Commonwealth: Health Legislation Amendment (eHealth) Act 2015 (Cth)

Health Legislation Amendment (eHealth) Act 2015 No. 157, 2015 An Act to amend the law in relation to healthcare identifiers, electronic health records and other information relating to health, and for related purposes Contents 1 Short title 2 Commencement 3 Schedules Schedule 1—Healthcare identifiers and health records Part 1—Amendments Copyright Act 1968 Healthcare Identifiers Act 2010 Personally Controlled Electronic Health Records Act 2012 Privacy Act 1988 Part 2—Rule‑making powers, application and transitional provisions Schedule 2—Renaming PCEHR as My Health Record Healthcare Identifiers Act 2010 Health Insurance Act 1973 National Health Act 1953 Personally Controlled Electronic Health Records Act 2012 Schedule 3—Renaming consumers as healthcare recipients Health Insurance Act 1973 National Health Act 1953 Personally Controlled Electronic Health Records Act 2012 Schedule 4—Further consequential amendments Part 1—Amendments relating to the Legislation Act 2003 Personally Controlled Electronic Health Records Act 2012 Part 2—Amendments relating to delegations Health Insurance Act 1973 Health Legislation Amendment (eHealth) Act 2015 No. 157, 2015 An Act to amend the law in relation to healthcare identifiers, electronic health records and other information relating to health, and for related purposes [Assented to 26 November 2015] The Parliament of Australia enacts: 1 Short title This Act may be cited as the Health Legislation Amendment (eHealth) Act 2015. 2 Commencement (1) Each provision of this Act specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms. Commencement information Column 1 Column 2 Column 3 Provisions Commencement Date/Details 1. Sections 1 to 3 and anything in this Act not elsewhere covered by this table The day this Act receives the Royal Assent. 26 November 2015 2. Schedules 1, 2 and 3 The day after this Act receives the Royal Assent. 27 November 2015 3. Schedule 4, item 1 The later of: 5 March 2016 (a) immediately after the commencement of the provisions covered by table item 2; and (paragraph (b) applies) (b) the commencement of Schedule 1 to the Acts and Instruments (Framework Reform) Act 2015. 4. Schedule 4, items 2 and 3 Immediately after the commencement of the provisions covered by table item 2. 27 November 2015 Note: This table relates only to the provisions of this Act as originally enacted. It will not be amended to deal with any later amendments of this Act. (2) Any information in column 3 of the table is not part of this Act. Information may be inserted in this column, or information in it may be edited, in any published version of this Act. 3 Schedules Legislation that is specified in a Schedule to this Act is amended or repealed as set out in the applicable items in the Schedule concerned, and any other item in a Schedule to this Act has effect according to its terms. Schedule 1—Healthcare identifiers and health records Part 1—Amendments Copyright Act 1968 1 After section 44BA Insert: 44BB Copyright subsisting in works shared for healthcare or related purposes (1) The copyright in a work is not infringed by an act comprised in the copyright in the work if: (a) the act is done, or authorised to be done: (i) for a purpose for which the collection, use or disclosure of health information is required or authorised under the My Health Records Act 2012; or (ii) in circumstances in which a permitted general situation exists under item 1 of the table in subsection 16A(1) of the Privacy Act 1988 (serious threat to life, health or safety), or would exist if the act were done, or authorised to be done, by an entity that is an APP entity for the purposes of that Act; or (iii) in circumstances in which a permitted health situation exists under section 16B of the Privacy Act 1988, or would exist if the act were done, or authorised to be done, by an entity that is an organisation for the purposes of that Act; or (iv) for any other purpose relating to healthcare, or the communication or management of health information, prescribed by the regulations; and (b) either: (i) the work is substantially comprised of health information; or (ii) the work allows for the storage, retrieval or use of health information and it is reasonably necessary to do the act, or authorise it to be done, in circumstances that would otherwise infringe copyright in the work. (2) In this section: healthcare has the same meaning as in the My Health Records Act 2012. health information has the same meaning as in the My Health Records Act 2012. 2 After section 104B Insert: 104C Copyright subsisting in sound recordings and cinematograph films shared for healthcare or related purposes (1) The copyright in a cinematograph film or a sound recording is not infringed by an act comprised in the copyright in the film or recording if: (a) the act is done, or authorised to be done: (i) for a purpose for which the collection, use or disclosure of health information is required or authorised under the My Health Records Act 2012; or (ii) in circumstances in which a permitted general situation exists under item 1 of the table in subsection 16A(1) of the Privacy Act 1988 (serious threat to life, health or safety), or would exist if the entity doing the thing were an APP entity for the purposes of that Act; or (iii) in circumstances in which a permitted health situation exists under section 16B of the Privacy Act 1988, or would exist if the entity doing the thing were an organisation for the purposes of that Act; or (iv) for any other purpose relating to healthcare, or the communication or management of health information, prescribed by the regulations; and (b) either: (i) the film or recording is substantially comprised of health information; or (ii) the film or recording allows for the storage, retrieval or use of health information and it is reasonably necessary to do the act, or authorise it to be done, in circumstances that would otherwise infringe copyright in the work. (2) In this section: healthcare has the same meaning as in the My Health Records Act 2012. health information has the same meaning as in the My Health Records Act 2012. Healthcare Identifiers Act 2010 3 After section 3 Insert: 3A Simplified outline of this Act Under this Act, healthcare identifiers are assigned to healthcare recipients, individual healthcare providers and healthcare provider organisations. There are strict rules on: (a) the verification of a person's identity before a healthcare identifier is assigned; and (b) the purposes for which a healthcare identifier can be collected, used and disclosed; and (c) the purposes for which the identifying information of a healthcare recipient, a healthcare provider or a healthcare provider organisation can be collected, used and disclosed. This Act facilitates the use of the healthcare identifier for the purposes of communicating and managing health information about a healthcare recipient (including through the My Health Record system). This Act also facilitates: (a) the creation of a Healthcare Provider Directory, to allow healthcare providers to check the professional and business details of healthcare providers; and (b) the use of authenticated electronic communications by healthcare providers. 4 Section 5 Insert: Australian law has the same meaning as in the Privacy Act 1988. 5 Section 5 Insert: authorised representative of a healthcare recipient has the same meaning as in the My Health Records Act 2012. 6 Section 5 Insert: civil penalty provision has the same meaning as in the Regulatory Powers Act. 7 Section 5 Insert: court/tribunal order has the same meaning as in the Privacy Act 1988. 8 Section 5 (definition of data source) Repeal the definition. 9 Section 5 (definitions of Human Services Department and Human Services Minister) Repeal the definitions. 10 Section 5 Insert: linked: an individual healthcare provider is linked to a healthcare provider organisation if: (a) the individual healthcare provider is an employee of the healthcare provider organisation; or (b) the healthcare provider organisation provides support services or facilities to the individual healthcare provider, to facilitate the provision of healthcare by the individual healthcare provider. 11 Section 5 (definitions of Medicare Benefits Program and medicare program) Repeal the definitions. 12 Section 5 (definition of Ministerial Council) Repeal the definition, substitute: Ministerial Council means the council (however described) established by the Council of Australian Governments that has responsibility for health matters. 13 Section 5 Insert: My Health Records Act means the My Health Records Act 2012. 14 Section 5 Insert: network of healthcare provider organisations has the meaning given by subsection 9A(4). 15 Section 5 (definition of network organisation) Repeal the definition, substitute: network organisation within a network has the meaning given by subsection 9A(6). 16 Section 5 Insert: nominated representative of a healthcare recipient has the same meaning as in the My Health Records Act 2012. 17 Section 5 (definition of organisation maintenance officer) Repeal the definition, substitute: organisation maintenance officer for a healthcare provider organisation has the meaning given by subsection 9A(8). 18 Section 5 Insert: personal information has the same meaning as in the Privacy Act 1988. 19 Section 5 (definition of Pharmaceutical Benefits Program) Repeal the definition. 20 Section 5 (definition of professional and business details) Repeal the definition. 21 Section 5 (definition of public body) Repeal the definition. 22 Section 5 Insert: Regulatory Powers Act means the Regulatory Powers (Standard Provisions) Act 2014. 23 Section 5 (definition of responsible officer) Repeal the definition, substitute: responsible officer for a healthcare provider organisation has the meaning given by subsection 9A(7). 24 Section 5 (definition of seed organisation) Repeal the definition, substitute: seed organisation for a network has the meaning given by subsection 9A(5). 25 Section 5 (definition of service operator) Repeal the definition, substitute: service operator has the meaning given by section 6. 26 After section 5 Insert: 6 Identity of service operator The service operator is: (a) the Chief Executive Medicare; or (b) if a body established by a law of the Commonwealth is prescribed by the regulations to be the service operator—that body. Note: Section 33 provides that the Minister must consult with the Ministerial Council before making regulations. 27 After paragraphs 7(1)(b) and (2)(b) Insert: (ba) the email address, telephone number and fax number of the healthcare provider; 28 At the end of subsection 7(3) Add: ; (i) other information that is prescribed by the regulations for the purpose of this paragraph. 29 Before section 9 Insert: 9AA Simplified outline of this Part Healthcare identifiers are assigned to healthcare recipients, individual healthcare providers and healthcare provider organisations. The service operator assigns healthcare identifiers to healthcare recipients. A national registration authority will usually assign a healthcare identifier to an individual healthcare provider, although there are a number of cases in which a healthcare provider is not registered by such an authority. In those cases, the healthcare identifier is assigned by the service operator. The service operator assigns a healthcare identifier to a healthcare provider organisation. For a healthcare provider organisation to be assigned a healthcare identifier, the organisation must have at least one employee who is an individual healthcare provider providing healthcare as part of his or her duties, a responsible officer and an organisation maintenance officer. The responsible officer may also be the organisation maintenance officer. If the organisation is part of, or subordinate to, another healthcare provider organisation, it need not have its own responsible officer. A sole practitioner may be registered as a healthcare provider organisation. If the service operator refuses to assign a healthcare identifier, a person whose interests are affected by the decision may ask the service operator to reconsider the decision. A person may apply to the Administrative Appeals Tribunal for review of the service operator's reconsidered decision. The service operator must keep a record of the healthcare identifiers assigned, and other information relating to the healthcare identifiers including details of requests to the service operator to disclose a healthcare identifier. 30 Subsection 9(6) After "healthcare identifier", insert "of a healthcare recipient or of an individual healthcare provider". 31 Section 9A Repeal the section, substitute: 9A Classes of healthcare provider that may be assigned a healthcare identifier by the service operator Healthcare identifiers for individual healthcare providers (1) The service operator may, under paragraph 9(1)(a), assign a healthcare identifier to an individual healthcare provider if: (a) the individual healthcare provider is registered by a registration authority as a member of a health profession; or (b) the individual healthcare provider is a member of a professional association that: (i) relates to the healthcare that has been, is, or is to be, provided by the member; and (ii) has uniform national membership requirements, whether or not in legislation. Healthcare identifiers for a healthcare provider organisation that is a seed organisation, or is not part of a network (2) The service operator may, under paragraph 9(1)(a), assign a healthcare identifier to a healthcare provider organisation that is a seed organisation for a network, or that is not part of a network, if: (a) at least one of the employees of the organisation is an individual who: (i) is an identified healthcare provider; and (ii) provides healthcare as part of his or her duties; and (b) one, and only one of the employees of the organisation is the responsible officer for the organisation; and (c) either: (i) the organisation has at least one other employee who is an organisation maintenance officer for the organisation; or (ii) the responsible officer for the organisation is also the organisation maintenance officer for the organisation. Healthcare identifiers for network organisations (3) The service operator may, under paragraph 9(1)(a), assign a healthcare identifier to a healthcare provider organisation that is a network organisation within a network if: (a) the seed organisation for the network: (i) has been assigned a healthcare identifier that has not been retired; and (ii) does not object to the network organisation being assigned a healthcare identifier under this subsection; and (b) the responsible officer for the seed organisation for the network is also the responsible officer for every network organisation within the network; and (c) there is an organisation maintenance officer for the network organisation; and (d) the organisation maintenance officer for the network organisation is: (i) an employee of the network organisation (the first network organisation); or (ii) an employee of the seed organisation for the network; or (iii) an employee of another network organisation within the network that is hierarchically superior to the first network organisation. What is a network of healthcare provider organisations? (4) A network of healthcare provider organisations is a group of healthcare provider organisations each of which satisfies one of the following criteria: (a) the healthcare provider organisation is part of, or subordinate to, another healthcare provider organisation within the group; (b) another healthcare provider organisation within the group is part of, or subordinate to, the healthcare provider organisation. What is the seed organisation for a network? (5) A healthcare provider organisation is the seed organisation for a network if: (a) there is at least one other healthcare provider organisation that is part of, or subordinate to, the organisation; and (b) the organisation is not itself part of, or subordinate to, another healthcare provider organisation. What is a network organisation within a network? (6) A healthcare provider organisation is a network organisation within a network if it is part of, or subordinate to, another healthcare provider organisation within the network. Responsible officers (7) A person is the responsible officer for a healthcare provider organisation if the duties of the person include the following: (a) nominating the organisation maintenance officer or officers for the organisation to the service operator; (b) requesting the assignment or retirement of a healthcare identifier for the organisation; (c) if there is a network organisation of the organisation: (i) nominating the organisation maintenance officer for the network organisation to the service operator; and (ii) requesting the assignment or retirement of a healthcare identifier for the network organisation; (d) if the organisation is part of a merger or acquisition—requesting the merger or reconfiguration of a healthcare identifier for the organisation. Organisation maintenance officers (8) A person is an organisation maintenance officer for a healthcare provider organisation if the duties of the person include the following: (a) nominating to the service operator at least one additional person to be an organisation maintenance officer of the organisation, if required; (b) maintaining information that is held by the service operator about the organisation; (c) providing current details to the service operator about the organisation for inclusion in the Healthcare Provider Directory; (d) providing any other information requested by the service operator about the organisation for which the organisation maintenance officer is responsible; (e) if the organisation (the seed organisation) has a network organisation: (i) nominating to the service operator another person who meets the employment criteria in paragraph (3)(d) to be the organisation maintenance officer for the network organisation—either on the initiative of the seed organisation or if required by the service operator to do so; (ii) requesting the assignment or retirement of a healthcare identifier for the network organisation; (iii) maintaining information that is held by the service operator about the network organisation; (iv) providing current details to the service operator about the network organisation for inclusion in the Healthcare Provider Directory; (v) providing any other information requested by the service operator about the network organisation for which the organisation maintenance officer is responsible; (vi) if the network organisation is part of a merger or acquisition—requesting the merger or reconfiguration of a healthcare identifier for the organisation. Sole practitioners (9) The service operator may assign a healthcare identifier under paragraph 9(1)(a) to a healthcare provider organisation that is a sole practitioner even though subsection (2) is not satisfied, if the sole practitioner: (a) provides healthcare as part of his or her duties; and (b) performs the duties of a responsible officer and organisation maintenance officer. Duties of the responsible officer performed by another person (10) For the purposes of subsection (7), a person does not cease to be a responsible officer for a healthcare provider organisation if a duty mentioned in subsection (7) is performed by another employee of the organisation on behalf of the person. 32 Section 10 Omit "Division 2 or 2A of Part 3", substitute "Division 2 or 3 of Part 3". 33 Part 3 (heading) Repeal the heading, substitute: Part 3—Collection, use and disclosure of healthcare identifiers, identifying information and other information 34 Divisions 1, 2, 2A and 3 of Part 3 Repeal the Divisions, substitute: Division 1—Simplified outline of this Part 11 Simplified outline of this Part This Part authorises the collection, use and disclosure of healthcare identifiers, identifying information and other information. Healthcare identifiers and other information relating to healthcare recipients The service operator may collect information about a healthcare recipient from various sources for the purpose of assigning a healthcare identifier to the recipient. Once a healthcare identifier is assigned to a healthcare recipient, the service operator may disclose it to healthcare providers to assist in communicating and managing health information. The healthcare identifier may also be disclosed to other entities to assist in the operation of the My Health Record system. A healthcare provider can obtain the healthcare identifier of a healthcare recipient from the service operator, so that the healthcare provider can communicate and manage health information. The healthcare provider can use the healthcare identifier in providing healthcare, for example, by using it to access the My Health Record of a healthcare recipient. Healthcare identifiers and other information relating to healthcare providers Under Part 2, the service operator must keep a record of the healthcare identifiers that have been assigned and other information relating to healthcare identifiers. As a national registration authority assigns healthcare identifiers to most healthcare providers, the service operator may obtain information for the record from a national registration authority. Under Part 2, the service operator assigns healthcare identifiers to healthcare providers in a number of cases. The service operator may collect information about a healthcare provider from various sources for the purposes of assigning those identifiers. The service operator may disclose the healthcare identifiers of healthcare providers to healthcare providers to assist in communicating and managing health information. The healthcare identifier may also be disclosed to other entities to assist in the operation of the My Health Record system. A healthcare provider can obtain the healthcare identifier of a healthcare provider from the service operator, so that the healthcare provider can communicate and manage health information. This includes the use of the identifier in electronic transmissions. The collection, use and disclosure of identifying information and healthcare identifiers is permitted for the purposes of authenticating a healthcare provider's identity in electronic transmissions. A person must not use or disclose information collected for the purposes of the Act or healthcare identifiers, except where required or authorised to do so under the Act or in other limited circumstances. Criminal and civil penalties apply if this obligation is breached. Division 2—Healthcare recipients 12 Collection, use and disclosure—assigning a healthcare identifier to a healthcare recipient An entity mentioned in column 1 of an item of the following table, is authorised to take action of the kind described in column 2 of that item with information of the kind described in column 3 of that item in the circumstances described in column 4 of that item. Collection, use and disclosure for the purpose of assigning a healthcare identifier to a healthcare recipient Item Column 1 Column 2 Column 3 Column 4 Entity Permitted action Information Circumstances 1 identified healthcare provider use identifying information of a healthcare recipient the use or disclosure is for the purpose of assisting the service operator to assign a healthcare identifier to the healthcare recipient disclose to the service operator 2 Chief Executive Medicare use identifying information of a healthcare recipient the use or disclosure is for the purpose of assisting the service operator to assign a healthcare identifier to the healthcare recipient Veterans' Affairs Department disclose to the service operator Defence Department 3 service operator collect from: identifying information of a healthcare recipient the collection or use is for the purpose of assigning a healthcare identifier to a healthcare recipient (a) an identified healthcare provider; or (b) the Chief Executive Medicare; or (c) the Veterans' Affairs Department; or (d) the Defence Department use 13 Collection, use and disclosure—establishing and maintaining a record of healthcare identifiers for healthcare recipients An entity mentioned in column 1 of an item of the following table, is authorised to take action of the kind described in column 2 of that item with information of the kind described in column 3 of that item in the circumstances described in column 4 of that item. Collection, use and disclosure for the purpose of establishing and maintaining a record of healthcare identifiers for healthcare recipients Item Column 1 Column 2 Column 3 Column 4 Entity Permitted action Information Circumstances 1 any entity that has access to the healthcare identifier of a healthcare recipient use healthcare identifier of the healthcare recipient the use or disclosure is for the purposes of assisting the service operator to establish and maintain a record mentioned in section 10 (a record of healthcare identifiers assigned and other matters, such as requests made to the service operator to disclose those identifiers) disclose to the service operator information that relates to the healthcare identifier of the healthcare recipient 2 service operator collect from any entity that has access to the healthcare identifier of a healthcare recipient healthcare identifier of the healthcare recipient the collection or use is for the purposes of establishing and maintaining a record mentioned in section 10 (a record of healthcare identifiers assigned and other matters, such as requests made to the service operator to disclose those identifiers) use information that relates to the healthcare identifier of the healthcare recipient 14 Collection, use and disclosure—providing healthcare to a healthcare recipient (1) An entity mentioned in column 1 of an item of the following table, is authorised to take action of the kind described in column 2 of that item with information of the kind described in column 3 of that item in the circumstances described in column 4 of that item. Collection, use and disclosure for the purpose of providing healthcare to a healthcare recipient Item Column 1 Column 2 Column 3 Column 4 Entity Permitted action Information Circumstances 1 identified healthcare provider use identifying information of a healthcare recipient the use or disclosure is for the purpose of assisting the service operator to disclose the healthcare identifier of the healthcare recipient to the healthcare provider disclose to the service operator 2 service operator collect from an identified healthcare provider identifying information of a healthcare recipient the collection, use or disclosure is for the purpose of disclosing the healthcare identifier of the healthcare recipient to the healthcare provider use disclose to an identified healthcare provider 3 service operator use healthcare identifier of a healthcare recipient the use or disclosure is for the purpose of assisting the healthcare provider to communicate or manage health information, as part of providing healthcare to the healthcare recipient disclose to an identified healthcare provider 4 identified healthcare provider collect from the service operator healthcare identifier of a healthcare recipient the collection is for the purpose of communicating or managing health information, as part of providing healthcare to the healthcare recipient 5 healthcare provider use healthcare identifier of a healthcare recipient the use or disclosure is for the purpose of communicating or managing health information as part of: disclose to another entity (a) the provision of healthcare to the healthcare recipient; or (b) the management (including the investigation or resolution of complaints), funding, monitoring or evaluation of healthcare; or (c) the provision of indemnity cover for a healthcare provider; or (d) the conduct of research that has been approved by a Human Research Ethics Committee 6 entity to whom healthcare identifier of a healthcare recipient is disclosed for a purpose mentioned in column 4 of item 5 collect healthcare identifier of a healthcare recipient the collection, use or disclosure is for the purpose for which the information was disclosed use disclose (2) This section does not authorise the collection, use or disclosure of the healthcare identifier of a healthcare recipient for the purpose of communicating or managing health information as part of: (a) underwriting a contract of insurance that covers the healthcare recipient; or (b) determining whether to enter into a contract of insurance that covers the healthcare recipient (whether alone or as a member of a class); or (c) determining whether a contract of insurance covers the healthcare recipient in relation to a particular event; or (d) employing the healthcare recipient. 15 Collection, use and disclosure—My Health Record system The service operator is authorised to collect, use and disclose: (a) identifying information of a healthcare recipient, an authorised representative of a healthcare recipient or a nominated representative of a healthcare recipient; and (b) the healthcare identifier of a healthcare recipient, an authorised representative of a healthcare recipient or a nominated representative of a healthcare recipient; for the purposes of the My Health Record system. 16 Collection, use and disclosure—aged care An entity mentioned in column 1 of an item of the following table, is authorised to take action of the kind described in column 2 of that item with information of the kind described in column 3 of that item in the circumstances described in column 4 of that item. Collection, use and disclosure for an aged care purpose Item Column 1 Column 2 Column 3 Column 4 Entity Permitted action Information Circumstances 1 identified healthcare provider disclose to the Aged Care Department identifying information of a healthcare recipient the disclosure is for an aged care purpose 2 Aged Care Department collect from an identified healthcare provider identifying information of a healthcare recipient the collection, use or disclosure is for an aged care purpose use disclose to an identified healthcare provider 3 identified healthcare provider collect from the Aged Care Department identifying information of a healthcare recipient the collection or use is for an aged care purpose use 4 Aged Care Department disclose to the service operator identifying information of a healthcare recipient the disclosure is for an aged care purpose 5 service operator collect from the Aged Care Department identifying information of a healthcare recipient the collection or use is for an aged care purpose use 6 service operator use healthcare identifier of a healthcare recipient the use or disclosure is for an aged care purpose disclose to the Aged Care Department 7 healthcare provider disclose to the Aged Care Department healthcare identifier of a healthcare recipient the disclosure is for an aged care purpose 8 Aged Care Department collect from the service operator or a healthcare provider healthcare identifier of a healthcare recipient the collection or use is for an aged care purpose use 17 Adopting the healthcare identifier of a healthcare recipient etc. An entity mentioned in column 1 of an item of the following table, may adopt the healthcare identifier of a healthcare recipient, an authorised representative of a healthcare recipient or a nominated representative of a healthcare recipient, for a purpose mentioned in column 2 of the item. Adopting the healthcare identifier of a healthcare recipient Item Column 1 Column 2 Entity Purpose 1 healthcare provider for use as the healthcare provider's own identifier of the healthcare recipient, the authorised representative of a healthcare representative or the nominated representative of a healthcare recipient 2 My Health Record System Operator for use as the My Health Record System Operator's own identifier for the purposes of the My Health Record system 3 registered repository operator for use as that operator's own identifier for the purposes of the My Health Record system registered portal operator 18 Disclosure of the healthcare identifier of a healthcare recipient to the healthcare recipient etc. Any of the following entities may disclose the healthcare identifier of a healthcare recipient to the healthcare recipient, or a responsible person (within the meaning of the Privacy Act 1988) for the healthcare recipient: (a) the service operator; (b) the My Health Record System Operator; (c) a healthcare provider. 19 Other information relating to the healthcare identifier of a healthcare recipient may be disclosed by the service operator The service operator may disclose information included in the record the service operator maintains under section 10 in relation to a healthcare recipient to: (a) the healthcare recipient; or (b) a responsible person (within the meaning of the Privacy Act 1988) for the healthcare recipient. 20 Regulations relating to the healthcare identifier and identifying information of a healthcare recipient etc. Collection, use or disclosure for other purposes (1) The regulations may authorise the collection, use or disclosure of the following information: (a) identifying information of a healthcare recipient, authorised representative of a healthcare recipient or nominated representative of a healthcare recipient; (b) the healthcare identifier of a healthcare recipient, authorised representative of a healthcare recipient or nominated representative of a healthcare recipient. Adoption for other purposes (2) The regulations may authorise the adoption of the healthcare identifier of a healthcare recipient, authorised representative of a healthcare recipient or a nominated representative of healthcare recipient in the circumstances prescribed by the regulations. Purposes for which regulation‑making powers in subsections (1) and (2) may be used (3) However, the regulations may only authorise the collection, use, disclosure or adoption of that information for purposes related to one or more of the following: (a) providing healthcare to healthcare recipients, or a class of healthcare recipients; (b) determining whether adequate and appropriate healthcare is available to healthcare recipients, or a class of healthcare recipients; (c) facilitating the provision of adequate and appropriate healthcare to healthcare recipients, or a class of healthcare recipients; (d) assisting persons who, because of health issues (including illness, disability or injury), require support; (e) the My Health Record system. Procedures relating to the disclosure of healthcare identifiers (4) The regulations may prescribe rules about the process for disclosing the healthcare identifiers of healthcare recipients, including rules about requests to the service operator to disclose healthcare identifiers of healthcare recipients. Information about disclosures by service operator (5) If the service operator discloses a healthcare identifier of a healthcare recipient to an entity, the regulations may require the entity to provide prescribed information to the service operator in relation to the disclosure. Division 3—Healthcare providers 21 Collection, use and disclosure—assigning a healthcare identifier to a healthcare provider An entity mentioned in column 1 of an item of the following table, is authorised to take action of the kind described in column 2 of that item with information of the kind described in column 3 of that item in the circumstances described in column 4 of that item. Collection, use and disclosure for the purpose of assigning a healthcare identifier to a healthcare provider Item Column 1 Column 2 Column 3 Column 4 Entity Permitted action Information Circumstances 1 service operator collect from: identifying information of a healthcare provider the collection or use is for the purpose of assigning a healthcare identifier to the healthcare provider (a) the Chief Executive Medicare; or (b) the Veterans' Affairs Department; or (c) the Defence Department use 2 Chief Executive Medicare use identifying information of a healthcare provider the use or disclosure is for the purpose of assisting the service operator to assign a healthcare identifier to the healthcare provider Veterans' Affairs Department disclose to the service operator Defence Department 3 service operator collect from a healthcare provider information requested by the service operator under section 9B the collection or use is for the purpose of assigning a healthcare identifier to the healthcare provider use 22 Collection, use and disclosure—establishing and maintaining a record of healthcare identifiers for healthcare providers An entity mentioned in column 1 of an item of the following table, is authorised to take action of the kind described in column 2 of that item with information of the kind described in column 3 of that item in the circumstances described in column 4 of that item. Collection, use and disclosure for the purpose of establishing and maintaining a record of healthcare identifiers for healthcare providers Item Column 1 Column 2 Column 3 Column 4 Entity Permitted action Information Circumstances 1 a national registration authority use healthcare identifier of a healthcare provider the use or disclosure is for the purposes of assisting the service operator to establish and maintain a record mentioned in section 10 (a record of healthcare identifiers assigned and other matters, such as requests made to the service operator to disclose those identifiers) disclose to the service operator information that relates to the healthcare identifier of a healthcare provider 2 service operator collect from a national registration authority healthcare identifier of a healthcare provider the collection or use is for the purposes of establishing and maintaining a record mentioned in section 10 (a record of healthcare identifiers assigned and other matters, such as requests made to the service operator to disclose those identifiers) use information that relates to the healthcare identifier of a healthcare provider 23 Collection, use and disclosure—providing healthcare An entity mentioned in column 1 of an item of the following table, is authorised to take action of the kind described in column 2 of that item with information of the kind described in column 3 of that item in the circumstances described in column 4 of that item. Collection, use and disclosure for the purpose of providing healthcare Item Column 1 Column 2 Column 3 Column 4 Entity Permitted action Information Circumstances 1 identified healthcare provider use identifying information of a healthcare provider the use or disclosure is for the purpose of assisting the healthcare provider to communicate or manage health information, as part of providing healthcare to a healthcare recipient disclose to the service operator 2 service operator collect from an identified healthcare provider identifying information of a healthcare provider the collection is for the purpose of assisting the healthcare provider to communicate or manage health information, as part of providing healthcare to a healthcare recipient 3 service operator use healthcare identifier of a healthcare provider the use or disclosure is for the purpose of assisting the healthcare provider to communicate or manage health information, as part of providing healthcare to a healthcare recipient disclose to an identified healthcare provider 4 identified healthcare provider collect from the service operator healthcare identifier of a healthcare provider the collection is for the purpose of communicating or managing health information, as part of providing healthcare to a healthcare recipient 5 healthcare provider collect from another healthcare provider healthcare identifier of a healthcare provider the collection, use or disclosure is the purpose of communicating or managing health information, as part of providing healthcare to a healthcare recipient use disclose to another healthcare provider 24 Collection, use and disclosure—My Health Record system The service operator is authorised to collect, use and disclose: (a) identifying information of a healthcare provider; and (b) the healthcare identifier of a healthcare provider; for the purposes of the My Health Record system. 25 Collection, use and disclosure—enabling authentication in electronic communications An entity mentioned in column 1 of an item of the following table, is authorised to take action of the kind described in column 2 of that item with information of the kind described in column 3 of that item in the circumstances described in column 4 of that item. Collection, use and disclosure for the purpose of facilitating electronic communications Item Column 1 Column 2 Column 3 Column 4 Entity Permitted action Information Circumstances 1 service operator use identifying information of a healthcare provider the use or disclosure is for the purpose of enabling the healthcare provider's identity to be authenticated in electronic transmissions registration authority disclose to any entity healthcare identifier of a healthcare provider 2 an entity to whom information is disclosed for the purposes of enabling a healthcare provider's identity to be authenticated in electronic communications collect from any entity identifying information of a healthcare provider the collection, use or disclosure is for the purpose of enabling the healthcare provider's identity to be authenticated in electronic transmissions use healthcare identifier of a healthcare provider disclose to any entity 25A Collection, use and disclosure—sharing information with registration authorities An entity mentioned in column 1 of an item of the following table, is authorised to take action of the kind described in column 2 of that item with information of the kind described in column 3 of that item in the circumstances described in column 4 of that item. Collection, use and disclosure for the purpose of sharing information with registration authorities Item Column 1 Column 2 Column 3 Column 4 Entity Permitted action Information Circumstances 1 service operator use healthcare identifier of a healthcare provider the use or disclosure is for the purpose of assisting the registration authority to register the healthcare provider disclose to a registration authority 2 registration authority collect healthcare identifier of a healthcare provider the collection or use is for one of the following purposes: use (a) registering the healthcare provider; (b) performing any other function of the registration authority under an Australian law 3 service operator collect from a registration authority identifying information of a healthcare provider the collection, use or disclosure is for the purpose of ensuring that information held by the service operator or the registration authority is accurate, up‑to‑date and complete use healthcare identifier of a healthcare provider disclose to a registration authority 4 registration authority collect from the service operator identifying information of a healthcare provider the collection, use or disclosure is for the purpose of ensuring that information held by the service operator or the registration authority is accurate, up‑to‑date and complete use healthcare identifier of a healthcare provider disclose to the service operator 25B Adopting the healthcare identifier of a healthcare provider An entity mentioned in column 1 of an item of the following table, may adopt the healthcare identifier of a healthcare provider for a purpose mentioned in column 2 of the item. Adopting the healthcare identifier of a healthcare provider Item Column 1 Column 2 Entity Purpose 1 My Health Record System Operator for use as the My Health Record System Operator's own identifier for the purposes of the My Health Record system 2 registered repository operator for use as that operator's own identifier for the purposes of the My Health Record system