Wednesday, October 3, 2012

The Office Of The Australian Information Commissioner Provides Submissions Received On PCEHR Enforcement Guidelines.

The following appeared a few days ago - with a few late submissions.

eHealth record system – OAIC Enforcement Guidelines – August 2012

Submissions to this consultation closed on 18 September 2012.


The Personally Controlled Electronic Health Records Act 2012 (PCEHR Act) establishes the personally controlled electronic health (eHealth) record system and provides for its regulatory framework.
The PCEHR Act provides that the Information Commissioner (the Commissioner) is the independent privacy regulator for the eHealth record system and gives the Commissioner the power to investigate alleged contraventions of the Act and pursue enforcement mechanisms that are appropriate in the circumstances of the case.
The PCEHR Act also requires the Commissioner, by legislative instrument, to make guidelines relating to the exercise of his enforcement powers under the PCEHR Act or a power under another Act that is related to such powers. The Privacy Act 1988 (Privacy Act) is a related Act. The Commissioner is required to have regard to these guidelines when exercising his enforcement powers.
The draft of the Personally Controlled Electronic Health Records System – Enforcement Guidelines for the Information Commissioner 2012 (draft Enforcement Guidelines) set out the Commissioner’s general approach to the exercise of enforcement and investigatory powers under both the PCEHR Act and the Privacy Act. The guidelines also set out some of the factors the Commissioner may have regard to in determining the appropriate enforcement response.
To assist the public consider the draft Enforcement Guidelines and prepare comments, the OAIC published a consultation paper (PDF) in August 2012. The draft Enforcement Guidelines are available in PDF, RTF and Word versions.

Submissions received

The following submissions on the draft Enforcement Guidelines are presented as received by the OAIC with redactions to remove personal information not relevant to the submission. If you have difficulty accessing a submission please contact us for an alternative version.
  1. Australian Dental Association Inc. (.pdf)
  2. Australian Federation of AIDS Organisations Inc. (.docx)
  3. Information and Privacy Commission (New South Wales) (.doc)
  4. Consumers Health Forum of Australia (.docx)
  5. Health Services Commissioner (Victoria) (.doc)
  6. Office of the Information Commissioner (Queensland) (.doc)
  7. The Royal Australian & New Zealand College of Psychiatrists (.pdf)
  8. Australian Medical Association (.rtf)
  9. NEHTA - National E-Health Transition Authority (.pdf)
  10. Australian Medical Students' Association (.pdf)
  11. Australian Information Industry Association (.pdf)
  12. Medical Software Industry Association (.docx)
  13. Australian Privacy Foundation (.pdf)
  14. Avant Law Pty Ltd (.txt)
Here is the direct link:
I think it would be fair to say that most who responded were reasonably happy with what the OAIC was suggesting. Interestingly, a substantial number of respondents felt the need for a clear, consumer- and practitioner-friendly explanation of just what all this actually means and what its implications are.
Before discussing what others thought - the only area I am concerned about that does not appear to be covered is the mandatory reporting of all breaches, so the public know just how well things are working. How this is done - and with what protections for small accidental breachers - does not really concern me. I just believe there should be full public transparency, and it seems to me this is not achieved with what is proposed.
On the submissions it is clear the Australian Privacy Foundation is not at all happy!
This paragraph makes their views clear - bottom of page 1 in bold!
“The APF does not agree with the Commissioner’s proposed approach to eHealth record system enforcement. The OAIC’s draft Enforcement Guidelines set out the Commissioner’s proposed approach in a clear but unhelpful manner. It informs the community that the OAIC’s approach to PCEHR system security is founded on complex, opaque, and potentially discretionary information security and privacy rules and risk assessments. The Office has consistently failed to embark on responses to address problems at a systematic level. Rather the OAIC (formerly the Office of the Privacy Commissioner) has restricted considerations to the individual case, and that effectively in secret. The role outlined for them in the eHealth record system OAIC Enforcement Guidelines instrument would not be effective against systemic risk mitigation design flaws. The community cannot rely upon or trust measures outlined in the instrument for PCEHR system participants.”
On a different tack, it is clear the Medical Software Industry Association is concerned about the interaction of the OAIC Commissioner and the System Operator (the Secretary of the Department of Health), who they feel has been made rather too ‘impregnable’ in terms of responsibility and accountability for things going wrong.
This paragraph makes their concern pretty clear (Page 6)!
“This may not instil confidence in the final exercise of power, as it could appear to be self-regulatory where the party being reported on provides the report. It could be said to result in “…supervision of the sheep by the wolves, for the benefit of the wolves …”. The OAIC stated in its submission in respect of the PCEHR Concept of Operations, that it is appropriate for the System Operator to hear complaints but not be final arbiter. Management and rule setting functions should be separate from accountability and oversight functions.”
I am not sure at all this issue has been addressed by anyone to date.
Both NSW and Queensland are a little concerned about the practicalities of the interaction between State and Federal laws.
From NEHTA we had an interesting paragraph (Page 2):
“Sections 4.4 and 4.5 of the Enforcement Guidelines refer to ‘health practitioner(s)’. NEHTA submits that the term ‘health professional(s)’ should be used rather than ‘health practitioner(s)’. This is because access to a consumer’s PCEHR will be available to a broader group of healthcare staff than qualified health practitioners. Other health professionals who may be afforded access to a consumer’s PCEHR will include authorised users such as administrative staff. Further, the term ‘health professional(s)’ is used in existing PCEHR system collateral and NEHTA submits that wherever possible, the language and terminology used in relation to the PCEHR system should be consistent across all materials.”
Some would surely say this is rather too broad, and I would tend to agree.
NEHTA also seems to want a tougher approach to poor behaviour (Page 4):
“General approach to complaints
NEHTA acknowledges that the Information Commissioner’s preferred approach to complaints is to use investigative powers and processes outlined in Part V of the Privacy Act and, wherever possible, the Information Commissioner will aim to facilitate conciliation between the complainant and the respondent as a primary dispute resolution model.
However, we note that the PCEHR Act gives the Information Commissioner new enforcement powers that it does not currently have under the Privacy Act. This includes the power to apply to a Court for an order that a person who is alleged to have contravened a civil penalty provision pay the Commonwealth a pecuniary penalty.
NEHTA submits that in some circumstances it will be wholly appropriate to use the enhanced enforcement powers without attempting conciliation, such as when responding to severe non-compliance. These enhanced enforcement powers reflect the will of the Parliament, as informed by extensive community consultation. The PCEHR System introduces a new way of collecting, using and disclosing a consumer’s health information that must be protected by multiple layers of security including technical and physical measures as well as legislative penalties. NEHTA submits that by using these enforcement powers in a measured way, the Information Commissioner will be acting in line with community and Government expectations.”
I have to say it is hard to argue with this view, and it may be that it fits rather well with my opening comments on the need to be fully informed about what is going on.
The next step is to see if there is any official response to these suggestions! I am not holding my breath.