PERSONALLY CONTROLLED ELECTRONIC HEALTH RECORDS BILL 2011 Explanatory Memorandum

2010 - 2011

THE PARLIAMENT OF THE COMMONWEALTH OF AUSTRALIA

HOUSE OF REPRESENTATIVES

PERSONALLY CONTROLLED ELECTRONIC HEALTH RECORDS BILL 2011

EXPLANATORY MEMORANDUM

(Circulated by authority of the Minister for Health and Ageing, the Honourable Nicola Roxon, MP)


PERSONALLY CONTROLLED ELECTRONIC HEALTH RECORDS BILL 2011

OUTLINE

The Personally Controlled Electronic Health Records Bill 2011 (`PCEHR Bill') will establish the national personally controlled electronic health record (`PCEHR') system (`PCEHR system') and provide its regulatory framework, including an entity that will be responsible for the operation of the PCEHR system. The PCEHR Bill will also implement a privacy regime specific to the PCEHR system which will generally operate concurrently with Commonwealth, state and territory privacy laws.

Background

The National E-Health Strategy, endorsed by Health Ministers in 2008, recognised that a 21st century healthcare system requires 21st century health information infrastructure in order to achieve its vision, which is to enable a safer, higher quality, more equitable and sustainable health system for all Australians by transforming the way information is used to plan, manage and deliver healthcare services. Underpinning this vision is a recognition that significant improvements in the way that health information is accessed and shared are required if Australia is to maintain a world class health system in the face of rapidly increasing demand and costs.

The National E-Health Strategy and National Health and Hospitals Reform Commission report of June 2009 both identified an electronic health records system as being central to enabling the realisation of many health reform objectives including improved quality, safety, efficiency and equity in healthcare and the long-term sustainability of the health system.

E-health is an integral part of the Australian Government's agenda for health reform, an agenda that aims to create a continuously improving healthcare system for the 21st century - a system that is accountable, affordable and sustainable, with safety and quality at its centre.

The PCEHR system

As part of the 2010-11 Budget the Australian Government announced funding of $467 million over two years to build the key national components of the national PCEHR system. The PCEHR system is the next step in using e-health to enhance the healthcare system. It enables the secure sharing of health information between a consumer's healthcare providers, while enabling the consumer to control who can access their PCEHR.

The PCEHR system builds on the foundation laid by the introduction of national healthcare identifiers for consumers, healthcare providers and healthcare provider organisations, as well as the National Authentication Service for Health, clinical terminologies and methods for communicating health information between healthcare providers such as discharge summaries and electronic referrals.

The PCEHR system places the individual at the centre of their own healthcare by enabling access to important health information when and where it is needed, by consumers and their healthcare providers. A PCEHR will be assembled from distributed participating repositories which will hold summarised clinical information. These repositories will be operated by a mix of private and public sector organisations and will need to conform to strict specifications.

The development and operation of the PCEHR system will provide a range of benefits to healthcare consumers, providers and service organisations, and to the Australian economy more broadly. The benefits arise directly from providing consumers and healthcare providers with better access to health information, and indirectly by enabling reform of the way healthcare is delivered.

The PCEHR system is voluntary for consumers and organisations - healthcare provider organisations, repository operators, portal operators and contracted service providers. The system will operate on an opt-in basis, which means that any person or organisation wishing to participate in the system will need to register.

The PCEHR Bill

The PCEHR Bill establishes the PCEHR System Operator which will be responsible for the operation of the system, and its advisory bodies which will provide expert advice and ensure state, territory, consumer and stakeholder input on the operation of the system. The Secretary of the Department of Health and Ageing will initially perform the role of System Operator.

A framework will be established for the registration of consumers and other entities, specifying eligibility criteria, authorising them to participate and imposing obligations on them to maintain the security and integrity of the PCEHR system.

The PCEHR Bill provides clear privacy protections and clarifies how state and territory privacy laws will apply. It prescribes the circumstances in which registered consumers and entities can collect, use and disclose information in consumers' PCEHRs. It also allows for a range of remedies, including civil penalties, where there is an unauthorised use, collection or disclosure of information in a consumer's PCEHR or where certain actions occur that might compromise the integrity of the PCEHR system.

The Privacy Act 1988 will generally apply to the PCEHR system in respect of health information in consumers' PCEHRs. Amongst other things, this will allow the Information Commissioner to investigate any interference with privacy. The main area where the provisions of the PCEHR Bill will prevail over the Privacy Act is in relation to the collection, use and disclosure of health information in a consumer's PCEHR.

As well as permitting the making of regulations, the PCEHR Bill permits the Minister for Health and Ageing to make PCEHR Rules. Such Rules will be legislative instruments and may relate to a range of matters, including the registration and access controls of consumers and registration of entities wishing to participate in the PCEHR system. The PCEHR Rules will allow flexible and fast responses to evolving technologies and security risks.

The PCEHR Bill implements a range of common mechanisms to provide transparency and scrutiny of the PCEHR system's operation, including the review of decisions by the System Operator, annual reports by the System Operator and the Information Commissioner and a review of the legislation after it has been operating for two years.


PERSONALLY CONTROLLED ELECTRONIC HEALTH RECORDS BILL 2011

NOTES ON CLAUSES

PART 1--PRELIMINARY

Clause 1 Short title

Clause 1 provides that the Bill, once enacted, will be cited as the Personally Controlled Electronic Health Records Act 2011.

Clause 2 Commencement

Clause 2 provides that the Bill will commence on a day or days to be fixed by Proclamation. This enables the Governor-General to specify the day the Bill will commence or the days different provisions will commence. For example, it may be appropriate for the functions of the System Operator and the privacy arrangements to commence before the remainder of the Bill to allow the system framework to be put in place before the system begins on 1 July 2012. If Proclamation has not occurred by either 1 July 2012 or the day the Bill receives Royal Assent, clause 2 provides that the Bill will commence on the day after the later of those dates. The PCEHR System Operator will not be established, and the registration and PCEHR-specific privacy arrangements will not start, until the Bill (or the relevant parts of the Bill) commences.

Clause 3 Object of Act

It is common practice today to include in a bill certain types of explanatory material. Clause 3 outlines the object of the proposed Act and reflects the purpose of the PCEHR system, which is primarily to help overcome the fragmentation of health information and improve the delivery of healthcare by increasing the availability and quality of health information.

Clause 4 Simplified outline of Act

This clause serves as a directory to the Bill, outlining what is contained in each Part of the Bill.

Clause 5 Definitions

This clause assists in the interpretation of the Bill by defining particular words and phrases used in the Bill. Many of these terms are aligned with the Healthcare Identifiers Act 2010 (`HI Act') and the Privacy Act 1988 (`Privacy Act'), given the critical role those Acts play in the operation of the PCEHR system. Some key terms are described below.

Approved form

If a consumer or healthcare provider organisation chooses to participate in the PCEHR system, they must apply to the System Operator to be registered (see clauses 39 and 42). In order to ensure that applications are made in an effective and appropriate manner, and contain the information required by the System Operator to make a decision about the application, the System Operator may determine the approved form an application must take. This allows the System Operator to specify the form in which applications must be made, and the information and documentary requirements to support an application. The System Operator must determine this form in writing. It is envisaged that details on making applications to register will be published on the System Operator's website and made available to consumers and healthcare providers in other ways.

Consumer-only notes

The PCEHR system will provide the capacity for consumers to enter notes on their health that will not be accessible to healthcare providers. Consumer-only notes will serve as an aide-memoire to consumers for recording details about such things as complementary medicines and general health. Consumers will also have the ability to enter some summary health information in their PCEHR, including medications and allergies, that will be accessible by healthcare providers and will be clearly identified as having been entered by the consumer. This summary health information will not form part of consumer-only notes.

Contracted service provider

The Bill recognises that many healthcare provider organisations outsource their information technology and health information management services to contracted service providers. The Bill therefore provides for contracted service providers, which are under contract to a healthcare provider organisation, to register to participate in the PCEHR system. This definition is the same as that used in the HI Act.

Court

Court is defined to mean the Federal Court of Australia, the Federal Magistrates Court or a court of a state or territory that has jurisdiction in relation to matters arising under the Bill. The term Court is used, for example, to specify the courts within which the Information Commissioner may bring proceedings for a contravention of a civil penalty provision.

Employee

This definition reflects the broad range of arrangements used by entities that will participate in the PCEHR system. It recognises contractors and other persons who provide services to an organisation regardless of whether or not they are remunerated for those services, thereby taking account of medical students and volunteer workers. This definition is critical to clause 99, which extends the authorisations in the Bill (for the collection, use and disclosure of PCEHR information) to employees in certain circumstances.

Entity

Entity carries the same meaning as in the HI Act. A "person" (paragraph (a) of the definition) will include a body corporate and a body politic as well as an individual: see section 22 of the Acts Interpretation Act 1901.

Healthcare

Healthcare is defined in the same way, and is intended to have the same meaning, as health service under the Privacy Act. The term healthcare has been used to align with the terminology used in the HI Act.

Healthcare provider organisations

This definition ensures that any reference to a healthcare provider organisation includes those organisations which provide healthcare services free of charge and takes account of organisations which form part of a larger entity.


Health information

Health information is defined in substantially the same way as health information is under the Privacy Act. The only difference is that under the PCEHR Bill the definition uses the term healthcare rather than health service. Despite this difference, it is intended that health information have the same meaning under the PCEHR Bill as it does under the Privacy Act. Health information is a subset of personal information.

National Law

In 2010, Queensland passed the Health Practitioner Regulation National Law Act 2009. The other states and the territories have since applied the law set out in the Schedule to the Queensland Act, or substantially applied that law, in their jurisdictions. The National Law provides for the national regulation of health practitioners. The PCEHR Bill relies on the National Law for giving certain rights. For example, only certain types of healthcare providers under the National Law are eligible to be nominated healthcare providers under the PCEHR Bill.

Nominated healthcare provider

Nominated healthcare providers play an important role in providing key health information for a consumer's PCEHR by creating and maintaining a consumer's shared health summary. It is critical that shared health summaries be clinically useful and effective for a range of different types of healthcare providers who may review them. Only certain types of providers are eligible to be a nominated healthcare provider, being providers who are registered by a registration authority as a:

· medical practitioner;
· registered nurse; or
· Aboriginal health practitioner, Torres Strait Islander health practitioner or Aboriginal and Torres Strait Islander health practitioner within a class specified in the regulations.

The ability to prescribe classes of these types of practitioners is necessary as there may be several levels of qualification held by such practitioners, some of which may not be sufficient for the practitioner to be a nominated healthcare provider. Additional types of healthcare providers may be prescribed in regulations as being eligible to be a nominated healthcare provider in the future, providing flexibility if implementation experience and stakeholder feedback indicate it is needed.

A healthcare provider must have a healthcare identifier under the HI Act, and there must be agreement between the healthcare provider and the consumer for the healthcare provider to be the consumer's nominated healthcare provider. Such agreement is not required to be written. A consumer is not required to have a nominated healthcare provider. If a consumer has never had a nominated healthcare provider, the consumer's PCEHR will not contain a shared health summary but may contain event summaries, discharge summaries and other healthcare documents.

Parental responsibility

This definition provides who has parental responsibility for a child - for example, as a parent, under a court order or as a guardian. The definition relies on definitions in the Family Law Act 1975 and takes account of Commonwealth, state and territory laws regarding custody or guardianship of, or access to, a child. The term parental responsibility is used in the definition of authorised representative, which recognises a broader range of legal responsibilities for other persons.

Participant in the PCEHR system

This term is defined to include all the entities involved in the PCEHR system - that is, the PCEHR System Operator, registered healthcare provider organisations, registered repository operators, registered portal operators and registered contracted service providers. It does not include registered consumers.

Personal information

This definition is the same as that used in the Privacy Act. The Privacy Act defines personal information as "information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion".

Personally controlled electronic health record (or PCEHR)

A consumer's PCEHR is compiled from a range of sources and may include existing and new records which have been uploaded to the PCEHR system, as well as records which only exist within the PCEHR system. A PCEHR includes:

· information about the consumer entered by the System Operator into the Register, such as identifying information, access control settings, details about authorised and/or nominated representatives and details of any prior suspensions of the PCEHR;
· health information relating to the consumer that has been indexed in order to be accessible via the PCEHR system;
· other information connected to the consumer as part of the PCEHR system, such as audit information or any actions taken to correct or remove incorrect information; and
· back-up records of the PCEHR.

Use

The Bill sets out circumstances in which information may and may not be collected, used and disclosed. To avoid any doubt about whether certain activities constitute a "use" of information, the term has been defined to include accessing, viewing, modifying and deleting information. This is to ensure that authorisations and sanctions under the PCEHR Bill have appropriate coverage.

Clause 6 Meaning of authorised representative of a consumer

It is intended that minors and people with no or only limited capacity to act on their own behalf will be able to have a PCEHR. To enable this, the PCEHR Bill contains the concept of authorised representatives. An authorised representative will be able to register a consumer for a PCEHR and manage the access controls of the PCEHR on behalf of the consumer.

A person claiming to act on behalf of a consumer may apply to the System Operator to register the consumer for a PCEHR or, if the consumer already has a PCEHR, the person may apply to the System Operator to take control of the consumer's PCEHR. The System Operator is restricted by the provisions in clause 6 as to who it may recognise as an authorised representative.


If the System Operator decides that the person is an authorised representative for the purposes of the PCEHR system, it will adjust the settings of the individual's PCEHR to provide that the authorised representative, instead of the consumer, can manage the access control settings of the PCEHR. For the purposes of the Bill and the PCEHR system, an authorised representative is treated as if she or he were the consumer (subclauses 6(7) and (8)). That is, the authorised representative can do anything authorised or required of the consumer in relation to the PCEHR system, and anything done by an authorised representative in relation to the PCEHR system is taken as if it were done by the consumer. Where a consumer has an authorised representative, the consumer will not be able to access her or his PCEHR unless the authorised representative has granted her or him access as a nominated representative.

A person will generally need a healthcare identifier in order to be an authorised representative (subclause 6(6)). This requirement is necessary so the System Operator is able to identify persons using the system in order to maintain a comprehensive audit trail of access to consumers' PCEHRs. The PCEHR Rules may provide that an authorised representative does not need a healthcare identifier. It is envisaged that such PCEHR Rules would be made in only limited circumstances. For example, where a child is under the guardianship of a statutory office holder such as a public guardian, it is not intended that the statutory office holder or their staff would use their own healthcare identifier to identify themselves to the System Operator when acting as an authorised representative of the child. However, it is important that such people are identified, and paragraph 6(6)(b) will permit PCEHR Rules to be made for this purpose.

An authorised representative must always act in the best interests of the consumer, having regard to any directions from the consumer expressed when they had capacity to act on their own behalf (subclause 6(9)). This obligation will help reduce the risk of an authorised representative acting for their own benefit and helps ensure that preferences previously expressed by the consumer will be taken into account in managing their PCEHR.

If the System Operator is not satisfied that a person is the authorised representative of the consumer, the person can request a review of that decision (see subclause 97(1)(a)). A consumer may have more than one authorised representative. There are no age restrictions on being an authorised representative for PCEHR purposes.

It is critical that the operation of the PCEHR system be flexible to deal with unique circumstances in respect of minors and persons with limited or no capacity. The design of the system will provide that, if the PCEHR System Operator is notified of a dispute between authorised representatives over the management of a person's PCEHR, the System Operator may suspend access by the authorised representatives to the PCEHR. If this occurs, the PCEHR will continue to be accessible by healthcare providers, and providers will still be able to upload information to the PCEHR in accordance with the access control settings already in place. The System Operator will reinstate access by authorised representatives when it is satisfied that the dispute has been resolved - for example, as a result of a court order or on receipt of formal advice by all parties involved in the dispute that the dispute has been settled.

Persons aged under 18 years

Any authorised representative of a minor will be able to register the minor. Once the minor is registered, the authorised representative(s) will be responsible for managing the minor's PCEHR, including determining which healthcare provider organisations may access the PCEHR and whether any other persons (including the minor themselves) may access the PCEHR as a nominated representative.

If the System Operator is satisfied that a person has parental responsibility for a minor, that person will be recognised as an authorised representative (subclause 6(1)). If there is no person who the System Operator is satisfied has parental responsibility for a minor, the System Operator may choose to recognise a range of other people as an authorised representative. For example, a person may satisfy the System Operator that the person is authorised by an Australian law, or by a decision of an Australian court or tribunal, to act on behalf of the minor (paragraph 6(2)(a)). Subclause 6(2) specifies other circumstances where a person may be recognised as an authorised representative, and is intended to allow the System Operator to take into account exceptional circumstances so that all minors can have an authorised representative and thus a PCEHR.

Subclause 6(3) specifies the circumstances in which a minor is taken not to have an authorised representative and may thus take control of their own PCEHR. An administrative framework for determining whether a minor may take control of their PCEHR, or register themselves for a PCEHR, will be established based on existing Medicare arrangements which acknowledge the growth in maturity and capacity that occurs during the teenage years and the differing family circumstances that can occur. In summary, the arrangements for the PCEHR system will presume that consumers aged 14 up to 18 years have the capacity to make their own decisions in respect of healthcare information but will recognise that some may choose not to exercise that power and may prefer to have their parent(s) or legal guardian(s) continue to act for them.

PCEHR administrative arrangements will also provide for circumstances where a mature minor under 14 years may register for their own PCEHR, or take control of their existing PCEHR, without the involvement of a parent or legal guardian. In considering whether a mature minor has the capacity to manage their own PCEHR, the System Operator may require written evidence from the minor's healthcare provider.

In practice, when a minor turns 14 years the System Operator will advise the minor in writing of the ability to take control of their PCEHR and explain how the minor can take such an action. The minor can then determine whether they will continue to allow their parent/s or legal guardian/s to access their PCEHR as a nominated representative, as well as determining which healthcare provider organisations can access their PCEHR and whether any other person can access their PCEHR as a nominated representative. Any minor who has been registered by another person and who chooses to take control of their PCEHR will be required to prove their identity to the System Operator.


Example: Ben is 22 years old and he has had a PCEHR since he was 12 years old, when his foster parents registered him. Ben has always been able to view his PCEHR since his foster parents granted him read-only access as a nominated representative. He has now decided that he wants to actively participate in his own healthcare and manage his PCEHR. Using the options provided by the PCEHR system, Ben proves his identity to the System Operator and activates the setting which transfers PCEHR control to him. He then sets the access controls to allow his foster parents read-only access to his PCEHR as nominated representatives.

Example: Moira is 12 years old and has diabetes. Her parents are estranged and are involved in a difficult custody battle over Moira. Moira's healthcare provider has determined that, given the circumstances, Moira is a mature minor and is able to make decisions in respect of her healthcare. Moira is therefore able to make an application to register for a PCEHR. In considering Moira's application, the PCEHR System Operator will likely require written advice from Moira's healthcare provider that she is a mature minor capable of making decisions for herself. Following a decision by the System Operator to register her, Moira can now manage her own PCEHR, including determining which healthcare provider organisations may access her PCEHR and whether her parents or any other persons may access her PCEHR as nominated representatives.

When a consumer turns 18, the System Operator will advise them in writing explaining how they may take control of their record. Upon turning 18, the consumer's parent(s), legal guardian(s) or other authorised representatives will automatically cease to be authorised representatives in relation to the consumer. In the period between turning 18 and taking action to either manage their PCEHR or cancel their PCEHR registration (in both cases requiring the consumer to prove their identity), the consumer will not be able to access their PCEHR. However, the consumer's PCEHR will continue to be accessible by healthcare providers, including for uploading information, subject to the access control settings in place immediately before the consumer turned 18.

Example: Keiko has just turned 18 years old and has been notified by the PCEHR System Operator that she is now obliged to manage her own PCEHR, if she chooses to continue having one. Until now, she has been happy to allow her parents to manage her PCEHR for her, but the PCEHR system no longer recognises the authority of her parents and they can no longer access her PCEHR. Until Keiko takes action (that is, proves her identity and either sets access control settings or cancels her PCEHR registration), her PCEHR will continue to be accessible by her healthcare providers in accordance with the access controls set by her parents. Keiko decides to keep her PCEHR, so she takes the action specified by the System Operator to take control of her PCEHR. Keiko can now decide which healthcare provider organisations and other persons (such as her parents) may access her PCEHR.

Persons aged at least 18 years

Persons who have limited or no capacity will be able to participate in the PCEHR system. Any authorised representative of a consumer will be able to register the consumer. Once the consumer is registered, the authorised representative will be responsible for managing the consumer's PCEHR, including determining which healthcare provider organisations may access the PCEHR and whether any other persons (including the consumer themselves) may access the PCEHR as a nominated representative.

A person may be an authorised representative of a person over 18 years old if the System Operator is satisfied that the consumer is not capable of making decisions for themselves, and that the person is authorised by an Australian law, or by a decision of an Australian court or tribunal, to act on behalf of the consumer (paragraph 6(4)(a)). The System Operator may recognise other people as an authorised representative in specified other circumstances (paragraph 6(4)(b)). This provision allows the System Operator to take into account a range of other circumstances for people without capacity, or with only limited capacity.

Example: When Rosa was diagnosed with Alzheimer's disease several years ago, she granted her son, Hakim, Power of Attorney (subject to her capacity) to allow him, once she lost capacity, to make decisions on her behalf. Rosa's doctor has now informed Hakim that Rosa no longer has the capacity to make decisions. Rosa already has a PCEHR which Hakim helped her to set up last year. Hakim now presents to the PCEHR System Operator evidence of the Power of Attorney granted by Rosa and evidence that it is now in force (written advice by Rosa's doctor that Rosa has lost decision-making capacity). The System Operator then gives Hakim access to Rosa's PCEHR as an authorised representative. Hakim can now manage Rosa's PCEHR on her behalf, which includes managing the access controls and entering notes about Rosa's health for his own reference.

Clause 7 Definition of nominated representative of a consumer

This definition supports the involvement of non-healthcare professionals in assisting consumers to manage their healthcare. Nominated representatives may be family members, carers, neighbours or any other person nominated by a consumer. For a person to be a nominated representative, there must be an agreement between the consumer and the proposed nominated representative. This agreement does not have to be in writing. The consumer must also notify the System Operator that the other person is her or his nominated representative. In practice, the requirement for agreement and notification will be satisfied by the consumer setting the access controls to their PCEHR granting the nominated representative a particular level of access.

A nominated representative will be able to access the consumer's PCEHR, subject to any access controls set by the consumer. This means that, in some cases, a nominated representative may only have read-only access to a consumer's PCEHR, should a consumer so wish. In other cases, a consumer may allow a nominated representative to have the same level of control as an authorised representative - that is, be able to act on behalf of the consumer in relation to the consumer's PCEHR, including setting access controls on the consumer's PCEHR and granting access to healthcare provider organisations. This flexibility in setting access controls is designed to take into account the many circumstances where a person may not be able to, or may not wish to, manage their own PCEHR but where they do not have a formal legally recognised representative to act on their behalf.


Example: Machiko's father, Toshio, is on numerous medications. Machiko assists her father in managing his healthcare. Toshio has given his daughter read-only access to his PCEHR as a nominated representative, thereby allowing Machiko to easily view key health information about her father, such as currently prescribed medications and test results. This helps Machiko provide care and assistance to her father. Example: Helen has schizophrenia which sometimes affects her capacity to make healthcare decisions. Helen has given her sister, Beverly, full access to her PCEHR as a nominated representative, thereby allowing Beverly to act on Helen's behalf in relation to her PCEHR. Beverly can enter information into Helen's PCEHR, such as keeping a record of the frequency of Helen's episodes, and can change the access control settings for Helen's PCEHR including granting new healthcare provider organisations access to Helen's PCEHR. A nominated representative is subject to any access limitations that have been set by the consumer, so for example a nominated representative who has been provided with full access by the consumer is entitled to do anything that a consumer is entitled to do (paragraph 7(2)(a)), and the nominated representative is treated as if she or he were also the consumer (paragraph 7(2)(b)). Unlike the authorised representative arrangements, a consumer will still be able to access and control her or his PCEHR if she or he has a nominated representative (subclause 7(4)). There may be more than one nominated representative in respect of a PCEHR, and there are no age restrictions on being a nominated representative. A nominated representative with read-only access will not require a healthcare identifier, allowing for circumstances where a consumer may have a family member overseas who is involved in the consumer's healthcare. 
Any access to a consumer's PCEHR by a nominated representative who does not have a healthcare identifier will be recorded for audit purposes; however, the identity of the nominated representative may not be able to be verified by the System Operator. Consumers will need to take this into account if they choose to have more than one nominated representative. For a nominated representative to be given more than read-only access to a consumer's PCEHR (which means they will be able to change access settings), the representative will require a healthcare identifier, unless the PCEHR Rules provide otherwise (paragraph 7(3)(d)). The PCEHR Rules may provide that nominated representatives with more than read-only access to a consumer's PCEHR do not require a healthcare identifier, to deal with the same types of situation discussed in relation to subclause 6(6). It is envisaged that any PCEHR Rules made under subclause 7(3) would be made in only limited circumstances and would require the nominated representative to be identifiable in some other way.

A nominated representative must always act in the best interests of the consumer, subject to the consumer's directions (subclause 7(6)). This obligation will help reduce the risk of a nominated representative acting for their own benefit and helps ensure that directions given by the consumer about how their PCEHR should be managed will be implemented.

Clause 8 References in sections 6 and 7 to certain things

This clause ensures that the provisions in clauses 6 and 7 can apply to authorised representatives and nominated representatives as necessary. It does this by permitting regulations to be made, if necessary, prescribing provisions of other Acts so that authorised representatives and nominated representatives who are able to change access settings can act on behalf of consumers under the PCEHR Bill. Without the ability to make regulations under this clause, provisions in other Acts may effectively prevent a consumer's representatives acting on behalf of the consumer in relation to the consumer's PCEHR.

Clause 9 Definition of identifying information

This is defined for the purposes of clause 58. Identifying information is defined in respect of consumers (subclause 9(3)), healthcare providers (subclause 9(1)) and healthcare provider organisations (subclause 9(2)) and generally includes the name, address and other details of the person or entity. Identifying information is necessary for the purposes of verifying identities for registration and ongoing use of the PCEHR system. The definition is similar to the definition of identifying information under the HI Act.

Clause 10 Definition of shared health summary

A shared health summary is an important tool for providing key health information in a consumer's PCEHR. A shared health summary for a consumer, at any particular time, is a record which is prepared by a nominated healthcare provider, is described by that provider as a shared health summary, has been uploaded to the National Repositories Service and is at that time the most recent shared health summary uploaded. Each time a new shared health summary is uploaded, it will replace the previous summary (records which were previously shared health summaries will remain accessible via the PCEHR system). There will only be one shared health summary for a consumer at any given time.

Clause 11 Act to bind the Crown

This clause provides that the Bill binds the Crown in each of its capacities. This means that the Bill is intended to apply to (and be observed by) the Commonwealth and each of the States, the Australian Capital Territory and the Northern Territory.
While each jurisdiction will be legally bound by the arrangements set out in the Bill, the Crown will not be liable for pecuniary penalties or subject to prosecution for offences (subclause 11(2)). This is a common clause in Commonwealth legislation. While the Crown cannot be liable to be prosecuted for an offence, or liable for a pecuniary penalty, this does not mean that all action against the Crown is precluded. This is explained in the note to subclause 11(2). If the Crown in any of its capacities does not comply with its obligations under this Bill, other remedies are potentially available. For example, it may be subject to a declaration or injunction, investigated by the Information Commissioner under the Privacy Act, investigated by the Ombudsman, subject to Parliamentary scrutiny or subject to claims for breach of statutory duty. Further, while the Crown may have immunity in certain regards, the employees and contractors of the Crown will not necessarily have any such immunity. Finally, nothing in the Bill prevents an individual who suffers loss or damage from seeking to recover that loss or damage from the person who caused it.

Clause 12 Concurrent operation of State laws

The Bill has been developed to work in conjunction with existing Australian laws as far as is possible. This clause provides that the Bill does not apply to the exclusion of a law of a state or territory to the extent that that law is capable of operating concurrently with the Bill. There are state and territory laws which are specifically intended to be overridden by this Bill in order to ensure the effective operation of the PCEHR system (see clause 41). These include:

· laws prohibiting the uploading of health records without the "express" consent of a consumer. For example, Health Privacy Principle 15(1) of the Health Records and Information Privacy Act 2002 (NSW); and
· laws prohibiting the disclosure of health information to an entity outside a state or territory, or to the Commonwealth, without the consent of the consumer. For example, Health Privacy Principle 14(b) of the Health Records and Information Privacy Act 2002 (NSW) and Health Privacy Principle 9.1(b) of the Health Records Act 2001 (Vic).

There are also state and territory laws that are not intended to be displaced by this Bill. These relate to the disclosure of a person's identity or confidential information in connection with certain notifiable diseases. It is proposed that such state and territory laws, which may otherwise be displaced by the Bill, will be prescribed by regulation under subclause 41(4) and will be preserved.

Clause 13 External Territories

This clause provides for the Bill to apply to Australia and all its external territories - for example, Christmas Island, Cocos (Keeling) Islands, Ashmore and Cartier Islands, Norfolk Island, Coral Sea Islands, Heard Island and McDonald Islands, and the Australian Antarctic Territory. This means that consumers and entities located in Australia and each of the external territories may be eligible to participate in the PCEHR system.

PART 2--THE SYSTEM OPERATOR, ADVISORY BODIES AND OTHER MATTERS

Part 2 of the Bill sets out the governance arrangements for the PCEHR system. It establishes the System Operator (the body responsible for creating and running the PCEHR system) and specifies its functions. Part 2 also specifies advisory bodies to the System Operator and prescribes their functions, and confers functions on the Chief Executive Medicare in respect of the PCEHR system.
DIVISION 1--SYSTEM OPERATOR

Clause 14 Identity of the System Operator

The PCEHR system will be managed by the System Operator, which is established by clause 14. Subclause 14(1) specifies that the System Operator is the Secretary of the Department of Health and Ageing. It also provides that another body established by a law of the Commonwealth may be prescribed by the regulations to be the System Operator (paragraph 14(1)(b)). Having the Secretary of the Department as the System Operator will ensure:

· accountability and transparency of operations;
· coverage by Commonwealth financial, data security and privacy arrangements;
· a smooth transition from contractual governance arrangements established for the system build; and
· the ability to coordinate the necessary jurisdictional and stakeholder involvement.

Discussions will continue with the states and territories around possible future options for the development of an inter-jurisdictional national e-health body. Before regulations are made which prescribe a body to be the System Operator, the Minister must consult with the Ministerial Council (subclause 14(2)).

Clause 15 Functions of the System Operator

This clause prescribes the functions of the System Operator, giving the System Operator the necessary legal authority to establish and run the PCEHR system. The System Operator must:

· establish and operate an index service (paragraph 15(a)) - the index service associates a consumer with clinical documents relating to the consumer which are stored in registered repositories or the National Repositories Service. The index service enables a consumer's PCEHR to be compiled from various sources. Clinical documents will be associated with consumers using the consumer's healthcare identifier;
· implement and maintain access control mechanisms for consumers, subject to any requirements in PCEHR Rules (paragraph 15(b)) - access control mechanisms will enable a consumer to control access to their PCEHR by healthcare providers and nominated representatives. If a consumer does not set access controls, default access controls will apply. Access control mechanisms may also specify when access to a consumer's PCEHR is to be automatically suspended or cancelled - for example, it is proposed that access by authorised representatives will be automatically cancelled upon the consumer turning 18. Paragraph 15(c) sets out further minimum requirements for access control mechanisms to be established and maintained by the System Operator;
· establish and operate a reporting service (paragraph 15(d)) - this service will support reporting and analysis on the operation of the PCEHR system for use in, for example, the System Operator's annual report to Parliament;
· establish and manage the Register (paragraph 15(e)) - the Register is established under clause 56. It will be used for operations of the PCEHR system, including to record information about the registration of consumers and other participants in the PCEHR system, and consumers' access control settings. The System Operator is responsible for ensuring appropriate details are recorded in this Register (clause 57). The Register will not contain health information;
· register consumers and participants (paragraph 15(f)) - this will involve functions such as implementing a system of registration and making decisions as to whether or not to register participants in the PCEHR system and consumers (including decisions about whether a person is an authorised representative of a consumer). It will also involve varying, suspending or cancelling the registration of participants and consumers, where necessary, and monitoring compliance by participants with conditions of registration;
· establish and manage the audit service (paragraph 15(g)) - this service will record all activity in relation to information in the PCEHR system for transparency and regulatory purposes. The record will include activity in relation to consumers' PCEHRs and activities undertaken by participants in the PCEHR system including healthcare provider organisations, portal providers and contracted service providers. The audit service will ensure that a consumer can obtain details of all flows of information relating to her or his PCEHR (subparagraphs 15(h)(i) and (ii)). A summary of the flows of information in relation to a consumer's PCEHR will be accessible electronically. Consumers may obtain from the System Operator a detailed record of flows of information in relation to their PCEHR;
· establish and operate the National Repositories Service (paragraph 15(i)) - this Service will ensure there is a minimum critical set of health information about registered consumers, including shared health summaries, discharge summaries, event summaries and specialist letters. The National Repositories Service will also provide secure storage for consumer-only notes;
· establish a complaints handling mechanism (paragraph 15(j)) - this service will provide national arrangements for consumers and participants to make complaints relating to the PCEHR system, although consumers will still have the ability to lodge complaints with other appropriate bodies such as national or state privacy or health information regulators;
· ensure that the PCEHR system is administered so that problems may be resolved (paragraph 15(k));
· advise the Minister of matters relating to the PCEHR system (paragraph 15(l)) - this function will involve advising on a broad range of matters of which the Minister should be made aware or on which the Minister has sought advice. This function includes advising the Minister about matters to be included in PCEHR Rules; and
· educate the public, consumers and participants about the PCEHR system (paragraph 15(m)) - providing information on the PCEHR system for consumers and healthcare providers is a key part of ensuring they are aware of the benefits of the PCEHR system, and that those involved in the system are aware of their rights and obligations. Effective availability of information will help protect the integrity and security of the PCEHR system, and the health information stored in it.

Clause 16 System Operator to have regard to advisory bodies' advice etc.
In carrying out its functions as specified in clause 15, the System Operator must have regard to advice and recommendations (if any) given to it by the two advisory bodies established by the Bill: the Jurisdictional Advisory Committee (Division 2 of Part 2) and the Independent Advisory Council (Division 3 of Part 2). The System Operator is not required to follow the advice of these advisory bodies. However, the existence of these bodies provides the System Operator with access to specialist advice in a broad range of areas. Such advice and recommendations, and subsequent decisions by the System Operator, may be made public to provide for scrutiny and transparency. The System Operator and the advisory bodies may draw on other expert advice as appropriate, including from the Office of the Australian Information Commissioner in relation to privacy matters. Information about the operations of the advisory bodies may be reported in the System Operator's annual report (subclause 107(3)).

Clause 17 Retention of records uploaded to National Repositories Service

The National Repositories Service will ensure that there is capacity to store a minimum critical set of health information about registered consumers, which will include shared health summaries, event summaries, discharge summaries and specialist letters. The Service will also provide secure storage for consumer-only notes. The National Repositories Service must retain any record which contains health information about a consumer until 30 years after the consumer has died or, if the System Operator does not know the date of death, for 130 years from the date the record was uploaded to the National Repositories Service (paragraph 17(2)(b)). These requirements support the longevity of a minimum data set in the PCEHR system. These retention requirements for the National Repositories Service will not apply to registered repositories, such as those operated by state governments or the private sector. Those repositories are already subject to existing Commonwealth, state or territory arrangements concerning the retention of health records and will not be subject to any additional retention requirements under this Bill. The National Repositories Service will retain the records of a consumer for a period after she or he dies and, during that time, the records will continue to be given the same privacy protections which were in place when the consumer was alive.

DIVISION 2--JURISDICTIONAL ADVISORY COMMITTEE

Many of the benefits to the health system and to healthcare outcomes arise from up-to-date information being available when patients move to, from and within the primary and acute care sectors. Ensuring the involvement of the states and territories and their input into the operation and implementation of the PCEHR system is therefore crucial. The Jurisdictional Advisory Committee will ensure state and territory involvement in the operation of the PCEHR system.

Clause 18 Establishment, functions and status of the jurisdictional advisory committee

Subclause 18(1) establishes the Jurisdictional Advisory Committee. The purpose of this committee is to advise the System Operator on matters relating to the interests of the Commonwealth, states and territories, and any other functions which are prescribed by the regulations (subclause 18(2)). This committee will have the privileges and immunities of the Crown, which means it will not be liable for pecuniary penalties or be subject to prosecution for offences (subclause 18(3)).
See the discussion above in relation to clause 11 for an outline of the limitations on this immunity.

Clause 19 Membership of the jurisdictional advisory committee

Membership of the committee will comprise:

· a representative of the Commonwealth (paragraph 19(1)(a)), to be appointed by the Minister in writing (subclause 19(2)); and
· a representative of each state and territory (paragraph 19(1)(b)), to be appointed by the head of the relevant state or territory health department in writing (subclause 19(3)).

This ensures equal representation of the Commonwealth, states and territories. It also ensures that states and territories have a voice in relation to operation of the PCEHR system, including how the System Operator performs its functions. All members will be appointed on a part-time basis (subclause 19(4)), which is standard for this type of statutory body. State and territory representatives will take turns chairing the committee (subclause 19(5)).

Clause 20 Termination of appointment of members of the jurisdictional advisory committee

The appointment of the Commonwealth representative may be terminated by the Minister at any time (subclause 20(1)). Similarly, the appointment of a state or territory representative may be terminated by the relevant state or territory health department head at any time (subclause 20(2)). The Bill does not prescribe any criteria for deciding to terminate the appointment of a member, so these decisions will be made at the discretion of the Minister and the relevant health department head, respectively.

Clause 21 Substitute members of the jurisdictional advisory committee

In circumstances where a member is unable to attend a meeting of the committee, the Minister (subclause 21(1)) or the state or territory health department head (subclause 21(2)), depending on who appointed that particular member, may nominate another person to attend in place of the absent member.

Clause 22 Application of the Remuneration Tribunal Act

The members of the committee will not receive payment under the Remuneration Tribunal Act 1973. Since the Commonwealth, state and territory representatives on this committee will likely be government employees, and will likely continue to receive a salary while participating on the committee, these members will not be eligible for payment under the Remuneration Tribunal Act 1973 in fulfilling their role as a committee member. This is a common arrangement for government employee participation in government committees. The Bill does however provide that regulations may be made in relation to remuneration of committee members if the need should arise (see clause 23).

Clause 23 Regulations may provide for matters relating to committee

The Bill provides that regulations may be made regarding the Jurisdictional Advisory Committee (clause 23), thereby permitting additional arrangements to be prescribed for the committee which are not already set out in the Bill.
The regulations may relate to:

· any qualifications for the Commonwealth member (paragraph 23(a));
· subject to clause 20, the terms and conditions of members' appointments, including:
  o remuneration and allowances which may be paid to members (subparagraphs 23(b)(i) and (ii));
  o arrangements for leaves of absence (subparagraph 23(b)(iii)); and
  o the disclosure of members' interests (subparagraph 23(b)(iv)); and
· the operation of procedures of the committee (paragraph 23(c)). In this regard, the regulations may prescribe that the committee can determine its own procedures on any matter.

DIVISION 3--INDEPENDENT ADVISORY COUNCIL

The involvement of healthcare providers, consumers and other health sector stakeholders will also be crucial to the success of the PCEHR system, particularly in ensuring clinically safe operations, expert advice on technical, security and privacy issues and expert advice on the consumer experience and consumer needs in managing their own healthcare. The Independent Advisory Council will ensure the involvement of key stakeholders that reflect a broad range of experience, and the provision of key expertise in the operation of the PCEHR system.

SUBDIVISION A--ESTABLISHMENT, FUNCTIONS AND STATUS

Clause 24 Establishment, functions and status of independent advisory council

Subclause 24(1) establishes the Independent Advisory Council. The purpose of the Council is to advise the System Operator on matters relating to the operation of the PCEHR system, participation in the PCEHR system, and consumer security, privacy and clinical matters relating to the operation of the PCEHR system (paragraphs 24(2)(a) to (c)). The Council may also advise the System Operator on matters prescribed by the regulations (paragraph 24(2)(d)), which gives the flexibility to add new functions as necessary.

Clause 25 Independent advisory council has privileges and immunities of the Crown

This Council will have the privileges and immunities of the Crown, which means it will not be liable for pecuniary penalties or be subject to prosecution for offences. See the discussion above in relation to clause 11 for an outline of the limitations on this immunity.

SUBDIVISION B--MEMBERSHIP

Clause 26 Membership of the independent advisory council

Membership of the council will comprise:

· a Chairperson;
· a Deputy Chair; and
· a minimum of seven and a maximum of 10 other members.

These numbers are designed to ensure that the Council has available to it the necessary expertise and experience, but remains small enough to be effective.

Clause 27 Appointment of members

All Council members will be appointed by the Minister in writing (subclause 27(1)). In making appointments, the Minister must ensure that members between them have certain expertise and experience:

· three members must represent consumers' interests and must have significant knowledge of consumers' receipt of healthcare (paragraph 27(2)(a)). This recognises the diversity of the delivery to, and receipt of, healthcare by consumers and the unique needs of certain groups. These members may not be healthcare providers (subclause 27(3)).
· the remaining members of the Council must between them have experience or knowledge in:
  o the provision of healthcare as a medical practitioner (subparagraph 27(2)(b)(i));
  o the provision of healthcare as a healthcare provider other than a medical practitioner (subparagraph 27(2)(b)(ii));
  o law and/or privacy (subparagraph 27(2)(b)(iii));
  o health informatics and/or information technology services relating to healthcare (subparagraph 27(2)(b)(iv));
  o healthcare administration (subparagraph 27(2)(b)(v));
  o healthcare for Aboriginal or Torres Strait Islander people (subparagraph 27(2)(b)(vi)); and
  o healthcare for people living or working in regional areas (subparagraph 27(2)(b)(vii)).

These fields of experience will ensure that appropriate advice can be provided by the Council to the System Operator regarding the operations of the PCEHR system. Council members will be appointed on a part-time basis (subclause 27(4)), which is standard for this type of statutory body. Appointments cannot exceed five years (subclause 27(5)), although members will be eligible for re-appointment as explained in the note to subclause 27(1).

Clause 28 Acting appointments

If there is a vacancy, or an absence or an inability to perform duties, the Minister may appoint an acting Chair (subclause 28(1)), Deputy Chair (subclause 28(2)) or member (subclause 28(3)) to temporarily fill that position. Any such appointments must be made in writing.

SUBDIVISION C--MEMBERS' TERMS AND CONDITIONS

The appointment of the Council members, including the Chair and Deputy Chair, will be subject to certain terms and conditions which are specified in Subdivision C of Part 2 of the Bill.

Clause 29 Remuneration

A member of the Council will be paid for their services as a Council member in accordance with the Remuneration Tribunal Act 1973 (subclause 29(1)), except where the member is a full-time employee of the Commonwealth, a state or territory, or a state or territory authority or instrumentality (subclause 29(2)). It is intended that any full-time government employees should not be entitled to be paid for their role on the Council given that they would continue to receive a salary while performing that role. If the Remuneration Tribunal has not made a determination, the members of the Council will be paid the remuneration which is set out in the regulations (subclause 29(1)). Any allowances to be paid to members of the Council will be set out in the regulations (subclause 29(3)).

Clause 30 Leave

The Chair may be granted a leave of absence by the Minister (subclause 30(1)), and other members may be granted a leave of absence by the Chair (subclause 30(2)).
A leave of absence will be subject to the terms and conditions determined by the Minister or Chair, respectively.

Clause 31 Disclosure of interests to the Minister

A member must disclose to the Minister in writing any interests that conflict, or could conflict, with the proper performance of duties as a member of the Council.

Clause 32 Disclosure of interests to the independent advisory council

In the case of a member having an interest in a matter being considered by the Council, the member must formally disclose her or his interests to the Council (subclause 32(1)) and may be required to absent herself or himself from the consideration of the matter (subclauses 32(4) and (5)). Any such disclosure, and the Council's decision as to how to treat the member in respect of those interests, must be recorded in the Council's minutes (subclauses 32(3) and (6)).

Clause 33 Resignation

A member may resign from the Council by giving written notification to the Minister, and the resignation will take effect in accordance with subclause 33(2).

Clause 34 Termination of appointment

The appointment of a member of the Council may be terminated by the Minister for various reasons including misbehaviour or incapacity (subclause 34(1)), bankruptcy or absence (subclause 34(2)) and failing to disclose interests (paragraph 34(2)(c)). The Minister must consult with the System Operator before terminating the appointment of a member (subclause 34(3)). However, a failure to consult will not by itself invalidate the Minister's decision to terminate the appointment of a member (subclause 34(4)). This provides flexibility for an appointment to be terminated immediately and is only intended to be used in exceptional circumstances.

Clause 35 Other terms and conditions

This clause allows for the Minister to determine other terms and conditions that will apply to a member's appointment, but only where such matters are not covered by the Bill.

SUBDIVISION D--PROCEDURES OF THE INDEPENDENT ADVISORY COUNCIL

Clause 36 Who presides at meetings

The Chair will preside at all meetings she or he attends (subclause 36(1)). In the Chair's absence, the Deputy Chair will preside (subclause 36(2)) or otherwise the members will elect a member to preside (subclause 36(3)).

Clause 37 Regulations may provide for other procedural matters

This clause provides that the regulations may prescribe matters relating to the operation and procedures of the Council, including by allowing the Council to determine its own procedures.

DIVISION 4--FUNCTIONS OF CHIEF EXECUTIVE MEDICARE

Clause 38 Registered repository operator

The Medicare program, which is part of the Department of Human Services, holds a range of health information that consumers may wish to include in their PCEHR.
This information includes Medicare Benefits Schedule (MBS) claiming history, Pharmaceutical Benefits Scheme (PBS) claiming history, Australian Organ Donor Register (AODR) details and Australian Childhood Immunisation Register (ACIR) information. While the information may lack the clinical richness of information uploaded by treating healthcare providers, it nevertheless provides a longitudinal source of information about a consumer's healthcare events. Clause 38 will allow the holder of the Medicare information - that is, the Chief Executive Medicare - to make this information available to the PCEHR system where a consumer consents to the information being included in her or his PCEHR.

A new function is conferred on the Chief Executive Medicare to apply to be a registered repository operator and, if registered, to operate a repository for PCEHR purposes (subclause 38(1)). The Chief Executive Medicare must meet the same eligibility requirements as other applicants wishing to become registered repository operators, and the final decision on whether to register the Chief Executive Medicare will rest with the System Operator. If the Chief Executive Medicare becomes a registered repository operator, the Chief Executive Medicare may upload any health information it holds about a registered consumer to that repository (paragraph 38(2)(a)). Where a consumer consents to including the health information in his or her PCEHR, the Chief Executive Medicare may then make the information available to the System Operator (paragraph 38(2)(b)).

It is intended that the Chief Executive Medicare will establish a PCEHR-specific repository which is separate to existing repositories of Medicare program data. Obligations under the PCEHR Bill will apply to the PCEHR repository operated by the Chief Executive Medicare but not to other Medicare program repositories. It is from this PCEHR-specific repository that Medicare program information will be made available through the PCEHR system to consumers and their healthcare providers. Other functions may be delegated to the Chief Executive Medicare under clause 98.

PART 3--REGISTRATION

Participation in the PCEHR system will involve a registration process to ensure eligibility criteria are met, the identity of consumers and other participants is verified and that necessary technical, security and administrative criteria are in place. The provisions set out in the Bill have been developed to support an easy, streamlined registration process as proposed by the Concept of Operations. Part 3 of the Bill sets out the eligibility criteria for registration of consumers and each type of participant, requirements for registration, the obligations of the System Operator in the registration process and the obligations of consumers and participants for the duration of their participation.
Failure to meet the prescribed requirements and terms and conditions may result in the suspension or cancellation of registration and/or other sanctions. DIVISION 1--REGISTERING CONSUMERS From the date the Bill commences, Australians and other healthcare consumers in Australia may be eligible to register for a PCEHR. These individual are referred to in the Bill as consumers. Clause 39 Consumers may apply for registration Registration is entirely voluntary and consumers who choose not to register for a PCEHR will continue to be able to access healthcare services, and medical benefits in accordance with current eligibility criteria. If a consumer chooses to apply for registration, they will need to make an application to the PCEHR System Operator (subclause 39(1)). The System Operator will determine the manner in which applications must be made, including the information that must be provided and how applications are to be made (subclause 39(2)). 21


It is envisaged that applications will be able to be made using a variety of channels, including online, via Medicare branded shopfronts, over the phone and by post. Assistance will be available for those that need help registering.

Clause 40 When a consumer is eligible for registration

In order to register for a PCEHR, a consumer must have a healthcare identifier issued under the HI Act (paragraph 40(a)). In practice, the healthcare identifier must be verified by the Healthcare Identifiers Service (`HI Service'), which means that the HI Service Operator needs to verify the identity of the consumer to whom the healthcare identifier has been assigned - see paragraph 41(1)(c).

The consumer must provide to the System Operator her or his:
· full name (paragraph 40(b)(i));
· date of birth (paragraph 40(b)(ii));
· healthcare identifier or Medicare number or Department of Veterans' Affairs file number (paragraph 40(b)(iii)); and
· sex (paragraph 40(b)(iv)).

This information is necessary for the System Operator to locate the healthcare identifier for the consumer, and to verify the identity of the consumer under paragraph 41(1)(c). The consumer must also provide to the System Operator any other information that is set out in the regulations (paragraph 40(b)(v)).

Pseudonyms

Pseudonyms are used when seeking healthcare in special circumstances, such as:
· witness protection;
· where individuals seek to quarantine certain types of treatment from other healthcare information. For example, a person may seek treatment for a sexually transmitted infection using a pseudonym so that the resulting information is not tied to their true identity;
· where individuals fear exposure due to the public nature of their work; and
· where individuals fear being traceable when escaping family violence.

Such arrangements will continue to be available under the PCEHR system, and a person may register for a PCEHR using a pseudonym. However, in order to register for a PCEHR using a pseudonym, the person must first obtain a pseudonymous healthcare identifier from the HI Service. Subclause 109(5) permits PCEHR Rules to be made which modify provisions of the Bill, including clause 40, if this is necessary to permit registration for a PCEHR using a pseudonym.

A person will be able to register for a PCEHR in respect of their true identity and separately register for a PCEHR in respect of their pseudonymous identity. These PCEHRs will not be connected in any manner, and the information contained in each PCEHR will depend on the identity used by the consumer at the time of receiving healthcare.
Clause 41 Registration of a consumer by the System Operator

If a consumer has made an application under clause 39, and is eligible to be registered under clause 40, the System Operator is required to decide whether to register the consumer. The System Operator must be satisfied that:
· the consumer's identity has been appropriately verified, having regard to any matters set out in the PCEHR Rules (paragraph 40(b));
· registration of the consumer will not compromise the security or integrity of the PCEHR system, having regard to any matters set out in the PCEHR Rules (subclause 41(2)); and
· the consumer has consented to healthcare providers uploading health information to the consumer's PCEHR subject to the conditions described below (subclause 41(3)).

Consent

Personal control of a consumer's PCEHR is one of the central elements of the PCEHR system. Subclauses 41(3) and (4) are designed to balance the desire for consumers to be able to exercise personal control with the need for uploading arrangements to be administratively simple and efficient for healthcare providers.

Subclause 41(3) means that, in order to be registered, consumers will need to give a "standing" consent to allow treating healthcare providers to upload health information about them to their PCEHR. This consent will continue to apply unless:
· the consumer expressly advises their healthcare provider not to upload a particular record, all records or a class of records (paragraph 41(3)(a)); or
· a law of a State or Territory has been prescribed in the regulations and that State or Territory law would, as a result, prohibit or otherwise restrict the uploading of the record (paragraph 41(3)(b) and subclause 41(4)).

Paragraph 41(3)(b) and subclause 41(4) are designed to ensure that state and territory requirements can be preserved in relation to the disclosure and uploading of certain health information, such as in connection with HIV and other notifiable diseases. As noted above, such state and territory laws (or provisions of such laws) must be prescribed in the regulations. Where a state or territory law has been prescribed in accordance with paragraph 41(3)(b) and subclause 41(4), healthcare providers must not upload a record unless they meet the requirements in the prescribed laws.

It is envisaged that one or more of the following provisions of state and territory laws may be prescribed:
· sections 110 and 111 of the Public Health Act 1997 (ACT);
· section 17 of the Health Records and Information Privacy Act 2010 (NSW);
· section 29 of the Notifiable Diseases Act (NT);
· section 77 and subsection 79(b) of the Public Health Act 2005 (Qld);
· section 42 of the Public and Environmental Health Act 1987 (SA);
· sections 61 and 147 of the Public Health Act 1997 (Tas);
· subsections 141(2) and (3) of the Health Services Act 1988 (Vic); and
· section 314 of the Health Act 1911 (WA).

If the PCEHR System Operator decides to register a consumer, the System Operator is required to enter the prescribed information in the Register (see Part 3 of Division 5). If the System Operator decides not to register a consumer, the consumer may request a review of that decision (see clause 97).
Access controls

When a consumer registers, she or he can choose to set advanced access controls in relation to which healthcare provider organisations may access their PCEHR. It is proposed that an online tutorial and other assistance will be available to help consumers wishing to implement advanced access controls. Default settings will apply where a consumer chooses not to set advanced controls. It is proposed that the default access controls will allow any healthcare provider organisation providing care to the consumer to access the consumer's PCEHR. Consumers will be able to choose whether any other persons can access the PCEHR as nominated representatives.

DIVISION 2--REGISTERING HEALTHCARE PROVIDER ORGANISATIONS

From the date the Bill commences, healthcare provider organisations in Australia may be eligible to register to participate in the PCEHR system. Participation will enable healthcare providers and organisations to access, and upload, their registered patients' health information in accordance with consumer consent and the authorisations specified in the Bill. Participation by healthcare provider organisations is voluntary.

The legislation provides for minimum requirements applicable to registered healthcare provider organisations to ensure a consistently high standard of security and integrity for the PCEHR system. Additional requirements may be specified in PCEHR Rules or in regulations. Failure to meet these requirements may undermine the security and integrity of the PCEHR system so the legislation provides that certain actions may be taken where this occurs.

Clause 42 Healthcare provider organisation may apply for registration

If a healthcare provider organisation chooses to register, the organisation must make an application to the PCEHR System Operator (subclause 42(1)). The System Operator will determine the manner in which applications must be made, including the information that must be provided and how applications are to be made (subclause 42(2)). It is proposed that applications will be able to be made using a variety of channels, including online, over the phone or at branded shopfronts.

A registered healthcare provider organisation will have the ability to authorise persons within the organisation to use the PCEHR system. The registered organisation may authorise individual healthcare providers, administrative and other support staff, trainees (including medical students) and contractors as users of the PCEHR system (clause 99). Clause 74 imposes an obligation on registered organisations regarding the identification of authorised users when those users access the PCEHR system.

Clause 43 When a healthcare provider organisation is eligible for registration

In order to be eligible to register, a healthcare provider organisation must:
· have a healthcare identifier issued under the HI Act (paragraph 43(a));
· comply with any requirements set out in the PCEHR Rules (paragraph 43(b)). The PCEHR Rules may include technical and security requirements;
· agree to the conditions imposed on the healthcare provider organisation by the System Operator under subclause 44(3) (paragraph 43(c)).

If at any time a registered healthcare provider organisation ceases to meet these eligibility criteria, it must notify the System Operator in writing within 14 days (see clause 76). Failure to do so may result in action being taken against the healthcare provider organisation, including the imposition of a penalty.

Clause 44 Registration of a healthcare provider organisation

If a healthcare provider organisation has made an application as required by clause 42, and is eligible to be registered under clause 43, the System Operator must decide whether to register the healthcare provider organisation (subclause 44(1)). The System Operator must be satisfied that registration of the healthcare provider organisation will not compromise the security or integrity of the system, having regard to any matters set out in the PCEHR Rules (subclause 44(2)).

If the PCEHR System Operator decides to register a healthcare provider organisation, the System Operator is required to enter the prescribed information in the Register (see Part 3 of Division 5). The System Operator may impose conditions on the registration of healthcare provider organisations (subclause 44(3)). Healthcare provider organisations may seek a review of any conditions imposed (see clause 97). If the System Operator decides not to register a healthcare provider organisation, the healthcare provider organisation can request a review of that decision (see clause 97).

Clause 45 Condition of registration--uploading of records, etc.

This clause prescribes statutory conditions that apply to the registration of healthcare provider organisations in relation to the uploading of records. Failure to comply with these conditions at any time while the healthcare provider organisation is registered may result in the System Operator suspending or cancelling the registration of the healthcare provider organisation.

The conditions set out in clause 45 apply only to registered healthcare provider organisations in relation to dealings with the PCEHR records and interactions with the PCEHR system. These conditions will not otherwise apply. For example, a healthcare provider who is employed by a registered healthcare provider organisation need not meet these conditions when dealing with a consumer who does not have a PCEHR.

A registered healthcare provider organisation must not:
· upload information for the purposes of the PCEHR other than to a repository in respect of which a repository operator is registered or the National Repositories Service (paragraph 45(a)). This condition ensures that information to be used in the PCEHR system is retained in repositories which participate in the PCEHR system, can be retrieved via the PCEHR system and is protected by the security and privacy measures of the PCEHR system;
· upload a record which is claimed to be a shared health summary if it is not (subparagraph 45(b)(i)) or upload a record of a kind specified in the PCEHR Rules unless it has been prepared by a healthcare provider with a healthcare identifier (subparagraph 45(b)(ii)). This condition, together with the PCEHR Rules, ensures that only nominated healthcare providers can author shared health summaries and that all other records uploaded by registered healthcare provider organisations are appropriately authored;
· upload information which would constitute an infringement of copyright or the moral rights of the author of the record (paragraph 45(c)). This condition means that an organisation can only upload information produced by that organisation, or that the organisation has permission to upload, and avoids affecting the intellectual property rights or moral rights of another provider who may or may not be participating in the PCEHR system. It is proposed that participation agreements, which will be established between the System Operator and registered healthcare provider organisations, will license copying and subsequent use of uploaded materials; or
· upload a record about a registered consumer if the consumer has advised the healthcare provider organisation that the record is not to be uploaded (paragraph 45(d)). This recognises the standing consent granted by consumers upon registration which can be overridden on the consumer's advice or in respect of certain health information which is subject to prescribed state and territory laws regarding consent (see paragraph 41(1)(c) and subclauses 41(3) and (4)).

It is important to note that the uploading of information to the PCEHR system is not limited to healthcare providers. Any employee of a registered healthcare provider organisation who is authorised to use the PCEHR system on behalf of the organisation can upload information to the PCEHR system. Further, nothing in this Bill forces or compels a healthcare provider to upload records or information to the PCEHR system if, in the opinion of the healthcare provider, it is not appropriate to upload the information or record.

Intellectual property

Intellectual property rights may subsist in health records. In practice, the condition at paragraph 45(c) means that healthcare providers, or other authorised users within a registered healthcare provider organisation such as administrative staff, must not upload a record unless the organisation owns any copyright in that record or has obtained permission from the owner of the copyright in the record. An organisation will therefore need to determine the intellectual property status of a record before permitting the record to be uploaded to a PCEHR repository or the National Repositories Service.

The condition at subclause 45(d) and any contractual licence will apply only in relation to information to be accessible through the PCEHR system. A registered healthcare provider organisation is not subject to these arrangements when dealing with the record of a consumer who does not have a PCEHR or who has advised that she or he does not want that particular record to be uploaded to their PCEHR.

Clause 46 Condition of registration--non-discrimination in providing healthcare to a consumer who does not have a PCEHR etc.

This clause prescribes statutory conditions which apply to the registration of healthcare provider organisations in relation to non-discriminatory treatment of consumers. Failure to comply with these conditions at any time while the healthcare provider organisation is registered may result in the System Operator suspending or cancelling the registration of the healthcare provider organisation, or in other action.
A registered healthcare provider organisation must not refuse to treat a consumer or otherwise discriminate against the consumer if the consumer does not have a PCEHR (subclause 46(1)) or, if the consumer has a PCEHR, the consumer has set particular access controls such as not permitting the treating healthcare provider to access the PCEHR or certain information in the PCEHR (subclause 46(2)). These conditions help ensure that participation in the PCEHR system does not affect a consumer's entitlement to healthcare.

DIVISION 3--REGISTERING REPOSITORY OPERATORS, PORTAL OPERATORS AND CONTRACTED SERVICE PROVIDERS

The PCEHR system will draw upon information held in repositories around Australia (including the National Repositories Service as described in paragraph 15(h)), operated by a mix of private and public sector organisations, to provide a summary view of a consumer's key health information. Repositories are crucial for the operation of the PCEHR system and they will be subject to stringent requirements. If an entity that operates a repository (`repository operator') chooses to participate in the PCEHR system, it will need to apply to the PCEHR System Operator to register as a PCEHR repository operator (clause 47).

Numerous conduits will be available to access the PCEHR system. The primary conduits will be electronic interfaces known as portals. Portals will allow consumers to register for a PCEHR, access their PCEHR and manage its access settings, and access general PCEHR system information and support services. Similarly, portals will allow healthcare providers to access consumers' PCEHRs (subject to consumer consent) and access general PCEHR system information and support services. Portals will be subject to stringent requirements given their key role in the PCEHR system. If an entity that operates a portal (`portal operator') chooses to participate in the PCEHR system it will need to apply to the PCEHR System Operator to register as a PCEHR portal operator (clause 47).

Some healthcare provider organisations may choose to use a third party service provider to deliver health information software as a service and facilitate access to the PCEHR system on the organisation's behalf. These service providers are referred to as contracted service providers. An example of a contracted service provider might include a vendor that offers web-based general practice or aged care software as a service. Contracted service providers can choose to register as PCEHR contracted service providers (clause 47).

The legislation provides for minimum requirements to apply to registered repository operators, portal operators and contracted service providers to ensure a consistently high standard of security and integrity for the PCEHR system. Failure to meet the requirements may undermine the security or integrity of the PCEHR system so the legislation provides for action to be taken where an entity fails to meet its PCEHR obligations.

From the date the Bill commences, repository operators, portal operators and contracted service providers may be eligible to register to participate in the PCEHR system.
Participation by these entities will facilitate use of, and access to, the PCEHR system by registered healthcare provider organisations and registered consumers. Participation by repository operators, portal operators and contracted service providers is voluntary. The Bill applies to Australia and its external territories so repository operators, portal operators and contracted service providers situated in those locations may apply for registration.

Clause 47 Persons may apply for registration as a repository operator, a portal operator or a contracted service provider

If a repository operator, portal operator or contracted service provider chooses to participate, the operator or provider must make an application to the PCEHR System Operator (subclause 47(1)). In respect of repository operators, an application will need to specify the repository or repositories to which the application relates (subclause 47(2)).

Clause 48 When a person is eligible for registration as a repository operator, a portal operator or a contracted service provider

In order to be eligible to register, the repository operator, portal operator or contracted service provider must meet certain criteria.

Repository operators

A repository operator is eligible to be registered if:
· it complies with any requirements set out in the PCEHR Rules (paragraph 48(a)). The PCEHR Rules specify technical or security requirements;
· it agrees to the conditions imposed on the repository operator by the System Operator under subclause 49(3) (paragraph 48(b));
· the central management and control of the repository operator is located in Australia throughout the period of the operator's registration (paragraph 48(c)). This means that, for a repository operator that is a company, it will be necessary that its directors' meetings and the day-to-day executive thinking and strategic decision-making generally occur within Australia and not overseas. This requirement is designed to ensure that the repository operator will remain subject to Australian law for its duration as a registered repository operator and, as such, can be held accountable and, if necessary, penalised for its actions. This requirement does not preclude consumers from accessing their PCEHR when they are travelling overseas; and
· if the repository operator is a state or territory authority or an instrumentality of a state or territory authority that is not subject to a designated privacy law, the operator will need to be prescribed under section 6F of the Privacy Act (paragraph 48(d)). This is to ensure that the National Privacy Principles under the Privacy Act apply to that operator. The Privacy Act will apply to Commonwealth and private sector repository operators whereas state and territory health privacy laws will apply to state and territory public sector repository operators in those states and territories that are bound by a designated privacy law.

Portal operators

A portal operator is eligible to be registered if:
· it complies with any requirements set out in the PCEHR Rules (paragraph 48(a)). The PCEHR Rules may specify technical and security requirements;
· it agrees to the conditions imposed on the portal operator by the System Operator under subclause 49(3) (paragraph 48(b));
· the central management and control of the portal operator is located in Australia throughout the period of the operator's registration (paragraph 48(c)). This means that, for a portal operator that is a company, it will be necessary that its directors' meetings and the day-to-day executive thinking and strategic decision-making generally occur within Australia and not overseas. This requirement is designed to ensure that the portal operator will remain subject to Australian law for its duration as a registered portal operator and, as such, can be held accountable and, if necessary, penalised for its actions. This requirement does not preclude consumers from accessing their PCEHR when they are travelling overseas; and
· if the portal operator is a state or territory authority or an instrumentality of a state or territory authority that is not subject to a designated privacy law, the operator will need to be prescribed under section 6F of the Privacy Act (paragraph 48(d)). This is to ensure that the National Privacy Principles under the Privacy Act apply to that operator. The Privacy Act will apply to Commonwealth and private sector portal operators whereas state and territory health privacy laws will apply to state and territory public sector portal operators in those states and territories that are bound by a designated privacy law.

Contracted service providers

A contracted service provider is eligible to be registered if:
· it complies with any requirements set out in the PCEHR Rules (paragraph 48(a)). The PCEHR Rules may specify technical and security requirements; and
· it agrees to the conditions imposed on the contracted service provider by the System Operator under subclause 49(3) (paragraph 48(b)).

A registered contracted service provider may not store information relating to the PCEHR system unless it is also registered as a repository operator.

If at any time a registered repository operator, registered portal operator or registered contracted service provider ceases to meet these eligibility criteria, it must notify the System Operator in writing within 14 days (see clause 76). Failure to do so may result in action being taken against the operator or provider, including the imposition of a penalty.

Clause 49 Registration of a repository operator, a portal operator or a contracted service provider

If a repository operator, portal operator or contracted service provider has made an application under clause 47, and is eligible to be registered under clause 48, the System Operator must decide whether to register the repository operator, portal operator or contracted service provider (subclause 49(1)). The System Operator must be satisfied that registration of the repository operator, portal operator or contracted service provider will not compromise the security or integrity of the PCEHR system, having regard to any matters set out in the PCEHR Rules (subclause 49(2)).

If the PCEHR System Operator decides to register the repository operator, portal operator or contracted service provider, the System Operator is required to enter the prescribed information in the Register (see Part 3 of Division 5). The System Operator may impose conditions on the registration of the repository operator, portal operator or contracted service provider (subclause 49(3)). A repository operator, portal operator or contracted service provider may seek a review of any conditions imposed (see clause 97).

In respect of registering a repository operator, the System Operator must identify the repositories to which the registration relates (subclause 49(4)). This takes into account the fact that a repository operator may operate a number of repositories, some for PCEHR purposes and some for other purposes.

In practice, when the System Operator registers a repository operator, portal operator or contracted service provider it will allocate unique identifiers to each entity for system operations and audit purposes, allowing the System Operator to identify where information is stored and which entity has taken particular actions. This mimics the arrangements in place for using healthcare identifiers to identify healthcare provider organisations, healthcare providers and consumers.

If the System Operator decides not to register the repository operator, portal operator or contracted service provider, the repository operator, portal operator or contracted service provider can request a review of that decision (see clause 97).

Clause 50 Condition about provision of information to System Operator

This clause prescribes a statutory condition which applies to the registration of repository operators, portal operators and contracted service providers. If the System Operator requests PCEHR information from a registered repository operator, registered portal operator or registered contracted service provider, that entity must provide the System Operator with that information.

Under the PCEHR system, information about a consumer will potentially be held by a range of participants in the PCEHR system. For example, information might be held in multiple repositories across different states and territories. Where a request is made to the System Operator for the disclosure of information (such as for the provision of healthcare to a consumer), the System Operator needs to be able to direct participants in the system to supply information about the consumer to the System Operator so it can be made available to the treating healthcare provider. This clause gives the System Operator the power to require the provision of information so the PCEHR system can operate as intended.

Example: An individual is unconscious and in need of immediate medical treatment. A doctor in the emergency department of the hospital treating the individual accesses the PCEHR system, via a registered portal operator. The doctor confirms that the individual has a PCEHR and asserts that an emergency exists. The doctor is authorised to collect, use and disclose the individual's health information under clause 64. The System Operator directs various repository operators to provide information relating to the individual. Under clause 50, the registered repository operators must disclose the individual's information to the System Operator. Registered repository operators are authorised to disclose the information under clause 64. The System Operator then provides the information to the healthcare provider, via the registered portal operator. Both the System Operator and registered portal operator are authorised to disclose the information under clause 64.
Division 2 of Part 4 authorises participants in the PCEHR system to collect, use and disclose information for certain authorised purposes; however, it does not require that participants provide the information when it is needed. This is why clause 50 is required.

Failure to comply with this condition at any time while the repository operator, portal operator or contracted service provider is registered may result in the System Operator suspending or cancelling its registration, or other action being taken.

DIVISION 4--CANCELLATION, SUSPENSION AND VARIATION OF REGISTRATION

This Division supports the voluntary participation in the PCEHR system by consumers and participants and the role of the System Operator in protecting the security and integrity of the PCEHR system. Registered consumers and registered participants may withdraw from the PCEHR system, or suspend their participation in the PCEHR system, at any time. Alternatively, the System Operator may cancel or suspend the registration of a consumer or participant if the consumer or participant is no longer eligible to be registered or has contravened the Bill. The Bill also allows for the variation of a registration.

Clause 51 Cancellation or suspension of registration

There are several circumstances in which the System Operator may or must cancel or suspend the registration of a consumer or participant.

The System Operator must cancel or suspend the registration of a consumer if the consumer makes such a request in writing (subclause 51(1)).

The System Operator may cancel or suspend the registration of:
· a consumer if the System Operator is no longer satisfied that a registered consumer meets the eligibility criteria set out in clause 40 (subclause 51(2));

Example: A consumer might be registered after fraudulently asserting an identity that is not their true identity. In these circumstances, the System Operator would cancel the consumer's registration. This would not preclude the consumer from registering with their true identity.

· a participant if the System Operator is no longer satisfied that a registered participant meets the applicable eligibility criteria set out in clause 43 or 48 (paragraph 51(3)(a)). The System Operator may determine that the participant is no longer eligible either through investigation or upon notice by the participant (see clause 76);
· a participant if the System Operator is satisfied that a registered participant has contravened this Bill or a condition imposed by the System Operator under subclause 44(3) or 49(3), or no longer meets the applicable eligibility criteria set out in clause 43 or clause 48 (subparagraph 51(3)(b)(i));
· a participant if the System Operator is satisfied that it is reasonably necessary to prevent a contravention of this Bill or the conditions imposed by the System Operator (subparagraph 51(3)(b)(ii)). This is intended to allow pre-emptive action by the System Operator, where necessary; or
· a participant if the System Operator is satisfied that it is appropriate to protect the security and integrity of the PCEHR system (subparagraph 51(3)(b)(iii)).
Where the System Operator is investigating whether a consumer or participant is eligible to be registered, or whether the participant has contravened this Bill or a condition of its registration, the System Operator may suspend the registration of the consumer or participant (subclauses 51(4) and (5)). This recognises that in some circumstances continued registration, even for a short period, may compromise the security or integrity of the PCEHR system. The System Operator must notify the consumer or participant in writing of this interim suspension. The System Operator must cancel or suspend the registration of a consumer upon the death of the registered consumer (subclause 51(6)). In practice, the Healthcare Identifiers service operator will notify the System Operator about the death of a consumer. If the System Operator cancels or suspends a registration, it will take effect either on the date the System Operator makes that decision or, if it is in response to a request, at the time specified by the request (subclause 51(7)). Clause 52 Variation of registration In addition to cancelling or suspending the registration of a consumer or participant, the System Operator may vary the registration of a consumer or participant. Such a variation may involve imposing conditions, changing or removing conditions, correcting a mistake or including missing information in the registration (paragraphs 52(1)(a), (b) and (d)). The System Operator may, in addition to the matters described above, vary the registration of a repository operator in relation to the repositories to which the registration relates (paragraph 52(1)(c)) - for example, where an operator acquires or disposes of a repositories while it is registered. It is envisaged that the System Operator would generally not refuse to vary a registration, if requested to do so, providing that the variation would not adversely affect the operation, integrity or security of the PCEHR system. 
Any variation decision will take effect either on the date the System Operator makes the decision or, if it is in response to a request, at the time specified by the request.

Clause 53 Notice of cancellation, suspension or variation of registration etc.

Where the System Operator decides to cancel or suspend a registration for reasons of ineligibility or contravention of the Bill or a condition (under subclauses 51(2), (4), (5) or (4)), or decides to vary a registration under clause 52, the System Operator must notify the consumer or participant in writing (subclause 53(1)).

In urgent circumstances, the System Operator may consider it appropriate to suspend, cancel or vary a registration immediately (subclause 53(4)). For example, the System Operator may find that allowing a registration to remain in force any longer may compromise the security or integrity of the PCEHR system. The System Operator must notify the consumer or participant in writing, and the suspension, cancellation or variation will have effect on the date the consumer or participant receives the notice or at a later time specified in the notice (subclause 53(5)).

In notifying a consumer or participant, the System Operator must provide information about the reasons for the System Operator's decision to suspend, cancel or vary the registration (paragraph 53(2)(a)) and, except in the urgent circumstances described above (subclause 53(4)), must invite the participant to make a submission to the System Operator regarding the decision within a specified period (paragraph 53(2)(c)). In the case of a contravention or breach of registration, the System Operator may include in this notice steps to be taken to address those circumstances (paragraph 53(2)(b)).

Clause 54 Effect of suspension

Clause 54 sets out the effects of suspension of registration. In summary, the authorisations to collect, use and disclose information under Division 2 of Part 4 of the Bill cease to operate during suspension. There are two exceptions to this: emergency access to a consumer's PCEHR will still be available under subclause 64(1), and participants in the PCEHR system are able to collect, use and disclose information where directed by the System Operator - for example, as part of an investigation (clauses 54, 63 and 64). Other PCEHR requirements on participants - for example, security obligations - will continue despite the suspension.

Clause 55 PCEHR Rules may specify requirements after registration is cancelled or suspended

Although the Bill will generally not apply to consumers or participants after their registration has been cancelled or suspended, in some cases it is anticipated that particular restrictions may need to apply, particularly in respect of repository operators given the PCEHR information they hold. The System Operator may also need to be under certain obligations after the cancellation or suspension of a consumer's or participant's registration. These restrictions and obligations may be specified in the PCEHR Rules (subclause 55(1)); however, these Rules cannot modify clause 54, which specifies the effects of the suspension of a consumer's or participant's registration (subclause 55(2)). The PCEHR Rules may set out requirements relating to the treatment of PCEHRs or other records (subclause 55(3)).
For example, the PCEHR Rules may require a previously registered repository operator to treat records which were accessible via the PCEHR system in a particular manner to ensure the ongoing security of those records.

DIVISION 5--THE REGISTER

This Division provides for the establishment and maintenance of the Register by the System Operator. The Register will include information associated with the registration of consumers and participants, details about consumers' access control settings and any decisions regarding the suspension, variation and cancellation of a registration. The Register will contain the minimum information necessary to identify consumers and participants in the PCEHR system, and enable the effective operation of the PCEHR system. The Register will not contain any health records. The System Operator is responsible for ensuring appropriate details are recorded in the Register.

Clause 56 The Register

The System Operator is required to establish and maintain a Register (subclause 56(1)). It may be in electronic form and may comprise separate parts (subclause 56(2)) - for example, one part may include registration details and another part may contain access control settings.


Given the purpose of the Register, and the nature of information to be stored within it, it is not considered to be a legislative instrument and will not be subject to the Legislative Instruments Act 2003 (subclause 56(3)).

Clause 57 Entries to be made in Register

The System Operator is required to enter certain information into the Register. When the System Operator decides to register a consumer or participant, or cancel, vary or suspend a registration, the System Operator must enter into the Register enough administrative information about those decisions to support the operation of the system (which may include personal information) and any other information which is specified in the PCEHR Rules.

DIVISION 6--INFORMATION USE AND DISCLOSURE FOR IDENTITY VERIFICATION

Clause 58 Identifying information may be used and disclosed

The PCEHR system will use trusted data sources to verify the identities of consumers and healthcare provider organisations for the purposes of registration and operation of the PCEHR system. The Chief Executive Medicare and the Departments of Human Services, Veterans' Affairs and Defence are authorised:
· to use identifying information about a consumer or healthcare provider organisation, or disclose identifying information about a consumer or healthcare provider organisation to the System Operator, for the verification of identities as part of a PCEHR registration process (subclause 58(1)). This authorisation will only apply if the consumer or healthcare provider organisation has applied for registration (paragraph 58(1)(a));
· to use identifying information about a consumer or healthcare provider, or disclose identifying information about a consumer or healthcare provider to the System Operator, for the verification of identities associated with the operation of the PCEHR system by the System Operator (subclause 58(2)).
This subclause enables the System Operator to use identifying information to carry out the day-to-day functions necessary for the PCEHR system to operate, such as verifying the identities of persons and organisations accessing the system to ensure they are authorised to access a particular PCEHR; or
· to use identifying information about a consumer, or disclose identifying information about a consumer to the System Operator, for the verification of identities as part of the registration process when it is initiated by authorised representatives or nominated representatives (subclause 58(3)). This authorisation will only apply if an authorised representative or nominated representative with sufficient authority has applied for registration of a consumer (paragraph 58(3)(a)).

If at any time the Chief Executive Medicare, or the Departments of Human Services, Veterans' Affairs or Defence, becomes aware that the identifying information that has been provided to the System Operator has changed, they must notify the System Operator (subclause 58(2)). This ensures that the System Operator has and uses the most up-to-date information for verification system operations.

The authorisations under this clause enable the System Operator to leverage existing government-stored information as part of the operation of the PCEHR system, providing for a more streamlined process than would otherwise be possible if this existing information was not available.

PART 4--COLLECTION, USE AND DISCLOSURE OF HEALTH INFORMATION INCLUDED IN A REGISTERED CONSUMER'S PCEHR

The Bill leverages existing privacy and health information laws where possible. Instead of overriding existing local privacy laws, the Bill will generally allow those existing laws to operate wherever they are not inconsistent with the Bill.

Overall, the Bill contains some key privacy protections, including:
· the ability for a consumer to control which healthcare provider organisations can access their information;
· closely defined limits on the reasons that information can be accessed outside of those controls;
· the ability to view an audit trail of all access to a consumer's PCEHR;
· penalties and other sanctions for unauthorised viewing of and access to records; and
· requirements to report data breaches.

Part 4 of the PCEHR Bill sets out the purposes for which information can and cannot be used, collected and disclosed, and allows for the imposition of civil penalties and other sanctions where these provisions are contravened.

Operation of other privacy and health information laws

In addition to the requirements in the PCEHR Bill, the System Operator will be subject to the Privacy Act and other participants of the PCEHR system will be subject to either the Privacy Act or a designated state or territory privacy law. For entities that are subject to the Privacy Act, this will allow, for example, the Information Commissioner to carry out investigations under the Privacy Act. Entities not subject to the Privacy Act will, in addition to the requirements in the PCEHR Bill, be subject to any local privacy or health information laws and the mechanisms that are available under those laws.

FOI laws

Documents in the possession of the Secretary as the PCEHR System Operator would be subject to the Freedom of Information Act 1982 (`FOI Act').
However, the FOI Act contains an exemption provision, the practical effect of which is that the personal information of individuals could be withheld from access to anyone except the individual concerned. The FOI Act defines personal information as "information or an opinion (including information forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained from the information or opinion". Health information contained in a consumer's PCEHR will fall within this definition.

Other categories of information, such as administrative or system operational information, contained in documents held by the Secretary as System Operator may or may not be subject to release under FOI, depending on whether they are exempt under the relevant provisions of the FOI Act.


Documents in the possession of other participants in the PCEHR system, such as registered portal operators and registered repository operators, would not be subject to the FOI Act as those bodies will not be Commonwealth agencies. Where such portal or repository operators are state or territory departments or authorities, state or territory freedom of information laws may apply. However, all state and territory FOI laws contain exceptions allowing the withholding of personal information along the lines of those in the FOI Act.

Rationale for civil penalties in the PCEHR Bill and the operation of existing laws and professional obligations in relation to unauthorised access to records

Existing criminal provisions in the Criminal Code Act 1995 (`Criminal Code'), together with a robust civil penalty regime in the Bill, are considered to provide an optimum set of sanctions that will have the ability to punish and deter misuse of the PCEHR system while encouraging participation.

The rationale for the civil, instead of criminal, penalty regime in the Bill reflects the fact that civil penalties for breaches of the PCEHR system have a number of significant advantages over criminal penalties. For example, it is easier to prove them because it is only necessary to prove that a breach occurred on the "balance of probabilities" rather than "beyond reasonable doubt". As civil penalties are easier to prove, this encourages enforcement of obligations under the PCEHR Bill and thus acts as a significant deterrent to misuse. The availability of civil penalties under the PCEHR Bill does not preclude the possibility that a person may also be criminally liable under existing criminal laws - for example, under the Criminal Code.
The civil pecuniary penalties specified in the Bill (120 penalty units for an individual) are the maximum penalty a court may impose on an individual for unauthorised viewing, disclosure, use, etc of one record in the PCEHR system (pursuant to the Acts Interpretation Act 1901, a penalty unit is currently defined by the Crimes Act 1914 to mean $110). The maximum penalty for bodies corporate is five times this level - that is, 600 penalty units - for unauthorised viewing, disclosure, use, etc of one record in the PCEHR system (see subclause 79(5)). The penalties in the Bill are set at several different levels to reflect the appropriate consequence for a breach of a particular civil penalty provision.

A person who accesses multiple PCEHRs without authorisation will be subject to multiple penalties. Depending on who accesses a record without authorisation, and how many PCEHRs are accessed, the maximum pecuniary penalty could be significantly higher than 120 penalty units for individuals and 600 penalty units for corporations.

Example: If a body corporate collects health information from the PCEHR system in a manner which is not authorised and that collection comprises 100 individual PCEHRs, the body corporate could potentially face a pecuniary penalty of up to $6,600,000.

An important element of the PCEHR system's legislative framework is that existing criminal penalties should continue to be available to reinforce the tight technical and security protections that will apply to protect information in the PCEHR system. The PCEHR Bill does not affect any existing criminal laws. Part 10.7 of the Criminal Code specifies criminal offences which involve the use of computer systems. The penalties for these offences range from two to 10 years imprisonment. The offences in Part 10.7 include:


· Clause 477.1: Unauthorised access, modification or impairment with intent to commit a serious offence - unauthorised use of computer technology to commit serious crimes;
· Clause 477.2: Unauthorised modification of data to cause impairment - the unauthorised modification of data on a computer that would impair access to, or the reliability, security or operation of, the data. For example, this offence would cover a person who uses the internet to infect a computer with malware;
· Clause 477.3: Unauthorised impairment of electronic communication - cyber attacks such as denial of service attacks, where a server is inundated with a large volume of data intended to impede or prevent its functioning;
· Clause 478.1: Unauthorised access to, or modification of, restricted data - unauthorised access to, or modification of, data held on a computer that is restricted by an access control system. For example, this offence would cover hacking into password protected data;
· Clause 478.3: Possession or control of data with intent to commit a computer offence - people who possess programs designed to hack into other people's computer systems or impair data or electronic communications. For example, this offence covers possessing a program which will enable the offender to launch a denial of service attack against an Australian Government agency's computer system; and
· Clause 478.4: Producing, supplying or obtaining data with intent to commit a computer offence - the production and/or supply of data to be used in a computer offence. This offence would cover people who trade botnets and malware.

One or more offences under Part 10.7 of the Criminal Code could potentially be committed where, for example, a person uses a computer system to hack into the PCEHR system.

Further, any breach of PCEHR system requirements or privacy obligations by a healthcare provider may have consequences for the provider under existing professional rules.
This Bill does not displace these existing obligations.

DIVISION 1--UNAUTHORISED COLLECTION, USE AND DISCLOSURE OF HEALTH INFORMATION INCLUDED IN A CONSUMER'S PCEHR

This Division imposes civil penalties for unauthorised collection, use and disclosure of health information included in a PCEHR. What amounts to an "authorised" collection, use or disclosure is specified in Division 2 of Part 4 of the PCEHR Bill.

Clause 59 Unauthorised collection, use and disclosure of health information included in a consumer's PCEHR

A person must not collect health information included in a consumer's PCEHR if the collection is not authorised and the person knows or is reckless as to that fact (subclause 59(1)). A contravention of subclause 59(1) may result in liability for an individual of up to 120 penalty units, or 600 penalty units for bodies corporate, per breach.

While subclause 59(1) is a civil penalty provision, it makes use of fault elements which are to be interpreted in the same manner as they are under the Criminal Code (subclause 92(2)). As a result, it will only be a contravention of the civil penalty provision in subclause 59(1) where a person knows they are not authorised to collect from the PCEHR system health information in a consumer's PCEHR, or is reckless as to whether or not they are authorised, but collects the information nonetheless.


The fault elements in this clause ensure that participants who inadvertently or mistakenly access a PCEHR do not contravene the provision. For example, if a healthcare provider accesses a PCEHR by mistake, they will not breach this provision and will not be liable for a civil penalty. Despite the fact that a civil penalty provision may not be established, because a fault element cannot be made out, it will still be open to the Information Commissioner to take action under the Privacy Act where there has been an unauthorised collection of health information (under Division 2 of Part 4) from a consumer's PCEHR (clause 73).

Subclause 59(2) provides that a person must not use or disclose health information included in a consumer's PCEHR if the information was obtained from the PCEHR system, the use or disclosure is not authorised under Division 2 of Part 4 and the person knows or is reckless as to that fact. As with subclause 59(1):
· the fault elements in this provision must be established to make out a contravention;
· if the fault elements cannot be established, clause 73 will ensure that any unauthorised collection, use or disclosure of information will still be subject to the mechanisms available under the Privacy Act despite the fact civil penalties will not be available; and
· a breach of subclause 59(2) may result in liability for an individual of up to 120 penalty units, or 600 penalty units for bodies corporate, per breach.

Clause 60 Secondary disclosures

Subclause 60(1) provides that a person must not use or disclose health information included in a consumer's PCEHR if the information was disclosed to the person in contravention of subclause 59(2) and the person knows that, or is reckless as to whether, the disclosure of the information to the person contravened subclause 59(2).
As with subclauses 59(1) and (2):
· the fault elements in clause 60 must be established to make out a contravention;
· if the fault elements cannot be established, clause 73 will ensure that any unauthorised collection, use or disclosure of information will still be subject to the mechanisms available under the Privacy Act despite the fact civil penalties will not be available; and
· a breach of subclause 59(2) may result in liability for an individual of up to 120 penalty units, or 600 penalty units for bodies corporate, per breach.

A person will not breach subclause 60(1), and will not be liable for a civil penalty, if the person discloses the information to an appropriate authority - for example, the Information Commissioner - to assist in an investigation of the initial contravention (subclause 60(2)).

DIVISION 2--AUTHORISED COLLECTION, USE AND DISCLOSURE

The PCEHR Bill creates a new and specific privacy regime in terms of authorising collections, uses and disclosures of health information in the PCEHR system. The collection, use and disclosure regime draws heavily on the use and disclosure provisions in the Privacy Act's National Privacy Principles. In a number of cases, the PCEHR Bill's regime is more restrictive than under similar provisions in the National Privacy Principles. This is a deliberate policy decision which reflects the fact that the PCEHR will create a new, relatively rich data source in relation to participating consumers and, as a result, deserves increased protections compared to existing laws.


The privacy regime established by the PCEHR Bill:
· is intended to cover the field in relation to:
  o the collection, use and disclosure of health information in or using the PCEHR system; and
  o prohibiting transborder information flows by the System Operator, repository and portal operators and contracted service providers (but not so as to prevent registered consumers outside Australia accessing their PCEHR);
· is not intended to cover the field in relation to:
  o the initial collection of health information - for example, by a healthcare provider from a consumer;
  o the collection, use or disclosure of health information outside the PCEHR system, or in a manner that does not use the PCEHR system, unless the contrary intention appears; and
  o privacy laws that deal with aspects other than the collection, use or disclosure of information - for example, laws in relation to data quality, data security and access and correction.

To the extent the regime under the PCEHR Bill does not exclude them, it is intended that existing laws and professional obligations would continue to apply in these circumstances. The PCEHR Bill does not regulate de-identified information as such information does not fall within the meaning of personal information or health information.

SUBDIVISION A--COLLECTION, USE AND DISCLOSURE IN ACCORDANCE WITH ACCESS CONTROLS

Subdivision A specifies the authorised collections, uses and disclosures of health information in a consumer's PCEHR in accordance with a consumer's access control settings.

Clause 61 Collection, use and disclosure for providing healthcare

All of the participants in the PCEHR system will be authorised to collect, use and disclose the health information in a consumer's PCEHR if it is for the purpose of providing healthcare to the registered consumer and is consistent with the consumer's access control settings (subclause 61(1)).
This clause enables participants in the PCEHR system to make health information in a consumer's PCEHR available to a treating healthcare provider when and where it is needed. For example, a registered repository operator will need to disclose clinical documents that form part of a consumer's PCEHR to the System Operator so that they can be provided to the treating healthcare provider. If that provider is connecting to the system using a portal service, the registered portal operator who operates the portal service will have a role in delivering the information to the healthcare provider.

The authorisation in subclause 61(1) does not extend to consumer-only notes entered by a consumer into their PCEHR (subclause 61(2)) and, as a result, treating healthcare providers will be unable to collect or use consumer-only notes. Despite this restriction, consumers will be able to enter certain other information into their PCEHR which will be accessible by their healthcare providers - for example, medications and allergies information. This information will not be described in consumers' PCEHRs as consumer-only notes and, as a result, subclause 61(2) will not prevent the collection, use or disclosure of that information (see the definition of consumer-only notes and subclause 61(2)).

Clause 62 Collection, use and disclosure to nominated representative

Clause 62 authorises participants in the PCEHR system to disclose, to a consumer's nominated representative, health information in a registered consumer's PCEHR in accordance with the consumer's access control settings. This authorisation ensures that, where a consumer wishes, nominated representatives in a caring role will be able to access the PCEHR of the consumer for whom they are the carer. This will help ensure that they have sufficient information about the healthcare of the consumer to provide appropriate support.

SUBDIVISION B--COLLECTION, USE AND DISCLOSURE OTHER THAN IN ACCORDANCE WITH ACCESS CONTROLS

Subdivision B specifies the authorised collections, uses and disclosures of health information in a consumer's PCEHR other than in accordance with a consumer's access control settings.

Clause 63 Collection, use or disclosure for management of PCEHR system

This clause authorises participants in the PCEHR system to collect, use and disclose health information included in a consumer's PCEHR if:
· the collection, use or disclosure is for the purpose of managing or operating the PCEHR system, and the consumer would reasonably expect the participant to collect, use or disclose the information for that purpose (paragraph 63(a)); or
· the collection, use or disclosure is undertaken in response to a request by the System Operator for the purpose of performing a function or exercising a power of the System Operator.
Clause 63 is intended, for example, to enable the entities working together to deliver the PCEHR system to:
· monitor and evaluate the operation of the PCEHR system, including to ascertain whether the anticipated benefits of the system are being realised;
· correct errors and omissions in PCEHRs; and
· investigate, resolve and report on system problems.

It is not envisaged that maintenance or reporting would usually require access to, or the use of, information within a PCEHR. In some circumstances, however, the System Operator may need to use and disclose health information to do these things.

Example: If a clinical document was accidentally linked to the wrong PCEHR there may be a need to exchange the contents of the document with the healthcare provider who uploaded it, or the repository operator who is storing it, to fix the linkage.


Clause 64 Collection, use and disclosure in the case of a serious threat

Subclause 64(1) authorises participants in the PCEHR system to collect, use and disclose health information included in a registered consumer's PCEHR in certain emergency situations - that is:
· where the participant reasonably believes that (paragraph 64(1)(a)):
  o the collection, use or disclosure is necessary to lessen or prevent a serious threat to an individual's life, health or safety; and
  o it is unreasonable or impracticable to obtain the consumer's consent to the collection, use or disclosure; and
· the participant advises the System Operator of the matters in paragraph 64(1)(a) (paragraph 64(1)(b)); and
· the collection, use or disclosure occurs not later than 5 days after the participant gives the advice in paragraph 64(1)(b) (paragraph 64(1)(c)).

In practice, what will usually occur is that where it is unreasonable or impracticable to gain a consumer's consent - for example, because the consumer is unconscious - and the consumer is facing a serious threat to their health, the treating healthcare provider will assert to the System Operator that emergency access is required to the consumer's PCEHR. The System Operator will then use the index service to obtain information in the consumer's PCEHR from other participants in the PCEHR system - for example, from registered repository operators and the National Repositories Service. The information will be disclosed to the treating healthcare provider. Emergency access will lapse 5 days after the healthcare provider asserted that emergency access was required. If the emergency situation is ongoing, and it is still unreasonable or impracticable to obtain the consumer's consent, the healthcare provider would be able to reassert that emergency access was required.

Example: A young man has arrived by ambulance at the emergency department of a hospital. He is unconscious and in a critical condition.
The treating healthcare provider checks the man's identification and uses this to see if he has a PCEHR. The healthcare provider discovers that the man does have a PCEHR and asserts to the System Operator, using the PCEHR system, that an emergency exists and access to the man's PCEHR is required. The System Operator coordinates the collection of health information in the man's PCEHR, which is then provided to the treating healthcare provider. The healthcare provider's access to the man's PCEHR automatically lapses 5 days later.

Participants in the PCEHR system are also authorised to collect, use and disclose health information in a consumer's PCEHR in circumstances where that information is needed to lessen or prevent a serious threat to public health or public safety (subclause 64(2)). This kind of access is anticipated to be used, for example, where a dangerous infection has been detected within a hospital and it is necessary to identify the source of the infection to prevent its spread. In this example, the PCEHRs of recent arrivals to the hospital may be accessed to assist in identifying the source of the infection.

The authorisations in clause 64 do not extend to consumer-only notes entered by a consumer in their PCEHR (subclause 64(3)). However, as explained above in relation to clause 61, certain other information (not being consumer-only notes) can be entered by consumers and this other information may be available to healthcare providers under the clause 64 authorisation.


All emergency access to consumers' PCEHRs, as with access under other authorisations, will be logged and subject to audit.

All health information in a consumer's PCEHR will generally be accessible under clause 64, regardless of a consumer's access control settings. The two exceptions to this are consumer-only notes (as discussed above) and information that has been `effectively removed' from their PCEHR. A document which has been `effectively removed', while it is not deleted for medico-legal reasons, would no longer be accessible in an emergency.

Clause 65 Collection, use and disclosure authorised by law

Subclause 65(1) authorises a participant in the PCEHR system to collect, use and disclose health information included in a consumer's PCEHR if the collection, use or disclosure is authorised by a Commonwealth, state or territory law (subclause 65(1)). Subclause 65(1) is subject to clause 69. This is intended to ensure that subpoenas, and other information gathering powers available under court rules, etc, do not permit the collection, use or disclosure of health information in a consumer's PCEHR in reliance on the authorised by law exception where the collection, use or disclosure of that information would not be authorised under clause 69.

The authorisation under subclause 65(1) does not extend to consumer-only notes entered by a consumer in their PCEHR (subclause 65(2)). However, as explained above, certain other information (not being consumer-only notes) can be entered by consumers. This other information may be available under the subclause 65(1) authorisation.

Clause 66 Collection, use or disclosure with consumer's consent

A participant in the PCEHR system is authorised to disclose for any purpose health information included in the consumer's PCEHR to the consumer (subclause 66(1)).
Under subclause 66(2), a participant in the PCEHR system may collect, use and disclose for any purpose health information included in a consumer's PCEHR with the consent of the consumer. These provisions reflect the policy position that PCEHRs should be personally controlled and thus provide that consumers are entitled to deal with the content of their PCEHR as they see fit, subject to other provisions of this Bill and other laws.

Where a consumer consents to her or his health information being used for research purposes, clause 66 will enable disclosure of the identified health information to the researcher. Unlike the position under the National Privacy Principles, the PCEHR Bill only permits the use of a consumer's identified health information for research where the consumer has consented. As noted above, this Bill does not regulate de-identified information.

Clause 67 Collection, use and disclosure by consumer

Further to clause 66, which provides for a participant in the PCEHR system to disclose health information in a consumer's PCEHR to the consumer, this clause provides that a consumer may collect, use and disclose, for any purpose, health information in his or her PCEHR.


Clause 68 Collection, use and disclosure for indemnity cover

Subclause 68(1) authorises participants in the PCEHR system to collect, use and disclose information included in a consumer's PCEHR for purposes relating to the provision of indemnity cover for a healthcare provider. This provision is intended to allow collection, use and disclosure for indemnity cover purposes regardless of whether the matter involves court or tribunal proceedings or is the subject of a complaint.

This authorisation in subclause 68(1) does not extend to consumer-only notes (subclause 68(2)). However, as explained above, certain other information (not being consumer-only notes) can be entered by consumers. This other information may be available under the clause 68 authorisation.

Clause 69 Disclosure to courts and tribunals

Clause 69 specifies the circumstances in which health information in a consumer's PCEHR may be collected, used and disclosed in response to subpoenas and other similar information gathering mechanisms, and in response to an order of a court or tribunal.
Subclause 69(1) provides that the System Operator must comply with an order to disclose health information in a consumer's PCEHR if:
· all of the following apply:
o a court or tribunal other than a coroner orders or directs the System Operator to disclose health information in a consumer's PCEHR to the court or tribunal (paragraph 69(1)(a)); and
o the order or direction is given in the course of proceedings relating to the PCEHR Bill, or unauthorised access to information through the PCEHR system (for example, in relation to proceedings under the Criminal Code where a person hacked into the PCEHR system) or for the provision of indemnity cover to a healthcare provider (paragraph 69(1)(b)); and
o apart from Part 4 of the PCEHR Bill, the System Operator would be required to comply with the order or direction (paragraph 69(1)(c)); or
· a coroner orders or directs the System Operator to disclose the information to the coroner (subclause 69(2)).

Except as mentioned in subclauses 69(1) and (2):
· a participant in the PCEHR system, or a consumer, cannot be required to disclose health information included in a consumer's PCEHR to a court or tribunal (subclause 69(3)); and
· the System Operator is not authorised to disclose health information included in a consumer's PCEHR to a court or tribunal unless the consumer consents (subclause 69(4)).

The authorisations in clause 69 do not extend to consumer-only notes entered by a consumer in their PCEHR (subclause 69(4)). However, as explained above, certain other information (not being consumer-only notes) can be entered by consumers. This other information may be available under the clause 69 authorisation.


The decision to restrict the ability of courts and tribunals to access health information contained in a consumer's PCEHR has been made for a range of policy reasons:
· the PCEHR system, by drawing together health information about a consumer from many different sources, will create a much richer data source about consumers than any existing system. This warrants additional protections, including placing some restrictions on access to health information in the PCEHR system by way of subpoenas and other orders of courts and tribunals. Registration by consumers in the PCEHR system is voluntary, and consumers do not want the PCEHR system to be a source of health information that can be accessed for any court or tribunal purpose;
· health information in the PCEHR system will be available from other sources. For example, healthcare providers' local clinical records systems will keep a copy of health information that is uploaded to the PCEHR system. Healthcare providers are also able to download copies of a consumer's PCEHR where authorised under Division 2 of Part 4 of the PCEHR Bill. Health information outside of the PCEHR system is subject to existing local laws and the provisions in the PCEHR Bill will not apply to the locally-held copy of the information or restrict access to such locally-held health information (see clause 71);
· the restrictions only apply to health information in a consumer's PCEHR. The restrictions under clause 69 would not prevent access to other information in the PCEHR system, for example, information about the operations of the PCEHR system generally; and
· the administrative burden on the System Operator of having to deal with unrestricted access to PCEHR-based health information by way of subpoena and other orders of courts and tribunals would likely be significant.

Clause 70 Disclosure for law enforcement purposes, etc.
Subclause 70(1) authorises the System Operator to use or disclose health information included in a consumer's PCEHR if the System Operator reasonably believes that the use or disclosure is reasonably necessary for one or more of the following things done by, or on behalf of, an enforcement body:
· the prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of certain other laws (paragraph 70(1)(a));
· the enforcement of laws relating to the confiscation of the proceeds of crime or the protection of public revenue (paragraphs 70(1)(b) and (c));
· the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct (paragraph 70(1)(d));
· the preparation for, or conduct of, proceedings before any court or tribunal, or the implementation of the orders of a court or tribunal (paragraph 70(1)(e)), subject to clause 69 (subclause 70(2)).

Subclause 70(3) authorises the System Operator to use or disclose health information in a consumer's PCEHR if the System Operator:
· has reason to suspect that unlawful activity that relates to the System Operator's functions has been, is being or may be engaged in; and
· reasonably believes that the use or disclosure of the information is necessary for the purposes of an investigation of the matter or in reporting concerns to the relevant persons or authorities.


The System Operator must make a written note of a use or disclosure of information under clause 70 (subclause 70(4)). The authorisation in clause 70 does not extend to consumer-only notes entered by a consumer into their PCEHR (subclause 70(5)). However, as explained above, certain other information (not being consumer-only notes) can be entered by consumers. This other information may be available under the clause 70 authorisation.

This authorisation is restricted to the System Operator who has a coordination and oversight role in the system. If part of the PCEHR is held by another participant in the system and this is also needed for an investigation, the System Operator can require the other participant to provide this (see clause 50).

DIVISION 3--PROHIBITIONS AND AUTHORISATIONS LIMITED TO PCEHR SYSTEM

Clause 71 Prohibitions and authorisations limited to health information collected by using the PCEHR system

The authorisations and prohibitions in Division 2 of Part 4 in respect of the collection, use and disclosure of health information included in a consumer's PCEHR are limited to the collection, use and disclosure of information obtained by using the PCEHR system (subclause 71(1)). The authorisations and prohibitions do not apply where information has been lawfully obtained other than by using the PCEHR system, even if the information was originally obtained by using the PCEHR system (subclause 71(2)).

In summary, clause 5 of the PCEHR Bill defines the PCEHR system as a system:
· involving the System Operator;
· that is for the collection, use and disclosure of information from various sources, and the holding of that information in accordance with the wishes of consumers or as specified in the Bill; and
· that is for the assembly of that information in respect of individual consumers which is to be made available subject to a consumer's wishes to support healthcare for the consumer, and in other circumstances specified in the Bill.
Essentially, the PCEHR system is a network of various participating entities which are coordinated by the System Operator, exchanging health information for the provision of healthcare and other authorised purposes. Some of these participants - for example, repositories operated by state or territory governments - may hold information for dual purposes. For example, some information about a consumer may be held for PCEHR purposes and for the purpose of providing healthcare outside the PCEHR system in accordance with the rules applying in the relevant state or territory.

The involvement of the System Operator is a vital element in determining whether information has been obtained by using the PCEHR system, or whether information has been obtained other than by using the PCEHR system. Subclauses 71(3) and (4) describe circumstances where PCEHR information is not obtained by using the PCEHR system:


· subclause 71(3) provides that health information is taken not to be obtained by using the PCEHR system if the information is stored in a repository for PCEHR purposes and other purposes, and a person lawfully obtains the information directly from the repository (that is, not via the System Operator) for those other purposes. Existing repositories operate for a range of purposes, and operators of these repositories may wish to become registered repository operators under the PCEHR Bill. Where a registered repository operator wishes to provide services for PCEHR and non-PCEHR purposes, subclause 71(3) is intended to allow this to occur. Where a person lawfully obtains health information directly from the repository for those non-PCEHR purposes, the prohibitions and authorisations in Part 4 of the PCEHR Bill will not apply;
· where authorised under the PCEHR Bill, health information in a consumer's PCEHR may be downloaded from the PCEHR system - for example, into the local clinical records system of a healthcare provider organisation - and the downloaded information can be subsequently obtained from that local clinical system. Subclause 71(4) provides that obtaining information from that other system, even though the information was originally obtained from the PCEHR system, is taken not to be obtained using the PCEHR system. As a result, the authorisations and prohibitions in Part 4 of the PCEHR Bill do not apply where the downloaded information is accessed using the local clinical records system (instead, existing Commonwealth, state or territory privacy and health information laws and professional obligations will apply to the collection, use and disclosure of that downloaded information).
DIVISION 3--INTERACTION WITH THE PRIVACY ACT 1988

Clause 72 Interaction with the Privacy Act 1988

This clause provides clarification as to how the PCEHR Bill (once enacted) will operate in conjunction with the Privacy Act and clarifies that an authorisation under this Bill is an authorisation for the purpose of the Privacy Act. This ensures that a collection, use or disclosure authorised under the PCEHR Bill does not contravene the Privacy Act.

Clause 73 Contravention of this Act is an interference with privacy

Clause 73 provides that an act or practice that contravenes the PCEHR Bill (once enacted) in relation to health information in a consumer's PCEHR, or would contravene the PCEHR Bill but for a requirement relating to the state of mind of a person, is taken to be an interference with the consumer's privacy and is taken to be covered by section 13 or 13A of the Privacy Act, as applicable.

The reference to "would contravene this Act but for a requirement relating to the state of mind of a person" ensures that where a person does not breach clause 59 or 60:
· because the person was held to have not known that their action was unauthorised; or
· because the person was held to have not been reckless as to the fact that they were not authorised,
the mechanisms under the Privacy Act are still available.


The consequence is that, while a person may not contravene clauses 59 or 60 and may not be liable for a civil penalty, the Information Commissioner would still have, for example, the power to investigate where a collection, use or disclosure is not authorised under Division 2 of Part 4.

PART 5--OTHER CIVIL PENALTY PROVISIONS

In order to ensure that the integrity of the PCEHR system is not compromised and that any security issues such as breaches or non-compliance can be dealt with, this Part contains a series of civil penalty provisions and related mechanisms.

Clause 74 Registered healthcare provider organisations must ensure certain information is given to System Operator

Once registered to participate in the PCEHR system, a registered healthcare provider organisation will be able to authorise persons within the organisation to access records in the PCEHR system. The organisation may choose to authorise healthcare providers, administrative and other support staff, trainees (including medical students) and/or contractors. On each occasion that an authorised user accesses a consumer's PCEHR on behalf of, or purportedly on behalf of, the registered healthcare provider organisation, the organisation must provide to the System Operator sufficient information to enable the System Operator to identify the authorised user (subclause 74(1)). The requirement to provide this information is essential for enabling the System Operator to maintain a comprehensive audit trail of access to consumers' PCEHRs.

The obligation to provide the information has been placed on healthcare provider organisations. This is because they will be best placed to ensure that their IT systems are configured to provide the necessary information to the System Operator.
The individual making the actual request for disclosure, who in most cases will be an employed healthcare provider or a person in an administrative role at the healthcare provider organisation, is unlikely to be in a position to ensure such systems are in place. Consequently, it would be inappropriate to impose liability on the individual who actually sought access to a consumer's PCEHR on behalf of the healthcare provider organisation should clause 74 be breached.

A maximum civil penalty of 100 penalty units for an individual, or 500 penalty units for a body corporate (subclause 79(5)), may be imposed by a court for a contravention of clause 74.

Clause 75 Certain participants in the PCEHR system must notify data breaches etc.

The obligations in relation to data breaches in clause 75 apply to an entity if (subclause 75(1)):
· the entity is or has at any time been the System Operator, a registered repository operator or a registered portal operator; and
· the entity becomes aware that:
o a person has, or may have, contravened the PCEHR Bill in a manner involving an unauthorised collection, use or disclosure of health information included in a consumer's PCEHR; or


o an event has occurred or circumstances have arisen (whether or not involving a contravention of the PCEHR Bill) that compromise, or may compromise, the security or integrity of the PCEHR system; and
· the contravention, event or circumstances directly involved, may have involved or may involve the entity.

This requirement is intended to ensure that only entities experiencing, or who have or may have experienced, contraventions, events or circumstances described in paragraph 75(1)(b) report. Entities that find out about breaches affecting only another entity are not under a PCEHR Bill obligation to report that information to the System Operator or Information Commissioner.

Data breach reporting obligations vary slightly depending on the entity involved:
· if the entity is a state or territory authority or instrumentality - the entity must notify the System Operator as soon as practicable after becoming aware of the contravention, event or circumstances (paragraph 75(2)(a));
· all other registered repository operators and registered portal operators must notify a breach to the System Operator and the Information Commissioner as soon as practicable after becoming aware of the contravention, event or circumstances (paragraph 75(2)(b)); and
· if the entity is the System Operator, the System Operator must notify the Information Commissioner as soon as practicable after becoming aware of the contravention, event or circumstances (subclause 75(3)).

A failure by a registered repository operator or a registered portal operator to comply with subclause 75(2) may result in imposition of a civil penalty of up to 100 penalty units for an individual or 500 penalty units for a body corporate.

Subclause 75(4) specifies the other actions that must be taken as soon as practicable after becoming aware of the contravention, event or circumstances.
These steps are based on existing Information Commissioner guidelines for dealing with data breaches and include:
· as far as practicable, containing the contravention, event or circumstances and carrying out a preliminary assessment of the causes;
· evaluating risks that may arise;
· notifying affected customers and, if a significant number of customers are affected, notifying the general public. Only the System Operator is permitted to notify affected customers or the general public. Entities other than the System Operator who experience a contravention, event or circumstances described in paragraph 75(1)(b) must ask the System Operator to notify affected customers or the general public on their behalf, and the System Operator must comply with such a request (subclause 75(5)); and
· taking steps to prevent or mitigate the effects of further contraventions, events or circumstances described in paragraph 75(1)(b).

The requirement to notify data breaches or potential data breaches affecting a repository, portal or the System Operator is intended to allow the System Operator and the Information Commissioner to investigate, take corrective actions and help mitigate any loss or damage that may result from the breach. The steps required under subclause 75(4) are critical to the ongoing security and integrity of the PCEHR system and maintaining consumer and provider confidence in the PCEHR system.


Example: A privately-operated pathology entity is a registered repository operator. It has just discovered that an unidentified external computer program has interfered with health records that it holds, and the repository operator has isolated the affected areas of the system. The repository operator must notify the System Operator and the Information Commissioner of the breach, and take any action necessary to contain the breach, analyse the breach, ascertain the risks associated with the breach (such as whether other information within the system may be affected or whether the affected areas may have affected other organisations' systems before the breach was discovered) and prevent or mitigate further breaches. As part of notifying the System Operator of the breach, the operator has provided details of the consumers whose records were affected by the breach and asked for the System Operator to notify the affected consumers. The System Operator has notified the affected consumers and is considering whether the number of affected consumers requires that a public notice be issued.

Although a civil penalty would not apply under the PCEHR Bill should an entity fail to comply with the actions specified in subclause 75(4) following a breach, there may be other consequences. These could potentially include cancellation of the entity's registration.

Clause 76 Requirement to notify if cease to be eligible to be registered

Clause 76 would require registered healthcare providers, registered repository operators, registered portal operators and registered contracted service providers to notify the System Operator in writing within 14 days of ceasing to be eligible to be registered. Failure to comply with clause 76 may result in the imposition of a civil penalty of up to 80 penalty units for an individual or 400 penalty units for a body corporate.
Ceasing to be eligible to be registered may also result in the System Operator deciding to suspend or cancel the registration of the healthcare provider organisation, repository operator, portal operator or contracted service provider.

Clause 77 Requirement not to hold or take records outside Australia

Clause 77 places an obligation on the System Operator, registered repository operators, registered portal operators and registered contracted service providers that hold records for PCEHR purposes (whether or not those records are also held for other purposes) to not:
· hold the records, or take the records, outside Australia; or
· process or handle information relating to the records outside Australia; or
· cause or permit another person to hold or take the records outside Australia or to process or handle information relating to the records outside Australia.

Should PCEHR-related health information be stored or processed outside Australia, very few effective enforcement options would be available if that information were to be misused or mishandled. Remedies for affected individuals would likewise be severely curtailed. Allowing health information to be stored or processed outside Australia also increases the risk of the information being compulsorily acquired by foreign governments. For these reasons, a policy decision has been taken to require all PCEHR-related health information to be stored and processed in Australia.


Failure to comply with clause 77 may result in the imposition of a civil penalty of up to 120 penalty units for an individual or 600 penalty units for a body corporate.

Clause 78 Participant in the PCEHR system must not contravene PCEHR Rules

Clause 78 provides that a person who is, or at any time has been, a registered repository operator or a registered portal operator must not contravene a PCEHR Rule that applies to that person. Failure to comply with clause 78 may result in the imposition of a civil penalty of up to 80 penalty units for an individual or 400 penalty units for a body corporate.

PART 6--CIVIL PENALTY SUPPORTING PROVISIONS

This Part sets out machinery provisions associated with the civil penalty provisions in the PCEHR Bill.

DIVISION 1--CIVIL PENALTY ORDERS

This Division sets out the arrangements for seeking and making orders for civil penalties and how those penalties will be determined.

Clause 79 Civil penalty orders

The Information Commissioner will have standing to apply to a Court for an order that a person who is alleged to have contravened a civil penalty provision pay the Commonwealth a pecuniary penalty (subclause 79(1)). Court is defined in section 5 to be the Federal Court of Australia, Federal Magistrates Court or a state or territory court with appropriate jurisdiction. An application for an order must be made within six years of the alleged contravention (subclause 79(2)). This timeframe is consistent with limitation periods that generally apply in civil proceedings.

If satisfied that the person has contravened a civil penalty provision, a Court may order the person to pay a pecuniary penalty (subclause 79(3)). Such an order is a civil penalty order (subclause 79(4)). The maximum penalty which an individual can be ordered by a Court to pay is as set out in the civil penalty provisions of the PCEHR Bill.
If the person is a body corporate, the maximum penalty is five times the amount specified in the civil penalty provision (subclause 79(4)). A Court may take into account all relevant matters when it is determining the penalty amount to be imposed, including the nature and extent of the contravention and of any loss or damage suffered, the circumstances of the contravention, whether a court has previously found that the person has engaged in similar conduct and the extent to which the person has taken steps to notify appropriate persons of the contravention and to prevent further contraventions (subclause 79(6)).

Clause 80 Civil enforcement of penalty

Clause 80 specifies that a pecuniary penalty is a debt payable to the Commonwealth (subclause 80(1)) and may be enforced by the Commonwealth as if it were a judgement debt (subclause 80(2)).


Clause 81 Conduct contravening more than one civil penalty provision

Where conduct has contravened two or more civil penalty provisions, proceedings may be instituted against the person in relation to the contravention of one or more of those provisions (subclause 81(1)), although a person cannot be liable for more than one civil penalty under Part 6 in relation to the same conduct (subclause 81(2)).

Clause 82 Multiple contraventions

Clause 82 specifies how Courts may deal with multiple contraventions. Courts may make a single penalty order in respect of multiple contraventions of a civil penalty provision if proceedings for the contravention are founded on the same facts, or if the contraventions form, or are part of, a series of contraventions of the same or a similar character (subclause 82(1)). However, the penalty ordered by the Court must not exceed the sum of the maximum penalties that could be ordered if a separate penalty were ordered for each of the contraventions (subclause 82(2)).

Clause 83 Proceedings may be heard together

This clause provides that multiple proceedings for civil penalty orders may be heard together.

Clause 84 Civil evidence and procedure rules for civil penalty orders

This clause provides that the rules of evidence and procedure for civil matters apply when a Court hears proceedings for a civil penalty order.

Clause 85 Contravening a civil penalty provision is not an offence

The penalty provisions in the Bill are civil, not criminal, provisions. Contravening a civil penalty provision is not an offence.

DIVISION 2--RELATIONSHIP TO OTHER PROCEEDINGS

Clause 86 Civil proceedings after criminal proceedings

A Court may not make a civil penalty order against a person for a contravention of a civil penalty provision if the person has been convicted of a criminal offence (for example, under the Criminal Code) and the conduct associated with that conviction is similar or substantially the same as the conduct constituting the contravention.
Clause 87 Criminal proceedings during civil proceedings

Proceedings for a civil penalty order against a person are stayed if criminal proceedings are commenced or have already been commenced and the offence is constituted by conduct that is similar or substantially the same as the conduct alleged to constitute the contravention (subclause 87(1)). If the person is not convicted of the criminal offence, the civil proceedings may be resumed. However, if the person is convicted of the criminal offence, the civil proceedings are dismissed (subclause 87(2)).


Clause 88 Criminal proceedings after civil proceedings

Regardless of whether a civil penalty order has been made against a person, criminal proceedings may be commenced against the person notwithstanding that the conduct in relation to both the criminal and civil matters is the same or similar.

Clause 89 Evidence given in civil penalty provision not admissible in criminal proceedings

Clause 89 specifies the circumstances in which evidence given in civil proceedings is not admissible in criminal proceedings.

DIVISION 3--OTHER MATTERS

This Division sets out provisions specifically relating to the penalty provisions referred to previously.

Clause 90 Ancillary contravention of civil penalty provisions

Subclause 90(1) specifies the circumstances in which a person who may not have contravened a civil penalty provision, or who may not have been directly involved in a contravention, will nevertheless be liable. These circumstances include:
· attempting to contravene a civil penalty provision (paragraph 90(1)(a));
· aiding, abetting, counselling or procuring a contravention of a civil penalty provision (paragraph 90(1)(b));
· inducing a contravention of a civil penalty provision (paragraph 90(1)(c));
· being in any way, directly or indirectly, knowingly concerned in, or a party to, a contravention of a civil penalty provision (paragraph 90(1)(d)); or
· conspiring with others to contravene a civil penalty provision (paragraph 90(1)(e)).

If a person contravenes subclause 90(1) in relation to a civil penalty provision, that person is taken to have contravened the civil penalty provision (subclause 90(2)).

Example: A person conspires with an employee of a registered portal operator to collect health information from consumers' PCEHRs passing through the operator's portal. The employee is not authorised to collect the information and knows this. The employee will contravene a civil penalty provision in the PCEHR Bill.
The person conspiring with the employee will also be deemed under clause 90 to have contravened a civil penalty provision.

Clause 91 Mistake of fact

Clause 91 specifies the circumstances where a mistake of fact will result in a person not being liable for a contravention of a civil penalty provision.

Clause 92 State of mind

Clause 92 specifies the circumstances in which it is necessary to prove a person's state of mind in proceedings under the PCEHR Bill. Subclause 92(2) provides that an expression used in a civil penalty provision that expressly provides for a state of mind has the same meaning as in the Criminal Code.


Clause 93 Civil penalty provisions contravened by employees, agents or officers

Clause 93 provides that if an element of a civil penalty provision is done by an employee, agent or officer of a body corporate, acting within the scope of their employment, or the scope of their authority, the element must also be attributed to the body corporate.

PART 7--VOLUNTARY ENFORCEABLE UNDERTAKINGS AND INJUNCTIONS

Voluntary enforceable undertakings are a key element of the graduated responses available under the Bill. They can be used as an effective control of behaviour and can result in systemic changes being made.

Clause 94 Acceptance of undertakings

Under clause 94, the Information Commissioner and System Operator may accept a written undertaking from a person that the person will take, or refrain from taking, specified actions to ensure compliance with their obligations under the PCEHR Bill (subclause 94(1)). For the purposes of Part 5 of the PCEHR Bill, the person who accepts the undertaking is referred to as the recipient of the undertaking (subclause 94(2)). This is done for drafting simplicity given that there are two people who may accept undertakings.

Neither the Information Commissioner nor System Operator is required to accept an undertaking. Whether it was appropriate to accept an undertaking would depend on a range of circumstances, including the nature and severity of the contravention. Where the Information Commissioner or System Operator accepts an undertaking, the person giving it must comply with their undertaking. If they do not, the recipient of the undertaking may apply to the Court to enforce the undertaking or for other orders (see clause 95).

Example: The System Operator notices that a particular healthcare provider organisation appears to have accessed PCEHRs without identifying the individual accessing the PCEHR system on its behalf. The System Operator notifies the Information Commissioner.
An investigation by the Information Commissioner shows that the healthcare provider organisation has not correctly configured its IT system to provide the required information. Not identifying the individual is a contravention of clause 74. As the oversight involves a relatively small number of PCEHRs, and the healthcare provider organisation has not been involved in any previous contraventions of civil penalty provisions, the Information Commissioner decides to accept an undertaking from the healthcare provider organisation that it will correctly configure its IT systems and ensure that all its employees are properly identified to the System Operator when accessing PCEHRs in the future. If the healthcare provider organisation subsequently breaches its undertaking, the Information Commissioner is able to seek an order to enforce the undertaking and other Court orders.

In giving an undertaking, a person must make clear that the undertaking is for the purposes of clause 94 (subclause 94(3)).


If the Information Commissioner or System Operator has accepted an undertaking from a person, the person may subsequently vary or withdraw the undertaking with the written agreement of the recipient (subclause 94(3)). This allows for changes to circumstances, such as where a person may no longer be able to carry out an undertaking or where they wish to cease participating in the PCEHR system.

A consent by the recipient to the withdrawal or variation of an undertaking is not a legislative instrument (subclause 94(4)). This provision is not an exemption from the Legislative Instruments Act 2003. Rather, it is merely declaratory to assist readers. The instrument is not a legislative instrument for the purposes of the Legislative Instruments Act 2003, so it will not be disallowable by Parliament or published on the Federal Register of Legislative Instruments.

The recipient of an undertaking may cancel the undertaking (subclause 94(5)). In this case, the recipient must give written notice of the cancellation to the person.

The recipient of an undertaking may publish the undertaking on its website (subclause 94(6)). Publication of an undertaking may be sensitive in some cases, and the recipient would determine whether or not to publish an undertaking. On the other hand, publication may help educate other participants in the PCEHR system about their obligations under the PCEHR Bill.

Clause 95 Enforcement of undertakings

The recipient of an undertaking may apply to a Court for an order if the recipient considers that a person has failed to comply with their undertaking (subclause 95(1)).
If the Court is satisfied that the person has breached their undertaking, the Court may make any or all of the following (subclause 95(2)):

· an order directing the person to comply with the undertaking;
· an order directing the person to pay the Commonwealth part or all of an amount which was obtained directly or indirectly by the person and that is reasonably attributable to the breach;
· an order that the Court considers appropriate directing the person to compensate any other person who suffered loss or damage as a result of the breach;
· any other order that the Court considers appropriate (paragraph (2)(d)).

Clause 96 Injunctions

Subclauses 96(1) and (2) specify the circumstances in which the Information Commissioner or System Operator may seek an injunction.

If an application is made to a Court seeking an injunction under subclauses 96(1) or (2), the Court may grant an interim injunction before considering the application (subclause 96(3)). The ability to obtain interim injunctions will be important in responding quickly to serious privacy breaches and in helping maintain the security and integrity of the PCEHR system.

Any injunction granted by a Court in response to an application by the Information Commissioner or System Operator may be varied or discharged by the Court (subclause 96(4)).


A Court is not to require, as a condition of issuing an interim injunction, any undertaking as to damages from the System Operator, Information Commissioner or other person (subclause 96(7)).

PART 8--OTHER MATTERS

Part 8 of the Bill provides for subordinate legislation to be made in the form of regulations and PCEHR Rules, certain decisions to be reviewable, reporting and review of the legislation and its associated activities, the treatment of types of participating entities, the extension of authorisations and the delegation of certain functions and powers.

DIVISION 1--REVIEW OF DECISIONS

Clause 97 Review of decisions

Key decisions which are required to be made by the System Operator and which could have an adverse effect will be subject to merits review. These decisions are:

· whether or not to recognise a person as an authorised representative. This reflects that in some cases a person may be adversely affected by the decision to recognise another person as an authorised representative;
· to refuse to register a consumer;
· to refuse to register a healthcare provider organisation;
· to impose a condition on the registration of a healthcare provider;
· to refuse to register a person as a repository operator, portal provider or contracted service provider;
· to impose a condition on the registration of a person as a repository operator, portal provider or contracted service provider;
· to refuse to specify a repository as one to which the registration of a repository operator relates;
· to cancel or suspend the registration of a consumer or other entity;
· to refuse to cancel or suspend the registration of a consumer or other entity upon request by that consumer or entity;
· to vary the registration of a consumer or other entity upon request by that consumer or entity; and
· to refuse to vary the registration of a consumer or other entity.
Upon making any of the above decisions, the System Operator is required to notify the affected person in writing and inform the person of their rights to seek merits review of the decision (subclause 97(2)).

Subclause 97(4) places a 28-day limit on a person's ability to seek merits review, commencing on the day the person receives the System Operator's notice under subclause 97(2). Requests for merits review must explain why the affected person is making the request (subclause 97(5)).

The System Operator is required to reconsider its decision within 28 days of receiving the request and notify the affected party in writing of the outcome of the reconsideration and the basis for that outcome (subclause 97(6)). The System Operator must also notify the affected person of their rights to seek a review by the Administrative Appeals Tribunal (subclause 97(7)).


If the affected person is not satisfied with the outcome of the reconsideration, the person may make an application to the Administrative Appeals Tribunal to review the decision (subclause 97(8)).

The Administrative Appeals Tribunal provides independent merits review of administrative decisions. Merits review of an administrative decision involves considering afresh the facts, law and policy relating to that decision. The Tribunal considers the material before it and decides what is the correct, or, in a discretionary area, the preferable decision. It will affirm, vary or set aside the decision under review, and substitute its own decision or remit the matter to the System Operator for reconsideration in accordance with any directions or recommendations of the Tribunal.

DIVISION 2--DELEGATIONS

Clause 98 Delegations by the System Operator

This clause enables the System Operator to delegate, in writing, any of her or his functions or powers to an APS employee of the Department of Health and Ageing or the Chief Executive Medicare (paragraphs (1)(a) and (b)). The System Operator may also delegate any of her or his functions to any other person subject to the consent of the Minister (paragraph (1)(c)). Despite any delegations the System Operator may make, the System Operator remains responsible and accountable for the functions.

If the System Operator delegates any of her or his functions or powers to the Chief Executive Medicare, the Chief Executive Medicare may, in writing, further delegate those functions or powers to an employee of the Department of Human Services (subclause 98(3)). Subclause 98(4) applies sections 34AA, 34AB and 34A of the Acts Interpretation Act 1901 in relation to any subdelegation in a corresponding way to the way in which those provisions apply to a delegation.

This power of delegation is provided for practical and administrative reasons. Providing for delegations is commonplace in Commonwealth legislation.
The System Operator cannot delegate the function of advising the Minister on matters relating to the PCEHR system under paragraph 11(1)(k) (subclause 98(2)). The exercise of any delegation must be carried out in accordance with the directions of the System Operator (subclause 98(5)).

DIVISION 3--AUTHORISATIONS OF ENTITIES ALSO COVER EMPLOYEES

Clause 99 Authorisations extend to employees etc.

This provision expands on the authorisations given in other parts of the PCEHR Bill. The Bill authorises participants in the PCEHR system to collect, use and disclose health information included in a consumer's PCEHR in particular circumstances. Given that many of the participants will be organisations rather than individuals, this clause ensures that the Bill's authorisations extend to employees, contracted service providers and contractors of those organisations where appropriate.


DIVISION 4--TREATMENT OF CERTAIN ENTITIES

Many of the participants in the PCEHR system will be organisations rather than individuals, and those organisations are likely to be structured in a variety of ways. Some organisations may not be a legal person. Division 4 of Part 8 ensures that the obligations and penalties set out in the Bill apply appropriately, notwithstanding the different structures that may be adopted by participants in the PCEHR system. In each case, the Bill will apply to partnerships, unincorporated organisations and trusts with multiple trustees as if that organisation were an individual (subclauses 100(1), 101(1) and 102(1)).

Clause 100 Treatment of partnerships

In respect of partnerships, obligations will apply to each partner and may be discharged by any partner (subclause 100(2)). A civil penalty provision that would otherwise be contravened by the partnership is taken to have been contravened by each partner (subclause 100(3)).

Clause 101 Treatment of unincorporated associations

In respect of unincorporated associations, obligations will apply to each member of the association's committee of management and may be discharged by any of those members (subclause 101(2)). A civil penalty provision that would otherwise be contravened by the association is taken to have been contravened by each member (subclause 101(3)).

Clause 102 Treatment of trusts with multiple trustees

In respect of trusts with two or more trustees, obligations will apply to each trustee and may be discharged by any trustee (subclause 102(2)). A civil penalty provision that would otherwise be contravened by the trust is taken to have been contravened by each trustee (subclause 102(3)).
Clause 103 Exception in certain circumstances

Despite clauses 100-103, partners, members of the committee of management of an unincorporated association and trustees will not contravene a civil penalty provision if that person:

· is not aware of the circumstances which caused the contravention (paragraph 103(a)); or
· is aware of those circumstances but takes all reasonable steps to correct the contravention as soon as possible after becoming aware of those circumstances (paragraph 103(b)).

Clause 104 Division does not apply to Division 3 of Part 3

Clause 104 provides that Division 4 of Part 8 of the Bill does not have effect for the purposes of Division 3 of Part 3 (registering repository operators, portal operators and contracted service providers). An applicant for registration as a repository operator, portal operator or contracted service provider must be a legal person.


DIVISION 5--ALTERNATIVE CONSTITUTIONAL BASES

Division 5 is intended to ensure that the proposed Act is given the widest possible operation consistent with Commonwealth constitutional legislative power. Subclause 105(1) provides that, without limiting the effect of the proposed Act, it also has effect as provided by subclauses 105(2) to (7) in reliance on different Commonwealth heads of power. Subclause 105(6) deals with Australia's obligations under international agreements and this takes account of the International Covenant on Civil and Political Rights, under which Australia has obligations in relation to privacy.

DIVISION 6--ANNUAL REPORTS AND REVIEW OF ACT

The provisions in Division 6 are consistent with the annual reporting and legislation review provisions in the HI Act.

Clause 106 Annual reports by Information Commissioner

The Information Commissioner must prepare a report, no more than three months after the end of each financial year, on its activities over the course of that financial year (subclause 106(1)). The Bill specifies the types of matters that must be included in the report (subclause 106(2)), including statistics on complaints received, investigations, accepted enforceable undertakings and proceedings which have been initiated. Paragraph 106(2)(b) provides that the regulations may also prescribe matters on which the Information Commissioner must report.

By 30 September each year, the Information Commissioner must provide his or her report to the Minister and to the Ministerial Council (subclause 106(3)). The Minister must table the report in Parliament within 15 sitting days of receiving the report (subclause 106(4)). The report would therefore be available to the public, providing scrutiny and transparency of the Information Commissioner's activities in respect of the PCEHR system.
Clause 107 Annual reports by System Operator

The System Operator must prepare a report, no more than three months after the end of each financial year, on its activities over the course of that financial year (subclause 107(1)). The Bill specifies the types of matters that must be included in the report (subclause 107(2)), including statistics on registration, cancellation and suspension decisions, complaints and investigations, accepted enforceable undertakings, proceedings which have been initiated, breaches and use of the system by consumers and healthcare providers. Paragraph 107(2)(b) provides that the regulations may also prescribe any other matters on which the System Operator is to report. The System Operator's report may include information about the operation of the Jurisdictional Advisory Committee and the Independent Advisory Council (subclause 107(3)).


By 30 September each year, the System Operator must provide its report to the Minister and to the Ministerial Council (subclause 107(4)). The Minister must table the report in Parliament within 15 sitting days of receiving the report (subclause 107(5)). The report would therefore be available to the public, providing scrutiny and transparency of the System Operator's activities.

Clause 108 Review of operation of Act

This clause requires that the operation of this proposed Act be reviewed after it has been in operation for two years. It is intended that such a review will provide the opportunity to correct any unanticipated shortcomings of the legislation and identify possible improvements and clarifications to its operation, including the arrangements underpinning the PCEHR System Operator. Such matters may only become evident after extended application of the legislation. The review will also provide the opportunity to implement new arrangements that are necessary, such as to support an increased capacity for the system.

Two years after commencement, the Minister must consult with the Ministerial Council regarding the arrangements for the review (subclause 108(3)). The person or body subsequently assigned by the Minister to undertake this review must seek and consider submissions from the public (subclause 108(4)). The review must be completed within six months of commencing the review (paragraph (2)(b)) and a written report on the review must be provided to the Minister (subclause 108(5)). The Minister must provide a copy of the report to the Ministerial Council (paragraph (6)(a)) and table the report in Parliament within 15 sitting days after receiving the report (paragraph (6)(b)). The report would therefore be available to the public, providing scrutiny and transparency in relation to the operation of the PCEHR legislation.
DIVISION 7--PCEHR RULES, REGULATIONS AND OTHER INSTRUMENTS

This Division of the Bill provides for a range of subordinate legislation to be made by the Governor-General and the Minister to support the operation of the PCEHR system.

Clause 109 Minister may make PCEHR Rules

This clause allows the Minister to make rules to support the PCEHR system. The PCEHR Rules will be legislative instruments subject to the Legislative Instruments Act 2003, meaning that they will be tabled in Parliament, registered on the Federal Register of Legislative Instruments and subject to disallowance by Parliament and sunsetting.

Before making PCEHR Rules, the Minister must consult with the Jurisdictional Advisory Committee. In some cases, PCEHR Rules may need to be made urgently in response to emerging security or privacy threats, and there may not be time to fully consult. Subclause 109(2) therefore provides that a failure to consult the Committee does not affect the validity of the Rules.

Subclauses 109(2) to (8) specify the things in relation to which PCEHR Rules may be made and the way in which Rules may apply to certain participants. In particular, PCEHR Rules may be made in relation to:


· the registration of consumers and other entities, including technical and other requirements such as the storage of data and records, records management, administration and day-to-day operations, physical and information security, and the uploading of certain types of records;
· access control mechanisms, including default access controls; and
· authorised and nominated representatives, including how such persons are recognised, the verification requirements for a consumer who no longer has an authorised representative when they assume control of their PCEHR, and the circumstances where a healthcare identifier is not required.

The Rules will not relate to the professional activities of healthcare providers. Numerous professional bodies exist for this purpose and the PCEHR Rules are intended to only prescribe matters which relate specifically to the operation of the PCEHR system.

Other matters that may be addressed in the PCEHR Rules include:

· security and technical requirements of participants;
· processes that must be implemented by registered healthcare provider organisations to authorise users of the PCEHR system;
· types of PCEHR records that can be authored by healthcare providers;
· requirements associated with the registration of a consumer, such as the types of documentation that are acceptable to prove a consumer's identity and arrangements regarding assisted registration;
· the circumstances for automatically suspending or cancelling access to a consumer's PCEHR;
· requirements that will apply to the System Operator or other entity after the registration of a consumer or other participant is cancelled, such as in relation to records; and
· information that must be entered by the System Operator on the Register.

As discussed above in relation to clause 40, subclause 109(5) permits PCEHR Rules to be made which modify provisions of the Bill if this is necessary to permit registration for a PCEHR using a pseudonym.
Such a provision is necessary to ensure that people may participate pseudonymously in the PCEHR system, should they need or desire to do so. At this time, it is not expected that such modification will be necessary. However, before the PCEHR system is in place and operating, it is not possible to be certain that modifications to the PCEHR Bill will not be required. Like other PCEHR Rules, any Rules made for this purpose will be subject to Parliamentary scrutiny and disallowance.

A failure to comply with a relevant requirement in the PCEHR Rules may result in cancellation or suspension of a participant's registration and/or other sanctions, including the imposition of a civil penalty. A failure by a registered repository operator or registered portal operator to comply with the PCEHR Rules may result in a civil penalty of 80 penalty units for individuals or 400 penalty units for bodies corporate (see clause 78).

Clause 110 Minister may determine a law of a State or Territory to be a designated privacy law

Subclause 110(1) permits the Minister to determine that a state or territory privacy or health information law is a designated privacy law for the purpose of clause 48.


The designation of privacy laws is connected to the registration of repository and portal operators. If the repository operator or portal operator is a state or territory authority or an instrumentality of a state or territory authority that is not subject to a designated privacy law, the operator will need to be prescribed under section 6F of the Privacy Act (paragraph 48(d)). This is to ensure that the National Privacy Principles under the Privacy Act apply to that operator.

A determination under subclause 110(1) will be a legislative instrument subject to the Legislative Instruments Act 2003 (subclause 110(2)). This means that the determination will be tabled in Parliament, registered on the Federal Register of Legislative Instruments and will be subject to disallowance and sunsetting.

Clause 111 Guidelines relating to the Information Commissioner's enforcement powers etc.

Given the Information Commissioner's central role in relation to the PCEHR system, the Commissioner will be required to issue enforcement guidelines outlining how she or he will approach enforcement issues under the PCEHR Bill and related legislation (subclause 111(2)). The Information Commissioner must have regard to these guidelines in exercising her or his powers under this Bill (subclause 111(1)). The Information Commissioner's guidelines will be a legislative instrument subject to the Legislative Instruments Act 2003 (subclause 111(2)).

Clause 112 Regulations

This clause provides for the Governor-General to make regulations for the purposes of the proposed Act (subclause 112(1)). Subclause 112(2) makes clear that, without limiting subclause 112(1), regulations may be made on any matter about which the Minister may make PCEHR Rules.
The matters specifically mentioned in the Bill about which regulations may be made include:

· additional types of healthcare provider that may be a nominated healthcare provider (see definition of nominated healthcare provider);
· types of person who may be an authorised representative of a consumer (see clause 6);
· a body to be the System Operator (see clause 14);
· additional functions of the Jurisdictional Advisory Committee (see clause 18);
· additional matters relating to the Jurisdictional Advisory Committee such as remuneration and allowances, and procedures of the committee (see clause 23);
· additional functions of the Independent Advisory Council (see clause 24);
· remuneration of the Independent Advisory Council, in the absence of a determination by the Remuneration Tribunal, and allowances (see clause 29);
· procedural matters of the Independent Advisory Council (see clause 37);
· information required as part of the consumer registration process (see clause 40);
· additional information about which the Information Commissioner must report annually (clause 106); and
· additional information about which the System Operator must report annually (clause 107).


The regulations may prescribe criminal penalties of not more than 50 penalty units for offences against the regulations. The regulations may also prescribe civil penalties for contraventions of the regulations. The regulations may provide for a maximum civil penalty of 50 penalty units for individuals and a maximum of 250 penalty units for bodies corporate.

Prior to the Governor-General making regulations, the Minister must consult with the Ministerial Council in respect of the proposed regulations (subclause 112(3)). This ensures that the states and territories are consulted prior to the making of any regulations.