Laws establishing the new eHealth system include a new role for the Office of the Australian Information Commissioner (OAIC) as the system's independent privacy regulator.

The Australian Privacy Commissioner, Timothy Pilgrim, welcomed the extension of his role to cover the new eHealth system, and reminded Australians to make informed decisions about their privacy.

"The eHealth system is an important initiative aimed at improving the delivery of health services in Australia. I encourage individuals to read the terms and conditions of the system carefully."

"You are in control, so make sure you understand how your personal and health information will be collected, used and disclosed. You can decide which healthcare providers can see your record and what information they can access. Have a conversation with your healthcare provider about what will be uploaded and accessed from your eHealth record," Mr Pilgrim said.

The Privacy Commissioner also reminded healthcare providers participating in the eHealth record system that they need to take steps to understand their obligations under the eHealth laws. These laws impose new obligations in addition to the existing obligations under the Privacy Act 1988.

"Healthcare providers' obligations include not collecting more information from a patient's eHealth record than is necessary, and making sure their staff are trained in how to handle eHealth records correctly," Mr Pilgrim warned.

The Commissioner also encouraged people to exercise their privacy rights.

"If you think that information in your eHealth record has been mishandled you can make a complaint. I now have the power to seek civil penalties and accept enforceable undertakings from health providers who don't protect this information," Mr Pilgrim said.

The Personally Controlled Electronic Health Records Act 2012 (PCEHR Act) provides strict controls on the collection, use and disclosure of health information included in an individual's eHealth record. A collection, use or disclosure which is not authorised by the legislation is both a contravention of the PCEHR Act and an interference with the privacy of the individual under the Privacy Act 1988. The legislation also imposes mandatory data breach notification obligations on the System Operator, repository operators and portal operators.

The OAIC regulates the handling of personal information under the eHealth record system by individuals, Australian Government agencies, private sector organisations and some state and territory agencies, instrumentalities and authorities (in particular circumstances).

The OAIC's regulatory role includes investigating complaints about the mishandling of health information in an eHealth record, as well as conducting 'own motion investigations'. Along with the System Operator, the OAIC will also accept data breach notifications and assist affected entities to deal with data breaches in accordance with the legislative requirements.

The OAIC will have a range of enforcement powers available to it following an investigation, including:

  • the power to seek civil penalties
  • the power to seek an injunction to prohibit or require particular conduct
  • the power to accept enforceable undertakings
  • existing Privacy Act investigative and enforcement mechanisms, including complaint conciliation and formal determinations.

The OAIC will issue Enforcement Guidelines which will outline the Commissioner's approach to enforcement issues under the legislation.

For further information, see the fact sheets and agency resources available on the OAIC website at: http://www.privacy.gov.au/law/other/the-ehealth-record-system.