Health Legislation Amendment (eHealth) Act 2015 (157 of 2015)
Schedule 1 Healthcare identifiers and health records
Part 1 Amendments
Healthcare Identifiers Act 2010
34 Divisions 1, 2, 2A and 3 of Part 3
Repeal the Divisions, substitute:
Division 1 - Simplified outline of this Part
11 Simplified outline of this Part
This Part authorises the collection, use and disclosure of healthcare identifiers, identifying information and other information.
Healthcare identifiers and other information relating to healthcare recipients
The service operator may collect information about a healthcare recipient from various sources for the purpose of assigning a healthcare identifier to the recipient. Once a healthcare identifier is assigned to a healthcare recipient, the service operator may disclose it to healthcare providers to assist in communicating and managing health information. The healthcare identifier may also be disclosed to other entities to assist in the operation of the My Health Record system.
A healthcare provider can obtain the healthcare identifier of a healthcare recipient from the service operator, so that the healthcare provider can communicate and manage health information. The healthcare provider can use the healthcare identifier in providing healthcare, for example, by using it to access the My Health Record of a healthcare recipient.
Healthcare identifiers and other information relating to healthcare providers
Under Part 2, the service operator must keep a record of the healthcare identifiers that have been assigned and other information relating to healthcare identifiers. As a national registration authority assigns healthcare identifiers to most healthcare providers, the service operator may obtain information for the record from a national registration authority.
Under Part 2, the service operator assigns healthcare identifiers to healthcare providers in a number of cases. The service operator may collect information about a healthcare provider from various sources for the purposes of assigning those identifiers.
The service operator may disclose the healthcare identifiers of healthcare providers to healthcare providers to assist in communicating and managing health information. The healthcare identifier may also be disclosed to other entities to assist in the operation of the My Health Record system.
A healthcare provider can obtain the healthcare identifier of a healthcare provider from the service operator, so that the healthcare provider can communicate and manage health information. This includes the use of the identifier in electronic transmissions. The collection, use and disclosure of identifying information and healthcare identifiers is permitted for the purposes of authenticating a healthcare provider's identity in electronic transmissions.
A person must not use or disclose information collected for the purposes of the Act or healthcare identifiers, except where required or authorised to do so under the Act or in other limited circumstances. Criminal and civil penalties apply if this obligation is breached.
Division 2 - Healthcare recipients
12 Collection, use and disclosure - assigning a healthcare identifier to a healthcare recipient
An entity mentioned in column 1 of an item of the following table, is authorised to take action of the kind described in column 2 of that item with information of the kind described in column 3 of that item in the circumstances described in column 4 of that item.
|
Collection, use and disclosure for the purpose of assigning a healthcare identifier to a healthcare recipient |
||||
|---|---|---|---|---|
|
Item |
Column 1
Entity |
Column 2
Permitted action |
Column 3
Information |
Column 4
Circumstances |
|
1 |
identified healthcare provider |
use disclose to the service operator |
identifying information of a healthcare recipient |
the use or disclosure is for the purpose of assisting the service operator to assign a healthcare identifier to the healthcare recipient |
|
2 |
Chief Executive Medicare Veterans' Affairs Department Defence Department |
use disclose to the service operator |
identifying information of a healthcare recipient |
the use or disclosure is for the purpose of assisting the service operator to assign a healthcare identifier to the healthcare recipient |
|
3 |
service operator |
collect from: (a) an identified healthcare provider; or (b) the Chief Executive Medicare; or (c) the Veterans' Affairs Department; or (d) the Defence Department use |
identifying information of a healthcare recipient |
the collection or use is for the purpose of assigning a healthcare identifier to a healthcare recipient |
13 Collection, use and disclosure - establishing and maintaining a record of healthcare identifiers for healthcare recipients
An entity mentioned in column 1 of an item of the following table, is authorised to take action of the kind described in column 2 of that item with information of the kind described in column 3 of that item in the circumstances described in column 4 of that item.
|
Collection, use and disclosure for the purpose of establishing and maintaining a record of healthcare identifiers for healthcare recipients |
||||
|---|---|---|---|---|
|
Item |
Column 1
Entity |
Column 2
Permitted action |
Column 3
Information |
Column 4
Circumstances |
|
1 |
any entity that has access to the healthcare identifier of a healthcare recipient |
use disclose to the service operator |
healthcare identifier of the healthcare recipient information that relates to the healthcare identifier of the healthcare recipient |
the use or disclosure is for the purposes of assisting the service operator to establish and maintain a record mentioned in section 10 (a record of healthcare identifiers assigned and other matters, such as requests made to the service operator to disclose those identifiers) |
|
2 |
service operator |
collect from any entity that has access to the healthcare identifier of a healthcare recipient use |
healthcare identifier of the healthcare recipient information that relates to the healthcare identifier of the healthcare recipient |
the collection or use is for the purposes of establishing and maintaining a record mentioned in section 10 (a record of healthcare identifiers assigned and other matters, such as requests made to the service operator to disclose those identifiers) |
14 Collection, use and disclosure - providing healthcare to a healthcare recipient
(1) An entity mentioned in column 1 of an item of the following table, is authorised to take action of the kind described in column 2 of that item with information of the kind described in column 3 of that item in the circumstances described in column 4 of that item.
|
Collection, use and disclosure for the purpose of providing healthcare to a healthcare recipient |
||||
|---|---|---|---|---|
|
Item |
Column 1
Entity |
Column 2
Permitted action |
Column 3
Information |
Column 4
Circumstances |
|
1 |
identified healthcare provider |
use disclose to the service operator |
identifying information of a healthcare recipient |
the use or disclosure is for the purpose of assisting the service operator to disclose the healthcare identifier of the healthcare recipient to the healthcare provider |
|
2 |
service operator |
collect from an identified healthcare provider use disclose to an identified healthcare provider |
identifying information of a healthcare recipient |
the collection, use or disclosure is for the purpose of disclosing the healthcare identifier of the healthcare recipient to the healthcare provider |
|
3 |
service operator |
use disclose to an identified healthcare provider |
healthcare identifier of a healthcare recipient |
the use or disclosure is for the purpose of assisting the healthcare provider to communicate or manage health information, as part of providing healthcare to the healthcare recipient |
|
4 |
identified healthcare provider |
collect from the service operator |
healthcare identifier of a healthcare recipient |
the collection is for the purpose of communicating or managing health information, as part of providing healthcare to the healthcare recipient |
|
5 |
healthcare provider |
use disclose to another entity |
healthcare identifier of a healthcare recipient |
the use or disclosure is for the purpose of communicating or managing health information as part of: (a) the provision of healthcare to thehealthcare recipient; or (b) the management (including the investigation or resolution of complaints), funding, monitoring or evaluation of healthcare; or (c) the provision of indemnity cover for a healthcare provider; or (d) the conduct of research that has been approved by a Human Research Ethics Committee |
|
6 |
entity to whom healthcare identifier of a healthcare recipient is disclosed for a purpose mentioned in column 4 of item 5 |
collect use disclose |
healthcare identifier of a healthcare recipient |
the collection, use or disclosure is for the purpose for which the information was disclosed |
(2) This section does not authorise the collection, use or disclosure of the healthcare identifier of a healthcare recipient for the purpose of communicating or managing health information as part of:
(a) underwriting a contract of insurance that covers the healthcare recipient; or
(b) determining whether to enter into a contract of insurance that covers the healthcare recipient (whether alone or as a member of a class); or
(c) determining whether a contract of insurance covers the healthcare recipient in relation to a particular event; or
(d) employing the healthcare recipient.
15 Collection, use and disclosure - My Health Record system
The service operator is authorised to collect, use and disclose:
(a) identifying information of a healthcare recipient, an authorised representative of a healthcare recipient or a nominated representative of a healthcare recipient; and
(b) the healthcare identifier of a healthcare recipient, an authorised representative of a healthcare recipient or a nominated representative of a healthcare recipient;
for the purposes of the My Health Record system.
16 Collection, use and disclosure - aged care
An entity mentioned in column 1 of an item of the following table, is authorised to take action of the kind described in column 2 of that item with information of the kind described in column 3 of that item in the circumstances described in column 4 of that item.
|
Collection, use and disclosure for an aged care purpose |
||||
|---|---|---|---|---|
|
Item |
Column 1
Entity |
Column 2
Permitted action |
Column 3
Information |
Column 4
Circumstances |
|
1 |
identified healthcare provider |
disclose to the Aged Care Department |
identifying information of a healthcare recipient |
the disclosure is for an aged care purpose |
|
2 |
Aged Care Department |
collect from an identified healthcare provider use disclose to an identified healthcare provider |
identifying information of a healthcare recipient |
the collection, use or disclosure is for an aged care purpose |
|
3 |
identified healthcare provider |
collect from the Aged Care Department use |
identifying information of a healthcare recipient |
the collection or use is for an aged care purpose |
|
4 |
Aged Care Department |
disclose to the service operator |
identifying information of a healthcare recipient |
the disclosure is for an aged care purpose |
|
5 |
service operator |
collect from the Aged Care Department use |
identifying information of a healthcare recipient |
the collection or use is for an aged care purpose |
|
6 |
service operator |
use disclose to the Aged Care Department |
healthcare identifier of a healthcare recipient |
the use or disclosure is for an aged care purpose |
|
7 |
healthcare provider |
disclose to the Aged Care Department |
healthcare identifier of a healthcare recipient |
the disclosure is for an aged care purpose |
|
8 |
Aged Care Department |
collect from the service operator or a healthcare provider use |
healthcare identifier of a healthcare recipient |
the collection or use is for an aged care purpose |
17 Adopting the healthcare identifier of a healthcare recipient etc.
An entity mentioned in column 1 of an item of the following table, may adopt the healthcare identifier of a healthcare recipient, an authorised representative of a healthcare recipient or a nominated representative of a healthcare recipient, for a purpose mentioned in column 2 of the item.
|
Adopting the healthcare identifier of a healthcare recipient |
||
|---|---|---|
|
Item |
Column 1
Entity |
Column 2
Purpose |
|
1 |
healthcare provider |
for use as the healthcare provider's own identifier of the healthcare recipient, the authorised representative of a healthcare representative or the nominated representative of a healthcare recipient |
|
2 |
My Health Record System Operator |
for use as the My Health Record System Operator's own identifier for the purposes of the My Health Record system |
|
3 |
registered repository operator registered portal operator |
for use as that operator's own identifier for the purposes of the My Health Record system |
18 Disclosure of the healthcare identifier of a healthcare recipient to the healthcare recipient etc.
Any of the following entities may disclose the healthcare identifier of a healthcare recipient to the healthcare recipient, or a responsible person (within the meaning of the Privacy Act 1988) for the healthcare recipient:
(a) the service operator;
(b) the My Health Record System Operator;
(c) a healthcare provider.
19 Other information relating to the healthcare identifier of a healthcare recipient may be disclosed by the service operator
The service operator may disclose information included in the record the service operator maintains under section 10 in relation to a healthcare recipient to:
(a) the healthcare recipient; or
(b) a responsible person (within the meaning of the Privacy Act 1988) for the healthcare recipient.
20 Regulations relating to the healthcare identifier and identifying information of a healthcare recipient etc.
Collection, use or disclosure for other purposes
(1) The regulations may authorise the collection, use or disclosure of the following information:
(a) identifying information of a healthcare recipient, authorised representative of a healthcare recipient or nominated representative of a healthcare recipient;
(b) the healthcare identifier of a healthcare recipient, authorised representative of a healthcare recipient or nominated representative of a healthcare recipient.
Adoption for other purposes
(2) The regulations may authorise the adoption of the healthcare identifier of a healthcare recipient, authorised representative of a healthcare recipient or a nominated representative of healthcare recipient in the circumstances prescribed by the regulations.
Purposes for which regulation-making powers in subsections (1) and (2) may be used
(3) However, the regulations may only authorise the collection, use, disclosure or adoption of that information for purposes related to one or more of the following:
(a) providing healthcare to healthcare recipients, or a class of healthcare recipients;
(b) determining whether adequate and appropriate healthcare is available to healthcare recipients, or a class of healthcare recipients;
(c) facilitating the provision of adequate and appropriate healthcare to healthcare recipients, or a class of healthcare recipients;
(d) assisting persons who, because of health issues (including illness, disability or injury), require support;
(e) the My Health Record system.
Procedures relating to the disclosure of healthcare identifiers
(4) The regulations may prescribe rules about the process for disclosing the healthcare identifiers of healthcare recipients, including rules about requests to the service operator to disclose healthcare identifiers of healthcare recipients.
Information about disclosures by service operator
(5) If the service operator discloses a healthcare identifier of a healthcare recipient to an entity, the regulations may require the entity to provide prescribed information to the service operator in relation to the disclosure.
Division 3 - Healthcare providers
21 Collection, use and disclosure - assigning a healthcare identifier to a healthcare provider
An entity mentioned in column 1 of an item of the following table, is authorised to take action of the kind described in column 2 of that item with information of the kind described in column 3 of that item in the circumstances described in column 4 of that item.
|
Collection, use and disclosure for the purpose of assigning a healthcare identifier to a healthcare provider |
||||
|---|---|---|---|---|
|
Item |
Column 1
Entity |
Column 2
Permitted action |
Column 3
Information |
Column 4
Circumstances |
|
1 |
service operator |
collect from: (a) the Chief Executive Medicare; or (b) the Veterans' Affairs Department; or (c) the Defence Department use |
identifying information of a healthcare provider |
the collection or use is for the purpose of assigning a healthcare identifier to the healthcare provider |
|
2 |
Chief Executive Medicare Veterans' Affairs Department Defence Department |
use disclose to the service operator |
identifying information of a healthcare provider |
the use or disclosure is for the purpose of assisting the service operator to assign a healthcare identifier to the healthcare provider |
|
3 |
service operator |
collect from a healthcare provider use |
information requested by the service operator under section 9B |
the collection or use is for the purpose of assigning a healthcare identifier to the healthcare provider |
22 Collection, use and disclosure - establishing and maintaining a record of healthcare identifiers for healthcare providers
An entity mentioned in column 1 of an item of the following table, is authorised to take action of the kind described in column 2 of that item with information of the kind described in column 3 of that item in the circumstances described in column 4 of that item.
|
Collection, use and disclosure for the purpose of establishing and maintaining a record of healthcare identifiers for healthcare providers |
||||
|---|---|---|---|---|
|
Item |
Column 1
Entity |
Column 2
Permitted action |
Column 3
Information |
Column 4
Circumstances |
|
1 |
a national registration authority |
use disclose to the service operator |
healthcare identifier of a healthcare provider information that relates to the healthcare identifier of a healthcare provider |
the use or disclosure is for the purposes of assisting the service operator to establish and maintain a record mentioned in section 10 (a record of healthcare identifiers assigned and other matters, such as requests made to the service operator to disclose those identifiers) |
|
2 |
service operator |
collect from a national registration authority use |
healthcare identifier of a healthcare provider information that relates to the healthcare identifier of a healthcare provider |
the collection or use is for the purposes of establishing and maintaining a record mentioned in section 10 (a record of healthcare identifiers assigned and other matters, such as requests made to the service operator to disclose those identifiers) |
23 Collection, use and disclosure - providing healthcare
An entity mentioned in column 1 of an item of the following table, is authorised to take action of the kind described in column 2 of that item with information of the kind described in column 3 of that item in the circumstances described in column 4 of that item.
|
Collection, use and disclosure for the purpose of providing healthcare |
||||
|---|---|---|---|---|
|
Item |
Column 1
Entity |
Column 2
Permitted action |
Column 3
Information |
Column 4
Circumstances |
|
1 |
identified healthcare provider |
use disclose to the service operator |
identifying information of a healthcare provider |
the use or disclosure is for the purpose of assisting the healthcare provider to communicate or manage health information, as part of providing healthcare to a healthcare recipient |
|
2 |
service operator |
collect from an identified healthcare provider |
identifying information of a healthcare provider |
the collection is for the purpose of assisting the healthcare provider to communicate or manage health information, as part of providing healthcare to a healthcare recipient |
|
3 |
service operator |
use disclose to an identified healthcare provider |
healthcare identifier of a healthcare provider |
the use or disclosure is for the purpose of assisting the healthcare provider to communicate or manage health information, as part of providing healthcare to a healthcare recipient |
|
4 |
identified healthcare provider |
collect from the service operator |
healthcare identifier of a healthcare provider |
the collection is for the purpose of communicating or managing health information, as part of providing healthcare to a healthcare recipient |
|
5 |
healthcare provider |
collect from another healthcare provider use disclose to another healthcare provider |
healthcare identifier of a healthcare provider |
the collection, use or disclosure is the purpose of communicating or managing health information, as part of providing healthcare to a healthcare recipient |
24 Collection, use and disclosure - My Health Record system
The service operator is authorised to collect, use and disclose:
(a) identifying information of a healthcare provider; and
(b) the healthcare identifier of a healthcare provider;
for the purposes ofthe My Health Record system.
25 Collection, use and disclosure - enabling authentication in electronic communications
An entity mentioned in column 1 of an item of the following table, is authorised to take action of the kind described in column 2 of that item with information of the kind described in column 3 of that item in the circumstances described in column 4 of that item.
|
Collection, use and disclosure for the purpose of facilitating electronic communications |
||||
|---|---|---|---|---|
|
Item |
Column 1
Entity |
Column 2
Permitted action |
Column 3
Information |
Column 4
Circumstances |
|
1 |
service operator registration authority |
use disclose to any entity |
identifying information of a healthcare provider healthcare identifier of a healthcare provider |
the use or disclosure is for the purpose of enabling the healthcare provider's identity to be authenticated in electronic transmissions |
|
2 |
an entity to whom information is disclosed for the purposes of enabling a healthcare provider's identity to be authenticated in electronic communications |
collect from any entity use disclose to any entity |
identifying information of a healthcare provider healthcare identifier of a healthcare provider |
the collection, use or disclosure is for the purpose of enabling the healthcare provider's identity to be authenticated in electronic transmissions |
25A Collection, use and disclosure - sharing information with registration authorities
An entity mentioned in column 1 of an item of the following table, is authorised to take action of the kind described in column 2 of that item with information of the kind described in column 3 of that item in the circumstances described in column 4 of that item.
|
Collection, use and disclosure for the purpose of sharing information with registration authorities |
||||
|---|---|---|---|---|
|
Item |
Column 1
Entity |
Column 2
Permitted action |
Column 3
Information |
Column 4
Circumstances |
|
1 |
service operator |
use disclose to a registration authority |
healthcare identifier of a healthcare provider |
the use or disclosure is for the purpose of assisting the registration authority to register the healthcare provider |
|
2 |
registration authority |
collect use |
healthcare identifier of a healthcare provider |
the collection or use is for one of the following purposes: (a) registering the healthcare provider; (b) performing any other function of the registration authority under an Australian law |
|
3 |
service operator |
collect from a registration authority use disclose to a registration authority |
identifying information of a healthcare provider healthcare identifier of a healthcare provider |
the collection, use or disclosure is for the purpose of ensuring that information held by the service operator or the registration authority is accurate, up-to-date and complete |
|
4 |
registration authority |
collect from the service operator use disclose to the service operator |
identifying information of a healthcare provider healthcare identifier of a healthcare provider |
the collection, use or disclosure is for the purpose of ensuring that information held by the service operator or the registration authority is accurate, up-to-date and complete |
25B Adopting the healthcare identifier of a healthcare provider
An entity mentioned in column 1 of an item of the following table, may adopt the healthcare identifier of a healthcare provider for a purpose mentioned in column 2 of the item.
|
Adopting the healthcare identifier of a healthcare provider |
||
|---|---|---|
|
Item |
Column 1
Entity |
Column 2
Purpose |
|
1 |
My Health Record System Operator |
for use as the My Health Record System Operator's own identifier for the purposes of the My Health Record system |
|
2 |
registered repository operator registered portal operator |
for use as that operator's own identifier for the purposes of the My Health Record system |
|
3 |
a participant in the My Health Record system to whom the healthcare identifier is disclosed by a registered repository operator or a registered portal operator under section 58A of the My Health Records Act |
for use in authenticating the identity of the healthcare provider in electronic transmissions |
25C Disclosure of the healthcare identifier of a healthcare provider to the healthcare provider
Any entity who knows the healthcare identifier of a healthcare provider may disclose the healthcare identifier to the healthcare provider.
25D Regulations relating to the healthcare identifier and other information of a healthcare provider
Collection, use or disclosure for other purposes
(1) The regulations may authorise the collection, use or disclosure of the following information:
(a) identifying information of a healthcare provider;
(b) the healthcare identifier of a healthcare provider.
Adoption for other purposes
(2) The regulations may authorise the adoption of the healthcare identifier of a healthcare provider in the circumstances prescribed by the regulations.
Purposes for which regulation-making powers in subsections (1) and (2) may be used
(3) However, the regulations may only authorise the collection, use, disclosure or adoption of that information for purposes related to one or more of the following:
(a) providing healthcare to healthcare recipients, or a class of healthcare recipients;
(b) determining whether adequate and appropriate healthcare is available to healthcare recipients, or a class of healthcare recipients;
(c) facilitating the provision of adequate and appropriate healthcare to healthcare recipients, or a class of healthcare recipients;
(d) assisting persons who, because of health issues (including illness, disability or injury), require support;
(e) the My Health Record system.
Procedures relating to the disclosure of healthcare identifiers
(4) The regulations may prescribe rules about the process for disclosing the healthcare identifiers of healthcare providers, including rules about requests to the service operator to disclose healthcare identifiers of healthcare providers.
Information about disclosures by service operator
(5) If the service operator discloses a healthcare identifier of a healthcare provider to an entity, the regulations may require the entity to provide prescribed information to the service operator in relation to the disclosure.
Information to be provided to the service operator about the healthcare identifier of a healthcare provider
(6) The regulations may require an identified healthcare provider to provide to the service operator information that:
(a) relates to the healthcare provider's healthcare identifier; and
(b) is prescribed by the regulations for the purposes of this section.
25E Obligation to keep information accurate, up-to-date and complete
(1) If a healthcare provider organisation becomes aware that information held by the service operator in relation to the organisation is not accurate, up-to-date and complete, the organisation must:
(a) give the service operator, in writing, accurate, up-to-date and complete information; and
(b) do so within 20 business days after the organisation becomes aware that the information held by the service operator is not accurate, up-to-date and complete.
(2) Subsection (1) does not apply if:
(a) the information that is no longer accurate, up-to-date and complete is personal information that the service operator was only able to lawfully obtain with the consent of the person to whom the information relates; and
(b) instead of giving accurate, up-to-date and complete personal information within the period specified in that subsection, the healthcare provider organisation notifies the service operator within that period, in the manner and form approved by the service operator, that the person to whom the information relates has withdrawn consent for the information to be given to the service operator.
(3) Subsection (1) does not apply if:
(a) the healthcare provider organisation, or an individual healthcare provider who is linked to the healthcare provider organisation, is required by an Australian law, or by a lawful requirement of the national registration authority, to give the national registration authority the accurate, up-to-date and complete information; and
(b) the healthcare provider organisation, or the individual healthcare provider, complies with the requirement.
(4) A person is liable to a civil penalty if:
(a) the person fails to give the service operator information in the circumstances mentioned in subsection (1); and
(b) the person knows or is reckless as to those circumstances.
Civil penalty: 100 penalty units.