Federal Register of Legislation - Australian Government

Primary content

Healthcare Identifiers Act 2010

Authoritative Version
  • - C2016C00366
  • In force - Superseded Version
  • View Series
Act No. 72 of 2010 as amended, taking into account amendments up to Acts and Instruments (Framework Reform) (Consequential Provisions) Act 2015
An Act to provide for healthcare identifiers, and for related purposes
Administered by: Health
Registered 27 Apr 2016
Start Date 05 Mar 2016
End Date 30 Jun 2016

Healthcare Identifiers Act 2010

No. 72, 2010

Compilation No. 11

Compilation date:                              5 March 2016

Includes amendments up to:            Act No. 157, 2015

Registered:                                         27 April 2016

 

 

 

 

 

 

 

 

This compilation includes commenced amendments made by Act No. 126, 2015

About this compilation

This compilation

This is a compilation of the Healthcare Identifiers Act 2010 that shows the text of the law as amended and in force on 5 March 2016 (the compilation date).

The notes at the end of this compilation (the endnotes) include information about amending laws and the amendment history of provisions of the compiled law.

Uncommenced amendments

The effect of uncommenced amendments is not shown in the text of the compiled law. Any uncommenced amendments affecting the law are accessible on the Legislation Register (www.legislation.gov.au). The details of amendments made up to, but not commenced at, the compilation date are underlined in the endnotes. For more information on any uncommenced amendments, see the series page on the Legislation Register for the compiled law.

Application, saving and transitional provisions for provisions and amendments

If the operation of a provision or amendment of the compiled law is affected by an application, saving or transitional provision that is not included in this compilation, details are included in the endnotes.

Editorial changes

For more information about any editorial changes made in this compilation, see the endnotes.

Modifications

If the compiled law is modified by another law, the compiled law operates as modified but the modification does not amend the text of the law. Accordingly, this compilation does not show the text of the compiled law as modified. For more information on any modifications, see the series page on the Legislation Register for the compiled law.

Self‑repealing provisions

If a provision of the compiled law has been repealed in accordance with a provision of the law, details are included in the endnotes.

  

  

  

  


Contents

Part 1—Preliminary                                                                                                             1

1............ Short title............................................................................................. 1

2............ Commencement................................................................................... 1

3............ Purpose of this Act............................................................................. 1

3A......... Simplified outline of this Act.............................................................. 1

4............ Act to bind the Crown......................................................................... 2

4A......... External Territories.............................................................................. 2

5............ Definitions.......................................................................................... 2

6............ Identity of service operator.................................................................. 8

7............ Meaning of identifying information..................................................... 9

8............ Meaning of national registration authority....................................... 10

Part 2—Assigning healthcare identifiers                                                               11

9AA...... Simplified outline of this Part............................................................ 11

9............ Assigning healthcare identifiers........................................................ 12

9A......... Classes of healthcare provider that may be assigned a healthcare identifier by the service operator         13

9B......... Information that may be requested before assigning healthcare identifiers               17

9C......... Review of decision not to assign a healthcare identifier.................... 18

10.......... Service operator must keep record of healthcare identifiers etc......... 19

Part 3—Collection, use and disclosure of healthcare identifiers, identifying information and other information                                                                                                           20

Division 1—Simplified outline of this Part                                                       20

11.......... Simplified outline of this Part............................................................ 20

Division 2—Healthcare recipients                                                                       22

12.......... Collection, use and disclosure—assigning a healthcare identifier to a healthcare recipient       22

13.......... Collection, use and disclosure—establishing and maintaining a record of healthcare identifiers for healthcare recipients.......................................................................................................... 23

14.......... Collection, use and disclosure—providing healthcare to a healthcare recipient         24

15.......... Collection, use and disclosure—My Health Record system.............. 27

16.......... Collection, use and disclosure—aged care........................................ 28

17.......... Adopting the healthcare identifier of a healthcare recipient etc.......... 29

18.......... Disclosure of the healthcare identifier of a healthcare recipient to the healthcare recipient etc.  30

19.......... Other information relating to the healthcare identifier of a healthcare recipient may be disclosed by the service operator.......................................................................................................... 30

20.......... Regulations relating to the healthcare identifier and identifying information of a healthcare recipient etc.                31

Division 3—Healthcare providers                                                                       33

21.......... Collection, use and disclosure—assigning a healthcare identifier to a healthcare provider       33

22.......... Collection, use and disclosure—establishing and maintaining a record of healthcare identifiers for healthcare providers.......................................................................................................... 34

23.......... Collection, use and disclosure—providing healthcare....................... 35

24.......... Collection, use and disclosure—My Health Record system.............. 37

25.......... Collection, use and disclosure—enabling authentication in electronic communications            37

25A....... Collection, use and disclosure—sharing information with registration authorities   38

25B....... Adopting the healthcare identifier of a healthcare provider................ 40

25C....... Disclosure of the healthcare identifier of a healthcare provider to the healthcare provider        40

25D....... Regulations relating to the healthcare identifier and other information of a healthcare provider                41

25E........ Obligation to keep information accurate, up‑to‑date and complete.... 42

Division 4—Unauthorised use and disclosure of healthcare identifiers and other information obtained under this Act                                                                                       44

26.......... Use and disclosure of healthcare identifiers and other information obtained under this Act     44

Division 5—Protection of healthcare identifiers                                          47

27.......... Protection of healthcare identifiers.................................................... 47

Part 4—Interaction with the Privacy Act 1988                                                  48

28AA.... Simplified outline of this Part............................................................ 48

28.......... Interaction with the Privacy Act 1988................................................ 48

29.......... Functions of Information Commissioner.......................................... 48

30.......... Annual reports by Information Commissioner.................................. 49

Part 5—Healthcare Provider Directory                                                                 50

31AA.... Simplified outline of this Part............................................................ 50

31.......... Healthcare Provider Directory........................................................... 50

31A....... Healthcare Provider Directory—sharing information with the My Health Record System Operator       51

Part 5A—Enforcement                                                                                                     53

31B....... Simplified outline of this Part............................................................ 53

31C....... Civil penalty provisions.................................................................... 53

31D....... Enforceable undertakings.................................................................. 54

31E........ Injunctions........................................................................................ 55

Part 6—Oversight role of Ministerial Council                                                    57

31F........ Simplified outline of this Part............................................................ 57

32.......... Directions to service operator............................................................ 57

33.......... Consultation with Ministerial Council about regulations................... 57

34.......... Annual reports by service operator................................................... 57

35.......... Review of the operation of this Act................................................... 58

Part 7—Miscellaneous                                                                                                       59

Division 1—Simplified outline of this Part                                                       59

36AA.... Simplified outline of this Part............................................................ 59

Division 2—Employees, contractors, partnerships, unincorporated associations and trusts    60

36.......... Extent of authorisation...................................................................... 60

36A....... Authorisation to disclose to employees and contracted service providers of a healthcare provider           61

36B....... Treatment of partnerships.................................................................. 61

36C....... Treatment of unincorporated associations......................................... 62

36D....... Treatment of trusts with multiple trustees.......................................... 62

Division 3—Delegations                                                                                            64

36E........ Delegations by the service operator................................................... 64

Division 4—Constitutional matters                                                                     65

37.......... Relationship to State and Territory laws............................................ 65

38.......... Severability—additional effect of Parts 3 and 4................................ 66

Division 5—Regulations                                                                                            69

39.......... Regulations....................................................................................... 69

Endnotes                                                                                                                                    70

Endnote 1—About the endnotes                                                                            70

Endnote 2—Abbreviation key                                                                                72

Endnote 3—Legislation history                                                                             73

Endnote 4—Amendment history                                                                           75


An Act to provide for healthcare identifiers, and for related purposes

Part 1Preliminary

  

1  Short title

                   This Act may be cited as the Healthcare Identifiers Act 2010.

2  Commencement

                   This Act commences on the day after this Act receives the Royal Assent.

3  Purpose of this Act

             (1)  The purpose of this Act is to provide a way of ensuring that an entity that provides, or an individual who receives, healthcare is correctly matched to health information that is created when healthcare is provided.

             (2)  This purpose is to be achieved by assigning a unique identifying number to each healthcare provider and healthcare recipient.

3A  Simplified outline of this Act

Under this Act, healthcare identifiers are assigned to healthcare recipients, individual healthcare providers and healthcare provider organisations.

There are strict rules on:

       (a)     the verification of a person’s identity before a healthcare identifier is assigned; and

      (b)     the purposes for which a healthcare identifier can be collected, used and disclosed; and

       (c)     the purposes for which the identifying information of a healthcare recipient, a healthcare provider or a healthcare provider organisation can be collected, used and disclosed.

This Act facilitates the use of the healthcare identifier for the purposes of communicating and managing health information about a healthcare recipient (including through the My Health Record system).

This Act also facilitates:

       (a)     the creation of a Healthcare Provider Directory, to allow healthcare providers to check the professional and business details of healthcare providers; and

      (b)     the use of authenticated electronic communications by healthcare providers.

4  Act to bind the Crown

             (1)  This Act binds the Crown in right of the Commonwealth, of the States, of the Australian Capital Territory, of the Northern Territory and of Norfolk Island.

Note:          The Minister must, in certain circumstances, declare that certain provisions of this Act do not apply to the public bodies of a specified State or Territory: see subsection 37(4).

             (2)  This Act does not make the Crown liable to be prosecuted for an offence.

4A  External Territories

                   This Act extends to every external Territory.

5  Definitions

                   In this Act:

aged care, in relation to a person, has the same meaning as in:

                     (a)  if the Aged Care Act 1997 applies in relation to the person—that Act; and

                     (b)  if the Aged Care (Transitional Provisions) Act 1997 applies in relation to the person—that Act.

Aged Care Department means the Department administered by the Aged Care Minister.

Aged Care Minister means the Minister administering the Aged Care Act 1997.

aged care purpose means:

                     (a)  the purpose of enabling the Aged Care Department to create and maintain a record about aged care provided to a person by an approved provider (within the meaning of the Aged Care Act 1997); or

                     (b)  the purpose of the Aged Care Department verifying the identity of a person who is receiving, or who is to receive, aged care.

Australian Childhood Immunisation Register means the Australian Childhood Immunisation Register kept under Part 2 of the Australian Immunisation Register Act 2015.

Australian law has the same meaning as in the Privacy Act 1988.

authorised representative of a healthcare recipient has the same meaning as in the My Health Records Act 2012.

Chief Executive Medicare has the same meaning as in the Human Services (Medicare) Act 1973.

civil penalty provision has the same meaning as in the Regulatory Powers Act.

contracted service provider, of a healthcare provider, means an entity that provides:

                     (a)  information technology services relating to the communication of health information; or

                     (b)  health information management services;

to the healthcare provider under a contract with the healthcare provider.

court/tribunal order has the same meaning as in the Privacy Act 1988.

date of birth accuracy indicator means a data element that is used to indicate how accurate a recorded date of birth is.

date of death accuracy indicator means a data element that is used to indicate how accurate a recorded date of death is.

Defence Department means the Department that:

                     (a)  deals with matters arising under section 1 of the Defence Act 1903; and

                     (b)  is administered by the Minister who administers that section.

employee, of an entity, includes:

                     (a)  an individual who provides services for the entity under a contract for services; or

                     (b)  an individual whose services are made available to the entity (including services made available free of charge).

entity means:

                     (a)  a person; or

                     (b)  a partnership; or

                     (c)  any other unincorporated association or body; or

                     (d)  a trust; or

                     (e)  a part of another entity (under a previous application of this definition).

healthcare means health service within the meaning of subsection 6(1) of the Privacy Act 1988.

healthcare identifier has the meaning given by section 9.

healthcare provider means:

                     (a)  an individual healthcare provider; or

                     (b)  a healthcare provider organisation.

Healthcare Provider Directory has the meaning given by subsection 31(1).

healthcare provider organisation means an entity, or a part of an entity, that has conducted, conducts, or will conduct, an enterprise that provides healthcare (including healthcare provided free of charge).

Example:    A public hospital, or a corporation that runs a medical centre.

healthcare recipient means an individual who has received, receives, or may receive, healthcare.

health information has the meaning given by subsection 6(1) of the Privacy Act 1988.

Human Research Ethics Committee has the meaning given by:

                     (a)  the National Statement on Ethical Conduct in Human Research issued in March 2007 by the Chief Executive Officer of the National Health and Medical Research Council under the National Health and Medical Research Council Act 1992; or

                     (b)  if that Statement is amended—that Statement as amended.

Note:          In 2010, the text of the Statement was accessible through the National Health and Medical Research Council website (www.nhmrc.gov.au).

identified healthcare provider means a healthcare provider who has been assigned a healthcare identifier under section 9.

identifying information has the meaning given by section 7.

individual healthcare provider means an individual who:

                     (a)  has provided, provides, or is to provide, healthcare; or

                     (b)  is registered by a registration authority as a member of a particular health profession.

law includes:

                     (a)  an Act or legislative instrument; or

                     (b)  an Act or legislative instrument of a State or Territory.

linked: an individual healthcare provider is linked to a healthcare provider organisation if:

                     (a)  the individual healthcare provider is an employee of the healthcare provider organisation; or

                     (b)  the healthcare provider organisation provides support services or facilities to the individual healthcare provider, to facilitate the provision of healthcare by the individual healthcare provider.

Ministerial Council means the council (however described) established by the Council of Australian Governments that has responsibility for health matters.

My Health Record has the same meaning as in the My Health Records Act 2012.

My Health Records Act means the My Health Records Act 2012.

My Health Record system has the same meaning as in the My Health Records Act 2012.

My Health Record System Operator means the System Operator within the meaning of the My Health Records Act 2012.

national registration authority has the meaning given by section 8.

network of healthcare provider organisations has the meaning given by subsection 9A(4).

network organisation within a network has the meaning given by subsection 9A(6).

nominated representative of a healthcare recipient has the same meaning as in the My Health Records Act 2012.

organisation maintenance officer for a healthcare provider organisation has the meaning given by subsection 9A(8).

participant in the My Health Record system has the same meaning as in the My Health Records Act 2012.

personal information has the same meaning as in the Privacy Act 1988.

professional association means an organisation that:

                     (a)  is a separate legal entity under a law of the Commonwealth or a State or Territory; and

                     (b)  has the following characteristics:

                              (i)  its members practise the same healthcare profession;

                             (ii)  it has enough membership to be considered representative of the healthcare profession practised by its members;

                            (iii)  it sets its own admission requirements, including acceptable qualifications;

                            (iv)  it sets and publishes standards of practice and ethical conduct;

                             (v)  it aims to maintain the standing of the healthcare profession practised by its members;

                            (vi)  it has written rules, articles of association, by‑laws or codes of conduct for its members;

                           (vii)  it has the ability to impose sanctions on members who contravene the association’s written rules, articles of association, by‑laws or codes of conduct;

                          (viii)  it sets requirements to maintain its members’ professional skills and knowledge by continuing professional development; and

                     (c)  has members who:

                              (i)  may take part in decisions affecting their profession; and

                             (ii)  have the right to vote at meetings of the association; and

                            (iii)  have the right to be recognised as being members of the professional association.

registration authority means an entity that is responsible under a law for registering members of a particular health profession.

registered portal operator has the same meaning as in the My Health Records Act 2012.

registered repository operator has the same meaning as in the My Health Records Act 2012.

Regulatory Powers Act means the Regulatory Powers (Standard Provisions) Act 2014.

responsible officer for a healthcare provider organisation has the meaning given by subsection 9A(7).

retirement, for a healthcare provider organisation’s healthcare identifier, means a state imposed by the service operator on the healthcare identifier so that it may no longer be used by the healthcare provider organisation to identify the healthcare provider organisation.

seed organisation for a network has the meaning given by subsection 9A(5).

service operator has the meaning given by section 6.

sole practitioner means a person who is both an individual healthcare provider and a healthcare provider organisation.

State or Territory authority has the meaning given by the Privacy Act 1988.

under this Act includes under the regulations.

Veterans’ Affairs Department means the Department that:

                     (a)  deals with matters arising under:

                              (i)  section 1 of the Australian Participants in British Nuclear Tests (Treatment) Act 2006; or

                             (ii)  section 1 of the Military Rehabilitation and Compensation Act 2004; or

                            (iii)  section 1 of the Veterans’ Entitlements Act 1986; and

                     (b)  is administered by the Minister who administers that section.

6  Identity of service operator

                   The service operator is:

                     (a)  the Chief Executive Medicare; or

                     (b)  if a body established by a law of the Commonwealth is prescribed by the regulations to be the service operator—that body.

Note:          Section 33 provides that the Minister must consult with the Ministerial Council before making regulations.

7  Meaning of identifying information

             (1)  Each of the following is identifying information of a healthcare provider who is an individual, if the service operator requires it for the purpose of performing the service operator’s functions under this Act in relation to the healthcare provider:

                     (a)  the name of the healthcare provider;

                     (b)  the address of the healthcare provider;

                   (ba)  the email address, telephone number and fax number of the healthcare provider;

                     (c)  the date of birth, and the date of birth accuracy indicator, of the healthcare provider;

                     (d)  the sex of the healthcare provider;

                     (e)  the type of healthcare provider that the individual is;

                      (f)  if the healthcare provider is registered by a registration authority—the registration authority’s identifier for the healthcare provider and the status of the registration (such as conditional, suspended or cancelled);

                     (g)  other information that is prescribed by the regulations for the purpose of this paragraph.

             (2)  Each of the following is identifying information of a healthcare provider that is not an individual, if the service operator requires it for the purpose of performing the service operator’s functions under this Act in relation to the healthcare provider:

                     (a)  the name of the healthcare provider;

                     (b)  the address of the healthcare provider;

                   (ba)  the email address, telephone number and fax number of the healthcare provider;

                     (c)  if applicable, the ABN (within the meaning of the A New Tax System (Australian Business Number) Act 1999) of the healthcare provider;

                     (d)  if applicable, the ACN (within the meaning of the Corporations Act 2001) of the healthcare provider;

                     (e)  other information that is prescribed by the regulations for the purpose of this paragraph.

             (3)  Each of the following is identifying information of a healthcare recipient, if the service operator requires it for the purpose of performing the service operator’s functions under this Act in relation to the healthcare recipient:

                     (a)  if applicable, the Medicare number of the healthcare recipient;

                     (b)  if applicable, the Veterans’ Affairs Department file number of the healthcare recipient;

                     (c)  the name of the healthcare recipient;

                     (d)  the address of the healthcare recipient;

                     (e)  the date of birth, and the date of birth accuracy indicator, of the healthcare recipient;

                      (f)  the sex of the healthcare recipient;

                     (g)  for a healthcare recipient who was part of a multiple birth—the order in which the healthcare recipient was born;

Example: The 2nd of twins.

                     (h)  if applicable, the date of death, and the date of death accuracy indicator, of the healthcare recipient;

                      (i)  other information that is prescribed by the regulations for the purpose of this paragraph.

8  Meaning of national registration authority

                   A national registration authority is a registration authority that is prescribed by the regulations for the purposes of this section.

Part 2Assigning healthcare identifiers

  

9AA  Simplified outline of this Part

Healthcare identifiers are assigned to healthcare recipients, individual healthcare providers and healthcare provider organisations.

The service operator assigns healthcare identifiers to healthcare recipients. A national registration authority will usually assign a healthcare identifier to an individual healthcare provider, although there are a number of cases in which a healthcare provider is not registered by such an authority. In those cases, the healthcare identifier is assigned by the service operator. The service operator assigns a healthcare identifier to a healthcare provider organisation.

For a healthcare provider organisation to be assigned a healthcare identifier, the organisation must have at least one employee who is an individual healthcare provider providing healthcare as part of his or her duties, a responsible officer and an organisation maintenance officer. The responsible officer may also be the organisation maintenance officer. If the organisation is part of, or subordinate to, another healthcare provider organisation, it need not have its own responsible officer.

A sole practitioner may be registered as a healthcare provider organisation.

If the service operator refuses to assign a healthcare identifier, a person whose interests are affected by the decision may ask the service operator to reconsider the decision. A person may apply to the Administrative Appeals Tribunal for review of the service operator’s reconsidered decision.

The service operator must keep a record of the healthcare identifiers assigned, and other information relating to the healthcare identifiers including details of requests to the service operator to disclose a healthcare identifier.

9  Assigning healthcare identifiers

             (1)  The service operator is authorised to assign a number (a healthcare identifier) to uniquely identify:

                     (a)  a healthcare provider to whom section 9A applies; or

                     (b)  a healthcare recipient.

             (2)  A national registration authority is authorised to assign a number (a healthcare identifier) to uniquely identify a healthcare provider, if:

                     (a)  the healthcare provider is an individual who is a member of a particular health profession; and

                     (b)  the national registration authority is responsible under a law for registering members of that health profession.

             (3)  The types of healthcare identifiers include:

                     (a)  an identifier that is assigned to an individual healthcare provider; and

                     (b)  an identifier that is assigned to a healthcare provider organisation; and

                     (c)  an identifier that is assigned to a healthcare recipient.

Note:          A sole practitioner may be assigned:

(a)    a healthcare identifier of the type mentioned in paragraph (3)(a); and

(b)    a different healthcare identifier of the type mentioned in paragraph (3)(b).

             (4)  In exercising a power under subsection (1), the service operator is not required to consider whether a healthcare provider or healthcare recipient agrees to having a healthcare identifier assigned to the healthcare provider or healthcare recipient.

             (6)  A healthcare identifier of a healthcare recipient or of an individual healthcare provider is a government related identifier for the purposes of the Privacy Act 1988.

9A  Classes of healthcare provider that may be assigned a healthcare identifier by the service operator

Healthcare identifiers for individual healthcare providers

             (1)  The service operator may, under paragraph 9(1)(a), assign a healthcare identifier to an individual healthcare provider if:

                     (a)  the individual healthcare provider is registered by a registration authority as a member of a health profession; or

                     (b)  the individual healthcare provider is a member of a professional association that:

                              (i)  relates to the healthcare that has been, is, or is to be, provided by the member; and

                             (ii)  has uniform national membership requirements, whether or not in legislation.

Healthcare identifiers for a healthcare provider organisation that is a seed organisation, or is not part of a network

             (2)  The service operator may, under paragraph 9(1)(a), assign a healthcare identifier to a healthcare provider organisation that is a seed organisation for a network, or that is not part of a network, if:

                     (a)  at least one of the employees of the organisation is an individual who:

                              (i)  is an identified healthcare provider; and

                             (ii)  provides healthcare as part of his or her duties; and

                     (b)  one, and only one of the employees of the organisation is the responsible officer for the organisation; and

                     (c)  either:

                              (i)  the organisation has at least one other employee who is an organisation maintenance officer for the organisation; or

                             (ii)  the responsible officer for the organisation is also the organisation maintenance officer for the organisation.

Healthcare identifiers for network organisations

             (3)  The service operator may, under paragraph 9(1)(a), assign a healthcare identifier to a healthcare provider organisation that is a network organisation within a network if:

                     (a)  the seed organisation for the network:

                              (i)  has been assigned a healthcare identifier that has not been retired; and

                             (ii)  does not object to the network organisation being assigned a healthcare identifier under this subsection; and

                     (b)  the responsible officer for the seed organisation for the network is also the responsible officer for every network organisation within the network; and

                     (c)  there is an organisation maintenance officer for the network organisation; and

                     (d)  the organisation maintenance officer for the network organisation is:

                              (i)  an employee of the network organisation (the first network organisation); or

                             (ii)  an employee of the seed organisation for the network; or

                            (iii)  an employee of another network organisation within the network that is hierarchically superior to the first network organisation.

What is a network of healthcare provider organisations?

             (4)  A network of healthcare provider organisations is a group of healthcare provider organisations each of which satisfies one of the following criteria:

                     (a)  the healthcare provider organisation is part of, or subordinate to, another healthcare provider organisation within the group;

                     (b)  another healthcare provider organisation within the group is part of, or subordinate to, the healthcare provider organisation.

What is the seed organisation for a network?

             (5)  A healthcare provider organisation is the seed organisation for a network if:

                     (a)  there is at least one other healthcare provider organisation that is part of, or subordinate to, the organisation; and

                     (b)  the organisation is not itself part of, or subordinate to, another healthcare provider organisation.

What is a network organisation within a network?

             (6)  A healthcare provider organisation is a network organisation within a network if it is part of, or subordinate to, another healthcare provider organisation within the network.

Responsible officers

             (7)  A person is the responsible officer for a healthcare provider organisation if the duties of the person include the following:

                     (a)  nominating the organisation maintenance officer or officers for the organisation to the service operator;

                     (b)  requesting the assignment or retirement of a healthcare identifier for the organisation;

                     (c)  if there is a network organisation of the organisation:

                              (i)  nominating the organisation maintenance officer for the network organisation to the service operator; and

                             (ii)  requesting the assignment or retirement of a healthcare identifier for the network organisation;

                     (d)  if the organisation is part of a merger or acquisition—requesting the merger or reconfiguration of a healthcare identifier for the organisation.

Organisation maintenance officers

             (8)  A person is an organisation maintenance officer for a healthcare provider organisation if the duties of the person include the following:

                     (a)  nominating to the service operator at least one additional person to be an organisation maintenance officer of the organisation, if required;

                     (b)  maintaining information that is held by the service operator about the organisation;

                     (c)  providing current details to the service operator about the organisation for inclusion in the Healthcare Provider Directory;

                     (d)  providing any other information requested by the service operator about the organisation for which the organisation maintenance officer is responsible;

                     (e)  if the organisation (the seed organisation) has a network organisation:

                              (i)  nominating to the service operator another person who meets the employment criteria in paragraph (3)(d) to be the organisation maintenance officer for the network organisation—either on the initiative of the seed organisation or if required by the service operator to do so;

                             (ii)  requesting the assignment or retirement of a healthcare identifier for the network organisation;

                            (iii)  maintaining information that is held by the service operator about the network organisation;

                            (iv)  providing current details to the service operator about the network organisation for inclusion in the Healthcare Provider Directory;

                             (v)  providing any other information requested by the service operator about the network organisation for which the organisation maintenance officer is responsible;

                            (vi)  if the network organisation is part of a merger or acquisition—requesting the merger or reconfiguration of a healthcare identifier for the organisation.

Sole practitioners

             (9)  The service operator may assign a healthcare identifier under paragraph 9(1)(a) to a healthcare provider organisation that is a sole practitioner even though subsection (2) is not satisfied, if the sole practitioner:

                     (a)  provides healthcare as part of his or her duties; and

                     (b)  performs the duties of a responsible officer and organisation maintenance officer.

Duties of the responsible officer performed by another person

           (10)  For the purposes of subsection (7), a person does not cease to be a responsible officer for a healthcare provider organisation if a duty mentioned in subsection (7) is performed by another employee of the organisation on behalf of the person.

9B  Information that may be requested before assigning healthcare identifiers

             (1)  The service operator may request an individual healthcare provider to provide the following information before assigning the healthcare provider a healthcare identifier:

                     (a)  identifying information of the healthcare provider;

Note:       Identifying information is defined in section 7.

                     (b)  information that shows that section 9A applies to the healthcare provider.

             (2)  The service operator may request a healthcare provider organisation to provide the following information before assigning the healthcare provider a healthcare identifier:

                     (a)  identifying information of the healthcare provider;

Note:       Identifying information is defined in section 7.

                     (b)  information that shows that section 9A applies to the healthcare provider;

                     (c)  information identifying the healthcare provider’s responsible officer and organisation maintenance officer, including the person’s name, work address, work email address, work telephone number or work fax number.

             (3)  The healthcare provider must give the information in any form requested by the service operator.

Example:    A healthcare provider may be asked for original documentation, or for the information to be given in writing or in a statutory declaration.

             (4)  If the service operator is not satisfied by the information given, it does not have to assign a healthcare identifier to the healthcare provider.

9C  Review of decision not to assign a healthcare identifier

             (1)  This section applies to a decision by the service operator not to assign a healthcare identifier to a healthcare provider under paragraph 9(1)(a).

Note:          This section does not apply to a decision to assign a healthcare identifier to a healthcare recipient under paragraph 9(1)(b), or a decision by a national registration authority not to assign a healthcare identifier to an individual healthcare provider under subsection 9(2).

             (2)  The service operator must give written notice of the decision to a person whose interests are affected by the decision, including a statement:

                     (a)  that the person may apply to the service operator to reconsider the decision; and

                     (b)  of the person’s rights to seek review under subsection (8) of a reconsidered decision.

             (3)  A failure of the service operator to comply with subsection (2) does not affect the validity of the decision.

             (4)  A person whose interests are affected by the decision may, by written notice to the service operator within 28 days after receiving notice of the decision, ask the service operator to reconsider the decision.

             (5)  A request under subsection (4) must mention the reasons for making the request.

             (6)  The service operator must:

                     (a)  reconsider the decision within 28 days after receiving the request; and

                     (b)  give to the person who requested the reconsideration written notice of the result of the reconsideration and of the grounds for the result.

             (7)  The notice must include a statement that the person may apply to the Administrative Appeals Tribunal for review of the reconsideration.

             (8)  A person may apply to the Administrative Appeals Tribunal for a review of a decision of the service operator made under subsection (6).

10  Service operator must keep record of healthcare identifiers etc.

                   The service operator must establish and maintain an accurate record of:

                     (a)  healthcare identifiers that have been assigned; and

                     (b)  the information that the service operator has that relates to those healthcare identifiers, including details of requests made to the service operator for the service operator to disclose those healthcare identifiers under Division 2 or 3 of Part 3.

Part 3Collection, use and disclosure of healthcare identifiers, identifying information and other information

Division 1Simplified outline of this Part

11  Simplified outline of this Part

This Part authorises the collection, use and disclosure of healthcare identifiers, identifying information and other information.

Healthcare identifiers and other information relating to healthcare recipients

The service operator may collect information about a healthcare recipient from various sources for the purpose of assigning a healthcare identifier to the recipient. Once a healthcare identifier is assigned to a healthcare recipient, the service operator may disclose it to healthcare providers to assist in communicating and managing health information. The healthcare identifier may also be disclosed to other entities to assist in the operation of the My Health Record system.

A healthcare provider can obtain the healthcare identifier of a healthcare recipient from the service operator, so that the healthcare provider can communicate and manage health information. The healthcare provider can use the healthcare identifier in providing healthcare, for example, by using it to access the My Health Record of a healthcare recipient.

Healthcare identifiers and other information relating to healthcare providers

Under Part 2, the service operator must keep a record of the healthcare identifiers that have been assigned and other information relating to healthcare identifiers. As a national registration authority assigns healthcare identifiers to most healthcare providers, the service operator may obtain information for the record from a national registration authority.

Under Part 2, the service operator assigns healthcare identifiers to healthcare providers in a number of cases. The service operator may collect information about a healthcare provider from various sources for the purposes of assigning those identifiers.

The service operator may disclose the healthcare identifiers of healthcare providers to healthcare providers to assist in communicating and managing health information. The healthcare identifier may also be disclosed to other entities to assist in the operation of the My Health Record system.

A healthcare provider can obtain the healthcare identifier of a healthcare provider from the service operator, so that the healthcare provider can communicate and manage health information. This includes the use of the identifier in electronic transmissions. The collection, use and disclosure of identifying information and healthcare identifiers is permitted for the purposes of authenticating a healthcare provider’s identity in electronic transmissions.

A person must not use or disclose information collected for the purposes of the Act or healthcare identifiers, except where required or authorised to do so under the Act or in other limited circumstances. Criminal and civil penalties apply if this obligation is breached.

Division 2Healthcare recipients

12  Collection, use and disclosure—assigning a healthcare identifier to a healthcare recipient

                   An entity mentioned in column 1 of an item of the following table, is authorised to take action of the kind described in column 2 of that item with information of the kind described in column 3 of that item in the circumstances described in column 4 of that item.

 

Collection, use and disclosure for the purpose of assigning a healthcare identifier to a healthcare recipient

Item

Column 1

Entity

Column 2

Permitted action

Column 3

Information

Column 4

Circumstances

1

identified healthcare provider

use

disclose to the service operator

identifying information of a healthcare recipient

the use or disclosure is for the purpose of assisting the service operator to assign a healthcare identifier to the healthcare recipient

2

Chief Executive Medicare

Veterans’ Affairs Department

Defence Department

use

disclose to the service operator

identifying information of a healthcare recipient

the use or disclosure is for the purpose of assisting the service operator to assign a healthcare identifier to the healthcare recipient

3

service operator

collect from:

(a) an identified healthcare provider; or

(b) the Chief Executive Medicare; or

(c) the Veterans’ Affairs Department; or

(d) the Defence Department

use

identifying information of a healthcare recipient

the collection or use is for the purpose of assigning a healthcare identifier to a healthcare recipient

13  Collection, use and disclosure—establishing and maintaining a record of healthcare identifiers for healthcare recipients

                   An entity mentioned in column 1 of an item of the following table, is authorised to take action of the kind described in column 2 of that item with information of the kind described in column 3 of that item in the circumstances described in column 4 of that item.

 

Collection, use and disclosure for the purpose of establishing and maintaining a record of healthcare identifiers for healthcare recipients

Item

Column 1

Entity

Column 2

Permitted action

Column 3

Information

Column 4

Circumstances

1

any entity that has access to the healthcare identifier of a healthcare recipient

use

disclose to the service operator

healthcare identifier of the healthcare recipient

information that relates to the healthcare identifier of the healthcare recipient

the use or disclosure is for the purposes of assisting the service operator to establish and maintain a record mentioned in section 10 (a record of healthcare identifiers assigned and other matters, such as requests made to the service operator to disclose those identifiers)

2

service operator

collect from any entity that has access to the healthcare identifier of a healthcare recipient

use

healthcare identifier of the healthcare recipient

information that relates to the healthcare identifier of the healthcare recipient

the collection or use is for the purposes of establishing and maintaining a record mentioned in section 10 (a record of healthcare identifiers assigned and other matters, such as requests made to the service operator to disclose those identifiers)

14  Collection, use and disclosure—providing healthcare to a healthcare recipient

             (1)  An entity mentioned in column 1 of an item of the following table, is authorised to take action of the kind described in column 2 of that item with information of the kind described in column 3 of that item in the circumstances described in column 4 of that item.

 

Collection, use and disclosure for the purpose of providing healthcare to a healthcare recipient

Item

Column 1

Entity

Column 2

Permitted action

Column 3

Information

Column 4

Circumstances

1

identified healthcare provider

use

disclose to the service operator

identifying information of a healthcare recipient

 

the use or disclosure is for the purpose of assisting the service operator to disclose the healthcare identifier of the healthcare recipient to the healthcare provider

2

service operator

collect from an identified healthcare provider

use

disclose to an identified healthcare provider

identifying information of a healthcare recipient

the collection, use or disclosure is for the purpose of disclosing the healthcare identifier of the healthcare recipient to the healthcare provider

3

service operator

use

disclose to an identified healthcare provider

healthcare identifier of a healthcare recipient

the use or disclosure is for the purpose of assisting the healthcare provider to communicate or manage health information, as part of providing healthcare to the healthcare recipient

4

identified healthcare provider

collect from the service operator

healthcare identifier of a healthcare recipient

the collection is for the purpose of communicating or managing health information, as part of providing healthcare to the healthcare recipient

5

healthcare provider

use

disclose to another entity

healthcare identifier of a healthcare recipient

the use or disclosure is for the purpose of communicating or managing health information as part of:

(a) the provision of healthcare to the healthcare recipient; or

(b) the management (including the investigation or resolution of complaints), funding, monitoring or evaluation of healthcare; or

(c) the provision of indemnity cover for a healthcare provider; or

(d) the conduct of research that has been approved by a Human Research Ethics Committee

6

entity to whom healthcare identifier of a healthcare recipient is disclosed for a purpose mentioned in column 4 of item 5

collect

use

disclose

healthcare identifier of a healthcare recipient

the collection, use or disclosure is for the purpose for which the information was disclosed

             (2)  This section does not authorise the collection, use or disclosure of the healthcare identifier of a healthcare recipient for the purpose of communicating or managing health information as part of:

                     (a)  underwriting a contract of insurance that covers the healthcare recipient; or

                     (b)  determining whether to enter into a contract of insurance that covers the healthcare recipient (whether alone or as a member of a class); or

                     (c)  determining whether a contract of insurance covers the healthcare recipient in relation to a particular event; or

                     (d)  employing the healthcare recipient.

15  Collection, use and disclosure—My Health Record system

                   The service operator is authorised to collect, use and disclose:

                     (a)  identifying information of a healthcare recipient, an authorised representative of a healthcare recipient or a nominated representative of a healthcare recipient; and

                     (b)  the healthcare identifier of a healthcare recipient, an authorised representative of a healthcare recipient or a nominated representative of a healthcare recipient;

for the purposes of the My Health Record system.

16  Collection, use and disclosure—aged care

                   An entity mentioned in column 1 of an item of the following table, is authorised to take action of the kind described in column 2 of that item with information of the kind described in column 3 of that item in the circumstances described in column 4 of that item.

 

Collection, use and disclosure for an aged care purpose

Item

Column 1

Entity

Column 2

Permitted action

Column 3

Information

Column 4

Circumstances

1

identified healthcare provider

disclose to the Aged Care Department

identifying information of a healthcare recipient

the disclosure is for an aged care purpose

2

Aged Care Department

collect from an identified healthcare provider

use

disclose to an identified healthcare provider

identifying information of a healthcare recipient

the collection, use or disclosure is for an aged care purpose

3

identified healthcare provider

collect from the Aged Care Department

use

identifying information of a healthcare recipient

the collection or use is for an aged care purpose

4

Aged Care Department

disclose to the service operator

identifying information of a healthcare recipient

the disclosure is for an aged care purpose

5

service operator

collect from the Aged Care Department

use

identifying information of a healthcare recipient

the collection or use is for an aged care purpose

6

service operator

use

disclose to the Aged Care Department

healthcare identifier of a healthcare recipient

the use or disclosure is for an aged care purpose

7

healthcare provider

disclose to the Aged Care Department

healthcare identifier of a healthcare recipient

the disclosure is for an aged care purpose

8

Aged Care Department

collect from the service operator or a healthcare provider

use

healthcare identifier of a healthcare recipient

the collection or use is for an aged care purpose

17  Adopting the healthcare identifier of a healthcare recipient etc.

                   An entity mentioned in column 1 of an item of the following table, may adopt the healthcare identifier of a healthcare recipient, an authorised representative of a healthcare recipient or a nominated representative of a healthcare recipient, for a purpose mentioned in column 2 of the item.

 

Adopting the healthcare identifier of a healthcare recipient

Item

Column 1

Entity

Column 2

Purpose

1

healthcare provider

for use as the healthcare provider’s own identifier of the healthcare recipient, the authorised representative of a healthcare representative or the nominated representative of a healthcare recipient

2

My Health Record System Operator

for use as the My Health Record System Operator’s own identifier for the purposes of the My Health Record system

3

registered repository operator

registered portal operator

for use as that operator’s own identifier for the purposes of the My Health Record system

18  Disclosure of the healthcare identifier of a healthcare recipient to the healthcare recipient etc.

                   Any of the following entities may disclose the healthcare identifier of a healthcare recipient to the healthcare recipient, or a responsible person (within the meaning of the Privacy Act 1988) for the healthcare recipient:

                     (a)  the service operator;

                     (b)  the My Health Record System Operator;

                     (c)  a healthcare provider.

19  Other information relating to the healthcare identifier of a healthcare recipient may be disclosed by the service operator

                   The service operator may disclose information included in the record the service operator maintains under section 10 in relation to a healthcare recipient to:

                     (a)  the healthcare recipient; or

                     (b)  a responsible person (within the meaning of the Privacy Act 1988) for the healthcare recipient.

20  Regulations relating to the healthcare identifier and identifying information of a healthcare recipient etc.

Collection, use or disclosure for other purposes

             (1)  The regulations may authorise the collection, use or disclosure of the following information:

                     (a)  identifying information of a healthcare recipient, authorised representative of a healthcare recipient or nominated representative of a healthcare recipient;

                     (b)  the healthcare identifier of a healthcare recipient, authorised representative of a healthcare recipient or nominated representative of a healthcare recipient.

Adoption for other purposes

             (2)  The regulations may authorise the adoption of the healthcare identifier of a healthcare recipient, authorised representative of a healthcare recipient or a nominated representative of healthcare recipient in the circumstances prescribed by the regulations.

Purposes for which regulation‑making powers in subsections (1) and (2) may be used

             (3)  However, the regulations may only authorise the collection, use, disclosure or adoption of that information for purposes related to one or more of the following:

                     (a)  providing healthcare to healthcare recipients, or a class of healthcare recipients;

                     (b)  determining whether adequate and appropriate healthcare is available to healthcare recipients, or a class of healthcare recipients;

                     (c)  facilitating the provision of adequate and appropriate healthcare to healthcare recipients, or a class of healthcare recipients;

                     (d)  assisting persons who, because of health issues (including illness, disability or injury), require support;

                     (e)  the My Health Record system.

Procedures relating to the disclosure of healthcare identifiers

             (4)  The regulations may prescribe rules about the process for disclosing the healthcare identifiers of healthcare recipients, including rules about requests to the service operator to disclose healthcare identifiers of healthcare recipients.

Information about disclosures by service operator

             (5)  If the service operator discloses a healthcare identifier of a healthcare recipient to an entity, the regulations may require the entity to provide prescribed information to the service operator in relation to the disclosure.

Division 3Healthcare providers

21  Collection, use and disclosure—assigning a healthcare identifier to a healthcare provider

                   An entity mentioned in column 1 of an item of the following table, is authorised to take action of the kind described in column 2 of that item with information of the kind described in column 3 of that item in the circumstances described in column 4 of that item.

 

Collection, use and disclosure for the purpose of assigning a healthcare identifier to a healthcare provider

Item

Column 1

Entity

Column 2

Permitted action

Column 3

Information

Column 4

Circumstances

1

service operator

collect from:

(a) the Chief Executive Medicare; or

(b) the Veterans’ Affairs Department; or

(c) the Defence Department

use

identifying information of a healthcare provider

the collection or use is for the purpose of assigning a healthcare identifier to the healthcare provider

2

Chief Executive Medicare

Veterans’ Affairs Department

Defence Department

use

disclose to the service operator

identifying information of a healthcare provider

the use or disclosure is for the purpose of assisting the service operator to assign a healthcare identifier to the healthcare provider

3

service operator

collect from a healthcare provider

use

information requested by the service operator under section 9B

the collection or use is for the purpose of assigning a healthcare identifier to the healthcare provider

22  Collection, use and disclosure—establishing and maintaining a record of healthcare identifiers for healthcare providers

                   An entity mentioned in column 1 of an item of the following table, is authorised to take action of the kind described in column 2 of that item with information of the kind described in column 3 of that item in the circumstances described in column 4 of that item.

 

Collection, use and disclosure for the purpose of establishing and maintaining a record of healthcare identifiers for healthcare providers

Item

Column 1

Entity

Column 2

Permitted action

Column 3

Information

Column 4

Circumstances

1

a national registration authority

use

disclose to the service operator

healthcare identifier of a healthcare provider

information that relates to the healthcare identifier of a healthcare provider

the use or disclosure is for the purposes of assisting the service operator to establish and maintain a record mentioned in section 10 (a record of healthcare identifiers assigned and other matters, such as requests made to the service operator to disclose those identifiers)

2

service operator

collect from a national registration authority

use

healthcare identifier of a healthcare provider

information that relates to the healthcare identifier of a healthcare provider

the collection or use is for the purposes of establishing and maintaining a record mentioned in section 10 (a record of healthcare identifiers assigned and other matters, such as requests made to the service operator to disclose those identifiers)

23  Collection, use and disclosure—providing healthcare

                   An entity mentioned in column 1 of an item of the following table, is authorised to take action of the kind described in column 2 of that item with information of the kind described in column 3 of that item in the circumstances described in column 4 of that item.

 

Collection, use and disclosure for the purpose of providing healthcare

Item

Column 1

Entity

Column 2

Permitted action

Column 3

Information

Column 4

Circumstances

1

identified healthcare provider

use

disclose to the service operator

identifying information of a healthcare provider

the use or disclosure is for the purpose of assisting the healthcare provider to communicate or manage health information, as part of providing healthcare to a healthcare recipient

2

service operator

collect from an identified healthcare provider

identifying information of a healthcare provider

the collection is for the purpose of assisting the healthcare provider to communicate or manage health information, as part of providing healthcare to a healthcare recipient

3

service operator

use

disclose to an identified healthcare provider

healthcare identifier of a healthcare provider

the use or disclosure is for the purpose of assisting the healthcare provider to communicate or manage health information, as part of providing healthcare to a healthcare recipient

4

identified healthcare provider

collect from the service operator

healthcare identifier of a healthcare provider

the collection is for the purpose of communicating or managing health information, as part of providing healthcare to a healthcare recipient

5

healthcare provider

collect from another healthcare provider

use

disclose to another healthcare provider

healthcare identifier of a healthcare provider

the collection, use or disclosure is the purpose of communicating or managing health information, as part of providing healthcare to a healthcare recipient

24  Collection, use and disclosure—My Health Record system

                   The service operator is authorised to collect, use and disclose:

                     (a)  identifying information of a healthcare provider; and

                     (b)  the healthcare identifier of a healthcare provider;

for the purposes of the My Health Record system.

25  Collection, use and disclosure—enabling authentication in electronic communications

                   An entity mentioned in column 1 of an item of the following table, is authorised to take action of the kind described in column 2 of that item with information of the kind described in column 3 of that item in the circumstances described in column 4 of that item.

 

Collection, use and disclosure for the purpose of facilitating electronic communications

Item

Column 1

Entity

Column 2

Permitted action

Column 3

Information

Column 4

Circumstances

1

service operator

registration authority

use

disclose to any entity

identifying information of a healthcare provider

healthcare identifier of a healthcare provider

the use or disclosure is for the purpose of enabling the healthcare provider’s identity to be authenticated in electronic transmissions

2

an entity to whom information is disclosed for the purposes of enabling a healthcare provider’s identity to be authenticated in electronic communications

collect from any entity

use

disclose to any entity

identifying information of a healthcare provider

healthcare identifier of a healthcare provider

the collection, use or disclosure is for the purpose of enabling the healthcare provider’s identity to be authenticated in electronic transmissions

25A  Collection, use and disclosure—sharing information with registration authorities

                   An entity mentioned in column 1 of an item of the following table, is authorised to take action of the kind described in column 2 of that item with information of the kind described in column 3 of that item in the circumstances described in column 4 of that item.

 

Collection, use and disclosure for the purpose of sharing information with registration authorities

Item

Column 1

Entity

Column 2

Permitted action

Column 3

Information

Column 4

Circumstances

1

service operator

use

disclose to a registration authority

 

healthcare identifier of a healthcare provider

 

the use or disclosure is for the purpose of assisting the registration authority to register the healthcare provider

2

registration authority

collect

use

healthcare identifier of a healthcare provider

the collection or use is for one of the following purposes:

(a) registering the healthcare provider;

(b) performing any other function of the registration authority under an Australian law

3

service operator

collect from a registration authority

use

disclose to a registration authority

identifying information of a healthcare provider

healthcare identifier of a healthcare provider

the collection, use or disclosure is for the purpose of ensuring that information held by the service operator or the registration authority is accurate, up‑to‑date and complete

4

registration authority

collect from the service operator

use

disclose to the service operator

identifying information of a healthcare provider

healthcare identifier of a healthcare provider

the collection, use or disclosure is for the purpose of ensuring that information held by the service operator or the registration authority is accurate, up‑to‑date and complete

25B  Adopting the healthcare identifier of a healthcare provider

                   An entity mentioned in column 1 of an item of the following table, may adopt the healthcare identifier of a healthcare provider for a purpose mentioned in column 2 of the item.

 

Adopting the healthcare identifier of a healthcare provider

Item

Column 1

Entity

Column 2

Purpose

1

My Health Record System Operator

 

for use as the My Health Record System Operator’s own identifier for the purposes of the My Health Record system

2

registered repository operator

registered portal operator

for use as that operator’s own identifier for the purposes of the My Health Record system

3

a participant in the My Health Record system to whom the healthcare identifier is disclosed by a registered repository operator or a registered portal operator under section 58A of the My Health Records Act

for use in authenticating the identity of the healthcare provider in electronic transmissions

25C  Disclosure of the healthcare identifier of a healthcare provider to the healthcare provider

                   Any entity who knows the healthcare identifier of a healthcare provider may disclose the healthcare identifier to the healthcare provider.

25D  Regulations relating to the healthcare identifier and other information of a healthcare provider

Collection, use or disclosure for other purposes

             (1)  The regulations may authorise the collection, use or disclosure of the following information:

                     (a)  identifying information of a healthcare provider;

                     (b)  the healthcare identifier of a healthcare provider.

Adoption for other purposes

             (2)  The regulations may authorise the adoption of the healthcare identifier of a healthcare provider in the circumstances prescribed by the regulations.

Purposes for which regulation‑making powers in subsections (1) and (2) may be used

             (3)  However, the regulations may only authorise the collection, use, disclosure or adoption of that information for purposes related to one or more of the following:

                     (a)  providing healthcare to healthcare recipients, or a class of healthcare recipients;

                     (b)  determining whether adequate and appropriate healthcare is available to healthcare recipients, or a class of healthcare recipients;

                     (c)  facilitating the provision of adequate and appropriate healthcare to healthcare recipients, or a class of healthcare recipients;

                     (d)  assisting persons who, because of health issues (including illness, disability or injury), require support;

                     (e)  the My Health Record system.

Procedures relating to the disclosure of healthcare identifiers

             (4)  The regulations may prescribe rules about the process for disclosing the healthcare identifiers of healthcare providers, including rules about requests to the service operator to disclose healthcare identifiers of healthcare providers.

Information about disclosures by service operator

             (5)  If the service operator discloses a healthcare identifier of a healthcare provider to an entity, the regulations may require the entity to provide prescribed information to the service operator in relation to the disclosure.

Information to be provided to the service operator about the healthcare identifier of a healthcare provider

             (6)  The regulations may require an identified healthcare provider to provide to the service operator information that:

                     (a)  relates to the healthcare provider’s healthcare identifier; and

                     (b)  is prescribed by the regulations for the purposes of this section.

25E  Obligation to keep information accurate, up‑to‑date and complete

             (1)  If a healthcare provider organisation becomes aware that information held by the service operator in relation to the organisation is not accurate, up‑to‑date and complete, the organisation must:

                     (a)  give the service operator, in writing, accurate, up‑to‑date and complete information; and

                     (b)  do so within 20 business days after the organisation becomes aware that the information held by the service operator is not accurate, up‑to‑date and complete.

             (2)  Subsection (1) does not apply if:

                     (a)  the information that is no longer accurate, up‑to‑date and complete is personal information that the service operator was only able to lawfully obtain with the consent of the person to whom the information relates; and

                     (b)  instead of giving accurate, up‑to‑date and complete personal information within the period specified in that subsection, the healthcare provider organisation notifies the service operator within that period, in the manner and form approved by the service operator, that the person to whom the information relates has withdrawn consent for the information to be given to the service operator.

             (3)  Subsection (1) does not apply if:

                     (a)  the healthcare provider organisation, or an individual healthcare provider who is linked to the healthcare provider organisation, is required by an Australian law, or by a lawful requirement of the national registration authority, to give the national registration authority the accurate, up‑to‑date and complete information; and

                     (b)  the healthcare provider organisation, or the individual healthcare provider, complies with the requirement.

             (4)  A person is liable to a civil penalty if:

                     (a)  the person fails to give the service operator information in the circumstances mentioned in subsection (1); and

                     (b)  the person knows or is reckless as to those circumstances.

Civil penalty:          100 penalty units.

Division 4Unauthorised use and disclosure of healthcare identifiers and other information obtained under this Act

26  Use and disclosure of healthcare identifiers and other information obtained under this Act

             (1)  A person must not use or disclose information if:

                     (a)  the person obtains the information in response to a request under section 9B; or

                     (b)  the person obtains the information in the course of establishing or maintaining a record for the purposes of section 10 (a record of healthcare identifiers assigned and other matters, such as requests made to the service operator to disclose those identifiers); or

                     (c)  the information is identifying information and the person obtains the information in circumstances covered by a requirement or authority under this Act; or

                     (d)  the information is the healthcare identifier of a healthcare recipient or an individual healthcare provider.

             (2)  A person must not use or disclose information if the information is disclosed to the person in contravention of subsection (1).

             (3)  This section does not apply to the use or disclosure of a healthcare identifier if:

                     (a)  the use or disclosure of the healthcare identifier is required or authorised under this Act; or

                     (b)  the use or disclosure of the healthcare identifier is required or authorised under another Commonwealth law or a court/tribunal order; or

                     (c)  the use or disclosure is:

                              (i)  by the person to whom the healthcare identifier relates; and

                             (ii)  for the purposes of, or in connection with, the personal, family or household affairs of that person (within the meaning of section 16 of the Privacy Act 1988); or

                     (d)  a permitted general situation of the kind described in item 1, 2, 4 or 5 of the table in subsection 16A(1) of the Privacy Act 1988 exists in relation to the use or disclosure, or would exist if the person were an APP entity for the purposes of that Act; or

                     (e)  without limiting the exceptions under this subsection, the use or disclosure is required or authorised by the Information Commissioner, or an equivalent officer or agency of a State or Territory, in exercising powers or performing functions in relation to privacy.

Note:          A defendant bears an evidential burden in relation to the matters in subsection (3): see subsection 13.3(3) of the Criminal Code.

             (4)  This section does not apply to the use or disclosure of information other than a healthcare identifier if:

                     (a)  the use or disclosure of the information is required or authorised under this Act; or

                     (b)  the use or disclosure of the information is required or authorised under another Australian law or a court/tribunal order; or

                     (c)  the information is personal information and the use or disclosure would not be an interference with the privacy of the individual for the purposes of the Privacy Act 1988, or would not be an interference with the privacy of the individual for the purposes of that Act if the person were an agency or an organisation for the purposes of that Act; or

                     (d)  without limiting the exceptions under this subsection, the use or disclosure is required or authorised by the Information Commissioner, or an equivalent officer or agency of a State or Territory, in exercising powers or performing functions in relation to privacy.

Note:          A defendant bears an evidential burden in relation to the matters in subsection (4): see subsection 13.3(3) of the Criminal Code.

             (5)  A person commits an offence if the person contravenes subsection (1) or (2).

Penalty:  Imprisonment for 2 years or 120 penalty units, or both.

             (6)  A person is liable to a civil penalty if:

                     (a)  the person uses or discloses information in circumstances under which the use or disclosure would contravene subsection (1) or (2); and

                     (b)  the person knows or is reckless as to those circumstances.

Civil penalty:          600 penalty units.

Division 5Protection of healthcare identifiers

27  Protection of healthcare identifiers

                   An entity must:

                     (a)  take reasonable steps to protect healthcare identifiers the entity holds from:

                              (i)  misuse and loss; and

                             (ii)  unauthorised access, modification or disclosure; and

                     (b)  comply with any requirements prescribed by the regulations for the protection of healthcare identifiers the entity holds.

Note:          The regulations may provide for the imposition of a penalty for contravention of a regulation: see subsection 39(2).

Part 4Interaction with the Privacy Act 1988

  

28AA  Simplified outline of this Part

If a person is authorised to collect, use or disclose information under this Act, the person will not interfere with the privacy of an individual for the purposes of the Privacy Act 1988 in doing so.

Section 26 imposes a higher standard of privacy in relation to healthcare identifiers than is imposed in relation to other information. If a person uses or discloses a healthcare identifier in circumstances that are not permitted under that section, the person will not only be subject to criminal and civil penalties. That action will also be an interference with privacy for the purposes of the Privacy Act 1988, and can be dealt with as such under that Act.

28  Interaction with the Privacy Act 1988

                   An authorisation to collect, use or disclose a healthcare identifier or identifying information under this Act is also an authorisation to collect, use or disclose the healthcare identifier or identifying information for the purpose of the Privacy Act 1988.

29  Functions of Information Commissioner

Breach of this Act is an interference with privacy

             (1)  An act or practice in connection with a healthcare identifier of a healthcare recipient or an individual healthcare provider that contravenes this Act or the regulations, or would contravene this Act or the regulations but for a requirement relating to state of mind, is taken to be:

                     (a)  for the purposes of the Privacy Act 1988, an interference with the privacy of the healthcare recipient or individual healthcare provider; and

                     (b)  covered by section 13 of that Act.

Note:          The act or practice may be the subject of a complaint under section 36 of that Act.

             (2)  For the purpose of applying Part V of that Act (Investigations) in relation to the act or practice, treat a State or Territory authority as if it were an organisation (within the meaning of that Act).

Assessment by Information Commissioner

             (3)  For the purpose of paragraph 33C(1)(a) of the Privacy Act 1988, a healthcare identifier of a healthcare recipient or of an individual healthcare provider is taken to be personal information.

30  Annual reports by Information Commissioner

             (1)  The Information Commissioner must, as soon as practicable after the end of each financial year, prepare a report on the Information Commissioner’s compliance and enforcement activities under this Act during the financial year.

             (2)  The Information Commissioner must give a copy of the report to the Minister, and to the Ministerial Council, no later than on 30 September after the end of the financial year to which the report relates.

             (3)  The Minister must table a copy of the report in each House of Parliament within 15 sitting days after the Information Commissioner gives a copy of the report to the Minister.

Part 5Healthcare Provider Directory

  

31AA  Simplified outline of this Part

The Healthcare Provider Directory is a directory available to healthcare providers to allow them to find information about other healthcare providers, such as:

       (a)     the healthcare identifier of a healthcare provider; and

      (b)     whether an individual healthcare provider is linked to a healthcare provider organisation; and

       (c)     whether a healthcare provider is registered under the My Health Record system; and

      (d)     whether a healthcare provider is registered with a registration authority and the status of that registration (such as whether it is conditional, suspended, cancelled or lapsed); and

       (e)     the type of healthcare provider that an individual is.

31  Healthcare Provider Directory

             (1)  The service operator must establish and maintain a record (the Healthcare Provider Directory) of the professional and business details of identified healthcare providers.

             (2)  The service operator is authorised to:

                     (a)  collect and use personal information for the purposes of establishing and maintaining the Healthcare Provider Directory; and

                     (b)  disclose personal information on the Healthcare Provider Directory to an identified healthcare provider;

but, except in the circumstances dealt with in section 31A, only with the consent of the individual to whom the personal information relates.

             (3)  The professional and business details of a healthcare provider disclosed on the Healthcare Provider Directory may include information sufficient to allow the person to whom the information is disclosed to determine any of the following:

                     (a)  the healthcare identifier of a healthcare provider;

                     (b)  identifying information of a healthcare provider;

                     (c)  whether an individual healthcare provider is linked to a particular healthcare provider organisation;

                     (d)  whether a healthcare provider organisation is a registered healthcare provider organisation for the purposes of the My Health Records Act;

                     (e)  whether an individual healthcare provider is registered with a registration authority and the status of that registration (such as conditional, suspended, cancelled or lapsed);

                      (f)  the type of healthcare provider that an individual is.

             (4)  A person to whom the professional and business details of a healthcare provider is disclosed on the Healthcare Provider Directory is authorised to collect, use and disclose that information:

                     (a)  for the purpose of communicating or managing health information, as part of providing healthcare to a healthcare recipient; or

                     (b)  in any other circumstances in which the collection, use or disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order; or

                     (c)  in any other circumstances in which the collection, use or disclosure of the information would not be an interference with privacy under the Privacy Act 1988.

31A  Healthcare Provider Directory—sharing information with the My Health Record System Operator

             (1)  The service operator is authorised to collect from the My Health Record System Operator, use and disclose to the My Health Record System Operator:

                     (a)  identifying information of a healthcare provider; and

                     (b)  the healthcare identifier of a healthcare provider;

for the purposes of the Healthcare Provider Directory.

             (2)  The My Health Record System Operator is authorised to use and disclose to the service operator:

                     (a)  identifying information of a healthcare provider; and

                     (b)  the healthcare identifier of a healthcare provider;

for the purposes of the Healthcare Provider Directory.

Part 5AEnforcement

  

31B  Simplified outline of this Part

The civil penalty provisions of this Act and the regulations are enforceable under Part 4 of the Regulatory Powers Act. The provisions of this Act and the regulations are also enforceable using enforceable undertakings under Part 6 of the Regulatory Powers Act, and injunctions under Part 7 of the Regulatory Powers Act.

31C  Civil penalty provisions

Enforceable civil penalty provisions

             (1)  Each civil penalty provision of this Act and the regulations is enforceable under Part 4 of the Regulatory Powers Act.

Note:          Part 4 of the Regulatory Powers Act allows a civil penalty provision to be enforced by obtaining an order for a person to pay a pecuniary penalty for the contravention of the provision.

Authorised applicant

             (2)  For the purposes of Part 4 of the Regulatory Powers Act, the Information Commissioner is an authorised applicant in relation to the civil penalty provisions of this Act and the regulations.

Relevant court

             (3)  For the purposes of Part 4 of the Regulatory Powers Act, each of the following courts is a relevant court in relation to the civil penalty provisions of this Act and the regulations:

                     (a)  the Federal Court of Australia;

                     (b)  the Federal Circuit Court of Australia;

                     (c)  a court of a State or Territory that has jurisdiction in relation to the matter.

Extension to external Territories

             (4)  Part 4 of the Regulatory Powers Act, as that Part applies in relation to the civil penalty provisions of this Act and the regulations, extends to every external Territory.

Liability of the Crown

             (5)  Part 4 of the Regulatory Powers Act, as that Part applies in relation the civil penalty provisions of this Act and the regulations, does not make the Crown liable to a pecuniary penalty.

31D  Enforceable undertakings

Enforceable provisions

             (1)  The provisions of this Act and the regulations are enforceable under Part 6 of the Regulatory Powers Act.

Note:          Part 6 of the Regulatory Powers Act creates a framework for accepting and enforcing undertakings relating to compliance with provisions.

Authorised person

             (2)  For the purposes of Part 6 of the Regulatory Powers Act, each of the following persons is an authorised person in relation to the provisions of this Act and the regulations:

                     (a)  the service operator;

                     (b)  the Information Commissioner.

Relevant court

             (3)  For the purposes of Part 6 of the Regulatory Powers Act, each of the following courts is a relevant court in relation to the provisions of this Act and the regulations:

                     (a)  the Federal Court of Australia;

                     (b)  the Federal Circuit Court of Australia;

                     (c)  a court of a State or Territory that has jurisdiction in relation to the matter.

Enforceable undertaking may be published on website

             (4)  An authorised person in relation to a provision of this Act and the regulations may publish an undertaking given in relation to the provision on the authorised person’s website.

Extension to external Territories

             (5)  Part 6 of the Regulatory Powers Act, as that Part applies in relation to the provisions of this Act and the regulations, extends to every external Territory.

31E  Injunctions

Enforceable provisions

             (1)  The provisions of this Act and the regulations are enforceable under Part 7 of the Regulatory Powers Act.

Note:          Part 7 of the Regulatory Powers Act creates a framework for using injunctions to enforce provisions.

Authorised person

             (2)  For the purposes of Part 7 of the Regulatory Powers Act, each of the following persons is an authorised person in relation to the provisions of this Act and the regulations:

                     (a)  the service operator;

                     (b)  the Information Commissioner.

Relevant court

             (3)  For the purposes of Part 7 of the Regulatory Powers Act, each of the following courts is a relevant court in relation to the provisions of this Act and the regulations:

                     (a)  the Federal Court of Australia;

                     (b)  the Federal Circuit Court of Australia;

                     (c)  a court of a State or Territory that has jurisdiction in relation to the matter.

Extension to external Territories

             (4)  Part 7 of the Regulatory Powers Act, as that Part applies in relation to the provisions of this Act and the regulations, extends to every external Territory.

Part 6Oversight role of Ministerial Council

  

31F  Simplified outline of this Part

The Minister may give directions to the service operator about the performance of the service operator’s functions under this Act, after consulting the Ministerial Council.

The Minister must also consult the Ministerial Council before regulations are made under this Act.

32  Directions to service operator

             (1)  After consulting the Ministerial Council, the Minister may, by legislative instrument, give directions to the service operator about the performance of the service operator’s functions under this Act.

Note 1:       Section 42 (disallowance) of the Legislation Act 2003 does not apply to the direction—see regulations made for the purposes of paragraph 44(2)(b) of that Act.

Note 2:       Part 4 of Chapter 3 (sunsetting) of the Legislation Act 2003 does not apply to the direction—see regulations made for the purposes of paragraph 54(2)(b) of that Act.

             (2)  The service operator must comply with a direction given under subsection (1).

33  Consultation with Ministerial Council about regulations

                   Before the Governor‑General makes a regulation for the purpose of this Act, the Minister must consult with the Ministerial Council.

34  Annual reports by service operator

             (1)  The service operator must, as soon as practicable after the end of each financial year, prepare a report on the activities, finances and operations of the service operator during the financial year, so far as they relate to this Act and the regulations.

             (2)  The service operator must give a copy of the report to:

                     (a)  the Minister; and

                     (b)  either:

                              (i)  the Ministerial Council; or

                             (ii)  if the Ministerial Council directs the service operator to give the report to another entity—that other entity;

no later than on 30 September after the end of the financial year to which the report relates.

             (3)  The Minister must table a copy of the report in each House of Parliament within 15 sitting days after the service operator gives a copy of the report to the Minister.

             (4)  If the service operator is required under section 46 of the Public Governance, Performance and Accountability Act 2013 to prepare and give to the Minister an annual report for all or part of a financial year, the service operator is not required to also give a report in relation to that financial year under this section.

35  Review of the operation of this Act

             (1)  The Minister must, after consulting the Ministerial Council, appoint an individual to review the operation of this Act and the regulations.

             (2)  The individual appointed must give a report to the Minister within 3 years after the commencement of Schedule 1 to the Health Legislation Amendment (eHealth) Act 2015.

             (3)  The Minister must:

                     (a)  provide a copy of the report to the Ministerial Council; and

                     (b)  table a copy of the report in each House of Parliament within 15 sitting days after the report is given to the Minister.

Part 7Miscellaneous

Division 1Simplified outline of this Part

36AA  Simplified outline of this Part

If an entity is authorised to collect, use or disclose information under this Act, an employee or contracted service provider of the entity is authorised to do that, provided the duties of the employee or contracted service provider involve implementing the purpose for which the collection, use or disclosure is authorised.

If an entity is authorised to disclose information to a healthcare provider, the entity is authorised to disclose the information to an employee or contracted service provider of the healthcare provider, provided the duties of the employee or contracted service provider involve implementing the purpose for which the disclosure is authorised.

This Act applies to partnerships, unincorporated associations and trusts in the same way as it applies to persons.

The service operator may delegate functions and powers under this Act.

This Part also:

       (a)     provides for the concurrent operation of State and Territory law; and

      (b)     deals with the effect Parts 3 and 4 are to have in certain constitutionally significant circumstances.

The Governor‑General may make regulations prescribing matters that are required or permitted to be prescribed by this Act, or that are necessary or convenient to be prescribed for carrying out or giving effect to this Act.

Division 2Employees, contractors, partnerships, unincorporated associations and trusts

36  Extent of authorisation

                   An authorisation under this Act to an entity (the first entity) for a particular purpose is an authorisation to:

                     (a)  an individual:

                              (i)  who is an employee of the first entity; and

                             (ii)  whose duties involve implementing that purpose; or

                     (b)  a contracted service provider of the first entity, if:

                              (i)  the first entity is a healthcare provider; and

                             (ii)  the duties of the contracted service provider under a contract with the healthcare provider involve implementing that purpose by providing information technology services relating to the communication of health information, or health information management services, to the healthcare provider; or

                   (ba)  a person (the contractor) performing services under a contract between the contractor and the first entity, if:

                              (i)  the first entity is a participant in the My Health Record system, other than a healthcare provider or a contracted service provider; and

                             (ii)  the purpose relates to the My Health Record system; or

                     (c)  an individual:

                              (i)  who is an employee of a contracted service provider to which paragraph (b) applies or of a contractor to which paragraph (ba) applies; and

                             (ii)  whose duties involve implementing that purpose as mentioned in whichever of those paragraphs applies.

36A  Authorisation to disclose to employees and contracted service providers of a healthcare provider

                   An authorisation under this Act to an entity to disclose information to a healthcare provider for a particular purpose is an authorisation to disclose the information to:

                     (a)  an individual:

                              (i)  who is an employee of the healthcare provider; and

                             (ii)  whose duties involve, or are reasonably connected to, implementing that purpose; or

                     (b)  a contracted service provider of the healthcare provider, if the duties of the contracted service provider under a contract with the healthcare provider involve, or are reasonably connected with, implementing that purpose by providing information technology services relating to the communication of health information, or health information management services, to the healthcare provider; or

                     (c)  an individual:

                              (i)  who is an employee of a contracted service provider to which paragraph (b) applies; and

                             (ii)  whose duties involve implementing that purpose as mentioned in that paragraph.

36B  Treatment of partnerships

             (1)  This Act applies to a partnership as if it were a person, but with the changes set out in this section.

             (2)  An obligation that would otherwise be imposed on the partnership by this Act is imposed on each partner instead, but may be discharged by any of the partners.

             (3)  An offence against this Act that would otherwise have been committed by the partnership is taken to have been committed by each partner in the partnership, at the time the offence was committed, who:

                     (a)  did the relevant act or made the relevant omission; or

                     (b)  aided, abetted, counselled or procured the relevant act or omission; or

                     (c)  was in any way knowingly concerned in, or party to, the relevant act or omission (whether directly or indirectly and whether by any act or omission of the partner).

             (4)  This section applies to a contravention of a civil penalty provision in a corresponding way to the way in which it applies to an offence.

36C  Treatment of unincorporated associations

             (1)  This Act applies to an unincorporated association as if it were a person, but with the changes set out in this section.

             (2)  An obligation that would otherwise be imposed on the unincorporated association by this Act is imposed on each member of the association’s committee of management instead, but may be discharged by any of the members.

             (3)  An offence against this Act that would otherwise have been committed by the unincorporated association is taken to have been committed by each member of the association’s committee of management, at the time the offence was committed, who:

                     (a)  did the relevant act or made the relevant omission; or

                     (b)  aided, abetted, counselled or procured the relevant act or omission; or

                     (c)  was in any way knowingly concerned in, or party to, the relevant act or omission (whether directly or indirectly and whether by any act or omission of the member).

             (4)  This section applies to a contravention of a civil penalty provision in a corresponding way to the way in which it applies to an offence.

36D  Treatment of trusts with multiple trustees

             (1)  If a trust has 2 or more trustees, this Act applies to the trust as if it were a person, but with the changes set out in this section.

             (2)  An obligation that would otherwise be imposed on the trust by this Act is imposed on each trustee instead, but may be discharged by any of the trustees.

             (3)  An offence against this Act that would otherwise have been committed by the trust is taken to have been committed by each trustee of the trust, at the time the offence was committed, who:

                     (a)  did the relevant act or made the relevant omission; or

                     (b)  aided, abetted, counselled or procured the relevant act or omission; or

                     (c)  was in any way knowingly concerned in, or party to, the relevant act or omission (whether directly or indirectly and whether by any act or omission of the trustee).

             (4)  This section applies to a contravention of a civil penalty provision in a corresponding way to the way in which it applies to an offence.

Division 3Delegations

36E  Delegations by the service operator

             (1)  The service operator may, by writing, delegate one or more of his or her functions and powers to any of the following:

                     (a)  an APS employee in the Department;

                     (b)  if the service operator is not the Chief Executive Medicare—the Chief Executive Medicare;

                     (c)  any other person with the consent of the Minister.

             (2)  If the service operator is not the Chief Executive Medicare the service operator may only delegate a function or power of the service operator:

                     (a)  to an APS employee in the Department with the agreement of the Secretary; and

                     (b)  to the Chief Executive Medicare with the agreement of the Chief Executive Medicare.

             (3)  Each of the following must comply with any written directions of the service operator:

                     (a)  a delegate;

                     (b)  if the Chief Executive Medicare delegates under subsection 8AC(3) of the Human Services (Medicare) Act 1973 a function delegated to him or her under this section—a subdelegate.

Division 4Constitutional matters

37  Relationship to State and Territory laws

Relationship to State and Territory laws

             (1)  A law of a State or Territory has effect to the extent that the law is capable of operating concurrently with this Act or the regulations.

             (2)  However, if:

                     (a)  a person’s act or omission is both:

                              (i)  an offence under this Act; and

                             (ii)  an offence under the law of a State or Territory; and

                     (b)  that person is convicted of either of those offences;

the person is not liable to be convicted of the other offence.

             (3)  Nothing in this Act or the regulations limits, restricts or otherwise affects any right or remedy that a person would have had if this Act had not been enacted.

Declarations that Act does not apply

             (4)  A provision of this Act or the regulations does not apply to the public bodies of a State or Territory if a declaration made under subsection (5) is in force in relation to that provision and that State or Territory.

             (5)  The Minister must, by legislative instrument, declare that specified provisions of this Act and the regulations do not apply to the public bodies of a specified State or Territory if:

                     (a)  a Minister of the State or Territory, by written notice, requests the Minister to make the declaration; and

                     (b)  the Minister is satisfied that a law in force in the State or Territory contains provisions that have been agreed to by the Ministerial Council.

             (6)  The Minister may, by legislative instrument, revoke the declaration if:

                     (a)  a Minister of the State, by written notice, requests the Minister to do so; or

                     (b)  a provision in the State or Territory law, which had been agreed to by the Ministerial Council, is amended without the agreement of the Ministerial Council.

             (7)  Section 42 (disallowance) of the Legislation Act 2003 does not apply to a declaration or revocation made under subsection (5) or (6) of this section.

Note:          Part 4 of Chapter 3 (sunsetting) of the Legislation Act 2003 does not apply to such a declaration or revocation (see subsection 54(1) of that Act).

38  Severability—additional effect of Parts 3 and 4

             (1)  Without limiting their effect apart from each of the following subsections of this section, Parts 3 and 4 have effect in relation to a collection, use or disclosure of information as provided by that subsection.

             (2)  Parts 3 and 4 also have the effect they would have if their operation in relation to a collection, use or disclosure of information were expressly confined to a collection, use or disclosure taking place in the course of, or in relation to, trade or commerce:

                     (a)  between Australia and places outside Australia; or

                     (b)  among the States; or

                     (c)  within a Territory, between a State and a Territory or between 2 Territories.

             (3)  Parts 3 and 4 also have the effect they would have if their operation in relation to a collection, use or disclosure of information were expressly confined to a collection, use or disclosure using a postal, telegraphic, telephonic or other like service (within the meaning of paragraph 51(v) of the Constitution).

             (4)  Parts 3 and 4 also have the effect they would have if their operation in relation to a collection, use or disclosure of information were expressly confined to a collection, use or disclosure in relation to census or statistics (within the meaning of paragraph 51(xi) of the Constitution).

             (5)  Parts 3 and 4 also have the effect they would have if their operation in relation to a collection, use or disclosure of information were expressly confined to a collection, use or disclosure in relation to aliens (within the meaning of paragraph 51(xix) of the Constitution).

             (6)  Parts 3 and 4 also have the effect they would have if their operation in relation to a collection, use or disclosure of information were expressly confined to a collection, use or disclosure by, or to, a trading, foreign or financial corporation (within the meaning of paragraph 51(xx) of the Constitution).

             (7)  Parts 3 and 4 also have the effect they would have if their operation in relation to a collection, use or disclosure of information were expressly confined to a collection, use or disclosure in relation to the provision of:

                     (a)  sickness or hospital benefits; or

                     (b)  medical or dental services (but not so as to authorise any form of civil conscription);

(within the meaning of paragraph 51(xxiiiA) of the Constitution).

             (8)  Parts 3 and 4 also have the effect they would have if their operation in relation to a collection, use or disclosure of information were expressly confined to a collection, use or disclosure:

                     (a)  in relation to which the Commonwealth is under an obligation under an international agreement, including, the International Covenant on Civil and Political Rights, and in particular Article 17 of the Covenant; or

Note:       The text of the Covenant is set out in Australian Treaty Series 1980 No. 23 ([1980] ATS 23). In 2010, a text of a Covenant in the Australian Treaties Series was accessible through the Australian Treaties Library on the AustLII website (www.austlii.edu.au).

                     (b)  that is of international concern, including the international concern reflected by the Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, recommended by the Council of the Organisation for Economic Co‑operation and Development on 23 September 1980.

Note:       In 2010, the text of the Guidelines was accessible through the Organisation for Economic Co‑operation and Development website (www.oecd.org).

             (9)  Parts 3 and 4 also have the effect they would have if their operation in relation to a collection, use or disclosure of information were expressly confined to a collection, use or disclosure by, or to, the Commonwealth or a Commonwealth authority.

           (10)  Parts 3 and 4 also have the effect they would have if their operation in relation to a collection, use or disclosure of information were expressly confined to a collection, use or disclosure taking place in a Territory.

Division 5Regulations

39  Regulations

             (1)  The Governor‑General may make regulations prescribing matters:

                     (a)  required or permitted to be prescribed by this Act; or

                     (b)  necessary or convenient to be prescribed for carrying out or giving effect to this Act.

Note:          Before the Governor‑General makes a regulation for the purpose of this Act, the Minister must consult with the Ministerial Council: see section 33.

             (2)  Without limiting subsection (1), the regulations may provide for the imposition of a penalty of not more than 50 penalty units for contravention of a regulation.


Endnotes

Endnote 1—About the endnotes

The endnotes provide information about this compilation and the compiled law.

The following endnotes are included in every compilation:

Endnote 1—About the endnotes

Endnote 2—Abbreviation key

Endnote 3—Legislation history

Endnote 4—Amendment history

Abbreviation key—Endnote 2

The abbreviation key sets out abbreviations that may be used in the endnotes.

Legislation history and amendment history—Endnotes 3 and 4

Amending laws are annotated in the legislation history and amendment history.

The legislation history in endnote 3 provides information about each law that has amended (or will amend) the compiled law. The information includes commencement details for amending laws and details of any application, saving or transitional provisions that are not included in this compilation.

The amendment history in endnote 4 provides information about amendments at the provision (generally section or equivalent) level. It also includes information about any provision of the compiled law that has been repealed in accordance with a provision of the law.

Editorial changes

The Legislation Act 2003 authorises First Parliamentary Counsel to make editorial and presentational changes to a compiled law in preparing a compilation of the law for registration. The changes must not change the effect of the law. Editorial changes take effect from the compilation registration date.

If the compilation includes editorial changes, the endnotes include a brief outline of the changes in general terms. Full details of any changes can be obtained from the Office of Parliamentary Counsel.

Misdescribed amendments

A misdescribed amendment is an amendment that does not accurately describe the amendment to be made. If, despite the misdescription, the amendment can be given effect as intended, the amendment is incorporated into the compiled law and the abbreviation “(md)” added to the details of the amendment included in the amendment history.

If a misdescribed amendment cannot be given effect as intended, the abbreviation “(md not incorp)” is added to the details of the amendment included in the amendment history.

 

Endnote 2—Abbreviation key

 

ad = added or inserted

o = order(s)

am = amended

Ord = Ordinance

amdt = amendment

orig = original

c = clause(s)

par = paragraph(s)/subparagraph(s)

C[x] = Compilation No. x

    /sub‑subparagraph(s)

Ch = Chapter(s)

pres = present

def = definition(s)

prev = previous

Dict = Dictionary

(prev…) = previously

disallowed = disallowed by Parliament

Pt = Part(s)

Div = Division(s)

r = regulation(s)/rule(s)

ed = editorial change

reloc = relocated

exp = expires/expired or ceases/ceased to have

renum = renumbered

    effect

rep = repealed

F = Federal Register of Legislation

rs = repealed and substituted

gaz = gazette

s = section(s)/subsection(s)

LA = Legislation Act 2003

Sch = Schedule(s)

LIA = Legislative Instruments Act 2003

Sdiv = Subdivision(s)

(md) = misdescribed amendment can be given

SLI = Select Legislative Instrument

    effect

SR = Statutory Rules

(md not incorp) = misdescribed amendment

Sub‑Ch = Sub‑Chapter(s)

    cannot be given effect

SubPt = Subpart(s)

mod = modified/modification

underlining = whole or part not

No. = Number(s)

    commenced or to be commenced

 

 

Endnote 3—Legislation history

 

Act

Number and year

Assent

Commencement

Application, saving and transitional provisions

Healthcare Identifiers Act 2010

72, 2010

28 June 2010

29 June 2010 (s 2)

 

Healthcare Identifiers (Consequential Amendments) Act 2010

73, 2010

28 June 2010

Sch 3: 1 Nov 2010 (s 2(1) item 5)

Statute Law Revision Act 2011

5, 2011

22 Mar 2011

Sch 1 (items 60–63): 22 Mar 2011 (s 2(1) item 2)

Human Services Legislation Amendment Act 2011

32, 2011

25 May 2011

Sch 4 (items 152–158): 1 July 2011 (s 2(1) item 3)

Personally Controlled Electronic Health Records (Consequential Amendments) Act 2012

64, 2012

26 June 2012

Sch 1 (items 1–25): 29 June 2012 (s 2(1) item 2)

Privacy Amendment (Enhancing Privacy Protection) Act 2012

197, 2012

12 Dec 2012

Sch 5 (items 37–41, 164) and Sch 6 (items 1, 15–19): 12 Mar 2014 (s 2(1) items 3, 16, 19)

Sch 6 (items 1, 15–19)

Aged Care and Other Legislation Amendment Act 2014

126, 2014

4 Dec 2014

Sch 3: 5 Dec 2014 (s 2(1) item 4)

Norfolk Island Legislation Amendment Act 2015

59, 2015

26 May 2015

Sch 2 (item 213): 1 July 2016 (s 2(1) item 5)
Sch 2 (items 356–396): 18 June 2015 (s 2(1) item 6)

Sch 2 (items 356–396)

Acts and Instruments (Framework Reform) (Consequential Provisions) Act 2015

126, 2015

10 Sept 2015

Sch 1 (items 253–255): 5 Mar 2016 (s 2(1) item 2)

Australian Immunisation Register (Consequential and Transitional Provisions) Act 2015

139, 2015

12 Nov 2015

Sch 1 (item 4): 1 Jan 2016 (s 2(1) item 2)
Sch 2 (items 34, 35): awaiting commencement (s 2(1) item 3)

Health Legislation Amendment (eHealth) Act 2015

157, 2015

26 Nov 2015

Sch 1 (items 3–49, 111–136) and Sch 2 (items 1–6): 27 Nov 2015 (s 2(1) item 2)

Sch 1 (items 111–136)

 

Endnote 4—Amendment history

 

Provision affected

How affected

Part 1

 

s 3A.....................................

ad No 157, 2015

s 4........................................

am No 59, 2015

s. 4A....................................

ad. No. 64, 2012

s. 5.......................................

am No 32, 2011; No 64, 2012; 197, 2012; No 126, 2014; No 139, 2015; No 157, 2015

s 6........................................

ad No 157, 2015

s 7........................................

am No 157, 2015

Part 2

 

s 9AA..................................

ad No 157, 2015

s 9........................................

am No 197, 2012; No 157, 2015

s 9A.....................................

rs No 157, 2015

s. 10.....................................

am. No. 64, 2012; No 157, 2015

Part 3

 

Part 3 heading......................

rs No 157, 2015

Division 1

 

Division 1 heading...............

rs No 64, 2012; No 157, 2015

Division 1............................

rs No 157, 2015

s 11......................................

rs No 157, 2015

s. 11A..................................

ad. No. 64, 2012

 

rep No 157, 2015

Division 2

 

Division 2............................

rs No 157, 2015

s. 12.....................................

am. No. 32, 2011

 

rs No 157, 2015

s 12A...................................

ad No 126, 2014

 

rep No 157, 2015

s 13......................................

rs No 157, 2015

s 14......................................

rs No 157, 2015

s 15......................................

rs No 157, 2015

s 16......................................

rs No 157, 2015

s 17......................................

rs No 157, 2015

s. 18.....................................

am No 64, 2012; No 197, 2012

 

rs No 157, 2015

s 19......................................

rs No 157, 2015

s. 19A..................................

ad. No. 64, 2012

 

rep No 157, 2015

s. 19B..................................

ad. No. 64, 2012

 

rep No 157, 2015

s. 19C..................................

ad. No. 64, 2012

 

rep No 157, 2015

s 19D...................................

ad No 126, 2014

 

rep No 157, 2015

s. 20.....................................

am. No. 64, 2012

 

rs No 157, 2015

Division 2A.........................

ad. No. 64, 2012

 

rep No 157, 2015

Division 3

 

Division 3............................

rs No 157, 2015

s 21......................................

rs No 157, 2015

s 22......................................

rs No 157, 2015

s. 22A..................................

ad. No. 64, 2012

 

rep No 157, 2015

s. 22B..................................

ad. No. 64, 2012

 

rep No 157, 2015

s. 22C..................................

ad. No. 64, 2012

 

rep No 157, 2015

s. 22D..................................

ad. No. 64, 2012

 

rep No 157, 2015

 

am No 139, 2015 (amdt never applied (Sch 2 item 35))

s. 22E..................................

ad. No. 64, 2012

 

rep No 157, 2015

s 23......................................

am No 197, 2012

 

rs No 157, 2015

s 23A...................................

ad No 126, 2014

 

rep No 157, 2015

s 24......................................

rs No 157, 2015

s. 24A..................................

ad. No. 64, 2012

 

rep No 157, 2015

s 25......................................

rs No 157, 2015

s 25A...................................

ad No 157, 2015

s 25B...................................

ad No 157, 2015

s 25C...................................

ad No 157, 2015

s 25D...................................

ad No 157, 2015

s 25E...................................

ad No 157, 2015

Division 4

 

Division 4 heading...............

rs No 157, 2015

s 26......................................

am No 197, 2012

 

rs No 157, 2015

Part 4

 

s 28AA................................

ad No 157, 2015

s 29......................................

am No. 73, 2010; No 197, 2012; No 157, 2015

s. 30.....................................

am. No. 73, 2010

Part 5

 

s 31AA................................

ad No 157, 2015

s 31......................................

rs No 157, 2015

s 31A...................................

ad No 157, 2015

Part 5A

 

Part 5A.................................

ad No 157, 2015

s 31B...................................

ad No 157, 2015

s 31C...................................

ad No 157, 2015

s 31D...................................

ad No 157, 2015

s 31E...................................

ad No 157, 2015

Part 6

 

s 31F....................................

ad No 157, 2015

s 32......................................

am No 126, 2015

s 34......................................

am No 157, 2015

s 35......................................

rs No 157, 2015

Part 7

 

Division 1

 

Division 1............................

ad No 157, 2015

s 36AA................................

ad No 157, 2015

Division 2

 

Division 2 heading...............

ad No 157, 2015

s 36......................................

am. No. 5, 2011; No. 64, 2012; No 157, 2015

s 36A...................................

ad No 157, 2015

s 36B...................................

ad No 157, 2015

s 36C...................................

ad No 157, 2015

s 36D...................................

ad No 157, 2015

Division 3

 

Division 3............................

ad No 157, 2015

s 36E...................................

ad No 157, 2015

Division 4

 

Division 4 heading...............

ad No 157, 2015

s 37......................................

am No 126, 2015

Division 5

 

Division 5 heading...............

ad No 157, 2015