Community Affairs Legislation Committee—Senate Standing—Health Legislation Amendment (eHealth) Bill 2015 [Provisions]—Report, dated November 2015



The Senate

Community Affairs

Legislation Committee

Health Legislation Amendment (eHealth) Bill 2015 [Provisions]

November 2015


© Commonwealth of Australia 2015

ISBN 978-1-76010-312-5

Secretariat

Ms Jeanette Radcliffe (Committee Secretary)

Dr Josh Forkert (Senior Research Officer)

Ms Carol Stewart (Administrative Officer)

PO Box 6100 Parliament House Canberra ACT 2600

Phone: 02 6277 3515

Fax: 02 6277 5829

E-mail: community.affairs.sen@aph.gov.au Internet: www.aph.gov.au/senate_ca

This document was produced by the Senate Community Affairs Committee Secretariat and printed by the Senate Printing Unit, Parliament House, Canberra.

This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Australia License.

The details of this licence are available on the Creative Commons website: http://creativecommons.org/licenses/by-nc-nd/3.0/au/


MEMBERSHIP OF THE COMMITTEE

44th Parliament

Members

Senator Zed Seselja, Chair Australian Capital Territory, LP

Senator Rachel Siewert, Deputy Chair Western Australia, AG

Senator Carol Brown Tasmania, ALP

Senator Joanna Lindgren Queensland, LP

Senator Nova Peris OAM Northern Territory, ALP

Senator Dean Smith Western Australia, LP


TABLE OF CONTENTS

Membership of the Committee

Abbreviations

List of Recommendations

Chapter 1 Introduction

  Referral
  Conduct of the inquiry
  Background
  Purpose and key provisions of the Bill
  Financial implications
  Consideration by other committees
  Acknowledgement

Chapter 2 Key issues

  Opt-out model
  Privacy and security issues
  Governance arrangements
  Rule-making authority
  Civil and criminal penalties
  Consultation process
  Committee view

Appendix 1 Submissions and additional information received by the Committee


ABBREVIATIONS

2013 review Review of the Personally Controlled Electronic Health Record, December 2013

AMA Australian Medical Association

APF Australian Privacy Foundation

Bill Health Legislation Amendment (eHealth) Bill 2015

Copyright Act Copyright Act 1968

department Department of Health

EM Explanatory Memorandum

Health Insurance Act Health Insurance Act 1973

HI Act Healthcare Identifiers Act 2010

MDBN Mandatory data breach notification

Minister Minister for Health

National Health Act National Health Act 1953

NEHTA National E-Health Transition Authority

OAIC Office of the Australian Information Commissioner

PCEHR Personally Controlled Electronic Health Record

PCEHR Act Personally Controlled Electronic Health Record Act 2012

PJCHR Parliamentary Joint Committee on Human Rights

Privacy Act Privacy Act 1988

Scrutiny Committee Senate Standing Committee for the Scrutiny of Bills


LIST OF RECOMMENDATIONS

Recommendation 1

2.91 The committee recommends that the Department of Health consider the recommendations by the Office of the Australian Information Commissioner in relation to privacy in developing the public awareness campaign about the opt-out trial.

Recommendation 2

2.95 The committee recommends that the Bill be passed.


Chapter 1 Introduction

Referral

1.1 On 15 October 2015, the Senate referred the provisions of the Health Legislation Amendment (eHealth) Bill 2015 (Bill) to the Senate Community Affairs Legislation Committee (committee) for inquiry and report by 9 November 2015.1

1.2 The reason for referral outlined in the Selection of Bills report was to give detailed consideration to 'the implications of the changes to the collection, distribution and use of personal information' outlined in the Bill.2

Conduct of the inquiry

1.3 Details of the inquiry, including a link to the Bill and associated documents, were placed on the committee's website. The committee also wrote to 16 organisations and individuals, inviting submissions by 29 October 2015.

1.4 The committee received 12 submissions. Submissions are listed at Appendix 1 and published on the committee's website.

Background

1.5 The personally controlled electronic health record (PCEHR) system allows individuals and their healthcare providers to access their key health information online. The PCEHR system was implemented in July 2012 in response to recommendations by the Department of Health's Healthcare Identifiers Act and Service Review, Final Report 2013 to improve the Healthcare Identifiers Service, a national system for consistently identifying individuals, individual healthcare providers and healthcare provider organisations for healthcare communication purposes.3

1.6 A review of the PCEHR system was undertaken in 2013.4 The review found that 'there was overwhelming support for continuing implementation of a consistent electronic health record system for all Australians, but that a change in approach was needed to correct early implementation issues'.5 The review made thirty-eight recommendations, including:

• establishing new governance arrangements;

• moving to an opt-out system for individual participation; and

• improving system usability and the clinical content of records.6

1 Journals of the Senate, No. 122-15 October 2015, p. 3260.

2 Selection of Bills Committee, Report No. 13 of 2015, Appendix 5.

3 See: Department of Health, Healthcare Identifiers Act and Service Review, Final Report, June 2013, http://www.health.gov.au/internet/main/publishing.nsf/Content/hlth-id-act-srvc-review-container (accessed 3 November 2015).

4 See: Department of Health, Review of the Personally Controlled Electronic Health Record, December 2013, http://www.health.gov.au/internet/main/publishing.nsf/content/ehealth-record (accessed 3 November 2015).

5 Explanatory Memorandum (EM), p. 1.

1.7 In the 2015-16 Budget, the Government announced it would provide $485.1 million over four years in response to the PCEHR review to 'continue the operation of the eHealth system, make key system and governance improvements and implement trials of opt-out arrangements'. This included renaming the PCEHR as My Health Records and transitioning governance arrangements from the National E-Health Transition Authority to the new Australian Commission for eHealth. The Government also announced that trials would be held in at least two regions in 2016 to 'assess public and provider responses to revised participation arrangements, including to an opt-out model'.7

1.8 In her second reading speech, the Minister for Health (Minister), the Hon Sussan Ley MP, noted that the Bill:

…takes the first important steps to reboot our national electronic health records system to deliver an effective system that will help improve the health of all Australians, as well as realising the benefits that instant access to and sharing of electronic health records can provide.8

Purpose and key provisions of the Bill

1.9 The Bill proposes to amend the Personally Controlled Electronic Health Records Act 2012 (PCEHR Act), Healthcare Identifiers Act 2010 (HI Act), Privacy Act 1988 (Privacy Act), Copyright Act 1968 (Copyright Act), Health Insurance Act 1973 (Health Insurance Act) and National Health Act 1953 (National Health Act) to:

• change the name of the PCEHR system to the My Health Record system;

• enable trials of opt-out participation for individuals to be undertaken and, if the trials prove successful at improving uptake of the system, enable opt-out to be implemented nationally;

• prepare for establishment of the Australian Commission for eHealth (to be progressed separately through rules made under the Public Governance, Performance and Accountability Act 2013);

• revise the way permission to collect, use and disclose information is presented and include several new permissions necessary for effective operation of the PCEHR system and Healthcare Identifiers Service;

• introduce new civil and criminal penalties and make enforceable undertakings and injunctions available in both systems;

• remove restrictions on sharing of healthcare provider organisation information;

• clarify that health-related disability, palliative care and aged care services are considered health services;

• apply mandatory data breach notification requirements equally to all participants in the My Health Record system; and

• revise the obligations of people who provide decision-making support.9

6 EM, pp 1-2.

7 Budget 2015, 'My Health Record - a new direction for electronic health records in Australia', Budget Paper 2: Budget Measures, http://www.budget.gov.au/2015-16/content/bp2/html/bp2_expense-14.htm (accessed 3 November 2015).

8 The Hon. Sussan Ley MP, Minister for Health, House of Representatives Hansard, 17 September 2015, p. 10528.

1.10 The Bill is comprised of four schedules. Schedules 1 to 3 of the Bill would commence upon Royal Assent. However, application provisions in proposed part 2 of schedule 1 would mean that some provisions in schedules 1 to 3 will not apply until a later time fixed by proclamation. Schedule 4 would commence at various specified times.10

Schedule 1 - Healthcare identifiers and health records

Part 1 - Amendments

1.11 This part proposes to amend the handling of healthcare identifiers and the information flows relating to the PCEHR system (to be renamed the My Health Record system under schedule 2), and allow for a trial of an opt-out My Health Record system.11

Trials of opt-out arrangements

1.12 Item 106 proposes changes to the PCEHR Act to provide the authorisations necessary for opt-out trial regions to be selected and for healthcare recipients to be registered and their information uploaded to the My Health Record system for use by participants for health purposes.12 This measure also ensures that healthcare recipients can choose to opt-out.13

1.13 The proposed changes provide rule-making powers for the Minister to 'impose opt-out participation for healthcare recipients', allowing the Minister to prescribe opt-out arrangements to a class or classes of people. The trial rules are not required to set a time frame for the trial; however, if a timeframe is specified and the trial concludes without a decision being made to extend the trial or implement opt-out arrangements nationally, the system will revert back to an opt-in system. In making the trial rules, the proposed measure requires that the Minister must:

• be satisfied that applying opt-out to the class, or classes, of healthcare recipients will provide evidence of whether the opt-out arrangements result in participation in the My Health Record system at a level that provides value to those using the My Health Record system; and

• consult with the subcommittee to the Ministerial Council. The EM notes that in practice, the Australian Health Ministers' Advisory Council will be consulted.14

9 Department of Health, Submission 9, p. 3.

10 EM, p. 38.

11 EM, p. 39.

12 EM, p. 92.

13 EM, p. 93.

1.14 In addition, the proposed changes provide that the Minister may make rules to implement the opt-out arrangements nationally 'provided the outcomes of the opt-out trials have demonstrated the value in adopting an opt-out model'.15

New governance arrangements

1.15 Item 72 proposes changes to the PCEHR Act to abolish the Independent Advisory Council and Jurisdictional Advisory Council that currently provide advice to the System Operator. The EM notes that in 2016, it is intended that the yet to be established Australian Commission for eHealth will become the new System Operator and new advisory bodies will be established as part of this new entity.16

Simplification of privacy framework

1.16 Item 34 proposes changes to the HI Act to insert restructured provisions 'to make clear how and why healthcare identifiers and other information can be used, and by whom'.17

1.17 Proposed new subsections 20 and 25D of the HI Act would allow for future regulations to be made allowing prescribed entities to collect, use, disclose and adopt identifying information and healthcare identifiers. This includes limits to ensure that regulations may only be made authorising the collection, use or disclosure of identifying information and healthcare identifiers for purposes related to the provision of healthcare or to assist people who, because of health issues including illness, disability or injury, require support.18

Criminal and civil penalties

1.18 Item 36 proposes changes to the penalties for contravening the prohibitions on the use or disclosure of a healthcare identifier outlined in current section 26 of the HI Act.19 The proposed changes would amend the existing prohibitions and exemptions and introduce the following penalties:

• a civil penalty of up to 600 penalty units (currently $108 000 for individuals and $540 000 for bodies corporate); or

• a criminal penalty of up to two years' imprisonment and/or 120 penalty units (currently $21 600 for individuals and $108 000 for bodies corporate).20

14 EM, p. 93.

15 EM, p. 93.

16 EM, p. 72.

17 EM, p. 46. For a full explanation of these provisions, refer to the table in the EM at pp 47-59.

18 EM, p. 54 & 59.

19 EM, pp 61-63.

Restrictions on sharing healthcare provider organisation information

1.19 Item 1 proposes changes to the Copyright Act to simplify the registration process for healthcare provider organisations to participate in the PCEHR system. This would include a copyright infringement exemption to 'ensure that sharing and use of health records does not infringe any copyright that might subsist in health records'.21

Definition of 'health services'

1.20 Items 99 to 101 propose changes to the definition of 'health service' to include that a health service is 'an activity performed in relation to an individual that is intended or claimed (expressly or otherwise) by the individual or the person performing it':

• to assess, maintain or improve the individual's health;

• where the individual's health cannot be maintained or improved - to manage the individual's health;

• to diagnose the individual's illness, disability or injury;

• to treat the individual's illness, disability or injury, or suspected illness,

disability or injury;

• to record the individual's health for the purposes of assessing, maintaining,

improving or managing the individual's health.22

1.21 The EM noted that this change responds to a recommendation by the Australian Law Reform Commission's 2008 report, For Your Information: Australian Privacy Law and Practice.23

Mandatory data breach notification requirements

1.22 Item 90 proposes changes to the PCEHR Act to centralise data breach reporting requirements for all participants in the My Health Record system. Proposed new section 75 of the PCEHR Act would require that data breach reporting would apply to:

• the unauthorised collection, use and disclosure of health information in an individual's My Health Record;

• any event that has, or may have, occurred that compromises, may compromise, has compromised or may have compromised the security or integrity of the My Health Record system; or

• any circumstances that have, or may have arisen (whether or not involving a contravention of the Act), that compromise, may compromise, have compromised or may have compromised the security or integrity of the My Health Record system.24

20 EM, p. 63.

21 EM, p. 39.

22 EM, p. 104.

23 EM, p. 104.

Obligations of people who provide decision-making support

1.23 Items 63 and 64 propose changes to the PCEHR Act to provide that a person providing decision-making support 'should, instead of acting in the person's best interests, give effect to the 'will and preferences' of the person to whom they provide decision-making support. The EM noted that this proposed change responds to a recommendation by the Australian Law Reform Commission's 2014 report, Equality, Capacity and Disability in Commonwealth Laws.25

Part 2 - Rule-making powers, application and transitional provisions

1.24 This part describes how the changes set out in part 1 of the Bill would operate and have effect and when the various changes would commence.26

Henry VIII clause

1.25 Item 128 proposes changes to allow the Minister to modify the operation of the HI Act, PCEHR Act and Privacy Act by making rules, and may result in the operation of primary legislation being expressly or impliedly amended by subordinate legislation (known as the Henry VIII clause).27 The EM notes this clause is required for transition purposes and is consistent with similar rule-making powers. The EM asserts that the purpose of the provision is to:

…allow the Minister to deal with any unforeseen or unintended consequences that may arise at a later date, specifically regarding the opt-out trials and the changes in governance of the System Operator to the Australian Commission for eHealth.28

Schedule 2 - Renaming PCEHR as My Health Record

1.26 This schedule proposes to amend the Health Insurance Act and the National Health Act to change the name of the PCEHR to the My Health Record. The EM notes that this change is intended to 'recognise that a health record is the result of a partnership between a healthcare recipient and a healthcare provider' and that 'it is becoming unnecessary to differentiate between digital and physical information'.29

24 EM, p. 84.

25 EM, p. 69.

26 EM, p. 105.

27 EM, p. 105.

28 EM, p. 106.

Schedule 3 - Renaming consumers as healthcare recipients

1.27 This schedule proposes to amend the Health Insurance Act, National Health Act and PCEHR Act to change all references from 'consumer' to 'healthcare recipient'. The EM notes that this change aims to align with the terminology used in the HI Act.30

Schedule 4 - Further consequential amendments

1.28 This schedule proposes to make further consequential amendments to align terminology and clarify when the Minister, the Secretary and the Chief Executive Medicare may delegate their powers.31

Financial implications

1.29 In the 2015-16 Budget, the Government announced funding of $485.1 million over four years for the My Health Record system. The EM noted that the measures outlined in the Bill are expected to cost $57.7 million over the forward estimates.32

Consideration by other committees

1.30 The Parliamentary Joint Committee on Human Rights (PJCHR) considered the Bill and found that:

• the opt-out model provided for by the Bill engages and limits the right to privacy;

• the automatic inclusion of the health records of all children and persons with disability engages and limits the rights of children and persons with disability; and

• the civil penalty provisions engage and may limit the right to a fair hearing.

1.31 The PJCHR sought advice from the Minister as to:

• whether there is reasoning or evidence that establishes that the stated objective addresses a pressing or substantial concern or whether the proposed changes are otherwise aimed at achieving a legitimate objective;

• whether there is a rational connection between the limitation and that objective; and

• whether the limitation is a reasonable and proportionate measure for the achievement of that objective.33

29 EM, p. 106.

30 EM, p. 107.

31 EM, p. 107.

32 EM, p. 3.


1.32 The Minister's response had not been published by the time this inquiry had concluded.34

1.33 The Senate Standing Committee for the Scrutiny of Bills (Scrutiny Committee) made a number of comments on the Bill in its Alert Digest of 14 October 2015. The Scrutiny Committee sought explanation from the Minister on:

• the rationale for placing an evidential burden on the defendant for the increased civil and criminal penalties;

• concerns about provisions that would allow the My Health Records Rules to incorporate other material which may change from time to time, and asked whether a requirement that any material 'incorporated by reference be freely and readily available' can be included in the Bill itself;

• why the conduct of the trials of the opt-out model are provided for in delegated legislation, rather than the matter being considered by Parliament and the change being made through an amendment to the primary legislation; and

• more information, and examples of possible circumstances in which the 'Henry VIII clause' could be needed, to assist the committee in understanding why the clause is necessary.35

1.34 The Minister's response had not been published by the time this inquiry had concluded.36

Acknowledgement

1.35 The committee thanks those individuals and organisations that made submissions.

33 Parliamentary Joint Committee on Human Rights, Human Rights Scrutiny Report: Twenty-ninth report of the 44th Parliament, 13 October 2015, pp 13-24.

34 In its submission, the department noted that the Minister has since responded with this advice. The department's submission also seeks to address the issues raised by the PJCHR. See: Submission 9, p. 3.

35 Senate Standing Committee for the Scrutiny of Bills, Alert Digest No. 11 of 2015, 14 October 2015, pp 14-18.

36 In its submission, the department noted that the Minister has since responded with this advice. The department's submission also seeks to address the issues raised by the Scrutiny Committee. See: Submission 9, p. 3.

Chapter 2 Key issues

2.1 Most submissions supported the objectives of the Health Legislation Amendment (eHealth) Bill 2015 (Bill) to improve health outcomes, achieve a better partnership between patients and healthcare providers in healthcare and develop an effective, national shared electronic health record system.1 A number of submissions supported the measures outlined in the Bill, including the introduction of an opt-out trial of the My Health Records system.2 However, a number of submitters raised concerns about the following aspects of the Bill:

• introduction of an opt-out model;

• privacy and security issues;

• proposed rule-making authority measures;

• governance arrangements;

• civil and criminal penalties; and

• legislation consultation process.3

2.2 The Department of Health (department) submitted that the measures outlined in the Bill would all contribute to improving health outcomes for Australians:

…the combination of opt-out trials, extensive information and communication activities, and the continuation of the same strong personal controls mean that moving to opt-out participation arrangements for individuals is proportionate, necessary and reasonable for achieving the objective of improving health outcomes.4

Opt-out model

2.3 Submitters expressed both support and opposition to the trial of an opt-out model.

2.4 A number of submitters supported the introduction of an opt-out model for both healthcare recipients and healthcare providers.5 For example, Medicines Australia suggested that an opt-out system:

…will enable the My Health Record to provide better, more useful and usable information to healthcare practitioners, which will in turn lead to improved whole-of-care for patients.6

1 See: Royal Australian College of General Practitioners (RACGP), Submission 3; Office of the Australian Information Commissioner (OAIC), Submission 7; Medicines Australia, Submission 8; Primary Health Care Limited, Submission 10.

2 See: Carers Australia, Submission 1; Australian Medical Association, Submission 2; National eHealth Transition Authority (NEHTA), Submission 5.

3 See: Australian Privacy Foundation (APF), Submission 6; OAIC, Submission 7; Ms Helen Nicols, Submission 11; Consumers eHealth Alliance, Submission 12.

4 Department of Health, Submission 9, p. 8.

5 See: Submission 5; Submission 8.

2.5 The Office of the Australian Information Commissioner (OAIC) recognised that the benefits of an effective eHealth record system include 'better health outcomes arising from the improved availability and quality of health information, fewer adverse medical events, and procedural and economic efficiency through reduced duplication of treatment'.7 Similarly, the National eHealth Transition Authority (NEHTA) noted that:

The objectives of eHealth to improve healthcare outcomes are supported across the community. A shift to an opt-out consumer participation model continues to be advocated by consumers and providers alike.8

2.6 However, a number of submissions expressed concerns about the introduction of an opt-out model. The Australian Privacy Foundation recommended that the My Health Record system should 'never be made opt-out', suggesting that the collection of data would 'have no practicable health value, but would represent a significant and dangerous risk'.9

2.7 The department noted that the trial of opt-out arrangements:

…provides the opportunity for the Australian community to consider their response to opt-out arrangements and determine whether from their perspective the arrangements are proportionate and reasonable measures to achieving the objective of improving health outcomes.10

2.8 The department clarified that the trials of the opt-out arrangements aim to:

• identify appropriate methods of targeting and delivering critical information about the My Health Record System to key audiences;

• assess the effectiveness of targeted communications, and education and training for healthcare providers; and

• test implementation approaches.11

2.9 The department confirmed that trials of opt-out participation arrangements would be conducted in two sites in the North Queensland and Nepean Blue Mountains Primary Health Network areas.12

6 Submission 8, p. [1].

7 Submission 7, p. 1.

8 Submission 5, p. 3.

9 Submission 6, p. 4.

10 Submission 9, p. 6.

11 Submission 9, p. 13.

12 Submission 9, p. 13.


2.10 The department also highlighted that opt-out arrangements would have a significant impact on long-term government expenditure:

Annual Commonwealth healthcare costs are forecast to increase by $27 billion to $86 billion by 2025, and will increase to over $250 billion by 2050. Improved health outcomes and productivity improvements such as those that can be delivered by eHealth are needed to help counter the expected increases in the healthcare costs. Leveraging eHealth is one of the few strategies available to drive microeconomic reform to reduce Commonwealth health outlays. Without these changes, the quality of healthcare available to all Australians may reduce in the future as costs become prohibitive.

Without a move to opt-out participation arrangements, the required critical mass of registered individuals may not occur, or may be significantly delayed. As a result, the anticipated objective of improving health outcomes and reducing the pressure on Commonwealth health funding may not occur or may be significantly delayed. Under the current opt-in registration arrangements, a net cumulative benefit of $11.5 billion is expected over 15 years to 2025. It is anticipated that the move to a national opt-out system would deliver these benefits in a shorter period.13

Current uptake of eHealth records

2.11 NEHTA noted that at 22 October 2015, the national Personally Controlled Electronic Health Record (PCEHR) system currently has registered:

• 2 427 704 consumers (a large proportion of which are newborns and children);

• 7 970 healthcare organisations (including 452 public hospitals);

• 57 810 shared health summaries; and

• 1.77 million prescription records.14

2.12 NEHTA suggested that this level of uptake:

…is an indicator of willingness by providers to engage with eHealth, even if comfort and capability to use the system is still developing. Together with continual improvements to usability and registration processes, the changes proposed in the eHealth Bill will further facilitate use of eHealth and the PCEHR.15

2.13 The department noted that although currently around 1 in 10 individuals have a My Health Record, there is 'overwhelming support for electronic health records from the consumer community'. The department suggested that the current 'opt-in' system is 'considered an administrative barrier to consumers achieving better health outcomes through the electronic sharing of their health information'.16

13 Submission 9, pp 5-6.

14 Submission 5, p. 2.

15 Submission 5, p. 2.

Utility of data

2.14 However, some submitters suggested that the low uptake of the eHealth system reflected the perceived inefficiencies of the PCEHR system. The Australian Privacy Foundation (APF) expressed concern that the Bill focuses 'on the number of registrations rather than usability and clinical value'. The APF also raised questions about the use and value of the PCEHR system, suggesting that the 2013 PCEHR review:

…noted that poor utility was a major factor in the low level of uptake of the PCEHR. We are unaware of any initiatives to identify what is required to increase the usability of the PCEHR or to actually implement improvements in the system.17

2.15 Similarly, the Consumers eHealth Alliance suggested that the existing PCEHR system does not function effectively:

Rather than an efficient and trusted means of information exchange, the system resembles a big old filing cabinet, randomly stuffed with a selection of documents that may or may not be current, relevant or accurate.

That is why doctors don't use it, and consumers show little interest either.18

2.16 Submitters suggested that the PCEHR system does not improve health outcomes. Primary Health Care Limited submitted that 'evidence to date shows the spend and value generated as a result of the PCEHR initiative has not increased quality of patient care or streamlined health delivery processes'.19 Similarly, the Royal Australian College of General Practitioners (RACGP) submitted:

There is currently limited evidence that supports the proposition that patients merely having access to their healthcare information leads to significant changes to healthcare outcomes. It is the use by clinicians that will help deliver the benefits of coordinated and integrated care and clinicians are unlikely to use it until design and functionality issues are resolved.20

2.17 Medicines Australia suggested that the My Health Record system could be improved by considering the mandatory inclusion of medications, noting that this could 'go a long way to reducing and in some cases eliminating avoidable medication misadventure, error and mishap'.21 Medicines Australia noted that 'optimising the My Health Record to improve the recording, sharing and management of prescribed (and non-prescribed) medication will enable better monitoring of patients' medication management' and contribute to 'improved safety and quality use of medicines'.22

16 Submission 9, p. 5.

17 Submission 6, p. 10.

18 Submission 12, p. [2].

19 Submission 10, p. [1].

20 Submission 3, p. [1].

21 Submission 8, p. [1].

2.18 The department submitted that having a My Health Record would be 'likely to improve health outcomes, making access to the right treatment faster, safer, easier and more cost effective'.23 The Explanatory Memorandum (EM) noted that the 'usability' issues identified by the 2013 PCEHR review would be addressed through preparing for new governance arrangements and simplifying the privacy framework 'by revising the way that permissions to collect, use and disclose information are presented, making it easier for participants in the system to understand what they can and cannot do'.24

2.19 In her second reading speech, the Minister for Health (Minister), the Hon Sussan Ley MP, noted that increasing the uptake of eHealth records would improve the value of the system:

At present about one in 10 Australians has an electronic health record. That is not enough to make it an effective national system, and doctors do not see enough value as yet to use it. If the majority of people have a My Health Record, more healthcare providers will use it and include their patients' health information on it, and this will improve the overall value of the system.25

Impact on vulnerable groups

2.20 As noted in Chapter 1, the Parliamentary Joint Committee on Human Rights (PJCHR) raised a number of concerns about the impact of an opt-out model on the right to privacy and rights of vulnerable groups, including children and people with disability.26

2.21 The Consumers eHealth Alliance recommended that the trials be delayed until the issues raised by the PJCHR are addressed and suggested 'reflection on the critical points raised by the PJCHR in respect of the nature and scale of vulnerable people - and the practical and legal difficulties of obtaining proper, informed, consent from an unengaged populace'.27

2.22 The EM noted that the anticipated benefits in health outcomes as a result of the Bill would be:

22 Submission 8, p. [2].

23 Submission 9, p. 4.

24 EM, p. 2.

25 The Hon Sussan Ley MP, Minister for Health, House of Representatives Hansard, 15 October 2015, p. 20.

26 Parliamentary Joint Committee on Human Rights, Human Rights Scrutiny Report: Twenty-ninth report of the 44th Parliament, 13 October 2015, pp 16-17.

27 Submission 12, p. [5].

…skewed towards vulnerable families as they currently face more challenges in accessing timely and appropriate healthcare and will have more to benefit from improved health outcomes. These people are also less likely to participate in an opt-in model as they are more likely to be challenged by the registration process.28

2.23 This statement was supported by Carers Australia's submission which noted that 'carers are less likely to participate in an opt-in model and are more likely to be challenged by the registration process'.29

2.24 The department submitted that the current PCEHR system provides special arrangements to support children and vulnerable people to participate in the system by allowing authorised representatives to act on their behalf. The department noted that the Bill provides additional arrangements to ensure:

…that people providing decision-making support will…need to give effect to the will and preference of the person to whom they provide decision-making support. Ensuring that representatives can continue to act on behalf of individuals (including children and persons with a disability) to help them to manage their record as part of opt-out is a privacy positive under the eHealth Bill. Authorised representatives will be able, for example, to opt-out the individual for whom they have responsibility from having an electronic health record, if this meets the will and preference of the person they are representing.30

2.25 The department further noted that the process has been designed to:

…cater for those people who have difficulties in coping with bureaucratic processes to ensure it is highly accessible and easy to understand so that they are able to exercise their right to opt-out without unnecessary complexity. While phone and online channels are expected to cater for the majority of individuals, the Department of Health is working to ensure that alternative processes will be available to all individuals including those needing additional support or with limited documentation.31

Pseudonymous records

2.26 The OAIC raised concerns that the Bill does not address how healthcare recipients who wish to obtain a pseudonymous record, currently available under the current system, would be able to do so under an opt-out system. The OAIC recommended that the EM be amended to outline how such records would be addressed in an opt-out model, including for existing healthcare recipients, and this be included in the public awareness campaign.32

28 EM, p. 19.

29 Submission 1, p. [1]. The Explanatory Memorandum suggested that an opt-out approach would benefit vulnerable families, including carers, as they 'currently face more challenges in accessing timely and appropriate healthcare and will have more to benefit from improved health outcomes'. See: EM, p. 19.

30 Submission 9, p. 7.

31 Submission 9, p. 14.

Opt-out mechanism

2.27 The OAIC highlighted that one of the key privacy safeguards for the trial is a 'fair and easy to use opt-out process' that includes:

• allowing healthcare recipients an adequate time period in which to receive and consider information about the opt-out system, to make their decision about whether or not to opt-out, and to exercise their right to opt-out if they so choose

• providing free, simple and accessible means of opting-out of the system, including means that take account of the needs of healthcare recipients with particular needs.33

2.28 The OAIC recommended that further details be provided on the opt-out process for minors and adults lacking capacity and how their records would be managed, including 'what mechanism will be in place to ensure that, where an adult healthcare recipient who lacks capacity has not or is not opted-out, the individual has received the necessary support and information to make that decision'.34

2.29 The department clarified that the opt-out process would be designed to be 'as simple as possible for as many people as possible'. The department noted that individuals who choose to opt-out would be able to do so online, in person or by phone:

The process leading to the creation and filling of a record as part of the opt-out trial has been designed to ensure it is highly accessible, easy to understand and caters for those people who have difficulties in coping with administrative processes so that they are able to exercise their right to opt-out without unnecessary complexity.35

Awareness and education campaign

2.30 A number of submitters highlighted the need to ensure that people, particularly those from disadvantaged backgrounds and those with poor health literacy, are made aware of how to opt-out of the system.36 Without this, individuals are likely to be 'unaware that their data is in a large central repository that can be accessed by providers across Australia and the government'.37

2.31 The OAIC suggested that the public awareness campaign should satisfy the following criteria:

32 Submission 7, p. 11.

33 Submission 7, p. 3.

34 Submission 7, p. 11.

35 Submission 9, p. 15.

36 See: Submission 3, p. [1]; Submission 7, p. 3.

37 Submission 10, p. [2].

• it should provide sufficient information to enable healthcare recipients to understand what the PCEHR system is and the benefits and risks of participation, and to understand what their options are

• the option to opt-out of the system should be clearly and prominently presented

• the campaign needs to be of sufficient scope so that it is likely that each affected healthcare recipient has received and read the information about the PCEHR system, the option to opt-out, and the opt-out process

• the information provided for healthcare recipients should clearly explain the implications of not opting-out. This information should also clearly explain the personal controls available to them, when they will become available and how they can be set

• the material should be accessible, written in plain English and should also be provided in ways that take into account the needs of healthcare recipients with particular needs, such as those from a non-English speaking background and disadvantaged or vulnerable individuals.

2.32 The OAIC further recommended that the public awareness campaign:

…clearly inform healthcare recipients about how their Medicare information will be handled and their options, and that this information may include detail that indicates diagnosed conditions and illnesses.38

2.33 The Australian Dental Association suggested there is also a need for 'an effective communications and education campaign for all healthcare provider organisations and providers':

…if healthcare provider organisations do not have an adequate level of comfort and confidence about how to use the system and what their obligations are and how they can simply comply with those obligations, under the Bill as it stands, there is a real risk that these healthcare provider organisations will not register to participate in the MyHR system, even in these opt-out trial sites where healthcare recipients automatically have corresponding MyHRs set up.39

2.34 The Australian Dental Association recommended that the communication strategy 'must be targeted to all healthcare provider organisations and practitioners and not restricted to healthcare provider organisations and practitioners within the opt-out trial sites' to advise them of the penalties and obligations under the Bill.40 Similarly, Primary Health Care Limited expressed concern that there are 'no detailed plans on how the initiative will change clinician behaviour to access My Health Record system for patient records, especially when patients can opt out and there is a significant likelihood that a patient's records will not be there'.41

38 Submission 7, p. 6.

39 Submission 4, p. 1.

40 Submission 4, p. 2.

41 Submission 10, p. [2].

2.35 The department clarified that a communication strategy to inform people about the opt-out trials is currently being developed. The department submitted that in relation to the plans for a public awareness campaign:

Comprehensive information and communication activities are being planned for the opt-out trials to ensure all affected individuals, including parents, guardians and carers, are aware they are in an opt-out trial and what they need to do to participate, adjust privacy controls associated with their record, or to opt-out if they choose. This will include letters to affected individuals, targeted communication to carers and advocacy groups, extensive online and social media information, and education and training for healthcare providers in opt-out trial locations.42

2.36 The department noted that key features of the communication strategy include:

• Minister's launch of the My Health Record (subject to the Bill being passed);

• updating of the eHealth website to include information about the opt-out trials;

• updating of information about the My Health Record programme, including that which is specific to the opt-out trials;

• the inclusion of information and articles in consumer peak body/disease association specific newsletters about the My Health Record programme, and in particular information to assist carers of people who need assistance to manage their record;

• education and training for healthcare providers about the My Health Record Programme;

• a letter to each person living in an opt-out trial location prior to the commencement of the 'opt-out' period informing them of the trials and how to opt-out if they so choose;

• targeted information, content and articles for distribution to carers and other associations and advocate groups;

• a letter to each person who opts-out to confirm they have opted out of the My Health Record system during the opt-out period;

• tailored information to meet the specific needs of each opt-out trial location community, including the availability of accessible culturally and linguistically diverse materials, working with vulnerable groups and considering the needs of rural and remote communities; and

• working with the state/territory governments involved in opt-out trials to ensure the appropriate communication or action is taken in respect of individuals in protection or custody.43

42 Submission 9, p. 6.

43 Submission 9, pp 14-15.

2.37 The department noted that it is currently considering options for alerting healthcare recipients who may be unaware that they have a record or that it is being used, including:

• a letter is sent to them upon initial creation of the record; and/or

• the provision of notices for display in healthcare settings and community noticeboards advising people of the existence of the trial and what to do if they don't want a record (either before or after its creation).44

Privacy and security issues

2.38 A number of submitters raised concerns about privacy and security issues raised by the Bill.45

Privacy concerns

2.39 The Australian Privacy Foundation (APF) expressed particular concern about the 'lack of control of access to information in the PCEHR and to information in the PCEHR that can be transferred to, and accessed by, associated systems'.46 The APF argued that the Bill does not provide adequate user access controls and 'allows anonymous users, without any form of police or security check to access the system', and risks improper use of healthcare recipients' medical records. The APF recommended a complete redesign of the user controls to reflect a 'need to know' approach.47

2.40 Ms Helen Nicols expressed particular concern about the inclusion of third party information in a healthcare recipient's My Health Record proposed under item 106. Ms Nichols noted:

Speaking as a patient who doesn't want any form of ehealth, I would see this as completely defeating the purpose of allowing me to opt out, if my health information were to be uploaded anyway into my family's records.48

2.41 The APF suggested that privacy concerns should be addressed on a holistic level across the whole electronic health record system:

The PCEHR is part of a complex, interacting health information ecosystem. Privacy issues need to be treated holistically, not in a piecemeal manner, as is the situation with the eHealth Bill.

Concerns about personal information security, privacy, confidentiality and governance of the fragmented national electronic health records system are as much about how the pieces interact, whether controls, protection and risk governance effectively deal with the interoperability, complexity and potential for breach and misuse inherent in the virtual system of which the PCEHR is part, as they are about the PCEHR itself, which would have little interest if it was truly standalone.49

44 Submission 9, p. 15.

45 See: Submission 6; Submission 11; Submission 12.

46 Submission 6, p. 2.

47 Submission 6, pp 5-8.

48 Submission 11, p. [1].

2.42 In contrast, NEHTA submitted that the 'current settings for provider access appropriately balances privacy and clinical outcomes, and if communicated effectively, will encourage active use of the system under an opt-out model'.50

2.43 The OAIC submitted that compared to an opt-in system, the proposed opt-out system increases the privacy risks faced by healthcare recipients, including:

• a healthcare recipient's health information will be handled for the purposes of the PCEHR system without that individual's express consent. This does not align with best privacy practice, which generally involves obtaining express consent before handling health or other sensitive information given the bigger privacy impact that handling this type of information can have

• within a short period of time, an opt-out system will result in an increasing volume of health information being more readily available and to more people than has previously been possible. This creates an increased risk of privacy incidents such as the inadvertent disclosure or misuse of health information. Given that health information is of a particularly sensitive nature, the consequences of these incidents can be more serious.51

2.44 The OAIC emphasised that:

…strong privacy safeguards should be a critical aspect of an eHealth system operated on an opt-out basis. Ensuring that privacy is adequately addressed and protected is also fundamental to establishing and maintaining public confidence in the system.52

2.45 The OAIC recommended that the EM be amended to 'provide clearer requirements and detail about the parameters of these privacy safeguards and how they will be implemented', such as those provided for in the Electronic Health Records and Healthcare Identifiers: Legislation Discussion Paper.53

2.46 The department submitted that the Bill 'maintains the current strong and significant privacy protections under the current opt-in arrangements, and ensures they will apply under the proposed new opt-out arrangements (whether as part of a trial or under any future national implementation)'.54

2.47 The department noted that these protections include the following measures, available to all people registered with the My Health Record system, including children and people with disability:

49 Submission 6, p. 2.

50 Submission 5, pp 3-4.

51 Submission 7, p. 3.

52 Submission 7, p. 1.

53 Submission 7, p. 5.

54 Submission 9, p. 6.

• set access controls restricting access to their My Health Record entirely or restricting access to certain information in their My Health Record;

• request that their healthcare provider not upload certain information or documents to their My Health Record, in which case the healthcare provider will be required not to upload that information or those documents;

• request that their Medicare data not be included in their My Health Record, in which case the Chief Executive Medicare will be required to not make the data available to the System Operator;

• monitor activity in relation to their My Health Record using the audit log or via electronic messages alerting them that someone has accessed their My Health Record;

• effectively remove documents from their My Health Record;

• make a complaint if they consider there has been a breach of privacy; and

• cancel their registration (that is, cancel their My Health Record).55

2.48 The department asserted that implementing opt-out arrangements is likely to result in a much greater use of the system and improve privacy for healthcare recipients by reducing reliance on paper records:

Increased use of the system is a privacy positive as it will reduce the use of paper records, which pose significant privacy risks. For example, where a patient is receiving treatment in a hospital's emergency department for a chronic illness, the hospital may request from the patient's regular doctor information about the patient's clinical history which is likely to be faxed to the hospital. The fax might remain unattended on the fax machine for an extended period of time before being placed into the patient's file, or the information may be sent to the wrong fax number. Either of these things could lead to an interference with the patient's privacy should a third party read the unattended fax or incorrectly receive the fax. In contrast, under the My Health Record system, the patient's Shared Health Summary would be securely available only to those people authorised to see it. There are other similar scenarios where an increase in the level of use of the My Health Record system is likely to lead to a reduction in privacy breaches associated with paper-based records.56

Security concerns

2.49 Several submissions expressed concern about the security of patient data collected under the eHealth system and the risk of identity theft and fraud as a result of unauthorised disclosure or cyber security attacks.57

55 Submission 9, pp 6-7.

56 Submission 9, pp 7-8.

57 See: Submission 10, p. [1]; Submission 6, p. 11; Submission 11, p. [2].

2.50 The APF recommended that an independent assessment be conducted of the design of the eHealth system that includes 'the risk to national security of having personal and health data on all Australians in a system with poor access controls, accessible by anonymous, un-vetted users and which is accessible via the internet'.58

2.51 The EM notes that proposed new section 75 of the PCEHR Act introduces new mandatory reporting requirements for any 'potential or actual unauthorised collection, use or disclosure of health information in a healthcare recipient’s My Health Record', or any 'potential or actual breach of the security or integrity of the My Health Record system' (discussed below).59

Data retention period

2.52 Submitters raised concerns about the length of time records collected under the PCEHR must be held in the National Repositories Service.60 Under section 17 of the current PCEHR Act, records must be retained until either 30 years after the healthcare recipient's death, or 130 years after the record was first uploaded if the date of death is unknown. Item 71 of the Bill proposes to amend section 17 so that where the date of death is unknown, the record must be retained for 130 years from the healthcare recipient's date of birth.61

2.53 The OAIC suggested that a shorter length of time would be consistent with the Australian Privacy Principle 11 which states that 'where an entity holds personal information it no longer needs for a purpose permitted under the APPs, it must take reasonable steps to destroy or de-identify the information'.62 The OAIC recommended that consideration be given to whether the clinical and other authorised purposes would be satisfied if records are retained for a shorter period, and whether holding records for the specified period is necessary and proportionate to those purposes.63

2.54 If no decision is made to extend the opt-out trial nationally, the OAIC recommended that trial participants are notified at the conclusion of the trial and provided with cancellation instructions, or have their records cancelled within a certain number of days of receiving the notification.64

Mandatory data breach notification

2.55 The OAIC recommended two changes to the mandatory data breach notification (MDBN) obligation under proposed section 75 of the PCEHR Act:

58 Submission 6, p. 11.

59 EM, p. 84.

60 Submission 11, p. [4].

61 See: EM, pp 71-72.

62 Office of the Australian Information Commissioner, 'Chapter 11: APP 11 - Security of personal information', http://www.oaic.gov.au/agencies-and-organisations/app-guidelines/chapter-11-app-11-security-of-personal-information (accessed 4 November 2015).

63 Submission 7, p. 10.

64 Submission 7, pp 10-11.

• that the mandatory data breach notification be considered in the context of the general MDBN scheme currently being considered by the Australian Government to avoid having two schemes with different reporting thresholds; and

• that a higher threshold for healthcare recipient notifications be provided to mitigate the risk of 'notification fatigue' where 'when a particular breach presents a high risk of harm to [healthcare recipients], they may not take the necessary action to protect their privacy which they would otherwise have taken if notifications were less frequent and only sent in relation to more serious breaches'.65

2.56 The ADA suggested that the proposed requirements for healthcare providers to report on and address data breaches should consider the different organisational structures of healthcare providers, particularly smaller practices, recommending that:

…any security and data quality requirements be reasonable and proportionate and take into account that health practitioners work within a variety of organisational and business structures and so they have varying levels of resources at their disposal to conform to security/data requirements.66

2.57 The EM justified this measure by noting that:

…it is critical that the System Operator and affected healthcare recipients be notified of a data breach so they can take any necessary action to mitigate risks they may face, or to improve the security of the My Health Record system.67

Governance arrangements

2.58 Some submitters expressed concerns about the proposed new governance arrangements for the My Health Records System. The Consumers eHealth Alliance expressed concern that the proposed new Australian Commission for eHealth would be absorbed into the Department of Health.68 The RACGP suggested the proposed Commission for eHealth should include a representative from their organisation.69

65 Submission 7, pp 7-8.

66 Submission 4, p. 3.

67 EM, p. 85.

68 Submission 12, p. 3.

69 Submission 3, p. [1].

2.59 The EM noted that the new governance arrangements would be established through rules to be made under the Public Governance, Performance and Accountability Act 2013.70 These changes are in response to the 2013 PCEHR review.71 The EM clarified that:

It is intended that the Australian Commission for eHealth will be established as a Commonwealth entity and will be subject to the requirements of the PGPA Act.72

Rule-making authority

2.60 Submitters raised concerns highlighted by the Senate Standing Committee for the Scrutiny of Bills (Scrutiny Committee) regarding the appropriateness of the proposed rule-making powers for certain matters.

Extension of prescribed entities

2.61 The OAIC expressed concern that the proposed changes outlined in item 34 to provide rule-making powers to change the handling of healthcare identifiers are 'not drafted narrowly enough' to avoid the risk of function creep over time.73 The OAIC recommended the proposed limitations be qualified by a reference to healthcare to avoid the risk that the measure be used to 'expand the handling of healthcare identifiers beyond the original intention behind healthcare identifiers of matching health information to individuals when healthcare is delivered'.74

2.62 The OAIC further recommended including a provision that the department be required 'to consult with stakeholders in the making of the regulation, including a specific requirement that the Information Commissioner be consulted, before making such regulations', to ensure that 'any expansion in the handling of healthcare identifiers is subject to sufficient consultation and scrutiny'.75 The OAIC also recommended the Information Commissioner be consulted in making regulations to prescribe an activity that is not to be treated as a health service for the purposes of the Privacy Act.76

2.63 The department clarified that the proposed regulation-making powers under proposed new sections 20 and 25D of the HI Act have been designed to:

…allow the appropriate collection, use, disclosure and adoption of healthcare identifiers and identifying information by entities like NDIA [National Disability Insurance Agency] and the national cancer screening registers, without having to amend the Act each time a new entity needs to be authorised as was necessary with the Aged Care Gateway. Given that the NDIA and the national cancer screening registers may wish to handle identifying information and healthcare identifiers over the next couple of years to improve healthcare and health-related services supplied to individuals, the ability to authorise this in regulations will allow timely authorisation without the need to amend the HI Act each time.77

70 EM, p. 2.

71 See: Department of Health, Review of the Personally Controlled Electronic Health Record, December 2013, p. 22, http://www.health.gov.au/internet/main/publishing.nsf/content/ehealth-record (accessed 3 November 2015).

72 EM, p. 89.

73 Submission 7, p. 9.

74 Submission 7, p. 9.

75 Submission 7, p. 9.

76 Submission 7, p. 10.

2.64 Further, the department confirmed that 'any regulations made authorising other entities to collect, use and disclose identifying information and healthcare identifiers will be subject to Parliamentary scrutiny and disallowance'.78

Roll out of national opt-out system

2.65 Several submissions shared the concerns expressed by the Scrutiny Committee about the proposed measure outlined in item 106 that would allow the roll out of a national opt-out system to be made by legislative instrument, rather than primary legislation.79 The OAIC recommended that 'consideration be given as to whether it is appropriate for this decision about the future direction of the PCEHR system to be made by rules rather than being made by Parliament and effected by change to the primary legislation'.80

2.66 For trials to operate as an effective privacy safeguard, the OAIC further recommended that 'consideration be given to alternative approaches that would more clearly ensure that privacy is taken into account', such as:

• requiring the Minister to consider the privacy impacts when deciding whether to apply the opt out model to all healthcare recipients in Australia; and

• requiring the Minister to engage in consultation more broadly than with just the Ministerial Council, including specifically with the Information Commissioner.81

2.67 The department noted that any decision to proceed to a national roll-out would be informed by an independent evaluation of the trial:

An independent evaluation of the trials will be undertaken in 2016 and will inform consideration by the Government in early 2017 on whether to proceed to national implementation. The Minister will be required to consult with state and territory health ministers before making the Rules necessary to execute such a decision.82

2.68 The department explained that the Minister is required to consult with the states and territories prior to making this decision:

77 Submission 9, p. 17.

78 Submission 9, p. 17.

79 See: Submission 12, p. 3.

80 Submission 7, p. 6.

81 Submission 7, p. 7.

82 Submission 9, p. 13.

…before the Health Minister makes a decision to implement opt-out nationally, they must consult with the Ministerial Council - that is, the COAG Health Council. The states and territories are central to the success of the My Health Record system, regardless of whether the system is opt-in or opt-out, given that their public health systems will be one of the major healthcare provider participants in the system. If a decision is made to implement opt-out nationally, that decision will be of great interest to states and territories as it will also affect their citizens. In practice, national implementation of opt-out will not occur unless states and territories support the implementation.83

2.69 The department considered that the delegation of power for this measure is appropriate:

…the Department considers that it is an appropriate delegation of power for the Bill to allow the Health Minister to make a Rule implementing opt-out nationally, provided that they first follow the procedural and consultation requirements in the Bill.84

2.70 Further, the department confirmed that any rule made implementing opt-out nationally would be subject to Parliamentary scrutiny and disallowance.85

Privacy impact statement

2.71 In addition, the OAIC recommended that before any decision is made to apply the opt-out model nationally, the Minister conduct an independent privacy impact assessment (PIA) in consultation with the OAIC to 'identify, evaluate and address privacy risks that arise during the trial'.86

2.72 The department clarified that an independent PIA analysing the potential privacy risks and impacts of implementing an opt-out approach for participation in the PCEHR system at a national level has been undertaken and has been published on the eHealth website.87 The department noted it is preparing its response to the PIA in respect of the opt-out trials and that this will be published. The department further noted that a follow-up PIA specifically on the opt-out trials has and is expected to be completed in November 2015.88

83 Submission 9, p. 18.

84 Submission 9, p. 19.

85 Submission 9, p. 18.

86 Submission 7, p. 7.

87 See: Department of Health, 'Privacy and the PCEHR' http://www.ehealth.gov.au/internet/ehealth/publishing.nsf/Content/ehealth-program-info-privacy (accessed 4 November 2015).

88 Submission 9, p. 11.

Incorporation of written instruments

2.73 The Scrutiny Committee raised concerns about proposed subsection 109(9) of the PCEHR Act that would allow the My Health Records Rules to incorporate other material which may change from time to time, and sought advice on whether a requirement that any material incorporated by reference be freely and readily available can be included in the Bill itself.89

2.74 In its submission the department explained that the proposed measure has been included in delegated legislation rather than the Bill itself as the materials most likely to be incorporated are IT security related documents, and would need to be responded to quickly and flexibly:

The requirements may quickly and at relatively short notice change to address emerging IT security threats. It is important to be able to deal with rapidly changing IT security threats in a responsive manner that also allows requirements to be enforced. If this does not occur, the security risks to the My Health Record system will increase given the large number of interconnecting healthcare provider organisations (currently more than 7,000 and expected to increase substantially with the trial of opt-out arrangements). A failure by healthcare provider organisations (or repository or portal operators) to comply with IT security requirements may put individuals’ health information at increased risk.90

Henry VIII clause

2.75 The Scrutiny Committee expressed concern about the 'Henry VIII clause' that would allow the Minister to modify the operation of the HI Act, PCEHR Act and Privacy Act by making rules and sought more information and examples on possible circumstances in which the clause may be necessary.91

2.76 The department submitted that the clause was included to:

…allow the Minister to deal with any unintended or unforeseen circumstances that may arise in the future, in particular as part of transitional arrangements in relation to opt-out and in relation to changes of governance arrangements as governance mechanisms for the My Health Record system are moved out of the My Health Records Act and subordinate legislation and into rules proposed to be made under section 87 of the PGPA Act.92

2.77 The department noted that Henry VIII clauses are 'not uncommon as part of transitional arrangements' and the clause is modelled on a similar provision in the Governance of Australian Government Superannuation Schemes Legislation Amendment Act 2015 (Item 22 of Schedule 2). The department further noted that the rules made under this measure would be subject to Parliamentary scrutiny and disallowance.93

89 Senate Standing Committee for the Scrutiny of Bills, Alert Digest No. 11 of 2015, 14 October 2015, p. 16.

90 Submission 9, p. 20.

91 Scrutiny Committee, Alert Digest No. 11 of 2015, p. 18.

92 Submission 9, p. 21.

93 Submission 9, p. 21.


Civil and criminal penalties

2.78 A number of submitters expressed concern about the introduction of new and increased civil penalties and new criminal penalties for healthcare providers and healthcare provider organisations.94 The AMA argued that the proposed penalties 'are not justified and are likely to have a negative impact on healthcare provider and healthcare provider organisation participation' in the My Health Record System.95 Similarly, the RACGP argued that the penalties 'appear excessive and unnecessary and will greatly deter use by busy general practitioners'.96 The AMA recommended that the existing civil penalties for the unauthorised use and disclosure of PCEHR information should remain as they are and no criminal penalties should be introduced.97

2.79 The department submitted that the proposed maximum civil penalty is justified as:

…the My Health Record system stores the sensitive health information of many individuals. The amount of health information stored and the number of individuals whose records are stored will increase significantly under opt-out arrangements.

Penalty levels must provide an appropriate deterrent to any planned or deliberate misuse of sensitive health information. In addition, penalties need to be proportionate to the potential damage that might be suffered by individuals if the health information in their My Health Record is misused.98

2.80 The PJCHR expressed particular concerns that the proposed civil penalties outlined in the Bill may limit the right to a fair trial.99

2.81 The department responded to the PJCHR's concerns in its submission to the inquiry, noting that the proposed civil penalties are significantly lower than the penalties under the Privacy Act (a maximum 2 000 penalty units compared with 600 penalty units under the Bill):

Given that the civil penalties available under the Privacy Act are considered appropriate, it is most unlikely that lower penalties under the Bill would be considered criminal in nature or would limit the right to a fair trial, especially where the penalty regime imposed by the Bill is designed to protect significantly more sensitive health information than is generally the case under the Privacy Act.100

94 See: Submission 2, p. [1]; Submission 3, p. [1]; Submission 4, p. 2.

95 Submission 2, p. [1].

96 Submission 3, p. [1].

97 Submission 2, p. [2].

98 Submission 9, p. 8.

99 PJCHR, Human Rights Scrutiny Report: Twenty-ninth report of the 44th Parliament, p. 24.

100 Submission 9, p. 8.


2.82 Both the Scrutiny Committee and the PJCHR expressed particular concerns about the reversal of the burden of proof in proposed new section 26 of the HI Act.101 Proposed new subsections 26(3) and (4) reverse the burden of proof by providing that the defendant bears an evidential burden when asserting that an exception to the prohibition against misusing healthcare identifiers applies.102

2.83 In response, the department submitted that an evidential burden placed on the defendant is 'not uncommon' and similar measures exist in other Commonwealth legislation. The department noted that:

In accordance with the Guide to Framing Commonwealth Offences, Infringement Notices and Enforcement Powers, the facts relating to each defence in proposed new subsections 26(3) and (4) of the HI Act are peculiarly within the knowledge of the defendant, and could be extremely difficult or expensive for the prosecution to disprove whereas proof of a defence could be readily provided by the defendant. A burden of proof that a law imposes on a defendant is an evidential burden only (not a legal burden), and does not completely displace the prosecutor's burden. Proposed subsections 26(3) and (4) simply require a person to produce or point to evidence that suggests a reasonable possibility that exceptions in those provisions apply to the person.103

Consultation process

2.84 Some submitters raised concerns about the consultation process for the Electronic Health Records and Healthcare Identifiers: Legislation Discussion Paper on which the Bill is based, including the limited timeframe for preparing submissions and limited consultation briefings.104 The Consumers eHealth Alliance recommended the committee consider the submissions to the discussion paper, expressing concern that:

…there has been no analysis and no response to the matters raised in these submissions by either the Department or the Government, and the submissions do not appear to have been considered in any way, let alone addressed, in the tabled legislation.105

2.85 The department clarified that the discussion paper was available for consultation between May and June 2015 and received 137 submissions. The department also held three stakeholder briefings with more than 100 representatives of stakeholder groups including individuals and healthcare providers. State and territory health ministers were also given the opportunity to provide feedback on exposure drafts of the Bill. The department advised that the feedback from this consultation:

101 See: Scrutiny Committee, Alert Digest No. 11 of 2015, p. 14; PJCHR, Human Rights Scrutiny Report: Twenty-ninth report of the 44th Parliament, p. 23.

102 EM, pp 62-63.

103 Submission 9, p. 9.

104 See: Submission 6; Submission 11; Submission 12.

105 Submission 12, p. [1].


…has informed the development of the legislative changes proposed by the Bill, and is also informing system and communications development, as well as planning for the trials of participation arrangements.106

2.86 The department noted that the submissions emphasised:

• the need for appropriate protection of patient information to prevent misuse;

• the importance of considering patient access controls in terms of safety and quality of care versus protection of medical information; and

• the importance of ensuring representatives [who] have authority to act for individuals have access.107

2.87 The department highlighted that the submissions to the discussion paper were largely supportive of the opt-out trial:

About 85 per cent of submissions that commented on opt-out gave full or conditional support to national opt-out participation, while about 98 per cent supported opt-out trials - supporters were equally individuals (including representative organisations) and healthcare providers.108

Committee view

2.88 The committee recognises that the introduction of an opt-out trial of the My Health Records system has the potential to improve health outcomes for Australians. The committee acknowledges that the proposed new governance arrangements that the Bill anticipates could assist to address the previous issues with the PCEHR identified by the 2013 PCEHR review.

2.89 The committee acknowledges that the opt-out model raises privacy risks and recognises the concerns raised by submitters. The committee is satisfied that the trial would provide an opportunity for the department to identify and address any privacy issues that may arise. The committee is also satisfied that the Bill includes sufficient reporting requirements and penalties to deter the unauthorised use or disclosure of healthcare information.

2.90 The committee supports the view of the Information Commissioner that an effective public awareness campaign is integral to the success of the trial, and a key privacy safeguard. The committee considers that the outline of this campaign provided by the department could include greater focus on how privacy concerns would be addressed.

Recommendation 1

2.91 The committee recommends that the Department of Health consider the recommendations by the Office of the Australian Information Commissioner in relation to privacy in developing the public awareness campaign about the opt-out trial.

106 Submission 9, pp 21-22.

107 Submission 9, p. 12.

108 Submission 9, p. 12.


2.92 The committee recognises concerns about the delegation of certain rule-making powers to the Minister for Health in relation to the operation of the trial and the handling of healthcare identifiers. The committee is satisfied that these measures are necessary to allow the Minister to respond to any unforeseen circumstances that may arise from the trial. The committee is also satisfied with the safeguards to ensure that the Minister consults appropriately with the states and territories prior to implementing the opt-out model nationally.

2.93 The committee acknowledges the concerns about the civil and criminal penalties for the unauthorised use or disclosure of information accessed through the My Health Records system. However, the committee considers that these penalties are justified as deterrent measures to protect the privacy of system participants.

2.94 The committee considers that the Bill is an appropriate response to the 2013 PCEHR review and provides an opportunity to 'reboot' Australia's national electronic healthcare system to improve the health of all Australians.

Recommendation 2

2.95 The committee recommends that the Bill be passed.

Senator Zed Seselja

Chair

APPENDIX 1

Submissions and additional information received by the Committee

Submissions

1 Carers Australia

2 Australian Medical Association

3 Royal Australian College of General Practitioners (plus an attachment)

4 Australian Dental Association

5 National E-Health Transition Authority

6 Australian Privacy Foundation

7 Office of the Australian Information Commissioner

8 Medicines Australia

9 Department of Health

10 Primary Health Care Limited

11 Ms Helen Nichols

12 Consumers e-Health Alliance (plus an attachment)