Health Legislation Amendment (eHealth) Act 2015 (Cth)

No. 157, 2015

An Act to amend the law in relation to healthcare identifiers, electronic health records and other information relating to health, and for related purposes

Contents

Health Legislation Amendment (eHealth) Act 2015

No. 157, 2015

An Act to amend the law in relation to healthcare identifiers, electronic health records and other information relating to health, and for related purposes

[Assented to 26 November 2015]

The Parliament of Australia enacts:

This Act may be cited as the Health Legislation Amendment (eHealth) Act 2015.

1. (1)

   Each provision of this Act specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms.

Note: This table relates only to the provisions of this Act as originally enacted. It will not be amended to deal with any later amendments of this Act.

1. (2)

   Any information in column 3 of the table is not part of this Act. Information may be inserted in this column, or information in it may be edited, in any published version of this Act.

Legislation that is specified in a Schedule to this Act is amended or repealed as set out in the applicable items in the Schedule concerned, and any other item in a Schedule to this Act has effect according to its terms.

Schedule 1—Healthcare identifiers and health records

Copyright Act 1968

1

After section 44BA

Insert:

44BBCopyright subsisting in works shared for healthcare or related purposes

1. (1)

   The copyright in a work is not infringed by an act comprised in the copyright in the work if:

   (a) the act is done, or authorised to be done:

   1. (i)

      for a purpose for which the collection, use or disclosure of health information is required or authorised under the My Health Records Act 2012; or

   2. (ii)

      in circumstances in which a permitted general situation exists under item 1 of the table in subsection 16A(1) of the Privacy Act 1988 (serious threat to life, health or safety), or would exist if the act were done, or authorised to be done, by an entity that is an APP entity for the purposes of that Act; or

   3. (iii)

      in circumstances in which a permitted health situation exists under section 16B of the Privacy Act 1988, or would exist if the act were done, or authorised to be done, by an entity that is an organisation for the purposes of that Act; or

   4. (iv)

      for any other purpose relating to healthcare, or the communication or management of health information, prescribed by the regulations; and

   1. (b)

      either:

      1. (i)

         the work is substantially comprised of health information; or

      2. (ii)

         the work allows for the storage, retrieval or use of health information and it is reasonably necessary to do the act, or authorise it to be done, in circumstances that would otherwise infringe copyright in the work.

2. (2)

   In this section:

healthcare has the same meaning as in the My Health Records Act 2012.

health information has the same meaning as in the My Health Records Act 2012.

2

After section 104B

Insert:

104CCopyright subsisting in sound recordings and cinematograph films shared for healthcare or related purposes

1. (1)

   The copyright in a cinematograph film or a sound recording is not infringed by an act comprised in the copyright in the film or recording if:

   1. (a)

      the act is done, or authorised to be done:

      1. (i)

         for a purpose for which the collection, use or disclosure of health information is required or authorised under the My Health Records Act 2012; or

      2. (ii)

         in circumstances in which a permitted general situation exists under item 1 of the table in subsection 16A(1) of the Privacy Act 1988 (serious threat to life, health or safety), or would exist if the entity doing the thing were an APP entity for the purposes of that Act; or

      3. (iii)

         in circumstances in which a permitted health situation exists under section 16B of the Privacy Act 1988, or would exist if the entity doing the thing were an organisation for the purposes of that Act; or

      4. (iv)

         for any other purpose relating to healthcare, or the communication or management of health information, prescribed by the regulations; and

   2. (b)

      either:

      1. (i)

         the film or recording is substantially comprised of health information; or

      2. (ii)

         the film or recording allows for the storage, retrieval or use of health information and it is reasonably necessary to do the act, or authorise it to be done, in circumstances that would otherwise infringe copyright in the work.

2. (2)

   In this section:

healthcare has the same meaning as in the My Health Records Act 2012.

health information has the same meaning as in the My Health Records Act 2012.

Healthcare Identifiers Act 2010

3

After section 3

Insert:

3ASimplified outline of this Act

Under this Act, healthcare identifiers are assigned to healthcare recipients, individual healthcare providers and healthcare provider organisations.

There are strict rules on:

1. (a)

   the verification of a person’s identity before a healthcare identifier is assigned; and

2. (b)

   the purposes for which a healthcare identifier can be collected, used and disclosed; and

3. (c)

   the purposes for which the identifying information of a healthcare recipient, a healthcare provider or a healthcare provider organisation can be collected, used and disclosed.

This Act facilitates the use of the healthcare identifier for the purposes of communicating and managing health information about a healthcare recipient (including through the My Health Record system).

This Act also facilitates:

1. (a)

   the creation of a Healthcare Provider Directory, to allow healthcare providers to check the professional and business details of healthcare providers; and

2. (b)

   the use of authenticated electronic communications by healthcare providers.

4

Section 5

Insert:

Australian law has the same meaning as in the Privacy Act 1988.

5

Section 5

Insert:

authorised representative of a healthcare recipient has the same meaning as in the My Health Records Act 2012.

6

Section 5

Insert:

civil penalty provision has the same meaning as in the Regulatory Powers Act.

7

Section 5

Insert:

court/tribunal order has the same meaning as in the Privacy Act 1988.

8

Section 5 (definition of data source)

Repeal the definition.

9

Section 5 (definitions of Human Services Department and Human Services Minister)

Repeal the definitions.

10

Section 5

Insert:

linked: an individual healthcare provider is linked to a healthcare provider organisation if:

1. (a)

   the individual healthcare provider is an employee of the healthcare provider organisation; or

2. (b)

   the healthcare provider organisation provides support services or facilities to the individual healthcare provider, to facilitate the provision of healthcare by the individual healthcare provider.

11

Section 5 (definitions of Medicare Benefits Program and medicare program)

Repeal the definitions.

12

Section 5 (definition of Ministerial Council)

Repeal the definition, substitute:

Ministerial Council means the council (however described) established by the Council of Australian Governments that has responsibility for health matters.

13

Section 5

Insert:

My Health Records Act means the My Health Records Act 2012.

14

Section 5

Insert:

network of healthcare provider organisations has the meaning given by subsection 9A(4).

15

Section 5 (definition of network organisation)

Repeal the definition, substitute:

network organisation within a network has the meaning given by subsection 9A(6).

16

Section 5

Insert:

nominated representative of a healthcare recipient has the same meaning as in the My Health Records Act 2012.

17

Section 5 (definition of organisation maintenance officer)

Repeal the definition, substitute:

organisation maintenance officer for a healthcare provider organisation has the meaning given by subsection 9A(8).

18

Section 5

Insert:

personal information has the same meaning as in the Privacy Act 1988.

19

Section 5 (definition of Pharmaceutical Benefits Program)

Repeal the definition.

20

Section 5 (definition of professional and business details)

Repeal the definition.

21

Section 5 (definition of public body)

Repeal the definition.

22

Section 5

Insert:

Regulatory Powers Act means the Regulatory Powers (Standard Provisions) Act 2014.

23

Section 5 (definition of responsible officer)

Repeal the definition, substitute:

responsible officer for a healthcare provider organisation has the meaning given by subsection 9A(7).

24

Section 5 (definition of seed organisation)

Repeal the definition, substitute:

seed organisation for a network has the meaning given by subsection 9A(5).

25

Section 5 (definition of service operator)

Repeal the definition, substitute:

service operator has the meaning given by section 6.

26

After section 5

Insert:

6Identity of service operator

The service operator is:

1. (a)

   the Chief Executive Medicare; or

2. (b)

   if a body established by a law of the Commonwealth is prescribed by the regulations to be the service operator—that body.

Note: Section 33 provides that the Minister must consult with the Ministerial Council before making regulations.

27

After paragraphs 7(1)(b) and (2)(b)

Insert:

1. (ba)

   the email address, telephone number and fax number of the healthcare provider;

28

At the end of subsection 7(3)

Add:

1. ; (i)

   other information that is prescribed by the regulations for the purpose of this paragraph.

29

Before section 9

Insert:

9AASimplified outline of this Part

Healthcare identifiers are assigned to healthcare recipients, individual healthcare providers and healthcare provider organisations.

The service operator assigns healthcare identifiers to healthcare recipients. A national registration authority will usually assign a healthcare identifier to an individual healthcare provider, although there are a number of cases in which a healthcare provider is not registered by such an authority. In those cases, the healthcare identifier is assigned by the service operator. The service operator assigns a healthcare identifier to a healthcare provider organisation.

For a healthcare provider organisation to be assigned a healthcare identifier, the organisation must have at least one employee who is an individual healthcare provider providing healthcare as part of his or her duties, a responsible officer and an organisation maintenance officer. The responsible officer may also be the organisation maintenance officer. If the organisation is part of, or subordinate to, another healthcare provider organisation, it need not have its own responsible officer.

A sole practitioner may be registered as a healthcare provider organisation.

If the service operator refuses to assign a healthcare identifier, a person whose interests are affected by the decision may ask the service operator to reconsider the decision. A person may apply to the Administrative Appeals Tribunal for review of the service operator’s reconsidered decision.

The service operator must keep a record of the healthcare identifiers assigned, and other information relating to the healthcare identifiers including details of requests to the service operator to disclose a healthcare identifier.

30

Subsection 9(6)

After “healthcare identifier”, insert “of a healthcare recipient or of an individual healthcare provider”.

31

Section 9A

Repeal the section, substitute:

9AClasses of healthcare provider that may be assigned a healthcare identifier by the service operator

Healthcare identifiers for individual healthcare providers

1. (1)

   The service operator may, under paragraph 9(1)(a), assign a healthcare identifier to an individual healthcare provider if:

   1. (a)

      the individual healthcare provider is registered by a registration authority as a member of a health profession; or

   2. (b)

      the individual healthcare provider is a member of a professional association that:

      1. (i)

         relates to the healthcare that has been, is, or is to be, provided by the member; and

      2. (ii)

         has uniform national membership requirements, whether or not in legislation.

Healthcare identifiers for a healthcare provider organisation that is a seed organisation, or is not part of a network

1. (2)

   The service operator may, under paragraph 9(1)(a), assign a healthcare identifier to a healthcare provider organisation that is a seed organisation for a network, or that is not part of a network, if:

   1. (a)

      at least one of the employees of the organisation is an individual who:

      1. (i)

         is an identified healthcare provider; and

      2. (ii)

         provides healthcare as part of his or her duties; and

   2. (b)

      one, and only one of the employees of the organisation is the responsible officer for the organisation; and

   3. (c)

      either:

      1. (i)

         the organisation has at least one other employee who is an organisation maintenance officer for the organisation; or

      2. (ii)

         the responsible officer for the organisation is also the organisation maintenance officer for the organisation.

Healthcare identifiers for network organisations

1. (3)

   The service operator may, under paragraph 9(1)(a), assign a healthcare identifier to a healthcare provider organisation that is a network organisation within a network if:

   1. (a)

      the seed organisation for the network:

      1. (i)

         has been assigned a healthcare identifier that has not been retired; and

      2. (ii)

         does not object to the network organisation being assigned a healthcare identifier under this subsection; and

   2. (b)

      the responsible officer for the seed organisation for the network is also the responsible officer for every network organisation within the network; and

   3. (c)

      there is an organisation maintenance officer for the network organisation; and

   4. (d)

      the organisation maintenance officer for the network organisation is:

      1. (i)

         an employee of the network organisation (the first network organisation); or

      2. (ii)

         an employee of the seed organisation for the network; or

      3. (iii)

         an employee of another network organisation within the network that is hierarchically superior to the first network organisation.

What is a network of healthcare provider organisations?

1. (4)

   A network of healthcare provider organisations is a group of healthcare provider organisations each of which satisfies one of the following criteria:

   1. (a)

      the healthcare provider organisation is part of, or subordinate to, another healthcare provider organisation within the group;

   2. (b)

      another healthcare provider organisation within the group is part of, or subordinate to, the healthcare provider organisation.

What is the seed organisation for a network?

1. (5)

   A healthcare provider organisation is the seed organisation for a network if:

   1. (a)

      there is at least one other healthcare provider organisation that is part of, or subordinate to, the organisation; and

   2. (b)

      the organisation is not itself part of, or subordinate to, another healthcare provider organisation.

What is a network organisation within a network?

1. (6)

   A healthcare provider organisation is a network organisation within a network if it is part of, or subordinate to, another healthcare provider organisation within the network.

Responsible officers

1. (7)

   A person is the responsible officer for a healthcare provider organisation if the duties of the person include the following:

   1. (a)

      nominating the organisation maintenance officer or officers for the organisation to the service operator;

   2. (b)

      requesting the assignment or retirement of a healthcare identifier for the organisation;

   3. (c)

      if there is a network organisation of the organisation:

      1. (i)

         nominating the organisation maintenance officer for the network organisation to the service operator; and

      2. (ii)

         requesting the assignment or retirement of a healthcare identifier for the network organisation;

   4. (d)

      if the organisation is part of a merger or acquisition—requesting the merger or reconfiguration of a healthcare identifier for the organisation.

Organisation maintenance officers

1. (8)

   A person is an organisation maintenance officer for a healthcare provider organisation if the duties of the person include the following:

   1. (a)

      nominating to the service operator at least one additional person to be an organisation maintenance officer of the organisation, if required;

   2. (b)

      maintaining information that is held by the service operator about the organisation;

   3. (c)

      providing current details to the service operator about the organisation for inclusion in the Healthcare Provider Directory;

   4. (d)

      providing any other information requested by the service operator about the organisation for which the organisation maintenance officer is responsible;

   5. (e)

      if the organisation (the seed organisation) has a network organisation:

      1. (i)

         nominating to the service operator another person who meets the employment criteria in paragraph (3)(d) to be the organisation maintenance officer for the network organisation—either on the initiative of the seed organisation or if required by the service operator to do so;

      2. (ii)

         requesting the assignment or retirement of a healthcare identifier for the network organisation;

      3. (iii)

         maintaining information that is held by the service operator about the network organisation;

      4. (iv)

         providing current details to the service operator about the network organisation for inclusion in the Healthcare Provider Directory;

      5. (v)

         providing any other information requested by the service operator about the network organisation for which the organisation maintenance officer is responsible;

      6. (vi)

         if the network organisation is part of a merger or acquisition—requesting the merger or reconfiguration of a healthcare identifier for the organisation.

Sole practitioners

1. (9)

   The service operator may assign a healthcare identifier under paragraph 9(1)(a) to a healthcare provider organisation that is a sole practitioner even though subsection (2) is not satisfied, if the sole practitioner:

   1. (a)

      provides healthcare as part of his or her duties; and

   2. (b)

      performs the duties of a responsible officer and organisation maintenance officer.

Duties of the responsible officer performed by another person

1. (10)

   For the purposes of subsection (7), a person does not cease to be a responsible officer for a healthcare provider organisation if a duty mentioned in subsection (7) is performed by another employee of the organisation on behalf of the person.

32

Section 10

Omit “Division 2 or 2A of Part 3”, substitute “Division 2 or 3 of Part 3”.

33

Part 3 (heading)

Repeal the heading, substitute:

Part 3—Collection, use and disclosure of healthcare identifiers, identifying information and other information

34

Divisions 1, 2, 2A and 3 of Part 3

Repeal the Divisions, substitute:

Division 1—Simplified outline of this Part

11Simplified outline of this Part

This Part authorises the collection, use and disclosure of healthcare identifiers, identifying information and other information.

Healthcare identifiers and other information relating to healthcare recipients

The service operator may collect information about a healthcare recipient from various sources for the purpose of assigning a healthcare identifier to the recipient. Once a healthcare identifier is assigned to a healthcare recipient, the service operator may disclose it to healthcare providers to assist in communicating and managing health information. The healthcare identifier may also be disclosed to other entities to assist in the operation of the My Health Record system.

A healthcare provider can obtain the healthcare identifier of a healthcare recipient from the service operator, so that the healthcare provider can communicate and manage health information. The healthcare provider can use the healthcare identifier in providing healthcare, for example, by using it to access the My Health Record of a healthcare recipient.

Healthcare identifiers and other information relating to healthcare providers

Under Part 2, the service operator must keep a record of the healthcare identifiers that have been assigned and other information relating to healthcare identifiers. As a national registration authority assigns healthcare identifiers to most healthcare providers, the service operator may obtain information for the record from a national registration authority.

Under Part 2, the service operator assigns healthcare identifiers to healthcare providers in a number of cases. The service operator may collect information about a healthcare provider from various sources for the purposes of assigning those identifiers.

The service operator may disclose the healthcare identifiers of healthcare providers to healthcare providers to assist in communicating and managing health information. The healthcare identifier may also be disclosed to other entities to assist in the operation of the My Health Record system.

A healthcare provider can obtain the healthcare identifier of a healthcare provider from the service operator, so that the healthcare provider can communicate and manage health information. This includes the use of the identifier in electronic transmissions. The collection, use and disclosure of identifying information and healthcare identifiers is permitted for the purposes of authenticating a healthcare provider’s identity in electronic transmissions.

A person must not use or disclose information collected for the purposes of the Act or healthcare identifiers, except where required or authorised to do so under the Act or in other limited circumstances. Criminal and civil penalties apply if this obligation is breached.

Division 2—Healthcare recipients

12Collection, use and disclosure—assigning a healthcare identifier to a healthcare recipient

An entity mentioned in column 1 of an item of the following table, is authorised to take action of the kind described in column 2 of that item with information of the kind described in column 3 of that item in the circumstances described in column 4 of that item.

13Collection, use and disclosure—establishing and maintaining a record of healthcare identifiers for healthcare recipients

An entity mentioned in column 1 of an item of the following table, is authorised to take action of the kind described in column 2 of that item with information of the kind described in column 3 of that item in the circumstances described in column 4 of that item.

14Collection, use and disclosure—providing healthcare to a healthcare recipient

1. (1)

   An entity mentioned in column 1 of an item of the following table, is authorised to take action of the kind described in column 2 of that item with information of the kind described in column 3 of that item in the circumstances described in column 4 of that item.

1. (2)

   This section does not authorise the collection, use or disclosure of the healthcare identifier of a healthcare recipient for the purpose of communicating or managing health information as part of:

   1. (a)

      underwriting a contract of insurance that covers the healthcare recipient; or

   2. (b)

      determining whether to enter into a contract of insurance that covers the healthcare recipient (whether alone or as a member of a class); or

   3. (c)

      determining whether a contract of insurance covers the healthcare recipient in relation to a particular event; or

   4. (d)

      employing the healthcare recipient.

15Collection, use and disclosure—My Health Record system

The service operator is authorised to collect, use and disclose:

1. (a)

   identifying information of a healthcare recipient, an authorised representative of a healthcare recipient or a nominated representative of a healthcare recipient; and

2. (b)

   the healthcare identifier of a healthcare recipient, an authorised representative of a healthcare recipient or a nominated representative of a healthcare recipient;

for the purposes of the My Health Record system.

16Collection, use and disclosure—aged care

An entity mentioned in column 1 of an item of the following table, is authorised to take action of the kind described in column 2 of that item with information of the kind described in column 3 of that item in the circumstances described in column 4 of that item.

17Adopting the healthcare identifier of a healthcare recipient etc.

An entity mentioned in column 1 of an item of the following table, may adopt the healthcare identifier of a healthcare recipient, an authorised representative of a healthcare recipient or a nominated representative of a healthcare recipient, for a purpose mentioned in column 2 of the item.

18Disclosure of the healthcare identifier of a healthcare recipient to the healthcare recipient etc.

Any of the following entities may disclose the healthcare identifier of a healthcare recipient to the healthcare recipient, or a responsible person (within the meaning of the Privacy Act 1988) for the healthcare recipient:

1. (a)

   the service operator;

2. (b)

   the My Health Record System Operator;

3. (c)

   a healthcare provider.

19Other information relating to the healthcare identifier of a healthcare recipient may be disclosed by the service operator

The service operator may disclose information included in the record the service operator maintains under section 10 in relation to a healthcare recipient to:

1. (a)

   the healthcare recipient; or

2. (b)

   a responsible person (within the meaning of the Privacy Act 1988) for the healthcare recipient.

20Regulations relating to the healthcare identifier and identifying information of a healthcare recipient etc.

Collection, use or disclosure for other purposes

1. (1)

   The regulations may authorise the collection, use or disclosure of the following information:

   1. (a)

      identifying information of a healthcare recipient, authorised representative of a healthcare recipient or nominated representative of a healthcare recipient;

   2. (b)

      the healthcare identifier of a healthcare recipient, authorised representative of a healthcare recipient or nominated representative of a healthcare recipient.

Adoption for other purposes

1. (2)

   The regulations may authorise the adoption of the healthcare identifier of a healthcare recipient, authorised representative of a healthcare recipient or a nominated representative of healthcare recipient in the circumstances prescribed by the regulations.

Purposes for which regulation‑making powers in subsections (1) and (2) may be used

1. (3)

   However, the regulations may only authorise the collection, use, disclosure or adoption of that information for purposes related to one or more of the following:

   1. (a)

      providing healthcare to healthcare recipients, or a class of healthcare recipients;

   2. (b)

      determining whether adequate and appropriate healthcare is available to healthcare recipients, or a class of healthcare recipients;

   3. (c)

      facilitating the provision of adequate and appropriate healthcare to healthcare recipients, or a class of healthcare recipients;

   4. (d)

      assisting persons who, because of health issues (including illness, disability or injury), require support;

   5. (e)

      the My Health Record system.

Procedures relating to the disclosure of healthcare identifiers

1. (4)

   The regulations may prescribe rules about the process for disclosing the healthcare identifiers of healthcare recipients, including rules about requests to the service operator to disclose healthcare identifiers of healthcare recipients.

Information about disclosures by service operator

1. (5)

   If the service operator discloses a healthcare identifier of a healthcare recipient to an entity, the regulations may require the entity to provide prescribed information to the service operator in relation to the disclosure.

Division 3—Healthcare providers

21Collection, use and disclosure—assigning a healthcare identifier to a healthcare provider

An entity mentioned in column 1 of an item of the following table, is authorised to take action of the kind described in column 2 of that item with information of the kind described in column 3 of that item in the circumstances described in column 4 of that item.

22Collection, use and disclosure—establishing and maintaining a record of healthcare identifiers for healthcare providers

An entity mentioned in column 1 of an item of the following table, is authorised to take action of the kind described in column 2 of that item with information of the kind described in column 3 of that item in the circumstances described in column 4 of that item.

23Collection, use and disclosure—providing healthcare

An entity mentioned in column 1 of an item of the following table, is authorised to take action of the kind described in column 2 of that item with information of the kind described in column 3 of that item in the circumstances described in column 4 of that item.

24Collection, use and disclosure—My Health Record system

The service operator is authorised to collect, use and disclose:

1. (a)

   identifying information of a healthcare provider; and

2. (b)

   the healthcare identifier of a healthcare provider;

for the purposes of the My Health Record system.

25Collection, use and disclosure—enabling authentication in electronic communications

An entity mentioned in column 1 of an item of the following table, is authorised to take action of the kind described in column 2 of that item with information of the kind described in column 3 of that item in the circumstances described in column 4 of that item.

25ACollection, use and disclosure—sharing information with registration authorities

An entity mentioned in column 1 of an item of the following table, is authorised to take action of the kind described in column 2 of that item with information of the kind described in column 3 of that item in the circumstances described in column 4 of that item.

25BAdopting the healthcare identifier of a healthcare provider

An entity mentioned in column 1 of an item of the following table, may adopt the healthcare identifier of a healthcare provider for a purpose mentioned in column 2 of the item.

25CDisclosure of the healthcare identifier of a healthcare provider to the healthcare provider

Any entity who knows the healthcare identifier of a healthcare provider may disclose the healthcare identifier to the healthcare provider.

25DRegulations relating to the healthcare identifier and other information of a healthcare provider

Collection, use or disclosure for other purposes

1. (1)

   The regulations may authorise the collection, use or disclosure of the following information:

   1. (a)

      identifying information of a healthcare provider;

   2. (b)

      the healthcare identifier of a healthcare provider.

Adoption for other purposes

1. (2)

   The regulations may authorise the adoption of the healthcare identifier of a healthcare provider in the circumstances prescribed by the regulations.

Purposes for which regulation‑making powers in subsections (1) and (2) may be used

1. (3)

   However, the regulations may only authorise the collection, use, disclosure or adoption of that information for purposes related to one or more of the following:

   1. (a)

      providing healthcare to healthcare recipients, or a class of healthcare recipients;

   2. (b)

      determining whether adequate and appropriate healthcare is available to healthcare recipients, or a class of healthcare recipients;

   3. (c)

      facilitating the provision of adequate and appropriate healthcare to healthcare recipients, or a class of healthcare recipients;

   4. (d)

      assisting persons who, because of health issues (including illness, disability or injury), require support;

   5. (e)

      the My Health Record system.

Procedures relating to the disclosure of healthcare identifiers

1. (4)

   The regulations may prescribe rules about the process for disclosing the healthcare identifiers of healthcare providers, including rules about requests to the service operator to disclose healthcare identifiers of healthcare providers.

Information about disclosures by service operator

1. (5)

   If the service operator discloses a healthcare identifier of a healthcare provider to an entity, the regulations may require the entity to provide prescribed information to the service operator in relation to the disclosure.

Information to be provided to the service operator about the healthcare identifier of a healthcare provider

1. (6)

   The regulations may require an identified healthcare provider to provide to the service operator information that:

   1. (a)

      relates to the healthcare provider’s healthcare identifier; and

   2. (b)

      is prescribed by the regulations for the purposes of this section.

25EObligation to keep information accurate, up‑to‑date and complete

1. (1)

   If a healthcare provider organisation becomes aware that information held by the service operator in relation to the organisation is not accurate, up‑to‑date and complete, the organisation must:

   1. (a)

      give the service operator, in writing, accurate, up‑to‑date and complete information; and

   2. (b)

      do so within 20 business days after the organisation becomes aware that the information held by the service operator is not accurate, up‑to‑date and complete.

2. (2)

   Subsection (1) does not apply if:

   1. (a)

      the information that is no longer accurate, up‑to‑date and complete is personal information that the service operator was only able to lawfully obtain with the consent of the person to whom the information relates; and

   2. (b)

      instead of giving accurate, up‑to‑date and complete personal information within the period specified in that subsection, the healthcare provider organisation notifies the service operator within that period, in the manner and form approved by the service operator, that the person to whom the information relates has withdrawn consent for the information to be given to the service operator.

3. (3)

   Subsection (1) does not apply if:

   1. (a)

      the healthcare provider organisation, or an individual healthcare provider who is linked to the healthcare provider organisation, is required by an Australian law, or by a lawful requirement of the national registration authority, to give the national registration authority the accurate, up‑to‑date and complete information; and

   2. (b)

      the healthcare provider organisation, or the individual healthcare provider, complies with the requirement.

4. (4)

   A person is liable to a civil penalty if:

   1. (a)

      the person fails to give the service operator information in the circumstances mentioned in subsection (1); and

   2. (b)

      the person knows or is reckless as to those circumstances.

   Civil penalty: 100 penalty units.

35

Division 4 of Part 3

Repeal the heading, substitute:

Division 4—Unauthorised use and disclosure of healthcare identifiers and other information obtained under this Act

36

Section 26

Repeal the section, substitute:

26Use and disclosure of healthcare identifiers and other information obtained under this Act

1. (1)

   A person must not use or disclose information if:

   1. (a)

      the person obtains the information in response to a request under section 9B; or

   2. (b)

      the person obtains the information in the course of establishing or maintaining a record for the purposes of section 10 (a record of healthcare identifiers assigned and other matters, such as requests made to the service operator to disclose those identifiers); or

   3. (c)

      the information is identifying information and the person obtains the information in circumstances covered by a requirement or authority under this Act; or

   4. (d)

      the information is the healthcare identifier of a healthcare recipient or an individual healthcare provider.

2. (2)

   A person must not use or disclose information if the information is disclosed to the person in contravention of subsection (1).

3. (3)

   This section does not apply to the use or disclosure of a healthcare identifier if:

   1. (a)

      the use or disclosure of the healthcare identifier is required or authorised under this Act; or

   2. (b)

      the use or disclosure of the healthcare identifier is required or authorised under another Commonwealth law or a court/tribunal order; or

   3. (c)

      the use or disclosure is:

      1. (i)

         by the person to whom the healthcare identifier relates; and

      2. (ii)

         for the purposes of, or in connection with, the personal, family or household affairs of that person (within the meaning of section 16 of the Privacy Act 1988); or

   4. (d)

      a permitted general situation of the kind described in item 1, 2, 4 or 5 of the table in subsection 16A(1) of the Privacy Act 1988 exists in relation to the use or disclosure, or would exist if the person were an APP entity for the purposes of that Act; or

   5. (e)

      without limiting the exceptions under this subsection, the use or disclosure is required or authorised by the Information Commissioner, or an equivalent officer or agency of a State or Territory, in exercising powers or performing functions in relation to privacy.

   Note: A defendant bears an evidential burden in relation to the matters in subsection (3): see subsection 13.3(3) of the Criminal Code.

4. (4)

   This section does not apply to the use or disclosure of information other than a healthcare identifier if:

   1. (a)

      the use or disclosure of the information is required or authorised under this Act; or

   2. (b)

      the use or disclosure of the information is required or authorised under another Australian law or a court/tribunal order; or

   3. (c)

      the information is personal information and the use or disclosure would not be an interference with the privacy of the individual for the purposes of the Privacy Act 1988, or would not be an interference with the privacy of the individual for the purposes of that Act if the person were an agency or an organisation for the purposes of that Act; or

   4. (d)

      without limiting the exceptions under this subsection, the use or disclosure is required or authorised by the Information Commissioner, or an equivalent officer or agency of a State or Territory, in exercising powers or performing functions in relation to privacy.

   Note: A defendant bears an evidential burden in relation to the matters in subsection (4): see subsection 13.3(3) of the Criminal Code.

5. (5)

   A person commits an offence if the person contravenes subsection (1) or (2).

   Penalty: Imprisonment for 2 years or 120 penalty units, or both.

6. (6)

   A person is liable to a civil penalty if:

   1. (a)

      the person uses or discloses information in circumstances under which the use or disclosure would contravene subsection (1) or (2); and

   2. (b)

      the person knows or is reckless as to those circumstances.

   Civil penalty: 600 penalty units.

37

Before section 28

Insert:

28AASimplified outline of this Part

If a person is authorised to collect, use or disclose information under this Act, the person will not interfere with the privacy of an individual for the purposes of the Privacy Act 1988 in doing so.

Section 26 imposes a higher standard of privacy in relation to healthcare identifiers than is imposed in relation to other information. If a person uses or discloses a healthcare identifier in circumstances that are not permitted under that section, the person will not only be subject to criminal and civil penalties. That action will also be an interference with privacy for the purposes of the Privacy Act 1988, and can be dealt with as such under that Act.

38

Subsection 29(1)

Omit “An act or practice that contravenes this Act or the regulations in connection with the healthcare identifier of an individual is taken to be:”, substitute “An act or practice in connection with a healthcare identifier of a healthcare recipient or an individual healthcare provider that contravenes this Act or the regulations, or would contravene this Act or the regulations but for a requirement relating to state of mind, is taken to be:”.

39

Paragraph 29(1)(a)

Omit “of the individual”, substitute “of the healthcare recipient or individual healthcare provider”.

40

Subsection 29(3)

After “healthcare identifier”, insert “of a healthcare recipient or of an individual healthcare provider”.

41

Before section 31

Insert:

31AASimplified outline of this Part

The Healthcare Provider Directory is a directory available to healthcare providers to allow them to find information about other healthcare providers, such as:

1. (a)

   the healthcare identifier of a healthcare provider; and

2. (b)

   whether an individual healthcare provider is linked to a healthcare provider organisation; and

3. (c)

   whether a healthcare provider is registered under the My Health Record system; and

4. (d)

   whether a healthcare provider is registered with a registration authority and the status of that registration (such as whether it is conditional, suspended, cancelled or lapsed); and

5. (e)

   the type of healthcare provider that an individual is.

42

Section 31

Repeal the section, substitute:

31Healthcare Provider Directory

1. (1)

   The service operator must establish and maintain a record (the Healthcare Provider Directory) of the professional and business details of identified healthcare providers.

2. (2)

   The service operator is authorised to:

   1. (a)

      collect and use personal information for the purposes of establishing and maintaining the Healthcare Provider Directory; and

   2. (b)

      disclose personal information on the Healthcare Provider Directory to an identified healthcare provider;

but, except in the circumstances dealt with in section 31A, only with the consent of the individual to whom the personal information relates.

1. (3)

   The professional and business details of a healthcare provider disclosed on the Healthcare Provider Directory may include information sufficient to allow the person to whom the information is disclosed to determine any of the following:

   1. (a)

      the healthcare identifier of a healthcare provider;

   2. (b)

      identifying information of a healthcare provider;

   3. (c)

      whether an individual healthcare provider is linked to a particular healthcare provider organisation;

   4. (d)

      whether a healthcare provider organisation is a registered healthcare provider organisation for the purposes of the My Health Records Act;

   5. (e)

      whether an individual healthcare provider is registered with a registration authority and the status of that registration (such as conditional, suspended, cancelled or lapsed);

   6. (f)

      the type of healthcare provider that an individual is.

2. (4)

   A person to whom the professional and business details of a healthcare provider is disclosed on the Healthcare Provider Directory is authorised to collect, use and disclose that information:

   1. (a)

      for the purpose of communicating or managing health information, as part of providing healthcare to a healthcare recipient; or

   2. (b)

      in any other circumstances in which the collection, use or disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order; or

   3. (c)

      in any other circumstances in which the collection, use or disclosure of the information would not be an interference with privacy under the Privacy Act 1988.

31AHealthcare Provider Directory—sharing information with the My Health Record System Operator

1. (1)

   The service operator is authorised to collect from the My Health Record System Operator, use and disclose to the My Health Record System Operator:

   1. (a)

      identifying information of a healthcare provider; and

   2. (b)

      the healthcare identifier of a healthcare provider;

for the purposes of the Healthcare Provider Directory.

1. (2)

   The My Health Record System Operator is authorised to use and disclose to the service operator:

   1. (a)

      identifying information of a healthcare provider; and

   2. (b)

      the healthcare identifier of a healthcare provider;

for the purposes of the Healthcare Provider Directory.

43

After Part 5

Insert:

Part 5A—Enforcement

31BSimplified outline of this Part

The civil penalty provisions of this Act and the regulations are enforceable under Part 4 of the Regulatory Powers Act. The provisions of this Act and the regulations are also enforceable using enforceable undertakings under Part 6 of the Regulatory Powers Act, and injunctions under Part 7 of the Regulatory Powers Act.

31CCivil penalty provisions

Enforceable civil penalty provisions

1. (1)

   Each civil penalty provision of this Act and the regulations is enforceable under Part 4 of the Regulatory Powers Act.

   Note: Part 4 of the Regulatory Powers Act allows a civil penalty provision to be enforced by obtaining an order for a person to pay a pecuniary penalty for the contravention of the provision.

Authorised applicant

1. (2)

   For the purposes of Part 4 of the Regulatory Powers Act, the Information Commissioner is an authorised applicant in relation to the civil penalty provisions of this Act and the regulations.

Relevant court

1. (3)

   For the purposes of Part 4 of the Regulatory Powers Act, each of the following courts is a relevant court in relation to the civil penalty provisions of this Act and the regulations:

   1. (a)

      the Federal Court of Australia;

   2. (b)

      the Federal Circuit Court of Australia;

   3. (c)

      a court of a State or Territory that has jurisdiction in relation to the matter.

Extension to external Territories

1. (4)

   Part 4 of the Regulatory Powers Act, as that Part applies in relation to the civil penalty provisions of this Act and the regulations, extends to every external Territory.

Liability of the Crown

1. (5)

   Part 4 of the Regulatory Powers Act, as that Part applies in relation the civil penalty provisions of this Act and the regulations, does not make the Crown liable to a pecuniary penalty.

31DEnforceable undertakings

Enforceable provisions

1. (1)

   The provisions of this Act and the regulations are enforceable under Part 6 of the Regulatory Powers Act.

   Note: Part 6 of the Regulatory Powers Act creates a framework for accepting and enforcing undertakings relating to compliance with provisions.

Authorised person

1. (2)

   For the purposes of Part 6 of the Regulatory Powers Act, each of the following persons is an authorised person in relation to the provisions of this Act and the regulations:

   1. (a)

      the service operator;

   2. (b)

      the Information Commissioner.

Relevant court

1. (3)

   For the purposes of Part 6 of the Regulatory Powers Act, each of the following courts is a relevant court in relation to the provisions of this Act and the regulations:

   1. (a)

      the Federal Court of Australia;

   2. (b)

      the Federal Circuit Court of Australia;

   3. (c)

      a court of a State or Territory that has jurisdiction in relation to the matter.

Enforceable undertaking may be published on website

1. (4)

   An authorised person in relation to a provision of this Act and the regulations may publish an undertaking given in relation to the provision on the authorised person’s website.

Extension to external Territories

1. (5)

   Part 6 of the Regulatory Powers Act, as that Part applies in relation to the provisions of this Act and the regulations, extends to every external Territory.

31EInjunctions

Enforceable provisions

1. (1)

   The provisions of this Act and the regulations are enforceable under Part 7 of the Regulatory Powers Act.

   Note: Part 7 of the Regulatory Powers Act creates a framework for using injunctions to enforce provisions.

Authorised person

1. (2)

   For the purposes of Part 7 of the Regulatory Powers Act, each of the following persons is an authorised person in relation to the provisions of this Act and the regulations:

   1. (a)

      the service operator;

   2. (b)

      the Information Commissioner.

Relevant court

1. (3)

   For the purposes of Part 7 of the Regulatory Powers Act, each of the following courts is a relevant court in relation to the provisions of this Act and the regulations:

   1. (a)

      the Federal Court of Australia;

   2. (b)

      the Federal Circuit Court of Australia;

   3. (c)

      a court of a State or Territory that has jurisdiction in relation to the matter.

Extension to external Territories

1. (4)

   Part 7 of the Regulatory Powers Act, as that Part applies in relation to the provisions of this Act and the regulations, extends to every external Territory.

44

Before section 32

Insert:

31FSimplified outline of this Part

The Minister may give directions to the service operator about the performance of the service operator’s functions under this Act, after consulting the Ministerial Council.

The Minister must also consult the Ministerial Council before regulations are made under this Act.

45

At the end of section 34

Add:

1. (4)

   If the service operator is required under section 46 of the Public Governance, Performance and Accountability Act 2013 to prepare and give to the Minister an annual report for all or part of a financial year, the service operator is not required to also give a report in relation to that financial year under this section.

46

Section 35

Repeal the section, substitute:

35Review of the operation of this Act

1. (1)

   The Minister must, after consulting the Ministerial Council, appoint an individual to review the operation of this Act and the regulations.

2. (2)

   The individual appointed must give a report to the Minister within 3 years after the commencement of Schedule 1 to the Health Legislation Amendment (eHealth) Act 2015.

3. (3)

   The Minister must:

   1. (a)

      provide a copy of the report to the Ministerial Council; and

   2. (b)

      table a copy of the report in each House of Parliament within 15 sitting days after the report is given to the Minister.

47

Before section 36

Insert:

Division 1—Simplified outline of this Part

36AASimplified outline of this Part

If an entity is authorised to collect, use or disclose information under this Act, an employee or contracted service provider of the entity is authorised to do that, provided the duties of the employee or contracted service provider involve implementing the purpose for which the collection, use or disclosure is authorised.

If an entity is authorised to disclose information to a healthcare provider, the entity is authorised to disclose the information to an employee or contracted service provider of the healthcare provider, provided the duties of the employee or contracted service provider involve implementing the purpose for which the disclosure is authorised.

This Act applies to partnerships, unincorporated associations and trusts in the same way as it applies to persons.

The service operator may delegate functions and powers under this Act.

This Part also:

1. (a)

   provides for the concurrent operation of State and Territory law; and

2. (b)

   deals with the effect Parts 3 and 4 are to have in certain constitutionally significant circumstances.

The Governor‑General may make regulations prescribing matters that are required or permitted to be prescribed by this Act, or that are necessary or convenient to be prescribed for carrying out or giving effect to this Act.

Division 2—Employees, contractors, partnerships, unincorporated associations and trusts

48

After section 36

Insert:

36AAuthorisation to disclose to employees and contracted service providers of a healthcare provider

An authorisation under this Act to an entity to disclose information to a healthcare provider for a particular purpose is an authorisation to disclose the information to:

1. (a)

   an individual:

   1. (i)

      who is an employee of the healthcare provider; and

   2. (ii)

      whose duties involve, or are reasonably connected to, implementing that purpose; or

2. (b)

   a contracted service provider of the healthcare provider, if the duties of the contracted service provider under a contract with the healthcare provider involve, or are reasonably connected with, implementing that purpose by providing information technology services relating to the communication of health information, or health information management services, to the healthcare provider; or

3. (c)

   an individual:

   1. (i)

      who is an employee of a contracted service provider to which paragraph (b) applies; and

   2. (ii)

      whose duties involve implementing that purpose as mentioned in that paragraph.

36BTreatment of partnerships

1. (1)

   This Act applies to a partnership as if it were a person, but with the changes set out in this section.

2. (2)

   An obligation that would otherwise be imposed on the partnership by this Act is imposed on each partner instead, but may be discharged by any of the partners.

3. (3)

   An offence against this Act that would otherwise have been committed by the partnership is taken to have been committed by each partner in the partnership, at the time the offence was committed, who:

   1. (a)

      did the relevant act or made the relevant omission; or

   2. (b)

      aided, abetted, counselled or procured the relevant act or omission; or

   3. (c)

      was in any way knowingly concerned in, or party to, the relevant act or omission (whether directly or indirectly and whether by any act or omission of the partner).

4. (4)

   This section applies to a contravention of a civil penalty provision in a corresponding way to the way in which it applies to an offence.

36CTreatment of unincorporated associations

1. (1)

   This Act applies to an unincorporated association as if it were a person, but with the changes set out in this section.

2. (2)

   An obligation that would otherwise be imposed on the unincorporated association by this Act is imposed on each member of the association’s committee of management instead, but may be discharged by any of the members.

3. (3)

   An offence against this Act that would otherwise have been committed by the unincorporated association is taken to have been committed by each member of the association’s committee of management, at the time the offence was committed, who:

   1. (a)

      did the relevant act or made the relevant omission; or

   2. (b)

      aided, abetted, counselled or procured the relevant act or omission; or

   3. (c)

      was in any way knowingly concerned in, or party to, the relevant act or omission (whether directly or indirectly and whether by any act or omission of the member).

4. (4)

   This section applies to a contravention of a civil penalty provision in a corresponding way to the way in which it applies to an offence.

36DTreatment of trusts with multiple trustees

1. (1)

   If a trust has 2 or more trustees, this Act applies to the trust as if it were a person, but with the changes set out in this section.

2. (2)

   An obligation that would otherwise be imposed on the trust by this Act is imposed on each trustee instead, but may be discharged by any of the trustees.

3. (3)

   An offence against this Act that would otherwise have been committed by the trust is taken to have been committed by each trustee of the trust, at the time the offence was committed, who:

   1. (a)

      did the relevant act or made the relevant omission; or

   2. (b)

      aided, abetted, counselled or procured the relevant act or omission; or

   3. (c)

      was in any way knowingly concerned in, or party to, the relevant act or omission (whether directly or indirectly and whether by any act or omission of the trustee).

4. (4)

   This section applies to a contravention of a civil penalty provision in a corresponding way to the way in which it applies to an offence.

Division 3—Delegations

36EDelegations by the service operator

1. (1)

   The service operator may, by writing, delegate one or more of his or her functions and powers to any of the following:

   1. (a)

      an APS employee in the Department;

   2. (b)

      if the service operator is not the Chief Executive Medicare—the Chief Executive Medicare;

   3. (c)

      any other person with the consent of the Minister.

2. (2)

   If the service operator is not the Chief Executive Medicare the service operator may only delegate a function or power of the service operator:

   1. (a)

      to an APS employee in the Department with the agreement of the Secretary; and

   2. (b)

      to the Chief Executive Medicare with the agreement of the Chief Executive Medicare.

3. (3)

   Each of the following must comply with any written directions of the service operator:

   1. (a)

      a delegate;

   2. (b)

      if the Chief Executive Medicare delegates under subsection 8AC(3) of the Human Services (Medicare) Act 1973 a function delegated to him or her under this section—a subdelegate.

Division 4—Constitutional matters

49

After section 38

Insert:

Division 5—Regulations

Personally Controlled Electronic Health Records Act 2012

50

Section 4

Repeal the section, substitute:

4Simplified outline of this Act

The My Health Record system is a system for making health information about a healthcare recipient available for the purposes of providing healthcare to the recipient.

A healthcare recipient will have a My Health Record if the recipient registers in the My Health Record system. The Minister may, however, provide that the opt‑out model is to apply under My Health Records Rules made under Schedule 1. A healthcare recipient covered by those Rules will be registered in the My Health Record system, and have a My Health Record, unless the recipient elects to opt‑out of the system.

The My Health Record system is operated by the System Operator. The System Operator operates the National Repositories Service, that stores key records that form part of a healthcare recipient’s My Health Record. Other records are stored by registered repository operators. Together these records make up a healthcare recipient’s My Health Record.

If a healthcare recipient is registered in the My Health Record system, a healthcare provider may upload health information about the recipient to the My Health Record system, unless the record is one which the healthcare recipient has advised the healthcare provider not to upload or the record is not to be uploaded under prescribed laws of a State or Territory.

Health information may be collected, used and disclosed from a healthcare recipient’s My Health Record for the purpose of providing healthcare to the recipient, subject to any access controls set by the recipient (or if none are set, default access controls). There are other limited circumstances in which health information may be collected, used or disclosed from a My Health Record. Criminal and civil penalties apply if a person collects, uses or discloses information from a My Health Record without authorisation. Enforceable undertakings and injunctions are also available to enforce the provisions of this Act.

An authorisation to collect, use or disclose information under this Act is also an authorisation to do so for the purposes of the Privacy Act 1988. A contravention of this Act is also an interference with privacy for the purposes of the Privacy Act 1988, and so can be investigated under that Act.

4ASchedule 1

Schedule 1 has effect.

Note: Schedule 1 deals with the opt‑out model for registering healthcare recipients in the My Health Record system.

51

Section 5

Insert:

cinematograph film has the same meaning as in the Copyright Act 1968.

52

Section 5 (definition of civil penalty order)

Repeal the definition.

53

Section 5 (definition of civil penalty provision)

Repeal the definition, substitute:

civil penalty provision has the same meaning as in the Regulatory Powers Act.

54

Section 5 (definition of Court)

Repeal the definition.

55

Section 5 (definition of healthcare)

Repeal the definition, substitute:

healthcare means health service within the meaning of subsection 6(1) of the Privacy Act 1988.

56

Section 5 (definition of health information)

Repeal the definition, substitute:

health information has the meaning given by subsection 6(1) of the Privacy Act 1988.

57

Section 5 (definition of independent advisory council

Repeal the definition.

58

Section 5 (definition of jurisdictional advisory committee)

Repeal the definition.

59

Section 5 (definition of Ministerial Council)

Repeal the definition, substitute:

Ministerial Council means the council (however described) established by the Council of Australian Governments that has responsibility for health matters.

60

Section 5

Insert:

Regulatory Powers Act means the Regulatory Powers (Standard Provisions) Act 2014.

61

Section 5

Insert:

sound recording has the same meaning as in the Copyright Act 1968.

62

Section 5

Insert:

work has the same meaning as in the Copyright Act 1968.

63

Subsections 6(9) and 7(6)

Repeal the subsections.

64

After section 7

Insert:

7ADuties of authorised representative or nominated representative

Duty to ascertain will and preferences

1. (1)

   An authorised representative or a nominated representative (a representative) of a healthcare recipient must make reasonable efforts to ascertain the recipient’s will and preferences in relation to the recipient’s My Health Record.

2. (2)

   If it is not possible to ascertain the healthcare recipient’s will and preferences, the representative must make reasonable efforts to ascertain the recipient’s likely will and preferences in relation to the recipient’s My Health Record.

3. (3)

   The healthcare recipient’s likely will and preferences may be ascertained from sources including the following:

   1. (a)

      if the representative is a nominated representative—the agreement appointing the representative;

   2. (b)

      to the extent legally possible, from consultation with people who may be expected to be aware of the recipient’s will and preferences.

Duty to give effect to will and preferences

1. (4)

   The representative must give effect to the healthcare recipient’s will and preferences, or likely will and preferences, ascertained in accordance with subsection (1) or (2).

2. (5)

   However, if to do so would pose a serious risk to the healthcare recipient’s personal and social wellbeing, the representative must instead act in a manner that promotes the personal and social wellbeing of the healthcare recipient.

Duty if will and preferences cannot be ascertained

1. (6)

   If the healthcare recipient’s will and preferences, or likely will and preferences, cannot be ascertained, the representative must act in a manner that promotes the personal and social wellbeing of the healthcare recipient.

65

At the end of subsection 9(3)

Add:

1. ; (i)

   other information that is prescribed by the regulations for the purpose of this paragraph.

66

Subsection 11(2)

Omit “or liable to a pecuniary penalty”.

67

At the end of Part 1

Add:

13BSystem Operator may use electronic communications

1. (1)

   If under this Act the System Operator is required to give information in writing, that requirement is taken to have been met if the System Operator gives the information by means of an electronic communication, as defined in the Electronic Transactions Act 1999.

2. (2)

   If under this Act the System Operator is permitted to give information in writing, the System Operator is permitted to give the information by means of an electronic communication, as defined in the Electronic Transactions Act 1999.

68

Part 2 (heading)

Repeal the heading, substitute:

Part 2—The System Operator and the functions of the Chief Executive Medicare

69

After paragraph 15(i)

Insert:

1. (ia)

   to establish and operate a test environment for the My Health Record system, and other electronic systems that interact directly with the My Health Record system, in accordance with the requirements (if any) in the My Health Records Rules;

70

Section 16

Repeal the section.

71

Subparagraph 17(2)(b)(ii)

Omit “the record was first uploaded to the National Repositories Service”, substitute “the date of birth of the healthcare recipient”.

72

Divisions 2 and 3 of Part 2

Repeal the Divisions.

73

Division 1 of Part 3

After the Division heading, insert:

Note: This Division does not apply to a healthcare recipient if the opt‑out model applies to the healthcare recipient because of My Health Records Rules made under Schedule 1 to this Act.

74

After subsection 41(3)

Insert:

1. (3A)

   A registered healthcare provider organisation is authorised to upload to the My Health Record system a record in relation to a healthcare recipient (the patient) that includes health information about another healthcare recipient (the third party), if the health information about the third party is directly relevant to the healthcare of the patient, subject to a law of a State or Territory that is prescribed by the regulations for the purposes of subsection (4).

75

Subsection 41(4)

Omit “A consent referred to in subsection (3) has”, substitute “A consent referred to in subsection (3), and an authorisation given under subsection (3A), have”.

76

After paragraph 45(b)

Insert:

1. (ba)

   upload to a repository a record of a kind specified in the My Health Records Rules for the purposes of subparagraph (b)(ii) unless the record is prepared by a person who, at the time the record is prepared, is:

   1. (i)

      an individual who is registered by a registration authority within the meaning of the Healthcare Identifiers Act 2010, and whose registration is not conditional, suspended, cancelled or lapsed (other than in circumstances prescribed in the My Health Records Rules); or

   2. (ii)

      an individual who is a member of a professional association described in paragraph 9A(1)(b) of the Healthcare Identifiers Act 2010, and whose membership is not conditional, suspended, cancelled or lapsed (other than in circumstances prescribed by the My Health Records Rules); or

77

Paragraph 45(c)

Repeal the paragraph, substitute:

1. (c)

   upload a record to a repository if uploading the record would involve an infringement of a moral right of the author, within the meaning of the Copyright Act 1968; or

78

After section 45

Insert:

45ACondition of registration—handling old records that are works subject to copyright

Old works must not be uploaded if it would be an infringement of copyright to use the work for healthcare or related purposes

1. (1)

   Subsection (2) applies to works made before section 44BB of the Copyright Act 1968 commences.

   Note: Section 44BB of the Copyright Act 1968 provides that there is no infringement of copyright if an act comprised in the copyright of a work is done, or authorised to be done, for healthcare or related purposes.

2. (2)

   A healthcare provider organisation must not, for the purposes of the My Health Record system, upload the work if it would be an infringement of the copyright in the work for the organisation or another person to do, or authorise to be done, an act comprised in the copyright of the work:

   1. (a)

      for a purpose for which the collection, use or disclosure of health information is required or authorised under this Act; or

   2. (b)

      in circumstances in which a permitted general situation exists under item 1 of the table in subsection 16A(1) of the Privacy Act 1988 (serious threat to life, health or safety), or would exist if the act were done, or authorised to be done, by an entity that is an APP entity for the purposes of that Act; or

   3. (c)

      in circumstances in which a permitted health situation exists under section 16B of the Privacy Act 1988, or would exist if the act were done, or authorised to be done, by an entity that is an organisation for the purposes of that Act; or

   4. (d)

      for any other purpose relating to healthcare, or the communication or management of health information, prescribed by the regulations.

3. (3)

   It is a condition of the registration of a healthcare provider organisation that the organisation complies with the obligation under subsection (2).

45BCondition of registration—handling old sound recordings and cinematograph films that are subject to copyright

1. (1)

   Subsection (2) applies to sound recordings and cinematograph films made before section 104C of the Copyright Act 1968 commences.

   Note: Section 104C of the Copyright Act 1968 provides that there is no infringement of the copyright if an act comprised in the copyright of a sound recording or cinematograph film is done, or authorised to be done, for healthcare or related purposes.

2. (2)

   A healthcare provider organisation must not, for the purposes of the My Health Record system, upload the sound recording or cinematograph film if it would be an infringement of the copyright in the recording or film for the organisation or another person to do an act comprised in the copyright of the recording or film:

   1. (a)

      for a purpose for which the collection, use or disclosure of health information is required or authorised under this Act; or

   2. (b)

      in circumstances in which a permitted general situation exists under item 1 of the table in subsection 16A(1) of the Privacy Act 1988 (serious threat to life, health or safety), or would exist if the act were done by an entity that is an APP entity for the purposes of that Act; or

   3. (c)

      in circumstances in which a permitted health situation exists under section 16B of the Privacy Act 1988, or would exist if the act were done by an entity that is an organisation for the purposes of that Act; or

(2) Sections 94 and 95 of the My Health Records Act 2012, as in force immediately before the commencement of this Schedule, continue to apply on and after the application day in relation to the following:

1. (a)

   an undertaking given before the application day;

2. (b)

   an application for an order made, but not decided, under subsection 95(1) of that Act before the application day;

3. (c)

   an order made under subsection 95(2) of that Act before, on or after the application day as a result of an application made before the application day.

133

Application and saving provision—injunctions

(1) Part 7 of the Regulatory Powers (Standard Provisions) Act 2014, as that Part applies under Division 3 of Part 6 of the My Health Records Act 2012, applies in relation to contraventions occurring on or after the application day.

(2) Section 96 of the My Health Records Act 2012, as in force immediately before the commencement of this Schedule, continues to apply on and after the application day in relation to contraventions occurring before the application day.

134

Amendments of the My Health Records Act 2012 relating to partnerships, unincorporated associations and trusts

The amendments made by items 97, 98 and 99 of this Schedule apply to:

1. (a)

   obligations arising on or after the application day; and

2. (b)

   offence and civil penalty provisions contravened on or after the application day.

135

Repeal of requirement for the System Operator to give an annual report

The amendment made by item 101 of this Schedule applies to financial years beginning on or after the governance restructure day.

136

Rules

(1) The Minister may, by legislative instrument, make rules prescribing matters:

1. (a)

   required or permitted by this Act to be prescribed by the rules; or

2. (b)

   necessary or convenient to be prescribed for carrying out or giving effect to this Act.

(2) Without limiting subitem (1), the rules may prescribe matters of a transitional nature (including prescribing any saving or application provisions) relating to:

1. (a)

   the amendments or repeals made by this Act; or

2. (b)

   the enactment of this Act.

(3) Without limiting subitem (2), rules made for the purposes of that subitem may provide that the following Acts have effect with any modifications prescribed by the rules:

1. (a)

   the Healthcare Identifiers Act 2010;

2. (b)

   the My Health Records Act 2012;

3. (c)

   the Privacy Act 1988.

(4) To avoid doubt, the rules may not do the following:

1. (a)

   create an offence or civil penalty;

2. (b)

   provide powers of:

   1. (i)

      arrest or detention; or

   2. (ii)

      entry, search or seizure;

3. (c)

   impose a tax;

4. (d)

   set an amount to be appropriated from the Consolidated Revenue Fund under an appropriation in this Act;

5. (e)

   directly amend the text of this Act.

(5) This Part (other than subitem (4)) does not limit the rules that may be made for the purposes of this item.

Healthcare Identifiers Act 2010

1

Section 5

Insert:

My Health Record has the same meaning as in the My Health Records Act 2012.

My Health Record system has the same meaning as in the My Health Records Act 2012.

My Health Record System Operator means the System Operator within the meaning of the My Health Records Act 2012.

2

Section 5

Insert:

participant in the My Health Record system has the same meaning as in the My Health Records Act 2012.

3

Section 5 (definition of participant in the PCEHR system)

Repeal the definition.

4

Section 5

Repeal the following definitions:

1. (a)

   definition of PCEHR;

2. (b)

   definition of PCEHR system;

3. (c)

   definition of PCEHR System Operator.

5

Section 5 (definitions of registered portal operator and registered repository operator)

Omit “Personally Controlled Electronic Health Records Act 2012”, substitute “My Health Records Act 2012”.

6

Subparagraphs 36(ba)(i) and (ii)

Omit “PCEHR”, substitute “My Health Record”.

Health Insurance Act 1973

7

Subsection 3(1)

Insert:

My Health Record System Operator has the same meaning as System Operator has in the My Health Records Act 2012.

8

Subsection 3(1) (definition of PCEHR System Operator)

Repeal the definition.

9

Subsection 3(1) (definition of registered repository operator)

Omit “Personally Controlled Electronic Health Records Act 2012”, substitute “My Health Records Act 2012”.

10

Subsection 130(1)

Omit “Personally Controlled Electronic Health Records Act 2012”, substitute “My Health Records Act 2012”.

National Health Act 1953

11

Subsection 135A(1)

Omit “Personally Controlled Electronic Health Records Act 2012”, substitute “My Health Records Act 2012”.

12

Subsection 135AA(5AA)

Omit “PCEHR” (wherever occurring), substitute “My Health Record”.

13

Subsection 135AA(11)

Insert:

My Health Record has the same meaning as in the My Health Records Act 2012.

My Health Record System Operator has the same meaning as System Operator has in the My Health Records Act 2012.

14

Subsection 135AA(11)

Repeal the following definitions:

1. (a)

   definition of PCEHR;

2. (b)

   definition of PCEHR System Operator.

Personally Controlled Electronic Health Records Act 2012

15

Section 1

Omit “Personally Controlled Electronic Health Records Act 2012”, substitute “My Health Records Act 2012”.

Note: This item amends the short title of the Act. If another amendment of the Act is described by reference to the Act’s previous short title, that other amendment has effect after the commencement of this item as an amendment of the Act under its amended short title (see section 10 of the Acts Interpretation Act 1901).

16

Section 5 (definitions of contracted service provider and index service)

Omit “PCEHR” (wherever occurring), substitute “My Health Record”.

17

Section 5

Insert:

My Health Record of a healthcare recipient means the record of information that is created and maintained by the System Operator in relation to the healthcare recipient, and information that can be obtained by means of that record, including the following:

1. (a)

   information included in the entry in the Register that relates to the healthcare recipient;

2. (b)

   health information connected in the My Health Record system to the healthcare recipient (including information included in a record accessible through the index service);

3. (c)

   other information connected in the My Health Record system to the healthcare recipient, such as information relating to auditing access to the record;

4. (d)

   back‑up records of such information.

My Health Records Rules has the meaning given by section 109.

My Health Record system means a system:

1. (a)

   that is for:

   1. (i)

      the collection, use and disclosure of information from many sources using telecommunications services and by other means, and the holding of that information, in accordance with the healthcare recipient’s wishes or in circumstances specified in this Act; and

   2. (ii)

      the assembly of that information using telecommunications services and by other means so far is it is relevant to a particular healthcare recipient, so that it can be made available, in accordance with the healthcare recipient’s wishes or in circumstances specified in this Act, to facilitate the provision of healthcare to the healthcare recipient or for purposes specified in this Act; and

2. (b)

   that involves the performance of functions under this Act by the System Operator.

18

Section 5

Insert:

participant in the My Health Record system means any of the following:

1. (a)

   the System Operator;

2. (b)

   a registered healthcare provider organisation;

3. (c)

   the operator of the National Repositories Service;

4. (d)

   a registered repository operator;

5. (e)

   a registered portal operator;

6. (f)

   a registered contracted service provider, so far as the contracted service provider provides services to a registered healthcare provider.

19

Section 5 (definition of participant in the PCEHR system)

Repeal the definition.

20

Section 5

Repeal the following definitions:

1. (a)

   definition of PCEHR;

2. (b)

   definition of PCEHR Rules;

3. (c)

   definition of PCEHR system.

21

Section 5 (definition of personally controlled electronic health record)

Repeal the definition.

22

Section 5 (definition of registered portal operator)

Omit “PCEHR”, substitute “My Health Record”.

23

Section 5 (definition of registered repository operator)

Omit “personally controlled electronic health records”, substitute “My Health Records”.

24

Section 5 (definition of registered repository operator)

Omit “PCEHR”, substitute “My Health Record”.

25

Section 5 (definitions of this Act and use)

Omit “PCEHR”, substitute “My Health Record”.

26

Paragraphs 6(3)(a) and (6)(b)

Omit “PCEHR”, substitute “My Health Record”.

27

Subsection 7(3)

Omit “PCEHR” (wherever occurring), substitute “My Health Record”.

28

Section 15

Omit “PCEHR” (wherever occurring), substitute “My Health Record”.

29

Paragraph 17(1)(b)

Omit “PCEHR”, substitute “My Health Record”.

30

Subsection 38(1)

Omit “PCEHR”, substitute “My Health Record”.

31

Subsections 41(1) to (3)

Omit “PCEHR” (wherever occurring), substitute “My Health Record”.

32

Paragraph 43(b)

Omit “PCEHR”, substitute “My Health Record”.

33

Subsection 44(2)

Omit “PCEHR” (wherever occurring), substitute “My Health Record”.

34

Section 45

Omit “PCEHR” (wherever occurring), substitute “My Health Record”.

35

Section 46 (heading)

Repeal the heading, substitute:

46Condition of registration—non‑discrimination in providing healthcare to a healthcare recipient who does not have a My Health Record etc.

36

Paragraphs 46(2)(a) and (b)

Omit “PCEHR”, substitute “My Health Record”.

37

Paragraph 48(a)

Omit “PCEHR”, substitute “My Health Record”.

38

Subsection 49(2)

Omit “PCEHR” (wherever occurring), substitute “My Health Record”.

39

Section 50

Omit “PCEHR”, substitute “My Health Record”.

40

Subsections 51(2) and (3)

Omit “PCEHR” (wherever occurring), substitute “My Health Record”.

41

Section 55 (heading)

Repeal the heading, substitute:

55My Health Records Rules may specify requirements after registration is cancelled or suspended

42

Section 55

Omit “PCEHR” (wherever occurring), substitute “My Health Record”.

43

Paragraph 55(3)(a)

Omit “PCEHRs”, substitute “My Health Records”.

44

Paragraphs 57(a) and (b)

Omit “PCEHR”, substitute “My Health Record”.

45

Part 4 (heading)

Repeal the heading, substitute:

Part 4—Collection, use and disclosure of health information included in a healthcare recipient’s My Health Record

46

Division 1 of Part 4 (heading)

Repeal the heading, substitute:

Division 1—Unauthorised collection, use and disclosure of health information included in a healthcare recipient’s My Health Record

47

Section 59 (heading)

Repeal the heading, substitute:

59Unauthorised collection, use and disclosure of health information included in a healthcare recipient’s My Health Record

48

Section 59

Omit “PCEHR” (wherever occurring), substitute “My Health Record”.

49

Subsection 60(1)

Omit “PCEHR”, substitute “My Health Record”.

50

Sections 61 and 62

Omit “PCEHR” (wherever occurring), substitute “My Health Record”.

51

Section 63 (heading)

Repeal the heading, substitute:

63Collection, use and disclosure for management of My Health Record system

52

Sections 63 to 70

Omit “PCEHR” (wherever occurring), substitute “My Health Record”.

53

Division 3 of Part 4 (heading)

Repeal the heading, substitute:

Division 3—Prohibitions and authorisations limited to My Health Record system

54

Section 71 (heading)

Repeal the heading, substitute:

71Prohibitions and authorisations limited to health information collected by using the My Health Record system

55

Subsections 71(1), (2) and (3)

Omit “PCEHR” (wherever occurring), substitute “My Health Record”.

56

Subsection 71(4) (heading)

Repeal the heading, substitute:

Information originally obtained by means of My Health Record system

57

Subsection 71(4)

Omit “PCEHR” (wherever occurring), substitute “My Health Record”.

58

Subsections 73(1) and (3)

Omit “PCEHR”, substitute “My Health Record”.

59

Section 73A

Omit “PCEHR”, substitute “My Health Record”.

60

Section 73B

Omit “PCEHR” (wherever occurring), substitute “My Health Record”.

61

Paragraph 74(1)(a)

Omit “PCEHR”, substitute “My Health Record”.

62

Section 77

Omit “PCEHR” (wherever occurring), substitute “My Health Record”.

63

Subparagraphs 99(c)(i) and (ii)

Omit “PCEHR”, substitute “My Health Record”.

64

Subsection 106(1)

Omit “PCEHR”, substitute “My Health Record”.

65

Subparagraph 106(2)(a)(i)

Omit “PCEHR”, substitute “My Health Record”.

66

Subparagraph 106(2)(a)(ii)

Omit “PCEHRs”, substitute “My Health Records”.

67

Subparagraph 106(2)(a)(ii)

Omit “PCEHR”, substitute “My Health Record”.

68

Division 7 of Part 8 (heading)

Repeal the heading, substitute:

Division 7—My Health Records Rules, regulations and other instruments

69

Section 109 (heading)

Repeal the heading, substitute:

109Minister may make My Health Records Rules

70

Subsection 109(1)

Omit “PCEHR”, substitute “My Health Record”.

71

Subsection 109(1)

Omit “PCEHR”, substitute “My Health Record”.

72

Subsection 109(3) (heading)

Repeal the heading, substitute:

My Health Records Rules may relate to registration etc.

73

Subsection 109(3)

Omit “PCEHR” (wherever occurring), substitute “My Health Record”.

74

Subsection 109(4A) (heading)

Repeal the heading, substitute:

My Health Records Rules may relate to agreements

75

Subsections 109(4A) and (5)

Omit “PCEHR”, substitute “My Health Record”.

76

Subsection 109(6) (heading)

Repeal the heading, substitute:

My Health Records Rules may relate to access control mechanisms

77

Subsection 109(6)

Omit “PCEHR” (wherever occurring), substitute “My Health Record”.

78

Subsection 109(7) (heading)

Repeal the heading, substitute:

My Health Records Rules may relate to authorised representatives and nominated representatives

79

Subsection 109(7)

Omit “PCEHR”, substitute “My Health Record”.

80

Subsection 109(7A) (heading)

Repeal the heading, substitute:

My Health Records Rules may relate to research

81

Subsection 109(7A)

Omit “PCEHR”, substitute “My Health Record”.

82

Subsection 109(8) (heading)

Repeal the heading, substitute:

My Health Records Rules may apply to specified classes of participants

83

Subsection 109(8)

Omit “PCEHR” (wherever occurring), substitute “My Health Record”.

84

Subsection 112(2)

Omit “PCEHR”, substitute “My Health Record”.

Health Insurance Act 1973

1. 1

   Subsection 3(1) (definition of registered consumer)

   Repeal the definition.

2

Subsection 3(1)

Insert:

registered healthcare recipient has the meaning given by the MyHealth Records Act 2012.

National Health Act 1953

3

Subsection 135AA(5AA)

Omit “consumer”, substitute “healthcare recipient”.

Personally Controlled Electronic Health Records Act 2012

1. 4

   Section 5 (definitions of consumer and consumer‑only notes)

   Repeal the definitions.

5

Section 5

Insert:

healthcare recipient means an individual who has received, receives, or may receive, healthcare.

healthcare recipient‑only notes, in relation to a healthcare recipient, means health information included by the healthcare recipient in his or her My Health Record and described in the My Health Record system as healthcare recipient‑only notes (whether using that expression or an equivalent expression).

6

Section 5 (definition of registered consumer)

Repeal the definition.

7

Section 5

Insert:

registered healthcare recipient means a healthcare recipient who is registered under section 41.

8

Amendments of listed provisions

Schedule 4—Further consequential amendments

Personally Controlled Electronic Health Records Act 2012

1

Subsection 109(9)

Omit “Legislative Instruments Act 2003”, substitute “Legislation Act 2003”.

Health Insurance Act 1973

2

Subsection 131(1)

Omit “or the Healthcare Identifiers Act 2010”, substitute “or instruments made under this Act”.

3

Subsection 131(2)

After “this Act”, insert “or an instrument under which the power exists”.

[Minister’s second reading speech made in—

House of Representatives on 17 September 2015

Senate on 15 October 2015]