The Australian Digital Health Agency has provided the following media statement in relation to incorrect claims regarding employment checks and the My Health Record.
The following legislation is clear:
Section 14(2) of the Healthcare Identifiers Act 2010 specifically prohibits use by insurers and for employment checks.
14 Collection, use and disclosure—providing healthcare to a healthcare recipient
(2) This section does not authorise the collection, use or disclosure of the healthcare identifier of a healthcare recipient for the purpose of communicating or managing health information as part of:
(a) underwriting a contract of insurance that covers the healthcare recipient; or
(b) determining whether to enter into a contract of insurance that covers the healthcare recipient (whether alone or as a member of a class); or
(c) determining whether a contract of insurance covers the healthcare recipient in relation to a particular event; or
(d) employing the healthcare recipient.
Simply put it is illegal to access a person’s My Health Record for the purpose of an employment check.
Any claims to the contrary are incorrect.
A health provider who breaches the My Health Records Act 2012 or the Healthcare Identifiers Act 2010 would face significant penalties.
All access to My Health Record is monitored and tracked and consumers can see who has accessed their My Health Record and when.
The only way an approved health care provider can access an individual’s My Health Record is when they have the required Individual Health Identifier (regulated under Healthcare Identifiers Act 2010).
Identity in the My Health Record system is based on the Individual Health Identifier (regulated under Healthcare Identifiers Act 2010). Not their Medicare card.
The steps required for an approved healthcare practitioner to view a patient’s My Health Record are robust and require a number of authentications to take place, including:
1. They must be a registered healthcare provider (for example Registered with the Australian Health Practitioner Regulation Agency (AHPRA)) and have a valid HPI-I (a Provider Identifier).
2. A person with an HPI-I must work within an organisation that has registered as a healthcare organisation and received an HPI-O (organisational Identifier).
3. The organisation must have conformant software, which has a secure and encrypted connection to the My Health Record system.
4. The patient must have a record on the local system (clinical information system), as a patient of the practice, before an Individual Health Identifier (IHI) can be entered into the system.
5. The conformant system uses 6 pieces of information to find or validate the patients IHI:
- Medicare or DVA number
- First name
- Date of birth
6. A valid IHI can only be used if the above conditions have been met.
7. Only then is an IHI returned, which is then used to retrieve an individual’s My Health Record – through their secure and encrypted Clinical Information System.