Commonwealth Numbered Regulations - Explanatory Statements
[Index] [Search] [Download] [Related Items] [Help]
HEALTHCARE IDENTIFIERS REGULATIONS 2020 (F2020L01072)
Explanatory Statement
Healthcare Identifiers Act 2010
Healthcare Identifiers Regulations 2020
The Healthcare Identifiers Act 2010 (the HI Act) supports the Healthcare Identifiers Service (the HI Service) which is a national system for consistently uniquely identifying consumers and healthcare providers for healthcare purposes. The HI Service assigns healthcare identifiers (a unique 16 digit number) to individuals, individual healthcare providers and healthcare provider organisations for the purpose of ensuring that health information is correctly matched to an individual or entity. The HI Act specifies the circumstances in which healthcare identifiers can be collected, used or disclosed, and by whom.
Section 39 of the HI Act provides that the Governor-General may make regulations, not inconsistent with the HI Act, prescribing matters required or permitted by the HI Act to be prescribed, or necessary or convenient to be prescribed for carrying out or giving effect to the HI Act.
The Healthcare Identifiers Regulations 2020 (the HI Regulations) repeal and replace the Healthcare Identifiers Regulations 2010 (the old Regulations).
The purpose of the HI Regulations is to provide additional guidance regarding how the provisions of the HI Act are applied and to enable additional authorisations for the handling of healthcare identifiers. No changes to the substantive meaning or operation of the old Regulations are made apart from minor updates in the drafting style to align with current drafting practices. The HI Regulations:
* clarify how the Regulations apply in relation to partnerships, trusts and unincorporated associations;
* prescribe the meaning of "national registration authority" for the purposes of the HI Act and HI Regulations.
* prescribe identifying information of individual healthcare providers, healthcare provider organisations and healthcare recipients;
* authorise healthcare providers to handle the necessary information (healthcare identifiers and identifying information) to assist individuals wishing to register with My Health Record;
* authorise healthcare providers to use, or disclose to an entity, a healthcare provider's healthcare identifier for the purpose of:
o communicating or managing health information; or
o management, funding, monitoring or evaluation of healthcare,
and authorise entities to use and disclose healthcare provider's healthcare identifiers for the purpose for which they collected it; and
* prescribe the process for disclosing healthcare identifiers and related information required to be given to the HI Service Operator.
Details of the proposed Regulations are set out in the Attachment.
Section 33 of the HI Act provides that the Minister must consult with the Ministerial Council before the Governor-General makes a regulation for the purpose of the HI Act. Ministerial Council is defined in the HI Act as the council (however described) established by the Council of Australian Governments that has responsibility for health matters.
In April 2020, a discussion paper on the old Regulations was provided for comment to stakeholders including the Healthcare Identifiers Service Operator (HI Service Operator), the Australian Digital Health Agency, the Office of the Australian Information Commissioner and jurisdictions (jurisdictional Health Chief Information Officers and Chief Executive Officers were consulted as representatives for jurisdictions). Overall, feedback from stakeholders was generally supportive and no substantive changes were proposed.
In addition, to meet obligations under section 33 of the HI Act, the exposure draft regulations were provided to the Australian Health Ministers' Advisory Council (AHMAC) on 1 June 2020 for consideration. All jurisdictions responded in agreement to the HI Regulations.
A Preliminary Assessment was completed and the Department of Health provided a certification letter to the Office of Best Practice Regulation (OBPR) dated 28 May 2020 indicating a Regulation Impact Statement is not required for this new instrument. The OBPR provided written confirmation that a certification letter is appropriate.
The HI Regulations are a legislative instrument for the purposes of the Legislation Act 2003.
The HI Regulations commence on the day after it is registered on the Federal Register of Legislation.
ATTACHMENT
Details of the Healthcare Identifiers Regulations 2020
Part 1 - Preliminary
Section 1 - Name of Regulations
This section provides that the title of the Regulations is the Healthcare Identifiers Regulations 2020 (the HI Regulations).
Section 2 - Commencement
This section provides that the HI Regulations take effect the day after the instrument is registered.
Section 3 - Authority
This section provides that the Healthcare Identifiers Regulations 2020 is made under the Healthcare Identifiers Act 2010 (the HI Act).
Section 4 - Schedule(s)
This section provides that each instrument that is specified in a Schedule to this instrument is amended or repealed as set out in the applicable items in the Schedule concerned, and any other item in a Schedule to this instrument has effect according to its terms.
Section 5 - Definitions
This section defines particular terms used in the HI Regulations.
Section 6 - Application of this instrument to partnerships, trusts and unincorporated associations
Healthcare provider organisations assigned healthcare identifiers under the HI Act are structured in a variety of ways. For example, healthcare provider organisations could be structured as partnerships, trusts or unincorporated associations, none of which are legal entities in their own right. The HI Act applies to these entities in the same way as it applies to persons.
This section clarifies that the HI Regulations also treat partnerships, trusts and unincorporated associations as if they were a person. That is, that sections 36B, 36C and 36D of the HI Act apply to the HI Regulations, and obligations, offences, and civil penalty provisions in the HI Regulations, in the same way as they apply to the HI Act, and obligations, offences and civil penalty provisions in the HI Act. This ensures that authorisations, obligations and penalties are applied appropriately regardless of organisational structure.
Section 7 - National registration authorities
This section is made for the purposes of section 8 of the HI Act which provides that a national registration authority is a registration authority that is prescribed by this instrument for the purposes of that section. Section 8 gives mean to the term national registration authority, which is defined in section 5 of the HI Act and used throughout the HI Act.
This section prescribes that each of the following registration authorities is a national registration authority: a National Health Practitioner Board established by the National Law; and if it is authorised under the National Law to assign healthcare identifiers - the Australian Health Practitioner Regulation Agency established by the National Law.
Section 8 - Identifying information
Paragraphs 7(1)(g), 7(2)(e) and 7(3)(i) of the HI Act provide that the HI Regulations may prescribe identifying information for individual healthcare providers, healthcare provider organisations and healthcare recipients respectively.
This section prescribes specific information as identifying information for individual healthcare providers, healthcare provider organisations and healthcare recipients.
Subsection 8(1) prescribes that identifying information of individual healthcare providers includes the following types of information (in addition to those types of identifying information already specified in subsection 7(1) of the HI Act):
(a) whether the healthcare provider is registered with a registration authority and the status of that registration (such as conditional, suspended, cancelled or lapsed);
(b) whether the healthcare provider is a member of a professional association of a kind described in paragraph 9A(1)(b) of the HI Act and the status of that membership (such as conditional, suspended, cancelled or lapsed);
(c) whether the healthcare provider is, or is likely to be deceased;
(d) whether the death of healthcare provider has been verified; and
(e) whether the healthcare provider is linked to a healthcare provider organisation and, if so, the name of the organisation and the ABN or ACN of the organisation (whichever is applicable).
This information enables the HI Service Operator and the My Health Record System Operator to determine the status of individual healthcare providers' healthcare identifiers. That is, whether the status of an individual provider's healthcare identifier is recorded by the HI Service Operator as 'active', 'retired' or 'deactivated'.
Subsection 8(2) prescribes that identifying information of healthcare provider organisations includes the following types of information (in addition to those types of identifying information already specified in subsection 7(2) of the HI Act):
(a) whether the organisation is registered under Division 2 of Part 3 of the My Health Records Act 2012 (MHR Act);
(b) whether the organisation has notified the service operator that the organisation does not wish to use a healthcare identifier, either temporarily or permanently;
(c) if applicable, the organisation's business name on the register established under section 22 of the Business Names Registration Act 2011;
o The note in this section provides assistance to the reader by highlighting related components of the HI Act. That is, paragraph 7(2)(a) of the HI Act states that the name of the healthcare provider is also identifying information.
(d) the type of healthcare service the organisation provides to another healthcare provider or a healthcare recipient.
o The note in this section provides examples for types of healthcare services - general practice services, public hospital services or diagnostic imaging services;
(e) the name, date of birth and date of death (if applicable) of the organisation's responsible officer (the officer with day-to-day contact with the HI Service Operator to manage the healthcare identifiers of the organisation) and organisation maintenance officer (a delegate of the responsible officer);
(f) the work address, email address, telephone number and fax number of the organisation's responsible officer and organisation maintenance officer;
(g) the identifying number assigned to the organisation's responsible officer and organisation maintenance officer by the service operator;
(h) whether an evidence of identity process has been undertaken for the organisation's responsible officer and organisation maintenance officer;
(i) if an evidence of identity process is being undertaken for the organisation's responsible officer and organisation maintenance officer - the name of the agency or service operator undertaking the process;
(j) if an evidence of identity process has been undertaken for the organisation's responsible officer and organisation maintenance officer--the name of the agency or service operator that undertook the process, the outcome of the process and when the process was undertaken;
(k) the record that specifies the network address and technical requirements permitting electronic messages to be sent to the organisation;
(l) any other network organisation or seed organisation (within the meaning of section 9A of the HI Act) that the healthcare provider organisation is linked to in a network;
(m) whether any individual healthcare providers are linked to the organisation and, if so, the names and other identifying information of those individual healthcare providers.
The note in this section provides assistance to the reader by highlighting related components of the HI Act. That is, other identifying information may be required by the service operator from healthcare provider - see section 7 of the HI Act.
This information is necessary for the performance of the HI Service Operator's functions under a number of provisions in the HI Act, including:
* assigning healthcare identifiers to healthcare provider organisations;
* publishing professional and business details of a healthcare provider organisation to the healthcare provider directory; and
* enabling the My Health Record System Operator to maintain a database of healthcare provider organisations registered to participate in the My Health Record system for the purposes of section 56 of the MHR Act.
Subsection 8(3) prescribes that identifying information of individual healthcare recipients includes the following types of information (in addition to those types of identifying information already specified in subsection 7(3) of the HI Act):
(a) the telephone number of the healthcare recipient;
(b) the electronic address of the healthcare recipient;
(c) whether the identity of the healthcare recipient has been verified;
(d) whether a healthcare identifier assigned to the healthcare recipient has been assigned provisionally (for example, because it has not been possible to verify the identity of the healthcare recipient);
(e) if information relating to the identity of the healthcare recipient has been, or is to be, verified using a particular form of identification document (such as a driver's licence or passport), details of that document, including:
i. the document number; and
ii. the State or Territory in which the document was issued; and
iii. the name of the entity that issued the document;
(f) if information relating to the identity of the healthcare recipient has been, or is to be, verified by using a verification service, the response of that service to any verification inquiry in relation to the healthcare recipient;
(g) whether the healthcare recipient is, or is likely to be, deceased;
(h) whether the death of the healthcare recipient has been verified;
(i) whether the healthcare recipient is a registered healthcare recipient for the purposes of the MHR Act;
(j) whether the healthcare recipient is an authorised representative, or nominated representative, of another healthcare recipient, and the identity of the other healthcare recipient;
(k) whether the healthcare recipient, or an authorised representative or nominated representative of the healthcare recipient, has made an election under clause 5 of Schedule 1 to the MHR Act that the healthcare recipient not be registered under that Act.
Prescribing this information, in conjunction with the information that is already prescribed in subsection 7(3) of the HI Act, permits information to be collected, used and disclosed as part of verifying healthcare recipients' identities, communicating with healthcare recipients and determining the status of healthcare recipients' healthcare identifiers (such as whether it is recorded by the HI Service Operator as 'active', 'deceased', 'retired', 'expired' or 'resolved').
Part 2 - Collection, use and disclosure of identifying information and healthcare identifiers
Section 9 - Authorisation of collection, use and disclosure - healthcare provider assisting a healthcare recipient to register for a My Health Record
Not all eligible Australians will have a My Health Record. For instance, some individuals may have chosen to 'opt-out' during the opt-out period, or cancel their My Health Record. Healthcare providers may assist individuals who do not have a My Health Record to register for a My Health Record (if the individual wishes to be registered). This is called assisted registration and requires the healthcare provider to disclose identifying information and the healthcare identifier of the healthcare recipient to the My Health Record System Operator.
This section ensures that healthcare providers are authorised to collect, use or disclose to the My Health Record System Operator, the identifying information or healthcare identifier of a healthcare recipient for the purposes of registering the healthcare recipient in the My Health Record system.
Section 10 - Collection, use and disclosure of healthcare provider's healthcare identifier - providing healthcare to a healthcare recipient etc.
This section authorises healthcare providers to use, and disclose to another entity, a healthcare provider identifier (known as an HPI-I) for the purpose of communicating or managing health information as part of:
a) the provision of healthcare to a healthcare recipient; or
b) the management (including the investigation or resolution of complains), funding, monitoring or evaluation of healthcare.
Further, the entity to which a healthcare identifier has been disclosed, can collect, use and disclose that identifier for the same purposes for which it was disclosed.
This section recognises that individual healthcare providers' healthcare identifiers can be used for a range of reasons associated with clinical, administrative and business activities regularly undertaken to support the delivery of healthcare, e.g. the funding or evaluation of healthcare.
Part 3 - Requests by healthcare provider organisations to access healthcare identifiers
Section 11 - Details of responsible officer and organisation maintenance officer
This section requires that a healthcare provider organisation must not request the HI Service Operator to disclose a healthcare identifier to the organisation, unless:
a) the identity of the organisation's responsible officer and the identity of the organisation maintenance officer have been verified through an evidence of identity process; and
b) information in relation to those officers of the kind mentioned in paragraphs 8(2)(e) to (j) of this instrument has been given to the service operator; and
c) the information is accurate, up to date and complete.
If the HI Service Operator were to receive a request to disclose a healthcare identifier from a healthcare provider organisation that has made the request in contravention of subsection 11(2), the HI Service Operator must refuse to comply with the organisation's request.
This arrangement ensures that the HI Service Operator has current details for key personnel in healthcare provider organisations to which healthcare identifiers are being disclosed, and that the identity of these individuals has been verified. These requirements establish safeguards to ensure accountability and legitimate use of the HI Service.
Section 12 - Identity of individual making request
This section is based on elements of section 11. If a healthcare provider organisation requests the HI Service Operator to disclose a healthcare identifier, subsection 12(2) requires that the organisation must, if it is reasonably practicable to do so, provide the HI Service Operator enough information to ensure the HI Service Operator can identify by name the individual making the request without having to seek further information. The note in this section makes clear that the information may be given as part of the data transmitted to the HI Service Operator from a healthcare provider organisation's practice management software.
If a healthcare provider organisation complies with subsection 12(2), they do not need to keep records of the identities of the individuals requesting disclosure, or of the identifying information given to the HI Service Operator, because the HI Service Operator will record the information that has been sent to it - see section 10 of the HI Act.
Subsection 12(3) requires that if it is not reasonably practicable to provide the HI Service Operator the required information at the time a request is made to disclose a healthcare identifier, the healthcare provider organisation must keep a record of the identity of the individual who accessed the healthcare identifier for the organisation. This record must be kept for the retrieval period for that individual. The record is able to be drawn from a healthcare provider organisation's own records identifying the authorised person. These records may be kept in logs as part of the healthcare provider organisation's practice management software.
Paragraph 12(3)(c) provides that if, during the "retrieval period" for the individual making the request for disclosure, the HI Service Operator gives the healthcare provider organisation notice in writing requiring the organisation to identify the individual, the provider must identify the individual to the HI Service Operator within 14 days.
Subsection 12(4) defines a retrieval period for an individual as any period during which the individual is authorised by the healthcare provider organisation to access healthcare identifiers on the organisation's behalf. If the individual ceases to be authorised by the healthcare provider organisation to access healthcare identifiers on the organisation's behalf, the retrieval period extends for a further seven years starting on the day after the person ceased to be authorised.
Subsection 12(5) creates a civil penalty, whereby healthcare provider organisations are liable of up to 50 penalty units if the organisation contravenes subsections 12(2) or 12(3) of this instrument.
Liability of 50 penalty units is deemed appropriate and justified. This penalty makes clear that the obligation to provide a record is enforceable where a healthcare provider organisation does not comply with subsection 12(2). Failure by a healthcare provider to keep a record, assuming that the healthcare provider does not comply with subsection 12(2), may mean that it is not possible to conduct an effective investigation into why a disclosure of a healthcare identifier occurred. This might result in a potentially significant adverse effect on public confidence in the safeguards surrounding the Healthcare Identifiers Service. Given this situation, and the desire to adopt an approach consistent with that taken in the HI Act in relation to breaches, a civil penalty is considered appropriate.
As healthcare provider organisations will typically be body corporates within the meaning of the Regulatory Powers (Standard Provisions) Act 2014, the pecuniary penalty for a contravention of subsections 12(2) or (3) of the Regulations by a body corporate will currently be a maximum of 250 penalty units. This is sufficiently high enough to justify going to court to enforce the penalty. In addition, subsection 39(2) of the HI Act (the regulation making power) provides that the regulations may not impose a penalty of more than 50 penalty units for a contravention of a regulation.
Part 4 - Application, saving and transitional provisions
Division 1 - Application, saving and transitional provisions in relation to the commencement of this instrument
Section 13 - Definitions
This section defines particular terms used in this division of this instrument. The terms include commencement day (meaning the day this instrument commences), and old regulations (meaning the Healthcare Identifiers Regulations 2010, as in force immediately before the commencement day).
Section 14 - Things done under the old regulations
This section provides that if a thing was done for a particular reason under the old regulations, and the thing could be done for that purpose under this instrument, the thing has effect for the purposes of this instrument as if it had been done for that purpose under this instrument. For example, a notice made for a particular purpose under the old regulations continues to be valid if the notice could be made for the purposes of this new instrument.
Subsection 14(2) makes clear that a reference in subsection 14(1) to a thing being done includes, but is not limited to, a reference to a notice, request or other instrument being given or made.
Section 15 - Use and disclosure of healthcare identifier of a healthcare provider
This section provides that section 10 applies in relation to the use and disclosure of information on or after the commencement day, regardless of whether the information was collected before, on, or after that day.
The purpose of this provision is to transition authority from the old Regulations to this new instrument in relation to collection, use and disclosure. If a healthcare provider was authorised to use and to disclose to another entity a healthcare provider's healthcare identifier under the old Regulations for the purposes specified in section 10 of this new instrument, then the healthcare provider will continue to be authorised to do so under section 10 notwithstanding that the collection may have been made prior to this new instrument's commencement day. The collecting entity is authorised to collect, use and disclose that healthcare identifier for the same purpose under section 10 of this new instrument notwithstanding that the collection, by either the healthcare provider or the collecting entity, was made under the old Regulations prior to this new instrument's commencement day.
This section authorises a prospective action (i.e. use and disclosure of a healthcare provider's healthcare identifier) and clarifies that the action does not become unauthorised because the initial collection was validly made under the previous delegated legislation.
Section 16 - Continued operation of certain provisions not affected
If a provision of a previous version of the Healthcare Identifiers Regulations 2010, (specifically, a version of those regulations other than the version that was in force immediately before they became repealed by this new instrument) is continuing in operation, this section ensures the continuing operation of that provision is not affected by the repeal of the old Regulations. For example, if regulation 8 of the Healthcare Identifiers Regulations 2010 (as in force immediately before 15 December 2015) is preserved by clause 3 of Schedule 1 to the old Regulations, this new instrument does not affect the continued operation of that regulation 8.
Part 1 of Schedule 1 to the old regulations outlines that provisions of the amending regulation (the Health Legislation Amendment (eHealth) Regulation 2015) apply on or after 1 March 2016. Provisions of those amending regulations relate to the definition of "identifying information", the treatment of partnerships, trusts and unincorporated associations, and requests for identifiers. Therefore any requests for healthcare identifiers made prior to 1 March 2016 continues to be subject to requirements of Healthcare Identifiers Regulations 2010 (as in force immediately before 15 December 2015). In summary, this provision preserves that requests for healthcare identifiers made prior to
1 March 2016 are subject to requirements of Healthcare Identifiers Regulations 2010 (as in force immediately before 15 December 2015). Requests for healthcare identifiers on or after 1 March 2016 are subject to requirements under this instrument.
Subsection 16(2) clarifies that this section does not limit the effect of section 7 of the Acts Interpretation Act 1901 (as it applies as a result of paragraph 13(1)(a) of the Legislation Act 2003).
Schedule 1 - Repeals
Item 1 repeals the whole of the Healthcare Identifiers Regulations 2010.
Statement of Compatibility with Human Rights
Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011
Healthcare Identifiers Regulations 2020
This Bill/Disallowable Legislative Instrument is compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.
Overview of the Bill/Disallowable Legislative Instrument
The Healthcare Identifiers Act 2010 (the HI Act) supports the Healthcare Identifiers Service (HI Service) which is a national system for consistently uniquely identifying consumers and healthcare providers for healthcare purposes. The Healthcare Identifiers Service assigns healthcare identifiers (a unique 16 digit number) to individuals, individual healthcare providers and healthcare provider organisations. The HI Act specifies the circumstances in which healthcare identifiers can be collected, used or disclosed, and by whom. The purpose of the Healthcare Identifiers Regulations 2020 (the HI Regulations) is to provide additional guidance regarding how the provisions of the HI Act are applied and to enable additional authorisations necessary for the handling of healthcare identifiers.
The HI Regulations:
* clarify how the Regulations apply in relation to partnerships, trusts and unincorporated associations;
* prescribe the meaning of "national registration authority" for the purposes of the HI Act and HI Regulations.
* prescribe identifying information of individual healthcare providers, healthcare provider organisations and healthcare recipients;
* authorise healthcare providers to handle the necessary information (healthcare identifiers and identifying information) to assist individuals wishing to register with My Health Record;
* authorise healthcare providers to use, or disclose to an entity, a healthcare provider's healthcare identifier for the purpose of:
o communicating or managing health information; or
o management, funding, monitoring or evaluation of healthcare,
and authorise entities to use and disclose healthcare provider's healthcare identifiers for the purpose for which they collected it; and
* prescribe the process for disclosing healthcare identifiers and related information required to be given to the HI Service Operator.
Human rights implications
This Disallowable Legislative Instrument engages the following rights:
* Right to Privacy and Reputation
Article 17 of the International Covenant on Civil and Political Rights (ICCPR) prohibits the unlawful or arbitrary interference with a person's privacy and unlawful attacks on a person’s reputation. This right is also reflected in Article 22 of the Convention on the Rights of Persons with Disabilities (CRPD) and Article 16 of the Convention on the Rights of the Child (CRC).
The right to privacy includes respect for informational privacy including the right to respect the storing, use and sharing of private information and right to control the dissemination of private information. The HI Regulations engage the right to privacy by:
* prescribing identifying information for individual healthcare providers, healthcare provider organisations and healthcare recipients that can be collected, used and disclosed to various participants in accordance with the HI Act;
* prescribing the collection, use and disclosure of identifying information or healthcare identifiers for the purposes of registering a healthcare recipient in the My Health Record system;
* prescribing information in relation to the identity of individuals who make a request on behalf of healthcare provider organisations.
For the HI Service and the My Health Record system to operate effectively and to ensure the correct healthcare recipient, healthcare provider and healthcare organisation is registered, and associated with the correct health information, identifying information must be prescribed and collection, use and disclosure by the HI Service Operator and various participants in the My Health Record system must be authorised. The necessity to prescribe this information and authorise collection, use and disclosure in specific circumstances is also applicable where an individual wishes to cancel their registration with the My Health Record system. Without this information being shared between these parties, the individuals' and organisations' identities could not be accurately verified and the HI Service and the My Health Records system would not be able to operate effectively or securely. The inability to operate effectively and securely would significantly impact the ability for the expected health improvements to be realised. Further, the accurate identification of individuals is critical in all health communication. The efficacy and security of the HI Service provides a way for healthcare providers to more accurately match the right records to the person they are treating and improve accuracy when communicating information with other healthcare providers. While the Regulations prescribe identifying information and circumstances for collection, use and disclosure additional to those prescribed in the HI Act, any effect on the right to privacy is a proportionate, necessary and reasonable way of achieving the policy objective of improved health outcomes for all Australians.
Any unauthorised collection, use or disclosure of healthcare identifiers or identifying information is subject to the penalties and remedies set out in the HI Act, the My Health Records Act 2012 and the Privacy Act 1988. Criminal and civil penalties for misuse of healthcare identifiers or identifying information are a privacy positive outcome.
Conclusion
The Bill/Disallowable Legislative Instrument is compatible with human rights because they advance the protection of human rights, specifically the right to privacy.