My Health Records Amendments (Strengthening Privacy) Bill 2018
Purpose of the Bill
The My Health Records Amendment (Strengthening Privacy) Bill 2018 (Bill)
proposes amendments to the My Health Records Act 2012 (MHR Act) to strengthen
the privacy provisions of the My Health Record (MHR) system.
During the MHR system opt-out period, concerns were raised by some
healthcare recipients, peak health bodies and privacy organisations that the
MHR Act included provisions for the disclosure of health information to law
enforcement agencies and other government bodies. Concerns were also raised
that health information contained in MHRs would be retained by the MHR System
Operator (System Operator) after healthcare recipients requested their MHR
registration be cancelled.
In response to this concern, the Minister for Health, the Hon. Greg Hunt
MP, announced the Australian Government would strengthen the privacy provisions
in the MHR Act, specifically in relation to disclosure and retention of information. The proposed amendments in the Bill give legislative effect to the Minister's
- removing the current capacity of the System Operator to disclose information
contained in a MHR to a law enforcement or government agency without an order
from an eligible judicial officer, or consent from the healthcare recipient;
- requiring the System Operator to permanently delete the health
information stored in the National Repositories Service should the person for whom
the MHR is made cancel their MHR registration.
The concept of a national digital health record has been progressed in
public policy over the past decade and was formally agreed by Australian
governments through the National eHealth Strategy in 2008. The strategy
recognised the need to consolidate individuals' health information, and for
that information to be accessible by individuals and healthcare providers to
improve communication and continuity of individuals' care across health services.
In 2012, the Australian Parliament legislated for a national digital
health record system and established the Personally Controlled Electronic Health
Records (PCEHR) system. The PCEHR system was implemented to, in part, overcome
issues in healthcare resulting from fragmented health information, and to
enable healthcare recipients to manage their own health data.
In 2013, the Australian Government commissioned a review of the PCEHR
system. The review's report made 38 recommendations, including moving the PCEHR
system to an opt-out model. In the 2015–16 Budget, the Australian Government announced in the 'My Health
Record—a new direction for electronic health records in Australia' measure
- $485.1 million over four years would be provided to continue the
operation of the eHealth system;
trials would be implemented to test opt-out arrangements;
- PCEHRs would be renamed to MHRs; and
- an agency would be established to provide national coordination
The Australian Digital Health Agency (ADHA) was established on 30
January 2016, and is the prescribed System Operator.
Following agreement of the Council of Australian Governments Health
Council, the Australian Government confirmed, through the 2017–18 Budget, that the
MHR system would transition to an opt-out model. The opt-out period for the MHR system commenced on 16 July 2018 and ends on 15 November
The privacy framework for the MHR system is established through the
provisions of the MHR Act, Privacy Act 1988, and the Healthcare
Identifiers Act 2010. The amendments proposed in the Bill build on this established privacy
Provisions of the Bill
The Bill is comprised of one schedule, inclusive of 17 items. The key proposed
amendments to the MHR Act are:
- Item 5—adds a requirement to subsection 17(2) to require
the System Operator to permanently destroy a MHR should a healthcare recipient cancel
their MHR registration. Currently, the System Operator is required to retain
all MHR information for healthcare recipients until 30 years after their death,
or, if the date of death is unknown, 130 years after the date of the healthcare
- Item 6—inserts a new subsection 17(3) to require the System
Operator to destroy any health information that is included in a MHR when a
healthcare recipient cancels their MHR registration, excluding certain
administrative information, such as the name and healthcare identifier of the
person making the cancellation request, and the date of cancellation. Item 6
also inserts subsection 17(4) which requires the System Operator to destroy MHR
information, in accordance with subsection 17(3), as soon as practicable after
a cancellation request is made, unless there is court order for the System
Operator not to destroy a MHR, or there are particular legal requirements for
the System Operator to disclose a MHR.
- Item 10—inserts a new subsection 65(3) that limits the
laws that authorise the collection, use and disclosure of MHR information. In
effect, subsection 65(3) limits the collection, use and disclosure of MHR
information to the Auditor-General, the Ombudsman and the Information
Commissioner in fulling their legislated functions. Other entities seeking to access
MHR data would need to do so under section 69 or proposed section 69A, which
would require a court order.
- Item 12—inserts new section 69A to limit the disclosure of
information to designated law enforcement and government agencies only by order
of a specified judicial officer, and the process by which a designated entity
may apply for such an order to be made and the administrative requirements the
order must meet. Item 12 also inserts new section 69B, which specifies the
judicial officers who can make an order to disclose MHR information under new section
- Item 14—repeals subsections 70(1) and 70(2) which
currently enable the System Operator to use or disclose health information
included in MHRs for law enforcement and revenue protection related activities.
- Item 16—inserts new subsection 70(3A) which enables the
System Operator , under specified conditions, to release limited information to
a relevant person or agency where the System Operator reasonably believes there
may be unlawful activity occurring in connection with its functions to enable
initial consideration of the matter.
If enacted, the Bill's proposed amendments to the MHR Act would commence
the day after the Bill receives Royal Assent.
There will not be any net financial impact arising from the Bill.
The Senate Standing Committee on the Scrutiny of Bills reported it did
not have any comments on the Bill.
The Joint Committee on Human Rights reported that the Bill did not raise
any human rights concerns.
Conduct of the inquiry
On 22 August 2018, the Bill was introduced in the House of
Representatives and read a first time.
On 23 August 2018, the Senate, referred the provisions of the Bill to
the Senate Community Affairs Legislation Committee (committee) for inquiry and
report by 12 October 2018.
On 19 September 2018, the Senate granted the committee an extension of
time to report to 12 October 2018.
At the time of referral, the Senate Community Affairs References
Committee (references committee) was conducting a related inquiry into the MHR
system. The two Senate Standing Committees on Community Affairs have agreed to share
relevant evidence received across the inquiries. Only matters directly relevant
to the provisions of the Bill are considered in this report. Matters related to
the broader operation of the MHR system are considered in the references
The committee wrote to 57 individuals and organisations inviting
submissions by 14 September 2018. The committee received 31 submissions to the
inquiry, which were published on the committee's inquiry webpage.
The committee thanks the witnesses and submitters for their
contributions to the inquiry.
Notes on references
In this report, references to the Committee Hansard are to proof
transcripts. Page numbers may vary between proof and official transcripts.
Navigation: Previous Page | Contents | Next Page