This appeared an hour or two ago.
Roxon folds and releases draft health identifier rules
- Karen Dearne
- From: Australian IT
- March 12, 2010
FEDERAL Health Minister Nicola Roxon has buckled and released proposed draft regulations for the Healthcare Identifiers service, after privacy and security experts told a Senate inquiry the HI Bill could not rationally be considered without the accompanying rules that underpin the legislation.
A consultation paper prepared by the Australian Health Ministers’ Advisory Council was also released late Friday afternoon.
But it may be a case of too little, too late, with the regulations providing little new detail, and failing to address problems with the bill including the compulsory nature of the scheme, under which every Australian will be issued a 16-digit unique healthcare identifier from July 1 for improved medical information-sharing across the health sector.
Liberty Victoria's spokesman Tim Warner described the release as another "stunning performance by those guiding the e-health initiatives".
"To release documents that give at least a skeletal outline of what is actually going to happen - 24 hours after the last testimony was given to the inquiry (into the governing bill) and one week after the close of public comment - is a bravura performance in the theatre of transparency," Mr Warner said.
"Yes, they have released the regulations before the Senate committee reports its findings (on Monday) and the Senate votes. But after all of the lodged submissions and testimony had to be made blind."
Law Professor Graham Greenleaf, co-director of the Cyberspace Law and Policy Centre, University of NSW, this week told the inquiry the bill "shares a surprisingly large number of elements with both the Australia Card scheme of a couple of decades ago, and the (previous government's) Access Card proposals of 2006-07".
"There has been inadequate consultation and inadequate time for all concerned to really deal with the real details," he said. "Even now, none of us are in a position to know what this is about, because we do not have the rest of the legislative scheme (the regulations)."
Professor Greenleaf said the healthcare identifiers database, to be initially operated by Medicare, would become "the key national information system for just about the most sensitive thing that there is in the community - medical information".
"There is always the potential (for the system to be hacked)," he said. "Given how many databases these health identifiers will be the key to, with many other systems based around this number as the primary access key, there may well be very attractive illegal uses from access to that set of numbers.
"So yes, it becomes a very attractive location for unauthorised access. That increases the dangers that are involved."
What to say? I have had a look and the regulations are pretty brief.
This material (from the last page of the Consultation Paper, which is available here) amazes me (italics mine):
----- Begin Extract
f. Information requested after disclosure of healthcare identifiers
In certain situations, the Service Operator may need to request information from a healthcare provider; for example, to assist in the investigation of a complaint or enquiry from an individual about access to the individual’s records held by the Service Operator.
Section 22 of the Bill allows regulations to require a healthcare provider to make available to the Service Operator certain information about the disclosure of a healthcare identifier to that provider.
Regulation 11 provides that, on request from the Service Operator, a healthcare provider must provide sufficient information to identify the person who accessed the Service, in relation to the disclosure of a healthcare identifier to that provider.
It is recognised that healthcare providers currently work with a wide range of IT and identity management systems that may not at present be able to record details of every individual who requests healthcare identifiers from the HI Service on the organisation’s behalf. However, to ensure sufficient certainty for consumers that access to information held about them by the Service Operator will be able to be subject to enquiry and investigation in the event of a suspected unauthorised access, it will be necessary for healthcare providers to make changes to systems and practices that will record all requests to the HI Service at the individual employee level.
In practice, many healthcare providers may be transitioning to an improved state of identity management and security over the next couple of years as uptake of e-health and electronic records systems becomes more widespread. During this period it is important that expectations around standards on rules for interaction with the Service Operator are clearly established from the outset. A penalty has been provided for in Regulation 11 to make clear that these standards will be enforceable.
Consideration is being given to allowing a period of transition for the enforcement of this penalty provision. During this period, the specified penalties would not be actively enforced, except in exceptional circumstances. The focus of this transition period (with a suggested period of 2 years) would be educative, helping providers to incorporate improved identity management standards in their systems. After this period penalties would be enforced.
If such a transition period were in place, this would not remove the requirement from a healthcare provider to make available to the Service Operator on request as much detail as they have on their records about a particular request for a healthcare identifier to assist in any enquiry or investigation. In addition, the transition period is only being proposed in relation to the requirements in Regulation 11. All other penalties provided for in the Bill and the regulations would be enforced from the commencement of the legislation.
Stakeholder feedback is sought on whether a transition period for enforcement of penalties in relation to Regulation 11 is an appropriate way to achieve a balance between ensuring appropriate security and identity management practices are in place to support a healthcare provider’s interaction with the HI Service, while at the same time allowing sufficient time for providers to transition IT systems and day to day procedures to reflect these standards.
----- End Extract.
Is this not just a license to not bother about identifying who is using the HI system, making the planned audit trails a joke? Or have I missed something?