Privacy Commissioner reveals investigative powers over PCEHR

The Office of the Australian Information Commissioner (OAIC) has released details of the powers it has been awarded under the PCEHR Act to investigate breaches of the new system.

The OAIC was appointed as the independent privacy regulator of the PCEHR under the new Act, which came into effect last week.

In a statement released by the OAIC, the organisation said that under the PCEHR legislation, the office will have a range of enforcement powers available to it following an investigation, including the power to seek civil penalties, to seek an injunction to prohibit or require particular conduct, to accept enforceable undertakings, and to use its existing Privacy Act investigative and enforcement mechanisms, including complaint conciliation and formal determinations.

The OAIC will issue enforcement guidelines which will outline the commissioner's approach to enforcement issues under the legislation, it said.

The Australian Privacy Commissioner, Timothy Pilgrim, welcomed the extension of his role to cover the new eHealth system, and reminded Australians to make informed decisions about their privacy.

“The eHealth system is an important initiative aimed at improving the delivery of health services in Australia,” he said in the statement. “I encourage individuals to read the terms and conditions of the system carefully.”

“You are in control, so make sure you understand how your personal and health information will be collected, used and disclosed. You can decide which healthcare providers can see your record and what information they can access. Have a conversation with your healthcare provider about what will be uploaded and accessed from your eHealth record.”

However, the chair of the Australian Privacy Foundation's health committee, Juanita Fernando, said that while the APF welcomed Mr Pilgrim's comments about informed consent and access control management, she “was not comfortable” with the context of his comments on the rights of Australians to make informed decisions about the PCEHR and the records stored within it.

“The national PCEHR system seems to overlook individual human rights fairly significantly,” she said. “Essentially, there is little information upon which one might base informed consent in the rules and regulations supporting the PCEHR, so I don't understand the commissioner's advice.

“These rules and regulations are complex and offer very little by way of solid information – lots of ‘mays’ and ‘mights’ and references to hypertext links where one might look through legislation for information.”

Dr Fernando said her reading of the PCEHR enrolment documents suggests every health worker, the Crown and their agencies can use and collect individual healthcare identifiers, individual demographics and patient diary information in any administrative way they see fit now.

“That doesn't sound like a PCEHR system that seeks to improve patient health and wellbeing to me. As I have stated previously, PCEHR system privacy and security is a bit like the Emperor's New Clothes – it isn't really there.

“There are no mechanisms to support health data reliability or availability and PCEHR system confidentiality has been operationalised to mean that every Australian health worker – and who are these undefined people? – the Crown and their agencies and even some others are entitled to collect, use and manage one's data.

“One might enrol in the PCEHR system but informed consent simply isn't available right now.”

She said it was “a sad time for proponents of a useful electronic health record system, such as the APF and others, and the potential contribution of such to the health and wellbeing of Australians”.

Mr Pilgrim encouraged healthcare providers to understand their obligations under the new laws, which impose obligations in addition to those already existing under the Privacy Act 1988.

"Healthcare providers' obligations include not collecting more information from a patient's eHealth record than is necessary, and making sure their staff are trained in how to handle eHealth records correctly," Mr Pilgrim said.

He also encouraged people to exercise their privacy rights. “If you think that information in your eHealth record has been mishandled you can make a complaint,” he said. “I now have the power to seek civil penalties and accept enforceable undertakings from health providers who don't protect this information.”

The OAIC has developed privacy tips for individuals and healthcare providers, available on the OAIC's website.

Copyright © 2017 Pulse+IT Magazine