New National Health (Privacy) Rules commence

24 March 2025

Set to commence on 1 April 2025, the National Health (Privacy) Rules 2025 (the Rules) significantly enhance the privacy settings applicable to sharing health claims information. The Rules, issued under section 135AA of the National Health Act 1953, establish requirements for Australian Government agencies concerning the use, storage, disclosure, and linkage of Medicare Benefits Schedule (MBS) and Pharmaceutical Benefits Schedule (PBS) claims information. With the commencement date fast approaching, agencies, researchers and industries should ensure they understand the changes in the Rules.

Consultation process

The importance of maintaining rigorous protections around MBS and PBS data has been highlighted by recent large-scale data breaches relating to health information. MBS and PBS claims information plays an important role in developing health policy, promoting public health, tracking medical trends and identifying areas for improvement. Recognising the dynamic nature of health information management and increasing community expectations for data privacy, the Office of the Australian Information Commissioner (OAIC) conducted a comprehensive review of the existing National Health (Privacy) Rules 2021 with a view to updating the Rules to ensure they remain fit for purpose.

A public consultation process was held, with submissions closing on 1 May 2024. The OAIC commissioned Information Integrity Solutions Pty Ltd (IIS) to prepare a Review Report, and the OAIC published its response to the IIS Final Report. The Information Commissioner made the Rules in August 2024, specifying a commencement date of 1 April 2025.

Key features

Key features of the Rules aimed at protecting privacy and security of health claims information include:

  • data storage: Agencies must implement stringent measures for storing claims information, including requirements relating to data encryption, access controls, and security measures to prevent unauthorised linkage and data breaches. The Rules prohibit agencies from storing MBS and PBS claims information in the same database, except in limited circumstances
  • use: The Rules specify permissible uses of claims information by agencies. For example, Services Australia and the Department of Health may use claims information for research, statistical analysis and development of government policies
  • data linkages: The Rules prohibit agencies from linking MBS and PBS claims information in the same database unless authorised. This measure aims to reduce the risk of unauthorised data linkages that could compromise individual privacy
  • disclosure: The Rules limit the circumstances under which agencies may disclose claims information to 8 listed situations. The first 4 of the situations relate to disclosure between the Department of Health and Services Australia. For example, Services Australia may disclose claims information to the Department of Health where the disclosure is for the purposes of the health provider compliance functions.
    • Disclosure is also permitted when required or authorised by law, such as where disclosure is lawful under a public interest certificate issued for the purposes of secrecy provisions of a Commonwealth law. In addition, the Department of Health and Services Australia may disclose limited claims information to agencies for the purposes of consultation regarding whether further disclosure under a data sharing agreement is appropriate.
  • data sharing agreements: The remaining 2 grounds for disclosure concern the Department of Health or Services Australia disclosing claims information to another agency or a third party. The Rules introduce new requirements to enter data sharing agreements when disclosing claims information in these circumstances. These agreements are designed to ensure that data sharing practices comply with privacy standards and that the receiving party understands and adheres to the required data protection obligations.

Data sharing agreements

If the Department of Health or Services Australia intends to disclose claims information to another agency or an external entity (such as a research institute or university), the parties must enter a data sharing agreement. These requirements do not apply if the disclosure is otherwise authorised or required by law, or if the disclosure is for the purposes of consulting about the appropriateness of disclosure.

The data sharing agreement must meet various requirements in the Rules including:

  • purpose of data sharing: A clear and specific description of the objectives for which the data is being shared. The agreement must not permit the use for other purposes
  • data minimisation: Compliance with the principle that only the claims information reasonably needed to achieve the purposes is disclosed, used, linked or re-linked
  • re-identification: Obligations of the receiving party to promptly notify the disclosing agency of any re-identification incidents involving the shared data
  • on-disclosure: A prohibition on the on-disclosure of claims information provided under the data sharing agreement.

Takeaway

MBS and PBS data is central to Australia’s healthcare system, informing health policy and research. Given the sensitive nature of the information involved, it is important that the Rules ensure that information from claims is appropriately protected to meet current community expectations in the ever-changing cybersecurity environment. Government agencies, healthcare providers and researchers should assess the new Rules to ensure compliance with these changes, including the circumstances requiring a data sharing agreement and the essential elements of such agreements. Engaging proactively with the new requirements will assist in ensuring appropriate protection of health information in an evolving digital landscape.

If you have any questions regarding the upcoming changes, please get in touch with a member of our team below.

Disclaimer
The information in this article is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this article is accurate at the date it is received or that it will continue to be accurate in the future.
