Healthcare Identifiers Regulations 20101
Select Legislative Instrument 2010 No. 190
I, QUENTIN BRYCE, Governor-General of the Commonwealth of Australia, acting with the advice of the Federal Executive Council, make the following Regulations under the Healthcare Identifiers Act 2010.
Dated 29 June 2010
Governor-General
By Her Excellency’s Command
NICOLA ROXON
Contents
1 Name of Regulations
2 Commencement
3 Definitions
4 National registration authorities
5 Identifying information
6 Updating healthcare provider information held by service operator
7 Rules about requesting disclosure of healthcare identifiers from the service operator
8 Maintaining records about healthcare identifiers disclosed by service operator
These Regulations are the Healthcare Identifiers Regulations 2010.
These Regulations commence on 1 July 2010.
In these Regulations:
Act means the Healthcare Identifiers Act 2010.
National Law means:
(a) for a State or Territory other than Western Australia — the Health Practitioner Regulation National Law set out in the Schedule to the Health Practitioner Regulation National Law Act 2009 (Qld) as it applies (with or without modification) as law of the State or Territory; or
(b) for Western Australia — the legislation enacted by the Health Practitioner Regulation National Law (WA) Act 2010 that corresponds to the Health Practitioner Regulation National Law.
Note The Intergovernmental Agreement for a National Registration and Accreditation Scheme for the Health Professions that was made on 26 March 2008 provides for the enactment of the State and Territory legislation mentioned in this definition.
4 National registration authorities
For section 8 of the Act, each of the following registration authorities is a national registration authority:
(a) a National Health Practitioner Board established by the National Law;
(b) if it is authorised under the National Law to assign healthcare identifiers to healthcare providers — the Australian Health Practitioner Regulation Agency established by the National Law.
Note National Health Practitioner Boards and the Australian Health Practitioner Regulation Agency are expected to be established by all States and Territories under the National Law.
(1) For paragraph 7 (1) (g) of the Act, each of the following is identifying information:
(a) an email address;
(b) a telephone number;
(c) a fax number.
(2) For paragraph 7 (2) (e) of the Act, each of the following is identifying information:
(a) an email address;
(b) a telephone number;
(c) a fax number.
Note Other identifying information may be required by the service operator from a healthcare provider — see section 7 of the Act.
6 Updating healthcare provider information held by service operator
(1) This regulation applies to a person:
(a) who is any of the following:
(i) a healthcare provider organisation that is an identified healthcare provider;
(ii) a partner in a partnership that is a healthcare provider organisation;
(iii) a trustee of a trust that is a healthcare provider organisation;
(iv) an office holder of an unincorporated association or body that is a healthcare provider organisation;
(v) an individual healthcare provider who is an identified healthcare provider and who is not regulated under the National Law; and
(b) for whom the entity mentioned in paragraph (a) that applies to the person, if any, is assigned a healthcare identifier by the service operator.
Note An individual healthcare provider who is regulated only under the National Law is not subject to subregulations (2) to (4), but must tell the national registration authority that regulates the person of specified events and changes of circumstances — see the National Law.
(2) For section 14 of the Act, the person must, within 28 days after becoming aware of the change, tell the service operator about:
(a) any change of circumstance that removes the healthcare provider from a class of healthcare providers mentioned in section 9A of the Act unless the change of circumstance is that the healthcare provider no longer has a responsible officer or organisation maintenance officer; and
(b) a change of circumstance that is that the healthcare provider no longer has a responsible officer or organisation maintenance officer.
(3) For section 14 of the Act, an individual healthcare provider must also tell the service operator about any change to the identifying information of the healthcare provider, other than a change mentioned in paragraph (2) (a) or (b), within 28 days of becoming aware of the change.
(4) A person mentioned in subregulation (1) commits an offence if the person does not to comply with paragraph (2) (a).
Penalty: 50 penalty units.
7 Rules about requesting disclosure of healthcare identifiers from the service operator
(1) For section 21 of the Act, a healthcare provider is authorised to request the service operator to disclose an identifier that is assigned to a healthcare recipient to the person making the request if:
(a) the healthcare provider is:
(i) an identified healthcare provider; and
(ii) within a class of healthcare providers mentioned in section 9A of the Act at the time the request for disclosure is made; and
(b) the healthcare provider is to use or disclose the healthcare identifier to manage or communicate information supporting the provision of healthcare; and
(c) the person making the request:
(i) provides healthcare; or
(ii) has duties relating to its provision; or
(iii) is an employee of a contracted service provider of the healthcare provider, who has duties relating to the provision of healthcare.
Note The service operator may disclose healthcare identifiers to an employee of an identified healthcare provider or of a contracted service provider of an identified healthcare provider, for certain purposes, if the healthcare provider has, by notice to the service operator, authorised the employee or contracted service provider to act on its behalf — see section 17 of the Act.
(2) Subregulation (3) applies to the following persons:
(a) a healthcare provider organisation that is a person;
(b) a partner in a partnership that is a healthcare provider organisation;
(c) a trustee of a trust that is a healthcare provider organisation;
(d) an office holder of an unincorporated association or body that is a healthcare provider organisation.
Note A person includes a body corporate — see paragraph 22 (1) (a) of the Acts Interpretation Act 1901. A healthcare provider organisation may be a person — see the definition of healthcare provider organisation in section 5 of the Act. A sole practitioner is both an individual healthcare provider and a healthcare provider organisation — see the definition of sole practitioner in section 5 of the Act.
(3) A person mentioned in subregulation (2) commits an offence if:
(a) the healthcare provider organisation mentioned in subregulation (2) requests disclosure of a healthcare identifier from the service operator; and
(b) either:
(i) paragraph (1) (a) or (b) does not apply in relation to the healthcare provider organisation; or
(ii) paragraph (1) (c) does not apply in relation to the person making the request; and
(c) the service operator discloses a healthcare identifier to the healthcare provider organisation.
Penalty: 50 penalty units.
(4) For section 21 of the Act, a healthcare provider organisation that requests the service operator to disclose a healthcare identifier must ensure that:
(a) the service operator has the current names and contact details of the provider’s responsible officer and organisation maintenance officer; and
(b) its responsible officer, organisation maintenance officer and any other person authorised to access healthcare identifiers that have been disclosed are aware of their obligations under the Act and these Regulations.
Note 1 A healthcare provider organisation must also comply with section 27 of the Act in relation to the protection of healthcare identifiers. All healthcare providers must comply with the Privacy Act 1988 in relation to the protection of health information as defined in subsection 6 (1) of that Act, or with equivalent State or Territory legislation, to the extent that it applies to them.
Note 2 A breach of the regulations in relation to the healthcare identifier of an individual is taken to be an interference with the privacy of the individual for the purposes of the Privacy Act 1988. The act or practice may be the subject of a complaint to the Privacy Commissioner under section 36 of that Act — see subsection 29 (1) of the Act.
8 Maintaining records about healthcare identifiers disclosed by service operator
(1) For section 22 of the Act, a healthcare provider must:
(a) at the time of making a request for disclosure of a healthcare identifier — give enough identifying information to ensure the service operator can identify by name the person making the request without having to seek additional information from another person; or
(b) if the healthcare provider does not comply with paragraph (a):
(i) keep a retrievable record of each person who accessed, from the service operator, a healthcare identifier for the healthcare provider; and
(ii) give the record to the service operator upon written request from the service operator.
Example for paragraph (a)
Identifying information may be given as part of the data transmitted to the service operator from a healthcare provider’s practice management software.
Note A healthcare provider that complies with paragraph (1) (a) need not keep records of the identities of the individuals requesting disclosure, or of the identifying information given to the service operator, because the service operator will record the information — see section 10 of the Act.
(2) For paragraph (1) (b), the retrievable record must:
(a) include the person’s name or other information that can be used to identify the individual; and
(b) be kept:
(i) while the person accessing healthcare identifiers for the healthcare provider is authorised by the healthcare provider organisation to access healthcare identifiers; and
(ii) for 7 years starting on the day after the person ceased to be authorised.
Example
The retrievable record may be drawn from a healthcare provider’s own records identifying the authorised person. These records may be kept in logs as part of the healthcare provider’s practice management software.
(3) Subregulation (4) applies to the following persons:
(a) a healthcare provider organisation that is a person;
(b) a partner in a partnership that is the healthcare provider organisation;
(c) a trustee of a trust that is the healthcare provider organisation;
(d) an office holder of an unincorporated association or body that is the healthcare provider organisation.
(4) A person mentioned in subregulation (3) commits an offence if the healthcare provider organisation mentioned in subregulation (3):
(a) does not comply with paragraph (1) (a); and
(b) does not give the information mentioned in paragraph (2) (a):
(i) if requested by the service operator — in writing; and
(ii) within 14 days after receiving the request.
Penalty: 50 penalty units.
Note
1. All legislative instruments and compilations are registered on the Federal Register of Legislative Instruments kept under the Legislative Instruments Act 2003. See http://www.frli.gov.au.