Embed Size (px)
Citation preview
Healthcare Identifiers Service Operator Healthcare Identifiers Service Annual Report 2011–12Executive summaryThe Healthcare Identifiers (HI) Service is funded by all Australian governments and is a foundation element of the broader eHealth system. This framework is underpinned by the Healthcare Identifiers Act 2010 (the HI Act), the Healthcare Identifiers Regulations 2010, the National Partnership Agreement on eHealth and the service level agreement between the National E-Health Transition Authority (NEHTA) and the Australian Government Department of Human Services (the Department).
On 1 July 2011, the Department began delivering the services and payments previously provided by Medicare Australia. This led to consequential amendments to the HI Act where the Chief Executive Medicare has taken over the role of HI Service Operator from the former Chief Executive Officer of Medicare Australia. The legislative amendments did not impact operations of the HI Service.
The HI Service has been successfully operating for two years. All legislative requirements have been met. During 2011–12 we have continued to assign a 16-digit individual healthcare identifier number to every person who has a new enrolment in Medicare or a Department of Veterans’ Affairs (DVA) registration. Healthcare identifiers for individual healthcare providers have been allocated through the Australian Health Practitioner Regulation Agency (AHPRA) or via direct application to the HI Service Operator. Healthcare identifiers for healthcare provider organisations have been allocated via direct application to the HI Service Operator.
The Office of the Australian Information Commissioner (OAIC) has undertaken the second audit of the HI Service and reported that the HI Service Operator is compliant in meeting its obligations under the Privacy Act 1988 (Cwlth).
During the year, system enhancements were implemented, including the provision for contracted service providers to search for healthcare provider identifiers in the Healthcare Provider Directory on behalf of a registered healthcare provider organisation.
To support the implementation of the Australian Government’s eHealth initiatives, work was also undertaken to prepare for the introduction of the Personally Controlled Electronic Health Record (PCEHR) on 1 July 2012. On 29 June 2012, the Personally Controlled Electronic Health Records (Consequential Amendments) Act 2012 came into effect. This included amendments which updated the HI Act.
In summary, this has been another successful year for the HI Service. I would like to thank all of our stakeholders, our colleagues in the Department of Health and Ageing (DoHA) and NEHTA, and our staff, for their hard work and support.
Malisa Golightly
Chief Executive Medicare
Introduction1 July 2011 to 30 June 2012 was the second year of operations for the Healthcare Identifiers (HI) Service.
On 1 July 2011, the Department of Human Services (the Department) began delivering the services and payments previously provided by Medicare Australia. This led to consequential amendments to the Healthcare Identifiers Act 2010 (the HI Act) where the Chief Executive Medicare has taken over the role of HI Service Operator from the former Chief Executive Officer of Medicare Australia. The legislative amendments did not impact operations of the HI Service, nor does the HI Service relate to the Department’s functions of making payments.
Healthcare identifiers are a building block for the Personally Controlled Electronic Health Record (PCEHR) system. To support the implementation of this and other Australian Government eHealth initiatives, work was undertaken to prepare for the introduction of the PCEHR on 1 July 2012. On 29 June 2012, the Personally Controlled Electronic Health Records (Consequential Amendments) Act 2012 came into effect. This included amendments updating the HI Act.
The PCEHR lets individuals, their nominated representatives and their nominated healthcare providers have access to the individual’s health information, making continuity of care easier and contributing to improved treatment decisions. Healthcare providers (individual healthcare providers and healthcare provider organisations) must be registered with the HI Service before they can participate in the PCEHR system.
What is the Healthcare Identifiers Service? The HI Service is a national system for uniquely identifying individuals and healthcare providers. Using healthcare identifiers helps ensure individuals and providers can have confidence that the right information is associated with the right individual at the point of care.
A healthcare identifier is not a health record. The information held by the HI Service Operator is limited to demographic information, such as an individual’s name, date of birth and sex, needed to uniquely identify the individual and their healthcare providers. The HI Act specifies that the identifiers are to be used for healthcare and related management purposes only, with penalties in place for misuse.
The inclusion of healthcare identifiers in a health record system or patient file does not change how and when healthcare providers share information about individuals, but provides a much more reliable way of referencing information, particularly in electronic communications and information management systems. Patients will continue to be involved in decisions about how their health information is handled by their healthcare providers. An individual healthcare identifier is not required to receive healthcare or to claim healthcare benefits such as Medicare. If a healthcare provider is unable to obtain an individual’s healthcare identifier from the HI Service, or the individual’s healthcare identifier is not available for any reason, treatment will not be refused.
As part of the HI Service, every person with an active Medicare enrolment or Department of Veterans’ Affairs (DVA) registration is assigned a unique 16-digit healthcare identifier number. This has been created for healthcare providers to use to improve the efficient management of an individual’s personal health information. Medicare enrolments and DVA registrations include individuals visiting from other countries with reciprocal healthcare agreements with Australia, people who may have temporarily or permanently left Australia, or individuals who may be deceased. Until confirmation is received that a person has left the country or is deceased, their Medicare enrolment remains active.
Individuals visiting or residing in Australia not eligible to claim Medicare benefits or register with DVA may also be assigned a healthcare identifier by the HI Service Operator upon their request.
Healthcare identifiers are also allocated to individual healthcare providers and healthcare provider organisations. Individual healthcare providers are allocated a healthcare identifier by the Australian Health Practitioner Regulation Agency
(AHPRA), or through direct application to the HI Service Operator. Healthcare organisations must apply directly to the HI Service Operator.
Our roles and responsibilities As the HI Service Operator, the Department is responsible for delivering the HI Service to Australians and other individuals seeking healthcare, which includes:
assigning healthcare identifiers to individuals, individual healthcare providers and healthcare provider organisations, so they can be more accurately identified in health records
working with other bodies which can also assign healthcare identifiers under the HI Act to maintain a single complete record of all healthcare identifiers which have been assigned
disclosing healthcare identifiers to individual healthcare providers and healthcare provider organisations, so healthcare identifiers can be used in the delivery of health services to the Australian community. The HI Service Operator also discloses healthcare identifiers with the businesses that healthcare provider organisations engage to help them manage health information. These businesses are typically information technology (IT) firms and are referred to in the HI Act as contracted service providers
developing and administering robust processes for sharing healthcare identifiers with individual healthcare providers, healthcare provider organisations and contracted service providers
keeping a record in an audit log each time a person’s healthcare identifier is accessed or retrieved from the HI Service
maintaining the Healthcare Provider Directory. If a healthcare provider consents, the HI Service Operator publishes professional and business details of a healthcare provider in the Healthcare Provider Directory, and other individual healthcare providers and healthcare provider organisations can access those details
disclosing healthcare identifiers of individual healthcare providers and healthcare provider organisations, to enable the individual healthcare provider or healthcare provider organisation to be securely identified in electronic communications
providing information about the HI Service to individuals and healthcare providers, both when the HI Service Operator is asked questions and through guidance material published on the HI Service website
seeking advice and direction from, and providing reports to, the Australian Health Ministers’ Conference, as required.
The framework under which we operate The HI Service is an initiative funded by all Australian governments. It is a foundation element of the broader eHealth system, designed to support other eHealth initiatives around the country by enabling better linkage of health information to the right individuals and healthcare providers.
The framework for delivery of the HI Service reflects the intergovernmental cooperation which underpins it. This framework is found in:
the HI Act and the Healthcare Identifiers Regulations 2010 (Regulations)
the National Partnership Agreement on eHealth
the service level agreement between the HI Service Operator and the National E-Health Transition Authority (NEHTA).
The HI Act and Regulations establish the rules for the operation of the HI Service. The National Partnership Agreement sets out the national governance framework, including accountabilities of the HI Service Operator to all Australian Health Ministers, and funding for the HI Service.
The service level agreement between the HI Service Operator and NEHTA, a company established by all Australian governments to develop better ways to electronically collect and securely exchange health information, deals with the implementation of technical and process requirements to support the day-to-day operations of the HI Service.
Year in review—a summary During 2011–12, healthcare identifiers for individuals, individual healthcare providers and healthcare provider organisations continued to be allocated. In collaboration with other government departments, NEHTA, and key stakeholders, the HI Service Operator:
delivered operational processes to support the implementation of eHealth initiatives, available 1 July 2012; and
updated the system to enable contracted service providers to use existing web services to search for healthcare provider identifiers in the Healthcare Provider Directory on behalf of a registered healthcare provider organisation.
In 2011–12, the HI Service Operator:
assigned 607 944 healthcare identifiers to individuals
collected or assigned 59 078 healthcare identifiers to individual healthcare providers
assigned 1247 healthcare identifiers to healthcare provider organisations
allocated nine registration numbers to contracted service providers
published 3278 entries in the Healthcare Provider Directory on behalf of consenting individual healthcare providers and healthcare provider organisations.
During 2011–12, the HI Service Operator worked closely with stakeholders, through both industry and government forums, on providing information about the HI Service and supporting its use by healthcare providers.
When requested, the HI Service Operator also:
provided advice to Medicare Locals assisting lead eHealth sites to register for healthcare identifiers (Medicare Locals are primary health care organisations established by the Department of Health and Ageing (DoHA) to coordinate primary health care delivery and tackle local health care needs and service gaps); and
engaged stakeholders in the development of new forms, processes and other HI Service material and the review of existing resources, to make registering with the HI Service simpler and more user friendly.
The HI Service Operator worked with AHPRA to ensure the seamless addition of four new professions from 1 July 2012. Policies and procedures relating to information about AHPRA were also updated to ensure our service officers have the information to handle any related enquiries.
The total number of enquiries the HI Service Operator received for 2011–12 was 3099. Enquiries from the public included requests for healthcare identifiers and clarification about information in their Individual Healthcare Identifier history. Enquiries from healthcare professionals not covered under AHPRA and from healthcare provider organisations related to applying for healthcare identifiers.
In 2011–12, the HI Service Operator received one formal complaint. A customer questioned access to their IHI record by a healthcare provider organisation. The complaint was resolved within the service level timeframes.
Operation of the HI ServiceStrategic oversight of the HI Service and its programs, projects and initiatives, the provision of financial forecasts and monitoring of service delivery performance in accordance with the agreed service levels is provided by DoHA, NEHTA and the HI Service Operator.
Assignment of healthcare identifiers The HI Act defines three types of healthcare identifiers.
Individual Healthcare Identifier (IHI)—for individuals receiving healthcare services.
Healthcare Provider Identifier–Individual (HPI-I)—for healthcare professionals involved in providing patient care.
Healthcare Provider Identifier–Organisation (HPI-O)—for organisations that deliver healthcare (such as hospitals or general practices).
IndividualsIn 2011–12, the HI Service maintained the IHIs allocated in 2010–11 and has continued to assign IHIs to individuals with a new Medicare enrolment or DVA registration, as per the legislation. Individuals visiting or residing in Australia who are not eligible to claim Medicare benefits or register with DVA have also been assigned an IHI at their request.
During 2011–12, 607 944 IHIs were assigned, bringing the total number of IHIs assigned from 1 July 2010 to 30 June 2012 to 24 659 863.
Individual healthcare providersUnder section 9 of the HI Act, the HI Service Operator and national registration authorities prescribed by the Regulations are authorised to assign healthcare identifiers to individual healthcare providers. During 2011–12, AHPRA was the only national registration authority assigning HPI-Is.
In 2010, the HI Service Operator provided AHPRA with 5.1 million HPI-I numbers for assignment to their registrants. These numbers have been quarantined by the HI Service for AHPRA’s use only.
Individual healthcare providers whose health profession is not covered under AHPRA must complete a registration form and apply directly to the HI Service
Operator to obtain their HPI-I. These forms are located on the HI Service Operator’s website.
During 2011–12, 59 078 HPI-Is were either collected from AHPRA or assigned to individual healthcare providers who had applied directly to the HI Service Operator. This has brought the total number of HPI-Is assigned from 1 July 2010 to 30 June 2012 to 587 378.
Healthcare provider organisations To get an HPI-O a principle legal entity must apply directly to the HI Service Operator and complete the registration form which is available on the HI Service Operator’s website. Once they have been assigned an HPI-O (referred to as a seed HPI-O) nominated staff within the organisation may create a hierarchy of HPI-Os (referred to as network HPI-Os) to identify important business areas or functions within the organisation’s structure.
During 2011–12, 1247 HPI-Os were assigned. This brings the total number of HPI-Os assigned from 1 July 2010 to 30 June 2012 to 1417.
Disclosure of healthcare identifiers for authorised purposes to authorised users Under sections 17, 18, 19 and 20 of the HI Act, the HI Service Operator is authorised to disclose healthcare identifiers to:
healthcare providers for the purpose of communicating or managing health information as part of providing healthcare to an individual
individuals who request their healthcare identifier
registration authorities established for the purpose of the registration authority registering the healthcare provider
entities established to provide healthcare provider authentication services for the purposes of issuing security credentials to authenticate a healthcare provider’s identity in electronic transmissions.
Disclosure of healthcare identifiers for individuals Under the HI Act, the HI Service Operator disclosed IHIs to healthcare recipients and healthcare providers through a number of channels, including via the Department’s Service Centres, over the phone, by fax or email. Additionally, searches can be made by healthcare providers and organisations using the web service channel.
When a search for an IHI is carried out, there must be an exact match from the search criteria entered before an IHI will be disclosed by the HI Service. Search criteria must include a family name, given name, date of birth and sex. In addition, at least one of the following search criteria must also be used: the Medicare card number; the DVA file number; the IHI; or an address.
Every IHI disclosed by the HI Service is a disclosure under the HI Act and does not necessarily represent the number of healthcare recipients who have had their IHIs searched for. For example, a healthcare provider may search for an IHI each time an individual presents for an appointment, resulting in multiple disclosures over time for the one individual.
During 2011–12, the HI Service Operator disclosed 138 IHIs through the Service Centres, phone, fax and email channels.
The total number of IHIs disclosed through web services was 13 182 937.
Disclosure of healthcare identifiers for individual healthcare providers and healthcare provider organisations During 2011–12, the HI Service Operator did not receive any requests to disclose healthcare provider identifiers to national registration authorities. Healthcare provider identifiers quarantined and provided to AHPRA by the HI Service Operator for the purpose of assigning the numbers to their registrants are not disclosures under the HI Act.
The HI Service Operator did disclose, in line with legislative requirements, 747 healthcare identifiers of both registered individual healthcare providers and healthcare provider organisations to an entity providing authentication services for the purpose of enabling the identity of the individual healthcare providers and healthcare provider organisations to be authenticated in electronic transmissions with the HI Service.
Healthcare Provider Directory Under section 31 of the HI Act, the HI Service Operator maintains the Healthcare Provider Directory (the directory). Healthcare providers must give consent for their details to be made available in the directory.
The directory assists healthcare providers to quickly search for and find individual healthcare providers, including AHPRA and non-AHPRA providers, and healthcare provider organisations registered to use the service.
The directory aims to facilitate communication between healthcare providers by providing a reliable source of identifying and contact information about other participating healthcare providers.
Use of the directory increased markedly in 2011–12. During 2011–12, a total of 3278 entries for individual healthcare providers and healthcare provider organisations were published in the directory. The total number of entries published in the directory from 1 July 2010 to 30 June 2012 was 3450.
Policies, processes and systems used to operate the HI Service
Policies and processesHealthcare providers and the public can access the HI Service through a number of channels, including via the Department’s Service Centres, over the phone, by fax or email. A suite of HI Service policies and procedures, which are updated as required, are available to support staff who manage enquiries through these channels.
In addition to developing policies and procedures for staff to answer questions the general public might have about the HI Service, the HI Service Operator has developed and published website information which is available directly to the general public. The information includes what healthcare identifiers are, what they can be used for and the role of the HI Service Operator (as supported in legislation).
All HI Service policies are provided to NEHTA for review to ensure they meet with NEHTA’s policy requirements and the requirements of the legislation. Policies and procedures are reviewed every six months, or when a change is required to existing material (whichever occurs first). Training in new policies and procedures is provided to HI Service staff.
To support healthcare providers who use the HI Service, the HI Service Operator provides information guides which are available on the HI Service Operator’s website. The guides provide an overview of the HI Service, the registration processes for individual healthcare providers and healthcare provider organisations and information about HI Service roles and the associated responsibilities. Website content also includes HI Service forms and links to other relevant material.
During 2010–11, through engagement with stakeholders, the HI Service Operator improved registration processes. Where an organisation or individual healthcare
provider has previously applied for a public key infrastructure (PKI) certificate and provided evidence of identity to a data source as defined in the HI Act there is no requirement to provide that information again when applying to register with the HI Service. This continues to be well received by applicants.
Maintenance of healthcare identifier information systemsThe HI Service Operator maintains the systems that contain IHI information (demographic details and addresses), HPI-I information (demographic details, addresses and specialty details) and HPI-O information (organisation names, addresses and services provided, and demographic details and addresses of the responsible officer and organisation maintenance officer, where applicable). There is no health information stored in the HI Service.
In consultation with NEHTA, the HI Service Operator implements enhancements to the system and undertakes regular maintenance to HI Service systems via a quarterly release program. Software vendors and NEHTA are given advance notice of all scheduled maintenance.
The HI Service underwent enhancements in 2011–12. During the year, additional functionality to support contracted service providers was implemented. The HI Service also underwent an enhancement which further refined requirements for retiring individual healthcare identifiers after the identifiers have been matched with fact of death data received from Births, Deaths and Marriages.
The HI Service Operator is also responsible for the management of disaster recovery and business continuity of the HI Service. The HI Service is included in the Department’s Disaster Recovery Plan and Business Continuity Plan as part of the annual business planning cycle. During 2011–12, both plans were reviewed and updated as required, and the HI Service online functions were included in the disaster recovery capability testing performed for the Department.
Collaboration with other departments and organisations in the delivery of eHealth initiativesDuring 2011–12 the HI Service Operator worked closely with DoHA and NEHTA on enhancements to the HI Service which included support for eHealth initiatives such as the PCEHR.
HI Service policies, procedures, forms and external information were updated to provide information about how the HI Service is a building block for the PCEHR.
To support the delivery of the PCEHR on 1 July 2012, the Department has also developed and implemented the Department of Human Services eHealth Record PKI solution. The PKI is a set of procedures and technology that provides security and confidentiality for electronic business. It encrypts and secures information and authenticates both the sender and receiver. The HI Service Operator created and updated a number of HI Service policies, procedures, forms and website information to support users of the interim PKI solution. The interim PKI solution allows access to the PCEHR system.
The PCEHR is a secure, opt-in electronic record accessible by a healthcare recipient, their authorised representatives and their authorised healthcare providers. The record will allow healthcare providers faster, easier access to a patient’s health information, making continuity of care easier and improving treatment decisions. Individual healthcare providers and healthcare provider organisations must be registered in the HI Service before participating in the PCEHR system.
Interactions with third party software vendors or contracted service providers As a foundation element of eHealth, the HI Service is intended to provide the basis for quick, efficient and secure management of patient health information for healthcare providers. This means the organisations that develop software for the health sector, and those that provide IT services to healthcare providers, are key partners in the development of an effective HI Service.
The HI Service Operator is represented on the eHealth ICT Industry Implementation Group. This was established by DoHA to provide a framework for consultation on eHealth initiatives, including the HI Service. This group includes representatives from DoHA, the HI Service Operator, NEHTA, the Medical Software Industry Association, the Australian Information Industry Association, the Australian Association of Practice Managers and the Aged Care IT Vendor Association.
The HI Service Operator also has representation on the eHealth Compliance, Conformance and Accreditation Governance Group (CCAGG). The CCAGG brings together leading government policy makers, organisations that develop industry standards, and representatives from the medical software industry who share a vital interest in the quality, safety and interoperability of health information systems in Australia. The CCAGG and its sub-groups regulate the two part testing process software vendor products must pass before interacting with the HI Service.
The HI Service Operator continues to provide ongoing support to third party software vendors to facilitate the development of their products. The HI Service Operator met with medical software industry stakeholder groups to identify and resolve emerging issues. Advance notice of all scheduled HI Service maintenance, updates to specifications and information about future releases is published on the HI Service Operator’s website.
Software vendors are required to accept the HI Service licence agreement (the licence agreement) for materials before they develop and test their software products to connect with the HI Service.
For software vendors to gain access to and connect with the HI Service, they must:
complete and pass all mandatory conformance requirements of the compliance, conformance and accreditation (CCA) process and sign a Declaration of Conformity. The CCA process is a set of mandatory, conditional and optional requirements on how software products store, use and share healthcare identifiers for clinical use; and
complete the HI Service Operator’s testing process and receive their HI Service Notice of Connection. The HI Service Notice of Connection testing process validates the software’s ability to interact successfully with the HI Service without adversely affecting the Department’s systems.
Contracted service providers Contracted service providers can be given access to healthcare identifiers when they are handling them for a legitimate purpose on behalf of individual healthcare providers and healthcare provider organisations.
Under the protocols, a contracted service provider must apply directly to the HI Service Operator to be allocated a unique registration number in the HI Service. Once the contracted service provider is registered, a healthcare provider organisation can link to the contracted service provider in the HI Service. Until a contracted service provider has been linked to a healthcare provider organisation, it cannot access the HI Service.
In 2010–11 significant work began to allow contracted service providers to access the HI Service on behalf of healthcare provider organisations. During 2011–12 the system was updated to enable contracted service providers to use existing web services to search for healthcare provider identifiers in the Healthcare Provider Directory on behalf of a healthcare provider organisation. Documentation to support contracted service providers’ use of this functionality has also been updated.
Service LevelsIn line with the National Partnership Agreement on eHealth, the HI Service Operator has continued with the service level agreement with NEHTA in 2011–2012.
The HI Service Operator reports monthly to NEHTA against service levels under seven different categories: HI application; data quality; customer management and support; processes, applications, data and infrastructure; identity management, authentication and support; security policies and procedures; and the HI Service Desk. Under these categories, the HI Service Operator reports against 17 service levels. Eight of these have a further total of 41 sub-requirements.
The HI Service Operator also reports on any incidents that may occur under the service level agreement. These incidents are classified into three severity levels with one being the highest and three the lowest.
All service levels and their sub-requirements were met for every month during 2011–12 with the exception of two incidences: one under the system availability service level and one under the data quality service level.
System availability service levelA severity level two incident occurred during an update to the Department’s IT systems. As a result, online functions of the HI Service were unavailable for four hours and 25 minutes. The incident was resolved within the timeframe required for incident resolution, and has not occurred since. However, the system availability service level was impacted by the outage, which caused the system to be available for 99.4 per cent of the month, rather than the required 99.5 per cent. As a result, this service level was not met for that month.
Data quality service levelA sub-requirement under the data quality service level was not met, as reported in the Healthcare Identifiers Service 2010–11 Annual Report. This was because a mandatory healthcare provider category was not sent through in a national registration authority’s data transmission. The HI Service Operator and the national registration authority have since implemented processes and system adjustments in order to prevent this from re-occurring. Both the HI Service Operator and the national registration authority have been working closely to ensure that all past affected records have been corrected. As of December 2011 the issue was resolved and for the remainder of 2011–12 this sub-requirement was met.
Also noted in the HI Service 2010–11 Annual Report was an issue relating to the postal address that healthcare organisations give the HI Service Operator when they register. This service level was not met because of a requirement of the system to match an organisation’s address as provided on a registration form with a valid Australia Post Delivery Point Identifier (DPID). Previously, if the system did not find a valid match it was flagged as such and reported to NEHTA as a service level agreement not met.
The HI Service Operator and NEHTA reviewed this requirement in June and July 2011. The review determined that it was reasonable to exclude addresses that cannot be matched against a DPID but are still valid addresses. These adjustments were made in July 2011, and for 2011–12 this sub-requirement has been met.
Communication activities to support the HI ServiceThe HI Service Operator’s area of responsibility in communication activities is to support the operation of the HI Service, and includes activities such as providing content on the HI Service Operator’s website.
Content published on the website for the public, healthcare professionals and organisations includes information about healthcare identifiers, what they can be used for and role of the HI Service Operator (as supported in legislation). An agreed set of Frequently Asked Questions (FAQs) developed by DoHA with input from NEHTA and the HI Service Operator, are also available on the website.
For software vendors, the HI Service Operator publishes quick reference guides, FAQs and contact details, as well as the HI licensed material on its website.
The HI Service Operator also worked closely with stakeholders, through both industry and government forums, on providing information about the HI Service and supporting its use by healthcare providers. The HI Service Operator provided advice to Medicare Locals assisting lead eHealth sites to register for healthcare identifiers and engaged stakeholders in process improvement work to make registering with the HI Service simpler and user friendly.
Financial StatementsThe HI Service Operator is funded on a cost recovery basis (that is, we are only paid for the actual costs we incur to operate the service).
Our core activities include:
managing the HI Service in accordance with the legislation
developing and maintaining information on policies and procedures for HI staff
developing information guides and internet content for users of the HI Service
maintaining HI licence material and information for software vendors
stakeholder engagement with medical software industry associations and users of the HI Service
provision of a helpdesk (face-to-face, telephone, email or fax)
monthly service level reporting
financial management and reporting
disaster recovery and business continuity
operating and maintaining the HI systems and the Healthcare Provider Directory.
The forecast cost for the second year of operations was $12.56 million (m), based on the agreed projections with NEHTA. Our actual operational expenditure for the year was $8.26m, $4.3m lower than the projected cost. Costs were lower than anticipated as the demand for the HI Service was less than expected.
The HI Service had additional expenditure of $2.57m for system enhancements and other work undertaken as agreed with NEHTA.
The total expenditure for 2011–12 was $10.83m.
Table 1: Healthcare Identifiers Service—operating statement for the year ending 30 June 2012
Quarter 1
Quarter 2
Quarter 3
Quarter 4
2011/12
Jul—Sep
Oct—Dec
Jan—Mar
Apr—Jun
Total
$'000 $'000 $'000 $'000 $'000
Income
Operational Revenue 2,188 2,008 2,078 1,983 8,257
Quarter 1
Quarter 2
Quarter 3
Quarter 4
2011/12
Jul—Sep
Oct—Dec
Jan—Mar
Apr—Jun
Total
$'000 $'000 $'000 $'000 $'000
Additional Activities Revenue 1,025 635 114 803 2,577
Total Income 3,213 2,643 2,192 2,786 10,834
Expenditure
HI Service Program Management
Staff Costs 685 502 629 569 2,385
Contractors 93 20 – – 113
Staff Related Costs 18 122 24 95 259
Travel 17 13 18 12 60
813 657 671 676 2,817
HI Service Help Desk
Staff Costs 251 178 230 197 856
Staff Related Costs – 25 – 30 55
Travel – – 1 – 1
Other Operational Costs 6 8 7 13 34
Quarter 1
Quarter 2
Quarter 3
Quarter 4
2011/12
Jul—Sep
Oct—Dec
Jan—Mar
Apr—Jun
Total
$'000 $'000 $'000 $'000 $'000
257 211 238 240 946
Privacy, Legal & SLA Reporting
Staff Costs 21 39 18 19 97
Staff Related Costs 12 3 1 3 19
Travel – – – – –
33 42 19 22 116
Information Technology
Staff Costs 38 25 115 54 232
Contractors 140 166 128 84 518
Computer hardware & software
907 907 907 907 3,628
1,085 1,098 1,150 1,045 4,378
Additional Activities
Staff Costs 72 49 67 286 474
Contractors 953 586 47 317 1,903
Quarter 1
Quarter 2
Quarter 3
Quarter 4
2011/12
Jul—Sep
Oct—Dec
Jan—Mar
Apr—Jun
Total
$'000 $'000 $'000 $'000 $'000
Other Build Costs – – – 200 200
1,025 635 114 803 2,577
Total Expenditure 3,213 2,643 2,192 2,786 10,834
Operating Surplus/(Deficit) – – – – –
Security, privacy and confidentialityThe government’s priority is to protect the information it holds about individuals. The Department takes the privacy and security of all information it handles seriously.
There are strict controls in place and a firm policy about accessing or disclosure of personal information for all the Department’s programs. The Department is committed to proactively protecting all personal information it holds, with appropriate penalties in place for unauthorised access, including dismissal of staff.
The Department’s privacy management procedures include:
induction training for new staff and follow-up training on identified privacy issues relevant to staff in different business areas
privacy impact assessments of new Department initiatives involving the collection, use or disclosure of personal information
proactive audits of access to personal information to identify any unauthorised access by the Department’s staff
provision of high quality and timely privacy advice to all business units to encourage the identification and resolution of any privacy issues as they arise
investigation of customer complaints and staff reports of possible privacy breaches to make sure action is taken to address any ongoing risks
specific processes for the release of personal information to any other agency or person (personal information is only disclosed in line with legislative requirements)
messages to all staff about privacy standards.
The HI Act imposes a duty of confidentiality on the HI Service Operator. It is a breach of the HI Act for the HI Service Operator to use or disclose healthcare identifier information for any other purpose than provided for under the HI Act. The authority under Part 4 of the HI Act to collect, use or disclose healthcare identifier or identifying information is also an authority to collect, use or disclose the information for the purpose of the Privacy Act 1988 (Cwlth) (the Privacy Act). All information collected by the HI Service Operator must be managed in accordance with the Privacy Act.
Individuals who believe their record has been inappropriately accessed can contact the HI Service Operator for assistance. Alternatively, they can contact their healthcare provider. The individual can also request the OAIC to undertake an investigation. The HI Service features a full audit log which tracks and identifies all interactions with the HI Service. This log will be used to identify potential inappropriate access during these investigations.
Security, privacy and confidentiality of information are protected by the use of PKI for electronic transmissions between the HI Service and healthcare providers. The PKI restricts a healthcare provider’s access to the HI Service to only those functions relating to their role. The PKI is a set of procedures and technology that provides security and confidentiality for electronic business. It encrypts and secures information and authenticates both the sender and receiver.
There have been no privacy or confidentiality breaches by staff in relation to the HI Service.
AuditsThe OAIC undertook an audit of the HI Service in 2011–12. This is the second OAIC audit since the commencement of the HI Service.
The first audit was held in 2010–11 and focussed on the handling of personal information. The OAIC did not identify any privacy risks and made no recommendations.
The second audit by the OAIC focused on the HI Service Operator’s collection and handling processes in relation to HPI-I information, as well as processes undertaken when conducting batch searches of healthcare identifier information.
The OAIC made no recommendations. In the audit, the OAIC has noted that the HI Service Operator handles identifier information in accordance with its obligations under the Information Privacy Principles. The HI Service Operator’s practices in this regard are therefore compliant with the Privacy Act.
Appendix A—documents available on the HI Service Operator’s website
Information for individuals HI Service Operator web page
Information about the Healthcare Identifiers Service
HI Service forms—individual healthcare identifier
Application to request a pseudonym Individual Healthcare Identifier
Application to create, verify or merge an Individual Healthcare Identifier
Information for healthcare providers (individuals and organisations) and contracted service providers HI Service Operator web page
Information about the Healthcare Identifiers Service
Contact Information
HI Service information guides
Introduction and overview
Responsible Officer
Organisation Maintenance Officer
Authorised Employee
Individual Healthcare Provider
Contracted Service Provider
HI Service Reference guides
HPI-O Organisation Type Classification
HPI-I Provider Type Classification
HI Service Forms—healthcare provider organisation
Application to register a Seed Organisation
Application to register a Network Organisation
Application to replace a Responsible Officer or add/remove an Organisation Maintenance Officer for an organisation
Application to amend an Organisation Officer’s personal information
Application to amend a Healthcare Organisation record
Application to deactivate, reactivate or retire a Healthcare Organisation record
Healthcare Identifiers Service—Authorised employee register form
HI Service Forms—healthcare provider individual
Application to Register a Healthcare Provider
Application to amend a Healthcare Provider Record
HI Service Forms—contracted service provider
Application to register a Contracted Service Provider
Application to add, replace or remove a Contracted Service Provider officer
Application to link or unlink a Contracted Service Provider organisation
Application to amend details of a Contracted Service Provider record
Application to amend a Contracted Service Provider Officer’s personal details
Application to deactivate or retire a Contracted Service Provider organisation record
HI Service Forms—accessing the Healthcare Identifier Service with PKI
Application to request or update a PKI certificate
Authority to publish details in the Healthcare Provider Directory and request for Healthcare Identifiers access using Public Key Infrastructure
Information for software developers HI Service Operator web page
Information about the Healthcare Identifiers Service for software developers
Frequently asked questions
Contact Information
Latest Release Information
Licence Agreement—use of the Healthcare Identifiers Licensed Material for Notice of Connection
Healthcare Identifiers Licensed Material
HI Service—Software Vendor Developers Guide
HI Service Change Guides
HI Service—IHI Searching Guide
HI Service WSDL Artefacts
HI Service System Interface Specifications (SIS)
Quick reference guides
HI Service—Release 3.2.0 B2B Web Services
HI Service—Web Services with related System Interface Specifications
Incorporating the HI Service into your software
User guide
Service Catalogue—HI Service8101.1208
