This article applies to public health services and other ‘participating health services’ under the Health Services Act 1988 (Vic)
Health Legislation Amendment (Information Sharing) Act 2023 (Vic)
On 7 February 2024, the Health Legislation Amendment (Information Sharing) Act 2023 (Vic) (the Amending Act) amended the Health Services Act 1988 (Vic) (the Act).
Although the Amending Act has commenced, it is proposed that the System will be progressively implemented across Victorian public health services from 2024. At the time of writing, the System has not been rolled out in public health services and it is unclear when, and which, participating health services will need to comply with these requirements.
Electronic Patient Health Information Sharing System
The Amending Act inserts a new Part 6C into the Act which establishes a centralised Electronic Patient Health Information Sharing System (the System), which allows hospitals and other relevant health services to share information for the purpose of providing medical treatment to patients. The System is established and maintained by the Secretary of the Department of Health (the Secretary).
The System is accessible by participating health services, including:
- ambulance services;
- metropolitan hospitals;
- multi purpose services;
- public health services;
- public hospitals;
- registered community health centres;
- the Victorian Institute of Forensic Mental Health;
- State funded residential aged care services;
- the Victorian Collaborative Centre for Mental Health and Wellbeing; and
- other prescribed entities that provide health services (under section 134ZE of the Amending Act).
Under the new Part 6C of the Act, participating health services are required to collect and disclose specified patient health information (and historical health information that may be up to 3 years old) to the Secretary for the purpose of establishing and maintaining the System.
Specified patient health information means health information specified in a notice published in the Government Gazette under section 134ZH of the Act that is about a person who is or has been a patient in, or has received health services from, a participating health service, but does not include a unique identification number assigned by the participating health service to that person. This may include medicines prescribed to the patient, allergies, alerts, laboratory and imaging results, etc.
No requirement to obtain patient consent
Importantly, the new Part 6C of the Act enables participating health services and the Secretary to collect, use or disclose specified patient health information for the purposes of the System, without the need to first obtain consent from the patients to whom the information relates. This is to confirm that, for patients of participating health services, the System and related arrangements are not optional – there is no way to ‘opt out’ from the System.
Access to the System
The new Part 6C of the Act restricts access to the System to persons employed or engaged by participating health services who are specifically authorised by that health service to access the System. Persons authorised to access the System. Persons authorised to access the system may only use and disclose specified patient health information for the purpose of providing medical treatment to a person.
These persons can also access the System to:
- give the information to the Secretary as required; and
- for the purposes of information security and data management.
Part 6C of the Act establishes an offence prohibiting any person from knowingly accessing the System unless they are authorised, carrying a maximum penalty of 240 penalty units (currently $46,154.40) or 2 years’ imprisonment.
Privacy Management Framework
Finally, the new Part 6C of the Act introduces a Privacy Management Framework for the System to provide additional layers of protection for certain categories of sensitive information. Participating health services will need to ensure that they adhere to the Framework as reasonably practicable. Relevantly, the Framework will:
- specify categories of health information that are sensitive in nature and include a process to safeguard that information;
- include a process to safeguard the identity of patients who may be at risk of harm, including patients who identify as being at risk of family violence;
- include a process to facilitate patients accessing reports that specify who has accessed their health information through the System; and
- include a process for regular audits and compliance checks of the System.
Details of the Privacy Management Framework will be published by the Minister for Health by order in the Government Gazette as soon as practicable after the commencement of the Amending Act.
Conclusion
Organisations that are participating health services should ensure that their systems and processes are appropriately updated to reflect the new requirements that have been introduced alongside the establishment of the System.
