Health Legislation Amendment (eHealth Bill) 2015 introduced into the House of Representatives
September 18, 2015
Yesterday the Government introduced and read for a first and second time the Health Legislation Amendment (eHealth) Bill 2015.
The Bill is a 126 page behemoth which will warrant close scrutiny. Briefly, some notable features of the Bill are:
- Part 3 provides for the collection, use and disclosure of the healthcare identifiers, identifying information and other information. The simplified outline describes the process as:
This Part authorises the collection, use and disclosure of healthcare identifiers, identifying information and other information.
Healthcare identifiers and other information relating to healthcare recipients
The service operator may collect information about a healthcare recipient from various sources for the purpose of assigning a healthcare identifier to the recipient. Once a healthcare identifier is assigned to a healthcare recipient, the service operator may disclose it to healthcare providers to assist in communicating and managing health information. The healthcare identifier may also be disclosed to other entities to assist in the operation of the My Health Record system.
A healthcare provider can obtain the healthcare identifier of a healthcare recipient from the service operator, so that the healthcare provider can communicate and manage health information. The healthcare provider can use the healthcare identifier in providing healthcare, for example, by using it to access the My Health Record of a healthcare recipient.
Healthcare identifiers and other information relating to healthcare providers
Under Part 2, the service operator must keep a record of the healthcare identifiers that have been assigned and other information relating to healthcare identifiers. As a national registration authority assigns healthcare identifiers to most healthcare providers, the service operator may obtain information for the record from a national registration authority.
Under Part 2, the service operator assigns healthcare identifiers to healthcare providers in a number of cases. The service operator may collect information about a healthcare provider from various sources for the purposes of assigning those identifiers.
The service operator may disclose the healthcare identifiers of healthcare providers to healthcare providers to assist in communicating and managing health information. The healthcare identifier may also be disclosed to other entities to assist in the operation of the My Health Record system.
A healthcare provider can obtain the healthcare identifier of a healthcare provider from the service operator, so that the healthcare provider can communicate and manage health information. This includes the use of the identifier in electronic transmissions. The collection, use and disclosure of identifying information and healthcare identifiers is permitted for the purposes of authenticating a healthcare provider’s identity in electronic transmissions.
A person must not use or disclose information collected for the purposes of the Act or healthcare identifiers, except where required or authorised to do so under the Act or in other limited circumstances. Criminal and civil penalties apply if this obligation is breached.
Clause 20 (regulations relating to the healthcare identifier and identifying information of a health care recipient) makes it clear that the regulations will determine the scope (and restriction) of the “authorisation” to collect, use or disclose identifying information, and its use for other purposes (subject to limitations set out in clause 20(3)). A similar approach is adopted in clause 25D, relating to the healthcare identifier. Division 6 deals with collection, use and disclosure of information in the My Record System.
- Clause 25E requires the health care information to be up to date and complete.
- Division 4 sets out provisions prohibiting misuse of information.
- Regarding the operation of the Privacy Act, the simplified outline is clear when it states:
If a person is authorised to collect, use or disclose information under this Act, the person will not interfere with the privacy of an individual for the purposes of the Privacy Act 1988 in doing so.
Section 26 imposes a higher standard of privacy in relation to healthcare identifiers than is imposed in relation to other information. If a person uses or discloses a healthcare identifier in circumstances that are not permitted under that section, the person will not only be subject to criminal and civil penalties. That action will also be an interference with privacy for the purposes of the Privacy Act 1988, and can be dealt with as such under that Act.
- There are enforcement provisions: civil penalty provisions in clause 31C and Part 6 (clause 79), with the Information Commissioner being the authorised applicant. There is also scope for enforceable undertakings in section 31D and clause 80 and injunctive relief in clauses 31E and 81, in relation to which both the service (or system) operator and the Information Commissioner have authorisation to take such action. There is a specific requirement that My Health Records not be contravened (Clause 78), with a civil penalty of 100 penalty points attaching to a contravention. There are also criminal penalties. For example, a breach of clause 26 relating to the unauthorised use and disclosure of health care identifiers attracts criminal penalties.
- Schedule 1, Part 1 provides that the My Record system will probably (the Minister may make My Health Record rules) adopt an opt-out model. This is also described in the outline, which provides:
The My Health Record system is a system for making health information about a healthcare recipient available for the purposes of providing healthcare to the recipient.
A healthcare recipient will have a My Health Record if the recipient registers in the My Health Record system. The Minister may, however, provide that the opt-out model is to apply under My Health Records Rules made under Schedule 1. A healthcare recipient covered by those Rules will be registered in the My Health Record system, and have a My Health Record, unless the recipient elects to opt-out of the system.
The My Health Record system is operated by the System Operator. The System Operator operates the National Repositories Service, that stores key records that form part of a healthcare recipient’s My Health Record. Other records are stored by registered repository operators. Together these records make up a healthcare recipient’s My Health Record.
If a healthcare recipient is registered in the My Health Record system, a healthcare provider may upload health information about the recipient to the My Health Record system, unless the record is one which the healthcare recipient has advised the healthcare provider not to upload or the record is not to be uploaded under prescribed laws of a State or Territory.
Health information may be collected, used and disclosed from a healthcare recipient’s My Health Record for the purpose of providing healthcare to the recipient, subject to any access controls set by the recipient (or if none are set, default access controls). There are other limited circumstances in which health information may be collected, used or disclosed from a My Health Record. Criminal and civil penalties apply if a person collects, uses or discloses information from a My Health Record without authorisation. Enforceable undertakings and injunctions are also available to enforce the provisions of this Act.
An authorisation to collect, use or disclose information under this Act is also an authorisation to do so for the purposes of the Privacy Act 1988. A contravention of this Act is also an interference with privacy for the purposes of the Privacy Act 1988, and so can be investigated under that Act.
That said, clause 7A requires an authorised representative of a health care recipient to make reasonable efforts to ascertain the recipient's will and preferences regarding his or her My Health Record.
- There are data notification requirements and procedures set out in clause 75, with civil penalties for a failure to notify the system operator or the Information Commissioner as required.
The second reading speech is not particularly lengthy. It provides:
The introduction of the bill has been reported in "Govt introduces bill for opt-out e-health records", which provides:
New criminal penalties for breaches.
The federal government has introduced a bill into parliament that will enable it to transform its stalled e-health records regime by automatically creating a record for every Australian by default.
The bill entered parliament before the Department of Health commenced pilots of the new ‘opt-out’ approach to getting healthcare recipients registered for an electronic record.
The bulk of the pilots are due to be carried out in 2015-16, at a range of sites.
The new laws will allow health authorities to automatically set up online accounts for selected participants using names, addresses and health identification numbers pulled out of the Medicare database.
Once the pilots are complete, the legislation – if passed – will allow for the opt-out approach to be expanded to all Australian healthcare recipients, should the trials prove successful.
The bill, which seeks to replace existing legislation governing the personally controlled electronic health record (PCEHR), also expands the mandatory reporting regime for information security breaches, and introduces new criminal penalties for unlawful disclosure of information.
The penalties come with a maximum sentence of two years’ jail, and civil fines for organisations capped at $540,000.
Should the bill become law, all registered healthcare providers and their service providers will be brought into the mandatory reporting regime, which previously only applied to information repository and portal operators.
A new organisation called the Australian Commission for eHealth will be set up in 2016 to operate the system, which would also receive a statutory name change to My Health Record under the bill.
The existing PCEHR Jurisdictional Advisory Committee and Independent Advisory Council are abolished under the bill.