Replacement Explanatory Memorandum
Circulated By the Authority of the Minister for Health and Ageing, the Hon. Nicola Roxon MP
Notes On Clauses - Healthcare Identifiers Bill 2010
Part 1 - Preliminary
Clause 1 - Short Title
This clause provides that the Bill (once enacted) may be cited as the Healthcare Identifiers Act 2010.
Clause 2 - Commencement
This clause provides that the Bill (once enacted) commences on the day after it receives Royal Assent.
The Healthcare Identifiers Service is not due to commence operations until mid 2010. However, Medicare Australia as the service operator will need to undertake certain activities to support the implementation of the Healthcare Identifiers Service. This will include testing the Healthcare Identifiers Service. To undertake implementation activities such as testing, Medicare Australia, as the service operator, will require legislative authority.
Clause 3 - Purpose of this Act
This clause sets out that the purpose of this Bill (once enacted) is to implement a national system for consistently identifying individual healthcare recipients and healthcare providers. This will be achieved by issuing an identifying number to each healthcare recipient and healthcare provider.
Healthcare identifiers are designed to improve information management and communication in the delivery of healthcare and related services. There will also be benefits associated with the use of healthcare identifiers for other health-related purposes including research and management of health services.
The Bill (once enacted) will provide a robust framework for healthcare identifiers by:
- •
- authorising the use of existing Medicare Australia infrastructure;
- •
- setting out appropriate and transparent national governance arrangements; and
- •
- setting out the permitted uses and disclosures of healthcare identifiers by the healthcare community.
Healthcare identifiers, when included in a healthcare recipient's health record, will be subject to the existing privacy laws that apply to personal health information as well as the specific provisions that are set out in this Bill.
Clause 4 - Act to bind the Crown
This clause provides that the Bill binds the Crown in each of its capacities. This means that the Bill is intended to apply (and be observed by) the Commonwealth and each of the States, the Australian Capital Territory and the Northern Territory. It also reflects that the Crown cannot be subject to prosecution.
The note included refers to clause 37(4) of the Bill that requires the Minister to declare that certain provisions of the Bill do not apply to state or territory public sector organisations and agencies where a state or territory has enacted a law which applies consistent provisions relevant to the handling of healthcare identifiers to its public sector agencies.
Clause 5 - Definitions
This clause sets out key definitions used throughout the Bill to support the operation of the Healthcare Identifiers Service and handling of healthcare identifiers. The meaning of some definitions is set out in other clauses. Key definitions include:
- •
- healthcare means health service, as defined by the Privacy Act - aligning this definition with existing privacy laws will help to ensure consistency between privacy arrangements is maintained;
- •
- healthcare provider means all individual healthcare professionals (for example, general practitioners, specialists, nurses etc) and healthcare organisations (for example hospitals, medical centres, diagnostic services and other that provide a health service);
- •
- healthcare recipient means an individual who has received, is receiving or may receive healthcare in Australia;
- •
- health information means health information, as defined in the Privacy Act - aligning this definition with existing privacy laws will help to ensure consistency between privacy arrangements is maintained;
- •
- identified healthcare provider means individual healthcare providers or organisations that have been assigned a healthcare identifier;
- •
- Ministerial Council is defined by the National Partnership Agreement (NPA) for E-Health as being the Council of Ministers tasked by the Council of Australian Governments to undertake key functions related to the oversight of the Healthcare Identifiers Service, that is the Australian Health Ministers Conference;
- •
- Privacy Act means the Privacy Act 1988;
- •
- Registration authority means an entity that is responsible under a Commonwealth, state or territory law for registering members of particular health profession and would include a national registration authority, as defined under clause 8.
Clause 6 - meaning of service operator
This clause defines the service operator of the Healthcare Identifiers Service as the Chief Executive Officer of Medicare Australia, and allows for any subsequent service operator to be specified in the regulations.
Any decision to change the service operator must be made by the Minister, in consultation with the Ministerial Council. The requirement for this is set out in clause 33 and clause 39 of the Bill and the National Partnership Agreement on E-Health.
Clause 7 - meaning of identifying information
This clause describes the information (including personal information) required by the service operator to uniquely assign and maintain healthcare identifiers to healthcare providers (individuals and organisations) and healthcare recipients. The types of information required will depend on the type of healthcare identifier to be assigned.
Information required to assign an individual healthcare provider identifier is outlined in subclause 7(1) and includes (but is not limited to) name, address, date of birth, sex, healthcare provider type, registration status.
Subclause 7(2) outlines the information required to assign a healthcare provider identifier for non-individuals (eg. organisations) and includes (but is not limited to) name, address, ABN.
Subclause 7(3) outlines the information required to assign an individual healthcare identifier and includes but is not limited to name, address, Medicare or Veterans' Affairs number, date of birth etc.
The definition also includes other data elements that may need to be used in some situations to ensure accuracy when assigning and maintaining healthcare identifiers. Provision has also been made for regulations to prescribe any additional identifying information that may be required in the future to support assignment of healthcare provider identifiers under subclause 7(1) and (2). Development of any such regulations would be undertaken in consultation with the Ministerial Council as required under clause 33.
Clause 8 - Meaning of national registration authority
This clause describes a national registration authority as a registration authority that has been prescribed in regulations for the purpose of this section.
The regulations will prescribe the National Health Practitioner Boards or other bodies established by states and territories under the Health Practitioners Regulation National Law, or in corresponding laws of a state or territory, as part of a national scheme for the regulation of health professionals and students.
From July 2010, a national scheme is to be established for the registration of health practitioners in 10 professions - medical, nursing and midwifery, pharmacy, physiotherapy, dental, psychology, optometry, osteopathy and chiropractic. A further 4 professions - Aboriginal and Torres Strait Islander health practice, Chinese medicine, medical radiation practice, occupational therapy are expected to added to the scheme in 2012 and other additional professions may be added in the future.
The national registration boards or other bodies with responsibility for registering health practitioners are to have responsibility for issuing healthcare identifiers to individual providers under arrangements set out in clause 9.
Part 2 - Assigning healthcare identifiers
Clause 9 - Assigning healthcare identifiers
Subclause 9(1) authorises the service operator to assign a healthcare identifier to a healthcare provider or individual healthcare recipient. Healthcare providers will only be assigned a healthcare identifier where they meet criteria set out in regulations under subclause 9(5).
Subclause 9(2) provides for the national registration authority to assign healthcare identifiers to individual healthcare providers.
Subclause 9(3) sets out the three types of healthcare identifiers that form the foundation elements of the Healthcare Identifiers Service:
- •
- identifiers for individual healthcare providers;
- •
- identifiers for healthcare provider who are not individuals; and
- •
- identifiers for individual healthcare recipients.
Subclause 9(4) - makes clear that the service operator determines whether to assign identifiers.
Regulations under subclause 9(5) will prescribe requirements for assigning the identifiers and the different criteria for each type of identifier. Public consultation on the proposed regulations, including arrangements for assigning healthcare identifiers is being undertaken and is due to conclude on 9 April 2010.
The assignment of identifiers is essentially procedural and any detriment that may flow if an identifier is not assigned will be minimal. It will not affect the capacity for a healthcare provider to deliver healthcare or for a recipient to receive healthcare. An applicant can reapply to the Service Operator with additional information at any time.
Clause 9(5) of the HI Bill allows for appropriate review mechanisms to be implemented through regulations if, in future, it is considered to be warranted.
Subclause 9(6) provides that healthcare identifiers are also subject to clause 7 of the National Privacy Principles (NPPs) in the Privacy Act, so as to restrict Commonwealth government assigned identifiers from being adopted by private sector organisations as de-facto common identity numbers, other than as permitted by this Bill.
Healthcare identifiers are designed to be used by healthcare providers as unique reference numbers in their own health records systems. For the private sector to be able to adopt, use and disclose healthcare identifiers, they must be authorised to do so.
This Bill (once enacted) will provide that authorisation but only for limited purposes specifically described (see Part 3 for further information on the permitted uses and disclosures of healthcare identifiers).
Individual healthcare recipients enrolled in Medicare Australia's Medicare program or with the Department of Veterans' Affairs will not need to do anything to be assigned a healthcare identifier.
Those not enrolled with Medicare Australia or the Department of Veterans' Affairs, such as international tourists or long-stay visa holders, can be assigned a temporary healthcare identifier when they present to a healthcare provider for treatment. To verify their healthcare identifier, the individual will need to provide identifying information ( as defined in clause 7(3)) to the service operator.
COAG has agreed that the identifier assigned to individual healthcare providers for registration purposes should be the same number assigned to healthcare providers for the purpose of communication and management of health information.
To support this, individual healthcare providers will be assigned a healthcare provider identifier through national registration boards established as part of the national scheme for registration of health practitioners where their profession is included in the scheme.
For healthcare providers whose professions are not yet included in the national scheme, or will not be covered by the scheme, the service operator will be responsible for assigning individual healthcare provider identifiers, subject to the healthcare provider meeting criteria set out in regulations and providing identifying information ( as defined by clause 7(1)).
To ensure healthcare providers are issued one number only for registration purposes and communication and information management purposes, information sharing arrangements between the service operator and a National Registration Authority are required.
Authority for the sharing of a healthcare provider's identifier and other identifying information between a National Registration Authority and the service operator is provided for under other provisions of this Bill and state and territory legislation establishing the national scheme for the registration of health practitioners. The authority under this Bill is provided for in clause 13 (National Registration Authority to disclose to the service operator) and clause 19 (service operator to disclose to Registration Authority).
Healthcare providers who are not individuals (for example, healthcare organisations) or who are sole traders will need to apply direct to the service operator to be issued with a healthcare identifier for their organisation, subject to meeting criteria set out in regulations and providing identifying information ( as defined in clause 7(2)). The identifier issued to a healthcare provider who is a sole trader will be in addition to their individual healthcare identifier in these circumstances. This is clarified in the note to the clause.
This Bill (once enacted), in no way limits a healthcare provider's ability to deliver healthcare services where they have not been assigned a healthcare provider identifier.
Healthcare identifiers are designed to be used by healthcare providers as unique reference numbers in their own health records systems. For the private sector to be able to adopt, use and disclose healthcare identifiers, they must be authorised to do so. This Bill (once enacted) will provide that authorisation but only for limited purposes specifically described (see Part 3 for further information on the permitted uses and disclosures of healthcare identifiers).
In view of the procedural nature of decisions to assign identifiers and that they will not affect existing capacity for healthcare to be delivered those decisions will not be subject to administrative review. There will be minimal discretion for the service operator in assigning an identifier, for example, if healthcare providers do not provide 'identifying information' or meet existing standards for secure electronic exchange of information.
Clause 10 - Service operator must keep record of healthcare identifiers etc
This clause requires the service operator to keep an up-to-date record of all healthcare identifiers that have been assigned and any associated information the service operator has in its possession which relates to the healthcare identifiers. This includes information about any requests made by a healthcare provider to the service operator for the disclosure of an individual's healthcare identifier.
An individual healthcare consumer who has been assigned a healthcare identifier has a right to access information about themselves which is held by the service operator. This will include the healthcare identifiers and any associated personal information (see discussion under clause 18 for further information).
Part 3 - Use and disclosure of healthcare identifiers and other information
Division 1 - Use and disclosure of identifying information for assignment of healthcare identifiers
Clause 11 - Disclosure by healthcare providers
Subclause 11(1) authorises a healthcare provider to disclose identifying information about an individual healthcare consumer to the service operator, for the purpose of assigning a healthcare identifier to the individual. The subclause ensures that a healthcare provider does not breach privacy laws in providing that information to the service operator.
Subclause 11(2) authorises the service operator to collect the information which has been disclosed to it by the healthcare provider and use it for assigning an identifier.
As outlined above, most individual healthcare recipients will be automatically assigned an individual healthcare identifier but for those who are not (such as tourists or individuals not eligible to enrol in the Medicare program), it will be possible to obtain a temporary healthcare identifier from a healthcare provider when the individual presents for treatment.
In these circumstances, a healthcare provider will provide identifying information about the individual to the service operator for the purpose of the service operator assigning a healthcare identifier.
Clause 12 - Disclosure by data sources
Subclause 12(1) provides the authority for a data source (as defined by subclause 12(2)) to disclose identifying information it holds about an individual healthcare consumer or healthcare provider for another purpose to the service operator for the purpose of assigning a healthcare identifier.
Subclause 12(2) defines a number of data sources including Medicare Australia, the Department of Veterans' Affairs and data sources prescribed through regulations.
Data sources are selected on the basis that they can provide high quality demographic and professional information to support the unique identification of individuals and healthcare providers and limit the risk of incorrectly assigning a healthcare identifier.
Medicare Australia and the Department of Veterans' Affairs will provide existing demographic information to the service operator to support the assignment of healthcare identifiers to the majority of Australians.
Data sources, such as professional registration bodies, may be prescribed as required where, in consultation with the Ministerial Council, the Government is satisfied that they are able to provide adequate assurance about the quality of demographic and professional information on their members. Demographic and professional information to support the assignment of healthcare identifiers to healthcare providers will primarily be provided by a National Health Practitioner Board or other body established under the national scheme for the regulation of health practitioners who are prescribed as a National Registration Authority.
Subclause 12(3) authorises the service operator to collect and use identifying information disclosed to it by a data source for the purpose of assigning healthcare identifiers.
Clause 13 - Disclosure by national registration authority
Subclause 13(1) authorises the national registration authority to disclose the healthcare identifier it assigns and any relevant associated information to the service operator. Subclause 13(2) authorises the service operator to collect and use this information to establish and maintain a record of all healthcare identifiers issued, as required by clause 10.
This provision is necessary to ensure that where the national registration boards established as part of the national scheme for registration of health practitioners assigns individual healthcare identifiers to healthcare providers, they can disclose the healthcare identifier and associated information back to the service operator.
Regardless of who issues healthcare identifiers to healthcare providers, the service operator will be required to keep a record of all healthcare identifiers assigned and any relevant associated information by clause 10.
Clause 14 - Maintaining healthcare identifiers
This clause permits the drafting of regulations which may require a healthcare provider participating in the Healthcare Identifiers Service (an identified healthcare provider) to provide information relevant to the healthcare provider's healthcare identifier to the service operator.
This intention of this clause is to ensure that healthcare providers are obliged to update relevant information about themselves which is held by the service operator (for example, information included in the Healthcare Provider Directory such as professional status).
Clause 15 - Service operator's duty of confidentiality
This clause sets out the offences and penalties which apply to employees of the service operator for any unauthorised use or disclosure of information held by the service operator and to subsequent disclosure.
Subclause 15(1) provides that a person commits an offence if information was disclosed to the person for a legitimate purpose under Part 2 of the Bill (once enacted), and the person uses or discloses the information, the penalty for which is a fine of 120 penalty units (a penalty unit currently being worth $110), imprisonment for 2 years or both.
The types of inappropriate activities this provision intends to capture include where an employee uses information held by the service operator (such as someone else's name and address) and discloses that information to another person or use it themselves for a purpose that is not permitted.
Subclause 15(2) provides a defence to subclause 15(1) where the person uses or discloses the information for the purpose for which it was disclosed to the person or where the purpose is authorised under another law. For instance where an employee of the service operator uses or discloses information for a purpose permitted by the Bill once enacted, noting the individual making the disclosure bears the evidential burden in accordance with subsection 13.3(3) of the Criminal Code.
At common law the prosecution bears the persuasive burden of proving the guilt of the accused beyond reasonable doubt. The Healthcare Identifiers Bill 2010 will not change this. However, in accordance with the December 2007 Guide to the Framing of Commonwealth Offences, Civil Penalties and Enforcement Powers, the onus of evidential proof can be reversed where the facts in issue in the defence are peculiarly within the knowledge of the accused or where proof by the prosecution of a particular matter would be extremely difficult or expensive whereas it could be readily and cheaply provided by the accused.
Information relevant to whether a use or disclosure of a healthcare identifier is authorised will be peculiarly within the knowledge of the defendant and it is for this reason that the onus of evidential proof has been revised for this particular offence.
Subclause 15(3) includes a separate offence where information is disclosed to a person in contravention of subclause 15(1) and the person is aware of this contravention but uses or discloses the information anyway. A penalty of 120 penalty units (a penalty unit currently being worth $110), imprisonment for 2 years or both will apply.
In accordance with subclause 15(4), it is not an offence under subclause 15(3) if an individual uses or discloses the information for the purpose of reporting a contravention to the appropriate authorities (noting that the individual reporting the offence bears the evidential burden under subsection 13.3(3) of the Criminal Code to prove the use or disclosure was permitted - for an explanation of the reversal of the onus of evidential proof, see clause 15(2)).
As described in the note, where the offence is committed by a body corporate, a fine of 600 penalty units will apply.
Division 2 - Disclosure of healthcare identifier by service operator
Subdivision A - Request by healthcare provider for healthcare recipient's healthcare identifier
Clause 16 - Disclosure of healthcare recipient's identifying information by healthcare provider
This clause authorises healthcare providers participating in the Healthcare Identifiers Service to disclose identifying information ( as defined in clause 7) to the service operator about individuals for the purpose of obtaining their healthcare identifier.
The disclosure by a healthcare provider may occur at the time an individual presents to a healthcare provider for healthcare or as part of a larger request for a batch download against a healthcare provider's existing records.
An individual's healthcare identifier will only be disclosed back to the healthcare provider where an exact match is available. Where an exact match is unavailable, an error message will be sent to the healthcare provider from the service operator.
A healthcare provider's ability to undertake batch downloads will help to facilitate the quick uptake of healthcare identifiers and reduce administration burdens associated with participation in the Service. A healthcare provider's patient index will be able to be initially populated by matching healthcare identifiers to individuals already known to the healthcare provider. To make a request a provider will need to provide details of the patient who is on their current records. The records that a healthcare provider might hold on their current records will be governed by applicable health records legislation.
Under this clause, the service operator is authorised to collect and use information disclosed to it by the healthcare provider.
The service operator's ability to disclose the healthcare identifier back to the healthcare provider is provided for in clause 17.
Subdivision B - Disclosure of healthcare identifier by service operator
Clause 17 - Disclosure to healthcare provider
Subclause 17(1) authorises the service operator to disclose healthcare identifiers to a healthcare provider participating in the Healthcare Identifiers Service or individuals employed by the healthcare provider and authorised to act on their behalf.
Subclause 17(2) authorises the healthcare provider to collect the healthcare identifier and states in the note that the use or disclosure of the healthcare identifier for specified purposes is authorised in clause 24 of the Bill.
Authorisation for the healthcare provider to adopt use or disclose healthcare identifiers is provided under clause 25.
Clause 18 - Disclosure to healthcare recipient
Under this clause the service operator is able to disclose information it holds about an individual healthcare recipient to the recipient where it has been requested. The service operator is also able to disclose information it holds about an individual to a person responsible for that individual (as defined by subclause 2.5 of the National Privacy Principle 2). NPP 2.5 is to be read in conjunction with NPP 2.4 and, where necessary, NPP 2.6 to 2.8. NPP 2.4(a) relevantly provides that a person will be responsible for an individual if the individual is physically or legally incapacitated, or physically cannot communicate consent to disclosure (paragraphs (b)-(d) of NPP 2.4 are not relevant in terms of the service operator disclosing healthcare identifiers).
Information that can be disclosed includes the healthcare identifier, any associated personal information and the details of healthcare providers who have accessed the individual's record.
While existing privacy and freedom of information laws regulate access to information held by Commonwealth public sector bodies, an explicit statement has been included in this Bill to ensure individuals and persons responsible for the individual have a clear understanding of their right to access information held by the service operator and to provide an appropriate framework for the service operator to make such disclosures.
Clause 19 - Disclosure to registration authority
Subclause 19(1) authorises the service operator to disclose a healthcare provider's healthcare identifier to a registration authority ( as defined in clause 5) for registration purposes. Subclause 19(2) permits the registration authority to collect and use the identifier.
A registration authority ( defined in clause 5) includes the national registration boards established as part of the national scheme for registration of health practitioners for a range of healthcare professions. Under this scheme, registered healthcare providers in specified professions will be assigned a persistent, single identifier for registration purposes.
Health Ministers have agreed that the identifier assigned to healthcare providers for registration purposes should be the same number assigned to healthcare providers for the purpose of communication and management of health information.
Clause 20 - Disclosure for authentication of healthcare provider's identity
Authentication of an individual is used as part of providing secure electronic communications.
The Healthcare Identifiers Service will use the National Authentication Service for Health (NASH) to provide security credentials for healthcare providers. NASH will provide a Public Key Infrastructure (PKI) system for the healthcare sector which will include issuing and maintaining digital certificates for healthcare providers.
Healthcare providers will use their authentication credentials when accessing the Healthcare Identifiers Service electronically. This will enable the service operator to keep an accurate and up-to-date record of healthcare providers accessing the Service.
To support these authentication requirements, the service operator will need to be able to disclose information it holds about a healthcare provider to an entity responsible for issuing and maintaining digital certificates.
Subclause 20(1) authorises the service operator to disclose information for such purposes while subclause 20(2) permits the entity responsible for issuing and maintaining authentication infrastructure to collect and use the information for those purposes.
Clause 21 - Access controls
This clause enables regulations to be made which prescribe rules relevant to the disclosure of healthcare identifiers by the service operator.
The regulations will set out what the service operator or healthcare provider must do for identifiers to be disclosed. Security obligations on the service operator and any other body holding healthcare identifiers are provided for under clause 27.
Any regulations proposed under this clause would be subject to consultation with the Ministerial Council (see clause 33 for further discussion) and may impose a penalty for any contravention of the regulation.
Clause 22 - Information about disclosures by service operator
This clause enables regulations to be made which stipulate that where the service operator discloses a healthcare identifier to an entity, the entity must provide certain information relevant to that disclosure to the service operator.
This may include an acknowledgement of the entity's responsibilities in relation to the appropriate handling of the healthcare identifier or other participation arrangements necessary to support the appropriate use and disclosure of healthcare identifiers, such as keeping a record of employees who have accessed the Service. This will support enquiries made by individuals with regards to who has accessed their records and the handling of any complaints.
Any regulations proposed under this clause would be subject to consultation with the Ministerial Council (see clause 33 for further discussion) and may impose a penalty for any contravention of the regulation.
Division 3 - Use, disclosure and adoption of healthcare identifier by healthcare provider
Clause 23 - Disclosure to healthcare recipient
The purpose of this clause is to make it clear that a healthcare provider can disclose an individual's healthcare identifier to the individual or to a person responsible for the individual.
A healthcare provider is able to disclose information it holds about an individual to a person responsible for that individual (as defined by subclause 2.5 of the National Privacy Principle 2). NPP 2.5 is to be read in conjunction with NPP 2.4 and, where necessary, NPP 2.6 to 2.8. NPP 2.4(a) relevantly provides that a person will be responsible for an individual if the individual is physically or legally incapacitated, or physically cannot communicate consent to disclosure (paragraphs (b)-(d) of NPP 2.4 are not relevant in terms of the service operator disclosing healthcare identifiers).
Clause 24 - Use and disclosure for other purposes
It is expected that healthcare identifiers will be included in the existing information management systems of healthcare providers and used when communicating information with other providers and managing health information as part of delivering health services.
Subclause 24(1)(a) sets out the permitted uses and disclosures of healthcare identifiers by healthcare providers for the purpose of communication or management of information as part of:
- •
- providing a health service to an individual; or
- •
- the management, funding, monitoring or evaluation of healthcare; or
- •
- provision of indemnity cover for the healthcare provider; or
- •
- research which has been approved by a human research ethics committee.
These purposes are broad enough to cover a range of clinical, administrative and business activities that are regularly undertaken to support the delivery of healthcare. For example, management, funding, monitoring or evaluation of healthcare is intended to include activities such as quality assurance, quality improvement, policy development, planning, cost benefit analysis and the compilation of statistics in relation to those activities.
Subclause 24(1)(b) also authorises a healthcare provider to use or disclose a healthcare identifier where the provider reasonably believes it is necessary to lessen or prevent a serious threat to an individual's life, health or safety or a serious threat to public health or public safety.
Express authority permitting a healthcare provider to use or disclose healthcare identifiers is necessary in light of the restrictions under National Privacy Principle 7 of the Privacy Act on private sector organisations using and disclosing Commonwealth government assigned identifiers (see discussion under subclause 9(4) for further information). The healthcare provider does not require the consent of the individual healthcare consumer in order to use or disclose the healthcare identifier for the purposes specified.
It should be noted that the permitted uses and discloses only apply to the healthcare identifiers. The collection, use and disclosure of any personal information (eg. health information) must be managed in accordance with the Privacy Act or existing state or territory privacy arrangements. This is set out in the note to the clause.
The use or disclosure of the identifiers for purposes other than outlined above will be a breach of the Privacy Act and subject to inquiry and complaint mechanisms (see clause 26 - offences and penalties).
The limits on the handling of healthcare identifiers will apply to state and territory public sector bodies through state and territory legislation. Until such legislation is in place, this Bill (once enacted) will set out the limits that will apply for the use and disclosure of healthcare identifiers by state and territory public sector bodies (for further information on the relationship with state and territory laws, see clause 37).
Subclause 24(2) provides that where a healthcare provider discloses a healthcare identifier to another entity for a purpose defined by subclause 24(1), the entity is authorised to collect, use or disclose it to a healthcare provider for the purpose for which it was originally disclosed to the entity.
This will include for example, when a doctor discloses an individual's healthcare identifier to a private health insurer and the insurer provides a healthcare service to that individual, such as a chronic disease management program.
However, as outlined below in subclause 24(4) the healthcare identifier cannot be used by the insurer for the purpose of underwriting health insurance or determining eligibility for or coverage level of, health insurance. This aligns with the community rating scheme under the Private Health Insurance Act 2007 ( Chapter 3) which supports access to private health care for all Australians by prohibiting discrimination against individuals based on their health, age or some other characteristic likely to result in the need for increased healthcare.
Under subclause 24(3), a healthcare provider who receives a healthcare identifier from the entity in these circumstances is permitted to collect it and use or disclose it in accordance with subsection 24(1).
Healthcare identifiers are expected to be used broadly within the healthcare sector, provided the uses and discloses fall under the activities described in subclause 24(1). Any activities that fall outside those activities described in subclause 24(1) are intended to be prohibited. A specific prohibition has also been included in subclause 24(4) to make it clear that healthcare identifiers cannot be used for the purpose of an insurer underwriting insurance contract for an individual healthcare recipient or determining whether the individual is eligible to receive insurance, or for employment purposes.
Section 25 - Adoption by healthcare provider
Clause 25 provides for healthcare providers to adopt an identifier of a healthcare recipient as their identifier to that healthcare recipient.
An express authority permitting healthcare providers to adopt healthcare identifiers is necessary in light of the general prohibition under National Privacy Principle 7 of the Privacy Act that prevents private sector organisations adopting Commonwealth government assigned identifiers (see discussion under subclause 9(4) for further information)
Division 4 - Unauthorised use and disclosure of healthcare identifiers
Clause 26 - Unauthorised use and disclosure of healthcare identifiers prohibited
Subclause 26(1) provides an offence where a healthcare identifier is disclosed to a person and the person uses or discloses the healthcare identifier.
The penalty for such an offence where it is committed by an individual is a fine of 120 penalty units (a penalty unit currently being worth $110), imprisonment for 2 years or both. Where the offence is committed by a corporation, a fine of 600 penalty units will apply.
Subclause 26(2) provides a defence to subclause 26(1) where the person is authorised under this Bill (once enacted) to use or disclose the healthcare identifier and the use and disclosure is in accordance with the purposes defined in subclause 24(1), the use or disclosure is authorised under another law, or the person discloses the healthcare identifier for the purpose of, or in connection with, the person's personal, family or household affairs (within the meaning of section 16E of the Privacy Act). To rely on this defence, the individual bears the evidential burden in accordance with subsection 13.3(3) of the Criminal Code ( for an explanation of the reversal of the onus of evidential proof, see clause 15(2)).
Division 5 Protection of Healthcare Identifiers
Clause 27 - Protection of Healthcare Identifiers
This clause imposes security obligations on any entity holding a healthcare identifier to protect it from misuse or loss and for regulations to prescribe additional requirements.
The clause mirrors requirements set out in NPP4 in Schedule 3 of the Privacy Act. As under the Privacy Act, the federal Privacy Commissioner will be able to require agencies and organisations to take action to address systems failures that led to that misuse or loss.
Part 4 - Interaction with the Privacy Act 1988
Clause 28 - Interaction with the Privacy Act 1988
This clause provides clarification as to how this Bill (once enacted), operates in conjunction with the Privacy Act and clarifies that an authorisation under this Bill is an authorisation for the purpose of the Privacy Act.
Clause 29 - Functions of Privacy Commissioner
Subclause 29(1) provides that an act or practice which contravenes the Bill or regulations (once enacted) will be considered as a breach of privacy under the Privacy Act.
Subclause 29(2) allows audits to be undertaken by the Privacy Commissioner as could be undertaken in relation to personal information.
The Federal Privacy Commissioner will be responsible for providing independent oversight of the Healthcare Identifiers Service, in accordance with existing functions allocated under the Privacy Act. This will include the power to conduct own motion investigations and undertake audits of the service operator (as a Commonwealth Government agency). As is the current arrangement, the audit of any private sector organisation is by invitation only. Audits cannot be undertaken into a state or territory agency as these are treated as a private sector organisation under the Privacy Act.
Complaints regarding the Healthcare Identifiers Service will be handled by the Privacy Commissioner in accordance with section 36 of the Privacy Act.
As outlined in the National Partnership Agreement for E-Health, it is intended that existing state and territory regulators will be responsible for providing oversight of their public sector bodies in relation to the handling of healthcare identifiers. This will occur concurrent with any existing jurisdictional privacy arrangements.
States and territories that do not have existing or sufficient limits and safeguards on use of healthcare identifiers in place or an appropriate regulator will need to introduce legislation. In the absence of any such legislation, the Privacy Commissioner will be responsible for providing regulatory oversight for state and territory public sector bodies (for further discussion on the relationship between this Bill (once enacted) and state and territory laws, see the discussion on clause 37).
Clause 29 - Annual reports by Privacy Commissioner
This clause imposes an obligation on the Privacy Commissioner to prepare an annual report on compliance and enforcement activities undertaken in relation to the Healthcare Identifiers Service. A copy of the report must be provided to the Ministerial Council by 30 September of each year.
As is general practice with annual reports prepared by Commonwealth agencies, the annual report prepared by the Privacy Commissioner will be publicly available to ensure an appropriate level of transparency and accountability.
Part 5 - Healthcare Provider Directory
Clause 31 - Healthcare Provider Directory
Subclause 31(1) requires the service operator to establish and maintain a Healthcare Provider Directory which will list the details of all healthcare providers who have been assigned a healthcare identifier and who have consented to having their details included in the Directory.
Subclause 31(2) enables the service operator to disclose details contained in the Healthcare Provider Directory to other healthcare providers participating in the Healthcare Identifiers Service (identified healthcare providers) or their employees, where they have been authorised to act on the healthcare provider's behalf.
The establishment of the Healthcare Provider Directory is one of the key benefits associated with the Healthcare Identifiers Service. The Directory aims to facilitate communication between healthcare providers by providing a reliable source of identifying and contact information about other participating healthcare providers. For example, the Directory will enable a GP to locate other providers (such as specialists) in a timely manner, and facilitate communication with other providers when referring patients or making decisions about the patient's care needs by providing contact details for electronic messaging.
Part 6 - Oversight role of the Ministerial Council
Clause 32 - Directions to service operator
This clause enables the Minister responsible for oversighting the Healthcare Identifiers Service, in consultation with the Ministerial Council to issue written directions to the service operator about the operation of the Service.
This clause gives effect to the agreement in the National Partnership Agreement for E-Health for the Ministerial Council to be consulted in providing directions to the Service Operator. Consultation with the Ministerial Council recognises the important role states and territories play in managing the operation of the Healthcare Identifiers Service to ensure it appropriately supports the needs of national public health policy.
Any written direction issued under this clause is not a legislative instrument within the meaning of section 5 of the Legislative Instruments Act 2003.
Clause 33 - Consultation with Ministerial Council about regulations
This clause imposes an obligation on the Minister responsible for legislative oversight to consult with the Ministerial Council prior to making regulations to support the operation of the Healthcare Identifiers Service.
Consultation with the Ministerial Council recognises the important role states and territories play in managing the operation of the Healthcare Identifiers Service to ensure it appropriately supports the needs of national public health policy.
Clause 34 - Annual reports by service operator
This clause imposes an obligation on the service operator to prepare an annual report on activities, finances and operation of the service operator so far as they relate to this Bill and any regulations in force. A copy of this report must be provided to the Ministerial Council or other entity as directed by the Ministerial Council no later than 30 September each year.
As is general practice with annual reports prepared by Commonwealth agencies, the report prepared by the service operator will be publicly available. This will provide a level of transparency and accountability.
Clause 35 - Review of operation of Act
Subclause 35(1) imposes an obligation on the Minister, in consultation with the Ministerial Council to oversee a review of the operation of this Bill (once enacted) within three years of commencement.
This clause is intended to be read in conjunction with the review requirements set out in the National Partnership Agreement on E-Health, which states that a review of the Healthcare Identifiers Service must be conducted after two years and reported on within three years of the commencement of the Service.
A review is required to ensure the Bill (once enacted) provides the necessary regulatory support to enable the Healthcare Identifiers Service to operate efficiently and effectively and to assess Medicare Australia's role as the service operator.
Consultation with the Ministerial Council recognises the important role states and territories play in managing the operation of the Healthcare Identifiers Service to ensure it appropriately supports the needs of national public health policy.
In accordance with subclause 35(2), a copy of the report must be provided to the Ministerial Council and tabled in each House of Parliament within 24 sitting days after it has been prepared.
Part 7 - Miscellaneous
Clause 36 - Extent of authorisation
This clause states that where an entity is authorised under this Bill for a particular purpose, this authorisation applies to a person employed by the entity whose duties involve supporting that purpose.
This clause will enable for example, nominated employees of healthcare providers to use and disclose healthcare identifiers where their employer is authorised to do so. This recognises the roles that employees may have. The authorisation of employees who do not have a healthcare identifier to access the Healthcare Identifiers Service is subject to the requirements set out in clause 17, ie where the entity has given notice of the authorisation to the service operator.
Clause 37 - Relationship to State and Territory laws
Relationship to State or Territory laws
Subclause 37(1) provides that for this Bill (once enacted) and any state and territory laws to operate concurrently, where possible. This enables existing privacy arrangements in states and territories to continue operation where they do not conflict with the provisions of the Bill.
Subclause 37(2) ensures that were an offence under this Bill is also provided for in a state or law, the individual can only be convicted of one of the offences.
Subclause 37(3) provides that nothing in this Bill (once enacted) limits, restricts or otherwise affects any right or remedy a person would have had if this Bill wasn't enacted.
Declaration that Act does not apply
Subclause 37(4) states that where the Minister responsible for the administration of the Act makes a declaration relating to specific provisions and specified public bodies of a state or territory under subclause 37(5), the provisions referred to do not apply to those authorities.
Subclause 37(5) imposes an obligation on the Minister to declare that certain provisions of this Bill do not apply to state or territory public bodies in certain circumstances.
The declaration is to be made where a state or territory Minister requests such a declaration to be made and the Minister responsible for administering this Act, is satisfied that a law is in force in that state or territory that has been agreed by the Ministerial Council as appropriately supporting the handling of healthcare identifiers and any associated information by public sector agencies in that state or territory. The requirements for the Ministerial Council to be satisfied are set out in the National Partnership on E-Health.
A declaration made under this clause is considered a legislative instrument.
Subclause 37(6) provides the Minister with responsibility for administering this Bill (once enacted) to revoke a declaration made under subclause 37(4) where a Minister of a state or territory makes a request or where a state or territory law previously agreed to by the Ministerial Council is amended without their agreement.
Subclause 37(7) confirms the situation under the Legislative Instruments Act 2003 that section 42 and Part 6 of that Act do not apply to a declaration or revocation made under subclauses (5) and (6).
Clause 38 - Severability - additional effect of Parts 3 and 4
Clause 38 is intended to ensure that the Act is given the widest possible operation consistent with Commonwealth constitutional legislative power. Subclause 38(1) provides that without limiting the effect of the Act Parts 3 and 4 also has effect as provided by each of the subclauses 38(2) to 38(10) relying on different elements of Commonwealth power.
Clause 39 - Regulations
Subclause 39(1) enables the Governor-General to make regulations which are required, necessary or convenient for the operation of, or giving effect to, the Bill (once enacted).
Consultation with the Ministerial Council must be undertaken prior to the making of such regulations.
The Bill enables regulations to be made in relation to a number of areas including:
- •
- prescribing additional identifying information that is necessary to uniquely identify an entity, relevant to the definition of identifying information ( see clause 7);
- •
- classes of healthcare providers (see clause 9)
- •
- prescribing another entity as a data source ( see clause 12(2));
- •
- prescribing another entity as a service operator ( see clause 6);
- •
- prescribing a national registration authority ( see clause 8) and
- •
- prescribing requirements for assigning a healthcare identifier to a healthcare recipient or healthcare provider, such as eligibility of healthcare providers and any security obligations that healthcare providers need to meet to be assigned a healthcare identifiers and/or to access the Healthcare Identifiers Service (see clause 9).
Subclause 39(2) provides that the regulations may also provide for the imposition of a penalty for not more than 50 units (a penalty unit being worth $110).
Regulations to support this Bill (once enacted) will need to be in place to support the commencement of Healthcare Identifiers Service. Proposals for the regulations are currently being drafted and consultation with stakeholders is expected to be undertaken between March and May 2010, prior to the regulations being considered by the Ministerial Council.
Copyright notice
© Australian Taxation Office for the Commonwealth of Australia
You are free to copy, adapt, modify, transmit and distribute material on this website as you wish (but not in any way that suggests the ATO or the Commonwealth endorses you or any of your services or products).