Whose health record? Privacy in the new ehealth environment Georgie Haysom, Head of Advocacy, Avant 26/02/16
In this session
> Provide a brief history of privacy regulation of medical records
> Provide an update on recent changes in the areas of ehealth, in particular My Health Record
> Outline compliance challenges for practitioners
> Review the Office of the Australian Information Commissioner’s (OAIC’s) recent ehealth privacy assessment
Privacy and ehealth 2
What is the new ehealth environment?
Digital health: “The electronic management of health information to deliver safer, more efficient, better quality healthcare”. Commonwealth Department of Health, http://www.health.gov.au/internet/main/publishing.nsf/Content/eHealth
Commonwealth ehealth initiatives:
> Telehealth
> Healthcare identifiers
> My Health Record (formerly PCEHR)
Whose health record?
Timeline, 1985 to 2015:
> 1989: Privacy Act 1988 (Cth)
> 1996: Breen v Williams [1996] HCA 57
> 1998: Health Records (Privacy and Access) Act 1997 (ACT)
> 2001-2002: Health Records Act 2001 (Vic)
> 2004: Health Records and Information Privacy Act 2001 (NSW)
> 2012: PCEHR Act 2012 (Cth)
> 2014: Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth)
> 2016: My Health Records Act 2012 (Cth)
Breen v Williams [1996] HCA 57
“A claim that a patient has a right of access to his or her medical records is a question of great social importance. But absent a contractual term, such a claim has no foundation in the law of Australia.” per Gaudron and McHugh JJ
“… it is not possible, without distorting the basis of accepted legal principles, for this court to create either an unrestricted right of access to medical records or a right of access subject to exceptions. If change is to be made, it must be made by the legislature.” per Gaudron and McHugh JJ
1998 - 2014 – privacy legislation
Privacy Act 1988
• commenced 1989
• aimed to protect personal information held by Australian government agencies
• Information Privacy Principles (IPPs)
Privacy Amendment (Private Sector) Act 2000
• commenced December 2001
• private sector organisations
• National Privacy Principles (NPPs)
Privacy Amendment (Enhancing Privacy Protection) Act 2012
• commenced 2014
• Australian Privacy Principles (APPs)
• enhanced powers and penalties
Other jurisdictions (private sector)
• Health Records (Privacy and Access) Act 1997 (ACT)
• Health Records and Information Privacy Act 2001 (NSW)
• Health Records Act 2001 (Vic)
2012 - 2016 – PCEHR and My Health Record
Personally Controlled Electronic Health Record Act 2012 (renamed My Health Records Act 2012)
• Personally controlled by patient
• Patients can:
– Access all health information on the system
– Control which healthcare providers have access
– Choose to share information with healthcare providers
My Health Record
> Health record system managed by the Department of Health (system operator)
> Not a complete patient record
> Collection of clinical information such as:
• medical history
• medications
• allergies and adverse reactions
• immunisations
• shared health summary
• discharge summaries
• data from Medicare, PBS
• pathology and radiology
• specialist letters
> Also patient-entered notes – not accessible by healthcare provider
My Health Record
> Consumers register for an ehealth record and thereby consent to having their health information uploaded to the ehealth system by their health care provider
> Governed by:
– APPs set out in Privacy Act 1988 (Cth)
– My Health Records Act 2012
– My Health Records Regulation 2012
– My Health Records Rules 2016
My Health Record
> System security requirements – Rule 42 of the My Health Record Rules 2016
– Manner of authorising access to the system, including suspending access or deactivating an account
– Training before access is provided
– Process for identifying a person to the system operator
– Physical and information security measures, including those under rule 44 (user account management)
– Manner of authorising access of staff, and consent and identification of the consumer if providing assisted registration
– Mitigation strategies to ensure security risks can be identified, reported and acted on
– Annual policy review
My Health Record and privacy
> Data breach obligations:
– Previously in participation agreement – no longer required
– Now in section 75 of the My Health Records Act
– Unauthorised collection, use or disclosure, or compromised security
– Notify:
• system operator
• information commissioner
• affected health care recipients
• if a significant number are affected, the general public
Compliance challenges
Compliance
OAIC Health Guidance
> Consultation on draft guidelines – closed October 2015
> Currently considering submissions
> Generally well received but some concerns
Compliance
Source: www.oaic.gov.au
Enforcement guidelines
> Currently under review
> Outline enforcement powers and approach to investigations and enforcement action
OAIC regulatory approach: “To facilitate voluntary compliance with privacy obligations and to work with entities to ensure best privacy practice and prevent privacy breaches.” https://www.oaic.gov.au/about-us/our-regulatory-approach/privacy-regulatory-action-policy/
Compliance
Source: www.oaic.gov.au
OAIC assessments
> Power under section 33C of the Act
> “An assessment provides a professional, independent and systematic appraisal of how well an agency or organisation (or discrete part of an agency/organisation) complies with all or part of its privacy obligations. In the past, the OAIC has referred to these assessments as ‘audits’.” https://www.oaic.gov.au/privacy-law/assessments/
Assessing the My Health Record
OAIC made recommendations relating to:
• Ehealth security policy
• Privacy policy
• ICT security policy and risk assessment
• Training
• Regular reviews
• Complaints handling process
Source: www.oaic.gov.au
The future
Ehealth:
> My Health Record becoming opt-out
– Two sites to trial the opt-out system: North Queensland and Blue Mountains/Nepean
> Goodbye to the National eHealth Transition Agency
Privacy:
> Mandatory data breach notification
– Discussion paper and exposure draft legislation released by the Attorney-General’s Department
– Submissions close 4 March 2016
> Goodbye to the Office of the Australian Information Commissioner?
Key points
> There have been many changes in the privacy landscape over the past 20 years that have impacted upon medical practice – increased regulation and compliance obligations
> Many practitioners do not understand their privacy obligations and are concerned about compliance
> Increased use of the My Health Record and other ehealth initiatives may bring new challenges and compliance obligations for practitioners.
Important notices
General disclaimer
The information in this presentation is general information relating to legal and/or clinical issues within Australia (unless otherwise stated). It is not intended to be legal advice and should not be considered as a substitute for obtaining personal legal or other professional advice or proper clinical decision-making having regard to the particular circumstances of the situation.
While we endeavour to ensure that documents are as current as possible at the time of preparation, we take no responsibility for matters arising from changed circumstances or information or material which may have become available subsequently. Avant Mutual Group Limited and its subsidiaries will not be liable for any loss or damage, however caused (including through negligence), that may be directly or indirectly suffered by you or anyone else in connection with the use of information provided in this webinar.