Most submissions supported the objectives of the Health Legislation
Amendment (eHealth) Bill 2015 (Bill) to improve health outcomes, achieve a
better partnership between patients and healthcare providers in healthcare and
develop an effective, national shared electronic health record system.
A number of submissions supported the measures outlined in the Bill, including
the introduction of an opt-out trial of the My Health Records system.
However, a number of submitters raised concerns about the following aspects of
introduction of an opt-out model;
privacy and security issues;
proposed rule-making authority measures;
civil and criminal penalties; and
legislation consultation process.
The Department of Health (department) submitted that the measures
outlined in the Bill would all contribute to improving health outcomes for
...the combination of opt-out trials, extensive information and
communication activities, and the continuation of the same strong personal
controls mean that moving to opt-out participation arrangements for individuals
is proportionate, necessary and reasonable for achieving the objective of
improving health outcomes.
Submitters expressed both support and opposition to the trial of an
A number of submitters supported the introduction of an opt-out model
for both healthcare recipients and healthcare providers.
For example, Medicines Australia suggested that an opt-out system:
...will enable the My Health Record to provide better, more
useful and usable information to healthcare practitioners, which will in turn
lead to improved whole-of-care for patients.
The Office of the Australian Information Commissioner (OAIC) recognised
that the benefits of an effective eHealth record system include 'better health
outcomes arising from the improved availability and quality of health
information, fewer adverse medical events, and procedural and economic
efficiency through reduced duplication of treatment'.
Similarly, the National eHealth Transition Authority (NEHTA) noted that:
The objectives of eHealth to improve healthcare outcomes are
supported across the community. A shift to an opt-out consumer participation
model continues to be advocated by consumers and providers alike.
However, a number of submissions expressed concerns about the
introduction of an opt-out model. The Australian Privacy Foundation recommended
that the My Health Record system should 'never be made opt-out', suggesting
that the collection of data would 'have no practicable health value, but would
represent a significant and dangerous risk'.
The department noted that the trial of opt-out arrangements:
...provides the opportunity for the Australian community to
consider their response to opt-out arrangements and determine whether from
their perspective the arrangements are proportionate and reasonable measures to
achieving the objective of improving health outcomes.
The department clarified that the trials of the opt-out arrangements aim
identify appropriate methods of targeting and delivering critical
information about the My Health Record System to key audiences;
assess the effectiveness of targeted communications, and
education and training for healthcare providers; and
test implementation approaches.
The department confirmed that trials of opt-out participation
arrangements would be conducted in two sites in the North Queensland and Nepean
Blue Mountains Primary Health Network areas.
The department also highlighted that opt-out arrangements would have a
significant impact on long-term government expenditure:
Annual Commonwealth healthcare costs are forecast to increase
by $27 billion to $86 billion by 2025, and will increase to over $250 billion
by 2050. Improved health outcomes and productivity improvements such as hose
that can be delivered by eHealth are needed to help counter the expected
increases in the healthcare costs. Leveraging eHealth is one of the few
strategies available to drive microeconomic reform to reduce Commonwealth
health outlays. Without these changes, the quality of healthcare available to
all Australians may reduce in the future as costs become prohibitive.
Without a move to opt-out participation arrangements, the
required critical mass of registered individuals may not occur, or may be
significantly delayed. As a result, the anticipated objective of improving
health outcomes and reducing the pressure on Commonwealth health funding may
not occur or may be significantly delayed. Under the current opt-in
registration arrangements, a net cumulative benefit of $11.5 billion is
expected over 15 years to 2025. It is anticipated that the move to a national
opt-out system would deliver these benefits in a shorter period.
Current uptake of eHealth records
NEHTA noted that at 22 October 2015, the national Personally Controlled
Electronic Health Record (PCEHR) system currently has registered:
2 427 704 consumers (a large proportion of which are newborns and
7 970 healthcare organisations (including 452 public hospitals);
57 810 shared health summaries; and
1.77 million prescription records.
NEHTA suggested that this level of uptake:
...is an indicator of willingness by providers to engage with
eHealth, even if comfort and capability to use the system is still developing.
Together with continual improvements to usability and registration processes,
the changes proposed in the eHealth Bill will further facilitate use of eHealth
and the PCEHR.
The department noted although currently around 1 in 10 individuals have
a My Health Record, there is 'overwhelming support for electronic health
records from the consumer community'. The department suggested that the current
'opt-in' system is 'considered an administrative barrier to consumers achieving
better health outcomes through the electronic sharing of their health
Utility of data
However, some submitters suggested that the low uptake of the eHealth
system reflected the perceived inefficiencies of the PCEHR system. The
Australian Privacy Foundation (APF) expressed concern that the Bill focuses 'on
the number of registrations rather than usability and clinical value'. The APF
also raised questions about the use and value of the PCEHR system, suggesting
that the 2013 PCEHR review:
...noted that poor utility was a major factor in the low level
of uptake of the PCEHR. We are unaware of any initiatives to identify what is
required to increase the usability of the PCEHR or to actually implement
improvements in the system.
Similarly, the Consumers eHealth Alliance suggested that the existing
PCEHR system does not function effectively:
Rather than an efficient and trusted means of information
exchange, the system resembles a big old tiling cabinet, randomly stuffed with
a selection of documents that may or may not be current, relevant or accurate.
That is why doctors don't use it, and consumers show little
Submitters suggested that the PCEHR system does not improve health
outcomes. Primary Health Care Limited submitted that 'evidence to date shows
the spend and value generated as a result of the PCEHR initiative has not
increased quality of patient care or streamlined health delivery processes'.
Similarly, the Royal Australian College of General Practitioners (RACGP)
There is currently limited evidence that supports the
proposition that patients merely having access to their healthcare information
leads to significant changes to healthcare outcomes. It is the use by
clinicians that will help deliver the benefits of coordinated and integrated
care and clinicians are unlikely to use it until design and functionality
issues are resolved.
Medicines Australia suggested that the My Health Record system could be
improved by considering the mandatory inclusion of medications, noting that this
could 'go a long way to reducing and in some cases eliminating avoidable
medication misadventure, error and mishap'.
Medicines Australia noted that 'optimising the My Health Record to improve the
recording, sharing and management of prescribed (and non-prescribed) medication
will enable better monitoring of patients' medication management' and
contribute to 'improved safety and quality use of medicines'.
The department submitted that having a My Health Record would be 'likely
to improve health outcomes, making access to the right treatment faster, safer,
easier and more cost effective'.
The Explanatory Memorandum (EM) noted that the 'usability' issues identified by
the 2013 PCEHR review would be addressed through preparing for new governance
arrangements and simplifying the privacy framework 'by revising the way that
permissions to collect, use and disclose information are presented, making it
easier for participants in the system to understand what they can and cannot do'.
In her second reading speech, the Minister for Health (Minister), the
Hon Sussan Ley MP, noted that increasing the uptake of eHealth records would
improve the value of the system:
At present about one in 10 Australians has an electronic
health record. That is not enough to make it an effective national system, and
doctors do not see enough value as yet to use it. If the majority of people
have a My Health Record, more healthcare providers will use it and include
their patients' health information on it, and this will improve the overall
value of the system.
Impact on vulnerable groups
As noted in Chapter 1, the Parliamentary Joint Committee on Human Rights
(PJCHR) raised a number of concerns about the impact of an opt-out model on the
right to privacy and rights of vulnerable groups, including children and people
The Consumers eHealth Alliance recommended that the trials be delayed
until the issues raised by the PJCHR are addressed and suggested 'reflection on
the critical points raised by the PJCHR in respect of the nature and scale of
vulnerable people - and the practical and legal difficulties of obtaining
proper, informed, consent from an unengaged populace'.
The EM noted that the anticipated benefits in health outcomes as a
result of the Bill would be:
...skewed towards vulnerable families as they currently face
more challenges in accessing timely and appropriate healthcare and will have
more to benefit from improved health outcomes. These people are also less
likely to participate in an opt-in model as they are more likely to be
challenged by the registration process.
This statement was supported by Carers Australia's submission which
noted that 'carers are less likely to participate in an opt-in model and are
more likely to be challenged by the registration process'.
The department submitted that the current PCEHR system provides special
arrangements to support children and vulnerable people to participate in the
system by allowing authorised representatives to act on their behalf. The
department noted that the Bill provides additional arrangements to ensure:
...that people providing decision-making support will...need to
give effect to the will and preference of the person to whom they provide
decision-making support. Ensuring that representatives can continue to act on
behalf of individuals (including children and persons with a disability) to
help them to manage their record as part of opt-out is a privacy positive under
the eHealth Bill. Authorised representatives will be able, for example, to
opt-out the individual for whom they have responsibility from having an
electronic health record, if this meets the will and preference of the person
they are representing.
The department further noted that the process has been designed to:
...cater for those people who have difficulties in coping with
bureaucratic processes to ensure it is highly accessible and easy to understand
so that they are able to exercise their right to opt-out without unnecessary
complexity. While phone and online channels are expected to cater for the
majority of individuals, the Department of Health is working to ensure that
alternative processes will be available to all individuals including those
needing additional support or with limited documentation.
The OAIC raised concerns that the Bill does not address how healthcare
recipients who wish to obtain a pseudonymous record, currently available under
the current system, would be able to do so under an opt-out system. The OAIC
recommended that the EM be amended to outline how such records would be
addressed in an opt-out model, including for existing healthcare recipients,
and this be included in the public awareness campaign.
The OAIC highlighted that one of the key privacy safeguards for the
trial is a 'fair and easy to use opt-out process' that includes:
healthcare recipients an adequate time period in which to receive and consider
information about the opt-out system, to make their decision about whether or
not to opt-out, and to exercise their right to opt-out if they so choose
free, simple and accessible means of opting-out of the system, including means
that take account of the needs of healthcare recipients with particular needs.
The OAIC recommended that further details be provided on the opt-out
process for minors and adults lacking capacity and how their records would be
managed, including 'what mechanism will be in place to ensure that, where an
adult healthcare recipient who lacks capacity has not or is not opted-out, the
individual has received the necessary support and information to make that
The department clarified that the opt-out process would be designed to
be 'as simple as possible for as many people as possible'. The department noted
that individuals who choose to opt-out would be able to do so online, in person
or by phone:
The process leading to the creation and filling of a record
as part of the opt-out trial has been designed to ensure it is highly
accessible, easy to understand and caters for those people who have
difficulties in coping with administrative processes so that they are able to
exercise their right to opt-out without unnecessary complexity.
Awareness and education campaign
A number of submitters highlighted the need to ensure that people,
particularly those from disadvantaged backgrounds and those with poor health
literacy, are made aware of how to opt-out of the system.
Without this, individuals are likely to be 'unaware that their data is in a large
central repository that can be accessed by providers across Australia and the
The OAIC suggested that the public awareness campaign should satisfy the
- it should
provide sufficient information to enable healthcare recipients to understand
what the PCEHR system is and the benefits and risks of participation, and to
understand what their options are
option to opt-out of the system should be clearly and prominently presented
campaign needs to be of sufficient scope so that it is likely that each
affected healthcare recipient has received and read the information about the
PCEHR system, the option to opt-out, and the opt-out process
information provided for healthcare recipients should clearly explain the
implications of not opting-out. This information should also clearly explain
the personal controls available to them, when they will become available and
how they can be set
material should be accessible, written in plain English and should also be
provided in ways that take into account the needs of healthcare recipients with
particular needs, such as those from a non-English speaking background and
disadvantaged or vulnerable individuals.
The OAIC further recommended that the public awareness campaign:
...clearly inform healthcare recipients about how their
Medicare information will be handled and their options, and that this
information may include detail that indicates diagnosed conditions and
The Australian Dental Association suggested there is also a need for 'an
effective communications and education campaign for all healthcare provider
organisations and providers':
...if healthcare provider organisations do not have an adequate
level of comfort and confidence about how to use the system and what their
obligations are and how they can simply comply with those obligations, under
the Bill as it stands, there is a real risk that these healthcare provider
organisations will not register to participate in the MyHR system, even in
these opt-out trial sites where healthcare recipients automatically have
corresponding MyHRs set up.
The Australian Dental Association recommended that the communication
strategy 'must be targeted to all healthcare provider organisations and
practitioners and not restricted to healthcare provider organisations and
practitioners within the opt-out trail sites' to advise them of the penalties
and obligations under the Bill.
Similarly, Primary Health Care Limited expressed concern that there are 'no
detailed plans on how the initiative will change clinician behaviour to access
My Health Record system for patient records, especially when patients can opt
out and there is a significant likelihood that a patient's records will not be
The department clarified that a communication strategy to inform people
about the opt-out trials is currently being developed. The department submitted
that in relation to the plans for a public awareness campaign:
Comprehensive information and communication activities are
being planned for the opt-out trials to ensure all affected individuals,
including parents, guardians and carers, are aware they are in an opt-out trial
and what they need to do to participate, adjust privacy controls associated
with their record, or to opt-out if they choose. This will include letters to
affected individuals, targeted communication to carers and advocacy groups,
extensive online and social media information, and education and training for
healthcare providers in opt-out trial locations.
The department noted that key features of the communication strategy
launch of the My Health Record (subject to the Bill being passed);
of the eHealth website to include information about the opt-out trials;
of information about the My Health Record programme, including that which is
specific to the opt-out trials;
inclusion of information and articles in consumer peak body/disease association
specific newsletters about the My Health Record programme, and in particular
information to assist carers of people who need assistance to manage their
and training for healthcare providers about the My Health Record Programme;
- a letter
to each person living in an opt-out trial location prior to the commencement of
the 'opt-out' period informing them of the trials and how to opt-out if they so
information, content and articles for distribution to carers and other
associations and advocate groups;
- a letter
to each person who opts-out to confirm they have opted out of the My Health
Record system during the opt-out period;
information to meet the specific needs of each opt-out trial location
community, including the availability of accessible culturally and
linguistically diverse materials, working with vulnerable groups and
considering the needs of rural and remote communities; and
with the state/territory governments involved in opt-out trials to ensure the
appropriate communication or action is taken in respect of individuals in
protection or custody.
The department noted that it is currently considering options for
alerting healthcare recipients who may be unaware that they have a record or
that it is being used, including:
- a letter
is sent to them upon initial creation of the record; and/or
provision of notices for display in healthcare settings and community
noticeboards advising people of the existence of the trial and what to do if
they don't want a record (either before or after its creation).
Privacy and security issues
A number of submitters raised concerns about privacy and security issues
raised by the Bill.
The Australian Privacy Foundation (APF) expressed particular concern
about the 'lack of control of access to information in the PCEHR and to
information in the PCEHR that can be transferred to, and accessed by,
The APF argued that the Bill does not provide adequate user access controls and
'allows anonymous users, without any form of police or security check to access
the system', and risks improper use of healthcare recipients' medical records.
The APF recommended a complete redesign of the user controls to reflect a 'need
to know' approach.
Ms Helen Nicols expressed particular concern about the inclusion of
third party information to a healthcare recipient's My Health Record proposed
under item 106. Ms Nichols noted:
Speaking as a patient who doesn't want any form of ehealth, I
would see this as completely defeating the purpose of allowing me to opt out,
if my health information were to be uploaded anyway into my family's records.
The APF suggested that privacy concerns should be addressed on a
holistic level across the whole electronic health record system:
The PCEHR is part of a complex, interacting health
information ecosystem. Privacy issues need to be treated holistically, not in a
piecemeal manner, as is the situation with the eHealth Bill.
Concerns about personal information security, privacy,
confidentiality and governance of the fragmented national electronic health
records system are as much about how the pieces interact, whether controls,
protection and risk governance effectively deal with the interoperability,
complexity and potential for breach and misuse inherent in the virtual system
of which the PCEHR is part, as they are about the PCEHR itself, which would
have little interest if it was truly standalone.
In contrast, NEHTA submitted that the 'current settings for provider
access appropriately balances privacy and clinical outcomes, and if
communicated effectively, will encourage active use of the system under an
The OAIC submitted that compared to an opt-in system, the proposed
opt-out system increases the privacy risks faced by healthcare recipients,
healthcare recipient's health information will be handled for the purposes of
the PCEHR system without that individual's express consent. This does not align
with best privacy practice, which generally involves obtaining express consent
before handling health or other sensitive information given the bigger privacy
impact that handling this type of information can have
- within a
short period of time, an opt-out system will result in an increasing volume of health
information being more readily available and to more people than has previously
been possible. This creates an increased risk of privacy incidents such as the
inadvertent disclosure or misuse of health information. Given that health
information is of a particularly sensitive nature, the consequences of these
incidents can be more serious.
The OAIC emphasised that:
...strong privacy safeguards should be a critical aspect of an
eHealth system operated on an opt-out basis. Ensuring that privacy is adequately
addressed and protected is also fundamental to establishing and maintaining
public confidence in the system.
The OAIC recommended that the EM be amended to 'provide clearer
requirements and detail about the parameters of these privacy safeguards and how
they will be implemented', such as those provided for in the Electronic
Health Records and Healthcare Identifiers: Legislation Discussion Paper.
The department submitted that the Bill 'maintains the current strong and
significant privacy protections under the current opt-in arrangements, and
ensures they will apply under the proposed new opt-out arrangements (whether as
part of a trial or under any future national implementation)'.
The department noted that these protections include the following measures,
available to all people registered with the My Health Record system, including
children and people with disability:
access controls restricting access to their My Health Record entirely or
restricting access to certain information in their My Health Record;
that their healthcare provider not upload certain information or documents to
their My Health Record, in which case the healthcare provider will be required
not to upload that information or those documents;
that their Medicare data not be included in their My Health Record, in which
case the Chief Executive Medicare will be required to not make the data
available to the System Operator;
activity in relation to their My Health Record using the audit log or via
electronic messages alerting them that someone has accessed their My Health
remove documents from their My Health Record;
- make a
complaint if they consider there has been a breach of privacy; and
their registration (that is, cancel their My Health Record).
The department asserted that implementing opt-out arrangements is likely
to result in a much greater use of the system and improve privacy for
healthcare recipients by reducing reliance on paper records:
Increased use of the system is a privacy positive as it will
reduce the use of paper records, which pose significant privacy risks. For
example, where a patient is receiving treatment in a hospital's emergency
department for a chronic illness, the hospital may request from the patient's regular
doctor information about the patient's clinical history which is likely to be
faxed to the hospital. The fax might remain unattended on the fax machine for
an extended period of time before being placed into the patient's file, or the
information may be sent to the wrong fax number. Either of these things could
lead to an interference with the patient's privacy should a third party read
the unattended fax or incorrectly receive the fax. In contrast, under the My Health
Record system, the patient's Shared Health Summary would be securely available
only to those people authorised to see it. There are other similar scenarios
where an increase in the level of use of the My Health Record system is likely
to lead to a reduction in privacy breaches associated with paper-based records.
Several submissions expressed concern about the security of patient data
collected under the eHealth system and the risk of identity theft and fraud as
a result of unauthorised disclosure or cyber security attacks.
The APF recommended that an independent assessment be conducted of the
design of the eHealth system that includes 'the risk to national security of
having personal and health data on all Australians in a system with poor access
controls, accessible by anonymous, un-vetted users and which is accessible via
The EM notes that proposed new section 75 of the PCEHR Act introduces
new mandatory reporting requirements for any 'potential or actual unauthorised
collection, use or disclosure of health information in a healthcare recipient’s
My Health Record', or any 'potential or actual breach of the security or
integrity of the My Health Record system' (discussed below).
Data retention period
Submitters raised concerns about the length of time records collected
under the PCEHR must be held in the National Repositories Service.
Under section 17 of the current PCEHR Act, records must be retained until
either 30 years after the healthcare recipient's death, or 130 years after the
record was first uploaded if the date of death is unknown. Item 71 of the Bill
proposes to amend section 17 so that where the date of death is unknown, the
record must be retained for 130 years from the healthcare recipient's date of
The OAIC suggested that a shorter length of time would be consistent
with the Australian Privacy Principle 11 which states that 'where an entity
holds personal information it no longer needs for a purpose permitted under the
APPs, it must take reasonable steps to destroy or de-identify the information'.
The OAIC recommended that consideration be given to whether the clinical and
other authorised purposes would be satisfied if records are retained for a
shorter period, and whether holding records for the specified period is
necessary and proportionate to those purposes.
If no decision is made to extend the opt-out trial nationally, the OAIC
recommended that trial participants are notified at the conclusion of the trial
and provided with cancellation instructions, or have their records cancelled
within a certain number of days of receiving the notification.
Mandatory data breach notification
The OAIC recommended two changes to the mandatory data breach
notification (MDBN) obligation under proposed section 75 of the PCEHR Act:
that the mandatory data breach notification be considered in the
context of the general MDBN scheme currently being considered by the Australian
Government to avoid having two schemes with different reporting thresholds; and
that a higher threshold for healthcare recipient notifications be
provided to mitigate the risk of 'notification fatigue' where 'when a
particular breach presents a high risk of harm to [healthcare recipients], they
may not take the necessary action to protect their privacy which they would otherwise
have taken if notifications were less frequent and only sent in relation to
more serious breaches'.
The ADA suggested that the proposed requirements for healthcare
providers to report on and address data breaches should consider the different
organisational structures of healthcare providers, particularly smaller
practices, recommending that:
...any security and data quality requirements be reasonable and
proportionate and take into account that health practitioners work within a
variety of organisational and business structures and so they have varying
levels of resources at their disposal to conform to security/data requirements.
The EM justified this measure by noting that:
...it is critical that the System Operator and affected
healthcare recipients be notified of a data breach so they can take any
necessary action to mitigate risks they may face, or to improve the security of
the My Health Record system.
Some submitters expressed concerns about the proposed new governance arrangements
for the My Health Records System. The Consumer eHealth Alliance expressed
concern about that proposed new Australian Commission for eHealth would be
absorbed into the Department of Health.
The RACGP suggested the proposed Commission for eHealth should include a
representative from their organisation.
The EM noted that the new governance arrangements would be established
through rules to be made under the Public Governance, Performance and
Accountability Act 2013.
These changes are in response to the 2013 PCEHR review.
The EM clarified that:
It is intended that the Australian Commission for eHealth
will be established as a Commonwealth entity and will be subject to the
requirements of the PGPA Act.
Submitters raised concerns highlighted by the Senate Standing Committee
for the Scrutiny of Bills (Scrutiny Committee) regarding the appropriateness of
the proposed rule-making powers for certain matters.
Extension of prescribed entities
The OAIC expressed concern that the proposed changes outlined in item 34
to provide rule-making powers to change the handling of healthcare identifiers
are 'not drafted narrowly enough' to avoid the risk of function creep over
The OAIC recommended the proposed limitations be qualified by a reference to
healthcare to avoid the risk that the measure be used to 'expand the handling
of healthcare identifiers beyond the original intention behind healthcare
identifiers of matching health information to individuals when healthcare is
The OAIC further recommended including a provision that the department
be required 'to consult with stakeholders in the making of the regulation,
including a specific requirement that the Information Commissioner be
consulted, before making such regulations', to ensure that 'any expansion in
the handling of healthcare identifiers is subject to sufficient consultation
The OAIC also recommended the Information Commissioner be consulted in making
regulations to prescribe an activity that is not to be treated as a health
service for the purposes of the Privacy Act.
The department clarified that the proposed regulation-making powers
under proposed new sections 20 and 25D of the HI Act have been designed to:
...allow the appropriate collection, use, disclosure and
adoption of healthcare identifiers and identifying information by entities like
NDIA [National Disability Insurance Agency] and the national cancer screening
registers, without having to amend the Act each time a new entity needs to be
authorised as was necessary with the Aged Care Gateway. Given that the NDIA and
the national cancer screening registers may wish to handle identifying
information and healthcare identifiers over the next couple of years to improve
healthcare and health-related services supplied to individuals, the ability to
authorise this in regulations will allow timely authorisation without the need
to amend the HI Act each time.
Further, the department confirmed that 'any regulations made authorising
other entities to collect, use and disclose identifying information and
healthcare identifiers will be subject to Parliamentary scrutiny and
Roll out of national opt-out system
Several submissions shared the concerns expressed by the Scrutiny Committee
about the proposed measure outlined in item 106 that would allow the roll out
of a national opt-out system to be made by legislative instrument, rather than
The OAIC recommended that 'consideration be given as to whether it is appropriate
for this decision about the future direction of the PCEHR system to be made by
rules rather than being made by Parliament and effected by change to the
For trials to operate as an effective privacy safeguard, the OAIC
further recommended that 'consideration be given to alternative approaches that
would more clearly ensure that privacy is taken into account', such as:
requiring the Minister to consider the privacy impacts when
deciding whether to apply the opt out model to all healthcare recipients in
requiring the Minister to engage in consultation more broadly
than with just the Ministerial Council, including specifically with the
The department noted that any decision to proceed to a national roll-out
would be informed by an independent evaluation of the trial:
An independent evaluation of the trials will be undertaken in
2016 and will inform consideration by the Government in early 2017 on whether
to proceed to national implementation. The Minister will be required to consult
with state and territory health ministers before making the Rules necessary to
execute such a decision.
The department explained that the Minister is required to consult with
the states and territories prior to making this decision:
...before the Health Minister makes a decision to implement
opt-out nationally, they must consult with the Ministerial Council – that is,
the COAG Health Council. The states and territories are central to the success
of the My Health Record system, regardless of whether the system is opt-in or
opt-out, given that their public health systems will be one of the major
healthcare provider participants in the system. If a decision is made to
implement opt-out nationally, that decision will be of great interest to states
and territories as it will also affect their citizens. In practice, national
implementation of opt-out will not occur unless states and territories support
The department considered that the delegation of power for this measure
...the Department considers that it is an appropriate
delegation of power for the Bill to allow the Health Minister to make a Rule
implementing opt-out nationally, provided that they first follow the procedural
and consultation requirements in the Bill.
Further, the department confirmed that any rule made implementing
opt-out nationally would be subject to Parliamentary scrutiny and disallowance.
Privacy impact statement
In addition, the OAIC recommended that before any decision is made to
apply the opt-out model nationally, the Minister conduct an independent privacy
impact assessment (PIA) in consultation with the OAIC to 'identify, evaluate
and address privacy risks that arise during the trial'.
The department clarified that an independent PIA analysing the potential
privacy risks and impacts of implementing an opt-out approach for participation
in the PCEHR system at a national level has been undertaken and has been
published on the eHealth website.
The department noted it is preparing its response to the PIA in respect of the
opt-out trials and that this will be published. The department further noted
that a follow-up PIA specifically on the opt-out trials has and is expected to
be completed in November 2015.
Incorporation of written
The Scrutiny Committee raised concerns about proposed subsection 109(9)
of the PCEHR Act that would allow the My Health Records Rules to incorporate
other material which may change from time to time, and sought advice on whether
a requirement that any material incorporated by reference be freely and readily
available can be included in the Bill itself.
In its submission the department explained that the proposed measure has
been included in delegated legislation rather than the Bill itself as the
materials most likely to be incorporated are IT security related documents, and
would need to be responded to quickly and flexibly:
The requirements may quickly and at relatively short notice
change to address emerging IT security threats. It is important to be able to
deal with rapidly changing IT security threats in a responsive manner that also
allows requirements to be enforced. If this does not occur, the security risks
to the My Health Record system will increase given the large number of
interconnecting healthcare provider organisations (currently more than 7,000
and expected to increase substantially with the trial of opt-out arrangements).
A failure by healthcare provider organisations (or repository or portal
operators) to comply with IT security requirements may put individuals’ health
information at increased risk.
Henry VIII clause
The Scrutiny Committee expressed concern about the 'Henry VIII clause'
that would allow the Minister to modify the operation of the HI Act, PCEHR Act
and Privacy Act by making rules and sought more information and examples on
possible circumstances in which the clause may be necessary. 
The department submitted that the clause was included to:
...allow the Minister to deal with any unintended or unforeseen
circumstances that may arise in the future, in particular as part of
transitional arrangements in relation to opt-out and in relation to changes of
governance arrangements as governance mechanisms for the My Health Record
system are moved out of the My Health Records Act and subordinate legislation
and into rules proposed to be made under section 87 of the PGPA Act.
The department noted that Henry VIII clauses are 'not uncommon as part
of transitional arrangements' and the clause is modelled on a similar provision
in the Governance of Australian Government Superannuation Schemes
Legislation Amendment Act 2015 (Item 22 of Schedule 2). The department
further noted that the rules made under this measure would be subject to
Parliamentary scrutiny and disallowance.
Civil and criminal penalties
A number of submitters expressed concern about the introduction of new
and increased civil penalties and new criminal penalties for healthcare
providers and healthcare provider organisations.
The AMA argued that the proposed penalties 'are not justified and are likely to
have a negative impact on healthcare provider and healthcare provider
organisation participation' in the My Health Record System.
Similarly, the RACGP argued that the penalties 'appear excessive and
unnecessary and will greatly deter use by busy general practitioners'.
The AMA recommended that the existing civil penalties for the unauthorised use
and disclosure of PCEHR information should remain as they are and no criminal
penalties should be introduced.
The department submitted that the proposed maximum civil penalty is
...the My Health Record system stores the sensitive health
information of many individuals. The amount of health information stored and
the number of individuals whose records are stored will increase significantly
under opt-out arrangements.
Penalty levels must provide an appropriate deterrent to any
planned or deliberate misuse of sensitive health information. In addition,
penalties need to be proportionate to the potential damage that might be
suffered by individuals if the health information in their My Health Record is
The PJCHR expressed particular concerns that the proposed civil
penalties outlined in the Bill may limit the right to a fair trial.
The department responded to the PJCHR's concerns in its submission to
the inquiry, noting that the proposed civil penalties are significantly lower
than the penalties under the Privacy Act (a maximum 2 000 penalty units
compared with 600 penalty units under the Bill):
Given that the civil penalties available under the Privacy
Act are considered appropriate, it is most unlikely that lower penalties under
the Bill would be considered criminal in nature or would limit the right to a
fair trial, especially where the penalty regime imposed by the Bill is designed
to protect significantly more sensitive health information than is generally
the case under the Privacy Act.
Both the Scrutiny Committee and the PJCHR expressed particular concerns
about the reversal of the burden of proof in proposed new section 26 of the HI
Proposed new subsections 26(3) and (4) reverse the burden of proof by providing
that the defendant bears an evidential burden when asserting that an exception
to the prohibition against misusing healthcare identifiers applies.
In response, the department submitted that an evidential burden placed
on the defendant is 'not uncommon' and similar measures exist in other
Commonwealth legislation. The department noted that:
In accordance with the Guide to Framing Commonwealth
Offences, Infringement Notices and Enforcement Powers, the facts relating
to each defence in proposed new subsections 26(3) and (4) of the HI Act are
peculiarly within the knowledge of the defendant, and could be extremely
difficult or expensive for the prosecution to disprove whereas proof of a
defence could be readily provided by the defendant. A burden of proof that a
law imposes on a defendant is an evidential burden only (not a legal burden),
and does not completely displace the prosecutor's burden. Proposed subsections
26(3) and (4) simply require a person to produce or point to evidence that
suggests a reasonable possibility that exceptions in those provisions apply to
Some submitters raised concerns about the consultation process for the Electronic
Health Records and Healthcare Identifiers: Legislation Discussion Paper on
which the Bill is based, including the limited timeframe for preparing submissions
and limited consultation briefings.
The Consumers eHealth Alliance recommended the committee consider the
submissions to the discussion paper, expressing concern that:
...there has been no analysis and no response to the matters
raised in these submissions by either the Department or the Government, and the
submissions do not appear to have been considered in any way, let alone
addressed, in the tabled legislation.
The department clarified that the discussion paper was available for
consultation between May and June 2015 and received 137 submissions. The
department also held three stakeholder briefings with more than 100
representatives of stakeholder groups including individuals and healthcare
providers. State and territory health ministers were also given the opportunity
to provide feedback on exposure drafts of the Bill. The department advised that
the feedback from this consultation:
...has informed the development of the legislative changes
proposed by the Bill, and is also informing system and communications
development, as well as planning for the trials of participation arrangements.
The department noted that the submissions emphasised:
- the need
for appropriate protection of patient information to prevent misuse;
importance of considering patient access controls in terms of safety and
quality of care versus protection of medical information; and
importance of ensuring representatives [who] have authority to act for
individuals have access.
The department highlighted that the submissions to the discussion paper
were largely supportive of the opt-out trial:
About 85 per cent of submissions that commented on opt-out
gave full or conditional support to national opt-out participation, while about
98 per cent supported opt-out trials – supporters were equally individuals
(including representative organisations) and healthcare providers.
The committee is recognises that the introduction of an opt-out trial of
the My Health Records system has the potential to improve health outcomes for
Australians. The committee acknowledges that the proposed new governance
arrangements that the Bill anticipates could assist to address the previous
issues with the PCEHR identified by the 2013 PCEHR review.
The committee acknowledges that the opt-out model raises privacy risks
and recognises the concerns raised by submitters. The committee is satisfied
that the trial would provide an opportunity for the department to identify and
address any privacy issues that may arise. The committee is also satisfied that
the Bill includes sufficient reporting requirements and penalties to deter the
unauthorised use or disclosure of healthcare information.
The committee supports the view of the Information Commissioner that an
effective public awareness campaign is integral to the success of the trial,
and a key privacy safeguard. The committee considers that the outline of this
campaign provided by the department could include greater focus on how privacy
concerns would be addressed.
The committee recommends that the Department of Health consider the
recommendations by the Office of the Australian Information Commissioner in relation
to privacy in developing the public awareness campaign about the opt-out trial.
The committee recognises concerns about the delegation of certain
rule-making powers to the Minister for Health in relation to the operation of
the trial and the handling of healthcare identifiers. The committee is
satisfied that these measures are necessary to allow the Minister to respond to
any unforeseen circumstances that may arise from the trial. The committee is
also satisfied with the safeguards to ensure that the Minister consults
appropriately with the states and territories prior to implementing the opt-out
The committee acknowledges the concerns about the civil and penalties
for the unauthorised use or disclosure of information accessed through the My
Health Records system. However, the committee considers that these penalties
are justified as deterrent measures to protect the privacy of system
The committee considers that the Bill is an appropriate response to the
2013 PCEHR review and provides an opportunity to 'reboot' Australia's national
electronic healthcare system to improve the health of all Australians.
The committee recommends that the Bill be passed.
Senator Zed Seselja
Navigation: Previous Page | Contents | Next Page