Health Legislation Amendment (eHealth) Bill 2015

Bills Digest no. 41 2015–16

PDF version [794KB]

WARNING: This Digest was prepared for debate. It reflects the legislation as introduced and does not canvass subsequent amendments. This Digest does not have any official legal status. Other sources should be consulted to determine the subsequent official status of the Bill.

Amanda Biggs, Social Policy Section
Leah Ferris and Juli Tomaras, Law and Bills Digest Section
9 November 2015

Contents

Purpose of the Bill
Structure of the Bill
Background
Committee consideration
Policy position of non-government parties/independents
Position of major interest groups
Financial implications
Statement of Compatibility with Human Rights
Key issues and provisions
Concluding comments

Date introduced: 17 September 2015
House: House of Representatives
Portfolio: Health
Commencement: Sections 1–3 commence on Royal Assent. Schedules 1, 2 and 3 commence the day after Royal Assent, while items 2 and 3 of Schedule 4 commence immediately after Schedules 1, 2 and 3 commence. Item 1 of Schedule 4 commences either immediately after Schedules 1, 2 and 3 commence or upon the commencement of Schedule 1 to the Acts and Instruments (Framework Reform) Act 2015, whichever occurs first.

Links: The links to the Bill, its Explanatory Memorandum and second reading speech can be found on the Bill’s home page, or through the Australian Parliament website.

When Bills have been passed and have received Royal Assent, they become Acts, which can be found at the ComLaw website.

Purpose of the Bill

The purpose of the Health Legislation Amendment (eHealth) Bill 2015 (the Bill) is to amend a number of Acts to alter arrangements around the personally controlled electronic health record (PCEHR) system. The Bill amends the Personally Controlled Electronic Health Records Act 2012 (PCEHR Act), the Healthcare Identifiers Act 2010 (HI Act), the Privacy Act 1988, the Copyright Act 1968, the Health Insurance Act 1973 and the National Health Act 1953. The PCEHR is a system which allows individuals and ‘healthcare providers’ to create, access and share personal health information electronically.^{^[1]}

In particular, the Bill proposes amendments to:

rename the PCEHR to My Health Record
rename the PCEHR Act to the My Health Records Act 2012
clarify the legislative meaning of ‘healthcare’
strengthen and expand provisions around the collection, use and disclosure of personal information
impose greater civil penalties for privacy breaches and unauthorised activity
broaden the types of entities which can collect, use and disclose information
introduce an exception to copyright infringement for health records
prepare for the establishment of the new Australian Commission for eHealth (ACeH) to oversee eHealth development and operation of e-Health arrangements
provide for trials of different participation arrangements (including opt-out) to be undertaken
allow the Minister to make rules to implement (under My Health Records Rules) the opt-out model[2] nationally if after consideration of trial evidence she considers this is warranted
clarify the scope and application of ‘consent’ for healthcare information to be uploaded to the system by a healthcare provider and
allow for the abolition of two advisory committees as part of the government's plans to introduce a new Australian Commission on eHealth (ACeH) that will have new governance arrangements.

Structure of the Bill

The Bill has four Schedules:

Schedule 1 is in two parts: Part 1 proposes amendments to the Copyright Act, the HI Act, the PCEHR Act and the Privacy Act; Part 2 proposes provisions around the making of My Health Records Rules, the application of the amendments made in Part 1 and transitional provisions
Schedule 2 proposes to amendments to the HI Act, the Health Insurance Act, the National Health Act and the PCEHR Act to rename the PCEHR as My Health Record (including renaming the PCEHR Act to the My Health Records Act)
Schedule 3 proposes amendments to the Health Insurance Act, the National Health Act and the PCEHR Act, to rename consumers as healthcare recipients and
Schedule 4 is in two parts and deals with consequential amendments: Part 1 proposes amendments to the PCEHR Act; Part 2 proposes amendments to the Health Insurance Act.

Background

What is eHealth?

While no single-consensus all-encompassing definition of eHealth exists, the World Health Organization defines eHealth broadly as ‘... the cost-effective and secure use of information and communications technologies in support of health and health-related fields, including healthcare services, health surveillance, health literature, and health education, knowledge and research’.[3]

There are a number of components to eHealth. For example, the use of broadband technology to allow a patient in a remote area access to a medical specialist through a video conference link. Another example is the electronic health record, a single patient record that contains the key health details of a patient and is capable of being shared electronically.

As one commentator has usefully pointed out:

[T]he "e" in e-health does not only stand for "electronic," but implies a number of other "e's," which together perhaps best characterize what e-health is all about (or what it should be).

The 10 e's in "e-health"

•Efficiency - one of the promises of e-health is to increase efficiency in health care, thereby decreasing costs. One possible way of decreasing costs would be by avoiding duplicative or unnecessary diagnostic or therapeutic interventions, through enhanced communication possibilities between health care establishments, and through patient involvement.[4]

•Enhancing quality of care - increasing efficiency involves not only reducing costs, but at the same time improving quality. E-health may enhance the quality of health care for example by allowing comparisons between different providers, involving consumers as additional power for quality assurance, and directing patient streams to the best quality providers.

•Evidence based - e-health interventions should be evidence-based in a sense that their effectiveness and efficiency should not be assumed but proven by rigorous scientific evaluation. Much work still has to be done in this area.

•Empowerment of consumers and patients - by making the knowledge bases of medicine and personal electronic records accessible to consumers over the Internet, e-health opens new avenues for patient-centered medicine, and enables evidence-based patient choice.

•Encouragement of a new relationship between the patient and health professional, towards a true partnership, where decisions are made in a shared manner.

•Education of physicians through online sources (continuing medical education) and consumers (health education, tailored preventive information for consumers).

•Enabling information exchange and communication in a standardized way between health care establishments.

•Extending the scope of health care beyond its conventional boundaries. This is meant in both a geographical sense as well as in a conceptual sense. e-health enables consumers to easily obtain health services online from global providers. These services can range from simple advice to more complex interventions or products such as pharmaceuticals.

•Ethics - e-health involves new forms of patient-physician interaction and poses new challenges and threats to ethical issues such as online professional practice, informed consent, privacy and equity issues.

•Equity - to make health care more equitable is one of the promises of e-health, but at the same time there is a considerable threat that e-health may deepen the gap between the "haves" and "have-nots". People, who do not have the money, skills, and access to computers and networks, cannot use computers effectively. As a result, these patient populations (which would actually benefit the most from health information) are those who are the least likely to benefit from advances in information technology, unless political measures ensure equitable access for all. The digital divide currently runs between rural vs. urban populations, rich vs. poor, young vs. old, male vs. female people, and between neglected/rare vs. common diseases. [5]

In recent decades, the development of eHealth has been given a high priority because of its potential to revolutionise the delivery of health services by overcoming the barrier of distance, and reducing errors in patient treatment.[6] In addition, eHealth initiatives can deliver improved productivity through streamlining administrative processes.[7]

What is the PCEHR system?

The Personally Controlled Electronic Health Records (PCEHR) system was established in July 2012, with the enactment of the Personally Controlled Electronic Health Records Act 2012 (PCEHR Act).[8] The PCEHR system provides a national system for regulating collection, recording, use and disclosure of ‘health information’ included in an individual’s e-health record. In simple practical terms, it allows doctors, hospitals, and other healthcare providers to view and share an individual’s health information to assist in their care. In this way, the PCEHR is captured by the definition of a ‘health service’ for the purposes of the Privacy Act.[9]

What is ‘health information’?

‘Health information’ is defined in the Privacy Act to mean information or opinion about:

an individual’s health or disability (at any time)
an individual’s expressed wishes about future health services that may be provided to them
a health service provided or to be provided to an individual
other personal information collected to provide or in providing a health service, or in connection with donation of body parts, organs or body substances and
genetic information about an individual in a form that is or could be predictive of their health or a genetic relative of the individual.[10]

What is a ‘health service’?

‘Health service’ is defined in the Privacy Act as;

an activity performed in relation to an individual that is intended or claimed to:
- assess, record, maintain or improve the individual’s health
- diagnose the individual’s illness or disability or
- treat the individual’s illness or disability or
the dispensing on prescription of a drug or medicinal preparation by a pharmacist.[11]

This is the same definition as provided for ‘healthcare’ under the PCEHR Act.[12]

Purpose of the PCEHR system

Currently, the PCEHR Act states that the object of the legislation is to enable the operation of a voluntary[13] national system for the provision of access to health information relating to consumers of healthcare to:

help overcome the fragmentation of health information
improve the availability and quality of health information
reduce the occurrence of adverse medical events and the duplication of treatment[14], and
improve the coordination and quality of ‘healthcare’[15] provided to individuals by different healthcare providers.[16]

In addition to the objects listed in the PCEHR Act, another expected outcome of the system is significant budget savings through reduced inefficiencies. It is anticipated that the budget savings will flow from increasing access to comprehensive health information which will provide healthcare providers with relevant information to enable improved, coordinated and timely treatment decisions, reduce the incidence of adverse events and reduce unnecessary or duplicated services.

The PCEHR system relies on the Healthcare Identifier (HI) service which is intended to ensure consistent identification of individuals, healthcare providers and organisations. The HI service was established by the Health Care Identifiers Act 2010 (HI Act) in line with the Council of Australian Governments (COAG) commitment to developing eHealth.[17] The HI Act regulates the use and disclosure of health care identifiers used in the e-health record system. The HI service assigns each individual and healthcare provider with a unique identifier and is central to the operation of the PCEHR.[18] The development of eHealth initiatives has been overseen by the National E-Health Transition Authority (NEHTA), which was established in 2005.[19]

The type of records contained in an individual’s PCEHR can include prescription records, pathology and diagnostic imaging reports and discharge summaries. Under the PCEHR system the individual controls who is able to access their record, what documents can be added and may remove or add records themselves.[20] The current system operates as an ‘opt-in’ system; individuals must actively register if they wish to participate in the PCEHR system.[21]

Key statistics on the PCEHR

As of October 2015:

2,427,704 people have registered for a PCEHR (or around 10 per cent of the population)
57,810 shared health summaries were in the system, up from about 38,200 in December 2014
There were 218,915 discharge summaries
4,445 specialist letters have been uploaded
7,970 healthcare providers were registered for the PCEHR, including 5,182 general practices and
1,770,632 prescription documents have been uploaded.[22]

Review of the PCEHR

In November 2013, a review of the PCEHR was announced by the then Health Minister, Peter Dutton. The review, led by the head of Uniting Care Health Queensland Richard Royle, was tasked with reporting on issues around implementation of the system which were hampering adoption of the PCEHR. Issues surrounding clinician and patient useability were of particular interest, as were the possible use of incentives to encourage more people and providers to register with the PCEHR system.[23] In May 2014, the Review of the Personally Controlled Electronic Health Record (the Royle Review) was publicly released.[24] While it found ‘overwhelming support’ for the implementation of an electronic health record system, it said a ‘change in approach’ was needed and made a number of recommendations to this end. Broadly, this included renaming the PCEHR, dissolving the NEHTA and replacing it with a new body, moving to an ‘opt-out’ system[25], improving usability and restructuring governance arrangements. Following this the Government conducted public consultations on its recommendations.

Separately to the PCEHR review, a review of the HI service occurred in October 2012. This review found that the core function of the HI service generally worked well, but a number of enhancements and adjustments needed to be made.[26]

Subsequently, the Health Minister Sussan Ley announced just prior to the 2015–16 Budget that the Government would provide $485 million to improve the PCEHR system informed by the recommendations of the Royle review and consultation process.[27] Specifically, the budget announced that the PCEHR would be renamed My Health Record, NEHTA would be replaced by a new Australian Commission for eHealth (ACeH), and trials would be undertaken to assess responses to revised participation arrangements including for an opt-out model.[28]

This Bill proposes provisions that commence implementation of the Government’s response to the PCEHR and HI service reviews, specifically those ‘which are aimed at facilitating increased participation in the system and improvements in the usability and clinical content’ for the benefit of patients and healthcare providers.[29]

Implementation of other measures, such as the establishment of ACeH may require separate legislation.[30] An implementation taskforce to oversee the transition of responsibilities from NEHTA to ACeH has been established to assist this process.[31] Some recommendations of the Royle Review, such as data standardisation issues, may need to be addressed through regulation or other means. Other recommendations, such as an education campaign for consumers and clinicians about the impact of changing to an opt-out system, will not require regulatory change.[32]

Committee consideration

Community Affairs Committee

The Bill has been referred to the Senate Community Affairs Legislation Committee for inquiry and report by 9 November 2015. Details of the inquiry are at the inquiry webpage.[33]

Senate Standing Committee for the Scrutiny of Bills

The Senate Standing Committee for the Scrutiny of Bills (Scrutiny of Bills Committee) raised a number of concerns regarding the provisions of the Bill.[34] The Scrutiny of Bills Committee was particularly concerned with the introduction of proposed section 26 of the HI Act, at item 36 of Schedule 1 to the Bill, which sets out the circumstances where the use or disclosure of healthcare identifiers and other information is prohibited.[35] Proposed subsections 26(3) and (4) set out circumstances where the prohibition on the use and disclosure of a healthcare identifier or other relevant information, respectively, does not apply. Such circumstances include where the use or disclosure is required or authorised under the HI Act or a court order. However, a person charged with breaching the prohibition on use and disclosure, who wishes to rely on the exceptions set out in subsections 26(3) and (4), bears an evidential burden in relation to the relevant exception, in accordance with section 13.3 of the Criminal Code Act 1995. That is, the defendant has ‘the burden of adducing or pointing to evidence that suggests a reasonable possibility that the matter exists or does not exist’.^{^[36]} If the defendant discharges the evidential burden, the prosecution must then disprove the relevant matters beyond reasonable doubt. The Scrutiny of Bills Committee noted that ‘significant penalties apply for contravention of this provision’ and that ‘there is no justification in the explanatory memorandum for placing an evidential burden on the defendant’.[37] As a result of the impact that these amendments may have on a person’s rights and liberties, the Scrutiny of Bills Committee has sought the Minister’s advice ‘as to the rationale for the proposed approach, including whether the approach is consistent with the principles in relation to offence-specific defences outlined in the Guide to Framing Commonwealth Offences, Infringement Notices and Enforcement Powers (September 2011)’.[38]

The Scrutiny of Bills Committee also raised concerns over a number of proposed provisions that allow for matters to be legislated for by way of delegated legislation.[39] In particular, the Scrutiny of Bills Committee was concerned with new Schedule 1 of the My Health Records Act (inserted by item 106 of Schedule 1 to the Bill), which contains provisions that would allow the Minister to make rules that will prescribe trial arrangements and for the opt-out model to be applied nationally.[40] While the Scrutiny of Bills Committee recognises that the proposed op-out system includes a number of adequate safeguards, it concluded ‘that a general change to an opt-out system is central to the regulatory design of the system and thus is a choice which appropriately made by the Parliament rather than delegated to a Minister’ and sought justification from the Minister.[41] Justification was also sought in relation to the use of a ‘Henry VIII clause’ in relation to opt-out trials and a national opt-out system and the incorporation of material/written instruments which may change from time to time within the delegated legislation.[42]

Policy position of non-government parties/independents

The Australian Labor Party’s (ALP) Health spokesperson Catherine King has indicated the Opposition is likely to support the Bill, but has criticised the length of time it has taken since the Royle Review to introduce legislation. She has also questioned the reduced funding for the measure:

“We’ve been waiting for the legislation to be introduced, so we can properly consider it, which we’ll now do,” Ms King said.

“Opt out is an important issue, but this government has wasted two years stalling on eHealth, is now having a trial for another year, and has cut $214 million from it in the budget with no funding beyond 2018. The government should stop stalling and just get on with it.”[43]

In her second reading speech, Ms King noted there were some significant changes in the Bill that warranted further scrutiny ‘to ensure people’s privacy is protected’:

As I stated well at the outset, Labor does not oppose the intent of this Bill. However, we do believe there are elements—especially those that relate to changing the way information can be collected and shared—that do require further scrutiny. As I said, it is not that Labor opposes the principles—many of them do at face value appear to be very common-sense and necessary changes to meet the policy intent—but, given the extent of the changes, stakeholders with direct experience and responsibility in delivering health care and working with personally controlled electronic health records should have an opportunity to provide feedback on the Bill.[44]

The Australian Greens supported the introduction of the PCEHR. Senator Richard Di Natale (then Health spokesperson) stated in 2012 that:

“The introduction of electronic health records will ultimately lead to better health outcomes and savings to the bottom line. This is good news for Australia’s healthcare system and will drag our health system into the 21st century,” said Senator Di Natale.

“The electronic health record will empower people to take control of their health, improve communication between healthcare professionals and reduce medical errors.

“It’s understandable that some medical indemnity groups have concerns but in the long term the electronic record will mean fewer mistakes, which means fewer claims.

“It's clear that Australians will benefit from an electronic health record and we will hold the government to account so that any problems with the rollout are dealt with transparently and quickly.”[45]

This suggests that the Greens are supportive of efforts to increase adoption of the PCEHR, and would be likely to support the general thrust of this Bill.

At this time, the views of cross-bench Senators are not known.

Position of major interest groups

The development of the PCEHR has been of ongoing interest to a wide number of groups, including state and territory governments, clinicians and other health professionals, hospitals, health care organisations, aged care providers, health insurers, software vendors and consumer groups. While the views of stakeholders on the specific provisions contained in this Bill are still emerging, their views on the recommendations of the Royle Review (upon which this Bill is largely based) were canvassed as part of the recent consultation process.

Views of stakeholders gathered from the consultation process

The Department undertook a consultation process on the proposed changes to the PCEHR, which included issuing a discussion paper and conducting multiple workshops with a diversity of stakeholder groups. Broadly, these consultations indicated, ‘strong support for the continued operation of a national shared electronic health record system’ and the findings of the PCEHR review.[46]

The Department received 137 written submissions in response to the discussion paper.[47] Consultants Deloitte prepared a report on the outcomes of this consultation process. A summary of stakeholder comments on some key issues is presented below.[48]

Opt-out model and access controls

Deloitte noted a majority of consumers supported an opt-out model after it was explained to them. However there was some concern around communicating the concept to certain groups, particularly those from culturally and linguistically diverse backgrounds, persons with a disability or those without access to the internet.[49] Among health providers, a similar level of support for an opt-out model was also evident. According to Deloitte, ‘many providers indicated that they would be more willing to participate in the PCEHR if they knew that there was a high likelihood that their patients will have a record.’[50] Providers had some concerns around how the move to an opt-out model would affect the implied consumer consent that exists with the current opt-in model, and suggested legislatively ensuring the right of providers to access records unless this action was specifically blocked by an individual.[51]

The majority of consumers indicated they would be ‘unlikely to use the controls to block access to their record, or to particular documents in their record, except in very special circumstances’.[52] Issues around information security and misuse were found to still exist, but were not considered predominant concerns among consumers.[53]

Not all stakeholders support the PCEHR or the move to an opt-out model. The Australian Privacy Foundation in a submission to the Department questioned the need for a PCEHR, arguing there is ‘no reliable and compelling evidence that demonstrates that the PCEHR as it exists today, or as it will become if the proposed changes are implemented, can deliver the type or level of value and benefits that justify the risks to privacy of a high value repository of every Australian’s identity and health data’.[54] Furthermore, the Foundation is concerned that ‘[w]hat is not clear at all from the Legislation Discussion Paper or any of the public briefings is what, if any, changes are to be made to the system either in terms of usability or in support of better health outcomes.’[55] In short, the Department has failed to demonstrate how the fundamental drivers and requirements of eHealth care have been incorporated into the PCEHR and therefore should not be insisting on public participation.[56] Significantly, the Foundation warns that the proposed opt-out model can ‘leave people in the dark about things which might have implications for their whole family or community, for their whole lives’.[57] Its concerns about mission creep have been expressed as follows:

[...]we believe that there is a strong possibility that there will be a realisation amongst the population at large that the PCEHR is actually a thinly disguised national identity number attached to some health information, none of which can be relied upon because there is no way to medico-legally trust the information contained. However the identity data will be seen as very useful to the government, especially when cross-matched against internet and telecommunications metadata and other government databases.[58]

Governance arrangements and new eHealth entity

Deloitte reported that stakeholder feedback had indicated that health care providers wanted greater representation in governance arrangements. Many stakeholders revealed they had concerns around the current governance arrangements.

Deloitte found ‘strong support for improving the governance arrangements for the PCEHR through the recommendations provided in the PCEHR review’. This included strong support for the establishment of the new eHealth entity (the Australian Commission for eHealth), and the establishment of a new governing board ‘with a greater focus on skills-based membership’.[59]

Stakeholders wanted their input into the governance process ‘to be listened to, considered and acted upon where appropriate.’[60]

Record content and usability

Improved utility of the PCEHR was seen by all stakeholders as one of the keys to driving participation. Concerns have been driven by stakeholder experience of poor software integration which has ‘resulted in very little automation of the accessing of PCEHR information and poor alignment to clinical workflows resulting in impacts on provider time and making it difficult for providers to find information and to upload information.’[61]The type of content which could be uploaded was also regarded as a key factor in providing value to stakeholders, and a number of new types of documents was suggested. But there was broad agreement initially focusing on recording high priority health information, including:

allergies and alerts
current medications
current conditions
transfer of care summaries (for example, hospital discharge summaries) and
recent pathology and diagnostic imaging test results.[62]

For more details of stakeholder views gathered during the consultation process, the reader is advised to consult the Deloitte report and the submissions on the Department’s website.[63]

Other stakeholder views

As noted, views from stakeholders on the specific provisions in this Bill are still emerging. However, since the budget announcement the proposed opt-out trials have attracted some comment. Long-time eHealth commentator and consultant Dr David More has suggested that the trials may end up being ‘trickier than is currently believed’.[64] In particular he has raised pertinent questions about the length of the trials, how these will include the homeless and those without internet access, what evaluation criteria will be used to assess their value, how young people below the age of consent but who may want to suppress personal information that has been automatically uploaded (such as medications) will be able to control this information if they need to, and how control of information will be handled in the event of family violence.

A recent industry survey organised by the Health Informatics Society of Australia (HISA) and the Health Information Management Association of Australia (HIMAA), indicated broad support for the opt-out trials and the name change to My Health Record, but views on other matters were more varied according to an article appearing in Pulse+IT magazine. The article noted that a slim majority of industry respondents (51 per cent) supported continuing the voluntary opt-in arrangement for healthcare provider organisations and associated operators, 20 per cent were neutral on the idea with around 17 per cent supporting mandatory participation of providers and operators.[65] More than 90 per cent supported expanding the PCEHR rules to address how a healthcare provider would ensure data quality, and 85 per cent supported the expansion of security measures to all PCEHR participants. Respondents also supported allowing vendors to develop and run a test environment and the need to encourage secure messaging between healthcare providers. In terms of secondary use of data, 64 per cent agreed that individuals need to provide direct consent to a researcher (with ethics approval). There was less agreement (under 50 per cent) over control of de-identified information for research purposes.[66]

State and territory governments

As key stakeholders in the PCEHR, the co-operation of state and territory governments will be crucial in implementing changes to the PCEHR. However, only New South Wales and Victoria provided submissions in response to the legislation discussion paper. Victoria stated broad support in its submission:

The Victorian Government provides strong in-principle support for enhancing the scope of application of the HI Service, as a key enabler of a more coordinated and robust health and wellbeing system for all Victorians; and for the modification of the PCEHR system to an opt-out model to encourage greater participation and streamline processes for consumers, providers and organisations.[67]

The NSW submission did not state a position but noted that, ‘if the Commonwealth moves to an opt-out model for the PECHR, consideration will have to be given to the interaction with relevant NSW legislation to ensure that an opt-out model can operate in NSW’.[68]

The proposed legislative changes including the opt-out trials were discussed by all Health Ministers at the last meeting of COAG’s Standing Council on Health on 7 August 2015. The Communique noted that Ministers were ‘invited to nominate potential trial sites’, but provided no further detail of the views of Health Ministers.[69] While consultations may be ongoing between governments, the final views of the states and territories on the specific provisions proposed in this Bill are not yet clear.

Financial implications

The Explanatory Memorandum confirms the funding commitment made in the 2015–16 Budget of $485.1 million over four years to implement the new My Health Record system, eHealth governance arrangements and trials of participation arrangements.[70] However, the budget also noted that in the 2014–15 budget $699.2 million had been provisioned for the redevelopment of the PCEHR in the contingency reserve; expected savings from this reduced expenditure are to be re-directed to the newly established Medical Research Future Fund.[71]

Since 2010, successive governments have allocated just over $1 billion in budget commitments to implement the PCEHR. In 2010–11 the Rudd Government allocated $466.7 million, then in 2014–15 the Abbott Government committed a further $140.6 million (while the government finalised its response to the Royle Review).[72] This does not include spending on NeHTA, which has been estimated at $1 billion since it was established in 2005.[73]

But eHealth initiatives are expected to generate substantial savings over time. The Royle Review cites one estimate indicating that savings of $7 billion a year in direct health costs are possible from digitising the health system.[74] In evidence to a Senate Estimates Committee, a Health Department official cited an estimate from Deloitte that benefits of $11.5 billion over 15 years could be delivered.[75]

Statement of Compatibility with Human Rights

As required under Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011 (Cth), the Government has assessed the Bill’s compatibility with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of that Act. The Government considers that the Bill is compatible.[76]

The Explanatory Memorandum lists the human rights that are engaged by the Bill. This includes:

Right to health

Article 12(1) of the International Covenant on Economic, Social and Cultural Rights [ICESCR] provides for a right to the enjoyment of the highest attainable standard of physical and mental health, which is to be realised progressively within the resources available. In its General Comment No. 14 (2000), the Committee on the Economic, Social and Cultural Rights notes that information accessibility is an element of the right to health and that this includes “the right to seek, receive and impart information and ideas concerning health issues”, without impairing the right to have health data treated confidentially.[77]

General Comment 14: The Right to the Highest Attainable Standard of Health,[78] attempted to clarify the meaning of the broad declaratory language that the Article 12 of the ICESCR uses to set out the right to health. Through the General Comment 14 publication, the Committee on Economic, Social and Cultural Rights sought to translate and articulate the right to health into norms, obligations, violations and implementation. However, General Comment 14 has yet to be accepted as binding law by all states, thus its legal status arguably remains uncertain.

It is also notable that General Comment 14 clarifies that right to health includes freedoms and entitlements. The right to health is not to be understood as a right to be healthy – people are free to make choices that are unhealthy. More accurately, the right is concerned with the systems, facilities, services and conditions that are necessary for everyone to achieve the highest possible standard of mental and physical health.[79]

Furthermore the Committee’s articulation of the right to health incorporates the following key elements:

Availability – Sufficient quantity of functioning public health and health-care facilities, good and services [...] (General Comment No. 14, para 12(a)).
Accessibility – All people in the country (regardless of whether they are citizens or not, and especially if they are vulnerable or marginalised), have equitable access to health facilities, goods and services without discrimination. Accessibility has four overlapping dimensions, one of which includes:
- Information accessibility – this means that health consumers can participate in decisions about their health and have confidentiality of their health information protected. [emphasis added] (General Comment No. 14, para. 12(d))
Acceptability – Health facilities, goods and services should be respectful of medical ethics and be designed to respect confidentiality and improve the health of consumers. They should also be designed to ensure that people receive treatment appropriate for their culture, gender and stage of life (General Comment No. 14, para. 12(c)).
Quality – Health facilities, goods and services must be scientifically and medically appropriate and of good quality (General Comment No. 14, para. 12(d)).

Right to privacy

Of course the right to health is interdependent with other human rights including, for example, the right to privacy and to access information.

‘Privacy is a fundamental human right, and is central to the maintenance of democratic societies. It is essential to human dignity and it reinforces other rights, such as freedom of expression and information.’[80] Of all of the human rights in the international catalogue, the right to privacy is perhaps the most difficult to define. Although definitions and thus attempts to articulate the content or basis for privacy vary, ‘privacy’ is seen as a way of defining the limits of public intrusion into one’s private life. In its most simple terms, it has been expressed as ‘the right to be let alone’.[81] Article 12 of the Universal Declaration of Human Rights and Article 17 of the International Covenant on Civil and Political Rights[82] both protect the individual against ‘arbitrary or unlawful interference with his or her privacy, family, home or correspondence’. While the right to privacy under international human rights law is not absolute, any instance of interference must be subject to a careful and critical assessment of its necessity, legitimacy and proportionality.

The limitations on the right to privacy should be strictly construed and conform to the tests of necessity and proportionality. A proposal for an opt-out eHealth system is arguably justified when it is prescribed by law, necessary to achieve a legitimate aim, and proportionate to the aim pursued.

The current opt-in system would appear to be more consistent with a balancing of the right to privacy and the right to health. This is because the data is obtained with the explicit knowledge or consent of the data subject.

The possible issues with an opt-out approach include:

insufficient guarantee in relation to the openness about developments, practices and policies with respect to health information collected
insufficient guarantee of knowledge or consent of the data subject prior to collection
insufficient guarantee that the data collected will be relevant to the purposes for which they are to be used, and will only be used for authorised purposes
insufficient guarantee that the data is accurate, complete and kept up-to-date and
lack of explicitly stated mechanism and guarantee of ability of individual to easily obtain health data in a timely manner, at a charge that is free or minimal, to be able to challenge and rectify errors or omissions in the data.[83]

Nonetheless, it is arguable that the collection and use of health data by a health professional (under an opt-out approach without the explicit consent of the individual) may be consistent with the right to health in terms of using that data for diagnosis, care and treatment of a patient. However, the free and informed consent of the individual would arguably be required where that information was used for research or other secondary purposes. The details of the opt-out scheme do not appear to make that distinction.

Parliamentary Joint Committee on Human Rights

On 9 September 2015 the Parliamentary Joint Committee on Human Rights published its comments on the Bill. The Committee noted that this Bill would ‘enable trials to take place, which could then be applied Australia‑wide, to enable the health records of all Australians to be automatically uploaded onto the electronic database unless the person actively opts-out of the process.’ The Committee considered that gave rise to privacy concerns and queried whether the objective of the Bill was a legitimate objective for the purposes of international human law. The Committee pointed out that:

To be capable of justifying a proposed limitation of human rights, a legitimate objective must address a pressing or substantial concern and not simply seek an outcome regarded as desirable or convenient. The committee also raised concerns as to whether the limitation on the right to privacy is proportionate; in particular, whether there are adequate safeguards in place to protect an individual's privacy and whether the opt-out model is the least rights restrictive way to achieve the stated objective.[84]

Key issues and provisions

Key issues and related provisions are discussed below. For the remaining provisions the reader is advised to consult the Explanatory Memorandum which provides an adequate overview.

Schedule 1

Amendments to the Copyright Act

The Copyright Act sets out rules about copyright ownership.^{^[85]} However, people and organisations involved in creating or investing in copyright material can reach agreement about who will own copyright and the terms of its use. The Copyright Act distinguishes between two categories of subject matter: the first is ‘works’, which covers literary[86], dramatic, musical and artistic works.[87] The second category is known as ‘subject matter other than works’ which covers sound recordings, films, sound and television broadcasts, and published editions of works.

Item 1 inserts proposed section 44BB into the Copyright Act, which provides that the uploading into, or sharing and or use of information in, the My Health Record system will not infringe the copyright in a work. Currently healthcare providers that register to participate in the My Health Record system (through a ‘participation agreement’) grant a license to the System Operator to ‘use, reproduce, copy, modify, adapt, publish and communicate health records they upload for the purposes of providing health care’.[88] As part of this participation agreement, providers also give the System Operator permission to sub-license other healthcare provider organisations and participants, which means that records can be shared without breaching any organisation’s copyright. However, as a result of the removal of participation agreements, the Government has chosen to introduce an exception into the Copyright Act to ensure that actions taken for the purposes of the My Health Record system will not infringe copyright.

Proposed subsection 44BB(1) applies to works that:

are substantially comprised of health information (which could include reports, specialist letters or pathology or diagnostic imaging results) or
allow for the storage, retrieval or use of health information (proposed paragraph 44BB(1)(b)).

for a purpose for which the collection, use or disclosure of information is required or authorised under the My Health Records Act
where it is unreasonable or impracticable to obtain the individual’s consent to the collection, use or disclosure; and the entity reasonably believes that the collection, use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety[89]
where a ‘permitted health situation’ exists[90] or
where prescribed by the regulations, provided the purpose relates to health care, or the communication or management of health information.

Item 2 inserts proposed section 104C into the Copyright Act, which contains provisions that mirror proposed section 44BB except that it refers to copyright infringement with respect to sounds recordings and cinematograph films (which are not considered to fall within the definition of ‘works’). This would cover health records that might consist, for example, of ‘a recording of a person’s breathing for their treatment as a chronic asthmatic, or an ultrasound of a foetus for the treatment of a prenatal condition’.[91]

Amendments to the Healthcare Identifiers Act (HI Act)

Items 27-28 introduce amendments to section 7 of the HI Act, which will expand the type of information that is considered to be ‘identifying information’ and therefore can only be disclosed for authorised purposes.[92] In particular, item 27 amends subsections 7(1) and 7(2) to provide that the email address, telephone number and fax number of a healthcare provider (individual or organisation) will now be considered as identifying information. Item 28 inserts proposed paragraph 7(3)(i) to allow for regulations to be made which prescribe further identifying information in relation to healthcare recipients.

As discussed above, at present people in Australia can voluntarily register to create their own personally controlled eHealth record. To ensure a healthcare provider can view its patients’ eHealth records, it needs to register to participate in Australia’s eHealth record system.[93] ‘The eHealth record system uses the HI Service to manage an individual’s and health provider’s participation in the eHealth record system’.[94] It does this by issuing ‘unique identifiers for patients, individual healthcare professionals and organisations.’[95] These identifiers are then ‘used in electronic health communications to ensure information is matched to the right patient and shared between the right healthcare providers.’[96]

Healthcare provider organisations participate in the eHealth record system either as a ‘seed organisation’ only or as a ‘network organisation’ that is part of a wider ‘network hierarchy’ (under the responsibility of a seed organisation).[97]

A seed organisation is an organisation which provides or controls the delivery of healthcare services. ‘A seed organisation could be, for example, a local GP practice, pharmacy or private medical specialist.’[98]

An example of a network organisation could be an individual department (e.g. pathology or radiology) within a wider metropolitan hospital. A network hierarchy operating in the eHealth record system consists of one seed organisation and one or more network organisations.[99]

Current section 9A of the HI Act defines the different classes of healthcare provider that may be assigned a healthcare identifier and thus participate in the PCEHR system. The Explanatory Memorandum states that proposed section 9A seeks to replace existing section 9A and simplify the provisions relating to seed and network organisations.

Collection, use and disclose of healthcare identifiers and other information

Item 34 repeals current Divisions 1, 2, 2A and 3 of Part 3 of the HI Act and replaces them with new Divisions 1, 2 and 3. The proposed amendments update the provisions that deal with when healthcare identifiers and other information can be collected, used and disclosed. New Division 1 inserts a simplified outline of Part 3, while new Division 2 refers to healthcare recipients and new Division 3 deals with healthcare providers.

New Division 2 clarifies the circumstances when a healthcare recipient’s healthcare identifier or other information can be collected, used or disclosed to another party. Specifically, new Division 2 provides for the collection, use and disclosure of a healthcare recipient’s healthcare identifier or other information for the following purposes:

assigning a healthcare identifier to a healthcare recipient (proposed section 12)
keeping a record of healthcare identifiers and related information (proposed section 13)
providing healthcare to a healthcare recipient (proposed section 14)
for the My Health record system (proposed section 15)[100]
aged care purposes (proposed section 16)
adopting a healthcare recipient’s healthcare identifier as an entity’s identifier of that person (proposed section 17)
disclosing a healthcare recipient’s healthcare identifier (proposed section 18)
disclosing information about a healthcare recipient’s healthcare identifier (proposed section 19) and
additional purposes to be specified in the regulations (proposed section 20).

While all of the circumstances are currently provided for under the HI Act, not every provision authorises all three possible actions, that is, they do not authorise collection, use and disclosure for each purpose. In a number of cases, the proposed amendments expand the ways in which a healthcare recipient’s healthcare identifier or other information can be used. While the majority of these amendments simply clarify existing provisions, others authorise new actions. For example, proposed subsection 14(1) will allow the HI Service Operator to disclose to a healthcare provider information about a healthcare recipient for the purpose of determining the recipient’s healthcare identifier. The Explanatory Memorandum notes over the last five years there has been a 20 percent failure rate when attempting to identify an individual’s healthcare identifier and the ability to disclose identifying information about the healthcare recipient to the healthcare provider will allow more individuals to benefit from the My Health Record System. However, while the Government has stated that the Service Operator ‘will develop policies to minimise risks associated with disclosure of identifying information to organisations seeking an individual’s healthcare identifier’ and will disclose ‘only where the Service Operator is confident they have identified the correct healthcare recipient’, there is a danger the Service Operator will disclose the personal details of the wrong person.[101]

Currently section 22E of the HI Act allows for regulations to be made authorising a person to collect, use and disclose identifying information of participants in the My Health Record System and healthcare identifiers. This can only occur where the collection, use or disclosure is authorised under the PCEHR Act or where it is reasonably necessary for the performance of a function or the exercise of a power in relation to the PCEHR system. Due to paragraph 22E(d) the regulations may only permit disclosure of the information or healthcare identifier to a person or organisation who is a participant in the My Health Record system. Proposed section 20 expands this provision by allowing for information to be disclosed to persons or organisations outside of the My Health Record system, provided it is for one or more of the following purposes:

providing healthcare to healthcare recipients or a class of healthcare recipients
determining whether adequate and appropriate healthcare is available to healthcare recipients or a class of healthcare recipients
facilitating the provision of adequate and appropriate healthcare to healthcare recipients or a class of healthcare recipients
assisting persons who, because of health issues (including illness, disability or injury), require support or
the My Health Record system.[102]

The Explanatory Memorandum explains the reasoning behind the amendments:

The new power has been designed to allow the appropriate collection, use, disclosure and adoption of healthcare identifiers and identifying information by entities like [the National Disability Insurance Agency] NDIA and cancer registers, within tight limits related to providing healthcare and assisting individuals who require support because of health issues, without having to amend the Act each time a new entity needs to be authorised.[103]

New Division 3 contains similar provisions to new Division 2, except relating to the collection, use and disclosure of healthcare identifiers and other information relating to healthcare providers. The proposed amendments allow the collection, use and disclosure of healthcare providers’ healthcare identifiers and other information for the following purposes:

assigning a healthcare identifier to a healthcare provider (proposed section 21)
keeping a record of healthcare providers’ healthcare identifiers (proposed section 22)
providing healthcare to a healthcare recipient (proposed section 23)
for the My Health record system (proposed section 24)
for authentication in electronic communication (proposed section 25)
sharing information with registration authorities (proposed section 25A)
adopting a healthcare provider’s healthcare identifier as an entity’s identifier of that healthcare provider (proposed section 25B)
providing the healthcare provider’s healthcare identifier to them (proposed section 25C) and
additional purposes to be specified in the regulations (proposed section 25D).

As with new Division 2, a number of the proposed amendments set out in proposed Division 3 reflect the same level of authorisation currently provided under the HI Act or merely clarify existing provisions. However, proposed section 25A introduces new provisions that allow a HI Service Operator to ‘collect from a registration authority, use and disclose to a registration authority identifying information about, or a healthcare identifier, of a health care provider’ and vice-versa. Proposed section 25D introduces similar amendments to those contained in proposed section 20.

Proposed section 25E imposes an obligation on healthcare provider organisations to inform the Service Operator in the event they become aware that information about their organisation is not accurate, up-to-date or complete. Under proposed subsection 25E(1), the organisation must, within 20 business days of becoming aware of the situation, provide the Service Operator in writing with accurate, up-to-date and complete information. Provided neither of the exceptions set out in subsections 25E(2) and (3) apply, a person who fails to comply with the requirements of proposed subsection 25E(1) and knows or is reckless as to those circumstances (that the information is not accurate, up-to-date or complete) will be liable for a civil penalty of up to 100 penalty units.[104]

Unauthorised use and disclosure

Currently sections 15 and 26 of the HI Act prohibit the unauthorised use or disclosure of a healthcare identifier or identifying information about the healthcare provider or healthcare recipient. Specifically, subsections 15(1) and (2) provide that the use or disclosure of information provided to a person under Part 2 or Part 3-Division 1 is prohibited unless the person uses or discloses it for the purpose for which it was provided or another purpose authorised by law. Additionally, subsection 15(3) makes it an offence for a person to use or disclose information which they knew was not authorised to be disclosed to them. The penalty for breaching subsection 15(1) or (3) is imprisonment for up to two years and/or 120 penalty units (currently $21,600 for individuals and $108,000 for bodies corporate). Section 26 prohibits a person from using or disclosing a healthcare identifier except where the person is authorised to do so under the HI Act, or for a purpose authorised by another law, or for a purpose permitted by section 16 of the Privacy Act (relating to the person’s personal or household affairs). The penalty for breaching section 16 is also imprisonment for up to two years and/or 120 penalty units.

Item 36 repeals and replaces section 26 to combine existing sections 15 and 26 of the HI Act. While the provisions of new section 26 are quite similar to those currently contained in sections 15 and 26, there are some differences, including a new civil penalty provision. Proposed subsection 26(1) effectively combines the provisions of subsection 26(1) and subsection 15(1) to provide that a person must not disclose information that they have obtained under the HI Act or disclose a healthcare identifier (recipient or provider) unless any of the exceptions in proposed subsections 26(3) and (4) apply. Proposed subsection 26(3) sets out the exceptions in relation to the disclosure of a healthcare identifier. While some of these exceptions already exist under subsection 26(2), proposed section 26(3) introduces the following two new exceptions in relation to the disclosure of a healthcare identifier:

in the following situations provided for under subsection 16A(1) of the Privacy Act:
- where it is unreasonable or impracticable to obtain the individual’s consent to the collection, use or disclosure and the entity reasonably believes that the collection, use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety
- where unlawful activity or serious misconduct is suspected and the collection, use or disclosure is necessary to allow appropriate action to be taken or
- where the collection, use or disclosure is necessary to establish a legal defence or claim, or for the purposes of a confidential alternative dispute resolution process;[105] and
where the use or disclosure is required or authorised by the Information Commissioner, or an equivalent officer or agency of a State or Territory, in exercising powers or performing functions in relation to privacy.[106]

Proposed subsection 26(4) sets out the exceptions in relation to the disclosure of identifying information or other information obtained under the HI Act. Again, while a number of the exceptions contained in proposed subsection 26(4) mirror those currently contained in subsection 15(2) the Bill introduces two new exceptions in relation to the disclosure of other information:

where the information is personal information and the use or disclosure would not be an interference with the privacy of the individual for the purposes of the Privacy Act;[107] and
where the use or disclosure is required or authorised by the Information Commissioner, or an equivalent officer or agency of a State or Territory, in exercising powers or performing functions in relation to privacy.[108]

Proposed subsection 26(2) provides that a person is prohibited from using or disclosing information that was provided to them by a person who was not authorised to do so. Proposed subsection 26(5) provides that the penalty for breaching proposed subsection 26(1) or (2) is imprisonment for up to two years and/or 120 penalty units. As with the current provisions in sections 15 and 26, the defendant continues to bear the evidential burden in proving that the use or disclosure was not unauthorised.[109] As there is no fault element stated, it must be established that the defendant intended to use or disclose the information.[110] Proposed subsection 26(6) introduces a new civil penalty of up to 600 penalty units, which applies where a person uses or discloses information in circumstances that breach proposed subsection 26(1) or (2) and knows or is reckless to those circumstances. As the standard of proof for civil penalty provisions is on the balance of probabilities, as opposed to beyond reasonable doubt, it is less difficult to prove that a person is guilty of breaching these provisions. The Explanatory Memorandum argues that as the My Health Record system deals with privacy sensitive information, ‘misuse of this information needs to have proportionate penalties to the potential damage to healthcare recipients’.[111] It also notes that ‘only a specific group of users, being healthcare providers and other participants in the My Health Record system with access to sensitive information will generally be impacted by these penalties’.^{^[112]} Proposed subsection 26(6), insofar as it relates to a breach of subsection 26(2), provides an example of a civil offence that will apply more broadly. This is because a person who has information disclosed to them in contravention of proposed section 26(1) will be subject to these penalties in the event they then disclose or use the information-even if they are not a participant in the My Health Record system.

Items 38-40 amend current section 29 of the HI Act, to clarify when an unauthorised collection, use or disclosure of a healthcare identifier constitutes an interference with privacy under the Privacy Act. This is significant as complaints about breaches of information privacy trigger the functions and powers of the Information Commissioner, including the power to undertake investigations. The amendments in items 38-40 clarify that the provisions only operate in respect to healthcare identifiers of a healthcare recipient or of an individual healthcare provider (not in relation to a healthcare organisation). The proposed provisions also ensure that just because a person cannot be found to have breached a civil penalty provision (as they did not have the relevant state of mind) this does not mean there will not be an interference with privacy under the Privacy Act.

Item 43 inserts new Part 5A–Enforcement into the HI Act, which activates a number of corresponding Parts of the Regulatory Powers (Standard Provisions) Act 2014 (Regulatory Powers Act).[113] The Regulatory Powers Act:

...seeks, over time, to systematise the monitoring and investigatory powers provided to Commonwealth regulatory agencies. To do that, the [Act] seeks to act as the standard framework to which other legislation refers, in order to trigger its provisions that are relevant to a particular agency or authority.[114]

In particular, proposed subsection 31C(1) provides that the civil penalty provisions introduced by this Bill and by future regulations are enforceable under Part 4 of the Regulatory Powers Act.

Item 46 deals with a review of the HI Act. The item proposes to replace existing section 35 of the HI Act (which specifies the timing of the last review, which was conducted in 2013) with a new section. Proposed section 35 specifies that the Minister, after consultation with the Ministerial Council, must appoint an individual to review the operation of the Act and the regulations. The appointee must provide a report to the Minister within three years of the commencement of proposed Schedule 1 of the Bill. In addition, a copy of the report must be provided to the Ministerial Council and be tabled in the Parliament within 15 sitting days after it is presented to the Minister.

Item 48 introduces a number of amendments which extend the number of people to whom authorisations apply, clarifies how the HI Act applies to entities not considered to be legal persons and sets out how the Service Operator’s functions and powers can be delegated. Proposed section 36A provides that where an entity has authorisation to disclose information to a health care provider, that information can be disclosed either to an employee or person acting on behalf of the provider, a contracted service provider or an employee or person acting on behalf of the contracted service provider. This reflects current section 36, which recognises that information can be received on behalf of an entity in a number of different ways. Proposed sections 36B, 36C and 36D set out how the various authorisations, obligations and penalties set out in the HI Act apply to partnerships, unincorporated associations and trusts with multiple trustees. In particular, these proposed provisions extend the scope of liability in relation to unauthorised disclosures to each partner, member of the association and trustee.

Amendments to the PCEHR Act

Item 69 relates to the operation of a test environment by the system operator. Being able to operate a test environment allows the system operator to assess how other systems and software interact with the My Health Record system. Section 15 of the PCEHR Act sets out the functions of the System Operator. Item 69 proposes a new paragraph 15(ia), which allows the system operator to establish and operate a test environment for the My Health Record System and other electronic systems, in accordance with any Rules that are made.[115]

Item 72 proposes the abolition of two key advisory bodies: the Jurisdictional Advisory Committee and the Independent Advisory Council, which were established under Divisions 2 and 3 respectively in Part 2 of the PCEHR Act. The item proposes to repeal both Divisions, abolishing both bodies. The main function of the current Jurisdictional Advisory Committee, as prescribed in Division 2 is to advise the system operator (currently the Secretary of the Department of Health) on jurisdictional matters relating to the PCEHR. Membership consists of representatives from the Commonwealth and each state and territory. The Independent Advisory Committee has a number of functions including advising the system operator on the operation of the PCEHR, participation in the PCEHR, and clinical, privacy and security matters. Membership of this committee is required to include experts in medicine, law/privacy, health informatics, health administration, healthcare for Aboriginal and Torres Strait Islander people, and healthcare for people in regional areas. The system operator is required under current section 16 of the PCEHR Act to have regard to the advice and recommendations of these two bodies. Item 70 proposes to repeal section 16 at the same time.

It is the Government’s intention that the functions of the two advisory bodies are to be undertaken by new advisory bodies which will be established as part of the new Australian Commission for eHealth (ACeH), which itself is yet to be established.[116] However, until the ACeH is established, there will be no legislated bodies advising the system operator.

Items 74–75 insert provisions which deal with the uploading of healthcare information which includes information about a third party. In particular, proposed subsection 41(3A) provides that a registered health care organisation is authorised to upload a record to the My Health Record system in relation to a healthcare recipient (the patient) which also contains information about another healthcare recipient (third party) where this information is directly relevant to the healthcare of the patient. This new provision operates in conjunction with current subsection 41(3), which provides that a healthcare recipient must give standing consent for their information to be uploaded by the healthcare provider except where they have instructed the provider not to and current subsection 41(4) which provides that standing consent under current subsection 41(3) (and authorisation under proposed subsection 41(3A)) has effect regardless of whether state/territory laws require consent to be given in a particular manner, except if the state and territory law has been prescribed in the regulations.[117]

Item 76 proposes provisions that specify the type of healthcare provider who can upload health information to a repository. Item 76 proposes new paragraph 45(ba), which requires the healthcare provider uploading a health record to be either registered by a registration authority or be a member of a professional association as specified in the HI Act (under proposed new section 9A of the HI Act, as specified at item 31 of Schedule 1 to the Bill). Any healthcare provider whose registration or membership is conditional, suspended, cancelled or lapsed (unless the Rules prescribe otherwise) will be excluded.[118] This new paragraph makes explicit that a healthcare provider creating and uploading health records is to be properly registered and appropriately qualified as described in the HI Act.

Item 77 amends the PCEHR Act to reflect the new copyright exceptions introduced by items 1–2, while items 78–79 introduce amendments to deal with material created before the new exemptions commence. In particular, a healthcare provider organisation or repository operator who does not own copyright in the works or film or sound recordings is prohibited from uploading it unless the owner of the copyright has granted a licence to the System Operator to deal with the material.

Item 84 repeals current section 58 and replaces it with new sections 58 and 58A. As with item 34 (above), the proposed amendments update the provisions which authorise the collection, use and disclosure of information about healthcare recipients and healthcare providers by the System Operator and other Commonwealth entities. Collection, use and disclosure of information is only authorised for the purposes of the My Health Record system, including incorporating information in a My Health Record.

While neither of these purposes are particularly controversial, the PCEHR Act currently provides for a number of circumstances where information in the My Health Record system can be used for purposes that do not relate to the provision of healthcare or the management of the My Health Record system:

Information in the My Health Record system can be used for other purposes identified in Part 4 of the My Health Records Act including if authorised by another law (section 65), for a law enforcement purpose (section 70) or ordered by a court or tribunal (section 69). These authorisations recognise that from time to time information in the My Health Record system will be relevant for significant decisions, such as investigation of a crime. The information cannot be disclosed arbitrarily and robust justification must be provided as to why the information is necessary.[119]

Items 85–88 amend sections 59 and 60 of the PCEHR Act which deal with the unauthorised collection, use and disclosure of health information included in a healthcare recipient’s electronic record. Section 59 prohibits the disclosure of such material unless it is authorised by the PCEHR Act, while section 60 prevents a person from disclosing information that was obtained in contravention of section 59. Items 85–88 update the offence provisions in sections 59 and 60 to reflect the new penalties introduced in relation to an unauthorised disclosure under the HI Act. A person who breaches either section 59 or 60 may now incur a criminal penalty of up to two years imprisonment and/or 120 penalty units or a civil penalty provision of up to 600 penalty units.

Items 91–93 introduce amendments in relation to other civil penalty provisions. Section 77 of the PCEHR Act provides that the System Operator, a registered repository operator, a registered portal operator or a registered contracted service provider must not hold, take, process or handle My Health Record information outside Australia or cause or permit another person to do so. The current civil penalty for breaching section 77 is 120 penalty units. Items 91 and 92 provide that a person who breaches section 77 may now incur a criminal penalty of up to two years imprisonment and/or 120 penalty units or a civil penalty provision of up to 600 penalty units. Unlike sections 59 and 60, section 77 does not specify any fault elements and therefore the fault element is intention in relation to the physical elements of the offence (for example, taking the records outside Australia). Item 93 repeals and replaces section 78 to expand the number of people who have a statutory obligation to comply with the My Health Records Rules and increases the maximum civil penalty from 80 to 100 penalty units.

Item 94 replaces Parts 6 and 7 of the PCEHR Act with a new Part 6. As with item 43 (above) the provisions of new Part 6 will activate a number of corresponding Parts of the Regulatory Powers Act.[120] Items 97-100 introduce similar provisions to those discussed in relation to item 48 (above) in relation to how the My Health Records Act will apply to entities not considered to be legal persons.

Item 101 proposes to replace existing section 107 with a new section 107 specifying new arrangements for the preparation of annual reports by the system operator. These take into account the proposed establishment of the Australian Commission of eHealth (ACeH) which will take on the functions of the system operator (which is currently the Secretary of the Department of Health). The future ACeH will be subject to the reporting provisions under the Public Governance, Performance and Accountability Act 2013 (PGPA Act), which would make parts of the existing section 107 redundant.[121] Particularly, there will no longer be any need to include a separate reporting obligation in the My Health Records Act as the future ACeH will already be bound under the PGPA Act. Proposed section 107 still specifies the type of information that is to be included in any annual report prepared by the system operator. These are the same as those specified in current section 107 but have been amended to take into account changes in nomenclature. The current requirement to include details of the activities of two advisory committees in the annual report will not be needed as these bodies are being abolished under item 72.

Item 102 proposes a review of the My Health Records Act. Specifically it proposes to replace section 108 of the PCEHR Act (which specified the timing of the last review—the Royle Review). Proposed section 108 specifies that, after consultation with the Ministerial Council, the Minister must appoint an individual to review the operation of the Act. The appointee must provide a report to the Minister within the later of three years of the commencement of proposed Schedule 1, or, if Rules have been made under clause 2 of Schedule 1 of the My Health Records Act, three years after the making of the Rules. It also requires the Minister to provide a copy of the report to the Ministerial Council and for the report to be tabled in the Parliament within 15 sitting days after it is presented to the Minister. Notably, unlike the repealed section 108, the new section does not specify that the person appointed to undertake the review take submissions from members of the public. Nor does it specify the nature of matters to be considered in the review.

Opt-out system

Currently, the PCEHR system operates as an opt-in system, which means that an individual has to expressly consent in order to be registered in the system. This requires an individual to take steps to verify their identity so that a PCEHR record can be created. The process of having to opt-in was described as ‘clunky and over complicated’ in the Royle Review, which recommended the system transition to an opt-out model on the basis that it would increase PCEHR adoption rates.[122]

An opt-out approach means that an individual is automatically registered for the My Health Record, unless they expressly specify they do not want to participate. This Bill allows for trials of participation arrangements to be conducted in selected regions, including for trials of an opt-out system. In these trials online accounts will be automatically created for selected participants using names, date of birth, gender and health identification numbers pulled out of the Medicare database.[123] International evidence suggests that an opt-out model is generally well supported ‘provided safety and security issues are addressed’.[124] An individual would still be able to control their health record even where they are participating in an opt-out trial region.[125] Participation by healthcare providers and organisations would remain opt-in in the trial areas, and the trials are not expected to place an additional burden on these entities.[126] It is therefore not clear how having opt-out for patients, but not for healthcare providers will achieve the stated goal of this e-Health project, that is, better health outcomes for individuals given the lack of guarantee that quality robust information will be shared and thus used by all healthcare providers in the trial.

Details of the trial sites and the timeframe for these are not specified, but the Bill proposes to allow the Minister for Health to make Rules that will prescribe trial arrangements and for the opt-out model to be applied nationally, after consideration of evidence. Notably, there are no proposed provisions to ensure the Minister releases publicly the evidence acquired from the trials or presents this evidence to Parliament. Also of note, details of how the trial sites will be selected are not specified in any provisions, but the Explanatory Memorandum states that an administrative framework will be established and made public.[127] Significantly, the Explanatory Memorandum is silent about how much advance notice (and the nature of that notice) will be given to the public to opt-out.[128] It is also not clear what happens to a default record that is created before a person has been given transparent, reasonable and fair notice of the trial and the legal entitlement to opt-out, or what constitutes reasonable notice. At part of her address to the National Press Club on 28 October 2015, the Minister announced that ‘all-inclusive trials of the Government’s new My Health Record will commence in early 2016 for around 1 million Australians’ and will be held ‘in Far North Queensland and in the New South Wales Nepean Blue Mountains region’.[129] Item 106 proposes the insertion of new Schedule 1 at the end of the newly renamed My Health Records Act 2012 (proposed Schedule 2 of the Bill renames the PCEHR Act to the My Health Records Act) to allow for the operation of an opt-out system including for trials to be established. The proposed new Schedule will have three parts.

Part 1 allows for opt-out trials and for these to be extended nationally. Proposed clause 1 allows the Minister to make My Health Records Rules (Rules) to apply an opt-out model to a class or classes of healthcare recipients. It requires the Minister to be satisfied that applying the opt-out model to a class of healthcare recipients would provide evidence of the value of an opt-out model. Clause 1 also requires the Minister to consult a subcommittee of the Ministerial Council, prescribed by the regulations, before making the Rules and allows the Minister to make Rules that apply the opt-out model nationally after the commencement of the trials. Proposed clause 2 specifies that the Minister may consider evidence and other relevant matters when making a decision to extend the opt-out model nationally, and requires the Minister to consult the Ministerial Council before making Rules that apply the opt-out model Australia-wide.

Proposed Part 2 of new Schedule 1 My Health Records Act allows for the registration of healthcare recipients under an opt-out system, and the sharing and handling of information and other matters under this system, whether the opt-out system is operating in a trial site or nationally. Proposed clause 3 allows the system operator to register a healthcare recipient for a My Health Record if the recipient is eligible as specified under proposed clause 4, provided the system operator is satisfied that their identity has been appropriately verified (in accordance with any Rules) and that the recipient has been afforded the opportunity to decline registration as specified under proposed clause 5. The proposed clause also requires the system operator to not register the person if doing so would, in the view of the system operator, compromise the security or integrity of the My Health Record system.[130]

Proposed clause 4 specifies that a health care recipient is eligible for registration provided they have a healthcare identifier assigned in accordance with the Healthcare Identifiers Act 2010, and provided the system operator has collected their name, date of birth, healthcare identifier, Medicare card number or Department of Veterans’ Affairs number, sex and any other information prescribed in the regulations.

Proposed clause 5 deals with how a healthcare recipient elects to not be registered for a My Health Record. Proposed clause 5 allows a healthcare recipient to choose not to be registered provided they give notice and provided the notice is in an approved form and is lodged as specified. If the Rules specify that notice can only be given within a specified period of time or depend upon the occurrence of an event and the healthcare recipient is a member of the class to which the Rules apply, then notice of an election to not register must be given in accordance with these requirements. The proposed clause also specifies that an election to not be registered commences immediately on the day the healthcare recipient gives notice and ceases immediately on the day the recipient makes an application to register as specified under proposed clause 6.

Proposed clause 6 allows a healthcare recipient to apply to a system operator for registration of a My Health Record. The application must be in an approved form, include relevant information as specified in the form, and be lodged in a place or means as specified on the form. A system operator must register the healthcare recipient if they make an application provided the recipient meets the eligibility criteria specified at proposed clause 4 and the system operator is satisfied the identity of the healthcare recipient has been verified (in accordance with any Rules). However, the system operator is required to not register the person if doing so would, in the view of the system operator, compromise the security or integrity of the My Health Record System.

Proposed clauses 7 and 8 deal with matters relating to information sharing for the purposes of an opt-out system. Proposed clause 7 authorises a system operator to collect, use and disclose health information about a healthcare recipient for the purposes of including information in the My Health Record of a registered healthcare recipient. Proposed clause 8 specifies in a table the actions an entity or system operator is permitted to take in relation to the collection, use and disclosure of information in specified circumstances. The proposed clause also specifies that if an entity listed in the clause discloses information to the system operator in circumstances as permitted in the table, and then becomes aware that the information has changed, the entity must as soon as practicable notify the system operator of the changed information.

Proposed clauses 9–16 are intended to mirror provisions in the My Health Records Act which can only operate with consent (and thus may not be applicable in an opt-out environment).[131] Proposed clause 9 reflects section 41 of the My Health Records Act (as amended by items 74–75 of Schedule 1 to the Bill) and authorises a registered healthcare provider organisation to upload health information about a registered healthcare recipient (including information about a third party) to the My Health Record unless it has received express advice from a healthcare recipient that a particular record or type of record is not to be uploaded; or a preserved law of a state or territory prohibits the organisation from disclosing the information without the express consent of the healthcare recipient.[132] This helps preserve the healthcare recipient’s control over their health record even in opt-out regions.

Proposed clauses 10–14 specify that the Chief Executive of Medicare Australia (Medicare Australia) is required to become a registered repository operator and operate a repository in line with current section 38 of the My Health Records Act. This allows Medicare Australia to upload and share health information with the system operator about a registered healthcare recipient.

Proposed clause 13 allows for a healthcare recipient to control the disclosure of information held by Medicare Australia (such as their Medicare claims) to the system operator, provided they give notice on an approved form, which is lodged in an approved manner. The clause also allows for the healthcare recipient to change their mind and permit the uploading of certain information, provided this notice is given on an approved form and in an approved manner.

Proposed clause 14 allows information uploaded by Medicare Australia to include details of healthcare providers who have provided healthcare to the healthcare recipient. Proposed clause 15 clarifies that none of these clauses limit the way in which Medicare Australia operates its repository. Proposed clause 16 allows another registered repository operator to make available to the system operator health information about a registered healthcare recipient.[133] It mirrors proposed section 50D, inserted by item 79 of Schedule 1 to the Bill.

Proposed Part 3 of new Schedule 1 of the My Health Records Act includes proposed clause 17, which specifies provisions in the My Health Records Act that do not apply when proposed Part 2 of new Schedule 1 of the My Health Records Act (the opt-out system) is operating.

Amendments to the Privacy Act

Items 107–109 repeal the current definitions of ‘health information’ and ‘health service’ in subsection 6(1) of the Privacy Act and insert new definitions of these terms in proposed sections 6FA and 6FB.[134] The effect of this change will be to broaden the definition of health service to include palliative care services, aged care services and to include injuries, as well as illness and disability. While the Australian Law Reform Commission (ALRC) recommended that the reference to recording an individual’s health should be removed from the definition to ensure that it ‘does not extend to activities such as providing health insurance’,[135] it has instead been redrafted. Currently under the Act recording information about an individual’s health is considered a health service. Proposed subparagraph 6FB(1)(e) provides that recording an individual’s health will only constitute a health service where it is done ‘for the purposes of assessing, maintaining, improving or managing the individual’s health’. Proposed subsection 6FB(3) adopts the recommendation of the ALRC that the definition of health service ‘should be extended to cover disability services, palliative care services and aged care services’ and should include services which concern a person’s psychological health.[136]

Schedule 2—Renaming PCEHR as My Health Record (amendments to various Acts)

Proposed Schedule 2 to the Bill makes amendments to the HI Act, the Health Insurance Act, the National Health Act and the PCEHR Act, to replace occurrences of the terms PCEHR or PCEHR Act or similar nomenclature, with My Health Record or My Health Record Act 2012 or similar. This includes replacing all references to the PCEHR Rules with My Health Records Rules. Item 15 specifically proposes to rename the short title of the Personally Controlled Electronic Health Records Act 2012, to the My Health Records Act 2012. These amendments to rename the PCEHR to My Health Record are in line with one of the key recommendations of the Royle Review, which noted that a change in name would ‘reflect more of a partnership between the clinician and the patient’ but would ‘retain all of the personal controls that exist in the current PCEHR’.[137]

Schedule 3—renaming consumers as healthcare recipients

Schedule 3 (items 1 to 8) proposes to amend the HI Act, the National Health Act and the newly renamed My Health Records Act, to replace all references to ‘consumer’ with ‘healthcare recipient’. Currently, the term healthcare recipient is used in the HI Act, but consumer is used in other health legislation. A healthcare recipient is defined at proposed section 5 of the PCEHR Act to be ‘an individual who has received, receives, or may receive, healthcare’. This applies the same definition as is used in the HI Act to other relevant legislation, and removes any potential ambiguity that might derive from allowing both terms to occur.

Concluding comments

The Bill proposes amendments to a number of Acts to implement the Government’s 2015 Budget announcement on eHealth, as part of its broader digital health agenda.[138]It draws on recommendations of two recent reviews of the Personally Controlled Electronic Health Record (PCEHR) system and the Healthcare Identifiers (HI) Service. These reviews, which involved a public consultation process, made recommendations to lift participation in the PCEHR, as well as improve usability and clinical content.

As well as renaming the PCEHR to My Health Record, the Bill seeks to expand and strengthen provisions around the collection, use and disclosure of personal information, allow for the participation of new entities in the system, clarify copyright issues, prepare for new governance arrangements and provide for trials of an opt-out model (and other forms of participation). If these trials are successful, the Bill allows the Minister to roll out an opt-out model nationally.

Previously, developments around eHealth have garnered considerable public interest.[139] The Government has undertaken a broad consultation process with stakeholders, and has drawn on the recommendations of two reviews which themselves invited public comment. This process has revealed broad stakeholder and consumer support for improvements to the PCEHR system, including consideration of an opt-out model. However, some issues remain sensitive for stakeholders. Concerns around privacy and consumer control have previously arisen in relation to the PCEHR and eHealth developments more broadly.[140] While the Explanatory Memorandum states that consumers will have an extensive range of privacy positive options, as well as the ability to manage their My Health Record, this has not been specified in the Bill itself.[141] Indeed the absence of detail on the control and access which consumers will have over their health record may not be entirely consistent with the connotation and denotation of the rebranded name ‘My Health Record’. The provisions that allow the Minister to determine to roll-out an opt-out system nationally following trials, but without the need to publicly release evidence, may be another area which attracts scrutiny.

Members, Senators and Parliamentary staff can obtain further information from the Parliamentary Library on (02) 6277 2500.

[1]. In simple terms, if a person or entity provides a health service (even if that’s not their primary activity) and holds health information, they will be a ‘health service provider’.

[2]. The opt-out model is being initially introduced as a trial to address the poor level of participation by Australians, with only 10 per cent of Australians currently enrolled and using the PCEHR. The opt-out trials are expected to commence around April 2016.

[3]. World Health Organisation (WHO), ‘WHO eHealth resolution 2005’, WHO website, accessed 17 September 2015.

[4]. This would imply of course, that there is careful, accurate and sufficient record keeping on the part of health care providers. It is beyond the scope of this digest to discuss the right of data subjects to ask for data to be rectified when they are incomplete or inaccurate, and the means by which this may be effectively done.

[5]. G Eysenbach, ‘What is e-health?’, Journal of Medical Internet Research, 3(2), 2001, accessed 20 October 2015.

[6]. R Jolly, The e health revolution—easier said than done, Research paper, 3, 2011–12, Parliamentary Library, Canberra, accessed 17 September 2015.

[7]. C Pearce and M Haikerwal, ‘E-health in Australia: time to plunge into the 21st century’, Medical Journal of Australia, 193(7), 4 October 2010, pp. 397–400, accessed 23 September 2015.

[8]. For background and issues on the Personally Controlled Electronic Health Records Act 2012, see R Jolly, Personally Controlled Electronic Health Records Bill 2011, Bills digest, 100, 2011–12, Parliamentary Library, Canberra, 2012, accessed 8 October 2015.

[9]. Privacy Act, section 6.

[10]. Privacy Act, section 6. A functionally identical definition is set out at section 5 of the Personally Controlled Electronic Health Records Act 2012. Note that the current definition of ‘health information’ in the Privacy Act is repealed and replaced by items 107 and 109 of Schedule 1 to the Bill; and the current definition in the PCEHR Act is repealed and replaced by item 56 of Schedule 1 to the Bill. The new PCHER Act definition adopts the Privacy Act definition.

[11]. Privacy Act, section 6. Note that the current definition of ‘health service’ in the Privacy Act is repealed and replaced by items 108 and 109 of Schedule 1 to the Bill; and the current definition in the PCEHR Act is repealed and replaced by item 55 of Schedule 1 to the Bill. The new PCHER Act definition adopts the Privacy Act definition.

[12]. PCEHR Act, section 5.

[13]. Emphasis added.

[14]. Denmark’s ‘end to end’ eHealth system has reportedly reduced some medical errors to almost zero. C Pearce and M Haikerwal, op. cit., p. 397.

[15]. See definition set out above.

[16]. PCEHR Act, section 3.

[17]. COAG first agreed to a national approach in implementing HI service in 2006: Council of Australian Governments, Council of Australian Governments’ Communique, 10 February 2006, p. 12, accessed 3 November 2015. This was followed by the signing of a National Partnership Agreement on eHealth in 2009: Council of Australian Governments, National Partnership Agreement on E-Health, Council of Federal Financial Relations website, 7 December 2009, accessed 3 November 2015.

[18]. The assignment of a healthcare identifier by the HI service is an automatic process not requiring an individual’s consent.

[19]. NEHTA is a not for profit company limited by guarantee formed on 5 July 2005. NEHTA is jointly funded by the Commonwealth and state and territory governments. Further information about NEHTA is available on its website: National E-Health Transition Authority, ‘About NEHTA’, website, accessed 3 November 2015.

[20]. Department of Health, Electronic health records and healthcare identifiers: legislation discussion paper, Department of Health, Canberra, May 2015, p. 4, accessed 22 October 2015.

[21]. Health care providers and other health organisations can also opt-in. Incentive payments are available to encourage their participation. For example, general practices that participate are eligible for an eHealth Practice Incentive Payment (PIP). See Department of Human Services (DHS), ‘Practice Incentives Program: eHealth incentive’, DHS website, accessed 24 September 2015. The incentive payments are under review so may change in the future. See Department of Health, ‘Practice Incentives Programme (PIP) eHealth incentive discussion paper’, Department of Health, Canberra, September 2015, accessed 30 September 2015.

[22]. Department of Health, ‘PCEHR statistics’, Department of Health website, 20 October 2015, accessed 20 October 2015.

[23]. R Jolly, ‘E health’, Budget review 2014–15, Parliamentary Library, 30 May 2014, accessed 17 September 2015.

[24]. R Royle, Review of the Personally Controlled Electronic Health Record (Royle Review), report prepared for the Department of Health, Department of Health, Canberra, December 2013, accessed 17 September 2015.

[25]. Broadly, the key difference between opt-in and opt-out is that under an opt-in system an individual expressly consents to register; while under an opt-out system the individual is automatically registered unless they expressly request otherwise.

[26]. Department of Health, Healthcare Identifiers Act and Service Review—Final Report, June 2013, accessed 18 September 2015.

[27]. S Ley (Minister for Health), Patients to get new myHealth record: $485m ‘rescue’ package to reboot Labor’s e-health failures, media release, 10 May 2015, accessed 17 September 2015.

[28]. Australian Government, Budget measures: budget paper no. 2: 2015–16, p. 104, accessed 17 September 2015.

[29]. S Ley (Minister for Health), ‘Second reading speech: Health Legislation Amendment (eHealth) Bill 2015’, House of Representatives, Debates, 17 September 2015, p. 10528–10530, accessed 18 September 2015.

[30]. The Government has suggested that the new body could be established under the Public Governance, Performance and Accountability Act 2013 rules or under its own primary legislation. See Explanatory Memorandum, p. 16, 21.

[31]. S Ley (Minister for Health), ‘Developing a 21^st century electronic health records system’, media release, 9 October 2015, accessed 20 October 2015. The establishment of the taskforce was also a recommendation of the Royle Review. Royle, op. cit., p. 15.

[32]. A training package for health providers is currently in development. See Australian Healthcare and Hospitals Association (AHHA), ‘My Health Record education and training package’, AHHA website, accessed 30 September 2015. The cost of this package has not been identified.

[33]. Senate Community Affairs Legislation Committee, Inquiry into the Health Legislation Amendment (eHealth) Bill 2015, The Senate, Canberra, accessed 3 November 2015.

[34]. Senate Standing Committee for the Scrutiny of Bills, Alert digest, 11, 2015, The Senate, 14 October 2015, pp 13–18.

[35]. Ibid., pp 14–15.

[36]. Criminal Code Act 1995, accessed 28 October 2015.

[37]. Senate Standing Committee for the Scrutiny of Bills, op. cit., p. 14.

[38]. Ibid. See also: Attorney-General’s Department, A guide to framing Commonwealth offences, infringement notices and enforcement powers, Australian Government, Canberra, updated September 2011, accessed 29 October 2015.

[39]. Senate Standing Committee for the Scrutiny of Bills, op. cit., pp 13-18.

[40]. Ibid., pp 16-17.

[41]. Ibid., p. 17.

[42]. Ibid., pp 14-18.

[43]. K McDonald, ‘Name-changer: PCEHR amendment bill finally introduced’, Pulse+IT, 18 September 2015, accessed 22 October 2015.

[44]. C King, ‘Second reading: Health Legislation Amendment (eHealth) Bill 2015’, House of Representatives, Debates, (proof), 15 October 2015, p. 10, accessed 20 October 2015.

[45]. Senator R Di Natale, ‘eHealth is good news for health: Greens’, media release, 6 June 2012, accessed 24 September 2015.

[46]. Department of Health, Electronic health records and healthcare identifiers: legislation discussion paper, op. cit., p. 6.

[47]. Submissions are accessible at Department of Health, ‘Electronic Health Records and Healthcare Identifiers: Legislation Consultation - Public Submissions’, The Department website, accessed 22 September 2015.

[48]. Deloitte, Report to the Commonwealth Department of Health on the public consultation into the implementation of the recommendations of the Review of the Personally Controlled Electronic Health Record, report prepared for Department of Health, Department of Health, Canberra, September 2014, accessed 18 September 2015.

[49]. Ibid., p. 10.

[50]. Ibid., p. 10.

[51]. Ibid., p. 13.

[52]. Ibid., p. 13.

[53]. Ibid., p. 1.

[54]. Australian Privacy Foundation, Submission to Department of Health, Electronic health records and healthcare identifiers—Discussion paper, p. 3, accessed 22 September 2015.

[55]. Ibid., p. 8.

[56]. Ibid., p. 2.

[57]. Ibid., p. 8.

[58]. Ibid., p. 2.

[59]. Deloitte, op. cit., p. 18.

[60]. Ibid.

[61]. Ibid., p. 15.

[62]. Ibid., p. 16.

[63]. Department of Health, ‘Electronic health records and healthcare identifiers: legislation consultation - public submissions’, Department of Health website, 8 October 2015, accessed 22 October 2015.

[64]. D More, ‘The opt-out trials may be much trickier that is presently believed. There are many challenges I suspect’, Australian Health Information Technology blog, 16 June 2015, accessed 22 September 2015.

[65]. K McDonald, ‘Support for PCEHR optout from HISA and HIMAA survey’, Pulse+IT, 7 July 2015, accessed 22 September 2015.

[66]. Ibid.

[67]. Victorian Government, Submission Department of Health, Electronic health records and healthcare identifiers—Discussion paper, p. 2, accessed 24 September 2015.

[68]. NSW Health, Submission to Department of Health, Electronic health records and healthcare identifiers—Discussion paper, p. 1, accessed 24 September 2015.

[69]. COAG Health Council, Communique, media release, 7 August 2015, accessed 24 September 2015.

[70]. Explanatory Memorandum, Health Legislation Amendment (eHealth) Bill 2015, p. 3, accessed 29 October 2015.

[71]. Australian Government, Budget measures: budget paper no. 2: 2015–16, op. cit., p. 104.

[72]. R Jolly, ‘E health’, op. cit.

[73]. K McDonald, ‘No decision on trial sites or enabling legislation for opt-out PCEHR’, Pulse+IT, 15 September 2015, accessed 19 September 2015.

[74]. R Royle, op. cit., p. 9.

[75]. Senate Community Affairs Committee, Answers to Questions on Notice, Health Portfolio, Budget Estimates 2014–2015, 2/3 June 2014, Question SQ14-000502, accessed 21 September 2015.

[76]. The Statement of Compatibility with Human Rights can be found at page 28 of the Explanatory Memorandum to the Bill.

[77]. Explanatory Memorandum, Health Legislation Amendment (eHealth) Bill 2015, pp. 29-30, accessed 29 October 2015.

[78]. UN Committee on Economic, Social and Cultural Rights (CESCR), General comment no. 14: the right to the highest attainable standard of health (art. 12 of the Covenant), 11 August 2000, E/C.12/2000/4, accessed 22 October 2015.

[79]. Ibid., paragraphs 8 and 9.

[80]. Preamble to the International Principles on the Application of Human Rights to Communications Surveillance, Final Version, May 2014, accessed 11 October 2015. The issue of the use of health information for the purposes of contributing to better and more efficient health outcomes triggers issues and concerns around the claim of factuality and accuracy of representation of information available for use, and the ability of individuals to access and request changes to the recorded information where there are inaccuracies or incompleteness. See UN General Assembly, Resolution 68/167, The Right to Privacy in the Digital Age, UN Doc. A/RES/68/167, 13 December 2013.

[81]. S Warren and L Brandeis, ‘The Right to Privacy’, Harvard Law Review, 4(5), 15 December 1890, accessed 11 October 2015.

[82]. Universal Declaration of Human Rights, adopted by the United Nations General Assembly on 10 December 1948; UN General Assembly, International Covenant on Civil and Political Rights, done in New York on 16 December 1966, [1980] ATS 23 (entered into force for Australia (except Art. 41) on 13 November 1980; Art. 41 came into force for Australia on 28 January 1994).

[83]. It is notable that the Swedish eHealth system appears to be far more evolved in this regard, which may explain the higher take up rate—about two million people (a fifth of the population). The ‘National e-health services in Sweden provide citizens with health information, contact details of providers, and interactive services where they can ask questions anonymously that are answered by healthcare professionals within seven days. The national portal My Healthcare Contacts lets citizens request, cancel, or reschedule healthcare appointments, renew prescriptions, and request contact with a specific clinician or hospital. Each healthcare centre or other local provider decides which e-services people can use to interact with them.’ See: M Hägglund and S Koch, ‘Commentary: Sweden rolls out online access to medical records and is developing new e-health services to enable people to manage their care’, BMJ, 350, February 2015, accessed 20 October 2015.

[84]. Parliamentary Joint Committee on Human Rights, Twenty-ninth report of the 44th Parliament, The Senate, 14 October 2015, accessed 10 November 2015.Parliamentary Joint Committee on Human Rights, tabled 14 October 2015.

[86]. Literary works are usually written (with the exception of computer programs) and include tables, results, instructions, list of symptoms and so forth.

[87]. Defined at subsection 10(1) of the Copyright Act,

[88]. Explanatory Memorandum, Health Legislation Amendment (eHealth) Bill 2015, op. cit., p. 39.

[89]. Proposed subparagraph 44BB(1)(a)(ii) refers to subsection 16A(1) of the Privacy Act 1988, which sets out a number of situations in which the information handling requirements set out in the Privacy Act (specifically the Australian Privacy Principles (APPs) contained in Schedule 1 to the Act) do not apply. These are referred to as ‘permitted general situations’. The Privacy Act requirements apply to ‘APP entities’. As not all participants in the My Health Record system will be APP entities, proposed subparagraph 44BB(1)(a)(ii) adjusts the exception in subsection 16A(1) to also cover non-APP entities. For further information see: Office of the Australian Information Commissioner (OAIC), ‘Chapter C: Permitted general situations’, OAIC website, February 2014, accessed 29 October 2015.

[90]. ‘Permitted health situations’ are set out at section 16B of the Privacy Act. As set out above, the Privacy Act requirements apply to ‘APP entities’. As not all participants in the My Health Record system will be APP entities, proposed subparagraph 44BB(1)(a)(iii) adjusts the exception in subsection 16B to also cover non-APP entities. For further information see: Office of the Australian Information Commissioner (OAIC), ‘Chapter D: Permitted health situations’, OAIC website, February 2014, accessed 29 October 2015.

[91]. Explanatory Memorandum, op. cit., p. 41.

[92]. Healthcare Identifiers Act 2010, accessed 30 October 2015.

[93]. Department of Health, ‘Participating in the personally controlled electronic health record system: a registration guide for healthcare organisations’, Department website, 9 June 2015, accessed 17 October 2015.

[94]. Ibid.

[95]. Ibid.

[96]. Ibid.

[97]. Ibid.

[98]. Ibid.

[99]. Ibid.

[100]. The Explanatory Memorandum provides that ‘the purposes of the My Health Record System will require consideration of the System Operator’s functions under section 15 of the My Health Records Act, the purposes and objects of the My Heath Records Act, and the powers and obligations of the System Operator and other participants in the My Health Record system’: Explanatory Memorandum, op. cit., pp. 67–68.

[101]. Explanatory Memorandum, op. cit., p. 49.

[102]. HI Act, proposed subsection 20(3).

[103]. Explanatory Memorandum, op. cit., p. 54.

[104]. HI Act, proposed subsection 25E(4). Section 4AA of the Crimes Act 1914 (Cth) provides that a penalty unit is equal to $180. Therefore the maximum penalty for breaching this requirement is $18,000.

[105]. Proposed paragraph 26(3)(d) refers to subsection 16A(1) of the Privacy Act and expands the exception to apply where the collection, use or disclosure has been done by a non-APP entity.

[106]. HI Act, proposed subparagraph 26(e)(3).

[107]. The Privacy Act requirements apply to ‘APP entities’. As not all participants in the My Health Record system will be APP entities, proposed paragraph 26(4)(c) adjusts the exception in subsection 16A(1) to also cover non-APP entities.

[108]. HI Act, proposed subparagraph 26(e)(3).

[109]. See Criminal Code Act 1995, subsection 13.3(3).

[110]. See Criminal Code Act 1995, section 5.6.

[111]. Explanatory Memorandum, op. cit., p. 34.

[112]. Ibid.

[113]. Regulatory Powers (Standard Provisions) Act 2014, accessed 30 October 2015.

[114]. J Murphy, Regulatory Powers (Standard Provisions) Bill 2014, Bills digest, 73, 2013–14, Parliamentary Library, Canberra, 2014, p. 3, accessed 30 October 2015.

[115]. Personally Controlled Electronic Health Records Act 2012, accessed 30 October 2015.

[116]. Explanatory Memorandum, op. cit., p. 72.

[117]. Regulation 3.1.1 of the Personally Controlled Electronic Health Records Regulation 2012 prescribes provisions of the following legislation: Public Health Act 2010 (NSW); Public Health Act 2005 (Qld); Public Health Act 1997 (ACT), all accessed 9 November 2015.

[118]. The Explanatory Memorandum provides an example of where it might be appropriate for the Rules to prescribe otherwise. See Ibid., p. 73.

[119]. Ibid., p. 32.

[120]. See footnotes 112–113 and related text for further information on the Regulatory Powers Act.

[121]. Public Governance, Performance and Accountability Act 2013, accessed 2 November 2015.

[122]. Royle, op. cit., p. 55. See recommendation 13.

[123]. Explanatory Memorandum, op. cit., p. 94. While the Explanatory memorandum provides that ‘there are no regulations proposed to collect any further information’, the regulations can be amended to identify further information that can be collected about an individual.

[124]. Royle, op. cit., p. 28. In the UK, the summary care record rollout by the National Health Service experienced an opt-out rate of just 1.4 per cent.

[125]. Explanatory Memorandum, op. cit., p. 92.

[126]. Ibid., p. 23.

[127]. Ibid., p. 93.

[128]. Ibid., p. 92. The Explanatory Memorandum states that ‘various methods would be available to healthcare recipients to opt-out, for example, online, in person or by phone’. However, these are not set out in the Bill.

[129]. S Ley (Minister for Health), National Press Club Address, media release, 28 October 2015, accessed 5 November 2015.

[130]. The My Health Record System Operator is currently the Secretary of Department of Health as prescribed in section 14 of the PCEHR Act. It is intended that the new Australian Commission on eHealth (ACeH) will undertake this role once it is established.

[131]. Explanatory Memorandum, op. cit., p. 102.

[132]. A preserved law for the purposes of the My Health Record system refers to a law prescribed by regulation 3.1.1 of the Personally Controlled Electronic Health Records Regulation 2012, accessed 2 November 2015.

[133]. Repository operators must be registered under section 49 of the My Health Records Act 2010.

[134]. Privacy Act 1988, accessed 2 November 2015.

[135]. Australian Law Reform Commission (ALRC), For your information: Australian privacy law and practice, ALRC report 108, 12 August 2008, pp. 2067–2068, accessed 7 October 2015.

[136]. Ibid., p. 2065.

[137]. Royle, op. cit., p. 19.

[138]. S Ley, ‘Second reading speech: Health Legislation Amendment (eHealth) Bill 2015’, op. cit.

[139]. R Jolly, Personally Controlled Electronic Health Records Bill 2011, Bills digest, op. cit.

[140]. Ibid.

[141]. Explanatory Memorandum, op. cit., p. 92.

For copyright reasons some linked items are only available to members of Parliament.

Creative Commons

With the exception of the Commonwealth Coat of Arms, and to the extent that copyright subsists in a third party, this publication, its logo and front page design are licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Australia licence.

In essence, you are free to copy and communicate this work in its current form for all non-commercial purposes, as long as you attribute the work to the author and abide by the other licence terms. The work cannot be adapted or modified in any way. Content from this publication should be attributed in the following way: Author(s), Title of publication, Series Name and No, Publisher, Date.

To the extent that copyright subsists in third party quotes it remains with the original owner and permission may be required to reuse the material.

Inquiries regarding the licence and any use of the publication are welcome to webmanager@aph.gov.au.

Disclaimer: Bills Digests are prepared to support the work of the Australian Parliament. They are produced under time and resource constraints and aim to be available in time for debate in the Chambers. The views expressed in Bills Digests do not reflect an official position of the Australian Parliamentary Library, nor do they constitute professional legal opinion. Bills Digests reflect the relevant legislation as introduced and do not canvass subsequent amendments or developments. Other sources should be consulted to determine the official status of the Bill.

Any concerns or complaints should be directed to the Parliamentary Librarian. Parliamentary Library staff are available to discuss the contents of publications with Senators and Members and their staff. To access this service, clients may contact the author or the Library‘s Central Entry Point for referral.