Chapter 2
Key issues
2.1
Most submissions supported the objectives of the Health Legislation
Amendment (eHealth) Bill 2015 (Bill) to improve health outcomes, achieve a
better partnership between patients and healthcare providers in healthcare and
develop an effective, national shared electronic health record system.[1]
A number of submissions supported the measures outlined in the Bill, including
the introduction of an opt-out trial of the My Health Records system.[2]
However, a number of submitters raised concerns about the following aspects of
the Bill:
- introduction of an opt-out model;
- privacy and security issues;
- proposed rule-making authority measures;
- governance arrangements;
- civil and criminal penalties; and
- legislation consultation process.[3]
2.2
The Department of Health (department) submitted that the measures
outlined in the Bill would all contribute to improving health outcomes for
Australians:
...the combination of opt-out trials, extensive information and
communication activities, and the continuation of the same strong personal
controls mean that moving to opt-out participation arrangements for individuals
is proportionate, necessary and reasonable for achieving the objective of
improving health outcomes.[4]
Opt-out model
2.3
Submitters expressed both support and opposition to the trial of an
opt-out model.
2.4
A number of submitters supported the introduction of an opt-out model
for both healthcare recipients and healthcare providers.[5]
For example, Medicines Australia suggested that an opt-out system:
...will enable the My Health Record to provide better, more
useful and usable information to healthcare practitioners, which will in turn
lead to improved whole-of-care for patients.[6]
2.5
The Office of the Australian Information Commissioner (OAIC) recognised
that the benefits of an effective eHealth record system include 'better health
outcomes arising from the improved availability and quality of health
information, fewer adverse medical events, and procedural and economic
efficiency through reduced duplication of treatment'.[7]
Similarly, the National eHealth Transition Authority (NEHTA) noted that:
The objectives of eHealth to improve healthcare outcomes are
supported across the community. A shift to an opt-out consumer participation
model continues to be advocated by consumers and providers alike.[8]
2.6
However, a number of submissions expressed concerns about the
introduction of an opt-out model. The Australian Privacy Foundation recommended
that the My Health Record system should 'never be made opt-out', suggesting
that the collection of data would 'have no practicable health value, but would
represent a significant and dangerous risk'.[9]
2.7
The department noted that the trial of opt-out arrangements:
...provides the opportunity for the Australian community to
consider their response to opt-out arrangements and determine whether from
their perspective the arrangements are proportionate and reasonable measures to
achieving the objective of improving health outcomes.[10]
2.8
The department clarified that the trials of the opt-out arrangements aim
to:
- identify appropriate methods of targeting and delivering critical
information about the My Health Record System to key audiences;
- assess the effectiveness of targeted communications, and
education and training for healthcare providers; and
- test implementation approaches.[11]
2.9
The department confirmed that trials of opt-out participation
arrangements would be conducted in two sites in the North Queensland and Nepean
Blue Mountains Primary Health Network areas.[12]
2.10
The department also highlighted that opt-out arrangements would have a
significant impact on long-term government expenditure:
Annual Commonwealth healthcare costs are forecast to increase
by $27 billion to $86 billion by 2025, and will increase to over $250 billion
by 2050. Improved health outcomes and productivity improvements such as those
that can be delivered by eHealth are needed to help counter the expected
increases in the healthcare costs. Leveraging eHealth is one of the few
strategies available to drive microeconomic reform to reduce Commonwealth
health outlays. Without these changes, the quality of healthcare available to
all Australians may reduce in the future as costs become prohibitive.
Without a move to opt-out participation arrangements, the
required critical mass of registered individuals may not occur, or may be
significantly delayed. As a result, the anticipated objective of improving
health outcomes and reducing the pressure on Commonwealth health funding may
not occur or may be significantly delayed. Under the current opt-in
registration arrangements, a net cumulative benefit of $11.5 billion is
expected over 15 years to 2025. It is anticipated that the move to a national
opt-out system would deliver these benefits in a shorter period.[13]
Current uptake of eHealth records
2.11
NEHTA noted that, as at 22 October 2015, the national Personally Controlled
Electronic Health Record (PCEHR) system had registered:
- 2 427 704 consumers (a large proportion of which are newborns and
children);
- 7 970 healthcare organisations (including 452 public hospitals);
- 57 810 shared health summaries; and
- 1.77 million prescription records.[14]
2.12
NEHTA suggested that this level of uptake:
...is an indicator of willingness by providers to engage with
eHealth, even if comfort and capability to use the system is still developing.
Together with continual improvements to usability and registration processes,
the changes proposed in the eHealth Bill will further facilitate use of eHealth
and the PCEHR.[15]
2.13
The department noted that although currently around 1 in 10 individuals have
a My Health Record, there is 'overwhelming support for electronic health
records from the consumer community'. The department suggested that the current
'opt-in' system is 'considered an administrative barrier to consumers achieving
better health outcomes through the electronic sharing of their health
information'.[16]
Utility of data
2.14
However, some submitters suggested that the low uptake of the eHealth
system reflected the perceived inefficiencies of the PCEHR system. The
Australian Privacy Foundation (APF) expressed concern that the Bill focuses 'on
the number of registrations rather than usability and clinical value'. The APF
also raised questions about the use and value of the PCEHR system, suggesting
that the 2013 PCEHR review:
...noted that poor utility was a major factor in the low level
of uptake of the PCEHR. We are unaware of any initiatives to identify what is
required to increase the usability of the PCEHR or to actually implement
improvements in the system.[17]
2.15
Similarly, the Consumers eHealth Alliance suggested that the existing
PCEHR system does not function effectively:
Rather than an efficient and trusted means of information
exchange, the system resembles a big old filing cabinet, randomly stuffed with
a selection of documents that may or may not be current, relevant or accurate.
That is why doctors don't use it, and consumers show little
interest either.[18]
2.16
Submitters suggested that the PCEHR system does not improve health
outcomes. Primary Health Care Limited submitted that 'evidence to date shows
the spend and value generated as a result of the PCEHR initiative has not
increased quality of patient care or streamlined health delivery processes'.[19]
Similarly, the Royal Australian College of General Practitioners (RACGP)
submitted:
There is currently limited evidence that supports the
proposition that patients merely having access to their healthcare information
leads to significant changes to healthcare outcomes. It is the use by
clinicians that will help deliver the benefits of coordinated and integrated
care and clinicians are unlikely to use it until design and functionality
issues are resolved.[20]
2.17
Medicines Australia suggested that the My Health Record system could be
improved by considering the mandatory inclusion of medications, noting that this
could 'go a long way to reducing and in some cases eliminating avoidable
medication misadventure, error and mishap'.[21]
Medicines Australia noted that 'optimising the My Health Record to improve the
recording, sharing and management of prescribed (and non-prescribed) medication
will enable better monitoring of patients' medication management' and
contribute to 'improved safety and quality use of medicines'.[22]
2.18
The department submitted that having a My Health Record would be 'likely
to improve health outcomes, making access to the right treatment faster, safer,
easier and more cost effective'.[23]
The Explanatory Memorandum (EM) noted that the 'usability' issues identified by
the 2013 PCEHR review would be addressed through preparing for new governance
arrangements and simplifying the privacy framework 'by revising the way that
permissions to collect, use and disclose information are presented, making it
easier for participants in the system to understand what they can and cannot do'.[24]
2.19
In her second reading speech, the Minister for Health (Minister), the
Hon Sussan Ley MP, noted that increasing the uptake of eHealth records would
improve the value of the system:
At present about one in 10 Australians has an electronic
health record. That is not enough to make it an effective national system, and
doctors do not see enough value as yet to use it. If the majority of people
have a My Health Record, more healthcare providers will use it and include
their patients' health information on it, and this will improve the overall
value of the system.[25]
Impact on vulnerable groups
2.20
As noted in Chapter 1, the Parliamentary Joint Committee on Human Rights
(PJCHR) raised a number of concerns about the impact of an opt-out model on the
right to privacy and rights of vulnerable groups, including children and people
with disability.[26]
2.21
The Consumers eHealth Alliance recommended that the trials be delayed
until the issues raised by the PJCHR are addressed and suggested 'reflection on
the critical points raised by the PJCHR in respect of the nature and scale of
vulnerable people - and the practical and legal difficulties of obtaining
proper, informed, consent from an unengaged populace'.[27]
2.22
The EM noted that the anticipated benefits in health outcomes as a
result of the Bill would be:
...skewed towards vulnerable families as they currently face
more challenges in accessing timely and appropriate healthcare and will have
more to benefit from improved health outcomes. These people are also less
likely to participate in an opt-in model as they are more likely to be
challenged by the registration process.[28]
2.23
This statement was supported by Carers Australia's submission which
noted that 'carers are less likely to participate in an opt-in model and are
more likely to be challenged by the registration process'.[29]
2.24
The department submitted that the current PCEHR system provides special
arrangements to support children and vulnerable people to participate in the
system by allowing authorised representatives to act on their behalf. The
department noted that the Bill provides additional arrangements to ensure:
...that people providing decision-making support will...need to
give effect to the will and preference of the person to whom they provide
decision-making support. Ensuring that representatives can continue to act on
behalf of individuals (including children and persons with a disability) to
help them to manage their record as part of opt-out is a privacy positive under
the eHealth Bill. Authorised representatives will be able, for example, to
opt-out the individual for whom they have responsibility from having an
electronic health record, if this meets the will and preference of the person
they are representing.[30]
2.25
The department further noted that the process has been designed to:
...cater for those people who have difficulties in coping with
bureaucratic processes to ensure it is highly accessible and easy to understand
so that they are able to exercise their right to opt-out without unnecessary
complexity. While phone and online channels are expected to cater for the
majority of individuals, the Department of Health is working to ensure that
alternative processes will be available to all individuals including those
needing additional support or with limited documentation.[31]
Pseudonymous records
2.26
The OAIC raised concerns that the Bill does not address how healthcare
recipients who wish to obtain a pseudonymous record, currently available under
the current system, would be able to do so under an opt-out system. The OAIC
recommended that the EM be amended to outline how such records would be
addressed in an opt-out model, including for existing healthcare recipients,
and this be included in the public awareness campaign.[32]
Opt-out mechanism
2.27
The OAIC highlighted that one of the key privacy safeguards for the
trial is a 'fair and easy to use opt-out process' that includes:
- allowing healthcare recipients an adequate time period in which to receive
and consider information about the opt-out system, to make their decision about
whether or not to opt-out, and to exercise their right to opt-out if they so
choose
- providing free, simple and accessible means of opting-out of the system,
including means that take account of the needs of healthcare recipients with
particular needs.[33]
2.28
The OAIC recommended that further details be provided on the opt-out
process for minors and adults lacking capacity and how their records would be
managed, including 'what mechanism will be in place to ensure that, where an
adult healthcare recipient who lacks capacity has not or is not opted-out, the
individual has received the necessary support and information to make that
decision'.[34]
2.29
The department clarified that the opt-out process would be designed to
be 'as simple as possible for as many people as possible'. The department noted
that individuals who choose to opt-out would be able to do so online, in person
or by phone:
The process leading to the creation and filling of a record
as part of the opt-out trial has been designed to ensure it is highly
accessible, easy to understand and caters for those people who have
difficulties in coping with administrative processes so that they are able to
exercise their right to opt-out without unnecessary complexity.[35]
Awareness and education campaign
2.30
A number of submitters highlighted the need to ensure that people,
particularly those from disadvantaged backgrounds and those with poor health
literacy, are made aware of how to opt-out of the system.[36]
Without this, individuals are likely to be 'unaware that their data is in a large
central repository that can be accessed by providers across Australia and the
government'.[37]
2.31
The OAIC suggested that the public awareness campaign should satisfy the
following criteria:
- it should provide sufficient information to enable healthcare recipients to
understand what the PCEHR system is and the benefits and risks of
participation, and to understand what their options are
- the option to opt-out of the system should be clearly and prominently
presented
- the campaign needs to be of sufficient scope so that it is likely that each
affected healthcare recipient has received and read the information about the
PCEHR system, the option to opt-out, and the opt-out process
- the information provided for healthcare recipients should clearly explain the
implications of not opting-out. This information should also clearly explain
the personal controls available to them, when they will become available and
how they can be set
- the material should be accessible, written in plain English and should also
be provided in ways that take into account the needs of healthcare recipients
with particular needs, such as those from a non-English speaking background and
disadvantaged or vulnerable individuals.
2.32
The OAIC further recommended that the public awareness campaign:
...clearly inform healthcare recipients about how their
Medicare information will be handled and their options, and that this
information may include detail that indicates diagnosed conditions and
illnesses.[38]
2.33
The Australian Dental Association (ADA) suggested there is also a need for 'an
effective communications and education campaign for all healthcare provider
organisations and providers':
...if healthcare provider organisations do not have an adequate
level of comfort and confidence about how to use the system and what their
obligations are and how they can simply comply with those obligations, under
the Bill as it stands, there is a real risk that these healthcare provider
organisations will not register to participate in the MyHR system, even in
these opt-out trial sites where healthcare recipients automatically have
corresponding MyHRs set up.[39]
2.34
The Australian Dental Association recommended that the communication
strategy 'must be targeted to all healthcare provider organisations and
practitioners and not restricted to healthcare provider organisations and
practitioners within the opt-out trial sites' to advise them of the penalties
and obligations under the Bill.[40]
Similarly, Primary Health Care Limited expressed concern that there are 'no
detailed plans on how the initiative will change clinician behaviour to access
My Health Record system for patient records, especially when patients can opt
out and there is a significant likelihood that a patient's records will not be
there'.[41]
2.35
The department clarified that a communication strategy to inform people
about the opt-out trials is currently being developed. The department submitted
that in relation to the plans for a public awareness campaign:
Comprehensive information and communication activities are
being planned for the opt-out trials to ensure all affected individuals,
including parents, guardians and carers, are aware they are in an opt-out trial
and what they need to do to participate, adjust privacy controls associated
with their record, or to opt-out if they choose. This will include letters to
affected individuals, targeted communication to carers and advocacy groups,
extensive online and social media information, and education and training for
healthcare providers in opt-out trial locations.[42]
2.36
The department noted that key features of the communication strategy
include:
- Minister's launch of the My Health Record (subject to the Bill being passed);
- updating of the eHealth website to include information about the opt-out
trials;
- updating of information about the My Health Record programme, including that
which is specific to the opt-out trials;
- the inclusion of information and articles in consumer peak body/disease
association specific newsletters about the My Health Record programme, and in
particular information to assist carers of people who need assistance to
manage their record;
- education and training for healthcare providers about the My Health Record
Programme;
- a letter to each person living in an opt-out trial location prior to the
commencement of the 'opt-out' period informing them of the trials and how to
opt-out if they so choose;
- targeted information, content and articles for distribution to carers and
other associations and advocate groups;
- a letter to each person who opts-out to confirm they have opted out of the
My Health Record system during the opt-out period;
- tailored information to meet the specific needs of each opt-out trial
location community, including the availability of accessible culturally and
linguistically diverse materials, working with vulnerable groups and
considering the needs of rural and remote communities; and
- working with the state/territory governments involved in opt-out trials to
ensure the appropriate communication or action is taken in respect of
individuals in protection or custody.[43]
2.37
The department noted that it is currently considering options for
alerting healthcare recipients who may be unaware that they have a record or
that it is being used, including:
- a letter is sent to them upon initial creation of the record; and/or
- the provision of notices for display in healthcare settings and community
noticeboards advising people of the existence of the trial and what to do if
they don't want a record (either before or after its creation).[44]
Privacy and security issues
2.38
A number of submitters raised concerns about privacy and security issues
raised by the Bill.[45]
Privacy concerns
2.39
The Australian Privacy Foundation (APF) expressed particular concern
about the 'lack of control of access to information in the PCEHR and to
information in the PCEHR that can be transferred to, and accessed by,
associated systems'.[46]
The APF argued that the Bill does not provide adequate user access controls and
'allows anonymous users, without any form of police or security check to access
the system', and risks improper use of healthcare recipients' medical records.
The APF recommended a complete redesign of the user controls to reflect a 'need
to know' approach.[47]
2.40
Ms Helen Nicols expressed particular concern about the inclusion of
third party information to a healthcare recipient's My Health Record proposed
under item 106. Ms Nichols noted:
Speaking as a patient who doesn't want any form of ehealth, I
would see this as completely defeating the purpose of allowing me to opt out,
if my health information were to be uploaded anyway into my family's records.[48]
2.41
The APF suggested that privacy concerns should be addressed on a
holistic level across the whole electronic health record system:
The PCEHR is part of a complex, interacting health
information ecosystem. Privacy issues need to be treated holistically, not in a
piecemeal manner, as is the situation with the eHealth Bill.
Concerns about personal information security, privacy,
confidentiality and governance of the fragmented national electronic health
records system are as much about how the pieces interact, whether controls,
protection and risk governance effectively deal with the interoperability,
complexity and potential for breach and misuse inherent in the virtual system
of which the PCEHR is part, as they are about the PCEHR itself, which would
have little interest if it was truly standalone.[49]
2.42
In contrast, NEHTA submitted that the 'current settings for provider
access appropriately balances privacy and clinical outcomes, and if
communicated effectively, will encourage active use of the system under an
opt-out model'.[50]
2.43
The OAIC submitted that compared to an opt-in system, the proposed
opt-out system increases the privacy risks faced by healthcare recipients,
including:
- a healthcare recipient's health information will be handled for the purposes
of the PCEHR system without that individual's express consent. This does not
align with best privacy practice, which generally involves obtaining express
consent before handling health or other sensitive information given the bigger
privacy impact that handling this type of information can have
- within a short period of time, an opt-out system will result in an
increasing volume of health information being more readily available and to
more people than has previously been possible. This creates an increased risk
of privacy incidents such as the inadvertent disclosure or misuse of health
information. Given that health information is of a particularly sensitive
nature, the consequences of these incidents can be more serious.[51]
2.44
The OAIC emphasised that:
...strong privacy safeguards should be a critical aspect of an
eHealth system operated on an opt-out basis. Ensuring that privacy is adequately
addressed and protected is also fundamental to establishing and maintaining
public confidence in the system.[52]
2.45
The OAIC recommended that the EM be amended to 'provide clearer
requirements and detail about the parameters of these privacy safeguards and how
they will be implemented', such as those provided for in the Electronic
Health Records and Healthcare Identifiers: Legislation Discussion Paper.[53]
2.46
The department submitted that the Bill 'maintains the current strong and
significant privacy protections under the current opt-in arrangements, and
ensures they will apply under the proposed new opt-out arrangements (whether as
part of a trial or under any future national implementation)'.[54]
2.47
The department noted that these protections include the following measures,
available to all people registered with the My Health Record system, including
children and people with disability:
- set access controls restricting access to their My Health Record entirely or
restricting access to certain information in their My Health Record;
- request that their healthcare provider not upload certain information or
documents to their My Health Record, in which case the healthcare provider will
be required not to upload that information or those documents;
- request that their Medicare data not be included in their My Health Record,
in which case the Chief Executive Medicare will be required to not make the
data available to the System Operator;
- monitor activity in relation to their My Health Record using the audit log or
via electronic messages alerting them that someone has accessed their My Health
Record;
- effectively remove documents from their My Health Record;
- make a complaint if they consider there has been a breach of privacy; and
- cancel their registration (that is, cancel their My Health Record).[55]
2.48
The department asserted that implementing opt-out arrangements is likely
to result in a much greater use of the system and improve privacy for
healthcare recipients by reducing reliance on paper records:
Increased use of the system is a privacy positive as it will
reduce the use of paper records, which pose significant privacy risks. For
example, where a patient is receiving treatment in a hospital's emergency
department for a chronic illness, the hospital may request from the patient's regular
doctor information about the patient's clinical history which is likely to be
faxed to the hospital. The fax might remain unattended on the fax machine for
an extended period of time before being placed into the patient's file, or the
information may be sent to the wrong fax number. Either of these things could
lead to an interference with the patient's privacy should a third party read
the unattended fax or incorrectly receive the fax. In contrast, under the My Health
Record system, the patient's Shared Health Summary would be securely available
only to those people authorised to see it. There are other similar scenarios
where an increase in the level of use of the My Health Record system is likely
to lead to a reduction in privacy breaches associated with paper-based records.[56]
Security concerns
2.49
Several submissions expressed concern about the security of patient data
collected under the eHealth system and the risk of identity theft and fraud as
a result of unauthorised disclosure or cyber security attacks.[57]
2.50
The APF recommended that an independent assessment be conducted of the
design of the eHealth system that includes 'the risk to national security of
having personal and health data on all Australians in a system with poor access
controls, accessible by anonymous, un-vetted users and which is accessible via
the internet'.[58]
2.51
The EM notes that proposed new section 75 of the PCEHR Act introduces
new mandatory reporting requirements for any 'potential or actual unauthorised
collection, use or disclosure of health information in a healthcare recipient’s
My Health Record', or any 'potential or actual breach of the security or
integrity of the My Health Record system' (discussed below).[59]
Data retention period
2.52
Submitters raised concerns about the length of time records collected
under the PCEHR must be held in the National Repositories Service.[60]
Under section 17 of the current PCEHR Act, records must be retained until
either 30 years after the healthcare recipient's death, or 130 years after the
record was first uploaded if the date of death is unknown. Item 71 of the Bill
proposes to amend section 17 so that where the date of death is unknown, the
record must be retained for 130 years from the healthcare recipient's date of
birth.[61]
2.53
The OAIC suggested that a shorter length of time would be consistent
with the Australian Privacy Principle 11 which states that 'where an entity
holds personal information it no longer needs for a purpose permitted under the
APPs, it must take reasonable steps to destroy or de-identify the information'.[62]
The OAIC recommended that consideration be given to whether the clinical and
other authorised purposes would be satisfied if records are retained for a
shorter period, and whether holding records for the specified period is
necessary and proportionate to those purposes.[63]
2.54
If no decision is made to extend the opt-out trial nationally, the OAIC
recommended that trial participants are notified at the conclusion of the trial
and provided with cancellation instructions, or have their records cancelled
within a certain number of days of receiving the notification.[64]
Mandatory data breach notification
2.55
The OAIC recommended two changes to the mandatory data breach
notification (MDBN) obligation under proposed section 75 of the PCEHR Act:
- that the mandatory data breach notification be considered in the context of
the general MDBN scheme currently being considered by the Australian Government
to avoid having two schemes with different reporting thresholds; and
- that a higher threshold for healthcare recipient notifications be provided
to mitigate the risk of 'notification fatigue' where 'when a particular breach
presents a high risk of harm to [healthcare recipients], they may not take the
necessary action to protect their privacy which they would otherwise have taken
if notifications were less frequent and only sent in relation to more serious
breaches'.[65]
2.56
The ADA suggested that the proposed requirements for healthcare
providers to report on and address data breaches should consider the different
organisational structures of healthcare providers, particularly smaller
practices, recommending that:
...any security and data quality requirements be reasonable and
proportionate and take into account that health practitioners work within a
variety of organisational and business structures and so they have varying
levels of resources at their disposal to conform to security/data requirements.[66]
2.57
The EM justified this measure by noting that:
...it is critical that the System Operator and affected
healthcare recipients be notified of a data breach so they can take any
necessary action to mitigate risks they may face, or to improve the security of
the My Health Record system.[67]
Governance arrangements
2.58
Some submitters expressed concerns about the proposed new governance arrangements
for the My Health Records System. The Consumers eHealth Alliance expressed
concern that the proposed new Australian Commission for eHealth would be
absorbed into the Department of Health.[68]
The RACGP suggested the proposed Commission for eHealth should include a
representative from their organisation.[69]
2.59
The EM noted that the new governance arrangements would be established
through rules to be made under the Public Governance, Performance and
Accountability Act 2013.[70]
These changes are in response to the 2013 PCEHR review.[71]
The EM clarified that:
It is intended that the Australian Commission for eHealth
will be established as a Commonwealth entity and will be subject to the
requirements of the PGPA Act.[72]
Rule-making authority
2.60
Submitters raised concerns highlighted by the Senate Standing Committee
for the Scrutiny of Bills (Scrutiny Committee) regarding the appropriateness of
the proposed rule-making powers for certain matters.
Extension of prescribed entities
2.61
The OAIC expressed concern that the proposed changes outlined in item 34
to provide rule-making powers to change the handling of healthcare identifiers
are 'not drafted narrowly enough' to avoid the risk of function creep over
time.[73]
The OAIC recommended the proposed limitations be qualified by a reference to
healthcare to avoid the risk that the measure be used to 'expand the handling
of healthcare identifiers beyond the original intention behind healthcare
identifiers of matching health information to individuals when healthcare is
delivered'.[74]
2.62
The OAIC further recommended including a provision that the department
be required 'to consult with stakeholders in the making of the regulation,
including a specific requirement that the Information Commissioner be
consulted, before making such regulations', to ensure that 'any expansion in
the handling of healthcare identifiers is subject to sufficient consultation
and scrutiny'.[75]
The OAIC also recommended the Information Commissioner be consulted in making
regulations to prescribe an activity that is not to be treated as a health
service for the purposes of the Privacy Act.[76]
2.63
The department clarified that the proposed regulation-making powers
under proposed new sections 20 and 25D of the HI Act have been designed to:
...allow the appropriate collection, use, disclosure and
adoption of healthcare identifiers and identifying information by entities like
NDIA [National Disability Insurance Agency] and the national cancer screening
registers, without having to amend the Act each time a new entity needs to be
authorised as was necessary with the Aged Care Gateway. Given that the NDIA and
the national cancer screening registers may wish to handle identifying
information and healthcare identifiers over the next couple of years to improve
healthcare and health-related services supplied to individuals, the ability to
authorise this in regulations will allow timely authorisation without the need
to amend the HI Act each time.[77]
2.64
Further, the department confirmed that 'any regulations made authorising
other entities to collect, use and disclose identifying information and
healthcare identifiers will be subject to Parliamentary scrutiny and
disallowance'.[78]
Roll out of national opt-out system
2.65
Several submissions shared the concerns expressed by the Scrutiny Committee
about the proposed measure outlined in item 106 that would allow the roll out
of a national opt-out system to be made by legislative instrument, rather than
primary legislation.[79]
The OAIC recommended that 'consideration be given as to whether it is appropriate
for this decision about the future direction of the PCEHR system to be made by
rules rather than being made by Parliament and effected by change to the
primary legislation'.[80]
2.66
For trials to operate as an effective privacy safeguard, the OAIC
further recommended that 'consideration be given to alternative approaches that
would more clearly ensure that privacy is taken into account', such as:
-
requiring the Minister to consider the privacy impacts when
deciding whether to apply the opt out model to all healthcare recipients in
Australia; and
-
requiring the Minister to engage in consultation more broadly
than with just the Ministerial Council, including specifically with the
Information Commissioner.[81]
2.67
The department noted that any decision to proceed to a national roll-out
would be informed by an independent evaluation of the trial:
An independent evaluation of the trials will be undertaken in
2016 and will inform consideration by the Government in early 2017 on whether
to proceed to national implementation. The Minister will be required to consult
with state and territory health ministers before making the Rules necessary to
execute such a decision.[82]
2.68
The department explained that the Minister is required to consult with
the states and territories prior to making this decision:
...before the Health Minister makes a decision to implement
opt-out nationally, they must consult with the Ministerial Council – that is,
the COAG Health Council. The states and territories are central to the success
of the My Health Record system, regardless of whether the system is opt-in or
opt-out, given that their public health systems will be one of the major
healthcare provider participants in the system. If a decision is made to
implement opt-out nationally, that decision will be of great interest to states
and territories as it will also affect their citizens. In practice, national
implementation of opt-out will not occur unless states and territories support
the implementation.[83]
2.69
The department considered that the delegation of power for this measure
is appropriate:
...the Department considers that it is an appropriate
delegation of power for the Bill to allow the Health Minister to make a Rule
implementing opt-out nationally, provided that they first follow the procedural
and consultation requirements in the Bill.[84]
2.70
Further, the department confirmed that any rule made implementing
opt-out nationally would be subject to Parliamentary scrutiny and disallowance.[85]
Privacy impact statement
2.71
In addition, the OAIC recommended that before any decision is made to
apply the opt-out model nationally, the Minister conduct an independent privacy
impact assessment (PIA) in consultation with the OAIC to 'identify, evaluate
and address privacy risks that arise during the trial'.[86]
2.72
The department clarified that an independent PIA analysing the potential
privacy risks and impacts of implementing an opt-out approach for participation
in the PCEHR system at a national level has been undertaken and has been
published on the eHealth website.[87]
The department noted it is preparing its response to the PIA in respect of the
opt-out trials and that this will be published. The department further noted
that a follow-up PIA specifically on the opt-out trials is expected to be
completed in November 2015.[88]
Incorporation of written instruments
2.73
The Scrutiny Committee raised concerns about proposed subsection 109(9)
of the PCEHR Act that would allow the My Health Records Rules to incorporate
other material which may change from time to time, and sought advice on whether
a requirement that any material incorporated by reference be freely and readily
available can be included in the Bill itself.[89]
2.74
In its submission the department explained that the proposed measure has
been included in delegated legislation rather than the Bill itself as the
materials most likely to be incorporated are IT security related documents, and
would need to be responded to quickly and flexibly:
The requirements may quickly and at relatively short notice
change to address emerging IT security threats. It is important to be able to
deal with rapidly changing IT security threats in a responsive manner that also
allows requirements to be enforced. If this does not occur, the security risks
to the My Health Record system will increase given the large number of
interconnecting healthcare provider organisations (currently more than 7,000
and expected to increase substantially with the trial of opt-out arrangements).
A failure by healthcare provider organisations (or repository or portal
operators) to comply with IT security requirements may put individuals’ health
information at increased risk.[90]
Henry VIII clause
2.75
The Scrutiny Committee expressed concern about the 'Henry VIII clause'
that would allow the Minister to modify the operation of the HI Act, PCEHR Act
and Privacy Act by making rules and sought more information and examples on
possible circumstances in which the clause may be necessary.[91]
2.76
The department submitted that the clause was included to:
...allow the Minister to deal with any unintended or unforeseen
circumstances that may arise in the future, in particular as part of
transitional arrangements in relation to opt-out and in relation to changes of
governance arrangements as governance mechanisms for the My Health Record
system are moved out of the My Health Records Act and subordinate legislation
and into rules proposed to be made under section 87 of the PGPA Act.[92]
2.77
The department noted that Henry VIII clauses are 'not uncommon as part
of transitional arrangements' and the clause is modelled on a similar provision
in the Governance of Australian Government Superannuation Schemes
Legislation Amendment Act 2015 (Item 22 of Schedule 2). The department
further noted that the rules made under this measure would be subject to
Parliamentary scrutiny and disallowance.[93]
Civil and criminal penalties
2.78
A number of submitters expressed concern about the introduction of new
and increased civil penalties and new criminal penalties for healthcare
providers and healthcare provider organisations.[94]
The AMA argued that the proposed penalties 'are not justified and are likely to
have a negative impact on healthcare provider and healthcare provider
organisation participation' in the My Health Record System.[95]
Similarly, the RACGP argued that the penalties 'appear excessive and
unnecessary and will greatly deter use by busy general practitioners'.[96]
The AMA recommended that the existing civil penalties for the unauthorised use
and disclosure of PCEHR information should remain as they are and no criminal
penalties should be introduced.[97]
2.79
The department submitted that the proposed maximum civil penalty is
justified as:
...the My Health Record system stores the sensitive health
information of many individuals. The amount of health information stored and
the number of individuals whose records are stored will increase significantly
under opt-out arrangements.
Penalty levels must provide an appropriate deterrent to any
planned or deliberate misuse of sensitive health information. In addition,
penalties need to be proportionate to the potential damage that might be
suffered by individuals if the health information in their My Health Record is
misused.[98]
2.80
The PJCHR expressed particular concerns that the proposed civil
penalties outlined in the Bill may limit the right to a fair trial.[99]
2.81
The department responded to the PJCHR's concerns in its submission to
the inquiry, noting that the proposed civil penalties are significantly lower
than the penalties under the Privacy Act (a maximum 2 000 penalty units
compared with 600 penalty units under the Bill):
Given that the civil penalties available under the Privacy
Act are considered appropriate, it is most unlikely that lower penalties under
the Bill would be considered criminal in nature or would limit the right to a
fair trial, especially where the penalty regime imposed by the Bill is designed
to protect significantly more sensitive health information than is generally
the case under the Privacy Act.[100]
2.82
Both the Scrutiny Committee and the PJCHR expressed particular concerns
about the reversal of the burden of proof in proposed new section 26 of the HI
Act.[101]
Proposed new subsections 26(3) and (4) reverse the burden of proof by providing
that the defendant bears an evidential burden when asserting that an exception
to the prohibition against misusing healthcare identifiers applies.[102]
2.83
In response, the department submitted that an evidential burden placed
on the defendant is 'not uncommon' and similar measures exist in other
Commonwealth legislation. The department noted that:
In accordance with the Guide to Framing Commonwealth
Offences, Infringement Notices and Enforcement Powers, the facts relating
to each defence in proposed new subsections 26(3) and (4) of the HI Act are
peculiarly within the knowledge of the defendant, and could be extremely
difficult or expensive for the prosecution to disprove whereas proof of a
defence could be readily provided by the defendant. A burden of proof that a
law imposes on a defendant is an evidential burden only (not a legal burden),
and does not completely displace the prosecutor's burden. Proposed subsections
26(3) and (4) simply require a person to produce or point to evidence that
suggests a reasonable possibility that exceptions in those provisions apply to
the person.[103]
Consultation process
2.84
Some submitters raised concerns about the consultation process for the Electronic
Health Records and Healthcare Identifiers: Legislation Discussion Paper on
which the Bill is based, including the limited timeframe for preparing submissions
and limited consultation briefings.[104]
The Consumers eHealth Alliance recommended the committee consider the
submissions to the discussion paper, expressing concern that:
...there has been no analysis and no response to the matters
raised in these submissions by either the Department or the Government, and the
submissions do not appear to have been considered in any way, let alone
addressed, in the tabled legislation.[105]
2.85
The department clarified that the discussion paper was available for
consultation between May and June 2015 and received 137 submissions. The
department also held three stakeholder briefings with more than 100
representatives of stakeholder groups including individuals and healthcare
providers. State and territory health ministers were also given the opportunity
to provide feedback on exposure drafts of the Bill. The department advised that
the feedback from this consultation:
...has informed the development of the legislative changes
proposed by the Bill, and is also informing system and communications
development, as well as planning for the trials of participation arrangements.[106]
2.86
The department noted that the submissions emphasised:
-
the need for appropriate protection of patient information to prevent misuse;
-
the importance of considering patient access controls in terms of safety and
quality of care versus protection of medical information; and
-
the importance of ensuring representatives [who] have authority to act for
individuals have access.[107]
2.87
The department highlighted that the submissions to the discussion paper
were largely supportive of the opt-out trial:
About 85 per cent of submissions that commented on opt-out
gave full or conditional support to national opt-out participation, while about
98 per cent supported opt-out trials – supporters were equally individuals
(including representative organisations) and healthcare providers.[108]
Committee view
2.88
The committee recognises that the introduction of an opt-out trial of
the My Health Records system has the potential to improve health outcomes for
Australians. The committee acknowledges that the proposed new governance
arrangements that the Bill anticipates could assist to address the previous
issues with the PCEHR identified by the 2013 PCEHR review.
2.89
The committee acknowledges that the opt-out model raises privacy risks
and recognises the concerns raised by submitters. The committee is satisfied
that the trial would provide an opportunity for the department to identify and
address any privacy issues that may arise. The committee is also satisfied that
the Bill includes sufficient reporting requirements and penalties to deter the
unauthorised use or disclosure of healthcare information.
2.90
The committee supports the view of the Information Commissioner that an
effective public awareness campaign is integral to the success of the trial,
and a key privacy safeguard. The committee considers that the outline of this
campaign provided by the department could include greater focus on how privacy
concerns would be addressed.
Recommendation 1
2.91
The committee recommends that the Department of Health consider the
recommendations by the Office of the Australian Information Commissioner in relation
to privacy in developing the public awareness campaign about the opt-out trial.
2.92
The committee recognises concerns about the delegation of certain
rule-making powers to the Minister for Health in relation to the operation of
the trial and the handling of healthcare identifiers. The committee is
satisfied that these measures are necessary to allow the Minister to respond to
any unforeseen circumstances that may arise from the trial. The committee is
also satisfied with the safeguards to ensure that the Minister consults
appropriately with the states and territories prior to implementing the opt-out
model nationally.
2.93
The committee acknowledges the concerns about the civil and criminal penalties
for the unauthorised use or disclosure of information accessed through the My
Health Records system. However, the committee considers that these penalties
are justified as deterrent measures to protect the privacy of system
participants.
2.94
The committee considers that the Bill is an appropriate response to the
2013 PCEHR review and provides an opportunity to 'reboot' Australia's national
electronic healthcare system to improve the health of all Australians.
Recommendation 2
2.95
The committee recommends that the Bill be passed.
Senator Zed Seselja
Chair