Wednesday, 8 February 2023
Bills
Health Legislation Amendment (Information Sharing) Bill 2023
Bills
Health Legislation Amendment (Information Sharing) Bill 2023
Statement of compatibility
Mary-Anne THOMAS (Macedon – Leader of the House, Minister for Health, Minister for Health Infrastructure, Minister for Medical Research) (10:30): In accordance with the Charter of Human Rights and Responsibilities Act 2006 I table a statement of compatibility in relation to the Health Legislation Amendment (Information Sharing) Bill 2023.
In accordance with section 28 of the Charter of Human Rights and Responsibilities Act 2006, I table a statement of compatibility for with respect to the Health Legislation Amendment (Information Sharing) Bill 2023
In my opinion, the Health Legislation Amendment (Information Sharing) Bill, as introduced to the Legislative Assembly, is compatible with the human rights as set out in the Charter. I base my opinion on the reasons outlined in this statement.
Overview of the Bill
The Bill amends the Health Services Act 1988 (HS Act) to provide for the establishment of a secure electronic system to enable public hospitals and specified health services to share specified patient health information for the purpose of providing medical treatment to patients. The Bill also permits information access, use and disclosure for system establishment and maintenance, and makes consequential amendments to the Health Records Act 2001 (HR Act).
Human Rights Issues
The Bill engages the Charter rights to privacy (s 13(a)), freedom of expression (s 15) and rights in criminal proceedings (s 25(1)). To the extent that the Bill limits any Charter rights, such limits are reasonable and justifiable in accordance with section 7(2) of the Charter.
Electronic Health Information Sharing System
The Bill amends the HS Act to require the Secretary to the Department of Health to establish and maintain an Electronic Patient Health Information Sharing System (the System) (cl 4). The System must contain any specified patient health information that the Secretary requires to be collected. The Secretary can, by notice published in the Government Gazette, specify health information to be given by a participating health service for the purposes of the System, and a relevant date in relation to that health information. A participating health service must give to the Secretary prescribed health information and unique identification numbers assigned to persons the subject of the information, if the information was collected on or after the date specified, within certain timeframes. Where a relevant health service does not comply with a gazetted notice, the Bill provides for the Secretary to give written directions to a participating health service to give the specified health information or unique identification numbers required.
Under the Bill, the Secretary and participating health services may collect, use and disclose specified patient health information as permitted or authorised by the Bill without the consent of the person to whom the information relates. Access to and use of prescribed information held on the System is limited to persons who are employed or engaged by a participating health service and who are authorised by that service to access the System and use and disclose specified patient health information for the purposes of providing medical treatment to that patient. The only other reasons that persons authorised by a participating health service may access information on the System are for the purpose of giving the information to the Secretary as required by the Bill or for information security and data management purposes. The Secretary, or a person employed or engaged and authorised in writing by them, may also access the System to use and disclose specified patient health information or unique identification numbers for the purposes of establishing, maintaining and operating it, undertaking information security and data management, and otherwise ensuring that the System operates securely and effectively.
Privacy (s 13(a))
Section 13(a) of the Charter provides that a person has the right not to have their privacy, family, home or correspondence unlawfully or arbitrarily interfered with. An interference will be lawful if it is permitted by a law which is precise and appropriately circumscribed, and will be arbitrary only if it is capricious, unpredictable, unjust or unreasonable, in the sense of being disproportionate to the legitimate aim sought.
The amendments contained in the Bill will allow for the interference with the privacy of persons to whom specified patient health information or identifiers stored on the System (System information) relates. System information may be ‘health information’ under the HR Act. Health information can include information on the physical, mental or psychological health of a person, or other personal information collected in the course of providing them a health service. Compulsorily collecting such information from health services and providing access to it without consent or an option to opt-out will engage the right in section 13(a) of the Charter.
However, to the extent that the amendments which provide for the System interfere with the Charter right to privacy, I consider that the right will not be limited. Any interference will be authorised by legislation that is appropriately circumscribed. Where the Bill provides for matters relevant to the collection or use of information for the System to be prescribed by notice in the Government Gazette, such as specified health information to be given by participating health services, these powers are appropriately constrained. In accordance with the provisions of the Bill, the Secretary may only prescribe, for collection for the System, the health information of a person who has received treatment from a participating health service, and that health information is being collected for the purpose of providing medical treatment to the person. Reasonable time limits apply to the retrospective application of gazetted notices which provide certainty as to the scope of health information that is collected for the System. Although the Bill does not further restrict the categories of information that may be prescribed, I am satisfied that this formulation is necessarily flexible to allow for the Secretary to prescribe emerging types of health information required for medical treatment and care, whilst being clearly connected to the purpose of the System. I am therefore satisfied that such interferences with privacy will be lawful.
I am also satisfied those interferences with individuals’ privacy that may occur under these provisions will be predicable and proportionate to the objects of the System and will therefore not be arbitrary. The amendments will not require the collection of new information from individuals but rather facilitate the transfer of copies of existing information, already collected and held by public hospitals and health services, to a central platform. Access to the System will be limited to persons working at participating health services, who would have been able to access the same information through the records of the participating health service, or to seek the information from other health services, albeit on a one-to-one, rather than one-to-many information-sharing basis. Use of System information will only be permitted for the important purpose of providing medical treatment, or for System maintenance. The Bill also contains safeguards to protect against misuse of System information, including by creating offences for:
• unauthorised persons knowingly accessing the System unless authorised to do so under new Part 6C of the HS Act (Part 6C), otherwise unless the person was authorised or required under the Bill or another Act to do so, or required by law;
• authorised persons accessing the System other than in accordance with Part 6C, unless the person did so as authorised or required by the Bill or another Act, or as required by law; and
• authorised persons accessing the System using and disclosing specified patient health information obtained by that person other than in accordance with Part 6C, unless expressly required authorised or required by the Bill or any other Act, or required by law.
The legislative protections that apply to health information in the HR Act, and to personal information under the PDP Act will remain largely unaffected by the Bill (subject to the amendments discussed below). Any interference with privacy occasioned by the establishment and operation of the System is for the beneficial purpose of improving medical care by providing clinicians with better access to persons’ medical records held across multiple health services to improve patient safety and quality of care.
To the extent that the security and protection of information is related to the privacy of information, I note that strong technical measures in addition to the safeguards provided in the Bill will apply to the System to protect against any unauthorised access. Furthermore, the System will be subject to the Victorian Protective Data Security Standards.
Accordingly, I consider that the provisions in the Bill providing for the establishment and use of the System will not limit the Charter right to privacy.
Limits on access to System information
The Bill amends the HR Act to exclude the System from the requirements in Health Protection Principles (HPP) 1.3 that organisations only collect health information from the individual the subject of the information, and the requirement in HPP 1.5 that where organisations collect health information about individuals from other parties, that they make those individuals aware of the third-party collection and other factors (cl 5). The Bill also amends the HR Act to exclude persons’ right of access to and correction of System information in HPP 6 and Part 5 (cl 5), and amends the HS Act to provide that the Freedom of Information Act 1982 (FOI Act) (cl 4) does not apply a document given to the Secretary for the purposes of complying with new Part 6C or the System and therefore not subject to requests for access under the FOI Act. A consequential effect of this amendment is that a person’s right under s 39 of the FOI Act to request the correction or amendment of documents that contain personal information will not apply.
Privacy (s 13(a))
The Charter right to privacy in s 13(a) is based on Article 17 of the International Covenant on Civil and Political Rights. The United Nations Human Rights Committee has issued guidance on Article 17 which provides that persons should have the ability to ascertain which public authorities control their data, and to request the correction or deletion of personal data that contains incorrect information.
The right to privacy may appear relevant to clauses 4 and 5 of the Bill because they limit individuals’ right of access to and correction of their personal information held on the System. However, any interference with privacy occasioned by these limits will be authorised by legislation, and appropriately tailored to achieve their purpose. The System will only contain copies of information already stored by public health services. Limiting access to, and the right to seek correction by a person of System information relating to them, is to ensure the coherence of individual’s health information. Information relating to a person that is held on the System may only capture part of their health information, whereas it is more likely that individual health services hold information that is complete and in context. Should an individual wish to access or amend their health information, or had concerns about incorrect information being recorded, they can access and correct the information through their health service provider. If this occurs, a participating health service would be required to share that updated information with the System. Therefore, correcting information through a participating health service will effectively trigger an automatic update to System records.
Clauses 4–5 therefore do not restrict the ability of persons to access their own information or frustrate their right to correct it, but rather just ensure that information is accessed or corrected through a health service. This will ensure that, in substance, only health services can amend System information, requiring that health services vet information that is collected by the System. This avoids the risk that the System would become a ‘source of truth’ for health records that are the responsibility of health services, or of System information about a person being amended without the person’s health service provider being notified. Therefore, in my view, these clauses do not engage the right in s 13(a) of the Charter. Even if clauses 4-5 were found to interfere with the privacy right in s 13(a), I consider that the right would not be limited because the interference is both lawful and not arbitrary - particularly because persons would have alternative means of accessing and correcting the same information as contained on the System and, moreover, that the establishment for the System is for the beneficial purpose of improving medical treatment and care by providing clinicians with better access to a persons’ medical records.
Freedom of expression (s 15)
Section 15 of the Charter provides that every person has the right to hold an opinion without interference and has the right to freedom of expression which includes the freedom to seek, receive and impart information and ideas of all kinds. This has been interpreted to include a positive right to access information held by the government. Section 15 also provides that lawful restrictions may be reasonably necessary to respect personal rights and reputations, or for the protection of national security, public order, public health or public morality.
Clauses 4–5 may engage the right to freedom of expression by limiting access to information on the System. However, the same information will be accessible from the participating health service. As above, persons will have the ability to access information through a public health service. Therefore I consider that although the right to freedom of expression may be relevant to these clauses, the right will not be limited. Even if these provisions were considered to limit the right in s 15 of the Charter, I consider that any limit would be reasonable and justifiable under s 7(2) of the Charter. This is because the clauses will not restrict the information actually available to persons, just the sources from which they could seek to obtain and correct it. Any such limitation is considered to be necessary for the efficient operation of the System, having regard to its overall beneficial purpose, and therefore is compatible with the Charter.
Criminal penalties
As mentioned, the Bill will amend the HS Act to insert three new offences for unauthorised use of the System, or unauthorised access, use and disclosure of System information, to protect the privacy of System information. Relevantly, the offences will incur penalties of 240 penalty units or two years imprisonment. Each offence will not apply if the person was authorised or required by the Bill or another Act, or required by law, to access the System. For the offence of unauthorised use or disclosure of System information, the threshold is “expressly” authorised or required by or under the Bill, another Act, or by law.
Rights in criminal proceedings (s 25(1))
Section 25(1) of the Charter provides that a person charged with a criminal offence has the right to be presumed innocent until proved guilty according to law. The right is relevant where a statutory provision shifts the burden of proof onto an accused in a criminal proceeding, so that the accused is required to prove matters to establish, or raise evidence to suggest, that they are not guilty of an offence.
The right to presumption of innocence may appear to be relevant because for each new offence in the Bill, the offence provision will not apply if the person was authorised or required by the Bill, or required by law, to access the System. Because these provisions prohibit an act from being done unless it is committed by persons with specified authorisations, it may be viewed as imposing an evidential burden on the accused. However, in doing so, these provisions do not transfer the legal burden of proof. Rather, they provide a carve-out which will enable an accused to escape liability where they had a lawful basis for accessing the System. The prosecution is still required to prove all the other elements of each offence. I do not consider that an evidential onus such as is contained in these provisions limits the right to be presumed innocent, and courts in other jurisdictions have taken this approach.
For the reasons set out in this Statement, in my opinion, the Bill is compatible with the human rights as set out in the Charter.
The Hon Mary-Anne Thomas MP
Minister for Health
Minister for Health Infrastructure
Minister for Medical Research
Second reading
That this bill be now read a second time.
I ask that my second-reading speech be incorporated into Hansard.
Incorporated speech as follows:
Introduction
Most Victorian patients will visit more than one health service for health care and treatment. The availability of complete and accurate health information at the right time and at the right place will save lives and is essential for providing the very best care for patients.
Currently in Victoria, critical health information is spread across different health services, in separate systems and in paper-records.
This fragmentation of patient health information often means that clinicians manually gather patient health information, through fax or phone calls. This is inconsistent with modern health record sharing standards, and the approach taken by other Australian jurisdictions such as New South Wales, Queensland, ACT and South Australia, which have successfully implemented health information sharing at the point of care.
The Health Legislation Amendment (Information Sharing) Bill will enable information-sharing between specified health services, through a secure platform operated and managed by the Department of Health (the Department).
The Department would have the authority to securely hold and share health information between and across public health services electronically.
The Bill will amend the Health Services Act 1988 to establish a health information platform, for relevant health services to share certain health information for the purpose of providing medical treatment and care to patients.
The amendments will also authorise collection and disclosure of health information to the Secretary for the purpose of establishing and maintaining the electronic health information platform.
The Bill changes will apply to the following specified entities:
• public hospitals,
• multi-purpose services,
• denominational hospitals,
• metropolitan hospitals,
• prescribed health services,
• registered community health centres,
• the ambulance service,
• the Victorian Institute of Forensic Mental Health; and
• the Victorian Collaborative Centre for Mental Health and Wellbeing.
The application of the Bill recognises the challenges of siloed information across the Victorian public healthcare system, and the importance of strengthening the system for the health and wellbeing of all Victorians. We recognise that a consolidated picture of a patient’s medical and health history is essential to the provision of the safe and high-quality care in our public hospitals.
The main objectives of the Bill are to establish a single, secure platform for health records, enable interchange of information between health services when required, improve patient safety, decrease avoidable harm and deliver person-centred care. The patient’s care journey can take them to many different public health services over the course of their illness or condition. There are risks to the quality and safety of patient care when information is fragmented or missing across that journey.
Failure to correctly identify patients across health services, match their information, and accurately share that information can lead to poor health outcomes for patients. These include unintended injury, infections, problems with medications, as well as unnecessary duplication of diagnostic tests.
In urgent situations and emergencies where the patient and their family are not able to provide a full and clear picture of their past medical history, this can compromise and delay the delivery of safe, timely and high-quality care.
Creating an easier, safer, and more secure way of sharing of health information between public health services will ensure that treating clinicians have a complete and integrated picture of a patient’s history.
This will support clinical decision-making and reduce the risk of missing important medicines information and allergies. It will let the treating clinician see important medical images and laboratory results, to manage the patient more safely.
The reforms are fundamental to strengthening the Victorian healthcare system and delivering on key government commitments as outlined in the 2016 Targeting Zero Report. The Royal Commission into Victoria’s Mental Health System also acknowledged the lack of information sharing culture.
More recently, both the flood crisis and the COVID-19 pandemic demonstrated where better health information sharing practices could have been used to support doctors, nurses, and allied health staff with their clinical decision making, benefitting the whole community.
The COVID-19 pandemic has exposed the barriers to health information sharing and some consequences of those barriers for patients and clinical staff. Clinicians in our hospitals can only access COVID test results where that test was done by their own pathology service.
More than 15 laboratories contribute to COVID testing across Victoria, however. This means that the majority of COVID test results are not available to treating clinicians in their health service record systems. COVID test results done in a drive-through or in another other health service must be individually requested. This delays patient care, increases the risk of exposure of patients and staff to COVID, and adds a further administration burden to the processes of patient care.
The recent floods caused damaged to hospitals and loss of paper records. During these difficult circumstances, flood-affected Victorians were treated at facilities where they did not normally attend. Many patients were also seen by telehealth services provided by Victoria’s virtual ED. The inability to access a single information sharing platform meant that sometimes access to timely healthcare was delayed in these circumstances until health professionals could get a better understanding of a patient’s medical history.
Enabling information sharing through state-of-the-art technology operated by the Department is critical to supporting the reforms under way to modernise and future-proof our health system for the health and wellbeing of all Victorians.
The Victorian Government recognises both the sensitive nature of health information and the importance of having critically strict safety, security and privacy measures put in place to ensure it is protected.
To deal with this, extra safety steps will be taken when handling personal health information. Only authorised health service staff will be able to view this information for the purposes of treating a patient. This Bill introduces three new criminal offences to specifically deal with unauthorised access to the platform, access to the platform for unauthorised purposes and unauthorised use or disclosure of information contained in the system.
These criminal offences will attract a fine of 240 penalty units or a maximum term of imprisonment of two years.
The Bill also continues the current position set out in Victorian privacy laws that permit sharing health information for the provision of care and treatment. Rights to access health information and correct it will also be unchanged.
The new platform will improve the way data is stored, making it a safer and more secure system than faxes and phone calls.
Central to these changes of creating a stronger, healthier, and more connected Victoria by sharing information responsibly, safely, and appropriately are robust safeguards and audit processes to securely manage data and protect patient privacy.
There will be real-time business processes and audit checks in place to ensure that health information remains safe and protected. Strong and secure technical measures, including Next-Generation antivirus tools, will protect against any unauthorised access.
The Bill will also provide for an independent review of its effectiveness two years from its commencement. This will allow the impact of the Bill to be assessed and potential improvements to be made.
The government will continue to work with partners including health and legal advocates, health care providers, clinician, and consumer groups to ensure our public hospital system has efficient and connected information sharing that safeguards data, security, and privacy.
In addition, the Department will establish an oversight body to advise the Secretary on key decisions for the safe and secure operation of the health information sharing platform.
Strong clinical governance will be in place to ensure patient safety and quality of care is at the centre of the operation of the platform. These arrangements place the consumer experience at the forefront.
The Department will build on the current practices within Victorian public hospitals to safeguard the sharing of sensitive information by putting in place a privacy management framework. This will limit access to information to designated health service staff who need to see the information for clinical decision‐making purposes.
It would provide additional protections for vulnerable groups for issues such as family violence, child protection. It will maintain higher levels of confidentiality for highly sensitive information such as sexual and mental health.
Importantly, the Bill limits the use of the system to the purposes of patient care, treatment and any necessary system maintenance. Robust and effective mechanisms are already in place to support service planning, policy development and research.
The availability of complete and accurate health information at the right time and place saves lives. it is essential to providing the best care and treatment for patients across Victoria.
The Department of Health will continue to work closely with health services to support them in this transition as the new platform is implemented to ensure privacy management compliance and to optimise patient safety, and continuity of care.
Sharing information safely and securely is the foundation of a modern health care system. Through this Bill the Victorian Government continues to put the health, privacy, and security of Victorians first.
I commend the Bill to the house.
Cindy McLEISH (Eildon) (10:31): I move:
That the debate be adjourned.
Motion agreed to and debate adjourned.
Ordered that debate be adjourned for two weeks. Debate adjourned until Wednesday 22 February.