Sunday, March 20, 2016

The DoH Asks That Some Information On Legislative Changes With The mHR Be Distributed. Happy To Oblige And Comment.

This arrived by e-mail a day or so ago and I assume I was being asked to distribute to my readers.

Update on legislative changes affecting the My Health Record system

The purpose of this email is to provide an update regarding recent legislative changes that impact on participants in the My Health Record system.  Please consider disseminating this information to your organisation’s members (if any). 
The Health Legislation Amendment (eHealth) Act 2015 which came into effect in late 2015 made legislative changes which affect the legal obligations of participants in the My Health Record system.  These changes commenced on 1 March 2016.
The key changes are as follows:
 Participation Agreements
Healthcare provider organisations and other entities no longer need to enter into participation agreements in order to register in the My Health Record system.  This makes the process of registering simpler.  The obligations in the participation agreement have been included in My Health Records Rules.  Organisations that registered before 1 March 2016 will continue to have a valid participation agreement in force after 1 March 2016.  The process for termination of those agreements is still being determined and the Department will be in contact with participants.
Changes to the My Health Record System Operator
The System Operator is the entity that administers the day-to-day running of the My Health Record system.  The System Operator is currently the Secretary of the Department of Health.  It is expected that from 1 July 2016 the System Operator will be the newly formed Australian Digital Health Agency.
Changes to Penalties
Changes have been made to the penalty arrangements as part of aligning the frameworks of the My Health Record system and Healthcare Identifiers Service.  These changes better protect the sensitive information that can be contained in a My Health Record and allow for us to respond more proportionally to the seriousness of a breach.
Unauthorised collection, use or disclosure of information in the My Health Record system, of healthcare identifiers or of other information collected in relation to the My Health Record system or Healthcare Identifiers Service is now subject to both civil and criminal penalties where an action is deliberate or reckless.  These penalties do not apply where a mistake has been made – for example, if a healthcare provider inadvertently or accidently accesses an individual’s My Health Record.
The penalty for not complying with the My Health Records Rules is $18,000 for individuals and $90,000 for bodies corporate.
Notification of Data Breaches
Participants need to notify the System Operator of potential and actual data breaches.  These obligations are contained in the My Health Records Act 2012.  The amended My Health Records Act 2012 now makes clear what constitutes a data breach and the entity that needs to report it. 
A data breach is an unauthorised collection, use or disclosure of health information in an individual’s health record or an event or circumstance that may compromise the security or integrity of the My Health Record system.  Where there is a potential data breach healthcare provider organisations must take steps to contain and evaluate the breach.  The healthcare provider organisation must also report the potential breach to the System Operator as soon as practicable.  Data breaches can be notified by calling the My Health Record help line on 1800 723 471.
Healthcare Provider Directory
Healthcare provider organisation information is automatically published on the Healthcare Provider Directory without the need for consent.  This approach reflects the treatment of such information by the Privacy Act 1988 where it is considered general business information, not personal or identifying information.  This will help improve communication between healthcare providers, and reduce administration by removing the need for provider organisations to have to consent to publication. 
New Intellectual Property Arrangements
Intellectual property licences are no longer required because of a new copyright exception.  The exception allows information that is downloaded from the My Health Record System for health and other permitted purposes to be used for those purposes without constituting an infringement of copyright.
Update on Healthcare Providers Uploading Information
Healthcare providers who do not have the appropriate professional authority should not author information that is uploaded to the My Health Record system.  There was previously no legislative restriction on this occurring.  The legislative changes provide that healthcare providers whose professional registration or membership in a professional association is cancelled, suspended, lapsed or conditional are prohibited from authoring anything that is uploaded to a My Health Record.  The only exception is for those who simply haven’t paid their renewal fees.
Uploading Third Party Information
Healthcare provider organisations are now expressly authorised to upload information to a My Health Record if it includes relevant information about a third party, removing any ambiguity about providers’ authority – for example, in relation to the person’s ongoing treatment of hypertension, the information may reference the fact that the person’s mother has a heart condition.  Certain state laws (specified in the My Health Records Regulation 2012) may still require the provider to get express or written consent form the third party before uploading certain sensitive information – for example, in relation to the person’s medical history, the information may reference the fact that the person’s mother was diagnosed with HIV during pregnancy (in this case, the NSW Public Health Act 2010 requires a provider to get express consent of the person who had HIV before disclosing it).
More detailed information about these changes is attached.  This information will also be published at www.myhealthrecord.gov.au.  More detailed fact sheets on these changes are currently being developed and will be available on the website over the coming weeks. 
If you have any queries regarding these changes please write to ehealth.legislation@health.gov.au.
Paul Madden
Deputy Secretary and Special Adviser
Strategic Health Systems and Information Management
Department of Health
-----
The attachment covers the timing of the various changes.

MY HEALTH RECORD: Timing for legislative changes

 Overview

Legislative changes are being made to the My Health Record system (previously known as the personally controlled electronic health record or PCEHR system) and the Healthcare Identifiers Service (HI Service).  These are taking effect at different times between November 2015 and July 2016.  Some of the changes will affect the obligations of participants in the My Health Record system – that is, the System Operator* and healthcare provider organisations, contracted service providers, repository operators and portal operators that are registered.
Please note this is not a summary of all changes – it is only a summary of changes that will affect individuals or participants.  More detailed fact sheets on the changes will be will be published on www.myhealthrecord.gov.au in coming weeks.
Forms, guides and other published information about the system are being updated to reflect these changes.
*The System Operator is the entity that administers the day-to-day running of the My Health Record system.  The System Operator is currently the Secretary of the Department of Health.  From 1 July 2016 the System Operator will be the newly formed Australian Digital Health Agency.
Changes in effect now
The following changes are minor and should not have any notable impact on individuals or participants in the My Health Record system.  They started on 27 November 2015.
·         The name of the personally controlled electronic health record system is now the My Health Record system.  The legislation (including the rules and regulations) is similarly renamed.
All material, including webpages and brochures, will be updated to reflect the new name and logo.
·         The Minister can implement an opt-out My Health Record system in trial areas.  These have been specified in My Health Records Rules which commenced on 9 February 2016.
The system currently operates on an opt-in basis for consumers.  In opt-out trials – in Northern Queensland and Nepean Blue Mountains – consumers will automatically have a My Health Record created for them unless they notify the System Operator that they do not want one.
·         The meaning of health service now expressly includes aged care, palliative care and disability services.
Previously there was ambiguity as to whether these services were considered healthcare services and therefore, for example, whether they were eligible to get an HPI-O and participate in the My Health Record system.  This change removes the ambiguity.
·         The meaning of health information has been clarified.
This now expressly includes reference to injury and illness, reflecting changes made to the meaning of “health service”.
·         A new permitted health situation is established under the Privacy Act to provide for the collection of third party health information as part of providing a health service to a person.
This means that an individual’s record can include information about a third party such as a family member where it is relevant to the individual’s healthcare – for example, in relation to the ongoing treatment of a patient’s hypertension, the information may reference the fact that the patient’s mother has a heart condition.  This applies to healthcare records in general, not just the My Health Record.
·         The System Operator can communicate electronically with individuals and participants.
Until now the System Operator has had to communicate decisions to individuals by letter.  The System Operator can now collect individuals’ email addresses and mobile phone numbers (optional) to communicate by email or SMS.
·         Records in the My Health Record system will be held for 30 years after the individual (about whom the record relates) dies or, if that is not known, 130 years from their date of birth.
The System Operator previously had to store records for 130 years from the time it was uploaded if the date of death was unknown.
·         Regulations can authorise other entities to collect, use, disclose and adopt healthcare identifiers.
This means it is possible for regulations to prescribe entities such as the National Disability Insurance Agency to use healthcare identifiers.  Previously this could only be achieved through amendments to the Act.
·         The term “network hierarchy” of a healthcare provider organisation is no longer used and is now just referred to as a “network”.
A network of healthcare provider organisations is a group of healthcare provider organisations linked together.  A network consists of a seed organisation (the head of the network) and one or more other healthcare provider organisations.
·         If the System Operator decides to cancel/suspend an individual’s My Health Record or other entity’s registration, the decision has effect from the date of notification or a specified date.
This removes a previous ambiguity about when such a decision would take effect.
Changes in effect from 18 December 2015
The following change will affect healthcare providers providing assisted registration and commenced on 18 December 2015.
·         Organisations providing assisted registration will no longer need to store individuals’ signed application forms, and may dispose of forms they already hold.
Healthcare provider organisations will still need to obtain a person’s consent before helping them to register for a My Health Record.  Previously, organisations had to store forms for three years, or send them to the System Operator to store for three years.
Changes in effect from 1 March 2016
The following changes affect the legal obligations of participants in the My Health Record system.  They started on 1 March 2016.    
·         Healthcare provider organisations and other participants no longer need to enter into a participation agreement with the System Operator as obligations in the agreement are now included in My Health Records Rules (where still relevant).
Healthcare provider organisations and other entities previously had to enter into a participation agreement in order to register.  This change makes the process of registering simpler because the entity no longer needs to select the type of participation agreement appropriate to their legal entity and enter into it as part of their registration application.  For organisations that are already registered, their participation agreement is still valid so the System Operator will contact them regarding the termination of their participation agreement.
·         The legislation requires all participants to notify the System Operator of potential and actual data breaches.
Healthcare provider organisations were previously subject to this requirement via the participation agreement.  This change centralises the notification requirement for all participants in the My Health Records Act.  These changes also make clearer what constitutes a data breach and when an entity needs to report it.
A data breach is an unauthorised collection, use or disclosure of health information in an individual’s health record or an event or circumstance that may compromise the security or integrity of the My Health Record system.  Where there is a potential data breach healthcare provider organisations must take steps to contain and evaluate the breach.  The healthcare provider organisation must also report the potential breach to the System Operator as soon as practicable.  Data breaches can be notified by calling the My Health Record help line on 1800 723 471.
·         The My Health Record system operates without the need to rely on intellectual property licences to avoid infringing copyright.
Organisations no longer need to license the System Operator (and be licensed) so that information uploaded to the My Health Record system can be used, copied, etc., in order to avoid infringing the author’s copyright.  This change establishes an exception so that use of this information does not constitute an infringement of copyright, including once it is downloaded from the My Health Record system for health and other permitted purpose’s.
·         Authorised and nominated representatives of individuals need to act in accordance of the will and preferences of the individual they represent.
Previously a representative was required to act in the best interests of the individual they represent.  This change reflects international changes in the treatment of individuals who require supported decision-making.
·         Healthcare providers whose professional registration (or membership in a professional association if they are not registered with AHPRA) is cancelled, suspended, lapsed or conditional are prohibited from authoring anything that is uploaded to a My Health Record unless they are suspended because their registration (or membership) fees are overdue by less than six months.
It is intended that healthcare providers who do not have the appropriate professional authority should not author information that is uploaded to the My Health Record system given the clinical risks.  The only exception is for those providers who simply haven’t paid their renewal fees.  There was previously no restriction on this occurring.
·         The System Operator is now able to remove (or instruct the removal of) documents from a My Health Record if they are uploaded by a healthcare provider without the necessary professional registration (or membership).
The System Operator can remove (or instruct a healthcare provider organisation to remove) documents with a defamatory statement or that may affect the security/integrity of the system.  This change addresses circumstances where a provider’s professional registration is suspended and their documents could pose a clinical risk.
·         Healthcare provider organisations are now expressly authorised to upload information to a My Health Record if it includes relevant information about a third party.
This change addresses concerns that providers have had about including third party information in an individual’s My Health Record.  It enables a healthcare provider to upload information which includes, for example, reference to the fact that a patient’s mother has a heart condition in relation to the ongoing treatment of the patient’s hypertension.   Certain state laws (specified in regulations) may still require the provider to get express or written consent from the third party before uploading certain sensitive information – for example, in relation to the patient’s medical history, the information may reference the fact that the patient’s mother was diagnosed with HIV during pregnancy (in this case the NSW Public Health Act 2010 required a provider to get express consent of a person with HIV before disclosing it).
·         The System Operator can temporarily suspend access to a My Health Record by an individual, representative or participant for security, technical or operational reasons.
This power was previously limited to suspension for reasons associated with the participant’s IT system, risk to the individual or the representative’s eligibility.  It has been expanded to support situations such as where the participant’s physical security arrangements pose a risk or the validity of an individual’s identity verification is under investigation.
·         The System Operator can collect, use and disclose information about an individual who has opted in for the purpose of including their health information in their My Health Record.
This change removes any doubt about the System Operator’s ability to take these actions.
·         If an entity is authorised (by law) to provide information to a healthcare provider, the information can be provided to an employee or person acting on behalf of that healthcare provider (or an employee/contractor acting for the contracted service provider). 
This reflects the practical operation of healthcare provider organisations that may have a variety of different structures governing their business and impacting on how information is received by the organisation.  All authorisations, obligations and penalties set out in the Healthcare Identifiers Act now apply to all relevant entities, notwithstanding different structures.
Changes relating to healthcare identifiers
·         Additional sanctions are available in relation to the HI Service.
Unlike the My Health Record system, the HI Service previously had no form of sanctions for a breach other than imposing a criminal penalty or doing nothing.  As part of aligning the frameworks of both systems, sanctions available in the My Health Record system (namely, that a person or entity may give an enforceable undertaking, or be the subject of an injunction, to take or refrain from taking certain actions to comply with the requirements) are now available in the HI Service.  This broader range of sanctions enables a more robust enforcement framework that is consistent with the My Health Record system and that allows the sanction to be better proportioned to the seriousness of the offence. 
·         Healthcare provider organisation information which is collected as part of assigning a healthcare identifier to an organisation is now automatically published on the Healthcare Provider Directory without the need for their consent.
The healthcare identifier of a healthcare provider organisation (an HPI-O) will is no longer treated as identifying information.  This approach reflects the treatment of such information by the Privacy Act 1988 where it is considered general business information, not personal or identifying information.
The HI Service Operator is authorised to publish contact and other details of the healthcare provider organisations registered with the HI Service.  This will help improve communication between healthcare providers, and will reduce administration by removing the need for provider organisations to have to consent to publication.
·         Any entity who knows a healthcare provider’s healthcare identifier may provide it to that healthcare provider.
This is to allow healthcare providers easy access to their healthcare identifiers which may have been previously unknown to the healthcare provider.  This is currently limited to certain entities.
·         A healthcare provider can adopt (for their organisation’s records) the healthcare identifiers of a person’s authorised and nominated representatives.
It may be necessary for healthcare providers to use the representatives’ healthcare identifiers in order to correctly associate the representative with the patient.
·         The obligation of healthcare provider organisations to update particular information about them held by the HI Service Operator is expanded to ensure that all information held by the HI Service Operator is maintained. 
The move to include all healthcare provider organisations in the Healthcare Provider Directory means that all information held by the Service Operator needs to be maintained.  A civil penalty of up to 100 units applies if a person knowingly or recklessly fails to comply with this provision (up to $18,000 for individuals and $90,000 for bodies corporate).  Responsible Officers and Organisation Maintenance Officers have additional obligations to update their organisation’s professional and contact information direct to the HI service.  The HI Service Operator will share that information with the My Health Record system to ensure that information is up to date.
·         The HI Service Operator can disclose identifying information about an individual to a healthcare provider in order to provide a healthcare identifier to the provider.
When a healthcare provider requests an individual’s healthcare identifier from the HI Service Operator, they provide identifying information about the individual.  The Service Operator is not always able to exactly match this information to an individual so it is cannot provide the healthcare identifier.  This change improves the success rate of matching a healthcare identifier to an individual and providing to the healthcare provider.
·         The System Operator can disclose an individual’s healthcare identifier to the individual or a responsible person (as defined by the Privacy Act).
The System Operator could already disclose this healthcare identifier to the HI Service Operator and healthcare providers.  This additional power makes it easier for individuals and responsible persons to get an individual’s healthcare identifier – for example, as part of their dealings with the System Operator rather than being referred to the Service Operator.
Changes to penalty provisions
·         The unauthorised collection, use or disclosure of information in the My Health Record system, of healthcare identifiers or of other information collected in relation to either the My Health Record system or HI Service is subject to civil and criminal penalties.
These changes better protect the sensitive information that can be contained in a My Health Record and allow for the System Operator to respond more proportionally to the seriousness of a breach.
Previously, misuse of healthcare identifiers was subject to criminal penalties while misuse of My Health Record information was subject to civil penalties.  This change aligns the enforcement options under the HI Act and the My Health Records Act and supports a graduated range of mechanisms to address contraventions allowing sanctions to be appropriately applied in a range of circumstances, proportional to the seriousness of the breach.  Penalties do not apply if a mistake has been made. 
Misuse may incur a penalty of up to two years’ imprisonment or a fine of up to 600 penalty units ($108,000 for individuals or $540,000 for bodies corporate).  Penalties will apply slightly differently to partnerships, incorporated associations and trusts.
·         If a participant (not including healthcare providers) takes My Health Record system information outside Australia, they are subject to civil and criminal penalties.
There is a prohibition on My Health Record system information being taken outside Australia which is consistent with broader Government policy regarding security of information collected by the Commonwealth.  This action was previously subject to a civil penalty.  The broadening of the penalties to include criminal penalties reflects the sensitivities of information in the My Health Record system and allows responses to match more proportionally to the seriousness of a breach.  A participant may incur a penalty of up to two years’ imprisonment or a fine of up to 600 penalty units ($108,000 for individuals or $540,000 for bodies corporate).  Penalties apply slightly differently to partnerships, incorporated associations and trusts. 
·         The penalty for failing to comply with the My Health Records Rules (previously known as the PCEHR Rules) will increase to 100 penalty units (up to $18,000 for individuals and $90,000 for bodies corporate).
The current penalty is 80 units ($14,400 for individuals and $72,000 for bodies corporate).  This increase better protects the sensitive information in the My Health Record system.
Changes in effect from 3 March 2016
The following changes affect the content of the My Health Record system, individuals in trial sites and may affect healthcare providers.  They started on 3 March 2016.
·         Individuals in the Nepean Blue Mountains and Northern Queensland may have a My Health Record created for them as part of the opt-out trials.
A record will be created if a person’s Medicare address is located in a postcode specified in the My Health Records (Opt‑out Trials) Rule on 3 March 2016.  Individuals will be notified in writing and given the opportunity to opt-out.
Changes in effect from 1 July 2016
The following changes will affect the governance of the My Health Record system.  They will start on a date yet to be specified (known as the governance restructure day) but is expected to be 1 July 2016 to allow time for the Australian Digital Health Agency (previously referred to in the explanatory memorandum to the My Health Records Bill as the Australian Commission for eHealth) to be established.
·         The Independent Advisory Council and Jurisdictional Advisory Committee will be abolished.
New committees will be established in the Australian Digital Health Agency to meet these functions.
·         The Australian Digital Health Agency will become the My Health Record System Operator.
The System Operator is the entity that administers the day to day running of the My Health Record system. The Secretary to the Department of Health is currently the System Operator.  A new regulation will need to be made to change the System Operator to the Australian Digital Health Agency.
·         The Minister will be required to consult the Australian Health Ministers’ Advisory Council and the System Operator before making My Health Records Rules (previously known as PCEHR Rules).
The Minister is currently required to consult the Independent Advisory Council and Jurisdictional Advisory Committee.
-----
You can find information on the Healthcare Provider Directory here:
I have to say some of the provisions seem a little problematic.
With respect to the Breach Notification one has to wonder just why, when the system operator is notified regarding a breach, those who might be affected are not also told!
I also wonder what the controls are on the information after it is downloaded -it might be good to make sure proper controls are in place wherever the record can be downloaded and stored.
Last I am not sure family history and family information are fully addressed in the summary we are given. A record of heritable illnesses of relatives in a patient record can be more than a bit of a problem in terms of privacy and security.
Anyway it is useful to have the official position on what is planned.
David.

10 comments:

Anonymous said...

David, Bernard it should be apparent to all that the MHR will be rolled out across every PHN regardless of whatever shortcomings it might have. The Government remain convinced they can deliver the goods regardless of whether they are needed or not.

That being so the question that you and your readers should be asking is: If the Government cannot or should not be developing the MHR WHO could or should be doing so?

Anonymous said...

The government's actions to blindly roll-out the MHR (in the absence of any credible evidence base or cost justification to support its development, deployment and continued operation) does not in any way raise the question of who should be doing (the MHR roll-out) if not the government - the roll-out should never have been contemplated - it is mindless stupidity and incompetence that has seen such a profligate waste of tax payers money and the rot should simply stop. Please do not dignify the ill-conceived and grossly incompetent actions of the government by suggesting that someone else should do it - the MHR is a rotting corpse that needs to be buried ASAP !!

Anonymous said...

"the roll-out should never have been contemplated - it is mindless stupidity and incompetence" ...... be that as it may 11:46 AM how then can the rot be stopped?

As thins stand another $485M+++ is being poured into to preserving and protecting your rotting corpse from being buried?

Anonymous said...

In response to 2-52pm,
"how then can the rot be stopped? " .... stop funding the nonsense ! This corpse was the making of the government ... it is a project that was ill-conceived, ill-planned, lacking any prudent justification and awash with money which has been thrown around irresponsibly (and feeding all the usual parasites).
The time has come for the government to properly acknowledge what an immense and costly failure this "project" has been ... and in so doing, cut the funding (and umbilical cord used to feed the parasites and other vermin with conflicted self-interests that have continued to support and advise the government to keep the project going)

Anonymous said...

It looks like they might not be legally entitled to use the name My Health Record if the trade marks database is any indication. It seems more than a little odd that their application to trade mark the name was approved by IP Australia on 5 May 2015 and then revoked two months later in July!

Anonymous said...

3:25 pm makes it sound so easy but hey, the advisory ADHA Board has a strong vested interest by being extremely well remunerated to keep it going. They have no interest in seeing the gravy train dry up.

john scott said...

I suggest that there are three questions that need to be addressed before any change can be made in regard to the PCEHR:

1. What trigger would cause the Federal Government to seriously question how long it has to come up with Plan B?

2. What is Plan B? Here we need to recognize that what drives a lot of the PCEHR enthusiasm from the Commonwealth's perspective is access to patient-level data for policy and regulation. Absent a meaningful answer to the need to better inform the design of our health care system, they will continue with Plan A. Plan B realistically has to provide a narrative and evidence for a new and different e-health strategy. It must be one that engages all medicos, not just GPs and it must equally apply to the private sector of health care.

3. How is the transition from Plan A to Plan B work? The UK Government had a major financial crisis on its hands and so had the right opportunity to ditch the old e-health strategy. The Australian transition has to provide cover for a retreat and that cover has to include some welcoming support for the change of heart. Perceptions matter in politics and no more so than when you have to admit that what government has been pursuing was ill-advised. Here is part of the solution, you need someone to blame. And, it won't be the relevant Ministers because they all acted 'in good faith' on the advice they received.

I suggest we move on from despair toward helping the government think strategically about the Stakes in Prospect with a change and the Stakes at Risk with continuation of Plan A. We equally need to solicit what Plan B might look like in order to articulate the 'stakes in prospect'.


Bernard Robertson-Dunn said...

"1. What trigger would cause the Federal Government to seriously question how long it has to come up with Plan B?"

An election.

"2. What is Plan B?"

Discontinue all attempts to make it opt-out. Then explain to everyone why they (the Federal government, who has no direct role in primary health care) have any right or need to hold anyone's health data. And also convince the population that it is not a back-door surveillance system.

If use of the system increases significantly, where the measure is the number of health summaries created and regularly maintained, not the number of registrations - that's meaningless - then keep the system, which will grow over time and be used by people who value it.

If its use does not increase, then dump it when Accenture's contract comes up for renewal and disband the DHA.

Anonymous said...

Re ... the Federal government, has no direct role in primary health care ... " - I disagree. The Federal Government funds and is responsible for primary health care. The States fund and are responsible for hospitals.

Bernard Robertson-Dunn said...

You misunderstand what I mean by "direct role in primary health care"

When you are sick you don't go to a federal government department or a doctor employed by a federal government department for treatment. Some veterans and defence personnel may but not your average citizen.

Funding is not the same as health service delivery.