National Health (Privacy) Rules 2021
I, Elizabeth Hampton, Acting Australian Information Commissioner, make the following instrument.
Dated 12 November 2021
Elizabeth Hampton
Acting Australian Information Commissioner
Part 1—Introduction
1 Name
This instrument is to be known as the National Health (Privacy) Rules 2021.
2 Commencement
This instrument commences on the later of:
(1) The day specified under section 135AA(8) of the National Health Act 1953; and
(2) 1 April 2022.
3 Authority
This instrument is made under section 135AA of the National Health Act 1953.
4 Definitions
Note: A number of expressions used in this instrument are defined in the Act, and have the same meaning in this instrument, including the following:
(a) agency
(b) database
(c) Medicare Benefits Program
(d) old information
(e) personal identification components
(f) Pharmaceutical Benefits Program
(g) pharmaceutical entitlements number
In this instrument:
Act means the National Health Act 1953.
claims information means information to which these Rules relate as defined in section 135AA(1) of the Act; for clarity in these Rules, as is indicated in section 135AA(2), ‘claims information’ does not include information about service providers.
Chief Executive Medicare has the same meaning as in the Human Services (Medicare) Act 1973.
delegate means a Deputy Secretary or First Assistant Secretary of the Department of Health or the Australian Government Chief Medical Officer to whom a delegation has been made by the Secretary of the Department of Health.
Department of Health means the Department of Health or any other successor agency or agencies which may have responsibility under the Administrative Arrangements Order as made from time to time for administration of relevant provisions of the Act or the Health Insurance Act 1973 or for enabling the Chief Executive Medicare to perform health provider compliance functions.
enforcement body is defined in section 6 of the Privacy Act 1988.
Health provider compliance function means a statutory function, duty or power of the Chief Executive Medicare under either the Health Insurance Act 1973 or the Act or the Dental Benefits Act 2008 or the Human Services (Medicare) Act 1973, where a health provider is the subject of the performance of the function or the exercise of the power or duty.
Services Australia is the executive agency created by the order of the Governor-General on 5 December 2019 and includes any successor agency or agencies.
5 Repeal of this instrument
This instrument is repealed at the start of 1 April 2025.
Part 2—Australian Government Agencies
6 Handling of claims information
(1) Agencies must store claims information obtained under the Medicare Benefits Program in a separate database to claims information obtained under the Pharmaceutical Benefits Program.
Part 3—Services Australia and the Department of Health
7 Management of claims information
(1) Services Australia must ensure that claims information obtained under the Medicare Benefits Program is held in a separate database to claims information obtained under the Pharmaceutical Benefits Program. This requirement does not prevent Services Australia from locating each database within the same computer system.
(2) Databases of claims information obtained under the Medicare Benefits Program and the Pharmaceutical Benefits Program (that is, the ‘Medicare Benefits claims database’ and the ‘Pharmaceutical Benefits claims database’) must be kept separate from enrolment and entitlement databases.
(3) For claims information that is not old information, personal identification components must not be included in databases of claims information except as follows:
(a) in the case of the Medicare Benefits claims database, the Medicare card number; and
(b) in the case of the Pharmaceutical Benefits claims database, the Pharmaceutical entitlements number.
(4) Services Australia must establish and maintain detailed technical standards in relation to the Medicare Benefits claims database and the Pharmaceutical Benefits claims database which:
(a) specify access controls applying to each database;
(b) limit access to each database to those officers or contractors who reasonably require access to effectively administer the particular program;
(c) specify the security procedures and controls that exist to prevent unauthorised linkage of records that are held in both databases about the same individual;
(d) identify how any linkages conducted pursuant to sections 8(1) and 10(2) can be traced;
(e) describe the special arrangements for the security of claims information required by sections 9(2) and 10(4); and
(f) specify the destruction schedule for records created pursuant to each circumstance specified in paragraphs (a) to (e) of section 8(1) and paragraphs (a) to (g) of section 10(2) (where practicable).
(5) If Services Australia varies the technical standards established under section 7(4), Services Australia must lodge a Variation Report with the Australian Information Commissioner detailing those variations.
Medicare Personal Identification Number
(6) Services Australia may only maintain a personal identification number (‘Medicare PIN’) to the extent necessary to assist that agency in identifying individuals included in the Medicare Benefits Program and the Pharmaceutical Benefits Program.
(7) Medicare PINs may be stored on databases holding records of claims information.
(8) A Medicare PIN must not:
(a) be based on or derived from a person's name, date of birth, address, telephone number or Medicare card number;
(b) enable an individual's identity to be determined from the Medicare PIN alone; or
(c) reveal any health related or other personal information of the individual.
Disclosures by Services Australia to the Department of Health
(9) Services Australia may disclose claims information to the Department of Health provided that such disclosures do not include personal identification components, except as permitted by section 13 or where directly connected to the Department of Health assisting the Chief Executive Medicare to perform his or her health provider compliance functions in accordance with these Rules. Services Australia may disclose to the Department of Health claims information that contains a Medicare PIN and/or an encrypted form of an individual’s Medicare card number.
(10) Services Australia may not provide to the Department of Health, other than where it is to enable the Chief Executive Medicare to perform a health provider compliance function in accordance with these Rules, any algorithm which enables an encrypted Medicare card number to be unencrypted.
(11) Services Australia may provide to the Department of Health an algorithm which enables an encrypted Medicare card number or a Medicare PIN to be validated as an authentic number of either type.
(12) Other than where its provision is to enable the Chief Executive Medicare to perform a health provider compliance function in accordance with these Rules, Services Australia may only provide to the Department of Health the name corresponding to a Medicare PIN where Services Australia has received a request from the Department of Health conforming to section 13.
(13) Services Australia must keep a record of any disclosures of claims information to the Department of Health in accordance with section 13.
(14) Services Australia may also provide information to the Department of Health as to whether the records attaching to a Medicare PIN relate to an individual who is or was a participant in special schemes such as safety net arrangements under the Medicare Benefits and Pharmaceutical Benefits Programs. That additional information shall not be in a form which reveals the identity of the individual.
(15) Where Services Australia lawfully discloses information to an agency, organisation or individual other than the Department of Health it must not provide both the name and the Medicare PIN unless it is expressly required by or under law (for example, under warrant or subpoena).
8 Linkage of claims information
(1) Services Australia and the Department of Health (where the Department of Health is enabling the Chief Executive Medicare to perform health provider compliance functions) may only link claims information from the Medicare Benefits claims database and the Pharmaceutical Benefits claims database relating to the same individual in the following circumstances:
(a) for internal use that is authorised or required by law and is reasonably necessary, in a specific case or in a specific set of circumstances, for the discharge of statutory functions, duties and powers of the Chief Executive Medicare (including health provider compliance functions) in relation to:
(i) the enforcement of the criminal law;
(ii) the enforcement of a law imposing a pecuniary penalty; or
(iii) the protection of the public revenue;
(i) where that disclosure is required by law;
(ii) to an enforcement body where that disclosure is reasonably necessary, following linkage, in a specific case or in a specific set of circumstances, for:
(a) the enforcement of the criminal law;
(b) the enforcement of a law imposing a pecuniary penalty; or
(c) the protection of the public revenue;
(c) for the purpose of determining an individual's eligibility for a benefit under one program, where eligibility for that benefit is dependent upon services provided under the other program;
(d) where the Chief Executive Medicare believes on reasonable grounds that the linkage is necessary to prevent or lessen a serious and imminent threat to the life or health of any individual; or
(e) for disclosure to an individual where that individual has given their consent.
(2) The discretion referred to in section 8(1) does not permit Services Australia or the Department of Health where the Department of Health is enabling the Chief Executive Medicare to perform health provider compliance functions, to establish a data matching program between the Medicare Benefits claims database and the Pharmaceutical Benefits claims database.
9 Retention and reporting of linked claims information
(1) Where claims information is linked in accordance with section 8(1), Services Australia or the Department of Health where the Department of Health is enabling the Chief Executive Medicare to perform health provider compliance functions, respectively must destroy that linked claims information as soon as practicable after meeting the purpose for which it was linked.
(2) Services Australia and the Department of Health must make special arrangements for the security of records of linked claims information.
(3) Services Australia and the Department of Health must provide the Australian Information Commissioner with a report detailing the handling of linked claims information. The report must be provided annually in a form approved by the Australian Information Commissioner. The report must include the following information for the reporting period::
(a) the number of records linked in accordance with section 8(1);
(b) the number of records linked under each of the circumstances in sections 8(1)(a) to (e);
(c) the number of linked records that were destroyed;
(d) the number of records destroyed that were linked under each of the circumstances in sections 8(1)(a) to (e);
(e) reasons for the retention of any records referred to in section 9(3)(a) that were not destroyed during the reporting period; and
(f) the number of records linked in accordance with section 8(1) that have been retained from previous reporting periods, and reasons for their retention.
(4) The Australian Information Commissioner may make the report referred to in section 9(3) publicly available.
10 Linking old information with personal identification components
(1) Services Australia must store old information from the Medicare Benefits Program and the Pharmaceutical Benefits Program:
(a) in separate databases; and
(b) in a form that does not include any personal identification components.
(2) Services Australia and the Department of Health (where the Department of Health is enabling the Chief Executive Medicare to perform health provider compliance functions) may only link old information to personal identification components by use of a Medicare PIN for the purpose of:
(a) taking action on an unresolved compensation matter;
(b) taking action on an investigation or prosecution;
(c) taking action for recovery of a debt;
(d) determining entitlement on a late lodged claim or finalising the processing of a claim;
(e) determining entitlement for a related service rendered more than five years after the service which is the subject of the old information;
(f) fulfilling a request for that information from the individual concerned or from a person acting on behalf of that individual; or
(g) lawfully disclosing identified information in accordance with the secrecy provisions of relevant legislation and this instrument.
(3) Where old information is linked to personal identification components in accordance with section 10(2), Services Australia and the Department of Health respectively must destroy that linked information as soon as practicable after meeting the purpose for which it was linked.
(4) Services Australia and the Department of Health must make special arrangements for the security of records obtained in accordance with section 10(2).
(5) Services Australia and the Department of Health must provide the Australian Information Commissioner a report detailing the extent to which old information has been linked to personal identification components. The report must be provided annually in a form approved by the Australian Information Commissioner. The report must include the following information for the reporting period:
(a) the number of records linked in accordance with section 10(2);
(b) the number of records linked under each of the circumstances in paragraphs (a) to (g) of section 10(2);
(c) the number of records of old information linked in accordance with section 10(2) that were destroyed;
(d) the number of records destroyed that were linked under each of the circumstances in paragraphs (a) to (g) of section 10(2);
(e) reasons for the retention of any records referred to in paragraph (a) that were not destroyed during the reporting period; and
(f) the number of records of linked old information that have been retained from previous reporting periods, and reasons for their retention.
(6) The Australian Information Commissioner may make the report referred to in section 10(5) publicly available.
(7) Services Australia may collect from the Department of Health, and the Department of Health may disclose to Services Australia, old information for:
(a) a purpose under sections 10(2)(a) to (g); or
(b) inclusion in the databases referred to in section 10(1).
11 Disclosure of identifiable claims information for medical research purposes
(a) Services Australia is satisfied that the individual to whom the information relates has given their informed consent to the use of that information in the research project; or
(b) the disclosure is made for the purposes of medical research to be conducted in accordance with guidelines issued by the National Health and Medical Research Council under section 95 of the Privacy Act 1988.
(2) Before disclosing claims information under section 11(1), Services Australia must obtain a written undertaking from the researcher that the claims information will be securely destroyed at the conclusion of the research project.
(1) Except where it is being used by the Department of Health to enable the Chief Executive Medicare to perform health provider compliance functions in accordance with these Rules or where restricted by this instrument, claims information provided to the Department of Health by Services Australia in accordance with section 7(9) may be used by the Department of Health as authorised by the Secretary of the Department of Health, or delegate.
(2) The Secretary of the Department of Health, or delegate, must not permit the establishment of a system which stores claims information from both the Medicare Benefits Program and Pharmaceutical Benefits Program in a combined form.
(3) Other than where it is linked in accordance with section 8(1) or section 10(2), claims information from the Medicare Benefits Program and Pharmaceutical Benefits Program concerning particular individuals may be linked by a Medicare PIN by the Department of Health only where:
(a) linkage is necessary for a use authorised by the Secretary of the Department of Health, or delegate;
(b) claims information identified by the Medicare PIN or any personal identification components is used solely as a necessary intermediate step to obtain aggregate or de-identified information; and
(c) such linked records are destroyed within one month of their creation.
(4) Claims information from the Medicare Benefits Program and Pharmaceutical Benefits Program shall only be linked in this temporary manner in conjunction with the Medicare PIN where there is no practical alternative.
(5) Claims information may be held indefinitely for policy and research purposes by the Department of Health provided that such claims information does not include personal identification components.
(6) Where the Department of Health discloses claims information it must be reasonably satisfied that the recipient is not in a position to identify the individual to which the information relates unless:
(a) that information is disclosed to Services Australia for the purpose of section 10(7); or
(b) that claims information is released under section 130 of the Health Insurance Act 1973 or section 135A of the Act.
(1) Other than where it is being collected in accordance with section 7(9) to enable the Chief Executive Medicare to perform health provider compliance functions, an officer of the Department of Health may collect from Services Australia the name and other personal identification components corresponding to a Medicare PIN where that is authorised by the Secretary of the Department of Health, or delegate, and is necessary:
(a) to clarify which information relates to a particular individual where doubt has arisen in the conduct of an activity involving the linkage of de-identified information; or
(b) for the purpose of disclosing personal information in a specific case or in a specific set of circumstances as expressly authorised or required by or under law.
(3) The Department of Health must maintain and make publicly available a policy statement outlining its practices of disclosure in relation to paragraph (b) of section 13(1).
(4) The Secretary of the Department of Health, or delegate, must establish procedures to ensure that a request to disclose identified individual information is referred to Services Australia where practicable. Requests for disclosure should only be handled by the Department of Health where it is not practicable for the request to be referred to Services Australia.
(a) a record of that collection is retained by the Department of Health; and
(b) the record is held under strict security by a designated officer.
(6) The Secretary of the Department of Health must advise the Australian Information Commissioner of procedures developed to ensure compliance with sections 13(2), (4) and (5) and any changes to those procedures.
(1) Paper copies of claims information contained in the Medicare Benefits claims database or the Pharmaceutical Benefits claims database may be made where reasonably necessary for a lawful purpose. However, paper copies may not be made of the complete or a major proportion of either the Medicare Benefits claims database or the Pharmaceutical Benefits claims database. Paper copies of information must not be made for the purpose of circumventing the requirements of this instrument.
(2) Services Australia and the Secretary of the Department of Health must keep the Australian Information Commissioner informed, in a manner approved by the Australian Information Commissioner, of any arrangements that Services Australia or the Department of Health make in relation to any delegation or authorisations given that are associated with the implementation of this instrument.
(3) Services Australia and the Department of Health shall take reasonable steps to make all staff aware of the need to protect the privacy of individuals in relation to claims information and of the content of this instrument.
(4) To the extent that this instrument imposes more specific obligations than the Privacy Act or the secrecy provisions of legislation relating to Services Australia and the Department of Health, this instrument prevails.