
Client Update: Personally Controlled Electronic Health Records Bill passed

25 June 2012

In brief: After a rocky journey, federal legislation providing a platform for the creation of an online register of electronic health records has been passed. Senior Associate Michael Morris and Lawyer Andy Gian report.


The Personally Controlled Electronic Health Records Bill has, with Coalition support and a number of amendments, passed through the Senate. It establishes the framework for an online electronic health records system, and a register of consumers, healthcare providers and parties involved in the technological implementation and maintenance of the Personally Controlled Electronic Health Record (PCEHR) system. This Bill will be supplemented by a set of PCEHR Rules, which are yet to be finalised.

The system aims to provide a unified set of health records for each consumer, which will be accessible to healthcare providers. Those advocating the system argue that it will allow healthcare providers to make better-informed medical decisions regarding medical tests, medication prescriptions, allergies and medical treatments.

The Bill creates an opt-in system, whereby an individual will have to register as a consumer before creating a 'shared health summary' in conjunction with their nominated healthcare provider. The Bill's provisions reflect the intention that consumers will be able to control the circumstances in which the information in their health records is accessed. However, the finer details surrounding control, and other operational aspects of how the system will work on a day-to-day basis, are, as part of the Rules, still under consideration.

Privacy issues

From its inception, various stakeholders have expressed concerns regarding the adequacy of privacy safeguards in the PCEHR system. These relate mainly to information security and integrity, and access control mechanisms.

The Bill addresses privacy issues by deeming an act that breaches its provisions in connection with a health record to be an 'interference with privacy' under the Privacy Act 1998 (Cth). By giving the Information Commissioner power to investigate such acts, the Bill has been drafted to operate alongside the Privacy Act rather than as a separate privacy regime.

Due to the sensitivity of health information and the impossibility of restoring confidentiality once the information is in the public arena, the majority of stakeholders have stressed the importance of ensuring that a consumer's health records remain under the consumer's control. Information security experts have voiced concerns that the information may be vulnerable to hacking, with obvious implications for potential fraud and identity theft. Technical specifications applying to technical service providers and healthcare providers are currently being developed, and will be published as a schedule to the Rules.

The access control mechanisms and their default settings are, as part of the Rules' finalisation, currently under consideration. The proposed default mechanisms at present allow all registered healthcare providers involved in the treatment of a consumer to access that consumer's health record unless the consumer informs them that they are not to do so. Under these proposed Rules, access by healthcare provider organisations will be based on a system of access flags, which will be set by healthcare providers in accordance with the Rules and monitored by the system operator, whose role is to maintain and administer the PCEHR system.

Accordingly, if a consumer wishes to ensure that health information is not disclosed to particular providers, they will need to positively identify any healthcare providers who may not access their shared health summary. In that respect, the proposed system is an 'opt-out' one.

The proposed Rules also contain a process by which consumers are notified by email or SMS when an organisation accesses their health record, or when a new shared health summary has been uploaded to their health record.

What's next?

Although the Rules have not yet been finalised, they will affect consumers, healthcare provider organisations and technology service providers. The Rules will set the requirements that healthcare provider organisations and technology service providers must meet in order to be registered, and to maintain their registration, under the PCEHR system. It is important that these organisations, in particular, monitor the Rules as they are finalised and take steps to prepare appropriate compliance mechanisms.

The Bill provides that the PCEHR system will be reviewed after two years, to examine issues such as its 'opt-in' nature, the identity of the system operator and governance issues.
