If you are a service provider that provides health information management services to healthcare providers, you must understand how to manage the information you collect. How you treat an individual’s healthcare identifier is particularly important now that COVID-19 digital certificates are being issued and vaccination information is being checked. A COVID-19 digital certificate contains personal information. While not all versions contain a healthcare identifier, it is essential to understand what the identifier is and the obligations that attach to it. This article sets out what healthcare identifiers are, the regulatory frameworks that protect them, the privacy obligations involved and the consequences of not complying with them.
What is an Individual Healthcare Identifier?
An Individual Healthcare Identifier (IHI) is a unique number used to identify an individual for healthcare purposes.
Importantly, the IHI is not only sensitive (health) information but also a government identifier, and it therefore attracts a high level of protection under the Privacy Act.
The entities authorised to collect an IHI include:
- identified healthcare providers (including aged care providers);
- certain Government agencies and service operators of those Government entities; and
- entities providing healthcare services to individuals.
Generally, if an entity has authorisation to collect, use or disclose IHIs, then any service providers they contract also have authorisation, provided:
- the contract between the entities sets out and limits the purpose of the collection, use or disclosure of the IHI; and
- the purpose of the disclosure is reasonably connected with the original purpose of the collection and relates to the communication of health information or health management services to the healthcare provider.
Privacy Obligations Concerning IHIs
Because the IHI is so sensitive, a party may only access, use or disclose it for limited purposes. A key obligation under both the Privacy Act and the Healthcare Identifiers Act 2010 (Cth) (HI Act) is for entities to take reasonable steps to secure the personal information and healthcare identifiers they hold.
For example, under section 27 of the HI Act, an entity must:
- take reasonable steps to protect healthcare identifiers the entity holds from:
  - misuse and loss; and
  - unauthorised access, modification or disclosure; and
- comply with any requirements prescribed by the regulations for the protection of healthcare identifiers the entity holds.
What are Reasonable Steps?
The Office of the Australian Information Commissioner (OAIC) suggests that the ‘reasonably necessary’ test is an objective one.
Determining what constitutes reasonable steps will turn on the circumstances of the collection of the information, which include:
- the size, resources, complexity and business model of the entity;
- the amount and sensitivity of the personal information the entity holds;
- the adverse consequences for an individual in the case of a breach; and
- the practical implications of implementing security measures, such as the time and cost.
The OAIC has also published a guide on reasonable steps to protect personal information. At the time of this article, the OAIC is in the process of updating this guide.
As a matter of practice, you should avoid collecting or storing IHIs. The OAIC advises that it is generally appropriate to sight an individual’s COVID-19 digital certificate rather than collect a copy of it, especially a version that contains an IHI. You can do this by recording only that the certificate was sighted and confirmed, for example by placing a tick next to the person’s name.
Failing to Comply With Obligations
Unauthorised use and disclosure of an IHI may attract substantial criminal and civil penalties under the HI Act, Privacy Act and even the My Health Records Act 2012 (Cth). For example, under the HI Act, penalties include:
- imprisonment of up to 2 years;
- 120 penalty units; or
- 600 penalty units where the person knows or is reckless about the unauthorised use or disclosure.
Key Takeaways
COVID-19 digital health certificates are increasingly common. However, these certificates contain sensitive information protected by regulatory frameworks. Accordingly, it is crucial to ensure you treat such information appropriately.
If you have any questions about your obligations concerning individual health identifiers, our experienced lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.
Frequently Asked Questions
An individual healthcare identifier is a unique 16-digit number used to identify an individual for healthcare purposes. This can be found on an individual’s COVID-19 digital certificate.
This is largely dependent on the circumstances of the collection, which includes factors such as the entity’s size, resources, complexity and business model and the amount and sensitivity of the personal information held.