Introduction
The Regulatory
Reform Omnibus Bill 2025 (the Bill), introduced into the House of
Representatives on 8 October 2025, contains amendments in relation to the
protection and handling of claims information collected under the Medicare
Benefits Schedule (MBS) and the Pharmaceutical Benefits Scheme (PBS) by
Australian Government agencies.
Amendments in the Bill
Part 5 of Schedule 2 of the Bill
amends the National
Health Act 1953, the Health
Insurance Act 1973 and the Dental
Benefits Act 2008 to introduce provisions authorising the use and
disclosure of MBS and PBS claims information.
Currently, the National Health Act and the Health
Insurance Act include provisions prohibiting the disclosure of information
unless certain exceptions apply. The Bill will introduce specific
authorisations for different types of use and disclosure, primarily by an ‘entrusted
public official’. This definition will include officers and employees of
Services Australia and departments which administer Health portfolio
legislation, as well as certain persons engaged by these departments (for
example, consultants). The Director of Professional
Services Review will also be authorised to disclose information in certain
circumstances.
The Bill will allow for information to be disclosed for a
wide range of purposes. For example, MBS and PBS claims information about a
person may be disclosed for the following purposes (see Items 70 and 153 of
Schedule 2):
- the
integrity or sustainability of a Medicare program
- the
protection of a person from a risk arising from, or in connection with, the
provision of a benefit or service under a Medicare program
- statistical
analysis (subject to certain qualifications)
- medical
research (subject to certain qualifications)
- research
and development in relation to health, disability or aged care
- development,
analysis, administration and review of, and reporting related to, government
policy and programs in relation to health, disability or aged care
- a
disclosure of information that is required or authorised under an Australian
law.
The terms ‘integrity’ and ‘sustainability’ are not specifically
defined but would include ensuring that access to a Medicare program is limited
to where the relevant requirements/parameters have been met. The Explanatory
Memorandum provides a list of circumstances where information is intended to be
used for the purposes of integrity and sustainability of a Medicare program,
including specific examples (these are not exhaustive) (pp.
74–77).
The Bill will authorise the sharing of information
‘relating to the affairs of a person’ for a range of purposes, including ‘the
integrity or sustainability of a Medicare program’. This includes sharing
information ‘outside of the Commonwealth’.
The Explanatory Memorandum states that the Department of
Health, Disability and Ageing ‘has commenced the process of obtaining a privacy
impact assessment’ to ensure that the collection of information under the
proposed provisions, and any subsequent use or disclosure of such information,
is reasonable, necessary and proportionate (p.
166).
Repeal of section 135AA
Part 5 of Schedule 2 of the Bill
will also repeal section
135AA of the National Health Act. Section
135AA currently provides that the Information
Commissioner must, by legislative instrument, issue rules governing how
Australian Government agencies may use, store, disclose and link MBS and PBS
claims information. It requires that the rules prohibit agencies storing MBS
and PBS claims information on the one database.
The National Health
(Privacy) Rules 2025 (the Rules) provide for higher protections on the use
of this information than what is set out in the Australian
Privacy Principles. A breach of the Rules constitutes an interference with
privacy under section
13 of the Privacy
Act 1988.
History of section 135AA
When section 135AA was introduced into the National Health Act
by the Health
Legislation (Pharmaceutical Benefits) Amendment Act 1991, the policy
intent was to ‘recognise the sensitivity of health information and restrict the
linkage of claims information’ (p.
8). Parliamentary debate during the introduction of section 135AA and
amending legislation in 1993 suggests it was also intended to ensure
a balance between the use of data for compliance action (such as detecting
fraudulent claims) to protect taxpayer money and the requirement for privacy
(p. 33).
The most recent
version of the Rules commenced on 1 April 2025 following a
3-year review period. This version expanded their application to all
Australian Government agencies and introduced a list of specific purposes for
use and disclosure of claims information which includes research, statistical
analysis or development of government policies and programs. In the Explanatory
Statement, the government acknowledged the importance of the Rules in
protecting very sensitive health information and the need to ensure that the
use of this information is carefully controlled (pp. 23–24).
Proposals for change
There have been calls to make changes to section 135AA for over
20 years. Broadly, these proposals have raised
similar issues – that it is overly restrictive and complex, and that allowing
for increased data linkage and access would be beneficial for policy
development and health research (pp. 35–38).
More recently, the Independent
Review of Medicare Integrity and Compliance (the Philip Review), while not
directly addressing section 135AA, recommended that the government should
‘consider the optimal operating environment to support a culture of information
sharing’ (recommendation 3.5) and implement new governance processes to expand
the data exchanged between Services Australia and the Department of Health,
Disability and Ageing (recommendation 4.5) (pp. 10–11). The Explanatory
Memorandum to the Bill cites the Philip Review recommendations as a driver
behind the proposed amendments (pp. 63–64).
While amendments have been made to section 135AA and the
Rules since their introduction that have enabled further data matching for
compliance purposes, the Explanatory
Memorandum states that ‘[m]any aspects of s 135AA
and the Privacy Rules are outdated, overly prescriptive, and no longer fit for
purpose’ (p. 65). Repealing section 135AA will remove the requirement for the
Information Commissioner to issue rules concerning the handling of information
obtained by any agency in connection with a claim for a payment or benefit
under the MBS or PBS. The proposed changes will also ‘provide an express
authorisation for the collection, use, and disclosure of certain information
for Medicare integrity and other purposes required by the department’ (p.
65).