An amendment has been made to section 36 to enable CSPs that supply information technology and/or health information management services to healthcare providers under contract (e.g. secure messaging services) to access, use and disclose Healthcare Identifiers on behalf of PCEHR system entities.
While the amendment resolved some issues relating to CSPs, now that the Service is starting to interact with other programs, additional concerns are emerging that pose a risk to use of the HI Service.
In planning for implementation it has become evident that IHIs and information relating to that individual will be seen by CSPs who provide services for secure messaging (for example in the event of integration errors, the CSP may have to access messages to resolve the issue). Most GPs and many jurisdictions will use a CSP. For Secure Messaging Delivery purposes CSPs will need to access the Endpoint Location Service (ELS) of the destination organisation from the HPD and include their own ELS in the HPD as the sender's address because they manage the distribution of the return message. The message itself includes both the CSP registration number and that of the HPI-O it is acting for.
Under the HI Act, the CSP can have the same authorisations as the HPI-O that contracted it and so can access the ELS in the HPD. However, only an OMO can change or insert an ELS entry in the HPD. For the CSP to update ELS entries they would need to have a named employee as an OMO on behalf of the HPI-O. This would give the CSP very strong rights and control over the way their organisation interacts with the HI Service.
The 'contracted service provider' definition is similar, but not the same, in the Healthcare Identifiers and PCEHR Acts (specifies 'relating to the PCEHR System'). In the HI Act the CSP definition cross-references the defined term healthcare provider, while in the PCEHR Act the defined term that the CSP definition cross-references is healthcare provider organisation. Both Acts define healthcare provider and healthcare provider organisation the same way. CSPs as defined in the PCEHR Act do not interact with the PCEHR system at all unless they are registered CSPs, which is also a defined, and different, term.
The 'employee' definitions are the same in both Acts. The PCEHR Act requires registration of CSPs (Division 3), and includes conditions that the CSP must meet. It also has the ability to impose conditions on the registration (section 49) which is a significant difference to the Healthcare Identifiers requirements.
Recommendation 14 – Amendments to the Healthcare Identifiers Act
It is recommended that AHMAC consider the following amendments to the HI Act:
- Including additional provisions in Division 1 of Part 3 of the HI Act which enable the making of regulations in respect to the prescribing of additional organisations to which Healthcare Identifiers can be disclosed for prescribed purposes to enable the HI Service Operator to disclose HPI-Is to Medicare Locals
- To enable the disclosure of IHIs to the OAIC for the purposes of complaints investigation and resolution
- To enable AHPRA to disclose HPI-Is to providers to promote adoption and use (e.g. through inclusion on annual registration renewals)
- To expressly authorise the HI Service Operator to disclose an HPI-I to a healthcare provider organisation and expressly authorise the organisation to collect and use the HPI-Is
- Part 4 of the HI Act be amended to include a provision that ensures that for the purpose of applying Parts IV and V of the Privacy Act in connection with a Healthcare Identifier, or an act or practice relating to a Healthcare Identifier, the National Registration Authority is to be treated as if it were an agency (within the meaning of the Privacy Act)
- To clarify the definitions in the HI Act to reflect that only HPI-I and IHI are considered personal information for privacy purposes
- To amend the heading of s15(1)(a) to clarify the scope of application of this section
- Consider revising the term “healthcare provider” in section 24 to resolve uncertainty regarding the use and disclosure of Healthcare Identifiers for aged care and disability programs
- To clarify the purpose for which IHIs can be disclosed under subparagraph 24(1)(a)(ii) and if necessary, introduce a specific authority to address the disclosure of IHIs by public healthcare provider organisations to government agencies and other relevant research organisations for the purposes of monitoring, evaluating and funding healthcare
- Standardisation of the definitions and conditions relating to CSPs across the HI and PCEHR Acts.