Government rejigs electronic health records system with opt-out approach

By Ian McGill

In brief

The Federal Government's electronic health records system may have a new lease on life following the introduction of a new Bill that attempts to improve the system's effectiveness with key changes such as the transition to an 'opt-out' approach. Partner Ian McGill, Senior Associate Phil O'Sullivan and Associate Emily Cravigan report.

How does it affect you?

If the Health Legislation Amendment (eHealth) Bill 2015 is passed, these key changes will follow.
  • All Australians can be registered for an electronic health record, provided that trials of the 'opt-out' approach are successful.
  • New civil and criminal penalties and tighter mandatory data breach notification requirements will be introduced to better protect sensitive data.
  • Governance arrangements will change with the National eHealth Transition Authority to be dissolved and replaced by the Australian Commission for eHealth.
  • Participation agreements will be done away with, lessening the administrative burden on healthcare providers.
  • The system will be renamed the 'My Health Record'.


The Personally Controlled Electronic Health Record (PCEHR) was introduced in July 2012 as part of the Federal Government's plan to radically reform the national health sector by allowing individuals and healthcare providers to access and share health records electronically.

Although the PCEHR is often discussed in terms of its benefits to patients (particularly those with chronic illnesses), its intended purpose is much broader. Since its inception, the PCEHR has been propelled by the idea that it will vastly improve the efficiency of the healthcare system itself, reducing healthcare costs by minimising the occurrence of adverse medical events and the duplication of work.

In late 2013, the Federal Minister for Health commissioned a review of the PCEHR by a small panel of health and IT experts (the Review Panel) to consider implementation and uptake issues. Although the Review Panel reported 'overwhelming support' for continuing with an electronic health records system, it was noted that the full benefits of the system were not being realised due to poor uptake.1 Accordingly, the Review Panel made a number of recommendations designed to correct implementation issues and allow the Government to more quickly realise the expected benefits of the system.

The Government responded in the 2015-2016 Budget by pledging $485 million (over four years) to the PCEHR and announcing its intention to implement many of the Review Panel's recommendations. The Government's determination to make the system a success stems from the prediction that the Commonwealth's healthcare costs will skyrocket to a staggering $250 billion by 2050 – the Government's view is that 'leveraging eHealth is one of the few strategies available to drive microeconomic reform to reduce Commonwealth health outlays'.2

Key changes to electronic health records system (PCEHR)

Move to opt-out system

When the PCEHR was first introduced, some critics predicted that the opt-in model (where individuals voluntarily sign up to the system) would result in limited uptake, jeopardising the success of the system. Only 2.4 million Australians (approximately 10 per cent of the Australian population) have actually 'opted in'3, and the Government has concluded that this low uptake is to blame for the lack of adoption of, and investment in, the system by healthcare providers.4

As such, the Government is looking to implement the Review Panel's suggestion that the system be transitioned to an opt-out model, with all Australians being included in the system unless they take active steps to opt-out.

This will be achieved via a staged implementation over 2016 and 2017, with the Bill allowing the Government to undertake opt-out trials in selected areas. The Bill also enables the Government to implement an opt-out system nationally (without the need for further legislative approval) if the trial results support this. The Government's recently released trial site selection criteria indicate that trial sites will have populations of approximately 250,000-500,000 people and, among other criteria, existing eHealth capabilities and 'higher than average' PCEHR uptake.5

A move to an opt-out system can secure a 'critical mass' of information and users that may strengthen the system's utility, although we note that healthcare providers' participation in the system will remain optional.

Consumers to retain control over health records

There has always been a tension between giving consumers control over their records (to build confidence in the system) and the clinical need for complete, unedited electronic health records. The health sector has raised concerns about the clinical safety risks posed by incomplete and inaccurate data since the system was first introduced.6 The Government appears to have taken the view that the consumer-controlled approach remains vital to allay privacy concerns and to generate public confidence in the system. However, it remains to be seen whether the Bill will be passed unamended by both houses of the Australian Parliament (particularly in respect of its privacy aspects).

Better protections for data – new criminal penalties and more severe civil penalties

As the PCEHR allows highly sensitive personal information to be accessed by large numbers of individuals and organisations, it is not surprising that privacy concerns continue to dominate its development.

To better protect sensitive health information, the Bill will introduce new criminal penalties, including imprisonment, for the unlawful handling of information, to ensure that the most serious matters are dealt with independently by the Director of Public Prosecutions. The Bill will also introduce new civil penalties (of up to $108,000 for individuals and $540,000 for corporations).

Currently, for a penalty to be imposed, there must be an element of intention or recklessness, a requirement that has been strongly criticised by privacy advocates.7 The Bill should allay this concern by making clear that, where a person has handled data unlawfully but lacks the state of mind required to make out the penalty, the conduct will still constitute an interference with privacy, allowing the Information Commissioner to, for example, investigate the matter.

Although this new penalty regime is intended to 'provide a more graduated framework for responding to inappropriate behaviour that is proportional to the severity of a breach,'8 penalties can be a rather blunt tool in protecting privacy and ensuring data integrity. It may be that amendments are proposed to the Bill in relation to privacy, and that further legislative amendments are required over time to ensure development of (and ongoing compliance with) appropriate information security measures and standards for participants.

Better protections for data – tighter mandatory breach notification requirements

Currently, the PCEHR legislation only requires registered repository operators and registered portal operators to report data breaches to the System Operator9 and the Information Commissioner. Healthcare providers and contracted service providers are not subject to this legislative requirement, but are instead contractually obliged to report data breaches under their participation agreement with the System Operator. The Bill will tighten the mandatory breach notification requirements and standardise data breach reporting for all participants, including by replacing the contractual obligations placed on healthcare providers and contracted service providers with statutory obligations. The Office of the Australian Information Commissioner (OAIC) has recently released guidance on how entities should comply with their mandatory data breach notification obligations under the PCEHR legislation,10 which, if the Bill is passed, may need to be updated to include guidance for healthcare providers and contracted service providers.

Although not directly linked to the PCEHR, the OAIC has also recently released other guidance relevant to the health sector – drafts of 11 new business resources and two new consumer fact sheets. They aim to help healthcare providers understand their privacy obligations when collecting, using and disclosing health information.

New governance arrangements

The Bill will address concerns about the existing governance structure by dissolving the National eHealth Transition Authority (NEHTA) and replacing it with the Australian Commission for eHealth (ACeH) (to be established as a statutory authority), in line with the Review Panel's recommendation. The Review Panel took the view that although the composition of the NEHTA board (mainly representatives from public organisations) was appropriate during the initial phase of the PCEHR, NEHTA should be replaced with a governing body that is more representative of the broader healthcare industry (including public and private healthcare providers, the medical software industry and individuals).

Reduced regulatory burden on healthcare providers – removal of participation agreements

The Bill aims to reduce the regulatory burden on healthcare providers, not just by moving to an opt-out system, but by simplifying the registration process. Healthcare providers will no longer be required to enter into participation agreements with the System Operator. As the participation agreements currently deal with copyright issues (by providing for copyright in health records to be licensed from healthcare providers to the System Operator, and sub-licensed from the System Operator to other healthcare providers), the Bill will amend the Copyright Act 1968 (Cth) to ensure that the sharing and use of health records as contemplated by the legislation does not constitute an infringement of copyright.

Next steps

The Bill passed the House of Representatives with bipartisan support on 16 October 2015 and will now be sent to the Senate. It is possible that some aspects of the Bill (with respect to privacy) will be referred to an inquiry for further scrutiny.

Although moving to an opt-out system is likely to be a significant step forward in terms of strengthening the system's utility, it will not be a magic fix. There is still much work to be done, particularly in relation to ensuring the security of data, encouraging healthcare provider participation and incentivising innovation to improve the system. We expect that the private sector will have a key role to play in this regard.


  1. Review of the Personally Controlled Electronic Health Record (December 2013).
  2. The Parliament of the Commonwealth of Australia, House of Representatives, Health Legislation Amendment (eHealth) Bill 2015, Explanatory Memorandum (2015) 5.
  3. PCEHR statistics, Australian Government Department of Health (2015).
  4. The Parliament of the Commonwealth of Australia, House of Representatives, Health Legislation Amendment (eHealth) Bill 2015, Explanatory Memorandum (2015) 6.
  5. Trial sites selection process. Australian Government Department of Health (2015).
  6. David Ramli, 'Medibank points to data privacy woes', The Australian Financial Review, 19 October 2011, 58.
  7. Karen Dearne, 'Privacy group slams e-health liability law', The Australian, 1 November 2011, 41.
  8. The Parliament of the Commonwealth of Australia, House of Representatives, Health Legislation Amendment (eHealth) Bill 2015, Explanatory Memorandum (2015) 83.
  9. Presently the Secretary of the Federal Department of Health, but the System Operator will be the Australian Commission for eHealth if the Bill is passed unamended.
  10. Office of the Australian Information Commissioner (2015), Guide to mandatory data breach notification in the PCEHR system, 5.