From 1 July 2012, all Australians can register for their own personally controlled electronic health (eHealth) record. Initially, an eHealth record contains basic information but as the system develops, healthcare providers (including allied health providers) will be able to add more information such as treatments, medications and allergies. Although this is an ‘opt-in’ system, health practitioners may experience mounting pressure to participate, either through their patients’ demands or from an evolving duty for healthcare providers to access health information online.
The legislative framework that governs and regulates the eHealth records system includes the Personally Controlled Electronic Health Records Act 2012 (PCEHR Act) and the Personally Controlled Electronic Health Records Regulation 2012.
The PCEHR Act limits when and how health information included in an eHealth record can be collected, used and disclosed. As denoted by its name, a PCEHR is a personally controlled eHealth record, meaning the patient is in complete control of what health information is uploaded, assessed or deleted from their eHealth record.
This system is an ‘opt in’ record system, which means both patients and practitioners must elect to be a part of the system. Security in relation to access and use of the PCEHR is assisted by the use of ‘Identifiers’. Every Australian can choose to register for a PCEHR, receiving an individual healthcare identifier (IHI) following standard identity checks. Medicare Australia and the Department of Veteran Affairs members have been allocated an IHI.
To access a PCEHR all healthcare providers must be registered and have a healthcare provider identifier (HPI-I). Healthcare organisations such as hospitals and multi-disciplinary practices must register and will then be provided with a healthcare provider identifier – organisation (HPI-O).
If health practitioners choose to opt in, they will be assigned a unique HPI-I. The health practitioner will have only one HPI-I, regardless of the number of qualifications attained or healthcare organisations they work for.
Health practitioners can seek a HPI-I from the Australian Health Practitioner Regulation Agency (AHPRA). We are aware that AHPRA has been issuing HPI-Is to registrants since mid-2010. Health professionals not covered by AHPRA can register for an HPI-I directly with Medicare Australia. Healthcare organisations such as hospitals and multi-disciplinary practices need to apply to to be assigned an HPI-O.
Patients control access to the information on their PCEHR. Patients can limit access to certain information or limit access to nominated healthcare providers or organisations. Patients can expressly advise healthcare providers not to post information on their PCEHR and can even delete a document in its entirety.
What does a PCEHR look like?
A PCEHR contains data categorised as a ‘Shared Health Summary’, an ‘Event Summary’ and a ‘Consolidated View’. There will be automatic population of information from the following data repositories:
- Medicare Benefits Scheme;
- Pharmaceutical Benefits Scheme;
- Australian Childhood Immunisation Register;
- Australian Organ Donor Register.
The Event Summary, which can be uploaded by a registered healthcare provider/organisation, is used to capture key health information about significant healthcare events relevant to the patient’s ongoing care. The fields include details such as the date and reason for the visit, any allergies and alerts, as well as a record of medicines, the diagnosis, the interventions, the diagnostic investigations and observations.
A patient can elect a medical practitioner, a nurse or an aboriginal and Torres Strait Islander health practitioner to be a ‘nominated healthcare provider’. A nominated healthcare provider must prepare, create, upload and curate a Shared Health Summary that includes up-to-date curated information about the patient’s healthcare status. It is a document intended to capture significant information contained in previously posted Event Summaries. A nominated healthcare provider is the only entity that can generate a Shared Health Summary.
A Consolidated View is an electronically generated ‘overview’ of a patient’s events (a snapshot in time) which cannot be edited by the patient or healthcare provider.
The role of healthcare identifiers (HI)
Under the PCEHR system, healthcare identifiers will be used to:
- identify the patient whose eHealth record the practitioner wishes to access. Access can be gained to an individual’s eHealth record by using the individual’s IHI. Sometimes other information may be required such as a patient’s access code or additional identifying information; and
- enable the eHealth record system operator to authenticate the identity of all individuals who access an eHealth record and to record all their activity through the audit trail.
Penalty provisions under the PCEHR
The HI Act and the relevant Regulations contain criminal penalties and the PCEHR Act contains civil penalties for specified breaches. By way of example, Part 4: of the PCEHR Act prohibits:
Unauthorised collection, use and disclosure. There are criminal and civil penalty provisions in the Acts. The key provision is the prohibition on the unauthorised collection, use and disclosure of information included in a consumer’s PCEHR.
The PCEHR gives the Information Commissioner broad powers to accept undertakings and applying for Court Orders.
Summary
The key points are:
- From 1 July 2012, anyone who seeks healthcare in Australia, even overseas visitors, can register to have a PCEHR following appropriate identification checks. A successful applicant will be provided with an IHI.
- A health practitioner may register for an HPI-I through the Australian Health Practitioner Regulation Agency.
- This is an ‘opt in’ system and a practitioner can choose whether or not they want to register.
- If a patient has a PCEHR and a health provider/ organisation is registered, the Healthcare provider, with the patient’s consent, will upload an ‘Event Summary’ following a consultation. The registered healthcare provider or organisation can access a patient’s health information on the PCEHR subject to any limitations that the patients may place upon the access.
At this stage it is important for health practitioners to be aware of the system and guide their patients accordingly. The PCEHR is not intended to replace the current procedures for documentation of history, clinical assessment, diagnosis, treatment, records and point-to-point communication.
Kellie Dell’Oro and Nevena Brown are happy to answer your questions about this topic or any other health legal matter.