HEALTHCARE IDENTIFIERS REGULATIONS 2010 (SLI NO 190 OF 2010)
EXPLANATORY STATEMENT
Select Legislative Instrument 2010 No. 190
Healthcare Identifiers Act 2010
Healthcare Identifiers Regulations 2010
Subsection 39(1) of the Healthcare Identifiers Act 2010 (the Act) provides that the Governor-General may make regulations prescribing matters which are required or permitted by the Act, or matters which are necessary or convenient in order to carry out or give effect to the Act.
The Act implements a national system for consistently identifying consumers and healthcare providers and sets out clear purposes for which healthcare identifiers may be used. The establishment of this national system, described as the Healthcare Identifiers Service, is a joint initiative of all Australian Governments and puts into effect a number of decisions made by the Council of Australian Governments.
Part 2 of the Act outlines the process for assigning healthcare identifiers to healthcare recipients, individual healthcare providers and healthcare provider organisations. Part 3 of the Act deals with the use and disclosure of healthcare identifiers and other information. Part 3 also contains a number of provisions dealing with penalties for unauthorised disclosure or use of healthcare identifiers. Part 4 of the Act outlines how the Act interacts with the Privacy Act 1988, including outlining the Privacy Commissioner’s role in monitoring, compliance and enforcement activities associated with the Healthcare Identifiers Service. Part 5 establishes the Healthcare Provider Directory. Part 6 of the Act outlines the role of the Ministerial Council in providing oversight of the Healthcare Identifiers Service.
Subsection 39(2) of the Act provides that regulations may provide for the imposition of a penalty of not more than 50 penalty units (one penalty unit is currently worth $110).
The Regulations set out provisions relating to the assignment, collection, use, adoption and disclosure of healthcare identifiers. Consistent with the scope of the Act, the Regulations do not seek to regulate other aspects of electronic health – for example, electronic health records. While healthcare identifiers are a foundation element of future electronic health initiatives, it is envisaged that further legislation will be required to deal with significant new electronic health initiatives such as electronic health records.
Section 33 of the Act provides that the Minister for Health and Ageing (the Minister) must consult with the Ministerial Council before the Governor-General makes a regulation under the Act. The Minister consulted with the Ministerial Council of Commonwealth, State and Territory Health Ministers. The Act specifies no other conditions that need to be met before the power to make the Regulations may be exercised.
Details of the Regulations are set out in the Attachment.
Exposure draft Regulations for the Health Identifiers Service were released for public consultation on 12 March 2010. Consultation closed on 9 April 2010 and a total of 52 written submissions were received. In light of stakeholder feedback received during consultation and through subsequent discussions, revised exposure draft Regulations were released by the Minister for Health and Ageing on 2 June 2010.
The following Commonwealth agencies were consulted in the preparation of the Healthcare Identifiers Regulations: Office of the Privacy Commissioner, Department of Human Services, Medicare Australia, Australian Institute of Health and Welfare, Attorney-General’s Department, Department of Prime Minister and Cabinet. The Office of Legislative Drafting and Publishing drafted the HI Regulations. State and territory health officials and representatives from National E-health Transition Authority were consulted in the preparation of the Healthcare Identifiers Regulations.
A Preliminary Assessment was completed and OBPR gave written confirmation that a RIS/BCC was not required for the Regulations.
The Regulations are a legislative instrument for the purposes of the Legislative Instruments Act 2003.
The Regulations commence on 1 July 2010.
Under section 35 of the Act, a review of the operation of the Act and Regulations must be conducted and a report prepared before 30 June 2013. The Minister must provide a copy of the report to the Ministerial Council. The Minister must also table the report in each House of Parliament within 15 sitting days after the report is prepared.
ATTACHMENT
DETAILS OF THE HEALTHCARE IDENTIFIERS REGULATIONS 2010
Regulation 1 – Name of Regulations
This regulation provides that the title of the Regulations is the Healthcare Identifiers Regulations 2010.
Regulation 2 – Commencement
This regulation provides that the Regulations commence on 1 July 2010.
Regulation 3 – Definitions
Under regulation 3, National Law means the law that has been, or is intended to be, enacted by each State and Territory as part of establishing a national registration and accreditation scheme to regulate healthcare providers in specified professions.
Regulation 4 – National registration authorities
Section 8 of the Act provides that national registration authorities may be prescribed by regulation.
Regulation 4 prescribes as national registration authorities: a National Health Practitioner Board established under the National Law; and, if it is authorised under the National Law to assign healthcare identifiers, the Australian Health Practitioner Regulation Agency.
Regulation 5 – Identifying information
Paragraphs 7(1)(g) and 7(2)(e) of the Act provide that the Regulations may prescribe identifying information for individual healthcare providers and healthcare provider organisations respectively.
Regulation 5 prescribes an e-mail address, a phone number and a fax number as identifying information for individual healthcare providers and healthcare provider organisations in addition to those types of identifying information already specified in subsections 7(1) and 7(2) of the Act.
Regulation 6 – Updating healthcare provider information held by the service operator
Section 14 of the Act provides that the Regulations may prescribe information that healthcare providers must provide to the service operator in relation to the healthcare provider’s healthcare identifier.
Regulation 6 requires the reporting of certain changes in circumstances and identifying information in relation to the following people and entities:
(a) individual healthcare providers who have been assigned a healthcare identifier but who are not regulated under the National Law; and
(b) healthcare provider organisations.
Reporting is necessary so that the service operator is made aware of changes in circumstances and events that may impact on whether or not it is appropriate to allow an individual healthcare provider or a healthcare provider organisation to continue accessing the Healthcare Identifiers Service. For example, if an organisation ceased providing healthcare it would be inappropriate to allow that organisation to continue accessing healthcare identifiers assigned to healthcare recipients from the Healthcare Identifiers Service. Reporting is also necessary for other purposes, such as ensuring that information in the Healthcare Provider Directory (see section 31 of the Act) is kept up-to-date.
Regulation 6 applies to those persons specified in subregulation 6(1). The range of persons specified reflects the fact that healthcare providers (in particular entities) may be structured in a variety of ways. The range of persons specified also reflects the fact that only legal entities may be held criminally liable. Given the desire to impose a criminal penalty in certain situations under regulation 6, and the fact that some healthcare provider organisations might not be legal entities in their own right, it was considered appropriate in this particular circumstance to extend liability to those persons specified in subparagraphs 6(1)(a)(ii) to (iv). This is especially the case given the serious privacy-related consequences that might flow from a failure to report certain changes in circumstances, such as the service operator disclosing multiple healthcare identifiers to a person who has been deregistered or who no longer provides healthcare. Given the potentially significant risks that may result from non-compliance with regulation 6, and the desire to adopt an approach consistent with that taken in the Act in relation to breaches, a criminal penalty was considered appropriate should the prescribed changes in circumstance not be reported.
As subregulation 6(4) does not specify fault elements, the automatic fault elements in section 5.6 of the Criminal Code Act 1995 apply to the physical elements in that subregulation. Consequently, to establish an offence under subregulation 6(4) the prosecution would need to prove beyond reasonable doubt that the person intentionally failed to notify the service operator of a relevant change of circumstances under paragraph 6(2)(a). This will ensure that a person mentioned in subregulation 6(1) cannot be convicted of an offence under subregulation 6(4) unless they had the requisite intention.
While subregulations 6(2) and 6(3) require reporting of any change of circumstance or identifying information specified in those regulations, it is only an offence to fail to report a change in circumstance specified in paragraph 6(2)(a) within the required timeframe. Where a prescribed change in circumstance or identifying information occurs, subregulations 6(2) and 6(3) require a report to be made to the service operator within 28 days of the person becoming aware of the change.
Regulation 6 does not apply to individual healthcare providers who are regulated under the National Law. This is because the National Law already imposes obligations on individuals regulated under it to report certain changes in circumstances and specified events. Where an individual is regulated by the National Law, and reports a change of circumstance or other specified event under that Law, the relevant National Board or the Australian Health Practitioner Regulation Agency will, as necessary, inform the service operator.
If an individual healthcare provider is not regulated by the National Law and is assigned a healthcare identifier by the service operator (because they fall within a class specified in section 9A of the Act), but the individual healthcare provider is later regulated under the National Law, regulation 6 will cease to apply to the individual from the time that the individual is regulated under the National Law – see subparagraph 6(1)(a)(v). This situation may occur if, for example, individual healthcare providers in the professions of Aboriginal and Torres Strait Islander health practice, Chinese medicine, medical radiation practice and occupational therapy were to be assigned a healthcare identifier by the service operator and, as planned, those four professions are subsequently regulated under the National Law from 2012.
Regulation 7 – Rules about requesting disclosure of healthcare identifiers from the service operator
Section 17 of the Act authorises the service operator to disclose healthcare identifiers to an identified healthcare provider and, subject to certain conditions, employees of the healthcare provider, contracted service providers and employees of contracted service providers. In addition, section 36 of the Act extends an authorisation of a healthcare provider for a particular purpose under the Act and regulations to also authorise an employee of the healthcare provider, a contracted service provider of the healthcare provider and an employee of a contracted service provider. Section 21 of the Act provides that the Regulations may prescribe rules about the disclosure of healthcare identifiers by the service operator, including rules about requests to the service operator to disclose healthcare identifiers.
Under subregulation 7(1), a healthcare provider is authorised to request the service operator to disclose a healthcare identifier that has been assigned to a healthcare recipient to the person making the request if paragraphs 7(1)(a) to (c) apply in relation to the healthcare provider. Paragraphs 7(1)(a) to (c) establish safeguards around access to healthcare identifiers assigned to healthcare recipients. In particular, those paragraphs require that the relevant healthcare provider has been assigned a healthcare identifier and still falls within a class of healthcare providers that are entitled to be assigned a healthcare identifier at the time the request for disclosure is made, that the healthcare identifier is to be used or disclosed to manage or communicate information supporting the provision of healthcare, and that the person making the request for disclosure provides healthcare or has duties in relation to its provision either as an employee of the healthcare provider or as an employee of a contracted service provider.
Under subregulation 7(3), a person mentioned in subregulation 7(2) commits an offence if the elements specified in paragraphs 7(3)(a) to (c) are satisfied. That is, a request for disclosure of a healthcare identifier is made to the service operator, any of paragraphs 7(1)(a) to (c) do not apply, and the service operator discloses a healthcare identifier. Failure by a healthcare provider to comply with subregulation 7(1) might, for example, result in the service operator disclosing multiple healthcare identifiers to individuals who have no role in relation to the provision of healthcare or to organisations which no longer provide healthcare. Given this situation, and the desire to adopt an approach consistent with that taken in the Act in relation to breaches, a criminal penalty was considered appropriate should the elements of subregulation 7(3) be made out.
As subregulation 7(3) does not specify fault elements, the automatic fault elements in section 5.6 of the Criminal Code Act 1995 apply to the physical elements in paragraphs 7(3)(a) to (c). This means that to establish this offence the prosecution would need to prove beyond reasonable doubt that the person intended for the healthcare provider to request disclosure of a healthcare identifier from the service operator; was reckless as to whether the circumstances mentioned in paragraphs 7(1)(a), 7(1)(b) and 7(1)(c) applied; and was reckless as to whether the service operator disclosed a healthcare identifier to the healthcare provider.
This will ensure that a person mentioned in subregulation 7(2) cannot be convicted of an offence under subregulation 7(3) unless the prosecution satisfies the requisite fault elements.
Similar to subregulation 6(1), the range of persons specified in subregulation 7(2) reflects the fact that healthcare providers may be structured in a variety of ways. The range of persons similarly reflects the fact that only legal entities may be held criminally liable. In practice, it is likely that many requests for disclosure of healthcare identifiers assigned to healthcare recipients will be made by administrative staff working in a healthcare provider organisation. In other cases, a request for disclosure may be made by a contracted service provider acting on behalf of a healthcare provider. However, as a matter of policy, it was not considered appropriate to impose liability on such persons for a breach of subregulation 7(1) given that knowledge about whether paragraphs 7(1)(a) to (c) are satisfied would primarily be available only to the healthcare provider. Given these factors, it was considered appropriate in this particular circumstance to extend liability for a breach of paragraphs 7(1)(a) to (c) to those persons specified in paragraphs 7(2)(b) to (d), especially given the serious privacy-related consequences that could potentially flow from a failure to comply with subregulation 7(1).
Under subregulation 7(4), a healthcare provider that seeks disclosure of a healthcare identifier from the service operator is required to ensure that details of the provider’s responsible officer and organisation maintenance officer held by the service operator are kept up-to-date, and that relevant staff of the provider are made aware of their obligations under the Act and the Regulations.
Regulation 8 – Maintaining records about healthcare identifiers disclosed by the service operator
Section 22 of the Act provides that, if the service operator discloses a healthcare identifier to an entity, the Regulations may require the entity to provide prescribed information to the service operator in relation to that disclosure. As explained in the Explanatory Memorandum to the Healthcare Identifiers Bill 2010, such information may include “… keeping a record of employees [of healthcare providers] who have accessed the [Healthcare Identifiers] Service. This would support enquiries made by individuals with regards to who has accessed their records and the handling of any complaints”.
Without records showing which individual has accessed a healthcare identifier from the service operator, the ability to conduct timely and effective investigations may be severely curtailed. As well as supporting the handling of complaints and investigations, information about which individual has accessed a healthcare identifier from the service operator may be used in any court proceedings brought as a result of an alleged breach of the Act or Regulations. The name of an individual who accessed a healthcare identifier from the service operator will not be disclosed to a healthcare recipient who enquired about which parties had accessed their records, unless the individual in question was an identified healthcare provider. In most situations, it is envisaged that a request to the service operator for disclosure of a healthcare identifier will be made on behalf of a healthcare provider organisation. In such cases, a healthcare recipient enquiring about who had accessed their records will be given the name of the healthcare provider organisation that had requested disclosure.
Subregulation 8(1) requires that healthcare providers that request disclosure of a healthcare identifier must either:
(a) give sufficient information at the time disclosure is requested to permit the service operator to identify by name the individual making the request on behalf of the healthcare provider, without the service operator having to seek further information from any other person. Under this first option, a healthcare provider will not be required to keep its own records of which individual requested disclosure of healthcare identifiers on its behalf from the service operator; or
(b) if the healthcare provider does not comply with 8(1)(a), keep a retrievable record of each individual who accessed healthcare identifiers from the service operator on behalf of the healthcare provider and, on request, give that record to the service operator. Subregulation 8(2) specifies the requirements for the retrievable record, including the information it must contain and the period of time for which it must be kept. Under this second option, the identity of the individual making the request does not need to be sent to the service operator at the time disclosure is requested. However, certain other information will be sent at the time the request for disclosure is made, including the identity of the healthcare provider organisation which was the source of the request for disclosure.
In both cases, the service operator is required to keep a record of the information it receives – see section 10 of the Act.
If, at some time in the future, it was necessary to determine which individual had accessed a healthcare identifier from the service operator, the service operator will be able to access its log and either determine the identity of the individual or determine the identity of the healthcare provider organisation from which the request originated. In the latter case, the service operator is able to ask the healthcare provider for the provider’s record showing which individual requested disclosure.
The obligations under subregulation 8(1) apply regardless of whether a request for disclosure under subregulation 7(1) is made by a healthcare provider or, as permitted under section 36 of the Act, by an employee of the healthcare provider, a contracted service provider of the healthcare provider or an employee of a contracted service provider.
Similar to subregulations 6(1) and 7(2), the range of persons specified in subregulation 8(3) reflects the fact that healthcare providers may be structured in a variety of ways, and that only legal entities may be held criminally liable. Given the desire to impose a criminal penalty under regulation 8, and the fact that some healthcare provider organisations might not be legal entities in their own right, it was considered appropriate in this particular circumstance to extend liability for a breach of subregulation 8(1) to those persons specified in paragraphs 8(3)(b) to (d). Extending liability in these circumstances also reflects the fact that the people specified in subregulation 8(3) are likely to be in a position to put in place systems to ensure that the healthcare provider organisation for which they have responsibility complies with subregulation 8(1). The individual making the actual request for disclosure, who in most cases will be a person in an administrative role at the healthcare provider, is unlikely to be in a position to ensure such systems are in place. Consequently, it would be inappropriate to impose liability on the individual who actually sought disclosure of a healthcare identifier on behalf of the healthcare provider should subregulation 8(1) be breached.
Under subregulation 8(4), a person mentioned in subregulation 8(3) commits an offence if a healthcare provider does not comply with paragraph 8(1)(a) and does not, on written request from the service operator, supply a copy of its retrievable record that shows the identity of the individual who accessed a healthcare identifier from the service operator on behalf of the healthcare provider. A person has 14 days to comply with a request to provide a copy of the healthcare provider’s retrievable record (paragraph 8(4)(b)). Failure by a healthcare provider to keep a retrievable record, assuming that the healthcare provider does not comply with paragraph 8(1)(a), may mean that it is not possible to conduct an effective investigation into why a disclosure of a healthcare identifier occurred. This might result in a potentially significant adverse effect on public confidence in the safeguards surrounding the Healthcare Identifiers Service. Given this situation, and the desire to adopt an approach consistent with that taken in the Act in relation to breaches, a criminal penalty was considered appropriate should subregulation 8(4) be breached.
As subregulation 8(4) does not specify fault elements, the automatic fault elements in section 5.6 of the Criminal Code Act 1995 – in this case, intention – apply to the physical elements in paragraphs 8(4)(a) to (b). To establish this offence the prosecution would need to prove beyond reasonable doubt that the person intended not to comply with subregulation 8(1)(a), and intended not to provide information in compliance with paragraph 8(4)(b).
This will ensure that a person mentioned in subregulation 8(3) cannot be convicted of an offence under subregulation 8(4) unless they had the requisite intention.
Transition period
While subregulation 8(4) commences at the same time as the other provisions in the Regulations, it is acknowledged that many healthcare providers are likely to be transitioning to an improved state of identity management and information security over the next couple of years as the uptake of the Healthcare Identifiers Service, and other electronic health initiatives, becomes more widespread. It is considered important that during this period obligations be clearly established from the outset in terms of the information that must be provided to the service operator either at the time a request for disclosure is made or as part of a retrievable record. A penalty has been included under subregulation 8(4) to make clear that the obligation to provide a retrievable record is enforceable where a healthcare provider does not comply with paragraph 8(1)(a). However, given the need for a period of transition outlined above, a policy decision has been made to allow a two year period following commencement of the Regulations during which subregulation 8(4) will generally not be enforced. The grace period applies only in relation to subregulation 8(4). It does not apply in relation to any other offence provision in the Regulations or in the Act.
The focus of the two year grace period is educative, helping healthcare providers to incorporate improved identity management and information security standards in their systems. Healthcare providers are expected to comply with regulation 8 to the extent they are able to during the grace period. The existence of the grace period does not remove the obligation on a healthcare provider to provide the service operator on request as much detail as they have on their records about a particular request for disclosure of a healthcare identifier to assist in any enquiry or investigation.
In the two year period following commencement of the Regulations, there may be situations where enforcement of subregulation 8(4) is warranted notwithstanding the general policy of allowing a grace period. While it is not possible to specify all the circumstances where enforcement of subregulation 8(4) may be warranted during the initial two year period, it is envisaged that enforcement action may be considered where, for example, a healthcare provider has systems in place that allow it to comply with paragraph 8(1)(b) but the healthcare provider repeatedly refuses to provide a copy of its retrievable record.
Following the end of the two year grace period, subregulation 8(4) will be enforced.