Australian Government - Office of the Australian Information Commissioner

Australian Digital Health Agency MOU Biannual Report 2016-2017 for the period ending 31 December 2016

Mr Tim Kelsey
Chief Executive Officer
Australian Digital Health Agency
Level 25, 56 Pitt Street
Sydney NSW 2000

Dear Mr Kelsey

I am pleased to provide you with the biannual report for the period ending 31 December 2016, in accordance with section 3.3 of Schedule 1, section 3.3 of Schedule 2 and section 10.1 of the Memorandum of Understanding between the Office of the Australian Information Commissioner and the Australian Digital Health Agency, in relation to the provision of dedicated privacy-related services under the Privacy Act 1988, the My Health Records Act 2012 and the Healthcare Identifiers Act 2010.

If you have any queries relating to the report, please contact Melanie Drayton on [contact details removed].

Yours sincerely

Angelene Falk
Deputy Commissioner

21 March 2017

Section 1 — Advice, guidance, liaison and other activities

The Office of the Australian Information Commissioner (OAIC) is required to report biannually under the Memorandum of Understanding (MOU) with the Australian Digital Health Agency (the Agency) in relation to the My Health Record system and Healthcare Identifiers (HI) system activities.

Section 10.1 of the MOU requires that the performance and impact of the activities set out in the MOU are adequately and effectively monitored and assessed.

The activities reported below relate to work performed on activities listed in section 3.1 of Schedule 1 and section 3.1 of Schedule 2 of the MOU, other than the compliance and enforcement activities set out under Section 2 of this report.

Activities relating to the My Health Record system

Advice

S3.1(g) – Respond to enquiries and requests for advice on the appropriate handling of My Health Record information and other privacy compliance obligations in relation to the My Health Record system
  • The OAIC provided comments to the Agency on a draft privacy impact assessment in relation to proposals to facilitate third party development of mobile applications which will enable consumers to include information from their My Health Record system in an app.
  • The OAIC provided comments to the Agency on its draft ‘My Health Record informed consent requirements and guidelines,’ which outline requirements for app developers to meet when seeking and obtaining an individual’s consent to connect with and access information in their My Health Record.
  • The OAIC provided policy advice to the Agency on the application of certain provisions of the Privacy Act 1988 (Privacy Act) and the Freedom of Information Act 1982.
  • The OAIC provided comments to the Department of Health on a draft privacy impact assessment on the proposed National Cancer Screening Register. The comments included an explanation of the My Health Record system’s access controls and an overview of how information is authorised, by the My Health Records Act 2012 (My Health Records Act), to be uploaded to the system.
  • The OAIC further considered a request for advice from a State government body about the application and interpretation of certain provisions of the My Health Records Act.
  • The OAIC provided comments to the Department of Health on the draft National Health Genomics Policy Framework, which highlighted the information handling provisions of the My Health Records Act in response to the discussion about how genomics data may be shared and stored.
  • The OAIC received three written enquiries and one telephone enquiry regarding the My Health Record system. These enquiries related to general information about the My Health Record system, access to the records of children and the opt-out process.

Guidance

S3.1(h) – Prepare and/or update written guidance materials for individuals and participants in the My Health Record system on the appropriate handling of My Health Record information and other privacy compliance obligations in relation to the My Health Record system
  • Two business resources for healthcare providers were finalised and provided to the Agency for consideration. One resource covers the legislative requirements that apply to handling a patient’s personal information when using the My Health Record system. The second resource provides tips on how to protect a patient’s privacy when using the My Health Record system.
  • The OAIC continued to develop a resource for healthcare providers on the mandatory data breach notification requirements. This resource is specifically targeted at providers and will complement the OAIC’s existing Guide to mandatory data breach notification in the My Health Record system.
  • The OAIC continued to draft revisions to the Guide to mandatory data breach notification in the My Health Record system to reflect changes to the mandatory data breach notification requirements under section 75 of the My Health Records Act.
  • The OAIC finalised two fact sheets for healthcare recipients relating to health privacy issues including access to, and correction of, health information. These fact sheets are not specific to the My Health Record system and will be published early in the next reporting period.
  • The OAIC worked to finalise its new draft guidance dealing with health care providers’ privacy obligations under the Privacy Act when handling health information, including information in the My Health Record system. This guidance follows a public consultation process and brings together sector specific guidance for health service providers.
S3.1(i) – Update guidance for exercising the powers conferred on the Information Commissioner by the My Health Records Act as required
  • The OAIC continued to prepare updates to its Guide to privacy regulatory action to reflect changes to the My Health Records Act enforcement powers, as a result of the Health Legislation Amendment (eHealth) Act 2015.

Liaison

S3.1(j) – Liaise and coordinate on privacy-related My Health Record activities with the System Operator and other key agencies (i.e. Department of Health and Department of Human Services – Medicare)
  • The OAIC prepared a biannual report under the MOU between the Department of Health and the OAIC for the period ending 30 June 2016.
  • The OAIC prepared an annual report setting out the OAIC’s activities in relation to the My Health Record system during 2015 – 2016, in accordance with section 106 of the My Health Records Act.
  • The Commissioner and OAIC staff participated in a preliminary consultation with Health Consult to discuss the development of a framework for secondary uses of My Health Record data.
  • The OAIC liaised with the Agency about the Privacy and Security Advisory Committee, which is one of the five advisory committees being established by the Agency to support the Agency’s Board.
S3.1(k) – Liaise and coordinate on privacy related My Health Record activities with state and territory regulators
  • The OAIC liaised with a State regulator regarding its interest in the role of the OAIC as the regulator of the privacy aspects of the My Health Record system.

Other activities

S3.1(l) – Prepare My Health Record related briefing material, speeches, articles and media comment on privacy matters
  • OAIC staff developed briefing material for the Commissioner’s participation in a preliminary consultation with Health Consult about the development of a framework for secondary uses of My Health Record data. In June 2016, Health Consult was engaged by the Department of Health to develop a Framework for the secondary use of data in the My Health Record system for research, policy, system use, quality improvement and evaluation activities. The briefing material included an overview of the relevant legislative provisions of the My Health Records Act that authorise the secondary use of My Health Record data.
  • OAIC staff developed briefing material for the Commissioner in preparation for his attendance before the Senate Standing Committee on Community Affairs in regards to the National Cancer Screening Register Bill 2016. The briefing material included an explanation of how the proposed National Cancer Screening Register could potentially connect, in the future, with the My Health Record system. The briefing also outlined the penalties in the My Health Records Act for a breach of the information handling requirements.
  • OAIC staff prepared briefing material for the Commissioner ahead of the Commissioner’s meeting with the Chief Executive Officer of the Agency. The briefing material included an overview of current digital health issues and initiatives, such as the development of My Health Record mobile apps.
  • The OAIC responded to a media enquiry regarding the National Health Service Directory (NHSD). OAIC staff dealing with the enquiry were provided with internal background information about the NHSD, including the display of the My Health Record system logo against certain NHSD listings.
S3.1(m) – Comment on draft legislation that may interact with the My Health Records Act (where appropriate)
  • The OAIC commented on the privacy aspects of the National Cancer Screening Register Bill 2016 (see above and below for related work regarding this bill).
S3.1(n) – Participate in consultations and comment on digital health developments that relate to the My Health Record system
  • Following the Commissioner’s appearance before the Senate Standing Committee on Community Affairs regarding the National Cancer Screening Register Bill 2016, the OAIC prepared responses to questions taken on notice. These answers included an explanation of the penalties in the My Health Records Act for mishandling personal information in an individual’s My Health Record, and a reference to the way in which the My Health Records Act refers to its interaction with the Privacy Act.
  • The OAIC provided comments to the Royal Australian College of General Practitioners on the second draft of the fifth edition Standards for general practices. The comments included a recommendation to clarify references to health records so that it was clear whether certain parts of the Standards referred to local patient health records or to the My Health Record system.
  • The OAIC attended the 46th Asia Pacific Privacy Authorities (APPA) Forum in Mexico on 30 November to 2 December 2016. For this forum, the OAIC provided an enforcement report, which included an outline of the penalty provisions relevant to the My Health Records Act and the Healthcare Identifiers Act 2010 (HI Act).
  • During the reporting period, the Agency launched the consultation process for the National Digital Health Strategy. The OAIC considered the consultation documentation and intends to make a submission, which is due in the next reporting period.
S3.1(o) – Update internal reference materials and provide staff training as necessary
  • The OAIC conducted induction training in digital health and the OAIC’s digital health regulatory oversight role for all new OAIC staff.
  • The OAIC conducted detailed digital health induction and training for one new staff member working in the OAIC’s digital health team.
S3.1(p) – Monitor developments in digital health and the My Health Record system to ensure the OAIC is able to offer informed advice about privacy aspects of the operation of the My Health Record system and the broader digital health context
  • OAIC staff monitored news clips, relevant parliamentary committees and digital health and related websites and blogs, such as Pulse+IT.
  • The OAIC reviewed the Australian Commission on Safety and Quality in Health Care’s Fifth and Sixth Clinical Safety Review reports of the My Health Record system.
  • An OAIC staff member attended the annual Health Informatics Conference in Melbourne. The conference included presentations by executive staff of the Agency and presentations on issues such as cyber-security and health data.
  • An OAIC staff member attended, via live streaming, the Royal Australian College of General Practitioners’ eHealth forum, which included discussions about digital health and the use of patient data to improve health outcomes.
  • An OAIC staff member attended the Health Data Analytics conference in Brisbane, which was organised by the Health Informatics Society of Australia and covered developments in the health IT industry. This included presentations on the use of big data in healthcare and on cyber-security.
  • An OAIC staff member attended the Agency’s webinar on how to embed patient registration processes for the My Health Record in a practice’s workflow.
  • An OAIC staff member attended the Agency’s webinar on event summaries and shared health summaries in the My Health Record system.
  • An OAIC staff member attended the Agency’s webinar on the National Digital Health Strategy.
  • The OAIC reviewed the World Health Organisation (WHO) report ‘From innovation to implementation – eHealth in the WHO European region’ (2016), which describes trends in electronic health in the WHO European Region.

Activities relating to the Healthcare Identifiers Service

Advice

S3.1(e) – Respond to enquiries and requests for advice on the appropriate handling of Healthcare Identifiers and other privacy compliance obligations in relation to the HI Service
  • The OAIC provided comments to the Department of Health on a draft privacy impact assessment on the proposed National Cancer Screening Register. The comments included an overview of the provisions of the HI Act that authorise the handling of HIs.

Guidance

S3.1(f) – Prepare and/or update written guidance materials for individuals and participants in the healthcare industry on the appropriate handling of Healthcare Identifiers and other privacy compliance obligations in relation to the HI Service
  • The OAIC continued to draft updates to its Guide to privacy regulatory action to reflect changes to the HI Act enforcement powers, as a result of the Health Legislation Amendment (eHealth) Act 2015.
  • The OAIC reviewed its healthcare identifier business resources and webpages to consider how it could best update this material to better meet stakeholder needs. As part of its review, the OAIC sought targeted initial feedback on the current guidance.

Liaison

S3.1(g) – Liaise and coordinate on privacy related HI activities with key agencies (i.e. Department of Health and Department of Human Services – Medicare)
  • The OAIC prepared a biannual report under the MOU between the Department of Health and the OAIC for the period ending 30 June 2016.
  • The OAIC prepared an annual report setting out the OAIC’s activities in relation to the HI Service during 2015 – 2016, in accordance with section 30 of the HI Act.
S3.1(h) – Liaise and coordinate on privacy related HI activities with state and territory regulators
  • None required.

Other activities

S3.1(i) – Prepare HI-related briefing material, speeches, articles and media comment on privacy matters
  • None required.
S3.1(j) – Comment on draft legislation that may interact with the HI Act (where appropriate)
  • None required.
S3.1(k) – Participate in consultations and comment on digital health developments that relate to the HI Service
  • None required.
S3.1(l) – Update internal reference materials and provide staff training as necessary
  • The OAIC conducted induction training in digital health and the OAIC’s digital health regulatory oversight role for all new OAIC staff.
  • The OAIC conducted detailed digital health induction and training for one new staff member working in the OAIC’s digital health team.
S3.1(m) – Monitor developments in digital health and the HI Service to ensure the OAIC is aware of the implications of any developments for the HI Service and able to offer informed advice about privacy aspects of the operation of the HI Service in the broader digital health context.
  • OAIC staff monitored news clips, relevant parliamentary committees and digital health and related websites and blogs, such as Pulse+IT.
  • The OAIC reviewed the Australian Commission on Safety and Quality in Health Care’s Fifth and Sixth Clinical Safety Review reports of the My Health Record system. The reports also considered matters relating to healthcare identifiers.

Section 2 — Compliance and enforcement activities

The OAIC is required to undertake a range of compliance and enforcement activities under the MOU.

Section 3.3 of Schedule 1 of the MOU requires the OAIC to produce a biannual report about activities related to the My Health Record system which, at a minimum, provide a summary of

  1. any complaints or compliance issues within the period and the outcomes or conciliation activities associated
  2. any investigations commenced within the period and the findings and recommendations associated; and
  3. any assessments commenced within the period and the findings and recommendations associated.

The Information Commissioner also has annual statutory reporting obligations under section 106 of the My Health Records Act.

Section 3.3 of Schedule 2 of the MOU requires the OAIC to produce a biannual report about activities related to the HI Service which, at a minimum, provide a summary of

  1. any investigations commenced within the period and the findings and recommendations associated
  2. any assessments commenced within the period and the findings and any recommendations associated; and
  3. complaints or compliance issues within the period and the outcomes or conciliation activities associated.

The Commissioner also has annual statutory reporting obligations under section 30 of the HI Act.

For consistency purposes, the biannual reports will contain the same statistical reporting fields as the Commissioner’s statutory reporting requirements under the My Health Records Act and the HI Act.

However, information about enforceable undertakings accepted by the Commissioner or proceedings taken by the Commissioner will not appear in biannual reports. Full details about compliance and enforcement activities (complaints, investigations and assessments) may not be available for biannual reports where these matters are still undergoing investigation or assessment.

Compliance activities relating to My Health Record system

Table A: Matters commenced and finalised during the reporting period 1 July to 31 December 2016.

| Matter type                           | Received/commenced during period | Finalised during period | Open at 31 December |
|---------------------------------------|----------------------------------|-------------------------|---------------------|
| Assessments                           | 1                                | 1                       | 1                   |
| Complaints                            | Nil                              | 1                       | Nil                 |
| Commissioner-initiated investigations | Nil                              | Nil                     | Nil                 |

Table B: Data breach notifications (DBNs) received and closed during the reporting period 1 July to 31 December 2016.

| Notifying party | Received in the period: Number of DBN | Received in the period: Number of healthcare recipients affected | Closed in the period: Number of DBN | Closed in the period: Number of healthcare recipients affected | Open at 31 December: Number of DBN | Open at 31 December: Number of healthcare recipients affected |
|-----------------|---------------------------------------|------------------------------------------------------------------|-------------------------------------|----------------------------------------------------------------|------------------------------------|---------------------------------------------------------------|
| System Operator | 2                                     | 4[1]                                                             | Nil                                 | Nil                                                            | 2                                  | 4[1]                                                          |
| DHS[2]          | 18                                    | 106[1]                                                           | 10                                  | 130                                                            | 13                                 | 43[1]                                                         |

Details of assessments relating to the My Health Record system

Assessments commenced during the reporting period

Assessment: The OAIC has notified the Department of Human Services (DHS) of an upcoming privacy assessment. This assessment will consider DHS’s role as a contractor to the System Operator for services related to the My Health Record system. In particular, the assessment will focus on DHS’s privacy management and governance arrangements as well as the notification of the collection of personal information.

Status: A letter to notify DHS of the assessment was sent on 2 December 2016, and discussions are ongoing as to the conduct of the assessment. It is anticipated that the assessment will be conducted and completed in the next reporting period.

Assessments closed during the reporting period

Assessment: The OAIC conducted an assessment of the System Operator’s implementation of recommendations made by the OAIC in its previous Information Privacy Principle 4 audit of the System Operator. The previous audit examined how the System Operator protected personal information held on the National Repositories Service.

Status: The OAIC concluded this assessment and published the report of the assessment in September 2016.

Assessments commenced in previous reporting periods and still underway

None

Details of mandatory data breach notifications relating to the My Health Record system

Mandatory data breach notifications received during the reporting period

The OAIC received two mandatory data breach notifications from the System Operator during the reporting period, in September 2016 and December 2016. These involved the unauthorised access of a healthcare recipient’s My Health Record by a third party. The review of these notifications was ongoing as at 31 December 2016.

The OAIC also received eighteen mandatory data breach notifications from DHS during the reporting period.

  • Eleven notifications resulted from findings under the Medicare compliance program that certain Medicare claims in the name of a healthcare recipient but not made by that healthcare recipient were uploaded to their My Health Record. These notifications totalled 92 breaches, each of which affected a separate healthcare recipient. Seven of these data breach notifications have been closed, totalling 67 breaches, and the review of the other four notifications, totalling 25 breaches, was ongoing as at 31 December 2016.
  • A further seven notifications, affecting fourteen healthcare recipients, eight with a My Health Record and six without, relate to healthcare recipients with similar demographic information having their Medicare records intertwined. As a result, Medicare claims belonging to another healthcare recipient were made available in the My Health Record of the record owner. Review of these notifications was ongoing as at 31 December 2016.

Mandatory data breach notifications closed during the reporting period

The OAIC completed its enquiries into ten data breach notifications received from DHS between April 2016 and October 2016. These data breach notifications relate to the findings under the Medicare compliance program discussed above.

The OAIC requested further information from DHS regarding the data breaches. Following consideration of the additional material and response provided by DHS, the OAIC considers that DHS has acted appropriately in assessing those incidents, sought to cancel the relevant My Health Records and sought to contact affected individuals.

Mandatory data breach notifications received in previous reporting periods and still open

Two of the data breach notifications received by the OAIC prior to 1 July 2016 were still open at 31 December 2016. These data breach notifications relate to intertwined Medicare records and affected four healthcare recipients and two My Health Records.

Details of complaints relating to the My Health Record system

Complaints finalised during the reporting period

The OAIC finalised one complaint during the reporting period, which alleged that the opt-out portal for the My Health Record system opt-out trials was not appropriately encrypted. The complainant’s concerns were addressed in the course of preliminary enquiries conducted by the OAIC, and the complainant chose to withdraw their complaint.

Compliance activities relating to Healthcare Identifiers Service

Table C: Matters commenced and finalised during the reporting period 1 July to 31 December 2016.

| Matter type                           | Received/commenced during period | Finalised during period | Open at 31 December |
|---------------------------------------|----------------------------------|-------------------------|---------------------|
| Complaints                            | Nil                              | Nil                     | Nil                 |
| Commissioner-initiated investigations | Nil                              | Nil                     | Nil                 |
| Assessments                           | Nil                              | 1                       | Nil                 |

Details of assessments relating to the Healthcare Identifiers Service

Assessments closed during the reporting period

Assessment: The OAIC conducted an assessment into the handling of personal information by the Australian Health Practitioner Regulation Agency (AHPRA) in its role as a national registration authority for healthcare practitioners. The assessment focused on AHPRA’s handling of healthcare identifiers and associated identifying information under APPs 10 (data quality) and 11 (security).

Status: The OAIC has concluded the assessment, and is in the process of publishing the report of the assessment on the OAIC website.

Assessments commenced in previous reporting periods and still underway

None

Other activities

The OAIC is currently scoping a HI Service assessment to be conducted in the next reporting period.

Footnotes

[1] The total number of healthcare recipients affected by the DBNs includes individuals with and without a My Health Record at the time of the breach. Accordingly, there were 103 affected individuals with a My Health Record in the DBNs received in the period, and 38 in the DBNs open at 31 December.

[2] Department of Human Services.