Bills Digest no. 100 2011–12

PDF version [950 KB]

WARNING:
This Digest was prepared for debate. It reflects the legislation as introduced and does not canvass subsequent amendments. This Digest does not have any official legal status. Other sources should be consulted to determine the subsequent official status of the Bill.

Dr Rhonda Jolly
Social Policy Section
7 February 2012 

Contents
Purpose
Background
Committee consideration
Stakeholder comments
Financial implications
Key provisions
Concluding comments

---

Date introduced:  23 November 2011

House:  House of Representatives
Portfolio:  Health and Ageing
Commencement:  Sections 1 and 2 on Royal Assent. Sections 3 to 112 on day or days to be fixed by Proclamation or by the later date of 1 July 2012 or the day the Act receives Royal Assent.

Links: The links to this Bill, its Explanatory Memorandum and second reading speech can be found on the the Bill's home page, or through http://www.aph.gov.au/Parliamentary_Business/Bills_Legislation. When Bills have been passed and received Royal Assent, they become Acts, which can be found at the ComLaw website at http://www.comlaw.gov.au/.

Purpose

The Personally Controlled Electronic Health Records Bill 2011 (the Bill) will establish the framework for a national personally controlled electronic health record (PCEHR) system.

The Bill will also establish the regulatory framework under which the system will operate and a privacy regime which will govern the system, and which will operate in tandem with federal, state and territory privacy laws.

Background

Background information relating to the concept of e health—its definition and development in Australia and overseas—is comprehensively dealt with in the Parliamentary Library’s research paper, The e health revolution—easier said than done. This paper also contains discussion of the development of policy for the personally controlled electronic health system.[1]

A brief summary of the background information contained in the Library’s e health paper can be found in Box 1 below. The paper can be found at: http://parlinfo.aph.gov.au/parlInfo/search/display/display.w3p;query=Id%3A%22library%2Fprspub%2F1232345%22

Box 1: e health and PCEHR background

Committee consideration

This Bill and the Personally Controlled Electronic Health Records (Consequential Amendments) Bill 2011 have been referred to the Senate Community Affairs Legislation Committee for inquiry and possible report by 29 February 2012.

Reasons for referral and principal issues for consideration by the Committee have been listed as:

• privacy issues/ privacy breaches/ penalties for breaches
• security of information on the PCEHR
• questions about the design, functionality, and capability of the PCEHR
• questions regarding the use of consultants, contractors, and tenders let or hired by the National E-Health Transition authority (NEHTA) in regard to the development of the PCEHR
• the level of functionality of the PCEHR at 1 July 2012
• questions around the continuation of NEHTA after 1 July 2012
• the products that NEHTA designed, made, tested, certified for use in the PCEHR, and
• any other issues the Committee considers appropriate.

The inquiry therefore deals with more wide-ranging issues than the scope and operation of the PCEHR as detailed in this proposed legislation. In particular, the inquiry has been tasked with examining the actions of NEHTA in developing the PCEHR. It will also consider the possible ongoing role of NEHTA.

This Digest does not deal with these issues in detail. However, some discussion can be found in the Library’s e health paper, which was referenced earlier. The Digest also makes reference to stakeholder claims that standards, which should be in place to ensure the efficient operation of the system, are either inadequate or do not exist and that NEHTA is attempting to bypass proper process in order to meet the proposed July 1 start date for the PCEHR.

Forty six submissions to the Senate inquiry, which closed on 12 January 2012, were received. Some comment on these submissions is in the section on stakeholder observations later in this Digest.

Details of the Senate inquiry are at: http://www.aph.gov.au/Parliamentary_Business/Committees/Senate_Committees?url=clac_ctte/pers_cont_elect_health_rec_11/index.htm

Policy position of non-government parties/independents

Opposition

Detail of the Howard Government’s approach to e health in general and the concept of a personal e health record for patients can be found in the Library’s paper on this issue. Information in Box 2 below is an extract from that paper which considers recent Opposition approaches to e health.

Box 2: current opposition views on e health

More recently, specific criticism surfaced of the Opposition’s ‘lack of a viable alternative’ to the Government’s PCEHR plans.^[19] In response, Dr Southcott argued that opposition policy was still in development; the Opposition was in fact focussed on making sure the current Government’s program ‘ran smoothly and on budget’.^[20] With regards to this commitment, it should be noted that the Opposition has raised a number of questions about the PCEHR during recent Senate Estimates hearings, particularly in relation to the matters raised for consideration by the Senate inquiry into this legislation. At the time of writing this Digest, the Department of Health and Ageing has provided answers to most of these questions.[21] Some stakeholders complained, however, that they had relied on these answers being available to inform their submissions to Senate inquiry, but that this was not forthcoming before the final submission date.[22]

Other

Prior to the 2010 election the Australian Greens committed to support initiatives for e health which may be advanced by either a Labor or Coalition Government, ‘as long as strong data security and privacy protections are in place’ and individuals were given control over decisions about access to their records.[23] An election summary of policies noted:

The Greens support establishing an e-health system to enhance patient care, as long as the privacy of healthcare consumers is protected. We supported the Healthcare Identifiers Bill is [sic] last session of parliament which establishes the foundation of a future electronic health record system. The Greens believe that universal data will contribute to reducing the incidence of misadventure, save costs and inform performance across our health system.[24]

Stakeholder comments

Stakeholder comments on e health issues in general, and in recent times, on the design and operation of the PCEHR are many and varied. Some stakeholder views regarding aspects of the PCEHR are discussed in the Library’s paper on e health and are briefly summarised in Box 3 below.

Box 3: some key PCEHR issues

Standards issues

In addition to the issues raised in Box 3, there has been concern expressed by a number of stakeholders, including the Medical Software Industry Association, that technical standards and system interoperability of the PCEHR will be inadequate.[39] Security experts have also expressed ‘alarm’ about whether the system will work, arguing that the technology to guarantee security does not exist.[40] One source, for example, criticised the Department of Health and Ageing and NEHTA for wasting ten months and $200 million to produce ‘nothing’ in the way of standards.[41] A report by Direkt for NEHTA released in May 2011 was also critical of the progress NEHTA had made in developing essential standards.^[42]

In response to this type of criticism NEHTA announced the establishment of so called internal ‘tiger teams’ which were intended to produce technical standards by mid-November 2011 so there would be time for a Standards Australia review before the PCEHR commenced operation. The approach was labelled risky and a panic response by the chairman of one standards committee. This source claimed that while Standards Australia and other national bodies follow a tedious and slow process governed by the International Standards Organisation, the alternative of not conducting a rigorous assessment was worse.[43]

On 17 November 2011 NEHTA released a specifications and standards plan for software vendors. The plan outlined the timeframes and process for the release of standards for the PCEHR. To coincide with the plan, specifications for the PCEHR Event Summary document were published. NEHTA announced that specifications for other PCEHR components, including Discharge Summaries, would be progressively released. According to NEHTA, the plan was informed by feedback from software developers and implementers and the standards development community, as well as consultation on the Concept of Operations document and lessons from e health test sites.[44]

In December 2011, however, the Australian reported that the tiger teams process was ‘in disarray, following delays in finding volunteers and the late release of thousands of pages of both old and new documentation still to be pulled into shape as useable specifications’.[45]

In light of such delays in the critical process of establishing and deploying infrastructure for the PCEHR system, Dr Ian Colclough’s submission to the Senate inquiry echoes what it appears a number of other stakeholders have been thinking—the basic components of the PCEHR are far from ready to be deployed.[46] Colclough has suggested in fact that ‘more work needs to be done before a national rollout of an untried and unproven PCEHR system is permitted to proceed’ and that the passage of this Bill is ‘premature’.[47]

The submission to the Senate inquiry from the Medical Software Industry Association (MSIA), whose members include Cerner, Cisco, iSoft and Microsoft, added its criticism to Dr Colclough’s concerns about the issue of PCEHR readiness. MSIA effectively delivered what has been labelled a ‘scathing criticism’ of the handling of the e health record project.[48] It was particularly disparaging about NEHTA, claiming that while there was much ‘trumpeting’ about the release of the vendor portal launched in November 2011, there were a range of system useability issues which NEHTA had not addressed.[49] These included that documents which developers were expected to use were out of date or not final, as well as numerous other examples of ‘poor planning, failure to complete to deadlines and a range of other unacceptable behaviour that contravene normal Australian business practices’. In MSIA’s view, this did not inspire the confidence of soft ware vendors.[50]

Prior to publication of the MSIA submission, in late January 2012 NEHTA announced postponement of the implementation of primary care desktop software development at a number of trial implementation sites. According to NEHTA, the decision was prompted after technical incompatibilities were identified in internal checks which occurred after the November release of specifications.[51] And while NEHTA, DoHA and the Government continue to stress 1 July as the key implementation date for the PCEHR, this delay may be the first in a number of similar setbacks, should claims such as those made by MSIA be proven to be correct.[52]

Ian Colclough’s comments are worth noting in this context:

Standards Organisations cannot expect the standards they are proposing will be readily adopted until the Standards Organisation can prove that the proposed standards will work and, equally importantly, that they can be implemented successfully before being formally designated as a ‘Standard’.

This raises some very important commercial and strategic considerations for health software vendors and for NEHTA. Who should ‘carry the risk’ of proving that the intended standards being developed and then recommended can be implemented and will work?

The complex nature of the healthcare environment dictates that standards must be allowed to evolve over time and not be enforced in the form of an ultimatum for all and sundry to adopt. It should first be proven that the proposed standards work in a controlled live environment and, as such, are acceptable to the vendor community.

Only then is it reasonable to consider the implications of subsequently mandating the standards and exploiting market forces to drive their uptake; perhaps through the use of certification and accreditation procedures.

Consequently, mandating standards prematurely should be avoided if at all possible. A more pragmatic and less risky approach is to create a collaborative environment which is conducive to allowing standards to evolve; an environment which is based on consensus and in which the ‘healthICT’ vendor community is closely involved. This needs to be done in a way which sensibly supports health software vendors who work at the coalface delivering solutions.[53]

Further issues raised in submissions to Senate inquiry

In addition to the comments noted above, a number of general comments on e health and on the PCEHR proposals were made to the Senate Community Affairs Committee inquiry into this Bill and a related consequential amendments Bill.[54] Some of these are noted in this section.

The Australian Privacy Foundation (APF) expressed considerable angst that, in its view, it had not been able to engage in meaningful consultation with the Department of Health and Ageing (DoHA) and NEHTA, despite ‘systematic and transparent’ attempts to do so over several years.[55] In light of this situation the APF saw this Bill as ‘disappointing’. It listed a number of complaints including:

• poor governance arrangements under which ‘[m]otherhood statements and general governance principles are documented without any form of operationalisation ‘. Specifically, the APF was concerned that government agencies ‘will steward all information’ stored in PCEHRs and that there ‘are no complaints mechanisms embedded in the Bills’
• an ‘unseemly rush’ to ‘retrofit’ international system standards to Australian PCEHR architecture. The APF considers this will make it create an ‘island Australia’ in which businesses and consumers are unable to interact with other countries, and
• Government and other agencies are ‘devoid of responsibility for adverse health errors, stolen or misused data from centralised databases and practitioner ICT systems’.[56]

In light of the APF’s comments, it should be noted that DoHA commissioned law firm Minter Ellison to review the privacy aspects of the PCEHR with the intention of achieving an ‘appropriate balance between the competing interests of access to health information and minimising any unnecessary and avoidable privacy intrusions’.[57] The Minter Ellison report, published in November 2011 contained 112 recommendations, of which 95 were accepted either in full of in part.[58] In terms of governance, it should be acknowledged that many of the recommendations in the report provide a potential basis from which subordinate legislation through regulations can address at least some stakeholder concerns.[59]

The Australian Psychological Society (APS) has raised concern that while the Concept of Operations outlined an ‘effective removal’ records option under which consumers could delete or restrict access, it is not clear if the PCEHR will then still contain a reference to the removed item. From discussions with NEHTA and other bodies the APS believes also that ‘despite their removal, effectively removed records can still be obtained from the System Operator by the consumers or even under court orders’. In other words, the removed records are still archived by the System Operator.[60] As details of this option will not be known until rules and regulations are made, the APS has called for clarification. However, as the APS also points out, this is an important privacy aspect which many would consider should not be left to supplementary legislative instruments.

As is noted throughout the section which discusses the provisions in this Bill, many of the submissions to the Senate Inquiry and to previous public consultations have expressed serious disquiet about the lack of detail provided in the legislation. Aged and Community Services Australia (ACSA) has remarked that rules and regulation have not been drafted, so they may vary over time, ‘yet they are to contain significant particulars of the PCEHR system’. Until the rules are drafted, ACSA continues, aged care providers (and indeed, all providers and consumers alike) ‘cannot know conclusively whether they will be even able to fulfil the requirements to participate in the PCEHR system ’.[61]

The Australian Osteopathic Association has been equally concerned that so much will be left to subordinate legislation. It has specifically requested that the Senate Committee inquiry ‘require’ DoHA to disclose details so that interested parties can assess how the PCEHR system will actually operate.[62]

Certain professions are anxious about the financial burdens implementation of the PCEHR will place on them. They see themselves as bearing increased infrastructure and business costs without support or incentives from government and maintain that as a result the effectiveness of the system will be diminished.[63] Similarly, at least one hospital provider is uneasy about the financial risks it will incur ‘in the hope that by enabling hospital technology systems to utilise the potential benefits of the electronic record, sufficient clinicians and consumers will themselves voluntarily utilise the record’.[64]

Financial implications

The 2010–11 Budget committed funding of $466.7 million over two years to establish ‘the key components’ of a personally controlled electronic health record system’.[65]

The Explanatory Memorandum to the Personally Controlled Electronic Health Records (Consequential Amendments) Bill 2011 provides the following table:[66]

 

As noted in the Parliamentary Library paper on e health, University of Sydney surgery professor, Mohamed Khadra, has described the $467 million allocated for the PCEHR as ‘a drop in the ocean’.[67] It has been recently reported also that healthcare organisations, medical providers and the software industry are sceptical about Government commitment to providing financial support for e health in general.[68] 

Key provisions

This Bill consists of eight parts. The Explanatory Memorandum discusses each of these parts in considerable depth. The following section discusses provisions in the legislation that have raised, or may raise future concerns with stakeholders.  The section refers to submissions received to the Government’s Exposure Draft of the PCEHR legislation and to those received in response to the referral of this Bill to the Senate Community Affairs Committee for investigation.

The Exposure Draft of the PCEHR Bill was released by the Government on 30 September 2011. Fifty one submissions were received to the Exposure Draft and these were consulted in preparing the current Bill. Some submissions to the Senate inquiry note that the current Bill has taken into consideration certain suggestions made to the Exposure Draft. For example, the Office of the Australian Information Privacy Commissioner acknowledges that the PCEHR Bill now includes that one of the functions of the operator of the system is to educate consumers and other participants among other additions to the Exposure Draft.[69]

As well as addressing issues raised in submissions to the Senate inquiry this Digest refers to a number of issues which were raised in the Exposure Draft and which appear not to have been addressed in the current legislation.

Part 1—Preliminary

This part states the title of the proposed legislation, deals with commencement and the object of the Act and provides a simplified outline of the proposed Act before considering a number of definitions to be used in the PCEHR system.

Healthcare and nominated healthcare provider  

Part 1 clause 5 defines a series of terms and phrases used in the legislation. These include the definition of a PCEHR and the PCEHR system. Reponses to the Exposure Draft elicited no substantial objections to the majority of definitions in clause 5. However, one response from Medibank considered that the definition of healthcare in the Exposure Draft was too limited. Medibank suggested that the legislation would be improved by the inclusion of a reference to the prevention of diseases, injuries or conditions. Similarly, the definition appeared to exclude instances such as some treatment affecting fertility under the definition of healthcare.[70]  As the Explanatory Memorandum points out, many of the terms defined in the Bill are aligned with the Healthcare Identifiers Act 2010 and the Privacy Act 1988.[71] The definition of healthcare which Medibank found wanting is one such definition.

There has been some issue also with the definition of healthcare provider in clause 5. The legislation defines a healthcare provider as an individual healthcare provider or a healthcare provider organisation, but the Australian Privacy Foundation (APF) finds this inadequate, as does the Pharmacy Guild of Australia.[72]

By far the most controversial of the definitions in the Bill has related to which health professionals will be recognised as nominated healthcare providers.  The Bill proposes in clause 5 that medical practitioners within the meaning of the National Law, nurses within the meaning of the National law and certain categories of Aboriginal and Torres Strait Islander health practitioners within the meaning of the National Law are the categories of practitioners specifically eligible for recognition.  Individuals, or an individual included in a class, may later be prescribed by the regulations, but some groups have argued that additional categories should be added to the definition. The Australian College of Midwives considers midwives should be one of these categories because of ‘the enduring therapeutic relationships’ midwives have with women for the course of their reproductive life cycle.[73] The Pharmaceutical Society of Australia recommends that the category be expanded to all nationally registered health professions.[74] The Pharmacy Guild of Australia argues that pharmacists are ‘frontline’ contacts for patients and so well placed to be nominated healthcare providers.[75] The Australian Osteopathic Association believes the Bill as it stands diminishes the professional standing of many health practitioners.[76]

Details are again not clear about who will ultimately be eligible as a nominated healthcare provider—the list may remain restricted or there may be ‘open slather’, depending on the regulations. There is the danger that patient privacy could be jeopardised if too many groups are able to create and maintain shared health records and it could be argued that this is the reason a core group of practitioners has been identified in the legislation. At the same time, there should be concern that regulations may later provide indiscriminate access to records.

One further issue in relation to the nominated healthcare provider is the AMA’s call for remuneration to be provided to medical practitioners for using the PCEHR. The AMA argues this will provide some compensation to these practitioners for the risks, costs and challenges they will incur in creating and maintaining shared health records, ‘for free’.[77]

Authorised representatives and nominated representatives

Clause 6 sets out and defines the concept of authorised representative of a consumer proposed under the legislation. The Explanatory Memorandum describes an authorised representative as a person who ‘will be able to register a consumer for a PCEHR and manage the access controls of the PCEHR on behalf of the consumer’.[78] Clause 7 defines a nominated representative of a consumer. A nominated representative essentially differs from an authorised representative in that the role undertaken is more informal and a consumer can still retain access control of his or her PCEHR.  The Explanatory Memorandum provides a detailed discussion and examples of how these concepts will apply to those under and over the age of 18 years.

Clauses 6 and 7 have raised some concern. Subclause 6(3) provides that the entity which is to be responsible for creating and administering the PCEHR, the System Operator, can decide if a person under the age of 18 years is capable of managing his or her own PCEHR. MDA National Australia has questioned if a System Operator would be actually able to determine if persons under the age of 18 years are capable of making decisions, given the inconsistency in laws which exist across the states and territories.[79] Further, MDA asks if a System Operator of any kind should have the power to decide if a person is capable of making these types of decisions. In MDA’s view, such decisions are more appropriately in the hands of a medical practitioner. On the other hand, it should be noted that a medical practitioners is not involved in the decision to award a Medicare card to a young person 15 years or over who applies for one. This decision is an administrative one made by Medicare once appropriate identification is produced.[80]

The Australian Dental Association (ADA) has also expressed concerns about minors’ ability to manage their own health records. The ADA believes allowing minors even graduated control over their PCEHR may create a precedent which could have unintended consequences. It considers there are considerable risks that health practitioners may not receive adequate and relevant information to enable them to provide effective care if minors are given this type of control.[81]

There has also been concern expressed about the processes by which the System Operator will be ‘satisfied’ about the appropriateness of persons to act as authorised or nominated representatives or whether a consumer is capable of making decisions about his or her PCEHR. A joint submission to the Senate inquiry from Aged and Community Services (ACS) and the Aged Care Association of Australia (ACAA) pointed out some difficulties with the term. The legislation is silent, for example, on ‘the process or threshold of the relevant satisfaction’ and other important details, such as ‘when satisfaction might lapse’.[82] Similarly, this submission questions the level of informed consent required, how consent is to be obtained and what occurs if consent is withdraw or lapses due to incapacity.

It can be assumed that these processes will be articulated in rules and regulations which will be able to be made under clauses 109 and 112. However, there is no certainty that this will be included in the rules and/or regulations. Nor is it certain that a rule and/or regulation will be made in this instance, as clause 109 states only that the Minister may make rules relating to various aspects of the operation of the PCEHR system. Clause 112 states that the Governor–General may make regulations prescribing matters to carry out or give effect to the Act (once enacted).

The Victorian Minister for Health, David Davis, in his submission to the Exposure Draft Bill noted that the Bill referred to proposed regulations in ‘multiple places’ and that there was an indication of ‘known’ areas where rules were likely , but there was ‘ no detail of their content’.[83] Minister Davis rightly identified that the PCEHR Rules would be ‘crucial to understanding the impact of implementing the PCEHR and its ongoing operation on existing clinical processes’.  At the same time, however, Davis considered it appropriate that the rules were not enshrined in core legislation.[84] From the tone of many submissions to the Exposure Draft, it appears that this is not generally the view of stakeholders.

In the view of the APF, clause 11 is also problematic. This clause states that the Crown is not liable for prosecution or pecuniary penalties for offences under the legislation. The APF believes the clause absolves governments and their agents from any responsibility for the handling of personal clinical information.[85] The Explanatory Memorandum counters, however, by noting that this type of clause is common in Commonwealth legislation and its existence does not mean that the Crown is exempt from sanctions:

If the Crown in any of its capacities does not comply with its obligations under this Bill, other remedies are potentially available. For example, it may be subject to a declaration or injunction, investigated by the Information Commissioner under the Privacy Act, investigated by the Ombudsman, subject to Parliamentary scrutiny or subject to claims for breach of statutory duty. Further, while the Crown may have immunity in certain regards, the employees and contractors of the Crown will not necessarily have any such immunity. Finally, nothing in the Bill prevents an individual who suffers loss or damage from seeking to recover that loss or damage from the person who caused it.[86]

Part 2—the System Operator, advisory bodies and other matters

Part 2 of this Bill sets out the proposed governance arrangement for the PCEHR system. This part establishes the System Operator and two advisory bodies—the Jurisdictional Advisory Committee and the Independent Advisory Council. Part 2 also set out the function of the Chief Executive Medicare in relation to the PCEHR.

System Operator

There has been considerable concern expressed about the identity and role of the System Operator. While the legislation provides under paragraph 14(1)(b) that once the PCEHR is operational that a new body may be established and prescribed in regulations to act as the System Operator, at least initially it is intended that the role will be assigned to a bureaucrat—the Secretary of the Department of Health and Ageing. In its response to this situation as described in the Exposure Draft, the Pharmacy Guild of Australia expressed concern:

... the appropriate governance framework [for the System Operator] is yet to be determined and that the Secretary of the Department of Health and Ageing will fulfil the role. Governance of such an important system should not [emphasis in original] be vested in a single person who may or may not choose to follow the advice from the Jurisdictional Advisory Committee and the Independent Advisory Council.[87]

This view was echoed in a number of submissions to the Exposure Draft, although at least one submission to the current Senate inquiry ‘understood’ the difficulty in establishing an independent System Operator initially.[88]

In contrast to the concern expressed by stakeholders about bestowing significant control over personal information on a bureaucrat, the Explanatory Memorandum argues that having the Secretary of the Department of Health and Ageing as the System Operator will ensure accountability and transparency.[89] In addition, the arrangement will deliver a smooth transition from arrangements made to accommodate the PCEHR ‘system build’ and provide coordination for jurisdictional and stakeholder involvement.[90]

The Explanatory Memorandum notes also that it is intended that discussions will continue with states and territories with regards to the development of ‘an inter-jurisdictional national e-health body’.[91] The establishment of such a body may indeed allay the concerns of critics, but while it remains only a possibility and the situation exists where a bureaucrat is entrusted with what for many seems excessive control over the PCEHR system, it seems unlikely that these objections will cease. In addition, at least one stakeholder is concerned that consultations about an alternative system operator body may only take place between the federal and states and territory governments, without for example, reference to input from Indigenous people.[92]

Limitations on the functions of the System Operator under clause 15 appear to be of minor concern. Primarily, as David Davis notes, paragraph 15(b)(0) provides that a function of the System Operator is to do anything incidental or conducive to the performance of any of the functions listed in the clause. Davis assumes that this function has been deliberately made broad ‘to prevent a narrow or literal interpretation’ from hampering the operation of the PCEHR system, and that the expansive scope of the statement could be reconsidered.[93]

On the other hand, the broad nature of the System Operator’s powers, as noted by Davis, has caused considerable disquiet. Clause 16 requires the System Operator to have regard to advice and recommendations made by a Jurisdictional Advisory Committee and an Independent Advisory Council. A number of submissions to the Exposure Draft pointed out that this requirement does not include a direction for the System Operator to take that advice. As a result, some groups, such as the National Aboriginal Community Controlled Health Organisation (NACCHO), believe:

... the ‘unlimited power of the System Operator is a potential threat to the integrity of the PCEHR. By allowing the System Operator to take advice, but not be required to act on that said advice, it allows for the System Operator to be negligent and dismissive of potential issues arising.[94]

The Office of the Australian Information Commissioner (OAIC) submits also that it is not sufficiently clear whether any future System Operator will be subject to the Privacy Act.[95] The OAIC notes that while the Explanatory Memorandum states that this will be the case, ‘there is no corresponding provision in the PCEHR Bill’; further, that it is intended the OAIC will provide comprehensive privacy oversight and that this will be achieved by establishing the System Operator as an ‘agency’ for the purposes of the Privacy Act. However, the OAIC recommends that this is specifically stated in clause 14.

The Explanatory Memorandum makes no attempt to justify the System Operator’s powers, simply noting that advice and recommendations from the advisory committees and the System Operator’s subsequent decisions ‘may be made public to provide for public scrutiny and transparency’.[96] There is no guarantee, however, in either the Explanatory Memorandum or the legislation, that advice and/or decisions will actually be made public.

In addition, the Explanatory Memorandum advises that the System Operator and its advisory bodies may draw on expert advice ‘as appropriate’ and that this includes advice from the Australian Information Commissioner in relation to privacy matters.[97] But yet again, there is nothing in the actual legislation which requires the System Operator to do so. The question could be raised therefore about whether the Information Commissioner should in fact be mentioned in the legislation in this instance. Additionally, with regards to the powers of the Information Commissioner in general, it could be asked if these should be more formally elaborated upon in the legislation, rather than being obliquely referred to for the most part throughout the legislation with reference to the Privacy Act 1988 (the Privacy Act).

In both its submissions to the Exposure Draft and to the Senate inquiry, the Australian Psychological Society points out also that it is not clear in the legislation to whom consumers can turn when they have issues or complaints against the PCEHR System Operator. Clause 97 states that decisions made by the System Operator will be subject to merits review and the clause lists to what types of decisions this would apply, but it does not make reference to complaints about the System Operator itself.[98] Its submission to the Senate inquiry adds that there should be a one stop shop for all complaints about the system. In addition, the Senate submission considers efficient ‘operational infrastructure’ for the PCEHR requires that a cross agency committee, which consists at least of representatives from DoHA, the Department of Human Services and the Department of Broadband Communications and the Digital Economy, is set up.[99]

Advisory committees

Global information security company, Giesecke and Devrient, consider in particular that if the Secretary the Department of Health and Ageing continues as the System Operator, there is a clear requirement for ‘strong and wide ranging powers’ to be granted to both the Jurisdictional Advisory Committee and the Independent Advisory Council.[100]

The Royal Australasian College of Surgeons (RACS) submission to the Exposure Draft focussed on the issue of the independence of the Independent Advisory Committee, suggesting that the Department of Health and Ageing would have considerable influence over clinical advice provided to the Committee and that this would affect its ‘rigor and effectiveness’.[101] According to RACS, this was a long way from the governance principles articulated in the Government’s legislative issues paper.[102] These principles were those first articulated in the National E-Health Strategy—accountability, transparency, appropriate stakeholder representation, sustainability, support for activity at multiple levels, effective leadership and coordination and balancing local innovation and national outcomes.[103]

The Consumers e-Health Alliance (CeHA) proffered a solution to improve governance which entailed the Independent Advisory Council providing advice to the Minister, rather than the System Operator. CeHA sees this approach as maintaining a necessary separation between the ownership and operation of the PCEHR, while at the same time delivering a ‘continuum of community engagement’.[104]

There are likely to be further questions about the composition of the Independent Advisory Committee as proposed in this Bill. The Health Consumers Council (HCC) was unhappy with the provision in the Exposure Draft that one knowledge requirement for each member of the Independent Advisory Council was that of ‘consumers’ receipt of health care’. The HCC called for this to be changed to require that an independent consumers’ representative; that is, a representative not associated with a healthcare provider, was a member of the Council.[105]

While the HCC is likely to be pleased that under the proposed legislation three members of the Council must have ‘experience in or knowledge of consumers’ receipt of healthcare’, it is likely still to note that there is no specific requirement for any of these to be independent of healthcare organisations or providers.[106] Moreover, this group and others may also be concerned about the lack of specificity with regards to the experience and/or expertise of Council Members across a broad spectrum of areas ranging from law and privacy to health informatics and information technology (clause 27(2)(b)). The Australian College of Midwives, for example, argues that places on the Independent Advisory Council should be allocated to registered nurses and midwives because no profession is able to speak for others on matters outside its scope of practice and this will occur unless nursing is specifically represented.[107]

The Aboriginal Medical Service Alliance of the Northern Territory (AMSANT) was not convinced that the needs of Aboriginal people will be best served by the state and territory representatives appointed by health departments. AMSANT noted that many aboriginal health services ‘have continued issues with their respective state and territory health departments, [so] to have representation exclusively by them would serve only to repress their needs’.[108]

The Australian Medical Association suggested that the System Operator could be made more accountable if a requirement were included in legislation that advice provided by the Jurisdictional Advisory Committee (and it could be argued the Independent Advisory Committee) must be published on the System Operator’s website within ten days of that advice being provided to the System Operator. Further, that the System Operator’s reasons for accepting or not accepting that advice should also be published on the System Operator’s website within ten days of a decision being made.[109]

The Consumers Health Forum has since expressed its concern that the System Operator is under no obligation to accept recommendations from the Jurisdictional Advisory Committee and the Independent Advisory Committee. CHF called for a requirement for the System Operator to provide a rationale for any decision not to accept recommendations for the advisory committees to be included in the legislation.[110] The Aboriginal Medical Service Alliance of the Northern Territory is of a similar view. It recommends that the System Operator should ‘have a unilateral agreement between itself and the two independent advisory groups before initiating any significant actions that may affect health outcomes’.[111]

Part 3—Registration

Part 3 of the proposed Bill sets out the eligibility criteria for registration for participants in the PCEHR system. It also sets out obligations which the System Operator must fulfil in the registration process and the obligations of participants in the system.

Voluntary registration

A number of issues have been raised in conjunction with the proposed registration requirements in the Bill. Clause 39 indicates that registration for the PCEHR will be voluntary; no consumers who choose to ‘opt out’ by not registering will be denied access to healthcare services and medical benefits, as long as they comply with eligibility requirements. This voluntary nature of consumer registration prompted Epworth Hospital to argue in its submission to the Exposure Draft that there can be no uniform national PCEHR system unless consumers are denied any ability to opt out of the system.[112]

Pseudonyms

A contentious issue has been whether registration by pseudonym will be allowed under the PCEHR. The Explanatory Memorandum confirms that clause 40 will allow consumers to register using a pseudonym, if they have obtained a pseudonymous healthcare identifier from the Healthcare Identifiers Service.[113] The Office of the Australian Information Commissioner (the Information Commissioner/OAIC) supports giving individuals the clear option to transact pseudonymously to protect their privacy, where this is lawful and practicable.[114]

At the same time, other organisations are opposed to registration by pseudonym. The ADA believes there is potential for pseudonyms to be misused fraudulently.[115] The Australian Nursing Federation has also been opposed to allowing the use of pseudonyms on the grounds it may lead fragmentation or duplication of healthcare records and documentation errors and duplication of health information.[116] The Royal Australian and New Zealand College of Psychiatrists calls the proposal ‘potentially dangerous’ because it may mean medical practitioners only have access to incomplete records. This college suggests that some alert must be in place to warn practitioners and to allow them to refuse to treat patients ‘they conscientiously believe they cannot help adequately’.[117]

Other consumer registration issues

A number of other issues have been raised in relation to consumer registration. These include what are seen as omissions in the registration process. The Office of the New South Wales Privacy Commissioner argues that registration as specified under clause 39 should have provided for a trans-gender category, for example.[118] Further, David Davis expresses concern that registration processes specified under clause 40 may not sufficiently identify consumers who will possibly be able to register online or by telephone.[119] The ADA also notes its concern about the lack of personal identification required to release personal medical records and to establish a PCEHR for consumers. The ADA considers that the identification required before a consumer is registered in the PCEHR system should be at least consistent with that which is needed when people apply for a Medicare Card, drivers licence or a passport.[120]

AMSANT has called for more accommodation of the needs of Aboriginal people in the registration process through the provision of adequate translation services to ensure privacy is not compromised.[121] While no submission made the point, it could be argued that this issue would be equally applicable to persons of non-English speaking background.

The Explanatory Memorandum argues there is provision in the proposed Bill for regulations to be made which will be able to deal with such issues (paragraph 40(b)(v)).[122] The Explanatory Memorandum lists a number of matters that may be addressed in PCEHR Rules and the types of documentation required for registration for example. Whether these matters are resolved by the regulations, however, does depend on what is contained in those regulations.[123]

In at least one instance, it has been suggested that regulations may prove inadequate. South Australia Health points out issues in relation to the registration of new born infants, quoting the Government’s Concept of Operations document which concedes that these consumers may not have a verified healthcare identifier and that alternative processes will be put in place to deal with this situation. This is not addressed in the legislation and indeed, South Australian Health suggests that the note to clause 41 which prevents the System Operator from registering a consumer in circumstances other than those cited in the clause may not permit the registration of newborn infants under the PCEHR system.[124]

Davis points out also that clause 41 requires the System Operator only to decide to register a consumer; rather than that it must register a consumer who satisfies registration eligibility.[125] Clauses such as this therefore give the System Operator a considerable amount of discretion and while again it may be that the regulations will deal with these types of matters, it remains that this language is embedded in the legislation and equally it is not clear what exactly will be in the regulations.

Registration of healthcare providers

Comments on Divisions 2, 3 and 4 of Part 3, which deal with the registration of healthcare provider organisations, appear to have elicited less comment than conditions relating to the registration of consumers.

A general comment by Medical Software Industry Association (MSIA) is worth noting. The MSIA considers that it is critical healthcare providers and organisations are made aware of rules of operation for all parties from the outset. But at present there are only statements about what rules may be made by the Minister, so uncertainty exists with respect to storage, administration and participant requirements; all essential aspects of governance.[126]

The MSIA saw paragraph 45(c), which provides that organisations must not upload records that could infringe copyright, as problematic. The MSIA considered:

 This could be a hard call for a registered nurse or exhausted health professional not trained in intellectual property. The only safe course would be to err on the side of caution and not share the information which could prove useful to the care team and improve the health care of the consumer.[127]  

It recommended clarifying the clause. This could occur, for example, if the creator of a record noted copyright in that record and if there was an intention to allow or disallow it to be shared within the PCEHR.

The Insurance Council of Australia believed clause 46, which requires healthcare providers not to discriminate against those not registered under the PCEHR system, may in fact prohibit practitioners from refusing treatment on legitimate grounds.  The Council called for clarification of this provision, so that practitioners will not be inadvertently affected. In a similar vein, the Royal Australasian College of Physicians (RACP) commented:

Consumers may experience differences in their care because they have concealed relevant information because of the nature of the information that has been concealed rather than the mere fact they have concealed information. Thus, a person who conceals the information that they have diabetes may not receive healthcare aimed at managing the condition, including complications.[128]

RACP suggested that it was made a condition of registration that a healthcare provider does not refuse to provide healthcare to a registered consumer only because the consumer has set particular access controls on his or her PCEHR.[129]

Storage of records

Paragraph 48(c) which intends to require repository and portal operators to locate the central management and control of their services in Australia at all times the operators are registered, has attracted some comment. The Office of the Australian Information Commissioner (OAIC) welcomed the proposed requirement as stated in the Exposure Draft.[130] The OAIC also supported the requirement (under clause 77) that records held by these operators (and registered service providers and the System Operator) for the purposes of the PCEHR system, (whether or not the records are also held for other purposes), must not be held or taken outside Australia. OAIC believed that storing and processing health information in other jurisdictions may reduce the security of this information and limit avenues for redress in the event information was misused or mishandled.

A joint submission from Records and Information Management Professionals Australasia and the Australian Society of Archivists on the Exposure Draft was equally supportive of records being located within the geographical boundaries of Australia, so that local privacy and other legislative regimes will apply.[131]

The Microsoft submission to the Exposure Draft argued on the other hand that healthcare information stored in a PCEHR will not necessarily be better secured and protected simply by virtue of data being held within Australia. Microsoft considered the exclusion of storage repositories and portals located outside of Australia will prevent many well-credentialed corporations from providing services to healthcare consumers in the PCEHR system.[132]

In the context of this discussion it should be noted that not every state in Australia has privacy legislation. South Australia, for example, does not currently have a state-based privacy statute. However, the South Australian government has issued an administrative instruction requiring its government agencies to generally comply with a set of Information Privacy Principles. Similarly, there is no legislative privacy regime in the public sector in Western Australia. In that state, various confidentiality provisions cover government agencies and some of the privacy principles are provided for in the Freedom of Information Act 1992 (WA).[133]

Privacy issues were raised by MSIA in relation to what now constitute a number of clauses in Part 4 of the proposed legislation. Clause 50 provides that registered repository, portal or contracted service providers must provide information included in the PCEHR of a consumer if requested to do so by the System Operator. As there are no rules to clarify this provision the MSIA argued that it may be possible that situations occur ‘where consumers would not have provided the information if they had been aware this was a possibility. This would not therefore constitute truly informed consent and could pose a serious threat to privacy’.[134]

Clause 57 requires that the entries made in the Register to be established by the System Operator can include ‘such administrative information as is necessary for the purposes of the proper operation of the PCEHR system’. In MSIA’s view, this is an ‘unduly open’ clause which could have an impact on privacy. Therefore, the type of information to be recorded requires specification from the outset.[135]

Part 4—collection, use and disclosure of health information included in a registered consumer’s PCEHR

Part 4 of this Bill describes the uses for which information relating to a PCEHR can be collected, used and disclosed. This part also deals with civil penalties that may be imposed if information is collected used or disclosed recklessly.

Clarification of terminology

The AMA was uncertain of the difference between the terms ‘access’, ‘collection’ and ‘use’ in this part, and sought clarification.[136]

Civil penalties issues

The Victorian Health Minister viewed the civil penalty scheme elaborated upon in the Exposure Draft with concern. In his opinion it captured conduct which ranges from that which was serious and may warrant criminal sanctions to very minor infringements which should not attract significant penalties (clauses 59 and 60).

On the other hand, the APF viewed the civil penalties as ineffective, given that a person who breaches the PCEHR must be proven to be reckless and knowingly so in the use and disclosure of information. The APF asked, seemingly with tongue in cheek, what penalties would apply in the context of unintentional breaches of community information.  It suggested such penalties could include, but not be limited to, compensation to the aggrieved parties or the availability of class action in the case of major breaches.[137]

Disclosure and control

The OAIC in particular made extensive comments on use and disclosure clauses in the Exposure Draft. Importantly, the OAIC endorsed the emphasis placed in the legislation on individual control of consumers’ health information. This continues to be a focus in this Bill, for example, (under paragraph 61(1)(b)(i)). According to the OAIC, ‘it is important that individuals are able to choose whether to have a PCEHR, and if they choose to have a PCEHR, that they are able to choose what information will be included and who will have access to it, to the extent practicable’.[138]

Further to the OAIC’s comment, Dr Rod Phillips from the Royal Children’s Hospital is unhappy that while adults can choose to open a PCEHR, they cannot choose to delete it fully or partially. Phillips believes that if people are given an option to delete information permanently after a ‘cooling off’ period that there will be more consumer acceptance of the PCEHR. The same ability option is even more important for children Phillips believes.[139]

In opposition, and as noted in the Parliamentary Library paper on e health, the Australian Medical Association (AMA) has been highly critical of the intention that consumers would retain control of their e health records. The AMA considers patient control sets a ‘very dangerous precedent that could undermine all the potential benefits of an electronic health record’.[140]

Additionally, the ADA has argued that if consumers are worried about sensitive information then they should not ‘opt in’, but those who do so should not have the ability to withhold selected information, as this will compromise the integrity of the record and not deliver envisaged improvements in patient care.

It is absolutely essential the practitioners who have access to PCEHRs have confidence that the record is complete and can be used to influence clinical decisions. If practitioners lose confidence in the PCEHR System (due to consumers making decisions as to what health information to disclose – creating the risk that medically relevant information is omitted from health practitioner’s clinical assessments), they will stop using it and it will fail.[141]

The ADA considers that if the legislation is not changed and practitioners are forced to rely on records that may be incomplete, then a provision must be included to indemnify health practitioners from any liability arising from their reliance on consumers’ PCEHRs.[142] Medical Defence Organisation, Avant, submitted it was similarly concerned about the effect of consumers choosing to exclude or limit practitioner access to health information. Avant’s solution was that the System Operator should be required to inform practitioners if limitations were on consumer records.[143]

Another issue of concern in relation to clause 61 involves a situation where no controls may have been set on the disclosure of information. Clause 61 authorises a participant in the PCEHR to collect, use and disclose health information of a registered consumer if the information is for the purpose of providing healthcare to the consumer and if it is in accordance with access controls set by the consumer. If there are no access controls set, then use and disclosure access is to be in accordance with ‘default access controls’ specified by the PCEHR, or if these do not exist, then access control is set by the System Operator.

It would be useful in the MSIA’s view if paragraph 61(b)(ii) actually specified what default settings would apply and that these were to be privacy compliant.[144] Neither is it appropriate, according to the AMA, that the System Operator is able to set default controls should there be no specification in PCEHR rules. The AMA argues however, that certain information should be available by default to medical practitioners and this should include pathology and diagnostic imaging results, hospital discharge summaries and medications dispensed.[145]

The Consumers’ Health Forum submission to the current Senate inquiry objects to the removal of the option for consumers to label their record ‘no access’; it acknowledges that the Concept of Operations document for the PCEHR justifies this on the grounds that it may be necessary to access information in an emergency (see the following paragraphs for discussion), but nevertheless CHF is convinced the option should be reinstated. CHF consultations found unanimous support for reinstatement with consumers describing the no access option ‘as a “deal-breaker’ in terms of their participation in the PCEHR system’.[146]

Paragraph 63(a) authorises the collection and use of information from the PCEHR system for the management or operation of the PCEHR system if consumers would ‘reasonably expect’ this to be done. However, the MSIA argues that realistically many consumers will be unaware of how the system will operate and that there is insufficient detail in this provision to engender confidence that privacy and consent to disclosure will be respected. Individuals should have a right to full disclosure of the collections of data to which others will have access and could affect the profile of the individual concerned.[147]

Paragraph 64(1)(a)(i) and(ii) allow for the disclosure of information in case of an emergency, that is if collection use or disclosure of health information is ‘necessary to lessen or prevent a serious threat to an individual’s life, health or safety’ and it is ‘unreasonable or impracticable to obtain the consumer‘s consent’.  Epworth Healthcare notes that there is no definition of what would constitute a serious threat for the purposes of the legislation.[148] Some discussion and guiding principles along the lines of National Privacy Principle 6 may rectify this situation. This could be included in the definitions in clause 5 or in regulations which may later be specified; however, at present, detail is lacking.

A submission from the Royal Children’s Hospital reads into the consent issue that clause 64 would apply if a consumer was unconscious, even if the consumer has explicitly stated that he or she forbids access to parts of the PCEHR. The submission argues:

 This is inconsistent with Australian medical law under which medical care cannot be forced on any competent adult. The wish of a person who states in advance that they will not receive blood products if they are dying is recognized by law. This situation is analogous [sic] with a person who states they do not want certain information in their PCEHR to be available even in an emergency.[149]

In contrast, practitioner and academic Dr Kathryn Antioch cites the case of an emergency situation during a national public health threat where it is critical that practitioners have access to entire PCEHR records in order to mitigate the crisis.[150]

Use of information for research

Clause 66 will enable identified health information to be used for research purposes if a consumer has consented. According to the Explanatory Memorandum, unlike the position under the National Privacy Principles, the PCEHR legislation will not regulate de-identified information, a position which Medibank thinks should be reversed as de-identified information should be of significant interest to medical research centres.[151] NACCHO considers on the other hand, that this requirement for consent to use identified information only should remain. This is because in NACCHO’s view unless de-identified data is completely cleansed of all identifiable fields, persons in some Aboriginal communities may be identified and this could cause Aboriginal people to ‘abandon’ the PCEHR.[152]

The Bupa Health Dialog submission to the current Senate inquiry argues that ‘it is essential that de-identified clinical data held in the PCEHR system is made available to organisations for secondary uses that will enable delivery of improvements in the health outcomes for all Australians’.[153] However, the Royal Australian College of General Practitioners points out, at the time a person gives consent for collection, use and disclosure of information all potential research uses cannot be known. Hence, a person is unable to give fully informed consent.[154] On the other hand, it could be argued it is likely that most expected uses of data could be covered under some form of limited disclosure agreement that could be developed after consultation with consumer and privacy groups.

Clause 69 which allows the disclosure of information to courts and tribunals is also criticised by NACCHO which, while it acknowledges the need to uphold the law, all the same believes that this aspect of the legislation could be ‘potentially used as a method to track people’s current location and travels’.[155] Medibank criticises this clause because it argues the clause does not take into account that in certain legal proceedings disclosure is required to be made directly to a party or to a prospective party to possible proceedings.[156]

The OAIC supports civil penalties for unauthorised use or disclosure of health information in the PCEHR system, where these relate to sufficiently serious misconduct.  The OAIC is disturbed that under subclause 71(4) health information that was originally obtained from the PCEHR system, where such information was ‘stored in such a way that it was capable of being obtained other than by means of the PCEHR system’, and the information was obtained ‘by those other means’ is not to be subject to penalties under the legislation.  Instead, existing privacy and health laws are to apply depending on the jurisdiction.[157] The OAIC’s argues that for some entities therefore, there may be no privacy law applying to consumer’s health information once it is downloaded from the PCEHR system.[158]

The OAIC is unsure of the policy reasons for this exemption. In the OAIC’s opinion, individuals have an interest in clear and consistent privacy protections applying to their health information in the PCEHR system, irrespective of where a person accesses it and how that person subsequently stores the information. This is particularly important given that the PCEHR system will transform the way in which health information is shared across jurisdictions, making it much easier for individuals’ health information to be transferred between healthcare providers.[159]

The OAIC and privacy concerns

Part 4 Division 4 of the Bill, which deals with interaction with the Privacy Act, is substantially unchanged from the Exposure Draft Bill.[160] This division in the Exposure Draft prompted considerable comment from the OAIC. Essentially, the OAIC was concerned that the clauses in this division did not sufficiently clarify the powers of the Commissioner or clearly state the relevant sections of the Privacy Act which applied in the cases of breaches of privacy.

Section 64 of the Exposure Draft Bill (clause 72 of the proposed legislation) for example stated that ‘an authorisation to use or disclose health information under this Act is also an authorisation to use or disclose the health information for the purposes of the Privacy Act’. The OAIC suggested that this clause was clarified so that uses or disclosures of health information which are authorised under the legislation fall within the ‘required or authorised by law’ exception to the National Privacy Principle 2.1’.[161]

The OAIC noted with reference to powers of the Information Commissioner, that its discussions with the Department of Health and Ageing indicated that clause 65 in the Exposure Draft, that is, clause 73 in the proposed legislation, is intended to authorise the Information Commissioner to receive complaints about an act or practice that contravenes the proposed legislation in connection with a consumer’s health information. The Commissioner can then investigate the act or practice in accordance with the OAIC’s functions and powers in Part V of the Privacy Act. However, the OAIC was concerned that the Exposure Draft clause did not specifically state this. It argued with reference to the Exposure Draft:

 ... the Draft Bill (and amendments to the Privacy Act) could make the Commissioner’s role in regulating contraventions of the Draft Bill more certain, particularly with regard to applying Part V and ss 13 and 13A of the Privacy Act. This Part of the Draft Bill could also set out how the civil penalty provisions are intended to interact practically with other privacy laws (including State and Territory privacy laws).[162]

Further, the OAIC considered it unclear whether the Information Commissioner could undertake an investigation under subsection 40(2) of the Privacy Act in the absence of a complaint.[163] Additionally, the OAIC considered the Information Commissioner’s power to investigate complaints about anyone who may have breached a civil penalty provision (including state or territory authorities) was also not clear in the Exposure Draft. As the substance of this clause has not changed, it can be argued that this concern continues to be valid for the proposed legislation.

A note to clause 73 refers only to the Commissioner’s power to investigate a complaint under section 36 of the Privacy Act, where a complaint has been made by an affected individual, but in the OAIC’s opinion, there are ‘strong reasons’ for allowing the Commissioner to commence his or her own investigation under subsection 40(2) of the Privacy Act in relation to possible contraventions of civil penalty provisions.[164] It notes that this power could be important given that mandatory data breach notification requirements in the proposed legislation (under Part 5) do not apply to all entities that may collect health information from the PCEHR system.[165]

In recommending clarification of the Information Commissioner’s powers, the OAIC notes that section 27A was inserted in the Privacy Act by the Healthcare Identifiers (Consequential Amendments) Act 2010 to clarify the Commissioner’s functions in relation to a contravention of that Act and that the Privacy Act could be similarly amended in relation to the PCEHR.[166]

The OAIC considered that the Exposure Draft did not make it clear whether an interference with privacy of individual as described now in clause 73 would be covered by section 13 or section 13A of the Privacy Act. Section 13 describes interferences with privacy by agencies and other entities, while section 13A describes interferences with privacy by organisations. An entity, such as an individual or a state of territory authority, which contravenes the privacy of an individual may, however, be one not defined in the Privacy Act. The OAIC suggests therefore that greater certainty could be achieved by stating when a contravention would be an interference with the privacy of an individual under either section 13 or section 13A of the Privacy Act.[167]

According to the OAIC, another effect of what is now proposed clause 73 would be that some uses or disclosures that are permissible under an exception to the National Privacy Principles would be ‘interferences with privacy’ under sections 13 and 13A of the Privacy Act. For example, under National Privacy Principle 2.1(d), a healthcare provider organisation covered by the Privacy Act could disclose health information for research purposes in certain circumstances.[168] However, for health information included in a consumer’s PCEHR, such a disclosure may in fact be an ‘interference with privacy’ for the purposes of the Privacy Act as it is not specifically authorised in Part 4, division 2 of the proposed legislation.

The OAIC expressed further concern that there was inconsistency between the proposed legislation and the Privacy Act, given that sections 13 and 13A of the Privacy Act prescribe acts or practices that interfere with the privacy of an individual, rather than the privacy of a consumer as stated in clause 73.  For greater certainty, the OAIC proposes therefore, that its investigative powers are clarified in the Bill and the Explanatory Memorandum.[169]

Complaints handling processes in the Exposure Draft needed to be clarified according to the OAIC, but it does not appear that the proposed Bill has attempted to do this. However, the OAIC understood from discussion with the Department of Health and Ageing:

 ... that consumers will be encouraged to raise any privacy complaints with the System Operator in the first instance, before such complaints are escalated to an appropriate privacy regulator. Based upon the Commissioner’s experience as a privacy regulator, this procedure will help to ensure that complaints are resolved as quickly as possible, while also preserving the relationship between consumers and PCEHR participants to the extent possible. However, in the OAIC’s opinion, this procedure should not override privacy regulators’ discretion to decide to investigate a complaint in the absence of an initial complaint to the System Operator.[170]

In its submission to the Senate inquiry the OAIC stressed a similar point arguing once again that clarification is necessary in and listing what it sees are minimum complaints handling requirements, such as what constitutes the complaints referral process and whether an individual must first complain to a respondent before making a complaint to the System Operator of the OAIC. [171]

Secondly, the OAIC noted that the Exposure draft and its companion document did not clarify the process for a privacy regulator to refer a complaint to another privacy regulator. It suggested therefore that PCEHR legislation allow that an individual should make a privacy complaint to the System Operator in the first instance before such a complaint is escalated to a privacy regulator. Regulators should also be allowed to decide to receive complaints in the absence of an initial complaint.[172]

In effect, as its submission to the current Senate inquiry indicates:

The OAIC believes that the interaction between the PCEHR Bill and the Privacy Act remains uncertain in several aspects. Initially, greater clarity could be achieved by amending the

Privacy Act to confirm that the Information Commissioner may investigate anyone who may have contravened a civil penalty provision in the PCEHR Bill (even if that person would otherwise be exempt under the Privacy Act).[173]

 

Part 5—other civil penalties

Part 5 of this Bill sets out civil penalties for breaches in the use of the PCEHR and non-compliance with requirements imposed under the PCEHR system.

The AMA finds the requirement in clause 74(1) that requires authorised users who access a PCEHR to notify the System Operator on each occasion they do so, to be ‘a new and burdensome responsibility on already busy practices’.[174]  The Explanatory Memorandum sees this requirement as essential in enabling the System Operator to maintain a comprehensive access audit trail. It argues in defence of this requirement that healthcare organisations are best placed to ensure that their IT systems are configured to provide the necessary information to the System Operator.[175] But the AMA argues there is no assurance ‘IT systems configured in this way will be tested, proven and widely available when the PCEHR is launched’. It recommends thereof that these penalty provisions should not commence until such systems are available at a reasonable price.[176]

Part 6—civil penalty supporting provisions

Part 6 of this Bill describes the details of how the civil penalties will be applied.

Part 7—voluntary enforceable undertakings and injunctions

Part 7 of this Bill sets out how voluntary undertaking will be used as part of the PCEHR system to improve compliance with obligations.

Under clause 75 of the Bill, the System Operator, registered repository operators and registered portal operators will be generally required to notify data breaches to the System Operator, and in some cases the Information Commissioner, and to take certain steps after becoming aware of the breach. The OAIC considered other entities, such as registered healthcare provider organisations, should also be subject to data breach notification provisions. This would ensure, for example, that the System Operator could be made aware of a data breach (or potential data breach) known to a healthcare provider organisation and improve the operator’s ability to respond to, or contain the breach.[177]

In the OAIC’s opinion, the Information Commissioner’s power to investigate an alleged breach of the data breach notification provisions under clause 75 may also be unclear in some circumstances. For example, if an entity fails to notify the Commissioner of a data breach, and the breach is not ‘in connection with a consumer’s health information included in a registered consumer’s PCEHR’, the Commissioner may not have the power under clause 73 to investigate this contravention. The OAIC also notes that the Information Commissioner has been given no additional power to advise and assist persons after they have notified the office of a data breach. It suggests therefore that the legislation includes clarification of what powers it is intended that Commissioner have in relation to investigation of alleged contraventions of the civil penalty provisions and to provide advice to complainants.[178]

There appear to be no significant concerns about the remaining provisions dealing with penalties, apart from the Royal Australasian College of Physicians questioning of the wording in paragraph 90 (1)(d) and the Australian Association of Pathology Practices (AAPP) arguing that the penalties are ‘steep’.  The RACP seeks clarification of the term ‘party to’ in relation to the contravention of a civil penalty provision.  It is not clear in the College’s opinion what level of knowledge would be required for a person to be party to a contravention.[179] The AAPP considers penalties of $66 000 plus criminal penalties represent substantial risks for providers.[180]

In relation to these types of concerns, the Explanatory Memorandum makes the point that the voluntary enforceable undertakings in Part 7 of the proposed legislation ‘are a key element of the graduated responses available under the Bill. They can be used as an effective control of behaviour and can result in systemic changes being made’.[181] It could be argued on the other hand that given the sensitivity of the information involved in the PCEHR that penalties may not represent a sufficiently adequate deterrent.

Part 8—other matters

Part 8 of this Bill allows for PCEHR rules and regulations to be made. It also provides details of reporting and review requirements for the system, the treatment of certain participating entities and allows for the delegation of certain powers.

As noted earlier in this digest, clause 97, which lists the types of decisions made by the System Operator that are subject to review, has caused some concern amongst stakeholders. This is because there does not appear to be a means through which people can complain about the System Operator itself.[182] Concerns about clause 98 may yet be expressed along similar lines. Subclause 98(1) allows the System Operator, if it is the Secretary of the Department of Health and Ageing, to delegate ‘one or more of his or her function and powers’ to employees of the Department , the Chief Executive Medicare and other person (with the consent of the Minister).  Given the sensitivity of information to be divulged to unknown bureaucrats, at as yet undisclosed levels within the Department of Health, and with the sole discretion of the Department Secretary, it would appear that there needs to be more stringent requirements on what employees of DoHA should be able to access consumer information.

Indeed, the APF finds it unacceptable that critical privacy protection may be in delegated legislation:

All protections must be in statutes, in order to ensure that they have been considered and directly expressed by the Parliament. Delegating them to statutory instruments makes them appear unimportant. It also risks them never being delivered, and enables the protections to be readily compromised by subsequent amendments that can be processed without publicity and without consideration by the Committee process or the Parliament.

In short, the credibility of such protections as are being proposed is shot to ribbons by the failure to put them high on the agenda. The Department is greatly undermining its own scheme by its intransigence on this matter alone.[183]

The ADA objects to clause 99. According to the Explanatory Memorandum, this clause ensures that the Bill’s authorisations extend to employees, contracted service provider and contractors of those organisations where appropriate.[184]  The ADA is of the view, however, that this clause:

... will result in additional risks for employers and insurers and consequently increased costs for specialists, patients and taxpayers. The prospect of these costs and risks may inhibit support for [the] PCEHR by clinicians.[185]

Clause 109 states that the Minister may, by legislative instrument, make rules ‘about matters required or permitted by this Act’. Subclause 109(2) says that the Minister must consult the Jurisdictional Advisory Committee, before making rules, but failure to do so does not invalidate any rules subsequently made.  The Pharmacy Guild is unhappy that only the Jurisdictional Committee is to be consulted in the making of rules process. It asks why technical experts are not to be consulted given that it is suggested that rules may relate to technical specifications (subclause 109(4)).

Box 4: brief summary of points of contention

Concluding comments

As has been revealed throughout this digest, there are a number of bottom line key issues in relation to the PCEHR upon which the various stakeholders have commented.

For consumer organisations, that the PCEHR ensures the protection of the privacy of individuals is paramount to all consideration of the system. Hence, these groups argue that the PCEHR cannot be successful unless it first and foremost serves the interests of health consumers. They consider that if the system is to do so, there must be assurances that consumers will participate in the system governance, that its administration and operation will be transparent and accountable and that consumers will have access to, and ultimate control of their health information.

Other stakeholders argue that privacy must be compromised in some instances to ensure the efficient operation of the PCEHR. Medical professionals view consumer control as dangerous—both from the perspective that important information may not be available to them to deliver effective treatment and for medico legal reasons.

Further to these concerns, for consumer groups (and, indeed many stakeholders), there is the issue of what will actually be in rules and regulations which accompany the Bill (once enacted). While it is usual for regulations to be made following the passage of legislation, in this instance it may have been circumspect to have produced a companion document detailing proposed rules and regulations, given that sensitive information relating to all Australians is the ultimate focus of the legislation. Previewing such rules and regulations may have alleviated some of the more important concerns which have been expressed about the privacy of individuals generally and the potential lack of accountability, specifically that of the principal PCEHR administrator, the System Operator.

While it is not strictly the subject of this digest, concerns about how the technical aspects of the PCEHR system will function and, indeed, whether they will actually function, have been raised in submissions to the Exposure Draft legislation, to the Senate inquiry into this Bill and in other instances and these represent a bottom line in terms of whether Australia has taken the right approach to e health records.[186]

Concerns have been raised by the medical software industry about the overall design of the PCEHR system and consumers and medical professionals have also expressed disquiet about certain aspects. As this digest has noted in passing, there have been complains from industry ranging from accusations of ineffective oversight and failure of administrators to acknowledge design flaws, to warnings that the system will not succeed because its implementation has been ill considered and rushed. In terms of rushing the implementation of the system for instance, disquiet over the role of the System Operator noted in the previous paragraph may have been dispelled if time were available to establish a specific body for this purpose before the system is implemented. As noted in the Parliamentary Library paper on e health, taking time to get the whole system right has worked well in jurisdictions such as Denmark where a series of strategies for an overall e health system have been progressively shaping implementation and engaging health professionals and consumers.

The PCEHR Bill has attempted to address the issues which stakeholders have indicated are critical to their acceptance of the PCEHR and it is clear that consultations have produced some concessions and changes to the original PCEHR proposals. However, despite these compromises there continues to be uncertainty surrounding how the privacy applications and administrative and technical machinery of the PCEHR system will affect those who provide it, those who consume it and those who monitor it. As such, the potential for the system to improve health outcomes, a claim which is rarely questioned, has become almost a secondary consideration in discussions of the PCEHR.

Members, Senators and Parliamentary staff can obtain further information from the Parliamentary Library on (02) 6277 2429.

---

---

[Index] [Search] [Download] [Help]