Healthcare identifiers

The OAIC is the independent regulator of the privacy aspects of the Healthcare Identifiers Act 2010 (HI Act) and the Healthcare Identifiers Regulations 2020 (HI Regulations).

The HI Act implements a national system for assigning unique identifiers to individuals, healthcare providers, and healthcare provider organisations. The identifiers are assigned and administered through the Healthcare Identifiers Service (HI Service), currently operated by the Chief Executive Medicare.

There are three types of healthcare identifiers issued by the HI Service, namely:

• Individual Healthcare Identifiers (IHI) — for individuals receiving healthcare in Australia
• Healthcare Provider Identifier – Individual (HPI-I) — for individual healthcare providers, such as GPs, allied health professionals, nurses, dentists and pharmacists
• Healthcare Provider Identifier – Organisation (HPI-O) — for organisations delivering healthcare, such as hospitals and general practices.

The aim of individual healthcare identifiers is to help healthcare providers accurately communicate information with each other and identify and access patient records in the My Health Record system. The purpose of healthcare provider identifiers is to identify providers accessing the HI Service database and to link records with the right healthcare provider, at the right location.

The handling of healthcare identifiers is regulated through the HI Act, the HI Regulations and the Privacy Act 1988 and healthcare identifiers may only be accessed, used and disclosed for limited purposes. The HI Act imposes a high standard of privacy on healthcare identifiers and if a healthcare identifier is used or disclosed in circumstances not permitted by the HI Act or HI Regulations, criminal and civil penalties may apply. Unauthorised use or disclosure of healthcare identifiers will also be an interference or breach of privacy under the Privacy Act. As the privacy regulator, the OAIC has a range of functions and enforcement powers to ensure compliance with privacy requirements relating to healthcare identifiers. For further information about the OAIC’s regulatory powers, see our Guide to Privacy Regulatory Action.

Healthcare identifiers and the My Health Record system

Healthcare identifiers are an important foundation of the My Health Record system, which is regulated by the My Health Records Act 2012. The My Health Record system uses healthcare identifiers (as opposed to an individual’s Medicare number) to provide greater certainty that the right information is attributed to the right individual.

The OAIC regulates the privacy aspects of the My Health Record system, including how information in the My Health Record system, such as healthcare identifiers, may be collected, used and disclosed.

For further information about the My Health Record system and healthcare identifiers, see the Australian Digital Health Agency website.

For further information about privacy and the My Health Record system, see our My Health Record page.

Healthcare Identifiers (HI) Service

The HI Service is administered by the Chief Executive Medicare and can be contacted via the following details:

• enquiries line: 1300 361 457
• email: healthcareidentifiers@humanservices.gov.au
• website for individuals
• website for healthcare providers.

The Department of Health and Aged Care website also contains information about the HI Service.

Individual healthcare identifiers

For information relating to individual healthcare identifiers (IHI) for individuals, see the What is an individual healthcare identifier?.

Private healthcare providers’ privacy obligations

This information is for individual healthcare providers and healthcare provider organisations in the private sector, such as general practices, private hospitals, allied healthcare professionals, nurses, dentists and pharmacists.

Compliance obligations – the HI Act and the Privacy Act

When handling IHIs you have compliance obligations under the HI Act and HI Regulations. You also have compliance obligations under the Privacy Act, which contains 13 Australian Privacy Principles (APPs) that set out standards, rights and obligations for the handling, holding, use, accessing and correction of personal information (including health information).

The HI Act sets out how IHIs may be collected, used, disclosed and adopted, and requires you to store them securely. You must also comply with the Privacy Act, including for matters such as notifying patients, data quality and providing anonymous healthcare where this is practicable. Healthcare identifiers are considered personal information, and health information, under the Privacy Act.

Under the HI Act, a breach of certain information handling provisions relating to a healthcare identifier or identifying information will not only be subject to criminal and civil penalties, but the action will also be an interference with privacy for the purposes of the Privacy Act.

The OAIC regulates your compliance with these obligations, which are set out further in the sections below.

For further information about the OAIC’s regulatory powers, see our Guide to Privacy Regulatory Action.

Collecting IHIs from the HI Service

To access healthcare identifiers and use the HI Service, you would normally need to be registered with the HI Service and be assigned a healthcare provider identifier.

Under the HI Act, you may collect, from the HI Service, IHIs for the purpose of communicating or managing health information, as part of providing healthcare to a patient.[1] This includes for accessing a patient’s My Health Record.

Healthcare provider organisations must not request access to IHIs from the HI Service unless they have first informed the HI Service of the ‘responsible officer’ and the ‘organisation maintenance officer’, and have that person or persons’ identity verified.[2] The HI Service may refuse to comply with a request to disclose a healthcare identifier if the healthcare provider organisation has not complied with these requirements.

For further information about the roles and responsibilities of the ‘responsible officer’ and the ‘organisation maintenance officer’, see https://www.digitalhealth.gov.au/get-started-with-digital-health/registration/roles-responsibilities.

If you collect IHIs for patients through a bulk download from the HI Service, you should consider whether you need to collect IHIs for patients who have not used your service recently. This will help ensure that you are complying with your APP 3 obligations to only collect personal information where it is reasonably necessary for your functions or activities.

For further information on registering with the HI Service, contact the HI Service Operator.

Disclosing ‘identifying information’ to the HI Service

Under the HI Act, if you have a healthcare provider identifier, you may disclose a patient’s ‘identifying information’ to the HI Service for the purposes of the HI Service assigning the patient an IHI and disclosing the patient’s IHI to you.[3] A patient’s ‘Identifying information’ includes:

• Medicare number
• Veterans’ Affairs Department file number
• name
• address (including electronic address)
• date of birth (and if applicable, for multiple births, the order in which the patient was born)
• sex
• date of death
• telephone number, and
• other information as prescribed by the HI Regulations.[4]

Keeping records of access to the HI Service

To ensure that a record of every access to the HI Service is maintained, healthcare provider organisations are required to either:

• if it is reasonably practicable, give the HI Service enough information to identify, by name, the individual making the request on behalf of the organisation, without the HI Service having to seek further information. This information may be given, for example, as part of the data sent to the HI Service from the healthcare provider organisation’s practice management software, or

• if it is not reasonably practicable to do the above at the time the request is made, the healthcare provider organisation must:
  • keep a record of the identity of the individual who accessed the healthcare identifier for the organisation from the HI service
  • keep that record for the ‘retrieval period’ for that individual, and
  • if, during the retrieval period for that individual, the HI Service gives the organisation written notice requiring the organisation to identify the individual, the organisation must identify the individual to the HI Service within 14 days after the notice is given.[5]

  The ‘retrieval period’ is any period that the individual is authorised by the healthcare provider organisation to access healthcare identifiers on behalf of the organisation, and, for seven years from the day they cease to be authorised.

  Under the HI Regulations, a civil penalty may apply if the organisation contravenes these requirements.[6]

  Notifying patients of the collection of IHIs

  You must notify patients of the collection of their IHIs under APP 5 – notification of the collection of personal information. APP 5 requires you to take reasonable steps to ensure the patient is aware of certain matters, such as the purpose of the collection, usual disclosures of that information and the consequences if the information is not collected. For further information, see APP Guidelines – Chapter 5.

  Reasonable steps might be to include information about the collection of a patient’s IHI as part of a collection notice provided to patients. You could also provide information about how you handle IHIs in your APP 1 Privacy Policy.

  Authorised use and disclosure of IHIs

  Under the HI Act, you may use or disclose an IHI for the purpose of communicating or managing health information as part of the:

  • provision of healthcare to the patient
  • management (including the investigation or resolution of complaints), funding, monitoring or evaluation of healthcare
  • provision of indemnity cover for a healthcare provider, or
  • conduct of research that has been approved by a Human Research Ethics Committee.[7]

  You may also be able to use or disclose a healthcare identifier in the following situations, where:

  • the use or disclosure is required or authorised under the HI Act or another Commonwealth law or court/tribunal order[8]
  • you reasonably believe that the use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of an individual or to public health or safety, and it is unreasonable or impracticable to obtain the patient’s consent[9]
  • you reasonably believe this is necessary to take appropriate action in relation to suspected unlawful activity or serious misconduct[10]
  • it is reasonably necessary for the establishment, exercise or defence of a legal or equitable claim[11]
  • it is reasonably necessary for the purposes of a confidential alternative dispute resolution process,[12] or
  • the use or disclosure is required or authorised by the Information Commissioner, or an equivalent officer or agency of a State or Territory, in exercising powers or performing functions in relation to privacy.[13]

  Both criminal and civil penalties may apply for the use or disclosure of healthcare identifiers outside these circumstances.[14]

  Prohibited use and disclosure of IHIs

  The HI Act specifically prohibits the collection, use or disclosure of an IHI for the purpose of communicating or managing health information as part of:

  • underwriting a contract of insurance that covers a patient
  • determining whether to enter into a contract of insurance that covers a patient (whether alone or as a member of a class)
  • determining whether a contract of insurance covers a patient in relation to a particular event, or
  • non-healthcare related employment purposes.[15]

  Collection, use and disclosure of identifying information and IHIs – My Health Record registration

  Under the HI Regulations, you may collect from a patient or use or disclose to the My Health Record System Operator, the patient’s identifying information or IHI for the purpose of registering the patient in the My Health Record system.[16]

  Using IHIs to identify patients

  Under the HI Act, you are authorised to use (or adopt) an IHI as your own identifier of the healthcare recipient.[17]

  This is one of the exceptions to the general position under APP 9 that the adoption of a government-related identifier is not permitted. For further information about APP 9 – adoption, use or disclosure of government related identifiers, see the APP Guidelines – Chapter 9.

  Exchanging information with the Aged Care Department

  Under the HI Act, you may disclose to the Aged Care Department a patient’s IHI and, if authorised, ‘identifying information’ for an aged care purpose. If you have a healthcare provider identifier, you may also collect and use identifying information from the Aged Care Department, for an aged care purpose.[18]

  ‘Aged care purpose’ means:

  • the purpose of enabling the Aged Care Department to create and maintain a record about aged care provided to a person by an approved provider (within the meaning of the Aged Care Act 1997), or
  • the purpose of the Aged Care Department verifying the identity of a person who is receiving, or who is to receive, aged care.[19]

  Quality of information

  Information about health providers

  Under the HI Act, if a healthcare provider organisation becomes aware that information held by the service operator about them is not accurate, up‑to‑date and complete, they must update the HI Service Operator in writing within 20 business days (some exceptions apply).[20] This is to ensure that all information held by the HI Service Operator and subsequently the listing in the Healthcare Provider Directory is maintained.

  The deliberate or reckless failure to give the HI Service information in the relevant circumstances may attract a civil penalty.

  Patient information

  One of the main purposes of healthcare identifiers is to ensure that records are accurately matched with the correct patient. You must have systems and processes in place to ensure that you reference patient records with the correct healthcare identifier and that the information you reference with the identifier is accurate, complete and up to date.

  Under APP 10, you are also required to take reasonable steps to make sure that the personal information you collect, use and disclose is accurate, up to date and complete. Further information about APP 10 and guidance on what may constitute ‘reasonable steps’ is available in Chapter 10 of the APP Guidelines.

  Security of personal information

  Under the HI Act, you must take reasonable steps to protect the healthcare identifiers you hold from misuse, loss, and unauthorised access, modification or disclosure.[21]

  To participate in the HI Service, a healthcare provider business is required to have IT systems that incorporate minimum standards and security features. For further information about technical requirements, contact the HI Service Operator.

  Compliance tip: it is good privacy practice to implement audit trails of individual staff access to patient records, including IHIs, held in your systems. This will help your organisation prevent and detect improper activity.

  APP 11 contains a similar requirement, for entities to protect personal information held from misuse, interference, loss and from unauthorised access, modification or disclosure. The OAIC has produced the Guide to Securing Personal Information, which provides guidance on the reasonable steps entities are required to take under the Privacy Act to comply with APP 11.

  Anonymous and pseudonymous healthcare

  APP 2 requires you to allow patients to interact with you on an anonymous or pseudonymous basis, where this is lawful and practicable.

  IHIs do not alter the way in which anonymous and pseudonymous healthcare services are provided to patients. When a patient is receiving healthcare services on a pseudonymous basis, they can choose to be issued with a pseudonymous IHI, and have a My Health Record created using that pseudonym identity or alias. Patients should not be refused treatment because they do not wish their healthcare provider to access their IHI.

  For further information about APP 2, see the APP Guidelines – Chapter 2.

  For further information about pseudonym identification and IHIs, see the Department of Health website.

  State and territory healthcare providers’ privacy obligations

  This information is for individual healthcare providers and healthcare provider organisations in the public sector.

  Compliance obligations – the HI Act and the Privacy Act

  The OAIC has regulatory oversight over the privacy aspects of the HI Act and HI Regulations and oversees state and territory healthcare providers’ compliance with their obligations regarding the handling of healthcare identifiers.

  Each state and territory is able to make laws so that a local regulator has oversight of the handling of healthcare identifiers by state and territory authorities, such as public hospitals. Until this occurs, the OAIC regulates the handling of healthcare identifiers and identifying information by state and territory healthcare providers.

  When handling healthcare identifiers, healthcare providers must comply with the HI Act, HI Regulations and any existing obligations under state or territory privacy or information handling legislation.

  Under the HI Act, a breach of certain information handling provisions relating to healthcare identifiers or identifying information will not only be subject to criminal and civil penalties, but the action will also be an interference with privacy for the purposes of the Privacy Act. Section 29 of the HI Act brings state and territory authorities into the jurisdiction of the OAIC for the handling of IHIs.

  The OAIC regulates your compliance with these obligations, which are set out further in the sections below.

  For further information about the OAIC’s regulatory powers, see our Guide to Privacy Regulatory Action.

  Collecting IHIs from the HI Service

  To access healthcare identifiers and use the HI Service, you will need to be registered with the HI Service and have been assigned a healthcare provider identifier.

  Under the HI Act, you may collect IHIs from the HI Service for the purpose of communicating or managing health information, as part of providing healthcare to a patient.[22] This includes for accessing a patient’s My Health Record.

  Healthcare provider organisations must not request access to IHIs from the HI Service unless they have first informed the HI Service of the ‘responsible officer’ and the ‘organisation maintenance officer’, and have that person or persons’ identity verified.[23] The HI Service may refuse to comply with a request to disclose a healthcare identifier if the healthcare provider organisation has not complied with these requirements.

  For further information about the roles and responsibilities of the ‘responsible officer’ and the ‘organisation maintenance officer’, see https://www.digitalhealth.gov.au/get-started-with-digital-health/registration/roles-responsibilities.

  If you collect IHIs for patients through a bulk download from the HI Service, you should consider whether you need to collect IHIs for patients who have not used your service recently, taking into account APP 3 obligations to only collect personal information where it is reasonably necessary for your functions or activities.

  For further information on registering with the HI Service, contact the HI Service Operator.

  Disclosing ‘identifying information’ to the HI Service

  Under the HI Act, if you have a healthcare provider identifier, you may disclose a patient’s ‘identifying information’ to the HI Service for the purposes of the HI Service assigning the patient an IHI and disclosing the patient’s IHI to you.[24]

  A patient’s ‘Identifying information’ includes Medicare number, Veterans’ Affairs Department file number, name, address (including electronic address), date of birth (and if applicable, for multiple births, the order in which the patient was born), sex, date of death, telephone number and other information as prescribed by the HI Regulation.[25]

  Keeping records of access to the HI Service

  To ensure that a record of every access to the HI Service is maintained, healthcare provider organisations are required to either:

  • if it is reasonably practicable, give the HI Service enough information to identify, by name, the individual making the request on behalf of the organisation, without the HI Service having to seek further information. This information may be given, for example, as part of the data sent to the HI Service from the healthcare provider organisation’s practice management software, or
  • if it is not reasonably practicable to do the above at the time the request is made, the healthcare provider organisation must:
    • keep a record of the identity of the individual who accessed the healthcare identifier for the organisation from the HI service
    • keep that record for the ‘retrieval period’ for that individual, and
    • if, during the retrieval period for that individual, the HI Service gives the organisation written notice requiring the organisation to identify the individual, the organisation must identify the individual to the HI Service within 14 days after the notice is given.[26]

    The ‘retrieval period’ is any period that the individual is authorised by the healthcare provider organisation to access healthcare identifiers on behalf of the organisation, and, for seven years from the day they cease to be authorised.

    Under the HI Regulations, a civil penalty may apply if the organisation contravenes these requirements.[27]

    Notifying patients of the collection of IHIs

    State and Territory healthcare providers may be required under their state and territory privacy or information handling legislation to give notice when collecting a patient’s personal information, such as an IHI. To give notice, they might consider including information about the collection of a patient’s IHI as part of a collection notice and in the healthcare provider’s privacy policy.

    Authorised use and disclosure of IHIs

    Under the HI Act, you may use or disclose an IHI for the purpose of communicating or managing health information as part of the:

    • provision of healthcare to the patient
    • management (including the investigation or resolution of complaints), funding, monitoring or evaluation of healthcare
    • provision of indemnity cover for a healthcare provider, or
    • conduct of research that has been approved by a Human Research Ethics Committee.[28]

    A healthcare provider may also be able to use or disclose a healthcare identifier in the following situations, where:

    • the use or disclosure is required or authorised under the HI Act or another Commonwealth law or court/tribunal order[29]
    • you reasonably believe that the use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of an individual or to public health or safety, and it is unreasonable or impracticable to obtain the patient’s consent[30]
    • you reasonably believe this is necessary to take appropriate action in relation to suspected unlawful activity or serious misconduct[31]
    • it is reasonably necessary for the establishment, exercise or defence of a legal or equitable claim[32]
    • it is reasonably necessary for the purposes of a confidential alternative dispute resolution process[33], or
    • the use or disclosure is required or authorised by the Information Commissioner, or an equivalent officer or agency of a State or Territory, in exercising powers or performing functions in relation to privacy.[34]

    Both criminal and civil penalties may apply for the use or disclosure of healthcare identifiers outside these circumstances.[35]

    Prohibited use and disclosure of IHIs

    The HI Act specifically prohibits the collection, use or disclosure of an IHI for the purpose of communicating or managing health information as part of:

    • underwriting a contract of insurance that covers a patient
    • determining whether to enter into a contract of insurance that covers a patient (whether alone or as a member of a class)
    • determining whether a contract of insurance covers a patient in relation to a particular event, or
    • non-healthcare related employment purposes.[36]

    Collection, use and disclosure of identifying information and IHIs – My Health Record registration

    Under the HI Regulations, you may collect from a patient or use or disclose to the My Health Record System Operator, the patient’s identifying information or IHI for the purpose of registering the patient in the My Health Record system.[37]

    Using IHIs to identify patients

    Under the HI Act, you are authorised to use (or adopt) an IHI as your own identifier of the healthcare recipient.[38]

    Exchanging information with the Aged Care Department

    Under the HI Act, healthcare providers may disclose to the Aged Care Department a patient’s IHI and, if authorised, ‘identifying information’ for an aged care purpose. If you have a healthcare provider identifier, you may also collect and use identifying information from the Aged Care Department, for an aged care purpose.[39]

    ‘Aged care purpose’ means:

    • the purpose of enabling the Aged Care Department to create and maintain a record about aged care provided to a person by an approved provider (with the meaning of the Aged Care Act 1977), or
    • the purpose of the Aged Care Department verifying the identity of a person who is receiving, or who is to receive, aged care.[40]

    Quality of information

    Information about health providers

    Under the HI Act, if a healthcare provider organisation becomes aware that information held by the service operator about them is not accurate, up‑to‑date and complete, they must update the HI Service Operator in writing within 20 business days (some exceptions apply).[41] This is to ensure that all information held by the HI service Operator and subsequently the listing in the Healthcare Provider Directory is maintained.

    The deliberate or reckless failure to give the HI Service information in the relevant circumstances may attract a civil penalty.

    Patient information

    One of the main purposes of healthcare identifiers is to ensure that records are accurately matched with the correct patient. You must have systems and processes in place to ensure that you reference patient records with the correct healthcare identifier and that the information you reference with the identifier is accurate, complete and up to date.

    Security of personal information

    Under the HI Act, healthcare providers must take reasonable steps to protect the healthcare identifiers they hold from misuse, loss, and unauthorised access, modification or disclosure.[42]

    To participate in the HI Service, a healthcare provider business requires IT systems that incorporate minimum standards and security features. For further information about technical requirements, contact the HI Service Operator.

    Additionally, many states and territory healthcare providers will similarly be required to have data security procedures in place under state or territory privacy or information handling legislation.

    Compliance tip: it is good privacy practice to implement audit trails of individual staff access to patient records, including IHIs, held in your systems. This will help your organisation prevent and detect improper activity.

    Anonymous and pseudonymous healthcare

    IHIs do not alter the way in which anonymous and pseudonymous healthcare services are provided to patients. When a patient is receiving healthcare services on a pseudonymous basis, they can choose to be issued with a pseudonymous IHI, and have a My Health Record created using that pseudonym identity or alias. Patients should not be refused treatment because they do not wish their healthcare provider to access their IHI.

    For further information about pseudonym identification and IHIs, see the Department of Health website.

    Footnotes

    [1] s 14 of the HI Act.

    [2] Regulations 6 of the HI Regulations

    [3] ss 12 and 14 of the HI Act.

    [4] s 7(3) of the HI Act and regulation 5 of the HI Regulations.

    [5] Regulation 7 of the HI Regulations.

    [6] Regulation 7 of the HI Regulations.

    [7] s 14 of the HI Act.

    [8] s 26(3)(a) and (b) of the HI Act.

    [9] s 26(3)(d) of the HI Act and s 16A(1) of the Privacy Act (permitted general situation, item 1).

    [10] s 26(3)(d) of the HI Act and s 16A(1) of the Privacy Act (permitted general situation, item 2).

    [11] s 26(3)(d) of the HI Act and s 16A(1) of the Privacy Act (permitted general situation, item 4).

    [12] s 26(3)(d) of the HI Act and s 16A(1) of the Privacy Act (permitted general situation, item 5).

    [13] s 26(3)(e) of the HI Act.

    [14] s 26(5) and (6) of the HI Act.

    [15] s 14(2) of the HI Act.

    [16] Regulation 8 of the HI Regulations.

    [17] s 17 of the HI Act.

    [18] s 16 of the HI Act.

    [19] s 5 of the HI Act.

    [20] s 25E of the HI Act.

    [21] s 27 of the HI Act.

    [22] s 14 of the HI Act.

    [23] Regulation 6 of the HI Regulations

    [24] ss 12 and 14 of the HI Act.

    [25] s 7(3) of the HI Act and regulation 5 of the HI Regulations.

    [26] Regulation 7 of the HI Regulations.

    [27] Regulation 7 of the HI Regulations.

    [28] s 14 of the HI Act.

    [29] s 26(3)(a) and (b) of the HI Act.

    [30] s 26(3)(d) of the HI Act and s 16A(1) of the Privacy Act (permitted general situation, item 1).

    [31] s 26(3)(d) of the HI Act and s 16A(1) of the Privacy Act (permitted general situation, item 2).

    [32] s 26(3)(d) of the HI Act and s 16A(1) of the Privacy Act (permitted general situation, item 4).

    [33] s 26(3)(d) of the HI Act and s 16A(1) of the Privacy Act (permitted general situation, item 5).

    [34] s 26(3)(e) of the HI Act.

    [35] s 26(5) and (6) of the HI Act.

    [36] s 14(2) of the HI Act.

    [37] Regulation 8 of the HI Regulations.

    [38] s 17 of the HI Act.

    [39] s 16 of the HI Act.

    [40] s 5 of the HI Act.

    [41] s 25E of the HI Act.

    [42] s 27 of the HI Act.