The eHealth record system
From July 2012, Australians can choose to register for their own personally controlled electronic health (eHealth) record.
An eHealth record is an electronic summary of someone’s health information. Initially an eHealth record will contain basic information. As the system develops, healthcare providers will be able to add more information like treatments, medications and allergies.
You can control your own eHealth record, including by choosing to restrict which healthcare provider organisations can access it and what information is included.
The Personally Controlled Electronic Health Records Act 2012 (PCEHR Act) and the Personally Controlled Electronic Health Records Regulation 2012 create the legislative framework for the Australian Government’s personally controlled electronic health (eHealth) record system.
The PCEHR Act limits when and how health information included in an eHealth record can be collected, used and disclosed. Unauthorised collection, use or disclosure of eHealth record information is both a contravention of the PCEHR Act and an interference with privacy.
Follow these tips to protect your eHealth record:
- Read the terms and conditions carefully before you opt-in
- Be aware of the different access settings available to you
- Consider setting up advanced access controls and an ‘access code’
- Read the privacy notices and policies of your healthcare providers and the eHealth record System Operator
- Talk to your healthcare providers regularly about what information they will be adding to and accessing from your eHealth record. Ask how they will involve you in this process
- Check your eHealth record audit trail regularly for unexpected or unauthorised access to your record
- Check your eHealth record regularly to ensure that the documents it contains are kept accurate, up-to-date and complete
- Keep your eHealth record secure, including by protecting your password and only accessing your record from a secure device
- Exercise your privacy rights
- Remember you can choose to opt-out at any time
For an extended version of these tips see Privacy fact sheet 15: Ten tips for protecting the personal information in your eHealth record
Healthcare providers should be aware of the following information:
- Know your obligations under the PCEHR Act: there are serious penalties if you don’t comply
- Understand that while there are new obligations for information stored on the eHealth record system, you must continue to comply with your current legal obligations
- Develop robust processes for handling eHealth records and ensure staff are adequately trained to follow them
- Tell your patients about what information you intend to add to and access from their eHealth record and explain what you will do with the information
- Ensure that you do not collect more information from an eHealth record than is necessary
- Collect, use and disclose information in a patient’s eHealth record only for the limited and authorised purposes allowed under the eHealth record system
- Know how the eHealth record system can be used in an emergency situation
The OAIC’s role in the eHealth record system
The OAIC regulates the handling of personal information under the eHealth record system by individuals, Commonwealth government agencies, private sector organisations and some state and territory agencies (in particular circumstances).
The OAIC’s role includes investigating complaints about the mishandling of health information in an individual’s eHealth record. The OAIC can also conduct ‘own motion investigations’.
The functions and enforcement powers available to the OAIC include:
- seeking a civil penalty from the Courts
- seeking an injunction to prohibit or require particular conduct
- accepting enforceable undertakings
- using existing Privacy Act investigative and enforcement mechanisms, including conciliation of complaints and formal determinations
- accepting data breach notifications from the System Operator, repository operators and portal operators.
The OAIC will issue Enforcement Guidelines which will outline the Commissioner’s approach to enforcement issues under the legislation.
Video: Privacy Commissioner talks privacy and the eHealth record system
Watch our YouTube video to find out about:
- the OAIC’s role in the eHealth record system
- the privacy protections in the eHealth record system
- key privacy messages for healthcare providers
- where to go for more information about privacy and the eHealth record system
Department of Health and Ageing
Enquiries: 1800 723 471
eHealth learning centre: http://publiclearning.ehealth.gov.au/