New Public Health Information Sharing System in Victoria

newpubhealthinfosharing docatpc istock 1316048214

This article applies to public health services and other ‘participating health services’.

Health Legislation Amendment (Information Sharing) Bill 2023 (Vic)

Please be advised that the Health Legislation Amendment (Information Sharing) Bill 2023 (Vic) (the Bill) passed the Victorian parliament on 22 March 2023 and will commence on a day to be fixed by proclamation, or no later than 7 February 2024. The Bill amends the Health Services Act 1988 (Vic) (the Act).


The Bill will establish a centralised Electronic Patient Health Information Sharing System (the System), which will allow public hospitals and other relevant health services to share information for the purpose of providing medical treatment to patients.

The System will be accessible by participating health services, including:

  • ambulance services;
  • metropolitan hospitals;
  • multi purpose services;
  • public health services;
  • public hospitals;
  • registered community health centres;
  • the Victorian Institute of Forensic Mental Health;
  • State funded residential aged care services;
  • the Victorian Collaborative Centre for Mental Health and Wellbeing; and
  • other prescribed entities that provide health services (under section 134ZE of the Bill).

Under the Bill, participating health services will be required to collect and disclose specified patient health information (and historical health information that may be up to 3 years old) to the Secretary of the Department of Health (Secretary) for the purpose of establishing and maintaining the System.

Specified patient health information means health information specified in a notice published in the Government Gazette under section 134ZH of the Bill that is about a person who is or has been a patient in, or has received health services from, a participating health service, but does not include a unique identification number assigned by the participating health service to that person. This may include medicines prescribed to the patient, allergies, alerts, laboratory and imaging results etc.

No requirement to obtain patient consent

Importantly, the Bill enables participating health services and the Secretary to collect, use or disclose specified patient health information for the purposes of the System, without the need to first obtain consent from the patients to whom the information relates. This is to confirm that, for patients of participating health services, the System and related arrangements are not optional – there is no way to ‘opt out’ from the System.

Access to the System

The Bill restricts access to the System to persons employed or engaged by participating health services who are specifically authorised by that health service to access the System. Persons authorised to access the system may only use and disclose specified patient health information for the purpose of providing medical treatment to a person.

These persons can also access the system to:

  • give the information to the Secretary as required; and
  • for the purposes of information security and data management.

The Bill establishes an offence prohibiting any person from knowingly accessing the system unless they are authorised, carrying a maximum penalty of 240 penalty units (currently $44,390.40) or 2 years imprisonment.

Privacy management framework

Finally, the Bill introduces a privacy management framework for the System to provide additional layers of protection for certain categories of sensitive information. Participating health services will need to ensure that they adhere to the framework as reasonably practicable. Specifically, the framework will:

  • specify categories of health information that are sensitive in nature and include a process to safeguard that information;
  • include a process to safeguard the identity of patients who may be at risk of harm, including patients who identify as being at risk of family violence;
  • include a process to facilitate patients accessing reports that specify who has accessed their health information through the System; and
  • include a process for regular audits and compliance checks of the System.

Details of the privacy management framework will be published by the Minister for Health by order in the Government Gazette as soon as practicable after the commencement of the Bill.

Please click here to access the full Bill.

How Health Legal can help:

For further information please contact the Health Legal and Law Compliance team via our contact page here.