
Submission to the Department of Health and Ageing; Draft Regulations for the Healthcare Identifiers Service (April 2010)



Key recommendations

The Office of the Privacy Commissioner considers that the exposure draft regulations for the Healthcare Identifier Service enhance the privacy framework provided in the Healthcare Identifiers Bill 2010 (the Bill) to support the establishment of the Healthcare Identifier Service and the use of healthcare identifiers. The Office makes the following comments about the exposure draft regulations:

  1. Regulation 10 could be strengthened by limiting the purposes for which healthcare identifiers can be collected. We consider that the collection of a healthcare identifier should be linked to the provision of healthcare to the individual healthcare recipient.
  2. The Office suggests that the title of Regulation 10 could be amended to reflect the content of the regulation.
  3. The development of guidelines to support proposed Regulation 10 is pleasing. The Office would appreciate the opportunity to be consulted in their development.
  4. We consider it is appropriate that Regulation 11 proposes a period of transition for active enforcement of penalty provisions. However, penalties should still be enforced in cases of systemic non-compliance.
  5. The development of guidance about data security measures for entities handling healthcare identifiers would support the data security obligation in section 27 of the Bill.

Office of the Privacy Commissioner

1. The Office of the Privacy Commissioner (the Office) is an independent statutory body whose purpose is to promote and protect privacy in Australia. The Office, established under the Privacy Act 1988 (Cth) (the Privacy Act), has responsibilities for the protection of individuals' personal information that is handled by Australian and ACT Government agencies, and personal information held by all large private sector organisations, health service providers and some small businesses.

Preliminary

2. The Office welcomes the opportunity to provide a submission to the Department of Health and Ageing (the Department) on the exposure draft regulations for the Healthcare Identifiers Bill 2010 (the Bill). This was accompanied by a related Consultation Paper issued by the Australian Health Ministers’ Advisory Council. [1]

3. The Office has been involved in advising on privacy issues in relation to electronic health record developments for a number of years including on the healthcare identifiers proposal. In particular, the Office commented on the proposal paper released by the Australian Health Ministers’ Conference in August 2009[2] and to the exposure draft of the Bill in January 2010. [3] The Office also participated in the Senate Standing Committee on Community Affairs inquiry into the Bill. [4]

4. In its submissions the Office has consistently said that the development of e-health initiatives must be supported by strong privacy safeguards. In relation to healthcare identifiers, in our view, such safeguards include defining the purpose for which healthcare identifiers can be collected, used and disclosed and limiting those purposes to prescribed activities; imposing positive obligations on entities handling healthcare identifiers; sanctions for misuse of personal information; and having appropriate oversight mechanisms.

5. Overall, the Office considers that the Bill, as it now stands, provides an appropriate privacy framework to support the establishment of the Service and the handling of individual healthcare identifiers. The proposed regulations serve to support this framework and strengthen the positive obligation on entities to employ good privacy practice in their handling of healthcare identifiers. We have some minor suggestions to enhance the regulations.

Regulation 10

6. Proposed Regulation 10 provides rules about the disclosure of healthcare identifiers by the Service Operator. In addition, it regulates the collection of healthcare identifiers by healthcare providers, including where this occurs through batch searching and bulk downloading.

7. In particular, Regulation 10 places obligations on healthcare providers to ensure that the collection of healthcare identifiers from the Service Operator is supported by appropriate security measures. This includes ensuring that only authorised employees can request healthcare identifiers from the Service and that a record is kept of each person the provider has authorised to access the Service.

8. On the whole, proposed Regulation 10 strengthens the privacy safeguards in the Bill. It does this by placing the onus on healthcare providers to take preventative measures to ensure that their employees access the Service appropriately. Regulation 10 also requires healthcare providers to ensure that their employees receive sufficient information and training about using the Service. These positive obligations will help reduce the likelihood of the Service being inappropriately accessed.

9. However, it is also the case that under the Bill, individuals will not have choice about whether their healthcare identifier is collected by a healthcare provider. In recognition of this requirement, the Bill provides a framework under which the Service Operator is only authorised to disclose healthcare identifiers to healthcare providers where certain requirements are met. This in turn places limits on the purposes for which healthcare providers can collect healthcare identifiers.

10. The collection of healthcare identifiers under the Bill is also limited to healthcare recipients of the healthcare provider, defined as an individual who has received, receives, or may receive healthcare. [5] Taken together, the Office understands these provisions prevent healthcare providers from collecting a healthcare identifier for an individual who is not a healthcare recipient of that provider.

11. The Office suggests that the purpose of collection in proposed Regulation 10 could similarly be linked to the provision of healthcare to a healthcare recipient. This could be achieved through adopting the term healthcare recipient from the Bill into Regulation 10(1)(c). Healthcare providers would only then be authorised to request healthcare identifiers for individuals who have received, receive or may receive healthcare from them.

12. If Regulation 10(1)(c) were amended in this way, it would be an offence for a healthcare provider to collect the healthcare identifier of an individual who is not a healthcare recipient of that healthcare provider. In our view, such a limitation would strengthen the safeguards in the Bill that guard against inappropriate collection of healthcare identifiers.

13. The Office also considers that the current title for Regulation 10 may cause confusion. As currently drafted, the title does not reflect that the regulation deals with requests to the Service Operator for disclosure of healthcare identifiers, not disclosures by the Service Operator of healthcare identifiers. We suggest that the title could be amended to reflect the content of the regulation.

Guidelines to support Regulation 10

14. The Office notes that guidelines will be issued by the Service Operator imposing national standards to support Regulation 10. They will be based on national data security standards and cover matters such as access to and disclosure of healthcare identifiers. [6]

15. Given the key role these guidelines will have for the handling of healthcare identifiers, the content of these guidelines will be important. We suggest that in addition to technical standards the guidelines could provide general guidance about data security similar to the advice provided in our Guide to handling personal information security breaches. [7]

16. This Guide gives practical advice about the data security measures organisations and agencies can take to avoid compromising personal information. In our view, this advice could be applied to the handling of healthcare identifiers. Specifically, we suggest that the guidelines could include the following:

  • risk assessment - identifying the security risks to personal information held by the organisation and the consequences of a breach of security
  • policy development - developing a policy or range of policies that implements measures, practices and procedures to reduce the identified risks to information security
  • staff training - training staff and managers in security and fraud awareness, practices and procedures and codes of conduct
  • the appointment of a responsible person or position - creating a designated position within the organisation to deal with personal information security breaches. This position could have responsibility for establishing policy and procedures, training staff, co-ordinating reviews and audits, and investigating and responding to breaches
  • technology - implementing privacy enhancing technologies to secure personal information held by the organisation, including through such measures as access control, copy protection, intrusion detection, and robust encryption
  • monitor and review - monitoring compliance with the security policy, periodic assessments of new security risks and the adequacy of existing security measures, and ensuring that effective complaint handling procedures are in place
  • standards - measuring performance against relevant Australian and international standards as a guide
  • privacy impact assessments - evaluating, in a systemic way, the degree to which proposed or existing information systems align with good privacy practice and legal obligations
  • audits - undertaking regular audits to detect system weaknesses and/or breaches
  • appropriate contract management - conducting appropriate due diligence where services are contracted, particularly in terms of the IT security policies and practices that the service provider has in place and then monitoring compliance to these policies through periodic audits.

17. The Office believes the development of guidelines for healthcare providers about data security is a positive measure. Further, the Office considers it can provide valuable input to the development of the guidelines and would appreciate being consulted as they are developed.

Regulation 11

18. Regulation 11 proposes that the Service Operator can request information from a healthcare provider that is sufficient to identify the person who accessed the Service to retrieve a healthcare identifier. This places a positive obligation on healthcare providers to maintain an audit trail or record of all requests to the HI Service at an individual employee level. [8]

19. In our view, requiring that access records of authorised employees to the Service be kept is a key accountability measure. Such records also operate as a safeguard to ensure the Service is being used appropriately. Access logs may provide a useful deterrent effect and, by enabling detection of unauthorised access, thereby increase individual accountability. The Office also welcomes the commitment in this regulation to encouraging healthcare providers to improve identity management and security standards.
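The following is an added illustration, not part of the Office's submission and not code from the HI Service: it shows what an access record kept at the individual employee level (paragraph 18) looks like in practice, and how such a record, checked against the register of authorised employees that Regulation 10 requires providers to keep, supports the detection of unauthorised access described above. The log format, field names, user identifiers and purpose code are all constructed for the example; it also flags records that cannot be attributed to any employee, since those could not satisfy a Regulation 11 request.

```python
"""Per-employee audit trail of healthcare identifier (HI) lookups, checked
against the provider's register of authorised users.

Added example only. The log layout, user ids and purpose code below are
constructed; none of them come from the submission or the HI Service.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRecord:
    timestamp: str   # when the request was sent to the Service (constructed ISO 8601)
    user_id: str     # the individual employee who made the request ("" if not recorded)
    purpose: str     # hypothetical purpose code logged with each request
    outcome: str     # "ok" if the Service returned an identifier, else "denied"


# Constructed register of employees this provider has authorised to use the Service
# (the record Regulation 10 asks providers to keep).
AUTHORISED_USERS = {"nurse.a", "dr.b", "reception.c"}

# Constructed access log, one request per line: timestamp, user, purpose, outcome,
# tab-separated. The third line is from a user not on the register; the last line
# has no user recorded at all.
SAMPLE_LOG = """\
2010-04-01T09:02:11\tnurse.a\tHI_LOOKUP\tok
2010-04-01T09:05:43\tdr.b\tHI_LOOKUP\tok
2010-04-01T11:17:02\ttemp.x\tHI_LOOKUP\tok
2010-04-01T12:30:00\treception.c\tHI_LOOKUP\tdenied
2010-04-01T13:40:19\tnurse.a\tHI_LOOKUP\tok
2010-04-01T14:02:55\t\tHI_LOOKUP\tok
"""


def parse_log(text):
    """Parse the constructed log format; reject lines that do not have all four fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != 4:
            raise ValueError(f"malformed access record: {line!r}")
        records.append(AccessRecord(*parts))
    return records


def unattributable(records):
    """Requests with no employee recorded: the provider could not identify the person."""
    return [r for r in records if not r.user_id]


def unauthorised_requests(records, authorised):
    """Requests made by an employee who is not on the authorised register."""
    return [r for r in records if r.user_id and r.user_id not in authorised]


def trail_for_user(records, user_id):
    """The per-employee trail a Service Operator request under Regulation 11 would draw on."""
    return [r for r in records if r.user_id == user_id]


def requests_per_user(records):
    """How many requests each recorded employee made; useful for periodic review."""
    counts = defaultdict(int)
    for r in records:
        if r.user_id:
            counts[r.user_id] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in unauthorised_requests(recs, AUTHORISED_USERS):
        print("not on authorised register:", r)
    for r in unattributable(recs):
        print("no employee recorded:", r)
    print(requests_per_user(recs))
```

Run stand-alone, the script reports one request from a user outside the register and one request that names no employee; both are the kinds of gap that a periodic review of the access record, as the submission recommends, is meant to surface.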

20. In our view, the introduction of a penalty provision with a period of transition for active enforcement is appropriate. [9] A transition period acknowledges that some healthcare providers may need to make changes to their IT systems and procedures and it is inevitable that this will take time. However, we note that, because the requirement to provide as much information as possible to the Service Operator will not be removed during the transition period, healthcare providers will still be obliged to keep access records. [10] In our view, requiring steps to be taken to maintain an access record whilst new technologies are introduced helps to maintain the balance between ensuring appropriate security and allowing sufficient time for providers to transition.

21. Whilst penalties will not be actively enforced during the transition period, we consider that the enforcement of penalty provisions should be discretionary so that penalties for non-compliance can be enforced should a healthcare provider repeatedly fail to take appropriate action. Our Office also suggests during the transition period, educative campaigns or guidance materials be used to encourage all healthcare providers to take proactive steps to improve privacy protection measures and introduce the necessary system audit trails.

Security of healthcare identifiers

22. The Office welcomes that the Bill imposes data security obligations on any entity holding healthcare identifiers. Consistent with the obligations imposed on agencies and organisations to keep information they handle secure, [11] section 27 of the Bill requires that any entity holding healthcare identifiers must take reasonable steps to protect them from misuse, loss and unauthorised access. As well, section 27(b) enables regulations to be made in relation to data security, including that a penalty can be imposed on entities that fail to comply with those regulations. [12]

23. We note that it is not proposed to issue regulations in respect of section 27 at this time. However, the Office welcomes that regulations imposing specific data security requirements and penalties for non-compliance could be made if there is a demonstrated need.

24. Even so, the Office suggests that the data security obligations in section 27 of the Bill could be supported by guidance. In many cases, healthcare providers will already have appropriate security safeguards in place for the personal and health information they hold. However, guidance on data security standards may help entities to improve standards and avoid a situation where inadequate data security measures lead to systemic misuse or loss of healthcare identifiers. Also, such guidance might encourage consistency in the data security standards imposed across different jurisdictions and settings.

25. It is suggested that the guidance material could cover similar matters to those proposed for guidelines to be developed for Regulation 10. In addition, such guidance could assist entities in deciding what reasonable steps are in terms of data security and encourage them to take a holistic approach to personal information security. Entities will need to give consideration to appropriate security safeguards across a range of areas to meet their obligations under section 27 of the Bill. Key areas for data security consideration include:

  • physical security - by adopting measures to prevent unauthorised entry to premises, having systems to detect unauthorised access and ensuring computer screens don’t face public areas.
  • computer and network security - by adopting measures to protect computer systems and networks from unauthorised access, modification and disclosure. This could include access control for authorised users, such as user passwords, screen saver passwords and limiting access to shared network drives to authorised staff.
  • communications security - by protecting communications via data transmission, including email and voice, from interception, and preventing unauthorised intrusion into computer networks.
  • personnel security - by adopting procedural and personnel measures that limit access to personal information to authorised staff for approved purposes, together with controls to minimise security risks to an organisation's IT systems. Staff need to be aware of the terms of any applicable policies, practices or procedures applying to healthcare identifiers in order to comply with them.

26. If guidance is developed about such matters, the Office would appreciate being consulted.



[1] Proposed Regulations for the Healthcare Identifiers Service Consultation Paper, March 2010, available at: www.health.gov.au/internet/main/publishing.nsf/Content/exposure-draft-regs

[2] Healthcare Identifiers and privacy: Discussion paper on proposals for legislative support, Submission to Australian Health Ministers' Conference, August 2009, www.privacy.gov.au/materials/types/download/9387/6925

[4] Submission to the Senate Standing Committee on Community Affairs, March 2010, www.privacy.gov.au/materials/types/submissions/view/7052

[5] Section 5

[6] Consultation Paper, page 13

[8] Consultation Paper, page 14

[9] As noted in the Consultation Paper, page 14

[10] As noted in the Consultation Paper, page 14

[11] As set out in the Privacy Act under Information Privacy Principle (IPP) 4 and National Privacy Principle (NPP) 4

[12] Section 27(b)