Health Legislation Amendment (eHealth Bill) 2015 introduced into the House of Representatives

September 18, 2015 |

Yesterday the Government introduced and read for a first and second time the Health Legislation Amendment (eHealth) Bill 2015.

The Bill is a 126 page behemoth which will warrant close scrutiny.  Briefly it is worth noting some notable features of the Bill:

  • Part 3 provides for the collection, use and disclosure of the healthcare identifiers, identifying information and other information. The simplified outline describes the process as:

This Part authorises the collection, use and disclosure of healthcare identifiers, identifying information and other information.

Healthcare identifiers and other information relating to healthcare recipients

The service operator may collect information about a healthcare recipient from various sources for the purpose of assigning a healthcare identifier to the recipient. Once a healthcare identifier is assigned to a healthcare recipient, the service operator may disclose it to healthcare providers to assist in communicating and managing health information. The healthcare identifier may also be disclosed to other entities to assist in the operation of the My Health Record system.

A healthcare provider can obtain the healthcare identifier of a healthcare recipient from the service operator, so that the healthcare provider can communicate and manage health information. The healthcare provider can use the healthcare identifier in providing healthcare, for example, by using it to access the My Health Record of a healthcare recipient.

Healthcare identifiers and other information relating to healthcare providers

Under Part 2, the service operator must keep a record of the healthcare identifiers that have been assigned and other information relating to healthcare identifiers. As a national registration authority assigns healthcare identifiers to most healthcare providers, the service operator may obtain information for the record from a national registration authority.

Under Part 2, the service operator assigns healthcare identifiers to healthcare providers in a number of cases. The service operator may collect information about a healthcare provider from various sources for the purposes of assigning those identifiers.

The service operator may disclose the healthcare identifiers of healthcare providers to healthcare providers to assist in communicating and managing health information. The healthcare identifier may also be disclosed to other entities to assist in the operation of the My Health Record system.

A healthcare provider can obtain the healthcare identifier of a healthcare provider from the service operator, so that the healthcare provider can communicate and manage health information. This includes the use of the identifier in electronic transmissions. The collection, use and disclosure of identifying information and healthcare identifiers is permitted for the purposes of authenticating a healthcare provider’s identity in electronic transmissions.

A person must not use or disclose information collected for the purposes of the Act or healthcare identifiers, except where required or authorised to do so under the Act or in other limited circumstances. Criminal and civil penalties apply if this obligation is breached.

Clause 20 (regulations relating to the healthcare identifier and identifying information of a health care recipient make it clear that the regulations will determine the scope (and restriction) of the “authorisation” to collect, use or disclose identifying information, its use for other purposes (subject to limitations set out in clause 20(3).  A similar approach is adopted in clause 25D, relating to the healthcare identifier.  Division 6 deals with collection, use and disclosure of information in the My Record System.

  • Clause 25E requires the health care information up to date and complete.
  • Division 4 sets out provisions prohibiting misuse of information.
  • Regarding the operation of the Privacy Act the simplified outline is clear when it states:

If a person is authorised to collect, use or disclose information under this Act, the person will not interfere with the privacy of an individual for the purposes of the Privacy Act 1988 in doing so.

Section 26 imposes a higher standard of privacy in relation to healthcare identifiers than is imposed in relation to other information. If a person uses or discloses a healthcare identifier in circumstances that are not permitted under that section, the person will not only be subject to criminal and civil penalties. That action will also be an interference with privacy for the purposes of the Privacy Act 1988, and can be dealt with as such under that Act.

  • There are enforcement provisions.  Civil Penalty provisions in clause 31C and Part 6 (clause 79) with the Information Commissioner being the authorised applicant.  There is also scope for enforceable undertakings in section 31D and clause 80 and injunctive relief in clauses 31E and 81 in relation to which both the service (or system) operator and the Information Commissioner have authorisation to take such action. There is a specific requirement that My Health Records not be contravened (Clause 78) with a civil penalty of 100 penalty points attaching to a contravention.  There are criminal penalties.  For example a breach of clause 26 relating to the unauthorised use and disclosure of health care identifiers attracts criminal penalties.
  • Schedule 1, Part 1 provides that the My Record system will probably (the Minister may make My Health Record rules)  adopt an opt out model.  This is also described in the outline  which provides:

The My Health Record system is a system for making health information about a healthcare recipient available for the purposes of providing healthcare to the recipient.

A healthcare recipient will have a My Health Record if the recipient registers in the My Health Record system. The Minister may, however, provide that the opt?out model is to apply under My Health Records Rules made under Schedule 1. A healthcare recipient covered by those Rules will be registered in the My Health Record system, and have a My Health Record, unless the recipient elects to opt?out of the system.

The My Health Record system is operated by the System Operator. The System Operator operates the National Repositories Service, that stores key records that form part of a healthcare recipient’s My Health Record. Other records are stored by registered repository operators. Together these records make up a healthcare recipient’s My Health Record.

If a healthcare recipient is registered in the My Health Record system, a healthcare provider may upload health information about the recipient to the My Health Record system, unless the record is one which the healthcare recipient has advised the healthcare provider not to upload or the record is not to be uploaded under prescribed laws of a State or Territory.

Health information may be collected, used and disclosed from a healthcare recipient’s My Health Record for the purpose of providing healthcare to the recipient, subject to any access controls set by the recipient (or if none are set, default access controls). There are other limited circumstances in which health information may be collected, used or disclosed from a My Health Record. Criminal and civil penalties apply if a person collects, uses or discloses information from a My Health Record without authorisation. Enforceable undertakings and injunctions are also available to enforce the provisions of this Act.

An authorisation to collect, use or disclose information under this Act is also an authorisation to do so for the purposes of the Privacy Act 1988. A contravention of this Act is also an interference with privacy for the purposes of the Privacy Act 1988, and so can be investigated under that Act.

That said, clause 7A requires an authorised representative of a health care recipient to make reasonable efforts to ascertain the recipients will and preferences regarding his or her My Health Record.

  • There are data notification requirements and procedures set out in clause 75 with civil penalties for a failure to notify the system operator or the information Commissioner as required.

The second reading speech is not particularly lengthy.  It provides:

I am pleased to introduce the Health Legislation Amendment (eHealth) Bill 2015, which implements the government’s recent $485 million budget announcement on eHealth. These changes are just one small aspect of the government’s broader digital health agenda.
This bill takes the first important steps to reboot our national electronic health records system to deliver an effective system that will help improve the health of all Australians, as well as realising the benefits that instant access to and sharing of electronic health records can provide.
A review of the personally controlled electronic health record in 2013 found that there was overwhelming support to continue implementing a national and consistent shared electronic health record system for all Australians, but that a change in approach was needed to correct a number of early implementation issues, and a lack of confidence in the system from clinicians and consumers due to these issues.
The Healthcare Identifiers Service, a key foundation of the electronic health record system, was also the subject of a review in 2013. This review found that some adjustments are required to improve its operation to better support access to and sharing of information in the electronic health record system.
This bill implements the recommendations from both of these reviews which are aimed at facilitating increased participation in the system and improvements in the usability and clinical content available in the system for individuals and their healthcare providers.
Firstly, the personally controlled electronic health record will be renamed My Health Record—which is a simpler, more meaningful and clearer name for individuals to relate to.
The system is currently an opt-in system, where you have to actively apply to have your electronic health record created, and as it stands only around one in 10 Australians have an electronic health record set up. The review
concluded that this is not a large enough population to make it an effective national system, nor is it worth the time for doctors to use it.
Healthcare providers have overwhelmingly indicated through the review process that, if the majority of their patients have a My Health Record, they would be much more willing to use it. This means more doctors would add their patients’ health information to it, and this will improve the overall value of the system for both patients and the healthcare providers who care for them.
To increase uptake by individuals, the government will be conducting trials of different participation
arrangements in 2016 to identify the optimal approaches for maximising participation in the system. This will include trials of opt-out participation arrangements.
Individuals in opt-out trials will automatically have a My Health Record created for them unless they opt out, which they will be able to do in a number of ways. Extensive communication will be undertaken in the trials before trials begin to allow individuals to make an informed decision about whether or not to opt out. The process and the criteria for selecting locations to conduct the trials will be made publicly available before the trial sites are selected, and this bill provides that I, as the responsible minister, in consultation with the states and territories, will be able to make rules under the act to apply opt-out participation arrangements to a particular geographic area, allowing these trials to occur.
 
Importantly, individuals will continue to be able to control access to their My Health Record through a range of existing access control settings in the system. This includes the ability to instruct healthcare providers not to upload certain information into their health record.

Outside the opt-out trials, the My Health Record system will continue to operate on an opt-in basis.
If the trials provide evidence that an opt-out system is a better approach for improving participation in the My Health Record system, the bill provides the ability for the government to extend opt-out arrangements nationally, in consultation with the states and territories.
Given the nature of information that may be contained in a My Health Record, the bill will increase the range of enforcement and penalty options available if someone intentionally or deliberately misuses the information or commits an act that may compromise the security or integrity of the system. This is an important protection for consumers who have their health information contained within their health record. Criminal penalties will now be available, in addition to the existing civil penalties and other sanctions, such as enforceable undertakings and injunctions. However, neither civil nor criminal penalties are triggered if someone simply makes a mistake.
Additionally, the enforcement and penalty options available for the Healthcare Identifiers Service will be aligned with those for the My Health Record system.
The bill also provides for a number of consequential amendments and additional clarifications. The scope of what is considered to be a health service and health information has long been subject to some ambiguity, and in 2008 the Australian Law Reform Commission recommended changes to the Commonwealth Privacy Act to remove uncertainty.
This bill implements those recommendations, amending the Privacy Act to make it clear that a health related disability, palliative care or aged-care service is considered to be a health service, and information about an illness or injury, and medical information about a genetic relative, is considered to be health information.
These clarifications reflect current practice in the health sector and will facilitate integration of health information and health related services to support improved continuity of care for patients.
The bill will make way for forthcoming changes to the governance of digital health in Australia.
The Australian Commission for eHealth will be established in coming months to oversee the operation and evolution of national e-health systems. Among other things this commission will become the system operator of the My Health Record. This commission is intended to remove the complexities associated with the current governance arrangements, strengthen accountability and improve transparency and stakeholder involvement, and it was another key recommendation of the PCEHR review.
An implementation task force is currently being established to design, establish and transition to the new governance arrangements. The task force will oversee the transition of functions from the Department of Health and the National E-Health Transition Authority to the new organisation. The National E-Health Transition Authority will be disbanded.
The Department of Health will continue to be responsible for the policy underlying national digital health programs, and for the supporting legislation.
In line with government’s cutting red tape strategy, the bill will reduce burden by making amendments that will mean healthcare organisations will no longer need to enter into a participation agreement with the system operator. Entering into these agreements can be complex, and time consuming for organisations, and it is simply another barrier, and more paperwork that needs to be completed before organisations can participate in the My Health Record system.
We just do not know what kinds of new and innovative digital health services are just around the corner. The way in which services are provided and who provides them may become important to the efficient delivery of health care. If we do not anticipate innovation, our current processes and protections may prohibit new services and the providers of these services from becoming part of the My Health Record system.
 Having said that, it is equally important that we continue to protect the integrity of the My Health Record system and the Healthcare Identifiers Service and exercise effective controls over who is able to become a service provider in the digital health system.
For these reasons, the bill will establish a mechanism that will allow the government to make regulations to authorise new entities to handle healthcare identifiers and other protected information. This power will be limited to circumstances that relate directly to providing or facilitating health care or assisting individuals who require support for health reasons.
As part of measures to simplify and streamline the My Health Record system, the bill will establish new copyright arrangements. At present, healthcare organisations participating in the My Health Record system, and the system operator, rely on copyright licences to use information in the system without infringing anyone’s copyright.
In place of licences, the bill will establish new copyright exceptions in the Copyright Act. These will ensure that upload, download and use of works in the My Health Record system do not infringe copyright.
The bill will make a range of other amendments intended to clarify and improve the My Health Record system and Healthcare Identifiers Service.
The My Health Record system has the potential to change the nature of health care in Australia and become a widely accepted everyday part of good healthcare management. These improvements we are making get us closer to reaching that goal. I commend the bill to the House.
Debate adjourned

The introduction of the bill has been reported in Govt introduces bill for opt-out e-health records which provides:

New criminal penalties for breaches.

The federal government has introduced a bill into parliament that will enable it to transform its stalled e-health records regime by automatically creating a record for every Australian by default.

The bill entered parliament before the Department of Health commenced pilots of the new ‘opt-out’ approach to getting healthcare recipients registered for an electronic record.

The bulk of the pilots are due to be carried out in 2015-16, at a range of sites.

The new laws will allow health authorities to automatically set up online accounts for selected participants using names, addresses and health identification numbers pulled out of the Medicare database.

Once the pilots are complete, the legislation – if passed – will allow for the opt-out approach to be expanded to all Australian healthcare recipients, should the trials prove successful.

The bill, which seeks to replace existing legislation governing the personally controlled electronic health record (PCEHR), also expands the mandatory reporting regime for information security breaches, and introduces new criminal penalties for unlawful disclosure of information.

The penalties come with a maximum sentence of two years’ jail, and civil fines for organisations capped at $540,000.

Should the bill become law, all registered healthcare providers and their service providers will be brought into the mandatory reporting regime, which previously only applied to information repository and portal operators.

A new organisation called the Australian Commission for eHealth will be set up in 2016 to operate the system, which would also receive a statutory name change to My Health Record under the bill.

The existing PCEHR Jurisdictional Advisory Committee and Independent Advisory Council are abolished under the bill.

2 Responses to “Health Legislation Amendment (eHealth Bill) 2015 introduced into the House of Representatives”

  1. Health Legislation Amendment (eHealth Bill) 2015 introduced into the House of Representatives | Australian Law Blogs

    […] Health Legislation Amendment (eHealth Bill) 2015 introduced into the House of Representatives […]

  2. samuel

    Thanks for the excellent blog.

Leave a Reply