National Health (Privacy) Rules 2025

I, Angelene Falk, Information Commissioner, make the following rules.

Dated 2 August 2024

Angelene Falk

Information Commissioner

Contents

Part 1—Preliminary

1  Name

2  Commencement

3  Authority

4  Schedule 2

5  Definitions

6  Simplified outline of this instrument

Part 2—Ways in which claims information may be stored

7  Storage of claims information

8  Prohibition relating to storing claims information with enrolment and entitlement database

9  Circumstances in which creating copies of claims information in paper or similar form is prohibited

Part 3—Uses to which agencies may put claims information

10  Use of claims information

Part 4—Circumstances in which agencies may disclose claims information

11  Circumstances in which agencies may disclose claims information

Part 5—Prohibition relating to storage of claims information in the same database

12  Prohibition relating to storage of claims information in the same database

Part 6—Prohibitions on linkage, and authorisations

Division 1—Prohibition on linkage of claims information

13  Prohibition of linkage of claims information

Division 2—General authorisations for linkage of claims information

14  Authorised linkages—all agencies

15  Authorised linkages—primary agencies only

16  Circumstance in which linkage is not authorised

17  Reporting requirements in relation to linkages

Part 7—Requirements with which agencies must comply in relation to old information

18  Requirements relating to storage of old information

19  Requirements relating to the re-linking of old information with personal identification components

20  Requirements relating to reporting—old information

Part 8—Application and transitional provisions

21  Agency may comply with certain provisions of the National Health (Privacy) Rules 2021 during the grace period

Schedule 1—Data sharing agreements

1  Requirements for data sharing agreements

2  Data sharing agreements—disclosure under subsection 11(6)

3  Data sharing agreements—disclosure under subsection 11(7)

Schedule 2—Repeals

National Health (Privacy) Rules 2021

Part 1—Preliminary

1  Name

  This instrument is the National Health (Privacy) Rules 2025.

2  Commencement

 (1) Each provision of this instrument specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms.

 

Commencement information

| Column 1 | Column 2 | Column 3 |
| --- | --- | --- |
| Provisions | Commencement | Date/Details |
| The whole of this instrument | The later of: (a) the day after the first day on which this instrument is no longer liable to be disallowed; or (b) 1 April 2025. | |

 

Note 1: This table relates only to the provisions of this instrument as originally made. It will not be amended to deal with any later amendments of this instrument.

Note 2: See subsection 135AA(8) of the Act.

 (2) Any information in column 3 of the table is not part of this instrument. Information may be inserted in this column, or information in it may be edited, in any published version of this instrument.

3  Authority

  This instrument is made under section 135AA of the National Health Act 1953.

4  Schedule 2

  Each instrument that is specified in Schedule 2 to this instrument is amended or repealed as set out in the applicable items in the Schedule concerned, and any other item in a Schedule to this instrument has effect according to its terms.

5  Definitions

Note: A number of expressions used in this instrument are defined in subsection 4(1) or subsection 135AA(11) of the Act, including the following:

(a) agency;

(b) Chief Executive Medicare;

(c) database;

(d) Medicare Benefits Program;

(e) old information;

(f) personal identification components;

(g) Pharmaceutical Benefits Program;

(h) pharmaceutical entitlements number.

 (1) In this instrument:

Act means the National Health Act 1953.

claims information means information to which section 135AA of the Act applies.

Note: This is set out in subsections 135AA(1) and (2) of the Act.

data minimisation principle means the principle that, when disclosing, using, linking or relinking claims information for a particular purpose, only the claims information reasonably needed to achieve the purpose is disclosed, used, linked or relinked.

data sharing agreement means a data sharing agreement that complies with Schedule 1, or such an agreement as varied by the parties.

enforcement body has the same meaning as in section 6 of the Privacy Act 1988.

Health Department means the Department administered by the Minister administering the Health Insurance Act 1973.

health provider compliance function means a statutory function, duty or power of the Secretary under the Act, or the Chief Executive Medicare under the Human Services (Medicare) Act 1973, where a health provider is the subject of the performance of the function or the exercise of the duty or power.

Medicare PIN (short for Medicare personal identification number) means a number:

 (a) that is maintained by Services Australia; and

 (b) that is used by Services Australia to identify a particular individual included in the Medicare Benefits Program or the Pharmaceutical Benefits Program; and

 (c) that is neither based on nor derived from the individual’s name, date of birth, address, telephone number or Medicare card number; and

 (d) from which, on its own, the individual’s identity cannot reasonably be determined; and

 (e) that does not, on its own, reveal any health-related or other personal information about the individual.

permitted purpose means:

 (a) in relation to a linkage authorised by section 14—the relevant permitted purpose under subsection 14(2); and

 (b) in relation to a linkage authorised by section 15—the relevant permitted purpose under subsection 15(2).

primary agency: each of the following is a primary agency:

 (a) the Health Department;

 (b) Services Australia.

Note: Services Australia is an Executive Agency that was established under section 65 of the Public Service Act 1999 by order on 5 December 2019.

principal executive has the same meaning as in the Privacy Act 1988.

Secretary means the Secretary of the Health Department.

secondary agency means an agency that is not a primary agency.

Meaning of references to destroying linked or relinked claims information

 (2) In this instrument, a reference to destroying linked or relinked claims information is a reference to doing any of the following:

 (a) destroying the linked or relinked claims information;

 (b) destroying any additional information that was produced in order to link or relink the claims information;

 (c) otherwise ensuring that the claims information is no longer linked or relinked, and that linked or relinked claims information is no longer stored.

Meaning of references to tracing linkages or relinkages of claims information

 (3) In this instrument, a reference to tracing linkages or relinkages of claims information is a reference to ensuring that the following are reasonably ascertainable:

 (a) when the claims information was linked or relinked;

 (b) what claims information was linked or relinked;

 (c) who linked or relinked the claims information;

 (d) when the linked or relinked claims information was destroyed.

Note: See subsection (2) for the meaning of references to destroying linked or relinked claims information.

6  Simplified outline of this instrument

This instrument relates to claims information, and is made under section 135AA of the Act. This instrument is structured as follows:

 Part 1 deals with introductory material and definitions of terms used in this instrument.

 Part 2 specifies the ways in which claims information may be stored, and specifies the circumstances in which creating copies of information in paper or similar form is prohibited. Part 2 is made for the purposes of paragraph 135AA(5)(a) of the Act.

 Part 3 specifies the uses to which agencies may put claims information. Part 3 is made for the purposes of paragraph 135AA(5)(b) of the Act.

 Part 4 specifies the circumstances in which agencies may disclose claims information. Some disclosures of claims information must be done under data sharing agreements. Requirements for data sharing agreements are specified in Schedule 1 to this instrument. Part 4 is made for the purposes of paragraph 135AA(5)(c) of the Act.

 Part 5 prohibits agencies from storing in the same database information that was obtained under the Medicare Benefits Program and information that was obtained under the Pharmaceutical Benefits Program. Part 5 is made for the purposes of paragraph 135AA(5)(d) of the Act.

 Part 6 prohibits certain linkages of claims information, unless authorised in the way specified in this instrument, and specifies many of the permitted linkages. Part 6 is made for the purposes of paragraph 135AA(5)(e) of the Act.

 Part 7 specifies a variety of requirements with which agencies must comply in relation to old information. Part 7 is made for the purposes of paragraph 135AA(5)(f) of the Act.

 Part 8 deals with transitional arrangements consequent on the repeal of the National Health (Privacy) Rules 2021.

 Schedule 1 specifies requirements for data sharing agreements.

 Schedule 2 specifies the National Health (Privacy) Rules 2021 as the instrument that is repealed by section 4.

This instrument should be read alongside subsections 135AA(5A) to (5C) of the Act, which modify the effect of this instrument.

A breach of this instrument constitutes an act or practice involving interference with the privacy of an individual, for the purposes of the Privacy Act 1988. An individual may complain to the Information Commissioner in relation to breaches of this instrument. Complaints are investigated under Part V of the Privacy Act 1988 (applying in a modified form): see section 135AB of the Act.

 

Part 2—Ways in which claims information may be stored

Note 1:  This Part is made for the purposes of paragraph 135AA(5)(a) of the Act.

Note 2: See Part 5 for a prohibition relating to storage of claims information in the same database.

7  Storage of claims information

 (1) Subject to this Part, an agency may store claims information in a database if the agency establishes, for the purposes of this instrument, and maintains technical specifications relating to the database which:

 (a) specify access controls relating to the database; and

 (b) limit access to the database to officers or contractors who can lawfully use the information and reasonably must access it; and

 (c) specify the security procedures and controls that exist to prevent unauthorised linkage or relinkage of records that are held in the database about the same individual; and

 (d) describe the arrangements that have been made for the security of claims information stored in the database; and

 (e) specify, for linked or relinked information, where practicable, the schedule for destroying the linked or relinked claims information; and

 (f) identify how linkages or relinkages of claims information that are authorised by this instrument can be traced.

Note 1: For paragraph (e), see subsection 5(2) for the meaning of references to destroying linked or relinked claims information.

Note 2: For paragraph (f), see subsection 5(3) for the meaning of references to tracing linkages or relinkages of claims information.

 (2) An agency may store a Medicare PIN in a database that stores claims information.

 (3) An agency must not keep personal identification components in a database that stores claims information other than:

 (a) if the database contains claims information that was obtained under the Medicare Benefits Program—any relevant Medicare card number; or

 (b) if the database contains claims information that was obtained under the Pharmaceutical Benefits Program—any Pharmaceutical entitlements number.

 (4) If Services Australia discloses claims information to the Health Department as described in paragraph 11(4)(a), the Health Department may not store that information once that doubt has been removed.

8  Prohibition relating to storing claims information with enrolment and entitlement database

 (1) A primary agency must keep the following separate:

 (a) databases of claims information that was obtained under the Medicare Benefits Program or the Pharmaceutical Benefits Program;

 (b) databases of a kind referred to in paragraph 135AA(2)(b) of the Act.

Note: Paragraph 135AA(2)(b) refers to a database that:

(a) is maintained for the purpose of identifying persons who are eligible to be paid benefits under the Medicare Benefits Program or the Pharmaceutical Benefits Program; and

(b) does not contain information relating to claims for payment of such benefits.

 Information contained in such databases is not “claims information”.

 (2) Subsection (1) does not prevent a primary agency storing those databases in the same computer system.

9  Circumstances in which creating copies of claims information in paper or similar form is prohibited

 (1) An agency must not create a copy of claims information in paper or similar form unless it is reasonably necessary to do so for a lawful purpose.

 (2) An agency must not create a copy of the whole, or a major proportion, of either of the following in paper or similar form:

 (a) a database that is maintained for the purposes of the Medicare Benefits Program;

 (b) a database that is maintained for the purposes of the Pharmaceutical Benefits Program.

 

Part 3—Uses to which agencies may put claims information

Note:  This Part is made for the purposes of paragraph 135AA(5)(b) of the Act.

10  Use of claims information

  The table specifies the uses to which agencies may put claims information.

 

 

Uses to which agencies may put claims information

| | Column 1 | Column 2 | Column 3 |
| --- | --- | --- | --- |
| | The following agency … | may put the following claims information … | to the following uses … |
| 1 | The Health Department | Any claims information | Use in order to perform health provider compliance functions |
| 2 | A primary agency | Any claims information | Use that: (a) is for one of the following purposes: (i) research (including medical research); (ii) statistical analysis; (iii) development of government policies and programs; and (b) complies with the data minimisation principle |
| 3 | A primary agency or a secondary agency | Claims information that was disclosed to the agency, in accordance with this instrument, for a particular purpose | Use to achieve that purpose, to the extent that the use complies with the data minimisation principle |
| 4 | A primary agency or a secondary agency | Any claims information | Any use that is required or authorised by law (other than by this section) |

 

Part 4—Circumstances in which agencies may disclose claims information

Note:  This Part is made for the purposes of paragraph 135AA(5)(c) of the Act.

11  Circumstances in which agencies may disclose claims information

 (1) This section specifies the circumstances in which agencies may disclose claims information. Each of subsections (2) to (9) specifies a separate circumstance, and no subsection limits any other subsection.

Disclosure by Services Australia to the Health Department

 (2) Services Australia may disclose claims information to the Health Department where the disclosure is for the purposes of the performance of the health provider compliance functions.

 (3) Services Australia may disclose claims information to the Health Department so long as none of the following is disclosed together with the claims information:

 (a) personal identification components;

 (b) an algorithm which enables an encrypted Medicare card number to be unencrypted;

 (c) the name corresponding to a Medicare PIN.

 (4) Services Australia may disclose, to the Health Department, personal identification components that correspond to a particular Medicare PIN where the Secretary of the Health Department has decided that the disclosure is necessary:

 (a) to clarify which information relates to a particular individual, where doubt has arisen in the conduct of an activity involving the linkage of deidentified claims information; or

 (b) for the purposes of disclosing personal information (within the meaning of the Privacy Act 1988) in a specific case, or in a specific set of circumstances, as expressly authorised or required by or under law.

Disclosure by the Health Department to Services Australia

 (5) The Health Department may disclose, to Services Australia, old information for:

 (a) a permitted purpose referred to in paragraph 19(a); or

 (b) inclusion in a database in which Services Australia stores old information from the Medicare Benefits Program or the Pharmaceutical Benefits Program in accordance with this instrument.

Disclosures by primary agency to secondary agency

 (6) A primary agency may disclose claims information to a secondary agency where:

 (a) the disclosure is in accordance with a data sharing agreement (see clause 2 of Schedule 1); and

 (b) the disclosure is not for the agency to undertake medical research; and

 (c) the disclosure complies with the data minimisation principle; and

 (d) the disclosure does not include both the name and the Medicare PIN of any person to whom disclosed claims information relates.

Disclosures by a primary agency for medical research

 (7) A primary agency may disclose claims information to an agency or person where:

 (a) the disclosure is in accordance with a data sharing agreement (see clause 3 of Schedule 1); and

 (b) the disclosure is for the agency or person to undertake medical research; and

 (c) the disclosure complies with the data minimisation principle; and

 (d) if an individual is reasonably identifiable from the information that is proposed to be disclosed—before disclosing the information, the primary agency is satisfied that:

 (i) each identified individual has given informed consent to the use of the information for that research; or

 (ii) the research is to be conducted in accordance with guidelines issued by the National Health and Medical Research Council under section 95 of the Privacy Act 1988.

 (8) A primary agency may disclose claims information to an agency for the purposes of consulting with that agency about the appropriateness of disclosing claims information in accordance with subsection (7), where the disclosure:

 (a) is in accordance with a data sharing agreement; and

 (b) complies with the data minimisation principle.

Disclosure as required or authorised by law

 (9) If a law requires or authorises an agency to disclose claims information, the agency may disclose claims information as so required or authorised.

Example: Lawfully disclosing claims information in accordance with the secrecy provisions of a law of the Commonwealth.

Part 5—Prohibition relating to storage of claims information in the same database

Note:  This Part is made for the purposes of paragraph 135AA(5)(d) of the Act.

12  Prohibition relating to storage of claims information in the same database

 (1) An agency must not store in the same database:

 (a) claims information that was obtained under the Medicare Benefits Program; and

 (b) claims information that was obtained under the Pharmaceutical Benefits Program.

 (2) Subsection (1) does not prevent a primary agency from storing information referred to in that subsection in the same database where this is necessary for an activity that is expressly authorised by this instrument.

 (3) Subsection (1) does not prevent an agency storing databases containing the information referred to in that subsection in the same computer system.

Note: This section covers both old information and claims information that is not old information.

Part 6—Prohibitions on linkage, and authorisations

Note:  This Part is made for the purposes of paragraph 135AA(5)(e) of the Act.

Division 1—Prohibition on linkage of claims information

13  Prohibition of linkage of claims information

  An agency must not link:

 (a) claims information that is held in a database maintained for the purposes of the Medicare Benefits Program; and

 (b) claims information that is held in a database maintained for the purposes of the Pharmaceutical Benefits Program;

unless the linkage is authorised in a way specified in this instrument.

Note 1: Nothing in this instrument precludes the matching of information under subsection 132B(1) of the Act, or the operation of Part VIIIA of the Act generally: see subsection 135AA(5C).

Note 2: For authorisations to link claims information, see Division 2. For authorisations to relink old information with its personal identification components, see section 19.


Division 2—General authorisations for linkage of claims information

14  Authorised linkages—all agencies

 (1) For section 13, and subject to sections 16 and 17, a linkage by a primary agency or a secondary agency is authorised if:

 (a) the claims information relates to the same individual; and

 (b) the linkage is by a Medicare PIN; and

 (c) the linkage is necessary for a permitted purpose (see subsection (2));

 (d) as soon as practicable after the purpose for which the information has been linked has been met, the agency destroys the linked claims information; and

 (e) the agency has in place measures to ensure that the linkages of claims information are traceable; and

 (f) the agency makes arrangements, for the purposes of this instrument, for the security of records of linked claims information; and

 (g) the linkage complies with the data minimisation principle.

Note 1: For paragraph (d), see subsection 5(2) for the meaning of references to destroying linked claims information.

Note 2: For paragraph (e), see subsection 5(3) for the meaning of references to tracing linkages of claims information.

Note 3: If the claims information includes old information, it may also be necessary to re-link the old information with the personal identification components—see section 19.

 (2) For paragraph 14(1)(c), a permitted purpose in relation to claims information is a use:

 (a) to which the agency may put the claims information in accordance with section 10; and

 (b) that is authorised by the principal executive of:

 (i) where the linkage is being done by a primary agency—the primary agency; or

 (ii) where the linkage is being done by a secondary agency—the primary agency that disclosed the information to the secondary agency.

15  Authorised linkages—primary agencies only

 (1) For section 13, and subject to sections 16 and 17, a linkage by a primary agency is authorised if:

 (a) the claims information relates to the same individual; and

 (b) the linkage is for a permitted purpose (subsection (2)); and

 (c) as soon as practicable after the purpose for which the information has been linked has been met, the agency destroys the linked claims information; and

 (d) the agency has in place measures to ensure that the linkages of claims information are traceable; and

 (e) the agency makes arrangements, for the purposes of this instrument, for the security of records of linked claims information; and

 (f) the linkage complies with the data minimisation principle.

Note 1: For paragraph (c), see subsection 5(2) for the meaning of references to destroying linked claims information.

Note 2: For paragraph (d), see subsection 5(3) for the meaning of references to tracing linkages of claims information.

Note 3: If the claims information includes old information, it may also be necessary to re-link the old information with the personal identification components—see section 19.

Permitted purposes

 (2) For paragraph (1)(b), each of the following is a permitted purpose for the linking of claims information:

 (a) using the linked information as authorised or required by law, and as reasonably necessary for the discharge of statutory functions, duties and powers of the Secretary or the Chief Executive Medicare in relation to:

 (i) the enforcement of the criminal law;

 (ii) the enforcement of a law imposing a pecuniary penalty; or

 (iii) the protection of the public revenue;

 (b) the agency that is linking the information disclosing it as required or authorised by law;

 (c) disclosing the linked information to an enforcement body, if the disclosure is reasonably necessary for:

 (i) the enforcement of the criminal law; or

 (ii) the enforcement of a law imposing a pecuniary penalty; or

 (iii) the protection of the public revenue;

 (d) determining the eligibility of the individual to whom the information relates for a benefit under a program where the eligibility for that benefit is dependent upon services provided under another program;

 (e) preventing or lessening a serious and imminent threat to the life or health of any individual, where the Secretary or the Chief Executive Medicare believes on reasonable grounds that the linkage is necessary for this purpose;

 (f) disclosing information to the individual to whom the information relates, or to another person on behalf of that individual, where the individual has expressly consented to the disclosure;

 (g) taking action:

 (i) on an unresolved compensation matter; or

 (ii) on an investigation or a prosecution; or

 (iii) for recovery of a debt;

 (h) determining entitlement:

 (i) on a late lodged claim or finalising the processing of a claim; or

 (ii) for a related service rendered more than 5 years after the service which is the subject of the old information;

 (i) lawfully disclosing identified information in accordance with the secrecy provisions of a law of the Commonwealth;

 (j) in the case of the Health Department—the performance of the health provider compliance functions.

16  Circumstance in which linkage is not authorised

  Despite this Division, a linkage is not authorised by this instrument if the use is for the purposes of a primary agency establishing a data-matching program between:

 (a) a database that is maintained for the purposes of the Medicare Benefits Program; and

 (b) a database that is maintained for the purposes of the Pharmaceutical Benefits Program.

17  Reporting requirements in relation to linkages

  Despite sections 14 and 15, a linkage that is authorised by those sections ceases to be authorised if, by 30 September of each year, the agency does not provide the Information Commissioner with a report that:

 (a) is in a form approved by the Information Commissioner; and

 (b) includes the following information for the previous financial year (the reporting period):

 (i) for the records that were linked in accordance with section 14 or 15 during the reporting period:

 (A) the total number that were linked under each section; and

 (B) that number, broken down by reference to the permitted purposes;

 (ii) for the records of linked claims information that were destroyed during the reporting period:

 (A) the total number that were destroyed; and

 (B) that number, broken down by reference to the permitted purposes;

 (iii) if there are records that were linked during the reporting period but not destroyed:

 (A) the number of such records; and

 (B) the reason the linked claims information was not destroyed;

 (iv) if there are records that were linked in previous reporting periods but not destroyed:

 (A) the number of such records; and

 (B) the reason the linked claims information was not destroyed.

Note 1: See subsection 5(2) for the meaning of references to destroying linked claims information.

Note 2: The Information Commissioner may make the report publicly available.

Part 7—Requirements with which agencies must comply in relation to old information

Note:  This Part is made for the purposes of paragraph 135AA(5)(f) of the Act.

18  Requirements relating to storage of old information

 (1) Subject to section 19, an agency must store old information in such a way that the personal identification components are not linked with the rest of the information.

 (2) Despite subsection 7(3):

 (a) a database that stores old information from the Medicare Benefits Program must not include a Medicare card number; and

 (b) a database that stores old information from the Pharmaceutical Benefits Program must not include a Pharmaceutical entitlements number.

 (3) However, subject to section 12, this section does not prevent an agency from storing in the same database:

 (a) old information; and

 (b) claims information that is not old information.

Note: Section 12 deals with the prohibition on storing, in the same database, claims information that was obtained under the Medicare Benefits Program and claims information that was obtained under the Pharmaceutical Benefits Program.

19  Requirements relating to the re-linking of old information with personal identification components

  Old information may be re-linked with its personal identification components if:

 (a) the re-linkage is necessary to enable a linkage that:

 (i) is authorised by Part 6 because of section 14; or

 (ii) is authorised by Part 6 because of section 15 with a permitted purpose mentioned in paragraph 15(2)(f), (g), (h), (i) or (j); and 

 (b) the re-linkage is by use of a Medicare PIN; and

 (c) as soon as practicable after the purpose for which the information has been relinked has been met, the agency destroys the re-linked information; and

 (d) the agency has in place measures to ensure that the re-linkages are traceable; and

 (e) the agency makes arrangements, for the purposes of this instrument, for the security of records of re-linked information; and

 (f) the re-linkage complies with the data minimisation principle.

Note: See subsections 5(2) and (3) for the meaning of references to destroying relinked claims information.

20  Requirements relating to reporting—old information

 (1) This section applies in relation to records of old information that were re-linked with their personal identification components in accordance with section 19 (relevant records).

 (2) A primary agency must, by 30 September of each year, provide the Information Commissioner with a report that:

 (a) is in a form approved by the Information Commissioner; and

 (b) includes the following information for the previous financial year (the reporting period):

 (i) for the relevant records that were relinked during the reporting period:

 (A) the total number that were relinked; and

 (B) that number, broken down by reference to the permitted purposes referred to in paragraph 19(a); and

 (ii) for the relevant records that were destroyed during the reporting period:

 (A) the total number that were destroyed; and

 (B) that number, broken down by reference to the permitted purposes referred to in paragraph 19(a); and

 (iii) if there are relevant records that were relinked during the reporting period but not destroyed:

 (A) the total number of such records; and

 (B) the reason the relinked claims information was not destroyed; and

 (iv) if there are relevant records that were relinked in previous reporting periods but not destroyed:

 (A) the total number of such records; and

 (B) the reason the linked claims information was not destroyed.

Note 1: See subsection 5(2) for the meaning of references to destroying linked claims information.

Note 2: The Information Commissioner may make the report publicly available.

Part 8—Application and transitional provisions

21  Agency may comply with certain provisions of the National Health (Privacy) Rules 2021 during the grace period

 (1) This section applies during the period that:

 (a) commences on the day this instrument commences (see section 2); and

 (b) ends on the day at the end of the period of 6 months that commences on that day.

 (2) While this section applies, an agency may store claims information in accordance with:

 (a) this instrument; or

 (b) the old rules (as if the old rules had not been repealed).

 (3) While this section applies, an agency may use claims information that was disclosed to it in accordance with the old rules prior to their repeal in accordance with:

 (a) this instrument; or

 (b) the old rules (as if the old rules had not been repealed).

 (4) In this section:

old rules means the National Health (Privacy) Rules 2021.

Schedule 1—Data sharing agreements

Note: See the definition of “data sharing agreement” in section 5.

1  Requirements for data sharing agreements

 (1) A data sharing agreement (including such an agreement as varied by the parties to the agreement) must be in writing.

 (2) A data sharing agreement must include the provisions specified in:

 (a) for a disclosure under subsection 11(6) of this instrument—clause 2 of this Schedule; and

 (b) for a disclosure under subsection 11(7) of this instrument—clause 3 of this Schedule.

2  Data sharing agreements—disclosure under subsection 11(6)

Data sharing agreement must deal with how disclosed claims information can be used

 (1) A data sharing agreement must:

 (a) specify the purposes for which the recipient may use the information disclosed under the agreement; and

 (b) not permit the recipient to use the information for other purposes.

 (2) The purposes may only be one or more of the following:

 (a) use for research (other than medical research);

 (b) statistical analysis;

 (c) development of government policies and programs;

 (d) consulting as described in subsection 11(8);

 (e) linking claims information as described in section 14.

Data sharing agreement must deal with re-identification of deidentified claims information

 (3) A data sharing agreement must include a requirement that, if deidentified claims information is disclosed to the recipient in accordance with the agreement, the recipient is not to reidentify the information other than in accordance with the agreement.

 (4) A data sharing agreement must include a requirement that, if:

 (a) the recipient reidentifies claims information, whether advertently or inadvertently; and

 (b) the reidentification was not in accordance with the agreement;

the recipient must notify the disclosing agency of:

 (c) that fact; and

 (d) the steps the recipient has taken to:

 (i) either destroy the reidentified information, or deidentify it; and

 (ii) prevent further claims information being reidentified.

Data sharing agreement must not permit disclosure of claims information

 (5) A data sharing agreement must not permit the recipient to ondisclose claims information that was disclosed under the data sharing agreement.

Note: A data sharing agreement will not have the effect of preventing a recipient from disclosing information such as de-identified or aggregated information which was derived from, but no longer is, claims information.

3  Data sharing agreements—disclosure under subsection 11(7)

Data sharing agreement must deal with how disclosed claims information can be used

 (1) A data sharing agreement must:

 (a) specify the purpose for which the recipient may use the information disclosed under the agreement as use for medical research; and

 (b) not permit the recipient to use the information for other purposes.

Data sharing agreement must deal with re-identification of deidentified claims information

 (2) A data sharing agreement must include a requirement that, if deidentified claims information is disclosed to the recipient in accordance with the agreement, the recipient is not to reidentify the information other than in accordance with the agreement.

 (3) A data sharing agreement must include a requirement that, if:

 (a) the recipient reidentifies claims information, whether advertently or inadvertently; and

 (b) the reidentification was not in accordance with the agreement;

the recipient must notify the disclosing agency of:

 (c) that fact; and

 (d) the steps the recipient has taken to:

 (i) either destroy the reidentified information, or deidentify it; and

 (ii) prevent further claims information being reidentified.

Data sharing agreement must not permit disclosure of claims information

 (4) A data sharing agreement must not permit the recipient to ondisclose claims information that was disclosed under the data sharing agreement.

Note: A data sharing agreement will not have the effect of preventing a recipient from disclosing information such as de-identified or aggregated information which was derived from, but no longer is, claims information.

Data sharing agreement must require compliance with Australian Privacy Principles in appropriate cases

 (5) A data sharing agreement must, if the recipient is not covered by the Privacy Act 1988 or a State or Territory privacy law, require the recipient to comply with the Australian Privacy Principles in relation to claims information that is personal information as if the recipient were an organisation (within the meaning of the Privacy Act 1988).

Data sharing agreement must deal with storage and security requirements

 (6) A data sharing agreement must:

 (a) specify the storage and, if the recipient is not an agency, security requirements that apply to the disclosed claims information; and

 (b) require the recipient to comply with those requirements.

Data sharing agreement must deal with disposal or destruction of claims information

 (7) A data sharing agreement must, if the recipient is not an agency, contain provisions which:

 (a) require the recipient of the disclosed information to dispose of or destroy the information by a date specified in the agreement; and

 (b) provide for the recipient to apply to the primary agency which disclosed the information for an extension of that date, in a form approved by the agency; and

 (c) permit the primary agency to extend that date if the primary agency is satisfied that the extension is needed in order to achieve the purposes for which the recipient may use the information (paragraph (1)(a) of this clause).

Schedule 2—Repeals

National Health (Privacy) Rules 2021

1  The whole of the instrument

Repeal the instrument.