Health Legislation Amendment (Data-matching and Other Matters) Act 2019 (121 of 2019)

Schedule 1   Data-matching

Part 1   Main amendments

National Health Act 1953

1   After Part VIII

Insert:

Part VIIIA - Data-matching

132A Definitions

In this Part:

authorised Commonwealth entity means a Commonwealth entity that is authorised under subsection 132B(2) to match information under subsection 132B(1) on the Chief Executive Medicare's behalf.

Commonwealth entity has the same meaning as in the Public Governance, Performance and Accountability Act 2013.

general treatment has the same meaning as in the Private Health Insurance Act 2007.

Health Practitioner Regulation National Law means:

(a) for a State or Territory other than Western Australia - the Health Practitioner Regulation National Law set out in the Schedule to the Health Practitioner Regulation National Law Act 2009 (Qld), as it applies (with or without modification) as a law of the State or Territory; or

(b) for Western Australia - the Health Practitioner Regulation National Law (WA) Act 2010 (WA), so far as that Act corresponds to the Health Practitioner Regulation National Law set out in the Schedule to the Health Practitioner Regulation National Law Act 2009 (Qld).

inappropriate practice has the same meaning as in Part VAA of the Health Insurance Act 1973.

permitted purpose: each of the following is a permitted purpose for the matching of data:

(a) identifying whether a person may have, under a medicare program, claimed or been paid a benefit that exceeds the amount of the benefit that was payable to the person;

(b) recovering overpayments of benefits under a medicare program;

(c) detecting or investigating contraventions of a law of the Commonwealth relating to a medicare program;

(d) detecting or investigating whether a person may have engaged in inappropriate practice;

(e) analysing services, benefits, programs or facilities that are provided for under a medicare program, in connection with the purposes mentioned in paragraphs (a) to (d);

(f) educating healthcare providers about medicare program requirements.

Note: The Privacy Act 1988 contains provisions relevant to the use and disclosure of information under this Act.

personal information has the same meaning as in the Privacy Act 1988.

132B Data-matching by the Chief Executive Medicare

(1) Subject to this Part, the Chief Executive Medicare may, for a permitted purpose, match any of the following information:

(a) information that is held or has been obtained by the Chief Executive Medicare for the purpose of a medicare program;

(b) therapeutic goods information (within the meaning of subsection 61(1) of the Therapeutic Goods Act 1989) that has been disclosed under subsection 132C(1) of this Act;

(c) information that has been disclosed to the Chief Executive Medicare under section 132D;

(d) information that has been provided to the Chief Executive Medicare in accordance with the Health Practitioner Regulation National Law for a State or Territory;

(e) information that has been provided to the Chief Executive Medicare in accordance with any of the following Acts:

(i) the Australian Participants in British Nuclear Tests and British Commonwealth Occupation Force (Treatment) Act 2006;

(ii) the Military Rehabilitation and Compensation Act 2004;

(iii) the Safety, Rehabilitation and Compensation (Defence-related Claims) Act 1988;

(iv) the Treatment Benefits (Special Access) Act 2019;

(v) the Veterans' Entitlements Act 1986;

(f) any other information that may be lawfully provided to the Chief Executive Medicare (other than information that may only be obtained by the Chief Executive Medicare for the purpose of performing functions under the My Health Records Act 2012).

Note 1: For the purposes of paragraph (1)(a) - to avoid doubt, information that is held or has been obtained by the Chief Executive Medicare for the purpose of a medicare program includes information in a document that has been produced to the Chief Executive Medicare or to a Departmental employee (within the meaning of the Human Services (Medicare) Act 1973) in accordance with section 129AAD of the Health Insurance Act 1973.

Note 2: This subsection constitutes an authorisation for the purposes of the Privacy Act 1988.

Data-matching by authorised Commonwealth entity on Chief Executive Medicare's behalf

(2) Subject to this Part, the Chief Executive Medicare may, in writing, authorise a Commonwealth entity to match information under subsection (1) on the Chief Executive Medicare's behalf for a permitted purpose.

Note: This subsection constitutes an authorisation for the purposes of the Privacy Act 1988.

(3) An authorised Commonwealth entity:

(a) must comply with any other terms and conditions relating to the matching of the information that are determined, in writing, by the Chief Executive Medicare; and

(b) must, if requested to do so by the Chief Executive Medicare, disclose the results of the matching to the Chief Executive Medicare.

Information must not be matched until Minister's principles have commenced

(4) Information must not be matched under subsection (1) by the Chief Executive Medicare or an authorised Commonwealth entity until after the principles made by the Minister under subsection 132F(1) have commenced.

132C Secretary may disclose therapeutic goods information to the Chief Executive Medicare

(1) The Secretary may disclose to the Chief Executive Medicare therapeutic goods information (within the meaning of subsection 61(1) of the Therapeutic Goods Act 1989) for the purpose of facilitating the matching of that information under subsection 132B(1).

Note: This subsection constitutes an authorisation for the purposes of the Privacy Act 1988.

(2) The Chief Executive Medicare may use information disclosed in accordance with subsection (1) for the purpose of facilitating the matching of that information under subsection 132B(1).

132D Private health insurer may disclose information about hospital or general treatment to the Chief Executive Medicare

(1) A private health insurer may disclose to the Chief Executive Medicare information relating to hospital treatment or general treatment provided to a person who is insured under an insurance policy of the insurer, for the purpose of facilitating the matching of that information under subsection 132B(1), if:

(a) the insurance policy was taken out after the commencement of this section; or

(b) the insurance policy provided that information of that kind may be disclosed if the disclosure is authorised under an Australian law; or

(c) the insurer had notified the person under subclause 5.1 of the Australian Privacy Principles in Schedule 1 to the Privacy Act 1988 that information of that kind may be disclosed if the disclosure is authorised under an Australian law.

Note: This subsection constitutes an authorisation for the purposes of the Privacy Act 1988.

(2) A private health insurer may disclose the information under subsection (1) on the private health insurer's own initiative, or on request by the Chief Executive Medicare.

(3) If information is disclosed to the Chief Executive Medicare in accordance with subsection (1), the disclosure is taken to be an authorised disclosure for the purposes of section 323-1 of the Private Health Insurance Act 2007.

132E Breach of provision of this Part is an interference with privacy

A breach of a provision of this Part in relation to an individual constitutes an act or practice involving interference with the privacy of the individual for the purposes of section 13 of the Privacy Act 1988.

Note: The act or practice may be the subject of a complaint under section 36 of the Privacy Act 1988.

132F Data-matching principles

(1) The Minister must, by legislative instrument, make principles in relation to the matching of information under subsection 132B(1) by:

(a) the Chief Executive Medicare; and

(b) an authorised Commonwealth entity.

(2) Without limiting subsection (1), the principles must:

(a) require the Chief Executive Medicare to establish and maintain a publicly available register of the kinds of information matched by the Chief Executive Medicare or an authorised Commonwealth entity under subsection 132B(1); and

(b) require the Chief Executive Medicare to keep records of information matched by the Chief Executive Medicare under subsection 132B(1); and

(c) require an authorised Commonwealth entity to keep records of information matched by the Commonwealth entity under subsection 132B(1); and

(d) require the Chief Executive Medicare and an authorised Commonwealth entity to take reasonable steps to destroy personal information that has been matched under subsection 132B(1) if the information is no longer needed for any purpose for which the information was matched; and

(e) require the Chief Executive Medicare and an authorised Commonwealth entity to take reasonable steps to ensure that personal information that is matched under subsection 132B(1) is accurate, complete and up to date; and

(f) require the Chief Executive Medicare and an authorised Commonwealth entity not to match information for a permitted purpose under subsection 132B(1) unless the Chief Executive Medicare is satisfied that the matching is reasonably necessary for that purpose.

(3) In making principles under subsection (1), the Minister must take into account the guidelines (if any) on data-matching in Australian Government administration made by the Information Commissioner under paragraph 28(1)(a) of the Privacy Act 1988.