Federal Register of Legislation - Australian Government

Primary content

A Bill for an Act to amend the law in relation to healthcare identifiers, electronic health records and other information relating to health, and for related purposes
Administered by: Health
For authoritative information on the progress of bills and on amendments proposed to them, please see the House of Representatives Votes and Proceedings, and the Journals of the Senate as available on the Parliament House website.
Registered 17 Sep 2015
Introduced HR 17 Sep 2015

2013-2014-2015

THE PARLIAMENT OF THE COMMONWEALTH OF AUSTRALIA

HOUSE OF REPRESENTATIVES

HEALTH LEGISLATION AMENDMENT (eHEALTH) BILL 2015

EXPLANATORY MEMORANDUM

(Circulated by authority of the Minister for Health and the Minister for Sport, the Hon Sussan Ley, MP)



HEALTH LEGISLATION AMENDMENT (eHEALTH) BILL 2015

OUTLINE

The Health Legislation Amendment (eHealth) Bill 2015 (the Bill) will amend the Personally Controlled Electronic Health Records Act 2012 (PCEHR Act), Healthcare Identifiers Act 2010 (HI Act), Privacy Act 1988 (Privacy Act), Copyright Act 1968 (Copyright Act), Health Insurance Act 1973 (Health Insurance Act) and National Health Act 1953 (National Health Act).

The primary purpose of the Bill is to make changes to the personally controlled electronic health record (PCEHR) system.  The PCEHR system allows individuals and their healthcare providers to access their key health information online where and when they need it.  A PCEHR is an electronic summary of an individual’s health records.

Background

The Healthcare Identifiers Service (HI Service) is a national system for consistently identifying individuals, individual healthcare providers and healthcare provider organisations for healthcare communication purposes.  It commenced in July 2010 as the result of a joint initiative of all Australian Governments as part of accelerating work on a national electronic health record system to improve patient safety, support safe and efficient sharing and storage of health information, and increase efficiency for healthcare providers.  It is jointly funded by the Commonwealth, states and territories.

As a foundation service to the PCEHR system and other eHealth measures, the HI Service is an important step in realising the benefits expected to be derived from eHealth.

A review of the HI Act and HI Service (HI Review) was undertaken in 2012-13.  It found that the core functionality of the HI Service is operating effectively but given the PCEHR system is now impacting directly on clinical workflows, there are some emerging issues that need to be addressed.  The HI Review made twenty-four recommendations to improve the HI Service.  The report of the HI Review, entitled Healthcare Identifiers Act and Service Review, Final Report 2013, is available on the Department of Health’s website.

The PCEHR system was implemented in July 2012 as a first step towards overcoming some of the issues facing healthcare arising from the fragmentation of health information.  Health information is spread across a vast number of different locations and systems.  In many healthcare situations, quick access to key health information about an individual is not always possible.  Limited access to health information at the point of care can result in a greater risk to patient safety, less than optimal health outcomes, avoidable adverse events, increased costs of care and time wasted in collecting or finding information, unnecessary or duplicated investigations, additional pressure on the health workforce, and reduced participation by individuals in their own healthcare management.

A review of the PCEHR system (PCEHR Review) was undertaken in 2013.  It found that there was overwhelming support for continuing implementation of a consistent electronic health record system for all Australians, but that a change in approach was needed to correct early implementation issues.  The PCEHR Review made thirty-eight recommendations aimed at making the system more useable and able to deliver the expected benefits in a shorter period.  The recommendations include establishing new governance arrangements, moving to an opt-out system for individual participation, and improving system usability and the clinical content of records.  The report of the PCEHR Review, entitled Review of the Personally Controlled Electronic Health Record, December 2013, is available on the Department of Health’s website.

The Government’s response to the recommendations of the PCEHR Review was announced in the 2015-16 Budget and includes strengthening eHealth governance and operations by establishing the Australian Commission for eHealth to manage governance, operation and ongoing delivery for eHealth, trialling new participation arrangements including opt-out, improving system usability and the clinical content of records, revising incentives, and providing education and training to healthcare providers.  The Government also announced that the PCEHR will be renamed the My Health Record.

Trials of participation arrangements (including opt-out trials) are intended to inform future strategies for increasing uptake and meaningful use of the My Health Record.

The Australian Government will continue to lead the national roll out of eHealth technology and services, and work with the states and territories to support eHealth foundations and to finalise a national eHealth strategy to identify the priorities for future Commonwealth and jurisdictional investment in eHealth.

The Bill

The Bill will implement the Government’s response to the PCEHR Review, specifically changes to the PCEHR system to change its name, prepare for new governance arrangements, improve usability of the system, and conduct participation trials.  The Bill will also implement recommendations of the HI Review, and make other minor and clarifying amendments to improve the operation of, and align, the PCEHR system and the HI Service.

The Bill will change the name of the PCEHR system to the My Health Record system.  This change is intended to better reflect the partnership between individuals and healthcare providers in healthcare, noting that individuals will retain all of the personal controls currently available.

The Bill will enable opt-out trials to be undertaken for individuals in a manner that retains the same patient controls as were provided in the PCEHR.  While these trials are operating in defined areas, the existing opt-in system will continue to operate everywhere else in Australia.  If the trials prove successful at improving both clinical and individual use of the system, and the Government decides to implement opt-out nationally, the Bill enables this to occur.

To make way for new governance arrangements that will be established through rules to be made under the Public Governance, Performance and Accountability Act 2013 (PGPA Act), the Bill will abolish the existing PCEHR Jurisdictional Advisory Committee and Independent Advisory Council.

The Bill will simplify the privacy framework by revising the way that permissions to collect, use and disclose information are presented, making it easier for participants in the system to understand what they can and cannot do.  The Bill will also include several new permissions to reflect how entities engage with one another.  These will include a new mechanism enabling entities to be authorised in regulations to use healthcare identifiers for healthcare-related purposes, recognising the need for future health-related entities to be interoperable with the PCEHR system.  This change is consistent with the original purpose and scope of healthcare identifiers.

In order to better protect the sensitive information that can be contained in a PCEHR, and to provide a more graduated framework for responding to inappropriate behaviour that is proportional to the severity of a breach of either the HI Service or PCEHR system, the Bill will introduce new civil and criminal penalties and provide that enforceable undertakings and injunctions are available in both systems.

The Bill will make clear that, unlike information about individuals and healthcare providers, information about healthcare provider organisations is not personal information so does not need the same privacy protections.

Given some current ambiguity in relation to the definition of “health services”, the Bill clarifies that health-related disability, palliative care and aged care services are considered health services, as recommended by the Australian Law Reform Commission.

The Bill clarifies mandatory data breach notification requirements for participants in the system to remove ambiguities and address issues that have been identified in the past three years of operation.  This requirement will extend to registered healthcare provider organisations and registered contracted service operators, replacing their existing contractual obligation to notify breaches.

Finally, the Bill will reflect the Australian Law Reform Commission’s recent recommendations regarding the obligations of people who provide decision-making support.

FINANCIAL IMPACT STATEMENT

In the 2015-16 Budget, the Government announced funding of $485.1 million over four years for the My Health Record system, including new eHealth governance arrangements and trials of participation arrangements, including opt-out.  This includes three years of funding for redevelopment and continued operation of the system.  The table below sets out the elements of funding related to this Bill.

Budget Measure

2015-16

($m)

2016-17

($m)

2017-18

($m)

2019-20

($m)

Total

($m)

My Health Record – a new direction for electronic health records in Australia

30.7

16.4

5.4

5.2

57.7


REGULATION IMPACT STATEMENT

The Office of Best Practice Regulation found this Regulation Impact Statement compliant with best practice and published it on 21 July 2015.

Changes to the PCEHR system

1.      INTRODUCTION

On 3 November 2013 the Australian Government commissioned an external review of the personally controlled electronic health record (PCEHR) system (the Review).  The Review identified a number of issues regarding the system that present an impediment to individual and clinical uptake.  In particular, the Review made recommendations concerning the model for individual participation, the governance arrangements and usability.

Implementation of the Review’s recommendations will improve the credibility, usability and utility of the record for healthcare providers.  These improvements will drive uptake, with healthcare providers more likely to support a system where the direct benefits are clear and the system is designed to sit within clinicians’ existing workflows.  Implementation will also expedite health benefits for individuals by enabling people to better manage their health.  The number of avoidable admissions and adverse drug events will also be reduced.

The Personally Controlled Electronic Health Records Act 2012 (PCEHR Act) and possibly the Healthcare Identifiers Act 2010 will need to be amended to support the changes.

A short form Regulation Impact Statement (RIS) for changes to the PCEHR system has been previously considered by the Government.  This standard form RIS has been provided for the Government’s consideration of the proposed changes in more detail which will be implemented through changes to legislation and infrastructure.

Background

On 1 July 2012 the Australian Government implemented the PCEHR system, supported by the PCEHR Act.  It places the individual at the centre of their own healthcare by enabling access to important health information when and where it is needed, by individuals and their healthcare providers.  A PCEHR is assembled using information created by a range of healthcare providers across the health sector to reflect an individual’s healthcare journey.

Since its implementation more than 2.1 million individuals and more than 7,600 healthcare provider organisations have registered to participate in the PCEHR system.  The system includes capacity to accept, store and share access to documents from and with any participating organisation and has more than 1.7 million clinical records, 70,000 individual‑entered documents and over 192 million Medicare and Pharmaceutical Benefits Scheme claim records uploaded to the system.  The privacy protections that apply to the system ensure individuals have strong protection of their records, and the security arrangements are subject to an ongoing work program to improve security, reduce risks and address threats in a rapidly changing cyber environment.  There is an array of personal controls available to the individual to allow them to control access to their record to the extent that they prefer.

Participation in the PCEHR system is voluntary for individuals and organisations (healthcare provider organisations, contracted service providers, repository operators and portal operators).  The system operates on an opt-in basis, which means that any person or organisation wishing to participate in the system needs to register.

2.      RATIONALE FOR GOVERNMENT INTERVENTION

The annual Commonwealth costs of healthcare are forecast to increase by $27 billion to $86 billion by 2025 and over $250 billion by 2050.[1]  Productivity improvements such as those that can be delivered by eHealth are needed to help counter the expected increases in the unit costs associated with the delivery of healthcare.  Leveraging eHealth is one of the few strategies available to drive microeconomic reform to reduce Commonwealth health outlays.

The Australian Government implemented the PCEHR system as a first step towards overcoming some of the issues facing healthcare arising from the fragmentation of health information.  Health information is spread across a vast number of different locations and systems.  In many healthcare situations quick access to key health information about an individual is not always possible.  Limited access to health information at the point of care can result in:

·         a greater risk to patient safety (e.g. as a result of an adverse drug event (ADE) due to a complete medications history not being available – it is estimated that 2.5% of hospital admissions are due to ADEs[2]);

·         increased costs of care and time wasted in collecting or finding information (e.g. when a general practitioner has to call the local hospital to get information because the discharge summary is not available – 36% of visits involve the clinician spending at least five minutes locating information[3]);

·         unnecessary or duplicated investigations (e.g. when a person attends a new provider and their previous test results are not available – 10% of laboratory tests are avoidable through electronic health records[4]);

·         additional pressure on the health workforce (e.g. needing to make diagnosis and treatment decisions with incomplete information); and

·         reduced participation by individuals in their own healthcare management.

The PCEHR system has, however, not realised the full benefits of such a system in its first two years.  While the PCEHR system has the potential to deliver real benefits, some significant design and policy changes need to be made in order to accrue these benefits in a reasonable timeframe.

Government has historically sponsored the development of infrastructure services like this to reduce the burden on business, and remove the possibility of creating further rail gauge issues.  Ongoing refinements made by government to streamline these services will bring about even greater efficiencies, which can be leveraged and further innovations made possible for the benefit of all Australians.

3.      THE PROBLEM

Participation

More than 2.1 million individuals have registered for a PCEHR.  Since the vast majority of individuals don’t have a PCEHR, healthcare providers generally lack any incentive to adopt and contribute to the system.  As a result only 1.7 million clinical documents with key information have been uploaded to the system by clinicians and dispensers.

Governance

The PCEHR Review identified several issues related to governance of eHealth broadly and the PCEHR system in particular, namely:

·         governance processes around the PCEHR system did not adequately represent the industry, were overly bureaucratic in nature and did not effectively balance the needs of government and private sector organisations;

·         engagement and consultation with some key stakeholders, including clinical stakeholders, has not been effective to date;

·         there are currently two significant governance arrangements in place for eHealth and there are perceived benefits in reducing this to one; and

·         there has been a lack of transparency in the decision-making process for the PCEHR system within the National E-Health Transition Authority (NEHTA) structure, whose role is to lead the uptake of eHealth systems of national significance.

The review of the PCEHR system found that governance for eHealth nationally is in need of significant change as it does not have the confidence of the industry.  Multiple factors have contributed to this, including a significant broadening of the remit of NEHTA since its inception.

Further, eHealth governance is not representative of the users of eHealth.  Although the PCEHR system directly affects healthcare providers (private and public), the medical software industry and individuals, the current governance predominantly comprises public organisations.  A prime example of this problem is the NEHTA board which is made up of the heads of the Commonwealth, state and territory health departments.

Usability

The Review found that the system poses usability issues, such as:

·         problems with the efficiency and effectiveness of eHealth applications in clinical systems and their poor fit within clinical practice workflow;

·         complexity in user interfaces, and multiple provider registration systems;

·         lack of integration across the broader eHealth infrastructure;

·         inability to agree and adopt standards in a timely manner;

·         technical compromises made to meet accelerated timeframes; and

·         the absence of standard terminology.

These issues have affected use of the system by healthcare provider organisations.

4.      OBJECTIVE OF GOVERNMENT INTERVENTION

The objective of the system continues to be to address information fragmentation by allowing a person to more easily access their own health information and make their health information securely accessible to healthcare providers involved in their care.

Making the system more useable and reliable is central to gaining the support and acceptance of healthcare providers and individuals, thereby leading to increased use and achievement of the identified benefits.

Changes to governance and the way individuals can choose to participate in the PCEHR system will be implemented in stages through to late 2017.  Trials of participation arrangements, including an opt-out system, will be undertaken in a few selected regions in 2016 and inform a decision, and future approaches, for increasing individual participation in the system from late 2017.

The PCEHR Act will need to be amended to reflect such changes since it prescribes the components of the current governance arrangements and opt-in nature of individual participation.

5.      OPTIONS

This section outlines the options for addressing the problems identified at section 3.  Four options are considered:

·         Option 1: Continuing with business as usual;

·         Option 2: Implementing a public awareness campaign to improve uptake;

·         Option 3A: Making the system opt-out for individuals with associated public awareness raising and education and training for healthcare providers, improving usability and changing the governance arrangements through the creation of a statutory authority.

·         Option 3B: Implementing participation trials, including opt-out, with targeted communications in the trial regions and education and training for healthcare providers, improving usability and changing the governance arrangements through the creation of a statutory authority.

5.1  Option 1: Continuing with business as usual

The status quo would not require any additional regulatory action or legislative change, but does not present a compelling business case.  It could take a further 15 years to realise the benefits sought as it will take that long before a significant proportion of the population has a record, which is a key to increased use by healthcare providers.  It is unlikely that healthcare providers will make use of the system until a significant proportion of the population has a PCEHR.  This will result in limited content being contributed or accessed and minimal benefit being realised.

Individuals would continue to be able to register for a record if they choose.  Many healthcare providers would continue to view the record as not clinically useful due to its limited content and customer coverage.

The Secretary of the Department of Health would continue to be the System Operator, delivering the system in cooperation with the following agencies:

·         Department of Human Services which delivers certain components of the PCEHR system under agreement with the System Operator, and delivers other eHealth services such as the National Authentication Service for Health, the Healthcare Identifiers Service and the Health Professional Online Service that form part of the PCEHR infrastructure; and

·         NEHTA, a company limited by guarantee and funded by the Australian Government and state and territory governments and whose board comprises heads of government health departments, delivers certain components of the PCEHR system under contract with the System Operator.  It leads the uptake of eHealth solutions through the health system.

The System Operator would continue to be advised on the operation of the PCEHR system by two statutory committeesthe Independent Advisory Council (representing individuals from peak stakeholder groups) and the Jurisdictional Advisory Committee (representing the health department of each jurisdiction).  These committees report directly to the System Operator.

As part of business as usual activities and streamlining, improvements would be made to the system’s access controls and the process for individuals to register and access their PCEHR.  The Clinical Usability Program would work with healthcare providers and software vendors to continue to identify system usability improvements.

Stakeholders would continue to have concerns about the system’s usability, transparency and accountability which may undermine their confidence and likelihood to participate.

5.2  Option 2: Implementing a public awareness campaign to improve uptake

This option would not require any regulatory action or legislative change.

The option would see the PCEHR system complemented by a public awareness campaign targeting all Australians.  The intent of this campaign would be to raise community awareness of the PCEHR – its purpose, the information it can contain, how it can be used, who can use it and how it can improve healthcare.

Individuals would continue to be able to register for a record if they choose.  During the Medicare For All campaign of 2013, which included promotion of the PCEHR, there was an increase of approximately 500 people a day registering using the consumer portal.  This dropped back to the pre-existing levels once the campaign finished.  Allowing for a campaign similar to the Medicare For All campaign but of 12 months’ duration and assuming its direct focus on the PCEHR would result in greater effectiveness, it is estimated that an additional 273,000 people would register[5].

As described at option 1, as part of business as usual activities and streamlining, improvements would be made to the system’s access controls and the process for individuals to register and access their PCEHR.  The Clinical Usability Program would work with healthcare providers and software vendors to continue to identify system usability improvements.

It is considered, however, that many healthcare providers would continue to view the record as not clinically useful due to its limited content and customer coverage.

Stakeholders would continue to have concerns about the system’s usability, transparency and accountability which may undermine their confidence and likelihood to participate.

5.3  Option 3A: Making the system opt-out for individuals with associated public awareness raising and education and training for healthcare providers, improving usability and changing the governance arrangements through creation of a statutory authority

The opt-in approach of the system would be changed to an opt-out approach for individuals.  Providing every Australian with a PCEHR without needing to take steps to register would be a fundamental step to delivering a world class PCEHR to the community.  A record would be created for every eligible individual.  That individual may or may not choose to access their record but healthcare providers would be able to access that record for healthcare purposes.

Individuals who wanted to access their PCEHR would need to first register for a myGov user identity and undertake a process to verify their identity.  Once they gain access they would be able to fully exercise the access controls of the record.  Experience over the past two years has shown that only about ten per cent of individuals who have a PCEHR access it and exercise their access controls.  This rate has been used in the consideration of this proposal.

Individuals would have the option of opting out of the system before a record is created for them or by cancelling their record so that it can no longer be accessed or used by healthcare providers if they already have one.  The individual would be able to opt back into the system at any time.

National and international experience in opt-in/opt-out rates for eHealth record systems and other health programs indicates that around one per cent of individuals choose to opt-out[6].  This rate has been used in the consideration of this proposal.  Implementation of opt-out nationally would be supported by an appropriate awareness raising campaign including about the benefits of the eHealth record system, how to set access controls, and details of how to opt-out if that is what someone chooses to do.

This shift in participation rates would give effect to behavioural changes in the healthcare provider industry, although participation by healthcare provider organisations will remain voluntary.  Nearly all individuals would have a record so, combined with other measures to improve the usability of the system and the nature of information it contains, healthcare providers would be more likely to commit to using and contributing to the PCEHR system, thereby increasing the utility of the system by increasing the amount of clinically valuable information in a PCEHR.

This option would also see a major shift in expectations of the governance arrangements to address concerns raised by stakeholders regarding transparency, stakeholder representation and accountability.

The following changes would result in a simplified structure with which the industry and individuals could more easily interact, and would ensure more meaningful consultation is undertaken in the operation and management of the system and the future directions of eHealth more broadly.

A statutory authority would be established to have relative independence from government departments ensuring it is balanced and represents the needs of key stakeholders to facilitate eHealth delivery by the private health sector in partnership with the public health sector.

A governing board would comprise skills-based representatives reflective of key health stakeholders.  Some members would have experience as healthcare providers, care recipients and leadership in governance.  Others would have clinical safety, systems, technical and government expertise.  The new entity would retain jurisdictional input and representation to reflect jurisdictions’ interests as continuing national eHealth funders.

The new organisation’s broad role would be the ongoing development and implementation of the national eHealth strategy, including PCEHR-related responsibilities arising from the Review.  This would include coordinating and managing activities relating to national eHealth infrastructure, solution design, specification and, where necessary, standards development and working with other key agencies to ensure this work is carried out in a coordinated fashion and expected outcomes are delivered to the satisfaction of key stakeholders.  It would also work to improve the usability of the system.

The new organisation would report directly to the Council of Australian Governments’ Health Council.

The current statutory committees that report to the System Operator would be abolished and dedicated advisory committees would be established within the legislative framework establishing the new entity to ensure that the PCEHR system delivers on the following matters:

·         clinical and technical;

·         jurisdictional;

·         individual; and

·         privacy and security.

These committees would have appropriate representational coverage and skills to represent the interests of key stakeholders and report directly to the board.

Assurance on the progress of eHealth would be provided to the Minister for Health through the establishment of an independent assurer who would report regularly and directly to the Minister.  The purpose of this role would be to provide unfiltered advice to the Minister on the real progress on the implementation of the changes to the eHealth record system and stakeholder acceptance.  The role would be fulfilled by an independent organisation with experience in the health sector and in providing assurance in the delivery of complex initiatives.

This option, together with other measures including:

·         improvements to usability, including those described at option 1;

·         the establishment of a core set of clinical information comprising current medications and adverse events, clinical measurements, and pathology and diagnostic imaging reports;

·         improving education and training programs for healthcare providers; and

·         re-focused incentives for healthcare provider organisations to participate in and use the system,

would significantly improve the clinical usability, credibility and utility of the record for healthcare providers and encourage buy-in of the system.

In this option the Government would not trial the methods of implementing opt‑out and different methods of providing communications and education prior to national implementation.  This would pose a risk of failing to properly communicate with the target audience, resulting in an increased number of individuals choosing to opt-out of having a PCEHR, and less organisations choosing to participate, potentially undermining confidence in the value of the system.

5.4  Option 3B: Implementing participation trials, including opt-out, with targeted communications in the trial regions and education and training of healthcare providers, improving usability and changing the governance arrangements through creation of a statutory authority

This option would require regulatory action and legislative change.

In selected areas of Australia (covering a total population of 1 million), based either on population size or type, trials of individual participation arrangements would be conducted, including an opt-out system, and targeted communications would be undertaken together with training for healthcare providers in these areas.  The intent of these trials would be to test the opt-out arrangements and other innovative approaches for driving registration and participation in the system, identify appropriate methods of targeting and delivering critical information to key audiences, assess the effectiveness of the communications and education and training for healthcare providers, and inform future decisions about, and the optimal approaches for, driving individual participation in the system for individuals from late 2017.  These trials would be evaluated over a period of up to nine months.

Outside the trial regions the PCEHR system would continue with business as usual and individuals would continue to be able to register for a record if they choose.  General practitioners, pharmacists and aged care services would be provided with targeted education and training in the trial regions, and more broadly.

In trialling an opt-out system, a record would be created for every eligible individual in the trial except for individuals who choose to opt-out.  Individuals may or may not choose to access their record but healthcare providers would be able to access that record for healthcare purposes.  As described at option 3A, individuals would access their record by first registering for a myGov user identity and will need to go through an identity verification process to access their PCEHR and exercise their access controls.  Experience indicates that about 10 per cent of individuals choose to access their PCEHR.

Individuals in the opt-out trials would have the option of opting out of the system before a record is created for them.  In the case of individuals who already have one, they would continue to be able to cancel them.  Individuals that opt-out would be able to opt back into the system at any time.

As outlined in option 3A, national and international experience in opt-in/opt-out rates for eHealth record systems and other health programs indicates that around one per cent of individuals choose to opt-out[7].

Trials of other innovative approaches for driving individual registration and participation in the system will also be conducted.  The nature of these other trials has not yet been determined.

This shift in participation rates would give effect to behavioural changes in healthcare provider organisations in or providing care in the selected trial regions, although participation by healthcare provider organisations will remain voluntary.  Nearly all individuals in the opt-out trials would have a record and individuals in the other trials would be more likely to have a PCEHR so, combined with other measures to improve the usability of the system and the nature of information it contains (as described at option 1), as well as targeted communications in the trial regions, education and training of healthcare providers, along with re‑focused incentives, these healthcare providers would be more likely to commit to using and contributing to the PCEHR system.

This option would result in improvements to the clinical value of the system and would see a positive impact on healthcare providers across Australia in terms of system use.

This option would also see the same governance changes made as discussed at option 3A and would include the other measures described at option 3A including usability improvements, business as usual activities and streamlining.

Stakeholders that are not part of the trials may continue to have concerns about the value of participating in the system given that the majority of their patients will not have a record.  This is despite the improvements to governance, clinical utility and usability of the system, and the availability of incentives and training.

6.      IMPACT ANALYSIS

This section describes the impacts of the proposed options.  An overview of the costs and benefits, stakeholders impacted and issues associated with each option is provided below.

6.1  Option 1: Continuing with business as usual

Maintaining the status requires no regulatory action by Government.

The risk of adverse outcomes from poor use of the system is likely to persist under the status quo.  Limited use of the system by healthcare providers will affect the amount of clinical information uploaded to a PCEHR.  In the longer term the lack of information in the system would become a disincentive to participate in the system.

Impact on individuals

The regulatory burden on individuals who choose to register for an eHealth record would be unchanged.  Any individual registering can apply through five channels – phone, online, in writing, in person at a Department of Human Services shopfront and at healthcare provider practices that provide assisted registration.

The impact of improvements to individual usability is not yet determined so they cannot be quantified.

Individuals who choose to have a PCEHR will continue to be able to share their health information with their healthcare provider organisations.  However, few healthcare providers use the system as the value proposition is low, so PCEHRs will continue to contain a limited amount of clinically useful information.

Impact on healthcare provider organisations

If an organisation chooses to register to use the system, it needs to complete the registration process to use the system.  Depending on the type of healthcare provider organisation, its needs in terms of start‑up will vary.

A registered organisation is subject to the requirements of PCEHR Act and the participation agreement with the System Operator.  The regulatory burden on individual providers who work in organisations participating in the PCEHR system would be unchanged as system participation is undertaken at the organisational level, not individually.

The regulatory burden on healthcare provider organisations that choose to register to participate in the PCEHR system would be unchanged.

If an organisation is registered, individual providers would continue to be subject to the requirements relating to uploading information to the PCEHR system and using PCEHR information in accordance with an individual’s wishes.

Registered organisations may choose to assist individuals to register for a PCEHR.  If an organisation chooses to provide this assisted registration service, it needs to obtain the necessary software from the Department, free of charge, and must comply with requirements specified in the PCEHR Rules regarding policy and record retention.  In providing assisted registration, an employee of the organisation discusses with the individual the benefits of having a PCEHR and, with the individual’s consent, makes a registration application for the individual.  The regulatory burden on organisations that choose to provide assisted registration would be unchanged.

The impact of improvement to healthcare provider usability is not yet determined so they cannot be quantified.

Those organisations that choose to participate in the PCEHR system will continue to have access to their patients’ PCEHRs (with their patient’s agreement) and be able to upload health information to those PCEHRs.  However, for reasons of usability, low individual participation rates and low healthcare provider organisation rates, PCEHRs will not be fully utilised by organisations and will contain limited information, and therefore will be of limited clinical value.

Impact on software vendors

The medical software industry is not obliged to deliver medical software that is compliant with the requirements of the PCEHR system.  It develops software to meet the needs of its customers (healthcare providers).  To date, vendors have been working to develop and deliver software that facilitates PCEHR access largely as a result of funding provided by NEHTA for software in general practice, pharmacy, public hospitals and aged care.  Increased participation by healthcare provider organisations may increase the customer base of software vendors.  If healthcare providers lose interest in the system because of low participation rates the industry is unlikely to exert pressure on software vendors to deliver PCEHR compliant software.

Impact on Government

The Government will continue to incur increasingly significant healthcare costs and will only begin realising the benefits of the PCEHR system, including a reduction in healthcare costs, when a majority of individuals have a PCEHR which will lead to an increase in the healthcare providers using the system.

6.2  Option 2: Implementing a public awareness campaign to improve uptake

This option requires no regulatory action by Government.

This option would see a negligible increase in the benefits realised from use of the system.  Limited use of the system by healthcare providers will affect the amount of clinical information uploaded to a PCEHR.  In the longer term the lack of information in the system would become a disincentive to participate in the system.

Impact on individuals

The costs and benefits to individuals are largely as described at option 1.  There would be a regulatory cost to those extra people who sign up as a result of the public awareness campaign.

Table 1 identifies the total costs over 10 years from additional individuals registering in the PCEHR system.

 

Average time taken for individual to register[8]                            11 minutes

Individual leisure time[9]                                                                         $27/hour

Average cost per application                                                              $4.86

Number of additional individuals registering[10]                            273,000

 

Total regulatory cost for individuals                                               $1.33 million

 

Impact on healthcare provider organisations

The costs and benefits to healthcare provider organisations are as described at option 1.

Impact on software providers

There is no impact on software vendors, as described at option 1.

Impact on Government

The Government will continue to incur increasingly significant healthcare costs and will only begin realising the benefits of the PCEHR system, including a reduction in healthcare costs, when a majority of individuals have a PCEHR which will lead to an increase in the healthcare providers using the system.  This option would be only marginally more effective than option 1.

The impact on Government will be the cost of undertaking the public awareness campaign.  This cost has not been quantified but is likely to be in the same order of magnitude as the Medicare For All campaign which was undertaken for two months in 2013 at a cost of $8 million.  The proposed public awareness campaign, which would be undertaken over 12 months, would be expected to cost over $50 million.

There will also be a cost for Government to support an increase to the capacity of the system.

6.3  Option 3A: Making the system opt-out for individuals with associated public awareness raising and education and training of healthcare providers, improving usability and changing the governance arrangements through creation of a statutory authority

This option would require amendments to the PCEHR Act to:

·         revise the current consent framework to reflect the opt-out nature of the system while still ensuring that individuals can ask that individual documents not be uploaded, and that healthcare providers remain subject to specified state or territory laws regarding the disclosure of certain types of health information;

·         change the name of the PCEHR where necessary to simplify references to legal aspects such as terms and conditions, and compliance requirements;

·         revise the function of the System Operator as necessary to reflect changes to the governance arrangements; and

·         abolish the Independent Advisory Council and Jurisdictional Advisory Committee (this will also require amendment of the Personally Controlled Electronic Health Records Regulation 2012).

It would also require amendment to other legislation to:

·         establish the new organisation as an inter-jurisdictional statutory authority and prescribe its function and operation; and

·         establish the board and the four committees and specify their function and operation.

These amendments would result in a reduction to the volume of Commonwealth legislation.

Under this option the new organisation would be established under Public Governance, Performance and Accountability Act 2013 (PGPA Act) rules or under its own primary legislation, as an inter‑jurisdictional statutory authority that is a body corporate.

The key advantages in establishing the entity as a statutory authority are:

·         A greater capacity to improve accountability, which could be imposed either under Public Governance, Performance and Accountability Act 2013 (PGPA Act) rules or enabling legislation.  This could include a requirement that the new eHealth entity submit a rolling work plan to the Australian Health Ministers’ Advisory Council and the Council of Australian Governments Health Council for approval on an annual basis, detailing its planned work and priorities for the following three years.  Additionally, any new statutory authority would be subject to the existing accountability mechanisms in the PGPA Act, such as the duty to keep the Ministers informed of its activities.

·         A greater level of ministerial oversight, which could be statutorily imposed.  Rules made under the PGPA Act could also confer State or Territory ministers with oversight of the entity.

·         Ability to impose, through ministerial direction, adherence to particular standards and processes such as procurement, staff engagement, and organisational performance reporting.

·         The agreed role/charter of a statutory authority and the associated governance bodies such as boards and committees would be set in law.  This would allow for easier ongoing management of the entity.

·         The Rules that the Commonwealth Finance Minister can make under the PGPA Act can be made (or amended if necessary) more expediently than the previous approach of passing enabling legislation through the Commonwealth Parliament (although they would still be subject to Parliament’s disallowance process).

·         Moving to a skills-based board (rather than retaining current jurisdictional directorship of the board) would alleviate a range of perceived and real conflict of interest issues.

The main disadvantages of this option are:

·         potential adverse perceptions that this is increasing bureaucracy;

·         establishing a statutory authority under primary legislation could take marginally longer than using a repurposed form of the NEHTA public company entity – approximately six to twelve months. To mitigate this disadvantage a new eHealth entity could be created through PGPA Act rules which would take approximately six to nine months; and

·         without conducting trials to evaluate methods of implementing opt-out and different communications and education approaches, the Government may fail to properly target its audience which could adversely affect participation and public confidence, and could see a reduction to the estimated regulatory savings.

Impact on individuals

In an opt-out system, every eligible individual would automatically get a PCEHR without taking any action.

The move to an opt-out system would represent a significant reduction in current regulatory burden for the community.  Individuals would no longer need to go through a registration process to get a PCEHR.

Table 2 identifies the total savings over 10 years from individuals not having to register in the PCEHR system.

 

Average time taken for individual to register[11]                           11 minutes

Individual leisure time[12]                                                                       $27/hour

Average cost per application                                                              $4.86

Number of individuals registering[13]                                                 5,000,000

 

Total regulatory saving for individuals                                          $24.30 million

 

Those individuals who did not want a PCEHR would need to go through an opt-out process.  There is no explicit cost or burden in having a PCEHR and an individual can choose the extent to which they use or access their PCEHR.  However, some individuals may choose to opt-out if they have unique privacy sensitivities, such as high profile individuals or individuals who are involved in potentially violent domestic or custodial disputes.  It is possible that some people may be uncomfortable with having a record but not sufficiently motivated to opt-out or to set controls to mitigate their concerns.  There is some burden associated with this situation but it has not been quantified.  It will be mitigated by ensuring the process for opting out or setting access controls is as simple as possible.

Table 3 identifies the total cost over 10 years for individuals to opt-out of the PCEHR system.

 

Estimated time taken for individual to opt-out[14]                       6 minutes

Individual leisure time[15]                                                                       $27/hour

Average cost per opt-out                                                                    $2.70

Number of individual opting out[16]                                                   271,400

 

Total regulatory cost for individual                                                 $0.73 million

 

If an individual does not have a PCEHR they will not gain the benefits that making their health information more easily accessible by their healthcare providers would achieve.  However, it would in no way affect their eligibility for health services.

Individuals who want to access their PCEHR and fully exercise their access controls would need to go through a process to verify their identity with the System Operator.  This process would closely resemble the current registration process.

Table 4 identifies the total cost over 10 years for individuals to obtain access to their PCEHR.

 

Estimated time taken for individual to obtain access[17]            11 minutes

Individual leisure time[18]                                                                       $27/hour

Average cost per application                                                              $4.86

Number of individuals obtaining access[19]                                     2,686,860

 

Total regulatory cost for individuals                                               $13.06 million

 

The PCEHR would enable healthcare providers to make more informed decisions about an individual’s care based on more complete information available in the individual’s PCEHR, and would also see a reduction in adverse medical events and in the duplication of treatment and tests.  With access to their key health information, individuals will be able to more actively participate in their own healthcare and will no longer need to remember all of their previous health information to repeat to each healthcare provider that treats them, and they will benefit from improved quality of healthcare and coordination of healthcare delivery.

The reduction in adverse medical events would see improvements to productivity and labour force participation since, over time, it would lead to improved treatment outcomes and less sick leave.  This may increase the community’s trust in the healthcare system.

The PCEHR system is also expected to reduce the time spent, cost and number of healthcare visits required by family members and their dependants, and therefore reduce their healthcare expenditure as families.  This will result in a consequent increase in the disposable income of families.

The reductions in time taken in finding information and the performance of unnecessary investigations would result in improved productivity for the health workforce thus addressing some of the challenge faced by the Commonwealth in the increasing cost of healthcare.

A PCEHR will be of particular benefit to individuals with chronic and complex conditions, older Australians, Indigenous Australians, mothers and newborn children, and individuals living in rural and regional areas, as they are more likely to access healthcare from numerous healthcare providers.

In addition, it would mean that patients and their families will be able to go anywhere in Australia to receive high quality and convenient healthcare, reducing the time and costs associated with undertaking duplicate tests or repeating information.

It is anticipated that benefits in health outcomes of families will be skewed towards vulnerable families as they currently face more challenges in accessing timely and appropriate healthcare and will have more to benefit from improved health outcomes.  These people are also less likely to participate in an opt-in model as they are more likely to be challenged by the registration process.  Vulnerable families may include Aboriginal and Torres Strait Islander families, family carers with a member who has a mental illness, families in which English is a second language, and families with low socio-economic status.  These groups are expected to experience more pronounced benefits as the PCEHR system will help reduce the enormous burden carried by these families.

The impact of improvements to individual usability is not yet determined so they cannot be quantified.

Impact on healthcare provider organisations

The regulatory burden on healthcare provider organisations that choose to register to participate in the PCEHR system would be unchanged, as described at option 1.

The regulatory burden on individual providers who work in organisations participating in the PCEHR system would be unchanged, as described at option 1.

The move to an opt-out system would have a regulatory impact on those registered healthcare provider organisations that currently provide assisted registration to individuals because they would no longer spend any time assisting individuals to apply to register for a PCEHR.  This would result in a savings.

Table 5 identifies the savings over 10 years from organisations no longer providing assisted registration to individuals.

 

Average time to provide assisted registration                            8 minutes

Average salary of officer providing assisted registration[20]     $175,000

Average cost to provide service                                                        $11.76

Number of individuals receiving assisted registration[21]          182,000

 

Total regulatory saving for organisations not

providing assisted registration                                                         $2.14 million

               

Opt-out participation by individuals would change the behaviour of the healthcare provider industry.  Healthcare providers would increasingly utilise the system and realise its benefits in terms of availability of healthcare information to improve healthcare quality and delivery.

Participation for healthcare provider organisations would remain opt-in.  There would be an indirect impact on healthcare provider organisations since opt-out participation for individuals will increase the value of the PCEHR system for providers.  It is estimated that 20 per cent more healthcare provider organisations would register each year.

The governance changes would not have a direct regulatory impact on healthcare providers and organisations.  However integrating the services and ensuring more appropriate stakeholder representation would see improvements to the usability of the system and an increase to the confidence in the system by healthcare providers.  This would likely lead to more healthcare provider organisations registering to participate in the system which, in itself, would impact organisations as described above.

Table 6 identifies the cost over 10 years for an increased volume of organisations to register to participate in the PCEHR system.

 

Average time taken for organisation to register                        2.5 hours

Average salary of officer completing application[22]                    $175,000

Average cost per application                                                              $220.50

Number of additional organisations registering[23]                      2,400

 

Total regulatory costs for additional organisations

to apply to register                                                                                $529,200

               

This option would improve the efficiency in the provision of health services.  Healthcare providers would have access to more complete and consistent information to inform their healthcare decisions, resulting in a reduction in the time wasted duplicating tests and treatment and seeking information from their patients and other healthcare providers, and reducing the occurrence of medication errors.

The impact of improvements to healthcare provider usability is not yet determined so they cannot be quantified.

Impact on software vendors

There is no regulatory impact on software vendors, as described at option 1.

Impact on Government

This option will impose some cost and burden on the Government as there would be a new agency to administer, however, given the nature in which the entity would be established, it would provide better accountability and transparency which would allow the Government to achieve and deliver better outcomes.

There will also be a cost for Government to support an increase to the capacity of the system and to undertake the communication campaigns and training.

The Government would gain significant economic benefits through the health sector and individuals through:

·         reducing hospital admissions;

·         enabling improved individuals care including better management of chronic disease; and

·         enabling a more efficient healthcare system.

6.4  Option 3B: Implementing participation trials, including opt-out, with targeted communications in the trial regions and education and training of healthcare providers, improving usability and changing the governance arrangements through creation of a statutory authority

This option would require legislative amendments as described in option 3A, plus further amendments to the PCEHR Act to enable the system to operate on an opt-out basis in certain trial regions while ensuring it continues as an opt-in system in the remainder of Australia.

Trials of other innovative approaches for driving registrations and participation in an opt-in system would also be conducted.

The statutory authority would be established as described in option 3A.

While this option would result in an increase to short-term regulatory costs, it would enable the Government to develop a robust approach to implementing an opt-out system nationally to assure long-term savings.

Impact on individuals

The impact on individuals would be the same as under option 3A, however it would only affect individuals in trial regions.  These individuals would no longer need to go through a registration process to get a PCEHR. Since the nature of the other trials has not yet been determined, a conservative approach has been taken in this costing to assume that the regulatory cost would apply to the maximum trial population.

Table 7 identifies the total savings from individuals in trial regions not having to register in the PCEHR system.

 

Average time taken for individual to register[24]                           11 minutes

Individual leisure time[25]                                                                       $27/hour

Average cost per application                                                              $4.86

Number of individuals registering[26]                                                 22,000

 

Total regulatory saving for individuals                                          $106,920

 

As described in option 3A, any individuals who don’t want a PCEHR would need to go through an opt-out process.

Table 8 identifies the total cost for individuals in trial regions to opt-out of the PCEHR system.

 

Estimated time taken for individual to opt-out[27]                       6 minutes

Individual leisure time[28]                                                                       $27/hour

Average cost per opt-out                                                                    $2.70

Number of individuals opting out[29]                                                 10,000

 

Total regulatory cost for individual                                                 $27,000

 

If an individual does not have a PCEHR they will not gain the benefits that making their health information more easily accessible by their healthcare providers would achieve.  However, it would in no way affect their eligibility for health services.

As described in option 3A, individuals who want to access their PCEHR and exercise their access controls would need to go through an identity verification process.

Table 9 identifies the total cost for individuals in trial regions to obtain access to their PCEHR.

 

Estimated time taken for individual to obtain access[30]            11 minutes

Individual leisure time[31]                                                                       $27/hour

Average cost per application                                                              $4.86

Number of individuals obtaining access[32]                                     99,000

 

Total regulatory cost for individuals                                               $481,140

 

The PCEHR would enable healthcare providers who are treating individuals from the trial regions to make more informed decisions about an individual’s care based on more complete information available in the individual’s PCEHR.  However it would likely see a negligible reduction in adverse medical events and the duplication of treatment and tests.  With access to their key health information, individuals will be able to more actively participate in their own healthcare and will benefit somewhat from improved quality of healthcare and coordination of healthcare delivery.

A PCEHR will be of particular benefit to individuals with chronic and complex conditions, older Australians, Indigenous Australians, mothers and newborn children, and individuals living in rural and regional areas, as they are more likely to access healthcare from numerous healthcare providers.

The impact of improvements to individual usability is not yet determined so they cannot be quantified.

Impact on healthcare provider organisations

The regulatory burden on healthcare provider organisations that choose to register to participate in the PCEHR system would be unchanged, as described at option 1.

The regulatory burden on individual providers who work in organisations participating in the PCEHR system would be unchanged, as described at option 1.

Opt-out participation in trial regions would, to some degree, change the behaviour of the healthcare providers who treat those individuals.  These healthcare providers would increasingly utilise the system and realise its benefits in terms of availability of healthcare information to improve healthcare quality and delivery, and may feel compelled to register with the system to meet patient demand.

Participation for healthcare provider organisations would remain opt-in.  There would be an indirect impact on healthcare provider organisations in trial regions and those providing treatment to individuals in trial regions, since opt-out participation will increase the value of the PCEHR system for these providers.  It is therefore likely that additional healthcare provider organisations would register during the trials.  Until the trial regions are selected it is not possible to quantify how many additional organisations are likely to register so for the purpose of this proposal it is estimated that 50 additional organisations would register.

The governance changes would not have a direct regulatory impact on healthcare providers and organisations.  However integrating the services and ensuring more appropriate stakeholder representation would see improvements to the usability of the system and an increase to the confidence in the system by healthcare providers.  This would likely lead to more healthcare provider organisations registering to participate in the system which, in itself, would impact organisations as described above.

Table 10 identifies the cost of additional organisations registering to participate in the PCEHR system.

 

Average time taken for organisation to register                        2.5 hours

Average salary of officer completing application[33]                    $175,000

Average cost per application                                                              $220.50

Number of additional organisations registering[34]                      50

 

Total regulatory costs for additional organisations

to apply to register                                                                                $11,025

 

This option would see negligible improvements to efficiency in the provision of health services.

The impact of improvements to healthcare provider usability is not yet determined so they cannot be quantified.

Impact on software vendors

There is no regulatory impact on software vendors, as described at option 1.

Impact on Government

This option will impose some cost and burden on the Government, including the cost to undertake the communication campaigns and training, and to support an increase to the capacity of the system.

The Government would gain negligible economic benefits through the health sector and individuals through:

·         reducing hospital admissions;

·         enabling improved individuals care including better management of chronic disease; and

·         enabling a more efficient healthcare system.

The Government will continue to incur increasingly significant healthcare costs and will only begin realising the benefits of the PCEHR system, including a reduction in healthcare costs, when a majority of individuals have a PCEHR which will lead to an increase in the healthcare providers using the system.

7.      CONSULTATION

The panel undertaking the PCEHR Review considered information from submissions invited from stakeholder groups, unsolicited feedback by interested parties and a series of interviews with key stakeholders.

There is evidence of strong support for the opt-out model.  There are specific user groups that could potentially see significant benefits from having an eHealth record, including people with chronic and complex conditions, the elderly, Aboriginal and Torres Strait Islander peoples, and mothers and newborns.  An opt-out model would help resolve the difficult registration process and enable people to realise the benefits of an eHealth record.

In terms of governance, the Review identified that stakeholders have little confidence in the current PCEHR system for a range of reasons including a lack of transparency, usability, complexity, accountability and proportional representation of its governance.

The Department undertook a national consultation process from 18 July to 9 September 2014 involving clinicians, individual representative groups, jurisdictions, the IT industry and private health and indemnity insurers.  Consultation sessions were held in all capital cities (except Darwin) and Alice Springs, and were led by senior officers of the Department.

The consultations were aimed at obtaining stakeholder views on the intent of the PCEHR Review’s recommendations, any issues or risks for implementation and how these may be overcome.

The key messages from the consultations were:

·         broad support by individuals and providers for the concept of an opt-out national shared electronic health record;

·         the move to opt-out will need strong, effective communication about what it means in terms of privacy, security, and where they can get further advice;

·         healthcare providers support the move to opt-out as one of a range of things that need to happen to encourage adoption, including improvement in usability and content;

·         individuals consider provider participation should also be opt-out given the importance of their participation;

·         providers consider the minimum key content of a PCEHR is allergies, adverse events, a current medication list and transfer of care summaries, and pathology and diagnostic imaging results are very useful; and

·         key information in the PCEHR, such as medications, must be current and easy to find – the biggest concern is around current usability.

The consultations have informed the development of this proposal and the impact analyses, and they will also influence the system design, implementation schedule, and the planning for communication, education and risk management.

8.      RECOMMENDATION

The recommended option is option 3B because:

·         it would achieve the Government’s objectives and would, in the long-term, have a positive impact on the reputation and usefulness of the system;

·         a majority of stakeholders support an opt-out model;

·         it would inform future decisions regarding approaches for the adoption of a national opt‑out system and the delivery of communications, and education and training for healthcare providers.

While option 3B would see a short-term increase in the regulatory impact on individuals and healthcare provider organisations in trial regions, with a net cost of $412,245, it would provide valuable information that would enable the Government to increase participation in and meaningful use of the PCEHR system in a manner that appropriately targets and educates its audience, enhances confidence in the system and sees long-term savings.

Regulatory Burden and Cost Offsets Estimates Table

Option 2

Average annual regulatory costs (from business as usual)

Change in costs ($ million)

Business

Community organisations

Individuals

Total change in costs

Total, by sector

$0

$0

$0.133

$0.133

 

Cost offset ($ million)

Business

Community organisations

Individuals

Total, by source

Agency

$21.7

$0

$0

-$21.7

Are all new costs offset?

Yes, costs are offset

Total (Change in costs – Cost offset) ($ million) = -$21.567

This cost is offset by the regulatory savings of $21.7 million achieved by the National Industrial Chemicals Notifications and Assessment Scheme reforms.

Option 3A

Average annual regulatory costs (from business as usual)

Change in costs ($ million)

Business

Community organisations

Individuals

Total change in costs

Total, by sector

-$0.161

$0

-$1.051

-$1.212

 

Cost offset ($ million)

Business

Community organisations

Individuals

Total, by source

Agency

$0

$0

$0

$0

Are all new costs offset?

Deregulatory—no offsets required

Total (Change in costs – Cost offset) ($ million) = -$1.212

Option 3B

Average annual regulatory costs (from business as usual)

Change in costs ($ million)

Business

Community organisations

Individuals

Total change in costs

Total, by sector

$0.011

$0

$0.401

$0.412

 

Cost offset ($ million)

Business

Community organisations

Individuals

Total, by source

Agency

-$21.7

$0

$0

-$21.7

Are all new costs offset?

Yes, costs are offset

Total (Change in costs – Cost offset) ($ million) = -$21.288

This cost is offset by the regulatory savings of $21.7 million achieved by the National Industrial Chemicals Notifications and Assessment Scheme reforms.

9.      IMPLEMENTATION AND REVIEW

New participation arrangements for individuals, a new governance framework and usability improvements are intended to take effect in stages, alongside a national education and communication campaign.

A post-implementation review will be undertaken after the recommended changes have been in operation for a reasonable period of time.


STATEMENT OF COMPATIBILITY FOR A BILL THAT RAISES HUMAN RIGHTS ISSUES

Statement of Compatibility with Human Rights

Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011

Health Legislation Amendment (eHealth) Bill 2015

This Bill is compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.

Overview of the Bill

The Health Legislation Amendment (eHealth) Bill 2015 (the Bill) will amend the Personally Controlled Electronic Health Records Act 2012 (to be known as the My Health Records Act), Healthcare Identifiers Act 2010 (HI Act), Privacy Act 1988 (Privacy Act), Copyright Act 1968 (Copyright Act), Health Insurance Act 1973 (Health Insurance Act) and National Health Act 1953 (National Health Act).

As a national shared electronic health record system, the My Health Record system includes capacity to accept, store and share documents from and with participating healthcare provider organisations.  The objective of the system is to address the fragmentation of information across the Australian health system and provide healthcare providers the information they need to inform effective treatment decisions.  The system also gives individuals, and their representatives, online access to the information and documents in the system so they can view and manage their own health information.  To support effective operation of the system, individuals and healthcare providers are uniquely identified using numbers assigned and managed as part of the Healthcare Identifiers Service (HI Service), a foundation service for the My Health Record system.

The Bill seeks to improve the operation and management of the HI Service and the My Health Record system, focusing on increasing participation, meaningful use and usability.  The changes respond to recommendations from the Review of the Personally Controlled Electronic Health Record (PCEHR Review) and the Healthcare Identifiers Act and Service Review, and address issues identified in the early years of operating these systems.  The Government’s response to the PCEHR Review includes changing the name of the personally controlled electronic health record system to the My Health Record system, strengthening governance arrangements, including the establishment of a new Australian Commission for eHealth, improving system usability and clinical content of My Health Records, and conducting trials of different participation arrangements for individuals, including opt-out.

The Bill will enable opt-out participation arrangements for individuals to be trialled in selected regions.  Under opt-out arrangements a My Health Record would be created for everyone unless they say they do not want one.  Individuals will be able to view and manage their information in the My Health Record system and would retain the same patient controls that were developed in the PCEHR.  While these trials are operating, the My Health Record system would continue to operate as an opt-in system (as it is currently) everywhere else in Australia.  The Bill enables opt-out to be implemented nationally if the opt-out trial proves successful and the Government decides to implement opt-out nationally.

The privacy protections that apply to the system ensure individual’s records are strongly protected.  An ongoing work program is continually improving security, reducing risks and addressing threats in a rapidly changing cyber environment.  Individuals can also control access to their My Health Record, allowing them to implement their personal healthcare provider access preferences.

In order to better protect the sensitive information that can be contained in the My Health Record system, and to provide a more graduated framework for responding to inappropriate behaviour, the Bill would introduce new civil and criminal penalties and provide that enforceable undertakings and injunctions are available in both the My Health Record system and the HI Service.  The Bill would also implement a revised mandatory data breach notification requirement for all participants in the system.  This requirement would extend to registered healthcare provider organisations and registered contracted service operators, replacing the existing contractual obligation for those entities to notify breaches.

Finally, the Bill reflects the Australian Law Reform Commission’s recommendations regarding the obligations of people who provide decision-making support.

Human rights implications

The Bill engages the following human rights:

·         right to health (Article 12(1) of the International Covenant on Economic, Social and Cultural Rights);

·         protection of privacy and reputation (Article 17 of the International Covenant on Civil and Political Rights, Article 22 of the Convention on the Rights of Persons with Disabilities and Article 16 of the Convention on the Rights of the Child);

·         right to an effective remedy (Article 2 of the International Covenant on Economic, Social and Cultural Rights);

·         right to a fair hearing and fair trial (Articles 14 and 15 of the International Covenant on Economic, Social and Cultural Rights);

·         rights of people with a disability (Article 12 of the Convention on the Rights of Persons with Disabilities);

·         protection of children and families (Articles 3, 5, 12 and 18 of the Convention on the Rights of the Child); and

·         freedom of expression (Article 19 of the International Covenant on Civil and Political Rights).

Right to health

Article 12(1) of the International Covenant on Economic, Social and Cultural Rights provides for a right to the enjoyment of the highest attainable standard of physical and mental health, which is to be realised progressively within the resources available.  In its General Comment No. 14 (2000), the Committee on the Economic, Social and Cultural Rights notes that information accessibility is an element of the right to health and that this includes “the right to seek, receive and impart information and ideas concerning health issues”, without impairing the right to have health data treated confidentially.

The My Health Record system promotes the right to health by facilitating the sharing of information between healthcare providers and placing the individual at the centre of their healthcare.  Access to patients’ health information through the My Health Record system supports healthcare providers to make quicker and safer treatment decisions and reduces repetition of information for patients and duplication of tests.  Individuals are provided ready access to their own information, empowering them to make informed decisions about their healthcare.

The current participation arrangements have not effectively encouraged use of My Health Records by individuals and subsequently healthcare providers, and are creating a barrier to achieving the benefits to health.  The Bill makes amendments that are designed to promote use of the My Health Record system, improving the ability of the system to assist in the attainment of the right to health.  Making the My Health Record system more useable and reliable is central to gaining the support and acceptance of healthcare providers and individuals, thereby leading to increased use and more effective and efficient provision of healthcare.

Protection of privacy and reputation

Article 17 of the International Covenant on Civil and Political Rights (ICCPR) prohibits arbitrary or unlawful interference with a person’s privacy.  For interferences with privacy not to be ‘arbitrary’, they must be reasonable in the particular circumstances.  Reasonableness, in this context, incorporates notions of proportionality to the end sought and necessity in the circumstances.  This right is also reflected in Article 22 of the Convention on the Rights of Persons with Disabilities (CRPD) and Article 16 of the Convention on the Rights of the Child (CRC).

The Bill engages the right to privacy by allowing for disclosure of personal information to support the provision of effective healthcare to individuals and for management of the My Health Record system.

Amended Part 3 of the HI Act authorises the collection use and disclosure of healthcare identifiers, identifying information and other information relating to identifiers.  The HI Service Operator can collect information about a person from various sources for the purpose of assigning them a healthcare identifier.  The HI Service Operator can disclose the identifier to healthcare providers to assist them in communicating and managing health information.  For example, a healthcare provider can use a patient’s healthcare identifier to access the patient’s My Health Record.  The healthcare identifier can also be disclosed to other entities to assist in operating the My Health Record system and for aged care purposes.  Amended Division 6 of Part 3 of the My Health Records Act relates to collection, use and disclosure of information for the purposes of the My Health Record system.  Section 58 of this Division authorises the My Health Record System Operator to collect, use and disclose health information in an individual’s record, a core function of the system.  Section 58A of this Division provides authority for information about individual’s representatives to be shared for the purposes of the My Health Record system, allowing the relationships between individuals to be recorded and used in the system.

Along with the My Health Record System Operator, identifying information can be collected, used and disclosed by registered repository and portal operators, the Chief Executive Medicare, the Department of Veterans’ Affairs, the Department of Defence and the department for responsible for aged care.  The Minister has a regulation-making power to prescribe additional entities that are authorised to collect, use and disclose identifying information.  Any regulations made for this purpose would be subject to Parliamentary scrutiny.  Participation by these additional entities allows for a comprehensive and interconnected system drawing on multiple sources of information about an individual and connecting disparate data sets.

The My Health Record system empowers individuals to manage their own health information.  The system supports individuals to exercise their rights to control how their information is collected, used and disclosed.  Individuals who have a My Health Record can control who can access their information and what information can be accessed, and can elect to be notified when someone accesses their My Health Record.  Individuals can set the access controls on their My Health Record online or over the phone.  They can limit which healthcare providers can access their My Health Record.  They can nominate representatives, such as a friend or family members, to access the My Health Record and support them in managing their health information.  They can effectively remove records that have been uploaded.  They can also request an email or text message (SMS) be provided when particular events occur, such as if new information is included in their My Health Record or a new healthcare provider organisation accesses their My Health Record.

Once they have a My Health Record an individual can cancel their registration.  No new information will be collected about individuals if they cancel their registration.  Any information collected about that individual up to that point will no longer be shared with participating healthcare providers.  If an individual cancels their registration they can choose to participate again at any time.

The current participation arrangements, which require an individual to actively register, have proved ineffective in facilitating broad use of the My Health Record system and are considered a significant barrier to realising the benefits of the My Health Record system.  Under the opt-out participation arrangements, individuals will be provided an opportunity to advise if they do not wish to participate (opt-out).  The Bill allows for opt-out participation to be trialled in particular locations.  This means My Health Records will be created for people living in a specified location unless they say they do not want one.  Individuals in these locations will be provided information about the My Health Record system so they can make an informed decision about whether or not to participate.  While the trials are underway the current opt-in arrangements will continue in other areas.  If the opt-out trials are found to be successful in increasing participation and meaningful use of the My Health Record system, the Bill allows the opt-out arrangements to be extended to a national level.

Increasing participation in the My Health Record system is intended to drive the use of My Health Records by healthcare providers as part of normal healthcare in Australia.  Increased participation by individuals is anticipated to drive increased and meaningful use by healthcare providers.  Combined with other measures to improve the usability of the system and the clinical content of My Health Records, if nearly all individuals have a My Health Record, healthcare providers will be more likely to commit to using and contributing to the My Health Record system, thereby increasing the utility of the system by increasing the amount of clinically valuable information.  Without a significant increase in use, individuals, healthcare providers and the Australian community will not receive the health and economic benefits that could be gained through the My Health Record system.  These benefits include quick and ready access to information about patients leading to improved and faster treatment decisions, better health outcomes and reduced duplication of tests as the results are more easily shared amongst healthcare providers.

The Bill makes amendments so that if an individual is participating in the My Health Record system they would not need to consent for their health information to be provided to the My Health Record system by a registered repository operator.  This will allow information from a wide range of sources to be included in the system.  Examples include cancer screening registers which store the test results of individuals.  Over time these registers could become repositories for the My Health Record system and an individual’s results incorporated into their My Health Record.  An individual can effectively remove information from their My Health Record at any time if they so choose.

Amended Parts 4, 5 and 6 of the My Health Records Act limit the circumstances in which an individual’s record can be accessed and their personal information collected, used and disclosed, and provides sanctions for unauthorised collection, use and disclosure of information.  This is consistent with the current authorisations and limitations on the handling of personal information in an individual’s record.

Information in the My Health Record system can generally only be collected, used or disclosed for provision of healthcare to the individual and management of the My Health Record system.  Sharing and using information in this way is the primary purpose of the system.

An audit trail of activity in relation to a My Health Record is kept by the System Operator and is available to the individual.  This provides individuals transparent information about who has viewed their personal information.  The optional notifications available to individuals by email or text message (SMS) alert them when new information is included in the record or when new healthcare provider organisations access the record.

Information in the My Health Record system can be used for other purposes identified in Part 4 of the My Health Records Act including if authorised by another law (section 65), for a law enforcement purpose (section 70) or ordered by a court or tribunal (section 69).  These authorisations recognise that from time to time information in the My Health Record system will be relevant for significant decisions, such as investigation of a crime.  This information cannot be disclosed arbitrarily and robust justification must be provided as to why the information is necessary.

The My Health Record System Operator will continue to be able to prepare and provide de‑identified data for research and public health purposes (paragraph 15(ma) of the My Health Records Act).  This authority allows information in the My Health Record system to be used for the benefit of the whole Australian community such as assessment of treatment, identifying trends in disease prevalence and development of government policies.  Individuals will not be personally identifiable from information used for this purpose.  This authority has been in place since 2012 but a framework for preparation and release of data has not yet been developed.  Information will not be used for this purpose until appropriate arrangements are in place to guide how data sets are prepared, who they can be used by and what they can be used for.

The amended HI Act provides that a person must not use or disclose healthcare identifiers or information collected for the purposes of the HI Service, except where authorised to do so.  Criminal and civil penalties apply if this prohibition is breached.

Amended section 75 of the My Health Records Act requires all data breaches be reported to the My Health Record System Operator and/or the Information Commissioner, ensuring that threats to privacy are detected and addressed early.  Currently only entities that are or have been a registered repository operator or a registered portal operator are required to report data breaches to the My Health Record System Operator and the Information Commissioner.  The My Health Record System Operator is required to notify breaches it is involved in to the Information Commissioner.  Registered healthcare provider organisations and registered contracted service providers are not currently subject to this requirement but are instead obliged through contractual arrangements to report data breaches.  The Bill will amend the My Health Records Act so all of these entities are subject to reporting requirements under legislation.  The changes clarify and standardise data breach reporting for all participants, ensuring protection of individual’s personal and health information, allowing steps to be taken to correct any breaches and, if necessary, allowing individuals to take steps to protect their privacy and safety.

Right to effective remedy

The Bill engages Article 2(3) of the ICCPR which guarantees that any person whose rights or freedoms, including the right to protection from arbitrary and unlawful interferences with privacy, are violated shall have an effective remedy determined by competent judicial, administrative or legislative authorities.  New Part 5A of the HI Act and amended Part 6 of the My Health Records Act authorise enforceable undertakings and injunctions to be put in place if a participant has violated another person’s privacy, performed an unauthorised act harming an individual, taken health information from the My Health Record system outside of Australia or failed to report a data breach.

The My Health Record System Operator, the HI Service Operator and the Information Commissioner all have the power to accept an enforceable undertaking.  An enforceable undertaking seeks to have a participant voluntarily agree to remedy any damage a breach has caused, such as making an apology or making a payment to an individual.  It also seeks to ensure the participant changes their acts, practices, procedures or behaviours to ensure it complies with the law.  If the undertaking is not complied with, the participant can be taken to court to enforce the undertaking.  The undertaking can also be published on a website, generating public awareness of the breach and misconduct.  For example, the My Health Record System Operator could request an enforceable undertaking from a registered repository operator that it would keep its software up-to-date if the operator had previously failed to maintain up-to-date software and this had posed a potential weakness in the security of the My Health Record system.

The My Health Record System Operator, HI Service Operator and Information Commissioner can also apply to a court seeking an injunction.  An injunction is a court order that requires a person to take, or refrain from taking, a particular action.  For example, an injunction could be granted requiring a participant in the My Health Record system to update their IT security software before being able to access the system, or to prevent a repository operator taking My Health Record system information outside Australia.

A breach of the My Health Records Act or the HI Act will continue to be considered a breach of the Privacy Act, allowing the Information Commissioner to be able to investigate and make determinations.  For an injunction to be granted, the Information Commissioner, My Health Record System Operator or HI Service Operator is required to apply to a court.  The usual requirements for the grant of an injunction would apply.

The Bill provides for the My Health Record System Operator and the Information Commissioner to make certain types of decisions, such as registration of individuals, portal and repository operators, and for people to be able to seek review of those decisions.  Section 97 of the My Health Records Act continues to provide the opportunity for individuals to request reconsideration of decisions which affect them.  If they are not satisfied by the outcome, they can progress matters to the Administrative Appeals Tribunal.

Right to a fair hearing and fair trial

The civil penalty provisions in the Bill, which in turn rely on the standard civil penalty provisions in the Regulatory Powers (Standard Provisions) Act 2014, may potentially engage the criminal process rights under Article 14 of the ICCPR, if the civil penalty provisions are classified as “criminal” under human rights law.  Even though the Bill labels the provisions as civil penalties, this is not determinative and the nature and severity of the provisions must be assessed.

Under the civil penalty provisions, proceedings are instituted by a public authority with statutory powers of enforcement in a court.  A finding of culpability precedes the imposition of a penalty.  This might make the penalties appear ‘criminal’ however this is not determinative.  While the provisions are deterrent in nature, these penalties generally do not apply to the public at large.  Only a specific group of users, being healthcare providers and other participants in the My Health Record system with access to sensitive information will generally be impacted by these penalties.  Further, the severity of the penalties is not too high, with the highest pecuniary penalty that can be imposed being only 600 units.  This penalty is justified as the My Health Record system deals with privacy sensitive information and the misuse of this information needs to have proportionate penalties to the potential damage to healthcare recipients.  In light of this analysis, the nature and application of the civil penalty provisions suggest that they should not be classed as criminal under human rights law.

Only the Information Commissioner may seek the imposition of civil penalties, and this must be done via an application to a court.  Matters can be considered by the Federal Court of Australia, Federal Circuit Court of Australia or certain courts of states or territories that will have jurisdiction.  These arrangements ensure that the most serious matters are dealt with independently of the My Health Record System Operator and HI Service Operator.

The Bill introduces criminal penalties, including imprisonment, for unauthorised collection, use or disclosure of information from the My Health Record system and holding or handling information outside of Australia (sections 59, 60 and 77).  Potentially criminal behaviour would be referred to the Director of Public Prosecutions who would make an independent decision about whether or not to pursue criminal penalties via the courts.  These arrangements ensure that the most serious matters are dealt with independently of the My Health Record System Operator and HI Service Operator.  Hearings in relation to these matters would be heard by the Federal Court of Australia, Federal Circuit Court of Australia or certain courts of state and territories that will have jurisdiction.  The criminal penalties will align across the HI Act and My Health Records Act.

Rights of people with a disability

The representative arrangements proposed in the amended section 7A of the My Health Records Act engage the right of persons with disabilities to enjoy legal capacity on an equal basis with others under Article 12 of the Convention on the Rights of Persons with Disabilities (CRPD).  Consistent with Article 12, people with a disability are provided equal opportunity to participate in the My Health Record system and make decisions about access to their personal information.  Continuing current arrangements, authorised representatives can support people to interact with the My Health Record system and act on behalf of the individual if they are unable to act for themselves.  These arrangements allow for people with a disability to participate in the My Health Record system, control access to their personal information and withdraw participation in the My Health Record system if they choose to do so.  This functionality also supports Article 22 of the CRPD protecting the privacy of people with a disability.

The Bill shifts the duty of authorised representatives from being required to act in the ‘best interests’ of an individual, to a duty to give effect to the ‘will and preferences’ of the individual.  This change realises the principle that people with disability have an equal right to make decisions and to have those decisions respected, and is consistent with recommendations of the Australian Law Reform Commission in its 2014 report entitled Equality, Capacity and Disability in Commonwealth Law.

If it is not possible to ascertain an individual’s will and preferences, reasonable efforts must be made to ascertain likely will and preferences (including through consultation with relevant people in the person’s life).  Where will or preferences cannot be ascertained, or giving effect to the individual’s will or preferences would pose serious risk to the individual’s personal or social wellbeing, the authorised representative is required to act in a manner to promote the personal and social wellbeing of the individual.  The duty to promote personal and social wellbeing is consistent with the duty imposed on nominees under the National Disability Insurance Scheme Act 2013.

Failure of an authorised representative to meet these duties may result in their appointment being suspended or cancelled, or access to the individual’s My Health Record being blocked under the My Health Records Rules (currently the PCEHR Rules 2012).

Protection of children and families

The Bill engages:

·         Article 3 of the Convention on the Rights of the Child (CRC), providing appropriate legislative measures, supported by administrative arrangements, for children to participate in the system and for parents, or other legal guardians, to act on the child’s behalf;

·         Article 3 of the CRC, requiring the child’s representatives to ascertain and to give effect to the will and preferences of the child;

·         Article 5 of the CRC, recognising the rights, responsibilities and duties of parents, legal guardians and extended family to exercise the rights of a child;

·         Article 18 of the CRC, recognising both parents or any other legal guardians as having shared responsibility and allowing them equal opportunity to act on behalf of a child in relation to the My Health Record system; and

·         Article 12 of the CRC, assuring children who are capable of forming their own views are able to express those views and their views are given due weight.

The existing arrangements allowing parents or other appropriate people to act on behalf of a child (section 6 of the My Health Records Act) are not affected by the Bill.  That Act recognises parental responsibility consistent with the Family Law Act 1975.  A child’s representative can register them for a My Health Record, and supporting Article 16 of the CRC the privacy of children is protected as representatives such as parents and legal guardians can set the privacy controls such as removing information or restricting access to content.  Under opt-out participation arrangements representatives will also be able to withdraw the child from participation.  More than one person can act on behalf of a child, allowing both parents and multiple guardians to make decisions in relation to the My Health Record.

The My Health Records Act continues to allow a child who is capable of making decisions for themselves to take control of their My Health Record, set access controls or cancel their registration (if already registered) if they choose to do so.  The Bill will enable a child who is capable of making decisions for themselves to, like other individuals, opt themselves out of registration in the My Health Record system.  Under subsection 6(3) of the My Health Records Act a person cannot act on behalf of the child if the child wants to manage their own record and is capable of making decisions for themselves.

As with representatives for people with a disability, the Bill shifts the duty of authorised representatives for children from being required to act in the ‘best interests’ of an individual, to a duty to give effect to the ‘will and preferences’ of the individual.  This change realises the principle that children with appropriate maturity have an equal right to make decisions and to have those decisions respected, and is consistent with recommendations of the Australian Law Reform Commission in its 2014 report entitled Equality, Capacity and Disability in Commonwealth Law.

Freedom of Expression

The objective of the My Health Record system is to address information fragmentation by allowing a person to more easily access their own health information and make their health information securely accessible to healthcare providers involved in their care.  This objective promotes the freedom of expression, facilitating individuals receiving information regarding their health and sharing that with their healthcare providers.

While individuals can share their personal information as they see appropriate, healthcare providers, the My Health Record System Operator, the HI Service Operator and other participants in the My Health Record system are restricted in how and when they can use and share information in the My Health Record system.  These restrictions protect the privacy of individuals and identify the primary purposes of the My Health record system as supporting individual’s healthcare.  Trust and confidence in the My Health Record system is paramount to engagement and participation in the My Health Record system.  Without restricting when information can be accessed and used, people would not be willing to share their information through this system.

Conclusion

The Bill provides effective remedies for misuse of sensitive information and presents a contemporary approach to representation for children and people with a disability.  The My Health Record system continues to provide opportunities for individuals to exercise their right to control how their information is collected, used and disclosed.  The wide uptake of My Health Records achieved through opt-out participation will facilitate the My Health Record system becoming an integral part of the Australian health system leading to more effective healthcare and a more sustainable health system.

The Bill is compatible with human rights to the extent that it promotes certain rights, and that for those rights it limits, the limitation is reasonable, necessary and proportionate.

Minister for Health and Minister for Sport, the Hon Sussan Ley, MP
HEALTH LEGISLATION AMENDMENT (eHEALTH) BILL 2015

NOTES ON CLAUSES

For the convenience of readers, these notes will refer to the personally controlled electronic health record (PCEHR), the PCEHR system and the Personally Controlled Electronic Health Records Act 2012 (PCEHR Act) as the My Health Record, the My Health Record system and the My Health Records Act 2012.

Clause 1          Short title

Clause 1 provides that the Health Legislation Amendment (eHealth) Bill (the Bill), once enacted, will be cited as the Health Legislation Amendment (eHealth) Act 2015.

Clause 2          Commencement

This clause specifies when different parts of the Bill, once enacted, will commence.

Clauses 1 to 3, and Schedules 1 to 3, of the Bill will commence upon Royal Assent.  However, application provisions in Part 2 of Schedule 1 will mean that some provisions in Schedules 1 to 3 will not apply until a later time fixed by proclamation.  Having certain provisions apply only after a proclaimed date is necessary as those provisions should not take effect until either:

·         the Department has notified stakeholders of changes that will affect them, and updated its public material about the My Health Record system – Part 2 of Schedule 1 describes that a proclamation will prescribe an application day on which these amendments will take effect, or if that day does not occur within six months of the day Schedule 1 commences (the day the Act receives Royal Assent), these amendments will start immediately after the six month period; or

·         the Australian Commission for eHealth has been established and prescribed as the System Operator – Part 2 of Schedule 1 describes that a proclamation will prescribe a governance restructure day on which these amendments will take effect.  If that day is not prescribed, these amendments will not commence.

Schedule 4 contains further consequential amendments which commence at various specified times.

Clause 3          Schedule

Each Act that is specified in a Schedule to this Bill is amended or repealed as set out in the applicable items in the Schedule concerned, and any other item has effect according to its terms.

SCHEDULE 1—HEALTHCARE IDENTIFIERS AND HEALTH RECORDS

Schedule 1 amends the Copyright Act 1968 (Copyright Act), Healthcare Identifiers Act 2010 (HI Act), PCEHR Act and Privacy Act 1988 (Privacy Act).

PART 1—AMENDMENTS

Part 1 makes amendments primarily in relation to the handling of healthcare identifiers and the information flows relating to the My Health Record system (previously known as the personally controlled electronic health record or PCEHR system).  It includes changes that allow an opt-out My Health Record system to be trialled.

Copyright Act 1969

Item 1             After section 44BA

The My Health Record system enables registered healthcare provider organisations to upload documents containing health information to individuals’ My Health Records, such as reports, specialist letters, pathology and diagnostic imaging results and shared health summaries.  In the future, health records containing sound recordings (such as a recording of a heart beat) and cinematograph films (such as a three dimensional MRI video of a patient’s heart functioning) may also be uploaded to the My Health Record.  Amendments made by this Bill will also allow registered repository operators to make available health records they hold as part of an individual’s My Health Record (new section 50D refers).

Currently, healthcare provider organisations that register to participate in the My Health Record system grant a licence to the System Operator to use, reproduce, copy, modify, adapt, publish and communicate health records they upload for the purposes of providing healthcare and the My Health Record system.  That licence includes the right for the System Operator to sub-license other healthcare provider organisations and participants in the system, so that health records can be shared as part of providing healthcare and for other system purposes.  Under existing arrangements, all healthcare provider organisations are sub-licensed in a participation agreement (contract) when they register with the System Operator to join the My Health Record system.

As part of measures to reduce the regulatory burden on healthcare provider organisations, the registration process will be simplified and the need to enter into participation agreements will be removed.  As it will no longer be possible to rely on contractual licences in participation agreements, an exception to copyright infringement is to be placed in the Copyright Act to ensure that sharing and use of health records does not infringe any copyright that might subsist in health records.

However, sharing and use of health records does not just occur in the My Health Record system.  To enable the provision of healthcare, it is important that the exception to infringement continues to operate in relation to a health record even after it has been downloaded from the My Health Record.  This is because, for example, the record might be downloaded by a registered healthcare provider but then passed on to a treating specialist who may not be registered with the My Health Record system.  That specialist also needs to be able to use and share the health record for the purposes of providing healthcare without infringing any copyright that might subsist in the record.  Outside the My Health Record system, healthcare providers have generally relied on implied licences to share and use health records that might be subject to copyright.

Item 1 inserts new section 44BB into Part III, Division 3 of the Copyright Act to specify that a copyright in a work is not infringed by an act comprised in the copyright in the work if the act is done, or authorised to be done:

·         under subparagraph (i), for a purpose for which the collection, use or disclosure of health information is required or authorised under the amended My Health Records Act.  This will allow for the collection, use and disclosure of works to, in and from the My Health Record system, for the provision of healthcare and other permitted purposes of the My Health Records Act, without infringing any copyright that might subsist in the works.

·         under subparagraph (ii), in circumstances in which a permitted general situation exists under item 1 of the table in subsection 16A(1) of the Privacy Act, or would exist if the act were done, or authorised to be done, by an entity that is an APP entity for the purposes of the Privacy Act.  This exception is intended to ensure that there is no copyright infringement where a work is used in situations where the collection, use and disclosure of personal information is authorised under the Privacy Act in cases of a serious threat to the life, health or safety of an individual or to public health or safety.  Given that not all entities that need to rely on the serious threat to the life, health or safety of an individual or to public health or safety authorisation will be APP entities for the purposes of the Privacy Act, subparagraph (ii) makes it clear that it also applies in circumstances that “would exist if the act were done, or authorised to be done, by an entity that is an APP entity”;

·         under subparagraph (iii), if the circumstances constitute a permitted health situation under the Privacy Act (noting the new circumstances inserted by item 109 of Schedule 1) – this exception to copyright infringement also applies whether or not the entity taking the action is subject to the Privacy Act; or

·         under subparagraph (iv) for any other purpose relating to healthcare, or the communication or management of health information, prescribed by the regulations made under the Copyright Act.  No regulations are planned to support the My Health Record system at this time.  However, innovation and technology are constantly changing, as is the delivery of health services.  Therefore, flexibility is needed and the ability to prescribe other purposes relating to healthcare or the communication or management of health information is necessary to ensure that the exception to copyright infringement operates as intended to facilitate the provision of healthcare including as part of the My Health Record system.  This regulation-making power is intended only as a safety net to address any unforeseen circumstances and will operate in a narrow set of circumstances as regulations can only be made for purposes relating to healthcare or the communication or management of health information.

Under paragraph (b), section 44BB only applies to works:

·        that are substantially comprised of health information; or

·        where the work allows for the storage, retrieval or use of health information and it is reasonably necessary to do the act, or authorise it to be done, in circumstances that would otherwise infringe copyright in the work.

This paragraph is designed to restrict the scope of the exception to health information as defined in the My Health Records Act and a limited class of other works that allow for the storage, retrieval or use of the health record – for example, a computer program that may accompany a digital 3D diagnostic image and which allows the image to be viewed on a treating healthcare provider’s IT system.

“Works” are defined in the Copyright Act as including literary works (such as written health records) and artistic works (such as diagnostic still images, x-rays, etc.).  Section 44BB will apply to all works made on or after the application day.  The exception is not intended to effect an acquisition of property or otherwise affect ownership of any copyright that might exist in a work.  Rather, the exception merely provides that it is not an infringement of copyright to do specified things related to the provision of healthcare, including as part of the My Health Record system.

It will be a condition of the registration of healthcare provider organisations and repository operators under the My Health Records Act that such organisations and operators do not upload or make works available to the My Health Record system that are made before the application day if to do so would breach copyright.  Refer to items 78 to 79 for works that are created before this amendment in item 1 commences.

Item 2 After section 104B

Health records may include sound recordings and cinematograph films.  For example, a recording of a person’s breathing for their treatment as a chronic asthmatic, or an ultrasound of a foetus for the treatment of a prenatal condition.

Item 2 inserts new section 104C into Part IV of the Copyright Act which will apply to sound recordings and cinematograph films.  It specifies that a copyright in a sound recording or cinematograph film is not infringed by an act comprised in the copyright in the work if the act is done, or authorised to be done:

·         under subparagraph (i), for a purpose for which the collection, use or disclosure of health information is required or authorised under the amended My Health Records Act.  This will allow for the collection, use and disclosure of sound recordings and cinematograph films to, in and from the My Health Record system, for the provision of healthcare and other permitted purposes of the My Health Records Act, without infringing any copyright that might subsist in the health information;

·         under subparagraph (ii), in circumstances in which a permitted general situation exists under item 1 of the table in subsection 16A(1) of the Privacy Act, or would exist if the act were done, or authorised to be done, by an entity that is an APP entity for the purposes of the Privacy Act.  This exception is intended to ensure that there is no copyright infringement where a work is used in situations where the collection, use and disclosure of personal information is authorised under the Privacy Act in cases of a serious threat to the life, health or safety of an individual or to public health or safety.  Given that not all entities that need to rely on the serious threat to the life, health or safety of an individual or to public health or safety authorisation will be APP entities for the purposes of the Privacy Act, subparagraph (ii) makes it clear that it also applies in circumstances that “would exist if the act were done, or authorised to be done, by an entity that is an APP entity”;

·         under subparagraph (iii), if the circumstances constitute a permitted health situation under the Privacy Act (noting the new circumstances inserted by item 109 of Schedule 1) – this exception to copyright infringement also applies whether or not the entity taking the action is subject to the Privacy Act; or

·         under subparagraph (iv) for any other purpose relating to healthcare, or the communication or management of health information, prescribed by the regulations made under the Copyright Act.  No regulations are planned to support the My Health Record System at this time.  However, innovation and technology are constantly changing, as is the delivery of health services.  Therefore, flexibility is needed and the ability to prescribe other purposes relating to healthcare or the communication or management of health information is necessary to ensure that the exception to copyright infringement operates as intended to facilitate the provision of healthcare including as part of the My Health Record system.  This regulation-making power is intended only as a safety net to address any unforeseen circumstances and will operate in a narrow set of circumstances as regulations can only be made for purposes relating to healthcare or the communication or management of health information.

Under paragraph (b), section 104C only applies to sound recordings or cinematograph films:

·        that are substantially comprised of health information; or

·        where the sound recording or cinematograph film allows for the storage, retrieval or use of health information and it is reasonably necessary to do the act, or authorise it to be done, in circumstances that would otherwise infringe copyright in the work.

This paragraph is designed to restrict the scope of the exception to health information as defined in the My Health Records Act and a limited class of other sound recordings or cinematograph films that allow for the storage, retrieval or use of the health record.

New section 104C applies to any sound recording or cinematograph film that is created on or after the application day.  It is not intended to effect an acquisition of property or otherwise affect ownership of any copyright that might exist in a sound recording or cinematograph film.  Rather, new section 104C provides that it is not an infringement of copyright to do specified things related to the provision of healthcare, including as part of the My Health Record system.

It will be a condition of the registration of healthcare provider organisations and repository operators under the My Health Records Act that such organisations and operators do not upload or make available sound recordings or cinematograph films made before the application day where to do so would breach copyright.  Refer to items 78 to 79 for material that is created before this amendment commences.

Healthcare Identifiers Act 2010

“For the purposes of the My Health Record system”

In both the HI Act and the My Health Records Act, a number of the authorisations allow collection, use or disclosure of information “for the purposes of the My Health Record system”.  Amongst other things, the purposes of the My Health Record system will require consideration of the System Operator’s functions under section 15 of the My Health Records Act, the purposes and objects of the My Health Records Act, and the powers and obligations of the System Operator and other participants in the My Health Record system.

Items 3, 29, 34, 37, 41, 43, 44 and 47

It is now common practice to include simplified outlines in Acts.  These outlines are intended to assist readers to understand the intent of provisions and apply them.

The HI Act does not currently include any simplified outlines.

These items insert simplified outlines for the HI Act, providing a high level description of what is contained in each Part of the Act and serving as a directory to the whole of the Act.

Items 4-25       Section 5

Section 5 of the HI Act defines certain terms used in the HI Act.  Items 4 to 25 make amendments to several definitions, or insert or remove definitions, as a result of other amendments being made by this Bill.  Changes include:

·         defining Australian law and court/tribunal order in relation to the collection, use or disclosure of Healthcare Provider Directory information (item 42 refers) to ensure they align with the Privacy Act and the Regulatory Powers Act;

·         defining authorised representative and nominated representative for the purposes of new sections 15, 17 and 20 (item 34 refers) to ensure they align with the My Health Records Act;

·         defining civil penalty provision as a result of establishing a civil penalty framework in the HI Act (item 43 refers) to align with the Regulatory Powers (Standard Provisions) Act 2014;

·         defining linked in relation to a healthcare provider’s relationship to an organisation for the purposes of the Healthcare Provider Directory (items 41 and 42 refer);

·         revising Ministerial Council to recognise that the National Partnership Agreement on E‑Health to which the definition made reference has expired, and to provide future flexibility for changes to the responsible senior body – at the time of writing, the Council of Australian Governments Health Council is the relevant Ministerial Council;

·         updating network, network organisation, organisation maintenance officer, responsible officer and seed organisation to correctly cross reference with the amended provisions at new section 9A (item 31 refers);

·         defining personal information for the purposes of new and amended sections 25E, 26, 29 and 31 (items 34, 36, 38 to 40 and 42 refer) to ensure it aligns with the Privacy Act;

·         changing Personally Controlled Electronic Health Records Act to My Health Records Act to reflect the changes made by Schedule 2 of this Bill;

·         defining Regulatory Powers Act for the purpose of new provisions that trigger provisions of the Regulatory Powers (Standard Provisions) Act 2014 to allow for civil penalties, enforceable undertakings and injunctions (see item 43);

·         revising service operator to reflect the new provision inserted by item 26; and

·         removing terms that are no longer used:

o   data source which is no longer necessary because of the new style in which authorisations are prescribed;

o   Medicare Benefits Program, medicare program and Pharmaceutical Benefits Program which are no longer necessary because of the new style in which authorisations are prescribed;

o   professional and business details which is no longer necessary because this information is now detailed as part of new subsection 31(3) (item 42 refers); and

o   public body which is no longer necessary.

Item 26           After section 5

This item inserts new section 6 to define that the HI Service Operator is either the Chief Executive Medicare (as is the case at present) or a body specified in regulations.

While there is presently no intention to make another entity the HI Service Operator, this amendment provides future flexibility should there be a government decision to make a different entity the HI Service Operator.  The same flexibility is already provided in section 14 of the My Health Records Act in relation to the identity of the My Health Record System Operator.

As a result of the words “… a body established by a law of the Commonwealth …” (emphasis added), the identity of a new HI Service Operator is limited to statutory bodies formed under a Commonwealth law.  This would preclude, for example, a company formed under the Corporations Act 2001 from being prescribed as the HI Service Operator.  This will ensure that if a decision is made in the future to change the identity of the HI Service Operator, the new Service Operator will have the same standards of accountability as the current HI Service Operator.

Items 27-28     Section 7

These items amend section 7 to specify additional information as identifying information for the purposes of the HI Service and the My Health Record system.

Subsections 7(1) and 7(2) specify the information about an individual healthcare provider and healthcare provider organisation respectively that is identifying information and therefore can only be collected, used or disclosed for authorised purposes.  These subsections also provide that regulations can be made prescribing additional information as identifying information.  The Healthcare Identifiers Regulations 2010 (HI Regulations) currently specify that, among other things, a provider’s or organisation’s email address, telephone number and fax number are identifying information (regulation 5).  Item 27 simply inserts a new paragraph (ba) in each subsection to include this additional information to align with the equivalent definitions in current section 9 of the My Health Records Act.  The HI Regulations will be amended to remove this information accordingly.

Subsection 7(3) specifies the information about a healthcare recipient that is identifying information and therefore can only be collected, used or disclosed for authorised purposes.  Unlike subsections 7(1) and (2), it does not currently provide that regulations can be made to prescribe additional information as identifying information.  Item 28 inserts a new paragraph (i) which will allow such regulations to be made.  This aligns with the rest of section 7 and with a corresponding change to the My Health Records Act (item 65 refers).

Item 30           Subsection 9(6)

Subsection 9(6) currently states that a healthcare identifier is a government identifier for the purposes of the Privacy Act which means that they are subject to certain restrictions.

Item 30 amends the subsection to provide that only healthcare identifiers for healthcare recipients and individual healthcare providers are government identifiers.  This makes clear that healthcare identifiers for healthcare provider organisations are not government identifiers.

Item 31           Section 9A

Section 9A currently defines the different classes of healthcare provider that may be assigned a healthcare identifier, distinguishing between types of individual healthcare providers and healthcare provider organisations.

Item 31 replaces the section with a new section 9A to simplify the provisions relating to seed and network organisations, and the characteristics needed for an employee to be a responsible officer or an organisation maintenance officer.  Most parts of new section 9A have the same effect as current section 9A of the HI Act.

New subsection 9A(1) specifies that the Service Operator may assign healthcare identifiers to individual healthcare providers registered by registration authorities as a member of a healthcare profession – for example, a medical practitioner or a nurse registered by the Australian Health Practitioner Regulation Agency (AHPRA) under the National Law.  The subsection also permits the Service Operator to assign healthcare identifiers to individual healthcare providers that are members of professional associations that meet specified criteria.

New subsection 9A(2) specifies that the Service Operator may assign healthcare identifiers to healthcare provider organisations that are either seed organisations, or are not part of a “network” (see new subsection 9A(4)), provided that the organisation meets the criteria specified in paragraphs (a) to (c).

New subsection 9A(3) specifies that the Service Operator may assign healthcare identifiers to healthcare provider organisations that are network organisations, provided that the organisation meets the criteria specified in paragraphs (a) to (d).

New subsection 9A(4) specifies when a healthcare provider organisation will be part of a “network”.  In summary, a network of healthcare provider organisations is a group of two or more healthcare provider organisations that satisfy one of the two criteria in paragraphs (a) and (b).

New subsections 9A(5) and (6) describe seed organisations and network organisations.  In summary:

·         a seed organisation is a healthcare provider organisation that is at the head of a network; and

·         a network organisation is any healthcare provider organisation, other than a seed organisation, that is part of a network.

New subsections 9A(7) and (8) set out the characteristics that a person must have to be a responsible officer and an organisation maintenance officer respectively.  It should be noted that these two subsections merely specify the minimum characteristics that individuals must have in order to be responsible officers and organisation maintenance officers.  The provisions do not limit the functions that responsible officers and organisation maintenance officers may perform.  For example, a healthcare provider organisation might nominate an individual to be its responsible officer and also authorise the person to carry out any of the functions that an organisation maintenance officer would usually perform – this is a matter for the healthcare provider organisation.  There is nothing in the amended legislation that would prevent, for example, a responsible officer carrying out tasks that are specified under new subsection 9A(8), even if the responsible officer had not separately applied to the HI Service Operator to be an organisation maintenance officer.

As before, a responsible officer of a seed organisation is also the responsible officer of any network organisation of the seed organisation, meaning that there will only be one responsible officer for a network of healthcare provider organisations.  A responsible officer can delegate their powers and duties without assigning a replacement responsible officer or ceasing to be the responsible officer.

Item 32           Section 10

Section 10 deals with the HI Service Operator’s obligation to keep a record of healthcare identifiers and related information such as requests for healthcare identifiers.  Item 32 simply updates references to Division numbers to reflect changes being made by this Bill.

Item 33           Part 3 (heading)

Item 33 replaces the heading of Part 3 to make clear that Part 3 deals not only with the use and disclosure of healthcare identifiers and other information, but also with the collection of healthcare identifiers and other information.

Item 34           Divisions 1, 2, 2A and 3 of Part 3

Divisions 1, 2, 2A and 3 currently authorise the collection, use and disclosure of healthcare identifiers and other information and are grouped according to type of information or entity taking the action.  Some of these provisions have proven to be ambiguous and many are not set out as clearly and simply as would be ideal.  This has led to some confusion about whether certain actions are or are not authorised.

Item 34 replaces these with restructured provisions to make clear how and why healthcare identifiers and other information can be used, and by whom.  It inserts new Divisions 1, 2 and 3.

New Division 1 provides a simplified outline for Part 3 of the HI Act as previously described.

New Division 2 sets out the authorisations related to the collection, use and disclosure of healthcare identifiers and other information relating to healthcare recipients.

To help readers understand what changes are being made by this amendment, the authorisations are set out in the following table with either a reference to existing equivalent authorisations or with an explanation of why the new authorisation is required.

New section no.

Table item no.

Authorisation

Existing section number or reason for new authorisation

Assigning a healthcare identifier to a healthcare recipient

12

1

An identified healthcare provider may use and disclose to the HI Service Operator a healthcare recipient’s identifying information for the purpose of assisting the HI Service Operator to assign a healthcare identifier to the healthcare recipient.

HI Act: 11(1)

Disclosure is currently authorised under existing subsection 11(1), but use is not as reliance was placed on existing privacy laws for this.  Use is now included in the authorisation to clarify the situation and ensure all necessary authorisations are in one place.

2

The Chief Executive Medicare, Veterans’ Affairs Department and Defence Department may use and disclose to the HI Service Operator a healthcare recipient’s identifying information for the purpose of assisting the HI Service Operator to assign a healthcare identifier to the healthcare recipient.

HI Act: 12(1) and 12(2)

Disclosure is currently authorised, but use is not as reliance was placed on existing privacy laws for this.  Use is now included in the authorisation to clarify the situation and ensure all necessary authorisations are in one place.

3

The HI Service Operator may collect from an identified healthcare provider, the Chief Executive Medicare, the Veterans’ Affairs Department and the Defence Department, and use, a healthcare recipient’s identifying information for the purpose of assigning a healthcare identifier to a healthcare recipient.

HI Act: 11(2) and 12(3)

Keeping a record of healthcare identifiers and related information

13

1

Any entity that has access to a healthcare recipient’s healthcare identifier may use and disclose to the HI Service Operator that healthcare identifier or information that relates to that healthcare identifier for the purposes of assisting the service operator to establish and maintain a record mentioned in section 10.

This clarifies the collection, use and disclosure authorisations needed for the service operator to establish and maintain a record of healthcare identifiers assigned and other matters under section 10 of the HI Act.

2

The HI Service Operator may collect from any entity as referred to in item 1 above, and use, the healthcare identifier of a healthcare recipient and information that relates to that healthcare identifier for the purposes of assisting the service operator to establish and maintain a record mentioned in section 10.

This clarifies the collection, use and disclosure authorisations needed for the service operator to establish and maintain a record of healthcare identifiers assigned and other matters under section 10 of the HI Act.

Providing healthcare to a healthcare recipient

14(1)

1

An identified healthcare provider may use and disclose to the HI Service Operator a healthcare recipient’s identifying information for the purpose of assisting the HI Service Operator to disclose the healthcare recipient’s healthcare identifier to the healthcare provider.

HI Act: 16(1)

Disclosure is currently authorised, but use is not, as reliance was placed on existing privacy laws for this.  Use is now included in the authorisation to clarify the situation and ensure all necessary authorisations are in one place.

2

The HI Service Operator may collect from an identified healthcare provider, use and disclose to an identified healthcare provider a healthcare recipient’s identifying information for the purpose of disclosing the healthcare recipient’s healthcare identifier to the healthcare provider.

HI Act: 16(2)

Collection and use of identifying information is currently authorised but disclosure is not.  Disclosure is now authorised to assist the healthcare provider to correctly match a healthcare recipient to their healthcare identifier.

Experience over the last five years indicates that there is about a 20% failure rate when attempting to identify an individual’s healthcare identifier based on information provided by a healthcare provider organisation.  This failure rate is frequently due to minor typographical errors, differing naming conventions (e.g. Jo vs Joanne) listed against an individual by either the provider or by the HI Service Operator.  This level of failure is resulting in a significant issue in that individuals cannot be correctly linked to their healthcare identifiers, preventing them obtaining many of the benefits of eHealth and the My Health Record system.

Many of these failures could be overcome if the Service Operator were authorised to disclose limited identifying information about an individual back to the healthcare provider organisation seeking the individual’s healthcare identifier.

Under this authorisation, the Service Operator will only disclose information about the individual (not about third parties) and only where the Service Operator is confident they have identified the correct healthcare recipient – e.g. there might be a small typographical error in the first name of the person whose details have been provided by a healthcare provider.

The Service Operator will develop policies to minimise risks associated with disclosure of identifying information to organisations seeking an individual’s healthcare identifier.

3

The HI Service Operator may use and disclose to an identified healthcare provider a healthcare recipient’s healthcare identifier for the purpose of assisting the healthcare provider to communicate or manage health information as part of providing healthcare to the healthcare recipient.

HI Act: 17 (1)

4

An identified healthcare provider may collect from the HI Service Operator a healthcare recipient’s healthcare identifier for the purpose of communicating or managing health information as part of providing healthcare to the healthcare recipient.

HI Act: 17(2)

5

A healthcare provider may use and disclose to another entity a healthcare recipient’s healthcare identifier for the purpose of communicating or managing health information as part of:

·         the provision of healthcare to the healthcare recipient;

·         the management (including investigation or resolution of complaints), funding, monitoring or evaluation of healthcare;

·         the provision of indemnity cover for a healthcare provider; or

·         the conduct of research that has been approved by the Human Research Ethics Committee.

HI Act: 24(1)

6

An entity to whom a healthcare recipient’s healthcare identifier is disclosed as specified in item 5 above may collect, use and disclose a healthcare recipient’s healthcare identifier for the purpose for which it was disclosed to the entity.

HI Act: 24(2) and (3)

14(2)

N/A

Section 14 does not authorise the collection, use or disclosure of a healthcare recipient’s healthcare identifier for the purpose of communicating or managing health information as part of underwriting a contract of insurance that covers the healthcare recipient; determining whether to enter into a health insurance contract that covers the healthcare recipient (whether alone or as a member of a class); determining whether a contract of insurance covers the healthcare recipient in relation to a particular event; or employing a healthcare recipient.

HI Act: 24(4)

My Health Record purposes

15

N/A

The HI Service Operator may collect, use and disclose identifying information about, or a healthcare identifier of:

·         a healthcare recipient;

·         an authorised representative; or

·         a nominated representative,

for the purposes of the My Health Record system.

HI Act: 19A, 19B and 19C

HI Regulations: 15(1)

The collection, use and disclosure by the HI Service Operator was authorised but only in limited circumstances to the System Operator, the Chief Executive Medicare, other Departments and a participant in the My Health Record System.  To ensure the My Health Record system has the necessary legislative authorities, disclosure has been broadened so long as it is for the purposes of the My Health Record system.

Aged care purposes

(These authorisations were included in the HI Act as parts of the amendments made by the Aged Care And Other Legislation Amendment Act 2014)

16

1

An identified healthcare provider may disclose to the Aged Care Department a healthcare recipient’s identifying information for an aged care purpose.

HI Act: 12A(1)

2

The Aged Care Department may collect from an identified healthcare provider, use and disclose to an identified healthcare provider a healthcare recipient’s identifying information for an aged care purpose.

HI Act: 12A(2) and 12A(3)(b)

3

An identified healthcare provider may collect from the Aged Care Department and use a healthcare recipient’s identifying information for an aged care purpose.

HI Act: 12A(5)

4

The Aged Care Department may disclose to the HI Service Operator a healthcare recipient’s identifying information for an aged care purpose.

HI Act: 12(3)(a)

5

The HI Service Operator may collect from the Aged Care Department and use a healthcare recipient’s identifying information for an aged care purpose.

HI Act: 12A(4)

6

The HI Service Operator may use and disclose to the Aged Care Department a healthcare recipient’s healthcare identifier for an aged care purpose.

HI Act: 19D(1)

7

A healthcare provider may disclose to the Aged Care Department a healthcare recipient’s healthcare identifier for an aged care purpose.

HI Act: 23A(1)

8

The Aged Care Department may collect from the HI Service Operator or a healthcare provider, and use, a healthcare recipient’s healthcare identifier for an aged care purpose.

HI Act: 19D(2) and 23A(2)

Adopting a healthcare recipient’s healthcare identifier

17

1

A healthcare provider may adopt a healthcare recipient’s, an authorised representative’s or a nominated representative’s healthcare identifier for use as the healthcare provider’s own identifier of the healthcare recipient, the authorised representative or the nominated representative of the healthcare recipient.

HI Act: 25

Adoption of the healthcare recipient’s identifier was previously authorised in the HI Act.  New section 17 has broadened this authorisation to also include authorised representative’s and nominated representative’s healthcare identifiers, as it may be necessary for healthcare providers to adopt these healthcare identifiers in order to associate the correct representative with the correct healthcare recipient.

2

The System Operator may adopt a healthcare recipient’s, an authorised representative’s or a nominated representative’s healthcare identifier for use as the System Operator’s own identifier for the purposes of the My Health Record system.

HI Act: 22B(1) and 22B(2)

3

A registered repository operator or registered portal operator may adopt a healthcare recipient’s, an authorised representative’s or a nominated representative’s healthcare identifier for use as that entity’s own identifier for the purposes of the My Health Record system.

HI Act: 22B(1) and 22B(2)

Disclosing a healthcare recipient’s healthcare identifier

18

N/A

The HI Service Operator, the System Operator or a healthcare provider may disclose a healthcare recipient’s healthcare identifier to the healthcare recipient or to a responsible person as defined by the Privacy Act.

HI Act: 18(a)  and 23

The HI Act authorised the HI Service Operator and healthcare providers to disclose a healthcare recipient’s healthcare identifier.  Disclosure has been broadened in this new section to further allow the System Operator to also disclose an identifier to the healthcare recipient or to a responsible person.  This will make it easier for healthcare recipients and responsible persons to get an individual’s healthcare identifier.  For example, if they are already dealing with the System Operator, the System Operator will be able to disclose the identifier and it will not be necessary to refer the healthcare recipient or the responsible person to the HI Service Operator.

Disclosing information about  a healthcare recipient’s healthcare identifier

19

N/A

The HI Service Operator may disclose information relating to the healthcare recipient that is included in its record of healthcare identifiers maintained under section 10, to the healthcare recipient or to a responsible person as defined by the Privacy Act.

HI Act: 18(b)

Regulations to provide additional authorisation

20(1), (2) and (3)

N/A

Regulations may authorise the collection, use and disclosure of identifying information about, and a healthcare identifier of:

·         a healthcare recipient;

·         an authorised representative; or

·         a nominated representative,

or authorise the adoption of the healthcare identifier of:

·         a healthcare recipient;

·         an authorised representative; or

·         a nominated representative,

but only for purposes relating to:

·         providing healthcare to healthcare recipients or a class of healthcare recipients;

·         determining whether adequate and appropriate healthcare is available to healthcare recipients or a class of healthcare recipients;

·         facilitating the provision of adequate and appropriate healthcare to healthcare recipients or a class of healthcare recipients;

·         assisting persons who, because of health issues (including illness, disability or injury), require support; or

·         the My Health Record system.

HI Act: section 22E permits regulations to be made authorising the collection, use and disclosure of identifying information and healthcare identifiers for certain purposes related to the My Health Record system.  Disclosure of this information is currently limited to participants in the My Health Record system.

New section 20 broadens the power to allow for future regulations to be made allowing prescribed entities to collect, use, disclose and adopt identifying information and healthcare identifiers, but only for very limited purposes related to the provision of healthcare or to assist people who, because of health issues, require support.  These entities could include, for example, the National Disability Insurance Agency (NDIA) and cancer registers.  Healthcare identifiers are an accurate identifier of an individual, and such entities and individuals may benefit from the entity being able to associate disability or health-related records with an individual’s healthcare identifier.  In the future this may allow, for example, the viewing of certain disability or cancer registry records as part of an individual’s My Health Record.

Currently, entities such as NDIA and cancer registers are not authorised to handle healthcare identifiers or identifying information as they are not healthcare providers within the meaning of the HI Act.  The new power has been designed to allow the appropriate collection, use, disclosure and adoption of healthcare identifiers and identifying information by entities like NDIA and cancer registers, within tight limits related to providing healthcare and assisting individuals who require support because of health issues, without having to amend the Act each time a new entity needs to be authorised.

New Division 3 sets out the authorisations related to the collection, use and disclosure of healthcare identifiers and other information relating to healthcare providers.

To help readers understand what changes are being made by this amendment, the authorisations are set out in the following table with either a reference to existing equivalent authorisations or with an explanation of why the new authorisation is required.

New section no.

Table item no.

Authorisation

Existing section number or reason for new authorisation

Assigning a healthcare identifier to a healthcare provider

21

1

The HI Service Operator may collect from the Chief Executive Medicare, Veterans’ Affairs Department or Defence Department, and use, a healthcare provider’s identifying information for the purpose of assigning a healthcare identifier to the healthcare provider.

HI Act: 12(3)

2

The Chief Executive Medicare, Veterans’ Affairs Department and Defence Department may use and disclose to the service operator identifying information of a healthcare provider for the purpose of assigning a healthcare identifier to the healthcare provider.

HI Act: 12(1) and 12(2)

Disclosure is currently authorised, but use is not as reliance was placed on existing privacy laws for this.  Use is now included in the authorisation to clarify the situation and ensure all necessary authorisations are in one place.

3

The HI Service Operator may collect from a healthcare provider and use information relating to the healthcare provider that is requested by the HI Service Operator under section 9B for the purpose of assigning a healthcare identifier to the healthcare provider.

The authorisation for the collection and use of the information requested under section 9B was implied.  This new item ensures there is express authorisation.

Keeping a record of healthcare providers’ healthcare identifiers

22

1

A national registration authority may use and disclose to the HI Service Operator a healthcare provider’s healthcare identifier or information relating to that healthcare identifier, for the purposes of assisting the HI Service Operator to establish and maintain its  record of healthcare identifiers under section 10.

HI Act: 13(1)

Disclosure is currently authorised, but use is not as reliance was placed on existing privacy laws for this.  Use is now included in the authorisation to clarify the situation and ensure all necessary authorisations are in one place.

2

The HI Service Operator may collect from a national registration authority and use a healthcare provider’s healthcare identifier or information relating to that healthcare identifier, for the purposes of assisting the HI Service Operator to establish and maintain its record of healthcare identifiers under section 10.

HI Act: 13(2)

Providing healthcare to a healthcare recipient

23

1

An identified healthcare provider may use and disclose to the HI Service Operator a healthcare provider’s healthcare identifier for the purpose of assisting the healthcare provider to communicate or manage health information as part of providing healthcare to a healthcare recipient.

HI Act: 22E

HI Regulations: 14

2

The HI Service Operator may collect from an identified healthcare provider a healthcare provider’s identifying information for the purpose of assisting the healthcare provider to communicate or manage health information as part of providing healthcare to a healthcare recipient.

HI Act: 22E

HI Regulations: 14

3

The HI Service Operator may use or disclose to an identified healthcare provider a healthcare provider’s healthcare identifier for the purpose of assisting the healthcare provider to communicate or manage health information as part of providing healthcare to a healthcare recipient.

Hi Act: 17(1) and 22E

HI Regulations: 14

4

An identified healthcare provider may collect from the HI Service Operator a healthcare provider’s healthcare identifier for the purpose of communicating or managing health information as part of providing healthcare to a healthcare recipient.

HI Act: 17(2) and 22E

HI Regulations: 14

 

5

A healthcare provider may collect from another healthcare provider, use and disclose to another healthcare provider the healthcare identifier of a healthcare provider for the purpose of communicating or managing health information, as part of providing healthcare to a healthcare recipient.

HI Act: 24 and 22E

HI Regulations: 14

My Health Record purposes

24

N/A

The HI Service Operator may collect, use and disclose identifying information about, or a healthcare identifier of, a healthcare provider for the purposes of the My Health Record system.

HI Act: 17, 19, 19A, 19B and 19C

The HI Service Operator previously had various authorities to collect, use or disclose healthcare identifiers and identifying information of healthcare providers in certain circumstances.  To ensure the efficiency of the My Health Record system these authorisations have been condensed to one authority to allow collection, use or disclosure for the purposes of the My Health Record system.

Authentication in electronic communications

25

1

The HI Service Operator or a registration authority may use and disclose to any entity identifying information about, or a healthcare identifier of, a healthcare provider for the purpose of enabling the healthcare provider’s identity to be authenticated in electronic transmissions.

HI Act: 20(1)

2

An entity to whom information is disclosed for the purposes of authenticating a healthcare provider’s identity in electronic communications as specified in item 1 above, may collect from any entity, use and disclose to any entity identifying information about, or a healthcare identifier of, a healthcare provider for the purpose of enabling the healthcare provider’s identity to be authenticated in electronic communications.

HI Act: 20(2)

Sharing information with registration authorities

25A

1

The HI Service Operator may use and disclose to a registration authority a healthcare provider’s healthcare identifier for the purpose of assisting the registration authority to register the healthcare provider.

HI Act: 19(1)

Disclosure is currently authorised, but use is not as reliance was placed on existing privacy laws for this.  Use is now included in the authorisation to clarify the situation and ensure all necessary authorisations are in one place.

2

A registration authority may collect and use a healthcare provider’s healthcare identifier for the purpose of registering the healthcare provider or performing any other function of the registration authority under the law.

HI Act: 19(2)

3

The HI Service Operator may collect from a registration authority, use and disclose to a registration authority identifying information about, or a healthcare identifier of, a healthcare provider for the purpose of ensuring that information held by the HI Service Operator or the registration authority is accurate, up-to-date and complete.

This is a new authorisation to ensure information about healthcare providers is kept accurate, up-to-date and complete.

4

A registration authority may collect from the HI Service Operator, use and disclose to the HI Service Operator identifying information about, or a healthcare identifier of, a healthcare provider for the purpose of ensuring that information held by the HI Service Operator or the registration authority is accurate, up-to-date and complete.

This is a new authorisation to ensure information about healthcare providers is kept accurate, up-to-date and complete.

Adopting a healthcare provider’s healthcare identifier

25B

1

The System Operator may adopt a healthcare provider’s healthcare identifier for use as the System Operator’s own identifier for the purposes of the My Health Record system.

HI Act: 22B

2

A registered repository operator or registered portal operator may adopt a healthcare provider’s healthcare identifier for use as that operator’s own identifier for the purposes of the My Health Record system.

HI Act: 22B

3

A participant in the My Health Record system to whom the healthcare identifier is disclosed by a registered repository operator or registered portal operator under section 58A of the My Health Records Act, may adopt a healthcare provider’s healthcare identifier for use in authenticating the identity of the healthcare provider in electronic communications.

HI Act: Based on 20(2)(c)

Providing the healthcare provider’s healthcare identifier to them

25C

N/A

An entity who knows a healthcare provider’s healthcare identifier may disclose that healthcare identifier to the healthcare provider.

New authorisation to allow healthcare providers easy access to their healthcare identifiers which may have been previously unknown to the healthcare provider.

Regulations to provide additional authorisation

25D (1), (2) and (3)

N/A

Regulations may authorise the collection, use or disclosure of the healthcare provider’s healthcare identifier or identifying information, or the adoption of the healthcare provider’s healthcare identifier, but only for purposes relating to:

·         providing healthcare to healthcare recipients or a class of healthcare recipients;

·         determining whether adequate and appropriate healthcare is available to healthcare recipients or a class of healthcare recipients;

·         facilitating the provision of adequate and appropriate healthcare to healthcare recipients or a class of healthcare recipients;

·         assisting persons who, because of health issues, require support; or

·         the My Health Record system.

HI Act: section 22E permits regulations to be made authorising the collection, use and disclosure of identifying information and healthcare identifiers for certain purposes related to the My Health Record system.  Disclosure of this information is currently limited to participants in the My Health Record system.

New section 20 broadens the power to allow for future regulations to be made allowing prescribed entities to collect, use, disclose and adopt identifying information and healthcare identifiers, but only for very limited purposes related to the provision of healthcare or to assist people who, because of health issues, require support.  These entities could include, for example, the National Disability Insurance Agency (NDIA) and cancer registers.  Healthcare identifiers are an accurate identifier of an individual, and such entities and individuals may benefit from the entity being able to associate disability or health-related records with an individual’s healthcare identifier.  In the future this may allow, for example, the viewing of certain disability or cancer registry records as part of an individual’s My Health Record.

Currently, entities such as NDIA and cancer registers are not authorised to handle healthcare identifiers or identifying information as they are not healthcare providers within the meaning of the HI Act.  The new power has been designed to allow the appropriate collection, use, disclosure and adoption of healthcare identifiers and identifying information by entities like NDIA and cancer registers, within tight limits related to providing healthcare and assisting individuals who require support because of health issues, without having to amend the Act each time a new entity needs to be authorised.

Any regulations made under new subsections 20(4) and (5) (relating to healthcare recipients’ healthcare identifiers), and subsections 25D(4) and (5) (relating to healthcare providers’ healthcare identifiers), may establish processes for disclosing healthcare identifiers including rules about requests to the  HI Service Operator to disclose healthcare identifiers, and may require the entity to provide certain information to the HI Service Operator.

Under new subsection 25D(6), the regulations may also require an identified healthcare provider to provide information relating to the healthcare provider’s healthcare identifier or prescribed by the regulations for the purposes of section 25D.  This new subsection is based on existing section 14 of the HI Act.

Subsection 25E(1) places an obligation on healthcare provider organisations to update information about them held by the HI Service Operator, if the provider organisation becomes aware that the information is not accurate, up-to-date and complete.  This subsection is based on existing section 14 and HI Regulation 6 (which will be repealed), but has been expanded to ensure all information held by the HI Service Operator is maintained.  With the move to all healthcare provider organisations being listed in the Healthcare Provider Directory (HPD), it is important that information held by the System Operator be maintained.  If it is not maintained, healthcare providers using the HPD may not be able to rely on the HPD to accurately identify other providers as part of providing healthcare, and to accurately send secure health information to them.  Under subsection 25E(1), information must be updated within 20 business days after the organisation becomes aware that the information held by the Service Operator is not accurate, up-to-date and complete.

Subsection 25E(2) contains one of the two exceptions to the requirement to update information held by the HI Service Operator – that is, if:

·         the information that is not accurate, up-to-date and complete is personal information that the Service Operator could only obtain with the consent of the person to whom it relates; and

·         instead of giving the Service Operator accurate, up-to-date and complete personal information, the healthcare provider organisation tells the Service Operator within the 20 business day timeframe under subsection 25E(1) in the approved manner and form that the person to whom the information relates has withdrawn their consent for the information to be given to the Service Operator.

Subsection 25E(2) is consistent with the changes the Bill makes in removing many of the restrictions that have previously applied to the healthcare identifiers and identifying information of healthcare provider organisations, while retaining those protections in relation to the healthcare identifiers and identifying information of individual healthcare providers.  In line with those changes, this subsection retains consent requirements around personal information, while not extending the exception to cover information about healthcare provider organisations.

Subsection 25E(3) contains the second of the two exceptions to the requirement to update information held by the HI Service Operator – that is, if:

·         a healthcare provider is required by an Australian law, or by a lawful requirement of a national registration authority, to give the registration authority accurate, up-to-date and complete information; and

·         the healthcare provider complies with that requirement.

Subsection 25E(3) is primarily designed to reflect the situation that applies in relation to individual healthcare providers registered by AHPRA (which is a national registration authority under the HI Act and HI regulations) under the National Law.  The National Law obliges healthcare providers regulated by the National Law to keep their details held by AHPRA accurate, up-to-date and complete.  If AHPRA receives updated information, it shares the information with the HI Service Operator – see new section 25A, items 3 and 4 of the table.

A person is liable for a civil penalty of up to 100 penalty units under subsection 25E(4) if they fail to give the HI Service Operator information in the circumstances mentioned in subsection 25E(1), and the person knows or is reckless as to those circumstances.

Item 35           Division 4 of Part 3

Item 35 replaces the heading of Division 4 to make clear that it deals not only with the use and disclosure of healthcare identifiers, but also with the use and disclosure of other information that is obtained under the HI Act.

Item 36           Section 26

Section 26 currently provides that a use or disclosure of a healthcare identifier by a person is prohibited unless it is used or disclosed:

·         for the purpose for which it was disclosed to the person;

·         for a purpose authorised by another law; or

·         for a purpose permitted by section 16 of the Privacy Act (relating to the person’s personal, family or household affairs).

A person who contravenes existing section 26 may incur a criminal penalty of two years’ imprisonment, or 120 penalty units (currently $21,600 for individuals and $108,000 for bodies corporate), or both.[35]

Similarly, section 15 currently provides that a use or disclosure of information by a person is prohibited unless it is used or disclosed:

·         for the purpose for which was disclosed to the person; or

·         for a purpose authorised by another law.

Further, section 15 also provides that the use or disclosure of information by a person who knows that the information was not authorised to be disclosed to them is prohibited.  A criminal penalty of two years’ imprisonment or 120 penalty units, or both, applies to a person who contravenes existing section 15.

Item 36 consolidates existing sections 15 and 26 and inserts new section 26.

New section 26 provides that the use or disclosure of any information obtained under the HI Act, or a healthcare recipient’s or individual healthcare provider’s healthcare identifier, by a person is prohibited unless:

in relation to a healthcare identifier, it is used or disclosed (subsection 26(3) refers):

·         for a purpose authorised by the HI Act;

·         for a purpose authorised by a Commonwealth law or a court/tribunal order;

·         by the person to whom the healthcare identifier relates, and is for the purposes of, or in connection with, the personal family or household affairs of the person (within the meaning of section 16 of the Privacy Act);

·         where an entity considers the use or disclosure is reasonably necessary to lessen or prevent a serious threat to the life, health or safety of an individual, or to public health or safety, and it is unreasonable or impracticable to obtain the individual’s consent to the use or disclosure (item 1, subsection 16A(1) of the Privacy Act).  This exception applies regardless of whether or not the person using or disclosing the healthcare identifier is an APP entity;

·         where an entity has reason to suspect that unlawful activity or misconduct of a serious nature, that relates to the entity’s functions or activities, has been or may be engaged in, and the entity reasonably believes that the use or disclosure is necessary for the entity to take appropriate action (item 2, subsection 16A(1) of the Privacy Act).  This exception applies regardless of whether or not the person using or disclosing the healthcare identifier is an APP entity;

·         where it is reasonably necessary for the establishment, exercise or defence of a legal or equitable claim (item 4, subsection 16A(1) of the Privacy Act).  This exception applies regardless of whether or not the person using or disclosing the healthcare identifier is an APP entity;

·         where it is reasonably necessary for the purposes of a confidential alternative dispute resolution process (item 5, section 16A(1) of the Privacy Act).  This exception applies regardless of whether or not the person using or disclosing the healthcare identifier is an APP entity; or

·         where it is required or authorised to enable the Information Commissioner, or an equivalent officer or agency of a state or territory, to carry out his or her functions in relation to privacy.

in relation to other information (including identifying information), it is used or disclosed (subsection 26(4) refers):

·         for a purpose authorised by the HI Act;

·         for a purpose authorised by another Australian law or a court/tribunal order;

·         in a manner that would not constitute an interference with an individual’s privacy, where the information is personal information; or

·         where it is required or authorised to enable the Information Commissioner, or an equivalent officer or agency of a state or territory, to carry out his orher functions in relation to privacy.

Paragraph 26(3)(b) of the Act provides that disclosure will be authorised if it is required or authorised under another Commonwealth law, while paragraph 26(4)(b) of the Act provides disclosure will be authorised if it is required or authorised under another Australian law.  This is a deliberate difference to ensure that only Commonwealth laws may create exceptions to unauthorised use or disclosure of a healthcare identifier.

A person who contravenes new section 26 may incur:

·         a civil penalty of up to 600 penalty units (currently $108,000 for individuals and $540,000 for bodies corporate), if the person uses or discloses in circumstances that contravene subsections 26(1) or (2), and the person knows or is reckless as to those circumstances – see subsection 26(6); or

·         a criminal penalty of up to two years’ imprisonment and/or 120 penalty units (currently $21,600 for individuals and $108,000 for bodies corporate) – see subsection 26(5).  As the fault element for the offence is not expressly stated in subsection 26(5), section 5.6 of the Criminal Code will apply.

Items 38-40     Section 29

Section 29 currently provides that a collection, use or disclosure of a healthcare identifier that is not authorised by the HI Act is taken to be an interference with privacy, which means that it triggers the functions and powers of the Information Commissioner under the Privacy Act, such as undertaking investigations.  It further provides that healthcare identifiers are treated as personal information for the purposes of the Information Commissioner conducting assessments of an entity’s activities in relation to the handling of personal information.  Healthcare identifiers are otherwise not considered to be personal information.

Items 38 to 40 amend section 29 to provide that only the unauthorised collection, use or disclosure of a healthcare recipient’s or individual healthcare provider’s healthcare identifier is taken to be an interference with privacy, or is treated as personal information for the purpose of the Information Commissioner’s assessments.  This makes clear that healthcare identifiers for healthcare provider organisations are not treated in the same way as those relating to individuals.

Some of the civil penalty provisions inserted into the HI Act by the Bill contain fault elements, meaning that they are not contravened unless the individual had a particular state of mind – for example, they knew or were reckless in relation to certain circumstances.  Item 38, which amends section 29, will ensure that where a person does not breach a civil penalty provision only because they did not have the required state of mind to make out the civil penalty, there will still be an interference with the privacy of the individual, and the Information Commissioner would still, for example, be able to investigate.  This is similar to the mechanism in existing subsection 73(1) of the My Health Records Act.

Item 42           Section 31

Section 31 currently provides that the HI Service Operator must operate a Healthcare Provider Directory (HPD) which lists the professional and business details of individual healthcare providers and healthcare provider organisations that agree to the publication of their information.

Item 42 replaces this with new sections 31 and 31A.

New section 31 requires the HI Service Operator to establish and maintain an HPD of the professional and business details of identified healthcare providers.  That is, healthcare providers who have been assigned a healthcare identifier.  The new section authorises the HI Service Operator to collect, use and disclose identified healthcare provider’s personal information in order to operate the HPD.  This authorisation is subject to the consent of individual healthcare providers.  The effect of this is that the HI Service Operator may not include the personal information of an individual healthcare provider if the provider has elected not to have their details published on the HPD.  The HI Service Operator does not require consent from healthcare provider organisations in order to collect, use and disclose non-personal information about the organisation in the HPD.

The purpose of the HPD is to facilitate communication between healthcare providers by providing a reliable source of identifying and contact information.  This can be useful when sending secure messages, referrals, discharge summaries and forwarding test requests.  The HPD is not a public document – it can only be accessed through patient administration systems or practice management software, or through the Health Professionals Online Service provided by the Department of Human Services.

As part of operating the HPD, the HI Service Operator will only handle information relating to identified individual healthcare providers and identified healthcare provider organisations.

New subsection 31(3) describes the types of information that will be included in the HPD, including information about whether an individual healthcare provider is “linked” to a particular healthcare provider organisation.  An individual healthcare provider organisation will be linked to a healthcare provider organisation if the individual is an employee of the organisation, or if the organisation provides support services or facilities to the individual to facilitate the provision of healthcare by the individual.

New section 31A authorises the HI Service Operator to collect healthcare identifiers and identifying information about a healthcare provider from the System Operator, and use and disclose that information, for the purposes of the HPD.  This ensures that the HI Service Operator has the necessary authority to collect, use and disclose the healthcare provider’s information, subject to the personal information restrictions under subsection 31(2), without having to go to each individual healthcare provider for the information.

Item 43           After Part 5

Item 43 inserts new Part 5A into the HI Act to trigger provisions of the Regulatory Powers (Standard Provisions) Act 2014 (Regulatory Powers Act) in relation to the imposition of the new civil penalties established by item 36.

New section 31B provides a simplified outline for new Part 5A as previously described.

New section 31C triggers the provisions of Part 4 of the Regulatory Powers Act which, among other things, deals with obtaining and enforcing a civil penalty order and the handling of multiple contraventions.  The Information Commissioner is the person who is authorised to apply to a relevant court for a civil penalty order under the HI Act.

Subsection 31C(5) reinforces that the Crown cannot be liable to a pecuniary penalty.

New section 31D triggers the provisions of Part 6 of the Regulatory Powers Act which deals with the ability to accept and enforce acceptable undertakings.  A person may give an undertaking to take certain actions or refrain from certain actions in order to comply with the HI Act.  The Information Commissioner or the Service Operator is authorised to accept and enforce undertakings for the purposes of the HI Act, and publish the undertaking on their websites.

New section 31E triggers the provisions of Part 7 of the Regulatory Powers Act which deals with using injunctions – for example, to prevent someone from taking a particular action.  The Information Commissioner or the Service Operator is authorised to seek injunctions for the purposes of the HI Act.

Since the HI Act applies to Australia and each of its external territories (that is, Christmas Island, Cocos (Keeling) Islands, Ashmore and Cartier Islands, Coral Sea Islands, Heard Island and McDonald Islands, and the Australian Antarctic Territory), for the purposes of new sections 31C, 31D and 31E, the relevant parts of the Regulatory Powers Act will also apply to all external territories in relation to the HI Act.  For the purposes of new sections 31C, 31D and 31E a relevant court is the Federal Court of Australia, the Federal Circuit Court of Australia or a court of a state or territory which has the necessary jurisdiction.

Item 45           At the end of section 34

Section 34 of the HI Act requires that the Service Operator prepare an annual report of the activities, finances and operations of the HI Service.  The Service Operator must provide a copy of the annual report to the Minister and the Ministerial Council by 30 September each year, and the Minister must table the annual report in Parliament within 15 sitting days of receiving a copy.

Section 46 of the Public Governance, Performance and Accountability Act 2013 (PGPA Act) requires that Commonwealth entities prepare an annual report.  New subsection 34(4), inserted by item 45, provides that if the HI Service Operator is required to report under section 46 of the PGPA Act, the Operator is not required to also give a report under section 34 of the HI Act.

Item 46           Section 35

Section 35 of the HI Act requires that a review of the HI Act must be undertaken and a report of that review delivered by 30 June 2013, provided to the Ministerial Council and tabled in Parliament.  The Minister is required to consult with the Ministerial Council before appointing a person to undertake this review.  The HI Review met the requirements of this section.

Item 46 replaces section 35 with a new requirement to undertake a review of the HI Act within three years of the commencement of Schedule 1 of this Bill.  As with the current requirement, the Minister must consult with the Ministerial Council before appointing a person to undertake this review, and the report of the review must be provided to the Ministerial Council and be tabled in Parliament within 15 sitting days after the report is given to the Minister.

Item 47           Before section 36

In addition to inserting a simplified outline to this Part, as previously described, item 47 inserts a new division number and heading into the HI Act to reflect that Part 7 is now separated into five divisions.

Item 48           After section 36

Section 36 of the HI Act currently specifies that the authorisations set out in the Act apply to employees and people acting on behalf of authorised entities, contracted service providers of authorised healthcare provider organisations (and their employees or people acting on their behalf), and contractors of participants in the My Health Record system.

Item 48 inserts a new section 36A into the HI Act to provide that if an entity is authorised to disclose information to a healthcare provider, the authorisation extends to disclosing the information to an employee or person acting on behalf of the healthcare provider, or a contracted service provider of the healthcare provider (or an employee or contractor acting for the contracted service provider).  This reflects the practical operation of healthcare provider organisations that may have a variety of different structures governing their business and impacting on how information is received by the organisation.

Many of the participants in the My Health Record system will be organisations rather than individuals, and those organisations are likely to be structured in a variety of ways.  The HI Act does not currently describe how it applies to entities that are not a legal person – for example, partnerships, unincorporated associations and trusts with multiple trustees.  To ensure that the authorisations, obligations and penalties set out in the HI Act apply appropriately to all relevant entities, notwithstanding different structures, item 48 inserts new sections 36B, 36C and 36D into the HI Act.  These align with sections 100 to 102 of the My Health Records Act, as amended by items 97 to 99.

New section 36B provides that obligations will apply to each partner and may be discharged by any partner.  A criminal provision that would otherwise be contravened by the partnership is taken to have been contravened by each partner in the partnership, at the time the offence was committed, who:

·         did the relevant act or made the relevant omission;

·         aided, abetted, counselled or procured the relevant act or omission; or

·         was in any way knowingly concerned in, or party to, the relevant act or omission (whether directly or indirectly and whether by any act or omission of the partner).

New subsection 36B(4) provides that section 36B applies to a contravention of a civil penalty provision in a corresponding way to the way in which it applies to an offence.

New sections 36C and 36D apply in a similar way to 36B, but in relation to unincorporated associations (and members of the association’s committee of management) and trusts (and multiple trustees) respectively.

The HI Act does not currently expressly allow the Service Operator to delegate any powers or functions.  Where the HI Service Operator is the Chief Executive Medicare, delegation powers are found in the Human Services (Medicare) Act 1973.  As the HI Act is being amended to allow for the regulations to prescribe a Service Operator other than the Chief Executive Medicare, a new delegation power is needed for any future HI Service Operators.

Item 48 also inserts new section 36E into the HI Act, specifying how the Service Operator’s powers and functions may be delegated.  This new section is similar to the System Operator’s delegation power under section 98 of the My Health Records Act, as amended by items 95 and 96.

New section 36E provides that the Service Operator may delegate their powers or functions to:

·         an Australian Public Service employee of the Department of Health (with the Secretary’s agreement if the Chief Executive Medicare is not the Service Operator);

·         (if the Service Operator is not the Chief Executive) the Chief Executive Medicare (but only with the Chief Executive Medicare’s agreement);

·         to any person with the consent of the Minister.

All delegations must be in writing.

Delegates must comply with any written directions by the Service Operator in acting as a delegate.  The Human Services (Medicare) Act 1973 permits the Chief Executive Medicare to sub-delegate to Australian Public Service employees of the Department of Human Services (or other department responsible for Medicare) any powers delegated to him or her.  Sub‑delegates must also comply with any written directions of the Chief Executive Medicare.

Item 49           After section 38

Item 49 inserts a new division number to reflect that Part 7 is now separated into five divisions.  Division 5 deals with the making of regulations for the purposes of the HI Act.

Personally Controlled Electronic Health Records Act 2012

For the convenience of readers and to reflect that the name of this Act is changing to the My Health Records Act 2012, this Act is referred to as the My Health Records Act.

“For the purposes of the My Health Record system”

In both the HI Act and the My Health Records Act, a number of the amendments have clarified the authorisations to allow collection, use or disclosure of information “for the purposes of the My Health Record system”.  Amongst other things, the purposes of the My Health Record system will require consideration of the System Operator’s functions under section 15 of the My Health Records Act, the purposes and objects of the My Health Records Act, and the powers and obligations of the System Operator and other participants in the My Health Record system.

Item 50           Section 4

Section 4 of the My Health Records Act currently provides a simplified outline of the My Health Records Act.  To reflect the updated Act, as amended by this Bill, item 50 replaces this with a new simplified outline.

Item 50 also makes clear that new Schedule 1 to the My Health Records Act (inserted by item 106) applies as part of the My Health Records Act.

Items 51-62     Section 5

Section 5 of the My Health Records Act defines certain terms used in the My Health Records Act.  Items 51 to 62 make amendments to several definitions, or insert or remove definitions, as a result of other amendments being made by this Bill.  Changes include:

·         defining cinematograph film, sound recording and work for the purposes of new copyright provisions inserted by items 78 and 79;

·         updating the definitions of healthcare and health information to refer to the corresponding definitions in the Privacy Act (items 107 to 110 refer), noting that while the Privacy Act refers to a “health service” it has the same meaning as “healthcare” in the My Health Records Act and the HI Act;

·         revising Ministerial Council to recognise that the National Partnership Agreement on E‑Health to which the definition made reference has expired, and to provide future flexibility for changes to the responsible senior body – at the time of writing, the Council of Australian Governments Health Council is the relevant Ministerial Council;

·         defining Regulatory Powers Act for the purpose of new provisions that trigger provisions of the Regulatory Powers (Standard Provisions) Act 2014 to allow for civil penalties, enforceable undertakings and injunctions (see item 94); and

·         removing terms that are no longer used:

o   civil penalty order, civil penalty provision and Court which are no longer necessary because this Bill will trigger the provisions of the Regulatory Powers Act which defines those terms; and

o   Independent Advisory Council and Jurisdictional Advisory Committee to reflect that these committees have been abolished (see item 58).

Items 63-64     Subsections 6(9) and 7(6) and new section 7A

Sections 6 and 7 of the My Health Records Act ensure that children and individuals with limited or no capacity can have a My Health Record.  These sections set out the criteria for becoming an authorised or nominated representative of a person and the obligations of a representative.  The provisions also specify how representatives are treated for the purposes of the My Health Records Act – for example, where a healthcare recipient (previously referred to as a “consumer”) has an authorised representative, the authorised representative is entitled to do any thing that the Act authorises or requires the consumer to do, and the consumer is not entitled to do any thing that the Act otherwise requires or authorises the consumer to do.

Representatives are currently required to act in the best interests of the person they are representing and have regard to any directions given by that person.

In light of international changes in the treatment of individuals who require supported decision-making, recognising that one person cannot necessarily determine what is in the best interests of another person, in 2014 the Australian Law Reform Commission recommended in its ALRC Report 124 entitled Equality, Capacity and Disability in Commonwealth Laws, that a person providing decision-making support should, instead of acting in the person’s best interests, give effect to the ‘will and preferences’ of the person to whom they provide decision‑making support.

Items 63 and 64 give effect to this intention by removing the current obligations of representatives to act in a healthcare recipient’s best interests and, instead, inserting a new section 7A which provides that an authorised or nominated representative must give effect to the will and preferences of the person for whom they are a representative.

Under subsection 7A(1), an authorised representative or a nominated representative must make reasonable efforts to ascertain the will and preferences of the healthcare recipient.  If this is not possible, subsection 7A(2) requires the representative to make reasonable efforts to ascertain the healthcare recipient’s likely will and preferences in relation to his or her My Health Record.

Subsection 7A(3) includes a non-exhaustive list of sources from which the healthcare recipient’s will and preferences may be able to be ascertained.  The reference to “to the extent legally possible” in paragraph 7A(3)(b) is intended to ensure that seeking to ascertain the likely will and preferences of a healthcare recipient is not undertaken in a way that would, for example, interfere with the privacy of the healthcare recipient.

To the extent it is possible to ascertain the healthcare recipient’s will and preferences, or likely will and preferences, subsection 7A(4) requires representatives to give effect to the healthcare recipient’s will and preferences or likely will and preferences.  However, if to do so would pose a serious risk to healthcare recipient’s personal and social wellbeing, the representative must act in way that would promote the healthcare recipient’s personal and social wellbeing (subsection 7A(5)).

In terms of how these obligations will apply to parents or guardians of minors, the minor’s will or preference, if they have one, should still be ascertained.  The older the minor gets the more likely it is that they will have a will and preference, or likely will and preference, in relation to their My Health Record, and the parent or guardian should ascertain this.  If the minor does not have a will or preference or it cannot be ascertained – for example they are too young to understand – subsection 7A(6) will apply and the representative must act in a manner that best promotes the personal and social wellbeing of the healthcare recipient.  Current subsection 6(3) of the My Health Records Act will continue to apply.  That subsection specifies the circumstances in which a minor is taken not to have an authorised representative and may thus take control of their own My Health Record.

Item 65           At the end of subsection 9(3)

This item amends subsection 9(3) to allow regulations to be made specifying additional information as identifying information for the purposes of the My Health Record system (and HI Service).  This change is consistent with a similar change being made to the HI Act – see item 27 to 28.

Item 66           Subsection 11(2)

This item reflects that since new Part 6 of the My Health Records Act (inserted by item 94) specifically sets out that the Crown is not liable to a pecuniary penalty, subsection 11(2) no longer needs to make this statement.

Item 67           At the end of Part 1

The My Health Records Act imposes obligations on the System Operator to notify individuals and entities of certain decisions in writing, and enables the System Operator to provide information, for example, in relation to the ability to appeal a decision suspending a participant’s registration.  As well as more formal communications such as those relating to decisions about registration and appeal rights, the System Operator needs to be able to communicate electronically with healthcare recipients and participants in relation to day-to-day operations and administrative matters.

Item 67 inserts new section 13B which provides that such notifications and communications may be given electronically, such as through email or a message to a mobile phone.  This section makes reference to the Electronic Transactions Act 1999 which deals with matters that are conducted electronically and generally requires that communications from government bodies cannot be sent electronically without a person’s consent.  Given the electronic nature of the My Health Record system, and the numbers of healthcare recipients and participants involved, the System Operator needs to be able to communicate electronically where this is appropriate and the System Operator has a relevant electronic address or mobile phone number.  At present, healthcare recipients are not required to provide electronic contact details, such as an e-mail address or mobile phone number.  However, where this information has been provided to the System Operator, the System Operator may use those contact details to communicate electronically with the healthcare recipient, where appropriate.

Item 68           Part 2 (heading)

This item replaces the existing heading of Part 2 to reflect the abolition of the Jurisdictional Advisory Committee and Independent Advisory Council (item 72 refers).

Item 69           After paragraph 15(i)

Section 15 of the My Health Records Act sets out the functions of the System Operator.

The My Health Record system is an electronic system that interacts with the software and IT systems of a wide range of entities.  The My Health Record system needs to support a range of technical specifications and needs to support effective use by healthcare providers.  To enable the My Health Record system to operate as intended, in an effective and efficient manner, the System Operator needs to be able to operate a test environment that tests not only the My Health Record system but also other systems that interact with the My Health Record system – for example, the HI Service and the National Authentication Service for Health (NASH), and clinical information system software packages used by healthcare providers to access the My Health Record system.

While several functions of the System Operator deal with the operation of the actual system, and paragraph 15(o) provides that the System Operator can do anything conducive or incidental to the performance of its functions, item 69 inserts a new function expressly providing that it is a function of the System Operator to establish and operate a test environment.

Under new paragraph 15(ia) the System Operator must establish and operate a test environment for the My Health Record system and other electronic system with which it interacts directly, subject to the requirements (if any) in the My Health Records Rules.  My Health Records Rules may, for example, prescribe criteria that an entity must meet before it can utilise the test environment.  Subject to any Rules that may be made, access to and use of the test environment is not restricted to participants in the My Health Record system.

It is important to note that any test environment established will not use real health, personal or identifying information and will be entirely isolated from the “live” or “production” My Health Record system.

Item 70           Section 16

Section 16 currently requires that the System Operator have regard to the decisions of the Jurisdictional Advisory Committee and Independent Advisory Council.  These bodies are being abolished (item 72 refers) so item 70 removes this requirement.

The framework establishing the Australian Commission for eHealth and its advisory committees may establish arrangements for how advice by those committees will be taken into account by the Commission in making decisions regarding the My Health Record system.

Item 71           Paragraph 17(2)(b)

Currently, section 17 deals with the National Repositories Service which is a repository operated by the System Operator that ensures there is capacity to store a minimum set of health information in the My Health Record system for registered healthcare recipients.  This includes for example, but not limited, to shared health summaries, event summaries, discharge summaries, specialist letters and healthcare recipient-only notes.

The System Operator is currently required to store any information uploaded to the National Repositories Service for 30 years after the death of the healthcare recipient, or if that date is unknown, for 130 years from the date it is uploaded.  This long-term storage of information is intended to support the longevity of a minimum data set in the My Health Record system.

Item 71 amends this requirement to provide that, where a date of death is unknown, the information must be stored for 130 years from the healthcare recipient’s date of birth.  This is being changed to align more closely with the requirement that information be available for around 30 years after the healthcare recipient dies.  At present, if information about a 90 year old is uploaded to the National Repositories Service, and their date of death is unknown, the system is potentially storing this information for more than 100 years from the likely date of their death, well in excess of the period it would be stored if the date of death was known.

Any information stored by the National Repositories Service after the healthcare recipient dies will continue to be subject to the same privacy protections that applied while the healthcare recipient was alive.

It is important to note that these retention requirements apply only to the National Repositories Operator and not to any registered repository operators, which are already subject to Commonwealth, state and/or territory requirements for retaining health records.

Item 72           Divisions 2 and 3 of Part 2

Divisions 2 and 3 of Part 2 currently establish, and specify the purpose and composition of, the Independent Advisory Council and the Jurisdictional Advisory Committee.  These bodies provide advice to the System Operator. 

In 2016 it is intended that the Australian Commission for eHealth (yet to be established) will become the System Operator.  It is intended that new advisory bodies will be established as part of the new Commission, and these bodies will be responsible for providing expert advice to the System Operator about the My Health Record system, including fulfilling the current roles of the Independent Advisory Council and Jurisdictional Advisory Committee.

Item 72 therefore removes Divisions 2 and 3.

Item 73           Division 1 of Part 3

Division 1 of Part 3 provides for the registration of healthcare recipients.  Since new Schedule 1 to the My Health Records Act (inserted by item 106) will allow the Minister to apply arrangements for an opt-out system to certain groups or to the whole of Australia, the requirements regarding the eligibility of healthcare recipients, how they can apply to register and conditions of that registration, would not apply where opt-out arrangements are in force.

To make clear that Division 1 of Part 3 does not apply if the Minister has applied opt-out arrangements, item 73 inserts a note into the Division.

Items 74-75     Section 41

Section 41 provides for the registration of healthcare recipients and currently provides that a healthcare recipient must give standing consent for registered healthcare provider organisations to upload health information to the healthcare recipient’s My Health Record.  Despite this consent, the registered healthcare provider organisation cannot upload particular information if the healthcare recipient has instructed them not to, and must not upload information without the express or written consent of the healthcare recipient if required by preserved state or territory laws.

A preserved law for the purposes of the My Health Record system refers to a law prescribed by regulation 3.1.1 of the Personally Controlled Electronic Health Records Regulation 2012 (which will be amended to also cover new subsection 41(3A)).  These preserved laws generally prohibit the disclosure, without express or written consent, of identifying information in relation to healthcare recipients who have been tested for Acquired Immune Deficiency Syndrome, HIV or cervical cancer, or confidential information associated with notifiable conditions, contagious conditions, environmental health events, perinatal history, cancer history or pap smear history.

Item 74 inserts new subsection 41(3A) which recognises that health information about a healthcare recipient may include relevant information about a third party.  For example, in relation to the person’s ongoing treatment of hypertension, the information may reference the fact that the person’s mother has a heart condition.  Similar to current subsection 41(3), new subsection 41(3A) provides that a registered healthcare provider organisation must not upload third party information if a preserved law of a state or territory applies, unless the requirements of the applicable preserved law have been met.

Subsection 41(4) currently provides that the standing consent given by the healthcare recipient under subsection 41(3) has effect despite state or territory laws that may require that consent to be given in a particular manner, except where a preserved law applies.  This means that if any state or territory Act cannot operate concurrently with the My Health Records Act, it will be overridden by the My Health Records Act, unless it is a preserved law.  Item 75 simply updates this subsection to ensure that the new authorisation relating to third party information (inserted by item 74) also has effect in this way.

Item 76           After paragraph 45(6)

Section 45 currently imposes conditions on registered healthcare provider organisations on how and what they can upload to a healthcare recipient’s My Health Record.

The condition at paragraph 45(b), among other things, requires that a shared health summary and any other record specified by the My Health Records Rules be authored by a healthcare provider with a healthcare identifier.  The My Health Records Rules currently specify that all other documents must also be authored by a healthcare provider with a healthcare identifier.

This condition ensures that health information contained in a My Health Record (other than that authored by the healthcare recipient and included in healthcare recipient-only notes) has been created by people qualified to do so.

Item 76 inserts a new paragraph 45(ba) that requires authors of records to also be an identified healthcare provider whose registration or membership as applicable is not conditional, suspended, cancelled or lapsed, other than in circumstances prescribed in My Health Records Rules.  This ensures that at the time a healthcare provider authors a document that is uploaded to the My Health Record system, they are qualified and permitted to do so.  For example, a healthcare provider’s professional registration can be suspended for reasons ranging from forgetting to pay annual registration fees to being investigated for reasons of conduct and public safety.  Where, for example, a provider’s registration is suspended or cancelled because they are engaged in professional misconduct, it may not be appropriate for the healthcare provider to be authoring records that are uploaded to the My Health Record system where those records may be relied upon by other providers treating a healthcare recipient.  It is intended that the My Health Records Rules will prescribe specific circumstances where, despite a healthcare provider’s registration or membership being conditional, suspended, cancelled or lapsed, it is still appropriate for the provider to author records that are uploaded to the My Health Record system.  One situation where it might be appropriate is where a provider’s registration or membership has conditions limiting their practice to a geographical area.

Items 77-78     Section 45

As described in relation to items 1 and 2, copyright may exist in documents or other material uploaded to the My Health Record system.  Therefore, it is necessary to ensure that any use of this material by the System Operator, other participants in the My Health Record system or users of the material after the materials have been downloaded from the My Health Record system does not infringe any copyright that might subsist in the materials.

A condition currently imposed on registered healthcare provider organisations by paragraph 45(c) is that healthcare providers must not upload information to the My Health Record system if it would constitute an infringement of copyright or moral rights.  This means a healthcare provider can only upload information produced by the healthcare provider organisation on behalf of which they are acting, or for which the provider has permission to do so from the copyright owner.

As part of being registered, healthcare provider organisations currently grant a licence to the System Operator to use, reproduce, copy, modify, adapt, publish and communicate the information they upload, including the right for the System Operator to sub-license other healthcare providers and participants in the My Health Record system to do the same acts.  This licence is granted by way of a contract (called a participation agreement) with the System Operator.  The need to enter into participation agreements is being removed in order to simplify the registration process for organisations, and an exception to copyright infringement is being established instead (items 1 and 2 refer).

While the new copyright exceptions established by items 1 and 2 will ensure that any works, films or sound recordings made on or after the date the exceptions commence can be uploaded to the My Health Record system, and can be used in the system and subsequently used following the download of material from the system, without infringing copyright, they do not deal with material made before commencement of items 1 and 2.

Item 77 amends existing paragraph 45(c) of the My Health Records Act to reflect the new copyright exceptions being inserted by items 1 and 2.  Under item 77, there remains a requirement that healthcare providers must not upload a record to the My Health Record system if to do so would result in a moral rights infringement.

Item 78 inserts new sections 45A, 45B and 45C to deal with material made before the new copyright exceptions in sections 44BB and 104C of the Copyright Act commence.

New sections 45A and 45B impose a condition on registered healthcare provider organisations prohibiting them from uploading works (which extend beyond literary works and include diagnostic images and computer programs), films or sound recordings made before commencement of the new copyright exceptions, if any of the actions described at paragraphs 45A(2)(a) to (d) or 45B(2)(a) to (d) would constitute an infringement of copyright.  This covers actions such as someone (whether or not the uploading organisation) accessing the information through the My Health Record system, or subsequent use of the information once it is downloaded from the My Health Record system.


 

This means that:

·         if the healthcare provider organisation that wishes to upload material created before commencement of sections 44BB and 104C of the Copyright Act owns the copyright in the material, there will be no infringement so they may upload it; or

·         if the healthcare provider organisation that wishes to upload material created before commencement of sections 44BB and 104C of the Copyright Act does not own the copyright in the material, they must not upload it unless the copyright owner grants a licence to the System Operator – for example, to use, reproduce, copy, modify, adapt, publish and communicate the material, including the right to sub-license others.

In practice, it is anticipated that most healthcare organisations will not upload old material (that is, materials or records created before the copyright exceptions in sections 44BB and 104C of the Copyright Act commence) unless they own copyright in it.  One possible exception is where the information is clinically critical or directly relevant to the healthcare of a healthcare recipient.  In this case the uploading provider will need to ensure that uploading the material or records will not result in an infringement of the copyright.

Sections 45A and 45B do not effect an acquisition of property or otherwise affect ownership of any copyright that might exist in records or other materials.  They merely prohibit uploading of materials or records created before commencement of sections 44BB and 104C of the Copyright Act if the uploading or subsequent use would result in an infringement of copyright.

New section 45C provides that if loss or damage is suffered by any person – for example, by the owner of copyright in material uploaded to the My Health Record system in contravention of the prohibition in sections 45A or 45B – the person suffering loss or damage may bring an action against the uploading healthcare provider to recover the amount of the loss or damage.  Actions must commence within six years of the loss or damage being suffered, and may include a claim for costs incurred as a result of bringing the copyright infringement action.  This provision ensures that it is the entity uploading in contravention of sections 45A or 45B that is liable for any loss or damage suffered, and not any other party (such as the System Operator, participants in the My Health Record system or subsequent users of the materials or records that have been uploaded in contravention of sections 45A and 45B).

Item 79           After section 50

Repository operators may register to participate in the My Health Record system and may upload information to a registered healthcare recipient’s My Health Record – for example, see current section 38 and new section 50D inserted by this item.

Similar to material and records uploaded by healthcare providers, copyright may subsist in material or records made available to the My Health Record system by registered repository operators.  As a result, it is necessary to ensure that any use of this material by the System Operator, other participants in the My Health Record system or users of the material after the materials have been downloaded from the My Health Record system does not infringe any copyright that might subsist in the materials.

While the new copyright exceptions established by items 1 and 2 will ensure that any works, films or sound recordings created on or after the date the exceptions commence can be uploaded to the My Health Record system, and can be used in the system and subsequently used following the download of material from the system, without infringing copyright, they do not deal with material created before commencement of items 1 and 2.

Item 79 therefore inserts new sections 50A, 50B and 50C to deal with material created before the new copyright exceptions commence.

New sections 50A and 50B are similar to new sections 45A and 45B (which apply to healthcare provider organisations) and impose a condition on registered repository operators prohibiting them from uploading works (in the case of section 50A) or films or sound recordings (in the case of section 50B) if any of the actions described at paragraphs 50A(2)(a) to (d) or 50B(2)(a) to (d) would constitute an infringement of copyright.  This covers actions such as someone (whether or not the repository operator that makes the materials available to the My Health Record system) accessing the information through the My Health Record system, or subsequent use of the information once it is downloaded from the My Health Record system.

This means that:

·         if the repository operator that wishes to make the materials (created before commencement of sections 44BB and 104C of the Copyright Act) available to the system owns the copyright in the material, there will be no infringement so they may make the material available; or

·         if the repository operator that wishes to make the materials (created before commencement of sections 44BB and 104C of the Copyright Act) available to the system does not own the copyright in the material, they must not upload it unless the copyright owner grants a licence to the System Operator – for example, to use, reproduce, copy, modify, adapt, publish and communicate the material, including the right to sub-license others.

In practice it is anticipated that most repository operators will not upload old material (that is, material or records created before the copyright exceptions in sections 44BB and 104C of the Copyright Act commence) unless they own copyright in it.  One possible exception is where the information is clinically critical or directly relevant to the healthcare of a healthcare recipient.  In this case the repository operator that makes the material or records available to the My Health Record system will need to ensure that uploading the material or records will not result in an infringement of the copyright.

Sections 50A and 50B do not effect an acquisition of property or otherwise affect ownership of any copyright that might exist in records or other materials.  They merely prohibit making materials or records created before commencement of sections 44BB and 104C of the Copyright Act available to the system if to do so, or any subsequent use of the materials or records, would result in an infringement of copyright.

New section 50C provides that if loss or damage is suffered by any person – for example, by the owner of copyright in material made available to the My Health Record system in contravention of the prohibition in sections 50A or 50B – the person suffering loss or damage may bring an action against the repository operator that made the material available to recover the amount of the loss or damage.  Actions must commence within six years of the loss or damage being suffered, and may include a claim for costs incurred as a result of bringing the copyright infringement action.  This provision ensures that it is the entity making the materials available in contravention of sections 50A or 50B that is liable for any loss or damage suffered, and not any other party (such as the System Operator, participants in the My Health Record system or subsequent users of the materials or records that have been made available in contravention of sections 50A and 50B).

Items 80-82     Sections 51-53

Division 4 of Part 3 of the My Health Records Act deals with the cancellation, suspension and variation of the registration of a healthcare recipient or participant in the My Health Record system.  If the System Operator decides to cancel, suspend or vary the registration of a healthcare recipient or a participant, whether upon request or for other reasons, the System Operator must generally give written notice to that person or entity and provide the reasons for that decision and provide other information about rights for a review of that decision.

There has been some confusion about when cancellations, suspensions or variations come into force.

These items remove this confusion by:

·         inserting a note below sections 51 and 53 explaining the operation of section 53 and how it relates to sections 51 and 52; and

 

·         amending the language of subsections 53(4) and (5), including to make them more consistent with the language used in subsection 51(7).

Item 83           Division 6 (heading)

This item replaces the existing heading of Division 6 of Part 3 to reflect changes made by item 84 which now provides a different range of authorisations.

Item 84           Section 58

Section 58 currently authorises the use and disclosure to the System Operator of identifying information about healthcare recipients, healthcare provider organisations, authorised representatives and nominated representatives by certain Commonwealth entities to verify identities and allow the System Operator to carry out its functions.  It also requires these entities to notify the System Operator of any changes to this information.

As part of restructuring the authorisations of the My Health Records Act and the HI Act to make clear how and why certain information can be used, item 84 replaces this section with new sections 58 and 58A.  New section 58 encompasses some of the authorisations relating to the My Health Record system that were previously contained in Division 2A of Part 3 of the HI Act.

To help readers understand what changes are being made by this amendment, the authorisations are set out in the following table with either a reference to existing equivalent authorisations or with an explanation of why the new authorisation is required.

New section no.

Table item no.

Authorisation

Existing section number or reason for new authorisation

Including health information in a My Health Record

58

N/A

The System Operator may collect, use and disclose health information about a healthcare recipient for the purposes of including health information in a healthcare recipient’s My Health Record.

The System Operator currently takes these actions on the basis of healthcare recipients’ implied consent.  With new section 58, the System Operator is now expressly authorised.

Section 58 is intended to be broad enough to allow for the collection, use and disclosure of third party health information, where this is to be included in a healthcare recipient’s My Health Record – for example, as part of the family medical history of the healthcare recipient. Supporting amendments to other provisions of the My Health Records Act and the Privacy Act also help deal with, and place limits on the collection, use and disclosure of, third party information.

Section 58 mirrors clause 7 of Schedule 1 of the My Health Records Act.

My Health Record system purposes

58A(1)

1

The System Operator may collect, use and disclose identifying information about, or a healthcare identifier of:

·         a healthcare recipient;

·         an authorised representative;

·         a nominated representative; or

·         a healthcare provider,

for the purposes of the My Health Record system.

HI Act: 22A(2) and (3)

2

The System Operator may collect, use and disclose information relevant to whether a person is an authorised representative or nominated representative of another person, for the purposes of determining whether a person is an authorised representative or nominated representative of another person.

HI Act: 22A(3) and 22E

HI Regulations: 15

My Health Records Act: 6 and 7 (implied)

This new item clarifies and condenses existing authorisations into an express authorisation in the My Health Records Act that permits the System Operator to collect, use and disclose information relevant to determining whether someone is an authorised or nominated representative.

3

Registered repository operators and registered portal operators may collect, use and disclose to a participant in the My Health Record system a healthcare identifier of:

·         a healthcare recipient;

·         an authorised representative;

·         a nominated representative; or

·         a healthcare provider,

for the purposes of the My Health Record system.

HI Act: 22C

4

The HI Service Operator may collect from the System Operator, use and disclose to the System Operator information relevant to whether a person is an authorised representative or nominated representative of another person, for the purposes of assisting the System Operator to determine whether a person is an authorised representative or nominated representative of another person.

HI Act: 22E

HI Regulations: 15

My Health Records Act: 6 and 7 (implied)

This new item clarifies and condenses existing authorisations into an express authorisation in the My Health Records Act that permits the HI Service Operator to collect, use and disclose information relevant to determining whether someone is an authorised or nominated representative.

5

The Chief Executive Medicare may collect from the System Operator, use and disclose to the System Operator identifying information about a person who is or may be:

·         a healthcare recipient;

·         an authorised representative; or

·         a nominated representative,

for the purposes of assisting the System Operator to verify the identity of the person, or otherwise for the purposes of the My Health Record system.

My Health Records Act: 22D and 58

While use and disclosure were previously authorised, this new section clarifies that the Chief Executive Medicare may collect the necessary information from the System Operator.

6

The Chief Executive Medicare may collect from the System Operator, use and disclose to the System Operator information relevant to whether a person is an authorised representative or nominated representative of another person, for the purposes of assisting the System Operator to determine whether a person is an authorised representative or nominated representative of another person.

HI Act: 22E

HI Regulations: 15

My Health Records Act: 6 and 7 (implied)

This new item clarifies and condenses existing authorisations into an express authorisation in the My Health Records Act, that permits the Chief Executive Medicare to collect, use and disclose information relevant to determining whether someone is an authorised or nominated representative.

7

The Chief Executive Medicare may collect, use and disclose to a participant in the My Health Record system identifying information about, or a healthcare identifier of:

·         a healthcare recipient;

·         an authorised representative; or

·         a nominated representative,

for the purposes of including health information in the healthcare recipient’s My Health Record.

It is not necessary to subject this authorisation to the healthcare recipient’s consent to make the information available to the System Operator (in an opt-in setting) because section 38 already does this.  This authorisation enables a healthcare identifier to be attached to the healthcare recipient’s information so that it can be loaded into the repository operated by the Chief Executive Medicare.

8

The Veterans’ Affairs Department and Defence Department may use and disclose to the System Operator identifying information about, or a healthcare identifier of a person who is or may be:

·         a healthcare recipient;

·         an authorised representative; or

·         a nominated representative,

for the purposes of assisting the System Operator to verify the identity of the person.

My Health Records Act: 58

While use and disclosure were previously authorised, this new section clarifies that the Veterans’ Affairs Department or Defence Department can collect the necessary information from the System Operator.

9

The Veterans’ Affairs Department and Defence Department may collect from the HI Service Operator, use and disclose to a participant in the My Health Record system identifying information about, or a healthcare identifier of:

·         a healthcare recipient;

·         an authorised representative; or

·         a nominated representative,

for the purposes of including prescribed information in the healthcare recipient’s My Health Record.

 

It is not necessary to subject this authorisation to the healthcare recipient’s consent to make the information available to the System Operator (in an opt-in setting) because section 38 already does this.   This authorisation enables a healthcare identifier to be attached to the healthcare recipient’s information so that it can be loaded into the repository operated by the Chief Executive Medicare.

The reference to “prescribed information” provides for the possibility that, in future, other kinds of Commonwealth agency records may be identified which may be of value to include in healthcare recipients’ My Health Records.  For example, the Departments of Defence or Veterans’ Affairs may have records about current and former service men and women that relate to health services they have received.  Regulations may be made to allow healthcare identifiers to be attached to prescribed classes of records so they can be included in the My Health Record system.

10

An entity prescribed by regulations may collect, use and disclose to another prescribed entity identifying information about a person who is or may be:

·         a healthcare recipient;

·         an authorised representative; or

·         a nominated representative,

for the purposes of assisting the System Operator to verify the identity of the person.

As part of running the My Health Record system, including verifying identities, the System Operator may need to disclose identifying information about a healthcare recipient, an authorised representative or a nominated representative to an entity, and that entity will need authorisation to collect, use and disclose that information.  An example of the need to make regulations in relation to opt-out is included in clause 8, item 10 of Schedule 1.

 

The Note to this table refers readers to section 15 of the HI Act which authorises the HI Service Operator to collect, use and disclose healthcare identifiers and identifying information about healthcare recipients, authorised representatives and nominated representatives for the purposes of the My Health Record system.  This means that the HI Service Operator relies on the authorisations provided by both the HI Act and My Health Records Act to interact with the My Health Record system.

New subsection 58(2) requires that if at any time the Chief Executive Medicare, Veterans’ Affairs Department, Defence Department, HI Service Operator or a prescribed entity (item 10 of table at subsection 58(1) refers) becomes aware that the information it has provided to the System Operator has changed, the entity must notify the System Operator.  This ensures the System Operator has and uses the most up-to-date information for identity verification and other My Health Record system purposes.

Items 85-88     Sections 59 and 60

Existing section 59 provides that the collection, use or disclosure of health information in a healthcare recipient’s My Health Record by a person is prohibited unless it is authorised by the My Health Records Act.

A person who contravenes section 59 may incur a civil penalty of up to 120 penalty units (currently $21,600 for individuals and $108,000 for bodies corporate).  It is only to be taken to be a contravention if the person knows or is reckless to whether the collection, use or disclosure is unauthorised.  If a person accidentally collects, uses or discloses this information they do not contravene section 59 and are not liable for a civil penalty under the My Health Records Act (although under section 73 of the My Health Records Act, there may still be an interference with privacy and the Information Commissioner may still be able to investigate).

Items 85 to 86 make amendments to provide that a person who contravenes section 59 may now incur:

·         a civil penalty of up to 600 penalty units (currently $108,000 for individuals and $540,000 for bodies corporate); or

·         a criminal penalty of up to two years’ imprisonment and/or 120 penalty units (currently $21,600 for individuals and $108,000 for bodies corporate).

Section 60 provides that the use or disclosure of health information in a healthcare recipient’s My Health Record by a person who knows or is reckless to whether the information was not authorised to be disclosed to them is prohibited, unless it is for the purpose of an investigation into that original disclosure.  A person who contravenes section 60 may currently incur a civil penalty of up to 120 penalty units (currently $21,600 for individuals and $108,000 for bodies corporate).

Items 87 to 88 make amendments to provide that a person who contravenes section 60 may now incur:

·         a civil penalty of up to 600 penalty units (currently $108,000 for individuals and $540,000 for bodies corporate); or

·         a criminal penalty of up to two years’ imprisonment and/or 120 penalty units (currently $21,600 for individuals and $108,000 for bodies corporate).  The fault elements for the new criminal offences created under subsections 59(3) and 60(3) are contained in existing sections 59 and 60 – that is knowledge or recklessness.  If these fault elements are not satisfied, there will be no breach of either the civil or the criminal provisions in sections 59 or 60 (although there may still be an interference with privacy under the Privacy Act – see subsection 73(1) of the My Health Records Act).

The new criminal penalties in the My Health Records Act (and new civil penalties in the HI Act) are designed to better protect the sensitive information that can be contained in a My Health Record, and to provide a more graduated framework for responding to inappropriate behaviour that is proportional to the severity of a breach of either the My Health Record system or the HI Service.

To ensure that all aspects of the amended My Health Records Act and the HI Act are understood by participants in the My Health Record system and other affected people, it is intended that a significant communications strategy will be implemented explaining all key aspects of the new legislative arrangements, including the criminal and civil penalty provisions.

Item 89           Section 72

Section 72 reflects that the My Health Records Act operates in conjunction with the Privacy Act by specifying that any authorisation set out in the My Health Records Act to use or disclose health information is treated as an authorisation under the Privacy Act.  This ensures that any use or disclosure done in accordance with the My Health Records Act does not contravene the Privacy Act.

Section 72 does not currently refer to the collection of health information because each of the collections authorised by the My Health Records Act is already authorised by the Privacy Act.  However, to remove doubt about the extent to which actions under the My Health Records Act do not contravene the Privacy Act, item 89 amends section 72 to make clear that any authorisation in the My Health Records Act to collect health information is treated as an authorisation under the Privacy Act.

Item 90           Section 75

Section 75 currently requires that any entity that is or has been the System Operator, a registered repository operator or a registered portal operator must notify the System Operator and/or the Information Commissioner of:

·         a potential or actual unauthorised collection, use or disclosure of health information in a healthcare recipient’s My Health Record; or

·         potential or actual breach of the security or integrity of the My Health Record system.

Item 90 replaces current section 75 with a new section 75 to address ambiguities that have been identified by the System Operator in its implementation, and to centralise data breach reporting requirements for all participants in the My Health Record system.

To whom does section 75 apply?

New section 75 applies to any entity that is or has been the System Operator, a registered healthcare provider organisation, a registered repository operator, a registered portal operator, or a registered contracted service provider.  Data breach reporting is not a new obligation for registered healthcare providers organisations and registered contracted service providers – they are currently subject to a contractual requirement to report breaches as part of their participation agreement with the System Operator which will no longer be required.

What does an entity have to report?

Under new paragraph 75(1)(b) data breach reporting applies in relation to:

·         the unauthorised collection, use and disclosure of health information in an individual’s My Health Record;

·         any event that has, or may have, occurred that compromises, may compromise, has compromised or may have compromised the security or integrity of the My Health Record system; or

·         any circumstances that have, or may have arisen (whether or not involving a contravention of the Act), that compromise, may compromise, have compromised or may have compromised the security or integrity of the My Health Record system.

The drafting of paragraph 75(1)(b) clarifies that any events or circumstances that have or may have occurred or arisen do not have to also involve a contravention of the My Health Records Act.

The data breach obligation does not apply to information that is contained in, or has been downloaded from the My Health Record system into, healthcare providers’ clinical information systems.  However, data breach reporting under this section is required if healthcare providers’ clinical information systems (or acts or omissions of the healthcare provider, whether or not involving a contravention of the My Health Records Act) compromise, may compromise, have compromised or may have compromised the security or integrity of the My Health Record system.  For example if a healthcare provider’s clinical information system is infected with a virus that allows a hacker to access information in the My Health Record system using the healthcare provider’s IT or verification credentials, this will need to be reported.

It is intended that further guidance and education material will be made available in relation to reporting data breaches, including setting out examples of when data breach reporting will or will not be required.

When does an entity have to report?

There has been some uncertainty about whether the current section 75 requirement applies only to events or circumstances that currently exist or may exist in the future, or whether it also includes events or circumstances that have happened but which no longer pose a risk because they have been addressed or no longer exist.  New section 75 makes clear that data breach reporting relates to events or circumstances that have existed, currently exist or may exist in the future.  Under new section 75, even if a ‘breach’ has been resolved by a participant there will still be an obligation for the participant to report it.

Another uncertainty has arisen around whether it is necessary to notify a data breach before it is certain that a data breach has in fact occurred.  Determining whether or not a data breach has occurred can take time, particularly where advice is required.  However, it is critical that the System Operator and affected healthcare recipients be notified of a data breach so they can take any necessary action to mitigate risks they may face, or to improve the security of the My Health Record system.  For this reason new section 75 requires that relevant entities must notify the System Operator or Information Commissioner about a potential data breach.  If there is a possibility that a breach had occurred but that possibility has not yet been confirmed, a lack of certainty about whether in fact there has been a been a breach should not be a used as a reason for postponing data breach reporting and carrying out any necessary remedial actions.

An entity must report as soon as practicable after becoming aware of the contravention or event or circumstances referred to in subsection 75(1).  The meaning of “as soon as practicable” is discussed below.

What steps does the entity have to take?

Subsections 75(5) and (6) set out the steps that the entity must take depending on whether the contravention, event or circumstance:

·         may have occurred or arisen; or

·         has been confirmed as having occurred or arisen.

A.    Where the contravention, event or circumstance may have occurred or arisen (potential breach) – subsection 75(5)

Where there is a potential data breach, the entity must take steps to contain and evaluate the breach.  If there is a reasonable likelihood that a data breach has occurred and its effects may be serious for at least one healthcare recipient, then the entity must ask the System Operator to notify all healthcare recipients that would be affected (if the entity is the System Operator then it must notify all affected healthcare recipients).  The “seriousness” of each data breach should be assessed on a case by case basis and should take into consideration all the relevant circumstances.

The entity should then take some time and conduct some initial investigations to assess whether a breach has or may have occurred, however there is an expectation that this occurs within days rather than weeks or longer.

If or when the entity determines that an actual data breach occurred, and they have already given notice of the data breach, they are not required to notify affected stakeholders again but they are required to take steps to contain and evaluate the breach and mitigate its effects.

If the threshold of “a reasonable likelihood” of the contravention, event or circumstances having occurred is not reached, it is not necessary to report the breach.  However, the actions at paragraphs 75(5)(a) and (b) must still be carried out where relevant.

B.     Where the contravention, event or circumstance has occurred or arisen (confirmed breach) – subsection 75(6)

Where there is a data breach, the entity must as soon as practicable take steps to contain and evaluate the breach and notify affected healthcare recipients, and if it is a significant number of healthcare recipients, notify the general public.  Like subsection 75(5), if the entity is not the System Operator, the entity must ask the System Operator to notify affected healthcare recipients, and if necessary, the general public.  Finally, the entity must take steps to prevent or mitigate the effects of further contraventions, events or circumstances from occurring in the future.

What does “as soon as practicable” mean?

To help participants understand what is meant by the need to notify “as soon as practicable”, it is important to consider the intent of the data breach notification requirements, which is to allow the System Operator to take any steps needed to ensure information in the My Health Record is protected and, equally importantly, to allow affected healthcare recipients to take steps to minimise any risks that they may face and to ensure their information is protected to their satisfaction.  For example, if a participant in the My Health Record discovers malicious software in their IT systems that connects to the My Health Record system, and that malicious software may provide a ‘back door’ into health records in the My Health Record system, the entity would be expected to notify a data breach as soon as they discover the malicious software since it could undermine the security of the My Health Record system.

Items 91-92     Section 77

Section 77 provides that the System Operator, registered repository operators, registered portal operators and registered contracted service providers must not hold, take, process or handle My Health Record information outside Australia.  Contravention of this existing prohibition may incur a civil penalty of up to 120 penalty units (currently $21,400 for individuals and $108,000 for bodies corporate).

Consistent with the changes being made to section 59 and 60 of the My Health Records Act, and the changes to the HI Act, items 91 to 92 make amendments to provide that a contravention of section 77 may now incur:

·         a civil penalty of up to 600 penalty units (currently $108,000 for individuals and $540,000 for bodies corporate); or

·         a criminal penalty of up to two years’ imprisonment and/or 120 penalty units (currently $21,600 for individuals and $108,000 for bodies corporate).

The new criminal penalties in the My Health Records Act (and new civil penalties in the HI Act) are designed to better protect the sensitive information that can be contained in a My Health Record, and to provide a more graduated framework for responding to inappropriate behaviour that is proportional to the severity of a breach of either the My Health Record system or the HI Service.

Unlike sections 59 and 60 of the My Health Records Act, section 77 does not specify any fault elements as part of the existing civil or the new criminal penalties.  This means that the criminal offence established by item 92 triggers the application of the Criminal Code Act 1995.  As indicated by the Note, while the fault element for the offence is not expressly stated, the appropriate fault elements in section 5.6 of the Criminal Code will apply.

To ensure that all aspects of the amended My Health Records Act and the HI Act are understood by participants in the My Health Record system and other affected people, it is intended that a significant communications strategy will be implemented explaining all key aspects of the new legislative arrangements, including the criminal and civil penalty provisions.

Item 93           Section 78

Section 78 currently provides that a person who is or has been a registered repository operator or registered portal operator must not contravene the My Health Records Rules.  A person who contravenes this section may incur a civil penalty of 80 penalty units (currently $14,400 for individuals or $72,000 for bodies corporate).

As part of measures to centralise and align the obligations of all participants in the My Health Record system, and to reflect the increase to civil penalties as a result of the introduction of criminal penalties for certain provisions, item 93 replaces this section with a new section 78.

New section 78 provides that a person who is or has been at any time a registered healthcare provider organisation, a registered repository operator, a registered portal operator or a registered contracted service provider must not contravene the My Health Records Rules that apply to that person.  The civil penalty for contravention of new section 78 is 100 penalty units (currently $18,000 for individuals or $90,000 for bodies corporate).

Item 94           Parts 6 and 7

Currently, Parts 6 and 7 of the My Health Records Act set out arrangements relating to civil penalties, such as how a civil penalty order is obtained and how they relate to criminal proceedings, and provide for other enforcement measures in the form of enforceable undertakings and injunctions.

Item 94 replaces Parts 6 and 7 with a new Part 6 that triggers the equivalent provisions of the Regulatory Powers (Standard Provisions) Act 2014 (Regulatory Powers Act).  This ensures that the My Health Records Act aligns with standard Commonwealth arrangements regarding civil penalties, enforceable undertakings and injunctions.

New section 79 triggers the provisions of Part 4 of the Regulatory Powers Act which, among other things, deals with obtaining and enforcing a civil penalty order and the handling of multiple contraventions.  The Information Commissioner is an authorised applicant who may apply to a relevant court for a civil penalty order under the My Health Records Act.

New section 79 reinforces that the Crown cannot be liable to a pecuniary penalty.

New section 80 triggers the provisions of Part 6 of the Regulatory Powers Act which deals with accepting and enforcing undertakings relating to compliance with provisions.  A person may give an undertaking to take certain actions or refrain from certain actions in order to comply with the My Health Records Act.  The Information Commissioner or the Service Operator are authorised to accept and enforce undertakings for the purposes of the My Health Records Act, and publish the undertaking on their websites.

New section 81 triggers the provisions of Part 7 of the Regulatory Powers Act which deals with obtaining, imposing and discharging injunctions – for example, to prevent someone from taking an action.  The System Operator and the Information Commissioner are both authorised to apply to a relevant court for an injunction.

Since the My Health Records Act applies to Australia and each of its external territories (that is, Christmas Island, Cocos (Keeling) Islands, Ashmore and Cartier Islands, Coral Sea Islands, Heard Island and McDonald Islands, and the Australian Antarctic Territory), for the purposes of new sections 79, 80 and 81, the relevant parts of the Regulatory Powers Act will also apply to all external territories in relation to the My Health Records Act.

For the purposes of new sections 79, 80 and 81, a relevant court is the Federal Court of Australia, the Federal Circuit Court of Australia or a court of a state or territory which has the necessary jurisdiction.

Items 95-96     Section 98

Currently, section 98 provides that the System Operator may delegate his or her functions or powers to an Australian Public Service employee of the Department of Health, the Chief Executive Medicare, or another person with the Minister’s consent.

Given that the Australian Commission for eHealth is expected to become the System Operator, items 95 and 96 amend section 98 to include in addition to the above delegations,  delegations that are appropriate for when Australian Commission for eHealth becomes the System Operator.

Amended subsection 98(3) provides that if the System Operator is not the Secretary, the System Operator may delegate his or her powers or functions to an Australian Public Service employee of the Department of Health (with the Secretary’s agreement) or to the Chief Executive Medicare (with the Chief Executive Medicare’s agreement).

Delegates must comply with any written directions of the System Operator.  The Human Services (Medicare) Act 1973 permits the Chief Executive Medicare to sub-delegate to Australian Public Service employees of the Department of Human Services (or other department responsible for Medicare) any powers delegated to him or her.  Sub-delegates must also comply with any written directions of the Chief Executive Medicare.

Items 97-100   Sections 100-103

Current sections 100 to 102 of the My Health Records Act set out how the provisions of the My Health Records Act affect partnerships, unincorporated associations and trusts with multiple trustees.

Items 97 to 99 replace subsections 100(3), 101(3) and 102(3) to reflect the introduction of criminal penalties into the My Health Records Act.  These new subsections ensure that a criminal penalty that would otherwise have been committed by either a partnership, an unincorporated association or a trustee is taken to have been committed by each respective partner, member or trustee, at the time the offence was committed, who:

·         did the relevant act or made the relevant omission;

·         aided, abetted, counselled or procured the relevant act or omission; or

·         was in any way knowingly concerned in, or party to, the relevant act or omission (whether (directly or indirectly) whether by an act or omission by the relevant partner, member or trustee.

New subsections 100(4), 101(4) and 102(4) ensure that a contravention of a civil penalty provision applies in a corresponding way to the way in which they apply to an offence.

These changes align with new sections 36B, 36C and 36D in the HI Act (item 48 refers).

Item 100 repeals current section 103 which is no longer necessary due to the above changes.

Item 101         Section 107

Section 46 of the Public Governance, Performance and Accountability Act 2013 (PGPA Act) requires that Commonwealth entities prepare an annual report.

It is intended that the Australian Commission for eHealth will be established as a Commonwealth entity and will be subject to the requirements of the PGPA Act.  Therefore, both now, and in the future if the Australian Commission for eHealth takes over as System Operator, the System Operator will be subject to the reporting requirements, whether under the existing My Health Records Act or under section 46 of the PGPA Act.  As a result, it will no longer be necessary to include a separate annual report obligation  in the My Health Records Act if the Australian Commission for eHealth takes over as System Operator.

Item 101 will therefore repeal current section 107 of the My Health Records Act and replace the requirement to prepare an annual report with a requirement that the System Operator, when preparing an annual report in accordance with the PGPA Act, include in that report certain information about the My Health Record system, such as statistics about registrations and system usage.  New section 107 also provides that regulations may prescribe other matters that must be included in this annual report.

Current section 107 of the My Health Records Act will be repealed, and new section 107 will come into force, on governance restructure day.  This means that the current reporting obligation in section 107 will continue until the Australian Commission for eHealth takes over as System Operator.

Item 102         Section 108

Item 102 replaces current section 108 of the My Health Records Act with a new requirement to undertake a review of the My Health Records Act within three years of the commencement of this Bill or, if the Minister has made My Health Records Rules to apply the opt-out model nationally, within three years of the date those Rules are made.  As with the current requirement, the Minister must consult with the Ministerial Council before appointing a person to undertake this review, and the report of the review must be provided to the Ministerial Council and tabled in Parliament within 15 sitting days of the Minister receiving a copy.

Items 103-105             Section 109

Current section 109 of the My Health Records Act allows the Minister to make My Health Records Rules in relation to a variety of matters.

Subsection 109(2) currently requires that the Minister consult with the Independent Advisory Council (IAC) and Jurisdictional Advisory Committee (JAC) before making any Rules.  To reflect the abolition of JAC and IAC (see item 67) and to recognise that the Australian Commission for eHealth is proposed to soon become the System Operator, item 103 replaces subsection 109(2) with a requirement that the Minister consult with the System Operator and a subcommittee of the Ministerial Council.  In terms of this subcommittee, in practice the Minister will consult with the Australian Health Ministers’ Advisory Council.  As with current subsection 109(2), any failure to consult does not invalidate the Rules.

Item 104 establishes a new matter about which the Minister can make My Health Records Rules.  Given the new function of the System Operator to operate a test environment (item 69 refers), item 104 inserts new paragraph 109(3)(e) which allows Rules to set out requirements relating to that test environment.

Item 105 inserts new subsections 109(9), (10) and (11).

New subsection 109(9) allows the My Health Records Rules to incorporate other material which may change from time to time.  The ability to incorporate in My Health Records Rules material that may change from time to time is important to ensure that the technical standards and security of the My Health Record system are maintained in rapidly changing environments.  In particular, it is intended that some Australian standards and written security manuals issued by the System Operator may be incorporated into My Health Records Rules.

It would not be practical for the Rules to refer to such material as it exists at a particular point in time since it is likely to be subject to frequent change or may change at short notice.  Without the amendment, participants in the My Health Record system may be forced to comply with outdated requirements.  If standards and security manuals change and participants in the My Health Record system no longer comply, it may pose a security or privacy risk for the system.  New subsection 109(9) therefore ensures ongoing compliance.

In practice, the System Operator would ensure that any such material that is referenced in the My Health Records Rules is made available to affected parties for free or at a minimal cost.  Administrative arrangements would also be put in place to ensure that affected entities are given as much notice as possible of a change so they can ensure they comply with the new requirements when they take effect.  There would also be a measure of common sense applied so that if material changed suddenly and affected entities had insufficient time to comply with the new requirements, they would not be penalised immediately.

New subsections 109(10) and (11) are inserted to reflect recommendations made by the Senate to establish clear parameters about what can and cannot be dealt with in subordinate legislation, and how subordinate legislation interacts.  New subsection 109(10) clarifies that the My Health Records Rules cannot do things which are intended to be determined by Parliament through primary legislation, such as creating penalties or imposing taxes.  New subsection 109(11) provides that the My Health Records Rules are taken to be consistent with the My Health Records Regulations to the extent that they are capable of operating concurrently.  However, if any Rules cannot operate concurrently with the Regulations, the Rules do not apply to the extent of the inconsistency.

Item 106         At the end of the Act

Participation trials

The My Health Records Act currently provides that the system will operate on an opt-in basis for individuals and other entities.  This means that healthcare recipients can choose to apply to the System Operator to register for a My Health Record, and healthcare provider organisations, contracted service providers (to health provider organisations), repository operators and portal operators can choose to apply to the System Operator to be registered to participate in the system.  An opt-in system operates on the basis of the healthcare recipient’s consent for their information to be included in the My Health Record system and for that information to be shared and used for healthcare and other purposes.

As part of the Government’s response to the PCEHR Review, trials will be conducted in several regions in Australia to implement different participation arrangements for healthcare recipients, including trials of operating on an opt-out basis.  The purpose of these trials is to inform the Government on future changes to the My Health Record system to improve participation and usage, including whether to change the system to operate on an opt-out basis nationally.

Some of the other trials will involve different education and communication arrangements but will still revolve around opt-in participation by healthcare recipients, so no amendments to the My Health Records Act would be required to support these.  However, amendment to the My Health Records Act is required to enable trials (and, if necessary, national implementation) of opt-out arrangements.  These different participation models are designed to gather evidence, which will be used to improve the effectiveness of the My Health Record system, such as evidence of the education and training required and any privacy issues faced by individuals.

Opt-out system

In an opt-out system, healthcare recipients would automatically be registered for a My Health Record without the need to apply or give consent, unless they elect to opt-out.  This ability to opt-out is a privacy positive protection and allows healthcare recipients to control their own health and privacy.

In an opt-out setting, if a healthcare recipient does not choose to opt-out, they will still have an extensive range of privacy positive options for protecting the information in their My Health Record (these privacy positive options are also available for healthcare recipients who opt‑in under the current arrangements).  In summary, healthcare recipients who do not opt-out and are registered will still be able to:

·         set access controls restricting access to their My Health Record entirely or restricting access to certain information in their My Health Record;

·         request that their healthcare provider not upload certain information or documents to their My Health Record, in which case the healthcare provider will be required not to upload that information or those documents;

·         request that their Medicare data not be included in their My Health Record, in which case the Chief Executive Medicare will be required not to make the data available to the System Operator;

·         monitor activity in relation to their My Health Record using the audit log or via electronic messages alerting them that someone has accessed their My Health Record;

·         effectively remove documents from their My Health Record;

·         make a complaint if they consider there has been a breach of privacy; and

·         cancel their registration (that is, cancel their My Health Record).

In any opt-out arrangements, it is intended that healthcare recipients would be given a reasonable amount of notice before opt-out is implemented so they could learn about the My Health Record system, and would be given a reasonable amount of time to decide whether or not to opt-out.  Various methods would be made available to healthcare recipients to opt-out, for example, online, in person or by phone.

Healthcare providers, contracted service providers, repository operators and portal operators would still need to opt-in and apply for registration should they wish to participate in the My Health Record system, regardless of any opt-out arrangements for healthcare recipients.

Amendments to My Health Records Act to allow opt-out arrangements

Item 106 inserts Schedule 1 into the My Health Records Act which provides the authorisations necessary for opt-out trial regions to be selected, for the System Operator to register healthcare recipients and therefore obtain their identifying information without application or consent, for their health information to be uploaded to the My Health Record system, and for participants in the My Health Record system to use this information for healthcare and other purposes as is currently permitted under opt-in arrangements.  Further, new Schedule 1 enables opt-out to be implemented nationally should the Government decide to do so if evidence shows that the opt-out trials have demonstrated the value of adopting opt‑out arrangements.

New Part 1 of Schedule 1 provides rule-making powers for the Minister to impose opt-out participation for healthcare recipients.  Clause 1 provides that the Minister can make My Health Records Rules that will prescribe the opt‑out arrangements to a class or classes of healthcare recipients and therefore to apply the authorisations in Schedule 1 to those specified healthcare recipients.  The authorisations in this Schedule will also apply to participants in the My Health Record system in relation to their role in providing healthcare of the healthcare recipients in the trials.

These trial Rules are not required to be confined to a timeframe, however if a timeframe is specified in the Rules and the trial concludes and no decision is made to opt-out nationally or extend the trials, the system will revert to operating as it currently does and the Schedule will no longer apply.  However, a healthcare recipient registered under Schedule 1 will continue to have a My Health Record (including after the trials have finished) unless they or their representative cancel their registration under current section 51 of the Act.

In making the trial Rules under clause 1, the Minister must:

·         be satisfied that applying opt-out to the class, or classes, of healthcare recipients will provide evidence of whether the opt-out arrangements result in participation in the My Health Record system at a level that provides value to those using the My Health Record system;

·         consult with the subcommittee to the Ministerial Council.  In practice, the Australian Health Ministers’ Advisory Council will be consulted.

An administrative framework will be established for the selection of trial sites, including selection criteria, and this framework will be made public.  The selection of trial sites will not be preferential or give financial or other benefit to particular states or territories or parts of states or territories.  Rather, trial sites will be selected on the basis that a population and its health services are representative of the broader community’s characteristics and needs, and will allow evidence to be gathered enabling a decision to be made about participation arrangements, including opt-out.

Clause 2 provides that, at any point after the introduction of the opt-out trials, the Minister can make My Health Records Rules that apply the opt-out model for the whole of Australia, provided the outcomes of the opt-out trials have demonstrated the value in adopting an opt‑out model.  The trials do not need to be confined to any timeframes, and could still be in place, when the Minister decides there is enough evidence to make a decision to apply the opt-out model nationally.  In making Rules to apply the opt-out arrangements nationally, the Minister must consider the evidence of the opt-out trials and any other relevant matters.  Before the Minister can make Rules applying the opt-out arrangements nationally, the Ministerial Council must be consulted.

New Part 2 of Schedule 1 provides the authorisations necessary for the system to operate on an opt-out basis for healthcare recipients, whether it is for trial sites or nationally.

If the Minister has applied the opt-out arrangements to trial sites or nationally, it means that Part 2 applies in place of certain other provisions of the Act, such as the requirements for healthcare recipients to apply for registration and to give standing consent to the uploading of their health information (see clause 17 of Schedule 1 for more details).

Clause 3 enables the System Operator to register an eligible healthcare recipient (for eligibility, see clause 4) if satisfied that the healthcare recipient’s identity has been verified, and that the healthcare recipient has been given an appropriate opportunity to opt-out and has not chosen to do so.  If a healthcare recipient has previously cancelled their registration (and at the time of opt-out being implemented remains unregistered), the System Operator will not register the healthcare recipient, however the healthcare recipient has the opportunity to change their mind at any point and apply to be registered (see clause 6).  The System Operator must not register a healthcare recipient if doing so could compromise the security or integrity of the My Health Record system – for example, if the healthcare recipient is known by the System Operator to have previously committed fraudulent activity relating to the system.  This clause also provides that the My Health Records Rules may prescribe other circumstances in which the System Operator must not register a healthcare recipient.

Clause 4 sets out the eligibility criteria for healthcare recipients to be registered.  These are the same as those prescribed in current section 40 of the My Health Records Act.  That is, that the healthcare recipient has a healthcare identifier and the following information is available – full name, date of birth, healthcare identifier or Medicare card number or Department of Veterans’ Affairs file number, sex, and other information specified in regulations.  At this stage, there are no regulations proposed to collect any further information.  However, the regulation-making power is necessary to allow flexibility in the future if different forms of identifying information are needed for a healthcare recipient to be eligible.  Unlike current section 40 of the My Health Records Act, healthcare recipients are not required to provide this information as part of the registration process.  Rather, under the opt-out arrangements in Schedule 1, the System Operator is simply authorised to collect the information.  In practice, the System Operator will collect the information from the HI Service Operator (Chief Executive Medicare).

Clause 5 ensures that healthcare recipients can choose to opt-out.  To opt-out, a healthcare recipient will need to notify the System Operator and provide sufficient information so the System Operator can verify his or her identity.  This process is intended to be as simple as possible, using a less stringent standard of identity verification than is currently used in the registration process, as opting out poses a much lower privacy risk to healthcare recipients than to those registering.  This is intended to mitigate the risk of healthcare recipients who want to opt-out but are unable to do so or find the process too difficult.

In any opt-out arrangements, healthcare recipients will be given a reasonable opportunity to choose to opt-out.  For example, in opt-out trials there will be an advertised period for healthcare recipients to opt-out, and in a national opt-out system it may be provided as a tick‑box on an application form to register newborns or immigrants with Medicare.  It will be critical in any setting that healthcare recipients are provided as much information as possible about the My Health Record system to help them decide whether or not to opt-out, and are provided support to make that decision where necessary.

Various opt-out channels are being developed which will enable healthcare recipients in a range of circumstances to be able to opt-out.  For example, an online channel will enable healthcare recipients to opt-out themselves and their children who are under 18 years, using their Medicare card and either a driver licence, passport or Immicard.  For those without online access, with communication disabilities, or without these identity documents, other channels will be available, such as phone and in person.

If a healthcare recipient chooses to opt-out, it will have effect on the same day they notify the System Operator.  If a healthcare recipient changes their mind and wants a My Health Record, they may apply to register under clause 6.

If a healthcare recipient has been registered as part of an opt-out trial, they may choose to cancel their My Health Record at any time, and may subsequently choose to register again.

It is important to distinguish the difference between opt-out and cancellation.  Opt-out applies before a My Health Record is created – a healthcare recipient may choose to opt-out, which means a My Health Record will not be created for them and no information will have been compiled.  Cancellation applies after a My Health Record is created – a healthcare recipient may choose to cancel their My Health Record after it is created; information about the healthcare recipient will have been compiled between the time the My Health Record was created and cancelled and will be retained by the System Operator but cannot be accessed by any entity.

Clause 6 provides for those healthcare recipients subject to the opt-out model who have either opted-out, or who have previously cancelled their registration, but who subsequently change their minds and want to register for a My Health Record.  Clause 6 also allows registration in opt-out trial sites to occur immediately, should a healthcare recipient so wish, without having to wait for the pre‑determined opt-out opportunity to lapse.  For example, in the opt-out trials it may be several weeks before a My Health Record is created for healthcare recipients who choose not to opt-out.

Clause 6 allows healthcare recipients to apply to register for a My Health Record.  These arrangements reflect those already set out in Division 1 of Part 3 of the My Health Records Act, except that the healthcare recipient will not need to give consent to the uploading of their health information since this is already authorised under new Schedule 1.

New Division 2 of Schedule 1 sets out the authorisations that will operate where the opt-out model is applied.

These new authorisations largely reflect the authorisations that are already provided in the My Health Records Act at new sections 58 and 58A, except where additional authorisations are required in place of a healthcare recipient’s consent.

To help readers how these new authorisations operate, they are set out in the following table with either a reference to existing equivalent authorisations or with an explanation of why the new authorisation is required.

New section no.

Table item no.

Authorisation

Equivalent existing section number or reason for new authorisation

Including health information in a My Health Record

7

N/A

The System Operator may collect, use and disclose health information about a healthcare recipient for the purposes of including the health information in the healthcare recipient’s My Health Record.

The System Operator currently takes these actions on the basis of healthcare recipients’ implied consent.  With clause 7, the System Operator is expressly authorised.

Clause 7 is intended to be broad enough to allow for the collection, use and disclosure of third party health information, where this is to be included in a healthcare recipient’s My Health Record – for example, as part of the family medical history of the healthcare recipient.

Supporting amendments to other provisions of the My Health Records Act and the Privacy Act also help deal with, and place limits on the collection, use and disclosure of, third party information.

Clause 7 of Schedule 1 mirrors new section 58 of the My Health Records Act.

Including health information in a My Health Record

8(1)

1

The System Operator may collect, use and disclose identifying information about, or a healthcare identifier of:

·         a healthcare recipient;

·         an authorised representative;

·         a nominated representative; or

·         a healthcare provider,

for the purposes of the My Health Record system.

HI Act: 22A(2) and (3)

2

The System Operator may collect, use and disclose information relevant to whether a person is an authorised representative or nominated representative of another person, for the purposes of determining whether a person is an authorised representative or nominated representative of another person.

HI Act: 22A(3) and 22E

HI Regulations: 15

My Health Records  Act: 6 and 7 (implied)

This new item clarifies and condenses existing authorisations into an express authorisation in the My Health Records  Act that permits the System Operator in the opt-out system to collect, use and disclose information relevant to determining whether someone is an authorised or nominated representative.

This is needed to ensure that the relevant person is the authorised or nominated representative, especially when they are electing to opt-out a healthcare recipient.

3

A registered repository operator or registered portal operator may collect, use  and disclose to a participant in the My Health Record system the healthcare identifier of:

·         a healthcare recipient;

·         an authorised representative;

·         a nominated representative; or

·         a healthcare provider,

for the purposes of the My Health Record system.

HI Act: 22C

4

The HI Service Operator may collect from the System Operator, use and disclose to the System Operator information relevant to whether a person is an authorised representative or nominated representative of another person, for the purposes of assisting the System Operator to determine whether a person is an authorised representative or nominated representative of another person.

HI Act: 22E

HI Regulations: 15

My Health Records  Act: 6 and 7 (implied)

This new item clarifies and condenses existing authorisations into an express authorisation in the My Health Records  Act, that permits the HI Service Operator in the opt-out system to collect, use and disclose information relevant to determining whether someone is an authorised or nominated representative.

This is needed to ensure that the relevant person is the authorised or nominated representative, especially when they are electing to opt-out a healthcare recipient.

5

The Chief Executive Medicare may collect from the System Operator, use and disclose to the System Operator identifying information about a person who is or may be:

·         a healthcare recipient;

·         an authorised representative; or

·         a nominated representative,

for the purposes of assisting the System Operator to verify the identity of the person, or otherwise for the purposes of the My Health Record system.

My Health Records  Act: 22D and 58

While use and disclosure were previously authorised, this new clause and item clarify that the Chief Executive Medicare may collect the necessary information from the System Operator in the opt-out system, which is needed to verify the identity of the person.

6

The Chief Executive Medicare may collect from the System Operator, use and disclose to the System Operator information relevant to whether a person is an authorised representative or nominated representative of another person, for the purposes of assisting the System Operator to determine whether a person is an authorised representative or nominated representative of another person.

HI Act: 22E

HI Regulations: 15

My Health Records  Act: 6 and 7 (implied)

This new item clarifies and condenses existing authorisations into an express authorisation in the My Health Records Act, that permits the Chief Executive Medicare in the opt-out system to collect, use and disclose information relevant to determining whether someone is an authorised or nominated representative.

This is needed to ensure that the relevant person is the authorised or nominated representative, especially when they are electing to opt-out a healthcare recipient.

7

The Chief Executive Medicare may collect, use and disclose to a participant in the My Health Record system identifying information about, or a healthcare identifier of:

·         a healthcare recipient;

·         an authorised representative; or

·         a nominated representative,

if:

·         it is for the purpose of including health information in the healthcare recipient’s My Health Record; and

·         the healthcare recipient has not elected to opt‑out (and that decision is still in force).

This new authorisation is designed to allow the Chief Executive Medicare to collect, use and disclose identifying information or a healthcare identifier to include the information in the healthcare recipient’s My Health Record.  This authorisation is necessary in opt-out arrangements as it is not possible to get healthcare recipient’s consent as is the case under opt-in arrangements.

8

The Veterans’ Affairs Department and Defence Department may use and disclose to the System Operator identifying information about a person who is or may be:

·         a healthcare recipient;

·         an authorised representative; or

·         a nominated representative,

for the purposes of assisting the System Operator to verify the identity of the person.

My Health Records  Act: 58

While use and disclosure were previously authorised, this new clause and item number clarify that the Veterans’ Affairs Department or Defence Department can collect the necessary information from the System Operator, which is needed to assist the System Operator to verify the identity of the person.

9

The Veterans’ Affairs Department and Defence Department may collect from the HI Service Operator, use and disclose to a participant in the My Health Record system, identifying information about, or a healthcare identifier of:

·         a healthcare recipient;

·         an authorised representative; or

·         a nominated representative,

if:

·         it is for the purpose of including prescribed information in the healthcare recipient’s My Health Record; and

·         the healthcare recipient has not elected to opt‑out (and that decision is still in force).

This new authorisation is included to allow the Veterans’ Affairs Department or Defence Department to collect, use and disclose identifying information or a healthcare identifier for the purpose of including prescribed information in the healthcare recipient’s My Health Record.  This authorisation is necessary in opt-out arrangements as it is not possible to get healthcare recipient’s consent as is the case under opt-in arrangements.

The reference to “prescribed information” provides for the possibility that, in future, other kinds of Commonwealth agency records may be identified which may be of value to include in healthcare recipients’ My Health Records.  For example, the Departments of Defence or Veterans’ Affairs may have records about current and former service men and women that relate to health services they have received.  Regulations may be made to allow healthcare identifiers to be attached to prescribed classes of records so they can be included in the My Health Record system.

10

A prescribed entity may collect, use and disclose to another prescribed entity identifying information about a person who is or may be:

·         a healthcare recipient;

·         an authorised representative; or

·         a nominated representative,

for the purposes of assisting the System Operator to verify the identity of the person.

As part of running the My Health Record system, including verifying identities in the opt-out system, the System Operator may need to disclose identifying information about a healthcare recipient, an authorised representative or a nominated representative, and that entity will need authorisation to collect, use and disclose that information.  For example, the regulations will likely authorise the Document Verification Service (run by the Attorney-General’s Department) to collect identifying information, to help correctly identify a person seeking to opt-out of being registered. This would be necessary to ensure that the System Operator is opting out the right person.

 

The Note to this table refers readers to section 15 of the HI Act which authorises the HI Service Operator to collect, use and disclose healthcare identifiers and identifying information about healthcare recipients, authorised representatives and nominated representatives for the purposes of the My Health Record system.  This means that the HI Service Operator relies on the authorisations provided by both the HI Act and My Health Records Act to interact with the My Health Record system.

Subclause 8(2) requires that if at any time the Chief Executive Medicare, Veterans’ Affairs Department, Defence Department, HI Service Operator or a prescribed entity (item 10 of table at subclause 8(1) refers) becomes aware that the information it has provided to the System Operator has changed, the entity must notify the System Operator.  This ensures the System operator has and uses the most up-to-date information for identity verification and other My Health Record system purposes.

New Division 3 of Schedule 1 inserts new clauses 9 to 16 which mirror existing provisions in the My Health Records Act which cannot operate without consent.

New clause 9 mirrors current subsection 41(3) and (4) and new subsection 41(3A) (item 68 refers).  It authorises registered healthcare provider organisations to upload health information to a healthcare recipient’s My Health Record, which may include information about a third party, unless:

·         the healthcare recipient asks the healthcare provider organisation not to upload it; or

·         a preserved law prohibits the organisation from disclosing it without the express or written consent of the healthcare recipient.

New clauses 10 to 14 mirror current section 38 by requiring the Chief Executive Medicare to apply to become a registered repository operator, allowing the Chief Executive Medicare to include health information about a registered healthcare recipient in that repository, and allowing the Chief Executive Medicare to make this information available to the System Operator at the Chief Executive Medicare’s discretion.  This information cannot be provided to the System Operator if the healthcare recipient has instructed the Chief Executive Medicare not to do so. 

Clause 13 includes a mechanism that permits healthcare recipients registered under Schedule 1 to elect not to have Medicare information (MBS, PBS, AODR and ACIR) made available to the System Operator for inclusion in their My Health Record.  The mechanism allows healthcare recipients to change their mind about whether or not they want Medicare information included.  Under subclause 12(2), Chief Executive Medicare must comply with any election made by a healthcare recipient.

Under clause 14, information made available by the Chief Executive Medicare may include the names of healthcare providers who have provided care to the healthcare recipient.

New clause 15 makes clear that Division 3 does not limit the way the Chief Executive Medicare can operate the repository.

New clause 16 mirrors new section 50D (inserted by item 73) which provides that registered repository operators may make available to the System Operator a registered healthcare recipient’s health information for inclusion in her or his My Health Record.

New clause 17 provides that specified provisions of the My Health Records Act do not apply or are modified whenever the opt-out model is applied, either in trials or nationally, because they are replaced by clauses set out in Schedule 1, are unnecessary in an opt-out setting or require modification to operate in an opt-out setting.  For example:

·         the requirement relating to the Chief Executive Medicare’s repository in section 38 of the My Health Records  Act;

·         the provisions relating to the registration of a healthcare recipient in Part 3, Division 1 of the My Health Records  Act;

·         the provisions relating to non-discrimination in section 46 of the My Health Records  Act;

·         the authorisation for registered repository operators to upload health information under section 50D of the My Health Records  Act;

·         the authorisations for the Chief Executive Medicare, Veterans’ Affairs Department and Defence Department to use and disclose healthcare identifiers and identifying information for identity verification purposes or for the purposes of the My Health Record system, and to notify the System Operator when this information changes; and

·         the ability for the System Operator to cancel, suspend or vary and healthcare recipient’s registration under paragraphs 51(2)(d) and (e) of the My Health Records  Act on the basis that the healthcare recipient’s consent has been withdrawn or is no longer valid.

Additionally, new clause 17 clarifies that any reference to a registered healthcare recipient in the Act, includes a reference to a healthcare recipient who is registered under Part 2.

Privacy Act 1988

Items 99-101

In 2008, the Australian Law Reform Commission (ALRC) published the report For Your Information: Australian Privacy Law and Practice (ALRC Report 108), which recommended changes to the definition of health service to remove some ambiguities about what is or is not considered to be a health service.  For example, a palliative care service would generally be considered a health service, however it arguably did not meet a strict interpretation of the previous definition – that is, it would not improve the individual’s health or treat the individual’s illness.

Items 100 and 101 replace the current definition of health service with a new section 6FB which provides that a health service is an activity performed in relation to an individual that is intended or claimed (expressly or otherwise) by the individual or the person performing it:

·         to assess, maintain or improve the individual’s health.  This element of the definition is similar to current subparagraph (a)(i) of the definition of health service.  “Record” has been moved to a new paragraph in the definition – see below;

·         where the individual’s health cannot be maintained or improved – to manage the individual’s health.  This part of the definition is intended to ensure that palliative care services fall within the definition of health service, consistent with ALRC recommendations;

·         to diagnose the individual’s illness, disability or injury.  This element of the definition is similar to subparagraph (a)(ii) of the existing definition.  “Injury” has been added  consistent with the recommendations of the ALRC;

·         to treat the individual’s illness, disability or injury, or suspected illness, disability or injury.  This element of the definition is similar to subparagraph (a)(iii) of the existing definition.  Again, “injury” has been added  consistent with the recommendations of the ALRC;

·         to record the individual’s health for the purposes of assessing, maintaining, improving or managing the individual’s health.  The act of “recording” an individual’s health has been separated out (it was previously part of subparagraph (a)(i) of the definition of health service).  The reference to “record” is important for a number of reasons, including for the link it provides to authorisations as part of the My Health Records Act.  For this reason, “record” has been retained as part of the definition of health service, despite an ALRC recommendation that it be removed.

Subsection 6FB(2) is unchanged in substance from existing paragraph (b) of the definition of health service.

Subsection 6FB(3)  is intended to provide clarification, consistent with recommendations made by the ALRC, that:

·         a reference in section 6FB to an individual’s health includes the individual’s physical or psychological health;

·         an activity mentioned in subsections 6FB(1) or (2) that takes place in the course of providing aged care, palliative care or care for a person with a disability is a health service.

A regulation-making power has been included in new subsection 6FB(4) that enables regulations to be made prescribing an activity that, despite subsections 6FB(1) and (2), is not to be treated as a health service for the purposes of the Privacy Act.  This regulation-making power is designed to enable services to be excluded from the definition of health service where it considered appropriate.  The regulation-making power is consistent with the ARLC’s recommendations.

Items 99 and 101 replace the definition of health information with a new section 6FA to reflect these changes to health service.

Item 102         After subsection 16B(1)

Section 16B of the Privacy Act sets out permitted health situations in relation to the collection, use or disclosure of health information.

Item 102 of the Bill inserts subsection 16B(1A) as a new permitted health situation in the Privacy Act.  Subsection 16B(1A) is based on current Public Interest Determinations No. 12 Collection of Family, Social and Medical Histories (PID 12) and Public Interest Determinations No. 12A Collection of Family, Social and Medical Histories (PID 12A), and is designed to authorise the same things that the existing PID 12 and PID 12A authorise.

PART 2—RULE-MAKING POWERS, APPLICATION AND TRANSITION PROVISIONS

Part 2 describes how the changes set out in Part 1 of the Bill will operate and have effect and when the various changes will commence.

Item 128         Rules

Subitem 128(3) of Schedule 1 makes express provision for rules made for the purpose of subitem 128(2) to modify the operation of:

·         the Healthcare Identifiers Act 2010;

·         the Personally Controlled Electronic Health Records Act 2012;

·         the Privacy Act 1988.

This provision is likely to be regarded as a “Henry VIII clause”, in that it may allow the Minister to modify the operation of the specified Acts by making rules.  This power may result in the operation of primary legislation being expressly or impliedly amended by subordinate legislation.  In general, primary legislation should not create a power to make a legislative instrument which can modify the operation of an Act, however this clause is needed for transition purposes.  It is consistent with similar rule-making powers in other amendment Bills.

The purpose of this provision is to allow the Minister to deal with any unforseen or unintended consequences that may arise at a later date, specifically regarding the opt-out trials and the changes in governance of the System Operator to the Australian Commission for eHealth.  In particular, as it is intended that the Australian Commission for eHealth will be made under the PGPA Act and PGPA Rules at a later date, this provision is intended to help avoid any unintended consequences from this change.  The rule-making power provides legislative authority to address a range of practical situations that might arise with a transfer of functions or when a machinery of government change occurs. Where a rule is made that could potentially modify the application of an Act, which another Minister is responsible for, it is intended for those rules to be made only after that other Minister has been consulted.

Paragraph 128(4)(e) prohibits the making of rules that directly amend the text of the Act. “Directly amend” means to make an amendment that would need to be incorporated in any reprint of the Act by the Government Printer (see section 2 of the Acts Publication Act 1905).  Paragraph 128(4)(e) does not prohibit a rule that modifies the effect of a provision, such as by providing that a provision has effect as if it had been amended in a specified way, but does not make a direct amendment of any Act.

Subitem 128(4) places other restrictions on the rule-making power.

SCHEDULE 2—RENAMING PCEHR AS MY HEALTH RECORD

Schedule 2 amends the HI Act, Health Insurance Act 1973 (Health Insurance Act), National Health Act 1953 (National Health Act) and PCEHR Act to change the name of the personally controlled electronic health record to the My Health Record. 

This change is intended to recognise that a health record is the result of a partnership between a healthcare recipient and a healthcare provider.  Further, the name change reflects that it is becoming unnecessary to differentiate between digital and physical information so rather than refer to it as an eHealth record, it is simply a health record.  The personal controls available to healthcare recipients to manage access to their My Health Record will not be reduced as a result of this change.

All references to the following terms, including in definitions, headings, notes and the title of the PCEHR Act, will be changed as set out below:

·         participant in the PCEHR system becomes participant in the My Health Record system;

·         PCEHR becomes My Health Record;

·         Personally Controlled Electronic Health Records Act 2012 becomes My Health Records Act 2012;

·         PCEHR Rules becomes My Health Records Rules;

·         PCEHR system becomes My Health Record system; and

·         PCEHR System Operator becomes My Health Record System Operator.

SCHEDULE 3—RENAMING CONSUMERS AS HEALTHCARE RECIPIENTS

Schedule 3 amends the Health Insurance Act, National Health Act and My Health Records Act to change all references from “consumer” to “healthcare recipient”, including those in definitions and headings.  This change reflects the same language used in the HI Act, helping further align the two Acts.

SCHEDULE 4—FURTHER CONSEQUENTIAL AMENDMENTS

Part 1 of Schedule 4 amends the reference to the “Legislative Instrument Act 2003” in the My Health Records Act to the new name of Legislation Act 2003.

Part 2 of Schedule 4 amends parts of section 131 of the Health Insurance Act.  Item 2 in Part 2 amends subsection 131(1) of the Health Insurance Act by omitting “or the Healthcare Identifiers Act 2010” and substituting “or instruments made under this Act”.  Item 3 in Part 2 amends subsection 131(2) of the Health Insurance Act by inserting “or an instrument under which the power exists” after “this Act”.  These amendments are designed to clarify when the Minister, the Secretary and the Chief Executive Medicare may delegate their powers.



[1] Australian Government’s 2010 Intergenerational Report

[2] Aus NZ Health Policy 2009, Roughead et al.

[3] JAMA 2005, Smith et al.

[4] Health Affairs 2012, McCormick et al.

[5] This assumes that, over 12 months, there would be a 150% increase to the registrations achieved by the two month Medicare For All campaign.

[6] Research by McKinsey & Company, 2014.  This research was undertaken on publicly available information and input from selected expert interviews on prominent examples of electronic health record systems around the world at different stages of evolution.  The systems that operate on an opt-out basis use opt-out mechanisms that are comparable to those that would likely be used in the PCEHR system.

[7] Research by McKinsey & Company, 2014.  This research was undertaken on publicly available information and input from selected expert interviews on prominent examples of electronic health record systems around the world at different stages of evolution.  The systems that operate on an opt-out basis use opt-out mechanisms that are comparable to those that would likely be used in the PCEHR system.

[8] Advice provided by Department of Human Services which manages the individual registration process

[9] Figure provided by the Office of Best Practice Regulation

[10] Based on current registration rates, it is expected that about 500,000 individuals will register each year.

[11] Advice provided by Department of Human Services which manages the individual registration process

[12] Figure provided by the Office of Best Practice Regulation

[13] Based on current registration rates, it is expected that about 500,000 individuals will register each year.

[14] The opt-out process has not been decided but is expected to be much simpler than the registration process since it will not require the same extent of identity verification because there is a significant lower risk of privacy breach.

[15] Figure provided by Office of Best Practice Regulation

[16] Based on an annual opt-out rate of 1% of population – 230,000 in year 1; 1% of population growth (assume 2%) from year 2

[17] This is expected to closely follow the identity verification undertaken in the current registration process so the current average registration time has been adopted.

[18] Figure provided by the Office of Best Practice Regulation

[19] Based on current access rates, it is expected that about 10% of the population with PCEHRs would seek to get access to their PCEHR (27.14 million less 271,400 who opt out).

[20] This takes into account a $100,000 salary plus other operating labour costs and overheads.

[21] Based on current assisted registration rates, about 50 individuals register through assisted registration per day. 

[22] This takes into account a $100,000 salary plus other operating labour costs and overheads.

[23] Based on current registration rates, about 1,200 healthcare provider organisations will register each year.  In an opt-out system it estimated an additional 20 per cent (240) organisations will register each year.

[24] Advice provided by Department of Human Services which manages the individual registration process

[25] Figure provided by the Office of Best Practice Regulation

[26] Based on current registration rates, it is expected that about 500,000 individuals will register each year which represents about 2.2% of the population.  By applying this percentage to the 1,000,000 individuals to be part of the trials, it is expected that 22,000 individuals would otherwise register.

[27] The opt-out process has not been decided but is expected to be much simpler than the registration process since it will not require the same extent of identity verification because there is a significant lower risk of a privacy breach.

[28] Figure provided by Office of Best Practice Regulation

[29] Based on 1 million individuals being opted in, minus 1% who choose to opt out

[30] This is expected to closely follow the identity verification undertaken in the current registration process so the current average registration time has been adopted.

[31] Figure provided by the Office of Best Practice Regulation

[32] Based on 990,000 individuals having a PCEHR

[33] This takes into account a $100,000 salary plus other operating labour costs and overheads.

[34] Until the trial regions are selected it is not possible to quantify how many additional organisations are likely to register so for the purpose of this proposal it is estimated that 50 additional organisations would register.

[35] As of September 2015, section 4AA of the Crimes Act 1914 provides that a penalty unit is $180.  This amount will be indexed according to the Consumer Price Index in July every three years from 2018.