Health Legislation Amendment (eHealth) Act 2015

(157 of 2015)

An Act to amend the law in relation to healthcare identifiers, electronic health records and other information relating to health, and for related purposes

[Assented to 26 November 2015]

The Parliament of Australia enacts:

1   Short title

This Act may be cited as the Health Legislation Amendment (eHealth) Act 2015.

2   Commencement

 

(1) Each provision of this Act specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms.

Note: This table relates only to the provisions of this Act as originally enacted. It will not be amended to deal with any later amendments of this Act.

      

(2) Any information in column 3 of the table is not part of this Act. Information may be inserted in this column, or information in it may be edited, in any published version of this Act.

3   Schedules

Legislation that is specified in a Schedule to this Act is amended or repealed as set out in the applicable items in the Schedule concerned, and any other item in a Schedule to this Act has effect according to its terms.

Schedule 1   Healthcare identifiers and health records

Part 1   Amendments

Copyright Act 1968

1   After section 44BA

Insert:

44BB Copyright subsisting in works shared for healthcare or related purposes

(1) The copyright in a work is not infringed by an act comprised in the copyright in the work if:

(a) the act is done, or authorised to be done:

(i) for a purpose for which the collection, use or disclosure of health information is required or authorised under the My Health Records Act 2012; or

(ii) in circumstances in which a permitted general situation exists under item 1 of the table in subsection 16A(1) of the Privacy Act 1988 (serious threat to life, health or safety), or would exist if the act were done, or authorised to be done, by an entity that is an APP entity for the purposes of that Act; or

(iii) in circumstances in which a permitted health situation exists under section 16B of the Privacy Act 1988, or would exist if the act were done, or authorised to be done, by an entity that is an organisation for the purposes of that Act; or

(iv) for any other purpose relating to healthcare, or the communication or management of health information, prescribed by the regulations; and

(b) either:

(i) the work is substantially comprised of health information; or

(ii) the work allows for the storage, retrievalor use of health information and it is reasonably necessary to do the act, or authorise it to be done, in circumstances that would otherwise infringe copyright in the work.

(2) In this section:

healthcare has the same meaning as in the My Health Records Act 2012.

health information has the same meaning as in the My Health Records Act 2012.

2   After section 104B

Insert:

104C Copyright subsisting in sound recordings and cinematograph films shared for healthcare or related purposes

(1) The copyright in a cinematograph film or a sound recording is not infringed by an act comprised in the copyright in the film or recording if:

(a) the act is done, or authorised to be done:

(i) for a purpose for which the collection, use or disclosure of health information is required or authorised under the My Health Records Act 2012; or

(ii) in circumstances in which a permitted general situation exists under item 1 of the table in subsection 16A(1) of the Privacy Act 1988 (serious threat to life, health or safety), or would exist if the entity doing the thing were an APP entity for the purposes of that Act; or

(iii) in circumstances in which a permitted health situation exists under section 16B of the Privacy Act 1988, or would exist if the entity doing the thing were an organisation for the purposes of that Act; or

(iv) for any other purpose relating to healthcare, or the communication or management of health information, prescribed by the regulations; and

(b) either:

(i) the film or recording is substantially comprised of health information; or

(ii) the film or recording allows for the storage, retrieval or use of health information and it is reasonably necessary to do the act, or authorise it to be done, in circumstances that would otherwise infringe copyright in the work.

(2) In this section:

healthcare has the same meaning as in the My Health Records Act 2012.

health information has the same meaning as in the My Health Records Act 2012.

Healthcare Identifiers Act 2010

3   After section 3

Insert:

3A Simplified outline of this Act

Under this Act, healthcare identifiers are assigned to healthcare recipients, individual healthcare providers and healthcare provider organisations.

There are strict rules on:

(a) the verification of a person's identity before a healthcare identifier is assigned; and

(b) the purposes for which a healthcare identifier can be collected, used and disclosed; and

(c) the purposes for which the identifying information of a healthcare recipient, a healthcare provider or a healthcare provider organisation can be collected, used and disclosed.

This Act facilitates the use of the healthcare identifier for the purposes of communicating and managing health information about a healthcare recipient (including through the My Health Record system).

This Act also facilitates:

(a) the creation of a Healthcare Provider Directory, to allow healthcare providers to check the professional and business details of healthcare providers; and

(b) the use of authenticated electronic communications by healthcare providers.

4   Section 5

Insert:

Australian law has the same meaning as in the Privacy Act 1988.

5   Section 5

Insert:

authorised representative of a healthcare recipient has the same meaning as in the My Health Records Act 2012.

6   Section 5

Insert:

civil penalty provision has the same meaning as in the Regulatory Powers Act.

7   Section 5

Insert:

court/tribunal order has the same meaning as in the Privacy Act 1988.

8   Section 5 (definition of data source)

Repeal the definition.

9   Section 5 (definitions of Human Services Department and Human Services Minister)

Repeal the definitions.

10   Section 5

Insert:

linked : an individual healthcare provider is linked to a healthcare provider organisation if:

(a) the individual healthcare provider is an employee of the healthcare provider organisation; or

(b) the healthcare provider organisation provides support services or facilities to the individual healthcare provider, to facilitate the provision of healthcare by the individual healthcare provider.

11   Section 5 (definitions of Medicare Benefits Program and medicare program)

Repeal the definitions.

12   Section 5 (definition of Ministerial Council)

Repeal the definition, substitute:

Ministerial Council means the council (however described) established by the Council of Australian Governments that has responsibility for health matters.

13   Section 5

Insert:

My Health Records Act means the My Health Records Act 2012.

14   Section 5

Insert:

network of healthcare provider organisations has the meaning given by subsection 9A(4).

15   Section 5 (definition of network organisation)

Repeal the definition, substitute:

network organisation within a network has the meaning given by subsection 9A(6).

16   Section 5

Insert:

nominated representative of a healthcare recipient has the same meaning as in the My Health Records Act 2012.

17   Section 5 (definition of organisation maintenance officer)

Repeal the definition, substitute:

organisation maintenance officer for a healthcare provider organisation has the meaning given by subsection 9A(8).

18   Section 5

Insert:

personal information has the same meaning as in the Privacy Act 1988.

19   Section 5 (definition of Pharmaceutical Benefits Program)

Repeal the definition.

20   Section 5 (definition of professional and business details)

Repeal the definition.

21   Section 5 (definition of public body)

Repeal the definition.

22   Section 5

Insert:

Regulatory Powers Act means the Regulatory Powers (Standard Provisions) Act 2014.

23   Section 5 (definition of responsible officer)

Repeal the definition, substitute:

responsible officer for a healthcare provider organisation has the meaning given by subsection 9A(7).

24   Section 5 (definition of seed organisation)

Repeal the definition, substitute:

seed organisation for a network has the meaning given by subsection 9A(5).

25   Section 5 (definition of service operator)

Repeal the definition, substitute:

service operator has the meaning given by section 6.

26   After section 5

Insert:

6 Identity of service operator

The service operator is:

(a) the Chief Executive Medicare; or

(b) if a body established by a law of the Commonwealth is prescribed by the regulations to be the service operator - that body.

Note: Section 33 provides that the Minister must consult with the Ministerial Council before making regulations.

27   After paragraphs 7(1)(b) and (2)(b)

Insert:

(ba) the email address, telephone number and fax number of the healthcare provider;

28   At the end of subsection 7(3)

Add:

; (i) other information that is prescribed by the regulations for the purpose of this paragraph.

29   Before section 9

Insert:

9AA Simplified outline of this Part

Healthcare identifiers are assigned to healthcare recipients, individual healthcare providers and healthcare provider organisations.

The service operator assigns healthcare identifiers to healthcare recipients. A national registration authority will usually assign a healthcare identifier to an individual healthcare provider, although there are a number of cases in which a healthcare provider is not registered by such an authority. In those cases, the healthcare identifier is assigned by the service operator. The service operator assigns a healthcare identifier to a healthcare provider organisation.

For a healthcare provider organisation to be assigned a healthcare identifier, the organisation must have at least one employee who is an individual healthcare provider providing healthcare as part of his or her duties, a responsible officer and an organisation maintenance officer. The responsible officer may also bethe organisation maintenance officer. If the organisation is part of, or subordinate to, another healthcare provider organisation, it need not have its own responsible officer.

A sole practitioner may be registered as a healthcare provider organisation.

If the service operator refuses to assign a healthcare identifier, a person whose interests are affected by the decision may ask the service operator to reconsider the decision. A person may apply to the Administrative Appeals Tribunal for review of the service operator's reconsidered decision.

The service operator must keep a record of the healthcare identifiers assigned, and other information relating to the healthcare identifiers including details of requests to the service operator to disclose a healthcare identifier.

30   Subsection 9(6)

After "healthcare identifier", insert "of a healthcare recipient or of an individual healthcare provider".

31   Section 9A

Repeal the section, substitute:

9A Classes of healthcare provider that may be assigned a healthcare identifier by the service operator

Healthcare identifiers for individual healthcare providers

(1) The service operator may, under paragraph 9(1)(a), assign a healthcare identifier to an individual healthcare provider if:

(a) the individual healthcare provider is registered by a registration authority as a member of a health profession; or

(b) the individual healthcare provider is a member of a professional association that:

(i) relates to the healthcare that has been, is, or is to be, provided by the member; and

(ii) has uniform national membership requirements, whether or not in legislation.

Healthcare identifiers for a healthcare provider organisation that is a seed organisation, or is not part of a network

(2) The service operator may, under paragraph 9(1)(a), assign a healthcare identifier to a healthcare provider organisation that is a seed organisation for a network, or that is not part of a network, if:

(a) at least one of the employees of the organisation is an individual who:

(i) is an identified healthcare provider; and

(ii) provides healthcare as part of his or her duties; and

(b) one, and only one of the employees of the organisation is the responsible officer for the organisation; and

(c) either:

(i) the organisation has at least one other employee who is an organisation maintenance officer for the organisation; or

(ii) the responsible officer for the organisation is also the organisation maintenance officer for the organisation.

Healthcare identifiers for network organisations

(3) The service operator may, under paragraph 9(1)(a), assign a healthcare identifier to a healthcare provider organisation that is a network organisation within a network if:

(a) the seed organisation for the network:

(i) has been assigned a healthcare identifier that has not been retired; and

(ii) does not object to the network organisation being assigned a healthcare identifier under this subsection; and

(b) the responsible officer for the seed organisation for the network is also the responsible officer for every network organisation within the network; and

(c) there is an organisation maintenance officer for the network organisation; and

(d) the organisation maintenance officer for the network organisation is:

(i) an employee of the network organisation (the first network organisation ); or

(ii) an employee of the seed organisation for the network; or

(iii) an employee of another network organisation within the network that is hierarchically superior to the first network organisation.

What is a network of healthcare provider organisations?

(4) A network of healthcare provider organisations is a group of healthcare provider organisations each of which satisfies one of the following criteria:

(a) the healthcare provider organisation is part of, or subordinate to, another healthcare provider organisation within the group;

(b) another healthcare provider organisation within the group is part of, or subordinate to, the healthcare provider organisation.

What is the seed organisation for a network?

(5) A healthcare provider organisation is the seed organisation for a network if:

(a) there is at least one other healthcare provider organisation that is part of, or subordinate to, the organisation; and

(b) the organisation is not itself part of, or subordinate to, another healthcare provider organisation.

What is a network organisation within a network?

(6) A healthcare provider organisation is a network organisation within a network if it is part of, or subordinate to, another healthcare provider organisation within the network.

Responsible officers

(7) A person is the responsible officer for a healthcare provider organisation if the duties of the person include the following:

(a) nominating the organisation maintenance officer or officers for the organisation to the service operator;

(b) requesting the assignment or retirement of a healthcare identifier for the organisation;

(c) if there is a network organisation of the organisation:

(i) nominating the organisation maintenance officer for the network organisation to the service operator; and

(ii) requesting the assignment or retirement of a healthcare identifier for the network organisation;

(d) if the organisation is part of a merger or acquisition - requesting the merger or reconfiguration of a healthcare identifier for the organisation.

Organisation maintenance officers

(8) A person is an organisation maintenance officer for a healthcare provider organisation if the duties of the person include the following:

(a) nominating to the service operator at least one additional person to be an organisation maintenance officer of the organisation, if required;

(b) maintaining information that is held by the service operator about the organisation;

(c) providing current details to the service operator about the organisation for inclusion in the Healthcare Provider Directory;

(d) providing any other information requested by the service operator about the organisation for which the organisation maintenance officer is responsible;

(e) if the organisation (the seed organisation ) has a network organisation:

(i) nominating to the service operator another person who meets the employment criteria in paragraph (3)(d) to be the organisation maintenance officer for the network organisation - either on the initiative of the seed organisation or if required by the service operator to do so;

(ii) requesting the assignment or retirement of a healthcare identifier for the network organisation;

(iii) maintaining information that is held by the service operator about the network organisation;

(iv) providing current details to the service operator about the network organisation for inclusion in the Healthcare Provider Directory;

(v) providing any other information requested by the service operator about the network organisation for which the organisation maintenance officer is responsible;

(vi) if the network organisation is part of a merger or acquisition - requesting the merger or reconfiguration of a healthcare identifier for the organisation.

Sole practitioners

(9) The service operator may assign a healthcare identifier under paragraph 9(1)(a) to a healthcare provider organisation that is a sole practitioner even though subsection (2) is not satisfied, if the sole practitioner:

(a) provides healthcare as part of his or her duties; and

(b) performs the duties of a responsible officer and organisation maintenance officer.

Duties of the responsible officer performed by another person

(10) For the purposes of subsection (7), a person does not cease to be a responsible officer for a healthcare provider organisation if a duty mentioned in subsection (7) is performed by another employee of the organisation on behalf of the person.

32   Section 10

Omit "Division 2 or 2A of Part 3", substitute "Division 2 or 3 of Part 3".

33   Part 3 (heading)

Repeal the heading, substitute:

Part 3 - Collection, use and disclosure of healthcare identifiers, identifying information and other information

34   Divisions 1, 2, 2A and 3 of Part 3

Repeal the Divisions, substitute:

Division 1 - Simplified outline of this Part

11 Simplified outline of this Part

This Part authorises the collection, use and disclosure of healthcare identifiers, identifying information and other information.

Healthcare identifiers and other information relating to healthcare recipients

The service operator may collect information about a healthcare recipient from various sources for the purpose of assigning a healthcare identifier to the recipient. Once a healthcare identifier is assigned to a healthcare recipient, the service operator may disclose it to healthcare providers to assist in communicating and managing health information. The healthcare identifier may also be disclosed to other entities to assist in the operation of the My Health Record system.

A healthcare provider can obtain the healthcare identifier of a healthcare recipient from the service operator, so that the healthcare provider can communicate and manage health information. The healthcare provider can use the healthcare identifier in providing healthcare, for example, by using it to access the My Health Record of a healthcare recipient.

Healthcare identifiers and other information relating to healthcare providers

Under Part 2, the service operator must keep a record of the healthcare identifiers that have been assigned and other information relating to healthcare identifiers. As a national registration authority assigns healthcare identifiers to most healthcare providers, the service operator may obtain information for the record from a national registration authority.

Under Part 2, the service operator assigns healthcare identifiers to healthcare providers in a number of cases. The service operator may collect information about a healthcare provider from various sources for the purposes of assigning those identifiers.

The service operator may disclose the healthcare identifiers of healthcare providers to healthcare providers to assist in communicating and managing health information. The healthcare identifier may also be disclosed to other entities to assist in the operation of the My Health Record system.

A healthcare provider can obtain the healthcare identifier of a healthcare provider from the service operator, so that the healthcare provider can communicate and manage health information. This includes the use of the identifier in electronic transmissions. The collection, use and disclosure of identifying information and healthcare identifiers is permitted for the purposes of authenticating a healthcare provider's identity in electronic transmissions.

A person must not use or disclose information collected for the purposes of the Act or healthcare identifiers, except where required or authorised to do so under the Act or in other limited circumstances. Criminal and civil penalties apply if this obligation is breached.

Division 2 - Healthcare recipients

12 Collection, use and disclosure - assigning a healthcare identifier to a healthcare recipient

An entity mentioned in column 1 of an item of the following table, is authorised to take action of the kind described in column 2 of that item with information of the kind described in column 3 of that item in the circumstances described in column 4 of that item.

13 Collection, use and disclosure - establishing and maintaining a record of healthcare identifiers for healthcare recipients

An entity mentioned in column 1 of an item of the following table, is authorised to take action of the kind described in column 2 of that item with information of the kind described in column 3 of that item in the circumstances described in column 4 of that item.

14 Collection, use and disclosure - providing healthcare to a healthcare recipient

(1) An entity mentioned in column 1 of an item of the following table, is authorised to take action of the kind described in column 2 of that item with information of the kind described in column 3 of that item in the circumstances described in column 4 of that item.

(2) This section does not authorise the collection, use or disclosure of the healthcare identifier of a healthcare recipient for the purpose of communicating or managing health information as part of:

(a) underwriting a contract of insurance that covers the healthcare recipient; or

(b) determining whether to enter into a contract of insurance that covers the healthcare recipient (whether alone or as a member of a class); or

(c) determining whether a contract of insurance covers the healthcare recipient in relation to a particular event; or

(d) employing the healthcare recipient.

15 Collection, use and disclosure - My Health Record system

The service operator is authorised to collect, use and disclose:

(a) identifying information of a healthcare recipient, an authorised representative of a healthcare recipient or a nominated representative of a healthcare recipient; and

(b) the healthcare identifier of a healthcare recipient, an authorisedrepresentative of a healthcare recipient or a nominated representative of a healthcare recipient;

for the purposes of the My Health Record system.

16 Collection, use and disclosure - aged care

An entity mentioned in column 1 of an item of the following table, is authorised to take action of the kind described in column 2 of that item with information of the kind described in column 3 of that item in the circumstances described in column 4 of that item.

17 Adopting the healthcare identifier of a healthcare recipient etc.

An entity mentioned in column 1 of an item of the following table, may adopt the healthcare identifier of a healthcare recipient, an authorised representative of a healthcare recipient or a nominated representative of a healthcare recipient, for a purpose mentioned in column 2 of the item.

18 Disclosure of the healthcare identifier of a healthcare recipient to the healthcare recipient etc.

Any of the following entities may disclose the healthcare identifier of a healthcare recipient to the healthcare recipient, or a responsible person (within the meaning of the Privacy Act 1988) for the healthcare recipient:

(a) the service operator;

(b) the My Health Record System Operator;

(c) a healthcare provider.

19 Other information relating to the healthcare identifier of a healthcare recipient may be disclosed by the service operator

The service operator may disclose information included in the record the service operator maintains under section 10 in relation to a healthcare recipient to:

(a) the healthcare recipient; or

(b) a responsible person (within the meaning of the Privacy Act 1988) for the healthcare recipient.

20 Regulations relating to the healthcare identifier and identifying information of a healthcare recipient etc.

Collection, use or disclosure for other purposes

(1) The regulations may authorise the collection, use or disclosure of the following information:

(a) identifying information of a healthcare recipient, authorised representative of a healthcare recipient or nominated representative of a healthcare recipient;

(b) the healthcare identifier of a healthcare recipient, authorised representative of a healthcare recipient or nominated representative of a healthcare recipient.

Adoption for other purposes

(2) The regulations may authorise the adoption of the healthcare identifier of a healthcare recipient, authorised representative of a healthcare recipient or a nominated representative of healthcare recipient in the circumstances prescribed by the regulations.

Purposes for which regulation-making powers in subsections (1) and (2) may be used

(3) However, the regulations may only authorise the collection, use, disclosure or adoption of that information for purposes related to one or more of the following:

(a) providing healthcare to healthcare recipients, or a class of healthcare recipients;

(b) determining whether adequate and appropriate healthcare is available to healthcare recipients, or a class of healthcare recipients;

(c) facilitating the provision of adequate and appropriate healthcare to healthcare recipients, or a class of healthcare recipients;

(d) assisting persons who, because of health issues (including illness, disability or injury), require support;

(e) the My Health Record system.

Procedures relating to the disclosure of healthcare identifiers

(4) The regulations may prescribe rules about the process for disclosing the healthcare identifiers of healthcare recipients, including rules about requests to the service operator to disclose healthcare identifiers of healthcare recipients.

Information about disclosures by service operator

(5) If the service operator discloses a healthcare identifier of a healthcare recipient to an entity, the regulations may require the entity to provide prescribed information to the service operator in relation to the disclosure.

Division 3 - Healthcare providers

21 Collection, use and disclosure - assigning a healthcare identifier to a healthcare provider

An entity mentioned in column 1 of an item of the following table, is authorised to take action of the kind described in column 2 of that item with information of the kind described in column 3 of that item in the circumstances described in column 4 of that item.

22 Collection, use and disclosure - establishing and maintaining a record of healthcare identifiers for healthcare providers

An entity mentioned in column 1 of an item of the following table, is authorised to take action of the kind described in column 2 of that item with information of the kind described in column 3 of that item in the circumstances described in column 4 of that item.

23 Collection, use and disclosure - providing healthcare

An entity mentioned in column 1 of an item of the following table, is authorised to take action of the kind described in column 2 of that item with information of the kind described in column 3 of that item in the circumstances described in column 4 of that item.

24 Collection, use and disclosure - My Health Record system

The service operator is authorised to collect, use and disclose:

(a) identifying information of a healthcare provider; and

(b) the healthcare identifier of a healthcare provider;

for the purposes ofthe My Health Record system.

25 Collection, use and disclosure - enabling authentication in electronic communications

An entity mentioned in column 1 of an item of the following table, is authorised to take action of the kind described in column 2 of that item with information of the kind described in column 3 of that item in the circumstances described in column 4 of that item.

25A Collection, use and disclosure - sharing information with registration authorities

An entity mentioned in column 1 of an item of the following table, is authorised to take action of the kind described in column 2 of that item with information of the kind described in column 3 of that item in the circumstances described in column 4 of that item.

25B Adopting the healthcare identifier of a healthcare provider

An entity mentioned in column 1 of an item of the following table, may adopt the healthcare identifier of a healthcare provider for a purpose mentioned in column 2 of the item.

25C Disclosure of the healthcare identifier of a healthcare provider to the healthcare provider

Any entity who knows the healthcare identifier of a healthcare provider may disclose the healthcare identifier to the healthcare provider.

25D Regulations relating to the healthcare identifier and other information of a healthcare provider

Collection, use or disclosure for other purposes

(1) The regulations may authorise the collection, use or disclosure of the following information:

(a) identifying information of a healthcare provider;

(b) the healthcare identifier of a healthcare provider.

Adoption for other purposes

(2) The regulations may authorise the adoption of the healthcare identifier of a healthcare provider in the circumstances prescribed by the regulations.

Purposes for which regulation-making powers in subsections (1) and (2) may be used

(3) However, the regulations may only authorise the collection, use, disclosure or adoption of that information for purposes related to one or more of the following:

(a) providing healthcare to healthcare recipients, or a class of healthcare recipients;

(b) determining whether adequate and appropriate healthcare is available to healthcare recipients, or a class of healthcare recipients;

(c) facilitating the provision of adequate and appropriate healthcare to healthcare recipients, or a class of healthcare recipients;

(d) assisting persons who, because of health issues (including illness, disability or injury), require support;

(e) the My Health Record system.

Procedures relating to the disclosure of healthcare identifiers

(4) The regulations may prescribe rules about the process for disclosing the healthcare identifiers of healthcare providers, including rules about requests to the service operator to disclose healthcare identifiers of healthcare providers.

Information about disclosures by service operator

(5) If the service operator discloses a healthcare identifier of a healthcare provider to an entity, the regulations may require the entity to provide prescribed information to the service operator in relation to the disclosure.

Information to be provided to the service operator about the healthcare identifier of a healthcare provider

(6) The regulations may require an identified healthcare provider to provide to the service operator information that:

(a) relates to the healthcare provider's healthcare identifier; and

(b) is prescribed by the regulations for the purposes of this section.

25E Obligation to keep information accurate, up-to-date and complete

(1) If a healthcare provider organisation becomes aware that information held by the service operator in relation to the organisation is not accurate, up-to-date and complete, the organisation must:

(a) give the service operator, in writing, accurate, up-to-date and complete information; and

(b) do so within 20 business days after the organisation becomes aware that the information held by the service operator is not accurate, up-to-date and complete.

(2) Subsection (1) does not apply if:

(a) the information that is no longer accurate, up-to-date and complete is personal information that the service operator was only able to lawfully obtain with the consent of the person to whom the information relates; and

(b) instead of giving accurate, up-to-date and complete personal information within the period specified in that subsection, the healthcare provider organisation notifies the service operator within that period, in the manner and form approved by the service operator, that the person to whom the information relates has withdrawn consent for the information to be given to the service operator.

(3) Subsection (1) does not apply if:

(a) the healthcare provider organisation, or an individual healthcare provider who is linked to the healthcare provider organisation, is required by an Australian law, or by a lawful requirement of the national registration authority, to give the national registration authority the accurate, up-to-date and complete information; and

(b) the healthcare provider organisation, or the individual healthcare provider, complies with the requirement.

(4) A person is liable to a civil penalty if:

(a) the person fails to give the service operator information in the circumstances mentioned in subsection (1); and

(b) the person knows or is reckless as to those circumstances.

Civil penalty: 100 penalty units.

35   Division 4 of Part 3

Repeal the heading, substitute:

Division 4 - Unauthorised use and disclosure of healthcare identifiers and other information obtained under this Act

36   Section 26

Repeal the section, substitute:

26 Use and disclosure of healthcare identifiers and other information obtained under this Act

(1) A person must not use or disclose information if:

(a) the person obtains the information in response to a request under section 9B; or

(b) the person obtains the information in the course of establishing or maintaining a record for the purposes of section 10 (a record of healthcare identifiers assigned and other matters, such as requests made to the service operator to disclose those identifiers); or

(c) the information is identifying information and the person obtains the information in circumstances covered by a requirement or authority under this Act; or

(d) the information is the healthcare identifier of a healthcare recipient or an individual healthcare provider.

(2) A person must not use or disclose information if the information is disclosed to the person in contravention of subsection (1).

(3) This section does not apply to the use or disclosure of a healthcare identifier if:

(a) the use or disclosure of the healthcare identifier is required or authorised under this Act; or

(b) the use or disclosure of the healthcare identifier is required or authorised under another Commonwealth law or a court/tribunal order; or

(c) the use or disclosure is:

(i) by the person to whom the healthcare identifier relates; and

(ii) for the purposes of, or in connection with, the personal, family or household affairs of that person (within the meaning of section 16 of the Privacy Act 1988); or

(d) a permitted general situation of the kind described in item 1, 2, 4 or 5 of the table in subsection 16A(1) of the Privacy Act 1988 exists in relation to the use or disclosure, or would exist if the person were an APP entity for the purposes of that Act; or

(e) without limiting the exceptions under this subsection, the use or disclosure is required or authorised by the Information Commissioner, or an equivalent officer or agency of a State or Territory, in exercising powers or performing functions in relation to privacy.

Note: A defendant bears an evidential burden in relation to the matters in subsection (3): see subsection 13.3(3) of the Criminal Code.

(4) This section does not apply to the use or disclosure of information other than a healthcare identifier if:

(a) the use or disclosure of the information is required or authorised under this Act; or

(b) the use or disclosure of the information is required or authorised under another Australian law or a court/tribunal order; or

(c) the information is personal information and the use or disclosure would not be an interference with the privacy of the individual for the purposes of the Privacy Act 1988, or would not be an interference with the privacy of the individual for the purposes of that Act if the person were an agency or an organisation for the purposes of that Act; or

(d) without limiting the exceptions under this subsection, the use or disclosure is required or authorised by the Information Commissioner, or an equivalent officer or agency of a State or Territory, in exercising powers or performing functions in relation to privacy.

Note: A defendant bears an evidential burden in relation to the matters in subsection (4): see subsection 13.3(3) of the Criminal Code.

(5) A person commits an offence if the person contravenes subsection (1) or (2).

Penalty: Imprisonment for 2 years or 120 penalty units, or both.

(6) A person is liable to a civil penalty if:

(a) the person uses or discloses information in circumstances under which the use or disclosure would contravene subsection (1) or (2); and

(b) the person knows or is reckless as to those circumstances.

Civil penalty: 600 penalty units.

37   Before section 28

Insert:

28AA Simplified outline of this Part

If a person is authorised to collect, use or disclose information under this Act, the person will not interfere with the privacy of an individual for the purposes of the Privacy Act 1988 in doing so.

Section 26 imposes a higher standard of privacy in relation to healthcare identifiers than is imposed in relation to other information. If a person uses or discloses a healthcare identifier in circumstances that are not permitted under that section, the person will not only be subject to criminal and civil penalties. That action will also be an interference with privacy for the purposes of the Privacy Act 1988, and can be dealt with as such under that Act.

38   Subsection 29(1)

Omit "An act or practice that contravenes this Act or the regulations in connection with the healthcare identifier of an individual is taken to be:", substitute "An act or practice in connection with a healthcare identifier of a healthcare recipient or an individual healthcare provider that contravenes this Act or the regulations, or would contravene this Act or the regulations but for a requirement relating to state of mind, is taken to be:".

39   Paragraph 29(1)(a)

Omit "of the individual", substitute "of the healthcare recipient or individual healthcare provider".

40   Subsection 29(3)

After "healthcare identifier", insert "of a healthcare recipient or of an individual healthcare provider".

41   Before section 31

Insert:

31AA Simplified outline of this Part

The Healthcare Provider Directory is a directory available to healthcare providers to allow them to find information about other healthcare providers, such as:

(a) the healthcare identifier of a healthcare provider; and

(b) whether an individual healthcare provider is linked to a healthcare provider organisation; and

(c) whether a healthcare provider is registered under the My Health Record system; and

(d) whether a healthcare provider is registered with a registration authority and the status of that registration (such as whether it is conditional, suspended, cancelled or lapsed); and

(e) the type of healthcare provider that an individual is.

42   Section 31

Repeal the section, substitute:

31 Healthcare Provider Directory

(1) The service operator must establish and maintain a record (the Healthcare Provider Directory ) of the professional and business details of identified healthcare providers.

(2) The service operator is authorised to:

(a) collect and use personal information for the purposes of establishing and maintaining the Healthcare Provider Directory; and

(b) disclose personal information on the Healthcare Provider Directory to an identified healthcare provider;

but, except in the circumstances dealt with in section 31A, only with the consent of the individual to whom the personal information relates.

(3) The professional and business details of a healthcare provider disclosed on the Healthcare Provider Directory may include information sufficient to allow the person to whom the information is disclosed to determine any of the following:

(a) the healthcare identifier of a healthcare provider;

(b) identifying information of a healthcare provider;

(c) whether an individual healthcare provider is linked to a particular healthcare provider organisation;

(d) whether a healthcare provider organisation is a registered healthcare provider organisation for the purposes of the My Health Records Act;

(e) whether an individual healthcare provider is registered with a registration authority and the status of that registration (such as conditional, suspended, cancelled or lapsed);

(f) the type of healthcare provider that an individual is.

(4) A person to whom the professional and business details of a healthcare provider is disclosed on the Healthcare Provider Directory is authorised to collect, use and disclose that information:

(a) for the purpose of communicating or managing health information, as part of providing healthcare to a healthcare recipient; or

(b) in any other circumstances in which the collection, use or disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order; or

(c) in any other circumstances in which the collection, use or disclosure of the information would not be an interference with privacy under the Privacy Act 1988.

31A Healthcare Provider Directory - sharing information with the My Health Record System Operator

(1) The service operator is authorised to collect from the My Health Record System Operator, use and disclose to the My Health Record System Operator:

(a) identifying information of a healthcare provider; and

(b) the healthcare identifier of a healthcare provider;

for the purposes of the Healthcare Provider Directory.

(2) The My Health Record System Operator is authorised to use and disclose to the service operator:

(a) identifying information of a healthcare provider; and

(b) the healthcare identifier of a healthcare provider;

for the purposes of the Healthcare Provider Directory.

43   After Part 5

Insert:

Part 5A - Enforcement

31B Simplified outline of this Part

The civil penalty provisions of this Act and the regulations are enforceable under Part 4 of the Regulatory Powers Act. The provisions of this Act and the regulations are also enforceable using enforceable undertakings under Part 6 of the Regulatory Powers Act, and injunctions under Part 7 of the Regulatory Powers Act.

31C Civil penalty provisions

Enforceable civil penalty provisions

(1) Each civil penalty provision of this Act and the regulations is enforceable under Part 4 of the Regulatory Powers Act.

Note: Part 4 of the Regulatory Powers Act allows a civil penalty provision to be enforced by obtaining an order for a person to pay a pecuniary penalty for the contravention of the provision.

Authorised applicant

(2) For the purposes of Part 4 of the Regulatory Powers Act, the Information Commissioner is an authorised applicant in relation to the civil penalty provisions of this Act and the regulations.

Relevant court

(3) For the purposes of Part 4 of the Regulatory Powers Act, each of the following courts is a relevant court in relation to the civil penalty provisions of this Act and the regulations:

(a) the Federal Court of Australia;

(b) the Federal Circuit Court of Australia;

(c) a court of a State or Territory that has jurisdiction in relation to the matter.

Extension to external Territories

(4) Part 4 of the Regulatory Powers Act, as that Part applies in relation to the civil penalty provisions of this Act and the regulations, extends to every external Territory.

Liability of the Crown

(5) Part 4 of the Regulatory Powers Act, as that Part applies in relation the civil penalty provisions of this Act and the regulations, does not make the Crown liable to a pecuniary penalty.

31D Enforceable undertakings

Enforceable provisions

(1) The provisions of this Act and the regulations are enforceable under Part 6 of the Regulatory Powers Act.

Note: Part 6 of the Regulatory Powers Act creates a framework for accepting and enforcing undertakings relating to compliance with provisions.

Authorised person

(2) For the purposes of Part 6 of the Regulatory Powers Act, each of the following persons is an authorised person in relation to the provisions of this Act and the regulations:

(a) the service operator;

(b) the Information Commissioner.

Relevant court

(3) For the purposes of Part 6 of the Regulatory Powers Act, each of the following courts is a relevant court in relation to the provisions of this Act and the regulations:

(a) the Federal Court of Australia;

(b) the Federal Circuit Court of Australia;

(c) a court of a State or Territory that has jurisdiction in relation to the matter.

Enforceable undertaking may be published on website

(4) An authorised person in relation to a provision of this Act and the regulations may publish an undertaking given in relation to the provision on the authorised person's website.

Extension to external Territories

(5) Part 6 of the Regulatory Powers Act, as that Part applies in relation to the provisions of this Act and the regulations, extends to every external Territory.

31E Injunctions

Enforceable provisions

(1) The provisions of this Act and the regulations are enforceable under Part 7 of the Regulatory Powers Act.

Note: Part 7 of the Regulatory Powers Act creates a framework for using injunctions to enforce provisions.

Authorised person

(2) For the purposes of Part 7 of the Regulatory Powers Act, each of the following persons is an authorised person in relation to the provisions of this Act and the regulations:

(a) the service operator;

(b) the Information Commissioner.

Relevant court

(3) For the purposes of Part 7 of the Regulatory Powers Act, each of the following courts is a relevant court in relation to the provisions of this Act and the regulations:

(a) the Federal Court of Australia;

(b) the Federal Circuit Court of Australia;

(c) a court of a State or Territory that has jurisdiction in relation to the matter.

Extension to external Territories

(4) Part 7 of the Regulatory Powers Act, as that Part applies in relation to the provisions of this Act and the regulations, extends to every external Territory.

44   Before section 32

Insert:

31F Simplified outline of this Part

The Minister may give directions to the service operator about the performance of the service operator's functions under this Act, after consulting the Ministerial Council.

The Minister must also consult the Ministerial Council before regulations are made under this Act.

45   At the end of section 34

Add:

(4) If the service operator is required under section 46 of the Public Governance, Performance and Accountability Act 2013 to prepare and give to the Minister an annual report for all or part of a financial year, the service operator is not required to also give a report in relation to that financial year under this section.

46   Section 35

Repeal the section, substitute:

35 Review of the operation of this Act

(1) The Minister must, after consulting the Ministerial Council, appoint an individual to review the operation of this Act and the regulations.

(2) The individual appointed must give a report to the Minister within 3 years after the commencement of Schedule 1 to the Health Legislation Amendment (eHealth) Act 2015.

(3) The Minister must:

(a) provide a copy of the report to the Ministerial Council; and

(b) table a copy of the report in each House of Parliament within 15 sitting days after the report is given to the Minister.

47   Before section 36

Insert:

Division 1 - Simplified outline of this Part

36AA Simplified outline of this Part

If an entity is authorised to collect, use or disclose information under this Act, an employee or contracted service provider of the entity is authorised to do that, provided the duties of the employee or contracted service provider involve implementing the purpose for which the collection, use or disclosure is authorised.

If an entity is authorised to disclose information to a healthcare provider, the entity is authorised to disclose the information to an employee or contracted service provider of the healthcare provider, provided the duties of the employee or contracted service provider involve implementing the purpose for which the disclosure is authorised.

This Act applies to partnerships, unincorporated associations and trusts in the same way as it applies to persons.

The service operator may delegate functions and powers under this Act.

This Part also:

(a) provides for the concurrent operation of State and Territory law; and

(b) deals with the effect Parts 3 and 4 are to have in certain constitutionally significant circumstances.

The Governor-General may make regulations prescribing matters that are required or permitted to be prescribed by this Act, or that are necessary or convenient to be prescribed for carrying out or giving effect to this Act.

Division 2 - Employees, contractors, partnerships, unincorporated associations and trusts

48   After section 36

Insert:

36A Authorisation to disclose to employees and contracted service providers of a healthcare provider

An authorisation under this Act to an entity to disclose information to a healthcare provider for a particular purpose is an authorisation to disclose the information to:

(a) an individual:

(i) who is an employee of the healthcare provider; and

(ii) whose duties involve, or are reasonably connected to, implementing that purpose; or

(b) a contracted service provider of the healthcare provider, if the duties of the contracted service provider under a contract with the healthcare provider involve, or are reasonably connected with,implementing that purpose by providing information technology services relating to the communication of health information, or health information management services, to the healthcare provider; or

(c) an individual:

(i) who is an employee of a contracted service provider to which paragraph (b) applies; and

(ii) whose duties involve implementing that purpose as mentioned in that paragraph.

36B Treatment of partnerships

(1) This Act applies to a partnership as if it were a person, but with the changes set out in this section.

(2) An obligation that would otherwise be imposed on the partnership by this Act is imposed on each partner instead, but may be discharged by any of the partners.

(3) An offence against this Act that would otherwise have been committed by the partnership is taken to have been committed by each partner in thepartnership, at the time the offence was committed, who:

(a) did the relevant act or made the relevant omission; or

(b) aided, abetted, counselled or procured the relevant act or omission; or

(c) was in any way knowingly concerned in, or party to, the relevant act or omission (whether directly or indirectly and whether by any act or omission of the partner).

(4) This section applies to a contravention of a civil penalty provision in a corresponding way to the way in which it applies to an offence.

36C Treatment of unincorporated associations

(1) This Act applies to an unincorporated association as if it were a person, but with the changes set out in this section.

(2) An obligation that would otherwise be imposed on the unincorporated association by this Act is imposed on each member of the association's committee of management instead, but may be discharged by any of the members.

(3) An offence against this Act that would otherwise have been committed by the unincorporated association is taken to have been committed by each member of the association's committee of management, at the time the offence was committed, who:

(a) did the relevant act or made the relevant omission; or

(b) aided, abetted, counselled or procured the relevant act or omission; or

(c) was in any way knowingly concerned in, or party to, the relevant act or omission (whether directly or indirectly and whether by any act or omission of the member).

(4) This section applies to a contravention of a civil penalty provision in a corresponding way to the way in which it applies to an offence.

36D Treatment of trusts with multiple trustees

(1) If a trust has 2 or more trustees, this Act applies to the trust as if it were a person, but with the changes set out in this section.

(2) An obligation that would otherwise be imposed on the trust by this Act is imposed on each trustee instead, but may be discharged by any of the trustees.

(3) An offence against this Act that would otherwise have been committed by the trust is taken to have been committed by each trustee of the trust, at the time the offence was committed, who:

(a) did the relevant act or made the relevant omission; or

(b) aided, abetted, counselled or procured the relevant act or omission; or

(c) was in any way knowingly concerned in, or party to, the relevant act or omission (whether directly or indirectly and whether by any act or omission of the trustee).

(4) This section applies to a contravention of a civil penalty provision in a corresponding way to the way in which it applies to an offence.

Division 3 - Delegations

36E Delegations by the service operator

(1) The service operator may, by writing, delegate one or more of his or her functions and powers to any of the following:

(a) an APS employee in the Department;

(b) if the service operator is not the Chief Executive Medicare - the Chief Executive Medicare;

(c) any other person with the consent of the Minister.

(2) If the service operator is not the Chief Executive Medicare the service operator may only delegate a function or power of the service operator:

(a) to an APS employee in the Department with the agreement of the Secretary; and

(b) to the Chief Executive Medicare with the agreement of the Chief Executive Medicare.

(3) Each of the following must comply with any written directions of the service operator:

(a) a delegate;

(b) if the Chief Executive Medicare delegates under subsection 8AC(3) of the Human Services (Medicare) Act 1973 a function delegated to him or her under this section - a subdelegate.

Division 4 - Constitutional matters

49   After section 38

Insert:

Division 5 - Regulations

Personally Controlled Electronic Health Records Act 2012

50   Section 4

Repeal the section, substitute:

4 Simplified outline of this Act

The My Health Record system is a system for making health information about a healthcare recipient available for the purposes of providing healthcare to the recipient.

A healthcare recipient will have a My Health Record if the recipient registers in the My Health Record system. The Minister may, however, provide that the opt-out model is to apply under My Health Records Rules made under Schedule 1. A healthcare recipient covered by those Rules will be registered in the My Health Record system, and have a My Health Record, unless the recipient elects to opt-out of the system.

The My Health Record system is operated by the System Operator. The System Operator operates the National Repositories Service, that stores key records that form part of a healthcare recipient's My Health Record. Other records are stored by registered repository operators. Together these records make up a healthcare recipient's My Health Record.

If a healthcare recipient is registered in the My Health Record system, a healthcare provider may upload health information about the recipient to the My Health Record system, unless the record is one which the healthcare recipient has advised the healthcare provider not to upload or the record is not to be uploaded under prescribed laws of a State or Territory.

Health information may be collected, used and disclosed from a healthcare recipient's My Health Record for the purpose of providing healthcare to the recipient, subject to any access controls set by the recipient (or if none are set, default access controls). There are other limited circumstances in which health information may be collected, used or disclosed from a My Health Record. Criminal and civil penalties apply if a person collects, uses or discloses information from a My Health Record without authorisation. Enforceable undertakings and injunctions are also available to enforce the provisions of this Act.

An authorisation to collect, use or disclose information under this Act is also an authorisation to do so for the purposes of the Privacy Act 1988. A contraventionof this Act is also an interference with privacy for the purposes of the Privacy Act 1988, and so can be investigated under that Act.

4A Schedule 1

Schedule 1 has effect.

Note: Schedule 1 deals with the opt-out model for registering healthcare recipients in the My Health Record system.

51   Section 5

Insert:

cinematograph film has the same meaning as in the Copyright Act 1968.

52   Section 5 (definition of civil penalty order)

Repeal the definition.

53   Section 5 (definition of civil penalty provision)

Repeal the definition, substitute:

civil penalty provision has the same meaning as in the Regulatory Powers Act.

54   Section 5 (definition of Court)

Repeal the definition.

55   Section 5 (definition of healthcare)

Repeal the definition, substitute:

healthcare means health service within the meaning of subsection 6(1) of the Privacy Act 1988.

56   Section 5 (definition of health information)

Repeal the definition, substitute:

health information has the meaning given by subsection 6(1) of the Privacy Act 1988.

57   Section 5 (definition of independent advisory council

Repeal the definition.

58   Section 5 (definition of jurisdictional advisory committee)

Repeal the definition.

59   Section 5 (definition of Ministerial Council)

Repeal the definition, substitute:

Ministerial Council means the council (however described) established by the Council of Australian Governments that has responsibility for health matters.

60   Section 5

Insert:

Regulatory Powers Act means the Regulatory Powers (Standard Provisions) Act 2014.

61   Section 5

Insert:

sound recording has the same meaning as in the Copyright Act 1968.

62   Section 5

Insert:

work has the same meaning as in the Copyright Act 1968.

63   Subsections 6(9) and 7(6)

Repeal the subsections.

64   After section 7

Insert:

7A Duties of authorised representative or nominated representative

Duty to ascertain will and preferences

(1) An authorised representative or a nominated representative (a representative ) of a healthcare recipient must make reasonable efforts to ascertain the recipient's will and preferences in relation to the recipient's My Health Record.

(2) If it is not possible to ascertain the healthcare recipient's will and preferences, the representative must make reasonable efforts to ascertain the recipient's likely will and preferences in relation to the recipient's My Health Record.

(3) The healthcare recipient's likely will and preferences may be ascertained from sources including the following:

(a) if the representative is a nominated representative - the agreement appointing the representative;

(b) to the extent legally possible, from consultation with people who may be expected to be aware of the recipient's will and preferences.

Duty to give effect to will and preferences

(4) The representative must give effect to the healthcare recipient's will and preferences, or likely will and preferences, ascertained in accordance with subsection (1) or (2).

(5) However, if to do so would pose a serious risk to the healthcare recipient's personal and social wellbeing, the representative must instead act in a manner that promotes the personal and social wellbeing of the healthcare recipient.

Duty if will and preferences cannot be ascertained

(6) If the healthcare recipient's will and preferences, or likely will and preferences, cannot be ascertained, the representative must act in a manner that promotes the personal and social wellbeing of the healthcare recipient.

65   At the end of subsection 9(3)

Add:

; (i) other information that is prescribed by the regulations for the purpose of this paragraph.

66   Subsection 11(2)

Omit "orliable to a pecuniary penalty".

67   At the end of Part 1

Add:

13B System Operator may use electronic communications

(1) If under this Act the System Operator is required to give information in writing, that requirement is taken to have been met if the System Operator gives the information by means of an electronic communication, as defined in the Electronic Transactions Act 1999.

(2) If under this Act the System Operator is permitted to give information in writing, the System Operator is permitted to give the information by means of an electronic communication, as defined in the Electronic Transactions Act 1999.

68   Part 2 (heading)

Repeal the heading, substitute:

Part 2 - The System Operator and the functions of the Chief Executive Medicare

69   After paragraph 15(i)

Insert:

(ia) to establish and operate a test environment for the My Health Record system, and other electronic systems that interact directly with the My Health Record system, in accordance with the requirements (if any) in the My Health Records Rules;

70   Section 16

Repeal the section.

71   Subparagraph 17(2)(b)(ii)

Omit "the record was first uploaded to the National Repositories Service", substitute "the date of birth of the healthcare recipient".

72   Divisions 2 and 3 of Part 2

Repeal the Divisions.

73   Division 1 of Part 3

After the Division heading, insert:

Note: This Division does not apply to a healthcare recipient if the opt-out model applies to the healthcare recipient because of My Health Records Rules made under Schedule 1 to this Act.

74   After subsection 41(3)

Insert:

(3A) A registered healthcare provider organisation is authorised to upload to the My Health Record system a record in relation to a healthcare recipient (the patient ) that includes health information about another healthcare recipient (the third party ), if the health information about the third party is directly relevant to the healthcare of the patient, subject to a law of a State or Territory that is prescribed by the regulations for the purposes of subsection (4).

75   Subsection 41(4)

Omit "A consent referred to in subsection (3) has", substitute "A consent referred to in subsection (3), and an authorisation given under subsection (3A), have".

76   After paragraph 45(b)

Insert:

(ba) upload to a repository a record of a kind specified in the My Health Records Rules for the purposes of subparagraph (b)(ii) unless the record is prepared by a person who, at the time the record is prepared, is:

(i) an individual who is registered by a registration authority within the meaning of the Healthcare Identifiers Act 2010, and whose registration is not conditional, suspended, cancelled or lapsed (other than in circumstances prescribed in the My Health Records Rules); or

(ii) an individual who is a member of a professional association described in paragraph 9A(1)(b) of the Healthcare Identifiers Act 2010, and whose membership is not conditional, suspended, cancelled or lapsed (other than in circumstances prescribed by the My Health Records Rules); or

77   Paragraph 45(c)

Repeal the paragraph, substitute:

(c) upload a record to a repository if uploading the record would involve an infringement of a moral right of the author, within the meaning of the Copyright Act 1968; or

78   After section 45

Insert:

45A Condition of registration - handling old records that are works subject to copyright

Old works must not be uploaded if it would be an infringement of copyright to use the work for healthcare or related purposes

(1) Subsection (2) applies to works made before section 44BB of the Copyright Act 1968 commences.

Note: Section 44BB of the Copyright Act 1968 provides that there is no infringement of copyright if an act comprised in the copyright of a work is done, or authorised to be done, for healthcare or related purposes.

(2) A healthcare provider organisation must not, for the purposes of the My Health Record system, upload the work if it would be an infringement of the copyright in the work for the organisation or another person to do, or authorise to be done, an act comprised in the copyright of the work:

(a) for a purpose for which the collection, use or disclosure of health information is required or authorised under this Act; or

(b) in circumstances in which a permitted general situation exists under item 1 of the table in subsection 16A(1) of the Privacy Act 1988 (serious threat to life, health or safety), or would exist if the act were done, or authorised to be done, by an entity that is an APP entity for the purposes of that Act; or

(c) in circumstances in which a permitted health situation exists under section 16B of the Privacy Act 1988, or would exist if the act were done, or authorised to be done, by an entity that is an organisation for the purposes of that Act; or

(d) for any other purpose relating to healthcare, or the communication or management of health information, prescribed by the regulations.

(3) It is a condition of the registration of a healthcare provider organisation that the organisation complies with the obligation under subsection (2).

45B Condition of registration - handling old sound recordings and cinematograph films that are subject to copyright

(1) Subsection (2) applies to sound recordings and cinematograph films made before section 104C of the Copyright Act 1968 commences.

Note: Section 104C of the Copyright Act 1968 provides that there is no infringement of the copyright if an act comprised in the copyright of a sound recording or cinematograph film is done, or authorised to be done, for healthcare or related purposes.

(2) A healthcare provider organisation must not, for the purposes of the My Health Record system, upload the sound recording or cinematograph film if it would be an infringement of the copyright in the recording or film for the organisation or another person to do an act comprised in the copyright of the recording or film:

(a) for a purpose for which the collection, use or disclosure of health information is required or authorised under this Act; or

(b) in circumstances in which a permitted general situation exists under item 1 of the table in subsection 16A(1) of the Privacy Act 1988 (serious threat to life, health or safety), or would exist if the act were done by an entity that is an APP entity for the purposes of that Act; or

(c) in circumstances in which a permitted health situation exists under section 16B of the Privacy Act 1988, or would exist if the act were done by an entity that is an organisation for the purposes of that Act; or

(d) for any other purpose relating to healthcare, or the communication or management of health information, prescribed by the regulations.

(3) It is a condition of the registration of a healthcare provider organisation that the organisation complies with the obligation under subsection (2).

45C Liability where work uploaded in breach of section 45A or 45B

(1) If any person suffers loss or damage as a result of anything done by an entity that contravenes section 45A or 45B, the person may bring an action for the amount of the loss or damage against the entity in:

(a) the Federal Court of Australia;

(b) the Federal Circuit Court of Australia;

(c) a court of a State or Territory that has jurisdiction in relation to the matter.

(2) The action must be brought within 6 years after the loss or damage was suffered.

(3) In determining the damage suffered by the person, the court may include costs incurred by the person as a result of legal action relating to infringement of copyright.

79   After section 50

Insert:

50A Condition of registration - handling old records that are works subject to copyright

(1) Subsection (2) applies to works made before section 44BB of the Copyright Act 1968 commences.

Note: Section 44BB of the Copyright Act 1968 provides that there is no infringement of copyright if an act comprised in the copyright of a work is done, or authorised to be done, for healthcare or related purposes.

(2) A registered repository operator must not make the work available for the purposes of the My Health Record system, if it would be an infringement of the copyright in the work for the operator or another person to do, or authorise to be done, an act comprised in the copyright of the work:

(a) for a purpose for which the collection, use or disclosure of health information is required or authorised under this Act; or

(b) in circumstances in which a permitted general situation exists under item 1 of the table in subsection 16A(1) of the Privacy Act 1988 (serious threat to life, health or safety), or would exist if the act were done, or authorised to be done, by an entity that is an APP entity for the purposes of that Act; or

(c) in circumstances in which a permitted health situation exists under section 16B of the Privacy Act 1988, or would exist if the act were done, or authorised to be done, by an entity that is an organisation for the purposes of that Act; or

(d) for any other purpose relating to healthcare, or the communication or management of health information, prescribed by the regulations.

(3) It is a condition of the registration of a registered repository operator that the operator complies with subsection (2).

50B Condition of registration - handling old sound recordings and cinematograph films that are subject to copyright

(1) Subsection (2) applies to sound recordings and cinematograph films made before section 104C of the Copyright Act 1968 commences.

Note: Section 104C of the Copyright Act 1968 provides that there is no infringement of the copyright if an act comprised in the copyright of a sound recording or cinematograph film is done, or authorised to be done, for healthcare or related purposes.

(2) A registered repository operator must not, for the purposes of the My Health Record system, make the sound recording or cinematograph film available if it would be an infringement of the copyright in the recording or film for the operator or another person to do any act comprised in the copyright in the recording or film:

(a) for a purpose for which the collection, use or disclosure of health information is required or authorised under this Act; or

(b) in circumstances in which a permitted general situation exists under item 1 of the table in subsection 16A(1) of the Privacy Act 1988 (serious threat to life, health or safety), or would exist if the act were done by an entity that is an APP entity for the purposes of that Act; or

(c) in circumstances in which a permitted health situation exists under section 16B of the Privacy Act 1988, or would exist if the act were done by an entity that is an organisation for the purposes of that Act; or

(d) for any other purpose relating to healthcare, or the communication or management of health information, prescribed by the regulations.

(3) It is a condition of the registration of a registered repository operator that the operator complies with subsection (2).

50C Liability where work uploaded in breach of section 50A or 50B

(1) If any person suffers loss or damage as a result of anything done by an entity that contravenes section 50A or 50B, the personmay bring an action for the amount of the loss or damage against the entity in:

(a) the Federal Court of Australia;

(b) the Federal Circuit Court of Australia;

(c) a court of a State or Territory that has jurisdiction in relation to the matter.

(2) The action must be brought within 6 years after the loss or damage was suffered.

(3) In determining the damage suffered by the person, the court may include costs incurred by the person as a result of legal action relating to infringement of copyright.

50D Authorisation to make health information available to the System Operator

A registered repository operator (other than the Chief Executive Medicare) is authorised to make health information about a registered healthcare recipient that is held by the operator available to the System Operator.

80   At the end of sections 51 and 52

Add:

Note: Under section 53, the System Operator must give the healthcare recipient or other entity notice before cancelling, suspending or varying registration (except in urgent circumstances). The decision to cancel, suspend or vary registration cannot be made before the end of the period specified in the notice.

81   Subsection 53(4)

Omit "with immediate effect", substitute "without following the process outlined in subsections (1) to (3)".

82   Subsection 53(5)

Repeal the subsection, substitute:

(5) A decision under subsection (4) takes effect:

(a) when notice of the decision is given under that subsection; or

(b) if a later time is specified in the notice under that subsection - at that later time.

83   Division 6 of Part 3 (heading)

Repeal the heading, substitute:

Division 6 - Collection, use and disclosure of information for the purposes of the My Health Record System

84   Section 58

Repeal the section, substitute:

58 Collection, use and disclosure of health information by the System Operator

The System Operator may collect, use and disclose health information about a healthcare recipient for the purposes of including the health information in the My Health Record of a registered healthcare recipient.

58A Collection, use and disclosure of healthcare identifiers, identifying information and information identifying authorised representatives and nominated representatives

(1) An entity mentioned in column 1 of an item of the following table, is authorised to take action of the kind described in column 2 of that item with information of the kind described in column 3 of that item in the circumstances described in column 4 of that item.

Note: Under section 15 of the Healthcare Identifiers Act 2010, the service operator under that Act is authorised to collect, use and disclose healthcare identifiers of, and identifying information about, healthcare recipients and their representatives for the purposes of the My Health Record system. The service operator is also authorised to collect, use and disclose healthcare identifiers of, and identifying information about, healthcare providers under section 24 of that Act.

(2) If:

(a) any of the following entities discloses information to the System Operator in circumstances in which the information is authorised to be disclosed under subsection (1):

(i) the Chief Executive Medicare;

(ii) the Veterans' Affairs Department;

(iii) the Defence Department;

(iv) the service operator for the purposes of the Healthcare Identifiers Act 2010;

(v) an entity prescribed for the purposes of item 10 of the table in subsection (1); and

(b) the entity that disclosed the information becomes aware that the information has changed;

that entity must, as soon as practicable after becoming aware of the change, inform the System Operator of the change.

85   Subsections 59(1) and (2) (civil penalty)

Repeal the civil penalties.

86   At the end of section 59

Add:

Fault-based offence

(3) A person commits an offence if the person contravenes subsection (1) or (2).

Penalty: Imprisonment for 2 years or 120 penalty units, or both.

Civil penalty

(4) A person is liable to a civil penalty if the person contravenes subsection (1) or (2).

Civil penalty: 600 penalty units.

87   Subsection 60(1) (civil penalty)

Repeal the civil penalty.

88   At the end of section 60

Add:

Fault-based offence

(3) A person commits an offence if the person contravenes subsection (1).

Penalty: Imprisonment for 2 years or 120 penalty units, or both.

Civil penalty

(4) A person is liable to a civil penalty if the person contravenes subsection (1).

Civil penalty: 600 penalty units.

89   Section 72

Omit "to use" (wherever occurring), substitute "to collect, use"

90   Section 75

Repeal the section, substitute:

75 Data breaches

(1) This section applies to an entity if:

(a) the entity is, or has at any time been, the System Operator, a registered healthcare provider organisation, a registered repository operator, a registered portal operator or a registered contracted service provider; and

(b) the entity becomes aware that:

(i) a person has, or may have, contravened this Act in a manner involving an unauthorised collection, use or disclosure of health information included in a healthcare recipient's My Health Record; or

(ii) an event has, or may have, occurred (whether or not involving a contravention of this Act) that compromises, may compromise, has compromised or may have compromised, the security or integrity of the My Health Record system; or

(iii) circumstances have, or may have, arisen (whether or not involving a contravention of this Act) that compromise, may compromise, have compromised or may have compromised, the security or integrity of the My Health Record system; and

(c) the contravention, event or circumstances directly involved, may have involved or may involve the entity.

Note: This section applies to an entity when the entity becomes aware of a matter referred to in paragraph (b) regardless of when that matter arose or occurred or if the matter is ongoing at the time the entity became aware of the matter.

Notifying the System Operator or Information Commissioner

(2) If:

(a) the entity is a registered healthcare provider organisation, a registered repository operator, a registered portal operator or a registered contracted service provider; and

(b) the entity becomes aware that:

(i) the contravention or event referred to in subsection (1) has or may have occurred; or

(ii) the circumstances referred to in subsection (1) have or may have arisen;

then, as soon as practicable after becoming aware, the entity must notify:

(c) in the case of an entity that is a State or Territory authority or an instrumentality of a State or Territory - the System Operator; or

(d) otherwise - both the System Operator and the Information Commissioner.

Civil Penalty: 100 penalty units.

(3) If:

(a) the entity is the System Operator; and

(b) the entity becomes aware that:

(i) the contravention or event referred to in subsection (1) has or may have occurred; or

(ii) the circumstances referred to in subsection (1) have or may have arisen;

then, as soon as practicable after becoming aware, the entity must notify the Information Commissioner.

(4) If an entity has given notice under subsection (2) or (3) on becoming aware that the contravention, event or circumstances may have occurred or arisen then, despite subsection (2) or (3), the entity need not give notice again on becoming aware that the contravention, event or circumstances has occurred or arisen.

Steps to be taken if contravention, event or circumstances may have occurred or arisen

(5) The entity must, as soon as practicable after becoming aware that the contravention, event or circumstances may have occurred or arisen, do the following things:

(a) so far as is reasonably practicable contain the potential contravention, event or circumstances;

(b) evaluate any risks that, if the contravention, event or circumstances has occurred or arisen, may be related to or arise out of the contravention, event or circumstances;

(c) if there is a reasonable likelihood that the contravention, event or circumstance has occurred or arisen and the effects of the contravention, event or circumstances might be serious for at least one healthcare recipient:

(i) if the entity is not the System Operator - ask the System Operator to notify all healthcare recipients that would be affected; or

(ii) if the entity is the System Operator - notify all healthcare recipients that would be affected.

Note: A contravention of this subsection is not a civil penalty provision. However, contraventions of this Act may have other consequences (for example, cancellation of registration).

Steps to be taken if contravention or event has occurred or the circumstances have arisen

(6) The entity must, as soon as practicable after becoming aware that the contravention or event has occurred or the circumstances have arisen, do the following things:

(a) so far as is reasonably practicable, contain the contravention, event or circumstances and undertake a preliminary assessment of the causes;

(b) evaluate any risks that may be related to or arise out of the contravention, event or circumstances;

(c) if the entity is the System Operator:

(i) notify all affected healthcare recipients; and

(ii) if a significant number of healthcare recipients are affected, notify the general public;

(d) if the entity is not the System Operator - ask the System Operator:

(i) to notify all affected healthcare recipients; and

(ii) if a significant number of healthcare recipients are affected, to notify the general public;

(e) take steps to prevent or mitigate the effects of further contraventions, events or circumstances described in paragraph (1)(b).

Note: A contravention of this subsection is not a civil penalty provision. However, contraventions of this Act may have other consequences (for example, cancellation of registration).

(7) If an entity has given notice, or requested that the System Operator give notice, under paragraph (5)(c) then, despite paragraphs (6)(c) and (d), the entity need not give notice or request the System Operator to give notice under paragraphs (6)(c) and (d).

(8) The System Operator must comply with a request under paragraph (5)(c) or (6)(d).

91   Subsection 77(1) (civil penalty)

Repeal the civil penalty.

92   After subsection 77(2)

Insert:

Fault-based offence

(2A) A person commits an offence if the person contravenes subsection (1).

Penalty: Imprisonment for 2 years or 120 penalty units, or both.

Note: Where a fault element for a physical element of an offence is not stated, see section 5.6 of the Criminal Code for the appropriate fault element.

Civil penalty

(2B) A person is liable to a civil penalty if the person contravenes subsection (1).

Civil penalty: 600 penalty units.

93   Section 78

Repeal the section, substitute:

78 My Health Records Rules must not be contravened

A person that is, or has at any time been:

(a) a registered healthcare provider organisation; or

(b) a registered repository operator; or

(c) a registered portal operator; or

(d) a registered contracted service provider;

must not contravene a My Health Record Rule that applies to the person.

Civil penalty: 100 penalty units.

94   Parts 6 and 7

Repeal the Parts, substitute:

Part 6 - Enforcement

Division 1 - Civil penalties

79 Civil penalty provisions

Enforceable civil penalty provisions

(1) Each civil penalty provision of this Act is enforceable under Part 4 of the Regulatory Powers Act.

Note: Part 4 of the Regulatory Powers Act allows a civil penalty provision to be enforced by obtaining an order for a person to pay a pecuniary penalty for the contravention of the provision.

Authorised applicant

(2) For the purposes of Part 4 of the Regulatory Powers Act, the Information Commissioner is an authorised applicant in relation to the civil penalty provisions of this Act.

Relevant court

(3) For the purposes of Part 4 of the Regulatory Powers Act, each of the following courts is a relevant court in relation to the civil penalty provisions of this Act:

(a) the Federal Court of Australia;

(b) the Federal Circuit Court of Australia;

(c) a court of a State or Territory that has jurisdiction in relation to the matter.

Extension to external Territories

(4) Part 4 of the Regulatory Powers Act, as that Part applies in relation to the civil penalty provisions of this Act, extends to every external Territory.

Liability of the Crown

(5) Part 4 of the Regulatory Powers Act, as that Part applies in relation the civil penalty provisions of this Act, does not make the Crown liable to a pecuniary penalty.

Division 2 - Enforceable undertakings

80 Enforceable undertakings

Enforceable provisions

(1) This Act is enforceable under Part 6 of the Regulatory Powers Act.

Note: Part 6 of the Regulatory Powers Act creates a framework for accepting and enforcing undertakings relating to compliance with provisions.

Authorised person

(2) For the purposes of Part 6 of the Regulatory Powers Act, each of the following persons is an authorised person in relation to the provisions of this Act:

(a) the System Operator;

(b) the Information Commissioner.

Relevant court

(3) For the purposes of Part 6 of the Regulatory Powers Act, each of the following courts is a relevant court in relation to the provisions of this Act:

(a) the Federal Court of Australia;

(b) the Federal Circuit Court of Australia;

(c) a court of a State or Territory that has jurisdiction in relation to the matter.

Enforceable undertaking may be published on website

(4) An authorised person in relation to a provision of this Act may publish an undertaking given in relation to the provision on the authorised person's website.

Extension to external Territories

(5) Part 6 of the Regulatory Powers Act, as that Part applies in relation to the provisions of this Act, extends to every external Territory.

Division 3 - Injunctions

81 Injunctions

Enforceable provisions

(1) This Act is enforceable under Part 7 of the Regulatory Powers Act.

Note: Part 7 of the Regulatory Powers Act creates a framework for using injunctions to enforce provisions.

Authorised person

(2) For the purposes of Part 7 of the Regulatory Powers Act, each of the following persons is an authorised person in relation to the provisions of this Act:

(a) the System Operator;

(b) the Information Commissioner.

Relevant court

(3) For the purposes of Part 7 of the Regulatory Powers Act, each of the following courts is a relevant court in relation to the provisions of this Act:

(a) the Federal Court of Australia;

(b) the Federal Circuit Court of Australia;

(c) a court of a State or Territory that has jurisdiction in relation to the matter.

Extension to external Territories

(4) Part 7 of the Regulatory Powers Act, as that Part applies in relation to the provisions of this Act, extends to every external Territory.

95   Subsection 98(1)

Omit "If the System Operator is the Secretary, the", substitute "The".

96   Subsections 98(3), (4) and (5)

Repeal the subsections, substitute:

(3) If the System Operator is not the Secretary, the System Operator may only delegate a function or power of the System Operator:

(a) to an APS employee in the Department - with the agreement of the Secretary; and

(b) to the Chief Executive Medicare - with the agreement of the Chief Executive Medicare.

(4) Each of the following must comply with any written directions of the System Operator:

(a) a delegate;

(b) if the Chief Executive Medicare delegates under subsection 8AC(3) of the Human Services (Medicare) Act 1973 a function delegated to him or her under this section - a subdelegate.

97   Subsection 100(3)

Repeal the subsection, substitute:

(3) An offence against this Act that would otherwise have been committed by the partnership is taken to have been committed by each partner in the partnership, at the time the offence was committed, who:

(a) did the relevant act or made the relevant omission; or

(b) aided, abetted, counselled or procured the relevant act or omission; or

(c) was in any way knowingly concerned in, or party to, the relevant act or omission (whether directly or indirectly and whether by any act or omission of the partner).

(4) This section applies to a contravention of a civil penalty provision in a corresponding way to the way in which it applies to an offence.

98   Subsection 101(3)

Repeal the subsection, substitute:

(3) An offence against this Act that would otherwise have been committed by the unincorporated association is taken to have been committed by each member of the association's committee of management, at the time the offence was committed, who:

(a) did the relevant act or made the relevant omission; or

(b) aided, abetted, counselled or procured the relevant act or omission; or

(c) was in any way knowingly concerned in, or party to, the relevant act or omission (whether directly or indirectly and whether by any act or omission of the member).

(4) This section applies to a contravention of a civil penalty provision in a corresponding way to the way in which it applies to an offence.

99   Subsection 102(3)

Repeal the subsection, substitute:

(3) An offence against this Act that would otherwise have been committed by the trust is taken to have been committed by each trustee of the trust, at the time the offence was committed, who:

(a) did the relevant act or made the relevant omission; or

(b) aided, abetted, counselled or procured the relevant act or omission; or

(c) was in any way knowingly concerned in, or party to, the relevant act or omission (whether directly or indirectly and whether by any act or omission of the trustee).

(4) This section applies to a contravention of a civil penalty provision in a corresponding way to the way in which it applies to an offence.

100   Section 103

Repeal the section.

101   Section 107

Repeal the section, substitute:

107 Annual reports by the System Operator

The System Operator must include in any annual report prepared by the System Operator and given to the Minister under section 46 of the Public Governance, Performance and Accountability Act 2013:

(a) statistics of the following:

(i) registrations, and cancellations and suspensions of registrations, under this Act;

(ii) use of the My Health Record system by healthcare providers and healthcare recipients;

(iii) complaints received, and investigations undertaken, in relation to the My Health Record system;

(iv) occurrences compromising the integrity or security of the My Health Record system;

(v) enforceable undertakings accepted by the System Operator under this Act;

(vi) proceedings taken by the System Operator in relation to enforceable undertakings or injunctions; and

(b) any other matter prescribed by the regulations.

102   Section 108

Repeal the section, substitute:

108 Review of the operation of the Act

(1) The Minister must, after consulting the Ministerial Council, appoint an individual to review the operation of this Act.

(2) The individual appointed must give a report to the Minister within the later of:

(a) 3 years after the commencement of Schedule 1 to the Health Legislation Amendment (eHealth) Act 2015; or

(b) if the Minister makes My Health Records Rules under clause 2 of Schedule 1 to this Act within 3 years after the commencement of Schedule 1 to the Health Legislation Amendment (eHealth) Act 2015 - 3 years after the day on which the Rules are made.

(3) The Minister must:

(a) provide a copy of the report to the Ministerial Council; and

(b) table a copy of the report in each House of Parliament within 15 sitting days after the report is given to the Minister.

103   Subsection 109(2)

Repeal the subsection, substitute:

Consultation

(2) Before the Minister makes My Health Records Rules, the Minister must consult:

(a) the System Operator; and

(b) a subcommittee of the Ministerial Council, prescribed by the regulations for the purposes of this paragraph.

A failure to consult does not affect the validity of the Rules.

104   At the end of subsection 109(3)

Add:

; (e) requirements relating to the establishment and the operation of a test environment for the My Health Record system, or another electronic system that interacts directly with the My Health Record system.

105   At the end of section 109

Add:

Incorporation of other instruments

(9) Despite subsection 14(2) of the Legislative Instruments Act 2003, the My Health Records Rules may make provision in relation to a matter by applying, adopting or incorporating any matter contained in an instrument or other writing as in force or existing from time to time.

Scope of the My Health Records Rules rule-making power

(10) To avoid doubt, the My Health Records Rules may not do the following:

(a) create an offence or civil penalty;

(b) provide powers of:

(i) arrest or detention; or

(ii) entry, search or seizure;

(c) impose a tax;

(d) set an amount to be appropriated from the Consolidated Revenue Fund under an appropriation in this Act;

(e) directly amend the text of this Act.

(11) My Health Records Rules that are inconsistent with the regulations have no effect to the extent of the inconsistency, but My Health Records Rules are taken to be consistent with the regulations to the extent that the Rules are capable of operating concurrently with the regulations.

106   At the end of the Act

Add:

Schedule 1 - My Health Records for all healthcare recipients

Note: See section 4A.

Part 1 - Opt-out model for the participation of healthcare recipients in the My Health Record system

1 Trial of opt-out model

(1) The Minister may make My Health Records Rules applying Part 2 of this Schedule (the opt-out model ) to a class, or classes, of healthcare recipients.

(2) The Minister must not make rules under subclause (1), unless the Minister is satisfied that applying the opt-out model to that class, or those classes, of healthcare recipients would provide evidence of whether the opt-out model results in participation in the My Health Record system at a level that provides value for those using the My Health Record system.

(3) Before the Minister makes My Health Records Rules under this clause, the Minister must consult a subcommittee of the Ministerial Council, prescribed by the regulations for the purposes of this subclause.

2 Minister may apply the opt-out model to all healthcare recipients after trial

(1) If, having applied the opt-out model under clause 1, the Minister decides that the opt-out model results in participation in the My Health Record system at a level that provides value for those using the My Health Record system, the Minister may make My Health Records Rules applying the opt-out model to all healthcare recipients in Australia.

(2) In making the decision, the Minister may take into account:

(a) the evidence obtained in applying the opt-out model under clause 1; and

(b) any other matter relevant to the decision.

(3) Before the Minister makes My Health Records Rules under this clause, the Minister must consult the Ministerial Council.

Part 2 - Registering all healthcare recipients

Division 1 - Registering healthcare recipients

3 Registration of a healthcare recipient by the System Operator

(1) The System Operator may register a healthcare recipient if:

(a) the healthcare recipient is eligible for registration under clause 4; and

(b) the System Operator is satisfied, having regard to the matters (if any) specified in the My Health Records Rules, that the identity of the healthcare recipient has been appropriately verified; and

(c) the System Operator is satisfied that:

(i) the healthcare recipient has been given the opportunity, in accordance with clause 5, to make an election not to be registered; and

(ii) no such election is in force.

(2) Despite subclause (1), the System Operator must not register a healthcare recipient:

(a) if the System Operator is satisfied that registering the healthcare recipient may compromise the security or integrity of the My Health Record system, having regard to the matters (if any) prescribed by the My Health Records Rules; or

(b) in other circumstances prescribed by the My Health Records Rules.

4 When a healthcare recipient is eligible for registration

A healthcare recipient is eligible for registration if:

(a) a healthcare identifier has been assigned to the healthcare recipient under paragraph 9(1)(b) of the Healthcare Identifiers Act 2010; and

(b) the System Operator has collected the following information in relation to the healthcare recipient:

(i) full name;

(ii) date of birth;

(iii) healthcare identifier, Medicare card number or Department of Veterans' Affairs file number;

(iv) sex;

(v) such other information as is prescribed by the regulations.

5 Healthcare recipient elects not to be registered

(1) A healthcare recipient may, by notice to the System Operator, elect not to be registered.

(2) The notice:

(a) must be in the approved form; and

(b) be lodged at a place, or by a means, specified in the form; and

(c) if:

(i) under the My Health Records Rules, it is provided that the election by a member of a class of healthcare recipients must be given within a period, or on the occurrence of an event, specified in those rules; and

(ii) the healthcare recipient is a member of that class;

the notice of the election must be given to the System Operator within that period, or on the occurrence of that event.

(3) The election begins to be in force on the day on which the healthcare recipient gives notice of the election to the System Operator.

(4) The election ceases to be in force on the day on which an application is made under clause 6 to be registered.

6 Healthcare recipients may apply for registration

(1) A healthcare recipient may apply to the System Operator for registration of the healthcare recipient.

(2) The application must:

(a) be in the approved form; and

(b) include, or be accompanied by, the information and documents required by the form; and

(c) be lodged at a place, or by a means, specified in the form.

(3) If:

(a) a healthcare recipient makes an application in accordance with this clause; and

(b) the healthcare recipient is eligible for registration under clause 4; and

(c) the System Operator is satisfied, having regard to the matters (if any) specified in the My Health Records Rules, that the identity of the healthcare recipient has been appropriately verified;

the System Operator must register the healthcare recipient.

(4) Despite subclause (3), the System Operator must not register a healthcare recipient:

(a) if the System Operator is satisfied that registering the healthcare recipient may compromise the security or integrity of the My Health Record system, having regard to the matters (if any) prescribed by the My Health Records Rules; or

(b) in other circumstances prescribed by the My Health Records Rules.

Division 2 - Information sharing for the purposes of the opt-out system

7 Collection, use and disclosure of health information by the System Operator

The System Operator may collect, use and disclose health information about a healthcare recipient for the purposes of including the health information in the My Health Record of a registered healthcare recipient.

8 Collection, use and disclosure of healthcare identifiers, identifying information and information identifying authorised representatives and nominated representatives

(1) An entity mentioned in column 1 of an item of the following table, is authorised to take action of the kind described in column 2 of that item with information of the kind described in column 3 of that item in the circumstances described in column 4 of that item.

Note: Under section 15 of the Healthcare Identifiers Act 2010, the service operator under that Act is authorised to collect, use and disclose healthcare identifiers of, and identifying information about, healthcare recipients and their representatives for the purposes of the My Health Record system. The service operator is also authorised to collect, use and disclose healthcare identifiers of, and identifying information about, healthcare providers under section 24 of that Act.

(2) If:

(a) any of the following entities discloses information to the System Operator in circumstances in which the information is authorised to be disclosed under subclause (1):

(i) the Chief Executive Medicare;

(ii) the Veterans' Affairs Department;

(iii) the Defence Department;

(iv) the service operator for the purposes of the Healthcare Identifiers Act 2010;

(v) an entity prescribed for the purposes of item 10 of the table in subclause (1); and

(b) the entity that disclosed the information becomes aware that the information has changed;

that entity must, as soon as practicable after becoming aware of the change, inform the System Operator of the change.

Division 3 - Handling health information for the purposes of a healthcare recipient's My Health Record

Subdivision A - Healthcare provider to upload health information

9 Authorisation for healthcare provider to upload health information

(1) A registered healthcare provider organisation is authorised to upload to the My Health Record system any record that includes health information about a registeredhealthcare recipient, subject to the following:

(a) express advice given by the healthcare recipient to the registered healthcare provider organisation that a particular record, all records or a specified class of records must not be uploaded;

(b) a law of a State or Territory that is prescribed by the regulations for the purposes of subclause (3).

(2) A registered healthcare provider organisation is authorised to upload to the My Health Record system a record in relation to a healthcare recipient (the patient ) that includes health information about another healthcare recipient (the third party ), if the health information about the third party is directly relevant to the healthcare of the patient, subject to a law of a State or Territory that is prescribed by the regulations for the purposes of subclause (3).

(3) An authorisation referred to in subclause (1) or (2) has effect despite a law of a State or Territory that requires consent to the disclosure of particular health information:

(a) given expressly; or

(b) given in a particular way;

other than a law of a State or Territory prescribed by the regulations for the purposes of this subclause.

Subdivision B - Functions of the Chief Executive Medicare

10 Registered repository operator

It is a function of the Chief Executive Medicare to seek to become a registered repository operator and, if registered, to operate a repository for the purposes of the My Health Record system in accordance with this Division.

11 Uploading health information to the repository

At any time when the Chief Executive Medicare is a registered repository operator, the Chief Executive Medicare may, at his or her discretion, upload health information held by the Chief Executive Medicare about a registered healthcare recipient to the repository operated by the Chief Executive Medicare.

12 Making health information available to the System Operator

(1) At any time when the Chief Executive Medicare is a registered repository operator, the Chief Executive Medicare may, at his or her discretion, make available to the System Operator health information held by the Chief Executive Medicare about a registered healthcare recipient.

(2) Despite subclause (1), the Chief Executive Medicare must not make health information about a healthcare recipient available to the System Operator, if the healthcare recipient has elected under clause 13 not to have the information made available, and that election is in force.

13 Healthcare recipient may elect not to have health information disclosed to the System Operator

(1) A healthcare recipient may, by notice to the System Operator, elect not to have health information about the healthcare recipient held by the Chief Executive Medicare made available to the System Operator.

(2) The notice under subclause (1):

(a) must be in the approved form; and

(b) be lodged at a place, or by a means, specified in the form; and

(c) if:

(i) under the My Health Records Rules, it is provided that the election by a member of a class of healthcare recipients must be given within a period, or on the occurrence of an event, specified in those rules; and

(ii) the healthcare recipient is a member of that class;

the notice of the election must be given to the System Operator within that period, or on the occurrence of that event.

(3) The election begins to be in force from the day on which the healthcare recipient gives notice of the election to the System Operator.

(4) The election ceases to be in force:

(a) if the healthcare recipient notifies the System Operatorthat the healthcare recipient withdraws the election - from the day on which the notice is given; and

(b) if another time is prescribed by the My Health Records Rules - at that time.

(5) The notice under subclause (4):

(a) must be in the approved form; and

(b) be lodged at a place, or by a means, specified in the form.

14 Health information uploaded or made available may include details of healthcare providers

The health information about a healthcare recipient uploaded under clause 11 or made available under clause 12 may include the name of one or more healthcare providers that have provided healthcare to the healthcare recipient.

15 Way in which repository operated not limited by this Division

Nothing in this Division limits the way in which the repository is to be operated.

Subdivision C - Other registered repository operators

16 Making health information available to the System Operator

A registered repository operator (other than the Chief Executive Medicare) may make available to the System Operator health information held by the registered repository operator about a registered healthcare recipient.

Part 3 - Other consequences of applying the opt-out rules

17 References to other provisions of this Act

If Part 2 of this Schedule applies in relation to a healthcare recipient:

(a) Division 4 of Part 2 of this Act does not apply in relation to the healthcare recipient; and

(b) Division 1 of Part 3 of this Act does not apply in relation to the healthcare recipient; and

(c) section 46 applies as if the reference to "this Part" were a reference to "Part 2 of Schedule 1 to this Act"; and

(d) section 50D does not apply in relation to the healthcare recipient; and

(e) paragraphs 51(2)(d) and (e) do not apply in relation to the healthcare recipient (consent to upload information to the My Health Record system); and

(f) section 57 applies as if a reference to a decision under Part 3 to register a healthcare recipient were a reference to a decision under Part 2 of this Schedule to register the healthcare recipient; and

(g) Division 6 of Part 3 of this Act does not apply in relation to the healthcare recipient; and

(h) in relation to the healthcare recipient, the reference in paragraph 97(1)(b) to a decision under section 41 to refuse to register a healthcare recipient is taken to include a reference to a decision under Part 2 of this Schedule to refuse to register the healthcare recipient; and

(i) if the healthcare recipient is registered under Part 2 of this Schedule - a reference in this Act to a registered healthcare recipient is taken to include a reference to the healthcare recipient.

Privacy Act 1988

107   Subsection 6(1) (definition of health information)

Repeal the definition, substitute:

health information has the meaning given by section 6FA.

108   Subsection 6(1) (definition of health service)

Repeal the definition, substitute:

health service has the meaning given by section 6FB.

109   After section 6F

Insert:

6FA Meaning of health information

The following information is health information :

(a) information or an opinion about:

(i) the health, including an illness, disability or injury, (at any time) of an individual; or

(ii) an individual's expressed wishes about the future provision of health services to the individual; or

(iii) a health service provided, or to be provided, to an individual;

that is also personal information;

(b) other personal information collected to provide, or in providing, a health service to an individual;

(c) other personal information collected in connection with the donation, or intended donation, by an individual of his or her body parts, organs or body substances;

(d) genetic information about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual.

6FB Meaning of health service

(1) An activity performed in relation to an individual is a health service if the activity is intended or claimed (expressly or otherwise) by the individual or the person performing it:

(a) to assess, maintain or improve the individual's health; or

(b) where the individual's health cannot be maintained or improved - to manage the individual's health; or

(c) to diagnose the individual's illness, disability or injury; or

(d) to treat the individual's illness, disability or injury or suspected illness, disability or injury; or

(e) to record the individual's health for the purposes of assessing, maintaining, improving or managing the individual's health.

(2) The dispensing on prescription of a drug or medicinal preparation by a pharmacist is a health service .

(3) To avoid doubt:

(a) a reference in this section to an individual's health includes the individual's physical or psychological health; and

(b) an activity mentioned in subsection (1) or (2) that takes place in the course of providing aged care, palliative care or care for a person with a disability is a health service .

(4) The regulations may prescribe an activity that, despite subsections (1) and (2) is not to be treated as a health service for the purposes of this Act.

110   After subsection 16B(1)

Insert:

(1A) A permitted health situation exists in relation to the collection by an organisation of health information about an individual (the third party ) if:

(a) it is necessary for the organisation to collect the family, social or medical history of an individual (the patient ) to provide a health service to the patient; and

(b) the health information about the third party is part of the family, social or medical history necessary for the organisation to provide the health service to the patient; and

(c) the health information is collected by the organisation from the patient or, if the patient is physically or legally incapable of giving the information, a responsible person for the patient.

Part 2   Rule-making powers, application and transitional provisions

111   Meaning of application day

(1)The application day meansa single day to be fixed by Proclamation for the purposes of this item.

(2) However, if the application day is not fixed for a day that occurs within the period of 6 months beginning on the day this Schedule commences, the application day is on the day after the end of that period.

112   Meaning of governance restructure day

The governance restructure day means a single day to be fixed by Proclamation for the purposes of this item.

113   Copyright amendments

(1) The amendment made by item 1 of this Schedule applies to works made on or after the application day.

(2) The amendment made by item 2 of this Schedule applies to sound recordings and cinematograph films made on or after the application day.

(3) The amendments made by items 77, 78 and 79 of this Schedule (other than the insertion of section 50D into the My Health Records Act 2012) apply to works, sound recordings and cinematograph films uploaded on or after the application day.

(4) Section 50D of the My Health Records Act 2012, as inserted by item 79 of this Schedule, applies to information made available to the System Operator on or after the application day.

114   Assigning healthcare identifiers

The amendment made by item 31 of this Schedule applies to healthcare identifiers assigned on or after the commencement of this Schedule.

115   Information sharing under the Healthcare Identifiers Act 2010

(1) The amendments made by items 34 and 36 of this Schedule (other than the insertion of section 25E into the Healthcare Identifiers Act 2010) apply to the adoption, collection, use and disclosure of healthcare identifiers and other information on or after the application day.

(2) Section 25E of the Healthcare Identifiers Act 2010, as inserted by item 34 of this Schedule, applies where a healthcare provider organisation becomes aware on or after the application day that information held by the service operator in relation to the organisation is not accurate, up-to-date or complete.

(3) Despite the repeal of sections 15 and 26 of the Healthcare Identifiers Act 2010 by items 34 and 36 of this Schedule, those sections, as in force immediately before the commencement of this Schedule, continue to apply to the adoption, collection, use and disclosure of healthcare identifiers and other information before the application day.

116   Section 29 of the Healthcare Identifiers Act 2010

The amendments made by items 38 to 40 of this Schedule apply to acts and practices occurring on or after the application day.

117   Healthcare Provider Directory

The amendment made by item 42 of this Schedule applies on and after the application day.

118   Enforcement under the Healthcare Identifiers Act 2010

(1) Part 4 of the Regulatory Powers (Standard Provisions) Act 2014, as that Part applies under section 31C of the Healthcare Identifiers Act 2010, applies in relation to contraventions of civil penalty provisions occurring on or after the application day.

(2) Part 6 of the Regulatory Powers (Standard Provisions) Act 2014, as that Part applies under section 31D of the Healthcare Identifiers Act 2010, applies in relation to undertakings given on or after the application day.

(3) Part 7 of the Regulatory Powers (Standard Provisions) Act 2014, as that Part applies under section 31E of the Healthcare Identifiers Act 2010, applies in relation to contraventions occurringon or after the application day.

119   Amendments of the Healthcare Identifiers Act 2010 relating to employees, contractors, partnerships, incorporated associations and trusts

(1) Section 36A of the Healthcare Identifiers Act 2010, as inserted by item 48 of this Schedule, applies to the disclosure of information on or after the application day.

(2) Sections 36B, 36C and 36D of the Healthcare Identifiers Act 2010, as inserted by item 48 of this Schedule, apply to:

(a) obligations arising on or after the application day; and

(b) offence and civil penalty provisions contravened on or after the application day.

120   Governance restructure

The amendments made by items 57, 58, 70, 72 and 103 of this Schedule apply on and after the governance restructure day.

121   Duties of authorised representatives and nominated representatives

The amendments made by items 63 and 64 of this Schedule apply to actions taken and decisions made by an authorised representative of a healthcare recipient, or a nominated representative of a healthcare recipient, on or after the application day.

122   System Operator may communicate electronically

The amendment made by item 67 of this Schedule applies to communications on or after the commencement of this Schedule.

123   Retention of records uploaded to National Repositories Service

The amendment made by item 71 of this Schedule applies whether or not the record was uploaded before, on or after the commencement of this Schedule.

124   Uploading information about the status of the registration of a healthcare provider

The amendment made by item 76 of this Schedule applies to information uploaded on or after the application day.

125   Uploading information about third parties

The amendments made by items 74 and 75 of this Schedule apply to information uploaded on or after the application day.

126   Sharing information for the purposes of the My Health Record system - opt-in

The amendment made by item 84 of this Schedule applies to healthcare identifiers and other information collected, used or disclosed on or after the application day.

127   When decisions about status of registration under the My Health Record system come into effect

The amendments made by items 81 and 82 of this Schedule apply to decisions made on or after the day on which this Schedule commences.

128   Contraventions of obligations under sections 59, 60 and 77 of the My Health Records Act 2012

The amendments made by items 85, 86, 87, 88, 91 and 92 of this Schedule apply to contraventions of subsections 59(1), 59(2), 60(1) and 77(1) of the My Health Records Act 2012 that occur on or after the application day.

129   Application of amendments relating to data breach

(1) Section 75 of the My Health Records Act 2012 as inserted by item 90 of this Schedule applies to contraventions, events or circumstances that have or may have occurred or arisen on or after the application day.

(2) Section 75 of the My Health Records Act 2012, as in force immediately before the commencement of this Schedule, continues to apply in relation to contraventions that have or may have occurred, or events or circumstances that have occurred or arisen before the application day, whether or not the entity becomes aware before that day.

130   Consequences of contravening the My Health Records Rules

The amendment made by item 93 of this Schedule applies to contraventions of the My Health Records Rules that occur on or after the application day.

131  Application and saving provision - civil penalties

(1) Part 4 of the Regulatory Powers (Standard Provisions) Act 2014, as that Part applies under Division 1 of Part 6 of the My Health Records Act 2012, applies in relation to contraventions of civil penalty provisions occurring on or after the application day.

(2) Part 6 of the My Health Records Act 2012, as in force immediately before the commencement of this Schedule, continues to apply on and after the application day in relation to contraventions of civil penalty provisions occurring before the application day.

132   Application and saving provision - enforceable undertakings

(1) Part 6 of the Regulatory Powers (Standard Provisions) Act 2014, as that Part applies under Division 2 of Part 6 of the My Health Records Act 2012, applies in relation to undertakings given on or after the application day.

(2) Sections 94 and 95 of the My Health Records Act 2012, as in force immediately before the commencement of this Schedule, continue to apply on and after the application day in relation to the following:

(a) an undertaking given before the application day;

(b) an application for an order made, but not decided, under subsection 95(1) of that Act before the application day;

(c) an order made under subsection 95(2) of that Act before, on or after the application day as a result of an application made before the application day.

133   Application and saving provision - injunctions

(1) Part 7 of the Regulatory Powers (Standard Provisions) Act 2014, as that Part applies under Division 3 of Part 6 of the My Health Records Act 2012, applies in relation to contraventions occurringon or after the application day.

(2) Section 96 of the My Health Records Act 2012, as in force immediately before the commencement of this Schedule, continues to apply on and after the application day in relation to contraventions occurring before the application day.

134   Amendments of the My Health Records Act 2012 relating to partnerships, unincorporated associations and trusts

The amendments made by items 97, 98 and 99 of this Schedule apply to:

(a) obligations arising on or after the application day; and

(b) offence and civil penalty provisions contravened on or after the application day.

135   Repeal of requirement for the System Operator to give an annual report

The amendment made by item 101 of this Schedule applies to financial years beginning on or after the governance restructure day.

136   Rules

(1) The Minister may, by legislative instrument, make rules prescribing matters:

(a) required or permitted by this Actto be prescribed by the rules; or

(b) necessary or convenient to be prescribed for carrying out or giving effect to this Act.

(2) Without limiting subitem (1), the rules may prescribe matters of a transitional nature (including prescribing any saving or application provisions) relating to:

(a) the amendments or repeals made by this Act; or

(b) the enactment of this Act.

(3) Without limiting subitem (2), rules made for the purposes of that subitem may provide that the following Acts have effect with any modifications prescribed by the rules:

(a) the Healthcare Identifiers Act 2010;

(b) the My Health Records Act 2012;

(c) the Privacy Act 1988.

(4) To avoid doubt, the rules may not do the following:

(a) create an offence or civil penalty;

(b) provide powers of:

(i) arrest or detention; or

(ii) entry, search or seizure;

(c) impose a tax;

(d) set an amount to be appropriated from the Consolidated Revenue Fund under an appropriation in this Act;

(e) directly amend the text of this Act.

(5) This Part (other than subitem (4)) does not limit the rules that may be made for the purposes of this item.

Schedule 2   Renaming PCEHR as My Health Record

Healthcare Identifiers Act 2010

1   Section 5

Insert:

My Health Record has the same meaning as in the My Health Records Act 2012.

My Health Record system has the same meaning as in the My Health Records Act 2012.

My Health Record System Operator means the System Operator within the meaning of the My Health Records Act 2012.

2   Section 5

Insert:

participant in the My Health Record system has the same meaning as in the My Health Records Act 2012.

3   Section 5 (definition of participant in the PCEHR system)

Repeal the definition.

4   Section 5

Repeal the following definitions:

(a) definition of PCEHR ;

(b) definition of PCEHR system ;

(c) definition of PCEHR System Operator .

5   Section 5 (definitions of registered portal operator and registered repository operator)

Omit "Personally Controlled Electronic Health Records Act 2012", substitute "My Health Records Act 2012".

6   Subparagraphs 36(ba)(i) and (ii)

Omit "PCEHR", substitute "My Health Record".

Health Insurance Act 1973

7   Subsection 3(1)

Insert:

My Health Record System Operator has the same meaning as System Operator has in the My Health Records Act 2012.

8   Subsection 3(1) (definition of PCEHR System Operator)

Repeal the definition.

9   Subsection 3(1) (definition of registered repository operator)

Omit "Personally Controlled Electronic Health Records Act 2012", substitute "My Health Records Act 2012".

10   Subsection 130(1)

Omit "Personally Controlled Electronic Health Records Act 2012", substitute "My Health Records Act 2012".

National Health Act 1953

11   Subsection 135A(1)

Omit "Personally Controlled Electronic Health Records Act 2012", substitute "My Health Records Act 2012".

12   Subsection 135AA(5AA)

Omit "PCEHR" (wherever occurring), substitute "My Health Record".

13   Subsection 135AA(11)

Insert:

My Health Record has the same meaning as in the My Health Records Act 2012.

My Health Record System Operator has the same meaning as System Operator has in the My Health Records Act 2012.

14   Subsection 135AA(11)

Repeal the following definitions:

(a) definition of PCEHR ;

(b) definition of PCEHR System Operator .

Personally Controlled Electronic Health Records Act 2012

15   Section 1

Omit "Personally Controlled Electronic Health Records Act 2012", substitute "My Health Records Act 2012".

Note: This item amends the short title of the Act. If another amendment of the Act is described by reference to the Act's previous short title, that other amendment has effect after the commencement of this item as an amendment of the Act under its amended short title (see section 10 of the Acts Interpretation Act 1901).

16   Section 5 (definitions of contracted service provider and index service)

Omit "PCEHR" (wherever occurring), substitute "My Health Record".

17   Section 5

Insert:

My Health Record of a healthcare recipient means the record of information that is created and maintained by the System Operator in relation to the healthcare recipient, and information that can be obtained by means of that record, including the following:

(a) information included in the entry in the Register that relates to the healthcare recipient;

(b) health information connected in the My Health Record system to the healthcare recipient (including information included in a record accessible through the index service);

(c) other information connected in the My Health Record system to the healthcare recipient, such as information relating to auditing access to the record;

(d) back-up records of such information.

My Health Records Rules has the meaning given by section 109.

My Health Record system means a system:

(a) that is for:

(i) the collection, use and disclosure of information from many sources using telecommunications services and by other means, and the holding of that information, in accordance with the healthcare recipient's wishes or in circumstances specified in this Act; and

(ii) the assembly of that information using telecommunications services and by other means so far is it is relevant to a particular healthcare recipient, so that it can be made available, in accordance with the healthcare recipient's wishes or in circumstances specified in this Act, to facilitate the provision of healthcare to the healthcare recipient or for purposes specified in this Act; and

(b) that involves the performance of functions under this Act by the System Operator.

18   Section 5

Insert:

participant in the My Health Record system means any of the following:

(a) the System Operator;

(b) a registered healthcare provider organisation;

(c) the operator of the National Repositories Service;

(d) a registered repository operator;

(e) a registered portal operator;

(f) a registered contracted service provider, so far as the contracted service provider provides services to a registered healthcare provider.

19   Section 5 (definition of participant in the PCEHR system)

Repeal the definition.

20   Section 5

Repeal the following definitions:

(a) definition of PCEHR ;

(b) definition of PCEHR Rules ;

(c) definition of PCEHR system .

21   Section 5 (definition of personally controlled electronic health record)

Repeal the definition.

22   Section 5 (definition of registered portal operator)

Omit "PCEHR", substitute "My Health Record".

23   Section 5 (definition of registered repository operator)

Omit "personally controlled electronic health records", substitute "My Health Records".

24   Section 5 (definition of registered repository operator)

Omit "PCEHR", substitute "My Health Record".

25   Section 5 (definitions of this Act and use)

Omit "PCEHR", substitute "My Health Record".

26   Paragraphs 6(3)(a) and (6)(b)

Omit "PCEHR", substitute "My Health Record".

27   Subsection 7(3)

Omit "PCEHR" (wherever occurring), substitute "My Health Record".

28   Section 15

Omit "PCEHR" (wherever occurring), substitute "My Health Record".

29   Paragraph 17(1)(b)

Omit "PCEHR", substitute "My Health Record".

30   Subsection 38(1)

Omit "PCEHR", substitute "My Health Record".

31   Subsections 41(1) to (3)

Omit "PCEHR" (wherever occurring), substitute "My Health Record".

32   Paragraph 43(b)

Omit "PCEHR", substitute "My Health Record".

33   Subsection 44(2)

Omit "PCEHR" (wherever occurring), substitute "My Health Record".

34   Section 45

Omit "PCEHR" (wherever occurring), substitute "My Health Record".

35   Section 46 (heading)

Repeal the heading, substitute:

46 Condition of registration - non-discrimination in providing healthcare to a healthcare recipient who does not have a My Health Record etc.

36   Paragraphs 46(2)(a) and (b)

Omit "PCEHR", substitute "My Health Record".

37   Paragraph 48(a)

Omit "PCEHR", substitute "My Health Record".

38   Subsection 49(2)

Omit "PCEHR" (wherever occurring), substitute "My Health Record".

39   Section 50

Omit "PCEHR", substitute "My Health Record".

40   Subsections 51(2) and (3)

Omit "PCEHR" (wherever occurring), substitute "My Health Record".

41   Section 55 (heading)

Repeal the heading, substitute:

55 My Health Records Rules may specify requirements after registration is cancelled or suspended

42   Section 55

Omit "PCEHR" (wherever occurring), substitute "My Health Record".

43   Paragraph 55(3)(a)

Omit "PCEHRs", substitute "My Health Records".

44   Paragraphs 57(a) and (b)

Omit "PCEHR", substitute "My Health Record".

45   Part 4 (heading)

Repeal the heading, substitute:

Part 4 - Collection, use and disclosure of health information included in a healthcare recipient's My Health Record

46   Division 1 of Part 4 (heading)

Repeal the heading, substitute:

Division 1 - Unauthorised collection, use and disclosure of health information included in a healthcare recipient's My Health Record

47   Section 59 (heading)

Repeal the heading, substitute:

59 Unauthorised collection, use and disclosure of health information included in a healthcare recipient's My Health Record

48   Section 59

Omit "PCEHR" (wherever occurring), substitute "My Health Record".

49   Subsection 60(1)

Omit "PCEHR", substitute "My Health Record".

50   Sections 61 and 62

Omit "PCEHR" (wherever occurring), substitute "My Health Record".

51   Section 63 (heading)

Repeal the heading, substitute:

63 Collection, use and disclosure for management of My Health Record system

52   Sections 63 to 70

Omit "PCEHR" (wherever occurring), substitute "My Health Record".

53   Division 3 of Part 4 (heading)

Repeal the heading, substitute:

Division 3 - Prohibitions and authorisations limited to My Health Record system

54   Section 71 (heading)

Repeal the heading, substitute:

71 Prohibitions and authorisations limited to health information collected by using the My Health Record system

55   Subsections 71(1), (2) and (3)

Omit "PCEHR" (wherever occurring), substitute "My Health Record".

56   Subsection 71(4) (heading)

Repeal the heading, substitute:

Information originally obtained by means of My Health Record system

57   Subsection 71(4)

Omit "PCEHR" (wherever occurring), substitute "My Health Record".

58   Subsections 73(1) and (3)

Omit "PCEHR", substitute "My Health Record".

59   Section 73A

Omit "PCEHR", substitute "My Health Record".

60   Section 73B

Omit "PCEHR" (wherever occurring), substitute "My Health Record".

61   Paragraph 74(1)(a)

Omit "PCEHR", substitute "My Health Record".

62   Section 77

Omit "PCEHR" (wherever occurring), substitute "My Health Record".

63   Subparagraphs 99(c)(i) and (ii)

Omit "PCEHR", substitute "My Health Record".

64   Subsection 106(1)

Omit "PCEHR", substitute "My Health Record".

65   Subparagraph 106(2)(a)(i)

Omit "PCEHR", substitute "My Health Record".

66   Subparagraph 106(2)(a)(ii)

Omit "PCEHRs", substitute "My Health Records".

67   Subparagraph 106(2)(a)(ii)

Omit "PCEHR", substitute "My Health Record".

68   Division 7 of Part 8 (heading)

Repeal the heading, substitute:

Division 7 - My Health Records Rules, regulations and other instruments

69   Section 109 (heading)

Repeal the heading, substitute:

109 Minister may make My Health Records Rules

70   Subsection 109(1)

Omit " PCEHR ", substitute " My Health Record ".

71   Subsection 109(1)

Omit "PCEHR", substitute "My Health Record".

72   Subsection 109(3) (heading)

Repeal the heading, substitute:

My Health Records Rules may relate to registration etc.

73   Subsection 109(3)

Omit "PCEHR" (wherever occurring), substitute "My Health Record".

74   Subsection 109(4A) (heading)

Repeal the heading, substitute:

My Health Records Rules may relate to agreements

75   Subsections 109(4A) and (5)

Omit "PCEHR", substitute "My Health Record".

76   Subsection 109(6) (heading)

Repeal the heading, substitute:

My Health Records Rules may relate to access control mechanisms

77   Subsection 109(6)

Omit "PCEHR" (wherever occurring), substitute "My Health Record".

78   Subsection 109(7) (heading)

Repeal the heading, substitute:

My Health Records Rules may relate to authorised representatives and nominated representatives

79   Subsection 109(7)

Omit "PCEHR", substitute "My Health Record".

80   Subsection 109(7A) (heading)

Repeal the heading, substitute:

My Health Records Rules may relate to research

81   Subsection 109(7A)

Omit "PCEHR", substitute "My Health Record".

82   Subsection 109(8) (heading)

Repeal the heading, substitute:

My Health Records Rules may apply to specified classes of participants

83   Subsection 109(8)

Omit "PCEHR" (wherever occurring), substitute "My Health Record".

84   Subsection 112(2)

Omit "PCEHR", substitute "My Health Record".

Schedule 3   Renaming consumers as healthcare recipients

Health Insurance Act 1973

1   Subsection 3(1) (definition of registered consumer)

Repeal the definition.

2   Subsection 3(1)

Insert:

registered healthcare recipient has the meaning given by the MyHealth Records Act 2012.

National Health Act 1953

3   Subsection 135AA(5AA)

Omit "consumer", substitute "healthcare recipient".

Personally Controlled Electronic Health Records Act 2012

4   Section 5 (definitions of consumer and consumer-only notes)

Repeal the definitions.

5   Section 5

Insert:

healthcare recipient means an individual who has received, receives, or may receive, healthcare.

healthcare recipient-only notes , in relation to a healthcare recipient, means health information included by the healthcare recipient in his or her My Health Record and described in the My Health Record system as healthcare recipient-only notes (whether using that expression or an equivalent expression).

6   Section 5 (definition of registered consumer)

Repeal the definition.

7   Section 5

Insert:

registered healthcare recipient means a healthcare recipient who is registered under section 41.

8   Amendments of listed provisions

Schedule 4   Further consequential amendments

Part 1   Amendments relating to the Legislation Act 2003

Personally Controlled Electronic Health Records Act 2012

1   Subsection 109(9)

Omit "Legislative Instruments Act 2003", substitute "Legislation Act 2003".

Part 2   Amendments relating to delegations

Health Insurance Act 1973

2   Subsection 131(1)

Omit "or the Healthcare Identifiers Act 2010", substitute "or instruments made under this Act".

3   Subsection 131(2)

After "this Act", insert "or an instrument under which the power exists".