Personally Controlled Electronic Health Records Act 2012
No. 63, 2012
An Act to provide for a system of access to electronic health records, and for related purposes
Contents
1 Short title
2 Commencement
3 Object of Act
4 Simplified outline of Act
5 Definitions
6 Definition of authorised representative of a consumer
7 Definition of nominated representative of a consumer
8 Things done etc. under provisions of other Acts
9 Definition of identifying information
10 Definition of shared health summary
11 Act to bind the Crown
12 Concurrent operation of State laws
13 External Territories
13A System Operator may arrange for use of computer programs to make decisions
Part 2—The System Operator, advisory bodies and other matters
Division 1—System Operator
14 Identity of the System Operator
15 Functions of the System Operator
16 System Operator to have regard to advisory bodies’ advice etc.
17 Retention of records uploaded to National Repositories Service
Division 2—Jurisdictional advisory committee
18 Establishment, functions and status of the jurisdictional advisory committee
19 Membership of the jurisdictional advisory committee
20 Termination of appointment of members of the jurisdictional advisory committee
21 Substitute members of the jurisdictional advisory committee
22 Application of the Remuneration Tribunal Act
23 Regulations may provide for matters relating to committee
Division 3—Independent advisory council
Subdivision A—Establishment, functions and status
24 Establishment and functions of the independent advisory council
25 Independent advisory committee has privileges and immunities of the Crown
Subdivision B—Membership
26 Membership of the independent advisory council
27 Appointment of members
28 Acting appointments
Subdivision C—Members’ terms and conditions
29 Remuneration
30 Leave
31 Disclosure of interests to the Minister
32 Disclosure of interests to the independent advisory council
33 Resignation
34 Termination of appointment
35 Other terms and conditions
Subdivision D—Procedures of the independent advisory council
36 Who presides at meetings
37 Regulations may provide for other procedural matters
Division 4—Functions of Chief Executive Medicare
38 Registered repository operator
Part 3—Registration
Division 1—Registering consumers
39 Consumers may apply for registration
40 When a consumer is eligible for registration
41 Registration of a consumer by the System Operator
Division 2—Registering healthcare provider organisations
42 Healthcare provider organisation may apply for registration
43 When a healthcare provider organisation is eligible for registration
44 Registration of a healthcare provider organisation
45 Condition of registration—uploading of records, etc.
46 Condition of registration—non‑discrimination in providing healthcare to a consumer who does not have a PCEHR etc.
Division 3—Registering repository operators, portal operators and contracted service providers
47 Persons may apply for registration as a repository operator, a portal operator or a contracted service provider
48 When a person is eligible for registration as a repository operator, a portal operator or a contracted service provider
49 Registration of a repository operator, a portal operator or a contracted service provider
50 Condition about provision of information to System Operator
Division 4—Cancellation, suspension and variation of registration
51 Cancellation or suspension of registration
52 Variation of registration
53 Notice of cancellation, suspension or variation of registration etc.
54 Effect of suspension
55 PCEHR Rules may specify requirements after registration is cancelled or suspended
Division 5—The Register
56 The Register
57 Entries to be made in Register
Division 6—Information use and disclosure for identity verification
58 Identifying information may be used and disclosed
Part 4—Collection, use and disclosure of health information included in a registered consumer’s PCEHR
Division 1—Unauthorised collection, use and disclosure of health information included in a consumer’s PCEHR
59 Unauthorised collection, use and disclosure of health information included in a consumer’s PCEHR
60 Secondary disclosure
Division 2—Authorised collection, use and disclosure
Subdivision A—Collection, use and disclosure in accordance with access controls
61 Collection, use and disclosure for providing healthcare
62 Collection, use and disclosure to nominated representative
Subdivision B—Collection, use and disclosure other than in accordance with access controls
63 Collection, use and disclosure for management of PCEHR system
64 Collection, use and disclosure in the case of a serious threat
65 Collection, use and disclosure authorised by law
66 Collection, use and disclosure with consumer’s consent
67 Collection, use and disclosure by a consumer
68 Collection, use and disclosure for indemnity cover
69 Disclosure to courts and tribunals
70 Disclosure for law enforcement purposes, etc.
Division 3—Prohibitions and authorisations limited to PCEHR system
71 Prohibitions and authorisation limited to health information collected by using the PCEHR system
Division 4—Interaction with the Privacy Act 1988
72 Interaction with the Privacy Act 1988
73 Contravention of this Act is an interference with privacy
73A Information Commissioner may disclose details of investigations to System Operator
73B Obligations of System Operator in relation to correction, etc.
Part 5—Other civil penalty provisions
74 Registered healthcare provider organisations must ensure certain information is given to System Operator
75 Certain participants in the PCEHR system must notify data breaches etc.
76 Requirement to notify if cease to be eligible to be registered
77 Requirement not to hold or take records outside Australia
78 Participant in the PCEHR system must not contravene PCEHR Rules
Part 6—Civil penalty supporting provisions
Division 1—Civil penalty orders
79 Civil penalty orders
80 Civil enforcement of penalty
81 Conduct contravening more than one civil penalty provision
82 Multiple contraventions
83 Proceedings may be heard together
84 Civil evidence and procedure rules for civil penalty orders
85 Contravening a civil penalty provision is not an offence
Division 2—Relationship to other proceedings
86 Civil proceedings after criminal proceedings
87 Criminal proceedings during civil proceedings
88 Criminal proceedings after civil proceedings
89 Evidence given in civil proceedings not admissible in criminal proceedings
Division 3—Other matters
90 Ancillary contravention of civil penalty provisions
91 Mistake of fact
92 State of mind
93 Civil penalty provisions contravened by employees, agents or officers
Part 7—Voluntary enforceable undertakings and injunctions
94 Acceptance of undertakings
95 Enforcement of undertakings
96 Injunctions
Part 8—Other matters
Division 1—Review of decisions
97 Review of decisions
Division 2—Delegations
98 Delegations by the System Operator
Division 3—Authorisations of entities also cover employees
99 Authorisations extend to employees etc.
Division 4—Treatment of certain entities
100 Treatment of partnerships
101 Treatment of unincorporated associations
102 Treatment of trusts with multiple trustees
103 Exception in certain circumstances
104 Division does not apply to Division 3 of Part 3
Division 5—Alternative constitutional bases
105 Alternative constitutional bases
Division 6—Annual reports and review of Act
106 Annual reports by Information Commissioner
107 Annual reports by System Operator
108 Review of operation of Act
Division 7—PCEHR Rules, regulations and other instruments
109 Minister may make PCEHR Rules
110 Minister may determine a law of a State or Territory to be a designated privacy law
111 Guidelines relating to the Information Commissioner’s enforcement powers etc.
112 Regulations
Personally Controlled Electronic Health Records Act 2012
No. 63, 2012
An Act to provide for a system of access to electronic health records, and for related purposes
[Assented to 26 June 2012]
The Parliament of Australia enacts:
This Act may be cited as the Personally Controlled Electronic Health Records Act 2012.
(1) Each provision of this Act specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms.
Commencement information | ||
Column 1 | Column 2 | Column 3 |
Provision(s) | Commencement | Date/Details |
1. Sections 1 and 2 and anything in this Act not elsewhere covered by this table | The day this Act receives the Royal Assent. | 26 June 2012 |
2. Sections 3 to 112 | A day or days to be fixed by Proclamation. However, if any of the provision(s) do not commence by the later of: (a) 1 July 2012; and (b) the day this Act receives the Royal Assent; they commence on the day after the later of those days. | 29 June 2012 (see F2012L01395) |
Note: This table relates only to the provisions of this Act as originally enacted. It will not be amended to deal with any later amendments of this Act.
(2) Any information in column 3 of the table is not part of this Act. Information may be inserted in this column, or information in it may be edited, in any published version of this Act.
The object of this Act is to enable the establishment and operation of a voluntary national system for the provision of access to health information relating to consumers of healthcare, to:
(a) help overcome the fragmentation of health information; and
(b) improve the availability and quality of health information; and
(c) reduce the occurrence of adverse medical events and the duplication of treatment; and
(d) improve the coordination and quality of healthcare provided to consumers by different healthcare providers.
(1) This section provides a simplified outline of this Act.
(2) This Part contains definitions and other preliminary provisions. It defines key concepts, including:
(a) the PCEHR system, which is an electronic system for collecting, using and disclosing certain information and involves the System Operator; and
(b) the PCEHR of a consumer, which is constituted by a record created and maintained by the System Operator and information that can be obtained by means of that record; and
(c) the entities that are participants in the PCEHR system.
(3) Part 2 is about the System Operator, the System Operator’s functions, committees to advise the System Operator and the functions of the Chief Executive Medicare.
(4) Part 3 is about the registration by the System Operator of consumers, healthcare provider organisations, repository operators, portal operators and contracted service providers. Registration enables them to participate in the PCEHR system. It does so:
(a) by authorising them to collect, use and disclose health information in specified circumstances; and
(b) by imposing certain obligations on them to maintain the integrity of the PCEHR system.
(5) Division 1 of Part 4 provides for civil penalties for:
(a) unauthorised collection, by means of the PCEHR system, of information included in a registered consumer’s PCEHR; and
(b) unauthorised use or disclosure of such information.
(6) Division 2 of Part 4 contains authorisations of various collections, uses and disclosures. The authorisations also have effect for the purposes of the Privacy Act 1988.
(7) Contraventions of this Act relating to health information included in a consumer’s PCEHR can also be investigated under the Privacy Act 1988.
(8) Part 5 contains additional civil penalty provisions to maintain the integrity of the PCEHR system.
(9) Parts 6 and 7 support the civil penalty provisions and provide for enforceable undertakings and injunctions.
(10) Part 8 provides for general matters, including:
(a) review of decisions; and
(b) annual reports to be provided by the System Operator and the Information Commissioner; and
(c) legislative instruments, including the PCEHR Rules.
In this Act:
approved form means a form approved by the System Operator, in writing, for the purposes of the provision in which the expression occurs.
Australia, when used in a geographical sense, includes the external Territories.
authorised representative of a consumer has the meaning given by section 6.
Chief Executive Medicare has the same meaning as in the Human Services (Medicare) Act 1973.
civil penalty order has the meaning given by subsection 79(4).
civil penalty provision: a subsection of this Act (or a section of this Act that is not divided into subsections) is a civil penalty provision if the words “civil penalty” and one or more amounts in penalty units are set out at the foot of the subsection (or section).
consumer means an individual who has received, receives or may receive healthcare.
Note: This is the same as the definition of healthcare recipient in the Healthcare Identifiers Act 2010.
consumer‑only notes, in relation to a consumer, means health information included by the consumer in his or her PCEHR and described in the PCEHR system as consumer‑only notes (whether using that expression or an equivalent expression).
contracted service provider of a healthcare provider organisation means an entity that provides:
(a) information technology services relating to the PCEHR system; or
(b) health information management services relating to the PCEHR system;
to the healthcare provider organisation under a contract with the healthcare provider organisation.
Court means:
(a) the Federal Court of Australia; or
(b) the Federal Magistrates Court; or
(c) a court of a State or Territory that has jurisdiction in relation to matters arising under this Act.
date of birth accuracy indicator means a data element that is used to indicate how accurate a recorded date of birth is.
date of death accuracy indicator means a data element that is used to indicate how accurate a recorded date of death is.
Defence Department means the Department that:
(a) deals with matters arising under section 1 of the Defence Act 1903; and
(b) is administered by the Minister who administers that section.
designated privacy law means a law determined under section 110 to be a designated privacy law.
employee of an entity includes the following:
(a) an individual who provides services for the entity under a contract for services;
(b) an individual whose services are made available to the entity (including services made available free of charge).
enforcement body has the same meaning as in the Privacy Act 1988.
entity means:
(a) a person; or
(b) a partnership; or
(c) any other unincorporated association or body; or
(d) a trust; or
(e) a part of an entity (under a previous application of this definition).
genetic relative of an individual (the first individual) means another individual who is related to the first individual by blood, including a sibling, a parent or a descendant of the first individual.
healthcare means:
(a) an activity performed in relation to an individual that is intended or claimed (expressly or otherwise) by the individual or the person performing it:
(i) to assess, record, maintain or improve the individual’s health; or
(ii) to diagnose the individual’s illness or disability; or
(iii) to treat the individual’s illness or disability or suspected illness or disability; or
(b) the dispensing on prescription of a drug or medicinal preparation by a pharmacist.
Note: This is the same as the definition of health service in the Privacy Act 1988.
healthcare provider means:
(a) an individual healthcare provider; or
(b) a healthcare provider organisation.
healthcare provider organisation means an entity that has conducted, conducts, or will conduct, an enterprise that provides healthcare (including healthcare provided free of charge).
Note: Because of paragraph (e) of the definition of entity, a healthcare provider organisation could be a part of an entity.
Health Department of a State or Territory means a Department of state that:
(a) deals with matters relating to health; and
(b) is administered by the State/Territory Health Minister of the State or Territory.
health information means:
(a) information or an opinion about:
(i) the health or a disability (at any time) of an individual; or
(ii) an individual’s expressed wishes about the future provision of healthcare to him or her; or
(iii) healthcare provided, or to be provided, to an individual;
that is also personal information; or
(b) other personal information collected to provide, or in providing, healthcare; or
(c) other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances; or
(d) genetic information about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual.
Note: This is substantially the same as the definition of health information in the Privacy Act 1988.
Human Services Department means the Department administered by the Minister administering the Human Services (Medicare) Act 1973.
identifying information has the meaning given by section 9.
independent advisory council means the council established by section 24.
index service means the index service maintained by the System Operator for the purposes of the PCEHR system, as mentioned in paragraph 15(a).
individual healthcare provider means an individual who:
(a) has provided, provides, or is to provide, healthcare; or
(b) is registered by a registration authority as a member of a particular health profession.
jurisdictional advisory committee means the committee established by section 18.
Ministerial Council has the meaning given by:
(a) the National Partnership Agreement on E‑Health made on 7 December 2009 between the Commonwealth, the States, the Australian Capital Territory and the Northern Territory; or
(b) if that Agreement is amended—that Agreement as amended; or
(c) if that Agreement is not in force—the COAG council (however described) responsible for health matters.
Note: In 2011, the text of the Agreement was accessible through the Council of Australian Governments website (www.coag.gov.au).
National Law means:
(a) for a State or Territory other than Western Australia—the Health Practitioner Regulation National Law set out in the Schedule to the Health Practitioner Regulation National Law Act 2009 of Queensland, as it applies (with or without modification) as a law of the State or Territory; or
(b) for Western Australia—the Health Practitioner Regulation National Law (WA) Act 2010 of Western Australia, so far as that Act corresponds to the Health Practitioner Regulation National Law set out in the Schedule to the Health Practitioner Regulation National Law Act 2009 of Queensland.
National Repositories Service means the service referred to in paragraph 15(i).
nominated healthcare provider: a healthcare provider is the nominated healthcare provider of a consumer if:
(a) an agreement is in force between the healthcare provider and the consumer that the healthcare provider is the consumer’s nominated healthcare provider for the purposes of this Act; and
(b) a healthcare identifier has been assigned to the healthcare provider under paragraph 9(1)(a) of the Healthcare Identifiers Act 2010; and
(c) the healthcare provider is an individual registered by a registration authority as one of the following:
(i) a medical practitioner within the meaning of the National Law;
(ii) a registered nurse within the meaning of the National Law;
(iii) an Aboriginal health practitioner, a Torres Strait Islander health practitioner or an Aboriginal and Torres Strait Islander health practitioner within the meaning of the National Law who is included in a class prescribed by the regulations for the purposes of this subparagraph;
(iv) an individual, or an individual included in a class, prescribed by the regulations for the purposes of this subparagraph.
nominated representative of a consumer has the meaning given by section 7.
parental responsibility: a person has parental responsibility for a consumer (the child) if, and only if:
(a) the person:
(i) is the child’s parent (including a person who is presumed to be the child’s parent because of a presumption (other than in section 69Q) in Subdivision D of Division 12 of Part VII of the Family Law Act 1975); and
(ii) has not ceased to have parental responsibility for the child because of an order made under the Family Law Act 1975 or a law of a State or Territory; or
(b) under a parenting order (within the meaning of the Family Law Act 1975):
(i) the child is to live with the person; or
(ii) the child is to spend time with the person; or
(iii) the person is responsible for the child’s long‑term or day‑to‑day care, welfare and development; or
(c) the person is entitled to guardianship or custody of, or access to, the child under a law of the Commonwealth, a State or a Territory.
Note: The presumptions in the Family Law Act 1975 include a presumption arising from a court finding that a person is the child’s parent, and a presumption arising from a man executing an instrument under law acknowledging that he is the father of the child.
participant in the PCEHR system means any of the following:
(a) the System Operator;
(b) a registered healthcare provider organisation;
(c) the operator of the National Repositories Service;
(d) a registered repository operator;
(e) a registered portal operator;
(f) a registered contracted service provider, so far as the contracted service provider provides services to a registered healthcare provider.
PCEHR means a personally controlled electronic health record.
PCEHR Rules has the meaning given by section 109.
PCEHR system means a system:
(a) that is for:
(i) the collection, use and disclosure of information from many sources using telecommunications services and by other means, and the holding of that information, in accordance with consumers’ wishes or in circumstances specified in this Act; and
(ii) the assembly of that information using telecommunications services and by other means so far as it is relevant to a particular consumer, so that it can be made available, in accordance with the consumer’s wishes or in circumstances specified in this Act, to facilitate the provision of healthcare to the consumer or for purposes specified in this Act; and
(b) that involves the performance of functions under this Act by the System Operator.
personal information has the same meaning as in the Privacy Act 1988.
personally controlled electronic health record of a consumer means the record of information that is created and maintained by the System Operator in relation to the consumer, and information that can be obtained by means of that record, including the following:
(a) information included in the entry in the Register that relates to the consumer;
(b) health information connected in the PCEHR system to the consumer (including information included in a record accessible through the index service);
(c) other information connected in the PCEHR system to the consumer, such as information relating to auditing access to the record;
(d) back‑up records of such information.
record includes a database, register, file or document that contains information in any form (including in electronic form).
Register has the meaning given by section 56.
registered consumer means a consumer who is registered under section 41.
registered contracted service provider means a contracted service provider that is registered under section 49.
registered healthcare provider organisation means a healthcare provider organisation that is registered under section 44.
registered portal operator means a person that:
(a) is the operator of an electronic interface that facilitates access to the PCEHR system; and
(b) is registered as a portal operator under section 49.
registered repository operator means a person that:
(a) holds, or can hold, records of information included in personally controlled electronic health records for the purposes of the PCEHR system; and
(b) is registered as a repository operator under section 49.
registration authority means an entity that is responsible under a law for registering members of a particular health profession.
shared health summary has the meaning given by section 10.
State or Territory authority has the same meaning as in the Privacy Act 1988.
State/Territory Health Minister means:
(a) the Minister of a State; or
(b) the Minister of the Australian Capital Territory; or
(c) the Minister of the Northern Territory;
who is responsible, or principally responsible, for the administration of matters relating to health in the State or Territory, as the case may be.
System Operator has the meaning given by section 14.
this Act includes:
(a) regulations made under this Act; and
(b) the PCEHR Rules.
use health information included in a consumer’s PCEHR includes the following:
(a) access the information;
(b) view the information;
(c) modify the information;
(d) delete the information.
Veterans’ Affairs Department means the Department that:
(a) deals with matters arising under section 1 of the Veterans’ Entitlements Act 1986; and
(b) is administered by the Minister who administers that section.
Veterans’ Affairs Department file number means a number allocated to a consumer by the Veterans’ Affairs Department.
6 Definition of authorised representative of a consumer
Consumers aged under 18
(1) For the purposes of this Act, each person who the System Operator is satisfied has parental responsibility for a consumer aged under 18 is the authorised representative of the consumer.
(2) If there is no person who the System Operator is satisfied has parental responsibility for a consumer aged under 18, the authorised representative of the consumer is:
(a) a person who the System Operator is satisfied is authorised to act on behalf of the consumer for the purposes of this Act under the law of the Commonwealth or a State or Territory, or a decision of an Australian court or tribunal; or
(b) if there is no such person—a person:
(i) who the System Operator is satisfied is otherwise an appropriate person to be the authorised representative of the consumer; or
(ii) who is prescribed by the regulations for the purposes of this paragraph.
(3) Despite subsections (1) and (2), a person is not the authorised representative of a consumer aged under 18 years if the System Operator is satisfied that the consumer:
(a) wants to manage his or her own PCEHR; and
(b) is capable of making decisions for himself or herself.
Consumers aged at least 18
(4) For the purposes of this Act, if the System Operator is satisfied that a consumer aged at least 18 is not capable of making decisions for himself or herself, the authorised representative of the consumer is:
(a) a person who the System Operator is satisfied is authorised to act on behalf of the consumer under the law of the Commonwealth or a State or Territory or a decision of an Australian court or tribunal; or
(b) if there is no such person—a person:
(i) who the System Operator is satisfied is otherwise an appropriate person to be the authorised representative of the consumer; or
(ii) who is prescribed by the regulations for the purposes of this paragraph.
(5) An authorisation referred to in paragraph (2)(a) or (4)(a) may be conferred by specific reference to the purposes of this Act, or conferred by words of general authorisation that are broad enough to cover that purpose.
(6) A person cannot be the authorised representative of a consumer unless:
(a) a healthcare identifier has been assigned to the person under paragraph 9(1)(b) of the Healthcare Identifiers Act 2010; or
(b) the PCEHR Rules provide that a healthcare identifier is not required to have been so assigned.
Effect of being an authorised representative
(7) At a time when a consumer has an authorised representative:
(a) the authorised representative is entitled to do any thing that this Act authorises or requires the consumer to do; and
(b) the consumer is not entitled to do any thing that this Act would, apart from this subsection, authorise or require the consumer to do; and
(c) this Act has effect for all purposes, in relation to a thing done by an authorised representative, as if the consumer had done the thing.
(8) At a time when a consumer has one or more authorised representatives, any thing that this Act authorises or requires to be done in relation to the consumer is to be done in relation to at least one of the consumer’s authorised representatives. This Act has effect for all purposes as if the thing had been done in relation to the consumer.
Authorised representative to act in best interests of consumer
(9) An authorised representative of a consumer must act in the consumer’s best interests, having regard to any directions communicated to the authorised representative at a time when the System Operator is satisfied the consumer was capable of making decisions for himself or herself.
7 Definition of nominated representative of a consumer
(1) For the purposes of this Act, an individual is the nominated representative of a consumer if:
(a) an agreement is in force between the individual and the consumer that the individual is the consumer’s nominated representative for the purposes of this Act; and
(b) the consumer has notified the System Operator that the individual is his or her nominated representative.
Effect of being a nominated representative
(2) At a time when a consumer has a nominated representative:
(a) the nominated representative is entitled to do any thing that this Act authorises or requires the consumer to do, subject to any limitations:
(i) to which the consumer’s agreement is subject; and
(ii) that have been notified to the System Operator by the consumer; and
(b) this Act has effect for all purposes, in relation to a thing done by a nominated representative, as if the consumer had done the thing, subject to any modifications prescribed by the regulations.
(3) Despite subsection (2), the System Operator must not permit a nominated representative of a consumer to set access controls in relation to the consumer’s PCEHR unless:
(a) a healthcare identifier has been assigned to the nominated representative under paragraph 9(1)(b) of the Healthcare Identifiers Act 2010; or
(b) the PCEHR Rules provide that a healthcare identifier is not required to have been so assigned.
(4) The fact that a consumer has a nominated representative does not prevent the consumer doing any thing that this Act authorises or requires the consumer to do.
(5) At a time when a consumer has one or more nominated representatives, any thing that this Act authorises or requires to be done in relation to the consumer may be done in relation to one of the consumer’s nominated representatives and not in relation to the consumer to the extent:
(a) agreed between the consumer and the nominated representative; and
(b) notified to the System Operator by the consumer.
This Act has effect for all purposes as if the thing had been done in relation to the consumer.
Nominated representative to act in best interests of consumer
(6) A nominated representative of a consumer must act in the consumer’s best interests, subject to any directions of the consumer that have been communicated to the nominated representative.
8 Things done etc. under provisions of other Acts
(1) A reference in section 6 or 7 to any thing that this Act authorises or requires a consumer to do is taken to include a reference to any thing that a prescribed provision of another Act authorises or requires a consumer to do.
(2) A reference in section 6 or 7 to any thing that this Act authorises or requires to be done in relation to a consumer is taken to include a reference to any thing that a prescribed provision of another Act authorises or requires to be done in relation to a consumer.
9 Definition of identifying information
(1) Each of the following is identifying information of a healthcare provider who is an individual:
(a) the name of the healthcare provider;
(b) the address of the healthcare provider;
(c) the email address, telephone number and fax number of the healthcare provider;
(d) the date of birth, and the date of birth accuracy indicator, of the healthcare provider;
(e) the sex of the healthcare provider;
(f) the type of healthcare provider that the individual is;
(g) if the healthcare provider is registered by a registration authority—the registration authority’s identifier for the healthcare provider and the status of the registration (such as conditional, suspended or cancelled);
(h) other information that is prescribed by the regulations for the purpose of this paragraph.
(2) Each of the following is identifying information of a healthcare provider that is not an individual:
(a) the name of the healthcare provider;
(b) the address of the healthcare provider;
(c) the email address, telephone number and fax number of the healthcare provider;
(d) if applicable, the ABN (within the meaning of the A New Tax System (Australian Business Number) Act 1999) of the healthcare provider;
(e) if applicable, the ACN (within the meaning of the Corporations Act 2001) of the healthcare provider;
(f) other information that is prescribed by the regulations for the purpose of this paragraph.
(3) Each of the following is identifying information of an individual, other than an individual in the capacity of a healthcare provider:
(a) if applicable, the Medicare number of the individual;
(b) if applicable, the Veterans’ Affairs Department file number of the individual;
(c) the name of the individual;
(d) the address of the individual;
(e) the date of birth, and the date of birth accuracy indicator, of the individual;
(f) the sex of the individual;
(g) if the individual was part of a multiple birth—the order in which the individual was born;
Example: The second of twins.
(h) if applicable, the date of death, and the date of death accuracy indicator, of the individual.
10 Definition of shared health summary
The shared health summary of a registered consumer, at a particular time, is a record that:
(a) was prepared by the consumer’s nominated healthcare provider and described by him or her as the consumer’s shared health summary; and
(b) has been uploaded to the National Repositories Service; and
(c) at that time, is the most recent such record to have been uploaded to the National Repositories Service.
Note: This means that there is only one shared health summary for a consumer at a particular time.
(1) This Act binds the Crown in each of its capacities.
(2) This Act does not make the Crown liable to be prosecuted for an offence or liable to a pecuniary penalty.
Note: Subsection (2) does not limit other rights and remedies.
12 Concurrent operation of State laws
It is the intention of the Parliament that this Act is not to apply to the exclusion of a law of a State or Territory to the extent that that law is capable of operating concurrently with this Act.
This Act extends to every external Territory.
13A System Operator may arrange for use of computer programs to make decisions
(1) The System Operator may arrange for the use, under the System Operator’s control, of computer programs for any purposes for which the System Operator may make decisions under this Act.
(2) A decision made by the operation of a computer program under an arrangement made under subsection (1) is taken to be a decision made by the System Operator.
Part 2—The System Operator, advisory bodies and other matters
14 Identity of the System Operator
(1) The System Operator is:
(a) the Secretary of the Department; or
(b) if a body established by a law of the Commonwealth is prescribed by the regulations to be the System Operator—that body.
(2) Before regulations are made for the purposes of paragraph (1)(b), the Minister must be satisfied that the Ministerial Council has been consulted in relation to the proposed regulations.
15 Functions of the System Operator
The System Operator has the following functions:
(a) to establish and maintain an index service, for the purposes of the PCEHR system, that:
(i) allows information in different repositories to be connected to registered consumers; and
(ii) facilitates the retrieval of such information when required, and ensures that registered consumers, and participants in the PCEHR system who are authorised to collect, use and disclose information, are able to do so readily;
(b) to establish and maintain mechanisms (access control mechanisms) that, subject to any requirements specified in the PCEHR Rules:
(i) enable each registered consumer to set controls on the healthcare provider organisations and nominated representatives who may obtain access to the consumer’s PCEHR; and
(ii) specify default access controls that apply if a registered consumer has not set such controls; and
(iii) specify circumstances in which access to a consumer’s PCEHR is to be automatically suspended or cancelled;
(c) without limiting paragraph (b), to ensure that the access control mechanisms enable each registered consumer to specify that access to a consumer’s PCEHR is only to be:
(i) by healthcare provider organisations and nominated representatives specified by the consumer; and
(ii) in accordance with any limitations specified by the consumer, including limitations on the kind of health information to be collected, used or disclosed by such healthcare provider organisations and nominated representatives;
(d) to establish and maintain a reporting service that allows assessment of the performance of the system against performance indicators;
(e) to establish and maintain the Register (see section 56);
(f) to register consumers and participants in the PCEHR system (see Part 3) and to manage and monitor, on an ongoing basis, the system of registration;
(g) to establish and maintain an audit service that records activity in respect of information in relation to the PCEHR system;
(h) without limiting paragraph (g)—to establish and maintain mechanisms:
(i) that enable each registered consumer to obtain electronic access to a summary of the flows of information in relation to his or her PCEHR; and
(ii) that enable each registered consumer to obtain a complete record of the flows of information in relation to his or her PCEHR, on application to the System Operator;
(i) to operate a National Repositories Service that stores key records that form part of a registered consumer’s PCEHR (including the consumer’s shared health summary);
(j) to establish a mechanism for handling complaints about the operation of the PCEHR system;
(k) to ensure that the PCEHR system is administered so that problems relating to the administration of the system can be resolved;
(l) to advise the Minister on matters relating to the PCEHR system, including in relation to the matters to be included in the PCEHR Rules (see section 109);
(m) to educate consumers, participants in the PCEHR system and members of the public about the PCEHR system;
(ma) to prepare and provide de‑identified data for research or public health purposes;
(n) such other functions as are conferred on the System Operator by this Act or any other Act;
(o) to do anything incidental to or conducive to the performance of any of the above functions.
16 System Operator to have regard to advisory bodies’ advice etc.
The System Operator must, in performing functions and exercising powers, have regard to the advice and recommendations (if any) given by the jurisdictional advisory committee and the independent advisory council.
17 Retention of records uploaded to National Repositories Service
(1) This section applies to a record if:
(a) the record is uploaded to the National Repositories Service; and
(b) the record includes health information that is included in the PCEHR of a consumer.
(2) The System Operator must ensure that the record is retained for the period:
(a) beginning when the record is first uploaded to the National Repositories Service; and
(b) ending:
(i) 30 years after the death of the consumer; or
(ii) if the System Operator does not know the date of death of the consumer—130 years after the record was first uploaded to the National Repositories Service.
Division 2—Jurisdictional advisory committee
18 Establishment, functions and status of the jurisdictional advisory committee
(1) The jurisdictional advisory committee is established by this section.
(2) The jurisdictional advisory committee has the following functions:
(a) to advise the System Operator on matters relating to the interests of the Commonwealth, States and Territories in the PCEHR system;
(b) such other functions as are prescribed by the regulations.
(3) The jurisdictional advisory committee has the privileges and immunities of the Crown in right of the Commonwealth.
19 Membership of the jurisdictional advisory committee
(1) The jurisdictional advisory committee consists of the following members:
(a) a member to represent the Commonwealth;
(b) a member to represent each State, the Australian Capital Territory and the Northern Territory.
(2) The jurisdictional advisory committee member referred to in paragraph (1)(a) is to be appointed by the Minister by written instrument.
(3) The jurisdictional advisory committee member representing a State or Territory is to be appointed by the head (however described) of the Health Department of the State or Territory by written instrument.
(4) A jurisdictional advisory committee member holds office on a part‑time basis.
(5) Meetings of the jurisdictional advisory committee are to be chaired by the members referred to in paragraph (1)(b) on a rotating basis.
20 Termination of appointment of members of the jurisdictional advisory committee
(1) The Minister may at any time terminate the appointment of the jurisdictional advisory committee member representing the Commonwealth.
(2) The head of the Health Department of a State or Territory may at any time terminate the appointment of the jurisdictional advisory committee member representing the State or Territory.
21 Substitute members of the jurisdictional advisory committee
(1) If the jurisdictional advisory committee member representing the Commonwealth is unable to be present at a meeting of the committee, the Minister may nominate a person to attend the meeting in that member’s place.
(2) If a jurisdictional advisory committee member representing a State or Territory is unable to be present at a meeting of the committee, the head of the Health Department of the State or Territory may nominate a person to attend the meeting in the member’s place.
22 Application of the Remuneration Tribunal Act
An office of jurisdictional advisory committee member is not a public office for the purposes of Part II of the Remuneration Tribunal Act 1973.
23 Regulations may provide for matters relating to committee
The regulations may provide for the following in relation to the jurisdictional advisory committee:
(a) the qualifications of the member appointed to represent the Commonwealth;
(b) subject to section 20—the terms and conditions applicable to members, including terms and conditions relating to:
(i) remuneration; and
(ii) allowances; and
(iii) leave of absence; and
(iv) disclosure of interests;
(c) subject to subsection 19(5) and section 21—the operation and procedures of the committee, including by allowing the committee to determine its own procedure on any matter.
Division 3—Independent advisory council
Subdivision A—Establishment, functions and status
24 Establishment and functions of the independent advisory council
(1) The independent advisory council is established by this section.
(2) The council has the function of advising the System Operator on:
(a) the operation of the PCEHR system; and
(b) participation in the PCEHR system; and
(c) clinical, privacy and security matters relating to the operation of the PCEHR system; and
(d) such other matters as are prescribed by the regulations.
25 Independent advisory committee has privileges and immunities of the Crown
The independent advisory committee has the privileges and immunities of the Crown in right of the Commonwealth.
26 Membership of the independent advisory council
The independent advisory council consists of the following members:
(a) the Chair of the council;
(b) the Deputy Chair of the council;
(c) at least 7, but not more than 10, other members.
(1) A member of the independent advisory council is to be appointed by the Minister by written instrument.
Note: The member may be reappointed: see section 33AA of the Acts Interpretation Act 1901.
(2) When appointing members the Minister must ensure that:
(a) at least 3 of the members have significant experience in or knowledge of consumers’ receipt of healthcare; and
(b) between them, the members have experience or knowledge of the following matters:
(i) the provision of services as a medical practitioner within the meaning of the National Law;
(ii) the provision of services as a healthcare provider other than a medical practitioner within the meaning of the National Law;
(iii) law and/or privacy;
(iv) health informatics and/or information technology services relating to healthcare;
(v) administration of healthcare;
(vi) healthcare for Aboriginal or Torres Strait Islander people;
(vii) healthcare for people living or working in regional areas.
(3) None of the members referred to in paragraph (2)(a) is to be a healthcare provider.
Membership is part‑time
(4) A member of the independent advisory council holds office on a part‑time basis.
Term of membership
(5) A member of the independent advisory council holds office for the period specified in the instrument of his or her appointment. The period must not exceed 5 years.
(1) The Minister may, by written instrument, appoint a member of the independent advisory council to act as the Chair:
(a) during a vacancy in the office of Chair (whether or not an appointment has previously been made to the office); or
(b) during any period, or during all periods, when the Chair:
(i) is absent from duty or from Australia; or
(ii) is, for any reason, unable to perform the duties of the office.
Note: For rules that apply to acting appointments, see section 33A of the Acts Interpretation Act 1901.
(2) The Minister may, by written instrument, appoint a member of the independent advisory council to act as the Deputy Chair:
(a) during a vacancy in the office of Deputy Chair (whether or not an appointment has previously been made to the office); or
(b) during any period, or during all periods, when the Deputy Chair:
(i) is absent from duty or from Australia; or
(ii) is, for any reason, unable to perform the duties of the office.
Note: For rules that apply to acting appointments, see section 33A of the Acts Interpretation Act 1901.
(3) The Minister may, by written instrument, appoint a person to act as a member (other than the Chair and the Deputy Chair) of the independent advisory council:
(a) during a vacancy in the office of member (whether or not an appointment has previously been made to the office); or
(b) during any period, or during all periods, when the member:
(i) is absent from duty or from Australia; or
(ii) is, for any reason, unable to perform the duties of the office.
Note: For rules that apply to acting appointments, see section 33A of the Acts Interpretation Act 1901.
Subdivision C—Members’ terms and conditions
(1) A member of the independent advisory council is to be paid the remuneration that is determined by the Remuneration Tribunal. If no determination of that remuneration by the Tribunal is in operation, the member is to be paid the remuneration that is prescribed by the regulations.
(2) However, a member of the independent advisory council is not entitled to be paid remuneration if he or she holds an office or appointment, or is otherwise employed, on a full‑time basis in the service or employment of:
(a) a State; or
(b) a corporation (a public statutory corporation) that:
(i) is established for a public purpose by a law of a State; and
(ii) is not a tertiary education institution; or
(c) a company limited by guarantee, where the interests and rights of the members in or in relation to the company are beneficially owned by a State; or
(d) a company in which all the stock or shares are beneficially owned by a State or by a public statutory corporation.
Note: A similar rule applies to a committee member who has a similar relationship with the Commonwealth or a Territory: see subsection 7(11) of the Remuneration Tribunal Act 1973.
(3) A member of the independent advisory council is to be paid the allowances that are prescribed by the regulations.
(4) This section (except subsection (2)) has effect subject to the Remuneration Tribunal Act 1973.
(1) The Minister may grant leave of absence to the Chair of the independent advisory council on the terms and conditions that the Minister determines.
(2) The Chair of the independent advisory council may grant leave of absence to any other member of the council on the terms and conditions that the Chair determines.
31 Disclosure of interests to the Minister
A member of the independent advisory council must give written notice to the Minister of all interests, pecuniary or otherwise, that the member has or acquires and that conflict or could conflict with the proper performance of the member’s functions.
32 Disclosure of interests to the independent advisory council
(1) A member of the independent advisory council who has an interest, pecuniary or otherwise, in a matter being considered or about to be considered by the council must disclose the nature of the interest to a meeting of the council.
(2) The disclosure must be made as soon as possible after the relevant facts have come to the member’s knowledge.
(3) The disclosure must be recorded in the minutes of the meeting.
(4) Unless the council otherwise determines, the member:
(a) must not be present during any deliberation by the council on the matter; and
(b) must not take part in any decision of the council with respect to the matter.
(5) For the purposes of making a determination under subsection (4), the member:
(a) must not be present during any deliberation of the council for the purpose of making the determination; and
(b) must not take part in making the determination.
(6) A determination under subsection (4) must be recorded in the minutes of the meeting of the council.
(1) A member of the independent advisory council may resign his or her appointment by giving the Minister a written resignation.
(2) The resignation takes effect on the day it is received by the Minister or, if a later day is specified in the resignation, on that later day.
(1) The Minister may terminate the appointment of a member of the independent advisory council for misbehaviour or physical or mental incapacity.
(2) The Minister may terminate the appointment of a member of the independent advisory council if:
(a) the member:
(i) becomes bankrupt; or
(ii) applies to take the benefit of any law for the relief of bankrupt or insolvent debtors; or
(iii) compounds with his or her creditors; or
(iv) makes an assignment of his or her remuneration for the benefit of his or her creditors; or
(b) the member is absent, except on leave of absence, from 3 consecutive meetings of the council; or
(c) the member fails, without reasonable excuse, to comply with section 31 or 32.
(3) Before terminating the appointment of a member of the independent advisory council, the Minister must consult the System Operator.
(4) However, the termination of appointment of a member is not invalid merely because the Minister did not consult the System Operator as mentioned in subsection (3).
A member of the independent advisory council holds office on the terms and conditions (if any) in relation to matters not covered by this Act that are determined by the Minister.
Subdivision D—Procedures of the independent advisory council
(1) The Chair of the independent advisory council presides at all meetings of the council at which he or she is present.
(2) If the Chair is not present at a meeting of the independent advisory council but the Deputy Chair is present, the Deputy Chair presides at the meeting.
(3) If neither the Chair nor the Deputy Chair is present at a meeting of the independent advisory council, the members of the council present must elect a member to preside at the meeting.
37 Regulations may provide for other procedural matters
The regulations may provide for the operation and procedures of the independent advisory council, including by allowing the council to determine its own procedure on any matter.
Division 4—Functions of Chief Executive Medicare
38 Registered repository operator
(1) It is a function of the Chief Executive Medicare to seek to become a registered repository operator and, if registered, to operate a repository for the purposes of the PCEHR system in accordance with subsection (2).
(2) Without limiting the way in which the repository is to be operated, at any time when the Chief Executive Medicare is a registered repository operator, the Chief Executive Medicare:
(a) may at his or her discretion upload health information held by the Chief Executive Medicare about a registered consumer to the repository operated by the Chief Executive Medicare; and
(b) with the consent of a registered consumer—may at his or her discretion make available to the System Operator health information held by the Chief Executive Medicare about the consumer.
Note: Section 58 authorises the Chief Executive Medicare to disclose identifying information to the System Operator.
(3) The health information referred to in subsection (2) in relation to a consumer may include the name of one or more healthcare providers that have provided healthcare to the consumer.
Division 1—Registering consumers
39 Consumers may apply for registration
(1) A consumer may apply to the System Operator for registration of the consumer.
(2) The application must:
(a) be in the approved form; and
(b) include, or be accompanied by, the information and documents required by the form; and
(c) be lodged at a place, or by a means, specified in the form.
40 When a consumer is eligible for registration
A consumer is eligible for registration if:
(a) a healthcare identifier has been assigned to the consumer under paragraph 9(1)(b) of the Healthcare Identifiers Act 2010; and
(b) the following information has been provided to the System Operator in relation to the consumer:
(i) full name;
(ii) date of birth;
(iii) healthcare identifier, Medicare card number or Department of Veterans’ Affairs file number;
(iv) sex;
(v) such other information as is prescribed by the regulations.
41 Registration of a consumer by the System Operator
(1) The System Operator must decide to register a consumer if:
(a) an application has been made under section 39 in relation to the consumer; and
(b) the consumer is eligible for registration under section 40; and
(c) the System Operator is satisfied, having regard to the matters (if any) specified in the PCEHR Rules, that the identity of the consumer has been appropriately verified.
Note: The System Operator is not permitted to register a consumer in any other circumstances.
(2) Despite subsection (1), the System Operator is not required to register a consumer if the System Operator is satisfied that registering the consumer may compromise the security or integrity of the PCEHR system, having regard to the matters (if any) prescribed by the PCEHR Rules.
(3) The System Operator is not required to register a consumer if the consumer does not consent to a registered healthcare provider organisation uploading to the PCEHR system any record that includes health information about the consumer, subject to the following:
(a) express advice given by the consumer to the registered healthcare provider organisation that a particular record, all records or a specified class of records must not be uploaded;
(b) a law of a State or Territory that is prescribed by the regulations for the purposes of subsection (4).
(4) A consent referred to in subsection (3) has effect despite a law of a State or Territory that requires consent to the disclosure of particular health information:
(a) to be given expressly; or
(b) to be given in a particular way;
other than a law of a State or Territory prescribed by the regulations for the purposes of this subsection.
(5) A decision under subsection (1) takes effect when it is made.
Division 2—Registering healthcare provider organisations
42 Healthcare provider organisation may apply for registration
(1) A healthcare provider organisation may apply to the System Operator for registration of the healthcare provider organisation.
(2) The application must:
(a) be in the approved form; and
(b) include, or be accompanied by, the information and documents required by the form; and
(c) be lodged at a place, or by a means, specified in the form.
43 When a healthcare provider organisation is eligible for registration
A healthcare provider organisation is eligible for registration if:
(a) a healthcare identifier has been assigned under paragraph 9(1)(a) of the Healthcare Identifiers Act 2010 to the healthcare provider organisation; and
(b) the healthcare provider organisation complies with such requirements as are specified in the PCEHR Rules; and
(c) the healthcare provider organisation has agreed to be bound by the conditions imposed by the System Operator on the registration.
44 Registration of a healthcare provider organisation
(1) The System Operator must decide to register a healthcare provider organisation if:
(a) the healthcare provider organisation has made an application under section 42; and
(b) the healthcare provider organisation is eligible for registration under section 43.
(2) Despite subsection (1), the System Operator is not required to register a healthcare provider organisation if the System Operator is satisfied that registering the healthcare provider organisation may compromise the security or integrity of the PCEHR system, having regard to the matters (if any) prescribed by the PCEHR Rules.
(3) The System Operator may impose conditions on the registration.
(4) A decision under subsection (1) takes effect when it is made.
45 Condition of registration—uploading of records, etc.
It is a condition of registration of a healthcare provider organisation that the healthcare provider organisation does not, for the purposes of the PCEHR system:
(a) upload a record that includes health information about a registered consumer to a repository other than:
(i) a repository that forms part of the National Repositories Service; or
(ii) a repository to which a registered repository operator’s registration relates; or
(b) upload to a repository a record:
(i) that purports to be the shared health summary of a registered consumer, unless the record would, when uploaded, be the shared health summary of the registered consumer; or
(ii) that is a record of a kind specified in the PCEHR Rules for the purposes of this paragraph, unless the record has been prepared by an individual healthcare provider to whom a healthcare identifier has been assigned under paragraph 9(1)(a) of the Healthcare Identifiers Act 2010; or
(c) upload a record to a repository if uploading the record would involve:
(i) an infringement of copyright; or
(ii) an infringement of a moral right of the author;
within the meaning of the Copyright Act 1968; or
(d) upload to a repository a record that includes health information about a registered consumer if the consumer has advised that the record is not to be uploaded.
Consumer who is not registered
(1) It is a condition of registration of a healthcare provider organisation that the organisation does not:
(a) refuse to provide healthcare to a consumer because the consumer is not registered under this Part; or
(b) otherwise discriminate against a consumer in relation to the provision of healthcare because the consumer is not registered under this Part.
Registered consumer’s access controls
(2) It is a condition of registration of a healthcare provider organisation that the organisation does not:
(a) refuse to provide healthcare to a registered consumer because the consumer has set particular access controls on his or her PCEHR; or
(b) otherwise discriminate against a consumer in relation to the provision of healthcare because the consumer has set particular access controls on his or her PCEHR.
Division 3—Registering repository operators, portal operators and contracted service providers
(1) A person may apply to the System Operator for registration as any of the following:
(a) a repository operator;
(b) a portal operator;
(c) a contracted service provider.
(2) An application for registration as a repository operator must specify each repository to which the registration is proposed to relate.
A person is eligible for registration as a repository operator, a portal operator or a contracted service provider if the System Operator is satisfied that:
(a) the person complies with any PCEHR Rules that apply in relation to registration of the particular kind; and
(b) the person has agreed to be bound by the conditions imposed by the System Operator on the person’s registration; and
(c) in the case of a repository operator or a portal operator—the central management and control of the repository operator or portal operator will be located in Australia at all times when the repository operator or portal operator is registered; and
(d) in the case of a repository operator or a portal operator that:
(i) is a State or Territory authority, or an instrumentality of a State or Territory; and
(ii) is not bound by a designated privacy law of the State or Territory;
the repository operator or portal operator is prescribed under section 6F of the Privacy Act 1988.
49 Registration of a repository operator, a portal operator or a contracted service provider
(1) The System Operator must decide to register a person as a repository operator, a portal operator or a contracted service provider if:
(a) the person has made an application under section 47 for registration of that kind; and
(b) the person is eligible for registration of that kind under section 48.
(2) Despite subsection (1), the System Operator is not required to register a person as a repository operator, a portal operator or a contracted service provider if the System Operator is satisfied that registering the person may compromise the security or integrity of the PCEHR system, having regard to the matters (if any) prescribed by the PCEHR Rules.
(3) The System Operator may impose conditions on the registration.
(4) If the System Operator decides to register a person as a repository operator, the decision must specify the repositories to which the registration relates.
(5) A decision under subsection (1) takes effect when it is made.
50 Condition about provision of information to System Operator
It is a condition of registration of a registered repository operator, a registered portal operator or a registered contracted service provider that it must provide to the System Operator information included in the PCEHR of a consumer if requested to do so by the System Operator.
Division 4—Cancellation, suspension and variation of registration
51 Cancellation or suspension of registration
Cancellation or suspension on request
(1) The System Operator must, in writing, decide to cancel or suspend the registration of a consumer or other entity if the consumer or other entity requests the System Operator, in writing, to cancel or suspend the registration.
Cancellation or suspension if consumer no longer eligible, etc.
(2) The System Operator may, in writing, decide to cancel or suspend the registration of a consumer if:
(a) the System Operator is no longer satisfied that the consumer is eligible to be registered; or
(b) the System Operator is no longer satisfied, having regard to the matters (if any) specified in the PCEHR Rules, that the identity of the consumer has been appropriately verified; or
(c) the System Operator is satisfied that, unless the registration of the consumer is cancelled, the security or integrity of the PCEHR system may be compromised, having regard to the matters (if any) prescribed by the PCEHR Rules; or
(d) the System Operator is satisfied that the consent referred to in subsection 41(3) in relation to the consumer has been withdrawn; or
(e) the System Operator is satisfied that the consent referred to in subsection 41(3) in relation to the consumer was given by an authorised representative or nominated representative of the consumer, and:
(i) the authorised representative or nominated representative who gave the consent ceases to be an authorised representative or nominated representative of the consumer; and
(ii) the System Operator requests the consumer to give consent of the kind referred to in subsection 41(3); and
(iii) the consumer does not, within a reasonable period, give the consent.
Cancellation or suspension if other entity no longer eligible, etc.
(3) The System Operator may, in writing, decide to cancel or suspend the registration of an entity other than a consumer if:
(a) the System Operator is no longer satisfied that the entity is eligible to be registered; or
(b) the System Operator is satisfied that:
(i) the entity has contravened this Act or a condition of the entity’s registration; or
(ii) cancellation or suspension of registration is reasonably necessary to prevent such a contravention; or
(iii) cancellation or suspension of registration is otherwise appropriate, having regard to the need to protect the security and integrity of the PCEHR system.
Suspension while investigating action in relation to consumer’s registration
(4) The System Operator may, in writing, decide to suspend the registration of a consumer while the System Operator investigates whether to take action under subsection (2) in relation to the consumer’s registration.
Suspension while investigating action in relation to entity’s registration
(5) The System Operator may, in writing, decide to suspend the registration of an entity other than a consumer while the System Operator investigates whether to take action under subsection (3) in relation to the entity’s registration.
Cancellation of registration of consumer on death
(6) The System Operator must decide to cancel the registration of a consumer if the System Operator is satisfied that the consumer has died.
When cancellation or suspension takes effect
(7) A decision under this section takes effect:
(a) when it is made; or
(b) if the decision is made at the request of the consumer or other entity, and the request states that the consumer or other entity wishes the cancellation or suspension to occur at a specified future time—at that future time.
(1) The System Operator may decide, on the System Operator’s initiative or on the request of a consumer or other entity, to vary the registration of the consumer or other entity:
(a) to impose conditions, or additional conditions, on the registration; or
(b) to vary or revoke conditions imposed on the registration; or
(c) in the case of a registered repository operator—to vary the repositories to which the registration relates; or
(d) to correct an error or omission in the registration.
(2) A decision under this section takes effect:
(a) when it is made; or
(b) if the decision is made at the request of the consumer or other entity, and the request states that the consumer or other entity wishes the variation to occur at a specified future time—at that future time.
53 Notice of cancellation, suspension or variation of registration etc.
Written notice before cancellation etc. other than in urgent circumstances
(1) The System Operator must give written notice to a consumer or other entity before:
(a) cancelling or suspending the registration of the consumer or entity under subsection 51(2), (3), (4) or (5); or
(b) varying the entity’s registration under section 52;
other than as mentioned in subsection (4) of this section (urgency).
(2) The notice:
(a) must state that the System Operator proposes to cancel, suspend or vary the registration and the reasons why; and
(b) in the case of an entity that the System Operator is satisfied has contravened or may contravene this Act or a condition of the entity’s registration—may specify steps that the entity must take in order to address the contravention or possible contravention; and
(c) must invite the consumer or other entity to make a written submission, within the period specified in the notice, to the System Operator in relation to the proposed cancellation, suspension or variation.
(3) If the System Operator gives written notice to a consumer or other entity under subsection (1), the System Operator must not decide to cancel, suspend or vary the registration until after the end of the period referred to in paragraph (2)(c).
Cancellation etc. in urgent circumstances
(4) If the System Operator is satisfied that it is necessary, because of the urgency of the circumstances, to cancel, suspend or vary the registration of a consumer or other entity with immediate effect, the System Operator must give written notice to the consumer or other entity:
(a) cancelling or suspending the registration of the consumer or entity under subsection 51(2), (3), (4) or (5); or
(b) varying the entity’s registration under section 52.
(5) A cancellation, suspension or variation referred to in subsection (4) takes effect:
(a) when the notice referred to in that subsection is received by the consumer or other entity; or
(b) if a later time is specified in the notice—at that later time.
During any period when the registration of a consumer or other entity is suspended:
(a) the consumer or other entity is taken not to be registered for the purposes of Division 2 of Part 4 (authorised collection, use and disclosure of health information), other than:
(i) paragraph 63(b) (collection, use or disclosure on request of the System Operator); and
(ii) subsection 64(1) (serious threat); and
(b) if the entity is a registered repository operator, a registered portal operator or a registered contracted service provider—the entity is taken to be registered for the purposes of the remaining provisions of this Act.
55 PCEHR Rules may specify requirements after registration is cancelled or suspended
(1) The PCEHR Rules may specify the requirements to which the System Operator or another entity is subject after the registration of a consumer or other entity is cancelled or suspended.
(2) The PCEHR Rules cannot modify the effect of section 54.
(3) The requirements specified in the PCEHR Rules may include requirements relating to the following:
(a) retention, transfer or disposal of PCEHRs;
(b) retention, transfer or disposal of other records.
(1) The System Operator must establish and maintain a Register.
(2) The Register may be maintained in electronic form and may be divided into separate parts.
(3) The Register is not a legislative instrument.
57 Entries to be made in Register
If the System Operator decides under this Part to register a consumer or other entity or to cancel, suspend or vary such a registration, the System Operator must, as soon as practicable after making the decision, ensure that the following information is entered in the Register in relation to the consumer or other entity:
(a) such administrative information as is necessary for the purposes of the proper operation of the PCEHR system;
(b) such information (if any) as is specified in the PCEHR Rules for the purposes of this paragraph.
Division 6—Information use and disclosure for identity verification
58 Identifying information may be used and disclosed
(1) The Chief Executive Medicare, the Human Services Department, the Veterans’ Affairs Department and the Defence Department are authorised to use, and to disclose to the System Operator, identifying information about a consumer or healthcare provider organisation if:
(a) the consumer or healthcare provider organisation is applying, or has applied, for registration; and
(b) the use or disclosure is for the purpose of verification by the System Operator of the identity of the consumer or healthcare provider organisation.
(2) The Chief Executive Medicare, the Human Services Department, the Veterans’ Affairs Department and the Defence Department are authorised to use, and to disclose to the System Operator, identifying information about a consumer or healthcare provider if the use or disclosure:
(a) is for the purpose of verification by the System Operator of the identity of the consumer or healthcare provider; and
(b) relates to the performance of functions or the exercise of powers by the System Operator in respect of the PCEHR system.
(3) The Chief Executive Medicare, the Human Services Department, the Veterans’ Affairs Department and the Defence Department are authorised to use, and to disclose to the System Operator, identifying information about the authorised representative or nominated representative of a consumer if:
(a) the authorised representative or nominated representative is applying, or has applied, for registration of the consumer; and
(b) the use or disclosure is for the purpose of verification by the System Operator of the identity of the authorised representative or nominated representative.
(4) The Chief Executive Medicare, the Human Services Department, the Veterans’ Affairs Department or the Defence Department must, as soon as practicable after becoming aware that information provided under subsection (1), (2) or (3) has changed, inform the System Operator of the change in the information.
59 Unauthorised collection, use and disclosure of health information included in a consumer’s PCEHR
(1) A person must not collect from the PCEHR system health information included in a consumer’s PCEHR if the collection by the person is not authorised under Division 2, and the person knows or is reckless as to that fact.
Civil penalty: 120 penalty units.
(2) A person must not use or disclose health information included in a consumer’s PCEHR if:
(a) the person obtained the information by using or gaining access to the PCEHR system; and
(b) the use or disclosure is not authorised under Division 2, and the person knows or is reckless as to that fact.
Civil penalty: 120 penalty units.
(1) A person must not use or disclose health information included in a consumer’s PCEHR if:
(a) the information was disclosed to the person in contravention of subsection 59(2); and
(b) the person knows that, or is reckless as to whether, the disclosure of the information to the person contravened that subsection.
Civil penalty: 120 penalty units.
(2) Subsection (1) does not apply if the person discloses the information for the purpose of an appropriate authority investigating the contravention mentioned in paragraph (1)(a).
Division 2—Authorised collection, use and disclosure
Subdivision A—Collection, use and disclosure in accordance with access controls
61 Collection, use and disclosure for providing healthcare
(1) A participant in the PCEHR system is authorised to collect, use and disclose health information included in a registered consumer’s PCEHR if the collection, use or disclosure of the health information is:
(a) for the purpose of providing healthcare to the registered consumer; and
(b) in accordance with:
(i) the access controls set by the registered consumer; or
(ii) if the registered consumer has not set access controls—the default access controls specified by the PCEHR Rules or, if the PCEHR Rules do not specify default access controls, by the System Operator.
(2) Subsection (1) does not authorise a participant in the PCEHR system to collect, use or disclose health information included in consumer‑only notes.
62 Collection, use and disclosure to nominated representative
A participant in the PCEHR system is authorised to disclose health information included in a registered consumer’s PCEHR for any purpose if the disclosure of the health information is:
(a) to the registered consumer’s nominated representative; and
(b) in accordance with:
(i) the access controls set by the registered consumer; or
(ii) if the consumer has not set access controls—the default access controls specified by the PCEHR Rules or, if the PCEHR Rules do not specify default access controls, by the System Operator.
Subdivision B—Collection, use and disclosure other than in accordance with access controls
63 Collection, use and disclosure for management of PCEHR system
A participant in the PCEHR system is authorised to collect, use and disclose health information included in a consumer’s PCEHR if:
(a) the collection, use or disclosure is undertaken for the purpose of the management or operation of the PCEHR system, if the consumer would reasonably expect the participant to collect, use or disclose the health information for that purpose; or
(b) the collection, use or disclosure is undertaken in response to a request by the System Operator for the purpose of performing a function or exercising a power of the System Operator.
Note: For example, the System Operator might make a request under paragraph (b) for the purposes of section 69 or 70.
64 Collection, use and disclosure in the case of a serious threat
(1) A participant in the PCEHR system is authorised to collect, use and disclose health information included in a registered consumer’s PCEHR if:
(a) the participant reasonably believes that:
(i) the collection, use or disclosure is necessary to lessen or prevent a serious threat to an individual’s life, health or safety; and
(ii) it is unreasonable or impracticable to obtain the consumer’s consent to the collection, use or disclosure; and
(b) unless the participant is the System Operator—the participant advises the System Operator of the matters in paragraph (a); and
(c) the collection, use or disclosure occurs not later than 5 days after that advice is given.
(2) A participant in the PCEHR system is authorised to collect, use and disclose health information included in a consumer’s PCEHR if the participant reasonably believes that the collection, use or disclosure by the participant is necessary to lessen or prevent a serious threat to public health or public safety.
(3) Subsections (1) and (2) do not authorise a participant in the PCEHR system to collect, use or disclose consumer‑only notes.
65 Collection, use and disclosure authorised by law
(1) Subject to section 69, a participant in the PCEHR system is authorised to collect, use and disclose health information included in a consumer’s PCEHR if the collection, use or disclosure is required or authorised by Commonwealth, State or Territory law.
(2) Subsection (1) does not authorise a participant in the PCEHR system to collect, use or disclose consumer‑only notes.
66 Collection, use and disclosure with consumer’s consent
(1) A participant in the PCEHR system is authorised to disclose for any purpose health information included in a consumer’s PCEHR to the consumer.
(2) A participant in the PCEHR system is authorised to collect, use and disclose for any purpose health information included in a consumer’s PCEHR with the consent of the consumer.
67 Collection, use and disclosure by a consumer
A consumer is authorised to collect, use and disclose, for any purpose, health information included in his or her PCEHR.
Note: The information the consumer can collect through the PCEHR system after cancellation of the consumer’s registration may be limited.
68 Collection, use and disclosure for indemnity cover
(1) A participant in the PCEHR system is authorised to collect, use and disclose health information included in a consumer’s PCEHR for purposes relating to the provision of indemnity cover for a healthcare provider.
(2) Subsection (1) does not authorise a participant in the PCEHR system to collect, use or disclose consumer‑only notes.
69 Disclosure to courts and tribunals
(1) If:
(a) a court or tribunal other than a coroner orders or directs the System Operator to disclose health information included in a consumer’s PCEHR to the court or tribunal; and
(b) the order or direction is given in the course of proceedings relating to:
(i) this Act; or
(ii) unauthorised access to information through the PCEHR system; or
(iii) the provision of indemnity cover to a healthcare provider; and
(c) apart from this Part, the System Operator would be required to comply with the order or direction;
the System Operator must comply with the order or direction.
(2) If a coroner orders or directs the System Operator to disclose health information included in a consumer’s PCEHR to the coroner, the System Operator must comply with the order or direction.
(3) Except as mentioned in subsection (1) or (2), a participant in the PCEHR system, or a consumer, cannot be required to disclose health information included in a consumer’s PCEHR to a court or tribunal.
(4) Except as mentioned in subsection (1) or (2), the System Operator is not authorised to disclose health information included in a consumer’s PCEHR to a court or tribunal unless the consumer consents.
(5) Subsections (1) and (2) do not authorise the System Operator to disclose consumer‑only notes.
70 Disclosure for law enforcement purposes, etc.
(1) The System Operator is authorised to use or disclose health information included in a consumer’s PCEHR if the System Operator reasonably believes that the use or disclosure is reasonably necessary for one or more of the following things done by, or on behalf of, an enforcement body:
(a) the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law;
(b) the enforcement of laws relating to the confiscation of the proceeds of crime;
(c) the protection of the public revenue;
(d) the prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct;
(e) the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal.
(2) So far as subsection (1) relates to paragraph (1)(e), it is subject to section 69.
(3) The System Operator is authorised to use or disclose health information included in a consumer’s PCEHR if the System Operator:
(a) has reason to suspect that unlawful activity that relates to the System Operator’s functions has been, is being or may be engaged in; and
(b) reasonably believes that use or disclosure of the information is necessary for the purposes of an investigation of the matter or in reporting concerns to relevant persons or authorities.
(4) If the System Operator uses or discloses personal information under this section, it must make a written note of the use or disclosure.
(5) This section does not authorise the System Operator to use or disclose consumer‑only notes.
Division 3—Prohibitions and authorisations limited to PCEHR system
71 Prohibitions and authorisation limited to health information collected by using the PCEHR system
(1) The prohibitions and authorisations under Divisions 1 and 2 in respect of the collection, use and disclosure of health information included in a consumer’s PCEHR are limited to the collection, use or disclosure of health information obtained by using the PCEHR system.
(2) If health information included in a consumer’s PCEHR can also be obtained by means other than by using the PCEHR system, such a prohibition or authorisation does not apply to health information lawfully obtained by those other means, even if the health information was originally obtained by using the PCEHR system.
Information stored for more than one purpose
(3) Without limiting the circumstances in which health information included in a consumer’s PCEHR and obtained by a person is taken not to be obtained by using or gaining access to the PCEHR system, it is taken not to be so obtained if:
(a) the health information is stored in a repository operated both for the purposes of the PCEHR system and other purposes; and
(b) the person lawfully obtained the health information directly from the repository for those other purposes.
Note: For example, information that is included in a registered consumer’s PCEHR may be stored in a repository operated by a State or Territory for purposes related to the PCEHR system and other purposes. When lawfully obtained directly from the repository for those other purposes, the prohibitions and authorisations in this Part will not apply.
Information originally obtained by means of PCEHR system
(4) Without limiting the circumstances in which health information included in a consumer’s PCEHR and obtained by a person is taken not to be obtained by using or gaining access to the PCEHR system, it is taken not to be so obtained if:
(a) the health information was originally obtained by a participant in the PCEHR system by means of the PCEHR system in accordance with this Act; and
(b) after the health information was so obtained, it was stored in such a way that it could be obtained other than by means of the PCEHR system; and
(c) the person subsequently obtained the health information by those other means.
Note: For example, information that is included in a registered consumer’s PCEHR may be downloaded into the clinical health records of a healthcare provider and later obtained from those records.
Division 4—Interaction with the Privacy Act 1988
72 Interaction with the Privacy Act 1988
An authorisation to use or disclose health information under this Act is also an authorisation to use or disclose the health information for the purposes of the Privacy Act 1988.
73 Contravention of this Act is an interference with privacy
(1) An act or practice that contravenes this Act in connection with health information included in a consumer’s PCEHR or a provision of Part 4 or 5, or would contravene this Act but for a requirement relating to the state of mind of a person, is taken to be:
(a) for the purposes of the Privacy Act 1988, an interference with the privacy of a consumer; and
(b) covered by section 13 or 13A of that Act.
(2) The respondent to a complaint under the Privacy Act 1988 about an act or practice, other than an act or practice of an agency or organisation, is the individual who engaged in the act or practice.
(3) In addition to the Information Commissioner’s functions under the Privacy Act 1988, the Information Commissioner has the following functions in relation to the PCEHR system:
(a) to investigate an act or practice that may be an interference with the privacy of a consumer under subsection (1) and, if the Information Commissioner considers it appropriate to do so, to attempt by conciliation to effect a settlement of the matters that gave rise to the investigation;
(b) to do anything incidental or conducive to the performance of those functions.
(4) The Information Commissioner has power to do all things that are necessary or convenient to be done for or in connection with the performance of his or her functions under subsection (3).
Note: An act or practice that is an interference with privacy may be the subject of a complaint under section 36 of the Privacy Act 1988.
73A Information Commissioner may disclose details of investigations to System Operator
The Information Commissioner is authorised to disclose to the System Operator any information or documents that relate to an investigation the Information Commissioner conducts because of the operation of section 73, if the Information Commissioner is satisfied that to do so will enable the System Operator to monitor or improve the operation or security of the PCEHR system.
73B Obligations of System Operator in relation to correction, etc.
(1) The System Operator may, in order to meet its obligations under the Privacy Act 1988 in relation to the correction and alteration of records:
(a) request a participant in the PCEHR system to correct personal information contained in a record included in the PCEHR system and, if the participant does so, to upload the corrected record to the PCEHR system; and
(b) if the participant refuses to do so—direct the participant to attach to the record a note prepared by the consumer in relation to personal information included in the record, and to upload the record and note to the PCEHR system.
(2) A participant in the PCEHR system who is given a direction under paragraph (1)(b) must comply with the direction.
Part 5—Other civil penalty provisions
(1) A registered healthcare provider organisation is liable for a civil penalty if:
(a) an individual requests access to a consumer’s PCEHR on behalf or purportedly on behalf of the registered healthcare provider organisation; and
(b) the individual does not give enough information to the System Operator to enable the System Operator to identify the individual who made the request without seeking further information from another person.
Civil penalty: 100 penalty units.
(2) Subsection (1) does not require an individual to give more than the minimum information necessary to identify the individual by name.
75 Certain participants in the PCEHR system must notify data breaches etc.
(1) This section applies to an entity if:
(a) the entity is, or has at any time been, the System Operator, a registered repository operator or a registered portal operator; and
(b) the entity becomes aware that:
(i) a person has, or may have, contravened this Act in a manner involving an unauthorised collection, use or disclosure of health information included in a consumer’s PCEHR; or
(ii) an event has occurred or circumstances have arisen (whether or not involving a contravention of this Act) that compromise, or may compromise, the security or integrity of the PCEHR system; and
(c) the contravention, event or circumstances directly involved, may have involved or may involve the entity.
(2) If the entity is a registered repository operator or a registered portal operator, the entity must:
(a) in the case of an entity that is a State or Territory authority or an instrumentality of a State or Territory—notify the System Operator as soon as practicable after becoming aware of the contravention, event or circumstances referred to in subsection (1); or
(b) otherwise—notify both the System Operator and the Information Commissioner as soon as practicable after becoming aware of the contravention, event or circumstances referred to in subsection (1).
Civil penalty: 100 penalty units.
(3) If the entity is the System Operator, the entity must notify the Information Commissioner as soon as practicable after becoming aware of the contravention, event or circumstances referred to in subsection (1).
(4) The entity must also, as soon as practicable after becoming aware of the contravention, event or circumstances, do the following things:
(a) so far as is reasonably practicable, contain the contravention, event or circumstances and undertake a preliminary assessment of the causes;
(b) evaluate any risks that may be related to or arise out of the contravention, event or circumstances;
(c) if the entity is the System Operator:
(i) notify all affected consumers; and
(ii) if a significant number of consumers are affected, notify the general public;
(d) if the entity is not the System Operator—ask the System Operator:
(i) to notify all affected consumers; and
(ii) if a significant number of consumers are affected, to notify the general public;
(e) take steps to prevent or mitigate the effects of further contraventions, events or circumstances described in paragraph (1)(b).
Note: A contravention of this subsection is not a civil penalty provision. However, contraventions of this Act may have other consequences (for example, cancellation of registration).
(5) The System Operator must comply with a request under paragraph (4)(d).
76 Requirement to notify if cease to be eligible to be registered
A registered healthcare provider organisation, a registered repository operator, a registered portal operator or a registered contracted service provider must give written notice to the System Operator within 14 days of ceasing to be eligible to be so registered.
Civil penalty: 80 penalty units.
77 Requirement not to hold or take records outside Australia
(1) The System Operator, a registered repository operator, a registered portal operator or a registered contracted service provider that holds records for the purposes of the PCEHR system (whether or not the records are also held for other purposes) or has access to information relating to such records, must not:
(a) hold the records, or take the records, outside Australia; or
(b) process or handle the information relating to the records outside Australia; or
(c) cause or permit another person:
(i) to hold the records, or take the records, outside Australia; or
(ii) to process or handle the information relating to the records outside Australia.
Civil penalty: 120 penalty units.
(2) Despite subsection (1), the System Operator is authorised, for the purposes of the operation or administration of the PCEHR system:
(a) to hold and take such records outside Australia, provided that the records do not include:
(i) personal information in relation to a consumer or a participant in the PCEHR system; or
(ii) identifying information of an individual or entity; and
(b) to process and handle such information outside Australia, provided that the information is neither of the following:
(i) personal information in relation to a consumer or a participant in the PCEHR system;
(ii) identifying information of an individual or entity.
(3) This section does not limit the operation of section 99.
78 Participant in the PCEHR system must not contravene PCEHR Rules
A person that is, or has at any time been, a registered repository operator or a registered portal operator must not contravene a PCEHR Rule that applies to the person.
Civil penalty: 80 penalty units.
Part 6—Civil penalty supporting provisions
Division 1—Civil penalty orders
Application for order
(1) The Information Commissioner may apply to a Court for an order that a person who is alleged to have contravened a civil penalty provision pay the Commonwealth a pecuniary penalty.
(2) The Information Commissioner must make the application within 6 years of the alleged contravention.
Court may order person to pay pecuniary penalty
(3) If the Court is satisfied that the person has contravened the civil penalty provision, the Court may order the person to pay to the Commonwealth such pecuniary penalty for the contravention as the court determines to be appropriate.
Note: Subsection (5) sets out the maximum penalty that the court may order the person to pay.
(4) An order under subsection (3) is a civil penalty order.
Determining pecuniary penalty
(5) The pecuniary penalty must not be more than:
(a) if the person is a body corporate—5 times the pecuniary penalty specified for the civil penalty provision; and
(b) otherwise—the pecuniary penalty specified for the civil penalty provision.
(6) In determining the pecuniary penalty, the Court may take into account all relevant matters, including:
(a) the nature and extent of the contravention; and
(b) the nature and extent of any loss or damage suffered because of the contravention; and
(c) the circumstances in which the contravention took place; and
(d) whether the person has previously been found by a court in proceedings under one or more of the following to have engaged in any similar conduct:
(i) this Act;
(ii) the Crimes Act 1914 or the Criminal Code in relation to this Act; and
(e) the steps taken by the person to notify the contravention to appropriate persons (if any); and
(f) the steps taken by the person to prevent further contraventions.
80 Civil enforcement of penalty
(1) A pecuniary penalty is a debt payable to the Commonwealth.
(2) The Commonwealth may enforce a civil penalty order as if it were an order made in civil proceedings against the person to recover a debt due by the person. The debt arising from the order is taken to be a judgement debt.
81 Conduct contravening more than one civil penalty provision
(1) If conduct constitutes a contravention of 2 or more civil penalty provisions, proceedings may be instituted under this Part against a person in relation to the contravention of any one or more of those provisions.
(2) However, the person is not liable to more than one pecuniary penalty under this Part in relation to the same conduct.
(1) A Court may make a single civil penalty order against a person for multiple contraventions of a civil penalty provision if proceedings for the contraventions are founded on the same facts, or if the contraventions form, or are part of, a series of contraventions of the same or a similar character.
(2) However, the penalty must not exceed the sum of the maximum penalties that could be ordered if a separate penalty were ordered for each of the contraventions.
83 Proceedings may be heard together
A Court may direct that 2 or more proceedings for civil penalty orders are to be heard together.
84 Civil evidence and procedure rules for civil penalty orders
A Court must apply the rules of evidence and procedure for civil matters when hearing proceedings for a civil penalty order.
85 Contravening a civil penalty provision is not an offence
A contravention of a civil penalty provision is not an offence.
Division 2—Relationship to other proceedings
86 Civil proceedings after criminal proceedings
A Court may not make a civil penalty order against a person for a contravention of a civil penalty provision if the person has been convicted of an offence constituted by conduct that is the same, or substantially the same, as the conduct constituting the contravention.
87 Criminal proceedings during civil proceedings
(1) Proceedings for a civil penalty order against a person for a contravention of a civil penalty provision are stayed if:
(a) criminal proceedings are commenced or have already been commenced against the person for an offence; and
(b) the offence is constituted by conduct that is the same, or substantially the same, as the conduct alleged to constitute the contravention.
(2) The proceedings for the order (the civil proceedings) may be resumed if the person is not convicted of the offence. Otherwise, the civil proceedings are dismissed.
88 Criminal proceedings after civil proceedings
Criminal proceedings may be commenced against a person for conduct that is the same, or substantially the same, as conduct that would constitute a contravention of a civil penalty provision regardless of whether a civil penalty order has been made against the person in relation to the contravention.
89 Evidence given in civil proceedings not admissible in criminal proceedings
(1) Evidence of information given, or evidence of production of documents, by an individual is not admissible in criminal proceedings against the individual if:
(a) the individual previously gave the evidence or produced the documents in proceedings for a civil penalty order against the individual for an alleged contravention of a civil penalty provision (whether or not the order was made); and
(b) the conduct alleged to constitute the offence is the same, or substantially the same, as the conduct alleged to constitute the contravention.
(2) However, subsection (1) does not apply to criminal proceedings in relation to the falsity of the evidence given by the individual in the proceedings for the civil penalty order.
90 Ancillary contravention of civil penalty provisions
(1) A person must not:
(a) attempt to contravene a civil penalty provision; or
(b) aid, abet, counsel or procure a contravention of a civil penalty provision; or
(c) induce (by threats, promises or otherwise) a contravention of a civil penalty provision; or
(d) be in any way, directly or indirectly, knowingly concerned in, or party to, a contravention of a civil penalty provision; or
(e) conspire with others to effect a contravention of a civil penalty provision.
Note: Section 92 (which provides that a person’s state of mind does not need to be proven in relation to a civil penalty provision) does not apply to this subsection.
Civil penalty
(2) A person who contravenes subsection (1) in relation to a civil penalty provision is taken to have contravened the provision.
(1) A person is not liable to have a civil penalty order made against the person for a contravention of a civil penalty provision if:
(a) at or before the time of the conduct constituting the contravention, the person:
(i) considered whether or not facts existed; and
(ii) was under a mistaken but reasonable belief about those facts; and
(b) had those facts existed, the conduct would not have constituted a contravention of the civil penalty provision.
(2) For the purposes of subsection (1), a person may be regarded as having considered on an occasion (the present occasion) whether or not facts existed if:
(a) the person had considered, on a previous occasion, whether those facts existed in the circumstances surrounding the previous occasion; and
(b) the person honestly and reasonably believed that the circumstances surrounding the present occasion were the same, or substantially the same, as those surrounding the previous occasion.
(3) A person who wishes to rely on subsection (1) or (2) in proceedings for a civil penalty order bears an evidential burden in relation to that matter.
(1) In proceedings for a civil penalty order against a person for a contravention of a civil penalty provision (other than a contravention under subsection 90(1)), it is not necessary to prove:
(a) the person’s intention; or
(b) the person’s knowledge; or
(c) the person’s recklessness; or
(d) the person’s negligence; or
(e) any other state of mind of the person;
other than as expressly provided in the civil penalty provision concerned.
(2) An expression used in a civil penalty provision that expressly provides for a state of mind has the same meaning as in the Criminal Code.
(3) Subsection (1) of this section does not affect the operation of section 91 (mistake of fact).
93 Civil penalty provisions contravened by employees, agents or officers
If an element of a civil penalty provision is done by an employee, agent or officer of a body corporate acting within the actual or apparent scope of his or her employment, or within his or her actual or apparent authority, the element must also be attributed to the body corporate.
Part 7—Voluntary enforceable undertakings and injunctions
(1) The System Operator or the Information Commissioner may accept any of the following undertakings:
(a) a written undertaking given by a person that the person will, in order to comply with this Act, take specified action;
(b) a written undertaking given by a person that the person will, in order to comply with this Act, refrain from taking specified action;
(c) a written undertaking given by a person that the person will take specified action directed towards ensuring that the person does not contravene this Act, or is unlikely to contravene this Act, in the future.
(2) If the System Operator or the Information Commissioner accepts an undertaking, he or she is the recipient of the undertaking for the purposes of this Part.
(3) The undertaking must be expressed to be an undertaking under this section.
(4) The person may withdraw or vary the undertaking at any time, but only with the written consent of the recipient of the undertaking.
(5) A consent under subsection (4) is not a legislative instrument.
(6) The recipient of the undertaking may, by written notice given to the person, cancel the undertaking.
(7) The recipient of the undertaking may publish a copy of the undertaking on the recipient’s website.
95 Enforcement of undertakings
(1) If:
(a) a person has given an undertaking under section 94; and
(b) the undertaking has not been withdrawn or cancelled; and
(c) the recipient of the undertaking considers that the person has breached the undertaking;
the recipient of the undertaking may apply to a Court for an order under subsection (2).
(2) If the Court is satisfied that the person has breached the undertaking, the Court may make any or all of the following orders:
(a) an order directing the person to comply with the undertaking;
(b) an order directing the person to pay to the Commonwealth an amount up to the amount of any financial benefit that the person has obtained directly or indirectly and that is reasonably attributable to the breach;
(c) any order that the Court considers appropriate directing the person to compensate any other person who has suffered loss or damage as a result of the breach;
(d) any other order that the Court considers appropriate.
(1) If a person has engaged, is engaging or is proposing to engage in any conduct that constituted, constitutes or would constitute a contravention of this Act, a Court may, on the application of the System Operator or the Information Commissioner, grant an injunction:
(a) restraining the person from engaging in the conduct; and
(b) if in the Court’s opinion it is desirable to do so, requiring the person to do any act or thing.
(2) If:
(a) a person has refused or failed, or is refusing or failing, or is proposing to refuse or fail, to do an act or thing; and
(b) the refusal or failure was, is, or would be a contravention of this Act;
a Court may, on the application of the System Operator or the Information Commissioner, grant an injunction requiring the person to do that act or thing.
(3) If an application is made to a Court for an injunction under this section, the Court may, if in the Court’s opinion it is desirable to do so, grant an interim injunction before considering the application, pending the determination of the application.
(4) A Court may discharge or vary an injunction granted by the Court under this section.
(5) The power of a Court to grant an injunction restraining a person from engaging in conduct of a particular kind may be exercised:
(a) if the Court is satisfied that the person has engaged in conduct of that kind—whether or not it appears to the court that the person intends to engage again, or to continue to engage, in conduct of that kind; or
(b) if it appears to the Court that, if an injunction is not granted, it is likely that the person will engage in conduct of that kind—whether or not the person has previously engaged in conduct of that kind and whether or not there is an imminent danger of substantial damage to any person if the person engages in conduct of that kind.
(6) The power of a Court to grant an injunction requiring a person (the first person) to do a particular act or thing may be exercised:
(a) if the Court is satisfied that the first person has refused or failed to do that act or thing—whether or not it appears to the court that the first person intends to refuse or fail again, or to continue to refuse or fail, to do that act or thing; or
(b) if it appears to the Court that, if an injunction is not granted, it is likely that the first person will refuse or fail to do that act or thing—whether or not the first person has previously refused or failed to do that act or thing and whether or not there is an imminent danger of substantial damage to any person if the first person refuses or fails to do that act or thing.
(7) If the System Operator or the Information Commissioner makes an application to a Court for the grant of an injunction under this section, the Court must not require the System Operator, the Information Commissioner or any other person, as a condition of the granting of an interim injunction, to give any undertakings as to damages.
(8) The powers conferred on a Court under this section are in addition to, and not in derogation of, any powers of the Court, whether conferred by this Act or otherwise.
Division 1—Review of decisions
(1) This section applies to the following decisions of the System Operator:
(a) a decision under section 6 that a person is or is not the authorised representative of a consumer;
(b) a decision under section 41 to refuse to register a consumer;
(c) a decision under section 44 to refuse to register a health provider organisation or to impose a condition on such a registration;
(d) a decision under section 49 to refuse to register a person as:
(i) a repository operator; or
(ii) a portal operator; or
(iii) a contracted service provider;
or to impose a condition on such a registration;
(e) a decision under section 49 to refuse to specify a repository as a repository to which the registration of a repository operator relates;
(f) a decision under section 51 to cancel or suspend the registration of a consumer or other entity;
(g) a decision under section 51 to refuse to cancel or suspend the registration of a consumer or other entity on request;
(h) a decision under section 52 to vary the registration of a consumer or other entity on request;
(i) a decision under section 52 to refuse to vary the registration of a consumer or other entity.
(2) The System Operator must take such steps as are reasonably necessary in the circumstances to give written notice of the decision to each person affected by the decision, including a statement:
(a) that the person may apply to the System Operator to reconsider the decision; and
(b) of the person’s rights to seek review under subsection (8) of a reconsidered decision.
(3) A failure of the System Operator to comply with subsection (2) does not affect the validity of the decision.
(4) A person who is given a written notice under subsection (2) may, by written notice given to the System Operator within 28 days after receiving the notice, ask the System Operator to reconsider the decision.
(5) A request under subsection (4) must mention the reasons for making the request.
(6) The System Operator must:
(a) reconsider the decision within 28 days after receiving the request; and
(b) give to the person who requested the reconsideration written notice of the result of the reconsideration and of the grounds for the result.
(7) The notice must include a statement that the person may apply to the Administrative Appeals Tribunal for review of the reconsideration.
(8) A person may apply to the Administrative Appeals Tribunal for review of a decision of the System Operator made under subsection (6).
98 Delegations by the System Operator
(1) If the System Operator is the Secretary, the System Operator may, by writing, delegate one or more of his or her functions and powers to any of the following:
(a) an APS employee in the Department;
(b) the Chief Executive Medicare;
(c) any other person with the consent of the Minister.
(2) Despite subsection (1), the System Operator must not delegate the function referred to in paragraph 15(l) (advising the Minister).
Subdelegation
(3) If, under subsection (1), the System Operator delegates a function or power to the Chief Executive Medicare, the Chief Executive Medicare may, by writing, subdelegate the function or power to a Departmental employee (within the meaning of the Human Services (Medicare) Act 1973).
(4) Sections 34AA, 34AB and 34A of the Acts Interpretation Act 1901 apply in relation to the subdelegation in a corresponding way to the way in which they apply in relation to a delegation.
(5) A delegate or subdelegate must comply with any written directions of the System Operator.
Division 3—Authorisations of entities also cover employees
99 Authorisations extend to employees etc.
An authorisation under this Act to an entity (the first entity) is also an authorisation of:
(a) an individual:
(i) who is an employee of the first entity; and
(ii) whose duties involve doing an act that is authorised in relation to the first entity; or
(b) a contracted service provider of a healthcare provider whose duties under a contract with a healthcare provider involve providing information technology services relating to the communication of health information, or health information management services, to the healthcare provider; or
(c) a person (the contractor) performing services under a contract between the contractor and the first entity, if:
(i) the first entity is a participant in the PCEHR system, other than a registered healthcare provider organisation or a registered contracted service provider; and
(ii) the contract relates to the PCEHR system; or
(d) an individual:
(i) who is an employee of a contracted service provider to which paragraph (b) applies or a contractor to which paragraph (c) applies; and
(ii) whose duties relate to the contract mentioned in whichever of those paragraphs applies.
Division 4—Treatment of certain entities
(1) This Act applies to a partnership as if it were a person, but with the changes set out in this section.
(2) An obligation that would otherwise be imposed on the partnership by this Act is imposed on each partner instead, but may be discharged by any of the partners.
(3) A civil penalty provision that would otherwise be contravened by the partnership is taken to have been contravened by each partner.
101 Treatment of unincorporated associations
(1) This Act applies to an unincorporated association as if it were a person, but with the changes set out in this section.
(2) An obligation that would otherwise be imposed on the unincorporated association by this Act is imposed on each member of the association’s committee of management instead, but may be discharged by any of the members.
(3) A civil penalty provision that would otherwise be contravened by the unincorporated association is taken to have been contravened by each member.
102 Treatment of trusts with multiple trustees
(1) If a trust has 2 or more trustees, this Act applies to the trust as if it were a person, but with the changes set out in this section.
(2) An obligation that would otherwise be imposed on the trust by this Act is imposed on each trustee instead, but may be discharged by any of the trustees.
(3) A civil penalty provision that would otherwise be contravened by the trust is taken to have been contravened by each trustee.
103 Exception in certain circumstances
A partner, a member of the committee of management of an unincorporated association or a trustee does not contravene a civil penalty provision because of subsection 100(3), 101(3) or 102(3) if he or she:
(a) does not know of the circumstances that constitute the contravention of the provision concerned; or
(b) knows of those circumstances, but takes all reasonable steps to correct the contravention as soon as possible after becoming aware of those circumstances.
104 Division does not apply to Division 3 of Part 3
This Division does not have effect for the purposes of Division 3 of Part 3.
Note: An applicant for registration under that Division must be a legal person.
Division 5—Alternative constitutional bases
105 Alternative constitutional bases
(1) Without limiting its effect apart from each of the following subsections of this section, this Act also has effect as provided by that subsection.
(2) This Act also has the effect it would have if the System Operator were expressly permitted to perform functions and duties, and exercise powers, under this Act only:
(a) in connection with:
(i) the provision of pharmaceutical, sickness or hospital benefits; or
(ii) the provision of medical services or dental services (without any form of civil conscription); or
(b) for purposes relating to census or statistics; or
(c) in relation to a Territory or a place acquired by the Commonwealth for a public purpose.
(3) This Act also has the effect it would have if each reference to collection, use or disclosure of health information were expressly confined to collection, use or disclosure of health information:
(a) in connection with trade or commerce:
(i) between Australia and other countries; or
(ii) among the States; or
(iii) between a Territory and a State or another Territory; or
(b) by means of a postal, telegraphic, telephonic or other like service; or
(c) in connection with:
(i) the provision of pharmaceutical, sickness or hospital benefits; or
(ii) the provision of medical services or dental services (without any form of civil conscription); or
(d) for purposes relating to census or statistics; or
(e) in a Territory or a place acquired by the Commonwealth for a public purpose; or
(f) in relation to a matter that is of international concern.
. (4) This Act also has the effect it would have if each reference to collection, use or disclosure of health information were expressly confined to collection from or by, use by or disclosure by or to:
(a) a corporation to which paragraph 51(xx) of the Constitution applies; or
(b) the Commonwealth; or
(c) an authority of the Commonwealth.
(5) This Act also has the effect it would have if each reference to a registered healthcare provider organisation, registered repository operator, registered portal provider or contracted service provider were expressly confined to a reference to a registered healthcare provider organisation, registered repository operator, registered portal provider or contracted service provider that:
(a) is a corporation to which paragraph 51(xx) of the Constitution applies; or
(b) is the Commonwealth; or
(c) is an authority of the Commonwealth; or
(d) is operating in a Territory or a place acquired by the Commonwealth for a public purpose.
(6) This Act also has the effect it would have if its operation in relation to each of the following were expressly confined to an operation for the purposes of giving effect to Australia’s obligations under an agreement between 2 or more countries:
(a) the System Operator;
(b) the Chief Executive Medicare;
(c) the Secretary of the Human Services Department, the Veterans’ Affairs Department or the Defence Department;
(d) a registered healthcare provider organisation;
(e) a registered repository operator;
(f) a registered portal provider;
(g) a contracted service provider;
(h) a consumer.
(7) This Act also has the effect it would have if each reference to a consumer were expressly confined to a reference to a consumer who is:
(a) an alien; or
(b) a resident of a Territory.
Definitions
(8) A term used in this section and the Constitution has the same meaning in this section as it has in the Constitution.
Division 6—Annual reports and review of Act
106 Annual reports by Information Commissioner
(1) The Information Commissioner must, as soon as practicable after the end of each financial year, prepare a report on the Commissioner’s activities during the financial year relating to the PCEHR system.
(2) The report must include:
(a) statistics of the following:
(i) complaints received by the Commissioner in relation to the PCEHR system;
(ii) investigations made by the Commissioner in relation to PCEHRs or the PCEHR system;
(iii) enforceable undertakings accepted by the Commissioner under this Act;
(iv) proceedings taken by the Commissioner in relation to civil penalty provisions, enforceable undertakings or injunctions; and
(b) any other matter prescribed by the regulations.
(3) The Information Commissioner must give a copy of the report to the Minister, and to the Ministerial Council, no later than 30 September after the end of the financial year to which the report relates.
(4) The Minister must table a copy of the report in each House of the Parliament within 15 sitting days after the Information Commissioner gives a copy of the report to the Minister.
107 Annual reports by System Operator
(1) The System Operator must, as soon as practicable after the end of each financial year, prepare a report on the System Operator’s activities under this Act during the financial year.
(2) The report must include:
(a) statistics of the following:
(i) registrations, and cancellations and suspensions of registrations, under this Act;
(ii) use of the PCEHR system by healthcare providers and consumers;
(iii) complaints received, and investigations undertaken, in relation to the PCEHR system;
(iv) occurrences compromising the integrity or security of the PCEHR system;
(v) enforceable undertakings accepted by the System Operator under this Act;
(vi) proceedings taken by the System Operator in relation to enforceable undertakings or injunctions; and
(b) any other matter prescribed by the regulations.
(3) The report may include information about the operation of the jurisdictional advisory committee and the independent advisory council.
(4) The System Operator must give a copy of the report to the Minister, and to the Ministerial Council or such other entity as the Ministerial Council directs, no later than 30 September after the end of the financial year to which the report relates.
(5) The Minister must table a copy of the report in each House of the Parliament within 15 sitting days after the System Operator gives a copy of the report to the Minister.
108 Review of operation of Act
(1) The Minister must cause a review of the operation of this Act to be undertaken.
(2) The review must:
(a) start 2 years after the commencement of this section; and
(b) be completed within 6 months.
(3) Before the Minister appoints a person to conduct the review, the Minister must consult the Ministerial Council in relation to the appointment.
(4) The person undertaking the review must call for and consider submissions from members of the public.
(4A) Without limiting the matters to be covered by the review, the review must consider the following matters:
(a) the identity of the System Operator;
(b) alternative governance structures for the PCEHR system;
(c) the opt‑in nature of the PCEHR system, including the feasibility and appropriateness of a transition to an opt‑out system.
(5) The Minister must cause a written report about the review to be prepared.
(6) The Minister must:
(a) provide a copy of the report to the Ministerial Council or to such other entity as the Ministerial Council directs; and
(b) cause a copy of the report to be laid before each House of the Parliament within 15 sitting days of that House after the Minister receives the report.
Division 7—PCEHR Rules, regulations and other instruments
109 Minister may make PCEHR Rules
(1) The Minister may, by legislative instrument, make rules called the PCEHR Rules about matters required or permitted by this Act to be dealt with in the PCEHR Rules.
Minister must consult committee and council
(2) Before the Minister makes PCEHR Rules, the Minister must consult the jurisdictional advisory committee and the independent advisory council. A failure to consult the jurisdictional advisory committee or the independent advisory council does not affect the validity of the Rules.
PCEHR Rules may relate to registration etc.
(3) The PCEHR Rules may specify the following:
(a) requirements that a healthcare provider organisation must meet in order to be registered;
(b) requirements that a person, or a repository or other facility (however described) owned or operated by the person, must meet for the person to be registered as a repository operator, a portal operator or a contracted service provider;
(c) conditions on the registration of participants in the PCEHR system;
(d) other requirements relating to the PCEHR system that apply to consumers or participants in the PCEHR system.
(4) Requirements referred to in subsection (3) include technical specifications and other requirements in relation to the following:
(a) storage of data and records;
(b) records management;
(c) administration and day‑to‑day operations;
(d) physical and information security;
(e) uploading specified kinds of records.
PCEHR Rules may relate to agreements
(4A) The PCEHR Rules may specify that a person must enter into a specified kind of agreement in order to be, and remain, a registered healthcare provider organisation, registered repository operator, registered portal operator or registered contracted service provider.
(5) The PCEHR Rules may specify requirements relating to registration of consumers, including requirements relating to registering a consumer who has been issued with a healthcare identifier under a pseudonym, and for that purpose may specify such modifications of this Act as are necessary to facilitate such registration.
PCEHR Rules may relate to access control mechanisms
(6) The PCEHR Rules may specify matters relating to access control mechanisms, including the following:
(a) the circumstances in which a nominated representative may set access controls;
(b) the circumstances in which access to a consumer’s PCEHR is to be automatically suspended or cancelled;
(c) default access controls.
PCEHR Rules may relate to authorised representatives and nominated representatives
(7) The PCEHR Rules may specify matters relating to authorised representatives and nominated representatives, including the following:
(a) methods of establishing that an individual is an authorised representative or a nominated representative of a consumer;
(b) requiring a consumer to verify his or her identity when the consumer ceases to have an authorised representative;
(c) specifying circumstances in which an authorised representative or a nominated representative is not required to have been assigned a healthcare identifier under paragraph 9(1)(b) of the Healthcare Identifiers Act 2010.
PCEHR Rules may relate to research
(7A) The PCEHR Rules may specify requirements with which the System Operator and other entities must comply in relation to the preparation and provision of de‑identified data for research or public health purposes.
PCEHR Rules may apply to specified classes of participants
(8) The PCEHR Rules may specify the classes of participants in the PCEHR system to whom, or to which, a particular PCEHR Rule applies.
110 Minister may determine a law of a State or Territory to be a designated privacy law
(1) The Minister may, by legislative instrument, determine that a law of a State or Territory is a designated privacy law for the purposes of this Act.
(2) A determination made under subsection (1) is a legislative instrument.
111 Guidelines relating to the Information Commissioner’s enforcement powers etc.
(1) In exercising a power conferred on the Information Commissioner by this Act, or a power under another Act that is related to such a power, the Information Commissioner must have regard to any relevant guidelines in force under subsection (2).
(2) The Information Commissioner must, by legislative instrument, formulate guidelines for the purposes of subsection (1).
Note: For consultation requirements, see Part 3 of the Legislative Instruments Act 2003.
(1) The Governor‑General may make regulations prescribing matters:
(a) required or permitted by this Act to be prescribed; or
(b) necessary or convenient to be prescribed for carrying out or giving effect to this Act.
(2) Without limiting subsection (1), the Governor‑General may make regulations on any matter about which the Minister may make PCEHR Rules.
(3) Before the Governor‑General makes regulations, the Minister must consult the Ministerial Council.
(4) The regulations may prescribe penalties of not more than 50 penalty units for offences against the regulations.
(5) The regulations may provide for civil penalties for contraventions of the regulations, which must not be more than:
(a) 50 penalty units for an individual; or
(b) 250 penalty units for a body corporate.
[Minister’s second reading speech made in—
House of Representatives on 23 November 2011
Senate on 29 February 2012]
(269/11)