Health Legislation Amendment (Information Sharing) Act 2023 (Vic)

Health Legislation Amendment (Information Sharing) Act 2023

No. 4 of 2023

Table of provisions

Section

Part 1—Preliminary

1 Purposes

2 Commencement

3 Principal Act

Part 2—Amendment of Health Services Act 1988

4 New Part 6C inserted

Part 3—Consequential amendment of Health Records Act 2001

5 Consequential amendment of Health Records Act 2001

Part 4—Repeal of this Act

6 Repeal of this Act

═════════════

Endnotes

1 General information

Health Legislation Amendment (Information Sharing) Act 2023

No. 4 of 2023

[Assented to 28 March 2023]

The Parliament of Victoria enacts:

PART 1—PRELIMINARY

1 Purposes

The main purposes of this Act are—

(a) to amend the Health Services Act 1988

(i) to establish a centralised electronic system to enable public hospitals and other specified health services to share specified patient health information for the purpose of providing medical treatment to patients; and

(ii) to provide for public hospitals and other specified health services to collect and disclose specified patient health information to the Secretary for the purpose of establishing and maintaining the Electronic Patient Health Information Sharing System; and

(b) to consequentially amend the Health Records Act 2001.

2 Commencement

(1) Subject to subsection (2), this Act comes into operation on a day or days to be proclaimed.

(2) If a provision of this Act does not come into operation before 7 February 2024, it comes into operation on that day.

3 Principal Act

In this Act, the Health Services Act 1988 is called the Principal Act.


PART 2—AMENDMENT OF HEALTH SERVICES ACT 1988

4 New Part 6C inserted

After Part 6B of the Principal Act insert

'PART 6C—ELECTRONIC PATIENT HEALTH INFORMATION SHARING SYSTEM

Division 1—Definitions

134ZE Definitions

In this Part—

Electronic Patient Health Information Sharing System means the system established under section 134ZF;

health information has the same meaning as in the Health Records Act 2001;

participating health service means—

(a) an ambulance service within the meaning of the Ambulance Services Act 1986; or

(b) a denominational hospital listed in Schedule 2; or

(c) a metropolitan hospital listed in Schedule 3; or

(d) a multi purpose service; or

(e) a public health service listed in Schedule 5; or

(f) a public hospital listed in Schedule 1; or

(g) a registered community health centre; or

(h) the Victorian Institute of Forensic Mental Health established by section 610 of the Mental Health and Wellbeing Act 2022; or

(i) a residential care service within the meaning of the Aged Care Act 1997 of the Commonwealth that provides State funded residential aged care services, including State funded residential aged care homes but not including supported residential services within the meaning of the Supported Residential Services (Private Proprietors) Act 2010; or

(j) the Victorian Collaborative Centre for Mental Health and Wellbeing established by section 640 of the Mental Health and Wellbeing Act 2022; or

(k) a prescribed entity or a prescribed class of entity that provides health services;

Privacy Management Framework means the Privacy Management Framework established under section 134ZT;

specified patient health information means health information specified in a notice published in the Government Gazette under section 134ZH that is about a person who is or has been a patient in, or has received health services from, a participating health service, but does not include a unique identification number assigned by the participating health service to that person.

Division 2—Electronic Patient Health Information Sharing System

134ZF Electronic Patient Health Information Sharing System

(1) The Secretary must establish and maintain the Electronic Patient Health Information Sharing System for the purposes of—

(a) collecting specified patient health information required to be given to the Secretary under this Part; and

(b) disclosing that information to participating health services for the purpose of providing medical treatment to a person.

(2) The Secretary is to keep the Electronic Patient Health Information Sharing System in a form to be determined by the Secretary.

134ZG Content of Electronic Patient Health Information Sharing System

The Electronic Patient Health Information Sharing System must contain any specified patient health information required to be given to the Secretary by a participating health service under this Part.

134ZH Notice of health information required to be given to the Secretary

(1) The Secretary, by notice published in the Government Gazette, may specify health information to be given to the Secretary by a participating health service for the purposes of the Electronic Patient Health Information Sharing System.

(2) The Secretary may also specify in the notice published under subsection (1) a relevant date in relation to health information specified in the notice, being not earlier than 3 years before the commencement of this Part.

(3) A participating health service must give to the Secretary—

(a) the health information specified in a notice published under subsection (1) that it holds about a person who is or has been a patient in, or has received health services from, the participating health service, if it was collected by the participating health service on or after the relevant date specified for that information; and

(b) the unique identification number assigned by the participating health service to a person referred to in paragraph (a).

(4) The participating health service must give the health information and unique identification numbers referred to in subsection (3) to the Secretary—

(a) within 5 days after the publication of the notice; or

(b) by any later date specified in the notice.

134ZI Health information collected after publication of notice

(1) A participating health service must give to the Secretary—

(a) the health information specified in any notice published under section 134ZH(1) that it collects after the publication of that notice about a person who is or has been a patient in, or has received health services from, the participating health service; and

(b) the unique identification number assigned by the participating health service to a person referred to in paragraph (a).

(2) The participating health service must give the health information and unique identification numbers referred to in subsection (1) to the Secretary within 5 days after the information is collected.

134ZJ Direction to comply with notice

(1) If a participating health service has not complied with section 134ZH(4) or 134ZI(2), the Secretary may give a written direction to a participating health service that requires the participating health service to give to the Secretary the health information or any unique identification number required to be given under section 134ZH(4) or 134ZI(2).

(2) The direction may specify the manner and form in which the health information or unique identification number referred to in subsection (1) is to be given to the Secretary.

(3) Subject to section 134ZK, a participating health service must comply with a direction given under this section within 3 months after the direction is given.

134ZK Extension of time to comply with notice

(1) A participating health service to which a direction under section 134ZJ has been given may request that the Secretary extend the time for the health service to comply with the direction.

(2) The Secretary, by written notice given to the participating health service, may grant an extension to a participating health service for a specified period of not more than 6 months after the direction is given.

(3) If the Secretary grants an extension to a participating health service, the health service must comply with the direction within the time specified in the notice.

134ZL No consent required

(1) A participating health service may collect, use or disclose specified patient health information as permitted or authorised by this Part without the consent of the person to whom the information relates.

(2) The Secretary may collect, use or disclose specified patient health information as permitted or authorised by this Part without the consent of the person to whom the information relates.

Division 3—Access to the Electronic Patient Health Information Sharing System

134ZM Access to, use and disclosure of information held in Electronic Patient Health Information Sharing System for provision of medical treatment

A person employed or engaged by a participating health service and who is authorised by that health service may access the Electronic Patient Health Information Sharing System and use and disclose specified patient health information for the purpose of providing medical treatment to a person.

134ZN Access to and use of information for purposes of establishing and maintaining Electronic Patient Health Information Sharing System

(1) A person employed or engaged by a participating health service and who is authorised by that health service may access the Electronic Patient Health Information Sharing System and use specified patient health information for the purposes of—

(a) giving the information to the Secretary as required by sections 134ZH, 134ZI, 134ZJ and 134ZK; and

(b) information security and data management.

(2) In this section and section 134ZO—

information security and data management means—

(a) examination and analysis of information contained in the Electronic Patient Health Information Sharing System to the extent reasonably required for the purpose of verifying the accuracy of that information; and

(b) examination and analysis of information to the extent reasonably necessary to ensure the Electronic Patient Health Information Sharing System operates securely and effectively.

134ZO Secretary authorised to access Electronic Patient Health Information Sharing System and use and disclose specified patient health information

(1) The Secretary, or a person employed or engaged and authorised in writing by the Secretary, may access the Electronic Patient Health Information Sharing System and use and disclose specified patient health information for the following purposes—

(a) establishing, maintaining and operating the Electronic Patient Health Information Sharing System;

(b) undertaking information security and data management in relation to the Electronic Patient Health Information Sharing System;

(c) otherwise ensuring that the Electronic Patient Health Information Sharing System operates securely and effectively.

(2) The Secretary, or a person employed or engaged and authorised in writing by the Secretary, may use unique identification numbers given to the Secretary under this Part for the following purposes—

(a) establishing, maintaining and operating the Electronic Patient Health Information Sharing System;

(b) undertaking information security and data management in relation to the Electronic Patient Health Information Sharing System;

(c) otherwise ensuring that the Electronic Patient Health Information Sharing System operates securely and effectively.

Division 4—Offences

134ZP Offence of unauthorised access to Electronic Patient Health Information Sharing System

(1) A person must not knowingly access the Electronic Patient Health Information Sharing System unless the person is authorised under this Part to access the Electronic Patient Health Information Sharing System.

Penalty: 240 penalty units or 2 years imprisonment.

(2) Subsection (1) does not apply if—

(a) the person is authorised or required by or under this Act or any other Act to access the Electronic Patient Health Information Sharing System; or

(b) the person is required to access the Electronic Patient Health Information Sharing System by law.

(3) For the purposes of subsection (2)(a), "any other Act" does not include the Health Privacy Principles in the Health Records Act 2001 or Part 3 or Part 5 of that Act.

134ZQ Offence of access to Electronic Patient Health Information Sharing System for unauthorised purpose

(1) A person who is authorised under this Part to access the Electronic Patient Health Information Sharing System must not access the Electronic Patient Health Information Sharing System other than in accordance with this Part.

Penalty: 240 penalty units or 2 years imprisonment.

(2) Subsection (1) does not apply if—

(a) the person accesses the Electronic Patient Health Information Sharing System as authorised or required by or under any other Act; or

(b) the person is required to access the Electronic Patient Health Information Sharing System by law.

(3) For the purposes of subsection (2)(a), "any other Act" does not include the Health Privacy Principles in the Health Records Act 2001 or Part 3 or Part 5 of that Act.

134ZR Offence of unauthorised use or disclosure of specified patient health information

(1) A person who is authorised under this Part to access the Electronic Patient Health Information Sharing System must not use or disclose specified patient health information obtained by that person from the Electronic Patient Health Information Sharing System other than in accordance with this Part.

Penalty: 240 penalty units or 2 years imprisonment.

(2) Subsection (1) does not apply if—

(a) the use or disclosure of the specified patient health information is expressly authorised or required by or under any other Act; or

(b) the use or disclosure of the specified patient health information is authorised by law.

(3) For the purposes of subsection (2)(a), "any other Act" does not include the Health Privacy Principles in the Health Records Act 2001 or Part 3 or Part 5 of that Act.

(4) This section applies whether or not the use or disclosure would otherwise be permitted under section 141.

Division 5—Disapplication of the Freedom of Information Act 1982

134ZS Freedom of Information Act 1982 does not apply

(1) The Freedom of Information Act 1982 does not apply to—

(a) a document given to the Secretary for the purposes of complying with a notice under section 134ZH or 134ZI or a direction under section 134ZJ; or

(b) the Electronic Patient Health Information Sharing System.

(2) In this section—

document has the same meaning as in the Freedom of Information Act 1982.

Division 6—Privacy Management Framework

134ZT Minister must establish Privacy Management Framework

(1) The Minister, by order published in the Government Gazette, must establish a Privacy Management Framework for the Electronic Patient Health Information Sharing System as soon as practicable after the day on which this Part comes into operation.

(2) In establishing the Privacy Management Framework, the Minister must consult with the following persons and bodies in relation to whether certain health information or classes of health information should require additional levels of protection under the Privacy Management Framework—

(a) relevant groups and organisations that represent the interests of patients, carers or health care workers;

(b) any relevant public sector body within the meaning of the Public Administration Act 2004;

(c) participating health services.

(3) The Privacy Management Framework must—

(a) specify categories of health information that are sensitive in nature and include a process to safeguard that information; and

(b) include a process to safeguard the identity of patients who may be at risk of harm, including patients who identify as being at risk of family violence; and

(c) include a process to facilitate patients accessing reports that specify who has accessed their health information through the Electronic Patient Health Information Sharing System; and

(d) include a process for regular audits and compliance checks of the Electronic Patient Health Information Sharing System.

(4) The Privacy Management Framework takes effect on—

(a) the day on which it is published in the Government Gazette; or

(b) a later day as specified in the order.

Note

Section 41A of the Interpretation of Legislation Act 1984 provides that the power to make an instrument includes the power to repeal, revoke, rescind, amend, alter or vary the instrument in the exercise of that power.

134ZU Compliance with Privacy Management Framework

Any person who is authorised or permitted under this Part to access the Electronic Patient Health Information Sharing System must comply with the Privacy Management Framework to the extent reasonably practicable.

Division 7—Independent review of this Part

134ZV Independent review by expert panel

(1) The Minister must cause an independent review of the operation of this Part, including the Privacy Management Framework, to be conducted by an expert panel after the second anniversary of the day on which this Part comes into operation.

(2) The independent review must examine and make recommendations in relation to the following—

(a) whether health information is sufficiently protected;

(b) which health services should be participating health services for the purposes of this Part;

(c) the misuse of specified patient health information;

(d) the costs of compliance and the administrative burden imposed on participating health services by this Part;

(e) whether the Electronic Patient Health Information Sharing System is operating as intended.

(3) The independent review may examine and make recommendations in relation to the following—

(a) current issues and trends relating to health information systems;

(b) data management;

(c) information technology security;

(d) patient privacy;

(e) any other relevant matter.

(4) The independent review must be completed no later than the third anniversary of the day on which this Part comes into operation.

(5) The Minister must cause a copy of a report of the independent review to be laid before each House of Parliament no later than 3 sitting days after the day on which the final report of the independent review is given to the Minister.

(6) The Minister must consider any recommendations made by the independent review, including any recommendations to amend this Act, and within 18 months of receiving the final report—

(a) implement the recommendations made by the independent review; or

(b) advise Parliament why the recommendations have not been implemented.

134ZW Appointment of expert panel

(1) For the purposes of section 134ZV, the Minister must appoint 3 persons to form the expert panel.

(2) The Minister must ensure that each person appointed to the expert panel has experience in one or more of the following—

(a) human rights and privacy matters;

(b) legal and regulatory compliance;

(c) health information systems;

(d) clinical care;

(e) health care quality and patient safety;

(f) consumer or patient advocacy.

(3) The Minister must not appoint a person to the expert panel if the person is—

(a) a current employee or executive officer of a registered political party within the meaning of the Electoral Act 2002; or

(b) a current or former member of Parliament.'.

PART 3—CONSEQUENTIAL AMENDMENT OF HEALTH RECORDS ACT 2001

5 Consequential amendment of Health Records Act 2001

After section 14E of the Health Records Act 2001 insert

"14F Health information collected or held by the Electronic Patient Health Information Sharing System

(1) Nothing in HPP 1.3 or 1.5 applies to the collection of health information by the Secretary for the purposes of the Electronic Patient Health Information Sharing System established by Part 6C of the Health Services Act 1988.

(2) Nothing in Part 5 or HPP 6 applies to health information held by the Secretary in the Electronic Patient Health Information Sharing System established by Part 6C of the Health Services Act 1988.".


PART 4—REPEAL OF THIS ACT

6 Repeal of this Act

This Act is repealed on 7 February 2025.

Note

The repeal of this Act does not affect the continuing operation of the amendments made by it (see section 15(1) of the Interpretation of Legislation Act 1984).

═════════════

ENDNOTES

1 General information

See for Victorian Bills, Acts and current authorised versions of legislation and up-to-date legislative information.


Minister's second reading speech—

Legislative Assembly: 8 February 2023

Legislative Council: 23 February 2023

The long title for the Bill for this Act was "A Bill for an Act to amend the Health Services Act 1988 to establish a centralised electronic system to enable public hospitals and other specified health services to share specified patient health information, to make consequential amendments to the Health Records Act 2001 and for other purposes."
