Privacy Law and Policy Reporter
In response to a proposal in 1990 to electronically link pharmacists with the Health Insurance Commission, amendments to the National Health Act 1953 (Cth) were introduced in 1991 requiring the Privacy Commissioner to issue guidelines relating to the privacy protection of Medicare and Pharmaceutical Benefits information. Difficulties in the interpretation of the original amendment led to it being repealed and replaced by the current s135AA of the National Health Act. The amending Act (the National Health Amendment Act 1993 (Cth)) also made related amendments to the Privacy Act 1988. s135AA and s135AB of the National Health Act provide the legislative basis for the Guidelines. These sections include provisions which require the Privacy Commissioner to issue guidelines; set out the information to which the guidelines apply; set out issues the guidelines must cover; define various terms used in the section; set down requirements for consultation, tabling and disallowance; define a breach of the guidelines as an ''interference with privacy'; and provide that the Privacy Commissioner may accept and deal with a complaint about a breach of the guidelines in the same manner as IPP complaints under s36 of the Privacy Act.
The National Health Amendment Act 1993 also amended the Privacy Act by adding to the list of ''interferences with privacy' in s13 Privacy Act 1988, a breach of the guidelines issued under s135AA of the National Health Act and by addingto the list of Commissioner's functions (in s27 of the Privacy Act), the issuing of guidelines under s135AA of the National Health Act.
The Guidelines will take effect on 15 April 1994, unless disallowed by Parliament (see dates above). It is proposed that the Guidelines will be reviewed after 12 months operation and consideration will be given at that time to whether any amendments are necessary.
The Guidelines apply to individuals' information collected in connection with claims under the Medicare and pharmaceutical benefits programs. They do not apply to information which identifies providers of services; ''eligibility' or ''entitlement' databases; or information which is not stored on a computer database.
The Guidelines have two main themes:
(a) the separation of Medicare and pharmaceutical benefits claims information; and
(b) the ''de-identification' of claims information after it is five years old.
The Health Insurance Commission will retain the ability to link to an identifiable individual the personal identification number associated with the claims information held by the Department of Health, Housing, Local Government and Community Services but the Guidelines strictly limit the circumstances in which this can occur. In this way claims information over five years old is de-identified but the capacity to re-identify the information in certain circumstances is retained.
The guidelines do not prevent claims information from being disclosed to researchers or retained by researchers after the information is more than five years old with the concerned individual's free and informed consent.
(The full text of the revised Guidelines is contained in the Federal Privacy Handbook, or is available separately from the Privacy Commissioner.)
Rhonda Nelson, Privacy Branch, Human Rights and Equal Opportunity Commission