A major focus of the Australian Government’s "eHealth" agenda is the personally controlled electronic health record system (PCEHR system). On 1 July 2012 the PCEHR system became available for online registration for individuals. The PCEHR system allows an individual to access their own health information and nominate which of their healthcare providers obtain access to that information.
An overview of the PCEHR system
The Personally Controlled Electronic Health Records Act 2012 (Act) provides the legal framework for establishing a voluntary national system of internet-based personal medical records. The aim of the PCEHR system is to improve the co-ordination of individuals' health information by making it more readily available and ensuring the most up to date information is used to assess the individuals' treatment. In addition the PCEHR system aims to reduce the risk of adverse medical intervention or the duplication of treatment.
Individuals must opt-in to the PCEHR system by a registration process. Access control mechanisms will enable individuals to choose their settings to determine which healthcare providers can view their records and the level of access they are granted. Healthcare providers must also apply for registration under the PCEHR system by lodging an application with the system operator of the PCEHR system, (the Secretary of the Department of Health and Aging). Individuals who register with the PCEHR system will be able to view who has accessed their records. The access control mechanisms will be able to be overridden to allow healthcare providers to have access in the event of a serious threat to an individual's life, health or safety.
Opponents of the "opt-in" system, such as the Australian Medical Association, argued that patients should not be able to hide key information from their profile on the PCEHR system as this could undermine the effectiveness of the system and may affect doctors' willingness to use the system.
Privacy Concerns and the PCEHR system
A Privacy Impact Assessment was undertaken and a majority of the 112 recommendations made in the Privacy Impact Assessment were incorporated in the final legislation. The PCEHR system is intended to work in conjunction with the Privacy Act 1988 (Cth), using the same definitions for "health information" and "personal information". It is more restrictive in some instances, however, recognising that the PCEHR system will "create a new, relatively rich data source in relation to participating consumers and, as a result, deserves increased protections compared to existing laws". For example, while the Privacy Act allows disclosure "as required by law", specific requirements must be met to release, in response to a Court order, information held on the PCEHR system.
The Information Commissioner will have the power to investigate suspected breaches of privacy of the PCEHR system and may bring an action against individuals who collect, use or disclose health information from the PCEHR system when they are not authorised to do so. Individuals face a civil penalty of $13,200 for unauthorised viewing of an individual's eHealth record, and organisations may be liable for a civil penalty of $66,000 (the penalty will be calculated by reference to the number of records unlawfully accessed). The availability of civil penalties under the PCEHR does not preclude the possibility of criminal liability under existing criminal laws.