Save Search

Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
Personally Controlled Electronic Health Records Bill 2011

Bill home page  


Download WordDownload Word


Download PDFDownload PDF

 

 

 

 

 

2010 - 2011

 

 

 

THE PARLIAMENT OF THE COMMONWEALTH OF AUSTRALIA

 

 

 

 

HOUSE OF REPRESENTATIVES

 

 

 

 

 

 

 

 

 

 

 

PERSONALLY CONTROLLED ELECTRONIC HEALTH RECORDS BILL 2011

 

 

 

 

 

EXPLANATORY MEMORANDUM

 

 

 

 

 

 

 

 

 

 

 

 

(Circulated by authority of the Minister for Health and Ageing,

the Honourable Nicola Roxon, MP)

 

 

 

 

 



PERSONALLY CONTROLLED ELECTRONIC HEALTH RECORDS BILL 2011

 

OUTLINE

The Personally Controlled Electronic Health Records Bill 2011 (‘PCEHR Bill’) will establish the national personally controlled electronic health record (‘PCEHR’) system (‘PCEHR system’) and provide its regulatory framework, including an entity that will be responsible for the operation of the PCEHR system.  The PCEHR Bill will also implement a privacy regime specific to the PCEHR system which will generally operate concurrently with Commonwealth, state and territory privacy laws.

 

Background

The National E-Health Strategy, endorsed by Health Ministers in 2008, recognised that a 21 st  century healthcare system requires 21 st century health information infrastructure in order to achieve its vision, which is to enable a safer, higher quality, more equitable and sustainable health system for all Australians by transforming the way information is used to plan, manage and deliver healthcare services .  Underpinning this vision is a recognition that significant improvements in the way that health information is accessed and shared is required if Australia is to maintain a world class health system in the face of rapidly increasing demand and costs.

 

The National E-Health Strategy and National Health and Hospitals Reform Commission report of June 2009 both identified an electronic health records system as being central to enabling the realisation of many health reform objectives including improved quality, safety, efficiency and equity in healthcare and the long-term sustainability of the health system.

 

E-health is an integral part of the Australian Government’s agenda for health reform, an agenda that aims to create a continuously improving healthcare system for the 21 st century - a system that is accountable, affordable and sustainable, with safety and quality at its centre.

 

The PCEHR system

As part of the 2010-11 Budget the Australian Government announced funding of $467 million over two years to build the key national components of the national PCEHR system.  The PCEHR system is the next step in using e-health to enhance the healthcare system.  It enables the secure sharing of health information between a consumer’s healthcare providers, while enabling the consumer to control who can access their PCEHR.

 

The PCEHR system builds on the foundation laid by the introduction of national healthcare identifiers for consumers, healthcare providers and healthcare provider organisations, as well as the National Authentication Service for Health, clinical terminologies and methods for communicating health information between healthcare providers such as discharge summaries and electronic referrals.

 

The PCEHR system places the individual at the centre of their own healthcare by enabling access to important health information when and where it is needed, by consumers and their healthcare providers.  A PCEHR will be assembled from distributed participating repositories which will hold summarised clinical information.  These repositories will be operated by a mix of private and public sector organisations and will need to conform to strict specifications.

 

The development and operation of the PCEHR system will provide a range of benefits to healthcare consumers, providers and service organisations, and to the Australian economy more broadly.  The benefits arise directly from providing consumers and healthcare providers with better access to health information, and indirectly by enabling reform of the way healthcare is delivered.

 

The PCEHR system is voluntary for consumers and organisations - healthcare provider organisations, repository operators, portal operators and contracted service providers.  The system will operate on an opt-in basis, which means that any person or organisation wishing to participate in the system will need to register.

 

The PCEHR Bill

The PCEHR Bill establishes the PCEHR System Operator which will be responsible for the operation of the system, and its advisory bodies which will provide expert advice and ensure state, territory, consumer and stakeholder input on the operation of the system.  The Secretary of the Department of Health and Ageing will initially perform the role of System Operator.

 

A framework will be established for the registration of consumers and other entities, specifying eligibility criteria, authorising them to participate and imposing obligations on them to maintain the security and integrity of the PCEHR system.

 

The PCEHR Bill provides clear privacy protections and clarifies how state and territory privacy laws will apply.  It prescribes the circumstances in which registered consumers and entities can collect, use and disclose information in consumers’ PCEHRs.  It also allows for a range of remedies, including civil penalties, where there is an unauthorised use, collection or disclosure of information in a consumer’s PCEHR or where certain actions occur that might compromise the integrity of the PCEHR system.

 

The Privacy Act 1988 will generally apply to the PCEHR system in respect of health information in consumers’ PCEHRs.  Amongst other things, this will allow the Information Commissioner to investigate any interference with privacy.  The main area where the provisions of the PCEHR Bill will prevail over the Privacy Act are in relation to the collection, use and disclosure of health information in a consumer’s PCEHR. 

 

As well as permitting the making of regulations, the PCEHR Bill permits the Minister for Health and Ageing to make PCEHR Rules.  Such Rules will be legislative instruments and may relate to a range of matters, including the registration and access controls of consumers and registration of entities wishing to participate in the PCEHR system.  The PCEHR Rules will allow flexible and fast responses to evolving technologies and security risks. 

 

The PCEHR Bill implements a range of common mechanisms to provide transparency and scrutiny of the PCEHR system’s operation, including the review of decisions by the System Operator, annual reports by the System Operator and the Information Commissioner and a review of the legislation after it has been operating for two years. 



PERSONALLY CONTROLED ELECTRONIC HEALTH RECORDS BILL 2011

 

NOTES ON CLAUSES

 

PART 1—PRELIMINARY

 

Clause 1     Short title

Clause 1 provides that the Bill, once enacted, will be cited as the Personally Controlled Electronic Health Records Act 2011 .

 

Clause 2     Commencement

Clause 2 provides that the Bill will commence on a day or days to be fixed by Proclamation.  This enables the Governor-General to specify the day the Bill will commence or the days different provisions will commence.  For example, it may be appropriate for the functions of the System Operator and the privacy arrangements to commence before the remainder of the Bill to allow the system framework to be put in place before the system begins on 1 July 2012.

 

If Proclamation has not occurred by either 1 July 2012 or the day the Bill receives Royal Assent, clause 2 provides that the Bill will commence on the day after the later of those dates. 

 

The PCEHR System Operator will not be established, and the registration and PCEHR-specific privacy arrangements will not start, until the Bill (or the relevant parts of the Bill) commences.

 

Clause 3     Object of Act

It is common practice today to include in a bill certain types of explanatory material.  Clause 3 outlines the object of the proposed Act and reflects the purpose of the PCEHR system which is primarily to help overcome the fragmentation of health information and improve the delivery of healthcare by increasing the availability and quality of health information.

 

Clause 4     Simplified outline of Act

This clause serves as a directory to the Bill, outlining what is contained in each Part of the Bill.

 

Clause 5     Definitions

This clause assists in the interpretation of the Bill by defining particular words and phrases used in the Bill.  Many of these terms are aligned with the Healthcare Identifiers Act 2010 (‘HI Act’) and the Privacy Act 1988 (‘Privacy Act’), given the critical role those Acts play in the operation of the PCEHR system.  Some key terms are described below:

 

Approved form

If a consumer or healthcare provider organisation chooses to participate in the PCEHR system, they must apply to the System Operator to be registered (see clauses 39 and 42).  In order to ensure that applications are made in an effective and appropriate manner, and contain the information required by the System Operator to make a decision about the application, the System Operator may determine the approved form an application must take.  This allows the System Operator to specify the form in which applications must be made, and information and documentary requirements to support an application. The System Operator must determine this form in writing.  It is envisaged that details on making applications to register will be published on the System Operator’s website and made available to consumers and healthcare providers in other manners.

 

Consumer-only notes

The PCEHR system will provide the capacity for consumers to enter notes on their health that will not be accessible to healthcare providers.  Consumer-only notes will serve as an aide memoir to consumers for recording details about such things as complementary medicines and general health.

 

Consumers will also have the ability to enter some summary health information in their PCEHR, including medications and allergies, that will be accessible by healthcare providers and will be clearly identified as having been entered by the consumer.  This summary health information will not form part of consumer-only notes.

 

Contracted service provider

The Bill recognises that many healthcare provider organisations outsource their information technology and health information management services to contracted service providers.  The Bill therefore provides for contracted service providers, which are under contract to a healthcare provider organisation, to register to participate in the PCEHR system.  This definition is the same as that used in the HI Act.

 

Court

Court is defined to mean the Federal Court of Australia, the Federal Magistrates Court or a court of a state or territory that has jurisdiction in relation to matters arising under the Bill.  The term Court is used, for example, to specify the courts within which the Information Commissioner may bring proceedings for a contravention of a civil penalty provision.

 

Employee

This definition reflects the broad range of arrangements used by entities that will participate in the PCEHR system.  It recognises contractors and other persons who provide services to an organisation regardless of whether or not they are remunerated for those services, thereby taking account of medical students and volunteer workers.  This definition is critical to clause 99 which extends the authorisations in the Bill (for the collection, use and disclosure of PCEHR information) to employees in certain circumstances.

 

Entity

Carries the same meaning as in the HI Act.  A “person” (paragraph (a) of the definition) will include a body corporate and a body politic as well as an individual: see section 22 of the Acts Interpretation Act 1901 .

 

Healthcare

Is defined in the same way, and is intended to have the same meaning, as health service under the Privacy Act.  The term healthcare has been used to align with the terminology used in the HI Act.

 

Healthcare provider organisations

This definition ensures that any reference to a healthcare provider organisation includes those organisations which provide healthcare services free of charge and takes account of organisations which form part of a larger entity.

 

Health information

Health information is defined in substantially the same way as health information is under the Privacy Act.  The only difference is that under the PCEHR Bill the definition uses the term healthcare rather than health service.  Despite this difference, it is intended that health information have same meaning under the PCEHR Bill as it does under the Privacy Act.  Health information is a subset of personal information.

 

National Law

In 2010, Queensland passed the Health Practitioner Regulation National Law Act 2009 . The other states and the territories have since applied the law set out in the Schedule to the Queensland Act, or substantially applied that law, in their jurisdictions.  The National Law provides for the national regulation of health practitioners.  The PCEHR Bill relies on the National Law for giving certain rights.  For example, only certain types of healthcare providers under the National Law are eligible to be nominated healthcare providers under the PCEHR Bill.

 

Nominated healthcare provider

Nominated healthcare providers play an important role in providing key health information for a consumer’s PCEHR by creating and maintaining a consumer’s shared health summary.  It is critical that shared health summaries be clinically useful and effective for a range of different types of healthcare providers who may review them. Only certain types of providers are eligible to be a nominated healthcare provider, being providers who are registered by a registration authority as a:

 

·          medical practitioner;

·          registered nurse; or

·          Aboriginal health practitioner, Torres Strait Islander health practitioner or Aboriginal and Torres Strait Islander health practitioner within a class specified in the regulations.  The ability to prescribe classes of these types of practitioners is necessary as there may be several levels of qualification held by such practitioners, some of which may not be sufficient for the practitioner to be a nominated healthcare provider.

 

Additional types of healthcare providers may be prescribed in regulations as being eligible to be a nominated healthcare provider in the future, providing flexibility if implementation experience and stakeholder feedback indicate it is needed. 

 

A healthcare provider must have a healthcare identifier under the HI Act and there must be agreement between the healthcare provider and the consumer for the healthcare provider to be the consumer’s nominated healthcare provider.  Such agreement is not required to be written.

 

A consumer is not required to have a nominated healthcare provider.  If a consumer has never had a nominated healthcare provider, the consumer’s PCEHR will not contain a shared health summary but may contain event summaries, discharge summaries and other healthcare documents.

 

Parental responsibility

This definition provides who has parental responsibility for a child - for example,  as a parent, under a court order or as a guardian. The definition relies on definitions in the Family Law Act 1975 and takes account of Commonwealth, state and territory laws regarding custody or guardianship, or access to, a child.  The term parental responsibility is used in the definition of authorised representative which recognises a broader range of legal responsibilities for other persons.

 

Participant in the PCEHR system

This term is defined to include all the entities involved in the PCEHR system - that is, the PCEHR System Operator, registered healthcare provider organisations, registered repository operators, registered portal operators and registered contracted service providers.  It does not include registered consumers.   

 

Personal information

This definition is the same as that used in the Privacy Act. 

 

The Privacy Act defines personal information as “information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion”.   

 

Personally controlled electronic health record (or PCEHR )

A consumer’s PCEHR is compiled from a range of sources and may include existing and new records which have been uploaded to the PCEHR system, as well as records which only exist within the PCEHR system.  A PCEHR includes:

 

·          information about the consumer entered by the System Operator into the Register, such as identifying information, access control settings, details about authorised and/or nominated representatives and details of any prior suspensions of the PCEHR;

·          health information relating to the consumer that has been indexed in order to be accessible via the PCEHR system;

·          other information connected to the consumer as part of the PCEHR system, such as audit information or any actions taken to correct or remove incorrect information; and

·          back-up records of the PCEHR.

 

Use

The Bill sets out circumstances in which information may and may not be collected, used and disclosed.  To avoid any doubt about whether certain activities constitute a “use” of information, the term has been defined to include accessing, viewing, modifying and deleting information.  This is to ensure that authorisations and sanctions under the PCEHR Bill have appropriate coverage.

 

Clause 6     Meaning of authorised representative of a consumer

It is intended that minors and people with no or only limited capacity to act on their own behalf will be able to have a PCEHR.  To enable this, the PCEHR Bill contains the concept of authorised representatives.  An authorised representative will be able to register a consumer for a PCEHR and manage the access controls of the PCEHR on behalf of the consumer.

 

A person claiming to act on behalf of a consumer may apply to the System Operator to register the consumer for a PCEHR or, if the consumer already has a PCEHR, the person may apply to the System Operator to take control of the consumer’s PCEHR.  The System Operator is restricted by the provisions in clause 6 as to who it may recognise as an authorised representative.

 

If the System Operator decides that the person is an authorised representative for the purposes of the PCEHR system, it will adjust the settings of the individual’s PCEHR to provide that the authorised representative, instead of the consumer, can manage the access control settings of the PCEHR.  For the purposes of the Bill and the PCEHR system, an authorised representative is treated as if she or he were the consumer (subclauses 6(7) and (8)).  That is, the authorised representative can do anything authorised or required of the consumer in relation to the PCEHR system, and anything done by an authorised representative in relation to the PCEHR system is taken as if it were done by the consumer.  Where a consumer has an authorised representative, the consumer will not be able to access her or his PCEHR unless the authorised representative has granted her or him access as a nominated representative.

 

A person will generally need a healthcare identifier in order to be an authorised representative (subclause 6(6)).  This requirement is necessary so the System Operator is able to identify persons using the system in order to maintain a comprehensive audit trail of access to consumers’ PCEHRs.  The PCEHR Rules may provide that an authorised representative does not need a healthcare identifier.  It is envisaged that such PCEHR Rules would be made in only limited circumstances.  For example, where a child is under the guardianship of a statutory office holder such as a public guardian, it is not intended that the statutory office holder or their staff would use their own healthcare identifier to identify themselves to the System Operator when acting as an authorised of the child.  However, it is important that such people are identified and paragraph 6(6)(b) will permit PCEHR Rules to be made for this purpose.

 

An authorised representative must always act in the best interests of the consumer, having regard to any directions from the consumer expressed when they had capacity to act on their own behalf (subclause 6(9)).  This obligation will help reduce the risk of an authorised representative acting for their own benefit and helps ensure that preferences previously expressed by the consumer will be taken into account in managing their PCEHR.

 

If the System Operator is not satisfied that a person is the authorised representative of the consumer, the person can request a review of that decision (see subclause 97(1)(a)). 

 

A consumer may have more than one authorised representative.  There are no age restrictions on being an authorised representative for PCEHR purposes. 

 

It is critical that the operation of the PCEHR system be flexible to deal with unique circumstances in respect of minors and persons with limited or no capacity.  The design of the system will provide that, if the PCEHR System Operator is notified of a dispute between authorised representatives over the management of a person’s PCEHR, the System Operator may suspend access by the authorised representatives to the PCEHR.  If this occurs, the PCEHR will continue to be accessible by healthcare providers, and providers will still be able to upload information to the PCEHR in accordance with the access control settings already in place.  The System Operator will reinstate access by authorised representatives when it is satisfied that the dispute has been resolved - for example, as a result of a court order or on receipt of formal advice by all parties involved in the dispute that the dispute has been settled.

 

Persons aged under 18 years

Any authorised representative of a minor will be able to register the minor.  Once the minor is registered, the authorised representative(s) will be responsible for managing the minor’s PCEHR including determining which healthcare provider organisations may access the PCEHR and whether any other persons (including the minor themselves) may access the PCEHR as a nominated representative.

 

If the System Operator is satisfied that a person has parental responsibility for a minor, that person will be recognised as an authorised representative (subclause 6(1)). 

 

If there is no person who the System Operator is satisfied has parental responsibility for a minor, the System Operator may choose to recognise a range of other people as an authorised representative.  For example, a person may satisfy the System Operator that the person is authorised by an Australian law, or by a decision of an Australian court or tribunal, to act on behalf of the minor (paragraph 6(2)(a)).  Subclause 6(2) specifies other circumstances where a person may be recognised as an authorised representative, and is intended to allow the System Operator to take into account exceptional circumstances so that all minors can have an authorised representative and thus a PCEHR.

 

Subclause 6(3) specifies the circumstances in which a minor is taken not to have an authorised representative and may thus take control of their own PCEHR. 

 

An administrative framework for determining whether a minor may take control of their PCEHR, or register themselves for a PCEHR, will be established based on existing Medicare arrangements which acknowledge the growth in maturity and capacity that occurs during the teenage years and the differing family circumstances that can occur.  In summary, the arrangements for the PCEHR system will presume that consumers aged 14 up to 18 years have the capacity to make their own decisions in respect of healthcare information but will recognise that some may choose not to exercise that power and may prefer to have their parent(s) or legal guardian(s) continue to act for them.  PCEHR administrative arrangements will also provide for circumstances where a mature minor under 14 years may register for their own PCEHR, or take control of their existing PCEHR, without the involvement of a parent or legal guardian. In considering whether a mature minor had the capacity to manage their own PCEHR, the System Operator may require written evidence from the minor’s healthcare provider.

 

In practice, when a minor turns 14 years the System Operator will advise the minor in writing of the ability to take control of their PCEHR and explain how the minor can take such an action.  The minor can then determine whether they will continue to allow their parent/s or legal guardian/s to access their PCEHR as a nominated representative, as well as determining which healthcare provider organisations can access their PCEHR and whether any other person can access their PCEHR as a nominated representative.

 

Any minor who has been registered by another person and who chooses to take control of their PCEHR will be required to prove their identity to the System Operator.

 

Example: Ben is 22 years old and he has had a PCEHR since he was 12 years old when his foster parents registered him.  Ben has always been able to view his PCEHR since his foster parents granted him read-only access as a nominated representative.  He has now decided that he wants to actively participate in his own healthcare and manage his PCEHR.  Using the options provided by the PCEHR system, Ben proves his identity to the System Operator and activates the setting which transfers PCEHR control to him.  He then sets the access controls to allow his foster parents read-only access to his PCEHR as nominated representatives.

 

Example: Moira is 12 years old and has diabetes.  Her parents are estranged and are involved in a difficult custody battle over Moira.  Moira’s healthcare provider has determined that, given the circumstances, Moira is a mature minor and is able to make decisions in respect of her healthcare.  Moira is therefore able to make an application to register for a PCEHR.  In considering Moira’s application, the PCEHR System Operator will likely require written advice from Moira’s healthcare provider that she is a mature minor capable of making decisions for herself.

Following a decision by the System Operator to register her, Moira can now manage her own PCEHR including determining which healthcare provider organisations may access her PCEHR and whether her parents or any other persons may access her PCEHR as nominated representatives.

 

When a consumer turns 18, the System Operator will advise them in writing explaining how they may take control of their record.  Upon turning 18, the consumer’s parent(s), legal guardian(s) or other authorised representatives will automatically cease to be authorised representatives in relation to the consumer. In the period between turning 18 and taking action to either manage their PCEHR or cancel their PCEHR registration (in both cases requiring the consumer to prove their identity), the consumer will not be able to access their PCEHR.  However, the consumer’s PCEHR will continue to be accessible by healthcare providers, including for uploading information, subject to the access control settings in place immediately before the consumer turned 18.

 

Example: Keiko has just turned 18 years old and has been notified by the PCEHR System Operator that she is now obliged to manage her own PCEHR, if she chooses to continue having one.  Until now, she has been happy to allow her parents to manage her PCEHR for her but the PCEHR system no longer recognises the authority of her parents and they can no longer access her PCEHR.  Until Keiko takes action (that is, proves her identity and either sets access control settings or cancels her PCEHR registration), her PCEHR will continue to be accessible by her healthcare providers in accordance with the access controls set by he parents.

Keiko decides to keep her PCEHR, so she takes the action specified by the System Operator to take control of her PCEHR.  Keiko can now decide which healthcare provider organisations and other persons (such as her parents) may access her PCEHR.

 

Persons aged at least 18 years

Persons who have limited or no capacity will be able to participate in the PCEHR system.

 

Any authorised representative of a consumer will be able to register the consumer.  Once the consumer is registered, the authorised representative will be responsible for managing the consumer’s PCEHR including determining which healthcare provider organisations may access the PCEHR and whether any other persons (including the consumer themselves) may access the PCEHR as a nominated representative.

 

A person may be an authorised representative of a person over 18 years old if the System Operator is satisfied that a consumer is not capable of making decisions for themselves, and that another person is authorised by an Australian law, or by a decision of an Australian court or tribunal, to act on behalf of the consumer (paragraph 6(4)(a)).  The System Operator may recognise other people as an authorised representative in specified other circumstances (paragraph 6(4)(b)).  This provision allows the System Operator to take into account a range of other circumstances for people without capacity, or with only limited capacity.

 

 

Example: When Rosa was diagnosed with Alzheimer’s disease several years ago, she granted her son, Hakim, Power of Attorney (subject to her capacity) to allow him, once she lost capacity, to make decisions on her behalf.  Rosa’s doctor has now informed Hakim that Rosa no longer has the capacity to make decisions.

Rosa already has a PCEHR which Hakim helped her to set up last year.  Hakim now presents to the PCEHR System Operator evidence of the Power of Attorney granted by Rosa and evidence that it is now in force (written advice by Rosa’s doctor that Rosa has lost decision-making capacity).  The System Operator then gives Hakim access to Rosa’s PCEHR as an authorised representative.  Hakim can now manage Rosa’s PCEHR on her behalf which includes managing the access controls and entering notes about Rosa’s health for his own reference.

 

 

Clause 7     Definition of nominated representative of a consumer

This definition supports the involvement of non-healthcare professionals involved in assisting consumers in managing their healthcare.  Nominated representatives may be family members, carers, neighbours or any other person nominated by a consumer. 

 

For a person to be a nominated representative, there must be an agreement between the consumer and the proposed nominated representative.  This agreement does not have to be in writing.  The consumer must also notify the System Operator that the other person is her or his nominated representative.  In practice, the requirement for agreement and notification will be satisfied by the consumer setting the access controls to their PCEHR granting the nominated representative a particular level of access. 

 

A nominated representative will be able to access the consumer’s PCEHR, subject to any access controls set by the consumer.  This means that, in some cases a nominated representative may only have read-only access to a consumer’s PCEHR, should a consumer so wish.  In other cases, a consumer may allow a nominated representative to have the same level of control as an authorised representative - that is, be able to act on behalf of the consumer in relation to the consumer’s PCEHR, including setting access controls on the consumer’s PCEHR and granting access to healthcare provider organisations. 

 

This flexibility in setting access controls is designed to take into account the many circumstances where a person may not be able to, or may not wish to, manage their own PCEHR but where they do not have a formal legally recognised representative to act on their behalf. 

 

Example: Machiko’s father, Toshio, is on numerous medications.  Machiko assists her father in managing his healthcare.  Toshio has given his daughter read-only access to his PCEHR as a nominated representative, thereby allowing Machiko to easily view key health information about her father, such as currently prescribed medications and test results. This helps Machiko provide care and assistance to her father.

Example: Helen has schizophrenia which sometimes affects her capacity to make healthcare decisions.  Helen has given her sister, Beverly, full access to her PCEHR as a nominated representative, thereby allowing Beverly to act on Helen’s behalf in relation to her PCEHR.  Beverly can enter information into Helen’s PCEHR, such as keeping a record of the frequency of Helen’s episodes, and can change the access control settings for Helen’s PCEHR including granting new healthcare provider organisations access to Helen’s PCEHR.

 

A nominated representative is subject to any access limitations that have been set by the consumer, so for example a nominated representative who has been provided with full access by the consumer is entitled to do anything that a consumer is entitled to do (paragraph 7(2)(a)), and the nominated representative is treated as if she or he were also the consumer (paragraph 7(2)(b)).

 

Unlike the authorised representative arrangements, a consumer will still be able to access and control her or his PCEHR if she or he has a nominated representative (subclause 7(4)).

 

There may be more than one nominated representative in respect of a PCEHR, and there are no age restrictions on being a nominated representative. 

 

A nominated representative with read-only access will not require a healthcare identifier, allowing for circumstances where a consumer may have a family member overseas who is involved in the consumer’s healthcare.  Any access to a consumer’s PCEHR by a nominated representative who does not have a healthcare identifier will be recorded for audit purposes, however, the identity of the nominated representative may not be able to be verified by the System Operator.  Consumers will need to take this into account if they choose to have more than one nominated representative.

 

 For a nominated representative to be given more than read-only access to a consumer’s PCEHR (which means they will be able to change access settings), the representative will require a healthcare identifier, unless the PCEHR Rules provide otherwise (subclause 7(3)(d))).  The PCEHR Rules may provide that nominated representatives with more than read-only access to a consumer’s PCEHR do not require a healthcare identifier to deal with the same types of situation discussed in relation to subclause 6(6).  It is envisaged that any PCEHR Rules made under subclause 7(3) would be made in only limited circumstance and would require the nominated representative to be identifiable in some other way.

 

A nominated representative must always act in the best interests of the consumer, subject to the consumer’s directions (subclause 7(6)).  This obligation will help reduce the risk of nominated representative acting for their own benefit and helps ensure that  directions given by the consumer about how their PCEHR should be managed will be implemented.

 

Clause 8     References is sections 6 and 7 to certain things

This clause ensures that the provisions in clauses 6  and 7 can apply to authorised representatives and nominated representatives as necessary.  It does this by permitting regulations to be made, if necessary, prescribing provisions of other Acts so that authorised representatives and nominated representatives who are able to change access settings can act on behalf of consumers under the PCEHR Bill. Without the ability to make regulations under this clause, provisions in other Acts may effectively prevent a consumer’s representatives acting on behalf of the consumer in relation to the consumer’s PCEHR.

 

Clause 9     Definition of identifying information

This is defined for the purposes of clause 58.  Identifying information is defined in respect of consumers (subclause 9(3)), healthcare providers (subclause 9(1)) and healthcare provider organisations (subclause 9(2)) and generally includes the name, address and other details of the person or entity.  Identifying information is necessary for the purposes of verifying identities for registration and ongoing use of the PCEHR system.  The definition is similar to the definition of identifying information under the HI Act.

 

Clause 10   Definition of shared health summary

A shared health summary is an important tool for providing key health information in a consumer’s PCEHR.  A shared health summary for a consumer, at any particular time, is a record which is prepared by a nominated healthcare provider, is described by that provider as a shared health summary, has been uploaded to the National Repositories Service and is at that time the most recent shared health summary uploaded.  Each time a new shared health summary is uploaded, it will replace the previous summary (records which were previously shared health summaries will remain accessible via the PCEHR system).  There will only be one shared health summary for a consumer at any given time.

 

Clause 11   Act to bind the Crown

This clause provides that the Bill binds the Crown in each of its capacities.   This means that the Bill is intended to apply (and be observed by) the Commonwealth and each of the States, the Australian Capital Territory and the Northern Territory.

 

While each jurisdiction will be legally bound by the arrangements set out in the Bill, the Crown will not be liable for pecuniary penalties or subject to prosecution for offences (subclause 11(2)).  This is a common clause in Commonwealth legislation. 

 

While the Crown cannot be liable to be prosecuted for an offence, or liable for a pecuniary penalty, this does not mean that all action against the Crown is precluded.  This is explained in the note to subclause 11(2).  If the Crown in any of its capacities does not comply with its obligations under this Bill, other remedies are potentially available.  For example, it may be subject to a declaration or injunction, investigated by the Information Commissioner under the Privacy Act, investigated by the Ombudsman, subject to Parliamentary scrutiny or subject to claims for breach of statutory duty.  Further, while the Crown may have immunity in certain regards, the employees and contractors of the Crown will not necessarily have any such immunity.  Finally, nothing in the Bill prevents an individual who suffers loss or damage from seeking to recover that loss or damage from the person who caused it. 

 

Clause 12   Concurrent operation of State laws

The Bill has been developed to work in conjunction with existing Australian laws as far as is possible.  This clause provides that the Bill does not apply to the exclusion of a law of a state or territory to the extent that that law is capable of operating concurrently with the Bill.

 

There are state and territory laws which are specifically intended to be overridden by this Bill in order to ensure the effective operation of the PCEHR system (see clause 41).  These include:

 

·          laws prohibiting the uploading of health records without the “express” consent of a consumer.  For example, Health Privacy Principle 15(1) of the Health Records and Information Privacy Act 2002 (NSW); and

 

·          laws prohibiting the disclosure of health information to an entity outside a state or territory, or to the Commonwealth, without the consent of the consumer. For example, Health Privacy Principle 14(b) of the Health Records and Information Privacy Act 2002 (NSW) and Health Privacy Principle 9.1(b) of the Health Records Act 2002 (Vic).

 

There are also state and territory laws that are not intended to be displaced by this Bill.  These relate to the disclosure of a person’s identity or confidential information in connection with certain notifiable diseases.  It is proposed that such state and territory laws, which may otherwise be displaced by the Bill, will be prescribed by regulation under (subclause 41(4)) and will be preserved.

 

Clause 13   External Territories

This clause provides for the Bill to apply to Australia and all its external territories - for example, Christmas Island, Cocos (Keeling) Islands, Ashmore and Cartier Islands, Norfolk Island, Coral Sea Islands, Heard Island and McDonald Islands, and the Australian Antarctic Territory.  This means that consumers and entities located in Australia and each of the external territories may be eligible to participate in the PCEHR system.

 

 

PART 2—THE SYSTEM OPERATOR, ADVISORY BODIES AND OTHER MATTERS

 

Part 2 of the Bill sets out the governance arrangements for the PCEHR system.  It establishes the System Operator (the body responsible for creating and running the PCEHR system) and specifies its functions.  Part 2 also specifies advisory bodies to the System Operator and prescribe s their functions, and confers functions on the Chief Executive Medicare in respect of the PCEHR system.

 

Division 1—System Operator

 

Clause 14   Identity of the System Operator

The PCEHR system will be managed by the System Operator which is established by clause 14. 

 

Subclause 14(1) specifies that the System Operator is the Secretary of the Department of Health and Ageing.  It also provides that another body established by a law of the Commonwealth may be prescribed by the regulations to be the System Operator (paragraph 14(1)(b)).   

 

Having the Secretary of the Department as the System Operator will ensure:

·          accountability and transparency of operations;

·          coverage by Commonwealth financial, data security and privacy arrangements;

·          a smooth transition from contractual governance arrangements established for the system build; and

·          the ability to coordinate the necessary jurisdictional and stakeholder involvement.

 

Discussions will continue with the states and territories around possible future options for the development of an inter-jurisdictional national e-health body.

 

Before regulations are made which prescribe a body to be the System Operator, the Minister must consult with the Ministerial Council (subclause 14(2)).

 

Clause 15   Functions of the System Operator

This clause prescribes the functions of the System Operator, giving the System Operator the necessary legal authority to establish and run the PCEHR system.

 

The System Operator must:

 

·          establish and operate an index service (paragraph 15(a)) - the index service associates a consumer with clinical documents relating to the consumer which are stored in registered repositories or the National Repositories Service.  The index service enables a consumer’s PCEHR to be compiled from various sources.  Clinical documents will be associated with consumers using the consumer’s healthcare identifier;

·          implement and maintain access control mechanisms for consumers, subject to any requirements in PCEHR Rules (paragraph 15(b)) - access control mechanisms will enable a consumer to control access to their PCEHR by healthcare providers and nominated representatives.  If a consumer does not set access controls, default access controls will apply.  Access control mechanism may also specify when access to a consumer’s PCEHR is to be automatically suspended or cancelled - for example, it is proposed that access by authorised representatives will be automatically cancelled upon the consumer turning 18.  Paragraph 15(c) sets out further minimum requirements for access control mechanisms to be established and maintained by the System Operator;

 

·          establish and operate a reporting service (paragraph 15(d)) - this service will support reporting and analysis on the operation of the PCEHR system for use in, for example, the System Operator’s annual report to Parliament;

 

·          establish and manage the Register (paragraph 15(e)) - the Register is established under clause 56.  It will be used for operations of the PCEHR system, including to record information about the registration of consumers and other participants In the PCEHR system, and consumers’ access control settings. .  The System Operator is responsible for ensuring appropriate details are recorded in this Register (clause 57).  The Register will not contain health information;

 

·          register consumers and participants (paragraph 15(f)) - this will involve functions such as implementing a system of registration and making decisions as to whether or not to register participants in the PCEHR system and consumers (including decisions about whether a person is an authorised representative of a consumer).  It will also involve varying, suspending or cancelling the registration of participants and consumers, where necessary, and monitoring compliance by participants with conditions of registration;

 

·          establish and manage the audit service (paragraph 15(g)) - this service will record all activity in relation to information in the PCEHR system for transparency and regulatory purposes.  The record will include activity in relation to consumers’ PCEHRs and activities undertaken by participants in the PCEHR system including healthcare provider organisations, portal providers and contracted service providers. The audit service will ensure that a consumer can obtain details of all flows of information relating to her or his PCEHR (paragraph 15(h)(i) and (ii).  A summary of the flows of information in relation to a consumer’s PCEHR will be accessible electronically.  Consumers may obtain from the System Operator a detailed record of flows of information in relation to their PCEHR;

·          establish and operate the National Repositories Service (paragraph 15(i)) - this Service will ensure there is a minimum critical set of health information about registered consumers, including shared health summaries, discharge summaries, event summaries and specialist letters.   The National Repositories Service will also provide secure storage for consumer-only notes;

·          establish a complaints handling mechanism (paragraph 15(j)) - this service will provide national arrangements for consumers and participants to make complaints relating to the PCEHR system, although consumers will still have the ability to lodge complaints with other appropriate bodies such as national or state privacy or health information regulators;

·          ensure that the PCEHR system is administered so that problems may be resolved (paragraph 15(k));

·          advise the Minister of matters relating to the PCEHR system (paragraph 15(l)) - this function will involve advising on a broad range of matters of which the Minister should be made aware or on which the Minister has sought advice.  This function includes advising the Minister about matters to be included in PCEHR Rules; and

·          educate the public, consumers and participants about the PCEHR system (paragraph 15(m)) - providing information on the PCEHR system for consumers and healthcare providers is a key part of ensuring they are aware of the benefits of the PCEHR system, and that those involved in the system are aware of their rights and obligations.  Effective availability of information will help protect the integrity and security of the PCEHR system, and the health information stored in it.

 

Clause 16   System Operator to have regard to advisory bodies’ advice etc.

In carrying out its functions as specified in clause 15, the System Operator must have regard to advice and recommendations (if any) given to it by the two advisory bodies established by the Bill: the Jurisdictional Advisory Committee (Part 2 of Division 2) and the Independent Advisory Council (Part 2 of Division 3).

 

The System Operator is not required to follow the advice of these advisory bodies. However, the existence of these bodies provides the System Operator with access to specialist advice in a broad range of areas.  Such advice and recommendations, and subsequent decisions by the System Operator, may be made public to provide for scrutiny and transparency.

 

The System Operator and the advisory bodies may draw on other expert advice as appropriate, including from the Office of the Australian Information Commissioner in relation to privacy matters.

 

Information about the operations of the advisory bodies may be reported in the System Operator’s annual report (subclause 107(3)).

 

Clause 17   Retention of records uploaded to National Repositories Service

The National Repositories Service will ensure that there is capacity to store a minimum critical set of health information about registered consumers, which will include shared health summaries, event summaries, discharge summaries and specialist letters.  The Service will also provide secure storage for consumer-only notes.

 

The National Repositories Service must retain any record which contains health information about a consumer until 30 years after the consumer has died or, if the System Operator does not know the date of death, for 130 years from the date the record was uploaded to the National Repositories Service (paragraph 17(2)(b)).

 

These requirements support the longevity of a minimum data set in the PCEHR system. 

 

These retention requirements for the National Repositories Service will not apply to registered repositories, such as those operated by state governments or the private sector.  Those repositories are already subject to existing Commonwealth, state or territory arrangements concerning the retention of health records and will not be subject to any additional retention requirements under this Bill.

 

The National Repositories Service will retain the records of a consumer for a period after she or he dies and, during that time, the records will continue to be given the same privacy protections which were in place when the consumer was alive. 

 

Division 2—Jurisdictional advisory committee

 

Many of the benefits to the health system and to healthcare outcomes arise from up-to-date information being available when patients move to, from and within the primary and acute care sectors.  Ensuring the involvement of the states and territories and their input into the operation and implementation of the PCEHR system is therefore crucial. 

 

The Jurisdictional Advisory Committee will ensure state and territory involvement in the operation of the PCEHR system.

 

Clause 18   Establishment, functions and status of the jurisdictional advisory committee

Subclause 18(1) establishes the Jurisdictional Advisory Committee.  The purpose of this committee is to advise the System Operator on matters relating to the interests of the Commonwealth, states and territories, and any other functions which are prescribed by the regulations (subclause 18(2)).

 

This committee will have the privileges and immunities of the Crown, which means it will not be liable for pecuniary penalties or be subject to prosecution for offences (subclause 18(3)).  See the discussion above in relation to clause 11 for an outline of the limitations on this immunity.

 

Clause 19   Membership of the jurisdictional advisory committee

Membership of the committee will comprise:

·          a representative of the Commonwealth (paragraph 19(1)(a)), to be appointed by the Minister in writing (subclause 19(2)); and

·          a representative of each state and territory (paragraph 19(1)(b)), to be appointed by the head of the relevant state or territory health department in writing (subclause 19(3)).

 

This ensures equal representation of the Commonwealth, states and territories.  It also ensures that states and territories have a voice in relation to operation of the PCEHR system, including how the System Operator performs its functions.

 

All members will be appointed on a part-time basis (subclause 19(4)) which is standard for this type of statutory body.

 

State and territory representatives will take turns chairing the committee (subclause 19(5)).

 

Clause 20   Termination of appointment of members of the jurisdictional advisory committee

The appointment of the Commonwealth representative may be terminated by the Minister at any time (subclause 20(1)).  Similarly, the appointment of a state or territory representative may be terminated by the relevant state or territory health department head at any time (subclause 20(2)).  The Bill does not prescribe any criteria for deciding to terminate the appointment of a member so these decisions will be made at the discretion of the Minister and the relevant health department head, respectively.

 

Clause 21   Substitute members of the jurisdictional advisory committee

In circumstances where a member is unable to attend a meeting of the committee, the Minister (subclause 21(1)) or the state or territory health department head (subclause 21(2)), depending on who appointed that particular member, may nominate another person to attend in place of the absent member. 

 

Clause 22   Application of the Remuneration Tribunal Act

The members of the committee will not receive payment under the Remuneration Tribunal Act 1973 .  Since the Commonwealth, state and territory representatives on this committee will likely be government employees, and will likely continue to receive a salary while participating on the committee, these members will not be eligible for payment under the Remuneration Tribunal Act 1973 in fulfilling their role as a committee member.  This is a common arrangement for government employee participation in government committees.  The Bill does however provide that regulations may be made in relation to remuneration of committee members if the need should arise (see clause 23).

 

Clause 23   Regulations may provide for matters relating to committee

The Bill provides that regulations may be made regarding the Jurisdictional Advisory Committee (clause 23), thereby permitting additional arrangements to be prescribed for the committee which are not already set out in the Bill.  The regulations may relate to:

 

·          any qualifications for the Commonwealth member (paragraph 23(a));

·          subject to clause 20;

·          remuneration and allowances which may be paid to members (subparagraphs 23(b)(i) and (ii));

·          arrangements for leaves of absence (subparagraph 23(b)(iii));

·          the disclosure of members’ interests (subparagraph 23(b)(iv)); and

·          the operation of procedures of the committee (paragraph 23(c)).  In this regard, the regulations may prescribe that the committee can determine its own procedures on any matter. 

 

Division 3—Independent advisory council

 

The involvement of healthcare providers, consumers and other health sector stakeholders will also be crucial to the success of the PCEHR system, particularly in ensuring clinically safe operations, expert advice on technical, security and privacy issues and expert advice on the consumer experience and consumer needs in managing their own healthcare.

 

The Independent Advisory Council will ensure the involvement of key stakeholders that reflect a broad range of experience, and the provision of key expertise in the operation of the PCEHR system.

 

Subdivision A—Establishment, functions and status

 

Clause 24   Establishment, functions and status of independent advisory council

Subclause 24(1) establishes the Independent Advisory Council.  The purpose of the Council is to advise the System Operator on matters relating to the operation of the PCEHR system, participation in the PCEHR system, and consumer security, privacy and clinical matters relating to the operation of the PCEHR system (paragraphs 24(2)(a) to (c)).  The Committee may also advise the System Operator on matters prescribed by the regulations (paragraph 24(2)(d)), which gives the flexibility to add new functions as necessary. 

 

Clause 25   Independent advisory council has privileges and immunities of the Crown

This Council will have the privileges and immunities of the Crown, which means it will not be liable for pecuniary penalties or be subject to prosecution for offences.  See the discussion above in relation to clause 11 for an outline of the limitations on this immunity.

 

Subdivision B—Membership

 

Clause 26   Membership of the independent advisory council

Membership of the council will comprise:

 

·          a Chairperson;

·          a Deputy Chair; and

·          a minimum of seven and a maximum of 10 other members.  These numbers are designed to ensure that the Council has available to it the necessary expertise and experience, but remains small enough to be effective.

 

Clause 27   Appointment of members

All Council members will be appointed by the Minister in writing (subclause 27(1)).  In making appointments, the Minister must ensure that members between them have certain expertise and experience:

 

·          three members must represent consumers’ interests and must have significant knowledge of consumers’ receipt of healthcare (paragraph 27(2)(a)).  This recognises the diversity of the delivery to, and receipt of, healthcare by consumers and the unique needs of certain groups.  These members may not be healthcare providers (subclause 27(3)).

·          the remaining members of the Council must between them have experience or knowledge in:

 

o    the provision of healthcare as a medical practitioner (subparagraph 27(b)(i));

o    the provision of healthcare as a healthcare provider other than a medical practitioner (subparagraph 27(b)(ii));

o    law and/or privacy (subparagraph 27(b)(iii));

o    health informatics and/or information technology services relating to healthcare (subparagraph 27(b)(iv));

o    healthcare administration (subparagraph 27(b)(v));

o    healthcare for Aboriginal or Torres Strait Islander people (subparagraph 27(b)(vi)); and

o    healthcare for people living or working in regional areas (subparagraph 27(b)(vii));

 

These fields of experience will ensure that appropriate advice can be provided by the Council to the System Operator regarding the operations of the PCEHR system.

 

Council members will be appointed on a part-time basis (subclause 27(4)) which is standard for this type of statutory body.  Appointments cannot exceed five years (subclause 27(5)), although members will be eligible for re-appointment as explained in the note below (subclause 27(1)).

 

Clause 28   Acting appointments

If there is a vacancy, or an absence or an inability to perform duties, the Minister may appoint an acting Chair (subclause 28(1)), Deputy Chair (subclause 28(2)) or member (subclause 28(3)) to temporarily fill that position.  Any such appointments must be made in writing.

 

Subdivision C—Members’ terms and conditions

 

The appointment of the Council members, including the Chair and Deputy Chair, will be subject to certain terms and conditions which are specified in Subdivision C of Part 2 of the Bill.

 

Clause 29   Remuneration

A member of the Council will be paid for their services as a Council member in accordance with the Remuneration Tribunal Act 1973 (subclause 29(1)), except where the member is a full-time employee of the Commonwealth, a state or territory, or a state or territory authority or instrumentality (subclause 29(2)).  It is intended that any full-time government employees should not be entitled to be paid for their role on the Council given that they would continue to receive a salary while performing that role.

 

If the Remuneration Tribunal has not made a determination, the members of the Council will be paid the remuneration which is set out in the regulations (subclause 29(1)).

 

Any allowances to be paid to members of the Council will be set out in the regulations (subclause 29(3)).

 

Clause 30   Leave

The Chair may be granted a leave of absence by the Minister (subclause 30(1)), and other members may be granted a leave of absence by the Chair (subclause 30(2)).  A leave of absence will be subject to the terms and conditions determined by the Minister or Chair, respectively.

 

Clause 31   Disclosure of interests to the Minister

A member must disclose to the Minister in writing any interests that conflict, or could conflict, with the proper performance of duties as a member of the council. 

 

Clause 32   Disclosure of interests to the independent advisory council

In the case of a member having an interest in a matter being considered by the Council, the member must formally disclose her or his interests to the Council (subclause 32(1)) and may be required to absent herself or himself from the consideration of the matter (subclauses 32(4) and (5)).  Any such disclosure, and the Council’s decision as to how to treat the member in respect of those interests, must be recorded in the Council’s minutes (subclauses 32(3) and (6)).

 

Clause 33   Resignation

A member may resign from the Council by giving written notification to the Minister, and the resignation will take effect in accordance with subclause 33(2).

 

Clause 34   Termination of appointment

The appointment of a member of the Council may be terminated by the Minister for various reasons including misbehaviour or incapacity (subclause 34(1)), bankruptcy or absence (subclause 34(2)) and failing to disclose interests (paragraph 34(2)(c)). 

 

The Minister must consult with the System Operator before terminating the appointment of a member (subclause 34(3)).  However, a failure to consult will not by itself invalidate the Minister’s decision to terminate the appointment of a member (subclause 34(4)).  This provides flexibility for an appointment to be terminated immediately and is only intended to be used in exceptional circumstances.

 

Clause 35   Other terms and conditions

This clause allows for the Minister to determine other terms and conditions that will apply to a member’s appointment, but only where such matters are not covered by the Bill.

 

Subdivision D—Procedures of the independent advisory council

 

Clause 36   Who presides at meetings

The Chair will preside at all meetings she or he attends (subclause 36(1)).  In the Chair’s absence, the Deputy Chair will preside (subclause 36(2)) or otherwise the members will elect a member to preside (subclause 36(3)). 

 

Clause 37   Regulations may provide for other procedural matters

This clause provides that the regulations may prescribe matters relating to the operation and procedures of the Council, including by allowing the Council to determine its own procedures.

 

 

 

Division 4—Functions of Chief Executive Medicare

 

Clause 38   Registered repository operator

The Medicare program, which is part of the Department of Human Services, holds a range of health information that consumers may wish to include in their PCEHR.  This information includes Medicare Benefits Schedule (MBS) claiming history, Pharmaceutical Benefits Scheme (PBS) claiming history, Australian Organ Donation Register (AODR) details and Australian Childhood Immunisation Register (ACIR) information.  While the information may lack the clinical richness of information uploaded by treating healthcare providers, it nevertheless provides a longitudinal source of information about a consumer’s healthcare events. 

 

Clause 38 will allow the holder of the Medicare information - that is, the Chief Executive Medicare - to make this information available to the PCEHR system where a consumer consents to the information being included in her or his PCEHR.

 

A new function is conferred on the Chief Executive Medicare to apply to be a registered repository operator and, if registered, to operate a repository for PCEHR purposes (subclause 38(1)).  The Chief Executive Medicare must meet the same eligibility requirements as other applicants wishing to be come registered repository operators, and the final decision on whether to register the Chief Executive Medicare will rest with the System Operator.

 

If the Chief Executive Medicare becomes a registered repository operator, she or he may upload any health information they hold about a registered consumer to its repository (paragraph 38(2)(a)).  Where a consumer consents to including the health information in his or her PCEHR, the Chief Executive Medicare may then make the information available to the System Operator (paragraph 38(2)(b)). 

 

It is intended that the Chief Executive Medicare will establish a PCEHR-specific repository which is separate to existing repositories of Medicare program data.  Obligations under the PCEHR Bill will apply to the PCEHR repository operated by the Chief Executive but not to other Medicare program repositories. It is from PCEHR-specific repository that Medicare program information will be made available through the PCEHR system to consumers and their healthcare providers.  

 

Other functions may be delegated to the Chief Executive Medicare under clause 98.

 

PART 3—REGISTRATION

 

Participation in the PCEHR system will involve a registration process to ensure eligibility criteria are met, the identity of consumers and other participants is verified and that necessary technical, security and administrative criteria are in place. 

 

The provisions set out in the Bill have been developed to support an easy, streamlined registration process as proposed by the Concept of Operations. 

 

Part 3 of the Bill sets out the eligibility criteria for registration of consumers and each type of participant, requirements for registration, the obligations of the System Operator in the registration process and the obligations of consumers and participants for the duration of their participation.  Failure to meet the prescribed requirements and terms and conditions may result in the suspension or cancellation of registration and/or other sanctions.

 

Division 1—Registering consumers

 

From the date the Bill commences, Australians and other healthcare consumers in Australia may be eligible to register for a PCEHR.  These individual are referred to in the Bill as consumers. 

 

Clause 39   Consumers may apply for registration

Registration is entirely voluntary and consumers who choose not to register for a PCEHR will continue to be able to access healthcare services, and medical benefits in accordance with current eligibility criteria.

 

If a consumer chooses to apply for registration, they will need to make an application to the PCEHR System Operator (subclause 39(1)).  The System Operator will determine the manner in which applications must be made, including the information that must be provided and how applications are to be made (subclause 39(2)). 

 

It is envisaged that applications will be able to be made using a variety of channels, including online, via Medicare branded shopfronts, over the phone and by post.  Assistance will be available for those that need help registering.

 

Clause 40   When a consumer is eligible for registration

In order to register for a PCEHR, a consumer must have a healthcare identifier issued under the HI Act (paragraph 40(a)).  In practice, the healthcare identifier must be verified by the Healthcare Identifiers Service (‘HI Service’), which means that the HI Service Operator needs to verify the identity of the consumer to whom the healthcare identifier has been assigned - see paragraph 41(1)(c).

 

The consumer must provide to the System Operator her or his:

 

·          full name (paragraph 40(b)(i));

·          date of birth (paragraph 40(b)(ii));

·          healthcare identifier or Medicare number or Department of Veterans’ Affairs file number (paragraph 40(b)(iii)); and

·          sex (paragraph 40(b)(iv)).

 

This information is necessary for the System Operator to locate the healthcare identifier for the consumer, and to verify the identity of the consumer under paragraph 41(1)(c).

 

The consumer must also provide to the System Operator any other information that is set out in the regulations (paragraph 40(b)(v)).

 

Pseudonyms

Pseudonymous are used when seeking healthcare in special circumstances, such as:

 

·            witness protection;

·            where individuals seek to quarantine certain types of treatment from other healthcare information.  For example, a person may seek treatment for a sexually transmitted infection using a pseudonym so that the resulting information is not tied to their true identity;

·            where individuals fear exposure due to the public nature of their work; and

·            where individuals fear being traceable when escaping family violence. 

 

Such arrangements will continue to be available under the PCEHR system, and a  person may register for a PCEHR using a pseudonym.  However, in order to register for a PCEHR using a pseudonym, the person must first obtain a pseudonymous healthcare identifier from the HI Service. 

 

Subclause 109(5) permits PCEHR Rules to be made which modify provisions of the Bill, including clause 40, if this is necessary to permit registration for a PCEHR using a pseudonym. 

 

A person will be able to register for a PCEHR in respect of their true identity and separately register for a PCEHR in respect of their pseudonymous identity.  These PCEHRs will not be connected in any manner, and the information contained in each PCEHR will depend on the identity used the consumer at the time of receiving healthcare.

 

 

Clause 41   Registration of a consumer by the System Operator

 

If a consumer has made an application under clause 39, and is eligible to be registered under clause 40, the System Operator is required to decide whether to register the consumer.  The System Operator must be satisfied that:

·          the consumer’s identity has been appropriately verified, having regard to any matters set out in the PCEHR Rules (paragraph 40(b));

·          registration of the consumer will not compromise the security or integrity of the PCEHR system, having regard to any matters set out in the PCEHR Rules (subclause 41(2)); and

·          the consumer has consented to healthcare providers  uploading health information to the consumer’s PCEHR subject to the conditions described below (subclause 41(3)). 

 

Consent

Personal control of a consumer’s PCEHR is one of the central elements of the PCEHR system.  Subclauses 41(3) and (4) are designed to balance the desire for consumers to be able to exercise personal control with the need for uploading arrangements to be administratively simple and efficient for healthcare providers. 

 

Subclause 41(3) means that, in order to be registered, consumers will need to give a “standing” consent to allow treating healthcare providers to upload health information about them to their PCEHR.  This consent will continue to apply unless:

 

·            the consumer expressly advises their healthcare provider not to upload a particular record, all records or a class of records (paragraph 41(3)(a)); or

·            a law of a State or Territory has been prescribed in the regulations and that State or Territory law would, as a result, prohibit or otherwise restrict the uploading of the record (paragraph 41(3)(b) and subclause 41(4)).

 

Paragraph 41(3)(b) and subclause 41(4) are designed to ensure that state and territory requirements can be preserved in relation to the disclosure and uploading of certain health information, such as in connection with HIV and other notifiable diseases. As noted above, such state and territory laws (or provisions of such laws) must be prescribed in the regulations.  Where a state or territory law has been prescribed in accordance with paragraph 41(3)(b) and subclause 41(4), healthcare providers must not upload a record unless they meet the requirements in the prescribed laws.  It is envisaged that one or more of the following provisions of state and territory laws may be prescribed:

·          sections 110 and 111 of the Public Health Act 1997 (ACT);

·          section 17 of the Health Records and Information Privacy Act 2010 (NSW);

·          section 29 of the Notifiable Diseases Act (NT);

·          section 77 and subsection 79(b) of the Public Health Act 2005 (Qld);

·          section 42 of the Public and Environmental Health Act 1987 (SA);

·          sections 61 and 147 of the Public Health Act 1997 (Tas);

·          subsections 141(2) and (3) of the Health Services Act 1988 (Vic); and

·          section 314 of the Health Act 1911 (WA).

 

If the PCEHR System Operator decides to register a consumer, the System Operator is required to enter the prescribed information in the Register (see Part 3 of Division 5).  If the System Operator decides not to register a consumer, the consumer may request a review of that decision (see clause 97).

 

Access controls

When a consumer registers, she or he can choose to set advanced access controls in relation to which healthcare provider organisations may access their PCEHR.  It is proposed that an online tutorial and other assistance will be available to help consumers wishing to implement advanced access controls. 

 

Default settings will apply where a consumer chooses not to set advanced controls.  It is proposed that the default access controls will allow any healthcare provider organisation providing care to the consumer to access the consumer’s PCEHR.  Consumers will be able to choose whether any other persons can access the PCEHR as nominated representatives.

 

Division 2—Registering healthcare provider organisations

 

From the date the Bill commences, healthcare provider organisations in Australia may be eligible to register to participate in the PCEHR system.  Participation will enable healthcare providers and organisations to access, and upload, their registered patients’ health information in accordance with consumer consent and the authorisations specified in the Bill.

 

Participation by healthcare provider organisations is voluntary.

 

The legislation provides for minimum requirements applicable to registered healthcare provider organisations to ensure a consistently high standard of security and integrity for the PCEHR system.  Additional requirements may be specified in PCEHR Rules or in regulations.  Failure to meet these requirements may undermine the security and integrity of the PCEHR system so the legislation provides that certain actions may be taken where this occurs. 

 

Clause 42   Healthcare provider organisation may apply for registration

If a healthcare provider organisations chooses to register, the organisation must make an application to the PCEHR System Operator (subclause 42(1)).  The System Operator will determine the manner in which applications must be made, including the information that must be provided and how applications are to be made (subclause 42(2)).

 

It is proposed that applications will be able to be made using a variety of channels, including online, over the phone or at branded shopfronts.

 

A registered healthcare provider organisation will have the ability to authorise persons within the organisation to use the PCEHR system.  The registered organisation may authorise individual healthcare providers, administrative and other support staff, trainees (including medical students) and contractors as users of the PCEHR system (clause 99). 

 

Clause 74 imposes an obligation on registered organisations regarding the identification of authorised users when those users access the PCEHR system.

 

Clause 43   When a healthcare provider organisation is eligible for registration

In order to be eligible to register, a healthcare provider organisation must:

 

·          have a healthcare identifier issued under the HI Act (paragraph 43(a));

·          comply with any requirements set out in the PCEHR Rules (paragraph 43(b)).  The PCEHR Rules may include technical and security requirements;

·          agree to the conditions imposed on the healthcare provider organisation by the System Operator under subclause 44(3) (paragraph 43(c)).

 

If at any time a registered healthcare provider organisation ceases to meet these eligibility criteria, it must notify the System Operator in writing within 14 days (see clause 76).  Failure to do so may result in action being taken against the healthcare provider organisations, including the imposition of a penalty. 

 

Clause 44   Registration of a healthcare provider organisation

 

If a healthcare provider organisation has made an application as required by clause 42, and is eligible to be registered under clause 43, the System Operator must decide whether to register a healthcare provider organisation (subclause 44(1)).  The System Operator must be satisfied that registration of the healthcare provider organisation will not compromise the security or integrity of the system, having regard to any matters set out in the PCEHR Rules (subclause 44(2)).

 

If the PCEHR System Operator decides to register a healthcare provider organisation, the System Operator is required to enter the prescribed information in the Register (see Part 3 of Division 5).  The System Operator may impose conditions on the registration of healthcare provider organisations (subclause 44(3)).  Healthcare provider organisations may seek a review of any conditions imposed (see clause 97).

 

If the System Operator decides not to register a healthcare provider organisation, the healthcare provider organisation can request a review of that decision (see clause 97).

 

Clause 45   Condition of registration—uploading of records, etc.

This clause prescribes statutory conditions that apply to the registration of healthcare provider organisations in relation to the uploading of records.  Failure to comply with these conditions at any time while the healthcare provider organisation is registered may result in the System Operator suspending or cancelling the registration of the healthcare provider organisation.

 

The conditions set out in clause 45 apply only to registered healthcare provider organisations in relation to dealings with the PCEHR records and interactions with the PCEHR system.  These conditions will not otherwise apply.  For example, a healthcare provider who is employed by a registered healthcare provider organisation need not meet these conditions when dealing with a consumer who does not have a PCEHR.

 

A registered healthcare provider organisation must not:

 

·          upload information for the purposes of the PCEHR other than to a repository in respect of which a repository operator is registered or the National Repositories Service (paragraph (45)(a)).  This condition ensures that information to be used in the PCEHR system is retained in repositories which participate in the PCEHR system, can be retrieved via the PCEHR system and is protected by the security and privacy measures of the PCEHR system;

·          upload a record which is claimed to be a shared health summary if it is not (subparagraph 45(b)(i)) or upload a record of a kind specified in the PCEHR Rules unless it has been prepared by a healthcare provider with a healthcare identifier (subparagraph 45(b)(ii)).  This condition, together with the PCEHR Rules, ensures that only nominated healthcare providers can author shared health summaries and that all other records uploaded by registered healthcare provider organisations are appropriately authored;

·          upload information which would constitute an infringement of copyright or the moral rights of the author of the record (paragraph (45)(c)).  This condition means that an organisation can only upload information produced by that organisation, or that the organisation has permission to upload, and avoids affecting the intellectual property rights or moral rights of another provider who may or may not be participating in the PCEHR system.  It is proposed that participation agreements, which will be established between the System Operator and registered healthcare provider organisations, will license copying and subsequent use of uploaded materials; or

·          upload a record about a registered consumer if the consumer has advised the healthcare provider organisation that the record is not to be uploaded (paragraph 45(d)).  This recognises the standing consent granted by consumers upon registration which can be overridden on the consumer’s advice or in respect of certain health information which is subject to prescribed state and territory laws regarding consent (see paragraph 41(1)(c) and subclauses 41(3) and (4)).

 

It is important to note that the uploading of information to the PCEHR system is not limited to healthcare providers.  Any employee of a registered healthcare provider organisation who is authorised to use the PCEHR system on behalf of the organisation can upload information to the PCEHR system.

 

Further, nothing in this Bill forces or compels a healthcare provider to upload records or information to the PCEHR system if, in the opinion of the healthcare provider, it is not appropriate to upload the information or record.

 

Intellectual property

Intellectual property rights may subsist in health records.

 

In practice, the condition at paragraph (45)(c) means that healthcare providers, or other authorised users within a registered healthcare provider organisation such as administrative staff, must not upload a record unless the organisation owns any copyright in that record or has obtained permission from the owner of the copyright in the record.  An organisation will therefore need to determine the intellectual property status of a record before permitting the record to be uploaded to a PCEHR repository or the National Repositories Service.

 

The condition at subclause 45(d) and any contractual license will apply only in relation to information to be accessible through the PCEHR system.  A registered healthcare provider organisation is not subject to these arrangements when dealing with the record of a consumer who does not have a PCEHR or who has advised that she or he does not want that particular record to be uploaded to their PCEHR.

 

Clause 46   Condition of registration—non-discrimination in providing healthcare to a consumer who does not have a PCEHR etc.

This clause prescribes statutory conditions which apply to the registration of healthcare provider organisations in relation to non-discriminatory treatment of consumers.  Failure to comply with these conditions at any time while the healthcare provider organisation is registered may result in the System Operator suspending or cancelling the registration of the healthcare provider organisation, or in other action.

 

A registered healthcare provider organisation must not refuse to treat a consumer or otherwise discriminate against the consumer if the consumer does not have a PCEHR (subclause 46(1)) or, if the consumer has a PCEHR, the consumer has set particular access controls such as not permitting the treating healthcare provider to access the PCEHR or certain information in the PCEHR (subclause 46(2)).

 

These conditions help ensure that participation in the PCEHR system does not affect a consumer’s entitlement to healthcare.

 

Division 3—Registering repository operators, portal operators and contracted service providers

 

The PCEHR system will draw upon information held in repositories around Australia (including the National Repositories Service as described in paragraph 15(h)), operated by a mix of private and public sector organisations, to provide a summary view of a consumer’s key health information.  Repositories are crucial for the operation of the PCEHR system and they will be subject to stringent requirements. 

 

If an entity that operates a repository (‘repository operator’) chooses to participate in the PCEHR system, it will need to apply to the PCEHR System Operator to register as a PCEHR repository operator (clause 47).

 

Numerous conduits will be available to access the PCEHR system.  The primary conduits will be electronic interfaces known as portals.  Portals will allow consumers to register for a PCEHR, access their PCEHR and manage its access settings, and access general PCEHR system information and support services.  Similarly, portals will allow healthcare providers to access consumers’ PCEHRs (subject to consumer consent) and access general PCEHR system information and support services.  Portals will be subject to stringent requirements given their key role in the PCEHR system.

 

If an entity that operates a portal (‘portal operator’) chooses to participate in the PCEHR system it will need to apply to the PCEHR System Operator to register as a PCEHR portal operator (clause 47).

 

Some healthcare provider organisations may choose to use a third party service provider to deliver health information software as a service and facilitate access to the PCEHR system on the organisation’s behalf.  These service providers are referred to as contracted service providers.  An example of a contracted service provider might include a vendor that offers web-based general practice or aged care software as a service.

 

Contracted service providers can choose to register as PCEHR contracted service providers (clause 47).

 

The legislation provides for minimum requirements to apply to registered repository operators, portal operators and contracted service providers to ensure a consistently high standard of security and integrity for the PCEHR system.  Failure to meet the requirements may undermine the security or integrity of the PCEHR system so the legislation provides for action to be taken where an entity fails to meet its PCEHR obligations. 

 

From the date the Bill commences, repository operators, portal operators and contracted service providers may be eligible to register to participate in the PCEHR system.  Participation by these entities will facilitate use of, and access to, the PCEHR system by registered healthcare provider organisations and registered consumers.

 

Participation by repository operators, portal operators and contracted service providers is voluntary.

 

The Bill applies to Australia and its external territories so repository operators, portal operators and contracted service providers situated in those locations may apply for registration.

 

Clause 47   Persons may apply for registration as a repository operator, a portal operator or a contracted service provider

If a repository operator, portal operator or contracted service provider chooses to participate, the operator or provider must make an application to the PCEHR System Operator (subclause 47(1)).  In respect of repository operators, an application will need to specify which repository or repositories to which the application relates (subclause 47(2)).

 

Clause 48   When a person is eligible for registration as a repository operator, a portal operator or a contracted service provider

In order to be eligible to register, the repository operator, portal operator or contracted service provider must meet certain criteria.

 

Repository operators

A repository operator is eligible to be registered if:

 

·          it complies with any requirements set out in the PCEHR Rules (paragraph 48(a)).  The PCEHR Rules specify technical or security requirements;

·          it agrees to the conditions imposed on the repository operator by the System Operator under subclause 49(3) and (paragraph 48(b));

·          the central management and control of the repository operator is located in Australia throughout the period of the operator’s registration (paragraph 48(c)).  This means that, for a repository operator that is a company, it will be necessary that its directors’ meetings and the day-to-day executive thinking and strategic decision-making generally occur within Australia and not overseas.  This requirement is designed to ensure that the repository operator will remain subject to Australian law for its duration as a registered repository operator and, as such, can be held accountable and, if necessary, penalised for its actions. This requirement does not preclude consumers from accessing their PCEHR when they are travelling overseas; and

·          if the repository operator is a state or territory authority or an instrumentality of a state or territory authority that is not subject to a designated privacy law, the operator will need to be prescribed under section 6F of the Privacy Act (paragraph 48(d)).  This is to ensure that the National Privacy Principles under the Privacy Act apply to that operator. The Privacy Act will apply to Commonwealth and private sector repository operators whereas state and territory health privacy laws will apply to state and territory public sector repository operators in those states and territories that are bound by a designated privacy law. 

 

Portal operators

A portal operator is eligible to be registered if:

 

·          it complies with any requirements set out in the PCEHR Rules (paragraph 48(a)).  The PCEHR Rules may specify technical and security requirements;

·          it agrees to the conditions imposed on the portal operator by the System Operator under subclause 49(3) (paragraph 48(b));

·          the central management and control of the portal operator is located in Australia throughout the period of the operator’s registration (paragraph 48(c)).  This means that, for a portal operator that is a company, it will be necessary that its directors’ meetings and the day-to-day executive thinking and strategic decision-making generally occur within Australia and not overseas.   This requirement is designed to ensure that the portal operator will remain subject to Australian law for its duration as a registered portal operator and, as such, can be held accountable and, if necessary, penalised for its actions. This requirement does not preclude consumers from accessing their PCEHR when they are travelling overseas; and

·          if the portal operator is a state or territory authority or an instrumentality of a state or territory authority that is not subject to a designated privacy law, the operator will need to be prescribed under section 6F of the Privacy Act (paragraph 48(d)).  This is to ensure that the National Privacy Principles under the Privacy Act apply to that operator.  The Privacy Act will apply to Commonwealth and private sector portal operators whereas state and territory health privacy laws will apply to state and territory public sector portal operators in those states and territories that are bound by a designated privacy law. 

 

Contracted service providers

A contracted service provider is eligible to be registered if:

 

·          it complies with any requirements set out in the PCEHR Rules (paragraph 48(a)).  The PCEHR Rules may specify technical and security requirements; and

·          it agrees to the conditions imposed on the contracted service provider by the System Operator under subclause 49(3) (paragraph 48(b)).

 

A registered contracted service provider may not store information relating to the PCEHR system unless it is also registered as a repository operator.

 

If at any time a registered repository operator, registered portal operator or registered contracted service provider ceases to meet these eligibility criteria, it must notify the System Operator in writing within 14 days (see clause 76).  Failure to do so may result in action being taken against the operator or provider, including the imposition of a penalty.

 

Clause 49   Registration of a repository operator, a portal operator or a contracted service provider

If a repository provider, portal operator or contracted service provider has made an application under clause 47, and is eligible to be registered under clause 48, the System Operator must decide whether to register the repository provider, portal operator or contracted service provider (subclause 49(1)).  The System Operator must be satisfied that registration of the repository provider, portal operator or contracted service provider will not compromise the security or integrity of the PCEHR system, having regard to any matters set out in the PCEHR Rules (subclause 49(2)).

 

If the PCEHR System Operator decides to register the repository provider, portal operator or contracted service provider, the System Operator is required to enter the prescribed information in the Register (see Part 3 of Division 5).  The System Operator may impose conditions on the registration of the repository provider, portal operator or contracted service provider (subclause 49(3)).  A repository operator, portal operator or contracted service provider may seek a review of any conditions imposed (see clause 97).

 

In respect of registering a repository operator, the System Operator must identify the repositories to which the registration relates (subclause 49(4)).  This takes into account the fact that a repository operator may operate a number of repositories, some for PCEHR purposes and some for other purposes.

 

In practice, when the System Operator registers a repository operator, portal operator or contracted service provider it will allocate unique identifiers to each entity for system operations and audit purposes, allowing the System Operator to identify where information is stored and which entity has taken particular actions.  This mimics the arrangements in place for using healthcare identifiers to identify healthcare provider organisations, healthcare providers and consumers.

 

If the System Operator decides not to register the repository operator, portal operator or contracted service provider, the repository operator, portal operator or contracted service provider can request a review of that decision (see clause 97).

 

Clause 50   Condition about provision of information to System Operator

This clause prescribes a statutory condition which applies to the registration of repository operators, portal operators and contracted service providers.  If the System Operator requests PCEHR information from a registered repository operator, registered portal operator or registered contracted service provider, that entity must provide the System Operator with that information. 

 

Under the PCEHR system, information about a consumer will potentially be held by a range of participants in the PCEHR system.  For example, information might be held in multiple repositories across different states and territories.

 

Where a request is made to the System Operator for the disclosure of information (such as for the provision of healthcare to a consumer), the System Operator needs to be able to direct participants in the system to supply information about the consumer to the System Operator so it can be made available to the treating healthcare provider.  This clause gives the System Operator the power to require the provision of information so the PCEHR system can operate as intended.

 

 

Example: An individual is unconscious and in need of immediate medical treatment.  A doctor in the emergency department of the hospital treating the individual accesses the PCEHR system, via a registered portal operator.  The doctor confirms that the individual has a PCEHR and asserts that an emergency exists.  The doctor is authorised to collect, use and disclose the individual’s health information under clause 64.

 

The System Operator directs various repository operators to provide information relating to the individual.  Under clause 50, the registered repository operators must disclose the individual’s information to the System Operator.  Registered repository operators are authorised to disclose the information under clause 64.  The System Operator then provides the information to the healthcare provider, via the registered portal operator.  Both the System Operator and registered portal operator are authorised to disclose the information under clause 64.

 

Division 2 of Part 4 authorises participants in the PCEHR system to collect, use and disclose information for certain authorised purposes, however, it does not require that participants provide the information when it is needed.  This is why clause 50 is required.

 

Failure to comply with this condition at any time while the repository operator, portal operator or contracted service provider is registered may result in the System Operator suspending or cancelling its registration, or other action being taken.

 

Division 4—Cancellation, suspension and variation of registration

 

This Division supports the voluntary participation in the PCEHR system by consumers and participants and the role of the System Operator in protecting the security and integrity of the PCEHR system.

 

Registered consumers and registered participants may withdraw from the PCEHR system, or suspend their participation in the PCEHR system, at any time.  Alternatively, the System Operator may cancel or suspend the registration of a consumer or participant if the consumer or participant is no longer eligible to be registered or has contravened the Bill.  The Bill also allows for the variation of a registration.

 

Clause 51   Cancellation or suspension of registration

There are several circumstances in which the System Operator may or must cancel or suspend the registration of a consumer or participant.

 

The System Operator must cancel or suspend the registration of a consumer if the consumer makes such a request in writing (subclause 51(1)). 

 

The System Operator may cancel or suspend the registration of:

·          a consumer if the System Operator is no longer satisfied that a registered consumer meets the eligibility criteria set out in clause 40 (subclause 51(2));

Example: A consumer might be registered after fraudulently asserting an identity that is not their true identity.  In these circumstances, the System Operator would cancel the consumer’s registration.  This would not preclude the consumer from registering with their true identity.

 

·          a participant if the System Operator is no longer satisfied that a registered participant meets the applicable eligibility criteria set out in clause 43 or 48 (paragraph 51(3)(a)).  The System Operator may determine that the participant is no longer eligible either through investigation or upon notice by the participant (see clause 76);

·          a participant if the System Operator is satisfied that a registered participant has contravened this Bill or a condition imposed by the System Operator under subclause 44(3) or 49(3), or no longer meets the applicable eligibility criteria set out in clause 43 or clause 48 (subparagraph 51(3)(b)(i));

·          a participant if the System Operator is satisfied that it is reasonably necessary to prevent a contravention of this Bill or the conditions imposed by the System Operator (subparagraph 51(3)(b)(ii)).  This is intended to allow pre-emptive action by the System Operator, where necessary; or

·          a participant if the System Operator is satisfied that it is appropriate to protect the security and integrity of the PCEHR system (subparagraph 51(3)(b)(iii)).

 

Where the System Operator is investigating whether a consumer or participant is eligible to be registered, or whether the participant has contravened this Bill or a condition of its registration, the System Operator may suspend the registration of the consumer or participant (subclauses 51(4) and (5)).  This recognises that in some circumstances continued registration, even for a short period, may compromise the security or integrity of the PCEHR system.  The System Operator must notify the consumer or participant in writing of this interim suspension.

 

The System Operator must cancel or suspend the registration of a consumer upon the death of the registered consumer (subclause 51(6)).  In practice, the Healthcare Identifiers service operator will notify the System Operator about the death of a consumer.

 

If the System Operator cancels or suspends a registration, it will take effect either on the date the System Operator makes that decision or, if it is in response to a request, at the time specified by the request (subclause 51(7)). 

 

Clause 52   Variation of registration

In addition to cancelling or suspending the registration of a consumer or participant, the System Operator may vary the registration of a consumer or participant.  Such a variation may involve imposing conditions, changing or removing conditions, correcting a mistake or including missing information in the registration (paragraphs 52(1)(a), (b) and (d)).  The System Operator may, in addition to the matters described above, vary the registration of a repository operator in relation to the repositories to which the registration relates (paragraph 52(1)(c)) - for example, where an operator acquires or disposes of a repositories while it is registered. 

 

It is envisaged that the System Operator would generally not refuse to vary a registration, if requested to do so, providing that the variation would not adversely affect the operation, integrity or security of the PCEHR system.

 

Any variation decision will take effect either on the date the System Operator makes the decision or, if it is response to a request, at the time specified by the request.

 

Clause 53   Notice of cancellation, suspension or variation of registration etc.

Where the System Operator decides to cancel or suspend a registration for reasons of ineligibility or contravention of the Bill or a condition (under subclauses 51(2), (4), (5) or (4)), or decides to vary a registration under clause 52, the System Operator must notify the consumer or participant in writing (subclause 53(1)). 

 

In urgent circumstances, the System Operator may consider it appropriate to suspend, cancel or vary a registration immediately (subclause 53(4)).  For example, the System Operator may find that allowing a registration to remain in force any longer may compromise the security or integrity of the PCEHR system.  The System Operator must notify the consumer or participant in writing, and the suspension, cancellation or variation will have effect on the date the consumer or participant receives the notice or at a later time specified in the notice (subclause 53(5)).

 

In notifying a consumer or participant, the System Operator must provide information about the reasons for the System Operator’s decision to suspend, cancel or vary the registration (paragraph 53(2)(a)) and, except in the urgent circumstances described above (subclause 53(4)), must invite the participant to make a submission to the System Operator regarding the decision within a specified period (paragraph 53(2)(c)).  In the case of a contravention or breach of registration, the System Operator may include in this notice steps to be taken to address those circumstances (paragraph 53(2)(b)).

 

Clause 54   Effect of suspension

Clause 54 sets out the effects of suspension of registration.  In summary, the authorisations to collect, use and disclose information under Division 2 of Part 4 of the Bill cease to operate during suspension.  There are two exceptions to this being that emergency access to a consumer’s PCEHR will still be available under subclause 64(1) and that participants in the PCEHR system are able to collect, use and disclose information where directed by the System Operator - for example, as part of an investigation (clauses 54, 63 and 64).  Other PCEHR requirements on participants - for example, security obligations - will continue despite the suspension.    

 

Clause 55   PCEHR Rules may specify requirements after registration is cancelled or suspended

Although the Bill will generally not apply to consumers or participants after their registration has been cancelled or suspended, in some cases it is anticipated that particular restrictions may need to apply particularly in respect of repository operators given the PCEHR information they hold.  The System Operator may also need to be under certain obligations after the cancellation or suspension of a consumer’s or participant’s registration.

 

These restrictions and obligations may be specified in the PCEHR Rules (subclause 55(1)), however these Rules cannot modify clause 54 which specifies the effects of the suspension of a consumer or participant’s registration (subclause 55(2)). 

 

The PCEHR Rules may set out requirements relating to the treatment of PCEHRs or other records (subclause 55(3)).  For example, the PCEHR Rules may require a previously registered repository operator to treat records which were accessible via the PCEHR system in a particular manner to ensure the ongoing security of those records.

 

Division 5—The Register

 

This Division provides for the establishment and maintenance of the Register by the System Operator.  

 

The Register will include information associated with the registration of consumers and participants, details about consumers’ access control settings and any decisions regarding the suspension, variation and cancellation of a registration. 

 

The Register will contain the minimum information necessary to identify consumers and participants in the PCEHR system, and enable the effective operation of the PCEHR system.  The Register will not contain any health records.

 

The System Operator is responsible for ensuring appropriate details are recorded in the Register.

 

Clause 56   The Register

The System Operator is required to establish and maintain a Register (subclause 56(1)).  It may be in electronic form and may comprise separate parts (subclause 56(2)) - for example, one part may include registration details and another part may contain access control settings. 

 

Given the purpose of the Register, and the nature of information to be stored within it, it is not considered to be a legislative instrument and will not be subject to the Legislative Instruments Act 2003 (subclause 56(3)).      

 

Clause 57   Entries to be made in Register

The System Operator is required to enter certain information into the Register. 

 

When the System Operator decides to register a consumer or participant, or cancel, vary or suspend a registration, the System Operator must enter into the Register enough administrative information about those decisions to support the operation of the system (which may include personal information) and any other information which is specified in the PCEHR Rules.

 

Division 6—Information use and disclosure for identity verification

 

Clause 58   Identifying information may be used and disclosed

The PCEHR system will use trusted data sources to verify the identities of consumers and healthcare provider organisations for the purposes of registration and operation of the PCEHR system.

 

The Chief Executive Medicare and the Departments of Human Services, Veterans’ Affairs and Defence are authorised:

 

·          to use identifying information about a consumer or healthcare provider organisation, or disclose identifying information about a consumer or healthcare provider organisation to the System Operator, for the verification of identities as part of a PCEHR registration process (subclause 58(1)).  This authorisation will only apply if the consumer or healthcare provider organisation has applied for registration (paragraph 58(1)(a));

·          to use identifying information about a consumer or healthcare provider, or disclose identifying information about a consumer or healthcare provider to the System Operator, for the verification of identities associated with the operation of the PCEHR system by the System Operator (subclause 58(2)).  This subclause enables the System Operator to use identifying information to carry out the day-to-day functions necessary for the PCEHR system to operate, such as verifying the identities of persons and organisations accessing the system to ensure they are authorised to access a particular PCEHR; or

·          to use identifying information about a consumer, or disclose identifying information about a consumer to the System Operator, for the verification of identities as part of the registration process when it is initiated by authorised representatives or nominated representatives (subclause 58(3)).  This authorisation will only apply if an authorised representative or nominated representative with sufficient authority has applied for registration of a consumer (paragraph 58(3)(a)).

 

If at any time the Chief Executive Medicare, or the Departments of Human Services, Veterans’ Affairs or Defence, becomes aware that the identifying information that has been provided to the System Operator has changed, they must notify the System Operator (subclause 58(2)).  This ensures that the System Operator has and uses the most up-to-date information for verification system operations.

 

These authorisations under this clause enable the System Operator to leverage existing government-stored information as part of the operation of the PCEHR system, providing for a more streamlined process than would otherwise be possible if this existing information was not available.

 

PART 4—COLLECTION, USE AND DISCLOSURE OF HEALTH INFORMATION INCLUDED IN A REGISTERED CONSUMER’S PCEHR

 

The Bill leverages existing privacy and health information laws where possible.  Instead of overriding existing local privacy laws, the Bill will generally allow those existing laws to operate wherever they are not inconsistent with the Bill. 

 

Overall, the Bill contains some key privacy protections, including:

 

·          the ability for a consumer to control which healthcare provider organisations can access their information;

·          closely defined limits on the reasons that information can be accessed outside of those controls;

·          the ability to view an audit trail of all access to a consumer’s PCEHR;

·          penalties and other sanctions for unauthorised viewing of and access to records; and

·          requirements to report data breaches.

 

Part 4 of the PCEHR Bill sets out the purposes for which information can and cannot be used, collected and disclosed, allows for the imposition of civil penalties and other sanctions where these provisions are contravened.

 

Operation of other privacy and health information laws

 

In addition to the requirements in the PCEHR Bill, the System Operator will be subject to the Privacy Act and other participants of the PCEHR system will be subject to either the Privacy Act or a designated state or territory privacy law.  For entities that are subject the Privacy Act, this will allow, for example, the Information Commissioner to carry out investigations under the Privacy Act. Entities not subject to the Privacy Act will, in addition to the requirements in the PCEHR Bill, be subject to any local privacy or health information laws and the mechanisms that are available under those laws.  

 

FOI laws

 

Documents in the possession of the Secretary as the PCEHR System Operator would be subject to the Freedom of Information Act1982 (‘FOI Act’).  However, the FOI Act contains an exemption provision the practical effect of which is that the personal information of individuals could be withheld from access to anyone except the individual concerned.  The FOI Act defines personal information as “information or an opinion (including information forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained from the information or opinion”.  Health information contained in a consumer’s PCEHR will fall within this definition.

 

Other categories of information, such as administrative or system operational information, contained in documents held by the Secretary as System Operator may or may not be subject to release under FOI, depending on whether they are exempt under the relevant provisions of the FOI Act.

 

Documents in the possession of other participants in the PCEHR system, such as registered portal operators and registered repository operators, would not be subject to the FOI Act as those bodies will not be Commonwealth agencies.  Where such portal or repository operators are state or territory departments or authorities, state or territory freedom of information laws may apply.  However, all state and territory FOI laws contain exceptions allowing the withholding of personal information along the lines of those in the FOI Act.

 

Rationale for civil penalties in the PCEHR Bill and the operation of existing laws and professional obligations in relation to unauthorised access to records

 

Existing criminal provisions in the Criminal Code Act 1995 (‘Criminal Code’), together with a robust civil penalty regime in the Bill, are considered to provide an optimum set of sanctions that will have the ability to punish and deter misuse of the PCEHR system while encouraging participation.

 

The rationale for the civil, instead of criminal, penalty regime in the Bill reflects the fact that civil penalties for breaches of the PCEHR system have a number of significant advantages over criminal penalties. For example, it is easier to prove them because it is only necessary to prove that a breach occurred on the “balance of probabilities” rather than “beyond reasonable doubt”.  As civil penalties are easier to prove, this encourages enforcement of obligations under the PCEHR Bill and thus acts as a significant deterrent to misuse.  The availability of civil penalties under the PCEHR Bill does not preclude the possibility that a person may also be criminally liable under existing criminal laws - for example, under the Criminal Code.

 

The civil pecuniary penalties specified in the Bill (120 penalty units for an individual)  are the maximum penalty a court may impose on an individual for unauthorised viewing, disclosure, use, etc of one record in the PCEHR system (p ursuant to the Acts Interpretation Act 1901 , a penalty unit is currently defined by the Crimes Act 1914 to mean $110).  The maximum penalty for bodies corporate is five times this level - that is, 600 penalty units - a for unauthorised viewing, disclosure, use, etc of one record in the PCEHR system (see subclause 79(5)).  The penalties in the Bill are set at several different levels to reflect the appropriate consequence for a breach of a particular civil penalty provision; and

 

A person who accesses multiple PCEHRs without authorisation will be subject to multiple penalties.  Depending on who accesses a record without authorisation, and how many PCEHRs are accessed, the maximum pecuniary penalty could be significantly higher than 120 penalty units for individuals and 600 penalty units for corporations.

 

Example: If a body corporate collects health information from the PCEHR system in a manner which is not authorised and that collection comprises 100 individual PCEHRs, the body corporate could potentially face a pecuniary penalty of up to $6,600,000.

 

An important element of the PCEHR system’s legislative framework is that existing criminal penalties should continue to be available to reinforce the tight technical and security protections that will apply to protect information in the PCEHR system. The PCEHR Bill does not affect any existing criminal laws.

 

Part 10.7 of the Criminal Code specifies criminal offences which involve the use of computer systems.  The penalties for these offences range from two to 10 years imprisonment.  The offences in Part 10.7 include:

 

·          Clause 477.1: Unauthorised access, modification or impairment with intent to commit a serious offence - unauthorised use of computer technology to commit serious crimes;

·          Clause 477.2: Unauthorised modification of data to cause impairment - the unauthorised modification of data on a computer that would impair access to, or the reliability, security or operation of the data.  For example, this offence would cover a person who uses the internet to infect a computer with malware;

·          Clause 477.3: Unauthorised impairment of electronic communication - cyber attacks such as denial of service attacks, where a server is inundated with a large volume of data intended to impede or prevent its functioning;

·          Clause 478.1: Unauthorised access to, or modification of, restricted data - unauthorised access to, or modification of, data held on a computer that is restricted by an access control system.  For example, this offence would cover hacking into password protected data;

·          Clause 478.3: Possession or control of data with intent to commit a computer offence - people who possess programs designed to hack into other people’s computer systems or impair data or electronic communications.  For example, this offence covers possessing a program which will enable the offender to launch a denial of service attack against an Australian Government agency’s computer system; and

·          Clause 478.4: Producing, supplying or obtaining data with intent to commit a computer offence - the production and/or supply of data to be used in a computer offence.  This offence would cover people who trade botnets and malware.

 

One or more offences under Part 10.7 of the Criminal Code could potentially be committed where, for example, a person uses a computer system to hack into the PCEHR system.

 

Further, any breach of PCEHR system requirements or privacy obligations by a healthcare provider may have consequences for the provider under existing professional rules.  This Bill does not displace these existing obligations.

 

Division 1—Unauthorised collection, use and disclosure of health information included in a consumer’s PCEHR

 

This Division imposes civil penalties for unauthorised collection, use and disclosure of health information included in a PCEHR.  What amounts to an “authorised” collection, use or disclosure is specified in Division 2 of Part 4 of the PCEHR Bill.

 

Clause 59   Unauthorised collection, use and disclosure of health information included in a consumer’s PCEHR

A person must not collect health information included in a consumer’s PCEHR if the collection is not authorised and the person knows or is reckless to that fact (subclause 59(1)).  A contravention of subclause 59(1) may result in liability for an individual of up to 120 penalty units, or 600 penalty units for bodies corporate, per breach.

 

While subclause 59(1) is a civil penalty provision, it makes use of fault elements which are to be interpreted in the same manner as they are under the Criminal Code (subclause 92(2)).  As a result, it will only be a contravention of the civil penalty provision in (subclause 59(1)) where a person knows they are not authorised to collect from the PCEHR system health information in a consumer’s PCEHR, or are reckless as to whether or not they are authorised, but they collect the information nonetheless.

 

The fault elements in this clause ensure that participants who inadvertently or mistakenly access a PCEHR do not contravene the provision.  For example, if a healthcare provider accesses a PCEHR by mistake, they will not breach this provision and will not be liable for a civil penalty. 

 

Despite the fact that a civil penalty provision may not be established, because a fault element cannot be made out, it will still be open to the Information Commissioner to take action under the Privacy Act where there has been an unauthorised collection of health information (under Division 2 of Part 4) from a consumer’s PCEHR (clause 73). 

 

Subclause 59(2) provides that a person must not use or disclose health information included in a consumer’s PCEHR if the information was obtained from the PCEHR system, the use or disclosure is not authorised under Division 2 of Part 4 and the person knows or is reckless to that fact.  As with subclause 59(1):

 

·            the fault elements in this provision must be established to make out a contravention;

·            if the fault elements cannot be established, clause 73 will ensure that any unauthorised collection, use or disclosure of information will still be subject to the mechanisms available under the Privacy Act despite the fact civil penalties will not be available; and

·            a breach of subclause 59(2) may result in liability for an individual of up to 120 penalty units, or 600 penalty units for bodies corporate, per breach.

 

Clause 60   Secondary disclosures

Subclause 60(1) provides that a person must not use or disclose health information included in a consumer’s PCEHR if the information was disclosed to the person in contravention of subclause 59(2) and the person knows that, or is reckless as to whether, the disclosure of the information to the person contravened subclause 59(2).

 

As with subclauses 59(1) and (2):

 

·            the fault elements in clause 60 must be established to make out a contravention;

·            if the fault elements cannot be established, clause 73 will ensure that any unauthorised collection, use or disclosure of information will still be subject to the mechanisms available under the Privacy Act despite the fact civil penalties will not be available; and

·             a breach of subclause 59(2) may result in liability for an individual of up to 120 penalty units, or 600 penalty units for bodies corporate, per breach.

 

A person will not breach subclause 60(1), and will not be liable for a civil penalty, if the person discloses the information to an appropriate authority - for example, the Information Commissioner - to assist in an investigation of the initial contravention (subclause 60(2)).  

 

Division 2—Authorised collection, use and disclosure

 

The PCEHR Bill creates a new and specific privacy regime in terms of authorising collections, uses and disclosures of health information in the PCEHR system.  The collection, use and disclosure regime draws heavily on the use and disclosure provisions in the Privacy Act’s National Privacy Principles.  In a number of cases, the PCEHR Bill’s regime is more restrictive than under similar provisions in the National Privacy Principles.  This is a deliberate policy decision which reflects the fact that the PCEHR will create a new, relatively rich data source in relation to participating consumers and, as a result, deserves increased protections compared to existing laws.   

 

The privacy regime established by the PCEHR Bill:

 

is intended to cover the field in relation to:

 

o       the collection, use and disclosure of health information in or using the PCEHR system; and

o       prohibiting transborder information flows by the System Operator, repository and portal operators and contracted service providers (but not so as to prevent registered consumers outside Australia accessing their PCEHR);

 

is not intended to cover the field in relation to:

 

o      the initial collection of health information - for example, by a healthcare provider from a consumer;

o      the collection, use or disclosure of health information outside the PCEHR system, or in a manner that does not use the PCEHR system, unless the contrary intention appears; and

o      privacy laws that deal with aspects other than the collection, use or disclosure of information - for example, laws in relation to data quality, data security and access and correction. 

 

To the extent the regime under the PCEHR Bill does not exclude them, it is intended that existing laws and professional obligations would continue to apply in these circumstances.

 

The PCEHR Bill does not regulate de-identified information as such information does not fall within the meaning of personal information or health information.

Subdivision A—Collection, use and disclosure in accordance with access controls

 

Subdivision A specifies the authorised collections, uses and disclosures of health information in a consumer’s PCEHR in accordance with a consumer’s access control settings. 

 

Clause 61   Collection, use and disclosure for providing healthcare

All of the participants in the PCEHR system will be authorised to collect, use and disclose the health information in a consumer’s PCEHR if it is for the purpose of providing healthcare to the registered consumer and is consistent with the consumer’s access control settings (subclause 61(1)).

 

This clause enables participants in the PCEHR system to make health information in a consumer’s PCEHR available to a treating healthcare provider when and where it is needed.  For example, a registered repository operator will need to disclose clinical documents that form part of a consumer’s PCEHR to the System Operator so that they can be provided to the treating healthcare provider.  If that provider is connecting to the system using a portal service, the registered portal operator who operates the portal service will have a role in delivering the information to the healthcare provider.

 

The authorisation in subclause 61(1) does not extend to consumer-only notes entered by a consumer into their PCEHR (subclause 61(2)) and, as a result, treating healthcare providers will be unable to collect or use consumer-only notes.  Despite this restriction, consumers will be able to enter certain other information into their PCEHR which will be accessible by their healthcare providers - for example, medications and allergies information.  This information will not be described in consumers’ PCEHRs as consumer-only notes and, as a result, subclause 61(2) will not prevent the collection, use or disclosure of that information (see the definition of consumer-only notes and subclause 61(2)).

 

Clause 62   Collection, use and disclosure to nominated representative

Clause 62 authorises participants in the PCEHR system to disclose, to a consumer’s nominated representative, health information in a registered consumer’s PCEHR in accordance with the consumer’s access control settings. 

 

This authorisation ensures, where a consumer wishes, nominated representatives in a caring role will be able to access the PCEHR for whom they are the carer.  This will help ensure that they have sufficient information about the healthcare of the consumer to provide appropriate support.

 

Subdivision B—Collection, use and disclosure other than in accordance with access controls

 

Subdivision B specifies the authorised collections, uses and disclosures of health information in a consumer’s PCEHR other than in accordance with a consumer’s access control settings. 

 

Clause 63   Collection, use or disclosure for management of PCEHR system

This clause authorises participants in the PCEHR system to collect, use and disclose health information included in a consumer’s PCEHR if:

·             the collection, use or disclosure is for the purpose of managing or operating the PCEHR system, and the consumer would reasonably expect the participant to collect, use or disclose the information for that purpose (paragraph 63(a)); or

·             the collection, use or disclosure is undertaken in response to a request by the System Operator for the purpose of performing a function or exercising a power of the System Operator. 

 

Clause 63 is intended, for example, to enable the entities working together to deliver the PCEHR system to:

 

·             to monitor and evaluate the operation of the PCEHR system, including to ascertain whether the anticipated benefits of the system are being realised;

·             correct errors and emissions in PCEHRs; and

·             investigate, resolve and report on system problems.  It is not envisaged that maintenance or reporting would usually require access to, or the use of, information within a PCEHR.  In some circumstances, however, the System Operator may need to use and disclose health information to do these things.

 

.

Example: If a clinical document was accidentally linked to the wrong PCEHR there may be a need to exchange the contents of the document with the healthcare provider who uploaded it, or the repository operator who is storing it, to fix the linkage.

 

 

 

Clause 64   Collection, use and disclosure in the case of a serious threat

Subclause 61(1) authorises participants in the PCEHR system to collect, use and disclose health information included in a registered consumer’s PCEHR in certain emergency situations - that is:

 

·             where the participant reasonably believes that (paragraph 64(1)(a)):

o       the collection, use or disclosure is necessary to lessen or prevent a serious threat to an individual’s life, health or safety; and

o       it is unreasonable or impracticable to obtain the consumer’s consent to the collection use or disclosure; and

·             the participant advises the System Operator of the matters in paragraph 64(1)(a) (paragraph 64(1)(b)); and

·             the collection, use or disclosure occurs not later than 5 days after the participant gives the advice in paragraph 64(1)(b) (paragraph 64(1)(c)).

 

In practice, what will usually occur is that where it is unreasonable or impracticable to gain a consumer’s consent - for example, because the consumer is unconscious - and the consumer is facing a serious threat to their health, the treating healthcare provider will assert to the System Operator that emergency access is required to the consumer’s PCEHR.  The System Operator will then use the index service to obtain information in the consumer’s PCEHR from other participants in the PCEHR system - for example, from registered repository operators and the National Repositories Service.  The information will be disclosed to the treating healthcare provider.  Emergency access will lapse 5 days after the healthcare provider asserted that emergency access was required.  If the emergency situation is ongoing, and it is still unreasonable or impracticable to obtain the consumer’s consent, the healthcare provider would be able to reassert that emergency access was required.

 

 

Example: A young man has arrived by ambulance at the emergency department of a hospital.  He is unconscious and in a critical condition.  The treating healthcare provider checks the man’s identification and uses this to see if he has a PCEHR.  The healthcare provider discovers that the man does have a PCEHR and asserts to the System Operator, using the PCEHR system, that an emergency exists and access to the man’s PCEHR is required.  The System Operator coordinates the collection of health information in the man’s PCEHR, which is then provided to the treating healthcare provider.  The healthcare provider’s access to the man’s PCEHR automatically lapses 5 days later.

 

Participants in the PCEHR system are also authorised to collect, use and disclose health information in a consumer’s PCEHR in circumstances where that information is needed to lessen or prevent a serious threat to public health or public safety (subclause 64(2)).  This kind of access is anticipated to be used, for example, where a dangerous infection has been detected within a hospital and it is necessary to identify the source of the infection to prevent its spread.  In this example, the PCEHRs of recent arrivals to the hospital may be accessed to assist in identifying the source of the infection.

 

The authorisations in clause 64 do not extend to consumer-only notes entered by a consumer in their PCEHR (subclause 64(3)).  However, as explained above in relation to clause 61, certain other information (not being consumer-only notes) can be entered by consumers and this other information may be available to healthcare providers under the clause 64 authorisation.

 

All emergency access to consumers’ PCEHRs, as with access under other authorisations, will be logged and subject to audit. 

 

All health information in a consumer’s PCEHR will generally be accessible under clause 63, regardless of a consumer’s access control settings.  The two exceptions to this are consumer-only notes (as discussed above) and information that has been ‘effectively removed’ from their PCEHR.  A document which has been ‘effectively removed’, while it is not deleted for medico-legal reasons, would no longer be accessible in an emergency.

 

Clause 65   Collection, use and disclosure authorised by law

Subclause 65(1) authorises a participant in the PCEHR system to collect, use and disclose health information included in a consumer’s PCEHR if the collection, use and disclose is authorised by a Commonwealth, state or territory law (subclause 65(1)). 

 

Subclause 65(1) is subject to clause 69.  This is intended to ensure that subpoenas, and other information gathering powers available under court rules, etc, do not permit the collection, use or disclosure of health information in a consumer’s PCEHR in reliance on the authorised by law exception where the collection, use or disclosure of that information would not be authorised under clause 69.

 

The authorisation under subclause 65(1) does not extend to consumer-only notes entered by a consumer in their PCEHR (subclause 65(2)).  However, as explained above, certain other information (not being consumer-only notes) can be entered by consumers.  This other information may be available under the subclause 65(1) authorisation.

 

Clause 66   Collection, use of disclosure with consumer’s consent

A participant in the PCEHR system is authorised to disclose for any purpose health information included in the consumer’s PCEHR to the consumer (subclause 66(1)). 

Under subclause 66(2), a participant in the PCEHR system may collect, use and disclose for any purpose health information included a consumer’s PCEHR with the consent of the consumer.

 

These provisions reflect the policy position that PCEHRs should be personally controlled and thus provide that consumers are entitled to deal with the content of their PCEHR as they see fit, subject to other provisions of this Bill and other laws.

 

Where a consumer consents to her or his health information being used for research purposes, clause 66 will enable disclosure of the identified health information to the researcher.  Unlike the position under the National Privacy Principles, the PCEHR Bill only permits the use of a consumer’s identified health information for research where the consumer has consented.  As noted above, this Bill does not regulate de-identified information.

 

Clause 67   Collection, use and disclosure by consumer

Further to clause 66 which provides for a participant in the PCEHR system to disclosure health information in a consumer’s PCEHR information to the consumer, this clause provides that a consumer may collect, use and disclose, for any purpose, health information in his or her PCEHR.

 

 

 

Clause 68   Collection, use and disclosure for indemnity cover

Subclause 68(1) authorises participants in the PCEHR system to collect, use and disclose information included in a consumer’s PCEHR for the purposes relating to the provision of indemnity cover for a healthcare provider (subclause 68(1)). 

 

This provision is intended to allow collection, use and disclosure for indemnity cover purposes regardless of whether the matter involves court or tribunal proceedings or is the subject of a complaint. 

 

This authorisation in subclause 68(1) does not extend to consumer-only notes (subclause 68(2)).  However, as explained above, certain other information (not being consumer-only notes) can be entered by consumers.  This other information may be available under the clause 68 authorisation.

 

Clause 69   Disclosure to courts and tribunals

Clause 69 specifies the circumstances in which health information in a consumer’s PCEHR may be collected, used and disclosed in response to subpoenas and other similar information gathering mechanisms, and in response to an order of a court or tribunal.

 

Subclause 69(1) provides that the System Operator must comply with an order to disclose health information in a consumer’s PCEHR if:

 

·             all of the following apply:

o       a court or tribunal other than a coroner orders or directs the System Operator to disclose health information in a consumer’s PCEHR to the court or tribunal (paragraph 69(1)(a)); and

o       the order or direction is given in the course of proceedings relating to the PCEHR Bill, or unauthorised access to information through the PCEHR system (for example, in relation to proceedings under the Criminal Code where a person hacked in the PCEHR system) or for the provision of indemnity cover to a healthcare provider (paragraph 69(1)(b)); and

o       apart from Part 4 of the PCEHR Bill, the System Operator would be required to comply with the order or direction (paragraph 69(1)(c)); or

·             a coroner orders or directs the System Operator to disclose the information to the coroner (subclause 69(2)).

 

Except as mentioned in subclauses 69(1) and (2):

 

·             a participant in the PCEHR system, or a consumer, cannot be required to disclose health information included in a consumer’s PCEHR to a court or tribunal (subclause 69(3)); and

·             the System Operator is not authorised to disclose health information included in a consumer’s PCEHR to a court or tribunal unless the consumer consents (subclause 69(4)).

 

The authorisations in clause 69 do not extend to consumer-only notes entered by a consumer in their PCEHR (subclause 69(4)).  However, as explained above, certain other information (not being consumer-only notes) can be entered by consumers.  This other information may be available under the clause 69 authorisation.

 

 

The decision to restrict the ability of courts and tribunals to access health information contained in a consumer’s PCEHR has been made for a range of policy reasons:

 

·          the PCEHR system, by drawing together health information about a consumer from many different sources, will create a much richer data source about consumers than any existing system.  This warrants additional protections, including placing some restrictions on access to health information in the PCEHR system by way of subpoenas and other orders of courts and tribunals.  Registration by consumers in the PCEHR system is voluntary, and consumers do not want the PCEHR system to be a source of health information that can be accessed for any court or tribunal purpose;

·          health information in the PCEHR system will be available from other sources.  For example, healthcare providers’ local clinical records system will keep a copy of health information that is uploaded to the PCEHR system.  Healthcare providers are also able to download copies of a consumer’s PCEHR where authorised under Division 2 of Part 4 of the PCEHR Bill.  Health information outside of the PCEHR system is subject to existing local laws and the provisions in the PCEHR Bill will not apply to the locally-held copy of the information or restrict access to such locally-held health information (see clause 71);

·          the restrictions only apply to health information in a consumer’s PCEHR.  The restrictions under clause 69 would not prevent access to other information in the PCEHR system, for example, information about the operations of the PCEHR system generally; and

·          the administrative burden on the System Operator of having to deal with unrestricted access to PCEHR-based health information by way of subpoena and other orders of courts ad tribunals would likely be significant. 

 

Clause 70   Disclosure for law enforcement purposes, etc.

Subclause 70(1) authorises the System Operator to use or disclose health information included in a consumer’s PCEHR if the System Operator reasonably believes that the use or disclosure is reasonably necessary for one or more of the following things done by, or on behalf of, an enforcement body:

 

·             the prevention, detection, investigation, prosecution or punishment of criminal offence or breaches of certain other laws (paragraph 70(1)(a));

·             the enforcement of laws relating to the confiscation of the proceeds of crime or the protection of public revenue (paragraphs 70(1)(b) and (c));

·             the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct (paragraph 70(1)(d));

·             the preparation for, or conduct of, proceedings before any court or tribunal, or the implementation of the orders of a court or tribunal (paragraph 70(1)(e)), subject to clause 69 (subclause 70(2).

 

Subclause 70(3) authorises the System Operator to use or disclose health information in a consumer’s PCEHR if the System Operator:

 

·             has reason to suspect that unlawful activity that relates to the System Operator’s functions has been, is being or may be engaged in; and

·             reasonably believes that the use or disclosure of the information is necessary for the purposes of an investigation of the matter or in reporting concerns to the relevant persons or authorities.

 

The System Operator must make a written note of a use or disclosure of information under clause 70 (subclause 70(4)).

 

The authorisation in clause 70 does not extend to consumer-only notes entered by a consumer into their PCEHR (subclause 70(5)).  However, as explained above, certain other information (not being consumer-only notes) can be entered by consumers.  This other information may be available under the clause 70 authorisation.

 

This authorisation is restricted to the System Operator who has a coordination and oversight role in the system.  If part of the PCEHR is held by another participant in the system and this is also needed for an investigation, the System Operator can require the other participant to provide this (see clause 50).

 

Division 3—Prohibitions and authorisations limited to PCEHR system

 

Clause 71   Prohibitions and authorisations limited to health information collected by using the PCEHR system

 

The authorisations and prohibitions in Division 2 of Part 4 in respect of the collection, use and disclosure of health information included in a consumer’s PCEHR are limited to the collection, use and disclosure of information obtained by using the PCEHR system (subclause 71(1)).  The authorisations and prohibitions do not apply where information has been lawfully obtained other than by using the PCEHR system, even if the information was originally obtained by using the PCEHR system (subclause 71(2)). 

 

In summary, clause 5 of the PCEHR Bill defines the PCEHR system as a system:

 

·          involving the System Operator;

·          that is for the collection, use and disclosure of information from various sources, and the holding of that information in accordance with the wishes of consumers or as specified in the Bill; and

·          that is for the assembly of that information in respect of individual consumers which is to be made available subject to a consumer’s wishes to support healthcare for the consumer, and in other circumstances specified in the Bill. 

 

Essentially, the PCEHR system is a network of various participating entities which are coordinated by the System Operator, exchanging health information for the provision of healthcare and other authorised purposes. Some of these participants - for example, repositories operated by state or territory governments - may hold information for dual purposes.  For example, some information about a consumer may be held for PCEHR purposes and for the purpose of providing healthcare outside the PCEHR system in accordance with the rules applying in the relevant state or territory.

 

The involvement of the System Operator is a vital element in determining whether information has been obtained by using the PCEHR system, or whether information has been obtained other than by using the PCEHR system. 

 

Subclauses 71(3) and (4) describe circumstances where PCEHR information is not obtained by using the PCEHR system:

 

·          subclause 71(3) provides that health information is taken not to be obtained by using the PCEHR system if the information is stored in a repository for PCEHR purposes and other purposes, and a person lawfully obtains the information directly from the repository (that is, not via the System Operator) for those other purposes. 

 

Existing repositories operate for a range of purposes, and operators of these repositories may wish to become registered repository operators under the PCEHR Bill.  Where a registered repository operator wishes to provide services for PCEHR and non-PCEHR purposes, subclause 71(3) is intended to allow this to occur.  Where a person lawfully obtains health information directly from the repository for those non-PCEHR purposes, the prohibitions and authorisations in Part 4 of the PCEHR Bill will not apply;

 

·          where authorised under the PCEHR Bill, health information in a consumer’s PCEHR may be downloaded from the PCEHR system - for example, into the local clinical records system of a healthcare provider organisation - and the downloaded information can be subsequently obtained from that local clinical system. 

 

Subclause 71(4) provides that obtaining information from that other system, even though the information was originally obtained from the PCEHR system, is taken not to be obtained using the PCEHR system.  As a result, the authorisations and prohibitions in Part 4 of the PCEHR Bill do not apply where the downloaded information is accessed using the local clinical records system (instead, existing Commonwealth, state or territory privacy and health information laws and professional obligations will apply to the collection, use and disclosure of that downloaded information).

 

 

Division 3—Interaction with the Privacy Act 1988

 

Clause 72   Interaction with the Privacy Act 1988

This clause provides clarification as to how the PCEHR Bill (once enacted), will operate in

conjunction with the Privacy Act and clarifies that an authorisation under this Bill is

an authorisation for the purpose of the Privacy Act.  This ensures that a collection, use or disclosure authorised under the PCEHR Bill does not contravene the Privacy Act.

 

Clause 73   Contravention of this Act is an interference with privacy

Clause 73 provides that an act or practices that contravenes the PCEHR Bill (once enacted) in relation to health information in a consumer’s PCEHR, or would contravene the PCEHR Bill but for a requirement relating to the state of mind of a person, is taken to be an interference with the consumer’s privacy and is taken to be covered by section 13 or 13A of the Privacy Act, as applicable.

 

The reference to “would contravene this Act but for a requirement relating to the state of mind of a person” ensures that where a person does not breach clause 59 or 60:

 

·          because the person was held to have not known that their action was unauthorised; or

·          because the person was held to have not been reckless as to the fact that they were not authorised,

 

The mechanisms under the Privacy Act are still available. 

 

The consequence is that, while a person may not contravene clauses 59 or 60 and may not be liable for a civil penalty, the Information Commissioner would still have, for example, the power to investigate where a collection, use or disclosure is not authorised under Division 2 of Part 4.

 

PART 5—OTHER CIVIL PENALTY PROVISIONS

 

In order to ensure that the integrity of the PCEHR system is not compromised and that any security issues such as breaches or non-compliance can be dealt with, this Part contains a series of civil penalty provisions and related mechanisms. 

 

Clause 74   Registered healthcare provider organisations must ensure certain information is given to System Operator

Once registered to participate in the PCEHR system, a registered healthcare provider organisation will be able to authorise persons within the organisation to access records in the PCEHR system.  The organisation may choose to authorise healthcare providers, administrative and other support staff, trainees (including medical students) and/or contractors. 

 

On each occasion that an authorised user accesses a consumer’s PCEHR on behalf of, or purportedly on behalf of, the registered healthcare provider organisation, the organisation must provide to the System Operator sufficient information to enable the System Operator to identify the authorised user (subclause 74(1)).    

 

The requirement to provide this information is essential for enabling the System Operator to maintain a comprehensive audit trail of access to consumers’ PCEHRs.  

 

The obligation to provide the information has been placed on healthcare provider organisations.  This is because they will be best placed to ensure that their IT systems are configured to provide the necessary information to the System Operator.  The individual making the actual request for disclosure, who in most cases will be an employed healthcare provider or a person in an administrative role at the healthcare provider organisation, is unlikely to be in a position to ensure such systems are in place. Consequently, it would be inappropriate to impose liability on the individual who actually sought access to a consumer’s PCEHR on behalf of the healthcare provider organisation should clause 74 be breached.

A maximum civil penalty of 100 penalty units for an individual, or 500 penalty units for a body corporate (subclause 79(5)), may be imposed by a court for a contravention of clause 74.

 

Clause 75   Certain participants in the PCEHR system must notify data breaches etc.

The obligations in relation to data breaches in clause 75 apply to an entity if (subclause 75(1)):

 

·             the entity is or has at ant time been the System Operator, a registered repository operator or a registered portal operator; and

·             the entity becomes aware that:

o      a person has, or may have, contravened the PCEHR Bill in a manner involving an unauthorised collection, use or disclosure of health information included in a consumer’s PCEHR; or

o      an event has occurred or circumstances have arisen (whether or not involving a contravention of the PCEHR Bill) that compromise, or may compromise the security or integrity of the PCEHR system; and

·             the contravention, event or circumstances directly involved, may have involved or may involve the entity.  This requirement is intended to ensure that only entities experiencing, or who have or may have experienced, contraventions, events or circumstances described in paragraph 75(1)(b) report.  Entities that find out about  breaches affecting only another entity are not under a PCEHR Bill obligation to report that information to the System Operator or Information Commissioner.

 

Data breach reporting obligations vary slightly depending on the entity involved:

 

·               if the entity is a state or territory authority or instrumentality - the entity must notify the System Operator as soon as practicable after becoming aware of the contravention, event or circumstances (paragraph 75(2)(a));

·               all other registered repository operators and registered portal operators must notify a breach to the System Operator and the Information Commissioner as soon as practicable after becoming aware of the contravention, event or circumstances (paragraph 75(2)(b)); and

·               if the entity is the System Operator, the System Operator must notify the Information Commissioner as soon as practicable after becoming aware of the contravention, event or circumstances (subclause 75(3)).

 

A failure by a registered repository operator or a register portal operator to comply with subclause 75(2) may result in imposition of a civil penalty of up to 100 penalty units for an individual or 500 penalty units for a body corporate.

 

Subclause 75(4) specifies the other actions that must be taken as soon as practicable after becoming aware of the contravention, event or circumstances.  These steps are based on existing Information Commissioner guidelines for dealing with data breaches and include:

 

·             as far as practicable, containing the contravention, event or circumstances and carrying out a preliminary assessment of the causes;

·             evaluating risks that may arise;

·             notifying affected customers and, if a significant number if customers are affected, notifying the general public.  Only the System Operator is permitted to notify affected customers or the general public.  Entities other than the System Operator who experience a contravention, event or circumstances described in paragraph 75(1)(b) must ask the System Operator to notify affected customers or the general public on their behalf, and the System Operator must comply with such a request (subclause 75(5)); and

·             take steps to prevent of mitigate the effects of further contraventions, events or circumstances described in paragraph 75(1)(b).

 

The requirement to notify data breaches or potential data breaches affecting a repository, portal or the System Operator is intended to allow the System Operator and the Information Commissioner to investigate, take corrective actions and help mitigate any loss or damage that may result from the breach. The steps required under subclause 75(4) are critical to the ongoing security and integrity of the PCEHR system and maintaining consumer and provider confidence in the PCEHR system.

 

 

Example: A privately-operated pathology entity is a registered repository operator.  It has just discovered that an unidentified external computer program has interfered with health records that it holds, and the repository operator has isolated the affected areas of the system.  The repository operator must notify the System Operator and the Information Commissioner of the breach, and take any action necessary to contain the breach, analyse the breach, ascertain the risks associated with the breach (such as whether other information within the system may be affected or whether the affected areas may have affected other organisations’ systems before the breach was discovered) and prevent or mitigate further breaches.

 

As part of notifying the System Operator of the breach, the operator has provided details of the consumers whose records were affected by the breach and asked for the System Operator to notify the affected consumers.  The System Operator has notified the affected consumers and is considering whether the number of affected consumers requires that a public notice be issued.

 

Although a civil penalty would not apply under the PCEHR Bill should an entity fail to comply with the actions  specified in subclause 75(4) following a breach, there may be other consequences.  These could potentially include cancellation of the entity’s registration.

 

Clause 76   Requirement to notify if cease to be eligible to be registered

Clause 76 would require registered healthcare providers, registered repository operators, registered portal operators and registered contracted service providers to notify the System Operator in writing within 14 days of ceasing to be eligible to be registered.

 

Failure to comply with clause 76 may result in the imposition of a civil penalty of up to 80 penalty units for an individual or 400 penalty units for a body corporate.

 

Ceasing to be eligible to be registered may also result in the System Operator deciding to suspend or cancel the registration of the healthcare provider organisation, repository operator, portal operator or contracted service provider.

 

Clause 77   Requirement not to hold or take records outside Australia

Clause 77 places an obligation on the System Operator, registered repository operators, registered portal operators and registered contracted service providers that hold records for PCEHR purposes (whether or not those records are also held for other purposes) to not:

 

·           hold the records, or take the records, outside Australia; or

·           process or handle information relating to the records outside Australia; or

·           cause or permit another person to hold or take the records outside Australia or to process of handle information relating to the records outside Australia.

 

Should PCEHR-related health information be stored or processed outside Australia, very few effective enforcement options would be available if that information were to be misused or mishandled.  Remedies for affected individuals would likewise be severely curtailed.  Allowing health information to be stored or processed outside Australia also increases the risk of the information being compulsorily acquired by foreign governments.  For these reasons, a policy decision has been taken to require all PCEHR-related health information to be stored and processed in Australia.

 

Failure to comply with clause 77 may result in the imposition of a civil penalty of up to 120 penalty units for an individual or 600 penalty units for a body corporate.

 

Clause 78   Participant in the PCEHR system must not contravene PCEHR Rules

Clause 78 provided that a person who is, or at any time has been, a registered repository operator or a registered portal operator must not contravene a PCEHR Rule that applies to that person. 

 

Failure to comply with clause 78 may result in the imposition of a civil penalty of up to 80 penalty units for an individual or 400 penalty units for a body corporate.

 

PART 6—CIVIL PENALTY SUPPORTING PROVISIONS

 

This Part sets out machinery provisions associated with the civil penalty provisions in the PCEHR Bill.

 

Division 1—Civil penalty orders

 

This Division sets out the arrangements for seeking and making orders for civil penalties and how those penalties will be determined.

 

Clause 79   Civil penalty orders

The Information Commissioner will have standing to apply to a Court for an order that a person who is alleged to have contravened a civil penalty provision pay the Commonwealth a pecuniary penalty (subclause 79(1)).  Court is defined in section 5 to be the Federal Court of Australia, Federal Magistrates Court or a state or territory court with appropriate jurisdiction.

 

An application for an order must be made within six years of the alleged contravention (subclause 79(2)).  This timeframe is consistent with limitation periods that generally apply in civil proceedings.

 

If satisfied that the person has contravened a civil penalty provision,  a Court may order the person to pay a pecuniary penalty (subclause 79(3)).  Such an order is a civil penalty order (subclause 79(4)).

 

The maximum penalty which an individual can be ordered by a Court to pay is as set out in the civil penalty provisions of the PCEHR Bill.  If the person is a body corporate, the maximum penalty is five times the amount specified in the civil penalty provision (subclause 79(4)).

 

A Court may take into account all relevant matters when it is determining the penalty amount to be imposed, including the nature and extent of the contravention and of any loss or damage suffered, the circumstances of the contravention, whether a court has previously found that the person has engaged in similar conduct and the extent to which the person has taken steps to notify appropriate persons of the contravention and to prevent further contraventions (subclause 79(6)).

 

Clause 80   Civil enforcement of penalty

Clause 80 specifies that a pecuniary penalty is a debt payable to the Commonwealth (subclause 80(1)) and may be enforced by the Commonwealth as if it were a judgement debt (subclause 80(2)). 

 

Clause 81   Conduct contravening more than one civil penalty provision

Where conduct has contravened two or more civil penalty provisions, proceedings may be instituted against the person in relation to the contravention of one or more of those provisions (subclause 81(1)) although a person cannot be liable for more than one civil penalty under Part 6 in relation to the same conduct (subclause 81(2)). 

 

Clause 82   Multiple contraventions

 Clause 82 specifies how Courts may deal with multiple contraventions.

 

Courts may make a single penalty order in respect of multiple contraventions of a civil penalty provision if proceedings for the contravention are founded on the same facts, or if the contraventions form, or are part of, a series of contraventions of the same or a similar character (subclause 82(1)).

 

However, the penalty ordered by the Court must not exceed the sum of the maximum penalties that could be ordered if a separate penalty were ordered for each of the contraventions (subclause 82(2)).

 

Clause 83   Proceedings may be heard together

This clause provides that multiple proceeding for civil penalty orders may be heard together.

 

Clause 84   Civil evidence and procedure rules for civil penalty orders

This clause provides that the rules of evidence and procedure for civil matters apply when a Court hears proceedings for a civil penalty order.

 

Clause 85   Contravening a civil penalty provision is not an offence

The penalty provisions in the Bill are civil, not criminal, provisions.  Contravening a civil penalty provision is not an offence.

 

Division 2—Relationship to other proceedings

 

Clause 86   Civil proceedings after criminal proceedings

A Court may not make a civil penalty order against a person for a contravention of a civil penalty provision if the person has been convicted of a criminal offence (for example, under the Criminal Code) and the conduct associated with that conviction is similar or substantially the same as the conduct constituting the contravention.

 

Clause 87   Criminal proceedings during civil proceedings

Proceedings for a civil penalty order against a person are stayed if criminal proceedings are commenced or have already been commenced and the offence is constituted by conduct that is similar or substantially the same as the conduct alleged to constitute the contravention (subclause 87(1)). 

 

If the person is not convicted of the criminal offence, the civil proceedings may be resumed.  However, if the person is convicted of the criminal offence, the civil proceedings are dismissed (subclause 87(2)).

 

 

 

 

Clause 88   Criminal proceedings after civil proceedings

Regardless of whether a civil penalty order has been made against a person, criminal proceedings may be commenced against the person notwithstanding that the conduct in relation to both the criminal and civil matters is the same or similar.

 

Clause 89   Evidence given in civil penalty provision not admissible in criminal proceedings

Clause 89 specifies the circumstances in which evidence given in civil proceedings is not admissible in criminal proceedings.

 

Division 3—Other matters

 

This Division sets out provisions specifically relating to the penalty provisions referred to previously.

 

Clause 90   Ancillary contravention of civil penalty provisions

Subclause 90(1) specifies the circumstances in which a person who may not have contravened a civil penalty provision, or who may not have been directly involved in a contravention, will nevertheless be liable.  These circumstances include:

 

·          attempting to contravene a civil penalty provision (paragraph 90(1)(a));

·          aiding, abetting counselling or procuring a contravention of a civil penalty provision (paragraph 90(1)(b));

·          inducing a contravention of a civil penalty provision (paragraph 90(1)(c));

·          being in any way, directly or indirectly, knowingly concerned in, or a party to, a contravention of a civil penalty provision (paragraph 90(1)(d)); or

·          conspiring with others to contravene a civil penalty provision (paragraph 90(1)(e)).

 

If a person contravenes subclause 90(1) in relation to a civil penalty provision, that person is taken to have contravened the civil penalty provision (subclause 90(2)). 

 

Example: A person conspires with an employee of a registered portal operator to collect health information from consumers’ PCEHRs passing though the operator’s portal.  The employee is not authorised to collect the information and knows this.  The employee will contravene a civil penalty provision in the PCEHR Bill.  The person conspiring with the employee will also be deemed under clause 90 to have contravened a civil penalty provision. 

 

Clause 91   Mistake of fact

Clause 91 specifies the circumstances where a mistake of fact will result in a person not being liable for a contravention of a civil penalty provision.

 

Clause 92   State of mind

Clause 92 specifies the circumstance in which it is necessary to prove a person’s state of mind in proceedings under the PCEHR Bill.

 

Subclause 92(2) provides that an expression used in a civil penalty provision that expressly provides for a state of mind has the same means as in the Criminal Code. 

 

 

 

Clause 93   Civil penalty provisions contravened by employees, agents or officers

Clause 93 provides that if an element of a civil penalty provision is done by an employee, agent or officer of a body corporate, acting within the scope of their employment, or the scope of their authority, the element must also be attributed to the body corporate.

 

ART 7—VOLUNTARY ENFORCEABLE UNDERTAKINGS AND INJUNCTIONS

 

Voluntary enforceable undertakings are a key element of the graduated responses available under the Bill . They can be used as an effective control of behaviour and can result in systemic changes being made. 

 

Clause 94   Acceptance of undertakings

Under clause 94, the Information Commissioner and System Operator may accept a written undertaking from a person that the person will take, or refrain from taking, specified actions to ensure compliance with their obligations under the PCEHR Bill (subclause 94(1)). 

 

For the purposes of Part 5 of the PCEHR Bill, the person who accepts the undertaking is referred to as the recipient of the undertaking (subclause 94(2)).  This is done for drafting simplicity given that there are two people who may accept undertakings. 

Neither the Information Commissioner nor System Operator is required to accept an undertaking.  Whether it was appropriate to accept an undertaking would depend on a range circumstances, including the nature and severity of the contravention.

 

Where the Information Commissioner or System Operator accept an undertaking, the person giving it must comply with their undertaking, If they do not, the recipient of the undertaking may apply to the Court to enforce the undertaking or for other orders (see clause 95).

 

Example: The System Operator notices that a particular healthcare provider organisation appears to have accessed PCEHRs without identifying the individual accessing the PCEHR system on its behalf.  The System Operator notifies the Information Commissioner.

 

An investigation by the Information Commissioner shows that the healthcare provider organisation has not correctly configured its IT system to provide the required information. Not identifying the individual is a contravention of clause 74.

 

As the oversight involves a relatively small number of PCEHRs, and the healthcare provider organisation has not been involved in any previous contraventions of civil penalty provisions, the Information Commissioner decides to accept an undertaking from the healthcare provider organisation that it will correctly configure its IT systems and ensure that all its employees are properly identified to the System Operator when accessing PCEHRs in the future.    If the healthcare provider organisation subsequently breaches its undertaking, the Information Commissioner is able seek an order to enforce the undertaking and other Court orders.

 

In giving an undertaking, a person must make clear that the undertaking is for the purposes of clause 94 (subclause 94(3)). 

 

If the Information Commissioner or System Operator have accepted an undertaking from a person, the person may subsequently vary  or withdraw the undertaking with the written agreement of the recipient (subclause 94(3)).  This allows for changes to circumstances, such as where a person may no longer be able to carry out an undertaking or where they wish to cease participating in the PCEHR system.

 

A consent by the recipient to the withdrawal or variation of an undertaking is not a legislative instrument (subclause 94(4)).  This provision is not an exemption from the Legislative Instruments Act 2003 .  Rather, it is merely declaratory to assist readers.  The instrument is not a legislative instrument for the purposes of the Legislative Instruments Act 2003 so it will not be disallowable by Parliament or published on the Federal Register of Legislative Instruments.

 

The recipient of an undertaking may cancel the undertaking (subclause 94(5)).  In this case, the  recipient must given written notice of the cancellation to the person.

 

The recipient of an undertaking may publish the undertaking on its website (subclause 94(6)).  Publication of an undertaking may be sensitive in some cases and the recipient would determine whether or not to public an undertaking.  On the other hand, publication may assist educate other participants in the PCEHR system about their obligations under the PCEHR Bill.

 

Clause 95   Enforcement of undertakings

The recipient of an undertaking may apply to a Court for an order if the recipient considers that a person has failed to comply with their undertaking (subclause 95(1)).  If the Court is satisfied that the person has breached their undertaking, the court may make any or all of the following (subclause 95(2):

 

·          an order directing the person to comply with the undertaking;

·          an order directing the person to pay the Commonwealth part or all of an amount which was obtained directly or indirectly by the person and that is reasonably attributable to the breach;

·          an order that the Court considers appropriate directing the person to compensate any other person who suffered loss or damage as a result of the breach;

·          any other order that the Court considers appropriate (paragraph (2)(d)).

 

Clause 96   Injunctions

Subclauses 96(1) and (2) specify the circumstances in which the Information Commissioner or System Operator may seek an injunction. 

 

If an application is made to a Court seeking an injunction under subclauses 96(1) or (2), the Court may grant an interim injunction before considering the application (subclause 96(3)).  The ability to obtain interim injunctions will be important in responding quickly to serious privacy breaches and in helping maintain the security and integrity of the PCEHR system.

 

Any injunction granted by a Court in response to an application by the Information Commissioner or System Operator may be vary or discharged by the Court (subclause 96(4)).

 

 

A Court is not to require, as a condition of issuing an interim injunction, any undertaking as to damages from the System Operator, Information Commissioner or other person (subclause 96(7)).

 

PART 8—OTHER MATTERS

 

Part 8 of the Bill provides for subordinate legislation to be made in the form of regulations and PCEHR Rules, certain decisions to be reviewable, reporting and review of the legislation and its associated activities, the treatment of types of participating entities, the extension of authorisations and the delegation of certain functions and powers.

 

Division 1—Review of decisions

 

Clause 97   Review of decisions

Key decisions which are required to be made by the System Operator and which could have an adverse effect will be subject to merits review.  These decisions are:

 

·          whether or not to recognise a person as an authorised representative.  This reflects that in some cases a person may be adversely affected by the decision to recognise another person as an authorised representative;

·          to refuse to register a consumer;

·          to refuse to register a healthcare provider organisation;

·          to impose a condition on the registration of a healthcare provider;

·          to refuse to register a person as a repository operator, portal provider or contracted service provider;

·          to impose a condition on the registration of a person as a repository operator, portal provider or contracted service provider;

·          to refuse to specify a repository as one to which the registration of a repository operator relates; and

·          to cancel or suspend the registration of a consumer or other entity;

·          to refuse to cancel or suspend the registration of a consumer or other entity upon request by that consumer or entity;

·          to vary the registration of a consumer or other entity upon request by that consumer or entity; and

·          to refuse to vary the registration of a consumer or other entity.

 

Upon making any of the above decisions, the System Operator is required to notify the affected person in writing and inform the person of their rights to seek merits review of the decision (subclause 97(2)).

 

Subclause 97(4) places a 28 day limit on a person’s ability to seek merits review, commencing on the day the person receives the System Operator’s notice under subclause 97(2). Requests for merits review must explain why the affected person is making the request (subclause 97(5)).

 

The System Operator is required to reconsider its decision within 28 days of receiving the request and notify the affected party in writing of the outcome of the reconsideration and the basis for those results (subclause 97(6)).  The System Operator must also notify the affected person of their rights to seek a review by the Administrative Appeals Tribunal (subclause 97(7)).

 

If the affected person is not satisfied with the outcome of the reconsideration, the person may make an application to the Administrative Appeals Tribunal to review the decision (subclause 97(8)).

 

The Administrative Appeals Tribunal provides independent merits review of administrative decisions.  Merits review of an administrative decision involves considering afresh the facts, law and policy relating to that decision.  The Tribunal considers the material before it and decides what is the correct, or, in a discretionary area, the preferable decision.  It will affirm, vary or set aside the decision under review, and substitute its own decision or remit the matter to the System Operator for reconsideration in accordance with any directions or recommendations of the Tribunal.

 

Division 2—Delegations

 

Clause 98   Delegations by the System Operator

This clause enables the System Operator to delegate, in writing, any of her or his functions or powers to an APS employee of the Department of Health and Ageing or the Chief Executive Medicare (paragraphs (1)(a) and (b)).  The System Operator may also delegate any of her or his functions to any other person subject to the consent of the Minister (paragraph (1)(c)). Despite any delegations the System Operator may make, the System Operator remains responsible and accountable for the functions.

 

If the System Operator delegates any of her or his functions or powers to the Chief Executive Medicare, the Chief Executive Medicare may, in writing, further delegate those functions or powers to an employee of the Department of Human Services (subclause 98(3)). 

Subclause 98(4) applies sections 34AA, 34AB and 34A of the Acts Interpretation Act 1901 in relation to any subdelegation in a corresponding way to the way in which those provisions apply to a delegation.

 

This power of delegation is provided for practical and administrative reasons. Providing for delegations is commonplace in Commonwealth legislation.

 

The System Operator cannot delegate the function of advising the Minister on matters relating to the PCEHR system under paragraph 11(1)(k) (subclause 98(2)).

 

The exercise of any delegation must be carried out in accordance with the directions of the System Operator (subclause 98(5)).

 

Division 3—Authorisations of entities also cover employees

 

Clause 99   Authorisations extend to employees etc.

This provision expands on the authorisations given in other parts of the PCEHR Bill.

 

The Bill authorises participants in the PCEHR system to collect, use and disclose health information included in a consumer’s PCEHR in particular circumstances.  Given that many of the participants will be organisations rather than individuals, this clause ensures that the Bill’s authorisations extend to employees, contracted service providers and contractors of those organisations where appropriate.

 

 

Division 4—Treatment of certain entities

 

Many of the participants in the PCEHR system will be organisations rather than individuals, and those organisations are likely to be structured in a variety of ways.  Some organisations may not be a legal person.  Division 4 of Part 8 ensures that the obligations and penalties set out in the Bill apply appropriately, notwithstanding the different structures that may be adopted by participants in the PCEHR system.

 

In each case, the Bill will apply to partnerships, unincorporated organisations and trusts with multiple trustees as if that organisation were an individual (subclauses 100(1), 101(1) and 102(1)).

 

Clause 100 Treatment of partnerships

In respect of partnerships, obligations will apply to each partner and may be discharged by any partner (subclause 100(2)).  A civil penalty provision that would otherwise be contravened by the partnership is taken to have been contravened by each partner (subclause 100(3)).

 

Clause 101 Treatment of unincorporated associations

In respect of unincorporated associations, obligations will apply to each member of the association’s committee of management and may be discharged by any of those members (subclause 101(2)).  A civil penalty provision that would otherwise be contravened by the association is taken to have been contravened by each member (subclause 101(3)).

 

Clause 102 Treatment of trusts with multiple trustees

In respect of trusts with two or more trustees, obligations will apply to each trustee and may be discharged by any trustee (subclause 102(2)).  A civil penalty provision that would otherwise be contravened by the trust is taken to have been contravened by each trustee (subclause 102(3)).

 

Clause 103 Exception in certain circumstances

Despite clauses 100-103, partners, members of the committee of management of an unincorporated association and trustees will not contravene a civil penalty provision if she or he:

 

·             is not aware of the circumstances which caused the contravention (paragraph 103(a)); or

·             is aware of those circumstances but takes all reasonable steps to correct the contravention as soon as possible after becoming aware of those circumstances (paragraph 103(b)).

 

Clause 104 Division does not apply to Division 3 of Part 3

Clause 104 provides that Division 4 of Part 8 of the Bill does not have effect for the purposes of Division 3 of Part 3 (registering repository operators, portal operators and contracted service providers). 

 

An applicant for registration as a repository operator, portal operator or contracted service provider must be a legal person.

 

 

 

 

Division 5—Alternative constitutional bases

 

Division 5 is intended to ensure that the proposed Act is given the widest possible operation consistent with Commonwealth constitutional legislative power.  Subclause 105(1) provides that, without limiting the effect of the proposed Act, it also has effect as provided by subclauses 105(2) to (7) in reliance on different Commonwealth heads of power. 

 

Subclause 105(6) deals with Australia’s obligations under international agreements and this takes account of the International Covenant on Civil and Political Rights under which Australia has obligations in relation to privacy.

 

Division 6—Annual reports and review of Act

 

The provisions in Division 6 are consistent with the annual reporting and legislation review provisions in the HI Act.

 

Clause 106 Annual reports by Information Commissioner

 

The Information Commissioner must prepare a report, no more than three months after the end of each financial year, on its activities over the course of that financial year (subclause 106(1)). 

 

The Bill specifies the types of matters that must be included in the report (subclause 106(2)), including statistics on complaints received, investigations, accepted enforceable undertakings and proceedings which have been initiated.  Paragraph 106(2)(b) provides that the regulations may also prescribe matters on which the Information Commissioner must report.

 

By 30 September each year, the Information Commissioner must provide his or her report to the Minister and to the Ministerial Council (subclause 106(3)). 

 

The Minister must table the report in Parliament within 15 sitting days of receiving the report (subclause 106(4)).  The report would therefore be available to the public, providing scrutiny and transparency of the Information Commissioner’s activities in respect of the PCEHR system.

 

Clause 107 Annual reports by System Operator

The System Operator must prepare a report, no more than three months after the end of each financial year, on its activities over the course of that financial year (subclause 107(1)). 

 

The Bill specifies the types of matters that must be included in the report (subclause 107(2)), including statistics on registration, cancellation and suspension decisions, complaints and investigations, accepted enforceable undertakings, proceedings which have been initiated, breaches and use of the system by consumers and healthcare providers. 

 

Paragraph 107(2)(b) provides that the regulations may also prescribe any other matters on which the System Operator is to report. 

 

The System Operator’s report may include information about the operation of the Jurisdictional Advisory Committee and the Independent Advisory Council (subclause 107(3)).

 

By 30 September each year, the System Operator must provide its report to the Minister and to the Ministerial Council (subclause 107(4)). 

 

The Minister must table the report in Parliament within 15 sitting days of receiving the report (subclause 107(5)).  The report would therefore be available to the public, providing scrutiny and transparency of the System Operator’s activities.

 

Clause 108 Review of operation of Act

This clause requires that the operation of this proposed Act be reviewed after it has been in operation for two years.

 

It is intended that such a review will provide the opportunity to correct any unanticipated shortcomings of the legislation and identify possible improvements and clarifications to its operation, including the arrangements underpinning the PCEHR System Operator.  Such matters may only become evident after extended application of the legislation.  The review will also provide the opportunity to implement new arrangements that are necessary, such as to support an increased capacity for the system.

 

Two years after commencement, the Minister must consult with the Ministerial Council regarding the arrangements for the review (subclause 108(3)).  The person or body subsequently assigned by the Minister to undertake this review must seek and consider submissions from the public (subclause 108(4)). 

 

The review must be completed within six months of commencing the review (paragraph (2)(b)) and a written report on the review must be provided to the Minister (subclause 108(5)).

 

The Minister must provide a copy of the report to the Ministerial Council (paragraph (6)(a)) and table the report in Parliament within 15 sitting days after receiving the report (paragraph (6)(b)).  The report would therefore be available to the public, providing scrutiny and transparency in relation to the operation of the PCEHR legislation.

 

Division 7—PCEHR Rules, regulations and other instruments

 

This Division of the Bill provides for a range of subordinate legislation to be made by the Governor-General and the Minister to support the operation of the PCEHR system.

 

Clause 109 Minister may make PCEHR Rules

This clause allows the Minister to make rules to support the PCEHR system.  The PCEHR Rules will be legislative instruments subject to the Legislative Instruments Act 2003 , meaning that they will be tabled in Parliament, registered on the Federal Register of Legislative Instruments and subject to disallowance by Parliament and sunsetting.

 

Before making PCEHR Rules, the Minister must consult with the Jurisdictional Advisory Committee.  In some cases, PCEHR Rules may need to be made urgently in response to emerging security or privacy threats, and there may not be time to fully consult.  Subclause 109(2) therefore provides that a failure to consult the Committee does not affect the validity of the Rules.

Subclauses 109(2) to (8) specify the things in relation to which PCEHR Rules may be made and the way in which Rules may apply to certain participants.  In particular, PCEHR Rules may be made in relation to:

 

·             the registration of consumers and other entities, including technical and other requirements such as the storage of data and records, records management, administration and day-to-day operations, physical and information security, the uploading of certain types of records;

·             access control mechanisms, including default access controls; and

·             authorised and nominated representatives, including how such persons are recognised, the verification requirements for a consumer who no longer has an authorised representative when they assume control of their PCEHR and the circumstances where a healthcare identifier is not required.

 

The Rules will not relate to the professional activities of healthcare providers.  Numerous professional bodies exist for this purpose and the PCEHR Rules are intended to only prescribe matters which relate specifically to the operation of the PCEHR system. 

 

Other matters that may be addressed in the PCEHR Rules include:

 

·          security and technical requirements of participants;

·          processes that must be implemented by registered healthcare provider organisations to authorise users of the PCEHR system;

·          types of PCEHR records can be authored by healthcare providers;

·          requirements associated with the registration of a consumer, such as the types of documentation that are acceptable to prove a consumer’s identity and arrangements regarding assisted registration;

·          the circumstances for automatically suspending or cancelling access to a consumer’s PCEHR;

·          requirements that will apply to the System Operator or other entity after the registration of a consumer of other participant is cancelled, such as in relation to records; and

·          information that must be entered by the System Operator on the Register.

 

As discussed above in relation to clause 40, subclause 109(5) permits PCEHR Rules to be made which modify provisions of the Bill if this is necessary to permit registration for a PCEHR using a pseudonym.  Such a provision is necessary to ensure that people may participate pseudonymously in the PCEHR system, should they need or desire to do so.  At this time, it is not expected that such modification will be necessary.  However, before the PCEHR system is in place and operating, it is not possible to be certain that modifications to the PCEHR Bill will not be required.   Like other PCEHR Rules, any Rules made for this purpose will be subject to Parliamentary scrutiny and disallowance.  

 

A failure to comply with a relevant requirement in the PCEHR Rules may result in cancellation or suspension of a participant’s registration and/or other sanctions, including the imposition of a civil penalty.

 

A failure by a registered repository operator or registered portal operator to comply with the PCEHR Rules may result in a civil penalty of 80 penalty units for individuals or 400 penalty units for bodies corporate (see clause 78).

 

Clause 110 Minister may determine a law of a State or Territory to be a designated privacy law

Subclause 110(1) permits the Minister to determine that a state or territory privacy or health information law is a designated privacy law (subclause 110(1)) for the purpose of clause 48. 

 

 

The designation of privacy laws is connected to the registration of repository and portal operators.  If the repository operator or portal operator is a state or territory authority or an instrumentality of a state or territory authority that is not subject to a designated privacy law, the operator will need to be prescribed under section 6F of the Privacy Act (paragraph 48(d)).  This is to ensure that the National Privacy Principles under the Privacy Act apply to that operator.

 

A determination under clause 110(1) will be a legislative instrument subject to the Legislative Instruments Act 2003 (subclause 110(2)).  This means that the determination will be tabled in Parliament, registered on the Federal Register of Legislative Instruments and will be subject to disallowance and sunsetting.

 

Clause 111 Guidelines relating to the Information Commissioner’s enforcement powers etc.

Given the Information Commissioner’s central role in relation to the PCEHR system, the Commissioner will be required to issue enforcement guidelines outlining how she or he will approach enforcement issues under the PCEHR Bill and related legislation (subclause 111(2)).  The Information Commissioner must have regard to these guidelines in exercising her or his powers under this Bill (subclause 111(1)).

 

The Information Commissioner’s guidelines will be a legislative instrument subject to the Legislative Instruments Act 2003 (subclause 111(2)).

 

Clause 112 Regulations

This clause provides for the Governor-General to make regulations for the purposes of the proposed Act (subclause 112(1)). 

 

Subclause 112(2) makes clear that, without limiting subclause 112(1), regulations may be made on any matter about which the Minister may make PCEHR Rules.

 

The matters specifically mentioned in the Bill about which regulations may be made include:

 

·          additional types of healthcare provider that may be a nominated healthcare provider (see definition of nominated healthcare provider );

·          types of person who may be an authorised representative of a consumer (see clause 6);

·          a body to be the System Operator (see clause 14);

·          additional functions of the Jurisdictional Advisory Committee (see clause 18);

·          additional matters relating to the Jurisdictional Advisory Committee such as remuneration and allowances, and procedures of the committee (see clause 23);

·          additional functions of the Independent Advisory Council (see clause 24);

·          remuneration of the Independent Advisory Council, in the absence of a determination by the Remuneration Tribunal, and allowances (see clause 29);

·          procedural matters of the Independent Advisory Council (see clause 37);

·          information required as part of the consumer registration process (see clause 40);

·          additional information about which the Information Commissioner must report annually (clause 106);  and

·          additional information about which the System Operator must report annually (clause 107).

 

The regulations may prescribe criminal penalties of not more than 50 penalty units for offences against the regulations. 

 

The regulations may also prescribe civil penalties for contraventions of the regulations.  The regulations may provide for a maximum civil penalty of 50 penalty units for individuals and a maximum of 250 penalty units for bodies corporate.

 

Prior to the Governor-General making regulations, the Minister must consult with the Ministerial Council in respect of the proposed regulations (subclause 112(3)).  This ensures that the states and territories are consulted prior to the making of any regulations.