House of Representatives

Explanatory Memorandum

(Circulated by authority of the Minister for Health and Aged Care, the Hon Mark Butler MP)

Statement of Compatibility with Human Rights

Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011

HEALTH LEGISLATION AMENDMENT (MODERNISING MY HEALTH RECORD- SHARING BY DEFAULT) BILL 2024

This Bill is compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.

Overview of the Bill

The purpose of the Health Legislation Amendment (Modernising My Health Record - Sharing by Default) Bill 2024 (the Bill) is to establish a legislative framework for requiring key health information to be shared with the My Health Record system, subject to exceptions.

Part 1 of Schedule 1 of the Bill will amend the My Health Records Act to require prescribed constitutional corporations to become registered under the My Health Records Act and to upload prescribed information to the My Health Record system.

Rules to be made under the My Health Records Act 2012 (My Health Records Act) and the Health Insurance Act 1973 (Health Insurance Act) will prescribe which constitutional corporations and records will be in scope of this framework. If a health service or record is prescribed, rules will also prescribe the information about that health service or record that must be shared to My Health Record.

New section 10B establishes exceptions to the requirement to upload, including practical necessity, the healthcare recipient's preference and clinical discretion in cases of serious concern for a healthcare recipient's health, wellbeing or safety.

New section 78C requires prescribed corporations to keep records in cases where an exception is applied.

New sections 41B and 78B provide a process for providers to seek an extension, where they need more time to update their systems and processes to become registered or enable sharing by default.

New civil penalties will apply to prescribed constitutional corporations who do not comply with the requirement to upload to My Health Record, keep records where an exception is applied and publish notices if they are not uploading.

New information sharing powers will also support compliance and enforcement of the new sharing by default requirements.

Part 2 of Schedule 1 will amend the Health Insurance Act to provide that Medicare benefits will no longer be payable for prescribed healthcare services, unless required information is shared to the My Health Record system. This condition is subject to the same exceptions as in the My Health Records Act. The healthcare services subject to the condition to upload will be prescribed in rules to be made under the Health Insurance Act.

In many cases, Medicare benefits are claimed at the time the health service is delivered, for example when a scan is performed, and the required information won't be able to be uploaded until later when the report is prepared. The amendments provide that healthcare providers will be able to continue to claim Medicare benefits, which will be paid as advance payments, subject to the required information being uploaded in the time period set out in the rules.

If a healthcare provider or their associated healthcare provider organisation have not uploaded the required information within the prescribed timeframe and are unable to provide any evidence of an upload exception applying, the amendments will apply such that the payment will become a debt recoverable by the Commonwealth. Medicare benefits that are recoverable, will be able to be pursued as a debt or be off set against future amounts payable to the healthcare provider.

The decision to raise a debt will be subject to the notice and review processes, similar to those which currently exist for Medicare debts under the Health Insurance Act.

Parallel record keeping requirements to those under the My Health Records Act will apply, requiring practitioners to keep records for 2 years of any upload exceptions that may apply when the required information is not uploaded, or ensure that someone else keeps them.

The amendments also provide for an extension process for providers who need more time to upgrade their systems, mirroring the process that will apply under the My Health Records Act, under which the My Health Record System Operator may approve periods when sharing information to the My Health Record system is not required. Under these processes, individual healthcare providers may rely on extensions sought by healthcare provider organisations that they are associated with.

Schedule 2 makes amendments to the National Health Act 1953 to enable limited data matching between Medicare and My Health Record information to support compliance and enforcement with the new share by default requirements. It also enables the Australian Commission on Safety and Quality in Health Care to disclose information about healthcare providers to the Secretary or My Health Record System Operator for compliance purposes.

Schedule 2 also makes consequential amendments to the Health Insurance Act and other Acts to ensure that even if Medicare benefits are not payable because information hasn't been uploaded, that this doesn't affect how those services are treated by other Acts and programs. These include GST treatment of medical services, private health insurance benefit requirements and the calculation of the Medicare safety net.

Human rights implications

This Bill engages the following rights:

•

Article 12(1) of the International Covenant on Economic, Social and Cultural Rights (ICESCR) being the right to the enjoyment of the highest attainable standard of physical and mental health;

•

The right to privacy under Article 17 of the International Covenant on Civil and Political Rights (ICCPR); and

•

Criminal offence process rights under Article 14 of the ICCPR.

Right to health

Article 12(1) of the ICESCR provides that everyone has the right to the enjoyment of the highest attainable standard of physical and mental health. To give effect to this right, better sharing of health information will support healthcare recipient's and their healthcare providers to have access to information required to make informed decisions about their health and care planning. Better access to health information will also support greater accessibility of health information and services.

The Strengthening Medicare Taskforce Report, released in 2022, highlighted that access to real time health information is a critical foundation for a modern and connected healthcare system. It recommended requiring that information be shared by default for private and public practitioners and services.

My Health Record is the only national repository within Australia's federated health system with the ability to connect a healthcare recipient's key health information between healthcare providers and across care settings in both public and private health services and across jurisdictional borders. The sharing by default requirements in the Bill will ensure consistent and timely health information sharing to support a healthcare recipient's healthcare journey. They will help reduce delays in diagnosis, treatment and unnecessary duplicate testing.

The Bill promotes the right to an adequate standard of living and the right to the enjoyment of the highest attainable standard of physical and mental health for Australians.

Right to privacy

The protection against arbitrary or unlawful interference with privacy is contained in Article 17 of the ICCPR. Article 17 provides that no one shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home or correspondence, nor to unlawful attacks on his or her honour or reputation, and that everyone has the right to the protection of the law against such interference or attacks.

Although the United Nations Human Rights Committee has not defined 'privacy', it should be understood to comprise freedom from unwarranted and unreasonable intrusions into activities that society recognises as falling within the sphere of individual autonomy.

The right to privacy includes respect for informational privacy, including in respect of storing, using and sharing private information and the right to control the dissemination of personal and private information. The right to privacy also includes the right to the protection of one's personal data. The Human Rights Committee has said that, pursuant to Article 17(2) of the ICCPR, States are required to regulate the processing, use and conveyance of automated personal data, and to protect those affected against misuse. The Committee has said, moreover, that State Parties must take all appropriate measures to ensure that the gathering, storage and use of sensitive personal data is consistent with their obligations under Article 17.

The right to privacy under Article 17 can be permissibly limited in order to achieve a legitimate objective and where the limitations are lawful and not arbitrary. The term 'unlawful' in Article 17 of the ICCPR means that no interference can take place except as authorised under domestic law. Additionally, the term 'arbitrary' in Article 17(1) of the ICCPR means that any interference with privacy must be in accordance with the provisions, aims and objectives of the ICCPR and should be reasonable in the particular circumstances. The Committee has interpreted 'reasonableness' to mean that any limitation must be proportionate and necessary in the circumstances.

To the extent that the share by default requirements in the Bill authorise the collection, use or disclosure of personal or health information or may interfere with the right to privacy, such measures are lawful and nonarbitrary. The measure aims to achieve the legitimate objective of assuring the consistency and completeness of key health information as well as improved access to a healthcare recipient's own information.

The limitations on the right to privacy under the Bill are reasonable, necessary and proportionate as they appropriately balance the competing objectives of transparency and oversight with an individual's right to privacy.

The Bill contains protections to ensure health information is being collected, used and disclosed in an appropriate and non-invasive manner to achieve the legitimate public health aims and objectives of the Bill.

Amendments to the My Health Records Act and Health Insurance Act both provide exceptions to the share by default requirements. Currently, information cannot be uploaded to an individual's My Health Record against their wishes, and this Bill confirms that right by providing that an individual's wish to not have their information uploaded is a valid exception to the share by default requirement. An individual's privacy is further safeguarded by a discretion that can be exercised by healthcare providers that sharing the individual's health information would be detrimental to their health, safety or wellbeing.

The Bill contains provisions that enable the sharing of personal, identifying or health information for the purposes of managing compliance and enforcement with the share by default requirements. These requirements are necessary and proportionate to the objectives of the Bill. Personal, identifying and very limited health information will need to be collected from the My Health Record system and matched with medicare data to accurately identify individuals and healthcare providers and ensure information has been shared to My Health Record as required for prescribed health services.

The amendments reduce privacy risks and safeguard an individual's right to privacy in the following ways.

Evidence required from healthcare providers to support their claims where exceptions apply to the share by default requirements will be limited to recording the matters outlined in new sections 10B of the My Health Records Act and 19AD(3) of the Health Insurance Act. They will not include clinical notes or other sensitive information.

Information contained in an individual's My Health Record shared for compliance purposes will be a limited set of data, sufficient to establish compliance, with relevant data to be set out in rules. These rules will be subject to further consultation and will be disallowable. The information shared won't include clinical notes or the contents of test results.

The existing secrecy provision in the Health Insurance Act is being amended. This means that the information disclosed under these amendments can only be done in particular circumstances, such as in the performance of the functions and duties of those assisting the Secretary and the Chief Executive Medicare.

Outcomes of compliance actions may be disclosed to the Australian Commission on Safety and Quality in Health Care which oversees accreditation and standards for healthcare providers. These disclosures will not contain the personal or health information of individual healthcare recipients. Compliance with share by default provisions are expected to be included into future accreditation standards for prescribed healthcare providers. This amendment is proportionate and appropriate to support the function of the Commission in overseeing accreditation standards for the healthcare sector. A corresponding power will allow the Commission to disclose non-compliance with share by default provisions that accrediting agencies may become aware of in their accreditation activities, for appropriate action. This is considered proportionate and appropriate to ensure that non-compliance can be appropriately actioned when another Commonwealth entity has become aware of it.

Amendments to the National Health Act limit the data matching activities that may be done by the Chief Executive Medicare for specific purposes that are necessary to effectively manage compliance with the share by default requirements.

Criminal offence process rights

The right to a fair trial and fair hearing are protected by Article 14(1) of the ICCPR. The right to a fair trial and fair hearing applies to both criminal and civil proceedings. A range of protections are afforded to persons accused and convicted of criminal offences under Article 14. These include the presumption of innocence (Article 14(2)), the right to not incriminate oneself (Article 14(3)(g)), and the right to have a sentence reviewed by a higher tribunal (Article 14(5)). Civil penalty provisions may engage the criminal process rights under Article 14 of the ICCPR where the penalty may be regarded as 'criminal' for the purpose of international human rights law. While the UN Human Rights Committee has not issued guidance on how civil penalties may be considered criminal, the following matters are considered to be relevant:

•

classification of the penalty under domestic law

•

the nature of the penalty, and

•

the severity of the penalty.

The Bill introduces new civil penalties for certain healthcare provider organisations which may engage Article 14 of the ICCPR. New section 76A introduces a new civil penalty of 1,500 penalty units for healthcare provider organisations failing to notify the Australian Digital Health Agency – the My Health Record System Operator – that they are unable to meet the conditions on their My Health Record registration. This new penalty is consistent with the existing penalty in section 76 of the My Health Records Act. That penalty currently applies to healthcare provider organisations who fail to notify that they are unable to meet the conditions of their registration. However, due to other amendments made by this Bill, existing section 76 will not continue to apply to this failure to notify so the new section 76A penalty is being introduced to maintain consistency. The security of the My Health Record system and the health information of millions of Australians that it contains is of paramount importance. This penalty has very limited application. It is intended as an important deterrent for organisations to ensure that they are adequately notifying the System Operator in the event that they are unable to meet the security and practice standards expected of them to be trusted users of the My Health Record system. This penalty is not considered to be criminal for the purposes of human rights law.

New civil penalties are also introduced for constitutional corporations subject to the new share by default provisions, with many of these subject to an infringement notice as well. These penalties will be limited in application to those constitutional corporations that are to be prescribed in the rules. They are lower level penalties that broadly align with other similar penalties. The most significant new penalty is 250 penalty units for a prescribed constitutional corporation failing to register for My Health Record as required under the Bill. This penalty is a deterrent for corporations to ignore the new share by default requirements and in that way undermine access to critical health information by healthcare recipient's and their healthcare teams. This penalty is not considered to be criminal for the purposes of human rights law. While not considered to criminal for the purposes of human rights law, these penalties are also considered to be consistent with the criminal process protections in the ICCPR.

Conclusion

The Bill is compatible with human rights because it promotes better health outcomes for Australians by enabling better access to critical health information by individuals and their healthcare providers. The Bill engages the rights to privacy for the legitimate objective of promoting better public health outcomes and to the extent that any rights to privacy are limited, this is reasonable, necessary and proportionate in the circumstances. The Bill also ensures the inclusion of civil penalties, including through an infringement notice, is consistent with human rights criminal process guarantees.