Annual report of the Australian Information Commissioner’s activities in relation to digital health 2016–17

Board 11 October 2017

Item 8.4 Attachment C


The Office of the Australian Information Commissioner (OAIC) was established on 1 November 2010 by the Australian Information Commissioner Act 2010.

All OAIC publications can be made available in a range of accessible formats for people with disabilities. If you require assistance, please contact the OAIC.

ISSN 2202–7262

Creative Commons

With the exception of the Commonwealth Coat of Arms, this Annual report of the Information Commissioner’s activities in relation to digital health, 2016–17 is licensed under a Creative Commons Attribution 3.0 Australia licence (creativecommons.org/licenses/by/3.0/au/deed.en).

This publication should be attributed as: Office of the Australian Information Commissioner, Annual report of the Information Commissioner’s activities in relation to digital health, 2016–17.

Enquiries regarding the licence and any use of this report are welcome at:

Office of the Australian Information Commissioner

GPO Box 5218 Sydney NSW 2001

Tel: 02 9284 9800 TTY: 1800 620 241 (no voice calls)

Email: [email protected]


Contents

Part 1: Executive summary 2

Part 2: Introduction 4

The Australian Information Commissioner’s digital health functions 4

Year in review — a summary 6

Part 3: OAIC and the My Health Record system 7

OAIC enforcement and compliance activities 7

My Health Record system advice, guidance, liaison and other activities 10

Part 4: OAIC and the Healthcare Identifiers Service 16

OAIC compliance and enforcement activities 16

Healthcare identifiers advice, guidance, liaison and other activities 17


Part 1: Executive summary

From 1 July 2016, national digital health governance arrangements and My Health Record system operations transitioned from the Department of Health and the National E-Health Transition Authority to a new body, the Australian Digital Health Agency (the Agency).

This annual report sets out the Australian Information Commissioner’s digital health compliance and enforcement activity during 2016–17, in accordance with s 106 of the My Health Records Act 2012 (My Health Records Act) and s 30 of the Healthcare Identifiers Act 2010 (Cth) (HI Act), as outlined in the 2016–17 memorandum of understanding (MOU) between the Office of the Australian Information Commissioner (OAIC) and the Agency.

The report also provides information about the OAIC’s other digital health activities, including its assessment program, development of guidance material, provision of advice, and liaison with key stakeholders.

More information about the MOU is provided in section 2 of this report. The MOU can also be accessed on the OAIC’s website www.oaic.gov.au.

This was the fifth year of operation of the My Health Record system and the seventh year of the Healthcare Identifiers (HI) Service, a critical enabler for the My Health Record system and digital health generally.

The management of personal information is at the core of both the My Health Record system and the HI Service (collectively referred to as ‘digital health’ in this report). In recognition of the special sensitivity of health information, the My Health Records Act and the HI Act contain provisions that protect and restrict the collection, use and disclosure of personal information. The Australian Information Commissioner oversees compliance with those provisions and is the independent regulator of the privacy aspects of the My Health Record system and the HI Service.

The My Health Record system commenced in 2012 as an opt-in system where an individual needed to register in order to get their My Health Record. In March 2016, the Australian Government commenced a trial of opt-out system participation in Far North Queensland and in the Nepean Blue Mountains region of New South Wales. A My Health Record was created for each individual living in those areas, unless the individual chose to opt out of participating in the trial.


Changes to the My Health Records Act introduced by the Health Legislation Amendment (eHealth) Act 2015 enabled the trial to be undertaken. That amendment Act also introduced a number of other changes across digital health legislation and the Privacy Act 1988 (Privacy Act), including streamlining the personal information handling authorisations, and introducing additional civil and criminal penalties for privacy breaches. An independent evaluation of the trials commissioned by the Department of Health was conducted to look at the outcomes from these trials.

In the May 2017 Budget, the Australian Government announced the creation of a My Health Record for every Australian to begin nationally from mid-2018.

In 2016–17, the OAIC received 35 mandatory data breach notifications. These notifications recorded 140 separate breaches affecting a total of 152 healthcare recipients, 144 of whom had a My Health Record at the time of the breaches. Five of these notifications remain open at the end of the reporting period.

The OAIC received two complaints regarding the My Health Record system and no complaints relating to the HI Service. In addition to handling data breach notifications, the OAIC carried out a full program of digital health-related work, including:

• commencement of one privacy assessment and completion of two assessments from the previous year

• liaising with the Agency and the Department of Health on the decision for national expansion of My Health Record in 2018

• making submissions to various stakeholders on matters either directly related to or associated with the My Health Record system. This included a submission to the Agency on the development of the National Digital Health Strategy

• providing advice to stakeholders, including the Agency, on privacy related matters relevant to the My Health Record system

• developing, revising and updating guidance materials for a range of audiences, including the development of My Health Record related multimedia resources for healthcare providers

• participation in the Privacy and Security Advisory Committee, one of the advisory committees established by the Agency to support the Agency’s Board

• monitoring developments in digital health, the My Health Record system and the HI Service.


Part 2: Introduction

Many Australians view their health information as being particularly sensitive. This sensitivity has been recognised in the My Health Records Act and HI Act, which regulate the collection, use and disclosure of information, and give the Australian Information Commissioner a range of enforcement powers. This sensitivity is also recognised in the Privacy Act, which treats health information as ‘sensitive information’.

The Australian Information Commissioner is the independent regulator for the privacy aspects of the My Health Record system and HI Service, and plays a crucial role in overseeing compliance with privacy provisions. However, the OAIC’s role is not limited to compliance and enforcement. During the 2016–17 financial year, the OAIC also carried out a number of other digital health activities under its MOU with the Agency.

The MOU covers activities related to both the My Health Record system and the HI Service. It sets out a program of work that included business as usual activities (such as responding to requests for advice and investigating privacy complaints relating to digital health), and project-based work (such as developing guidance materials and conducting assessments). Information about these activities is set out in sections 3 and 4 of this report. Further information about the OAIC’s MOU activities can be found in its Biannual Reports under the MOU, available on the OAIC website www.oaic.gov.au.

The Agency provided the OAIC with $2,076,649.94 (GST exclusive) in 2016–17 to carry out activities in accordance with the MOU. [1]

[1] This figure is also included in the OAIC’s Annual Report 2016–17.

The Australian Information Commissioner’s digital health functions

The My Health Record system

The Australian Information Commissioner has the following roles and responsibilities under the My Health Records Act and Privacy Act:

• respond to complaints received relating to the privacy aspects of the My Health Record system as the Commissioner considers appropriate, including through preliminary inquiries, conciliation, investigation or deciding not to investigate a complaint


• investigate, on the Commissioner’s own initiative, acts and practices that may be a contravention of the My Health Records Act in connection with health information contained in a healthcare recipient’s My Health Record or a provision of Part 4 or 5 of the My Health Records Act

• receive data breach notifications and assist affected entities to deal with data breaches in accordance with the My Health Record legislative requirements

• investigate failures to notify data breaches

• exercise, as the Commissioner considers appropriate, a range of enforcement powers available in relation to contraventions of the My Health Records Act or contraventions of the Privacy Act relating to the My Health Record system, including making determinations, accepting enforceable undertakings, seeking injunctions and seeking civil penalties

• conduct assessments

• provide a range of advice and guidance material

• comment on draft legislation that may interact with the My Health Records Act

• maintain guidance for exercising the powers available to the Commissioner in relation to the My Health Record system.

Healthcare Identifiers Service

The Australian Information Commissioner has the following roles and responsibilities under the HI Act and Privacy Act:

• respond to complaints received relating to the privacy aspects of the HI Service as the Commissioner considers appropriate, including through preliminary inquiries, conciliation, investigation or deciding not to investigate a complaint

• investigate, on the Commissioner’s own initiative, acts and practices that may be a misuse of healthcare identifiers

• receive data breach notifications and respond as appropriate

• conduct assessments

• provide a range of advice and guidance material

• comment on draft legislation that may interact with the HI Act.


Year in review — a summary

During the 2016–17 financial year, the OAIC undertook the following activities:

TABLE 1: OAIC MY HEALTH RECORD AND HI SERVICE ACTIVITIES 2016–17

| Activity | My Health Record | HI Service |
|---|---|---|
| Telephone enquiries | 2 | 0 |
| Written enquiries | 4 | 1 |
| Complaints finalised | 2 | 0 |
| Policy advices [2] | 11 | 2 |
| Assessments completed | 1 | 1 |
| Mandatory data breach notifications received | 35 | n/a |
| Media enquiries | 8 | 0 |

[2] This includes submissions. Also, one policy advice related to both the My Health Record system and the HI Service and is included in both columns.


Part 3: OAIC and the My Health Record system

The OAIC performs a range of functions in relation to the My Health Record system. These functions include compliance and enforcement activities and other activities set out under the MOU, including providing privacy related advice and developing guidance and training materials for internal and external stakeholders.

Compliance and enforcement activities include:

• receiving and investigating complaints about alleged interferences with the privacy of a healthcare recipient in relation to the My Health Record system

• conducting assessments of participants in the system to ensure they are complying with their privacy obligations

• receiving mandatory data breach notifications from system participants.

Information about the OAIC’s enforcement and compliance activities is set out below.

The OAIC is also responsible for producing statutory and regulatory guidance for consumers and other participants such as healthcare providers, registered repository operators and the System Operator. In addition, the OAIC responds to enquiries and requests for policy advice from a broad range of stakeholders about the privacy framework for the My Health Record system and the appropriate handling of My Health Record information. These activities are an important component of the OAIC’s regulatory role under the My Health Record system.

To deliver these outcomes, the OAIC liaised with external stakeholders including professional industry bodies in the health sector and consumer organisations. Information about the OAIC’s activities in relation to providing advice, developing guidance material and liaison with key stakeholders is provided below.

OAIC enforcement and compliance activities

Complaints and investigations relating to the My Health Record system

The OAIC received two complaints about the My Health Record system during 2016–17, one of which has been finalised. A complaint from the previous reporting period was also finalised during 2016–17. The OAIC is undertaking preliminary inquiries relating to the ongoing complaint.

Under s 40(2) of the Privacy Act, the Australian Information Commissioner also has the discretion to investigate an act or practice that may be an interference with privacy, on the Commissioner’s own initiative (without first receiving a complaint from an individual).


During 2016–17, the Australian Information Commissioner did not carry out any Commissioner initiated investigations into the My Health Record system.

Assessments relating to the My Health Record system

Under the MOU with the Agency, the OAIC was required to conduct up to two assessments in 2016–2017 from the following targets:

• the My Health Record System Operator, and

• agencies and organisations participating in the My Health Record system.

The OAIC initiated one assessment relating to the My Health Record system in 2016–17, and finalised one assessment commenced in the previous reporting period.

ASSESSMENTS CONDUCTED IN 2016–17

| Assessment subject | No. entities assessed | Year opened | Closed |
|---|---|---|---|
| 1. Follow up assessment of the 2014 audit of the National Repositories Service — APP 11 | 1 | 2015–2016 | September 2016 |
| 2. Assessment of the Department of Human Services (DHS) as a contractor to the System Operator for services related to the My Health Record System — APP 1.2 | 1 | 2016–2017 | Ongoing |

Follow up assessment of the 2014 audit of the National Repositories Service

The OAIC undertook an assessment of the System Operator’s implementation of recommendations made by the OAIC in its previous audit of the System Operator against Information Privacy Principle 4. The previous audit examined how the System Operator protected personal information held on the National Repositories Service.

Assessment of the Department of Human Services (DHS) as a contractor to the System Operator for services related to the My Health Record system

The OAIC has conducted an assessment of the DHS as a contractor to the System Operator for services related to the My Health Record system. In particular, the assessment focused on DHS’s privacy management and governance arrangements. Fieldwork was conducted in late March 2017. A draft report is being prepared.


Receiving mandatory data breach notifications

| Notifying party | Received in the period: number of data breach notifications | Received in the period: number of healthcare recipients affected [3] | Closed in the period: number of data breach notifications | Closed in the period: number of healthcare recipients affected [3] | Open at 30 June: number of data breach notifications | Open at 30 June: number of healthcare recipients affected [3] |
|---|---|---|---|---|---|---|
| System Operator | 6 | 11 | 5 | 9 | 1 | 2 |
| DHS | 29 | 141 | 30 | 200 | 4 | 8 |

[3] The total number of healthcare recipients affected by the DBNs includes individuals with and without a My Health Record at the time of the breach. Accordingly, for DHS, there were 134 affected individuals with a My Health Record in the DBNs received in the period, 192 affected individuals with a My Health Record in the DBNs closed in the period and 7 affected individuals with a My Health Record in the DBNs that remained open as at 30 June. For the System Operator, there were 10 affected individuals with a My Health Record in the DBNs received, 8 affected individuals with a My Health Record in the DBNs closed in the period and 2 affected individuals with a My Health Record in the DBNs that remained open as at 30 June.

The OAIC received six data breach notifications from the System Operator under s 75 of the My Health Records Act. They involved the unauthorised access of a healthcare recipient’s My Health Record by a third party.

The OAIC also received 29 notifications under s 75 of the My Health Records Act from the Chief Executive of Medicare in their capacity as a registered repository operator under s 38 of the My Health Records Act.

• Twenty notifications resulted from findings under the Medicare compliance and data integrity programs that certain Medicare claims made in the name of a healthcare recipient but not by that healthcare recipient were uploaded to their My Health Record. These notifications totalled 123 breaches, each of which affected a separate healthcare recipient.

• Nine notifications, each reporting a single breach affecting two healthcare recipients, related to healthcare recipients with similar demographic information having their Medicare records intertwined. As a result, Medicare claims belonging to another healthcare recipient were made available in the My Health Record of the record owner.

Of the 29 received, four notifications remain open as at the end of the reporting period. The OAIC expects to close these notifications following further clarification of the circumstances of the breaches contained within those notifications.


My Health Record system advice, guidance, liaison and other activities

Advice

My Health Record system enquiries

The OAIC’s Enquiries Team received six enquiries about the My Health Record system during the reporting period. These enquiries related to general information about the My Health Record system, access to the records of children and the opt-out process.

Policy advice to stakeholders and members of the public

During the reporting period, the OAIC provided three policy advices related to the My Health Record system to various stakeholders. These included:

• a response to an enquiry from a health industry consulting practice on re-identification risks, in the context of developing a framework for the secondary uses for My Health Record data

• comments to the Department of Health on a draft privacy impact assessment on the proposed National Cancer Screening Register. The comments included an explanation of the My Health Record system’s access controls and an overview of how information is authorised, by the My Health Records Act 2012 (My Health Records Act), to be uploaded to the system

• providing a response to questions taken on notice following the Commissioner’s appearance before the Senate Standing Committee on Community Affairs regarding the National Cancer Screening Register Bill 2016. The response included an explanation of the penalties in the My Health Records Act for mishandling personal information in an individual’s My Health Record, and information regarding the way in which the My Health Records Act refers to its interaction with the Privacy Act.

The OAIC further considered a request for advice from a State government body about the application and interpretation of certain provisions of the My Health Records Act.

Policy advice to the Australian Digital Health Agency

Under its MOU with the Agency, the OAIC liaised and coordinated with the My Health Record System Operator on privacy related matters in relation to the system, including providing feedback and advice on proposals and projects with a possible privacy impact. During the reporting period, the OAIC provided three policy advices to the Agency. These were:

• comments to the Agency on a draft privacy impact assessment relating to third party development of mobile applications which will enable consumers to include information from their My Health Record system in an app


• comments to the Agency on its draft ‘My Health Record informed consent requirements and guidelines’, which outlined requirements for app developers to meet when seeking and obtaining an individual’s consent to connect with and access information in their My Health Record

• policy advice to the Agency on the application of certain provisions of the Privacy Act 1988 (Privacy Act) and the Freedom of Information Act 1982.

Submissions

The OAIC made five submissions which either directly related to, or touched upon, the My Health Record system during the reporting period. These included a submission to the Agency on the development of the National Digital Health Strategy. In its submission, the OAIC expressed support for initiatives that seek to maximise and enhance the use of data in the public interest, provided that privacy is a central consideration. The OAIC noted that the success of the National Digital Health Strategy will depend largely on transparency and establishing trust as to how personal health data will be used, strong community support for new health data activities, and the ability of individuals to have control over how their data will be used.

The second submission was to the Australian Law Reform Commission’s (ALRC) inquiry on elder abuse. In its submission, the OAIC noted its view that enduring documents should not be uploaded to an individual’s My Health Record as these documents are not solely about healthcare and treatment, but can also include other sensitive information, such as financial information. The ALRC held a similar view, which was further detailed in the Elder Abuse Discussion Paper.

In March 2017, the OAIC made a submission to the Department of Health on the draft National Health Genomics Policy Framework, which highlighted the information handling provisions of the My Health Records Act in response to the discussion about how genomics data may be shared and stored.

The OAIC provided comments to the Royal Australian College of General Practitioners on the second draft of the Standards for general practices (5th edition). The comments included a recommendation to clarify references to health records so that it was clear whether certain parts of the Standards referred to local patient health records or to the My Health Record system.

In September 2016, the OAIC made a submission to the Senate Standing Committee on Community Affairs on the National Cancer Screening Register Bill 2016. The submission recommended that consistent language be used to describe the process of withdrawing participation in the Register with withdrawing participation in the My Health Record system (i.e. the language around ‘opting-out’). The submission also suggested that the Register operator’s security requirements could be strengthened by requiring the operator to report data breaches and specifying requirements around the handling of data breaches in a manner consistent with the data breach requirements in section 75 of the My Health Records Act. Consistency with the My Health Records Act requirements is particularly important if the Register will link to the My Health Record system and if information in the Register will be made available through that system.


Guidance

For healthcare providers

The OAIC has implemented a more contemporary approach to developing guidance materials, producing a range of multimedia resources for healthcare providers.

Three videos have been developed. One summarises the role of the OAIC in the My Health Record system and is based on an existing fact sheet currently available on the OAIC’s website. The second explains the mandatory data breach notification requirements in the My Health Records Act to healthcare providers. The third provides an overview of the legislative requirements and privacy best practice when it comes to handling sensitive information in the My Health Record system. The third video will complement two new written business resources for healthcare providers covering the legislative requirements that apply to handling a patient’s personal information when using the My Health Record system and tips on how to protect a patient’s privacy.

An infographic for healthcare providers on the mandatory data breach notification requirements under the My Health Record system will accompany the videos described above and will complement the OAIC’s existing Guide to mandatory data breach notification in the My Health Record system.

These resources will be published on the OAIC website in the coming months and distributed via media.

For consumers

In January 2017, the OAIC published two fact sheets for consumers. While these fact sheets are not specific to the My Health Record system, they relate to health privacy issues including privacy protection of health information and access to, and correction of, health information.

External engagement

The Consumer Privacy Network assists the OAIC to further understand and respond to contemporary privacy issues affecting consumers. In March 2017 a forum was held with a specific focus on health. Attendees were provided with an overview of the OAIC’s role and work relating to digital health and the My Health Record system. Members also provided information on issues and concerns for consumers in the privacy and health space and provided valuable feedback on strategies for communicating with stakeholders.

The Deputy Commissioner spoke at the Hickson’s Health Law Forum, providing an overview of the OAIC’s role in the My Health Record system and of the specific information handling provisions of the My Health Records Act. Also, the Assistant Commissioner participated in a panel discussion as part of CeBIT, the annual business technology conference and exhibition. The panel discussion focused on digital health data, information management and clinical informatics. It included discussion on ensuring privacy, protection and data integrity requirements.


The OAIC also attended the 46th Asia Pacific Privacy Authorities (APPA) Forum in Mexico on 30 November

to 2 December 2016 and provided an enforcement report, which included an outline of the penalty

provisions relevant to the My Health Records Act and the Healthcare Identifiers Act 2010 (HI Act). A similar

report was prepared for the 47th APPA Forum.

LiaisonLiaison with the System OperatorThe OAIC liaised regularly with the Agency to discuss MOU activities and other matters relating to the

My Health Record system.

The OAIC engaged with both the Agency and the Department of Health about the decision to move to

an opt-out participation arrangement for the My Health Record system, following the conclusion of the

opt-out trials and the finalisation of the evaluation process.

OAIC staff also met with Agency staff to receive information about, and discuss, the work of the Agency’s

Digital Health Cyber Security Centre.

The OAIC participated in the Privacy and Security Advisory Committee, one of the advisory committees

established by the Agency to support the Agency’s Board.

In addition, the OAIC also reported to the Agency on activities performed in relation to the My Health

Record system through its two biannual reports. The biannual reports are published on the OAIC website.

Liaison with other key stakeholdersIn addition to liaising with the Agency and the Department of Health, the Privacy Commissioner and

OAIC staff participated in a preliminary consultation with Health Consult to discuss the development of a

framework for secondary uses of My Health Record data.

Other activities

Strengthening internal expertise

Throughout 2016–17, the OAIC continued to develop its internal expertise relating to its functions and powers in connection with the My Health Record system. This involved ensuring new staff received induction training in digital health and the OAIC’s regulatory oversight role. Staff who are new to working specifically on digital health receive extensive on-the-job training to ensure that they acquire the necessary digital health subject matter knowledge.

To assist OAIC staff in developing a comprehensive understanding of digital health policy issues and initiatives, the My Health Record system, and the OAIC’s regulatory role, a training package was developed and delivered to staff.


The Australian Community Attitudes to Privacy Survey

The OAIC conducted the Australian Community Attitudes to Privacy Survey (ACAPS) again in 2017. ACAPS is the longest standing and most in-depth study of how Australian attitudes to privacy have evolved.

A significant finding this year was that 83 per cent of Australians think that online environments are inherently more risky than offline. Sixty-nine per cent of Australians say they are more concerned about their online privacy than they were five years ago. While this figure may not represent the true risk of online transactions, it does reflect a real perception to manage.

The survey also revealed that the highest level of trust shown by the community is for health service providers (79 per cent).

Given the desirability – for efficiency, policy and service delivery – of promoting online transactions, building greater community comfort with online environments such as the My Health Record system remains vital.

Monitoring developments in digital health and the My Health Record system

Under the MOU with the Agency, the OAIC is required to monitor developments in digital health and the My Health Record system to ensure it is able to provide informed advice about privacy aspects of the operation of the system and the broader digital health context. During the reporting period, staff attended:

• the annual Health Informatics Conference in Melbourne, which included presentations by executive staff of the Agency and presentations on issues such as cyber-security and health data

• the Royal Australian College of General Practitioners’ eHealth forum (via live streaming), which included discussions about digital health and the use of patient data to improve health outcomes

• the Health Data Analytics conference in Brisbane, organised by the Health Informatics Society of Australia, which covered developments in the health IT industry. This included presentations on the use of big data in healthcare and on cyber-security

• a number of Agency webinars on topics such as how to embed patient registration processes for the My Health Record in a practice’s workflow, event summaries and shared health summaries in the My Health Record system, the National Digital Health Strategy, and a question and answer on the future of digital health care in Australia

• the digital health stream of the Australia Healthcare Week conference, which included a roundtable on building the backbone for the future of health care, and presentations by the Agency, state and Commonwealth agencies, academics and business representatives

• the Privacy Matters Forum ‘your health privacy in the digital era – now and into the future’ hosted by the NSW Office of the Privacy Commissioner


• a Privacy Awareness Week 2017 webcast from the Queensland Office of the Information Commissioner, which had a section on electronic health records

• a workshop facilitated by the International Association of Privacy Professionals (iappANZ) in Sydney on privacy and security in digital health

• a webinar on privacy and confidentiality for general practice, hosted by HotDoc, an online service that streamlines how general practitioners and patients communicate health information.

In addition, OAIC staff:

• reviewed the World Health Organisation (WHO) report ‘From innovation to implementation – eHealth in the WHO European region’ (2016), which describes trends in electronic health in the WHO European Region

• reviewed the Australian Commission on Safety and Quality in Health Care’s Fifth and Sixth Clinical Safety Review reports of the My Health Record system

• monitored news clips, relevant parliamentary committees and digital health and related websites and blogs.

Media

The OAIC responded to eight media enquiries regarding digital health and the My Health Record system during 2016–17. The media outlets were Australian Doctor (two enquiries), CeBIT, Channel Nine, Healthcare IT News Australia, News.com.au, The Medical Republic, and Radio 5AA.


Part 4: OAIC and the Healthcare Identifiers Service

The HI Service is a foundation service for a range of digital health initiatives in Australia, particularly the My Health Record system. Accordingly, the use of healthcare identifiers has increased since the launch of the My Health Record system on 1 July 2012. Under the My Health Record system, healthcare identifiers:

• are used to identify healthcare recipients who register for a My Health Record

• enable the My Health Record System Operator to authenticate the identity of all individuals who access a My Health Record and record activity through the audit trail

• help ensure the correct health information is associated with the correct healthcare recipient’s My Health Record

• require registration with the HI Service as a prerequisite for a healthcare provider organisation to be registered for the My Health Record system.

OAIC compliance and enforcement activities

Complaints relating to the HI Service

No complaints were received during the reporting period.

Investigations relating to the HI Service

No complaint investigations or Commissioner initiated investigations (CIIs) were commenced or finalised during the reporting period. At 30 June 2017, there were no HI investigations open.

Assessments relating to the HI Service

Under the MOU with the Agency, the OAIC was required to conduct at least one assessment in 2016–17 from the following targets:

• the HI Service Operator (DHS-Medicare), and

• agencies or organisations or state and territory authorities using healthcare identifiers.

The OAIC finalised one assessment in 2016–17 that was commenced in the previous reporting period.


The OAIC has initiated contact with an assessment target for an assessment relating to the handling of individual healthcare identifiers.

Assessment subject | No. entities assessed | Year opened | Closed
Assessment of the Australian Health Practitioner Regulation Agency – APP 10 and 11 | 1 | 2015–2016 | October 2016

Assessment of the Australian Health Practitioner Regulation Agency

The OAIC conducted an assessment into the handling of personal information by the Australian Health Practitioner Regulation Agency (AHPRA) in its role as a national registration authority for healthcare practitioners. The assessment focused on AHPRA’s handling of healthcare identifiers and associated identifying information under APPs 10 (data quality) and 11 (security).

Healthcare identifiers advice, guidance, liaison and other activities

Advice

In relation to the Healthcare Identifiers service, the OAIC provided advice to:

• the Agency on provisions of the Healthcare Identifiers Act 2010 (HI Act) relating to the handling of healthcare identifiers

• the Department of Health on a draft privacy impact assessment on the National Cancer Screening Register. The comments included an overview of the provisions of the HI Act that authorise the handling of healthcare identifiers

• a member of the public relating to an enquiry regarding the use of healthcare identifiers by medical practitioners.

Guidance

Review of existing resources

Following consultation and a review of the healthcare identifier resources available on the OAIC’s website, the OAIC updated its healthcare identifier resource material to better meet stakeholder needs. The updated healthcare identifier information will be available on the OAIC website.


Other activities

Monitoring developments in digital health and the HI Service

Under the MOU with the Agency, the OAIC is required to monitor developments in digital health and the HI Service to ensure the OAIC is aware of the implications of any developments for the HI Service and is able to offer informed advice about privacy aspects of the HI Service in the broader digital health context. During the reporting period, the OAIC:

• monitored developments relating to digital health and the HI Service through news clips and digital health websites and blogs

• as outlined above in relation to the My Health Record system, attended various conferences related to digital health.

Reporting on activities

In addition to liaison meetings with the Agency to discuss MOU activities, the OAIC reported to the Agency on activities performed in relation to the HI Service through its two biannual reports. The biannual reports are published on the OAIC website.

Timothy Pilgrim PSM

Australian Information Commissioner

Australian Privacy Commissioner

30 September 2017
