Commonwealth: Healthcare Identifiers Act 2010 (Cth)

Healthcare Identifiers Act 2010 No. 72, 2010 Compilation No. 19 Compilation date: 14 October 2024 Includes amendments: Act No. 38, 2024 About this compilation This compilation This is a compilation of the Healthcare Identifiers Act 2010 that shows the text of the law as amended and in force on 14 October 2024 (the compilation date). The notes at the end of this compilation (the endnotes) include information about amending laws and the amendment history of provisions of the compiled law. Uncommenced amendments The effect of uncommenced amendments is not shown in the text of the compiled law. Any uncommenced amendments affecting the law are accessible on the Register (www.legislation.gov.au). The details of amendments made up to, but not commenced at, the compilation date are underlined in the endnotes. For more information on any uncommenced amendments, see the Register for the compiled law. Application, saving and transitional provisions for provisions and amendments If the operation of a provision or amendment of the compiled law is affected by an application, saving or transitional provision that is not included in this compilation, details are included in the endnotes. Editorial changes For more information about any editorial changes made in this compilation, see the endnotes. Modifications If the compiled law is modified by another law, the compiled law operates as modified but the modification does not amend the text of the law. Accordingly, this compilation does not show the text of the compiled law as modified. For more information on any modifications, see the Register for the compiled law. Self‑repealing provisions If a provision of the compiled law has been repealed in accordance with a provision of the law, details are included in the endnotes. Contents Part 1—Preliminary 1 Short title 2 Commencement 3 Purpose of this Act 3A Simplified outline of this Act 4 Act to bind the Crown 4A External Territories 5 Definitions 6 Identity of service operator 7 Meaning of identifying information 8 Meaning of national registration authority Part 2—Assigning healthcare identifiers 9AA Simplified outline of this Part 9 Assigning healthcare identifiers 9A Classes of healthcare provider that may be assigned a healthcare identifier by the service operator 9B Information that may be requested before assigning healthcare identifiers 9C Review of decision not to assign a healthcare identifier 10 Service operator must keep record of healthcare identifiers etc. Part 3—Collection, use and disclosure of healthcare identifiers, identifying information and other information Division 1—Simplified outline of this Part 11 Simplified outline of this Part Division 2—Healthcare recipients 12 Collection, use and disclosure—assigning a healthcare identifier to a healthcare recipient 13 Collection, use and disclosure—establishing and maintaining a record of healthcare identifiers for healthcare recipients 14 Collection, use and disclosure—providing healthcare to a healthcare recipient 15 Collection, use and disclosure—My Health Record system 16 Collection, use and disclosure—aged care 17 Adopting the healthcare identifier of a healthcare recipient etc. 18 Disclosure of the healthcare identifier of a healthcare recipient to the healthcare recipient etc. 19 Other information relating to the healthcare identifier of a healthcare recipient may be disclosed by the service operator 20 Regulations relating to the healthcare identifier and identifying information of a healthcare recipient etc. Division 3—Healthcare providers 21 Collection, use and disclosure—assigning a healthcare identifier to a healthcare provider 22 Collection, use and disclosure—establishing and maintaining a record of healthcare identifiers for healthcare providers 23 Collection, use and disclosure—providing healthcare 24 Collection, use and disclosure—My Health Record system 25 Collection, use and disclosure—enabling authentication in electronic communications 25A Collection, use and disclosure—sharing information with registration authorities 25B Adopting the healthcare identifier of a healthcare provider 25C Disclosure of the healthcare identifier of a healthcare provider to the healthcare provider 25D Regulations relating to the healthcare identifier and other information of a healthcare provider 25E Obligation to keep information accurate, up‑to‑date and complete Division 4—Unauthorised use and disclosure of healthcare identifiers and other information obtained under this Act 26 Use and disclosure of healthcare identifiers and other information obtained under this Act Division 5—Protection of healthcare identifiers 27 Protection of healthcare identifiers Part 4—Interaction with the Privacy Act 1988 28AA Simplified outline of this Part 28 Interaction with the Privacy Act 1988 29 Functions of Information Commissioner 30 Annual reports by Information Commissioner Part 5—Healthcare Provider Directory 31AA Simplified outline of this Part 31 Healthcare Provider Directory 31A Healthcare Provider Directory—sharing information with the My Health Record System Operator Part 5A—Enforcement 31B Simplified outline of this Part 31C Civil penalty provisions 31D Enforceable undertakings 31E Injunctions Part 6—Oversight role of Ministerial Council 31F Simplified outline of this Part 32 Directions to service operator 33 Consultation with Ministerial Council about regulations 34 Annual reports by service operator 35 Review of the operation of this Act Part 7—Miscellaneous Division 1—Simplified outline of this Part 36AA Simplified outline of this Part Division 2—Employees, contractors, partnerships, unincorporated associations and trusts 36 Extent of authorisation 36A Authorisation to disclose to employees and contracted service providers of a healthcare provider 36B Treatment of partnerships 36C Treatment of unincorporated associations 36D Treatment of trusts with multiple trustees Division 3—Delegations 36E Delegations by the service operator Division 4—Constitutional matters 37 Relationship to State and Territory laws 38 Severability—additional effect of Parts 3 and 4 Division 5—Regulations 39 Regulations Endnotes Endnote 1—About the endnotes Endnote 2—Abbreviation key Endnote 3—Legislation history Endnote 4—Amendment history An Act to provide for healthcare identifiers, and for related purposes Part 1—Preliminary 1 Short title This Act may be cited as the Healthcare Identifiers Act 2010. 2 Commencement This Act commences on the day after this Act receives the Royal Assent. 3 Purpose of this Act (1) The purpose of this Act is to provide a way of ensuring that an entity that provides, or an individual who receives, healthcare is correctly matched to health information that is created when healthcare is provided. (2) This purpose is to be achieved by assigning a unique identifying number to each healthcare provider and healthcare recipient. 3A Simplified outline of this Act Under this Act, healthcare identifiers are assigned to healthcare recipients, individual healthcare providers and healthcare provider organisations. There are strict rules on: (a) the verification of a person's identity before a healthcare identifier is assigned; and (b) the purposes for which a healthcare identifier can be collected, used and disclosed; and (c) the purposes for which the identifying information of a healthcare recipient, a healthcare provider or a healthcare provider organisation can be collected, used and disclosed. This Act facilitates the use of the healthcare identifier for the purposes of communicating and managing health information about a healthcare recipient (including through the My Health Record system). This Act also facilitates: (a) the creation of a Healthcare Provider Directory, to allow healthcare providers to check the professional and business details of healthcare providers; and (b) the use of authenticated electronic communications by healthcare providers. 4 Act to bind the Crown (1) This Act binds the Crown in right of the Commonwealth, of the States, of the Australian Capital Territory and of the Northern Territory. Note: The Minister must, in certain circumstances, declare that certain provisions of this Act do not apply to the public bodies of a specified State or Territory: see subsection 37(4). (2) This Act does not make the Crown liable to be prosecuted for an offence. 4A External Territories This Act extends to every external Territory. 5 Definitions In this Act: aged care, in relation to a person, has the same meaning as in: (a) if the Aged Care Act 1997 applies in relation to the person—that Act; and (b) if the Aged Care (Transitional Provisions) Act 1997 applies in relation to the person—that Act. Aged Care Department means the Department administered by the Aged Care Minister. Aged Care Minister means the Minister administering the Aged Care Act 1997. aged care purpose means: (a) the purpose of enabling the Aged Care Department to create and maintain a record about aged care provided to a person by an approved provider (within the meaning of the Aged Care Quality and Safety Commission Act 2018); or (b) the purpose of the Aged Care Department verifying the identity of a person who is receiving, or who is to receive, aged care. Australian law has the same meaning as in the Privacy Act 1988. authorised representative of a healthcare recipient has the same meaning as in the My Health Records Act 2012. Chief Executive Medicare has the same meaning as in the Human Services (Medicare) Act 1973. civil penalty provision has the same meaning as in the Regulatory Powers Act. contracted service provider, of a healthcare provider, means an entity that provides: (a) information technology services relating to the communication of health information; or (b) health information management services; to the healthcare provider under a contract with the healthcare provider. court/tribunal order has the same meaning as in the Privacy Act 1988. date of birth accuracy indicator means a data element that is used to indicate how accurate a recorded date of birth is. date of death accuracy indicator means a data element that is used to indicate how accurate a recorded date of death is. Defence Department means the Department that: (a) deals with matters arising under section 1 of the Defence Act 1903; and (b) is administered by the Minister who administers that section. employee, of an entity, includes: (a) an individual who provides services for the entity under a contract for services; or (b) an individual whose services are made available to the entity (including services made available free of charge). entity means: (a) a person; or (b) a partnership; or (c) any other unincorporated association or body; or (d) a trust; or (e) a part of another entity (under a previous application of this definition). healthcare means health service within the meaning of subsection 6(1) of the Privacy Act 1988. healthcare identifier has the meaning given by section 9. healthcare provider means: (a) an individual healthcare provider; or (b) a healthcare provider organisation. Healthcare Provider Directory has the meaning given by subsection 31(1). healthcare provider organisation means an entity, or a part of an entity, that has conducted, conducts, or will conduct, an enterprise that provides healthcare (including healthcare provided free of charge). Example: A public hospital, or a corporation that runs a medical centre. healthcare recipient means an individual who has received, receives, or may receive, healthcare. health information has the meaning given by subsection 6(1) of the Privacy Act 1988. Human Research Ethics Committee has the meaning given by: (a) the National Statement on Ethical Conduct in Human Research issued in March 2007 by the Chief Executive Officer of the National Health and Medical Research Council under the National Health and Medical Research Council Act 1992; or (b) if that Statement is amended—that Statement as amended. Note: In 2010, the text of the Statement was accessible through the National Health and Medical Research Council website (www.nhmrc.gov.au). identified healthcare provider means a healthcare provider who has been assigned a healthcare identifier under section 9. identifying information has the meaning given by section 7. individual healthcare provider means an individual who: (a) has provided, provides, or is to provide, healthcare; or (b) is registered by a registration authority as a member of a particular health profession. law includes: (a) an Act or legislative instrument; or (b) an Act or legislative instrument of a State or Territory. linked: an individual healthcare provider is linked to a healthcare provider organisation if: (a) the individual healthcare provider is an employee of the healthcare provider organisation; or (b) the healthcare provider organisation provides support services or facilities to the individual healthcare provider, to facilitate the provision of healthcare by the individual healthcare provider. Ministerial Council means a body (however described) that consists of the Minister of the Commonwealth, and the Minister of each State and Territory, who is responsible, or principally responsible, for matters relating to health. My Health Record has the same meaning as in the My Health Records Act 2012. My Health Records Act means the My Health Records Act 2012. My Health Record system has the same meaning as in the My Health Records Act 2012. My Health Record System Operator means the System Operator within the meaning of the My Health Records Act 2012. national registration authority has the meaning given by section 8. network of healthcare provider organisations has the meaning given by subsection 9A(4). network organisation within a network has the meaning given by subsection 9A(6). nominated representative of a healthcare recipient has the same meaning as in the My Health Records Act 2012. organisation maintenance officer for a healthcare provider organisation has the meaning given by subsection 9A(8). participant in the My Health Record system has the same meaning as in the My Health Records Act 2012. personal information has the same meaning as in the Privacy Act 1988. professional association means an organisation that: (a) is a separate legal entity under a law of the Commonwealth or a State or Territory; and (b) has the following characteristics: (i) its members practise the same healthcare profession; (ii) it has enough membership to be considered representative of the healthcare profession practised by its members; (iii) it sets its own admission requirements, including acceptable qualifications; (iv) it sets and publishes standards of practice and ethical conduct; (v) it aims to maintain the standing of the healthcare profession practised by its members; (vi) it has written rules, articles of association, by‑laws or codes of conduct for its members; (vii) it has the ability to impose sanctions on members who contravene the association's written rules, articles of association, by‑laws or codes of conduct; (viii) it sets requirements to maintain its members' professional skills and knowledge by continuing professional development; and (c) has members who: (i) may take part in decisions affecting their profession; and (ii) have the right to vote at meetings of the association; and (iii) have the right to be recognised as being members of the professional association. registered portal operator has the same meaning as in the My Health Records Act 2012. registered repository operator has the same meaning as in the My Health Records Act 2012. registration authority means an entity that is responsible under a law for registering members of a particular health profession. Regulatory Powers Act means the Regulatory Powers (Standard Provisions) Act 2014. responsible officer for a healthcare provider organisation has the meaning given by subsection 9A(7). retirement, for a healthcare provider organisation's healthcare identifier, means a state imposed by the service operator on the healthcare identifier so that it may no longer be used by the healthcare provider organisation to identify the healthcare provider organisation. seed organisation for a network has the meaning given by subsection 9A(5). service operator has the meaning given by section 6. sole practitioner means a person who is both an individual healthcare provider and a healthcare provider organisation. State or Territory authority has the meaning given by the Privacy Act 1988. under this Act includes under the regulations. Veterans' Affairs Department means the Department that: (a) deals with matters arising under: (i) section 1 of the Australian Participants in British Nuclear Tests and British Commonwealth Occupation Force (Treatment) Act 2006; or (ii) section 1 of the Military Rehabilitation and Compensation Act 2004; or (iia) section 1 of the Treatment Benefits (Special Access) Act 2019; or (iii) section 1 of the Veterans' Entitlements Act 1986; and (b) is administered by the Minister who administers that section. 6 Identity of service operator The service operator is: (a) the Chief Executive Medicare; or (b) if a body established by a law of the Commonwealth is prescribed by the regulations to be the service operator—that body. Note: Section 33 provides that the Minister must consult with the Ministerial Council before making regulations. 7 Meaning of identifying information (1) Each of the following is identifying information of a healthcare provider who is an individual, if the service operator requires it for the purpose of performing the service operator's functions under this Act in relation to the healthcare provider: (a) the name of the healthcare provider; (b) the address of the healthcare provider; (ba) the email address, telephone number and fax number of the healthcare provider; (c) the date of birth, and the date of birth accuracy indicator, of the healthcare provider; (d) the sex of the healthcare provider; (e) the type of healthcare provider that the individual is; (f) if the healthcare provider is registered by a registration authority—the registration authority's identifier for the healthcare provider and the status of the registration (such as conditional, suspended or cancelled); (g) other information that is prescribed by the regulations for the purpose of this paragraph. (2) Each of the following is identifying information of a healthcare provider that is not an individual, if the service operator requires it for the purpose of performing the service operator's functions under this Act in relation to the healthcare provider: (a) the name of the healthcare provider; (b) the address of the healthcare provider; (ba) the email address, telephone number and fax number of the healthcare provider; (c) if applicable, the ABN (within the meaning of the A New Tax System (Australian Business Number) Act 1999) of the healthcare provider; (d) if applicable, the ACN (within the meaning of the Corporations Act 2001) of the healthcare provider; (e) other information that is prescribed by the regulations for the purpose of this paragraph. (3) Each of the following is identifying information of a healthcare recipient, if the service operator requires it for the purpose of performing the service operator's functions under this Act in relation to the healthcare recipient: (a) if applicable, the Medicare number of the healthcare recipient; (b) if applicable, the Veterans' Affairs Department file number of the healthcare recipient; (c) the name of the healthcare recipient; (d) the address of the healthcare recipient; (e) the date of birth, and the date of birth accuracy indicator, of the healthcare recipient; (f) the sex of the healthcare recipient; (g) for a healthcare recipient who was part of a multiple birth—the order in which the healthcare recipient was born; Example: The 2nd of twins. (h) if applicable, the date of death, and the date of death accuracy indicator, of the healthcare recipient; (i) other information that is prescribed by the regulations for the purpose of this paragraph. 8 Meaning of national registration authority A national registration authority is a registration authority that is prescribed by the regulations for the purposes of this section. Part 2—Assigning healthcare identifiers 9AA Simplified outline of this Part Healthcare identifiers are assigned to healthcare recipients, individual healthcare providers and healthcare provider organisations. The service operator assigns healthcare identifiers to healthcare recipients. A national registration authority will usually assign a healthcare identifier to an individual healthcare provider, although there are a number of cases in which a healthcare provider is not registered by such an authority. In those cases, the healthcare identifier is assigned by the service operator. The service operator assigns a healthcare identifier to a healthcare provider organisation. For a healthcare provider organisation to be assigned a healthcare identifier, the organisation must have at least one employee who is an individual healthcare provider providing healthcare as part of his or her duties, a responsible officer and an organisation maintenance officer. The responsible officer may also be the organisation maintenance officer. If the organisation is part of, or subordinate to, another healthcare provider organisation, it need not have its own responsible officer. A sole practitioner may be registered as a healthcare provider organisation. If the service operator refuses to assign a healthcare identifier, a person whose interests are affected by the decision may ask the service operator to reconsider the decision. A person may apply to the Administrative Review Tribunal for review of the service operator's reconsidered decision. The service operator must keep a record of the healthcare identifiers assigned, and other information relating to the healthcare identifiers including details of requests to the service operator to disclose a healthcare identifier. 9 Assigning healthcare identifiers (1) The service operator is authorised to assign a number (a healthcare identifier) to uniquely identify: (a) a healthcare provider to whom section 9A applies; or (b) a healthcare recipient. (2) A national registration authority is authorised to assign a number (a healthcare identifier) to uniquely identify a healthcare provider, if: (a) the healthcare provider is an individual who is a member of a particular health profession; and (b) the national registration authority is responsible under a law for registering members of that health profession. (3) The types of healthcare identifiers include: (a) an identifier that is assigned to an individual healthcare provider; and (b) an identifier that is assigned to a healthcare provider organisation; and (c) an identifier that is assigned to a healthcare recipient. Note: A sole practitioner may be assigned: (a) a healthcare identifier of the type mentioned in paragraph (3)(a); and (b) a different healthcare identifier of the type mentioned in paragraph (3)(b). (4) In exercising a power under subsection (1), the service operator is not required to consider whether a healthcare provider or healthcare recipient agrees to having a healthcare identifier assigned to the healthcare provider or healthcare recipient. (6) A healthcare identifier of a healthcare recipient or of an individual healthcare provider is a government related identifier for the purposes of the Privacy Act 1988. 9A Classes of healthcare provider that may be assigned a healthcare identifier by the service operator Healthcare identifiers for individual healthcare providers (1) The service operator may, under paragraph 9(1)(a), assign a healthcare identifier to an individual healthcare provider if: (a) the individual healthcare provider is registered by a registration authority as a member of a health profession; or (b) the individual healthcare provider is a member of a professional association that: (i) relates to the healthcare that has been, is, or is to be, provided by the member; and (ii) has uniform national membership requirements, whether or not in legislation. Healthcare identifiers for a healthcare provider organisation that is a seed organisation, or is not part of a network (2) The service operator may, under paragraph 9(1)(a), assign a healthcare identifier to a healthcare provider organisation that is a seed organisation for a network, or that is not part of a network, if: (a) at least one of the employees of the organisation is an individual who: (i) is an identified healthcare provider; and (ii) provides healthcare as part of his or her duties; and (b) one, and only one of the employees of the organisation is the responsible officer for the organisation; and (c) either: (i) the organisation has at least one other employee who is an organisation maintenance officer for the organisation; or (ii) the responsible officer for the organisation is also the organisation maintenance officer for the organisation. Healthcare identifiers for network organisations (3) The service operator may, under paragraph 9(1)(a), assign a healthcare identifier to a healthcare provider organisation that is a network organisation within a network if: (a) the seed organisation for the network: (i) has been assigned a healthcare identifier that has not been retired; and (ii) does not object to the network organisation being assigned a healthcare identifier under this subsection; and (b) the responsible officer for the seed organisation for the network is also the responsible officer for every network organisation within the network; and (c) there is an organisation maintenance officer for the network organisation; and (d) the organisation maintenance officer for the network organisation is: (i) an employee of the network organisation (the first network organisation); or (ii) an employee of the seed organisation for the network; or (iii) an employee of another network organisation within the network that is hierarchically superior to the first network organisation. What is a network of healthcare provider organisations? (4) A network of healthcare provider organisations is a group of healthcare provider organisations each of which satisfies one of the following criteria: (a) the healthcare provider organisation is part of, or subordinate to, another healthcare provider organisation within the group; (b) another healthcare provider organisation within the group is part of, or subordinate to, the healthcare provider organisation. What is the seed organisation for a network? (5) A healthcare provider organisation is the seed organisation for a network if: (a) there is at least one other healthcare provider organisation that is part of, or subordinate to, the organisation; and (b) the organisation is not itself part of, or subordinate to, another healthcare provider organisation. What is a network organisation within a network? (6) A healthcare provider organisation is a network organisation within a network if it is part of, or subordinate to, another healthcare provider organisation within the network. Responsible officers (7) A person is the responsible officer for a healthcare provider organisation if the duties of the person include the following: (a) nominating the organisation maintenance officer or officers for the organisation to the service operator; (b) requesting the assignment or retirement of a healthcare identifier for the organisation; (c) if there is a network organisation of the organisation: (i) nominating the organisation maintenance officer for the network organisation to the service operator; and (ii) requesting the assignment or retirement of a healthcare identifier for the network organisation; (d) if the organisation is part of a merger or acquisition—requesting the merger or reconfiguration of a healthcare identifier for the organisation. Organisation maintenance officers (8) A person is an organisation maintenance officer for a healthcare provider organisation if the duties of the person include the following: (a) nominating to the service operator at least one additional person to be an organisation maintenance officer of the organisation, if required; (b) maintaining information that is held by the service operator about the organisation; (c) providing current details to the service operator about the organisation for inclusion in the Healthcare Provider Directory; (d) providing any other information requested by the service operator about the organisation for which the organisation maintenance officer is responsible; (e) if the organisation (the seed organisation) has a network organisation: (i) nominating to the service operator another person who meets the employment criteria in paragraph (3)(d) to be the organisation maintenance officer for the network organisation—either on the initiative of the seed organisation or if required by the service operator to do so; (ii) requesting the assignment or retirement of a healthcare identifier for the network organisation; (iii) maintaining information that is held by the service operator about the network organisation; (iv) providing current details to the service operator about the network organisation for inclusion in the Healthcare Provider Directory; (v) providing any other information requested by the service operator about the network organisation for which the organisation maintenance officer is responsible; (vi) if the network organisation is part of a merger or acquisition—requesting the merger or reconfiguration of a healthcare identifier for the organisation. Sole practitioners (9) The service operator may assign a healthcare identifier under paragraph 9(1)(a) to a healthcare provider organisation that is a sole practitioner even though subsection (2) is not satisfied, if the sole practitioner: (a) provides healthcare as part of his or her duties; and (b) performs the duties of a responsible officer and organisation maintenance officer. Duties of the responsible officer performed by another person (10) For the purposes of subsection (7), a person does not cease to be a responsible officer for a healthcare provider organisation if a duty mentioned in subsection (7) is performed by another employee of the organisation on behalf of the person. 9B Information that may be requested before assigning healthcare identifiers (1) The service operator may request an individual healthcare provider to provide the following information before assigning the healthcare provider a healthcare identifier: (a) identifying information of the healthcare provider; Note: Identifying information is defined in section 7. (b) information that shows that section 9A applies to the healthcare provider. (2) The service operator may request a healthcare provider organisation to provide the following information before assigning the healthcare provider a healthcare identifier: (a) identifying information of the healthcare provider; Note: Identifying information is defined in section 7. (b) information that shows that section 9A applies to the healthcare provider; (c) information identifying the healthcare provider's responsible officer and organisation maintenance officer, including the person's name, work address, work email address, work telephone number or work fax number. (3) The healthcare provider must give the information in any form requested by the service operator. Example: A healthcare provider may be asked for original documentation, or for the information to be given in writing or in a statutory declaration. (4) If the service operator is not satisfied by the information given, it does not have to assign a healthcare identifier to the healthcare provider. 9C Review of decision not to assign a healthcare identifier (1) This section applies to a decision by the service operator not to assign a healthcare identifier to a healthcare provider under paragraph 9(1)(a). Note: This section does not apply to a decision to assign a healthcare identifier to a healthcare recipient under paragraph 9(1)(b), or a decision by a national registration authority not to assign a healthcare identifier to an individual healthcare provider under subsection 9(2). (2) The service operator must give written notice of the decision to a person whose interests are affected by the decision, including a statement: (a) that the person may apply to the service operator to reconsider the decision; and (b) of the person's rights to seek review under subsection (8) of a reconsidered decision. (3) A failure of the service operator to comply with subsection (2) does not affect the validity of the decision. (4) A person whose interests are affected by the decision may, by written notice to the service operator within 28 days after receiving notice of the decision, ask the service operator to reconsider the decision. (5) A request under subsection (4) must mention the reasons for making the request. (6) The service operator must: (a) reconsider the decision within 28 days after receiving the request; and (b) give to the person who requested the reconsideration written notice of the result of the reconsideration and of the grounds for the result. (7) The notice must include a statement that the person may apply to the Administrative Review Tribunal for review of the reconsideration. (8) A person may apply to the Administrative Review Tribunal for a review of a decision of the service operator made under subsection (6). 10 Service operator must keep record of healthcare identifiers etc. The service operator must establish and maintain an accurate record of: (a) healthcare identifiers that have been assigned; and (b) the information that the service operator has that relates to those healthcare identifiers, including details of requests made to the service operator for the service operator to disclose those healthcare identifiers under Division 2 or 3 of Part 3. Part 3—Collection, use and disclosure of healthcare identifiers, identifying information and other information Division 1—Simplified outline of this Part 11 Simplified outline of this Part This Part authorises the collection, use and disclosure of healthcare identifiers, identifying information and other information. Healthcare identifiers and other information relating to healthcare recipients The service operator may collect information about a healthcare recipient from various sources for the purpose of assigning a healthcare identifier to the recipient. Once a healthcare identifier is assigned to a healthcare recipient, the service operator may disclose it to healthcare providers to assist in communicating and managing health information. The healthcare identifier may also be disclosed to other entities to assist in the operation of the My Health Record system. A healthcare provider can obtain the healthcare identifier of a healthcare recipient from the service operator, so that the healthcare provider can communicate and manage health information. The healthcare provider can use the healthcare identifier in providing healthcare, for example, by using it to access the My Health Record of a healthcare recipient. Healthcare identifiers and other information relating to healthcare providers Under Part 2, the service operator must keep a record of the healthcare identifiers that have been assigned and other information relating to healthcare identifiers. As a national registration authority assigns healthcare identifiers to most healthcare providers, the service operator may obtain information for the record from a national registration authority. Under Part 2, the service operator assigns healthcare identifiers to healthcare providers in a number of cases. The service operator may collect information about a healthcare provider from various sources for the purposes of assigning those identifiers. The service operator may disclose the healthcare identifiers of healthcare providers to healthcare providers to assist in communicating and managing health information. The healthcare identifier may also be disclosed to other entities to assist in the operation of the My Health Record system. A healthcare provider can obtain the healthcare identifier of a healthcare provider from the service operator, so that the healthcare provider can communicate and manage health information. This includes the use of the identifier in electronic transmissions. The collection, use and disclosure of identifying information and healthcare identifiers is permitted for the purposes of authenticating a healthcare provider's identity in electronic transmissions. A person must not use or disclose information collected for the purposes of the Act or healthcare identifiers, except where required or authorised to do so under the Act or in other limited circumstances. Criminal and civil penalties apply if this obligation is breached. Division 2—Healthcare recipients 12 Collection, use and disclosure—assigning a healthcare identifier to a healthcare recipient An entity mentioned in column 1 of an item of the following table, is authorised to take action of the kind described in column 2 of that item with information of the kind described in column 3 of that item in the circumstances described in column 4 of that item. Collection, use and disclosure for the purpose of assigning a healthcare identifier to a healthcare recipient Item Column 1 Column 2 Column 3 Column 4 Entity Permitted action Information Circumstances 1 identified healthcare provider use identifying information of a healthcare recipient the use or disclosure is for the purpose of assisting the service operator to assign a healthcare identifier to the healthcare recipient disclose to the service operator 2 Chief Executive Medicare use identifying information of a healthcare recipient the use or disclosure is for the purpose of assisting the service operator to assign a healthcare identifier to the healthcare recipient Veterans' Affairs Department disclose to the service operator Defence Department 3 service operator collect from: identifying information of a healthcare recipient the collection or use is for the purpose of assigning a healthcare identifier to a healthcare recipient (a) an identified healthcare provider; or (b) the Chief Executive Medicare; or (c) the Veterans' Affairs Department; or (d) the Defence Department use 13 Collection, use and disclosure—establishing and maintaining a record of healthcare identifiers for healthcare recipients An entity mentioned in column 1 of an item of the following table, is authorised to take action of the kind described in column 2 of that item with information of the kind described in column 3 of that item in the circumstances described in column 4 of that item. Collection, use and disclosure for the purpose of establishing and maintaining a record of healthcare identifiers for healthcare recipients Item Column 1 Column 2 Column 3 Column 4 Entity Permitted action Information Circumstances 1 any entity that has access to the healthcare identifier of a healthcare recipient use healthcare identifier of the healthcare recipient the use or disclosure is for the purposes of assisting the service operator to establish and maintain a record mentioned in section 10 (a record of healthcare identifiers assigned and other matters, such as requests made to the service operator to disclose those identifiers) disclose to the service operator information that relates to the healthcare identifier of the healthcare recipient 2 service operator collect from any entity that has access to the healthcare identifier of a healthcare recipient healthcare identifier of the healthcare recipient the collection or use is for the purposes of establishing and maintaining a record mentioned in section 10 (a record of healthcare identifiers assigned and other matters, such as requests made to the service operator to disclose those identifiers) use information that relates to the healthcare identifier of the healthcare recipient 14 Collection, use and disclosure—providing healthcare to a healthcare recipient (1) An entity mentioned in column 1 of an item of the following table, is authorised to take action of the kind described in column 2 of that item with information of the kind described in column 3 of that item in the circumstances described in column 4 of that item. Collection, use and disclosure for the purpose of providing healthcare to a healthcare recipient Item Column 1 Column 2 Column 3 Column 4 Entity Permitted action Information Circumstances 1 identified healthcare provider use identifying information of a healthcare recipient the use or disclosure is for the purpose of assisting the service operator to disclose the healthcare identifier of the healthcare recipient to the healthcare provider disclose to the service operator 2 service operator collect from an identified healthcare provider identifying information of a healthcare recipient the collection, use or disclosure is for the purpose of disclosing the healthcare identifier of the healthcare recipient to the healthcare provider use disclose to an identified healthcare provider 3 service operator use healthcare identifier of a healthcare recipient the use or disclosure is for the purpose of assisting the healthcare provider to communicate or manage health information, as part of providing healthcare to the healthcare recipient disclose to an identified healthcare provider 4 identified healthcare provider collect from the service operator healthcare identifier of a healthcare recipient the collection is for the purpose of communicating or managing health information, as part of providing healthcare to the healthcare recipient 5 healthcare provider use healthcare identifier of a healthcare recipient the use or disclosure is for the purpose of communicating or managing health information as part of: disclose to another entity (a) the provision of healthcare to the healthcare recipient; or (b) the management (including the investigation or resolution of complaints), funding, monitoring or evaluation of healthcare; or (c) the provision of indemnity cover for a healthcare provider; or (d) the conduct of research that has been approved by a Human Research Ethics Committee 6 entity to whom healthcare identifier of a healthcare recipient is disclosed for a purpose mentioned in column 4 of item 5 collect healthcare identifier of a healthcare recipient the collection, use or disclosure is for the purpose for which the information was disclosed use disclose (2) This section does not authorise the collection, use or disclosure of the healthcare identifier of a healthcare recipient for the purpose of communicating or managing health information as part of: (a) underwriting a contract of insurance that covers the healthcare recipient; or (b) determining whether to enter into a contract of insurance that covers the healthcare recipient (whether alone or as a member of a class); or (c) determining whether a contract of insurance covers the healthcare recipient in relation to a particular event; or (d) employing the healthcare recipient. 15 Collection, use and disclosure—My Health Record system The service operator is authorised to collect, use and disclose: (a) identifying information of a healthcare recipient, an authorised representative of a healthcare recipient or a nominated representative of a healthcare recipient; and (b) the healthcare identifier of a healthcare recipient, an authorised representative of a healthcare recipient or a nominated representative of a healthcare recipient; for the purposes of the My Health Record system. 16 Collection, use and disclosure—aged care An entity mentioned in column 1 of an item of the following table, is authorised to take action of the kind described in column 2 of that item with information of the kind described in column 3 of that item in the circumstances described in column 4 of that item. Collection, use and disclosure for an aged care purpose Item Column 1 Column 2 Column 3 Column 4 Entity Permitted action Information Circumstances 1 identified healthcare provider disclose to the Aged Care Department identifying information of a healthcare recipient the disclosure is for an aged care purpose 2 Aged Care Department collect from an identified healthcare provider identifying information of a healthcare recipient the collection, use or disclosure is for an aged care purpose use disclose to an identified healthcare provider 3 identified healthcare provider collect from the Aged Care Department identifying information of a healthcare recipient the collection or use is for an aged care purpose use 4 Aged Care Department disclose to the service operator identifying information of a healthcare recipient the disclosure is for an aged care purpose 5 service operator collect from the Aged Care Department identifying information of a healthcare recipient the collection or use is for an aged care purpose use 6 service operator use healthcare identifier of a healthcare recipient the use or disclosure is for an aged care purpose disclose to the Aged Care Department 7 healthcare provider disclose to the Aged Care Department healthcare identifier of a healthcare recipient the disclosure is for an aged care purpose 8 Aged Care Department collect from the service operator or a healthcare provider healthcare identifier of a healthcare recipient the collection or use is for an aged care purpose use 17 Adopting the healthcare identifier of a healthcare recipient etc. An entity mentioned in column 1 of an item of the following table, may adopt the healthcare identifier of a healthcare recipient, an authorised representative of a healthcare recipient or a nominated representative of a healthcare recipient, for a purpose mentioned in column 2 of the item. Adopting the healthcare identifier of a healthcare recipient Item Column 1 Column 2 Entity Purpose 1 healthcare provider for use as the healthcare provider's own identifier of the healthcare recipient, the authorised representative of a healthcare representative or the nominated representative of a healthcare recipient 2 My Health Record System Operator for use as the My Health Record System Operator's own identifier for the purposes of the My Health Record system 3 registered repository operator for use as that operator's own identifier for the purposes of the My Health Record system registered portal operator 18 Disclosure of the healthcare identifier of a healthcare recipient to the healthcare recipient etc. Any of the following entities may disclose the healthcare identifier of a healthcare recipient to the healthcare recipient, or a responsible person (within the meaning of the Privacy Act 1988) for the healthcare recipient: (a) the service operator; (b) the My Health Record System Operator; (c) a healthcare provider. 19 Other information relating to the healthcare identifier of a healthcare recipient may be disclosed by the service operator The service operator may disclose information included in the record the service operator maintains under section 10 in relation to a healthcare recipient to: (a) the healthcare recipient; or (b) a responsible person (within the meaning of the Privacy Act 1988) for the healthcare recipient. 20 Regulations relating to the healthcare identifier and identifying information of a healthcare recipient etc. Collection, use or disclosure for other purposes (1) The regulations may authorise the collection, use or disclosure of the following information: (a) identifying information of a healthcare recipient, authorised representative of a healthcare recipient or nominated representative of a healthcare recipient; (b) the healthcare identifier of a healthcare recipient, authorised representative of a healthcare recipient or nominated representative of a healthcare recipient. Adoption for other purposes (2) The regulations may authorise the adoption of the healthcare identifier of a healthcare recipient, authorised representative of a healthcare recipient or a nominated representative of healthcare recipient in the circumstances prescribed by the regulations. Purposes for which regulation‑making powers in subsections (1) and (2) may be used (3) However, the regulations may only authorise the collection, use, disclosure or adoption of that information for purposes related to one or more of the following: (a) providing healthcare to healthcare recipients, or a class of healthcare recipients; (b) determining whether adequate and appropriate healthcare is available to healthcare recipients, or a class of healthcare recipients; (c) facilitating the provision of adequate and appropriate healthcare to healthcare recipients, or a class of healthcare recipients; (d) assisting persons who, because of health issues (including illness, disability or injury), require support; (e) the My Health Record system. Procedures relating to the disclosure of healthcare identifiers (4) The regulations may prescribe rules about the process for disclosing the healthcare identifiers of healthcare recipients, including rules about requests to the service operator to disclose healthcare identifiers of healthcare recipients. Information about disclosures by service operator (5) If the service operator discloses a healthcare identifier of a healthcare recipient to an entity, the regulations may require the entity to provide prescribed information to the service operator in relation to the disclosure. Division 3—Healthcare providers 21 Collection, use and disclosure—assigning a healthcare identifier to a healthcare provider An entity mentioned in column 1 of an item of the following table, is authorised to take action of the kind described in column 2 of that item with information of the kind described in column 3 of that item in the circumstances described in column 4 of that item. Collection, use and disclosure for the purpose of assigning a healthcare identifier to a healthcare provider Item Column 1 Column 2 Column 3 Column 4 Entity Permitted action Information Circumstances 1 service operator collect from: identifying information of a healthcare provider the collection or use is for the purpose of assigning a healthcare identifier to the healthcare provider (a) the Chief Executive Medicare; or (b) the Veterans' Affairs Department; or (c) the Defence Department use 2 Chief Executive Medicare use identifying information of a healthcare provider the use or disclosure is for the purpose of assisting the service operator to assign a healthcare identifier to the healthcare provider Veterans' Affairs Department disclose to the service operator Defence Department 3 service operator collect from a healthcare provider information requested by the service operator under section 9B the collection or use is for the purpose of assigning a healthcare identifier to the healthcare provider use 22 Collection, use and disclosure—establishing and maintaining a record of healthcare identifiers for healthcare providers An entity mentioned in column 1 of an item of the following table, is authorised to take action of the kind described in column 2 of that item with information of the kind described in column 3 of that item in the circumstances described in column 4 of that item. Collection, use and disclosure for the purpose of establishing and maintaining a record of healthcare identifiers for healthcare providers Item Column 1 Column 2 Column 3 Column 4 Entity Permitted action Information Circumstances 1 a national registration authority use health