Healthcare Identifiers Bill 2010


Bills Digest no. 116 2009–10

Healthcare Identifiers Bill 2010

This Digest was prepared for debate. It reflects the legislation as introduced and does not canvass subsequent amendments. This Digest does not have any official legal status. Other sources should be consulted to determine the subsequent official status of the Bill.


Passage history
Financial implications
Main provisions
Concluding comments
Contact officer & copyright details

Passage history

Healthcare Identifiers Bill 2010

Date introduced:  10 February 2010

House:  House of Representatives

Portfolio:  Health and Ageing

Commencement:  On Royal Assent

Links: The relevant links to the Bill, Explanatory Memorandum and second reading speech can be accessed via BillsNet, which is at When Bills have been passed they can be found at ComLaw, which is at


The purpose of the Healthcare Identifiers Bill 2010 is to establish a national healthcare identifier system for patients, healthcare providers and healthcare provider organisations and to set out the purposes for which healthcare identifiers can be used. 


Basis of policy commitment

Howard Government

In 1997, the House of Representatives Standing Committee on Family and Community Affairs first advocated the assignment of a unique patient identifier in conjunction with an electronic health card.[1] The Committee noted that patient identifiers had begun to be used in other health systems and lamented that the discussion about the use of this technology had not progressed more quickly in Australia.    

The following year, Australian Health Ministers agreed to establish a National Health Information Management Advisory Council (NHIMAC) to deal with issues relating to the use of information technology generally in the health sector.  NHIMAC developed the Health Online project which identified personal health identifiers as a key component of any system that intended to transfer health information electronically.[2] NHIMAC consequently made the development of unique personal health identifiers a high priority issue.  

A sub committee of NHIMAC, the National Electronic Health Records Taskforce, was established in 1999 to advise the Health Ministers on the development of a national framework for electronic health record systems. A Taskforce report to the Health Ministers in 2000 recommended the development of a health information network.[3]  The Taskforce report noted:

New information and communication technologies create opportunities both to improve patient care and simultaneously give consumers more control over health care decisions that vitally affect them. The use of these new technologies can also lead to better quality information about our health services, allowing better planning and the provision of more cost-effective health care services, including for people living in regional Australia.

The key to this opportunity is the potential for new technology to provide the right health care information, wherever it is needed, when it is needed.[4]

The report emphasised that a health information network would need to provide absolute certainty about the identity of the person to whom the information related, as well as the identity of the identity of the person who created the information and the location from which the information originated.

Apart from an obvious benefit in greatly improving patient safety, the report listed a number of benefits that could result from being able more accurately to identify health consumers. These included: improved continuity of care and administrative efficiency and enhanced privacy as identifiers were used to coordinate test results and other information, rather than names and addresses. It also warned that there were dangers associated with developing identifiers—unauthorised use of an identifier, for example—and that appropriate measures need to be put in place to address such risks.    

The Howard Government established HealthConnect, a project to develop a national system for collecting, storing and exchanging health records in 2001. HealthConnect trials in various states and the Northern Territory led to the introduction of a HealthConnect Implementation Strategy released in July 2005. One aspect of HealthConnect involved the introduction of a Medicare ‘smartcard’ in 2004. The card not only to provide access to standard Medicare services, but also to give people access to certain records pertaining to them, such as organ donation and immunisation records.[5] It was not envisaged, however, that smartcards would be able to store the detailed information contained in HealthConnect records, and the card was abandoned in May 2006 after the Government announced a policy to introduce an access card to replace a number of welfare cards.  

In July 2004, Health Ministers endorsed the formation of a National E-Health Transition Authority (NEHTA), which was jointly funded by the state, territory and federal governments. NEHTA was to be the body responsible for establishing a national health information management and information and communication technology entity and working on the national priorities in these areas. One of its fundamental projects was to be development of a patient identification system, which together with a product and medicines database and a national provider index was to contribute to a national shared e-health record (EHR).[6]                    

COAG agreed to accelerate work on a national electronic health records system in 2006, providing funding of $130 million to June 2009.[7]  In 2007, a further $218 million was provided over three years.[8] 

Rudd Government

Weeks after the Rudd Government was elected in November 2007 a contract was signed between NEHTA and Medicare Australia for the development of the Unique Healthcare Identifier (UHI) service.[9]  Under the contract with NEHTA, Medicare Australia was to be responsible for the design, building and testing of the UHI service. The Ministers for Health and Ageing and Human Services labelled the project as ‘a significant collaboration between state and federal governments to provide the building blocks for Australia’s e-health future’.[10]

E-health experts welcomed this move and COAG’s plan to engage a consultant to develop a strategic framework to guide national coordination and collaboration. There was concern, however, that the time frame set by government for development of such a complex task was too short.[11] Deloitte Touche Tohmatsu, the company contracted in April 2008 for the task consulted extensively with health stakeholders before reporting to COAG in September.[12]

The Deloitte report noted that a growing amount of research had highlighted the important role e-health may be able to lay in delivering ‘a higher quality, safer, more equitable and more efficient health system’. This could be achieved for example by reducing medical errors associated with lack of access to patient information and adverse drug events or time and cost associated with duplicate, unnecessary and dangerous treatments and   tests.[13]   Tangible benefits associated with the implementation of an Australian e-health strategy were estimated by Deloitte annual savings to the health system of approximately $2.6 billion in 2008–09 dollar terms. More importantly, however, according to Deloitte:

The ultimate benefit achieved from implementation of a national E-Health Strategy will be a safer and more sustainable health system that is suitably equipped to respond to emerging health sector cost and demand pressures. Improvements in the Australian health care system will also drive stronger workforce productivity and will therefore be integral to Australia’s long run economic prosperity.[14]

The Government released the National E-Health Strategy in December 2008. The strategy set out an incremental and staged approach to developing e-health capabilities. This approach was to leverage on existing e-health strategies, manage the variation in capacity across the health sector in general and in the various states and territories, and include scope for changes as technology developed further. It reinforced existing collaboration of Commonwealth, state and territory governments and identified priority areas where this could be improved. It provided flexibility for individual states and territories and the public and private health sectors to determine how e-health was implemented within a common framework and set of priorities to maximise benefits and efficiencies.[15]

The Final Report of the Rudd Government’s National Health and Hospital Reform Commission (NHHRC), released six months later in June 2009, endorsed the proposed directions set out in the National E-Health Strategy.[16] The NHHRC also made a number of recommendations relating to e-health. These included a recommendation that a person-controlled electronic health record should be in place for all Australians by 1 July 2012, with unique personal, professional and organisation identifiers set up by 1 July 2010.[17] The NHHRC made it clear, however, that it supported personal health records that would at all times be owned and controlled by individuals and access to those records would need to be approved by the owners.[18]

Privacy and Healthcare Identifiers

One issue that has stood in the way of realising person-controlled health records as suggested by the NHHRC is the question of privacy. It has been asked in a number of instances how secure the information kept on these records will be, who will be able to access information and even whether so-called electronic health records will actually be a means to achieve what has been labelled ‘function creep’. While in a slightly different context, this latter concern has surfaced from time to time in various guises, for example, the Howard Government’s Medicare smartcard was criticised because it was argued that patient data on the card could potentially be used for other purposes or shared with other agencies.[19]

On 13 July 2009, the Australian Health Ministers’ Conference announced that national consultations on the legislative framework to underpin the governance, privacy and agreed uses for national healthcare identifier numbers would take place.[20] A discussion paper was released and public consultations on legislative proposals were undertaken.[21]  Submissions to the discussion paper were supportive of improved management of health records.  However, a number expressed concerns about proposals for healthcare identifiers.   These included concerns about the proposed role envisaged for Medicare in managing identifiers and potential misuse of information. The Privacy Commissioner noted for example that the challenge in introducing individual health identifiers is to ensure 

… such a highly reliable identifier is not usurped for purposes beyond the health system and the clinical care of individuals. If such identifiers were used expansively outside of the health system, particularly in ways the community may be uncomfortable with, then the trust individuals place in the system may be undermined.[22]

The Commissioner noted that this ‘function creep’ which was experienced in relation to Canada’s Social Insurance Number which was looked upon as a piece of identification and property owners asked for it on apartment rental applications, video stores required it as security for movie rentals, universities and colleges requested it on their application forms and pizza places even used it as a customer number for their delivery system.[23]

Other issues raised included the Consumers Health Forum (CHF) claims that consumers are unhappy with the level of control they have over their health information. CHF sought greater control for consumers including controls over who is able to access patient information and what information is able to be accessed. Any instances needed also to be fully reportable to consumers.[24]  The Australian Privacy Foundation considered that a health identifiers scheme would be ‘highly privacy invasive’, and considered that it showed a remarkable similarity ‘to earlier attempts to introduce mandatory national identity systems.[25]

Australian Health Ministers considered the feedback from this consultation process and on 13 November 2009 announced that the identifiers concept had been clarified to strengthen patient privacy. Legislation would therefore limit the use of healthcare identifiers to information management and communication for the purposes of delivering a healthcare service. National privacy arrangements and appropriate governance would underpin the system and penalties would apply for misuse of identifiers. Further, implementation would be reviewed after two years.[26]

The Ministers affirmed their commitment to the introduction in 2010 of national healthcare identifier numbers and released an exposure draft of the Healthcare Identifiers Bill 2010.[27] Further comment was received on the exposure draft, some of which continued to express concerns that the privacy of individuals would not be adequately protected by the legislation. The Australian Privacy Foundation believed the legislation was ‘deeply flawed’ and delivered incomplete and inadequate privacy protection.[28]   While other submissions were less critical, there was concern raised about the lack of provision in the legislation for a service provider to disclose an individual’s healthcare identifier and other information held by the service provider to that individual.[29]   

Committee consideration

At the time of writing, the Bill has not been referred to a committee.


Position of significant interest groups/press commentary and political party comment

A number of health stakeholders have expressed concern for some time over the slow progress in the implementation of e-health measures. In 2008, for example David Roffe, chief information officer of St Vincent's and Mater Health in Sydney, likened it to being stuck in a bog in a two wheel drive.[30] At the same time, consumer groups have consistently expressed concern about how certain aspects of e-health, such as healthcare identifiers will affect people. Their express fear is that the national healthcare identity numbers for patients and medical providers will be locked into what they believe is a flawed state, federal, private-public sector privacy system.

The Australian Privacy Foundation has been a particular critic of the Government’s healthcare identifiers proposals. Following a report in the Courier Mail in January 2010, the Foundation wrote to the Government to clarify an interpretation of the exposure draft which claimed legislation intended to give options to ‘well-known personalities’ to use pseudonyms in relation to the healthcare identifiers but not to the public in general.[31]   In a response to the Foundation, the Department of Health and Ageing confirmed that there may be some circumstances in which individuals may be able to access health services using a pseudonym, but that it considered these would be supported by the existing health privacy framework. The Department noted also that there are a number of ways in which individuals can currently receive healthcare under a pseudonym.[32]

Following introduction of this Bill, the Foundation again expressed concern that privacy would not be adequately protected under the legislation.       

When attending the Stakeholder conference in Canberra last November, an audience member asked about direct patient access to their HI and personal information stored about oneself. The audience was advised that no arrangement for direct access had been made and there were no plans to implement such. Yet government personnel present at a conference where I spoke yesterday asserted the policy had been updated to enable direct consumer access. At the same time, the HI Bill introduced to Parliament this week makes no reference to direct consumer access to the information. Thus I write to ask for clarification of the mechanisms that have evidently been established to enable direct consumer access to HIs and the linked personal information. [33]

Civil liberties group, Liberty Victoria, have expressed concerns about a number of issues relating to e-health.  Many practical failings of e-health were made obvious by a pilot program in Tasmania according to Liberty. The lack of doctor consistency in recording illness for example—what one sees as a cold, another may diagnose as an upper respiratory tract infection.[34]

Liberty notes also that an interim report of an e-health pilot scheme for referral and management of patient records being conducted in Hunter Health in New South Wales is due to be released March or April 2010, after this legislation may already have been passed. Liberty is of the view that without vital information from the Hunter trial we may be ‘setting forth on a national and expensive scheme, without knowing if it will deliver the key outcomes’.[35]

Further, Liberty remains unconvinced that healthcare identifiers will not be used for other purposes: 

The methods chosen to deliver the e-Health Initiative contain all the elements of a national identification scheme. Every adult will be identified and their medical details and contact details will be linked. The first stage has all medical practitioners moving to storing their records in a form that is consistent and searchable by the new number.

Later external searches of practitioners’ databases will be possible to ensure up-to-date clinical information at the venue where the patient presents. Many of these details are not confirmed but are inherent in the design proposed. The possibility of function creep, both within the Health and Social Security Department and in ‘whole of government’, is very real. No attempt at placing limits on the information to be gained is included in the design.[36]

In a similar vein, David Vaile, executive director at the Cyberspace Law and Policy Centre at the University of New South Wales sees the healthcare identifiers legislation as ‘about politics and what you can get away with before other regulatory issues are resolved’.[37] That is, as Health journalist Karen Deane points out, before the ‘promised rewrite of the Privacy Act for the digital age, based on the recommendations of the Australian Law Reform Commission’. Deane is of the view that ‘Roxon's bill will lock in the present confused patchwork of legal requirements’.[38]

While Senator Nick Xenophon agrees that there are potential benefits from e-health, he too is concerned about its ramifications for privacy and wants a Senate Inquiry into the concerns raised.[39] The Government insists the identifiers will not be able to be used for other purposes.[40]

One journalist has pointed out other possible problems with the proposed scheme: 

… bureaucrats running the system yesterday could not say how it would confirm that a person trying to access your health ID number is actually a doctor. Nor can they say how computers will know you gave permission to share health data with others. They confirmed that some people, perhaps celebrities and domestic violence victims, will be able to have pseudonyms attached to their number to hide their identity. And the Government will not send any correspondence telling you your health number either if you want to know you will have to ring a Medicare office and ask.[41]

Consultant and health commentator, Dr David More, has been critical of NEHTA for not providing more information record content and access and how health providers will be authenticated.[42] Mater Hospital chief information officer, and member of the NEHTA Stakeholder Reference Forum Malcolm Thatcher, is of a similar view. Thatcher has concerns about the extent to which the Government and NEHTA have thought through the need for providing a user-held token for the storage of the individual (patient) health identifier to avoid incorrect retrieval of patient identifiers based on demographic data and the human error.[43] According to software developer Peter West, warnings to NEHTA that centralised information will be easier for hackers to access and potentially more open to abuse by medical staff, have been consistently ignored.[44]

On the other hand, NEHTA clinical lead and former Australian Medical Association President, Dr Mukesh Haikerwal, has argued:

… the good thing about the healthcare identifier is that it not only makes the system safer, more accurate and up-to-date, it also carries with it additional safeguards over and above what exists today…There is also a very strict audit trail so that any individual can know that someone has accessed their record in the system which is an additional layer of security…You will never satisfy everyone in regards to privacy, but I have far more confidence in the future of e-health and the security of its records than I do in the current system.[45]

NEHTA Chief Executive, Peter Fleming, acknowledges that it is a difficult and complex task to centralise the identifier projects in place across the states and territories. Nonetheless, he supports Haikerwal’s claims that the outcome will be safer healthcare.[46]  

The Royal Australian College of General Practitioners welcomed this legislation and stated that ‘the national Healthcare Identifiers Service is the cornerstone to make e-health work’.[47] It noted, however, that there must be clarity regarding privacy safeguards, such as, who will have access to patient information and informed consent, and when to apply anonymous health care identifiers. The RACGP also sought more information on the implementation process and issues including integration into general practice software and funding for general practices to support required software and business changes.[48]

The Australian Medical Association has made no official comment since this legislation was introduced. However, as journalist Julian Bajkowski points out, the support of clinicians is essential if the identifiers system is to be workable. Days before the introduction of this Bill AMA President Dr Andrew Pesce agreed with the Law Council that new audit and oversight powers of the Privacy Commissioner needed to be codified. Pesce believed it was reasonable to expect regular audits of health identifiers and that breaches should be subject to ‘significant sanctions’. But Pesce also was clear that he wanted to see e-health happen and that privacy issues and red tape should not be used as obstacles to its realisation.[49] 

It has been reported that while the Opposition is insistent that it supports e-health in principle, it intends to oppose any Government moves to ‘fast track reforms’, with health spokesperson, Peter Dutton, arguing that such significant reforms need to be reviewed in more depth.[50]

In the opinion of some health commentators, however, the plan to introduce a coordinated, national e-health scheme will not succeed in Australia. An Ovum Research report released in early February 2010 claims that years of investment in uncoordinated and unconnected strategies has produced system so fragmented that the cost of integration will prove prohibitively high.[51] While clearly the cost of implementing a complex scheme will be high, the existence of a number of variations is not unsurmountable as the British have already discovered (see the box below).

Overseas implementation example—the United Kingdom    

Personal Demographic Service (PDS) with information on over 48 million health consumers has been in the process of implementation in the United Kingdom since July 2004.

The PDS will replace a number of locally held data bases in the various National Health Service (NHS) regions.

Each person's PDS care record comprises demographic information, such as name, address, date of birth and NHS number as well as medical information. The PDS does not hold any clinical health information or sensitive data such as ethnicity or religion.

The PDS includes information governance controls protecting patient information, such as registration and authentication processes to identify actions taken by particular healthcare professionals, controls on the information available to healthcare professionals and privacy controls to check who has accessed or amended patient records. The level of access to patient records is determined by the role an NHS staff member has in dealing with patients—for example, a consultant is able to see more information than a medical receptionist. There are logs kept of those who access patient care records. These show who has accessed the records and what they added or changed. Patients can ask to see this information. It is expected that eventually patients will be able to check their own details through a secure NHS web service.

Disciplinary action can be taken for unauthorised access to patient information. This can include criminal action under the United Kingdom Data Protection Act or civil action for breaches of confidentiality.[52]

Pros and cons


NEHTA has noted a number of benefits of a national e-health system:  

  • improved safety and quality of healthcare
  • increased involvement of consumers in their own health
  • improved access for healthcare providers to reliable health information when and where it is needed
  • enhanced shared care of complex medical problems and chronic disease
  • reduced burden on Australia’s health sector through better health management
  • innovation to deliver improvements in health sector productivity
  • improved healthcare planning by ensuring resources are directed to where they are needed most
  • lives saved through better decision support, increased access to information, and reduction in adverse events.[53]


On the other hand, as the National Electronic Health Records Taskforce has pointed out, there are a number of risks that have to be recognised and appropriate counter measures put in place to manage those risks within acceptable limits.

These risks include:

  • potential breaches to privacy and confidentiality
  • unauthorised access to health information
  • unauthorised use of a health identifier
  • inadequate/incorrect identification through lack of agreed standards for identification and
  • widening of uses over time ('function creep').

The Taskforce considered that strict criteria for counter measures needed to be in place to ensure these problems would not eventuate. These included:

  • limiting the use of patient identifiers to the health sector
  • absolute transparency and accountability—with control over an identifier’s use residing with the consumer
  • participation by consumers and providers to be voluntary
  • a robust privacy/legislative framework which limited circumstances in which a health identifier could be used (with appropriate penalties for misuse)
  • appropriate security measures and standards in place throughout the health sector to maintain privacy and confidentiality of health information and
  • agreed standards to provide assurance of the integrity and quality of information that is  exchanged electronically.[54]

Financial implications

The Healthcare Identifiers Service which will implement the system of healthcare identifiers is to be funded to 30 June 2012 as part of $218 million allocated by the Council of Australian Governments to NEHTA in November 2008.[55] Under the National Partnership Agreement on E-Health, funding is contributed to by the Commonwealth, state and territory governments.[56] 

NEHTA has allocated $52.02 million to fund the operation of the Healthcare Identifiers Service by Medicare Australia for 2010–11 and 2011–12.[57]

In addition, the Commonwealth has provided funding of $0.5 million for 2010–11 and 2011–12 to the Office of the Privacy Commissioner to provide regulatory oversight and advice on the introduction of healthcare identifiers.

Funding for the Healthcare Identifiers Service from 30 June 2012 will be determined through discussion between the Commonwealth, states and territories.


Main provisions

There are seven parts to this Bill.

Part 1—Preliminary

Part 1 of the Bill (clauses 1–4) contains preliminary information relating to the title of the Act to be enacted, commencement and the purpose of the Act. Clause 4 provides that the Act will bind the Crown in right of Commonwealth and the states and territories, but and they will not be liable to prosecution for any offence under the Act.

Clause 5 lists definitions of terminology used in the Bill.  Key definitions used are:

healthcare: means health service within the meaning of subsection 6(1) of the Privacy Act 1988.

healthcare identifier has the meaning given by section 9 of the Bill (see below).

healthcare provider means:

(a) an individual who:

(i) has provided, provides, or is to provide, healthcare or

(ii) is registered by a registration authority as a member of a particular health profession or

(b) an entity, or a part of an entity, that has conducted, conducts, or will conduct, an enterprise that provides healthcare (including healthcare provided free of charge).

healthcare recipient means an individual who has received, receives, or may receive, healthcare.

health information has the meaning given by subsection 6(1) of the Privacy Act 1988.

Clause 6 defines the Chief Executive Officer of Medicare Australia as the (Healthcare Identifiers) service operator, but allows that alternative operator can be specified in the regulations. Clause 33 requires the Minister to consult with the Ministerial council before the regulations are made by the Governor General under clause 39.

Clause 7 defines the information which will be required by the service operator in order to assign and maintain healthcare identifiers to healthcare providers and individual healthcare recipients. Personal information, such as name, address, gender and date of birth will be required for individuals. Name, address and CAN, ABN and other information as prescribed in the regulations will be required by healthcare providers. Other information, such as a Medicare number may be required.

Clause 8 describes a national registration authority as one prescribed in the regulations.  

Part 2—Assigning healthcare identifiers

Part 2 (Clauses 9 and 10) provides information on assigning healthcare identifiers. Sub clause 9(1) will authorise the service operator to assign a unique healthcare identifier number to a healthcare provider (as prescribed in the regulations), or to an individual. The service operator will determine whether to assign an identifier (Subclause 9(4)) irrespective of the wishes of the potential assignee.   

As the Explanatory Memorandum to the Bill notes, from July 2010 a national scheme will be established for the registration of health professionals in ten professions.[58] These national registration bodies will be able to, under certain circumstances, assign healthcare identifiers to individual healthcare providers under subclause 9(2).  Individual health care provider identifiers for health care providers who are not included in the national registration and accreditation scheme will be provided by the service operator subject to the individual providers meeting criteria set out in the regulation and to their providing identifying information as set out in clause 7(1).[59]

Subclause 9(3) will provide that health care identifiers will be able to be assigned to individual healthcare providers, enterprises that provide health care and to individuals. The regulations may provide requirements for assigning healthcare identifiers (Subclause 9(5)).

Subclause 9(6) will provide that health care identifiers are subject to the National Privacy Principle 7.[60] This principle provides that a private organisation must not adopt as its own an identifier of an individual that has been assigned by the Commonwealth Government.

Clause 10 will require the service operator to establish and maintain an accurate record of assigned healthcare identifiers and information relating to those identifiers, including requests made to disclose those identifiers (under Division 2 of Part 3).     

Part 3—Use and disclosure of healthcare identifiers and other information

Part 3 refers to proposals for the use and disclosure of healthcare identifiers and other information. This part provides for limited authorisation for private organisations to use and disclose healthcare identifiers.   

Division 1 - Use and disclosure of identifying information for assignment of healthcare identifiers

Clauses 11–15 refer to use and disclosure of identifying information for assignment of healthcare identifiers by healthcare providers, data sources and national registration authorities.

Subclauses 11(1) and (2) will authorise a healthcare provider to disclose identifying information about an individual healthcare recipient to the service operator for the purpose of assigning a healthcare identifier to the individual. The service operator will be authorised to collect the information and use it for assigning an identifier.

Subclauses 12(1) and (2) will authorise a data source (Medicare Australia, the Veteran Affairs’ Department or an entity prescribed by the regulations) to disclose identifying information it holds about an individual healthcare recipient or healthcare provider for the purpose of assigning a healthcare identifier. The service operator will be authorised to collect the information and use it for this purpose.

Subclauses 13(1) and (2) will authorise a national registration authority to disclose a health care identifier or information relating to a healthcare identifier to the service operator for the purpose of establishing or maintaining the healthcare identifiers record referred to in Clause 10.  

Clause 14 enables the making of regulations to require healthcare providers to provide the service operator with up-to-date information about themselves.

Clause 15(1) provides that a person commits an offence if the person, without appropriate authorisation, discloses or uses information collected under Part 2 or Division 1 of Part 3. The penalty is two years or 120 penalty units ($13 200) or both. A body corporate may be subject to a fine of up to 600 penalty units ($66 000). Subclause 15(3) is similar and relates to a person who acquires information in contravention of subsection 15(1) and uses and discloses the information.

Division 2 - Disclosure of healthcare identifier by service operator 

Subdivision A

Clause 16 will authorise a healthcare provider to disclose identifying information about a healthcare recipient to the service operator to obtain the recipient’s healthcare identifier.

Subdivision B 

The service operator will be authorised to disclose healthcare identifiers to an identified healthcare provider or an authorised employee of such a provider. The health care provider must notify the service operator about which employees are so authorised. The healthcare provider or authorised employee will be authorised to collect the healthcare identifier information (Clause 17).     

Clauses 18 will require the service operator to disclose to the healthcare recipient (or the person responsible for the healthcare recipient under subclause 2.5 of National Privacy Principle 2) the person’s healthcare identifier or information that relates to the person and which is included in the service operator’s record maintained under section (clause) 10

The service operator will be authorised under clause 19 to disclose a healthcare provider’s healthcare identifier to a registration authority so that the authority may register the provider.

Clause 20 will authorise the service operator to disclose a health care provider’s identifier to an entity to enable the provider’s identity to be confirmed in electronic transmissions.    

Clauses 21 and 22 allow for the regulations to prescribe rules about the disclosure of healthcare identifiers by the service operator, and to require an entity to which information has been disclosed to provide certain information relevant to that disclosure to be made to the service operator. The regulations may provide for the imposition of a penalty of up to 50 penalty units ($5 500) for contravention of a regulation.        

Division 3 - Use, disclosure and adoption of healthcare identifier by a health care provider

Clause 23 will authorise a healthcare provider to disclose a healthcare recipient healthcare identifier to the recipient or to a person responsible for the recipient.

Clause 24 sets out the proposed terms for disclosure and other uses.

Paragraph 24(1)(a) sets out the proposed permitted uses and disclosures of healthcare identifiers by healthcare providers for the purpose of communication or management of information as part of:

  • providing healthcare to a person or
  • the management, funding, monitoring or evaluation of healthcare; or
  • provision of indemnity cover for the healthcare provider or
  • research approved by a human research ethics committee.

Paragraph 24(1)(b) authorises a healthcare provider to use or disclose healthcare identifiers if the provider reasonably believes it is necessary to lessen or prevent a serious threat to an individual’s life, health or safety or a serious threat to public health or public safety.

As the Explanatory Memorandum notes, ‘express authority permitting a healthcare provider to use or disclose healthcare identifiers is necessary in light of the restrictions under National Privacy Principle 7 of the Privacy Act on private sector organisations using and disclosing Commonwealth government assigned identifiers’.[61]  A note to the clause indicates that Division 3 does not apply to personal health information other than that specified. Collection, use, disclosure or adoption of other personal information is dealt with in other legislation. 

Subclause 24(2) provides that where a healthcare provider discloses a healthcare identifier to another entity for a purpose defined by subclause 24(1), the entity is authorised to collect, use or disclose it to a healthcare provider for the purpose for which it was disclosed to the entity.

Subclause 24(4) provides that a healthcare identifier cannot be used by an insurer to underwrite health insurance or determine eligibility or cover level for health insurance or for the purpose of employment.

Clause 25 will provide for healthcare providers to adopt an identifier of a healthcare recipient as their identifier to that healthcare recipient. As the Explanatory Memorandum points out, this authority is needed because of the prohibition under National Privacy Principle 7 of the Privacy Act that prevents private sector organisations adopting Commonwealth government assigned identifiers.

Division 4  - Unauthorised use and disclosure of healthcare identifiers

Clause 26 sets out offences and penalties proposed for the unauthorised use and disclosure of healthcare identifiers.   Subclause 26(1) will make it an offence if a healthcare identifier is disclosed to a person and that person uses or discloses the healthcare identifier. The penalty for this offence as committed by an individual is a fine of 120 penalty units, imprisonment for two years or both. If the offence is committed by a corporation, a fine of 600 penalty units will apply.

Under Subclause 26(2) this penalty will not apply if a person is authorised to use or disclose the healthcare identifier and the use and disclosure is in accordance with the purposes defined in subclause 24(1), the use or disclosure is authorised under another law, or the person discloses the healthcare identifier for the purpose of, or in connection with, the person’s personal, family or household affairs (within the meaning of section 16E of the Privacy Act 1988).  

Division 5 - Protection of Healthcare Identifiers

Clause 27 proposes that an entity holding a healthcare identifier must protect it from misuse, loss, unauthorised access, modification or disclosure. Additional requirements may be imposed under regulations. 

Part 4—Interaction with the Privacy Act 1988

Clause 28 proposes that an authorisation to collect, use or disclose a healthcare identifier under this legislation will also be considered an authorisation for the same purpose under the Privacy Act 1988.

Under subclause 29(1), an act or practice which contravenes the legislation or regulations (once enacted) will be considered as a breach of privacy under the Privacy Act 1988.

Subclause 29(3) will allow the Privacy Commissioner to undertake audits of  healthcare identifiers under the Privacy Act in relation to personal information.

The Privacy Commissioner will be required to prepare an annual report on compliance and enforcement activities undertaken in relation to the Healthcare Identifiers Service. A copy of the report must be provided to the Ministerial Council by 30 September of each year clause 30). A copy of the report must be tabled in each House of parliament within 15 days sitting days after the report is submitted to the Minister.

Part 5—Healthcare Provider Directory

Subclause 31(1) will require the service operator to establish and maintain a Healthcare Provider Directory. This will detail the professional and business details of healthcare providers who have consented to having these details included in the Directory.

Under subclause 31(2) the service operator will be able to disclose details from the Healthcare Provider Directory to other participating healthcare providers or employees, authorised to act on the healthcare provider’s behalf.

The Explanatory Memorandum cites the establishment of the Healthcare Provider Directory as a key benefit of the Healthcare Identifiers Service as it aims to improve communication between healthcare providers by providing ‘a reliable source of identifying and contact information about other participating healthcare providers’.[62]

Part 6—Oversight role of the Ministerial Council

This part proposes that the responsible Minister in consultation with the Ministerial Council is able to issue written directions by legislative instrument to the service operator in relation to the operation of the Healthcare Identifiers Service (clause 32). Under the proposed clause 33 the Minister responsible will be required to consult with the Ministerial Council prior to the Governor General making regulations.

Clause 34 will require the service operator to prepare an annual report and to provide that report no later than 30 September each year. The Minister must table the report in Parliament within 15 sitting days after the service operator has submitted it to the Minister. A review of the operation of the legislation within three years is proposed under clause 35.

The Explanatory Memorandum explains that a review will be required to provide necessary regulatory support to enable the Healthcare Identifiers Service to operate efficiently and effectively and to assess Medicare Australia’s role as the service operator.

It also notes that requiring consultation with the Ministerial Council recognises the important role states and territories play in managing the operation of the Healthcare Identifiers Service to ensure it appropriately supports the needs of national public health policy.[63]

Part 7—Miscellaneous

Clause 36 proposes that the authorisation for a particular purpose which applies to an entity under this Bill applies to a person employed by the entity. This would be subject to the requirement under clause 17 of the legislation. 

Relationship to state and territory laws 

Under subclause 37(1) it is proposed that laws of the states and territories will operate concurrently with the healthcare identifiers legislation to the extent to which those laws are ‘capable’ of doing so. The Government considers this will allow existing privacy arrangements in the states and territories to continue to operate if they do not conflict with the provisions of the Bill. If an offence under this legislation is also an offence under state and territory law then a person will only be able to be convicted of one of the offences (subclause 37(2)).  

Subclause 37(3) will ensure that nothing in this Bill (once enacted) limits, restricts or otherwise affects any right or remedy a person would have had if this Act had not been enacted.

Under subclause 37(4) if the Minister responsible for the administration of the health identifiers legislation makes a declaration relating to specific provisions and specified public bodies of a state or territory under subclause 37(5), the provisions referred to will not apply to those authorities.

Subclause 37(5) will oblige the Minister to declare that certain provisions of this Bill will not apply to relevant state or territory public bodies if both a state of territory Minister requests such a declaration in writing, and the Minister is  satisfied that an appropriate law is in force in that state or territory that has provisions that have been agreed by the Ministerial Council.  

Subclause 37(6) will oblige the Minister to revoke a declaration made under subclause 37(4) where a Minister of a state or territory makes a request or where a state or territory law previously agreed to by the Ministerial Council is amended without their agreement.

Under subclause 37(7) neither section 42 (disallowance) nor Part 6 (sunsetting) of the Legislative Instruments Act 2003 will apply to a declaration or revocation made under subclauses 37(5) and 37 (6). 

Clause 38

Severability – additional effect of Parts 3 and 4

Clause 38 will provide that the legislation ‘is given the widest possible operation consistent with Commonwealth constitutional legislative power’.[64] Subclause 38(1)  proposes that without limiting the effect of the Act, Parts 3 and 4 will also have the effect as provided by subclauses 38(2) to 38(10) relying on different elements of Commonwealth power.

Clause 39 – Regulations

Subclause 39(1) will provide that the Governor-General is able to make regulations which may be required, necessary or convenient for the operation of, or giving effect to, the Bill

(once enacted). Consultation with the Ministerial Council will be required prior to the making of such regulations. Regulations will be able to be made in relation to a number of areas.

Subclause 39(2) proposes that regulations may provide for the imposition of a penalty for not more than 50 units ($550).

Concluding comments

There appears to be general agreement that e-health has the potential to improve the delivery of healthcare for consumers and healthcare providers alike. Healthcare Identifiers have been recognised as a fundamental part of the national infrastructure required to deliver secure electronic communications across the health system.

Concerns have been raised, however, that patient privacy will be compromised by technology. Consumer groups in particular have been critical of identifiers because they believe these will be misused and the privacy of individuals will be breached from the onset. Additionally, they consider there is the possibility that in the future, the identifiers may be used for purposes other that healthcare. It is of particular concern also for these groups that the legislation will be in place before it is clear how the Privacy Act 1988 will be updated to address the impact of electronic technologies on the privacy of individuals

While this Bill appears to make serious attempts to address these issues, critics are not fully satisfied that the proposed legislation is sufficiently rigorous to ensure there are no adverse consequences for health consumers. Supporters of the legislation on the other hand, are convinced that the introduction of healthcare identifiers is indeed a first and vital step towards creating a safer health system which ensures that ‘the right people have access to the right information at the right time’.[65]     

Members, Senators and Parliamentary staff can obtain further information from the Parliamentary Library on (02) 6277 2429.


[1].       House of Representatives Standing Committee on Family and Community Affairs, Health on line: a report on health information management and telemedicine, Australian Government Publishing Service (AGPS), Canberra, 1997, pp. 90–92, viewed 12 February 2010,          

[2].       National Health Information Management Advisory Council (NHIMAC), Health Online: a health information action plan for Australia, NHIMAC, 1999. Not available online. Revised version 2001, viewed 12 February 2010,$file/actplan2.pdf  

[3].       National Electronic Health Records Taskforce, A health information network for Australia: report to Health Ministers by the National Electronic Health Records Taskforce, July 2000, viewed 12 February 2010,  $File/ehrrept.pdf  

[4].       Ibid.

[5].       T Abbott (Minister for Health and Ageing), Medicare smartcard launched, media release, 28 July 2004, viewed 16 February 2010,          http://parlinfo/parlInfo/download/media/pressrel/SX9D6/upload_binary/sx9d62.pdf;fileType=application/pdf#search=%22medicare%20smartcard%20launched%22 and Medicare Australia, Medicare smartcard brochure, May 2005.

[6].       Archived website for HealthConnect, information on National E-Health Transition Authority (NEHTA) website, viewed 15 February 2010,  

[7].       The Commonwealth and the states and territories contributed on a 50/50 basis to this funding. 

[8].       Senate Community Affairs Committee, Answers to Estimates Question on Notice, Health and Ageing Portfolio, Supplementary Budget Estimates 2009–2010, 21 October 2009, Question: E09–244.

[9].       N Roxon (Minister for Health and Ageing), and J Ludwig (Minister for Human Services), Federal-state collaboration advances electronic health agenda, joint media release, 12 January 2008, viewed 15 February 2010,        

[10].     Ibid.

[11].     R LeMai, ‘Too much haste not good for e-health’, MIS Financial Review, 15 February 2008, viewed 15 February 2010,

[12].     Deloitte, National E-Health and Information Principal Committee,  National E-Health Strategy, 2008, viewed 15 February 2010,$File/National%20eHealth%20Strategy%20final.pdf     

[13].     Australian Institute of Health and Welfare findings in Australia’s Health 2002, which cite statistics as quoted in Deloitte, National e-health strategy, op. cit. 

[14].     Deloitte, National e-health strategy, op. cit.

[15].     Ibid.

[16].     National Health and Hospitals Reform Commission (NHHRC), A healthier future for all Australians, final report, June 2009, viewed 15 February 2010,     $File/Final_Report_of_the%20nhhrc_June_2009.pdf              

[17].     Ibid.

[18].     Ibid.

[19].     S Mitchell, ‘Privacy warning on Medicare smartcard’, The Australian, 22 November 2005, p. 2, viewed 15 February 2010,   http://parlinfo/parlInfo/download/media/pressclp/2W0I6/upload_binary/2w0i64.pdf;fileType=application/pdf#search=%22privacy%20warning%20on%20Medicare%20smartcard%22

[20].     Australian Health Ministers’ Conference, First step taken towards national e-health system, media release, 13 July 2009, viewed 15 February 2010,$File/AHMC%20-%20out%20of%20session%20eHealth%20communique%2013%20July%2009%20FINAL.pdf

[21].     Australian Health Ministers’ Advisory Council, Healthcare identifiers and privacy: discussion paper on proposals for legislative support, July 2009, viewed 15 February 2010,$File/Typeset%20discussion%20paper%20-%20public%20release%20version%20070709.pdf

[22].     Office of the Privacy Commissioner, Healthcare identifiers and privacy: Discussion paper on proposals for legislative support, submission to the Australian Health Ministers’ Conference, August 2009, viewed 15 February 2010,

[23].     Ibid.

[24].     Consumers Health Forum of Australia (CHF), CHF Submission on the Healthcare identifiers and privacy: discussion paper on proposal for legislative support, August 2009, viewed 15 February 2010,  $FILE/030_Consumers%20Health%20Forum%20of%20Australia%20pt%201_14-08-09.pdf

[25].     Australian Privacy Foundation (APF), APF response to AHMAC paper: Healthcare Identifiers and privacy: discussion paper on proposals for legislative support, viewed 15 February 2010,$FILE/018_Australian%20Privacy%20Foundation_03-08-09.pdf

[26].     Australian Health Ministers’ Conference, Communique, 13 November 2009, viewed 15 February 2010,

[27].     Exposure draft, Healthcare Identifiers Bill 2010, viewed 15 February 2010,$File/Exposure%20Draft.pdf

[28].     Australian Privacy Foundation, submission to Exposure draft, Healthcare Identifiers Bill, viewed 15 February 2010,$FILE/044_Australian%20Privacy%20Foundation_07-01-10.pdf

[29].     Australasian College of Health Informatics, Response to request for comment on the draft health identifier legislation, January 2010, viewed 15 February 2010,$FILE/045_The%20Australasian%20College%20of%20Health%20Informatics_07-01-10.pdf

[30].     K Dearne, ‘E-health logjam frustrates health providers’, The Australian, 9 September 2008, p.27, viewed 19 February 2010,   http://parlinfo/parlInfo/download/media/pressclp/ETHR6/upload_binary/ethr60.pdf;fileType%3Dapplication%2Fpdf   

[31].     Reference to report  by R Viellaris, ‘Health ID cover-up for some exposes risks’, The Courier Mail , 20 January 2010 and ABC Radio morning program, 20 January 2010, presenter Madonna King in letter from Australian Privacy Foundation Chair, Health Sub Committee, Dr J Fernando, to Minister for Health and Ageing, viewed 19 February 2010,      

[32].     Letter to the Australian Privacy Foundation from Liz Forman, Assistant Secretary, eHealth Branch, Department of Health and Ageing, on behalf of Minister for Health and Ageing, 9 February 2010, viewed 19 February 2010,

[33].     Letter from Australian Privacy Foundation Chair, Health Sub Committee, Dr J Fernando, to Liz Forman, Assistant Secretary, eHealth Branch, Department of Health and Ageing, 12 February 2010, viewed 19 February 2010,

[34].     T Warner, Is the e-Health initiative healthy? Victorian Council for Civil Liberties, Liberty website, viewed 19 February 2010,

[35].     Ibid.

[36].     Ibid.

[37].     K Dearne, ‘Compromised confidentiality’, The Weekend Australian, 13 February 2010, p. 12, viewed 15 February 2010,;query=Id%3A%22media%2Fpressclp%2FL0WV6%22   

[38].     Ibid. 

[39].     Quoted in S Dunleavy, ‘Health number ID for all: patients have no choice’,  The Daily Telegraph, 17 February 2010 p.11, viewed 19 February 2010,     http://parlinfo/parlInfo/download/media/pressclp/04XV6/upload_binary/04xv60.pdf;fileType=application/pdf#search=%22health%20number%20id%20for%20all%22

[40].     Dunleavy, ‘Health number ID’, op. cit

[41].     Ibid.

[42].     D Pauli, e-health news sparks more criticism, Computerworld website, 21 January 2010          viewed 19 February 2010,

[43].     Ibid.

[44].     T Shepherd, ‘No privacy: expert claims health records can’t be kept secret’, The Adelaide Advertiser, 19 January 2010, p. 1, viewed 19 February 2010,   http://parlinfo/parlInfo/download/media/pressclp/9BOV6/upload_binary/9bov60.pdf;fileType=application/pdf#search=%22no%20privacy%22

[45].     Pauli, op. cit.

[46].     K Dearne, ‘State plans to build on patient identifier  on imaging, radiology’, The Australian, 9 February 2010, p. 29, viewed 19 February 2010,     http://parlinfo/parlInfo/download/media/pressclp/AHUV6/upload_binary/ahuv60.pdf;fileType=application/pdf#search=%22state%20plans%20to%20build%20on%20patient%20identifier%20on%20imaging,%20radiology%22

[47].     Royal Australian College of General Practitioners (RACGP),  College of GPs welcomes new step for e-health, media release, 10 February 2010, viewed 19 February 2010,

[48].     Ibid.

[49].     J Bajkowski, ‘Privacy push for e-health data’, The Australian Financial Review, 9 February 2010, p. 31, viewed 19 February 2010,           http://parlinfo/parlInfo/download/media/pressclp/LDUV6/upload_binary/lduv60.pdf;fileType=application/pdf#search=%22Privacy%20push%20for%20e-health%20data%22

[50].     R Bolton, ‘Electronic health system on sick list’, The Australian Financial Review, 2 February 2010, p. 1, viewed 19 February 2010,          http://parlinfo/parlInfo/download/media/pressclp/70SV6/upload_binary/70sv60.pdf;fileType=application/pdf#search=%22Electronic%20health%20system%20on%20sick%20list%22

[51].     Ovum research, National e-health strategy progress in Australia, report cited in Bolton, op. cit. Report is not publicly available.

[52].     More information is available on the Personal Demographics Service on the National Health Service website,  viewed 22 February 2010,  

[53].     NEHTA Strategic Plan, 2009–2012,  viewed 19 February 2010,  

[54].     National Electronic Health Records Taskforce, A health information network for Australia, op. cit.

[55].     Council of Australian Governments’ Meeting, 29 November 2008, Outcomes, Attachment A, Health and Ageing, viewed 12          February 2010,         

[56].     That is, the Commonwealth contributes just over 40 per cent and the states and territories contribute on a proportional basis, the remaining funding.  Council of Australian Governments (COAG), National partnership agreement on e-health, viewed 12 February 2010,              

[57].     Funding will be $26.01million in both financial years. Explanatory Memorandum, Healthcare Identifiers Bill 2010 and Healthcare Identifiers (Consequential Amendments) Bill 2010, viewed 12 February 2010,;fileType=application%2Fpdf     

[58].     The professions are: medical, nursing and midwifery, pharmacy, physiotherapy, dental, psychology, optometry, osteopathy and chiropractic. A further four professions—Aboriginal and Torres Strait Islander health practice, Chinese medicine, medical radiation practice, occupational therapy are expected to be added to the scheme in 2012 and other professions may be added in the future. Explanatory Memorandum, p. 10. See also the Intergovernmental agreement for a national registration and accreditation scheme for the health professions, signed 26 March 2008 , viewed 16 February 2010,    .

[59].     Explanatory Memorandum, p. 11.

[60].     The National Privacy Principles can be found in Schedule 3 of the Privacy Act 1988, viewed 16 February 2010,        

[61].     Explanatory Memorandum, p. 18.

[62].     Ibid., p. 21.

[63].     Ibid., p. 23.

[64].     Ibid., p. 24. 

[65].     N Roxon, ‘Second reading speech: Healthcare Identifiers Bill 2010’, House of Representatives, Debates, 10 February 2010, pp. 3–5, viewed 22 February 2010, http://parlinfo/parlInfo/genpdf/chamber/hansardr/2010-02-10/0013/hansard_frag.pdf;fileType=application/pdf

Contact officer and copyright details

Rhonda Jolly
24 February 2010
Bills Digest Service
Parliamentary Library

Back to top