
Topic(s): Identity and ID | Sensitive information
 

Exposure Draft - Healthcare Identifiers Bill 2010; Submission to the Department of Health and Ageing (January 2010)



KEY RECOMMENDATIONS

The Office of the Privacy Commissioner (the Office) welcomes the opportunity to comment on the exposure draft for the Healthcare Identifiers Bill 2010 (the Bill). The Office would make the following recommendations about the Bill:

  1. The Office be consulted if regulations are made prescribing additional information the HI Service Operator can collect to assign identifiers to healthcare providers.
  2. Individuals be notified that their healthcare identifier may be collected through batch searching and bulk downloading.
  3. Regulations be made imposing data security requirements for the batch searching and bulk downloading process and the Office be consulted if such regulations are made.
  4. In respect of the handling of healthcare identifiers for insurance and employment purposes, section 16 of the Bill should be consistent with the intent of the Government’s response to ALRC recommendation 62-2.
  5. The compliance and enforcement mechanisms that will apply are set out in a specific section of the Bill and in the Explanatory Memorandum.
  6. Consequential amendments are made to sections 13 and 28 of the Privacy Act, to clarify how the offence provisions in the Bill interact with the compliance functions in the Privacy Act.
  7. Further consideration is given to the offence and compliance mechanisms to:
    • determine whether data security obligations should be prescribed in the Bill;
    • limit complaints that will be dealt with under the Privacy Act to those concerning individuals and individual healthcare providers only;
    • clarify the regulation of state and territory authorities; and
    • clarify the interaction of the penalty provisions in the Bill with the Office’s compliance functions.

OFFICE OF THE PRIVACY COMMISSIONER

1. The Office of the Privacy Commissioner (the Office) is an independent statutory body whose purpose is to promote and protect privacy in Australia. The Office, established under the Privacy Act 1988 (Cth) (the Privacy Act), has responsibilities for the protection of individuals' personal information that is handled by Australian and ACT Government agencies, and personal information held by all large private sector organisations, all private sector health service providers and some small businesses.

Background

2. The Office is pleased to have the opportunity to provide a submission to the Department of Health and Ageing (the Department) on the exposure draft Healthcare Identifiers Bill 2010 (the Bill) and related Release Note [1].

3. The Bill will establish the Healthcare Identifiers Service (HI Service), a national service which will assign unique individual health identifiers (IHIs) for all individuals receiving healthcare in Australia and all individual and organisational healthcare providers (HPI-Is and HPI-Os). Collectively, these identifiers are defined in the Bill as ‘healthcare identifiers’. Initially, these healthcare identifiers will be used to provide secure and accurate electronic communication between healthcare providers and for record management.

4. The Office notes that the Bill has been drafted to take account of the key issues raised in the proposal paper issued by the Australian Health Ministers’ Conference (AHMC) in November 2009 (the AHMC proposal paper) [2]. The provisions of the Bill also give effect to the Council of Australian Governments (COAG) National Partnership Agreement on E-Health (the Partnership Agreement), signed on 7 December 2009 [3]. Among other things, the Partnership Agreement sets out the privacy arrangements that will support the HI Service.

5. The Office also recognises that the Bill is a fundamental building block in the implementation of the national e-health system. The Office has previously indicated its support for the creation of a national e-health scheme, provided that the scheme was underpinned by enabling legislation and appropriate privacy protections [4].

GENERAL COMMENTS ABOUT THE BILL

6. The Bill’s primary purpose is to set out the functions of the HI Service Operator (the service operator) including regulating the assignment of healthcare identifiers by the service operator. It also defines the purposes for which healthcare identifiers can be used and disclosed by the service operator, healthcare providers and other authorised entities.

7. The Office welcomes the fact that the Bill limits the amount of information that will need to be collected for assigning healthcare identifiers and the purposes for which healthcare identifiers can be used and disclosed. The Office also welcomes the inclusion of strong enforcement and compliance mechanisms which will provide a mechanism for individuals to seek redress should a healthcare identifier be misused.

8. Primarily, our comments relate to the handling of healthcare identifiers issued to individuals (IHIs) rather than healthcare identifiers issued to individual healthcare providers (HPI-Is) or healthcare provider organisations (HPI-Os).

Collection of information to assign healthcare identifiers

9. As the Office understands it, all individuals who receive healthcare, or have received healthcare in the past, will automatically be assigned an IHI. Given the mandatory nature of the assignment of IHIs, it is important that appropriate privacy protections are in place regarding the personal information collected to generate an IHI and the purposes for which an IHI can be used and disclosed.

10. Personal information should not be collected about individuals unless the information is necessary for the specific purpose or function [5]. This is particularly important where individuals do not have a choice about whether their information will be collected for a particular purpose.

11. Limiting the amount of personal information that will be associated with a healthcare identifier will assist the service operator to comply with its requirement to ensure that the personal information it handles is accurate, complete and up-to-date [6].

12. In this regard, the Office welcomes the Bill clearly defining the identifying information that can be collected about individuals for the purpose of assigning an IHI. Further, the Office also notes the collection of the identifying information by the service operator will be limited to what is necessary to assign a healthcare identifier.

13. In terms of healthcare providers, the Bill also defines what information will be collected by the service operator to assign an HPI-I or HPI-O. Regulations can also be made to specify additional information that may be required in order to assign these identifiers. The Office would appreciate the opportunity to be consulted if regulations were made to prescribe such matters.

Collection of IHIs by healthcare providers

14. Among other things, the HI Service aims to benefit individuals by delivering improved safety for patients, for example, by minimising the likelihood of information being sent to the wrong healthcare provider or being associated with the wrong patient [7]. However, the benefits that could be realised from the establishment of the HI Service will rely on the extent to which healthcare providers use IHIs in delivering services to their patients.

15. To encourage healthcare providers to access the HI Service, it is proposed that healthcare providers will be able to batch search and collect IHIs for existing patients, via a bulk download [8]. In practice this will enable a healthcare provider to collect their patients’ IHIs, for the purpose of including the identifier on those patients’ records, before the individual presents themselves for a healthcare service.

16. The Office understands that healthcare providers will only be able to collect a patient’s IHI where the identifying information they give to the service operator matches the identifying information held on the service operator’s database. In the case of batch searches lodged with the service operator, the AHMC proposal paper states that the IHI will only be returned to the healthcare provider where an exact match is found. Further, no other information other than the IHI will be disclosed to the healthcare provider by the service operator. Where an exact match is not found as part of a batch search, an error message will be generated by the service operator [9].

17. While the Office recognises the benefits that could result from allowing batch searching and bulk downloading of existing patients’ IHIs, this process may generate some community concern. This concern could potentially arise as bulk downloads could include a wide number of individuals, some of whom may no longer be active patients of the healthcare provider. For example, an individual may have sought treatment in the past for a particularly sensitive medical condition from a healthcare provider who was not their regular practitioner and from whom they have not sought any further treatment.

18. Concerns such as this could arise irrespective of the fact that, at present, the only information the healthcare provider will collect from the service operator is the IHI itself, and the purposes for which the IHI can be used are strictly limited.

19. Community attitudes research conducted by our Office found that, generally, community trust in how their health information is handled by healthcare providers is increasing. However, this result must be considered in the context that health information is subject to stronger controls under the Privacy Act.

20. Under the Privacy Act, healthcare providers generally must have the individual’s consent to the collection and handling of their health information. When individuals were asked specifically about their attitude to being included on a national health database, 76% said that their inclusion on such a database should be voluntary [10]. The Office believes that the practice of bulk downloading may have the potential to impact on community confidence in the HI Service, in the absence of a consent process for collection of their IHI. The Office would make the following suggestions to assist in alleviating any potential community concerns.

21. Firstly, the proposal could be enhanced by including a requirement to make individuals aware that their IHI may be collected by a healthcare provider they have dealt with in the past. This information could: set out the circumstances under which healthcare providers will be able to collect their IHI; specify the information that will be disclosed to the healthcare provider by the service operator; and clarify that their IHI can only be used by the healthcare provider for prescribed purposes and where the healthcare provider is providing them with a healthcare service.

22. Notice to individuals about the collection of their IHI could be given as part of a public awareness campaign and include notices being placed in public access areas of healthcare providers’ premises. The Office notes that individuals will be able to access the information held about them on the HI Service and be able to find out who has accessed their information [11]. This would promote transparency in the process and is consistent with the access rights provided under the Privacy Act [12]. As such, if notice about collection is provided to individuals, it could include information about how they could also get access to ‘audit trail’ records maintained against their IHI.

23. Secondly, appropriate data security controls should be included in the batch search and bulk download process. These controls should regulate what information healthcare providers can give to the service operator during this process and what the service operator will do with identifying information it receives that does not match identifying information it holds. Setting out such data security requirements in regulation could establish a strong framework in which to regulate the batch searching and bulk download process. The Office notes the Bill provides that regulations can be made as required and permitted or as necessary or convenient to give effect to the Act, including the imposition of a penalty for contravention of such regulations [13]. The Office would welcome the opportunity to be consulted if regulations were made about such matters.

24. Thirdly, the Office suggests that guidance be provided to professional healthcare associations about how the batch searching and collection of IHIs by healthcare providers can be limited to active patients of a healthcare provider.

Use and Disclosure of IHIs

25. The Office supports the Bill prescribing the purposes for which IHIs can be used and disclosed by healthcare providers, the service operator and authorised entities. This is important given the mandatory nature of the assignment of IHIs to individuals.

26. The Office also supports the Bill expressly excluding the handling of IHIs for insurance business and employment purposes. This is in line with the Government’s response to recommendation 62-2 in the ALRC Inquiry which stated that the definition of ‘health service’ in the Privacy Act should expressly exclude activities performed for reasons other than care and treatment [14].

27. However, it is not clear whether the provision in section 16 of the Bill will have this effect because the Bill uses different terminology from that used in the Privacy Act. Specifically, the Bill uses the term ‘healthcare’ rather than ‘health service’ and the Bill excludes the handling of identifiers for purposes of an insurance business (or employment) rather than activities performed for such purposes. This could result in organisations being unclear as to whether they can handle an identifier for a particular purpose.

28. The Office suggests that the wording of section 16 of the Bill should be consistent with the intent of the Government’s response to ALRC recommendation 62-2.

Interaction with the Privacy Act

29. The Partnership Agreement envisages that the HI Service will be subject to uniform national privacy arrangements and encompassing offence and compliance mechanisms. Accordingly, it is pleasing to note that the Bill includes offence provisions including criminal penalties for unauthorised use and disclosure of healthcare identifiers and intends to provide, as far as possible, a nationally consistent compliance regime for individuals.

30. The Office notes that, under the Partnership Agreement, state and territory privacy and related regulators and our Office will be responsible for compliance and enforcement activities under the HI Service. To ensure that the provisions are applied consistently in all jurisdictions, the Office suggests that the compliance and enforcement mechanisms are set out in a specific section of the Bill and in the Explanatory Memorandum.

31. Further, the Office suggests that the offence and compliance mechanisms in the Bill could be reviewed to determine whether:

  • data security obligations should be prescribed in the Bill;
  • complaints about identifiers issued to healthcare organisations should be dealt with under the Privacy Act;
  • the regulation of state and territory authorities may need further consideration; and
  • the penalty provisions interact as intended with the Office’s compliance functions.

These issues are expanded on below.

The scope of interferences with privacy

32. The Partnership Agreement states that our Office will have general responsibility for undertaking compliance and enforcement activities in relation to ‘... other parties not covered by the compliance and enforcement activities to be conducted by State and Territory regulators ...’ [15].

33. To give effect to this intent, section 18 of the Bill provides that:

  • an authorisation under that Act to collect, use and disclose information is also an authorisation to do those things under the Privacy Act;
  • an act or practice that is an offence under the Act will be an interference with privacy under Part 13 of the Privacy Act; and
  • if an individual complains, Part V of the Privacy Act will apply as if the complaint were made under section 36 of the Privacy Act.

34. The Office understands that where a complaint is made about the misuse of a healthcare identifier, the act or practice would be assessed in terms of the use and disclosure provisions in the HI Act. However, the Privacy Commissioner will be relying on their investigation and enforcement power under Part V of the Privacy Act to investigate a complaint alleging a breach of the HI Act. Further, the Privacy Commissioner will also be relying on the provisions in section 13 of the Privacy Act to determine that the act and practice complained about under the HI Act is also an interference with the privacy of the individual.

35. To clarify the intention of these provisions, the Office suggests that these are set out in a specific section of the Bill and in the Explanatory Memorandum. For example, the Bill could include a section that defines what constitutes an interference with privacy, similar to those set out in section 173 of the Personal Property Security Register Act 2009 [16].

36. In addition, to ensure the privacy related provisions within Commonwealth legislation are consistent, the Office suggests that consequential amendments are made to section 28 of the Privacy Act providing the Privacy Commissioner with functions in relation to health identifiers. Further, an amendment to section 13 of the Privacy Act could be made adding a note that sets out the unauthorised acts and practices under the Bill that would be an interference with privacy. Such provisions could be modelled on those set out, respectively, in clauses 29 and 26 of the Personal Property Security Register (Consequential Amendments) Bill 2009 [17].

37. Generally, section 18(5)(a) could be interpreted as imposing an obligation on our Office to accept a complaint about a breach of the IHI legislation, without it being subject to assessment about whether it met the requirements of a complaint under section 36 of the Privacy Act. In practical terms this may impose a requirement on the Office to accept oral complaints about alleged misuse of a healthcare identifier, whereas under section 36 complaints must be in writing and, in most cases, the complainant must have tried to resolve the matter in the first instance with the respondent. The Office suggests that section 18(5)(a) could be re-drafted to ensure that it is consistent with the Privacy Commissioner’s current complaint handling powers.

Data Security

38. It is understood the Bill is intended to regulate the prescribed purposes for which healthcare identifiers can be used and disclosed. Where a healthcare identifier is used or disclosed for any other purpose it will be an offence and also an interference with privacy. The Office is pleased that the Bill sets out an exhaustive list of the authorised purposes for which healthcare identifiers can be used and disclosed.

39. However, the Office considers that these provisions could be further enhanced to protect individuals in situations where the loss of their healthcare identifier occurs because a healthcare provider does not have adequate data security requirements in place.

40. The loss of an individual’s healthcare identifier in this context could suggest a systemic weakness in the data security requirements of a healthcare provider. As the Office understands it, in these circumstances, the Bill provides that any subsequent use or disclosure of the compromised healthcare identifier would be an offence and an interference with privacy. However, while the person who misuses the individual’s healthcare identifier may be subject to criminal penalties under the Bill, there may be no mechanism for the Privacy Commissioner to enforce a change of practices with the healthcare provider.

41. As the Bill is intended to provide an exhaustive list of the acts and practices in relation to healthcare identifiers that will be an offence and an interference with privacy, the Office suggests that it include a data security requirement. Such a provision could be modelled on the data security principles in the Privacy Act.

Identifiers issued to healthcare organisations

42. The Bill regulates the handling of all healthcare identifiers, including identifiers issued to healthcare providers who are organisations. Under the Privacy Act, the Privacy Commissioner can make a decision that an act or practice is an interference with the privacy of an individual, if the complaint falls within section 13 of the Privacy Act. This section requires that the act or practice complained about relates to the personal information of an individual.

43. During the ALRC Inquiry the question of whether the Privacy Act should be extended to corporations and other commercial entities was considered. The Inquiry found that such a change would be inconsistent with the concept of privacy as a protection for individuals. Further, this report claimed such a change was unnecessary as commercial entities may have alternative remedies available to them to protect the privacy of their information [18].

44. Section 13 of the Privacy Act defines what constitutes an interference with privacy as being acts or practices that are an ‘... interference with privacy of an individual ...’. Given the wording of section 13, the Office does not consider that the Privacy Act can regulate acts and practices relating to the handling of healthcare identifiers where the information is not personal information about an individual.

45. For these reasons, and given the intent and purpose of the Privacy Act, the Office suggests that its role under the Bill should be clarified so that it is limited to interferences with privacy relating to the personal information of individuals.

Regulation of states and territories

46. In terms of the compliance mechanism under the Bill, the Office notes that under section 18(5)(b), a state or territory authority is deemed to be an organisation for the purposes of the Privacy Act. The Office is unsure whether this provision is sufficient to ensure that complaints received about state and territory authorities could be investigated by our Office.

47. Under section 6F of the Privacy Act a State or Territory authority, or prescribed instrumentality, can be prescribed as an organisation. For example, Privacy (Private Sector) Amendment Regulations 2002 (No. 1) prescribes some State energy providers as organisations under s6F [19]. Before such a regulation can be made, the Minister who has responsibility for the Privacy Act must be satisfied that the State or Territory has requested that the authority be prescribed for those purposes and must consult with the Privacy Commissioner about the desirability of regulating the handling of personal information practices of that state or territory authority.

48. However, the Office is unsure whether section 6F of the Privacy Act would provide effective regulation of the handling of healthcare identifiers by state and territory authorities where those bodies are not organisations as defined in the Privacy Act, for example, if that authority had a turnover of $3m or less or were not a health service provider as defined in the Privacy Act. It may also not provide effective regulation of state and territory bodies for intra-state activities such as where a healthcare identifier is transferred across a state or territory boundary.

49. The Office is concerned that the Privacy Commissioner’s ability to carry out investigation and enforcement functions in relation to healthcare identifiers may be limited, if the regulation of state and territory authorities under the Bill is not established appropriately.

50. The Office suggests that further consideration regarding how state and territory authorities can be regulated under the Bill may be required.

Penalty provisions

51. The Office welcomes the inclusion of criminal and civil penalties for misuse of healthcare identifiers and compliance mechanisms for individuals that will enable them to seek remedies and redress if misuse of their identifier has occurred. This is consistent with the ALRC’s recommendation about the protections that should accompany the introduction of unique health identifiers [20]. The Government’s response also confirmed that such protections were integral to the national e-health framework [21].

52. However, the ability of an individual to seek compensation for an interference with privacy should not be dependent only on whether the criminal aspects of an offence under the HI Act can be proven. As section 18(3) of the Bill is currently worded, the Privacy Commissioner would have to form a view that a ‘healthcare identifier offence’ had been committed to establish that there had been an interference with privacy under section 13 of the Privacy Act.

53. Given the other provisions in the Bill, the policy intent of the AHMC proposal paper and the National Partnership Agreement, the Office considers that it is not intended to limit the Privacy Commissioner’s powers in this way. Therefore, the Office suggests that section 18(3) be amended to remove the requirement that a healthcare identifier offence is a necessary factor in determining that an interference with privacy has occurred.

54. Under section 49 of the Privacy Act, the Privacy Commissioner is required to refer a matter to the Director of Public Prosecutions or the Commissioner of Police where they form a view that certain offences may have been committed. The Office suggests that a similar requirement could be included in section 49 of the Privacy Act in relation to healthcare identifier offences.



[2] ‘Building the foundation for an e-health future...update on legislative proposals for healthcare identifiers’ www.health.gov.au/internet/main/publishing.nsf/Content/7EB863F2246F5A72CA2575ED00817A5B/$File/FINAL%20Update%20Proposals%20HI%20Service%20Nov%2009.pdf

[4] Submission to the Australian Law Reform Commission’s Review of Privacy – Discussion Paper 72, December 2007 pp658-660 www.privacy.gov.au/materials/types/download/9111/6748

[5] See Information Privacy Principle 1.1 (IPP 1.1) and National Privacy Principle 1 (NPP 1)

[6] IPP8 imposes a requirement on a record keeper to ensure the accuracy, currency and completeness of information before use, NPP3 imposes a similar requirement on organisations. Also see Information Sheet 28 NPP3 Data Quality www.privacy.gov.au/materials/types/download/9291/6865

[7] Note 2, p 7

[8] Note 2, at clause 5.8 p 25

[9] Ibid

[10] Community Attitudes to Privacy 2007 The Wallis Group, pi-ii, public trust for the handling of health information by health service providers is increasing, though the purposes for (though this is care healthcare 76% believe inclusion on a national health database should be voluntary. www.privacy.gov.au/materials/types/download/8820/6616

[11] Note 2, p17

[12] Under National Privacy Principle 6, individuals can request that organisations provide access to information held about them. This principle will be extended to agencies by the Unified Privacy Principles, as recommended by ALRC Inquiry and accepted by Government.

[13] Clause 24

[14] ‘Enhancing National Privacy Protection’ Australian Government First Stage Response to the Australian Law Reform Commission Report 108 For Your Information: Australian Privacy Law and Practice, October 2008 p132 www.dpmc.gov.au/privacy/alrc_docs/stage1_aus_govt_response.pdf

[15] Note 3 pA-6

[18] For Your Information: Australian Privacy Law and Practice, Australian Law Reform Commission Report 108, p351-352

[20] Rec 61-1

[21] Note 13, at p131