Bills Digest no. 41 2015–16
PDF version [794KB]
WARNING: This Digest was prepared for debate. It reflects the legislation as introduced and does not canvass subsequent amendments. This Digest does not have any official legal status. Other sources should be consulted to determine the subsequent official status of the Bill.
Amanda Biggs, Social Policy Section
Leah Ferris and Juli Tomaras, Law and Bills Digest Section
9 November 2015
Contents
Purpose
of the Bill
Structure of the Bill
Background
Committee consideration
Policy position of non-government parties/independents
Position of major interest groups
Financial implications
Statement of Compatibility with Human Rights
Key issues and provisions
Concluding comments
Date introduced: 17
September 2015
House: House of
Representatives
Portfolio: Health
Commencement: Sections
1–3 commence on Royal Assent. Schedules 1, 2 and 3 commence the day after Royal
Assent, while items 2 and 3 of Schedule 4 commence immediately after Schedules
1, 2 and 3 commence. Item 1 of Schedule 4 commences either immediately after
Schedules 1, 2 and 3 commence or upon the commencement of Schedule 1 to the Acts
and Instruments (Framework Reform) Act 2015, whichever occurs first.
Links: The links to the Bill,
its Explanatory Memorandum and second reading speech can
be found on the Bill’s home page, or through the Australian
Parliament website.
When Bills have been passed and have received Royal Assent, they
become Acts, which can be found at the ComLaw
website.
The purpose of the Health Legislation Amendment (eHealth)
Bill 2015 (the Bill) is to amend a number of Acts to alter arrangements around
the personally controlled electronic health record (PCEHR) system. The Bill
amends the Personally
Controlled Electronic Health Records Act 2012 (PCEHR Act), the Healthcare Identifiers
Act 2010 (HI Act), the Privacy Act 1988,
the Copyright Act
1968, the Health
Insurance Act 1973 and the National Health Act 1953.
The PCEHR is a system which allows individuals and ‘healthcare providers’ to create,
access and share personal health information electronically.[1]
In particular, the Bill proposes amendments to:
- rename
the PCEHR to My Health Record
- rename
the PCEHR Act to the My Health Records Act 2012
- clarify
the legislative meaning of ‘healthcare’
- strengthen
and expand provisions around the collection, use and disclosure of personal
information
- impose
greater civil penalties for privacy breaches and unauthorised activity
- broaden
the types of entities which can collect, use and disclose information
- introduce
an exception to copyright infringement for health records
- prepare
for the establishment of the new Australian Commission for eHealth (ACeH) to
oversee eHealth development and operation of e-Health arrangements
- provide
for trials of different participation arrangements (including opt-out) to be
undertaken
- allow
the Minister to make rules to implement (under My Health Records Rules) the
opt-out model[2]
nationally if after consideration of trial evidence she considers this is
warranted
- clarify
the scope and application of ‘consent’ for healthcare information to be
uploaded to the system by a healthcare provider and
- allow
for the abolition of two advisory committees as part of the government's plans
to introduce a new Australian Commission on eHealth (ACeH) that will have new
governance arrangements.
The Bill has four Schedules:
- Schedule
1 is in two parts: Part 1 proposes amendments to the Copyright Act, the HI
Act, the PCEHR Act and the Privacy Act; Part 2 proposes
provisions around the making of My Health Records Rules, the application of the
amendments made in Part 1 and transitional provisions
- Schedule
2 proposes to amendments to the HI Act, the Health Insurance Act,
the National Health Act and the PCEHR Act to rename the PCEHR as
My Health Record (including renaming the PCEHR Act to the My Health
Records Act)
- Schedule
3 proposes amendments to the Health Insurance Act, the National
Health Act and the PCEHR Act, to rename consumers as healthcare
recipients and
- Schedule
4 is in two parts and deals with consequential amendments: Part 1 proposes
amendments to the PCEHR Act; Part 2 proposes amendments to the Health
Insurance Act.
What is eHealth?
While no single-consensus all-encompassing definition of eHealth
exists, the World Health Organization defines eHealth broadly as ‘... the
cost-effective and secure use of information and communications technologies in
support of health and health-related fields, including healthcare services,
health surveillance, health literature, and health education, knowledge and
research’.[3]
There are a number of components to eHealth. For example, the
use of broadband technology to allow a patient in a remote area access to a medical
specialist through a video conference link. Another example is the electronic
health record, a single patient record that contains the key health details of
a patient and is capable of being shared electronically.
As one commentator has usefully pointed out:
[T]he "e" in e-health does not only stand for
"electronic," but implies a number of other "e's," which
together perhaps best characterize what e-health is all about (or what it should
be).
The 10 e's in "e-health"
•Efficiency - one of the promises of e-health is to
increase efficiency in health care, thereby decreasing costs. One possible way
of decreasing costs would be by avoiding duplicative or unnecessary diagnostic
or therapeutic interventions, through enhanced communication possibilities
between health care establishments, and through patient involvement.[4]
•Enhancing quality of care - increasing efficiency
involves not only reducing costs, but at the same time improving quality.
E-health may enhance the quality of health care for example by allowing comparisons
between different providers, involving consumers as additional power for
quality assurance, and directing patient streams to the best quality providers.
•Evidence based - e-health interventions should be
evidence-based in a sense that their effectiveness and efficiency should not be
assumed but proven by rigorous scientific evaluation. Much work still has to be
done in this area.
•Empowerment of consumers and patients - by making the
knowledge bases of medicine and personal electronic records accessible to
consumers over the Internet, e-health opens new avenues for patient-centered
medicine, and enables evidence-based patient choice.
•Encouragement of a new relationship between the
patient and health professional, towards a true partnership, where decisions
are made in a shared manner.
•Education of physicians through online sources
(continuing medical education) and consumers (health education, tailored
preventive information for consumers).
•Enabling information exchange and communication in a
standardized way between health care establishments.
•Extending the scope of health care beyond its
conventional boundaries. This is meant in both a geographical sense as well as
in a conceptual sense. e-health enables consumers to easily obtain health
services online from global providers. These services can range from simple
advice to more complex interventions or products such as pharmaceuticals.
•Ethics - e-health involves new forms of
patient-physician interaction and poses new challenges and threats to ethical
issues such as online professional practice, informed consent, privacy and
equity issues.
•Equity - to make health care more equitable is one of
the promises of e-health, but at the same time there is a considerable threat
that e-health may deepen the gap between the "haves" and
"have-nots". People, who do not have the money, skills, and access to
computers and networks, cannot use computers effectively. As a result, these
patient populations (which would actually benefit the most from health
information) are those who are the least likely to benefit from advances in
information technology, unless political measures ensure equitable access for
all. The digital divide currently runs between rural vs. urban populations,
rich vs. poor, young vs. old, male vs. female people, and between
neglected/rare vs. common diseases. [5]
In recent decades, the development of eHealth has been
given a high priority because of its potential to revolutionise the delivery of
health services by overcoming the barrier of distance, and reducing errors in
patient treatment.[6]
In addition, eHealth initiatives can deliver improved productivity through
streamlining administrative processes.[7]
What is the PCEHR system?
The Personally Controlled Electronic Health Records
(PCEHR) system was established in July 2012, with the enactment of the Personally
Controlled Electronic Health Records Act 2012 (PCEHR Act).[8]
The PCEHR system provides a national system for regulating collection,
recording, use and disclosure of ‘health information’ included in an
individual’s e-health record. In simple practical terms, it allows doctors,
hospitals, and other healthcare providers to view and share an individual’s
health information to assist in their care. In this way, the PCEHR is captured
by the definition of a ‘health service’ for the purposes of the Privacy
Act.[9]
What is ‘health information’?
‘Health information’ is defined in the Privacy Act
to mean information or opinion about:
- an
individual’s health or disability (at any time)
- an
individual’s expressed wishes about future health services that may be provided
to them
- a
health service provided or to be provided to an individual
- other
personal information collected to provide or in providing a health service, or
in connection with donation of body parts, organs or body substances and
- genetic
information about an individual in a form that is or could be predictive of
their health or a genetic relative of the individual.[10]
What is a ‘health service’?
‘Health service’ is defined in the Privacy Act as;
- an
activity performed in relation to an individual that is intended or claimed to:
- assess,
record, maintain or improve the individual’s health
- diagnose
the individual’s illness or disability or
- treat
the individual’s illness or disability or
- the
dispensing on prescription of a drug or medicinal preparation by a pharmacist.[11]
This is the same definition as provided for ‘healthcare’
under the PCEHR Act.[12]
Purpose of the PCEHR system
Currently, the PCEHR Act states that the object of
the legislation is to enable the operation of a voluntary[13]
national system for the provision of access to health information relating to
consumers of healthcare to:
- help
overcome the fragmentation of health information
- improve
the availability and quality of health information
- reduce
the occurrence of adverse medical events and the duplication of treatment[14],
and
- improve
the coordination and quality of ‘healthcare’[15]
provided to individuals by different healthcare providers.[16]
In addition to the objects listed in the PCEHR Act,
another expected outcome of the system is significant budget savings through
reduced inefficiencies. It is anticipated that the budget savings will flow
from increasing access to comprehensive health information which will provide
healthcare providers with relevant information to enable improved, coordinated
and timely treatment decisions, reduce the incidence of adverse events and
reduce unnecessary or duplicated services.
The PCEHR system relies on the Healthcare Identifier (HI)
service which is intended to ensure consistent identification of individuals,
healthcare providers and organisations. The HI service was established by the Health
Care Identifiers Act 2010 (HI Act) in line with the Council of
Australian Governments (COAG) commitment to developing eHealth.[17]
The HI Act regulates the use and disclosure of health care identifiers
used in the e-health record system. The HI service assigns each individual and
healthcare provider with a unique identifier and is central to the operation of
the PCEHR.[18]
The development of eHealth initiatives has been overseen by the National
E-Health Transition Authority (NEHTA), which was established in 2005.[19]
The type of records contained in an individual’s PCEHR can
include prescription records, pathology and diagnostic imaging reports and
discharge summaries. Under the PCEHR system the individual controls who is able
to access their record, what documents can be added and may remove or add
records themselves.[20]
The current system operates as an ‘opt-in’ system; individuals must actively register
if they wish to participate in the PCEHR system.[21]
Key statistics on the PCEHR
As of October 2015:
- 2,427,704
people have registered for a PCEHR (or around 10 per cent of the population)
- 57,810
shared health summaries were in the system, up from about 38,200 in December
2014
- There
were 218,915 discharge summaries
- 4,445
specialist letters have been uploaded
- 7,970
healthcare providers were registered for the PCEHR, including 5,182 general
practices and
- 1,770,632
prescription documents have been uploaded.[22]
Review of the PCEHR
In November 2013, a review of the PCEHR was announced by
the then Health Minister, Peter Dutton. The review, led by the head of Uniting
Care Health Queensland Richard Royle, was tasked with reporting on issues around
implementation of the system which were hampering adoption of the PCEHR. Issues
surrounding clinician and patient useability were of particular interest, as
were the possible use of incentives to encourage more people and providers to
register with the PCEHR system.[23]
In May 2014, the Review of the Personally Controlled Electronic Health
Record (the Royle Review) was publicly released.[24]
While it found ‘overwhelming support’ for the implementation of an electronic
health record system, it said a ‘change in approach’ was needed and made a
number of recommendations to this end. Broadly, this included renaming the
PCEHR, dissolving the NEHTA and replacing it with a new body, moving to an ‘opt-out’
system[25],
improving usability and restructuring governance arrangements. Following this the
Government conducted public consultations on its recommendations.
Separately to the PCEHR review, a review of the HI service
occurred in October 2012. This review found that the core function of the HI service
generally worked well, but a number of enhancements and adjustments needed to
be made.[26]
Subsequently, the Health Minister Sussan Ley announced
just prior to the 2015–16 Budget that the Government would provide $485 million
to improve the PCEHR system informed by the recommendations of the Royle review
and consultation process.[27]
Specifically, the budget announced that the PCEHR would be renamed My Health
Record, NEHTA would be replaced by a new Australian Commission for eHealth
(ACeH), and trials would be undertaken to assess responses to revised
participation arrangements including for an opt-out model.[28]
This Bill proposes provisions that commence implementation
of the Government’s response to the PCEHR and HI service reviews, specifically
those ‘which are aimed at facilitating increased participation in the system
and improvements in the usability and clinical content’ for the benefit of
patients and healthcare providers.[29]
Implementation of other measures, such as the
establishment of ACeH may require separate legislation.[30]
An implementation taskforce to oversee the transition of responsibilities from
NEHTA to ACeH has been established to assist this process.[31]
Some recommendations of the Royle Review, such as data standardisation issues, may
need to be addressed through regulation or other means. Other recommendations,
such as an education campaign for consumers and clinicians about the impact of changing
to an opt-out system, will not require regulatory change.[32]
Community Affairs Committee
The Bill has been referred to the Senate Community Affairs
Legislation Committee for inquiry and report by 9 November 2015. Details
of the inquiry are at the inquiry webpage.[33]
Senate Standing Committee for the
Scrutiny of Bills
The Senate Standing Committee for the Scrutiny of Bills
(Scrutiny of Bills Committee) raised a number of concerns regarding the
provisions of the Bill.[34]
The Scrutiny of Bills Committee was particularly concerned with the
introduction of proposed section 26 of the HI Act, at
item 36 of Schedule 1 to the Bill, which sets out the circumstances where
the use or disclosure of healthcare identifiers and other information is prohibited.[35]
Proposed subsections 26(3) and (4) set out circumstances where the
prohibition on the use and disclosure of a healthcare identifier or other
relevant information, respectively, does not apply. Such circumstances include
where the use or disclosure is required or authorised under the HI Act
or a court order. However, a person charged with breaching the prohibition on
use and disclosure, who wishes to rely on the exceptions set out in subsections
26(3) and (4), bears an evidential burden in relation to the relevant exception,
in accordance with section 13.3 of the Criminal Code Act 1995. That is,
the defendant has ‘the burden of adducing or pointing to evidence that suggests
a reasonable possibility that the matter exists or does not exist’. [36] If the
defendant discharges the evidential burden, the prosecution must then disprove
the relevant matters beyond reasonable doubt. The Scrutiny of Bills Committee
noted that ‘significant penalties apply for contravention of this provision’
and that ‘there is no justification in the explanatory memorandum for placing
an evidential burden on the defendant’.[37]
As a result of the impact that these amendments may have on a person’s rights
and liberties, the Scrutiny of Bills Committee has sought the Minister’s advice
‘as to the rationale for the proposed approach, including whether the approach
is consistent with the principles in relation to offence-specific defences
outlined in the Guide to Framing Commonwealth Offences, Infringement Notices
and Enforcement Powers (September 2011)’.[38]
The Scrutiny of Bills Committee also raised concerns over
a number of proposed provisions that allow for matters to be legislated for by
way of delegated legislation.[39]
In particular, the Scrutiny of Bills Committee was concerned with new Schedule
1 of the My Health Records Act (inserted by item 106 of Schedule
1 to the Bill), which contains provisions that would allow the Minister to make
rules that will prescribe trial arrangements and for the opt-out model to be
applied nationally.[40]
While the Scrutiny of Bills Committee recognises that the proposed op-out
system includes a number of adequate safeguards, it concluded ‘that a general
change to an opt-out system is central to the regulatory design of the system
and thus is a choice which appropriately made by the Parliament rather than
delegated to a Minister’ and sought justification from the Minister.[41]
Justification was also sought in relation to the use of a ‘Henry VIII clause’
in relation to opt-out trials and a national opt-out system and the
incorporation of material/written instruments which may change from time to
time within the delegated legislation.[42]
The Australian Labor Party’s (ALP) Health spokesperson
Catherine King has indicated the Opposition is likely to support the Bill, but
has criticised the length of time it has taken since the Royle Review to
introduce legislation. She has also questioned the reduced funding for the
measure:
“We’ve been waiting for the legislation to be introduced, so
we can properly consider it, which we’ll now do,” Ms King said.
“Opt out is an important issue, but this government has
wasted two years stalling on eHealth, is now having a trial for another year,
and has cut $214 million from it in the budget with no funding beyond 2018. The
government should stop stalling and just get on with it.”[43]
In her second reading speech, Ms King noted there were
some significant changes in the Bill that warranted further scrutiny ‘to ensure
people’s privacy is protected’:
As I stated well at the outset, Labor does not oppose the
intent of this Bill. However, we do believe there are elements—especially those
that relate to changing the way information can be collected and shared—that do
require further scrutiny. As I said, it is not that Labor opposes the
principles—many of them do at face value appear to be very common-sense and
necessary changes to meet the policy intent—but, given the extent of the
changes, stakeholders with direct experience and responsibility in delivering
health care and working with personally controlled electronic health records
should have an opportunity to provide feedback on the Bill.[44]
The Australian Greens supported the introduction of the PCEHR.
Senator Richard Di Natale (then Health spokesperson) stated in 2012 that:
“The introduction of electronic health records will
ultimately lead to better health outcomes and savings to the bottom line. This
is good news for Australia’s healthcare system and will drag our health system
into the 21st century,” said Senator Di Natale.
“The electronic health record will empower people to take
control of their health, improve communication between healthcare professionals
and reduce medical errors.
“It’s understandable that some medical indemnity groups have
concerns but in the long term the electronic record will mean fewer mistakes,
which means fewer claims.
“It's clear that Australians will benefit from an electronic
health record and we will hold the government to account so that any problems
with the rollout are dealt with transparently and quickly.”[45]
This suggests that the Greens are supportive of efforts to
increase adoption of the PCEHR, and would be likely to support the general
thrust of this Bill.
At this time, the views of cross-bench Senators are not
known.
The development of the PCEHR has been of ongoing interest
to a wide number of groups, including state and territory governments,
clinicians and other health professionals, hospitals, health care
organisations, aged care providers, health insurers, software vendors and
consumer groups. While the views of stakeholders on the specific provisions
contained in this Bill are still emerging, their views on the recommendations
of the Royle Review (upon which this Bill is largely based) were canvassed as
part of the recent consultation process.
Views of stakeholders gathered from
the consultation process
The Department undertook a consultation process on the
proposed changes to the PCEHR, which included issuing a discussion paper and conducting
multiple workshops with a diversity of stakeholder groups. Broadly, these
consultations indicated, ‘strong support for the continued operation of a
national shared electronic health record system’ and the findings of the PCEHR
review.[46]
The Department received 137 written submissions in
response to the discussion paper.[47]
Consultants Deloitte prepared a report on the outcomes of this consultation
process. A summary of stakeholder comments on some key issues is presented
below.[48]
Opt-out model and access controls
Deloitte noted a majority of consumers supported an
opt-out model after it was explained to them. However there was some concern
around communicating the concept to certain groups, particularly those from
culturally and linguistically diverse backgrounds, persons with a disability or
those without access to the internet.[49]
Among health providers, a similar level of support for an opt-out model was
also evident. According to Deloitte, ‘many providers indicated that they would
be more willing to participate in the PCEHR if they knew that there was a high
likelihood that their patients will have a record.’[50]
Providers had some concerns around how the move to an opt-out model would
affect the implied consumer consent that exists with the current opt-in model,
and suggested legislatively ensuring the right of providers to access records
unless this action was specifically blocked by an individual.[51]
The majority of consumers indicated they would be ‘unlikely
to use the controls to block access to their record, or to particular documents
in their record, except in very special circumstances’.[52]
Issues around information security and misuse were found to still exist, but
were not considered predominant concerns among consumers.[53]
Not all stakeholders support the PCEHR or the move to an
opt-out model. The Australian Privacy Foundation in a submission to the
Department questioned the need for a PCEHR, arguing there is ‘no reliable and
compelling evidence that demonstrates that the PCEHR as it exists today, or as
it will become if the proposed changes are implemented, can deliver the type or
level of value and benefits that justify the risks to privacy of a high value
repository of every Australian’s identity and health data’.[54]
Furthermore, the Foundation is concerned that ‘[w]hat is not clear at all from
the Legislation Discussion Paper or any of the public briefings is what, if
any, changes are to be made to the system either in terms of usability or in
support of better health outcomes.’[55]
In short, the Department has failed to demonstrate how the fundamental drivers
and requirements of eHealth care have been incorporated into the PCEHR and
therefore should not be insisting on public participation.[56]
Significantly, the Foundation warns that the proposed opt-out model can ‘leave
people in the dark about things which might have implications for their whole
family or community, for their whole lives’.[57]
Its concerns about mission creep have been expressed as follows:
[...]we believe that there is a strong possibility that there
will be a realisation amongst the population at large that the PCEHR is
actually a thinly disguised national identity number attached to some health
information, none of which can be relied upon because there is no way to
medico-legally trust the information contained. However the identity data will
be seen as very useful to the government, especially when cross-matched against
internet and telecommunications metadata and other government databases.[58]
Governance arrangements and new
eHealth entity
Deloitte reported that stakeholder feedback had indicated
that health care providers wanted greater representation in governance
arrangements. Many stakeholders revealed they had concerns around the current
governance arrangements.
Deloitte found ‘strong support for improving the
governance arrangements for the PCEHR through the recommendations provided in
the PCEHR review’. This included strong support for the establishment of the new
eHealth entity (the Australian Commission for eHealth), and the establishment
of a new governing board ‘with a greater focus on skills-based membership’.[59]
Stakeholders wanted their input into the governance
process ‘to be listened to, considered and acted upon where appropriate.’[60]
Record content and usability
Improved utility of the PCEHR was seen by all stakeholders
as one of the keys to driving participation. Concerns have been driven by
stakeholder experience of poor software integration which has ‘resulted in very
little automation of the accessing of PCEHR information and poor alignment to
clinical workflows resulting in impacts on provider time and making it
difficult for providers to find information and to upload information.’[61]The
type of content which could be uploaded was also regarded as a key factor in
providing value to stakeholders, and a number of new types of documents was
suggested. But there was broad agreement initially focusing on recording high
priority health information, including:
- allergies
and alerts
- current
medications
- current
conditions
- transfer
of care summaries (for example, hospital discharge summaries) and
- recent
pathology and diagnostic imaging test results.[62]
For more details of stakeholder views gathered during the
consultation process, the reader is advised to consult the Deloitte report and
the submissions on the Department’s website.[63]
Other stakeholder views
As noted, views from stakeholders on the specific provisions
in this Bill are still emerging. However, since the budget announcement the proposed
opt-out trials have attracted some comment. Long-time eHealth commentator and
consultant Dr David More has suggested that the trials may end up being
‘trickier than is currently believed’.[64]
In particular he has raised pertinent questions about the length of the trials,
how these will include the homeless and those without internet access, what
evaluation criteria will be used to assess their value, how young people below
the age of consent but who may want to suppress personal information that has
been automatically uploaded (such as medications) will be able to control this information
if they need to, and how control of information will be handled in the event of
family violence.
A recent industry survey organised by the Health Informatics
Society of Australia (HISA) and the Health Information Management Association
of Australia (HIMAA), indicated broad support for the opt-out trials and the
name change to My Health Record, but views on other matters were more varied according
to an article appearing in Pulse+IT magazine. The article noted that a
slim majority of industry respondents (51 per cent) supported continuing the
voluntary opt-in arrangement for healthcare provider organisations and
associated operators, 20 per cent were neutral on the idea with around 17 per
cent supporting mandatory participation of providers and operators.[65]
More than 90 per cent supported expanding the PCEHR rules to address how a
healthcare provider would ensure data quality, and 85 per cent supported the
expansion of security measures to all PCEHR participants. Respondents also
supported allowing vendors to develop and run a test environment and the need
to encourage secure messaging between healthcare providers. In terms of
secondary use of data, 64 per cent agreed that individuals need to provide
direct consent to a researcher (with ethics approval). There was less agreement
(under 50 per cent) over control of de-identified information for research
purposes.[66]
State and territory governments
As key stakeholders in the PCEHR, the co-operation of state
and territory governments will be crucial in implementing changes to the PCEHR.
However, only New South Wales and Victoria provided submissions in response to
the legislation discussion paper. Victoria stated broad support in its
submission:
The Victorian Government provides strong in-principle support
for enhancing the scope of application of the HI Service, as a key enabler of a
more coordinated and robust health and wellbeing system for all Victorians; and
for the modification of the PCEHR system to an opt-out model to encourage
greater participation and streamline processes for consumers, providers and
organisations.[67]
The NSW submission did not state a position but noted
that, ‘if the Commonwealth moves to an opt-out model for the PECHR, consideration
will have to be given to the interaction with relevant NSW legislation to
ensure that an opt-out model can operate in NSW’.[68]
The proposed legislative changes including the opt-out
trials were discussed by all Health Ministers at the last meeting of COAG’s
Standing Council on Health on 7 August 2015. The Communique noted that
Ministers were ‘invited to nominate potential trial sites’, but provided no
further detail of the views of Health Ministers.[69]
While consultations may be ongoing between governments, the final views of the
states and territories on the specific provisions proposed in this Bill are not
yet clear.
The Explanatory Memorandum confirms the funding commitment
made in the 2015–16 Budget of $485.1 million over four years to implement
the new My Health Record system, eHealth governance arrangements and trials of
participation arrangements.[70]
However, the budget also noted that in the 2014–15 budget $699.2 million had
been provisioned for the redevelopment of the PCEHR in the contingency reserve;
expected savings from this reduced expenditure are to be re-directed to the
newly established Medical Research Future Fund.[71]
Since 2010, successive governments have allocated just
over $1 billion in budget commitments to implement the PCEHR. In 2010–11 the
Rudd Government allocated $466.7 million, then in 2014–15 the Abbott Government
committed a further $140.6 million (while the government finalised its response
to the Royle Review).[72]
This does not include spending on NeHTA, which has been estimated at $1 billion
since it was established in 2005.[73]
But eHealth initiatives are expected to generate
substantial savings over time. The Royle Review cites one estimate indicating that
savings of $7 billion a year in direct health costs are possible from
digitising the health system.[74]
In evidence to a Senate Estimates Committee, a Health Department official cited
an estimate from Deloitte that benefits of $11.5 billion over 15 years could be
delivered.[75]
As required under Part 3 of the Human Rights
(Parliamentary Scrutiny) Act 2011 (Cth), the Government has assessed the
Bill’s compatibility with the human rights and freedoms recognised or declared
in the international instruments listed in section 3 of that Act. The
Government considers that the Bill is compatible.[76]
The Explanatory Memorandum lists the human rights that are
engaged by the Bill. This includes:
Right to health
Article 12(1) of the International Covenant on Economic,
Social and Cultural Rights [ICESCR] provides for a right to the enjoyment
of the highest attainable standard of physical and mental health, which is to
be realised progressively within the resources available. In its General
Comment No. 14 (2000), the Committee on the Economic, Social and Cultural
Rights notes that information accessibility is an element of the right to
health and that this includes “the right to seek, receive and impart
information and ideas concerning health issues”, without impairing the right to
have health data treated confidentially.[77]
General Comment 14: The Right to the Highest Attainable
Standard of Health,[78]
attempted to clarify the meaning of the broad declaratory language that the
Article 12 of the ICESCR uses to set out the right to health. Through the General
Comment 14 publication, the Committee on Economic, Social and Cultural Rights
sought to translate and articulate the right to health into norms, obligations,
violations and implementation. However, General Comment 14 has yet to be accepted
as binding law by all states, thus its legal status arguably remains uncertain.
It is also notable that General Comment 14 clarifies that
right to health includes freedoms and entitlements. The right to health is not
to be understood as a right to be healthy – people are free to make choices
that are unhealthy. More accurately, the right is concerned with the systems,
facilities, services and conditions that are necessary for everyone to achieve
the highest possible standard of mental and physical health.[79]
Furthermore the Committee’s articulation of the right to
health incorporates the following key elements:
- Availability
– Sufficient quantity of functioning public health and health-care facilities,
good and services [...] (General Comment No. 14, para 12(a)).
- Accessibility
– All people in the country (regardless of whether they are citizens or not,
and especially if they are vulnerable or marginalised), have equitable access
to health facilities, goods and services without discrimination. Accessibility
has four overlapping dimensions, one of which includes:
- Information
accessibility – this means that health consumers can participate in decisions
about their health and have confidentiality of their health information
protected. [emphasis added] (General Comment No. 14, para. 12(d))
- Acceptability
– Health facilities, goods and services should be respectful of medical ethics
and be designed to respect confidentiality and improve the health of consumers.
They should also be designed to ensure that people receive treatment
appropriate for their culture, gender and stage of life (General Comment No.
14, para. 12(c)).
- Quality
– Health facilities, goods and services must be scientifically and medically
appropriate and of good quality (General Comment No. 14, para. 12(d)).
Right to privacy
Of course the right to health is interdependent with other
human rights including, for example, the right to privacy and to access information.
‘Privacy is a fundamental human right, and is central to
the maintenance of democratic societies. It is essential to human dignity and
it reinforces other rights, such as freedom of expression and information.’[80]
Of all of the human rights in the international catalogue, the right to privacy
is perhaps the most difficult to define. Although definitions and thus attempts
to articulate the content or basis for privacy vary, ‘privacy’ is seen as a way
of defining the limits of public intrusion into one’s private life. In its most
simple terms, it has been expressed as ‘the right to be let alone’.[81]
Article 12 of the Universal Declaration of Human Rights and Article 17 of the International
Covenant on Civil and Political Rights[82]
both protect the individual against ‘arbitrary or unlawful interference with
his or her privacy, family, home or correspondence’. While the right to privacy
under international human rights law is not absolute, any instance of
interference must be subject to a careful and critical assessment of its
necessity, legitimacy and proportionality.
The limitations on the right to privacy should be strictly
construed and conform to the tests of necessity and proportionality. A proposal
for an opt-out eHealth system is arguably justified when it is prescribed by
law, necessary to achieve a legitimate aim, and proportionate to the aim
pursued.
The current opt-in system would appear to be more
consistent with a balancing of the right to privacy and the right to health.
This is because the data is obtained with the explicit knowledge or consent of
the data subject.
The possible issues with an opt-out approach include:
-
insufficient guarantee in relation to the openness about developments,
practices and policies with respect to health information collected
-
insufficient guarantee of knowledge or consent of the data
subject prior to collection
-
insufficient guarantee that the data collected will be relevant
to the purposes for which they are to be used, and will only be used for
authorised purposes
-
insufficient guarantee that the data is accurate, complete and
kept up-to-date and
-
lack of explicitly stated mechanism and guarantee of ability of
individual to easily obtain health data in a timely manner, at a charge that is
free or minimal, to be able to challenge and rectify errors or omissions in the
data.[83]
Nonetheless, it is arguable that the collection and use of
health data by a health professional (under an opt-out approach without the
explicit consent of the individual) may be consistent with the right to health
in terms of using that data for diagnosis, care and treatment of a patient.
However, the free and informed consent of the individual would arguably be
required where that information was used for research or other secondary
purposes. The details of the opt-out scheme do not appear to make that
distinction.
Parliamentary Joint Committee on
Human Rights
On 9 September 2015 the Parliamentary Joint Committee on
Human Rights published its comments on the Bill. The Committee noted that this Bill
would ‘enable trials to take place, which could then be applied Australia‑wide,
to enable the health records of all Australians to be automatically uploaded
onto the electronic database unless the person actively opts-out of the
process.’ The Committee considered that gave rise to privacy concerns and
queried whether the objective of the Bill was a legitimate objective for the
purposes of international human law. The Committee pointed out that:
To be capable of justifying a proposed limitation of human
rights, a legitimate objective must address a pressing or substantial concern
and not simply seek an outcome regarded as desirable or convenient. The
committee also raised concerns as to whether the limitation on the right to
privacy is proportionate; in particular, whether there are adequate safeguards
in place to protect an individual's privacy and whether the opt-out model is
the least rights restrictive way to achieve the stated objective.[84]
Key issues and related provisions are discussed below. For
the remaining provisions the reader is advised to consult the Explanatory Memorandum
which provides an adequate overview.
Schedule 1
Amendments to the Copyright Act
The Copyright Act sets out rules about copyright
ownership.[85]
However, people and organisations involved in creating or investing in
copyright material can reach agreement about who will own copyright and the
terms of its use. The Copyright Act distinguishes between two categories
of subject matter: the first is ‘works’, which covers literary[86],
dramatic, musical and artistic works.[87]
The second category is known as ‘subject matter other than works’ which covers
sound recordings, films, sound and television broadcasts, and published
editions of works.
Item 1 inserts proposed section 44BB into
the Copyright Act, which provides that the uploading into, or sharing
and or use of information in, the My Health Record system will not infringe the
copyright in a work. Currently healthcare providers that register to
participate in the My Health Record system (through a ‘participation
agreement’) grant a license to the System Operator to ‘use, reproduce, copy,
modify, adapt, publish and communicate health records they upload for the
purposes of providing health care’.[88]
As part of this participation agreement, providers also give the System
Operator permission to sub-license other healthcare provider organisations and
participants, which means that records can be shared without breaching any organisation’s
copyright. However, as a result of the removal of participation agreements, the
Government has chosen to introduce an exception into the Copyright Act to
ensure that actions taken for the purposes of the My Health Record system will
not infringe copyright.
Proposed subsection 44BB(1)
applies to works that:
- are
substantially comprised of health information (which could include reports,
specialist letters or pathology or diagnostic imaging results) or
- allow
for the storage, retrieval or use of health information (proposed paragraph
44BB(1)(b)).
Copyright in such works will not be infringed by an act done
or authorised to be done:
- for
a purpose for which the collection, use or disclosure of information is required
or authorised under the My Health Records Act
- where
it is unreasonable or impracticable to obtain the individual’s consent to the
collection, use or disclosure; and the entity reasonably believes that the
collection, use or disclosure is necessary to lessen or prevent a serious
threat to the life, health or safety of any individual, or to public health or
safety[89]
- where
a ‘permitted health situation’ exists[90]
or
- where
prescribed by the regulations, provided the purpose relates to health care, or
the communication or management of health information.
Item 2 inserts proposed section 104C into
the Copyright Act, which contains provisions that mirror proposed
section 44BB except that it refers to copyright infringement with respect
to sounds recordings and cinematograph films (which are not considered to fall
within the definition of ‘works’). This would cover health records that might
consist, for example, of ‘a recording of a person’s breathing for their
treatment as a chronic asthmatic, or an ultrasound of a foetus for the
treatment of a prenatal condition’.[91]
Amendments to the Healthcare
Identifiers Act (HI Act)
Items 27-28 introduce amendments to section 7 of the HI
Act, which will expand the type of information that is considered to be ‘identifying
information’ and therefore can only be disclosed for authorised purposes.[92]
In particular, item 27 amends subsections 7(1) and 7(2) to provide that
the email address, telephone number and fax number of a healthcare provider
(individual or organisation) will now be considered as identifying information.
Item 28 inserts proposed paragraph 7(3)(i) to allow for
regulations to be made which prescribe further identifying information in
relation to healthcare recipients.
As discussed above, at present
people in Australia can voluntarily register to create their own
personally controlled eHealth record. To ensure a healthcare provider can view
its patients’ eHealth records, it needs to register to participate in
Australia’s eHealth record system.[93]
‘The eHealth record system uses the HI Service to manage an individual’s and
health provider’s participation in the eHealth record system’.[94]
It does this by issuing ‘unique identifiers for patients, individual healthcare
professionals and organisations.’[95]
These identifiers are then ‘used in electronic health communications to ensure
information is matched to the right patient and shared between the right
healthcare providers.’[96]
Healthcare provider organisations participate in the
eHealth record system either as a ‘seed organisation’ only or as a ‘network
organisation’ that is part of a wider ‘network hierarchy’ (under the
responsibility of a seed organisation).[97]
A seed
organisation is an organisation which provides or controls the delivery of
healthcare services. ‘A seed organisation
could be, for example, a local GP practice, pharmacy or private medical
specialist.’[98]
An example of a network organisation could be an individual
department (e.g. pathology or radiology) within a wider metropolitan hospital.
A network hierarchy operating in the eHealth record system consists of one seed
organisation and one or more network organisations.[99]
Current section 9A of the HI Act defines the
different classes of healthcare provider that may be assigned a healthcare
identifier and thus participate in the PCEHR system. The Explanatory Memorandum
states that proposed section 9A seeks to replace existing section 9A and
simplify the provisions relating to seed and network organisations.
Collection, use and disclose of
healthcare identifiers and other information
Item 34 repeals current Divisions 1, 2, 2A and 3 of
Part 3 of the HI Act and replaces them with new Divisions 1, 2 and 3.
The proposed amendments update the provisions that deal with when healthcare
identifiers and other information can be collected, used and disclosed. New
Division 1 inserts a simplified outline of Part 3, while new Division 2 refers
to healthcare recipients and new Division 3 deals with healthcare providers.
New Division 2 clarifies the circumstances when a healthcare
recipient’s healthcare identifier or other information can be collected, used
or disclosed to another party. Specifically, new Division 2 provides for the collection,
use and disclosure of a healthcare recipient’s healthcare identifier or other information
for the following purposes:
- assigning
a healthcare identifier to a healthcare recipient (proposed section 12)
- keeping
a record of healthcare identifiers and related information (proposed section
13)
- providing
healthcare to a healthcare recipient (proposed section 14)
- for
the My Health record system (proposed section 15)[100]
- aged
care purposes (proposed section 16)
- adopting
a healthcare recipient’s healthcare identifier as an entity’s identifier of
that person (proposed section 17)
- disclosing
a healthcare recipient’s healthcare identifier (proposed section 18)
- disclosing
information about a healthcare recipient’s healthcare identifier (proposed section
19) and
- additional
purposes to be specified in the regulations (proposed section 20).
While all of the circumstances are currently provided for
under the HI Act, not every provision authorises all three possible
actions, that is, they do not authorise collection, use and disclosure
for each purpose. In a number of cases, the proposed amendments expand the ways
in which a healthcare recipient’s healthcare identifier or other information
can be used. While the majority of these amendments simply clarify existing
provisions, others authorise new actions. For example, proposed subsection
14(1) will allow the HI Service Operator to disclose to a healthcare
provider information about a healthcare recipient for the purpose of
determining the recipient’s healthcare identifier. The Explanatory Memorandum
notes over the last five years there has been a 20 percent failure rate when
attempting to identify an individual’s healthcare identifier and the ability to
disclose identifying information about the healthcare recipient to the
healthcare provider will allow more individuals to benefit from the My Health
Record System. However, while the Government has stated that the Service
Operator ‘will develop policies to minimise risks associated with disclosure of
identifying information to organisations seeking an individual’s healthcare identifier’
and will disclose ‘only where the Service Operator is confident they have
identified the correct healthcare recipient’, there is a danger the Service
Operator will disclose the personal details of the wrong person.[101]
Currently section 22E of the HI Act allows for
regulations to be made authorising a person to collect, use and disclose
identifying information of participants in the My Health Record System and
healthcare identifiers. This can only occur where the collection, use or
disclosure is authorised under the PCEHR Act or where it is reasonably
necessary for the performance of a function or the exercise of a power in
relation to the PCEHR system. Due to paragraph 22E(d) the regulations may only
permit disclosure of the information or healthcare identifier to a
person or organisation who is a participant in the My Health Record system. Proposed
section 20 expands this provision by allowing for information to be
disclosed to persons or organisations outside of the My Health Record system,
provided it is for one or more of the following purposes:
- providing
healthcare to healthcare recipients or a class of healthcare recipients
- determining
whether adequate and appropriate healthcare is available to healthcare
recipients or a class of healthcare recipients
- facilitating
the provision of adequate and appropriate healthcare to healthcare recipients
or a class of healthcare recipients
- assisting
persons who, because of health issues (including illness, disability or
injury), require support or
- the
My Health Record system.[102]
The Explanatory Memorandum explains the reasoning behind the
amendments:
The new power has been designed to allow the appropriate
collection, use, disclosure and adoption of healthcare identifiers and
identifying information by entities like [the National Disability Insurance
Agency] NDIA and cancer registers, within tight limits related to providing
healthcare and assisting individuals who require support because of health
issues, without having to amend the Act each time a new entity needs to be
authorised.[103]
New Division 3 contains similar provisions to new
Division 2, except relating to the collection, use and disclosure of healthcare
identifiers and other information relating to healthcare providers. The
proposed amendments allow the collection, use and disclosure of healthcare
providers’ healthcare identifiers and other information for the following
purposes:
- assigning
a healthcare identifier to a healthcare provider (proposed section 21)
- keeping
a record of healthcare providers’ healthcare identifiers (proposed section
22)
- providing
healthcare to a healthcare recipient (proposed section 23)
- for
the My Health record system (proposed section 24)
- for
authentication in electronic communication (proposed section 25)
- sharing
information with registration authorities (proposed section 25A)
- adopting
a healthcare provider’s healthcare identifier as an entity’s identifier of that
healthcare provider (proposed section 25B)
- providing
the healthcare provider’s healthcare identifier to them (proposed section
25C) and
- additional
purposes to be specified in the regulations (proposed section 25D).
As with new Division 2, a number of the proposed amendments
set out in proposed Division 3 reflect the same level of authorisation
currently provided under the HI Act or merely clarify existing
provisions. However, proposed section 25A introduces new provisions that
allow a HI Service Operator to ‘collect from a registration authority, use and
disclose to a registration authority identifying information about, or a
healthcare identifier, of a health care provider’ and vice-versa. Proposed
section 25D introduces similar amendments to those contained in proposed
section 20.
Proposed section 25E imposes an obligation on
healthcare provider organisations to inform the Service Operator in the event
they become aware that information about their organisation is not accurate,
up-to-date or complete. Under proposed subsection 25E(1), the
organisation must, within 20 business days of becoming aware of the situation,
provide the Service Operator in writing with accurate, up-to-date and complete
information. Provided neither of the exceptions set out in subsections 25E(2)
and (3) apply, a person who fails to comply with the requirements of proposed
subsection 25E(1) and knows or is reckless as to those circumstances (that
the information is not accurate, up-to-date or complete) will be liable for a
civil penalty of up to 100 penalty units.[104]
Unauthorised use and disclosure
Currently sections 15 and 26 of the HI Act prohibit
the unauthorised use or disclosure of a healthcare identifier or identifying
information about the healthcare provider or healthcare recipient.
Specifically, subsections 15(1) and (2) provide that the use or disclosure of
information provided to a person under Part 2 or Part 3-Division 1 is
prohibited unless the person uses or discloses it for the purpose for which it
was provided or another purpose authorised by law. Additionally, subsection
15(3) makes it an offence for a person to use or disclose information which
they knew was not authorised to be disclosed to them. The penalty for breaching
subsection 15(1) or (3) is imprisonment for up to two years and/or 120 penalty
units (currently $21,600 for individuals and $108,000 for bodies corporate).
Section 26 prohibits a person from using or disclosing a healthcare identifier
except where the person is authorised to do so under the HI Act, or for
a purpose authorised by another law, or for a purpose permitted by section 16
of the Privacy Act (relating to the person’s personal or household
affairs). The penalty for breaching section 16 is also imprisonment for up to
two years and/or 120 penalty units.
Item 36 repeals and replaces section 26 to combine existing
sections 15 and 26 of the HI Act. While the provisions of new section
26 are quite similar to those currently contained in sections 15 and 26,
there are some differences, including a new civil penalty provision. Proposed
subsection 26(1) effectively combines the provisions of subsection 26(1)
and subsection 15(1) to provide that a person must not disclose information
that they have obtained under the HI Act or disclose a healthcare
identifier (recipient or provider) unless any of the exceptions in proposed
subsections 26(3) and (4) apply. Proposed subsection 26(3) sets out
the exceptions in relation to the disclosure of a healthcare identifier. While
some of these exceptions already exist under subsection 26(2), proposed section
26(3) introduces the following two new exceptions in relation to the disclosure
of a healthcare identifier:
- in
the following situations provided for under subsection 16A(1) of the Privacy
Act:
- where
it is unreasonable or impracticable to obtain the individual’s consent to the
collection, use or disclosure and the entity reasonably believes that the
collection, use or disclosure is necessary to lessen or prevent a serious
threat to the life, health or safety of any individual, or to public health or
safety
- where
unlawful activity or serious misconduct is suspected and the collection, use or
disclosure is necessary to allow appropriate action to be taken or
- where
the collection, use or disclosure is necessary to establish a legal defence or
claim, or for the purposes of a confidential alternative dispute resolution
process;[105]
and
- where
the use or disclosure is required or authorised by the Information
Commissioner, or an equivalent officer or agency of a State or Territory, in
exercising powers or performing functions in relation to privacy.[106]
Proposed subsection 26(4) sets out the exceptions in
relation to the disclosure of identifying information or other information
obtained under the HI Act. Again, while a number of the exceptions
contained in proposed subsection 26(4) mirror those currently contained in
subsection 15(2) the Bill introduces two new exceptions in relation to the
disclosure of other information:
- where
the information is personal information and the use or disclosure would not be
an interference with the privacy of the individual for the purposes of the Privacy
Act;[107]
and
- where
the use or disclosure is required or authorised by the Information
Commissioner, or an equivalent officer or agency of a State or Territory, in
exercising powers or performing functions in relation to privacy.[108]
Proposed subsection 26(2) provides that a person is
prohibited from using or disclosing information that was provided to them by a
person who was not authorised to do so. Proposed subsection 26(5)
provides that the penalty for breaching proposed subsection 26(1) or (2)
is imprisonment for up to two years and/or 120 penalty units. As with the
current provisions in sections 15 and 26, the defendant continues to bear the
evidential burden in proving that the use or disclosure was not unauthorised.[109]
As there is no fault element stated, it must be established that the defendant
intended to use or disclose the information.[110]
Proposed subsection 26(6) introduces a new civil penalty of up to 600
penalty units, which applies where a person uses or discloses information in
circumstances that breach proposed subsection 26(1) or (2) and
knows or is reckless to those circumstances. As the standard of proof for civil
penalty provisions is on the balance of probabilities, as opposed to beyond
reasonable doubt, it is less difficult to prove that a person is guilty of
breaching these provisions. The Explanatory Memorandum argues that as the My
Health Record system deals with privacy sensitive information, ‘misuse of this
information needs to have proportionate penalties to the potential damage to
healthcare recipients’.[111]
It also notes that ‘only a specific group of users, being healthcare providers
and other participants in the My Health Record system with access to sensitive
information will generally be impacted by these penalties’. [112] Proposed
subsection 26(6), insofar as it relates to a breach of subsection 26(2),
provides an example of a civil offence that will apply more broadly. This is
because a person who has information disclosed to them in contravention of
proposed section 26(1) will be subject to these penalties in the event they
then disclose or use the information-even if they are not a participant in the
My Health Record system.
Items 38-40 amend current section 29 of the HI Act,
to clarify when an unauthorised collection, use or disclosure of a healthcare
identifier constitutes an interference with privacy under the Privacy Act.
This is significant as complaints about breaches of information privacy trigger
the functions and powers of the Information Commissioner, including the power
to undertake investigations. The amendments in items 38-40 clarify that
the provisions only operate in respect to healthcare identifiers of a
healthcare recipient or of an individual healthcare provider (not in relation
to a healthcare organisation). The proposed provisions also ensure that just
because a person cannot be found to have breached a civil penalty provision (as
they did not have the relevant state of mind) this does not mean there will not
be an interference with privacy under the Privacy Act.
Item 43 inserts new Part 5A–Enforcement into
the HI Act, which activates a number of corresponding Parts of the Regulatory
Powers (Standard Provisions) Act 2014 (Regulatory Powers Act).[113]
The Regulatory Powers Act:
...seeks, over time, to systematise the monitoring and
investigatory powers provided to Commonwealth regulatory agencies. To do that,
the [Act] seeks to act as the standard framework to which other legislation
refers, in order to trigger its provisions that are relevant to a particular
agency or authority.[114]
In particular, proposed subsection 31C(1) provides
that the civil penalty provisions introduced by this Bill and by future
regulations are enforceable under Part 4 of the Regulatory Powers Act.
Item 46 deals with a review of the HI Act.
The item proposes to replace existing section 35 of the HI Act (which
specifies the timing of the last review, which was conducted in 2013) with a
new section. Proposed section 35 specifies that the Minister, after
consultation with the Ministerial Council, must appoint an individual to review
the operation of the Act and the regulations. The appointee must provide a
report to the Minister within three years of the commencement of proposed
Schedule 1 of the Bill. In addition, a copy of the report must be provided to
the Ministerial Council and be tabled in the Parliament within 15 sitting days
after it is presented to the Minister.
Item 48 introduces a number of amendments which
extend the number of people to whom authorisations apply, clarifies how the HI
Act applies to entities not considered to be legal persons and sets out how
the Service Operator’s functions and powers can be delegated. Proposed
section 36A provides that where an entity has authorisation to disclose
information to a health care provider, that information can be disclosed either
to an employee or person acting on behalf of the provider, a contracted service
provider or an employee or person acting on behalf of the contracted service
provider. This reflects current section 36, which recognises that information
can be received on behalf of an entity in a number of different ways. Proposed
sections 36B, 36C and 36D set out how the various authorisations,
obligations and penalties set out in the HI Act apply to partnerships,
unincorporated associations and trusts with multiple trustees. In particular,
these proposed provisions extend the scope of liability in relation to
unauthorised disclosures to each partner, member of the association and
trustee.
Amendments to the PCEHR Act
Item 69 relates to the operation of a test
environment by the system operator. Being able to operate a test environment
allows the system operator to assess how other systems and software interact
with the My Health Record system. Section 15 of the PCEHR Act sets out
the functions of the System Operator. Item 69 proposes a new paragraph
15(ia), which allows the system operator to establish and operate a test
environment for the My Health Record System and other electronic systems, in
accordance with any Rules that are made.[115]
Item 72 proposes the abolition of two key advisory
bodies: the Jurisdictional Advisory Committee and the Independent Advisory Council,
which were established under Divisions 2 and 3 respectively in Part 2 of the PCEHR
Act. The item proposes to repeal both Divisions, abolishing both bodies.
The main function of the current Jurisdictional Advisory Committee, as prescribed
in Division 2 is to advise the system operator (currently the Secretary of the
Department of Health) on jurisdictional matters relating to the PCEHR. Membership
consists of representatives from the Commonwealth and each state and territory.
The Independent Advisory Committee has a number of functions including advising
the system operator on the operation of the PCEHR, participation in the PCEHR,
and clinical, privacy and security matters. Membership of this committee is
required to include experts in medicine, law/privacy, health informatics,
health administration, healthcare for Aboriginal and Torres Strait Islander
people, and healthcare for people in regional areas. The system operator is
required under current section 16 of the PCEHR Act to have regard to the
advice and recommendations of these two bodies. Item 70 proposes to
repeal section 16 at the same time.
It is the Government’s intention that the functions of the
two advisory bodies are to be undertaken by new advisory bodies which will be
established as part of the new Australian Commission for eHealth (ACeH), which
itself is yet to be established.[116]
However, until the ACeH is established, there will be no legislated bodies
advising the system operator.
Items 74–75 insert provisions which deal with the
uploading of healthcare information which includes information about a third
party. In particular, proposed subsection 41(3A) provides that a
registered health care organisation is authorised to upload a record to the My
Health Record system in relation to a healthcare recipient (the patient) which
also contains information about another healthcare recipient (third party)
where this information is directly relevant to the healthcare of the patient.
This new provision operates in conjunction with current subsection 41(3), which
provides that a healthcare recipient must give standing consent for their
information to be uploaded by the healthcare provider except where they have
instructed the provider not to and current subsection 41(4) which provides that
standing consent under current subsection 41(3) (and authorisation under proposed
subsection 41(3A)) has effect regardless of whether state/territory laws
require consent to be given in a particular manner, except if the state and
territory law has been prescribed in the regulations.[117]
Item 76 proposes provisions that specify the type
of healthcare provider who can upload health information to a repository. Item
76 proposes new paragraph 45(ba), which requires the healthcare
provider uploading a health record to be either registered by a registration
authority or be a member of a professional association as specified in the HI
Act (under proposed new section 9A of the HI Act, as
specified at item 31 of Schedule 1 to the Bill). Any healthcare provider
whose registration or membership is conditional, suspended, cancelled or lapsed
(unless the Rules prescribe otherwise) will be excluded.[118]
This new paragraph makes explicit that a healthcare provider creating and
uploading health records is to be properly registered and appropriately
qualified as described in the HI Act.
Item 77 amends the PCEHR Act to reflect the
new copyright exceptions introduced by items 1–2, while items 78–79
introduce amendments to deal with material created before the new exemptions
commence. In particular, a healthcare provider organisation or repository
operator who does not own copyright in the works or film or sound recordings is
prohibited from uploading it unless the owner of the copyright has granted a
licence to the System Operator to deal with the material.
Item 84 repeals current section 58 and replaces it
with new sections 58 and 58A. As with item 34 (above), the
proposed amendments update the provisions which authorise the collection, use
and disclosure of information about healthcare recipients and healthcare
providers by the System Operator and other Commonwealth entities. Collection,
use and disclosure of information is only authorised for the purposes of the My
Health Record system, including incorporating information in a My Health Record.
While neither of these purposes are particularly
controversial, the PCEHR Act currently provides for a number of
circumstances where information in the My Health Record system can be used for
purposes that do not relate to the provision of healthcare or the management of
the My Health Record system:
Information in the My Health Record system can be used for
other purposes identified in Part 4 of the My Health Records Act
including if authorised by another law (section 65), for a law enforcement
purpose (section 70) or ordered by a court or tribunal (section 69). These
authorisations recognise that from time to time information in the My Health
Record system will be relevant for significant decisions, such as investigation
of a crime. The information cannot be disclosed arbitrarily and robust
justification must be provided as to why the information is necessary.[119]
Items 85–88 amend sections 59 and 60 of the PCEHR
Act which deal with the unauthorised collection, use and disclosure of
health information included in a healthcare recipient’s electronic record.
Section 59 prohibits the disclosure of such material unless it is authorised by
the PCEHR Act, while section 60 prevents a person from disclosing
information that was obtained in contravention of section 59. Items 85–88
update the offence provisions in sections 59 and 60 to reflect the new
penalties introduced in relation to an unauthorised disclosure under the HI Act.
A person who breaches either section 59 or 60 may now incur a criminal penalty
of up to two years imprisonment and/or 120 penalty units or a civil penalty
provision of up to 600 penalty units.
Items 91–93 introduce amendments in relation to
other civil penalty provisions. Section 77 of the PCEHR Act provides
that the System Operator, a registered repository operator, a registered portal
operator or a registered contracted service provider must not hold, take,
process or handle My Health Record information outside Australia or cause or
permit another person to do so. The current civil penalty for breaching section
77 is 120 penalty units. Items 91 and 92 provide that a person who
breaches section 77 may now incur a criminal penalty of up to two years imprisonment
and/or 120 penalty units or a civil penalty provision of up to 600 penalty
units. Unlike sections 59 and 60, section 77 does not specify any fault
elements and therefore the fault element is intention in relation to the
physical elements of the offence (for example, taking the records outside
Australia). Item 93 repeals and replaces section 78 to expand the number
of people who have a statutory obligation to comply with the My Health Records
Rules and increases the maximum civil penalty from 80 to 100 penalty units.
Item 94 replaces Parts 6 and 7 of the PCEHR Act
with a new Part 6. As with item 43 (above) the provisions of new
Part 6 will activate a number of corresponding Parts of the Regulatory
Powers Act.[120]
Items 97-100 introduce similar provisions to those discussed in relation
to item 48 (above) in relation to how the My Health Records Act
will apply to entities not considered to be legal persons.
Item 101 proposes to replace existing section 107
with a new section 107 specifying new arrangements for the preparation
of annual reports by the system operator. These take into account the proposed
establishment of the Australian Commission of eHealth (ACeH) which will take on
the functions of the system operator (which is currently the Secretary of the
Department of Health). The future ACeH will be subject to the reporting
provisions under the Public Governance, Performance and Accountability Act
2013 (PGPA Act), which would make parts of the existing
section 107 redundant.[121]
Particularly, there will no longer be any need to include a separate reporting
obligation in the My Health Records Act as the future ACeH will already
be bound under the PGPA Act. Proposed section 107 still specifies
the type of information that is to be included in any annual report prepared by
the system operator. These are the same as those specified in current section
107 but have been amended to take into account changes in nomenclature. The current
requirement to include details of the activities of two advisory committees in
the annual report will not be needed as these bodies are being abolished under
item 72.
Item 102 proposes a review of the My Health Records
Act. Specifically it proposes to replace section 108 of the PCEHR Act
(which specified the timing of the last review—the Royle Review). Proposed
section 108 specifies that, after consultation with the Ministerial
Council, the Minister must appoint an individual to review the operation of the
Act. The appointee must provide a report to the Minister within the later of three
years of the commencement of proposed Schedule 1, or, if Rules have been made
under clause 2 of Schedule 1 of the My Health Records Act, three years
after the making of the Rules. It also requires the Minister to provide a copy
of the report to the Ministerial Council and for the report to be tabled in the
Parliament within 15 sitting days after it is presented to the Minister.
Notably, unlike the repealed section 108, the new section does not specify that
the person appointed to undertake the review take submissions from members of
the public. Nor does it specify the nature of matters to be considered in the
review.
Opt-out system
Currently, the PCEHR system operates as an opt-in system,
which means that an individual has to expressly consent in order to be
registered in the system. This requires an individual to take steps to verify
their identity so that a PCEHR record can be created. The process of having to
opt-in was described as ‘clunky and over complicated’ in the Royle Review,
which recommended the system transition to an opt-out model on the basis that
it would increase PCEHR adoption rates.[122]
An opt-out approach means that an individual is
automatically registered for the My Health Record, unless they expressly
specify they do not want to participate. This Bill allows for trials of
participation arrangements to be conducted in selected regions, including for trials
of an opt-out system. In these trials online accounts will be automatically
created for selected participants using names, date of birth, gender and health
identification numbers pulled out of the Medicare database.[123]
International evidence suggests that an opt-out model is generally well
supported ‘provided safety and security issues are addressed’.[124]
An individual would still be able to control their health record even where
they are participating in an opt-out trial region.[125]
Participation by healthcare providers and organisations would remain opt-in in
the trial areas, and the trials are not expected to place an additional burden
on these entities.[126]
It is therefore not clear how having opt-out for patients, but not for
healthcare providers will achieve the stated goal of this e-Health project,
that is, better health outcomes for individuals given the lack of guarantee
that quality robust information will be shared and thus used by all healthcare
providers in the trial.
Details of the trial sites and the timeframe for these are
not specified, but the Bill proposes to allow the Minister for Health to make
Rules that will prescribe trial arrangements and for the opt-out model to be
applied nationally, after consideration of evidence. Notably, there are no
proposed provisions to ensure the Minister releases publicly the evidence
acquired from the trials or presents this evidence to Parliament. Also of note,
details of how the trial sites will be selected are not specified in any
provisions, but the Explanatory Memorandum states that an administrative
framework will be established and made public.[127]
Significantly, the Explanatory Memorandum is silent about how much advance
notice (and the nature of that notice) will be given to the public to opt-out.[128]
It is also not clear what happens to a default record that is created before a
person has been given transparent, reasonable and fair notice of the trial and
the legal entitlement to opt-out, or what constitutes reasonable notice. At
part of her address to the National Press Club on 28 October 2015, the Minister
announced that ‘all-inclusive trials of the Government’s new My Health Record
will commence in early 2016 for around 1 million Australians’ and will be held
‘in Far North Queensland and in the New South Wales Nepean Blue Mountains
region’.[129]
Item 106 proposes the insertion of new Schedule 1 at the end of
the newly renamed My Health Records Act 2012 (proposed Schedule 2 of the
Bill renames the PCEHR Act to the My Health Records Act) to allow
for the operation of an opt-out system including for trials to be established. The
proposed new Schedule will have three parts.
Part 1 allows for opt-out trials and for these to
be extended nationally. Proposed clause 1 allows the Minister to make My
Health Records Rules (Rules) to apply an opt-out model to a class or classes of
healthcare recipients. It requires the Minister to be satisfied that applying
the opt-out model to a class of healthcare recipients would provide evidence of
the value of an opt-out model. Clause 1 also requires the Minister to consult a
subcommittee of the Ministerial Council, prescribed by the regulations, before
making the Rules and allows the Minister to make Rules that apply the opt-out
model nationally after the commencement of the trials. Proposed clause 2
specifies that the Minister may consider evidence and other relevant matters when
making a decision to extend the opt-out model nationally, and requires the
Minister to consult the Ministerial Council before making Rules that apply the
opt-out model Australia-wide.
Proposed Part 2 of new Schedule 1 My Health
Records Act allows for the registration of healthcare recipients under an
opt-out system, and the sharing and handling of information and other matters under
this system, whether the opt-out system is operating in a trial site or
nationally. Proposed clause 3 allows the system operator to register a
healthcare recipient for a My Health Record if the recipient is eligible as
specified under proposed clause 4, provided the system operator is satisfied that
their identity has been appropriately verified (in accordance with any Rules) and
that the recipient has been afforded the opportunity to decline registration as
specified under proposed clause 5. The proposed clause also requires the
system operator to not register the person if doing so would, in the view of
the system operator, compromise the security or integrity of the My Health
Record system.[130]
Proposed clause 4 specifies that a health care
recipient is eligible for registration provided they have a healthcare
identifier assigned in accordance with the Healthcare Identifiers Act 2010,
and provided the system operator has collected their name, date of birth,
healthcare identifier, Medicare card number or Department of Veterans’ Affairs
number, sex and any other information prescribed in the regulations.
Proposed clause 5 deals with how a healthcare
recipient elects to not be registered for a My Health Record. Proposed clause 5
allows a healthcare recipient to choose not to be registered provided they give
notice and provided the notice is in an approved form and is lodged as
specified. If the Rules specify that notice can only be given within a
specified period of time or depend upon the occurrence of an event and the
healthcare recipient is a member of the class to which the Rules apply, then notice
of an election to not register must be given in accordance with these
requirements. The proposed clause also specifies that an election to not be
registered commences immediately on the day the healthcare recipient gives
notice and ceases immediately on the day the recipient makes an application to
register as specified under proposed clause 6.
Proposed clause 6 allows a healthcare recipient to
apply to a system operator for registration of a My Health Record. The
application must be in an approved form, include relevant information as
specified in the form, and be lodged in a place or means as specified on the
form. A system operator must register the healthcare recipient if they make an
application provided the recipient meets the eligibility criteria specified at
proposed clause 4 and the system operator is satisfied the identity of the
healthcare recipient has been verified (in accordance with any Rules). However,
the system operator is required to not register the person if doing so would,
in the view of the system operator, compromise the security or integrity of the
My Health Record System.
Proposed clauses 7 and 8 deal with matters relating
to information sharing for the purposes of an opt-out system. Proposed
clause 7 authorises a system operator to collect, use and disclose health
information about a healthcare recipient for the purposes of including
information in the My Health Record of a registered healthcare recipient. Proposed
clause 8 specifies in a table the actions an entity or system operator is
permitted to take in relation to the collection, use and disclosure of
information in specified circumstances. The proposed clause also specifies that
if an entity listed in the clause discloses information to the system operator
in circumstances as permitted in the table, and then becomes aware that the
information has changed, the entity must as soon as practicable notify the
system operator of the changed information.
Proposed clauses 9–16 are intended to mirror
provisions in the My Health Records Act which can only operate with
consent (and thus may not be applicable in an opt-out environment).[131]
Proposed clause 9 reflects section 41 of the My Health Records Act
(as amended by items 74–75 of Schedule 1 to the Bill) and authorises a
registered healthcare provider organisation to upload health information about
a registered healthcare recipient (including information about a third party) to
the My Health Record unless it has received express advice from a healthcare
recipient that a particular record or type of record is not to be uploaded; or a
preserved law of a state or territory prohibits the organisation from
disclosing the information without the express consent of the healthcare
recipient.[132]
This helps preserve the healthcare recipient’s control over their health record
even in opt-out regions.
Proposed clauses 10–14 specify that the Chief
Executive of Medicare Australia (Medicare Australia) is required to become a
registered repository operator and operate a repository in line with current
section 38 of the My Health Records Act. This allows Medicare Australia
to upload and share health information with the system operator about a
registered healthcare recipient.
Proposed clause 13 allows for a healthcare
recipient to control the disclosure of information held by Medicare Australia
(such as their Medicare claims) to the system operator, provided they give
notice on an approved form, which is lodged in an approved manner. The clause
also allows for the healthcare recipient to change their mind and permit the
uploading of certain information, provided this notice is given on an approved
form and in an approved manner.
Proposed clause 14 allows information uploaded by
Medicare Australia to include details of healthcare providers who have provided
healthcare to the healthcare recipient. Proposed clause 15 clarifies
that none of these clauses limit the way in which Medicare Australia operates
its repository. Proposed clause 16 allows another registered repository
operator to make available to the system operator health information about a
registered healthcare recipient.[133]
It mirrors proposed section 50D, inserted by item 79 of Schedule
1 to the Bill.
Proposed Part 3 of new Schedule 1 of the My
Health Records Act includes proposed clause 17, which specifies
provisions in the My Health Records Act that do not apply when proposed
Part 2 of new Schedule 1 of the My Health Records Act (the opt-out
system) is operating.
Amendments to the Privacy Act
Items 107–109 repeal the current definitions of
‘health information’ and ‘health service’ in subsection 6(1) of the Privacy
Act and insert new definitions of these terms in proposed sections 6FA and
6FB.[134]
The effect of this change will be to broaden the definition of health service
to include palliative care services, aged care services and to include
injuries, as well as illness and disability. While the Australian Law Reform
Commission (ALRC) recommended that the reference to recording an individual’s
health should be removed from the definition to ensure that it ‘does not extend
to activities such as providing health insurance’,[135]
it has instead been redrafted. Currently under the Act recording information
about an individual’s health is considered a health service. Proposed
subparagraph 6FB(1)(e) provides that recording an individual’s health
will only constitute a health service where it is done ‘for the purposes of
assessing, maintaining, improving or managing the individual’s health’. Proposed
subsection 6FB(3) adopts the recommendation of the ALRC that the definition
of health service ‘should be extended to cover disability services, palliative
care services and aged care services’ and should include services which concern
a person’s psychological health.[136]
Schedule 2—Renaming PCEHR as My
Health Record (amendments to various Acts)
Proposed Schedule 2 to the Bill makes amendments to
the HI Act, the Health Insurance Act, the National Health Act and
the PCEHR Act, to replace occurrences of the terms PCEHR or PCEHR Act
or similar nomenclature, with My Health Record or My Health Record Act 2012
or similar. This includes replacing all references to the PCEHR Rules with My
Health Records Rules. Item 15 specifically proposes to rename the short
title of the Personally Controlled Electronic Health Records Act 2012, to
the My Health Records Act 2012. These amendments to rename the PCEHR to
My Health Record are in line with one of the key recommendations of the Royle
Review, which noted that a change in name would ‘reflect more of a partnership
between the clinician and the patient’ but would ‘retain all of the personal controls
that exist in the current PCEHR’.[137]
Schedule 3—renaming consumers as
healthcare recipients
Schedule 3 (items 1 to 8) proposes to amend the HI
Act, the National Health Act and the newly renamed My Health
Records Act, to replace all references to ‘consumer’ with ‘healthcare
recipient’. Currently, the term healthcare recipient is used in the HI Act,
but consumer is used in other health legislation. A healthcare recipient is
defined at proposed section 5 of the PCEHR Act to be ‘an
individual who has received, receives, or may receive, healthcare’. This applies
the same definition as is used in the HI Act to other relevant
legislation, and removes any potential ambiguity that might derive from allowing
both terms to occur.
The Bill proposes amendments to a number of Acts to
implement the Government’s 2015 Budget announcement on eHealth, as part of its
broader digital health agenda.[138]It
draws on recommendations of two recent reviews of the Personally Controlled
Electronic Health Record (PCEHR) system and the Healthcare Identifiers (HI) Service.
These reviews, which involved a public consultation process, made
recommendations to lift participation in the PCEHR, as well as improve
usability and clinical content.
As well as renaming the PCEHR to My Health Record, the
Bill seeks to expand and strengthen provisions around the collection, use and
disclosure of personal information, allow for the participation of new entities
in the system, clarify copyright issues, prepare for new governance
arrangements and provide for trials of an opt-out model (and other forms of
participation). If these trials are successful, the Bill allows the Minister to
roll out an opt-out model nationally.
Previously, developments around eHealth have garnered
considerable public interest.[139]
The Government has undertaken a broad consultation process with stakeholders, and
has drawn on the recommendations of two reviews which themselves invited public
comment. This process has revealed broad stakeholder and consumer support for
improvements to the PCEHR system, including consideration of an opt-out model.
However, some issues remain sensitive for stakeholders. Concerns around privacy
and consumer control have previously arisen in relation to the PCEHR and
eHealth developments more broadly.[140]
While the Explanatory Memorandum states that consumers will have an extensive
range of privacy positive options, as well as the ability to manage their My
Health Record, this has not been specified in the Bill itself.[141]
Indeed the absence of detail on the control and access which consumers will
have over their health record may not be entirely consistent with the
connotation and denotation of the rebranded name ‘My Health Record’. The provisions
that allow the Minister to determine to roll-out an opt-out system nationally
following trials, but without the need to publicly release evidence, may be
another area which attracts scrutiny.
Members, Senators and Parliamentary staff can obtain
further information from the Parliamentary Library on (02) 6277 2500.
[1]. In
simple terms, if a person or entity provides a health service (even if that’s
not their primary activity) and holds health information, they will be a
‘health service provider’.
[2]. The
opt-out model is being initially introduced as a trial to address the poor
level of participation by Australians, with only 10 per cent of Australians
currently enrolled and using the PCEHR. The opt-out trials are expected to
commence around April 2016.
[3]. World
Health Organisation (WHO), ‘WHO eHealth
resolution 2005’, WHO website, accessed 17 September 2015.
[4]. This
would imply of course, that there is careful, accurate and sufficient record
keeping on the part of health care providers. It is beyond the scope of this
digest to discuss the right of data subjects to ask for data to be rectified
when they are incomplete or inaccurate, and the means by which this may be
effectively done.
[5]. G
Eysenbach, ‘What is e-health?’, Journal
of Medical Internet Research, 3(2), 2001, accessed 20 October 2015.
[6]. R
Jolly, The
e health revolution—easier said than done, Research paper, 3,
2011–12, Parliamentary Library, Canberra, accessed 17 September 2015.
[7]. C
Pearce and M Haikerwal, ‘E-health
in Australia: time to plunge into the 21st century’, Medical Journal of
Australia, 193(7), 4 October 2010, pp. 397–400, accessed 23 September 2015.
[8]. For
background and issues on the Personally Controlled Electronic Health Records
Act 2012, see R Jolly, Personally
Controlled Electronic Health Records Bill 2011, Bills digest, 100,
2011–12, Parliamentary Library, Canberra, 2012, accessed 8 October 2015.
[9]. Privacy
Act, section 6.
[10]. Privacy
Act, section 6. A functionally identical definition is set out at
section 5 of the Personally
Controlled Electronic Health Records Act 2012. Note that the current
definition of ‘health information’ in the Privacy Act is repealed and
replaced by items 107 and 109 of Schedule 1 to the Bill; and the current
definition in the PCEHR Act is repealed and replaced by item 56
of Schedule 1 to the Bill. The new PCHER Act definition adopts the Privacy
Act definition.
[11]. Privacy
Act, section 6. Note that the current definition of ‘health service’ in the Privacy
Act is repealed and replaced by items 108 and 109 of Schedule 1 to
the Bill; and the current definition in the PCEHR Act is repealed and
replaced by item 55 of Schedule 1 to the Bill. The new PCHER Act
definition adopts the Privacy Act definition.
[12]. PCEHR
Act, section 5.
[13]. Emphasis
added.
[14]. Denmark’s
‘end to end’ eHealth system has reportedly reduced some medical errors to
almost zero. C Pearce and M Haikerwal, op. cit., p. 397.
[15]. See
definition set out above.
[16]. PCEHR
Act, section 3.
[17]. COAG
first agreed to a national approach in implementing HI service in 2006: Council
of Australian Governments, Council
of Australian Governments’ Communique, 10 February 2006, p. 12,
accessed 3 November 2015. This was followed by the signing of a National
Partnership Agreement on eHealth in 2009: Council of Australian Governments, National
Partnership Agreement on E-Health, Council of Federal Financial
Relations website, 7 December 2009, accessed 3 November 2015.
[18]. The
assignment of a healthcare identifier by the HI service is an automatic process
not requiring an individual’s consent.
[19]. NEHTA
is a not for profit company limited by guarantee formed on 5 July 2005. NEHTA
is jointly funded by the Commonwealth and state and territory governments.
Further information about NEHTA is available on its website: National E-Health
Transition Authority, ‘About
NEHTA’, website, accessed 3 November 2015.
[20]. Department
of Health, Electronic
health records and healthcare identifiers: legislation discussion paper,
Department of Health, Canberra, May 2015, p. 4, accessed 22 October 2015.
[21]. Health
care providers and other health organisations can also opt-in. Incentive
payments are available to encourage their participation. For example, general
practices that participate are eligible for an eHealth Practice Incentive
Payment (PIP). See Department of Human Services (DHS), ‘Practice
Incentives Program: eHealth incentive’, DHS website, accessed 24 September
2015. The incentive payments are under review so may change in the future. See
Department of Health, ‘Practice
Incentives Programme (PIP) eHealth incentive discussion paper’, Department
of Health, Canberra, September 2015, accessed 30 September 2015.
[22]. Department
of Health, ‘PCEHR
statistics’, Department of Health website, 20 October 2015, accessed 20
October 2015.
[23]. R
Jolly, ‘E
health’, Budget review 2014–15, Parliamentary Library, 30 May 2014,
accessed 17 September 2015.
[24]. R
Royle, Review
of the Personally Controlled Electronic Health Record (Royle Review), report
prepared for the Department of Health, Department of Health, Canberra, December
2013, accessed 17 September 2015.
[25]. Broadly,
the key difference between opt-in and opt-out is that under an opt-in system an
individual expressly consents to register; while under an opt-out system the
individual is automatically registered unless they expressly request otherwise.
[26]. Department
of Health, Healthcare
Identifiers Act and Service Review—Final Report, June 2013, accessed 18
September 2015.
[27]. S
Ley (Minister for Health), Patients
to get new myHealth record: $485m ‘rescue’ package to reboot Labor’s e-health
failures, media release, 10 May 2015, accessed 17 September 2015.
[28]. Australian
Government, Budget
measures: budget paper no. 2: 2015–16, p. 104, accessed 17
September 2015.
[29]. S
Ley (Minister for Health), ‘Second
reading speech: Health Legislation Amendment (eHealth) Bill 2015’, House of
Representatives, Debates, 17 September 2015, p. 10528–10530, accessed 18
September 2015.
[30]. The
Government has suggested that the new body could be established under the Public
Governance, Performance and Accountability Act 2013 rules or under its own
primary legislation. See Explanatory Memorandum, p. 16, 21.
[31]. S
Ley (Minister for Health), ‘Developing
a 21st century electronic health records system’, media release,
9 October 2015, accessed 20 October 2015. The establishment of the
taskforce was also a recommendation of the Royle Review. Royle, op. cit., p.
15.
[32]. A
training package for health providers is currently in development. See
Australian Healthcare and Hospitals Association (AHHA), ‘My
Health Record education and training package’, AHHA website, accessed 30
September 2015. The cost of this package has not been identified.
[33]. Senate
Community Affairs Legislation Committee, Inquiry
into the Health Legislation Amendment (eHealth) Bill 2015, The Senate,
Canberra, accessed 3 November 2015.
[34]. Senate
Standing Committee for the Scrutiny of Bills, Alert
digest, 11, 2015, The Senate, 14 October 2015, pp 13–18.
[35]. Ibid.,
pp 14–15.
[36]. Criminal Code Act
1995, accessed 28 October 2015.
[37]. Senate
Standing Committee for the Scrutiny of Bills, op. cit., p. 14.
[38]. Ibid.
See also: Attorney-General’s Department, A
guide to framing Commonwealth offences, infringement notices and enforcement
powers, Australian Government, Canberra, updated September 2011,
accessed 29 October 2015.
[39]. Senate
Standing Committee for the Scrutiny of Bills, op. cit., pp 13-18.
[40]. Ibid.,
pp 16-17.
[41]. Ibid.,
p. 17.
[42]. Ibid.,
pp 14-18.
[43]. K
McDonald, ‘Name-changer:
PCEHR amendment bill finally introduced’, Pulse+IT, 18 September
2015, accessed 22 October 2015.
[44]. C
King, ‘Second
reading: Health Legislation Amendment (eHealth) Bill 2015’, House of
Representatives, Debates, (proof), 15 October 2015, p. 10, accessed
20 October 2015.
[45]. Senator
R Di Natale, ‘eHealth
is good news for health: Greens’, media release, 6 June 2012, accessed 24
September 2015.
[46]. Department
of Health, Electronic
health records and healthcare identifiers: legislation discussion paper,
op. cit., p. 6.
[47]. Submissions
are accessible at Department of Health, ‘Electronic
Health Records and Healthcare Identifiers: Legislation Consultation - Public
Submissions’, The Department website, accessed 22 September 2015.
[48]. Deloitte,
Report
to the Commonwealth Department of Health on the public consultation into the
implementation of the recommendations of the Review of the Personally
Controlled Electronic Health Record, report prepared for Department of
Health, Department of Health, Canberra, September 2014, accessed 18 September
2015.
[49]. Ibid.,
p. 10.
[50]. Ibid.,
p. 10.
[51]. Ibid.,
p. 13.
[52]. Ibid.,
p. 13.
[53]. Ibid.,
p. 1.
[54]. Australian
Privacy Foundation, Submission
to Department of Health, Electronic health records and healthcare
identifiers—Discussion paper, p. 3, accessed 22 September 2015.
[55]. Ibid.,
p. 8.
[56]. Ibid.,
p. 2.
[57]. Ibid.,
p. 8.
[58]. Ibid.,
p. 2.
[59]. Deloitte,
op. cit., p. 18.
[60]. Ibid.
[61]. Ibid.,
p. 15.
[62]. Ibid.,
p. 16.
[63]. Department
of Health, ‘Electronic
health records and healthcare identifiers: legislation consultation - public
submissions’, Department of Health website, 8 October 2015, accessed 22
October 2015.
[64]. D
More, ‘The
opt-out trials may be much trickier that is presently believed. There are many
challenges I suspect’, Australian Health Information Technology blog, 16
June 2015, accessed 22 September 2015.
[65]. K
McDonald, ‘Support
for PCEHR optout from HISA and HIMAA survey’, Pulse+IT, 7 July 2015,
accessed 22 September 2015.
[66]. Ibid.
[67]. Victorian
Government, Submission
Department of Health, Electronic health records and healthcare
identifiers—Discussion paper, p. 2, accessed 24 September 2015.
[68]. NSW
Health, Submission
to Department of Health, Electronic health records and healthcare
identifiers—Discussion paper, p. 1, accessed 24 September 2015.
[69]. COAG
Health Council, Communique,
media release, 7 August 2015, accessed 24 September 2015.
[70]. Explanatory
Memorandum, Health Legislation Amendment (eHealth) Bill
2015, p. 3, accessed 29 October 2015.
[71]. Australian
Government, Budget measures: budget paper no. 2: 2015–16, op. cit., p.
104.
[72]. R
Jolly, ‘E health’, op. cit.
[73]. K
McDonald, ‘No
decision on trial sites or enabling legislation for opt-out PCEHR’, Pulse+IT,
15 September 2015, accessed 19 September 2015.
[74]. R
Royle, op. cit., p. 9.
[75]. Senate
Community Affairs Committee, Answers to Questions on Notice, Health Portfolio,
Budget Estimates 2014–2015, 2/3 June 2014, Question
SQ14-000502, accessed 21 September 2015.
[76]. The
Statement of Compatibility with Human Rights can be found at page 28 of the
Explanatory Memorandum to the Bill.
[77]. Explanatory
Memorandum, Health Legislation Amendment (eHealth) Bill
2015, pp. 29-30, accessed 29 October 2015.
[78]. UN
Committee on Economic, Social and Cultural Rights (CESCR), General
comment no. 14: the right to the highest attainable standard of health (art. 12
of the Covenant), 11 August 2000, E/C.12/2000/4, accessed 22 October 2015.
[79]. Ibid.,
paragraphs 8 and 9.
[80]. Preamble
to the International
Principles on the Application of Human Rights to Communications Surveillance,
Final Version, May 2014, accessed 11 October 2015. The issue of the use of
health information for the purposes of contributing to better and more
efficient health outcomes triggers issues and concerns around the claim of
factuality and accuracy of representation of information available for use, and
the ability of individuals to access and request changes to the recorded
information where there are inaccuracies or incompleteness. See UN General
Assembly, Resolution 68/167, The
Right to Privacy in the Digital Age, UN Doc. A/RES/68/167, 13 December
2013.
[81]. S
Warren and L Brandeis, ‘The
Right to Privacy’, Harvard Law Review, 4(5), 15 December 1890,
accessed 11 October 2015.
[82]. Universal Declaration of Human
Rights, adopted by the United Nations General Assembly on 10 December 1948;
UN General Assembly, International
Covenant on Civil and Political Rights, done in New York on 16 December
1966, [1980] ATS 23 (entered into force for Australia (except Art. 41) on 13
November 1980; Art. 41 came into force for Australia on 28 January 1994).
[83]. It
is notable that the Swedish eHealth system appears to be far more evolved in
this regard, which may explain the higher take up rate—about two million people
(a fifth of the population). The ‘National e-health services in Sweden provide
citizens with health information, contact details of providers, and interactive
services where they can ask questions anonymously that are answered by
healthcare professionals within seven days. The national portal My Healthcare
Contacts lets citizens request, cancel, or reschedule healthcare appointments,
renew prescriptions, and request contact with a specific clinician or hospital.
Each healthcare centre or other local provider decides which e-services people
can use to interact with them.’ See: M Hägglund and S Koch, ‘Commentary: Sweden rolls out online access
to medical records and is developing new e-health services to enable people to
manage their care’, BMJ, 350, February 2015, accessed 20 October
2015.
[84]. Parliamentary
Joint Committee on Human Rights, Twenty-ninth
report of the 44th Parliament, The Senate, 14 October 2015, accessed
10 November 2015.Parliamentary Joint Committee on Human Rights, tabled 14
October 2015.
[85]. Copyright Act 1968,
accessed 29 October 2015.
[86]. Literary
works are usually written (with the exception of computer programs) and include
tables, results, instructions, list of symptoms and so forth.
[87]. Defined
at subsection 10(1) of the Copyright Act,
[88]. Explanatory
Memorandum, Health Legislation Amendment (eHealth) Bill
2015, op. cit., p. 39.
[89]. Proposed
subparagraph 44BB(1)(a)(ii) refers to subsection 16A(1) of the Privacy Act 1988,
which sets out a number of situations in which the information handling
requirements set out in the Privacy Act (specifically the Australian
Privacy Principles (APPs) contained in Schedule 1 to the Act) do not apply.
These are referred to as ‘permitted general situations’. The Privacy Act
requirements apply to ‘APP entities’. As not all participants in the My Health
Record system will be APP entities, proposed subparagraph 44BB(1)(a)(ii) adjusts
the exception in subsection 16A(1)
to also cover non-APP entities. For further information see: Office of the
Australian Information Commissioner (OAIC), ‘Chapter
C: Permitted general situations’, OAIC website, February 2014, accessed 29
October 2015.
[90]. ‘Permitted
health situations’ are set out at section 16B of the Privacy Act. As set
out above, the Privacy Act requirements apply to ‘APP entities’. As not
all participants in the My Health Record system will be APP entities, proposed
subparagraph 44BB(1)(a)(iii) adjusts the exception in subsection 16B to also
cover non-APP entities. For further information see: Office of the Australian
Information Commissioner (OAIC), ‘Chapter
D: Permitted health situations’, OAIC website, February 2014, accessed 29
October 2015.
[91]. Explanatory
Memorandum, op. cit., p. 41.
[92]. Healthcare Identifiers
Act 2010, accessed 30 October 2015.
[93]. Department
of Health, ‘Participating
in the personally controlled electronic health record system: a registration
guide for healthcare organisations’, Department website, 9 June 2015,
accessed 17 October 2015.
[94]. Ibid.
[95]. Ibid.
[96]. Ibid.
[97]. Ibid.
[98]. Ibid.
[99]. Ibid.
[100]. The
Explanatory Memorandum provides that ‘the purposes of the My Health Record
System will require consideration of the System Operator’s functions under
section 15 of the My Health Records Act, the purposes and objects of the
My Heath Records Act, and the powers and obligations of the System
Operator and other participants in the My Health Record system’: Explanatory
Memorandum, op. cit., pp. 67–68.
[101]. Explanatory
Memorandum, op. cit., p. 49.
[102]. HI
Act, proposed subsection 20(3).
[103]. Explanatory
Memorandum, op. cit., p. 54.
[104]. HI
Act, proposed subsection 25E(4). Section 4AA of the Crimes Act 1914
(Cth) provides that a penalty unit is equal to $180. Therefore the maximum
penalty for breaching this requirement is $18,000.
[105]. Proposed
paragraph 26(3)(d) refers to subsection 16A(1) of the Privacy Act and
expands the exception to apply where the collection, use or disclosure has been
done by a non-APP entity.
[106]. HI
Act, proposed subparagraph 26(e)(3).
[107]. The
Privacy Act requirements apply to ‘APP entities’. As not all
participants in the My Health Record system will be APP entities, proposed
paragraph 26(4)(c) adjusts the exception in subsection 16A(1) to also
cover non-APP entities.
[108]. HI
Act, proposed subparagraph 26(e)(3).
[109]. See
Criminal Code Act
1995, subsection 13.3(3).
[110]. See
Criminal Code Act
1995, section 5.6.
[111]. Explanatory
Memorandum, op. cit., p. 34.
[112]. Ibid.
[113]. Regulatory
Powers (Standard Provisions) Act 2014, accessed 30 October 2015.
[114]. J
Murphy, Regulatory
Powers (Standard Provisions) Bill 2014, Bills digest, 73, 2013–14,
Parliamentary Library, Canberra, 2014, p. 3, accessed 30 October 2015.
[115]. Personally Controlled
Electronic Health Records Act 2012, accessed 30 October 2015.
[116]. Explanatory
Memorandum, op. cit., p. 72.
[117]. Regulation
3.1.1 of the Personally
Controlled Electronic Health Records Regulation 2012 prescribes provisions
of the following legislation: Public
Health Act 2010 (NSW); Public
Health Act 2005 (Qld); Public Health
Act 1997 (ACT), all accessed 9 November 2015.
[118]. The
Explanatory Memorandum provides an example of where it might be appropriate for
the Rules to prescribe otherwise. See Ibid., p. 73.
[119]. Ibid.,
p. 32.
[120]. See
footnotes 112–113 and related text for further information on the Regulatory
Powers Act.
[121]. Public Governance,
Performance and Accountability Act 2013, accessed 2 November 2015.
[122]. Royle,
op. cit., p. 55. See recommendation 13.
[123]. Explanatory
Memorandum, op. cit., p. 94. While the Explanatory memorandum provides that
‘there are no regulations proposed to collect any further information’, the
regulations can be amended to identify further information that can be
collected about an individual.
[124]. Royle,
op. cit., p. 28. In the UK, the summary care record rollout by the National
Health Service experienced an opt-out rate of just 1.4 per cent.
[125]. Explanatory
Memorandum, op. cit., p. 92.
[126]. Ibid.,
p. 23.
[127]. Ibid.,
p. 93.
[128]. Ibid.,
p. 92. The Explanatory Memorandum states that ‘various methods would be
available to healthcare recipients to opt-out, for example, online, in person
or by phone’. However, these are not set out in the Bill.
[129]. S
Ley (Minister for Health), National
Press Club Address, media release, 28 October 2015, accessed 5 November
2015.
[130]. The
My Health Record System Operator is currently the Secretary of Department of
Health as prescribed in section 14 of the PCEHR Act. It is intended that
the new Australian Commission on eHealth (ACeH) will undertake this role once
it is established.
[131]. Explanatory
Memorandum, op. cit., p. 102.
[132]. A
preserved law for the purposes of the My Health Record system refers to a law
prescribed by regulation 3.1.1 of the Personally Controlled
Electronic Health Records Regulation 2012, accessed 2 November 2015.
[133]. Repository
operators must be registered under section 49 of the My Health Records Act
2010.
[134]. Privacy Act 1988,
accessed 2 November 2015.
[135]. Australian
Law Reform Commission (ALRC), For your information:
Australian privacy law and practice, ALRC report 108,
12 August 2008, pp. 2067–2068, accessed 7 October 2015.
[136]. Ibid.,
p. 2065.
[137]. Royle,
op. cit., p. 19.
[138]. S
Ley, ‘Second reading speech: Health Legislation Amendment (eHealth) Bill 2015’,
op. cit.
[139]. R
Jolly, Personally
Controlled Electronic Health Records Bill 2011, Bills digest, op. cit.
[140]. Ibid.
[141]. Explanatory
Memorandum, op. cit., p. 92.
For copyright reasons some linked items are only available to members of Parliament.
© Commonwealth of Australia
Creative Commons
With the exception of the Commonwealth Coat of Arms, and to the extent that copyright subsists in a third party, this publication, its logo and front page design are licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Australia licence.
In essence, you are free to copy and communicate this work in its current form for all non-commercial purposes, as long as you attribute the work to the author and abide by the other licence terms. The work cannot be adapted or modified in any way. Content from this publication should be attributed in the following way: Author(s), Title of publication, Series Name and No, Publisher, Date.
To the extent that copyright subsists in third party quotes it remains with the original owner and permission may be required to reuse the material.
Inquiries regarding the licence and any use of the publication are welcome to webmanager@aph.gov.au.
Disclaimer: Bills Digests are prepared to support the work of the Australian Parliament. They are produced under time and resource constraints and aim to be available in time for debate in the Chambers. The views expressed in Bills Digests do not reflect an official position of the Australian Parliamentary Library, nor do they constitute professional legal opinion. Bills Digests reflect the relevant legislation as introduced and do not canvass subsequent amendments or developments. Other sources should be consulted to determine the official status of the Bill.
Any concerns or complaints should be directed to the Parliamentary Librarian. Parliamentary Library staff are available to discuss the contents of publications with Senators and Members and their staff. To access this service, clients may contact the author or the Library‘s Central Entry Point for referral.