Lat updated: 13 August 2024
The Australian Information Commissioner is required to make rules under s 135AA of the National Health Act 1953 (National Health Act) to regulate the handling of Medicare Benefits Schedule (MBS) and Pharmaceutical Benefits Schedule (PBS) claims information by Australian Government agencies. Claims information is some of the most sensitive personal information as it may contain details about an individuals’ health status and medical issues.
The Rules are legally binding and ensure that claims information is linked and used only for limited purposes and in particular circumstances, recognising the special sensitivity involved in bringing this data together. A breach of the Rules constitutes an interference with privacy under section 13 of the Privacy Act 1988 (Cth) (Privacy Act). In turn, an individual may complain to the Australian Information Commissioner about an alleged interference with their privacy.
The OAIC reviewed the Rules over a 3-year period, and on 8 August 2024 published the proposed National Health (Privacy) Rules 2025 (2025 Rules) on the Federal Register of Legislation, which will replace the existing National Health (Privacy) Rules 2021 (current Rules) which are due to self-repeal on 1 April 2025.
The 2025 Rules enshrine the most comprehensive changes to the rules around the handling of claims information since the first iteration of the claims information framework was issued in 1993. Critically, the 2025 Rules now extend to all Australian Government agencies. They do not create any new obligations for individuals, businesses or community organisations.
Based on extensive stakeholder feedback, the OAIC reviewed the rules with a view to strengthening the privacy protections contained therein, while also recognising the changing community expectations around the fair and lawful use of claims information for specific purposes, such as research, under strict conditions.
We made five key changes to the Rules:
- We clarified the application of the Rules to all Australian government agencies, ending the previously arbitrary application of the Rules to the Department of Health and Aged Care, and Services Australia.
- We introduced the principle of data minimisation to the new Rules, to ensure privacy was mainstreamed in all agency handling of claims information.
- We introduced data sharing agreements, which will provide additional privacy protections to claims data, and inserted requirements for data sharing agreements to restrict re-identification.
- We expanded the use and disclosure provisions by inserting a list of permitted use provisions which is well defined, and includes the purposes of research, statistical analysis or development of government policies and programs. We repealed provisions enabling the indefinite retention of claims data.
- We required all linkages of information to be traceable, to enable scrutiny and oversight.
The amendments will enhance the effectiveness of the Rules by ensuring strong and consistent privacy protections apply to sensitive MBS and PBS data, including data-sharing agreements between agencies, data minimisation obligations and enhanced traceability requirements. Existing obligations requiring strict access, storage and security controls for entities handling this data will continue to apply.
The changes will also improve the efficient operation of the Rules by enhancing their usability by Australian Government agencies. This will be achieved through changes including simplification of the structure of the Rules and enhanced clarity for Australian Government agencies regarding their obligations when handling MBS and PBS claims information, as well as a broadening of the purposes for which claims information can be handled under the Rules, in cases where this is in the public interest (i.e. to support health and medical research).
For further background information on the rules, please see the consultation page.
