Discussion Paper proposals

Electronic health information systems

61.21 In the Discussion Paper, Review of Australian Privacy Law (DP 72), the ALRC expressed the view that the collection of health information into electronic health information systems does not necessarily require specific legislative control if the Privacy Act is updated and amended, as proposed in DP 72. The collection of health information into stand-alone electronic records, and the use of electronic systems to transmit health information among health service providers treating an individual, do not raise new or unique issues. The model Unified Privacy Principles (UPPs) and the new Privacy (Health Information) Regulations are intended to be technology neutral and will regulate satisfactorily the handling of electronic health information in these circumstances.

National shared electronic health records

61.22 The ALRC expressed the view, however, that the establishment of a national UHI or SEHR scheme would require specific enabling legislation. The ALRC recognised the significant potential benefits to healthcare quality and safety that the establishment of such schemes may deliver, but noted that such schemes will work effectively only if there is a sufficient degree of public trust and public confidence in the schemes and their administration. The ALRC also expressed the view that national developments of such importance involving the establishment and use of unique identifiers for all Australians, and the development of a national approach to SEHRs, should be subject to comprehensive public debate and parliamentary scrutiny.

61.23 The ALRC agreed with NEHTA’s position that enabling legislation should deal with those issues that fall outside existing privacy regulation. The ALRC proposed that such enabling legislation should nominate or establish an agency or organisation with clear responsibility for managing the UHI and SEHR schemes; set out eligibility criteria, rights and requirements for participation in the schemes, including consent requirements; specify the permitted and prohibited uses and linkages of the personal information held in the systems and the permitted and prohibited uses of UHIs; establish sanctions in relation to misuse; and include specific safeguards, for example, that it is not necessary to use a UHI in order to access health services.[23]

61.24 The ALRC proposed, however, that the systems should remain subject to the Privacy Act and the proposed UPPs as amended by the proposed Privacy (Health Information) Regulations.

Submissions and consultations

61.25 In response to DP 72, the Australian Privacy Foundation expressed opposition to the establishment of a centralised health information system, based on unique identifiers. It argued that such a system posed an unacceptable risk to the privacy of health information and was unnecessary. The Australian Privacy Foundation’s view was that a more appropriate approach would be a federated model where separate systems were linked in specific circumstances and subject to safeguards. The Australian Privacy Foundation stated that:

The Foundation urges that the ALRC not reach any conclusions, and not make any recommendations, that pre-suppose that centralised data schemes or a universal identifier are even desirable, let alone inevitable.

The Foundation further submits that the ALRC should expressly recognise that strong arguments exist against those approaches and in favour of federation among large numbers of independent databases, and should frame its conclusions and recommendations in order to reflect the unsettled nature of health care data architectures.[24]

61.26 Microsoft Asia Pacific also supported a federated model:

Microsoft considers that a privacy-sensitive approach to the development of electronic health information management systems would be to adopt a federated data model. Rather than centralising data storage, a federated model seeks to centralise the point of access. Data storage is compartmentalised and access is granted only on a ‘need to know’ basis. This approach ensures that systems are designed with built-in checks and balances to lower the risk (both in terms of the likelihood and magnitude) of data security breaches.[25]

61.27 The Australian Institute of Health and Welfare (AIHW) expressed the view that, although the SEHR and UHI schemes differ from existing electronic health records and identifiers in scale, they are not different in nature. In the AIHW’s view, creating separate provisions to regulate the schemes would result in inconsistency.[26]

61.28 On the other hand, the Australian Privacy Foundation, and a number of other stakeholders, were of the view that specific legislation would be required if projects of the scale and scope of the proposed SEHR and UHI schemes were to go forward.[27] Medicare Australia noted that:

The COAG funding approval for the UHI was predicated on leveraging the personal information stored in Medicare Australia’s Consumer Directory for the initial data load to populate the Individual Healthcare Identifier (IHI) portion of the UHI system. It will therefore be essential for the enabling legislation to provide the specific authority to use the Medicare data in that way.

Given the significance of these programs to the vast majority of the public, it is particularly appropriate that the framework be subject to public debate and parliamentary scrutiny.

In developing the legislation, we think the most important factor will be to ensure that consumers can effectively control the handling of their personal information.[28]

61.29 The Victorian Office of the Health Services Commissioner agreed that enabling legislation would be required for the schemes, but was of the view that a separate set of health privacy principles was also necessary and should apply to the schemes.[29]

61.30 A number of other stakeholders expressed general support for the ALRC’s proposed approach.[30] The OPC expressed support for the proposal and noted that it had provided a submission to NEHTA concerning its Privacy Blueprint for Unique Health Identifiers.

This submission raised a number of privacy risks, including the risks posed by the backend UHI Service database. As the Office understands the proposal, this database would be a national database of names and addresses of individuals with UHIs. The Office noted that while other similarly large databases exist in Australia, such as those maintained by Medicare Australia and the Australian Taxation Office, what would seem to make this repository unique is the potential for it to be accessible to a large number of users who work in the health sector. In regard to privacy protections, users will interact with the database in different jurisdictions, some of which may have no privacy legislation.[31]

ALRC’s view

61.31 A number of stakeholders expressed the view that a centralised shared health records system based on unique identifiers is not the best way forward. The ALRC expresses no view on whether a centralised or federated model is preferable. Such concerns are, however, one reason that any such scheme should be underpinned by specific enabling legislation. The development and passage of such legislation will provide an opportunity, although not the only opportunity, for public scrutiny of, and debate on, the proposed scheme.

61.32 Any such legislation should deal with those issues that fall outside existing privacy regulation and provide more stringent rules where necessary. The legislation should, for example, nominate or establish an agency or organisation with clear responsibility for managing the systems, including the privacy of personal information in the systems. There should be clear lines of accountability. The legislation should set out the permitted and prohibited uses of UHIs and sanctions for misuse. Moreover, the legislation should make absolutely clear that certain safeguards are fundamental; for example, that it is not necessary to use a UHI to access health care.

61.33 As discussed in Chapter 30, legislative schemes establishing multi-purpose identifiers—such as UHIs—will also need to address the issues raised by the ‘Identifiers’ principle. The ‘Identifiers’ principle prohibits the adoption, use and disclosure by organisations of multi-purpose identifiers except in certain circumstances.[32] It will be necessary to set out in the legislation establishing the UHIs—or in regulations under the Privacy Act—those organisations allowed to adopt, use and disclose UHIs, and the circumstances in which it is lawful for those organisations to do so. In addition, the ALRC has recommended that, before the introduction by agencies of any unique multi-purpose identifier, such as the UHI, the Australian Government, in consultation with the Privacy Commissioner, should conduct a privacy impact assessment.[33]

61.34 The systems should remain subject to the Privacy Act and the model UPPs as amended by the new Privacy (Health Information) Regulations. For example, health information generally should be collected for inclusion in an SEHR with consent. That information should be used or disclosed only for the purpose for which it was collected or a directly related secondary purpose where the individual would reasonably expect the agency or organisation to use or disclose the information for that purpose. Exceptions in the UPPs and the regulations would apply so that, for example, it would be possible to use or disclose an individual’s health information held in an SEHR if the agency or organisation reasonably believed that the use or disclosure was necessary to lessen or prevent a serious threat to an individual’s life, health or safety, or public health or public safety.

61.35 The recommendations in Chapter 4 are aimed at achieving national consistency in privacy regulation and, in particular, one set of privacy principles applying across the private sector, and the federal, state and territory public sectors. Any legislation establishing the UHI and SEHR schemes should also apply nationally to ensure consistency between the public and private sectors and across all jurisdictions. Finally, and as discussed in detail in Chapter 60, it would be extremely undesirable to have two sets of privacy principles, one set dealing with health information and one set dealing with other personal information. One set of UPPs, amended where necessary by the new Privacy (Health Information) Regulations, will achieve an appropriate level of regulation and consistency across sectors and jurisdictions.

Recommendation 61-1 If a national Unique Healthcare Identifiers (UHIs) or a national Shared Electronic Health Records (SEHR) scheme goes forward, it should be established under specific enabling legislation. This legislation should address information privacy issues, such as:

(a) the nomination of an agency or organisation with clear responsibility for managing the respective systems, including the personal information contained in the systems;

(b) the eligibility criteria, rights and requirements for participation in the UHI and SEHR schemes by health consumers and health service providers, including consent requirements;

(c) permitted and prohibited uses and linkages of the personal information held in the systems;

(d) permitted and prohibited uses of UHIs and sanctions in relation to misuse; and

(e) safeguards in relation to the use of UHIs, including providing that it is not necessary to use a UHI in order to access health services.

[23] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 56–5.

[24] Australian Privacy Foundation, Submission PR 553, 2 January 2008.

[25] Microsoft Asia Pacific, Submission PR 463, 12 December 2007.

[26] Australian Institute of Health and Welfare, Submission PR 552, 2 January 2008.

[27] Confidential, Submission PR 570, 13 February 2008; Australian Privacy Foundation, Submission PR 553, 2 January 2008; Medicare Australia, Submission PR 534, 21 December 2007.

[28] Medicare Australia, Submission PR 534, 21 December 2007.

[29] Office of the Health Services Commissioner (Victoria), Submission PR 518, 21 December 2007.

[30] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Australian Government Department of Human Services, Submission PR 541, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Northern Territory Government Department of Health and Community Services, Submission PR 480, 17 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[31] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[32] UPP 10.3.

[33] Rec 30–6.