Commonwealth of Australia Explanatory Memoranda Commonwealth of Australia Explanatory Memoranda[Index] [Search] [Download] [Bill] [Help]
2008-2009-2010
THE PARLIAMENT OF THE COMMONWEALTH OF AUSTRALIA
HOUSE OF REPRESENTATIVES
HEALTHCARE IDENTIFIERS BILL 2010
HEALTHCARE IDENTIFIERS (CONSEQUENTIAL AMENDMENTS) BILL 2010
EXPLANATORY MEMORANDUM
(Circulated by authority of the Minister for Health and Ageing,
the Honourable Nicola Roxon MP)
HEALTHCARE IDENTIFIERS BILL 2010
HEALTHCARE IDENTIFIERS (CONSEQUENTIAL AMENDMENTS) BILL 2010
OUTLINE
The purpose of the Healthcare Identifiers Bill 2010 ('the Bill') is to
implement a national system for consistently identifying consumers and
healthcare providers and to set out clear purposes for which healthcare
identifiers can be used.
The establishment of this national system, described as a Healthcare
Identifiers Service, is a joint initiative of all Australian Governments
and will put into effect a number of decisions made by the Council of
Australia Governments (COAG).
In February 2006, COAG agreed to a national approach to developing,
implementing and operating systems for healthcare identifiers for
individuals and providers as part of accelerating work on a national
electronic health records system to improve safety for patients and
increase efficiency for healthcare providers. COAG reaffirmed this
decision in 2008 and agreed to universally allocate a unique identifying
number to each individual healthcare recipient in Australia.
On 7 December 2009, COAG signed a National Partnership Agreement for E-
Health This Agreement provides a framework for cooperative jurisdictional
arrangements and responsibilities for e-health and sets out the objectives
and scope for the Healthcare Identifiers Service, as well as relevant
governance, legislative, administrative and financial arrangements.
Communication of health information is a vital part of effective
healthcare. The accurate identification of individuals is critical in all
health communication. Mismatching of patients with their records and
results is a documented problem for the health system and a clear link has
been established between avoidable harm to patients and poor medical
records management.
The costs of adverse events and medical errors are significant. It has
been estimated that 10% of hospital admissions are due to adverse drug
events and that up to 18% of medical errors are due to the inadequate
availability of patient information.[1]
Using an individual healthcare identifier will provide a way for healthcare
providers to more accurately match the right records to the person they are
treating and improve accuracy when communicating information with other
healthcare providers. This will help to avoid medical mix-ups or one
person's information being recorded on another patient's file.
Healthcare identifiers are part of the core national infrastructure
required to support secure electronic communications across Australia's
healthcare system.
Implementation of a national healthcare identifiers system will:
. support secure messaging from one healthcare provider to another by
providing a consistent identifier that can be used in e-communication;
. facilitate electronic communications between providers by providing a
way for healthcare providers to look up the contact details of other
providers; and
. support the implementation of a security and access framework to
ensure the appropriate authorisation and authentication of healthcare
providers who access national e-health infrastructure.
Failing to establish this infrastructure is likely to result in further
duplication or fragmentation of investment, limited uptake and adoption of
e-health initiatives, and limited interoperability of available solutions
creating a 'rail gauge' problem that will become difficult or expensive to
rectify.
E-health implementations overseas demonstrate significant direct
productivity improvements for specialists, GPs and pharmacists by helping
to automate routine interactions between care providers such as referrals,
prescriptions, and image processing. For example:
. E-prescription implementations in Sweden, Boston and Denmark reduce
provider costs and save time to improve productivity per prescription
by over 50%[2]
. E-referrals in Denmark reduced the average time spent on referrals by
97%[3] by providing more effective access to patient information for
both clinicians[4]
. Test ordering and results management systems reduce time spent by
physicians chasing up test results by over 70% in implementations in
America and France.[5]
Australia's National E-Health Strategy outlines solutions for e-
prescriptions, e-referrals and electronic test ordering to minimise the
time spent by care providers in discovering information known by other
providers. The estimated benefit for care provider time, reflecting a
conservative 10% reduction of total time spent on messaging costs for
clinical and ancillary staff and improvements from improved messaging
quality, is in the order of $2.8 billion in net present value over ten
years.[6] The Healthcare Identifiers Service is an important step in
realising these benefits.
The availability of healthcare identifiers is likely to lead to
efficiencies in booking appointments, ordering treatments and sharing
information across the health sector. It is estimated that 25% of a
clinician's time is spent seeking information about the patient[7] and 35%
of referrals are inappropriate due to insufficient direct access to
specialists and insufficient information being passed from primary care to
specialists.[8]
The use of identifiers will also help to reduce time and cost spent on
unnecessary or duplicated treatments such as diagnostic tests. Studies in
hospital environments indicate unnecessary duplicate testing occurs at a
rate of 9% to 17%. Based on an estimate of $36 as the mean cost of tests
prevented and a conservative estimate of a 15% reduction in tests, e-health
could realise benefits of around $800 million in net present value over ten
years.[9]
Healthcare provider organisations who choose to participate in the Service
may incur some costs associated with complying with obligations set out in
legislation and regulations. For example, a healthcare provider
organisation will need to nominate a representative to act on behalf of the
organisation in any interactions with the Healthcare Identifiers Service.
In addition, there may be some costs associated with upgrading of IT
systems to ensure they incorporate appropriate minimum standards and
security features to access to the Healthcare Identifiers Service. As the
Service draws heavily on the same IT infrastructure as Medicare Online, it
is anticipated that most providers will already have this in place. The
other cost associated with participation will be the time required for
staff education and training and standardised reference materials will be
available to minimise any impact associated with this.
There is expected to be some impact on staff time in terms of considering
information supplied to the healthcare provider about how healthcare
identifiers should be implemented and because consumers are likely to seek
advice from their healthcare provider about the new healthcare identifiers
and how they can and cannot be used.
Healthcare providers will be provided with supporting materials and
appropriate sources to refer consumers to for more information. A public
awareness program on the HI Service will provide information to consumers
via a range of methods.
As noted above, it is expected that these start-up costs, and any ongoing
costs, will result in efficiencies in a number of areas. One of the key
benefits is that use of healthcare identifier numbers is likely to result
in improved business practices and more efficient communication with other
providers.
The inclusion of healthcare identifiers in a health records system or a
patient's file will not change how and when healthcare providers share
information about individuals, but will provide a much more reliable way of
referencing information, particularly in electronic communications and
information management systems. Patients will continue to be involved in
decisions about how health information is handled by their healthcare team.
If a health provider is unable to obtain a person's IHI from the HI
Service, or the IHI is not available for any reason, patients will not be
refused treatment. An IHI will also not be required for claiming
healthcare benefits.
It will not alter the way in which anonymous healthcare services are
currently provided. Where it is lawful and practical, individuals can seek
treatment and services on an anonymous basis. In these instances, an IHI
would not be used by the healthcare service.
Pseudonyms are used when seeking healthcare, in special circumstances, such
as for witness protection. These arrangements will continue.
The design of the Healthcare Identifiers Service draws on existing elements
of Medicare Australia's infrastructure including trusted personal
information about individuals, consumer Medicare cards, information
policies, and customer services such as shop front and online services.
For these reasons Medicare Australia will be the operator of the Healthcare
Identifiers Service. An independent review of the Service, including
Medicare Australia's role as operator will be undertaken after two years.
Legislation is required to establish the Healthcare Identifiers Service and
to permit the use and disclosure of healthcare identifiers for specified
purposes. The Bill once enacted will operate in conjunction with the
National Partnership Agreement for E-Health to support the operation of the
Healthcare Identifiers Service.
The Bill establishes arrangements for operating and maintaining the
Healthcare Identifiers Service, including the conferral of functions on the
Chief Executive Officer of Medicare Australia. These functions include:
. assigning, collecting and maintaining identifiers for individuals,
individual healthcare providers and organisations by using information
already held by Medicare Australia for its existing functions;
. collecting information from individuals and other data sources;
. developing and maintaining mechanisms for users to access their own
records and correct or update details;
. using and disclosing healthcare identifiers and associated personal
information, for the purposes of operating the Healthcare Identifiers
Service; and
. disclosing healthcare identifiers for other purposes set out in the
Bill.
The Bill sets out the permitted purposes for which healthcare identifiers
may be used or disclosed and the offences relating to the misuse of
healthcare identifiers and penalties for breaches of the legislation. This
provides a clear framework to support the proper use and disclosure of
healthcare identifiers and ensures that any inappropriate handling of
healthcare identifiers can be addressed.
The Federal Privacy Commissioner will provide independent regulation of how
healthcare identifiers are handled and the operation of the Healthcare
Identifiers Service. This will include handling complaints against
Medicare Australia, as the service operator and private sector healthcare
providers.
Where a state or territory has existing privacy arrangements in place,
including an appropriate regulator, that regulator is to be responsible,
under legislation passed by a state or territory, for handling complaints
relating to healthcare identifiers which are made against a public sector
organisation in their jurisdiction. Until state or territory arrangements
are in place, complaints against a state or territory public body will be
handled by the federal Privacy Commissioner.
The handling of any personal information associated with a healthcare
identifier will continue to be subject to existing privacy arrangements
under Commonwealth, state or territory law that apply to the body holding
the information.
A role for the Ministerial Council responsible under the National
Partnership Agreement for E-Health for oversighting the Healthcare
Identifiers Service has also been included in the Bill.
Key functions of the Ministerial Council to be established in the
legislation include development and review of legislation and regulations
and issuing policy directions to the HI Service Operator.
Annual reports must also be provided to the Ministerial Council by the
Privacy Commissioner and Medicare Australia (as service operator).
Regulations in a number of areas are required to support the operation of
the Healthcare Identifiers Service. Regulations may be made in regards to:
. prescribing additional identifying information to support the
assignment of healthcare identifiers to healthcare providers;
. prescribing bodies as data sources;
. prescribing a service operator other than Medicare Australia; and
. prescribing requirements for assigning a healthcare identifier to a
healthcare recipient or healthcare provider, such as eligibility
criteria for healthcare providers and any security obligations that
healthcare providers must meet to be assigned a healthcare identifiers
and/or participate in the Service.
The development of regulations will be subject to consultation with the
Ministerial Council.
The Healthcare Identifiers (Consequential Amendments) Bill 2010
The purpose of the Healthcare Identifiers (Consequential Amendments) Bill
2010 is to ensure the Healthcare Identifiers Bill 2010 (once enacted)
operates appropriately and effectively. This will be achieved by making
minor amendments to the Health Insurance Act 1973 to authorise the Chief
Executive Officer of Medicare Australia to delegate functions to officers
to support the day-to-day running of the Healthcare Identifiers Service.
In addition, minor amendments to the Privacy Act 1988 will provide for the
Privacy Commissioner's role as the independent regulator of the Healthcare
Identifiers Service.
Financial Impact Statement
As set out in the National Partnership Agreement for E-Health, the
Healthcare Identifiers Service is funded until 30 June 2012 as part of the
$218 million (50:50 cost shared between the Commonwealth and the states and
territories allocated by COAG to the National E-Health Transition Authority
(NEHTA) in November 2008.
Of that $218 million, $52.02 million has been allocated through NEHTA to
fund the operation of the Healthcare Identifiers Service by Medicare
Australia.
|10/11 |11/12 |12/13 |13/14 |
|$26.01m |$26.01m |$0 |$0 |
In addition to the funding that has already been allocated by COAG, $0.5
million funding in 2010-11 and 2011-12 has been allocated by the
Commonwealth to the Office of the Privacy Commissioner to provide
regulatory oversight and advice on the introduction of healthcare
identifiers.
The National Partnership Agreement for E-Health states that the basis for
future funding for the Healthcare Identifiers Service after 30 June 2012
will need to be determined in discussions between the Commonwealth, states
and territories.
HEALTHCARE IDENTIFIERS BILL 2010
NOTES ON CLAUSES
Part 1 - Preliminary
Clause 1 - Short Title
This clause provides that the Bill (once enacted) may be cited as the
Healthcare Identifiers Act 2010.
Clause 2 - Commencement
This clause provides that the Bill (once enacted) commences on the day
after it receives Royal Assent.
The Healthcare Identifiers Service is not due to commence operations until
mid 2010. However, Medicare Australia as the service operator will need to
undertake certain activities to support the implementation of the
Healthcare Identifiers Service. This will include testing the Healthcare
Identifiers Service. To undertake implementation activities such as
testing, Medicare Australia, as the service operator, will require
legislative authority.
Clause 3 - Purpose of this Act
This clause sets out that the purpose of this Bill (once enacted) is to
implement a national system for consistently identifying individual
healthcare recipients and healthcare providers. This will be achieved by
issuing an identifying number to each healthcare recipient and healthcare
provider.
Healthcare identifiers are designed to improve information management and
communication in the delivery of healthcare and related services. There
will also be benefits associated with the use of healthcare identifiers for
other health-related purposes including research and management of health
services.
The Bill (once enacted) will provide a robust framework for healthcare
identifiers by:
. authorising the use of existing Medicare Australia infrastructure;
. setting out appropriate and transparent national governance arrangements;
and
. setting out the permitted uses and disclosures of healthcare identifiers
by the healthcare community.
Healthcare identifiers, when included in a healthcare recipient's health
record, will be subject to the existing privacy laws that apply to personal
health information as well as the specific provisions that are set out in
this Bill.
Clause 4 - Act to bind the Crown
This clause provides that the Bill binds the Crown in each of its
capacities. This means that the Bill is intended to apply (and be observed
by) the Commonwealth and each of the States, the Australian Capital
Territory and the Northern Territory. It also reflects that the Crown
cannot be subject to prosecution.
The note included refers to clause 37(4) of the Bill that requires the
Minister to declare that certain provisions of the Bill do not apply to
state or territory public sector organisations and agencies where a state
or territory has enacted a law which applies consistent provisions relevant
to the handling of healthcare identifiers to its public sector agencies.
Clause 5 - Definitions
This clause sets out key definitions used throughout the Bill to support
the operation of the Healthcare Identifiers Service and handling of
healthcare identifiers. The meaning of some definitions is set out in
other clauses. Key definitions include:
. healthcare means health service, as defined by the Privacy Act - aligning
this definition with existing privacy laws will help to ensure
consistency between privacy arrangements is maintained;
. healthcare provider means all individual healthcare professionals (for
example, general practitioners, specialists, nurses etc) and healthcare
organisations (for example hospitals, medical centres, diagnostic
services and other that provide a health service);
. healthcare recipient means an individual who has received, is receiving
or may receive healthcare in Australia;
. health information means health information, as defined in the Privacy
Act - aligning this definition with existing privacy laws will help to
ensure consistency between privacy arrangements is maintained;
. identified healthcare provider means individual healthcare providers or
organisations that have been assigned a healthcare identifier;
. Ministerial Council is defined by the National Partnership Agreement
(NPA) for E-Health as being the Council of Ministers tasked by the
Council of Australian Governments to undertake key functions related to
the oversight of the Healthcare Identifiers Service, that is the
Australian Health Ministers Conference;
. Privacy Act means the Privacy Act 1988;
. Registration authority means an entity that is responsible under a
Commonwealth, state or territory law for registering members of
particular health profession and would include a national registration
authority, as defined under clause 8.
Clause 6 - meaning of service operator
This clause defines the service operator of the Healthcare Identifiers
Service as the Chief Executive Officer of Medicare Australia, and allows
for any subsequent service operator to be specified in the regulations.
Any decision to change the service operator must be made by the Minister,
in consultation with the Ministerial Council. The requirement for this is
set out in clause 33 and clause 39 of the Bill and the National Partnership
Agreement on E-Health.
Clause 7 - meaning of identifying information
This clause describes the information (including personal information)
required by the service operator to uniquely assign and maintain healthcare
identifiers to healthcare providers (individuals and organisations) and
healthcare recipients. The types of information required will depend on
the type of healthcare identifier to be assigned.
Information required to assign an individual healthcare provider identifier
is outlined in subclause 7(1) and includes (but is not limited to) name,
address, date of birth, sex, healthcare provider type, registration status.
Subclause 7(2) outlines the information required to assign a healthcare
provider identifier for non-individuals (eg. organisations) and includes
(but is not limited to) name, address, ABN.
Subclause 7(3) outlines the information required to assign an individual
healthcare identifier and includes but is not limited to name, address,
Medicare or Veterans' Affairs number, date of birth etc.
The definition also includes other data elements that may need to be used
in some situations to ensure accuracy when assigning and maintaining
healthcare identifiers. Provision has also been made for regulations to
prescribe any additional identifying information that may be required in
the future to support assignment of healthcare provider identifiers under
subclause 7(1) and (2). Development of any such regulations would be
undertaken in consultation with the Ministerial Council as required under
clause 33.
Clause 8 - Meaning of national registration authority
This clause describes a national registration authority as a registration
authority that has been prescribed in regulations for the purpose of this
section.
The regulations will prescribe the National Health Practitioner Boards or
other bodies established by states and territories under the Health
Practitioners Regulation National Law, or in corresponding laws of a state
or territory, as part of a national scheme for the regulation of health
professionals and students.
From July 2010, a national scheme is to be established for the registration
of health practitioners in 10 professions - medical, nursing and midwifery,
pharmacy, physiotherapy, dental, psychology, optometry, osteopathy and
chiropractic. A further 4 professions - Aboriginal and Torres Strait
Islander health practice, Chinese medicine, medical radiation practice,
occupational therapy are expected to added to the scheme in 2012 and other
additional professions may be added in the future.
The national registration boards or other bodies with responsibility for
registering health practitioners are to have responsibility for issuing
healthcare identifiers to individual providers under arrangements set out
in clause 9.
Part 2 - Assigning healthcare identifiers
Clause 9 - Assigning healthcare identifiers
Subclause 9(1) authorises the service operator to assign a healthcare
identifier to a healthcare provider or individual healthcare recipient.
Healthcare providers will only be assigned a healthcare identifier where
they meet criteria set out in regulations under subclause 9(5).
Subclause 9(2) provides for the national registration authority to assign
healthcare identifiers to individual healthcare providers.
Subclause 9(3) sets out the three types of healthcare identifiers that form
the foundation elements of the Healthcare Identifiers Service:
. identifiers for individual healthcare providers;
. identifiers for healthcare provider who are not individuals; and
. identifiers for individual healthcare recipients.
Subclause 9(4) - makes clear that the service operator determines whether
to assign identifiers.
Regulations under subclause 9(5) will set out requirements for assigning
identifiers.
Subclause 9(6) provides that healthcare identifiers are also subject to
clause 7 of the National Privacy Principles (NPPs) in the Privacy Act, so
as to restrict Commonwealth government assigned identifiers from being
adopted by private sector organisations as de-facto common identity
numbers, other than as permitted by this Bill.
Healthcare identifiers are designed to be used by healthcare providers as
unique reference numbers in their own health records systems. For the
private sector to be able to adopt, use and disclose healthcare
identifiers, they must be authorised to do so.
This Bill (once enacted) will provide that authorisation but only for
limited purposes specifically described (see Part 3 for further information
on the permitted uses and disclosures of healthcare identifiers).
Individual healthcare recipients enrolled in Medicare Australia's Medicare
program or with the Department of Veterans' Affairs will not need to do
anything to be assigned a healthcare identifier.
Those not enrolled with Medicare Australia or the Department of Veterans'
Affairs, such as international tourists or long-stay visa holders, can be
assigned a temporary healthcare identifier when they present to a
healthcare provider for treatment. To verify their healthcare identifier,
the individual will need to provide identifying information (as defined in
clause 7(3)) to the service operator.
COAG has agreed that the identifier assigned to individual healthcare
providers for registration purposes should be the same number assigned to
healthcare providers for the purpose of communication and management of
health information.
To support this, individual healthcare providers will be assigned a
healthcare provider identifier through national registration boards
established as part of the national scheme for registration of health
practitioners where their profession is included in the scheme.
For healthcare providers whose professions are not yet included in the
national scheme, or will not be covered by the scheme, the service operator
will be responsible for assigning individual healthcare provider
identifiers, subject to the healthcare provider meeting criteria set out in
regulations and providing identifying information (as defined by clause
7(1)).
To ensure healthcare providers are issued one number only for registration
purposes and communication and information management purposes, information
sharing arrangements between the service operator and a National
Registration Authority are required.
Authority for the sharing of a healthcare provider's identifier and other
identifying information between a National Registration Authority and the
service operator is provided for under other provisions of this Bill and
state and territory legislation establishing the national scheme for the
registration of health practitioners. The authority under this Bill is
provided for in clause 13 (National Registration Authority to disclose to
the service operator) and clause 19 (service operator to disclose to
Registration Authority).
Healthcare providers who are not individuals (for example, healthcare
organisations) or who are sole traders will need to apply direct to the
service operator to be issued with a healthcare identifier for their
organisation, subject to meeting criteria set out in regulations and
providing identifying information (as defined in clause 7(2)). The
identifier issued to a healthcare provider who is a sole trader will be in
addition to their individual healthcare identifier in these circumstances.
This is clarified in the note to the clause.
This Bill (once enacted), in no way limits a healthcare provider's ability
to deliver healthcare services where they have not been assigned a
healthcare provider identifier.
Healthcare identifiers are designed to be used by healthcare providers as
unique reference numbers in their own health records systems. For the
private sector to be able to adopt, use and disclose healthcare
identifiers, they must be authorised to do so. This Bill (once enacted)
will provide that authorisation but only for limited purposes specifically
described (see Part 3 for further information on the permitted uses and
disclosures of healthcare identifiers).
In view of the procedural nature of decisions to assign identifiers and
that they will not affect existing capacity for healthcare to be delivered
those decisions will not be subject to administrative review. There will
be minimal discretion for the service operator in assigning an identifier,
for example, if healthcare providers do not provide 'identifying
information' or meet existing standards for secure electronic exchange of
information.
Clause 10 - Service operator must keep record of healthcare identifiers etc
This clause requires the service operator to keep an up-to-date record of
all healthcare identifiers that have been assigned and any associated
information the service operator has in its possession which relates to the
healthcare identifiers. This includes information about any requests made
by a healthcare provider to the service operator for the disclosure of an
individual's healthcare identifier.
An individual healthcare consumer who has been assigned a healthcare
identifier has a right to access information about themselves which is held
by the service operator. This will include the healthcare identifiers and
any associated personal information (see discussion under clause 18 for
further information).
Part 3 - Use and disclosure of healthcare identifiers and other information
Division 1 - Use and disclosure of identifying information for assignment
of healthcare identifiers
Clause 11 - Disclosure by healthcare providers
Subclause 11(1) authorises a healthcare provider to disclose identifying
information about an individual healthcare consumer to the service
operator, for the purpose of assigning a healthcare identifier to the
individual. The subclause ensures that a healthcare provider does not
breach privacy laws in providing that information to the service operator.
Subclause 11(2) authorises the service operator to collect the information
which has been disclosed to it by the healthcare provider and use it for
assigning an identifier.
As outlined above, most individual healthcare recipients will be
automatically assigned an individual healthcare identifier but for those
who are not (such as tourists or individuals not eligible to enrol in the
Medicare program), it will be possible to obtain a temporary healthcare
identifier from a healthcare provider when the individual presents for
treatment.
In these circumstances, a healthcare provider will provide identifying
information about the individual to the service operator for the purpose of
the service operator assigning a healthcare identifier.
Clause 12 - Disclosure by data sources
Subclause 12(1) provides the authority for a data source (as defined by
subclause 12(2)) to disclose identifying information it holds about an
individual healthcare consumer or healthcare provider for another purpose
to the service operator for the purpose of assigning a healthcare
identifier.
Subclause 12(2) defines a number of data sources including Medicare
Australia, the Department of Veterans' Affairs and data sources prescribed
through regulations.
Data sources are selected on the basis that they can provide high quality
demographic and professional information to support the unique
identification of individuals and healthcare providers and limit the risk
of incorrectly assigning a healthcare identifier.
Medicare Australia and the Department of Veterans' Affairs will provide
existing demographic information to the service operator to support the
assignment of healthcare identifiers to the majority of Australians.
Data sources, such as professional registration bodies, may be prescribed
as required where, in consultation with the Ministerial Council, the
Government is satisfied that they are able to provide adequate assurance
about the quality of demographic and professional information on their
members. Demographic and professional information to support the
assignment of healthcare identifiers to healthcare providers will primarily
be provided by a National Health Practitioner Board or other body
established under the national scheme for the regulation of health
practitioners who are prescribed as a National Registration Authority.
Subclause 12(3) authorises the service operator to collect and use
identifying information disclosed to it by a data source for the purpose of
assigning healthcare identifiers.
Clause 13 - Disclosure by national registration authority
Subclause 13(1) authorises the national registration authority to disclose
the healthcare identifier it assigns and any relevant associated
information to the service operator. Subclause 13(2) authorises the
service operator to collect and use this information to establish and
maintain a record of all healthcare identifiers issued, as required by
clause 10.
This provision is necessary to ensure that where the national registration
boards established as part of the national scheme for registration of
health practitioners assigns individual healthcare identifiers to
healthcare providers, they can disclose the healthcare identifier and
associated information back to the service operator.
Regardless of who issues healthcare identifiers to healthcare providers,
the service operator will be required to keep a record of all healthcare
identifiers assigned and any relevant associated information by clause 10.
Clause 14 - Maintaining healthcare identifiers
This clause permits the drafting of regulations which may require a
healthcare provider participating in the Healthcare Identifiers Service (an
identified healthcare provider) to provide information relevant to the
healthcare provider's healthcare identifier to the service operator.
This intention of this clause is to ensure that healthcare providers are
obliged to update relevant information about themselves which is held by
the service operator (for example, information included in the Healthcare
Provider Directory such as professional status).
Clause 15 - Service operator's duty of confidentiality
This clause sets out the offences and penalties which apply to employees of
the service operator for any unauthorised use or disclosure of information
held by the service operator and to subsequent disclosure.
Subclause 15(1) provides that a person commits an offence if information
was disclosed to the person for a legitimate purpose under Part 2 of the
Bill (once enacted), and the person uses or discloses the information, the
penalty for which is a fine of 120 penalty units (a penalty unit currently
being worth $110), imprisonment for 2 years or both.
The types of inappropriate activities this provision intends to capture
include where an employee uses information held by the service operator
(such as someone else's name and address) and discloses that information to
another person or use it themselves for a purpose that is not permitted.
Subclause 15(2) provides a defence to subclause 15(1) where the person uses
or discloses the information for the purpose for which it was disclosed to
the person or where the purpose is authorised under another law. For
instance where an employee of the service operator uses or discloses
information for a purpose permitted by the Bill once enacted, (noting the
individual making the disclosure bears the evidential burden in accordance
with subsection 13.3(3) of the Criminal Code).
Subclause 15(3) includes a separate offence where information is disclosed
to a person in contravention of subclause 15(1) and the person is aware of
this contravention but uses or discloses the information anyway. A penalty
of 120 penalty units (a penalty unit currently being worth $110),
imprisonment for 2 years or both will apply.
In accordance with subclause 15(4), it is not an offence under subclause
15(3) if an individual uses or discloses the information for the purpose of
reporting a contravention to the appropriate authorities (noting that the
individual reporting the offence bears the evidential burden under
subsection 13.3(3) of the Criminal Code to prove the use or disclosure was
permitted).
As described in the note, where the offence is committed by a body
corporate, a fine of 600 penalty units will apply.
Division 2 - Disclosure of healthcare identifier by service operator
Subdivision A - Request by healthcare provider for healthcare recipient's
healthcare identifier
Clause 16 - Disclosure of healthcare recipient's identifying information by
healthcare provider
This clause authorises healthcare providers participating in the Healthcare
Identifiers Service to disclose identifying information (as defined in
clause 7) to the service operator about individuals for the purpose of
obtaining their healthcare identifier.
The disclosure by a healthcare provider may occur at the time an individual
presents to a healthcare provider for healthcare or as part of a larger
request for a batch download against a healthcare provider's existing
records.
An individual's healthcare identifier will only be disclosed back to the
healthcare provider where an exact match is available. Where an exact
match is unavailable, an error message will be sent to the healthcare
provider from the service operator.
A healthcare provider's ability to undertake batch downloads will help to
facilitate the quick uptake of healthcare identifiers and reduce
administration burdens associated with participation in the Service. A
healthcare provider's patient index will be able to be initially populated
by matching healthcare identifiers to individuals already known to the
healthcare provider. To make a request a provider will need to provide
details of the patient who is on their current records. The records that a
healthcare provider might hold on their current records will be governed by
applicable health records legislation.
Under this clause, the service operator is authorised to collect and use
information disclosed to it by the healthcare provider.
The service operator's ability to disclose the healthcare identifier back
to the healthcare provider is provided for in clause 17.
Subdivision B - Disclosure of healthcare identifier by service operator
Clause 17 - Disclosure to healthcare provider
Subclause 17(1) authorises the service operator to disclose healthcare
identifiers to a healthcare provider participating in the Healthcare
Identifiers Service or individuals employed by the healthcare provider and
authorised to act on their behalf.
Subclause 17(2) authorises the healthcare provider to collect the
healthcare identifier and states in the note that the use or disclosure of
the healthcare identifier for specified purposes is authorised in clause 24
of the Bill.
Authorisation for the healthcare provider to adopt use or disclose
healthcare identifiers is provided under clause 25.
Clause 18 - Disclosure to healthcare recipient
Under this clause the service operator is able to disclose information it
holds about an individual healthcare recipient to the recipient or a person
responsible for them (as defined by subclause 2.5 of the National Privacy
Principle 2) where it has been requested. Information that can be accessed
includes the healthcare identifier, any associated personal information and
the details of healthcare providers who have accessed the individual's
record.
While existing privacy and freedom of information laws regulate access to
information held by Commonwealth public sector bodies, an explicit
statement has been included in this Bill to ensure individuals and persons
responsible for the individual have a clear understanding of their right to
access information held by the service operator and to provide an
appropriate framework for the service operator to make such disclosures.
Clause 19 - Disclosure to registration authority
Subclause 19(1) authorises the service operator to disclose a healthcare
provider's healthcare identifier to a registration authority (as defined in
clause 5) for registration purposes. Subclause 19(2) permits the
registration authority to collect and use the identifier.
A registration authority (defined in clause 5) includes the national
registration boards established as part of the national scheme for
registration of health practitioners for a range of healthcare professions.
Under this scheme, registered healthcare providers in specified
professions will be assigned a persistent, single identifier for
registration purposes.
Health Ministers have agreed that the identifier assigned to healthcare
providers for registration purposes should be the same number assigned to
healthcare providers for the purpose of communication and management of
health information.
Clause 20 - Disclosure for authentication of healthcare provider's identity
Authentication of an individual is used as part of providing secure
electronic communications.
The Healthcare Identifiers Service will use the National Authentication
Service for Health (NASH) to provide security credentials for healthcare
providers. NASH will provide a Public Key Infrastructure (PKI) system for
the healthcare sector which will include issuing and maintaining digital
certificates for healthcare providers.
Healthcare providers will use their authentication credentials when
accessing the Healthcare Identifiers Service electronically. This will
enable the service operator to keep an accurate and up-to-date record of
healthcare providers accessing the Service.
To support these authentication requirements, the service operator will
need to be able to disclose information it holds about a healthcare
provider to an entity responsible for issuing and maintaining digital
certificates.
Subclause 20(1) authorises the service operator to disclose information for
such purposes while subclause 20(2) permits the entity responsible for
issuing and maintaining authentication infrastructure to collect and use
the information for those purposes.
Clause 21 - Access controls
This clause enables regulations to be made which prescribe rules relevant
to the disclosure of healthcare identifiers by the service operator.
The regulations will set out what the service operator or healthcare
provider must do for identifiers to be disclosed. Security obligations on
the service operator and any other body holding healthcare identifiers are
provided for under clause 27.
Any regulations proposed under this clause would be subject to consultation
with the Ministerial Council (see clause 33 for further discussion) and may
impose a penalty for any contravention of the regulation.
Clause 22 - Information about disclosures by service operator
This clause enables regulations to be made which stipulate that where the
service operator discloses a healthcare identifier to an entity, the entity
must provide certain information relevant to that disclosure to the service
operator.
This may include an acknowledgement of the entity's responsibilities in
relation to the appropriate handling of the healthcare identifier or other
participation arrangements necessary to support the appropriate use and
disclosure of healthcare identifiers, such as keeping a record of employees
who have accessed the Service. This will support enquiries made by
individuals with regards to who has accessed their records and the handling
of any complaints.
Any regulations proposed under this clause would be subject to consultation
with the Ministerial Council (see clause 33 for further discussion) and may
impose a penalty for any contravention of the regulation.
Division 3 - Use, disclosure and adoption of healthcare identifier by
healthcare provider
Clause 23 - Disclosure to healthcare recipient
The purpose of this clause is to make it clear that a healthcare provider
can disclose an individual's healthcare identifier to the individual or to
a person responsible for the individual.
A person responsible for an individual is defined by subclause 2.5 of
National Privacy Principle 2 in the Privacy Act and is intended to
recognise existing arrangements for authorised representatives and
guardians in state and territory legislation.
Clause 24 - Use and disclosure for other purposes
It is expected that healthcare identifiers will be included in the existing
information management systems of healthcare providers and used when
communicating information with other providers and managing health
information as part of delivering health services.
Subclause 24(1)(a) sets out the permitted uses and disclosures of
healthcare identifiers by healthcare providers for the purpose of
communication or management of information as part of:
. providing a health service to an individual; or
. the management, funding, monitoring or evaluation of healthcare; or
. provision of indemnity cover for the healthcare provider; or
. research which has been approved by a human research ethics committee.
These purposes are broad enough to cover a range of clinical,
administrative and business activities that are regularly undertaken to
support the delivery of healthcare. For example, management, funding,
monitoring or evaluation of healthcare is intended to include activities
such as quality assurance, quality improvement, policy development,
planning, cost benefit analysis and the compilation of statistics in
relation to those activities.
Subclause 24(1)(b) also authorises a healthcare provider to use or disclose
a healthcare identifier where the provider reasonably believes it is
necessary to lessen or prevent a serious threat to an individual's life,
health or safety or a serious threat to public health or public safety.
Express authority permitting a healthcare provider to use or disclose
healthcare identifiers is necessary in light of the restrictions under
National Privacy Principle 7 of the Privacy Act on private sector
organisations using and disclosing Commonwealth government assigned
identifiers (see discussion under subclause 9(4) for further information).
The healthcare provider does not require the consent of the individual
healthcare consumer in order to use or disclose the healthcare identifier
for the purposes specified.
It should be noted that the permitted uses and discloses only apply to the
healthcare identifiers. The collection, use and disclosure of any personal
information (eg. health information) must be managed in accordance with the
Privacy Act or existing state or territory privacy arrangements. This is
set out in the note to the clause.
The use or disclosure of the identifiers for purposes other than outlined
above will be a breach of the Privacy Act and subject to inquiry and
complaint mechanisms (see clause 26 - offences and penalties).
The limits on the handling of healthcare identifiers will apply to state
and territory public sector bodies through state and territory legislation.
Until such legislation is in place, this Bill (once enacted) will set out
the limits that will apply for the use and disclosure of healthcare
identifiers by state and territory public sector bodies (for further
information on the relationship with state and territory laws, see clause
37).
Subclause 24(2) provides that where a healthcare provider discloses a
healthcare identifier to another entity for a purpose defined by subclause
24(1), the entity is authorised to collect, use or disclose it to a
healthcare provider for the purpose for which it was originally disclosed
to the entity.
This will include for example, when a doctor discloses an individual's
healthcare identifier to a private health insurer and the insurer provides
a healthcare service to that individual, such as a chronic disease
management program.
However, as outlined below in subclause 24(4) the healthcare identifier
cannot be used by the insurer for the purpose of underwriting health
insurance or determining eligibility for or coverage level of, health
insurance. This aligns with the community rating scheme under the Private
Health Insurance Act 2007 (Chapter 3) which supports access to private
health care for all Australians by prohibiting discrimination against
individuals based on their health, age or some other characteristic likely
to result in the need for increased healthcare.
Under subclause 24(3), a healthcare provider who receives a healthcare
identifier from the entity in these circumstances is permitted to collect
it and use or disclose it in accordance with subsection 24(1).
Healthcare identifiers are expected to be used broadly within the
healthcare sector, provided the uses and discloses fall under the
activities described in subclause 24(1). Any activities that fall outside
those activities described in subclause 24(1) are intended to be
prohibited. A specific prohibition has also been included in subclause
24(4) to make it clear that healthcare identifiers cannot be used for the
purpose of an insurer underwriting insurance contract for an individual
healthcare recipient or determining whether the individual is eligible to
receive insurance, or for employment purposes.
Section 25 - Adoption by healthcare provider
Clause 25 provides for healthcare providers to adopt an identifier of a
healthcare recipient as their identifier to that healthcare recipient.
An express authority permitting healthcare providers to adopt healthcare
identifiers is necessary in light of the general prohibition under National
Privacy Principle 7 of the Privacy Act that prevents private sector
organisations adopting Commonwealth government assigned identifiers (see
discussion under subclause 9(4) for further information)
Division 4 - Unauthorised use and disclosure of healthcare identifiers
Clause 26 - Unauthorised use and disclosure of healthcare identifiers
prohibited
Subclause 26(1) provides an offence where a healthcare identifier is
disclosed to a person and the person uses or discloses the healthcare
identifier.
The penalty for such an offence where it is committed by an individual is a
fine of 120 penalty units (a penalty unit currently being worth $110),
imprisonment for 2 years or both. Where the offence is committed by a
corporation, a fine of 600 penalty units will apply.
Subclause 26(2) provides a defence to subclause 26(1) where the person is
authorised under this Bill (once enacted) to use or disclose the healthcare
identifier and the use and disclosure is in accordance with the purposes
defined in subclause 24(1), the use or disclosure is authorised under
another law, or the person discloses the healthcare identifier for the
purpose of, or in connection with, the person's personal, family or
household affairs (within the meaning of section 16E of the Privacy Act).
To rely on this defence, the individual bears the evidential burden in
accordance with subsection 13.3(3) of the Criminal Code.
Division 5 Protection of Healthcare Identifiers
Clause 27 - Protection of Healthcare Identifiers
This clause imposes security obligations on any entity holding a healthcare
identifier to protect it from misuse or loss and for regulations to
prescribe additional requirements.
The clause mirrors requirements set out in NPP4 in Schedule 3 of the
Privacy Act. As under the Privacy Act, the federal Privacy Commissioner
will be able to require agencies and organisations to take action to
address systems failures that led to that misuse or loss.
Part 4 - Interaction with the Privacy Act 1988
Clause 28 - Interaction with the Privacy Act 1988
This clause provides clarification as to how this Bill (once enacted),
operates in conjunction with the Privacy Act and clarifies that an
authorisation under this Bill is an authorisation for the purpose of the
Privacy Act.
Clause 29 - Functions of Privacy Commissioner
Subclause 29(1) provides that an act or practice which contravenes the Bill
or regulations (once enacted) will be considered as a breach of privacy
under the Privacy Act.
Subclause 29(2) allows audits to be undertaken by the Privacy Commissioner
as could be undertaken in relation to personal information.
The Federal Privacy Commissioner will be responsible for providing
independent oversight of the Healthcare Identifiers Service, in accordance
with existing functions allocated under the Privacy Act. This will include
the power to conduct own motion investigations and undertake audits of the
service operator (as a Commonwealth Government agency). As is the current
arrangement, the audit of any private sector organisation is by invitation
only. Audits cannot be undertaken into a state or territory agency as
these are treated as a private sector organisation under the Privacy Act.
Complaints regarding the Healthcare Identifiers Service will be handled by
the Privacy Commissioner in accordance with section 36 of the Privacy Act.
As outlined in the National Partnership Agreement for E-Health, it is
intended that existing state and territory regulators will be responsible
for providing oversight of their public sector bodies in relation to the
handling of healthcare identifiers. This will occur concurrent with any
existing jurisdictional privacy arrangements.
States and territories that do not have existing or sufficient limits and
safeguards on use of healthcare identifiers in place or an appropriate
regulator will need to introduce legislation. In the absence of any such
legislation, the Privacy Commissioner will be responsible for providing
regulatory oversight for state and territory public sector bodies (for
further discussion on the relationship between this Bill (once enacted) and
state and territory laws, see the discussion on clause 37).
Clause 29 - Annual reports by Privacy Commissioner
This clause imposes an obligation on the Privacy Commissioner to prepare an
annual report on compliance and enforcement activities undertaken in
relation to the Healthcare Identifiers Service. A copy of the report must
be provided to the Ministerial Council by 30 September of each year.
As is general practice with annual reports prepared by Commonwealth
agencies, the annual report prepared by the Privacy Commissioner will be
publicly available to ensure an appropriate level of transparency and
accountability.
Part 5 - Healthcare Provider Directory
Clause 31 - Healthcare Provider Directory
Subclause 31(1) requires the service operator to establish and maintain a
Healthcare Provider Directory which will list the details of all healthcare
providers who have been assigned a healthcare identifier and who have
consented to having their details included in the Directory.
Subclause 31(2) enables the service operator to disclose details contained
in the Healthcare Provider Directory to other healthcare providers
participating in the Healthcare Identifiers Service (identified healthcare
providers) or their employees, where they have been authorised to act on
the healthcare provider's behalf.
The establishment of the Healthcare Provider Directory is one of the key
benefits associated with the Healthcare Identifiers Service. The Directory
aims to facilitate communication between healthcare providers by providing
a reliable source of identifying and contact information about other
participating healthcare providers. For example, the Directory will enable
a GP to locate other providers (such as specialists) in a timely manner,
and facilitate communication with other providers when referring patients
or making decisions about the patient's care needs by providing contact
details for electronic messaging.
Part 6 - Oversight role of the Ministerial Council
Clause 32 - Directions to service operator
This clause enables the Minister responsible for oversighting the
Healthcare Identifiers Service, in consultation with the Ministerial
Council to issue written directions to the service operator about the
operation of the Service.
This clause gives effect to the agreement in the National Partnership
Agreement for E-Health for the Ministerial Council to be consulted in
providing directions to the Service Operator. Consultation with the
Ministerial Council recognises the important role states and territories
play in managing the operation of the Healthcare Identifiers Service to
ensure it appropriately supports the needs of national public health
policy.
Any written direction issued under this clause is not a legislative
instrument within the meaning of section 5 of the Legislative Instruments
Act 2003.
Clause 33 - Consultation with Ministerial Council about regulations
This clause imposes an obligation on the Minister responsible for
legislative oversight to consult with the Ministerial Council prior to
making regulations to support the operation of the Healthcare Identifiers
Service.
Consultation with the Ministerial Council recognises the important role
states and territories play in managing the operation of the Healthcare
Identifiers Service to ensure it appropriately supports the needs of
national public health policy.
Clause 34 - Annual reports by service operator
This clause imposes an obligation on the service operator to prepare an
annual report on activities, finances and operation of the service operator
so far as they relate to this Bill and any regulations in force. A copy of
this report must be provided to the Ministerial Council or other entity as
directed by the Ministerial Council no later than 30
September each year.
As is general practice with annual reports prepared by Commonwealth
agencies, the report prepared by the service operator will be publicly
available. This will provide a level of transparency and accountability.
Clause 35 - Review of operation of Act
Subclause 35(1) imposes an obligation on the Minister, in consultation with
the Ministerial Council to oversee a review of the operation of this Bill
(once enacted) within three years of commencement.
This clause is intended to be read in conjunction with the review
requirements set out in the National Partnership Agreement on E-Health,
which states that a review of the Healthcare Identifiers Service must be
conducted after two years and reported on within three years of the
commencement of the Service.
A review is required to ensure the Bill (once enacted) provides the
necessary regulatory support to enable the Healthcare Identifiers Service
to operate efficiently and effectively and to assess Medicare Australia's
role as the service operator.
Consultation with the Ministerial Council recognises the important role
states and territories play in managing the operation of the Healthcare
Identifiers Service to ensure it appropriately supports the needs of
national public health policy.
In accordance with subclause 35(2), a copy of the report must be provided
to the Ministerial Council and tabled in each House of Parliament within 24
sitting days after it has been prepared.
Part 7 - Miscellaneous
Clause 36 - Extent of authorisation
This clause states that where an entity is authorised under this Bill for a
particular purpose, this authorisation applies to a person employed by the
entity whose duties involve supporting that purpose.
This clause will enable for example, nominated employees of healthcare
providers to use and disclose healthcare identifiers where their employer
is authorised to do so. This recognises the roles that employees may have.
The authorisation of employees who do not have a healthcare identifier to
access the Healthcare Identifiers Service is subject to the requirements
set out in clause 17, ie where the entity has given notice of the
authorisation to the service operator.
Clause 37 - Relationship to State and Territory laws
Relationship to State or Territory laws
Subclause 37(1) provides that for this Bill (once enacted) and any state
and territory laws to operate concurrently, where possible. This enables
existing privacy arrangements in states and territories to continue
operation where they do not conflict with the provisions of the Bill.
Subclause 37(2) ensures that were an offence under this Bill is also
provided for in a state or law, the individual can only be convicted of one
of the offences.
Subclause 37(3) provides that nothing in this Bill (once enacted) limits,
restricts or otherwise affects any right or remedy a person would have had
if this Bill wasn't enacted.
Declaration that Act does not apply
Subclause 37(4) states that where the Minister responsible for the
administration of the Act makes a declaration relating to specific
provisions and specified public bodies of a state or territory under
subclause 37(5), the provisions referred to do not apply to those
authorities.
Subclause 37(5) imposes an obligation on the Minister to declare that
certain provisions of this Bill do not apply to state or territory public
bodies in certain circumstances.
The declaration is to be made where a state or territory Minister requests
such a declaration to be made and the Minister responsible for
administering this Act, is satisfied that a law is in force in that state
or territory that has been agreed by the Ministerial Council as
appropriately supporting the handling of healthcare identifiers and any
associated information by public sector agencies in that state or
territory. The requirements for the Ministerial Council to be satisfied
are set out in the National Partnership on E-Health.
A declaration made under this clause is considered a legislative
instrument.
Subclause 37(6) provides the Minister with responsibility for administering
this Bill (once enacted) to revoke a declaration made under subclause 37(4)
where a Minister of a state or territory makes a request or where a state
or territory law previously agreed to by the Ministerial Council is amended
without their agreement.
Subclause 37(7) confirms the situation under the Legislative Instruments
Act 2003 that section 42 and Part 6 of that Act do not apply to a
declaration or revocation made under subclauses (5) and (6).
Clause 38 - Severability - additional effect of Parts 3 and 4
Clause 38 is intended to ensure that the Act is given the widest possible
operation consistent with Commonwealth constitutional legislative power.
Subclause 38(1) provides that without limiting the effect of the Act Parts
3 and 4 also has effect as provided by each of the subclauses 38(2) to
38(10) relying on different elements of Commonwealth power.
Clause 39 - Regulations
Subclause 39(1) enables the Governor-General to make regulations which are
required, necessary or convenient for the operation of, or giving effect
to, the Bill (once enacted).
Consultation with the Ministerial Council must be undertaken prior to the
making of such regulations.
The Bill enables regulations to be made in relation to a number of areas
including:
. prescribing additional identifying information that is necessary to
uniquely identify an entity, relevant to the definition of identifying
information (see clause 7);
. classes of healthcare providers (see clause 9)
. prescribing another entity as a data source (see clause 12(2));
. prescribing another entity as a service operator (see clause 6);
. prescribing a national registration authority (see clause 8) and
. prescribing requirements for assigning a healthcare identifier to a
healthcare recipient or healthcare provider, such as eligibility of
healthcare providers and any security obligations that healthcare
providers need to meet to be assigned a healthcare identifiers and/or
to access the Healthcare Identifiers Service (see clause 9).
Subclause 39(2) provides that the regulations may also provide for the
imposition of a penalty for not more than 50 units (a penalty unit being
worth $110).
Regulations to support this Bill (once enacted) will need to be in place to
support the commencement of Healthcare Identifiers Service. Proposals for
the regulations are currently being drafted and consultation with
stakeholders is expected to be undertaken between March and May 2010, prior
to the regulations being considered by the Ministerial Council.
HEALTHCARE IDENTIFIERS (CONSEQUENTIAL AMENDMENTS) BILL 2010
NOTES ON CLAUSES
Clause 1 - Short Title
This clause provides that the Bill, once enacted, may be cited as the
Healthcare Identifiers (Consequential Amendments) Act 2010.
Clause 2 - Commencement
This part provides for sections 1 to 3 of the Bill to commence upon Royal
Assent. Schedules 1 and 2 are to commence at the same time as the
Healthcare Identifiers Bill 2010 (once enacted).
Clause 3 - Schedule(s)
This clause seeks to make minor amendments to the Health Insurance Act 1973
and the Privacy Act 1988 as follows:
. Schedule 1-Amendment of the Health Insurance Act 1973
Item 1 of this schedule amends section 131(1) of the Health Insurance Act
1973 to include a reference to the Healthcare Identifiers Bill 2010 (once
enacted). This will allow for key functions allocated under the Healthcare
Identifiers Bill 2010 (once enacted) to be delegated by the Minister,
Secretary or Chief Executive Officer of Medicare Australia.
The inclusion of the reference to the Healthcare Identifiers Bill 2010
(once enacted) will enable the Chief Executive Officer of Medicare
Australia to delegate his or her functions to officers within Medicare
Australia. This is necessary to support the day-to-day operation of the
Healthcare Identifiers Service.
. Schedule 2 - Amendment of the Privacy Act 1988
Part 1 - Main Amendments
Item 1 of this schedule amends the definition of agency in section 6(1) of
the Privacy Act to include the service operator of the Healthcare
Identifiers Service. This will make clear that the service operator is a
Commonwealth agency for the purposes of the Privacy Act and will come under
the jurisdiction of the Privacy Commissioner.
In accordance with items 2 and 3 of this schedule, a definition of
healthcare identifier and healthcare identifier offence will be added to
section 6(1) of the Privacy Act to ensure consistency with the Healthcare
Identifiers Bill 2010 (once enacted).
Item 4 of this schedule will add a note to the end of section 13 of the
Privacy Act to clarify that an act or practice that contravenes the
Healthcare Identifiers Bill 2010 (once enacted) is an interference with an
individual's privacy. This aligns with subsection 29(1) of the Healthcare
Identifiers Bill 2010 which applies section 13 of the Privacy Act in
relation to acts or practices that contravene the Bill.
Item 5 of this schedule will add a new clause after section 27 of the
Privacy Act to support the additional functions of the Federal Privacy
Commissioner in relation to the Healthcare Identifiers Bill 2010 (once
enacted). The new clause 27A will clarify that the Privacy Commissioner
has authority to exercise existing functions such as conducting audits of
public sector agencies and own motion investigations in relation to
regulating the handling of healthcare identifiers.
In addition, the Privacy Commissioner will have the authority to
investigate an interference of an individual's privacy under the Healthcare
Identifiers Bill 2010 (once enacted) and where appropriate, attempt to
settle the matter by way of conciliation. This aligns with the functions
for the Privacy Commissioner, as set out in section 29 of the Healthcare
Identifiers Bill 2010.
Item 6 of this schedule will make minor technical amendments to section
28(1) and 28A(1) to recognise the insertion of the new clause 27A under
item 5 of this schedule.
Item 7 of this schedule will add a reference to healthcare identifier
offence in section 49(1)(a) to enable the Privacy Commissioner to refer
matters to the Commissioner of Police or the Department of Public
Prosecutions where, in the course of an investigation, the Privacy
Commissioner thinks an offence has been committed.
Part 2 - Amendments contingent on the Personal Property Securities
(Consequential Amendments) Act 2009
Privacy Act 1988
The Personal Property Securities (Consequential Amendments) Act 2009 makes
a number of amendments to the current Privacy Act but has not yet commenced
operation.
As the Healthcare Identifiers (Consequential Amendments) Bill 2010 proposes
amendments to the current Privacy Act, it is necessary to ensure it
operates consistently with the proposed amendments under the Personal
Property Securities (Consequential Amendments) Act 2009.
Items 9 to 13 of this schedule make minor technical amendments to ensure
the proposed amendments by both Bills appropriately align. Amendments
proposed in these items will commence operation once both item 26 of
Schedule 5 of the Personal Property Securities (Consequential Amendments)
Act 2009 and the Healthcare Identifiers Bill 2010 has commenced.
-----------------------
[1] Australian Institute of Health and Welfare, Australia's Health 2002,
as quoted in Deloitte, National E-Health Strategy, 2008, page 94.
[2] Karl A Stroetmann KA, Jones T, Dobrev A, Stoetmann VN, 'An Evaluation
of the Economic Impact of Ten European E-Health Applications', 2007, as
quoted in Deloitte, National E-Health Strategy, 2008, page 93.
[3] Ibid.
[4] Australian Audit Commission, For Your Information Canberra, 1995, as
quoted in Deloitte, National E-Health Strategy, 2008, page 93.
[5] G J Elwyn and N C H Stott, 'Avoidable Referrals? Analysis of 170
consecutive referrals to secondary care,' BMJ 309, 3 September 1994, as
quoted in Deloitte, National E-Health Strategy, 2008, page 93.
[6] Deloitte, National E-Health Strategy, 2008, page 93.
[7] Australian Audit Commission, For Your Information Canberra, 1995, as
quoted in Deloitte, National E-Health Strategy, 2008, page 93.
[8] G J Elwyn and N C H Stott, 'Avoidable Referrals? Analysis of 170
consecutive referrals to secondary care,' British Medical Journal 309, 3
September 1994, as quoted in Deloitte, National E-Health Strategy, 2008,
page 93.
[9] References cited in Deloitte, National E-Health Strategy, 2008, page
94.