When are Health Record Policies Sufficient?

Burwood Westfield Medical Centre (Privacy) [2023] AICmr 108

Introduction

The Office of the Australian Information Commissioner (OAIC) began an investigation on 8 February 2023 into Burwood Westfield Medical Centre (the Respondent) to determine whether it was compliant with rules 41 and 42 of the My Health Records Rule 2016 (MHR Rule). The investigation was commenced under section 40(2) of the Privacy Act 1988 (Cth) (the Privacy Act) following a survey and assessment of 300 general practice clinics against certain requirements under the My Health Records Act 2012 (MHR Act).

Facts

The My Health Record system is a digital system that allows registered healthcare provider organisations (HPO) to access and view an individual’s health information if they are involved in the individual’s care. Under section 42 of the MHR Act, a HPO may apply to the Australian Digital Health Agency (ADHA) for registration if it meets the requirements under section 43 of the MHR Act. Notably, section 43 of the MHR Act highlights that a HPO is eligible for registration provided it complies with the requirements that are specified within the MHR Rule.

Rule 41 of the MHR Rule provides that, to remain eligible for registration as a HPO, the HPO must also comply with any requirements prescribed under Division 3 of the MHR Rule. One of these requirements is that the HPO “must have a written policy that reasonably addresses the matters specified in subrule 42(4)”. The matters specified in subrule 42(4) relate to access, usage, security, and registration with regard to the My Health Record system.

The OAIC, in conjunction with the ADHA, prepared and published guidance for HPOs to aid them in developing a written policy that complies with the requirements under rule 42 of the MHR Rule. Relevantly to this specific case, the written policy of the HPO was required to address the following matters:

  • the process for identifying a person who requests access to a healthcare recipient’s My Health Record and communicating the person’s identity to the ADHA so that the healthcare provider organisation is able to meet its obligations under section 74 of the MHR Act; and
  • mitigation strategies to ensure My Health Record system-related security risks can be promptly identified, acted upon, and reported to the healthcare provider organisation’s management.

Under section 78 of the MHR Act, which is included in Part 5, a contravention of the MHR Rule may result in a civil penalty for non-compliance. Further to this, section 73 of the MHR Act provides that an act or practice that contravenes a provision in Part 4 or 5 of that Act is considered to be an intrusion into a healthcare recipient’s privacy for the purposes of the Privacy Act. As a result, the Commissioner has the power to investigate such an act or practice.

In addition, the Commissioner also has the power to investigate a HPO’s acts or practices under section 40(2) of the Privacy Act if it believes those acts or practices may interfere with an individual’s privacy.

Investigation and Evidence

The respondent had communicated to the OAIC that it had been granted registration to access the digital health records on 27 November 2012, meaning that the respondent’s registration was granted under the Personally Controlled Electronic Health Records Act 2012 (Cth) (the PCEHR Act) and the associated Personally Controlled Electronic Health Records Rules 2012 (PCEHR Rules). The PCEHR Act and Rules were the legislation that governed HPOs prior to being repealed and superseded by the MHR Rule.

The OAIC received three versions of the respondent’s written policy, each titled ‘MHR Security and Access Policy’. These policies were dated 2016 (which coincided with the MHR Rule’s introduction), July 2019 and April 2022. These written policies were deemed to reasonably address the matters specified in subrules 42(4)(a), (b), (d) and (f) of the MHR Rule.

Subrule 42(4)(c):

The written policy of a HPO is required to reasonably address “the process for identifying a person who requests access to a healthcare recipient’s My Health Record and communicating the person’s identity to the System Operator so that the healthcare provider organisation is able to meet its obligations under section 74 of the MHR Act”.

The respondent used a template provided by the Royal Australian College of General Practitioners (RACGP) to develop its written policy. Under the heading of ‘Requests to access a patient’s My Health Record’ in the provided template, the following text was suggested:

“Our practice has established processes for identifying a person who requests access to a patient’s My Health Record.”

The respondent’s written policy, however, stated the following:

“Our practice has established processes for informing a person who requests access to a patient’s My Health Record.”

In the RACGP template, the use of the word ‘identifying’ directs the HPO to provide the ADHA with information to identify an individual who requests access to a healthcare recipient’s My Health Record. The respondent’s use of the word ‘informing’ instead suggests that an individual who is requesting access to a healthcare recipient’s My Health Record is merely being informed of their own request.

As a result of this discrepancy, it was determined that the respondent’s written policies failed to describe the way in which it identifies individuals who request access to healthcare recipients’ My Health Records and how it communicates that information to the ADHA. As such, the respondent’s written policies failed to comply with subrule 42(4)(c) of the MHR Rule.

Subrule 42(4)(e):

The written policy of a HPO is also required to reasonably address “mitigation strategies to ensure My Health Record system-related security risks can be promptly identified, acted upon and reported to the healthcare provider organisation’s management”.

The investigation revealed that the respondent did not have any written policy whatsoever addressing the necessary mitigation strategies in relation to My Health Record system-related security risks. As a result, the respondent failed to satisfy subrule 42(4)(e) of the MHR Rule.

Decision

It was deemed that the respondent’s written policy had not reasonably addressed the matters specified in subrule 42(4) of the MHR Rule. Further to this, no evidence was provided by the respondent to support a finding that it was eligible for an exemption under subrule 42(5). The respondent was therefore found to be in contravention of Part 5 of the MHR Act as a result of its interference with the privacy of a healthcare recipient within the meaning of section 73(1)(a) of the MHR Act and section 13 of the Privacy Act.

The Deputy Commissioner of the OAIC, Elizabeth Hampton, declared that:

  • under section 52(1A)(a), the respondent’s failure to comply with Part 5 of the MHR Act is deemed to be an interference with the privacy of a healthcare recipient, and the respondent must therefore refrain from repeating or continuing that act or practice; and
  • under section 52(1A)(b), the respondent is required to take the following steps to ensure that its actions are not repeated or continued:
    • prepare and implement a written policy that complies with the requirements of rule 42 of the MHR Rule within 30 days, specifically addressing subrules 42(4)(c) and (e);
    • provide a copy of the written policy to the OAIC within 7 days of its implementation; and
    • ensure that a written policy is maintained that complies with all requirements of both the MHR Act and MHR Rule whilst the respondent is registered under Division 2 of Part 3 of the MHR Act.

Compliance Impact

Organisations that are registered to access My Health Records should pay close attention to the determination in this case. To ensure full compliance, organisations that are registered as HPOs and have access to My Health Records should review their obligations under the MHR Act and MHR Rule, with specific attention to their written policy, to ensure it addresses all the matters outlined within subrule 42(4) of the MHR Rule.
