Endnotes 3 and 4

Amending laws are annotated in the legislation history and amendment history.

The legislation history in endnote 3 provides information about each law that has amended (or will amend) the compiled law. The information includes commencement details for amending laws and details of any application, saving or transitional provisions that are not included in this compilation.

The amendment history in endnote 4 provides information about amendments at the provision (generally section or equivalent) level. It also includes information about any provision of the compiled law that has been repealed in accordance with a provision of the law.

Misdescribed amendments

A misdescribed amendment is an amendment that does not accurately describe the amendment to be made. If, despite the misdescription, the amendment can be given effect as intended, the amendment is incorporated into the compiled law and the abbreviation “(md)” added to the details of the amendment included in the amendment history.

If a misdescribed amendment cannot be given effect as intended, the amendment is set out in the endnotes.

Endnote 2—Abbreviation key

 

A = Act

ad = added or inserted

am = amended

amdt = amendment

c = clause(s)

C[x] = Compilation No. x

Ch = Chapter(s)

def = definition(s)

Dict = Dictionary

disallowed = disallowed by Parliament

Div = Division(s)

exp = expires/expired or ceases/ceased to have effect

F = Federal Register of Legislative Instruments

gaz = gazette

LI = Legislative Instrument

LIA = Legislative Instruments Act 2003

(md) = misdescribed amendment

mod = modified/modification

No. = Number(s)

o = order(s)

Ord = Ordinance

orig = original

par = paragraph(s)/subparagraph(s)/sub‑subparagraph(s)

pres = present

prev = previous

(prev…) = previously

Pt = Part(s)

r = regulation(s)/rule(s)

Reg = Regulation/Regulations

reloc = relocated

renum = renumbered

rep = repealed

rs = repealed and substituted

s = section(s)/subsection(s)

Sch = Schedule(s)

Sdiv = Subdivision(s)

SLI = Select Legislative Instrument

SR = Statutory Rules

Sub‑Ch = Sub‑Chapter(s)

SubPt = Subpart(s)

underlining = whole or part not commenced or to be commenced

 

Endnote 3—Legislation history

 

Act | Number and year | Assent | Commencement | Application, saving and transitional provisions
Healthcare Identifiers Act 2010 | 72, 2010 | 28 June 2010 | 29 June 2010 |
Healthcare Identifiers (Consequential Amendments) Act 2010 | 73, 2010 | 28 June 2010 | Schedule 3: 1 Nov 2010 (see s. 2(1)) |
Statute Law Revision Act 2011 | 5, 2011 | 22 Mar 2011 | Schedule 1 (items 60–63): Royal Assent |
Human Services Legislation Amendment Act 2011 | 32, 2011 | 25 May 2011 | Schedule 4 (items 152–158): 1 July 2011 |
Personally Controlled Electronic Health Records (Consequential Amendments) Act 2012 | 64, 2012 | 26 June 2012 | Schedule 1 (items 1–25): 29 June 2012 (see F2012L01398) |
Privacy Amendment (Enhancing Privacy Protection) Act 2012 | 197, 2012 | 12 Dec 2012 | Sch 5 (items 37–41, 164): 12 Mar 2014 |
Aged Care and Other Legislation Amendment Act 2014 | 126, 2014 | 4 Dec 2014 | Sch 3: 5 Dec 2014 (s 2(1) item 4) |

 

Endnote 4—Amendment history

 

Provision affected | How affected
Part 1 heading
s. 4A | ad. No. 64, 2012
s. 5 | am. No. 32, 2011; Nos 64 and 197, 2012; No 126, 2014
Part 2 heading
s 9 | am No 197, 2012
s. 10 | am. No. 64, 2012
Part 3 heading
Division 1 heading | rs. No. 64, 2012
s. 11A | ad. No. 64, 2012
s. 12 | am. No. 32, 2011
s 12A | ad No 126, 2014
Division 2 heading
Subdivision B heading
s. 18 | am Nos 64 and 197, 2012
s. 19A | ad. No. 64, 2012
s. 19B | ad. No. 64, 2012
s. 19C | ad. No. 64, 2012
s 19D | ad No 126, 2014
s. 20 | am. No. 64, 2012
Division 2A heading | ad. No. 64, 2012
s. 22A | ad. No. 64, 2012
s. 22B | ad. No. 64, 2012
s. 22C | ad. No. 64, 2012
s. 22D | ad. No. 64, 2012
s. 22E | ad. No. 64, 2012
Division 3 heading
s 23 | am No 197, 2012
s 23A | ad No 126, 2014
s. 24A | ad. No. 64, 2012
Division 4 heading
s 26 | am No 197, 2012
Part 4 heading
s 29 | am No. 73, 2010; No 197, 2012
s. 30 | am. No. 73, 2010
Part 7 heading
s. 36 | am. No. 5, 2011; No. 64, 2012