There is a growing trend towards the use of electronic records and databases for the collection, storage and transfer of health information, and the integration of health information systems to create shared electronic health records. While this allows health service providers to better access health information, it also has important implications for privacy.
The ALRC's Final Report considered this trend and the Australian Government's proposal to establish national shared electronic health records (SEHR) based on a unique healthcare identifiers system (UHI). The ALRC found that in general, collecting health information into electronic health information systems did not require specific legislative control, provided the Privacy Act was updated to deal with new technologies. However, the ALRC recommended that any SEHR or UHI scheme should be established under specific enabling legislation to address privacy risks, including:
- nominating an agency or organisation to be responsible and accountable for managing the systems
- eligibility criteria, rights and requirements for participation in the UHI and SEHR schemes by health consumers and health service providers, including consent requirements
- permitted and prohibited uses and transfers of personal information and UHIs, and sanctions in relation to misuse.
The Privacy Commissioner made similar recommendations in its submission to the National E-Health Transition Authority (NEHTA) on the Privacy Blueprint for the Individual Electronic Health Record, which was released before the ALRC report was finalised. The Blueprint outlines a proposed approach to an Individual Electronic Healthcare Records (IEHR) system. This would initially be implemented through 'mass contracting', where the IEHR organisation would enter into participation agreements with individual consumers and healthcare providers. It envisages supporting legislation in the future to assist in the regulation of the systems, including privacy issues.
The Privacy Commissioner expressed concern with the mass contracting approach, as it does not guarantee individuals a right to enforce participation agreements and seek remedies for inappropriate handling of health information. The Privacy Commissioner recommended introducing specific legislation to regulate the IEHR system, not only to ensure that robust privacy safeguards are in place, but also as an important element in establishing and maintaining public confidence that an individual's privacy will be protected and enforced. Other key recommendations include:
- the ability for individuals to opt-in to the system
- implementing 'sensitivity labels' in the system to restrict access to certain information within the IEHR
- audit logs to enable individuals to see who has accessed their records.
The responses to the Blueprint will provide input into NEHTA's business case for funding of a national approach to IEHR, which is expected to be submitted for consideration by the Council of Australian Governments in late 2008.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
