Commissioner eyes tough e-health privacy laws

Privacy Commissioner Timothy Pilgrim has proposed laws around e-health records in Australia that would tighten use and disclosure of data and penalise any privacy breaches.

Pilgrim also proposed laws that would keep e-health record storage in Australia to combat data security concerns.

The Privacy Commissioner made 32 recommendations in total on the operation of the Government's planned $467 million personally-controlled electronic health record (PCEHR) system, which was to be implemented by the National E-Health Transition Authority (NEHTA).

While some recommendations were of a technical or housekeeping nature, others required legislation to clarify responsibility for the management of the PCEHR and the health information held in it.

The proposed laws would regulate the permitted information flows of health records, restrict the secondary use and disclosure of records to avoid function creep, install transparent governance mechanisms and outline specific sanctions and remedies for breaches.

Also sought were a set of minimum terms/rights and responsibilities for participation in the PCEHR by individuals and healthcare providers, and a mandate for uniform complaint-handling mechanisms.

Lack of details and precise powers available to health users had upset key privacy organisations such as the Australian Privacy Foundation whose chair, Roger Clarke, lambasted the Health Minister Nicola Roxon over how the eHealth system would fulfil its privacy promise.

The "opt-in" nature of the PCEHR was expected to allay some privacy concerns.

Data location

The Privacy Commissioner said he shared AGIMO’s concerns about the ability of cloud solution providers to deliver adequate privacy protections.

“The security of data stored by conformant repositories could be further enhanced by the inclusion in the legislative framework of a requirement for data to be stored within Australia," Pilgrim noted.

"The storage of data in other jurisdictions may reduce the security of data, for example, where local laws authorise access to information.”

Wider consultation

The Office of the Australian Information Commissioner (OAIC) - the umbrella organisation under which Pilgrim sits - also chided NEHTA for restricting consumer consultation on e-health records to an ‘invitation only’ basis.

It noted that the consumer groups consulted were already committed to the e-health system and may have given NEHTA a misleading view about privacy concerns.

“While the OAIC recognises the significant potential benefit of the PCEHR to individuals who regularly interact with the health system, the office notes that the views of these groups may not necessarily reflect those of the broader community," it said.

"Individuals who interact less frequently with the health system may have a different perspective on the appropriate balance between privacy and potential health benefits.”

The OAIC said that early engagement with “a wide range of the community has the potential to proactively address the concerns of a large number of stakeholders” to enhance the long term uptake of the system.

The most optimistic estimate of the take-up by users was "up to 500,000" individual records by the time it launched on 1 July 2012.