Annual report of the Australian Information Commissioner’s activities in relation to digital health 2018–19

Publication date: September 2019

Download the print version

Preliminary page

Part 1 — Executive summary

This annual report sets out the Australian Information Commissioner’s digital health compliance and enforcement activity during 2018–19, in accordance with s 106 of the My Health Records Act 2012 (My Health Records Act) and s 30 of the Healthcare Identifiers Act 2010 (HI Act), as outlined in the 2017–19 Memorandum of Understanding (MOU) between the Office of the Australian Information Commissioner (OAIC) and the Australian Digital Health Agency (ADHA).

The report also provides information about the OAIC’s other digital health activities, including its assessment program, handling of My Health Record data breaches, development of guidance material, provision of advice, and liaison with key stakeholders.

More information about the MOU is provided in Part 2 of this report. The MOU can also be accessed on the OAIC website.

This was the seventh year of operation of the My Health Record system and the ninth year of the Healthcare Identifiers Service (HI Service), a critical enabler for the My Health Record system and digital health generally.

The management of personal information is at the core of both the My Health Record system and the HI Service (which are collectively referred to as ‘digital health’ in this report). In recognition of the special sensitivity of health information, the My Health Records Act and the HI Act contain provisions that protect and restrict the collection, use and disclosure of personal information. The Information Commissioner oversees compliance with those privacy provisions.

The My Health Record system commenced in 2012 as an opt-in system where an individual needed to register in order to get his or her My Health Record. Trials were conducted regarding opt-out system participation and an independent evaluation was commissioned by the Department of Health to look at the outcomes from these trials.

In the May 2017 Budget, the Australian Government announced the creation of a My Health Record for every Australian to begin nationally from mid-2018. In May 2018, it was announced that a three month opt-out period for individuals would run from 16 July to 15 October 2018. This period was extended to 15 November 2018 and finally to 31 January 2019.

In 2018–19, the OAIC received 35 mandatory data breach notifications one of which on further consideration was found not to be a breach. The remaining 34 notifications recorded 37 separate breaches affecting a total of 65 healthcare recipients, 40 of whom had a My Health Record at the time of the breaches. Five of these notifications were still being considered at the end of the reporting period.

The OAIC also received 57 privacy complaints regarding the My Health Record system, 37 of which have been finalised. Four complaints from the previous reporting period were also finalised in 2018–19. Twenty privacy complaints regarding the My Health Record system were open at the end of the reporting period. There were also five privacy complaints received relating to the HI Service, one of which was closed on the basis that it had been withdrawn by the complainant after being resolved. Four HI Service privacy complaints were open at the end of the reporting period.

In addition to handling data breach notifications and privacy complaints, the OAIC carried out a program of digital health-related work, including:

• commencement of three privacy assessments and progression of one assessment from the previous year
• making submissions to the Senate Community Affairs References Committee concerning their inquiry into the My Health Record system, and to the Senate Community Affairs Legislation Committee concerning the My Health Records Amendment (Strengthening Privacy) Bill 2018 (My Health Records Amendment Bill)
• providing advice to stakeholders, including the ADHA, on privacy-related matters relevant to the My Health Record system
• developing, revising and updating guidance materials for a range of audiences, including the publication of My Health Record related multimedia resources for healthcare providers and new Frequently Asked Questions for consumers, to coincide with the commencement of the opt-out period
• monitoring developments in digital health, the My Health Record system and the HI Service.

Part 2 — Introduction

Many Australians view their health information as being particularly sensitive. This sensitivity has been recognised in the My Health Records Act and HI Act, which regulate the collection, use and disclosure of information, and give the Information Commissioner a range of enforcement powers. This sensitivity is also recognised in the Privacy Act 1988 (Privacy Act) which treats health information as ‘sensitive information’.

Changes to the My Health Record system

In this reporting year, the My Health Record system has moved from a self-register model to an opt-out model. This follows the Australian Government’s announcement in May 2017 of the national expansion of the opt-out participation model for the My Health Record system, after opt-out pilots in Nepean Blue Mountains and far north Queensland in 2016.

The opt-out period for the My Health Record system commenced on 16 July 2018 and ended on 31 January 2019 (having previously been extended on two occasions). The ADHA created My Health Records for individuals following the end of the opt-out period. The records are now available to individuals and to participating healthcare providers.

Additionally, certain privacy-enhancing changes were made to the system during this reporting period. The My Health Records Amendment Bill was passed on 26 November 2018. This introduced measures providing individuals with greater certainty and control over how their My Health Record information will be handled. Key amendments included:

• requiring the ADHA to permanently delete health information about a health care recipient who has cancelled a My Health Record
• restricting the ability of the ADHA to disclose health information contained in a My Health Record to law enforcement agencies and government agencies without an order by a judicial officer
• specifying that My Health Record information cannot be used for insurance or employment purposes
• preventing a person from being an authorised representative of a minor if they have restricted access to a minor or if this may pose a risk to the minor or another person
• increasing civil and criminal penalties for breaches of key privacy protections
• further protections for the use of My Health Record data for research or public health purposes
• removing parents’ access to a young person’s record from age 14, except where the young person has nominated them as an authorised representative.

The regulatory work of the OAIC

The Information Commissioner is the independent regulator of the privacy provisions relevant to the My Health Record system and HI Service. However, as set out in the terms of the MOU with the ADHA, the OAIC also performs proactive education and guidance functions that go beyond compliance and enforcement. During the 2018–19 financial year — and in the context of the shift to an opt-out model for the My Health Record system — the OAIC’s regulatory work has focused on:

• providing consumers with clear and up-to-date information about the My Health Record system, their ability to opt out during the opt-out period, the available privacy settings, and the option to cancel their records at any time
• engaging with the ADHA about the opt-out process, implementation of the amending legislation and privacy aspects of the system more generally
• regulatory oversight of the My Health Record system, including responding to enquiries and complaints, handling mandatory data breach notifications, providing privacy advice, and privacy assessments under our MOU with the ADHA.

Memorandum of Understanding with the ADHA

The OAIC worked with the ADHA to develop a new MOU for the period which sets out operational and funding arrangements between the OAIC and the ADHA and covers activities related to both the My Health Record system and the HI Service. It sets out a program of work that includes business as usual activities (such as responding to requests for advice and investigating privacy complaints relating to digital health), and project-based work (such as developing guidance materials and conducting assessments). Information about these activities is set out in Parts 3 and 4 of this report. Further information about the OAIC’s MOU activities can be found in the MOU, which came into effect on 1 July 2019.

During the reporting period, the OAIC received $1,626,023.40 (GST exclusive)[1] under the MOU.

Information Commissioner’s digital health functions

The My Health Record system

The Information Commissioner has the following roles and responsibilities under the My Health Records Act and the Privacy Act:

• respond to complaints received relating to the privacy aspects of the My Health Record system as the Commissioner considers appropriate, including through preliminary inquiries, conciliation, investigation or deciding not to investigate a complaint
• investigate, on the Commissioner’s own initiative, acts and practices that may be a contravention of the My Health Records Act in connection with health information contained in a healthcare recipient’s My Health Record or a provision of Part 4 or 5 of the My Health Records Act
• receive data breach notifications and assist affected entities to deal with data breaches in accordance with the My Health Record legislative requirements
• investigate failures to notify data breaches
• exercise, as the Commissioner considers appropriate, a range of enforcement powers available in relation to contraventions of the My Health Records Act or contraventions of the Privacy Act relating to the My Health Record system, including making determinations, accepting enforceable undertakings, seeking injunctions and seeking civil penalties
• conduct assessments
• provide a range of advice and guidance material
• maintain guidance for exercising the powers available to the Commissioner in relation to the My Health Record system.

Healthcare Identifiers Service

The Australian Information Commissioner has the following roles and responsibilities under the HI Act and the Privacy Act:

• respond to complaints received relating to the privacy aspects of the HI Service as the Commissioner considers appropriate, including through preliminary inquiries, conciliation, investigation or deciding not to investigate a complaint
• investigate, on the Commissioner’s own initiative, acts and practices that may be a misuse of healthcare identifiers
• receive data breach notifications and respond as appropriate
• conduct assessments
• provide a range of advice and guidance material.

Year in review — a summary

During the 2018–19 financial year, the OAIC undertook the following activities:

* This includes submissions.
# An enquiry was made into one notification and found not to be a data breach.

Part 3 — OAIC and the My Health Record system

The OAIC performs a range of functions in relation to the My Health Record system. These functions include legislative compliance and enforcement activities and other activities set out under the MOU, including providing privacy-related advice and developing guidance materials for internal and external stakeholders.

Compliance and enforcement activities include:

• receiving, conciliating and investigating complaints about alleged interferences with the privacy of a healthcare recipient in relation to the My Health Record system
• conducting Commissioner initiated investigations of any act or practice that may be a contravention of the My Health Records Act
• conducting assessments of participants in the system to ensure they are complying with their privacy obligations
• receiving mandatory data breach notifications from system participants.

Information about the OAIC’s enforcement and compliance activities is set out on page 9.

The OAIC is also responsible for producing statutory and regulatory guidance for consumers and other participants such as healthcare providers, registered repository operators and the System Operator (the ADHA). In addition, the OAIC responds to enquiries and requests for policy advice from a broad range of stakeholders about the privacy framework for the My Health Record system and the appropriate handling of My Health Record information. These activities are an important component of the OAIC’s regulatory role under the My Health Record system.

To deliver these outcomes, the OAIC liaised with external stakeholders including professional industry bodies in the health sector and consumer organisations. Information about the OAIC’s activities in relation to providing advice, developing guidance material and liaison with key stakeholders is provided below.

OAIC enforcement and compliance activities

Complaints and investigations relating to the My Health Record system

The OAIC received 57 complaints about the My Health Record system during 2018–19, 37 of which have been finalised. Four complaints from the previous reporting period were also finalised during 2018–19. Twenty complaints from 2018–19 remain ongoing.

No complaint investigations or Commissioner initiated investigations were commenced or finalised during the reporting period.

During 2018–19, the OAIC saw a significant increase in complaints about the My Health Record system (57 complaints were received during this reporting period compared to eight received during 2017–18). This increase appeared to be a result of individuals becoming aware that a My Health Record would be created for them if they did not opt-out by 31 January 2019.

Some individuals also lodged complaints about not being able to cancel or permanently delete a My Health Record. Changes to the legislation in 2018 introduced the legislative authority for an individual to request the permanent deletion of his or her My Health Record. There has been a reduction in the number of complaints received about My Health Records since 31 January 2019.

Assessments relating to the My Health Record system

Under the MOU with the ADHA, the OAIC is required to conduct a minimum of four and up to six assessments during the 2017–18 and 2018–19 financial years in relation to the My Health Record system and the HI service.

The OAIC initiated three assessments relating to the My Health Record system in 2018–19, and continued to progress one assessment that began in the previous year.

Assessment of the ADHA — reasonable steps to protect personal information held in the My Health Record system

In 2017–18, the OAIC conducted an assessment of the ADHA’s handling of personal information. The assessment focused on Australian Privacy Principle (APP) 11 which requires the ADHA to take reasonable steps to protect personal information held in the My Health Record system and on the relevant provisions in the My Health Records Act. The assessment will be finalised in the 2019–20 financial year.

Assessment of two private hospitals — access controls for the My Health Record system

In 2018–19, the OAIC conducted an assessment of two private hospitals and their access controls for the My Health Record system. The assessment examined whether the hospitals had appropriate governance and information security arrangements to manage access security risks in accordance with Rule 42 of the My Health Records Rule and APPs 1.2 and 11. The assessment will be finalised in the 2019–20 financial year.

Assessment of 14 pharmacies — access controls for the My Health Record system

In 2018–19, the OAIC conducted an assessment of 14 pharmacies and their access controls for the My Health Record system. The assessment involved a self-administered questionnaire and desktop review of documentation. It examined whether the pharmacies had appropriate governance and information security arrangements to manage access security risks in accordance with Rule 42 of the My Health Records Rule and APPs 1.2 and 11. The assessment will be finalised in the 2019–20 financial year.

Assessment of eight pathology and diagnostic imaging services

In 2018–19, the OAIC conducted an assessment of eight pathology and diagnostic imaging services and their access controls for the My Health Record system. The assessment involved a self-administered questionnaire and desktop review of documentation. It examined whether these services had appropriate governance and information security arrangements to manage access security risks in accordance with Rule 42 of the My Health Records Rule and APPs 1.2 and 11. The assessment will be finalised in the 2019–20 financial year.

* Including 1 carried over from 2017–18
# Including 3 carried over from 2017–18.

In 2018–19, the OAIC received four data breach notifications from the My Health Record System Operator. Two notifications, each involving one data breach, related to unauthorised access to a My Health Record by a third party while conducting fraudulent Medicare-claiming activity online. One notification involved a data breach, which resulted in unauthorised access to a My Health Record due to incorrect Medicare enrolment. An enquiry was made into the other notification and it was confirmed that a data breach had not occurred.

The OAIC also received 31 notifications from the Chief Executive of Medicare in their capacity as a registered repository operator under s 38 of the My Health Records Act.

• Twenty-seven of these notifications involved separate breaches related to intertwined Medicare records, where healthcare recipients with similar demographic information shared the same Medicare record. These intertwined Medicare records resulted in Medicare providing data to the incorrect individual’s My Health Record.
• Four notifications, involving seven separate breaches, resulted from findings under the Medicare compliance program. In these instances, certain Medicare claims made in the name of a healthcare recipient, but not by that healthcare recipient, were uploaded to the individual’s My Health Record.
• Six notifications remained open at the end of the reporting period. The OAIC has sought further clarification of the circumstances of the breaches contained within those notifications.

My Health Record system advice, guidance, liaison and other activities

Advice

My Health Record system enquiries

The OAIC’s enquiries team received 145 enquiries about the My Health Record system during the reporting period. These included general enquiries related to the My Health Record system, data breaches, access to the records of children and the opt-out process.

Policy advice to stakeholders and members of the public

During the reporting period, the OAIC provided 15 policy advices to various stakeholders related to the My Health Record system. These included:

• comments to an Australian Government agency about the interpretation of certain provisions of the Privacy Act and its application to the My Health Records Act
• consultation with the Department of Health during the drafting phase of the My Health Records Amendment Bill and comments to the Attorney-General’s Department regarding this Bill
• assisting the Royal Australian College of General Practitioners to develop a data breach flow chart for their website
• response to an Australian Government agency’s query about Personally Controlled Electronic Health Records and the My Health Record system
• responses to various requests for advice from stakeholders such as consumer representative bodies and private sector representatives (representing health service providers and in digital technology).

Policy advice to the ADHA

Under the 2017–19 MOU with the ADHA, the OAIC liaised and coordinated with the My Health Record System Operator on privacy-related matters in relation to the system, including those arising from changes to the system introduced by the My Health Records Amendment Bill.

During the reporting period, this included providing feedback to the ADHA on draft communications materials aimed at:

• informing consumers about how they can use their My Health Record, including privacy and security controls
• updating health providers on record creation and informing them of the above consumer resources.

Submissions

The OAIC made two submissions related to the My Health Record system during the reporting period.

The OAIC made a submission to the Senate Community Affairs References Committee concerning its inquiry into the My Health Record system. In this submission, the OAIC:

• noted the importance of an effective communications awareness campaign given the move to opt-out arrangements
• stated our view that individual clinicians accessing a My Health Record should be able to be identified in the System Operator’s audit log
• encouraged further consideration and/or consultation on issues such as: default privacy settings, parental access, automatic upload of Medicare information, the effect of the opt-out model on individuals at risk from family violence, and access to My Health Record information by third parties
• welcomed further engagement with the Department of Health and the ADHA on the secondary use of information in the My Health Record system.

The OAIC also made a submission to the inquiry into the My Health Records Amendment Bill by the Senate Community Affairs Legislation Committee. In its submission, the OAIC noted its support for measures in the Bill providing individuals with greater certainty and control over how their My Health Record information would be handled. In particular, the OAIC supported amendments that enhanced privacy in relation to:

• disclosure of health information by the ADHA for law enforcement purposes
• disclosure of health information by participants in the My Health Record system where this is authorised by law
• the permanent deletion of records where a person has cancelled a My Health Record.

Guidance

For healthcare providers

The OAIC has continued to develop and promote guidance materials and resources about the My Health Record system across a range of channels.

This includes development of a new website to highlight educational videos for healthcare providers. The videos explain the role of the OAIC in the My Health Record system, mandatory data breach notification requirements in the My Health Records Act, and give an overview of legislative requirements and privacy best practice when it comes to handling sensitive information in the My Health Record system.

An infographic for healthcare providers outlining the mandatory data breach notification requirements under the My Health Record system was published to complement the OAIC’s existing Guide to mandatory data breach notification in the My Health Record system.

We also updated existing resources for healthcare providers to reflect the shift to an opt-out participation model. Updates were published in July 2018 to coincide with the commencement of the opt-out period, and in March 2019.

For consumers

A series of eight new ‘Frequently Asked Questions’ (FAQs) were developed to help consumers make informed decisions about opting out of the My Health Record system and protecting their health information should they choose not to opt out. The FAQs were published on 16 July 2018 to coincide with the commencement of the opt-out period.

The OAIC also made significant updates to the existing suite of My Health Record consumer fact sheets to reflect the shift to an opt-out participation model. This included advice on:

• protecting the personal information in your My Health Record
• the OAIC and the My Health Record system
• how to manage your My Health Record
• young people and the My Health Record system
• Medicare and your My Health Record
• emergency access and your My Health Record.

The updated fact sheets were published on 16 July 2018 to coincide with the commencement of the opt-out period.

In February 2019, we updated the My Health Record section for individuals on the OAIC website to reflect the move to an opt-out participation model and improve readability.

External engagement

The OAIC actively promoted greater awareness of privacy rights and responsibilities within the My Health Record system through our external stakeholder engagement program for 2018–19.

Led by our executive, we participated in a range of conferences and other events to raise health service providers’ awareness of their obligations when handling personal information under the Privacy Act and the My Health Records Act.

• In October 2018, Assistant Commissioner Melanie Drayton presented to the Australian Association of Practice Management Conference, explaining the health sector’s obligations under the Notifiable Data Breaches scheme and the interrelationship with My Health Record system requirements.
• Commissioner Angelene Falk focused on privacy obligations and prevention of data breaches in an address to the Medical Software Industry Association Summit in Sydney in November 2018.
• Principal Director Amie Grierson led a discussion about patient privacy and how to protect personal information at the Australian Private Hospitals Association National Congress in Melbourne in March 2019.

We promoted awareness of the privacy aspects of the My Health Record system through our communications channels, including our website, media comments and social media accounts. The OAIC responded to 25 media inquiries about My Health Records during 2018–19.

We also partnered with the Royal Australian College of General Practitioners (RACGP) during the reporting period to develop training and information resources on privacy for healthcare providers, including data breaches within the My Health Record system. We took part in three webinars for RACGP members on preventing breaches of patient privacy, and developed a new resource explaining the key steps in reporting a data breach under both the Notifiable Data Breaches scheme and the My Health Records Act.

Sharing My Health Record — It’s My Choice consumer resources

In 2018–19 we released a series of consumer resources to inform people about how to take additional steps to protect their privacy when using the My Health Record system. The release of the Sharing My Health Record — It’s My Choice resources coincided with the end of the opt-out period and were supported by a dedicated website and live action videos, as well as being promoted through social media and the OAIC website.

The resources explained the privacy controls available to users, including options to control and monitor access, set up access alerts, remove documents, or permanently delete a My Health Record.

The consumer resources were featured alongside the OAIC’s existing video resources for health service providers in a new microsite. Information for individuals and health service providers on the OAIC’s website was extensively updated to reflect changes made as part of the shift to an opt-out system.

Liaison

Liaison with the System Operator

The OAIC liaised regularly with the ADHA to discuss MOU activities and other matters relating to the My Health Record system.

The OAIC engaged with the ADHA about the My Health Records system, including on post opt-out arrangements and the implementation of the My Health Records Amendment (Strengthening Privacy) Act. This included meetings with the ADHA on:

• the security aspects of the My Health Record system
• the ADHA’s communications strategy in relation to the national opt-out expansion of the My Health Record system
• implementing changes in legislative arrangements for the My Health Records of young persons aged 14–17 years
• implementing legislative changes that require the permanent deletion of health information when a person cancels a My Health Record.

Liaison with other key stakeholders

The OAIC met the Australian Institute of Health and Welfare (AIHW) in relation to secondary uses of My Health Record system data on two occasions. The OAIC also met the Department of Health to discuss secondary use of My Health Record system data.

OAIC staff delivered presentations to health stakeholders during the reporting period including a presentation delivered to the South Australian Network of Drug and Alcohol Services (SANDAS) Roundtable on Privacy and Information Sharing. This presentation included a discussion about My Health Record and Health Identifiers.

Other activities

Strengthening internal expertise

Throughout 2018–19, the OAIC continued to develop internal expertise regarding its functions and powers in connection with the My Health Record system. This involved ensuring new staff received induction training in digital health and the OAIC’s regulatory oversight role. Staff who are new to working on digital health receive extensive on-the-job training to ensure they acquire the necessary digital health subject matter knowledge.

An updated My Health Record induction session was delivered to new staff to help them develop a comprehensive understanding of digital health policy issues and initiatives, the My Health Record system and the OAIC’s regulatory role. The session included information specific to the changes introduced by the My Health Records Amendment Bill.

Monitoring developments in digital health and the My Health Record system

Under the MOU with the ADHA, the OAIC is required to monitor developments in digital health and the My Health Record system to ensure it is able to provide informed advice about privacy aspects of the operation of the system and the broader digital health context. During the reporting period, staff attended:

• the Health Informatics Society of Australia conference in Sydney, which included presentations on issues such as health data, patient-centred technology, systems responses to technological change and Australia’s digital health future
• a webinar series by the Consumers Health Forum of Australia.

In addition, OAIC staff:

• reviewed and analysed the My Health Records Amendment Bill and corresponding Act, including in relation to provisions concerning young people, new civil and criminal penalties, and secondary use of My Health Record data
• analysed various international digital health systems
• monitored news clips, relevant parliamentary committees, and digital health and related websites and blogs.

Part 4 — OAIC and the Healthcare Identifiers Service

The HI Service is a foundation service for a range of digital health initiatives in Australia, particularly the My Health Record system. Accordingly, the use of healthcare identifiers has increased since the launch of the My Health Record system on 1 July 2012.

Under the My Health Record system, healthcare identifiers:

• are used to identify healthcare recipients who register for a My Health Record
• enable the My Health Record System Operator to authenticate the identity of all individuals who access a My Health Record and record activity through the audit trail
• help ensure the correct health information is associated with the correct healthcare recipient’s My Health Record.

Registration with the HI Service is a prerequisite for a healthcare provider organisation to be registered for the My Health Record system.

OAIC compliance and enforcement activities

Complaints relating to the Healthcare Identifiers Service

The OAIC received five complaints about healthcare identifiers in 2018–19, one of which was closed on the basis that it had been withdrawn by the complainant after being resolved. Four complaints from 2018–19 remain ongoing.

Investigations relating to the Healthcare Identifiers Service

No complaint investigations or Commissioner initiated investigations were commenced or finalised during the reporting period. At 30 June 2019, there were no HI investigations open.

Assessments relating to the Healthcare Identifiers Service

Under the MOU with the ADHA, the OAIC was required to conduct a minimum of four and up to six assessments during the 2017–18 and 2018–19 financial years in relation to the My Health Record system and the HI service.

The OAIC did not conduct an assessment of the HI Service in 2018–19. Work continued on one assessment that was commenced in 2017–18.

Healthcare identifiers advice, guidance, liaison and other activities

Advice

In relation to the HI Service, the OAIC provided advice to:

• the independent reviewer of the HI Act and the HI Service — the OAIC consulted with the reviewer, providing recommendations and raising issues in relation to the service
• a health service provider representative regarding the range of health providers under the HI Act and the Healthcare Identifier review.

Other activities

Monitoring developments in digital health and the Healthcare Identifiers Service

Under the MOU with the ADHA, the OAIC is required to monitor developments in digital health and the HI Service to ensure the OAIC is aware of the implications of any developments for the HI Service and is able to offer informed advice about privacy aspects of the HI Service in the broader digital health context. During the reporting period, the OAIC:

• monitored developments relating to digital health and the HI Service through news clips and digital health websites and blogs
• as outlined above in relation to the My Health Record system, attended various conferences related to digital health.

Angelene Falk

Australian Information Commissioner
Australian Privacy Commissioner

17 September 2019

oaic.gov.au

Office of the Australian Information Commissioner

1300 363 992
enquiries@oaic.gov.au
@OAICgov