Issues Paper 2004: Section 135AA Guidelines Review

Section A: About the Review

Which Guidelines are being reviewed?

Why have a Review?

Terms of reference

SECTION B: Taking part in the Review

Appendices to this Issues Paper

Important dates

How to be a part of the Review

Open Forum Schedule

How to make a submission

More information

Privacy collection statement

Section C: Guidelines overview and background

Key legislation

The Privacy Act and the Information Privacy Principles

The National Health Act

Other legislation

Federal privacy protection for health information in the private sector

The Purpose of the Guidelines

Part A: Guidelines affecting the HIC

Part B: Guidelines affecting the Department of Health and Ageing

What the Guidelines do not cover

Section D: Issues for consideration

The health environment

Separation of the databases

Data linkage

Secondary uses of information

Community attitudes

Consent and access

Data retention

Ease of use of the Guidelines

APPENDIX A Some topics for consideration

APPENDIX B History of the Guidelines

APPENDIX C Sections 135AA and 135AB of the National Health Act 1953

NATIONAL HEALTH ACT 1953 - SECTION 135AA

NATIONAL HEALTH ACT 1953 - SECTION 135AB

APPENDIX D Medicare and Pharmaceutical Benefits Programs Privacy Guidelines

Medicare and Pharmaceutical Benefits Programs privacy guidelines

Issued under section 135AA of the National Health Act 1953, with Privacy Commissioner’s notes

May 1997

Contents

Preface

Introduction

Legal basis

Scope

A. Health Insurance Commission

1. Functional separation of programs

2. Maintenance and disclosure of personal identification number (PIN) information

3. Destruction

4. Obtaining old claims information

4a. Use of identified claims information for research purposes

B. Department

5. Use of de-identified claims information

6. Name linkage

C. Miscellaneous

Meaning of terms

Table of amendments


Section A: About the Review

Which Guidelines are being reviewed?

This Issues Paper has been prepared as part of a Review of the Medicare and Pharmaceutical Benefits Programs Privacy Guidelines (‘the Guidelines’). These Guidelines are issued by the Privacy Commissioner under section 135AA [1] of the National Health Act 1953 (‘National Health Act’), and issuing them is a function of the Privacy Commissioner under s.27(1)(pa) of the Privacy Act 1988 (‘Privacy Act’). [2] Sections C and D of this Issues Paper discuss the Guidelines in greater detail.

Why have a Review?

The Guidelines were first issued by the Office on 24 November 1993 and came into effect on 15 April 1994. The last review of the Guidelines took place in 1995. A number of factors tend to suggest that a review is now timely, including:

  • developments in information technology which may have bearing on the handling of electronic records;
  • the increasing use of information technology in the planning and provision of health services; and
  • community attitudes and expectations regarding the handling of personal information, and in particular sensitive health information, which may have altered during this time.

Submissions to the Review will help the Privacy Commissioner to assess the need for any revision or amendments to the Guidelines.

Terms of reference

The Review is a general review of all the provisions of the Guidelines.

The OFPC’s purpose is to ensure that the Guidelines, in their current form, achieve the intent of section 135AA of the National Health Act and are user-friendly in language, style and format.

The Privacy Commissioner invites comment from all interested individuals, agencies and organisations, on all elements and aspects of the Guidelines, including their effect on individuals and on the operation of the Medicare and Pharmaceutical Benefits Scheme (PBS) Programs. Topics for consideration in this Issues Paper are intended as suggestions only and submitters may comment on any aspects of the Guidelines.

The Privacy Commissioner requests that for the purpose of this Review, submission comments are restricted to the Guidelines and their operation (and do not, for example, extend into unrelated areas of the Privacy Act or other legislation).

The Issues Paper sets out information about the review process, including:

  • how to take part in the Review, important dates, how to make a submission and contact details for more information about the Issues Paper or the review process;
  • background information about the Guidelines, their legislative history, the purpose and scope of the review; and
  • possible issues for consideration.

Please note that this is a review of the Guidelines and not a review of section 135AA of the National Health Act 1953. It is not within the scope of this review or the Privacy Commissioner’s legislative functions to review or amend this legislation.

 

SECTION B: Taking part in the Review

This section provides information on how to take part in this Review, including making submissions and attending consultation forums.

Appendices to this Issues Paper

There are a number of appendices to this Issues Paper. These are:

  • Appendix A: Some topics for consideration;
  • Appendix B: Legislative history of the Guidelines;
  • Appendix C: Sections 135AA and 135AB of the National Health Act 1953; and
  • Appendix D: Medicare and Pharmaceutical Benefits Programs Privacy Guidelines (provided as a separate attachment electronically).

Important dates

Submissions close - 4 February 2005

Open Forum meetings - November–December 2004

Review completed - 31 May 2005

How to be a part of the Review

The Office welcomes submissions from interested parties, including agencies, organisations and individuals.

We also welcome your participation in the Open Forums to be held in all State and Territory capital cities during the public consultation period. These Forums will give you an opportunity to raise areas of concern and assist the Office in identifying issues relevant to the Guidelines review. Information on the Forums follows:

Open Forum Schedule

To assist OFPC planning, please confirm your attendance at an Open Forum by emailing glreview@privacy.gov.au.

| CITY | DATE and TIME | VENUE |
|---|---|---|
| BRISBANE | 22 November 10:00 - 12:00 | Grand Ballroom, Medina Executive, 15 Ivory Lane |
| DARWIN | 25 November 9:00 - 11:00 | Signatures Room, Level 2 Crowne Plaza, 32 Mitchell Street |
| ADELAIDE | 29 November 9:30 - 11:30 | Glenroy Room, 1st Floor Mercure Grosvenor Hotel, 125 North Terrace |
| PERTH | 1 December 9:30 - 11:30 | e-Central, A Block, Room A236, Royal Street |
| MELBOURNE | 7 December 3:00 - 5:00 | Grand Ballroom, Sofitel, 25 Collins Street |
| HOBART | 9 December 9:30 - 11:30 | Theatrette, Ground Floor, The Old Woolstore, 1 Macquarie Street |
| CANBERRA | 14 December 10:00 - 12:00 | The Hall, University House, Australian National University, Cnr Balmain & Liversidge St |
| SYDNEY | 15 December 10:00 - 12:00 | Hearing Room, Level 8, Piccadilly Tower, 133 Castlereagh Street |

How to make a submission

There is no specified format for a submission. Submissions may range from a letter addressing one issue to a systematic analysis of the operation of the private sector provisions of the Privacy Act 1988. Submissions will also be accepted in a range of styles of presentation and in electronic or hard copy form. Similarly, oral and audio submissions will be accepted, including using TTY.

Submissions received in electronic format will become publicly available documents and will be posted on the website of the Office of the Federal Privacy Commissioner unless submitters indicate otherwise. Mark your submission as ‘confidential’ if you do not want it posted on the website. The final report will list the names of all those who made submissions. If you have marked your submission as confidential, but still want your name listed as having made a submission, make this clear on the submission. Otherwise, all that will appear in the list next to the submission number will be the word ‘confidential’.

The suggested topics in the issues paper are presented only as a guide. Participants should not feel the need to address all the topics or be restricted to the issues which the topics raise.

Participants are encouraged to provide data, examples, case studies, or other evidence to support the arguments presented in their submission.

Submissions may be sent to the Office as follows:

Email: glreview@privacy.gov.au

Post: Mr Nicholas Burrage

Guidelines Review

Policy Section

Office of the Federal Privacy Commissioner

GPO Box 5218

SYDNEY NSW 2001

TTY: 1800 620 241

Fax: (02) 9284 9666

More information

If you would like more information about the Issues Paper, the review process or the Open Forums, please contact:

Name: Mr Nicholas Burrage

Telephone: 1300 363 992

Privacy collection statement

This Office will use the information it collects in the course of the Review for the purpose of reviewing the Guidelines. The Office may put submissions received on its website or may list agencies, organisations or individuals who have submitted to the Review.

Requests for access to submissions marked ‘CONFIDENTIAL’ will be determined in accordance with the Freedom of Information Act 1982 (Cth).

The Office will acknowledge receipt of your submission; however, please note that the Office will not provide comments on individual submissions.

 

Section C: Guidelines overview and background

This section gives an overview of the Guidelines, including:

  • key legislation;
  • the purpose and coverage of the Guidelines;
  • current practices of the Department of Health and Ageing (‘the Department’) and the Health Insurance Commission (HIC) Programs as they relate to information covered by the Guidelines; and
  • other legislation affecting the Programs.

Key legislation

The Privacy Act and the Information Privacy Principles

The Privacy Act, through the eleven Information Privacy Principles (IPPs), regulates the handling of personal information by most Australian government agencies, including the personal information collected by the HIC and the Department. [3] Note that there are no particular provisions for the protection of health information under the IPPs.

Personal information is defined in section 6 of the Privacy Act as meaning:

…information or opinion (including information or opinion forming part of a database), whether true or not, and whether recorded in material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.

The IPPs regulate the way Australian government agencies collect, store and secure, maintain records and keep them accurate, allow access and alteration and otherwise use and disclose personal information. [4]

While the Guidelines generally offer some specific protections for Medicare and PBS information, they do not cover all the matters addressed by the IPPs. For example, an individual’s right of access is not addressed in the Guidelines; however, such access is provided for under IPP 6.

The IPPs and the Guidelines co-exist, with the Guidelines providing additional, specific rules for the handling of Medicare and PBS data, for example, the rules concerning the linking, comparing or combining of records or information from the databases, or the length of time particular information or data can be retained. More information about the IPPs and federal privacy regulation can be found at www.privacy.gov.au.

The National Health Act

Section 135AA of the National Health Act requires the Privacy Commissioner to issue guidelines relating to personal information held by an Australian government agency and obtained in connection with a claim for payment of a benefit under the Medicare or PBS Programs. The requirement to issue these guidelines is also listed as a function of the Privacy Commissioner under section 27(1)(pa) of the Privacy Act.

Sections 135AA and 135AB of the National Health Act provide the legislative basis for the Guidelines, specifying the data or information to which they apply and the areas that the Guidelines must cover. These include provisions that:

  • require the Privacy Commissioner to issue Guidelines;
  • set out the information to which the Guidelines apply;
  • set out the issues the Guidelines must cover;
  • define various terms used in the section;
  • set down requirements for consultation, tabling and disallowance;
  • define a breach of the Guidelines as “an interference with privacy” under section 13 [5] of the Privacy Act; and
  • provide that the Privacy Commissioner may accept and deal with a complaint about a breach of the Guidelines.

The Guidelines are a disallowable instrument under s.46A of the Acts Interpretation Act 1901. [6] If a particular guideline is replaced or varied in some way it must be done by written notice (section 135AA(4) of the National Health Act [7]). Any amendment to the guidelines or the issuing of new guidelines is treated as a disallowable instrument and must undergo the appropriate tabling and gazetting process.

Section 135AA(6) of the National Health Act [8] also requires the Privacy Commissioner to “take reasonable steps to consult with organisations (including agencies) whose interests would be affected by the guidelines”.

Other legislation

As well as the obligations under the Privacy Act and the Guidelines, Medicare and PBS programs are also subject to other legislative provisions. These include the secrecy provisions of the Health Insurance Act 1973 (Health Insurance Act) and the National Health Act. The secrecy provisions in both Acts narrowly prescribe the handling of personal information collected in the course of the activities of both the Department and the HIC.

Under these provisions, for example, staff of these agencies are generally prohibited from disclosing personal information from the database to a third party except under strictly controlled circumstances and with the permission of a delegated person who has the authority to release the information. Other secrecy provisions cover the release of personal information for various reasons, including where it may be necessary in the public interest, for example, in the specific release of information to other government agencies in the investigation of fraud, or to assist police in major criminal investigations.

a) Possible issue for discussion

Submissions could discuss the extent to which other current privacy, secrecy, security and confidentiality regulatory provisions provide sufficient privacy protection for the handling of Medicare and PBS claims information.

Federal privacy protection for health information in the private sector

The ten National Privacy Principles [9] (NPPs) in the Privacy Act came into effect in December 2001. The NPPs apply to private sector organisations, unless they are expressly exempt. [10] The NPPs regulate all private sector organisations which provide a health service or handle health information (except in an employee record).

There are particular obligations in the NPPs about the handling of “sensitive information,” which includes all health information. For example, NPP 10 imposes restrictions on whether and how an organisation can collect health information about an individual. NPP 2 imposes stricter limits on how sensitive information may be used or disclosed than is the case for non-sensitive personal information (for example, health information may not be used for direct marketing).

In the second reading speech [11] of the Privacy Amendment (Private Sector) Bill 2000, the then Attorney-General, Daryl Williams AM QC MP, noted that:

The bill provides additional protections in relation to the use and disclosure of health information, as such information is clearly considered by the community to be particularly sensitive.

It is important to note that, generally, the Privacy Act, the IPPs and the NPPs do not cover personal information, including health information, handled by State governments or university researchers.

The Purpose of the Guidelines

The Guidelines provide specific standards and safeguards, additional to the IPPs, for the way individuals’ claims information stored in computer databases is handled. This privacy protection of individuals’ Medicare and PBS claims information extends to such information held by any agency subject to the Privacy Act.

The Guidelines are legally binding and ensure that Medicare and PBS claims data is only used for limited purposes and in particular circumstances.

Some significant guidelines include:

  • Guideline 1.1 – requires the separate storage of Medicare and PBS Programs claims information;
  • Guideline 1.4 – the circumstances in which data from the two programs may be linked;
  • Guidelines 1.6, 1.8 and 2 – use of internal personal identification numbers (PIN);
  • Guideline 3 – concerning the destruction of identified data; and
  • Guideline 5 – regarding the use of de-identified claims information and the circumstances in which de-identified information may be provided to the Department for policy development, program monitoring and other purposes. [12]

Part A: Guidelines affecting the HIC

Part A of the Guidelines regulates the handling of claims data by the HIC.

The HIC is a statutory authority responsible for administering many health programs, including Medicare, and for the processing, paying and recording of data associated with claims under the PBS and Medicare Programs (see www.hic.gov.au). Its functions include monitoring possible fraud and over-servicing practices. HIC provides de-identified copies of Medicare and PBS claims data to the Department on a daily basis and, in addition, provides aggregate and statistical data to the Department.

Medicare claims data held by the HIC includes:

  • the name and address of the individual;
  • the name of the provider (for example, the doctor or hospital) and the provider’s HIC number and ABN number;
  • the item number, a number that identifies the type of service provided (this can also include a general description of the service, such as “Level B surgery consultation”);
  • the cost of the service;
  • the date the service was provided; and
  • whether the service has been paid for.

PBS information held by the HIC includes:

  • the name and address of the individual;
  • Medicare number;
  • information about the prescription, including the date it was written and issued, the item number, the meaning of the item name, e.g. Panadeine Forte, the type of script, quantity, dosage and any repeats;
  • the prescribing doctor;
  • the pharmacy supplier; and
  • the patient contribution to the cost of the script.

Medicare claims data is not stored by the individual’s name or Medicare card number, but by a Medicare PIN (personal identification number) generated internally by the HIC. The Medicare PIN is a unique number for each individual, and is not related to the individual’s Medicare card number, address or date of birth. While an individual’s Medicare claims data will contain the individual’s name and Medicare card number, the data is organised, stored and handled by using an internally generated HIC PIN. It is not possible, for example, for anyone who knows the name, date of birth and/or Medicare number of another person to work out that person’s Medicare PIN.

Key provisions include:

  • Guidelines 1.1, 1.2 & 1.4 – require Medicare and PBS claims information to be stored separately in different databases (although the Guidelines do not prevent them from being stored on the same computer);
  • Guideline 1.4 – sets down the limited circumstances in which the HIC can link, compare or combine claims information from the two databases;
  • Guideline 1.5 – discourages data-matching between the two databases;
  • Guidelines 1.6, 2.1, 2.3 & 2.4 – regulate the use and disclosure of the internal PIN which the HIC uses to identify claimants under the two programs. The PIN does not have any meaning in its own right (for example, it cannot contain the individual’s initials) and the PIN cannot be disclosed in conjunction with the individual’s name. Claims information identified by PIN, but with no other identification information, may be provided to the Department;
  • Guideline 3.1(b) – requires the HIC to destroy its claims information after five years except in limited circumstances;
  • Guideline 3.1(a) – requires the HIC to destroy any linked data sets within 3 months;
  • Guideline 4.1 – permits the HIC to obtain from the Department for specified purposes ‘old’ claims information (that is, older than five years); and
  • Guideline 4A – permits the disclosure of identified claims information for medical research where the individual has given express and informed consent, or where the disclosure is done in accordance with the guidelines issued under s.95 of the Privacy Act. [13]

The disclosures by the HIC are only regulated in terms of linked data and to the extent that the Medicare PIN is involved. The Guidelines should be read together with the secrecy provisions of the Health Insurance Act and the National Health Act.

Part B: Guidelines affecting the Department of Health and Ageing

The Department is a federal government agency generally responsible for health care planning and review strategy, policy formulation and some aspects of administration of the two Programs (see www.health.gov.au).

The Department holds copies of all de-identified claims data for Medicare and the PBS right up to the present time. This information includes, for example, the type of consultation service and the provider’s name. The HIC provides regular updates of this information to the Department.

The Department uses the de-identified claims information to assist with policy development and to review the programs, research, reporting on health system performances, surveys of health trends and to answer requests made from outside the Department for Medicare and PBS data, for example, to provide information about population health trends in particular areas.

Only aggregated statistics (the combined statistics about many individuals brought together for a particular purpose but which do not identify any individual) are released by the Department unless it is considered “necessary in the public interest”. That information is then released in accordance with the secrecy provisions of the Health Act. The Department’s practices in regard to de-identified information are not covered by the Privacy Act as such information would not be ‘personal information’.

Guideline 6 sets out the rules about name linkage, including, that de-identified data can be used by the Department for purposes permitted by the Secretary of the Department. The Secretary must inform the Privacy Commissioner of any delegations or authorisations given in order to implement the Guidelines.

The Guidelines:

  • allow the Department to use claims information identified by Medicare PIN (referred to as “de-identified”, as the Department has no knowledge of the name associated with the PIN) in ways permitted by the Secretary; (Guideline 5)
  • prevent the Department from permanently combining information from the two programs which is identified by the PIN on the same database. (This is a further means of ensuring the separation of the Medicare and PBS claims information databases.) (5.2(b)); and
  • provide that the Department may get the combination “name and PIN” link from the HIC in certain limited circumstances and set out the rules which apply in those instances. (6)

What the Guidelines do not cover

The Guidelines do not apply to information that:

  • identifies providers of services (for example, information about a particular doctor or private hospital is not covered by the Guidelines);
  • is part of the “eligibility” or “entitlement” databases; or
  • is information which is not stored in a computer database. [14]

A database is defined in the Guidelines in the same way it is defined in section 135AA(11) of the National Health Act as “a discrete body of information stored by means of a computer”. The Guidelines are intended to apply only to computer databases. It would not be practicable for them to cover information held on paper records, for example, as this would require the removal of patient names from general records.

Please note that the Guidelines do not specify that the Medicare and PBS claims information should be kept in separate computers. The Guidelines prohibit the claims information from the two programs from being stored in the same database.

Section D: Issues for consideration

The Office is seeking stakeholders’ views on whether the current Guidelines remain appropriate. As an individual, an agency, an organisation, a medical practitioner, a researcher or other interested party, the Guidelines might affect you in different ways. In your view, the Guidelines may be too restrictive in what they allow or you may think that they need to be tightened to ensure appropriate handling of individuals’ health information. Alternatively, you may think that the Guidelines provide an adequate framework in their current form.

This section sets out some issues which may be relevant to how the Guidelines operate.

The health environment

Since the Guidelines were issued in 1994, many changes have taken place in society. In particular, there have been changes in information and communication technologies which have produced faster, more powerful and more accurate computers and software packages. In turn, these advances have also enabled new outcomes in the health sector, with developments in diagnostic tools, medical and surgical care and research. Generally, the ability to collect, store, copy, manipulate and distribute information electronically has increased significantly since 1994.

Any consideration of the Guidelines should bear in mind developments in the wider health sector, including trends towards electronic-health (‘e-health’). Currently, for example, we are witnessing the emergence of electronic health records systems (‘EHRs’) at the local, regional and national levels. Some states are developing types of EHRs, such as OACIS in South Australia [15] and Health e-link in New South Wales (formerly EHR*Net). [16]

At the national level, the HealthConnect project aims to create a centralised database of individuals’ interactions with the health sector (recorded in summary form). [17] Governments have devoted considerable resources to the implementation of such systems. The Australian government has also provided funding to help health service providers (particularly general practices) obtain high-speed broadband internet connections.

These EHRs potentially will assist clinical treatment by improving information flows between health service providers. It is also claimed that EHRs could help improve the management and planning of the health sector and also be used for valuable medical and pharmaceutical research purposes. Risks exist though, particularly if individuals lose confidence in how their personal health information will be handled in the health sector.

More recently still, the Australian government has announced that computer chip embedded ‘smartcards’ may be phased in to replace the current magnetic strip Medicare cards. [18]

A number of other factors may have a bearing on this review – for example, the pressure to reduce overall costs in health service provision, measurement of health outcomes, demands of health researchers for data, and moves to more co-ordinated health care.

b) Possible issue for consideration.

  • Submissions could discuss whether these changes in environmental factors warrant amendment to the Guidelines, what these amendments could be, and what implications may flow from such amendments.

Separation of the databases

The functional separation of the Medicare claims database and PBS claims databases is a requirement of the National Health Act, with the Guidelines detailing how this separation must take place. These databases are close to universal, in the sense that they contain personal and health information on almost all Australian residents. This is unique information which is generally not found in other large government data sources, such as those held by the Australian Electoral Commission, Centrelink or the Australian Taxation Office. Because of their universality and the high sensitivity of the information they contain, the Medicare and PBS databases warrant some special protective measures.

In considering the initial Guidelines, then Federal Privacy Commissioner, Kevin O’Connor, noted that the “functional separation in the use and storage of data is an important principle in seeking to balance privacy interests against other important social interests.” Commissioner O’Connor also argued that “…it is inevitable that the creation of a major new database of personal information together with the bulk transfer of personal information between several different departments, will give rise to privacy concerns”. He went on to note that these risks were heightened by the nature of the information, that is, being related to medical conditions and treatments.

It is important to note though that, generally, it is not possible to identify an individual’s specific condition from Medicare claims data, which indicates visits to a health provider but does not identify the medical condition. Nor would it usually be possible to determine accurately, from the HIC data alone, an individual’s precise medical condition from PBS claims information. A particular antibiotic, for example, could be used to treat a large number of conditions. On the other hand, some medications may only have application for a particular type of disease or condition.

The HIC creates a unique personal identification number (PIN) in relation to all persons listed in the two databases. An objective of section 135AA (as given effect through the Guidelines) is to restrict to the HIC, as far as possible, knowledge of the link between the name and internal personal identification number (as set out at Guideline 2).

If information from the two databases were linked, however, it could be possible for a fairly detailed and often specific picture of an individual’s medical history to be developed. Such a rich source of personal information may be of value in many contexts, though individuals may be uncomfortable that so much information about them could be stored in a single source. Storing data in separate databases (sometimes called information ‘silos’) is an inherent solution to the risks posed by the centralisation of individuals’ information, though it may pose problems for the coordination or quality of data.

Data linkage

Generally, when an agency collects information it does so for a specific purpose to meet an activity or function. Data linkage occurs if this information about an individual, collected for one purpose, is combined with information or data about the same individual from another database, where it may have been collected for a different purpose. This linked information can then be used for other purposes, perhaps unrelated to the original purpose of the collections, to create a new personal or health information “picture” or set of information about an individual. The individual may or may not know that this new set of personal information exists.

Developments in information and communications technology have made it easier and more cost effective to create, manipulate and search linked data sets. Increasingly, value is seen in the potential to link individual health data held in different databases.

Data linkage may have positive and negative aspects for the individual. A more complete picture for direct health service provision can lead to efficiencies and better treatment for the individual. It could also mean, though, that health carers may be able to access health information which is not relevant to the purpose at hand and which the individual may not want them to know about.

The potential for privacy intrusion through the linking and use of sensitive health information held in different databases strongly influenced the law and the development and structure of the current Guidelines. As discussed above, the linking of the two databases could create a rich source of potentially identifiable data about Australians. Clearly, this could raise risks, although if the risks are appropriately managed, linking could also offer opportunities. Essentially, the Guidelines were developed to give effect to the law requiring clear and robust barriers that enabled data linkage between the two programs only in limited circumstances where there are clear and significant public benefits. (Refer to the Attachment ‘History of the Guidelines’)

Inadequate privacy protections for this information may increase the potential for “function creep” – that is, the additional, incremental uses of personal information beyond what was originally intended and which individuals may not expect, nor consider appropriate.

Data linking can also give rise to data matching, which involves bringing together data from different sources and comparing it. In some circumstances, data matching can be a valuable administrative and law enforcement tool, for example by identifying people who are paid benefits to which they are not entitled. At the same time though, data matching poses a particular threat to personal privacy because it involves analysing information about large numbers of people without prior cause for suspicion and may result in unnecessary surveillance of the population. [19]

One way in which the Guidelines seek to balance the possible benefits of limited data linking with the need to keep the databases separate is by requiring that linked data is only retained by the HIC for a limited time (currently 3 months). Such a limitation is to ensure that the two databases aren’t effectively merged by allowing linked data to be retained permanently.

c) Possible issues for discussion

  • Submissions could discuss the restriction on the HIC retaining linked data, in particular whether the 3 month period should be extended, reduced, or maintained.

Secondary uses of information

Health information can be a valuable resource. There are increasing opportunities and demands to maximise this value by using personal health data for things other than the primary purpose for which it was collected. These ‘secondary uses’ may offer valuable public benefits, although these may not be what the individual expected, nor agreed to, when they first provided their information. Such proposed uses may come from health researchers (both private and publicly funded), health insurers, health administrators and policy makers in the health, welfare and other sectors. Some may seek access to aggregate data, others to de-identified unit data and others to personally identified data.

Accordingly, the question of allowing personal and sensitive health information to be used to pursue health and other outcomes which may be of benefit to the individual or the broader community (in some cases both) is an important one.

Such considerations should also recognise though that there are individual and public benefits in protecting the privacy of personal health information (discussed later in this Issues Paper). A basic privacy principle is that personal information should only be used for the purpose for which it was obtained. Departures from this principle need to be justified on strong public interest grounds.

There are a number of possible secondary uses of Medicare and PBS information which may be limited by the current Guidelines. For example, it has been put to the OFPC previously that Medicare and PBS information could be used (including by greater linkage or disclosures) to help to:

  1. assess the effectiveness of a particular drug or treatment for a medical condition – for example, the effect of a new drug for a heart condition (information drawn from the PBS database) on the life expectancy of those suffering from the condition (information which may be drawn from the Medicare database);
  2. assess adverse drug reactions, including where a drug may have an unforeseen side-effect – for example, thalidomide;
  3. monitor treatments or equipment – for example, heart pacemakers;
  4. determining the best way to achieve efficiencies in health outcomes delivery and directions in health care – for example, where particular needs in communities are greatest;
  5. population health oversight, including planning, delivery and monitoring of health outcomes through studies and analysis of the data; and
  6. promote statistical research through the provision of de-identified information;
  7. aid population and other forms of health research through the provision of identified information.

d) Possible issues for discussion

Submissions could discuss:

  • how important are each of the various possible secondary uses, as numbered above, particularly when balanced against the need to provide individuals with assurance regarding the privacy of their personal health information?;
  • how necessary or valuable is Medicare and PBS information for each of the types of possible secondary uses listed?;
  • to what extent, if any, and in what way do the current Guidelines limit or restrict the use of Medicare and PBS data in achieving these secondary uses?; and
  • if the current Guidelines limit the use of Medicare and PBS data for these secondary uses, how could they be amended in such a way as to ensure that appropriate privacy protections were retained?

Community attitudes

Generally, individuals value the privacy of their personal information. To varying degrees, individuals need to be confident that they are fully informed as to what happens to their personal information and that they have some control over how the information will be used.

In the context of health care, privacy has additional significance which also serves the public interest. There is a risk that people will be discouraged from seeking medical assistance, particularly for conditions to which a stigma is attached, if they do not have confidence that they have control over who has access to their medical information. This could mean that some people will not seek assistance for some conditions. Or people may decide not to reveal sensitive but pertinent aspects of their symptoms or conditions to a health practitioner and this might have an adverse impact on the accuracy of the diagnosis or the appropriateness of treatment. This, in turn, impacts on both the individual and community – particularly if the condition is progressive or infectious.

Many individuals, for example, may regard health information about treatment or medication relating to health matters such as fertility, cancer, HIV/AIDS or Hepatitis C, mental health, sexuality, genetic testing or drug abuse as particularly sensitive and “private”, even when that information is de-identified. However, the value placed on privacy is a highly personal matter - some individuals may value privacy more or less than others.

Individuals may also have different perceptions of how information technology affects their privacy. These perceptions could be affected by:

  • the purposes for which the technology is used;
  • individuals’ confidence in the security protections afforded by IT-enabled information handling; and
  • the measure of understanding and control individuals feel they have over the way information will be used.

Consumer attitudes to the handling of personal health information may be significant in the context of the current review as much of what is covered by the Guidelines may happen without the individual knowing. For example, if the HIC discloses identified health information for medical research under guideline 4A.1(b), the individual may not have consented or even be aware that the disclosure has occurred. While this is a permitted disclosure, agencies should be mindful of individuals’ expectations as to how their health information should be handled.

Consent and access

It is important to recognise that privacy includes more than just confidentiality and security. Privacy also goes to the degree to which individuals are aware of and, wherever possible, consent to how their personal information is used within an organisation or agency (not just how it is disclosed to others). Similarly, privacy also includes notions such as the individual being able to access information held about them and correct information that is inaccurate.

Under the current Guidelines, an individual cannot consent to their Medicare and PBS data being linked and provided to them in a single report. Rather, when an individual requests information from the databases, it is provided in two separate reports. This could hinder the individual’s ability to easily and conveniently access their full claims information.

e) Possible issues for discussion

Submissions could discuss:

  • whether an individual should be able to consent to the linking of their own information; and
  • to what extent this is a concern for consumers and whether there may be any undesirable consequences if individuals were able to consent to their data being linked for the purpose of providing them with a single summary.

Giving consent to the way personal health information is handled is one way in which individuals maintain a degree of control over their privacy. The key elements to consent are that it must be voluntary, the individual giving consent must be adequately informed and they must have the capacity to understand, provide and communicate their consent. [20]

Research conducted by the OFPC in 2004 [21] suggests that the community expects that an individual’s consent will be sought before others handle their health information in ways other than that for which it was originally collected. For example:

  • 64% of respondents thought permission should be sought before de-identified information is used for research purposes; and
  • 64% (66% in 2001) thought that if a unique identifier was used to create a national health database, that inclusion in such a database should be voluntary.

Research recently released by the National Health and Medical Research Council (NHMRC) [22] shows that 53% of health consumers would not mind if their names were given to a researcher in order to invite them to participate in health research. Most people who had not previously participated in a medical research study indicated that they would do so if asked. These results are similar to those reported from UK and New Zealand research, which suggested that many individuals would be happy for their personal health information to be used for research in the public interest, but would still want to be asked for their consent. [23]

Alternatively, health researchers have given reasons why consent-based access to health information can be less than ideal. For example, in the case of population health research, the expense involved in contacting and seeking consent from large numbers of individuals may be prohibitive. The findings from such research may be less useful, particularly if many people do not consent. Certain groups (such as the marginalised or disadvantaged) may be particularly underrepresented in consent based research. [24]

f) Possible issues for discussion

  • Submissions could discuss how effectively the Guidelines meet the community’s expectations surrounding individuals’ control of health information (whether in identified or de-identified form).

Data retention

The HIC is prohibited by the current Guidelines from retaining claims information for longer than five years. If the HIC receives a request from an individual seeking information on their claims history that is older than five years, the HIC cannot provide this information and must request it from the Department. Requests for copies of claims information from individuals may, in such cases, be delayed, causing inconvenience to the individual and possibly material harm, including to their health. It is arguable that if requests from individuals became sufficiently numerous, then it may be appropriate for the retention period to be increased.

g) Possible issue for discussion

Submissions could discuss:

  • whether the 5 year retention limit of information on the HIC causes significant problems for consumers, the agency or other stakeholders and if so what the period should be; and
  • what if any additional safeguards could be required if the retention period were extended.

Ease of use of the Guidelines

The OFPC is interested in submissions concerning how easy the Guidelines are to use, how clearly they are drafted, whether the formatting is appropriate, and whether terms and expressions are clearly understood.

The issues discussed above should not restrict submissions from including issues which they think are relevant to the Review and the operation of the Guidelines, for example, State and Territory health information handling practices and laws, including any data linkage or other data handling initiatives, proposed or actual Free Trade Agreements or international trends in the management of similar health information.

h) Possible issues for discussion

  • Submissions could discuss any matter to do with the drafting, language and formatting of the Guidelines.

 

APPENDIX A: Some topics for consideration

The following topics are as outlined in the paper and provided as possible issues for consideration. It is not mandatory to use these topics in your submission.

a) To what extent other current privacy, secrecy, security and confidentiality regulatory provisions provide sufficient privacy protection for the handling of Medicare and PBS claims information. Discussed at page 10

b) Whether changes in environmental factors warrant amendment to the Guidelines, what these amendments could be, and what implications may flow from such amendments. Page 15

c) In regard to the restrictions on how long the HIC may retain linked data sets, whether the 3 months period should be extended, reduced, or maintained. Page 17

d) In regard to possible secondary uses of PBS and Medicare claims information:

  • how important are each of the numbered secondary uses when balanced against the need to provide individuals with assurance regarding the privacy of their personal health information;
  • how necessary or valuable is Medicare and PBS information for each of the types of possible secondary uses listed;
  • to what extent, if any, and in what way do the current Guidelines limit or restrict the use of Medicare and PBS data in achieving these secondary uses; and
  • if the current Guidelines limit the use of Medicare and PBS data for these secondary uses, how could they be amended in such a way as to ensure that appropriate privacy protections were retained. Page 18

e) Whether an individual should be able to consent to the linking of their own information, including:

  • to what extent this is a concern for consumers and whether there may be any undesirable consequences if individuals were able to consent to their data being linked for the purpose of providing them with a single summary. Page 19

f) How effectively the Guidelines meet the community’s expectations surrounding individuals’ control of health information (whether in identified or de-identified form). Page 20

g) In regard to the 5 year limit on the HIC retaining claims information, whether this limit causes significant problems for consumers, the agency or other stakeholders, including:

  • how long should the HIC be permitted to retain claims information; and
  • what if any additional safeguards may be required if the retention period were extended. Page 21

h) Whether any amendments could be made to improve the drafting, language and formatting of the Guidelines. Page 21


APPENDIX B: History of the Guidelines

1989

The HIC set out a “Strategy Proposal for the Management of the Pharmaceutical Benefits Program”. The strategy proposed that all pharmacists be connected on-line to the HIC computer system and that Pharmacists’ claims for reimbursement be assessed at the time of dispensing. Some patient identification would be necessary to permit checking of a patient’s eligibility for a full or part concessional payment. This meant that a person applying for concessional benefit would need to produce the entitlement card issued by the Department of Social Security (as it was at that time).

A number of privacy concerns were raised by health providers, the Privacy Commissioner and the public.

The Government decided in light of the privacy concerns that the proposal would not proceed and the privacy concerns would be investigated.

1990

The Government announced new proposals for changes to the Pharmaceutical Benefits Scheme (PBS) including a system of on-line interactive checking of eligibility for pharmaceutical benefits, changes to the safety net threshold, the use of the Medicare card as a primary means of identifying entitlement, on-line eligibility checking and the introduction of electronic lodgement for Pharmaceutical Benefits claims by pharmacists.

The Health Legislation (Pharmaceutical Benefits) Amendment Bill was introduced to Parliament to bring these proposals into effect. The Bill was amended during Parliamentary debate to provide that:

  • the interactive eligibility scheme could not come into effect until after the Auditor-General and the Department of Finance had reported to Parliament on the savings estimates of the changes;
  • the savings could not be obtained through other similarly or less intrusive eligibility checking systems; and
  • the amendments could only come into effect after the Privacy Commissioner had issued privacy guidelines for the conduct of the Medicare and Pharmaceutical Benefits programs (M & PBS program).

Although the interactive eligibility checking scheme for the M & PBS program did not proceed, the requirement for privacy guidelines to be issued for the conduct of the program remained.

The issuing of the Guidelines was delayed pending amendments to sections 135AA and 135AB of the National Health Act and sections 13 and 27 of the Privacy Act by the National Health Amendment Act 1993 (No. 28). [25]

The Privacy Commissioner’s obligations under the Amendment Act

This Amendment Act provided new areas which the Guidelines must cover and also detailed specific information not covered by the Guidelines (for example, information relating to providers).

1994

The Guidelines were tabled in Parliament in late 1993 and came into effect on 15 April 1994.

The Guidelines require the HIC to destroy with some exceptions, claims information after five years. De-identified claims data (although still retaining the HIC internal personal identification number) older than five years is held by the Department. Shortly after the tabling of the Guidelines, it came to notice that the HIC regularly requests old claims data from the Department. The HIC uses this data for processing late lodged claims, taking action on unresolved compensation matters, fraud investigations and responding to individuals’ requests. The Guidelines did specifically provide for the HIC to obtain this old information from the Department if the HIC became aware of a need for the information after it had destroyed its records.

Amendments

1994

Amendment 1: This amendment to the Guidelines came into effect on 13 May 1994. It set out the circumstances in which the HIC could request old information from the Department. The amendment also set out related security, destruction and record keeping requirements.

1996

Amendment 2: This amendment to the Guidelines came into effect on 1 January 1997. The Guideline was amended so that the HIC must specify in a technical report how it will keep an auditable record of instances where records or information relating to the same patient are linked, compared or combined under Guideline 1.4.

2001

Amendment 3: This amendment to the Guidelines came into effect on 10 October 2000. It enables the HIC to disclose linked data from the Medicare and PBS databases for Coordinated Care trials. The organisations responsible for running the Coordinated Care Trials were able to use Medicare and PBS data that has been linked by the HIC on behalf of consenting participants, until April 2004.

 

APPENDIX C: Sections 135AA and 135AB of the National Health Act 1953

NATIONAL HEALTH ACT 1953 - SECTION 135AA

Privacy guidelines

Information to which this section applies

(1) Subject to subsection (2), this section applies to information that:

  1. is information relating to an individual; and
  2. is held by an agency (whether or not the information was obtained by that agency or any other agency after the commencement of this section); and
  3. was obtained by that agency or any other agency in connection with a claim for payment of a benefit under the Medicare Benefits Program or the Pharmaceutical Benefits Program.

Information to which this section does not apply

(2) This section does not apply to such information:

  1. so far as it identifies:
    1. a person who provided the service or goods in connection with which the claim for payment is made; or
    2. a person who, in his or her capacity as the provider of services, made a referral or request to another person to provide the service or goods; or
  2. so far as it is contained in a database that:
    1. is maintained for the purpose of identifying persons who are eligible to be paid benefits under the Medicare Benefits Program or the Pharmaceutical Benefits Program; and
    2. does not contain information relating to claims for payment of such benefits; or
  3. so far as it is not stored in a database.

Issuing guidelines

(3) The Privacy Commissioner must, by written notice, issue guidelines relating to information to which this section applies.

Replacing or varying guidelines

(4) At any time, the Privacy Commissioner may, by written notice, issue further guidelines that vary the existing guidelines.

Content of guidelines

(5) So far as practicable, the guidelines must:

  1. specify the ways in which information may be stored and, in particular, specify the circumstances in which creating copies of information in paper or similar form is prohibited; and
  2. specify the uses to which agencies may put information; and
  3. specify the circumstances in which agencies may disclose information; and
  4. prohibit agencies from storing in the same database:
    1. information that was obtained under the Medicare Benefits Program; and
    2. information that was obtained under the Pharmaceutical Benefits Program; and
  5. prohibit linkage of:
    1. information that is held in a database maintained for the purposes of the Medicare Benefits Program; and
    2. information that is held in a database maintained for the purposes of the Pharmaceutical Benefits Program; unless the linkage is authorised in the way specified in the guidelines; and
  6. specify the requirements with which agencies must comply in relation to old information, in particular requirements that:
    1. require the information to be stored in such a way that the personal identification components of the information are not linked with the rest of the information; and
    2. provide for the longer term storage and retrieval of the information; and
    3. specify the circumstances in which, and the conditions subject to which, the personal identification components of the information may later be re-linked with the rest of the information.

(5A) Nothing in this section, or in the guidelines issued by the Privacy Commissioner, precludes the inclusion, in a database of information held by the Health Insurance Commission and relating to claims for benefits under the Pharmaceutical Benefits Program, of the pharmaceutical entitlements number applicable to the person to whom each such claim relates:

  1. as a person covered by a benefit entitlement card; or
  2. as a person included within a class identified by the Minister in a determination under subsection 86E(1).

Consultation

(6) Before issuing guidelines, the Privacy Commissioner must take reasonable steps to consult with organisations (including agencies) whose interests would be affected by the guidelines.

Disallowance

(7) Guidelines are disallowable instruments for the purposes of section 46A of the Acts Interpretation Act 1901.

When guidelines take effect

(8) Despite section 46A and paragraph 48(1)(b) of the Acts Interpretation Act 1901, guidelines take effect from:

  1. the first day on which they are no longer liable to be disallowed; or
  2. if the guidelines provide for their commencement after that day—in accordance with that provision.

Failure to table first guidelines within 6 months

(9) If guidelines issued under subsection (1) are not laid before each House of the Parliament under paragraph 48(1)(c) of the Acts Interpretation Act 1901 (as applied by section 46A of that Act) within 6 months after the commencement of this section, the Privacy Commissioner must report the failure to issue guidelines within that period to each House of the Parliament within 15 sitting days of that House after the end of the period.

Tabling first guidelines after 6 months

(10) Subsection (9) does not render invalid guidelines issued under subsection (3) that are not laid before each House of the Parliament within that period.

Definitions

(11) In this section:

agency has the same meaning as in the Privacy Act 1988.

"benefit entitlement card" means:

  1. a medicare card within the meaning of subsection 84(1); and
  2. a card that evidences the person's status as a concessional beneficiary within the meaning of subsection 84(1).

database means a discrete body of information stored by means of a computer.

"Medicare Benefits Program" means the program for providing Medicare benefits under the Health Insurance Act 1973.

"old information" means information to which this section applies that has been held by one or more agencies for at least the preceding 5 years.

"personal identification components", in relation to information, means so much of the information as includes any of the following:

  1. the name of the person to whom the information relates;
  2. the person's address;
  3. the person's Medicare card number;
  4. the person's Pharmaceutical entitlements number.

Pharmaceutical Benefits Program means the program for supplying pharmaceutical benefits and special pharmaceutical products under Part VII of this Act.

"pharmaceutical entitlements number", in relation to a person, means:

  1. if the person is covered by a medicare card—a medicare number within the meaning of subsection 84(1) that is applicable to the person as a person covered by that card; and
  2. if the person is covered by a card that evidences the person's status as a concessional beneficiary within the meaning of subsection 84 (1)—the number applicable to that person as a person covered by that card.

NATIONAL HEALTH ACT 1953 – SECTION 135AB

Breaches of the privacy guidelines

(1) A breach of the guidelines issued under section 135AA constitutes an act or practice involving interference with the privacy of an individual for the purposes of section 13 of the Privacy Act 1988.

(2) An individual may complain to the Privacy Commissioner about an act or practice in relation to the operation of guidelines issued under section 135AA of this Act which may be an interference with the privacy of an individual.

(3) If a complaint is made, Part V of the Privacy Act 1988 applies, with such modifications as the circumstances require, as if the complaint were an IPP complaint (within the meaning of that Act) made under section 36 of that Act.

 

APPENDIX D: Medicare and Pharmaceutical Benefits Programs Privacy Guidelines

Medicare and Pharmaceutical Benefits Programs privacy guidelines

Issued under section 135AA of the National Health Act 1953, with Privacy Commissioner’s notes

May 1997

© Commonwealth of Australia 1997. This work is copyright. It may be reproduced in whole or part for study or training purposes subject to the inclusion of an acknowledgment of the source and no commercial usage or sale. Reproduction for purposes other than those indicated above requires the prior written permission from the Privacy Commissioner. Requests and enquiries concerning reproduction rights should be directed to the Manager, Human Rights and Equal Opportunity Commission, GPO Box 5218, Sydney NSW 1042.

ISBN 0 642 27022 8

Contents

Preface

Introduction

A Health Insurance Commission

B Department

C Miscellaneous

Meaning of terms

Table of amendments

Preface

These Guidelines were first issued on 24 November 1993, under section 135AA of the National Health Act 1953. A Table of Amendments since that time appears at the end of the document.

The Guidelines commence with an introduction and then contain a number of specific provisions. The numbered Guidelines lay down rules which are legally binding. A breach of a rule constitutes an interference with the privacy of an individual for the purposes of s.13(bb) of the Privacy Act 1988.

(See further s.135AB, National Health Act 1953.)

The Guidelines are accompanied by Commissioner’s notes which are in italics. The Commissioner’s notes do not form part of the law and provide interpretive assistance only.

Introduction

Legal basis

These Guidelines are issued by the Privacy Commissioner under section 135AA of the National Health Act.

The Guidelines have been developed in consultation with the Health Insurance Commission (“the HIC”), the Department of Health, Housing, Local Government and Community Services (“the Department”), representatives of the pharmacy and medical professions and other relevant organisations.

Commissioner’s note

Consultation is required by section 135AA(6) of the National Health Act. Section 4(2) of the National Health Amendment Act 1993 provides that consultations that took place under subsection 135AA(7) of the National Health Act (prior to it being amended by the National Health Amendment Act 1993) are to be taken for consultations under section 135AA(6) as amended.

The Department of Health, Housing, Local Government and Community Services is now called the Department of Health and Family Services.

These Guidelines are disallowable instruments under section 46A of the Acts Interpretation Act 1901. They take effect from 15 April 1994 unless disallowed by Parliament. The Guidelines may be replaced or varied by written notice by the Privacy Commissioner at any time. Any such variation would also be subject to disallowance.

Commissioner’s note

See the Table of Amendments at the end of the Guidelines for the date of effect of amendments to the Guidelines.

The Guidelines provide for standards to apply to information about an individual's claims under the Medicare and Pharmaceutical Benefits Programs which is stored in a computer database. The National Health Act (s.135AA(5)) requires that, so far as practicable the Guidelines must:

  1. specify the ways in which information may be stored and, in particular, specify the circumstances in which creating copies of information in paper or similar form is prohibited; and
  2. specify the uses to which agencies may put information; and
  3. specify the circumstances in which agencies may disclose information; and
  4. prohibit agencies from storing in the same database:
    1. information that was obtained under the Medicare Benefits Program; and
    2. information that was obtained under the Pharmaceutical Benefits Program; and
  5. prohibit linkage of:
    1. information that is held in a database maintained for the purposes of the Medicare Benefits Program; and
    2. information that is held in a database maintained for the purposes of the Pharmaceutical Benefits Program; unless the linkage is authorised in the way specified in the Guidelines; and
  6. specify the requirements with which agencies must comply in relation to old information, in particular requirements that:
    1. require the information to be stored in such a way that the personal identification components of the information are not linked with the rest of the information; and
    2. provide for the longer term storage and retrieval of the information; and
    3. specify the circumstances in which, and the conditions subject to which, the personal identification components of the information may later be re-linked with the rest of the information.

Section 135AB of the National Health Act provides that a breach of the Guidelines constitutes an interference with privacy under section 13 of the Privacy Act. An individual may complain to the Privacy Commissioner under section 36 of the Privacy Act about a practice that may be a breach of the Guidelines. A complaint concerning a breach of the Guidelines will be dealt with in the same way as a complaint of a breach of an Information Privacy Principle.

Scope

The National Health Act sets out the information to which the Guidelines apply. Paragraphs 135AA(1) and (2) of the National Health Act provide:

“(1) Subject to subsection (2), this section applies to information that:

  1. is information relating to an individual; and
  2. is held by an agency (whether or not the information was obtained by that agency or any other agency after the commencement of this section); and
  3. was obtained by that agency or any other agency in connection with a claim for payment of a benefit under the Medicare Benefits Program or the Pharmaceutical Benefits Program.

(2) This section does not apply to such information:

  1. so far as it identifies:
    1. a person who provided the service or goods in connection with which the claim for payment is made; or
    2. a person who, in his or her capacity as the provider of services, made a referral or request to another person to provide the service or goods; or
  2. so far as it is contained in a database that:
    1. is maintained for the purpose of identifying persons who are eligible to be paid benefits under the Medicare Benefits Program or the Pharmaceutical Benefits Program; and
    2. does not contain information relating to claims for payment of such benefits; or
  3. so far as it is not stored in a database.”

Commissioner’s note

The following outline of the scope of the Guidelines is drawn from subsections 135AA(1) and 135AA(2) of the National Health Act. It attempts to put the requirements of these sections into simpler language but is not intended to alter or vary the meaning of those sections.

These Guidelines seek to provide privacy protection for Medicare and Pharmaceutical Benefits claims information relating to individuals that is held by any agency under the Privacy Act. Agencies under the Privacy Act include federal and ACT departments and bodies (see section 6 of the Privacy Act for a comprehensive definition).

Commissioner’s note

The HIC and the Department advise that they are presently the only agencies holding information which satisfies the conditions set out under subsections 135AA(1) and (2) as to the information to be regulated by these Guidelines. Consequently these Guidelines are framed in terms of the HIC and the Department's storage, use etc of that information. If the situation arises in future where other agencies are affected by subsections (1) and (2) the Guidelines will be amended. The National Centre for Epidemiology and Population Health holds on a database some Medicare claims information, which has been disclosed to the Centre with the consent of the individuals concerned for a particular research study. Guideline 4A deals specifically with claims information disclosed or used for research purposes.

The Guidelines do not apply to information which identifies a provider of a service under the Medicare or Pharmaceutical Benefits Programs or a provider who refers an individual for a service under these programs. Nor do the Guidelines apply to databases aimed at identifying people eligible to be paid benefits under the two programs.

The Guidelines apply only to the claims information which is stored on a computer database.

These Guidelines apply to all patient claims information collected under the Pharmaceutical Benefits Program and the Medicare Program, and held on a computer database, which is still in existence.

Commissioner’s note

The current position in relation to the retention of claims data is that Pharmaceutical Benefits claims information from November 1986 to date has been retained. Data from the commencement of the Medicare Program on 1 February 1984 is covered by the Guidelines. Medical claims data dating from the period before 1 February 1984 is not covered by the Guidelines. However, the Department has indicated that it would apply the spirit of the Guidelines to data collected prior to 1 February 1984.

These Guidelines do not regulate the disclosure of claims information by the HIC other than:

  • in relation to any linkage between Medicare and Pharmaceutical Benefits claims information; and
  • to the extent that the internal personal identification number (PIN) is involved.

The Guidelines should be read in conjunction with the secrecy provisions of the relevant health legislation (in particular section 130 of the Health Insurance Act and section 135A of the National Health Act) and the Information Privacy Principles (in section 14 of the Privacy Act). In some areas the Guidelines set a higher standard for the protection of claims information than is required by the Information Privacy Principles and deal with issues not covered by the Privacy Act (such as the retention, de-identification and destruction of claims information). In these cases the Guidelines override the Information Privacy Principles. Any disclosures of claims information must conform to the Guidelines and the relevant secrecy provisions in health legislation as well as Information Privacy Principle 11 (which limits disclosure of personal information).

These Guidelines do not cover information collected and held by the HIC and Department in carrying out functions under s.100 of the National Health Act (such as Human Growth Hormone Program and Continuing Medication Program) or the Pharmacy Restructuring Program (under Division 4B and 4C of Part VII of the National Health Act).

Commissioner’s note

The Human Growth Hormone and Continuing Medication Programs are small and specific programs administered by the Department rather than the HIC. Payments in the Human Growth Hormone Program are made by the Department to manufacturers who supply the doctors treating patients receiving the Human Growth Hormone. Claims data is not currently stored on a database. Under the Continuing Medication Program the Department refunds the prescription co-payment for displaced persons accommodated in shelters. Copies of the prescriptions are held by the Department but claims information is not currently stored on a database. Data held in relation to the Pharmacy Restructuring Program does not include patient claims data and therefore does not come within the scope of these Guidelines.

A. Health Insurance Commission

The following standards must be observed by the Health Insurance Commission in managing patient claims information in the conduct of the Medicare and Pharmaceutical Benefits Programs.

1. Functional separation of programs

1.1 Medicare claims information and Pharmaceutical Benefits claims information must not be held on the same database. Procedures must not be established which permit claims information from either of these programs to be linked, merged or combined, other than in the exceptional circumstances listed in Guideline 1.4.

Commissioner’s note

This Guideline seeks to ensure that functional separation is maintained between the two databases, so as to accord with the individual patient's expectation that sensitive health information given in a particular context is used and managed by the recipient in a way that is consistent and in accordance with that context. It gives a practical expression, in the context of information storage systems, to the privacy principle that information should generally only be used for the purpose for which it was collected.

1.2 To ensure that functional separation is maintained between the two programs:

  1. The claims information relevant to each program must be held in a separate database. This requirement does not prevent the HIC from locating each database within the same computer system.
  2. Detailed technical standards must be established by the HIC which:
    1. specify access controls applying to each database;
    2. limit access to each database to those officers or contractors who have a reasonable need for access in order to ensure the effective administration of the particular program; and
    3. specify the security procedures and controls which have been included in each database or in the system to prevent unauthorised comparison or merging of records held in either database about the same patient.

1.3 These matters must be dealt with in a Technical Standards Report to be held by the HIC and filed with the Privacy Commissioner. Any variations to the technical standards should be the subject of a Variation Report also filed with the Privacy Commissioner.

1.4 The HIC may link, compare or combine records or information from either database relating, or expected to relate, to the same patient in the following circumstances:

  1. for internal use where that use is:
    • authorised or required by law, and is reasonably necessary, in a specific case or in a specific set of circumstances, for the discharge of the HIC’s statutory responsibilities in relation to the enforcement of the criminal law or of a law imposing a pecuniary penalty or for the protection of the public revenue; or
  2. for the purpose of external disclosure:
    • in a specific case or specific set of circumstances where that disclosure is required by law; or
    • in the specific circumstance of Coordinated Care Trials conducted by the Department between October 2000 and April 2004, where the individual who is the subject of the information has given his/her express and informed consent in writing; or…
  3. for the purpose of determining an individual's eligibility for a benefit under one program, where eligibility for that benefit is dependent upon services provided under the other program; or
  4. where the HIC believes on reasonable grounds that the linkage is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person.

Commissioner’s note

This Guideline varies Information Privacy Principle 10 in relation to internal use and Information Privacy Principle 11 in relation to external disclosure in the specific circumstances referred to in the Guideline, that is linkage, comparison or combination of records from either of the regulated databases. These variations reflect the special sensitivity attaching to linkage or comparison of records from the two claims databases.

Under section 1.4 (b) amendment 2000 No 1 inserted a second exception for Coordinated Care Trials, under which the HIC may disclose linked data from the Medicare and PBS databases to obtain a person’s complete health picture for the purpose of testing a new system of managing health care for people with multiple or complex care needs.

An illustration of where exception (c) may be used is where specific pharmaceutical benefits may be supplied to a person participating in assisted reproduction programs (including in vitro fertilisation).

1.5 The discretion referred to in Guideline 1.4 may not be used to establish a data matching program between the two databases.

Commissioner’s note

A data matching program in this context is intended to refer to the routine comparison of large numbers of records held in each database, using a computer, with a view to identifying matters of interest.

1.6 Where records or information are compared or combined for the purpose of disclosure as permitted by Guideline 1.4(b), the internal personal identification number must not be included in any information to be disclosed unless it is expressly required by law.

Commissioner’s note

A key feature of these Guidelines is to ensure that there is no linkage of both name and internal personal identification number in any disclosure to third parties by either the HIC or the Department, unless expressly required by law. Later Guidelines, in particular Guideline 2, deal with the extent to which these two data items may be made available by the HIC to the Department. The object is to restrict to the HIC, as far as possible, knowledge of the name-internal personal identification number link. An example of where the internal personal identification number may be expressly required by law to be disclosed is where there is a warrant or subpoena for the information.

1.7 Where records or information relating to the same patient in either database are compared or combined in conformity with Guideline 1.4(b), (c) and (d) the HIC shall keep a note of that action. The HIC must identify, in the Technical Standards Report, how the action can be traced.

Commissioner’s note

This requirement is supplementary to the obligation under Information Privacy Principle 10.2, to maintain a log of use where personal information is used for the enforcement of the criminal law, a law imposing a pecuniary penalty or for protection of the public revenue. Amendment 1996 No 1 amended this Guideline so that the HIC must specify in a technical report how it will keep an auditable record of instances where records or information relating to the same patient are linked, compared, or combined under Guideline 1.4. The previous requirement to include a flag on the database was amended as the HIC advised that it could not comply with it, and that it would have drawn attention to the fact that the subject of a record has had their records matched or combined to the HIC operators.

1.8 Enrolment and entitlement databases must be kept separate from the claims databases. Personal Identification Numbers referred to in Guideline 2 may be included in claims databases. Personal identification components must not be included in claims databases except as follows: in the case of Medicare claims database, the Medicare number; and in the case of the Pharmaceutical Benefits claims database, the Pharmaceutical entitlements number.

Commissioner’s note

This Guideline seeks to reinforce the existing practice of maintaining the enrolment and entitlement databases separately from the claims databases. This is seen as valuable in ensuring that the more detailed personal particulars (such as name and address) kept on the enrolment and entitlement databases are not duplicated in the more active claims processing databases. Previously no personal identification details other than the personal identification numbers referred to in Guideline 2 could be included in the claims database. Amendment 1996 No 1 permitted the use of the Medicare card number on the Medicare claims database, and the Pharmaceutical entitlements number on the Pharmaceutical Benefits claims database. These numbers are integral to the processing of claims and their inclusion on the relevant database does not undermine the policy objective of functional separation of the claims database. Since the Personal Identification Number (PIN) referred to in Guideline 2 is not defined as a ‘personal identification component’, it will continue to be able to be included in the claims database.

2. Maintenance and disclosure of personal identification number (PIN) information

Commissioner’s note

The HIC holds unique internal personal identification numbers in relation to all persons listed in the two databases. The internal operation of these databases is conducted by reference to those numbers. The object of these Guidelines is to restrict to the HIC, as far as possible, knowledge of the link between the name and internal personal identification number.

2.1 The HIC may maintain an internal personal identification number to the extent necessary to assist it in clearly identifying each patient included in either program.

Commissioner’s note

This Guideline accords with existing practice.

2.2 In assigning an internal personal identification number to a patient the HIC shall ensure that it is not based on or derived from a person's name, date of birth, address, telephone number or Medicare card number or that it enables an individual's identity to be determined from the internal personal identification number alone. The internal personal identification number must not reveal any health related or other personal information of the patient.

Commissioner’s note

This Guideline seeks to ensure that the internal personal identification number is not designed so as to convey, through codes, information about an individual. This accords with international statements on desirable practice in relation to the use of personal identification numbers in administration.

2.3 A person’s Medicare card number in an encrypted form and the internal personal identification number may be provided to the Department in conjunction with de-identified details of claims for payment under the Medicare Benefits Program or the Pharmaceutical Benefits Program. No other official patient identifying number shall be provided except as permitted by Guideline 2.7. Any algorithm enabling the encrypted Medicare card number or the internal personal identification number to be decoded so as to reveal the identity of a patient shall not be provided to the Department in any circumstances although a business algorithm enabling the encrypted Medicare card number or the internal personal identification number to be validated may be provided to the Department.

Commissioner’s note

It is routine for the HIC to provide de-identified (i.e. anonymised) claims data to the Department. The Department uses the de-identified data for a range of public policy purposes for some of which it is necessary to link records relating to the same (unidentified) individual.

Amendment 1996 No 1 permitted the inclusion of the Medicare card number in encrypted form allowing the HIC to identify card level activities, when it obtains old claims information from the Department, while not enabling the Department to decode the number.

The reference to other official patient identifying numbers not being provided (except as provided in Guideline 2.7) is chiefly a reference to the Department of Social Security or Department of Veterans' Affairs concessional entitlement numbers, but applies equally to any official identifying number.

The Guideline seeks to ensure that any decoding algorithm in use in the HIC is not revealed to the Department.

2.4 The patient name corresponding to an internal personal identification number may only be provided to the Department where the HIC has received a request from the Department conforming to Guideline 6.

Commissioner’s note

This Guideline gives the HIC a discretion to provide the name-internal personal identification number link to the Department. This Guideline must be read in conjunction with Guideline 6 which specifies the limited circumstances where that is permissible.

2.5 Where the HIC has given the Department a name or number to enable it to re-identify information in accordance with Guideline 6 the HIC shall keep a note of that action.

Commissioner’s note

This Guideline seeks to ensure that any exercise of a discretion under Guideline 2.4 is logged, so as to assist the Privacy Commissioner in monitoring compliance.

2.6 Where the HIC lawfully discloses information to an agency, organisation or individual other than the Department it must not provide both the name and the internal personal identification number unless it is expressly required by law (for example under warrant or subpoena).

Commissioner’s note

This Guideline must be read in conjunction with Information Privacy Principle 11 and the relevant secrecy provisions in legislation. It seeks to ensure that in circumstances where the HIC makes a lawful disclosure, it only discloses either name information or internal personal identification number information, but not both unless this is expressly required by law.

2.7 The HIC may also supply the Department with information as to whether the records attaching to a particular personal identification number relate to an individual who is or was a participant in special schemes such as safety net arrangements under the Medicare and Pharmaceutical Benefits Programs. That additional information shall not be in a form which reveals the identity of the individual.

Commissioner’s note

The Department has advised that anonymity of the individual would normally be achieved by the HIC encrypting the relevant entitlement numbers.

3. Destruction

Commissioner’s note

The following Guideline seeks to ensure that long-term retention of data in identified form is avoided. This Guideline addresses the requirement under subsection 135AA(5)(f)(i) of the National Health Act that data over five years old is stored so that personal identification components are not linked with claims information.

3.1 The HIC shall destroy Medicare and Pharmaceutical Benefits claims information:

  1. in the case of data that is the product of the linking, comparing or combining of records or information in accordance with Guideline 1.4 - within 3 months of the data being brought into existence; or
  2. in any other case - within 5 years of the date of initial processing of the information;

unless:

  1. there is an investigation, prosecution, unresolved compensation matter or action for recovery of debt pending which requires that the information be retained beyond whichever of the limits in paragraph or applies; or
  2. the information affects an individual’s entitlement to a related service which could be rendered after the expiry of whichever of the time limits in paragraph or applies.

Commissioner’s note

This Guideline does not prevent the HIC from retaining a summary or sample file of claims which have been stripped of all patient identifiers.

3.2 The HIC must make special arrangements for the security of records which have been retained under Guideline 3.1(c). These arrangements are to be included in the Technical Standards Report.

Commissioner’s note

The amount of information which would need to be retained after five years is likely to be very small. The Guideline ensures that the data retained by the HIC is given special protection and is not exposed in the ordinary operating system.

3.3 The HIC shall destroy any information that is retained beyond whichever of the time limits in Guideline 3.1(a) or (b) applies:

  1. within 14 months of the completion of the relevant investigation, prosecution, unresolved compensation matter or action for recovery of debt referred to in Guideline 3.1(c); or
  2. as soon as practicable after the circumstances referred to in Guideline 3.1(d) no longer apply;

as the case requires, and the HIC must satisfy the Privacy Commissioner, upon request, that it has adhered to its obligations under this guideline.

Commissioner’s note

Records Disposal Authority 1233, under the Archives Act, establishes a mandatory minimum retention period for records. Amendment 1996 No 1 strengthened this Guideline to require the HIC to destroy information rather than merely establishing procedures to do so; and that it must satisfy the Privacy Commissioner of its adherence to its obligations rather than merely being required to keep the Privacy Commissioner informed of the relevant procedures.

4. Obtaining old claims information

4.1 The HIC may, after supplying the relevant personal identification number or provider number, obtain from the Department, old claims information held by the Department and related to the number supplied where the HIC needs that information to enable it to:

  • take action on an unresolved compensation matter
  • take action on an investigation or prosecution
  • take action for recovery of a debt
  • determine entitlement on a late lodged claim
  • determine entitlement for a related service rendered more than five years after the service which is the subject of the old claims information
  • fulfil a request for that information from the individual concerned or from a person acting on behalf of that individual
  • lawfully disclose identified information in accordance with the secrecy provisions of the relevant legislation and these guidelines.

Commissioner’s note

This Guideline regulates the circumstances in which the HIC may obtain from the Department claims information more than five years old.

4.2 Any record of any information obtained under Guideline 4.1 shall be deleted from any database on which it is held as soon as practicable after the action referred to in Guideline 4.1 has been completed; and in any case shall only be retained on any database for a maximum period of 3 months.

4.3 The HIC must make special arrangements for the security of records obtained in accordance with Guideline 4.1. These arrangements are to be described in a Technical Standards Report.

4.4 Where information is obtained in accordance with Guideline 4.1 the HIC shall keep a note of the action.

Commissioner’s note

This Guideline aims to provide a record of the transaction in the event of an individual complaint.

4A. Use of identified claims information for research purposes

4A.1 Disclosure of Medicare and Pharmaceutical Benefits claims information for medical research must conform to the secrecy provisions in the Health Insurance Act 1973 and the National Health Act 1953. In addition identified claims information may only be disclosed for research if:

  1. the HIC is satisfied that the individuals who are the subject of that information have given their free and informed consent to the use of that information in the research project; or
  2. the disclosure is made for the purposes of medical research to be conducted in accordance with the Medical Research Guidelines issued by the National Health and Medical Research Council under section 95 of the Privacy Act 1988.

Commissioner’s note

Reference to the Medical Research Guidelines is limited to the MRG in force on 1 January 1997, when Guideline 4A came into effect. It cannot refer to the MRG as in force from time to time in the future.

4A.2 These Guidelines do not prevent a researcher to whom information has been disclosed in accordance with guideline 4A.1 from retaining that information once it becomes old information provided that at the conclusion of the research project the researcher either returns the information to the HIC for destruction or securely destroys the information.

Commissioner’s note

This Guideline replaces the previous Guideline 7 to make it clear that disclosures for research purposes must conform to the secrecy provisions and to make it clear that the Guidelines permit disclosures that are made with the consent of the individual or in accordance with the NH&MRC Medical Research Guidelines.

B. Department

The following standards must be observed by the Department in using claims information received from the HIC.

5. Use of de-identified claims information

5.1 Claims information in computer form provided to the Department by the HIC in de-identified form may be used by the Department as permitted by the Secretary to the Department.

Commissioner’s note

This Guideline seeks to recognise that the Department usually holds claims data in de-identified form. Provided there are adequate controls over the possibility of name linkage, the Department's practices in relation to de-identified data are not affected by the Privacy Act. Guideline 6 seeks to ensure that adequate controls over the possibility of name linkage exist.

5.2 The Secretary must not permit the establishment of a system which maintains the de-identified records from both programs in a combined form on a permanent basis in conjunction with the internal personal identification number.

  1. Nothing in this Guideline prevents the retention of de-identified records from both programs in a combined form in conjunction with an encrypted form of the internal personal identification number or a new and unrelated number.
  2. This Guideline does not prevent Pharmaceutical Benefits and Medicare claims information concerning particular individuals from being temporarily linked by the PIN where:
    1. the linkage is necessary for a use permitted by the Secretary; and
    2. claims information identified by the PIN or any personal identification components (defined in section 135AA(11) of the National Health Act) is used solely as a necessary intermediate step to obtain aggregate or de-identified information; and
    3. claims information temporarily linked in conjunction with the personal identification number is destroyed within 1 month of its creation.

Claims information from the two databases shall only be linked in this temporary manner in conjunction with the internal personal identification number where there is no practical alternative.

Commissioner’s note

This Guideline is seeking to provide a further means of ensuring that the principle of functional separation of Pharmaceutical Benefits and Medicare claims data is maintained. It is recognised that it may be desirable for health policy purposes for de-identified records to be compared. By preventing this being done permanently in conjunction with the internal personal identification number, the possibility of a link back to the name or identity of a patient is reduced. Amendment 1996 No 1 clarified the Guideline and also provided that it does not prevent the retention of de-identified records in a combined form in conjunction with an encrypted form of the PIN or a new and unrelated number. Before the amendment, this could only be done using a new and unrelated number. While the Department may encrypt the PIN, it will not have the ability to determine who the PIN relates to.

5.3 De-identified claims information may be held indefinitely for policy and research purposes.

Commissioner’s note

This Guideline accords with current practice. The Department is developing a policy on the retention of de-identified data beyond ten years.

5.4 Where the Department discloses claims information relating to patients in a de-identified form (other than in accordance with Guideline 4 or 6), the Department must be reasonably satisfied that the recipient is not in a position to re-identify the information unless the de-identified information has been released under section 130 of the Health Insurance Act 1973 or section 135A of the National Health Act 1953.

Commissioner’s note

This Guideline seeks to ensure that the Department does not disclose de-identified data without having considered the possibility of whether it can be re-identified in the hands of the recipient. Amendment 1996 No 1 amended this Guideline to make an exception where the de-identified information has been released under secrecy provisions in the Department’s own Acts.

Any disclosures must also accord with the Information Privacy Principles in the Privacy Act and the relevant secrecy provisions in health legislation.

6. Name linkage

6.1 An officer of the Department may obtain from the HIC the name and other personal identification components corresponding to the internal personal identification number where that is authorised by the Secretary and is necessary:

  1. to clarify which information relates to a particular patient where doubt has arisenin the conduct of an activity involving the comparison or linkage of de-identified information; or
  2. for the purpose of disclosing personal information in a specific case or in aspecific set of circumstances as expressly authorised or required by law.

Commissioner’s note

This Guideline recognises that there are limited circumstances in which it is necessary for the Department to have access to name information.

  • Exception (a) is addressed to circumstances where technical difficulties arise in the conduct of policy and research activity which mean that data from two databases cannot accurately be compared without temporary re-identification of the data. The need to check the name is invariably transient, and identified data is not retained as a result.
  • Exception (b) is necessary to deal with situations where the Department holds information which is the subject of a formal legal demand or in relation to which it has an express discretion to lawfully disclose information and where it is not practical for the request to be handled by the HIC. Guideline 6.4 provides that the Department should usually consider transferring requests for identified information to the HIC for action.

6.2 The Secretary of the Department must establish procedures which ensure that where information is obtained under paragraph (a) of Guideline 6.1 that information is not retained once the doubt has been clarified.

Commissioner’s note

This Guideline seeks to ensure that procedures are implemented which limit the checking of name information to as few officers as possible and to ensure that the existence of name information is transient.

6.3 The Department must maintain and make publicly available a policy statement outlining its usual practices of disclosure in relation to paragraph (b) of Guideline 6.1.

Commissioner’s note

This Guideline ensures that where personal information is disclosed in circumstances as expressly authorised or required by law, the normal practices of disclosure be available for public scrutiny.

6.4 The Secretary of the Department must establish procedures which ensure that a request to disclose identified patient information is usually referred to the HIC and is only handled by the Department where it is not practical for the request to be referred to the HIC for action.

Commissioner’s note

This Guideline aims to ensure that the principal record keeper of identified information, the HIC, retains control of requests for identified information. If the request is for claims information over five years old the Department should adopt the usual practice of disclosing the relevant claims information (with PIN) to the HIC for the HIC to re-identify. This Guideline recognises that there may be some cases where it is not practicable for this to occur, for example where this may cause unacceptable delays.

This Guideline should be read in conjunction with Guidelines 4 and 6.7 which set out the circumstances and controls on the disclosure by the Department to the HIC of claims information identified by PIN.

6.5 In cases where information is obtained under paragraph (b) of Guideline 6.1, the Secretary of the Department must establish procedures which ensure that

  1. a central record of those transactions is retained by the Department, and
  2. the central record is held under strict security by a designated officer.

Commissioner’s note

Due to the sensitivity of the Department re-identifying data for the purposes of external disclosure, Guidelines 6.4 and 6.5 introduce a number of measures: first, to establish procedures for the HIC to be the agency that deals with requests for identified data; second, where the Department considers it is necessary to depart from these procedures and deal with the request itself, to ensure that a secure, single and central log is kept. The log will enable monitoring by the Privacy Commissioner of the scale of any practice, as well as providing a record of the transaction in the event of individual complaint.

6.6 The Secretary must keep the Privacy Commissioner informed of the procedures developed under Guidelines 6.2, 6.4 and 6.5.

6.7 Where the Department has given the HIC Medicare claims information or Pharmaceutical Benefits claims information identified by the personal identification number in accordance with a request under Guideline 4, the Department shall keep a central record for each program of that action.

Commissioner’s note

This Guideline was amended by Amendment 1996 No 1 to clarify that each program should have a separate central record.

Amendment 1996 No 1 removed Part C, comprising Guideline 7, which dealt with research, consequential upon the insertion of new Guideline 4A.

C. Miscellaneous

6.8 Paper copies, or copies in a similar form, of information contained in either database may be made where it is useful for the purpose at hand. However paper copies, or copies in a similar form, may not be made of the complete or a major proportion of a single database or all relevant databases. Paper copies of information must not be made for the purpose of circumventing the requirements of these Guidelines.

6.9 The HIC and the Secretary of the Department must keep the Privacy Commissioner informed of any arrangements that the HIC or the Department make in relation to any delegation or authorisations given that are associated with the implementation of these Guidelines.

Commissioner’s note

Under general legislation the HIC and the Secretary of the Department have wide powers of delegation. This Guideline provides a mechanism for enabling the Privacy Commissioner to monitor the scope and extent of any delegations and authorisations that relate to claims information and these Guidelines.

6.10 The HIC and Department shall take such steps as are reasonable in the circumstances to make all staff aware of the need to protect the privacy of individuals in relation to claims information and of the content of these Guidelines.

Commissioner’s note

The HIC and the Department should also take reasonable steps to make all staff aware of the secrecy obligations imposed by the legislation administered by the HIC and the Department and the privacy obligations imposed by the Information Privacy Principles and the Privacy Act. The Information Privacy Principles in the Privacy Act apply to all personal information held.

6.11 To the extent that a Guideline is inconsistent with the Information Privacy Principles the Guideline prevails.

Commissioner’s note

As these Guidelines deal with a particular area of administration they lay down standards which seek to be specific to the privacy issues of that area. To ensure that these Guidelines are used as the primary reference for establishing standards, the aim of this Guideline is to ensure that the relevant Guideline prevails in cases where that Guideline sets a higher standard from that which might flow from the application of an Information Privacy Principle.

Meaning of terms

“agency” is defined in section 135AA(11) of the National Health Act 1953 as “having the same meaning as in the Privacy Act 1988”;

“the HIC” means the Health Insurance Commission;

“database” is defined in section 135AA(11) of the National Health Act 1953 as “a discrete body of information stored by means of a computer”;

“the Department” means the portfolio department responsible for the Medicare and Pharmaceutical Benefits Program;

Commissioner’s note

The “Department” is currently the Department of Health and Family Services.

“Medicare Benefits Program” is defined in section 135AA(11) of the National Health Act 1953 as “the program for providing Medicare benefits under the Health Insurance Act 1973”;

“Medicare claims information” refers to the information provided in connection with a claim under the Medicare Benefits Program and includes identification information in respect of the person to whom a service attracting Medicare benefit was provided, the person who provided the service, where appropriate the person who requested the service; and the details of the service provided;

“National Health Act” refers to the National Health Act 1953;

“old information” is defined in section 135AA(11) of the National Health Act 1953 as “information to which this section [section 135AA of the National Health Act 1953] applies that has been held by one or more agencies for at least the preceding 5 years”. In these Guidelines an alternative term, “old claims information” is sometimes used and has the same meaning;

“patient” refers to a person who received a service for which a claim under the Medicare Benefits Program or the Pharmaceutical Benefits Program has been made;

“personal identification components”, in relation to information, is defined in section 135AA(11) of the National Health Act 1953 as “so much of the information as includes any of the following:

  1. the name of the person to whom the information relates;
  2. the person's address;
  3. the person's Medicare card number;
  4. the person's Pharmaceutical entitlements number”;

“personal identification number” means the internal identification used by the HIC to identify individuals eligible to receive Pharmaceutical or Medicare Benefits. It is an internal reference number, separate and unrelated to the Medicare card number;

“Pharmaceutical Benefits claims information” refers to the information provided in connection with a claim for benefit under the Pharmaceutical Benefits Program and includes identification information in respect of the person to whom pharmaceuticals were supplied, the person who prescribed the service, the person who supplied the benefit; and the details of the service provided;

“Pharmaceutical Benefits Program” is defined in section 135AA(11) of the National Health Act 1953 as “the program for supplying pharmaceutical benefits under Part VII of this [National Health] Act”;

“Privacy Act” means the Privacy Act, 1988;

Any term used in these Guidelines which is defined in the Privacy Act 1988 has that meaning.

 

Table of amendments

The Guidelines were issued on 24 November 1993 and were published in the Government Gazette, GN 48, on 8 December 1993. The Guidelines came into effect on 15 April 1994.

An amendment to the Guidelines was issued on 22 February 1994 and was published in the Government Gazette, GN 9, on 9 March 1994. The amendment came into effect on 13 May 1994.

| Guideline affected | How affected |
|---|---|
| Guideline 4 | inserted by 22.2.94 amendment |
| Guideline 5.4 | amended by 22.2.94 amendment |
| Guideline 6.7 | inserted by 22.2.94 amendment |
| Meaning of terms “old information” | amended by 22.2.94 amendment |

A second amendment to the Guidelines was issued on 30 October 1996 and was published in the Government Gazette, GN03, on 22 January 1996. The amendment came into effect on 1 January 1997.

| Guideline affected | How affected |
|---|---|
| Guideline 1.7 | amended by 30.1.96 amendment |
| Guideline 1.8 | amended by 30.1.96 amendment |
| Guideline 2.3 | replaced by 30.1.96 amendment |
| Guideline 3.1 | replaced by 30.1.96 amendment |
| Guideline 3.2 | amended by 30.1.96 amendment |
| Guideline 3.3 | replaced by 30.1.96 amendment |
| Guideline 4A | inserted by 30.1.96 amendment |
| Guideline 5.2 | amended by 30.1.96 amendment |
| Guideline 5.4 | amended by 30.1.96 amendment |
| Guideline 6.7 | replaced by 30.1.96 amendment |
| Part C | omitted by 30.1.96 amendment |

A third amendment to the Guidelines was issued on 27 June 2000 and was published in the Government Gazette, GN 44, on 8 November 2000. The amendment came into effect on 10 October 2000.

| Guideline affected | How affected |
|---|---|
| Guideline 1.4 (b) | amended by 27.7.00 amendment |



[3] There are a small number of agencies which are exempt from the Privacy Act, such as intelligence agencies (see section 7 of the Privacy Act).

[4] The office has produced IPP guidelines which are available at www.privacy.gov.au/act/guidelines/3.4

[10] Information on coverage of the private sector provisions of the Privacy Act can be obtained at http://www.privacy.gov.au/publications/IS12_01.doc

[12] De-identifying information can mean removing any information by which an individual may be identified. Note that simply removing the name and address may not be sufficient to de-identify the information. De-identification means that an organisation is not able to link the data with other records to re-establish the identity of individuals. Alternatively, re-identifying data occurs when de-identified information has been “re-constituted” in some way, for example, linking or comparing common information from separate database sets, such as DOB and postcode, so as to make the individual identifiable once again.

[14] These exemptions are listed in section 135AA(2) of the National Health Act.

[15] For more information on OACIS, see http://www.health.sa.gov.au/oacisprogramme/.

[16] For more information on Health e-link, see http://www.health.nsw.gov.au/im/ibs/ehr/.

[17] For more information on HealthConnect, see http://www.healthconnect.gov.au/.

[18] See, ‘New Medicare smartcard launched’ 28 July 2004, available at http://www6.health.gov.au/internet/wcms/publishing.nsf/Content/health-mediarel-yr2004-ta-abb085.htm.

[19] Some of the potential risks and benefits of datamatching are discussed in the OFPC’s The use of data matching in Commonwealth administration – Guidelines http://www.privacy.gov.au/publications/p6_4_23.doc

[20] OFPC (2001) Guidelines on Privacy in the Private Health Sector available at http://www.privacy.gov.au/health/guidelines/index.html#1.

[21] OFPC (2004) Community attitudes towards privacy 2004 available at www.privacy.gov.au.

[22] NHMRC (2004) The impact of privacy regulation on NHMRC stakeholders available at http://www.nhmrc.gov.au/aboutus/privacy.htm

[23] UK National Health Service (2004) Share with care: People's Views on Consent and Confidentiality of Patient Information available at http://nhsia.nhs.uk/confidentiality/pages/docs/swc.pdf; Whiddett, R, Hunter I and Engelbrecht J (2004) ‘Patients’ attitudes towards sharing their medical information’ paper presented at the Australian Psychological Society 39th Annual Conference 29 Sept-3 October.

[24] Stanley F (2003) ‘Public good or invasion of privacy?’ paper presented at the 25th International Conference of Data Protection and Privacy Commissioners 10-12 September, available at http://privacyconference2003.org/program.asp#fiona.