A few days ago the Commonwealth Privacy Commissioner released her submission in response to the Department of Health and Ageing (DoHA) request for submissions on the legislative proposals for NEHTA’s Individual Health Identifiers.
The basic information on the consultation process can be found here:
The direct link to the DoHA page, which links to the request for submissions, is here:
Submissions closed on August 14, 2009.
Commentary on what was said by the Privacy Commissioner is found below.
Karen Dearne | August 25, 2009
AUSTRALIANS may not be able to opt out of the planned national healthcare identity scheme despite assurances that those who do will still have access to treatment under Medicare.
Federal Privacy Commissioner Karen Curtis says "it is not clear how an individual will be able to exercise that option" under proposals on the national health ministers' agenda.
"We understand that any (authorised) healthcare provider or organisation will be able to obtain an individual's identifier from the (Medicare-operated) service without the consent of the person concerned," she said. "Potentially this could occur after treatment, when the person is no longer present."
Ms Curtis has questioned plans for a legal quick-fix that would allow the start of the Medicare-based identifier regime next year, saying the proposed service "is of sufficient scale and sensitivity to warrant specific new legislation to ensure consistency of protections and penalties nationwide".
Much more here:
The submission from the Privacy Commissioner is found here:
Healthcare identifiers and privacy: Discussion paper on proposals for legislative support; Submission to the Australian Health Ministers' Conference (August 2009)
1. The Office welcomes the opportunity to provide a submission on the Healthcare identifiers and privacy: Discussion paper on proposals for legislative support.
2. In relation to Part A of the discussion paper, dealing with the Health Identifier (HI) Service and the issuing and use of health identifiers, the Office has made a number of key recommendations:
3. The enabling legislation for the HI Service should cover:
i. provisions setting out the clearly defined healthcare-related purposes for which a provider can access the HI service to obtain an individual’s IHI and establishing that the IHI can only be accessed where the provider has a healthcare relationship with the individual
ii. prohibitions on use or disclosure of the IHI or associated personal information outside of the healthcare sector across all jurisdictions
iii. provisions which underpin the legislative status of participation agreements or provision for mandatory guidelines (see A.5.2 )
iv. requirements relating to independent auditing and mandatory reporting of breaches of HI Service policies
v. sanctions and complaint mechanisms (including a right of recourse to a relevant statutory officer like the Privacy Commissioner for the private sector and Australian Government agencies where appropriate), and
vi. provisions to ensure that any future expansion of uses of the HI Service is subject to a Privacy Impact Assessment and parliamentary scrutiny.
4. Obligations additional to those contained in the privacy principles should be established through a second-tier legislative instrument such as mandatory guidelines, and cover, amongst other things secondary uses and data security.
5. Clarification may be required in relation to whether administrative staff of healthcare providers will be able to access information in the IHI and Healthcare Provider Individual Identifier (HPI-I) databases, and if so how their use of those databases will be audited.
6. All jurisdictions provide for a common set of legislated obligations in relation to the collection and handling of health identifiers prior to the introduction of a wider common health privacy framework.
28. The discussion paper states that use of the IHI will not be a requirement to receive health services.12 However, it is not clear how an individual will be able to exercise the option not to use their IHI. The Office understands that any provider with a Healthcare Provider Individual Identifier (HPI-I) and/or a Health Provider Organisation Identifier (HPI-O) will be able to obtain an individual’s IHI from the HI Service without the consent of the individual to whom the IHI has been assigned (if they have the required individual’s demographic information). Potentially, this could occur after treatment (when the individual is no longer present).
31. The Office would welcome clarification of whether there will be any constraints on the circumstances in which a provider (who has the minimum demographic information required to search the database) will be able to access an individual’s IHI. For example, will a provider be able to access an individual’s IHI in situations where they do not have an active healthcare relationship with the individual and have not seen the person for a number of years?
32. The Office is also aware that many individuals may be particularly concerned about specific health information that they consider more highly sensitive and want to have tighter control over the use and disclosure of that information. The Office would welcome clarification on what options the individual may have in relation to how they can exercise control over whether or not their IHI is connected to that specific information.
Participation Agreements in IHI.
44. The discussion paper suggests that additional obligations might be set out in participation agreements.22 The Office is unsure about the mechanism by which the status of such agreements would be underpinned by law, and would welcome clarification on this matter.
49. In relation to the remaining principles (openness, access and correction, and trans-border data flows), the Office agrees in principle that these principles should be regulated through existing health privacy laws and administrative arrangements. However, as discussed in sections A.6.2.3 and A.7, currently there are no specific legislative privacy protections for health information in the public sectors of two states (Western Australia and South Australia). The Office would welcome clarification of how this gap in privacy protections will be addressed.
60. The Office supports the intent of proposal 6, that is, that the HI Service Operator will disclose information held in the Service only to authorised users; and that the term “authorised user” will be defined in the legislation. 29 The Office would welcome clarification of the scope of “authorised users”, particularly in relation to whether administrative staff of healthcare service providers will be able to search for an IHI or HPI-I (see A.5.2.6). It is important that the auditing process to determine who has actually accessed the service can adequately identify the actual individual who has performed the search. It is highly unlikely that a provider themselves will undertake the administrative work associated with accessing the HI Service, but rather that their administrative staff will be tasked with that responsibility.
74. The Office has previously expressed concern that the inability to specifically identify individual non-health care providers (such as administrative staff) may reduce the value of system logs and auditing as an oversight mechanism. The Office would welcome clarification of how this issue will be addressed.39
79. The paper states that the introduction of IHIs will not affect the ability of individuals to conduct health-related transactions with organisations and agencies anonymously where this is lawful and practical. 41 Although it appears from the statements in the discussion paper that it is theoretically true that individuals can choose to interact anonymously in a healthcare setting (by not using their IHI), in the Office’s view, this option may not be practicable for individuals, particularly once the identifier is linked to an individual’s health information by a provider.
80. The paper indicates that vulnerable individuals (such as victims of domestic violence) will be able to request that a pseudonym is used in conjunction with their IHI. In general, the Office supports the policy intent of providing consumers the option of using a pseudonym.
81. However, the Office is not entirely clear as to how the allocation and use of pseudonyms will work in practice. The Office would welcome clarification on this matter including:
- is the use of a pseudonym intended to protect an individual’s identity from being known by a health practitioner and/or by staff of the HI Service Operator?
- whether this feature will be available to any person enrolled in the HI Service, and if not, what criteria would determine entitlement?
- what process would individuals have to complete in order to use this feature?
---- End of Extracts.
What is being said here, as the submission itself notes, is that there are a number of crucial issues which, once thought through, may prove very difficult to manage.
First, it is assumed that access to the IHI will be auditable down to the level of the individual in order to prevent unauthorised access. If access to the service is extended to provider staff (categories not defined) then all these staff, as well as all providers, will need secure, robust identification as provided by the proposed National Authentication Service for Health (NASH). Given one can be sure that providers themselves are not going to be looking up and checking IHIs, we have just added a huge number of additional individuals who will require NASH tokens, or else conceded that IHI access will not be properly auditable.
Second, it is obvious that NEHTA and DoHA have not worked out how to prevent providers using the IHI once they have obtained it, even though an individual’s circumstances may have changed, making it important that links not be made. Given everyone is to be allocated an IHI, it seems no one has really worked out how to ‘un-allocate’ an IHI, even when requested to do so. (The point numbered 28 puts this issue very clearly, I must say!)
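To make the first point concrete: the audit value of an access log depends entirely on whether each lookup is recorded against the person who performed it, and on whether the record carries any evidence of a healthcare relationship. The following is an added example of that check run over a handful of constructed log records; it is not code from NEHTA, DoHA, Medicare or the Privacy Commissioner, and the log field names, the "nash:individual:" operator prefix and every identifier value in it are assumptions made for the example.

```python
import json
from datetime import datetime

# Constructed access-log records in JSON-lines form. The field names, the
# "nash:individual:" operator prefix and all identifier values are assumptions
# for this example; they are not the HI Service's real log schema.
SAMPLE_LOG = """\
{"id": "r1", "ts": "2009-08-25T09:10:00", "hpi_o": "org-1001", "operator": "nash:individual:8001", "ihi": "ihi-A", "episode_start": "2009-08-25T09:00:00", "episode_end": null}
{"id": "r2", "ts": "2009-08-25T09:12:00", "hpi_o": "org-1001", "operator": "org-1001", "ihi": "ihi-B", "episode_start": "2009-08-25T09:00:00", "episode_end": null}
{"id": "r3", "ts": "2009-08-25T09:15:00", "hpi_o": "org-1001", "operator": "shared:frontdesk", "ihi": "ihi-C", "episode_start": "2009-08-25T09:00:00", "episode_end": null}
{"id": "r4", "ts": "2009-08-27T16:00:00", "hpi_o": "org-2002", "operator": "nash:individual:8002", "ihi": "ihi-D", "episode_start": "2009-08-20T10:00:00", "episode_end": "2009-08-21T12:00:00"}
{"id": "r5", "ts": "2009-08-27T16:05:00", "hpi_o": "org-2002", "operator": "nash:individual:8003", "ihi": "ihi-E", "episode_start": null, "episode_end": null}
"""

# Assumed convention: a per-person credential issued to a named individual.
INDIVIDUAL_PREFIX = "nash:individual:"


def parse_log(text):
    """Parse JSON-lines log text into a list of record dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_individual_operator(operator, hpi_o):
    """True only when the operator field names a natural person.

    A lookup recorded against the organisation identifier itself, or against a
    shared login, cannot be traced back to the staff member who ran the search.
    """
    return bool(operator) and operator != hpi_o and operator.startswith(INDIVIDUAL_PREFIX)


def check_record(rec):
    """Return the list of audit issues for one lookup record (empty list if clean)."""
    issues = []
    if not is_individual_operator(rec.get("operator"), rec.get("hpi_o")):
        issues.append("not attributable to an individual operator")
    start, end = rec.get("episode_start"), rec.get("episode_end")
    if start is None:
        # No episode of care on record: the provider may hold the demographics
        # needed to search, but nothing shows a healthcare relationship.
        issues.append("no recorded healthcare relationship")
    else:
        ts = datetime.fromisoformat(rec["ts"])
        before_start = ts < datetime.fromisoformat(start)
        after_end = end is not None and ts > datetime.fromisoformat(end)
        if before_start or after_end:
            # The lookup happened outside the episode, e.g. after treatment
            # when the individual is no longer present.
            issues.append("lookup outside recorded healthcare episode")
    return issues


def audit(text):
    """Map each record id to its list of issues."""
    return {rec["id"]: check_record(rec) for rec in parse_log(text)}


if __name__ == "__main__":
    for rid, issues in audit(SAMPLE_LOG).items():
        print(rid, "OK" if not issues else "; ".join(issues))
```

Only the first record passes. The second and third are exactly the case the Office raises at point 74: the search was logged against the organisation or a shared front-desk login, so the log cannot say which person ran it. The fourth is a lookup after the episode closed, and the fifth is a lookup with no recorded relationship at all; both are permitted by the scheme as described, and both are visible to an auditor only if the log carries the episode evidence in the first place.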
Third, it is clear the Privacy Commissioner is concerned that jurisdictional privacy legislation is lacking in WA and SA, and that this really means a Federal Act with overriding authority is needed before any of this can come into operation.
As the Office says: “Given the lack of uniform privacy regulation it is important that national projects involving personal information or potentially sensitive information of all Australians, such as the HI Service, have dedicated, project-specific legislation ensuring that consistent privacy protections apply regardless of jurisdiction.” (Point 35).
Last, it is clear the Office believes there need to be very good reasons why Privacy Impact Assessments are not made public (with some possible excisions for security) once they have been completed and the appropriate modifications made.
As the Office makes clear here:
“36. As the Privacy Act is principle-based and technology neutral, on occasion additional privacy protections are warranted and necessary to regulate large-scale initiatives that involve the handling of personal information in new ways, such as with the Tax File Number, credit reporting information and MBS and PBS claims information.16 The Office believes that the HI Service is one of these comparatively infrequent national initiatives requiring specific additional privacy regulation.
37. This is consistent with the ALRC’s view that legislation relating to shared electronic health systems ‘should deal with those issues that fall outside existing privacy regulation and provide more stringent rules where necessary’.”
“11. While other large databases exist in Australia, such as those maintained by Medicare Australia and by the Australian Taxation Office, a very large number of users will interact with this repository whose access thus needs to be carefully handled with adequate legislative protections to minimise any potential for misuse.”
This project is very large, many people are going to have access, and individuals’ details need to be very well protected. Reading this submission, I do not believe the Privacy Commissioner is in any way comfortable yet that this is the case.
I think there really needs to be an exposure draft of the actual Federal Legislation and a further period of consultation with the public before we move forward.