Site Changes
- Note 1: Major changes to the Privacy Act 1988 will come into effect in March 2014. Agencies, businesses and not-for-profits need to start preparing for these changes. For more information go to our privacy law reform page at www.oaic.gov.au
- Note 2: From 12 March 2013 content is no longer being added to, or amended, on this site, consequently some information may be out of date. For new privacy content visit the www.oaic.gov.au website.
The eHealth record system
From July 2012, Australians can choose to register for their own personally controlled electronic health (eHealth) record.
An eHealth record is an electronic summary of someone’s health information. Initially an eHealth record will contain basic information. As the system develops, healthcare providers will be able to add more information like treatments, medications and allergies.
You can control your own eHealth record, including by choosing to restrict which healthcare provider organisations can access it and what information is included.
The Personally Controlled Electronic Health Records Act 2012 (PCEHR Act) and the Personally Controlled Electronic Health Records Regulation 2012 create the legislative framework for the Australian Government’s personally controlled electronic health (eHealth) record system.
The PCEHR Act limits when and how health information included in an eHealth record can be collected, used and disclosed. Unauthorised collection, use or disclosure of eHealth record information is both a contravention of the PCEHR Act and an interference with privacy.
Follow these tips to protect your eHealth record:
- Read the terms and conditions carefully before you opt-in
- Be aware of the different access settings available to you
- Consider setting up advanced access controls and an ‘access code’
- Read the privacy notices and policies of your healthcare providers and the eHealth record System Operator
- Talk to your healthcare providers regularly about what information they will be adding to and accessing from your eHealth record. Ask how they will involve you in this process
- Check your eHealth record audit trail regularly for unexpected or unauthorised access to your record
- Check your eHealth record regularly to ensure that the documents it contains are kept accurate, up-to-date and complete
- Keep your eHealth record secure, including by protecting your password and only accessing your record from a secure device
- Exercise your privacy rights
- Remember you can choose to opt-out at any time
For an extended version of these tips see Privacy fact sheet 15: Ten tips for protecting the personal information in your eHealth record
Healthcare providers should be aware of the following information:
- Know your obligations under the PCEHR Act: there are serious penalties if you don’t comply
- Understand that while there are new obligations for information stored on the eHealth record system, you must continue to comply with your current legal obligations
- Develop robust processes for handling eHealth records and ensure staff are adequately trained to follow them
- Tell your patients about what information you intend to add to and access from their eHealth record and explain what you will do with the information
- Ensure that you do not collect more information from an eHealth record than is necessary
- Collect, use and disclose information in a patient’s eHealth record only for the limited and authorised purposes allowed under the eHealth record system
- Know how the eHealth record system can be used in an emergency situation
The OAIC’s role in the eHealth record system
The OAIC regulates the handling of personal information under the eHealth record system by individuals, Commonwealth government agencies, private sector organisations and some state and territory agencies (in particular circumstances).
The OAIC’s role includes investigating complaints about the mishandling of health information in an individual’s eHealth record. The OAIC can also conduct ‘own motion investigations’.
The functions and enforcement powers available to the OAIC include:
- seeking a civil penalty from the Courts
- seeking an injunction to prohibit or require particular conduct
- accepting enforceable undertakings
- using existing Privacy Act investigative and enforcement mechanisms, including conciliation of complaints and formal determinations
- accepting data breach notifications from the System Operator, repository operators and portal operators.
The OAIC will issue Enforcement Guidelines which will outline the Commissioner’s approach to enforcement issues under the legislation.
Video: Privacy Commissioner talks privacy and the eHealth record system
Watch our YouTube video to find out about:
- the OAIC’s role in the eHealth record system
- the privacy protections in the eHealth record system
- key privacy messages for healthcare providers
- where to go for more information about privacy and the eHealth record system
Other information:
Privacy fact sheet 14: Healthcare Identifiers and the eHealth record system
PCEHR (Participation Agreements) Rules 2012
More information about Healthcare Identifiers
Department of Health and Ageing
Enquiries: 1800 723 471
Website: http://www.ehealth.gov.au/internet/ehealth/publishing.nsf/content/home
eHealth learning centre: http://publiclearning.ehealth.gov.au/