ATTACHMENT

Details of the Health Legislation Amendment (eHealth) Regulation 2015

1.      Name of Regulation

This section provides that the title of the Regulation is the Health Legislation Amendment (eHealth) Regulation 2015.

2.      Commencement

This section provides that the Regulation takes effect on the day after it is registered on the Federal Register of Legislative Instruments.

3.      Authority

This section provides that the Regulation is made under the Healthcare Identifiers Act 2010 (HI Act) and the My Health Records Act 2012 (My Health Records Act).

4.       Schedules

This section provides that each instrument that is specified in a Schedule to the Regulation is amended or repealed as set out in the applicable items in the Schedule concerned.  Any other item in a Schedule to the regulation has effect according to its terms.

Schedule 1--Amendments relating to the Health Legislation Amendment (eHealth) Act 2015

The items in the Schedule amend and repeal the Healthcare Identifiers Regulations 2010 (HI Regulations) and the Personally Controlled Electronic Health Records Regulation 2012 (PCEHR Regulation) as set out below.

Healthcare Identifiers Regulations 2010

Item 1

Item 1 inserts the heading "Part 1--Preliminary" before regulation 1 for ease of reading.

Item 2

Item 2 inserts regulation 2A to make clear that new Schedule 1 to the HI Regulations (inserted by item 15) applies as part of the HI Regulations.

Items 3-7         Definitions

Item 3 inserts a note after the definitions heading of existing regulation 3 to clarify that a number of expressions used in the HI Regulations are defined in the HI Act, including healthcare provider organisation and individual healthcare provider.

Item 4 and 6 inserts definitions for the following terms used in new regulations into existing regulation 3: ABN, ACN, My Health Records Act and verification service.

The verification service that will initially be used for the purposes of the My Health Record system is the Document Verification Service operated by the Attorney-General's Department.

Item 5 repeals the definition of PCEHR Act in existing regulation 3, due to the name change to My Health Records Act as made by the amending Act.

Item 7 repeals the note at the end of existing regulation 3, as the note is no longer required.

Item 8             Application to partnerships, trusts and unincorporated associations

Healthcare provider organisations assigned healthcare identifiers under the HI Act, and healthcare provider organisations registered under the My Health Record Act, will be structured in a variety of ways.  For example, healthcare provider organisations could be structured as partnerships, trusts or unincorporated associations, none of which are separate legal entities in their own right.  To ensure that the authorisations, obligations and penalties set out in the HI Regulations apply appropriately to all relevant entities, notwithstanding different structures, item 8 inserts new regulation 3A. 

Regulation 3A clarifies that sections 36B, 36C and 36D of the HI Act apply to the HI Regulations, and obligations, offences (if any are later prescribed) and civil penalty provisions in the HI Regulations, in the same way as they apply to the HI Act, and obligations, offences and civil penalty provisions in the HI Act.

Items 9-13       Prescribing identifying information

Under the HI Act, restrictions apply to the collection, use and disclosure of identifying information.  To enable the necessary identifying information to be collected, used and disclosed as needed to operate the HI Service and the My Health Record system, the correct types of identifying information must be listed in section 7 of the HI Act or be prescribed in the HI Regulations.  There are a number of instances where the collection, use and disclosure of identifying information is currently not covered in section 7 of the HI Act or the current HI Regulations.

Items 9 to 13 updates and prescribes the necessary identifying information for individual healthcare providers, healthcare provider organisations and healthcare recipients to ensure the effective operation of the HI Service and the My Health Record system.

Item 9             Subregulation 5(1)

Existing paragraphs 5(1)(a)-(c) of the HI Regulations prescribe the identifying information of individual healthcare providers to include an email address, telephone number and a fax number.  This information has now been listed in paragraph 7(1)(ba) of the HI Act, therefore item 9 of the Schedule substitutes new subregulation 5(1) that no longer prescribes email addresses, telephone numbers or fax numbers.

The identifying information to be prescribed in new subregulation 5(1) is an expansion of existing paragraph 5(1)(d), which relates to the "status of the healthcare identifier" of the individual healthcare provider.  Subregulation 5(1) prescribes the following information:

(a)    whether the healthcare provider is registered with a registration authority and the status of that registration (such as conditional, suspended, cancelled or lapsed);

(b)   whether the healthcare provider is a member of a professional association of a kind described in paragraph 9A(1)(b) of the HI Act and the status of that membership (such as conditional, suspended, cancelled or lapsed);

(c)    whether the healthcare provider is, or is likely to be, deceased; and

(d)   whether the death of the healthcare provider has been verified.

This information enables the HI Service Operator and the My Health Record System Operator to determine the status of individual healthcare providers' healthcare identifiers.  That is, whether the status of an individual provider's healthcare identifier is recorded by the HI Service Operator as 'active', 'retired' or 'deactivated'.

Paragraph 5(1)(e) prescribes identifying information to include the ABN and ACN of the organisation (whichever is applicable) if the healthcare provider is linked to a healthcare provider organisation.

Items 10-12     Subregulation 5(2)

Item 10 substitutes subregulation 5(2) to clarify that the subregulation is prescribing identifying information of a healthcare provider organisation.

Item 11 repeals existing paragraphs 5(2)(a) to (d) of the HI Regulations and substitutes paragraphs 5(2)(a) and (b) prescribing the following information:

(a)    whether the organisation is registered under Division 2 of Part 3 of the My Health Records Act; and

(b)   whether the healthcare provider organisation has notified the HI Service Operator that the organisation does not wish to use a healthcare identifier, either temporarily or permanently.

Paragraph 5(2)(b) enables the HI Service Operator and the My Health Record System Operator to determine the status of healthcare provider organisations' healthcare identifiers.  That is, whether the status of a healthcare provider organisation's healthcare identifier is recorded by the HI Service Operator as 'active', 'retired' or 'deactivated'.

Item 12 prescribes identifying information to include the names and other identifying information of individual healthcare providers if the organisation is linked to an individual healthcare provider.

Item 13           Subregulation 5(3)

Currently, the HI Regulations do not prescribe any additional information as identifying information of a healthcare recipient.  Operational experience and intended future operations of the HI Service and the My Health Record system mean that some additional identifying information needs to be prescribed, so that the information may be collected, used and disclosed in accordance with the authorisations in the HI Act and the My Health Records Act.  This allows, for example, the various entities involved in the HI Service and the My Health Record system to share information as part of verifying an individual's identity when they wish to opt-out of registration, or to electronically notify a healthcare recipient when their My Health Record is accessed. 

The information prescribed by subregulation 5(3) as identifying information of healthcare recipients is:

(a)    the telephone number of the healthcare recipient;

(b)   the electronic address of the healthcare recipient;

(c)    whether the identity of the healthcare recipient has been verified;

(d)   whether a healthcare identifier assigned to the healthcare recipient has been assigned provisionally (for example, because it has not been possible to verify the identity of the healthcare recipient);

(e)    if information relating to the identity of the healthcare recipient has been, or is to be, verified using a particular form of identification document (such as a driver's licence or passport), details of that document including:

(i)            the document number; and

(ii)          the state or territory in which the document was issued; and

(iii)        the name of the entity that issued the document;

(f)    if information relating to the identity of the healthcare recipient has been, or is to be, verified by using a verification service, the response of that service to any verification inquiry in relation to the healthcare recipient;

(g)   whether the healthcare recipient is, or is likely to be, deceased;

(h)   whether the death of the healthcare recipient has been verified;

(i)     whether the healthcare recipient is a registered healthcare recipient for the purposes of the My Health Records Act;

(j)     whether the healthcare recipient is an authorised representative, or nominated representative, of another healthcare recipient, and the identity of the other healthcare recipient; and

(k)   whether the healthcare recipient, or an authorised representative or nominated representative of the healthcare recipient, has made an election under clause 5 of Schedule 1 to the My Health Records Act that the healthcare recipient not be registered under that Act.

Prescribing this information, in conjunction with the information that is already prescribed in subsection 7(3) of the HI Act, permits information to be collected, used and disclosed as part of verifying healthcare recipients' identities, communicating with healthcare recipients and determining the status of healthcare recipients' healthcare identifiers (such as whether it is recorded by the HI Service Operator as 'active', 'deceased', 'retired', 'expired' or 'resolved').

Item 14

Item 14 repeals existing regulations 6, 7, 8, 12, 13, 14 and 15 which are no longer necessary for the effective operation of the HI Service or have been amended by the below regulations.

Existing regulation 6 creates an obligation on certain healthcare providers to update information about them held by the HI Service Operator.  This regulation is repealed as the obligation to keep information updated has been moved to new section 25E of the HI Act.  New section 25E in the HI Act covers all of the obligations that are prescribed in existing regulation 6.

Regulation 6

Regulation 6 is based on certain parts of existing regulation 7.  Under regulation 6, a healthcare provider organisation must not request the HI Service Operator to disclose a healthcare identifier to the organisation, unless:

(a)    the responsible officer and the organisation maintenance officer for the organisation have had their identity verified; and

(b)   information of the kind in existing paragraphs 5(2)(g) to (l) of the HI Regulations in relation to those officers has been given to the HI Service Operator; and

(c)    the information is accurate, up-to-date and complete.

These requirements establish safeguards, ensuring that the HI Service Operator has current details for key personnel in healthcare provider organisations to which healthcare identifiers are being disclosed, and that the identity of these individuals has been verified.

If the HI Service Operator were to receive a request to disclose a healthcare identifier from a healthcare provider organisation that has made the request in contravention of new subregulation (2), the HI Service Operator may refuse to comply with the request.

Regulation 7

Regulation 7 is based on elements of current regulation 8.  Under subregulation 7(2), if a healthcare provider organisation requests the HI Service Operator to disclose a healthcare identifier, the organisation must, if it is reasonably practicable to do so, give the HI Service Operator enough information to ensure the HI Service Operator can identify by name the individual making the request without having to seek further information.  The example in regulation 7 makes clear that the information may be given as part of the data transmitted to the HI Service Operator from a healthcare provider organisation's practice management software.

If a healthcare provider organisation complies with subregulation 7(2), they do not need to keep records of the identities of the individuals requesting disclosure, or of the identifying information given to the HI Service Operator, because the HI Service Operator will record the information that has been sent to it - see section 10 of the HI Act.

Without records showing which individual within a healthcare provider organisation has accessed a healthcare identifier from the HI Service Operator, the ability to conduct timely and effective investigations may be severely curtailed.  As well as supporting the handling of complaints and investigations, information about which individual has accessed a healthcare identifier from the HI Service Operator may be used in any court proceedings brought as a result of an alleged breach of the Act or Regulations. 

Under subregulation 7(3), if it is not reasonably practicable to give the HI Service Operator the required information at the time a request is made to disclose a healthcare identifier, the healthcare provider organisation must keep a retrievable record of the identity of the individual who accessed the healthcare identifier for the organisation.  The retrievable record may be drawn from a healthcare provider organisation's own records identifying the authorised person.  These records may be kept in logs as part of the healthcare provider organisation's practice management software.

Paragraph 7(3)(c) provides that if, during the "retrieval period" for the individual making the request for disclosure, the HI Service Operator gives the healthcare provider organisation notice in writing requiring the organisation to identify the individual, the provider must identify the individual to the HI Service Operator within 14 days.

Subregulation 7(4) defines a retrieval period for an individual as any period during which the individual is authorised by the healthcare provider organisation to access healthcare identifiers on the organisation's behalf.  If the individual ceases to be authorised by the healthcare provider organisation to access healthcare identifiers on the organisation's behalf, the retrieval period extends for a further seven years starting on the day after the person ceased to be authorised.

Subregulation 7(5) creates a civil penalty, whereby healthcare provider organisations are liable of up to 50 units if the organisation contravenes regulation 7.  Under existing regulation 8 the penalty for failure to identify the individual seeking disclosure of a healthcare identifier is a criminal offence.  However, as part of the amendments to the HI Act and the My Health Records Act to ensure a consistent and graduated range of penalties across both sets of legislation, it was considered appropriate to change the penalty for a failure to identify a person requesting a healthcare identifier to a civil penalty.

Regulation 8

The recent amendments to the HI Act and My Health Records Act provide most of the authorisations currently in regulations 13 and 14 of the HI Regulations, which deal with necessary authorisations for healthcare provider organisations, the My Health Record System Operator and the HI Service Operator to assist healthcare recipients in registering with the My Health Record system.  However, regulation 8 ensures that healthcare providers are authorised to collect, use or disclose to the System Operator the identifying information or healthcare identifier of the healthcare recipient for the purposes of registering the healthcare recipient.

Item 15

Schedule 1 - Application, saving and transitional provisions

Part 1 - Application provisions relating to the Health Legislation Amendment (eHealth) Regulation 2015

Item 15 inserts new Schedule 1 at the end of the HI Regulations to describe how the amendments made by the proposed Regulation would operate and have effect and when the various changes commence.

Clause 1 defines terms used in new Schedule 1 to the HI Regulations, being amending Act (which means the Health Legislation Amendment (eHealth) Act 2015) and amending regulation (which means the Health Legislation Amendment (eHealth) Regulation 2015).

Clause 2 provides that the amendment made by item 8 of Schedule 1 to the proposed Regulation (application to partnerships, trusts and unincorporated associations) applies to obligations arising on or after the "application day" as defined in item 111 of Schedule 1 to the amending Act, and to offence (if any are later prescribed) and civil penalty provisions contravened on or after that day.

Clause 3 provides that regulations 6 and 7 (regarding details of officers and requests by healthcare provider organisations to access healthcare identifiers), as substituted by item 14 of Schedule 1 to the Regulation, apply to requests made on or after the "application day" as defined in item 111 of Schedule 1 to the amending Act.

Clause 4 provides that regulation 8 (authorisation of collection, use and disclosure - healthcare provider assisting a healthcare recipient to register), as substituted by item 14 of Schedule 1 to the Regulation, applies to the collection, use and disclosure of information on or after the "application day" as defined in item 111 of Schedule 1 to the amending Act.

Personally Controlled Electronic Health Records Regulation 2012

Item 16

Item 16 changes the name of the PCEHR Regulation from the "Personally Controlled Electronic Health Records Regulation 2012" to the "My Health Records Regulation 2012" to reflect amendments made by the amending Act.

Item 17

Item 17 inserts regulation 1.1.2A to make clear that new Schedule 1 to the PCEHR Regulation (inserted by item 39) applies as part of the PCEHR Regulation.

Items 18-26     Definitions

Item 18 inserts a note after the definitions heading of existing regulation 1.1.3 to clarify that a number of expressions used in new regulations are defined in the My Health Records Act, including healthcare provider organisation and individual healthcare provider.

Items 19, 21, 23 and 25 inserts definitions for the following terms used in new regulations into existing regulation 1.1.3: ABN, ACN, organisation maintenance officer, responsible officer and verification service.

The verification service that will initially be used for the purposes of the My Health record system is the Document Verification Service operated by the Attorney-General's Department.

Item 20 updates the definition of "Act" to mean "My Health Records Act 2012", reflecting changes made to the My Health Records Act by the amending Act.

Items 22 and 24 repeal the definitions for Remuneration Tribunal Determination and Travel Determination which are no longer necessary due to the repeal of Part 2 of the existing PCEHR Regulation.

Item 26 repeals the note at the end of existing regulation 1.1.3 as the note will no longer be necessary.

Items 27-32     Prescribing Identifying Information

The HI Act and the My Health Records Act restrict the collection, use and disclosure of identifying information.  To enable the necessary identifying information to be collected, used and disclosed as needed to operate the My Health Record system and the HI Service, the correct types of identifying information must be listed in section 9 of the My Health Records Act or be prescribed in the PCEHR Regulations.  There are a number of instances where the collection, use and disclosure of identifying information is currently not covered in section 9 of the My Health Records Act or the current PCEHR Regulation.

Items 27 to 32 update and prescribe the necessary identifying information for individual healthcare providers, healthcare provider organisations and healthcare recipients to ensure the effective operation of the My Health Record system.

Item 27           Regulation 1.1.5

The information prescribed in regulation 1.1.5 is an expansion of existing regulation 1.1.5 which relates to the status of the healthcare identifier of individual healthcare providers.  Regulation 1.1.5 prescribes the following information:

(a)    whether the healthcare provider is registered with a registration authority and the status of that registration (such as conditional, suspended, cancelled or lapsed);

(b)   whether the healthcare provider is a member of a professional association of the kind described in paragraph 9A(1)(b) of the HI Act and the status of that membership (such as conditional, suspended, cancelled or lapsed);

(c)    whether the healthcare provider is, or is likely to be, deceased (that is, whether the status of the provider's healthcare identifier is recorded by the HI Service Operator as 'deceased');

(d)   whether the death of the healthcare provider has been verified (that is, whether the status of the provider's healthcare identifier is recorded by the HI Service Operator as 'retired'); and

(e)    whether the healthcare provider is linked to a healthcare provider organisation and, if so, the name of the organisation and the ABN and ACN of the organisation (whichever is applicable).

This information will enable My Health Record System Operator and the HI Service Operator to determine the status of individual healthcare providers' healthcare identifiers. That is, whether the status of an individual provider's healthcare identifier is recorded by the HI Service Operator as 'active', 'retired' or 'deactivated'.

Items 28-31     Regulation 1.1.6

Item 28 clarifies that the existing regulation is prescribing identifying information of a healthcare provider organisation.

Item 29 repeals existing paragraph 1.1.6(a) of the PCEHR Regulation and substitutes paragraphs 1.1.6(a) and (aa) prescribing the following information:

(a)    whether the organisation is registered under Division 2 of Part 3 of the My Health Records Act;

(b)   whether the healthcare provider organisation has notified the HI Service Operator that the organisation does not wish to use a healthcare identifier, either temporarily or permanently.

Paragraphs 1.1.6(a) and (aa) will enable the My Health Record System Operator and the HI Service Operator to determine the status of healthcare provider organisations' healthcare identifiers.  That is, whether the status of a healthcare provider organisation's healthcare identifier is recorded by the HI Service Operator as 'active' or 'retired'.

Item 30 updates the reference to "a consumer" in existing paragraph 1.1.6(c) to "a healthcare recipient", reflecting changes made to the My Health Records Act by the amending Act.

Item 31 prescribes identifying information of a healthcare provider organisation to also include the names and other identifying information of individual healthcare providers, if the organisation is linked to one or more individual healthcare providers.

Item 32           Regulation 1.1.7

The PCEHR Regulation does not prescribe any additional information as identifying information of a healthcare recipient.  Operational experience and intended future operation of the My Health Record system and the HI Service mean some additional identifying information needs to be prescribed, so that the information may be collected, used and disclosed in accordance with the authorisations in the My Health Records Act and the HI Act.  This allows, for example, the various entities involved in the My Health Record system and the HI Service to share information as part of verifying an individual's identity when they wish to opt-out of registration, or to electronically notify a healthcare recipient when their My Health Record is accessed.   

The information prescribed by regulation 1.1.7 as identifying information is:

(a)    the telephone number of the healthcare recipient;

(b)   the electronic address of the healthcare recipient;

(c)    whether the identity of the healthcare recipient has been verified;

(d)   whether a healthcare identifier assigned to the healthcare recipient has been assigned provisionally (for example, because it has not been possible to verify the identity of the healthcare recipient);

(e)    if information relating to the identity of the healthcare recipient has been, or is to be, verified using a particular form of identification document (such as a driver's licence or passport), details of that document including:

(i)     the document number; and

(ii)   the state or territory in which the document was issued; and

(iii) the name of the entity that issued the document;

(f)    if information relating to the identity of the healthcare recipient has been, or is to be, verified by using a verification service, the response of that service to any verification inquiry in relation to the healthcare recipient;

(g)   whether the healthcare recipient is, or is likely to be, deceased;

(h)   whether the death of the healthcare recipient has been verified;

(i)     whether the healthcare recipient is a registered healthcare recipient for the purposes of the Act;

(j)     whether the healthcare recipient is an authorised representative, or nominated representative, of another healthcare recipient, and the identity of the other healthcare recipient; and

(k)   whether the healthcare recipient, or an authorised representative or nominated representative of the healthcare recipient, has made an election under clause 5 of Schedule 1 to the Act that the healthcare recipient not be registered under the Act.

Item 33           Repeal of Part 2

Current Part 2 of the PCEHR Regulation deals with a number of administrative and procedural matters relating to the Jurisdictional Advisory Committee (JAC) and Independent Advisory Council (IAC). 

The Health Legislation Amendment (eHealth) Act 2015 repealed Divisions 1 and 2 of Part 2 of the My Health Records Act which established the JAC and IAC.  As noted in the explanatory memorandum to the Health Legislation Amendment (eHealth) Bill 2015, it is intended that the Australian Commission for eHealth (yet to be established and now to be known as the Australian Digital Health Agency) will become the System Operator in 2016.  It is intended that new advisory bodies will be established as part of the new Commission, and these bodies will be responsible for providing expert advice to the System Operator about the My Health Record system, including fulfilling the current roles of the IAC and JAC.

Given this situation, Part 2 of the PCEHR Regulation is no longer required.  Item 33 repeals Part 2.

Item 34           Regulation 3.1.1A

Operational experience and the proposed move to the opt-out model have revealed the need for the System Operator to collect additional information before a healthcare recipient will be eligible to be registered.

For the purposes of opt-in registration under subparagraph 40(b)(v) of the My Health Records Act, information about whether the identity of the healthcare recipient has been verified and whether a healthcare identifier assigned to the healthcare recipient has been assigned provisionally (for example, because it has not been possible to verify the identity of the healthcare recipient) is prescribed.

For the purposes of opt-out registration under subparagraph 4(b)(v) of Schedule 1 to the My Health Records Act the same information is prescribed and additionally whether the healthcare recipient is, or is likely to be, deceased and whether the death of the healthcare recipient has been verified.

Prescribing this information will help ensure, for example, that the System Operator does not inadvertently register healthcare recipients who are deceased as part of opt-out registration.

Items 35-37     Regulation 3.1.1

Item 35 amends the heading to existing regulation 3.1.1 to reflect the change from "consumer" to "healthcare recipient", consistent with amendments made by the amending Act.

Currently, regulation 3.1.1 of the PCEHR Regulation prescribes state and territory legislation that is preserved under subsection 41(4) of the My Health Records Act.

Under the new opt-out registration arrangements (set out in Schedule 1 to the My Health Records Act), some state and territory laws still need to be prescribed so that they continue to have effect despite the new authorisation for healthcare providers to upload healthcare information under clause 9 of Schedule 1 of the My Health Records Act.

Item 36 amends existing regulation 3.1.1 so that preserved laws apply regardless of whether:

(a)    the healthcare recipient is registered by the System Operator under Part 3, Division 1 of the My Health Records Act (and therefore subsection 41(4) applies); or

(b)   the healthcare recipient is registered under new Schedule 1 of the My Health Records Act (and therefore uploading of information under clause 9 of Schedule 1 applies). 

The Public Health Act 1991 (NSW) was repealed with effect from 1 September 2012 by section 135 of the Public Health Act 2010 (NSW).  As a result, item 37 repeals existing paragraph 3.1.1(a).

Item 38

Regulation 4.1.1         Prescribed information to be included in a My Health Record

Healthcare recipients may wish to include in their My Health Record certain Veterans' Affairs Department (DVA) medical and claims information.  In practice, this information is provided by DVA to the Chief Executive Medicare for claims processing, and it is the Chief Executive Medicare who provides this information to the System Operator.

As part of the changes made by the amending Act, a number of authorisations previously found in the HI Act were moved to the My Health Records Act.  One particular change was moving previous section 22D of the HI Act, which allowed prescribed information to be included in a My Health Record.  This regulation making power was moved to section 58A (for opt-in healthcare recipients) and clause 8 of Schedule 1 (for opt-out healthcare recipients) of the My Health Records Act.  As a result, item 38 inserts new regulation 4.1.1 which is based on existing regulation 12 of the HI Regulations.

Regulation 4.1.2         Verifying identity of healthcare recipients etc.

As part of running the My Health Record system, the System Operator may need to disclose identifying information about healthcare recipients, authorised representatives and nominated representatives to the operator of a verification service in order to help verify an individual's identity.  It is currently intended that the System Operator will use the Document Verification Service, operated by the Attorney-General's Department, as a verification service.

Therefore, regulation 4.1.2 authorises the Attorney General's Department to collect, use and disclose to the System Operator identifying information of healthcare recipients, authorised representatives and nominated representatives for the purposes of assisting the System Operator to verify the identity of an individual.

Regulation 5.1.1         Subcommittee of the Ministerial Council

New subsection 109(2) of the My Health Records Act requires the Minister to consult with the System Operator and a subcommittee of the Ministerial Council, prescribed by the regulations, before the Minister can make My Health Records Rules.  Similarly, new subclause 1(3) of Schedule 1 of the Act requires the Minster to consult with a subcommittee of the Ministerial Council before making rules relating to opt-out trials.

For the purposes of subsection 109(2)(b) and subclause 1(3) of Schedule 1 to the My Health Records Act , the Australian Health Ministers' Advisory Council is prescribed.  If the Advisory Council ceases to exist--a subcommittee of the Ministerial Council that has been given the Advisory Council's functions in relation to electronic health records is prescribed.

Item 39

Schedule 1 - Application, saving and transitional provisions

Part 1 - Application provisions relating to the Health Legislation Amendment (eHealth) Regulation 2015

Item 39 inserts new Schedule 1 at the end of the PCEHR Regulation to describe how the amendments made by the proposed Regulation will operate and have effect and when the various changes commence.

Clause 1 defines terms used in Division 1 being amending Act (which means the Health Legislation Amendment (eHealth) Act 2015) and amending regulation (which means the Health Legislation Amendment (eHealth) Regulation 2015).

Clause 6.1.2 provides that the amendments made by items 22, 24 and 33 of Schedule 1 to the Regulation (repeal of Part 2 and definitions relating to IAC and JAC) apply on and after the "governance restructure day" as defined in item 112 of Schedule 1 to the amending Act.

Clause 6.1.3 provides that the amendments made by item 34 of Schedule 1 to the Regulation (regulation prescribing information needed for registration) apply in relation to the registration of a healthcare recipient on or after the commencement of that Schedule.

 

 

Statement of Compatibility with Human Rights

Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011

Health Legislation Amendment (eHealth) Regulation 2015

The Regulation is compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.

Overview of the Regulation

The Regulation makes amendments to the Healthcare Identifiers Regulations 2010 (HI Regulations) and the Personally Controlled Electronic Health Records Regulation 2012 (PCEHR Regulation) to support the changes made by the Health Legislation Amendment (eHealth) Act 2015 and to further support the effective operation of the Healthcare Identifiers Service (HI Service) and the My Health Record system.

The Regulation:

(a)    defines terms used in new regulations and updates references due to amendments made by the Health Legislation Amendment (eHealth) Act 2015;

(b)   clarifies how the HI Regulations apply in relation to partnerships, trusts and unincorporated associations;

(c)    updates and prescribes identifying information of individual healthcare providers, healthcare provider organisations and healthcare recipients;

(d)   repeals regulations no longer necessary due to amendments made by the Health Legislation Amendment (eHealth) Act 2015;

(e)    updates and prescribes the process for disclosing healthcare identifiers and related information required to be given to the HI Service Operator;

(f)    updates the regulation authorising the collection, use or disclosure of identifying information or healthcare identifiers for the purposes of assisted registration;

(g)   prescribes information in relation to a healthcare recipient needed for registration;

(h)   updates preserved state and territory legislation;

(i)     prescribes information that may be included in a My Health Record;

(j)     authorises the Attorney-General's Department to collect, use and disclose identifying information for the purposes of assisting the System Operator to verify the identity of a person; and

(k)   prescribes the Australian Health Ministers' Advisory Council as the subcommittee of the Ministerial Council, for the purposes of consultation prior to making rules.

Human rights implications

The Regulation engages the following human rights:

Right to protection of privacy and reputation

Article 17 of the International Covenant on Civil and Political Rights (ICCPR) prohibits the unlawful or arbitrary interference with a person's privacy and unlawful attacks on a person's reputation.  This right is also reflected in Article 22 of the Convention on the Rights of Persons with Disabilities (CRPD) and Article 16 of the Convention on the Rights of the Child (CRC).

The right to privacy includes respect for informational privacy including the right to respect the storing, use and sharing of private information and right to control the dissemination of private information.  The Regulation engages the right to privacy by:

(a)    prescribing identifying information for individual healthcare providers, healthcare provider organisations and healthcare recipients that can be collected, used and disclosed to various participants;

(b)   prescribing the collection, use or disclosure of identifying information or healthcare identifiers for the purposes of assisted registration;

(c)    prescribing information in relation to a healthcare recipient needed for registration;

(d)   prescribing Department of Veterans' Affairs information that may be included in a My Health Record; and

(e)    authorising the Attorney-General's Department to collect, use and disclose identifying information for the purposes of identity verification.

For the HI Service and the My Health Record system to operate effectively and to ensure the correct healthcare recipient is registered, opted-out (where this is the individual's wish), and matched with the correct health information, identifying information must be prescribed and collection, use and disclosure by the HI Service Operator and various participants in the My Health Record system must be authorised.  Without this information being shared between these parties, the individuals' identities could not be accurately verified and the HI Service and the My Health Records system would not be able to operate effectively or securely, and the expected health improvements would not be realised.  While some additional personal information about healthcare recipients would be authorised for collection, use and disclosure under the amendments made by the Regulation, any effect on the right to privacy is a proportionate, necessary and reasonable way of achieving the policy objective of improved health outcomes for all Australians.

Safeguards in place under both the Healthcare Identifiers Act 2010 and the My Health Records Act 2012, such as access controls and criminal and civil penalties for misuse of identifying information and health information, are a privacy positive outcome.

Conclusion

The Regulation is compatible with human rights because any limitation of the right to privacy is proportionate, necessary and reasonable to achieving improved healthcare for all Australians.

The Hon Sussan Ley, MP

Minister for Health