This resource is for healthcare organisations and individual healthcare providers in the public sector. (Note: for private sector healthcare providers there is an equivalent privacy resource — Compliance obligations of private healthcare providers)
The resource focuses on compliance obligations in relation to the handling of individual healthcare identifiers (IHIs) by healthcare providers. Healthcare providers who have enquiries regarding technical or administrative aspects of the Healthcare Identifiers Service (HI Service) should contact the HI Service Operator, Services Australia.
The HI Act requires the Office of the Australian Information Commissioner (OAIC) to oversee state and territory healthcare providers’ compliance with the HI Act and Regulations in relation to their handling of IHIs. The HI Act states that any breach of the HI Act or HI Regulations in connection with an IHI or identifying information will also be a breach of the Privacy Act 1988 (Cth).[1] The OAIC handles complaints about the handling of IHIs and identifying information by state and territory healthcare providers, and conducts assessments of privacy aspects of the HI Service.
Each state and territory is able to make laws so that a local regulator oversees the handling of healthcare identifiers by state or territory bodies, such as public hospitals. Until this occurs, the OAIC has jurisdiction over the handling of healthcare identifiers and identifying information by state and territory healthcare providers.
When handling IHIs, state and territory healthcare providers must comply with:
IHIs may only be collected from the HI Service by authorised persons, who need to access IHIs for their duties. Authorised persons may include:
If a healthcare provider organisation is authorised to collect IHIs for a particular purpose, an employee or an employee of a contracted service provider is also authorised to collect IHIs on their behalf, where their duties involve, or are reasonably connected to, implementing that purpose.[2]
Healthcare providers may only collect IHIs for the purpose of communicating or managing health information, as part of providing healthcare to a patient. It is an offence under the HI Act to collect an IHI from the HI Service for another purpose.[3]
Healthcare providers may collect IHIs for their existing patients through a bulk download from the HI Service. In this process a batch file with each patient’s identity details is provided to the HI Service and the HI Service will attempt to match the information with IHIs for those patients. The HI Service will only return IHIs when an exact match is found. If an exact match is not found, an error message will be returned to the healthcare provider.
Healthcare providers should only download their patients’ IHIs if this is necessary for communicating or managing health information as part of providing the patient with healthcare. Healthcare providers should carefully consider whether they need to collect IHIs for patients who have not used their services for a long time.
Healthcare providers must ensure that they transfer batch files securely, for example as an encrypted file. If unsure of the requirements, providers may wish to contact the HI Service Operator for further information.
The HI Act also authorises healthcare providers to disclose ‘identifying information’ of a healthcare recipient to the HI Service for the purpose of the HI Service assigning them a healthcare identifier, and for the purpose of the HI Service Operator disclosing the healthcare recipient’s healthcare identifier to the healthcare provider (s 16 HI Act).
‘Identifying information’ is defined in s 7 of the HI Act and includes the individual’s name, address, date of birth, sex, Medicare number, Department of Veterans’ Affairs file number (if applicable) and order of birth in the case of a multiple birth.
When collecting IHIs from the HI Service, healthcare providers should not provide any more information than is generally needed to uniquely identify each patient (name, sex and date of birth).
Where the details provided are insufficient to uniquely identify the patient, the HI Service will request further identity details such as the patient’s Medicare number or Veterans’ Affairs number.
State and territory healthcare providers may be required under their state privacy or information handling legislation to give notice when collecting a patient’s personal information, such as an IHI. Information about the collection of a patient’s IHI could be included as part of a collection notice and also in the healthcare provider’s privacy policy.
Healthcare providers may only use or disclose an IHI for a purpose permitted under the HI Act, that is, to communicate or manage health information as part of:
The use or disclosure of an IHI for any other purpose is an offence under the HI Act.[5]
If a staff member uses or discloses an IHI for any unauthorised purpose when carrying out their employment duties, they may have committed an offence. The healthcare provider organisation, however, may still be accountable for a breach of privacy.[6]
The HI Act allows the disclosure of an IHI as required or authorised by law. For example, a provider may be legally compelled to disclose an individual’s IHI if issued a subpoena by a court for the provision of information.
The HI Act expressly prohibits IHIs from being used or disclosed for the purpose of communicating or managing health information as part of:
To ensure that a record of every access to the HI Service is maintained, healthcare providers are required to do either one of the following:
If the provider keeps its own records, it only needs to inform the HI Service of the identity of the organisation, rather than the identity of the individual authorised user requesting the IHI, when accessing the HI Service.
The healthcare provider must retain the relevant records for as long as a staff member is authorised to access IHIs from the HI Service, and for seven years from the day after they cease to be authorised.[9]
If the HI Service makes a written request for the access record, the organisation must provide a copy to the HI Service within 14 days of receiving the request. It is an offence under the HI Act for a healthcare provider to intentionally not comply with such a request.[10]
All state and territory government healthcare providers should have procedures in place to ensure that their records of personal information are accurate. In many cases they will be specifically required to do so by state or territory privacy or information handling legislation.
Healthcare providers must have systems and processes in place to ensure that:
State and territory healthcare providers must take reasonable steps to protect the healthcare identifiers they hold from misuse, loss, and unauthorised access, modification or disclosure.[11]
Additionally, many state and territory healthcare providers will similarly be required to have data security procedures in place under state or territory privacy or information handling legislation. Providers should integrate information security safeguards for healthcare identifiers into their systems and processes.
In order to participate in the HI Service, healthcare providers are required to have IT systems that incorporate minimum standards and security features. Healthcare providers should ensure that their software conforms with these requirements. Further information is available from the HI Service Operator.
It is good privacy practice to implement audit trails within an organisation’s internal systems of individual staff member access to patients’ personal information, including IHIs (after they are initially downloaded from the HI Service), to prevent and detect improper use or disclosure. (This would be in addition to the requirement under the Regulations outlined above for healthcare providers to either keep a record, or notify the HI Service, of each individual user’s access to the HI Service).
IHIs do not alter the way in which anonymous and pseudonymous healthcare services are provided. When a patient is receiving healthcare services on a pseudonymous basis, patients can also choose to be issued with a pseudonymous IHI.[12] Patients should not be refused treatment because they do not wish their healthcare provider to access their IHI.[13]
[1] See s 29(1) of the HI Act which says that any breach of the HI Act or Regulations in connection with an IHI or an individual’s identifying information is a breach of the Privacy Act. Section 29 brings state and territory authorities into the jurisdiction of the OAIC for the handling of IHIs.
[2] See s 36A of the HI Act.
[3] See s 14 of the HI Act and r 10 of the HI Regulations. A penalty of up to 50 penalty units ($11,100) may apply.
[4] See s 26(5) of the HI Act.
[5] See s 26 of the HI Act. A person convicted of this offence may be imprisoned for two years or fined 120 penalty units ($26,640), or both. If a body corporate is convicted of this offence, a court may impose a fine of up to 600 penalty units ($133,200).
[6] See s 29 of the HI Act.
[7] See s 14(2) of the HI Act.
[8] See r 12 of the HI Regulations.
[9] See r 12(4) of the HI Regulations.
[10] See r 12(5) of the HI Regulations. A penalty of up to 50 penalty units ($11,100) may apply.
[11] See s 27 of the HI Act.
[13] See Explanatory Memorandum to the Healthcare Identifiers Bill 2010, p. 5.