HRA, Victoria - Office of the Privacy Commissioner

Overseas Privacy Regimes
Internal research paper comparing New Zealand’s Health Information
Privacy Code 1994 with the health privacy laws of Victoria, Ontario and
the United States
Prepared by
Sebastian Morgan-Lynch
Policy Adviser (Health)
October 2006
Table of Contents
A. Introduction ... 3
  Health Records Act 2001, Victoria, Australia (“HRA, Victoria”) ... 4
  Personal Health Information Protection Act 2004, Ontario, Canada (“PHIPA”) ... 5
  Health Insurance Portability and Accountability Act, United States of America (Federal) (“HIPAA”) ... 5
B. Transparency ... 7
  HRA, Victoria ... 7
  PHIPA, Ontario ... 8
  HIPAA, USA ... 8
C. Collection ... 11
  HRA, Victoria ... 11
  PHIPA, Ontario ... 12
  HIPAA, USA ... 14
D. Use and Disclosure ... 15
  HRA, Victoria ... 15
  PHIPA, Ontario ... 16
  HIPAA, USA ... 18
E. Access ... 21
  HRA, Victoria ... 21
  PHIPA, Ontario ... 22
  HIPAA, USA ... 23
F. Accuracy and Correction ... 25
  HRA, Victoria ... 25
  PHIPA, Ontario ... 25
  HIPAA, USA ... 26
G. Security ... 28
  HRA, Victoria ... 28
  PHIPA, Ontario ... 28
  HIPAA, USA ... 28
H. Retention and Disposal ... 30
  HRA, Victoria ... 30
  PHIPA, Ontario ... 30
  HIPAA, USA ... 31
I. Complaints ... 33
  HRA, Victoria ... 33
  PHIPA, Ontario ... 34
  HIPAA, USA ... 35
J. Adverse Consequences ... 36
  HRA, Victoria ... 36
  PHIPA, Ontario ... 36
  HIPAA, USA ... 36
K. Penalties and Enforcement ... 37
  HRA, Victoria ... 37
  PHIPA, Ontario ... 37
  HIPAA, USA ... 37
A. Introduction
This research report considers the health information privacy regime in three
overseas jurisdictions, having regard to differences between the relevant
legislation and the Health Information Privacy Code 1994 (NZHIPC). It was
prepared by the Policy Advisor (Health) to the Privacy Commissioner, a
position created with funding from the Ministry of Health.
As might be anticipated, there are areas of similarity between the New
Zealand health privacy regime and those of the other jurisdictions I have
examined. I have highlighted areas where there is a notable difference and
made recommendations for possible changes to the NZHIPC, having regard to
the need for, pros and cons of the possible change and whether the scope of
the change would be permissible under section 46 of the Privacy Act 1993.
In considering the pros and cons of any change we need to consider a number
of things – the current law, its goals, practical problems in achieving the
goals, whether a change is necessary and whether the suggested change
would be desirable. As this report is intended to be an overview, these
considerations have been abbreviated, with a view to providing suggestions
for further discussion.
Nothing in this report should be taken as indicating that the Privacy
Commissioner favours or does not favour a particular proposed change to the
NZHIPC.
Section 46
Section 46(2) sets out what may be accomplished by a code of practice issued
under the Privacy Act, namely that:
(2) A code of practice may—
(a) Modify the application of any one or more of the information privacy
principles by—
(i) Prescribing standards that are more stringent or less stringent
than the standards that are prescribed by any such principle:
(ii) Exempting any action from any such principle, either
unconditionally or subject to such conditions as are prescribed in
the code:
(aa) Apply any one or more of the information privacy principles (but not all
of those principles) without modification:
(b) Prescribe how any one or more of the information privacy principles are
to be applied, or are to be complied with.
Accordingly any amendment to the NZHIPC which purports to have an effect
beyond that allowed in section 46(2) risks being disallowed by the Regulations
Review Committee as being out of scope.
The three pieces of legislation considered below are from:
- Victoria, Australia;
- Ontario, Canada; and
- the United States.
I have examined these three overseas health information statutes in relation
to how they address:
1. Transparency
2. Collection
3. Use and Disclosure
4. Access
5. Accuracy and Correction
6. Security
7. Retention and Disposal
8. Complaints
9. Adverse Consequences
10. Penalties and Enforcement
Ontario, Victoria and the USA all have some form of non-health-specific
privacy legislation at the Federal level. The focus of this paper is examining
different methods of regulating health information rather than comparing
overall information privacy frameworks. Accordingly, I have not considered
the interaction between different levels of government or between
health-specific and non-health-specific enactments.
Health Records Act 2001, Victoria, Australia (“HRA, Victoria”)
The Health Records Act (HRA), which regulates health information privacy in
Victoria and is administered by the Health Services Commissioner, came into
force on 1 July 2002. The HRA regulates ‘organisations’, which are the
effective equivalent of the NZHIPC ‘agencies’. The HRA has 11 health
information privacy principles.
Victorians are subject to two other privacy laws, the Information Privacy Act
2000 (Vic) and the Commonwealth Privacy Act 1998.
The Information Privacy Act 2000 (Vic), administered by the Victorian Privacy
Commissioner, came into force on 1 September 2002. This Act covers
personal information (other than health information) held in the Victorian
public sector and organisations funded by the public sector.
The Commonwealth Privacy Act 1998 is a Federal act that was amended to
cover the private sector on 21 December 2001. It covers many private sector
organisations that hold personal information, and all health service providers,
and is administered by the Federal Privacy Commissioner.
Personal Health Information Protection Act 2004, Ontario, Canada
(“PHIPA”)
PHIPA came into effect on 1 November 2004 and sets out the rules that
“health information custodians” in Ontario must follow when collecting, using
and disclosing personal health information.
Health information custodians include healthcare providers (e.g., doctors,
nurses, etc.), hospitals, long-term care homes, homes for special care,
community care access centres, pharmacies, medical laboratories, local
medical officers of health, ambulance services, community mental health
programs, and the Ministry of Health and Long-Term Care.
A key difference between Canada’s Federal privacy statute, the Personal
Information Protection and Electronic Documents Act (PIPEDA), and PHIPA is
that PIPEDA only applies to organizations that collect, use and disclose
personal information in the course of commercial activities. PHIPA applies to
health information custodians that collect, use and disclose personal health
information, whether or not in the course of commercial activities, and does
not incorporate information privacy principles.
Health Insurance Portability and Accountability Act, United States
of America (Federal) (“HIPAA”)
HIPAA was enacted in 1996 and amended the Internal Revenue Service Code
of 1986 to improve and simplify the regulation of health insurance schemes.
Title II of the Act, Administrative Simplification, requires:
1. Improved efficiency in healthcare delivery by standardizing electronic
data interchange, and
2. Protection of confidentiality and security of health data through setting
and enforcing standards.
More specifically, HIPAA required the Department of Health and Human
Services (HHS) to publish rules ensuring:
1. Standardization of electronic patient health, administrative and financial
data
2. Unique health identifiers for individuals, employers, health plans and
health care providers
3. Security standards protecting the confidentiality and integrity of
“individually identifiable health information”.
The Department of Health and Human Services (DHHS) issued final
modifications to the Standards For Privacy Of Individually Identifiable Health
Information, the "Privacy Rule," on August 14, 2002. The Privacy Rule
regulates the activities of ‘covered entities’. References to HIPAA in this
paper mean the Privacy Rule except where otherwise noted.
Covered entities are, broadly:
- health plans (a “health plan” is a generic package of health benefits
provided by agencies such as insurance companies, Medicare and
Medicaid contractors, or the government);
- clearinghouses (entities that convert electronic health care data from
one format to another for billing or other purposes); and
- health care providers who electronically transmit health information in
connection with certain transactions (including claims for payment,
benefit eligibility inquiries, and referral authorisation requests).
B. Transparency
There is a potential tension between an individual having control over his or
her information and an agency’s ability to carry out its functions. One way of
resolving that tension is to oblige the agency to be transparent about the use
it intends to make of the information. This can be brought about by requiring
the agency to formalise its information handling procedures.
Rule 3 of the NZHIPC requires agencies to take reasonable steps to ensure
individuals are aware of what is to be done with their information before the
act of collection, or during it. This can be effective, but does not impose any
general obligation of transparency; transparency is tied to the rule 2
obligation to collect directly from the individual, which has a number of broad
exceptions. If information is collected indirectly, or received unsolicited, there
is no obligation to inform the individual.
Each of the three overseas privacy regimes considered has a general
transparency provision requiring agencies to make available to the public a
statement of their policies in relation to the management of personal health
information. This is not an obligation under the NZHIPC. While, as a matter
of best practice, many agencies will have such a document and may choose to
make it available on request, it is worth considering whether this obligation
should be incorporated into the NZHIPC.
HRA, Victoria
Principle 5.1 of the HRA requires an organisation to set out in a document,
available to anyone who asks for it:
- clearly expressed policies on its management of health information; and
- the steps that an individual must take in order to obtain access to their
health information.
Larger health agencies in New Zealand would probably have this information
available and provide it on request, but there is no legal obligation to do so
under the NZHIPC.
There is also an obligation under this principle of the HRA to let an individual
know, on request and in general terms, what information is held about them,
for what purpose and how it is collected, held and disclosed.
Principle 1.4 provides that, when collecting information about an individual
directly from that individual, he or she should be advised of why the
information is to be collected, who is doing the collecting, who will see it and
so on. This obligation is closely analogous to that in rule 3 of the NZHIPC, but
without the explicit exceptions found in that rule. There is also an obligation,
where collecting information about an individual from a third party, to take
reasonable steps to ensure that the individual is or has been informed of the
matters in principle 1.4.
PHIPA, Ontario
If a health information custodian becomes aware that information it is
disclosing is inaccurate, incomplete or out-of-date, it is obliged to clearly set
this out for the recipient of the information.[1] Also, section 12(2) obliges
agencies to notify the individual if personal health information about him or
her is lost, stolen or accessed by unauthorised persons. There is no
counterpart to these obligations in New Zealand legislation, though
information about inaccuracy or a breach of security would probably be
personal information and, as such, obtainable by way of an access request.
The obligation to inform the individual where information is used or disclosed
outside the information privacy practices of the organisation is a potent one.
To incorporate this obligation into the NZHIPC would improve transparency
and be a strong encouragement to agencies to adhere to their own policies.
However, it may be that such a change would amount to too great a
departure from the principles as laid out in the Privacy Act. It is also
dependent, to an extent, on the implementation of the general obligation of
transparency mentioned above.
Transparency is also the goal of section 16(1), which obliges agencies to
make available to the public a written statement that provides a general
statement of the health information custodian’s information practice, contact
details, how access and correction requests may be made and how a
complaint may be made to the health information custodian and/or the
Commissioner. This has a parallel in rule 3 of the NZHIPC, with the difference
that in the case of PHIPA no collection needs to have taken place.
Section 16(2) imposes an even stronger obligation of transparency on the
health information custodian holding personal health information. If the
health information custodian uses or discloses health information about an
individual, without his or her consent, and in a manner that is outside the
scope of its own description of its practices, it is obliged to make a note of
these uses or disclosures and advise the individual of them at the first
reasonable opportunity. This last obligation, to notify the individual, does not
apply if the individual would not have a right of access in respect of the
information used or disclosed.
[1] Section 11(2)(b)
HIPAA, USA
Covered entities must provide a notice of their privacy practices describing
the ways in which they may use and disclose protected health information.
The notice must state the covered entity’s duties to protect privacy, provide a
notice of privacy practices, and abide by the terms of the current notice. The
notice must describe individuals’ rights, including the right to complain to HHS
and to the covered entity if they believe their privacy rights have been
violated. The notice must include a point of contact for further information
and for making complaints to the covered entity. Covered entities must act in
accordance with their notices. The Rule also contains specific distribution
requirements for direct treatment providers, all other health care providers,
and health plans, requiring the notice to be delivered:
- not later than the first service encounter by personal delivery (for
patient visits), by automatic and contemporaneous electronic response
(for electronic service delivery), and by prompt mailing (for telephonic
service delivery);
- by posting the notice at each service delivery site in a clear and
prominent place where people seeking service may reasonably be
expected to be able to read the notice;
- in emergency treatment situations, as soon as practicable after the
emergency abates.
A covered entity must also make its notice electronically available on any web
site it maintains for customer service or benefits information.
A health plan must distribute its privacy practices notice to each of its clients,
or ‘enrollees’. Thereafter, the health plan must give its notice to each new
enrollee at enrollment, and send a reminder to every enrollee at least once
every three years that the notice is available upon request.
A health care provider with a direct treatment relationship with individuals
must make a good faith effort to obtain written acknowledgement from
patients of receipt of the privacy practices notice and must document the
reason for any failure to obtain the patient’s written acknowledgement, except
in an emergency treatment situation.[2]
Many of these requirements have some form of counterpart in the
commentary to the NZHIPC or in rule 3. The obligations to send a reminder
that privacy notices are available on request at least once every three years,
and to obtain written confirmation from individuals that the notice has been
received, are notable additions. Inserting such obligations into the NZHIPC, in
conjunction with the general transparency requirements outlined above,
would have significant cost implications and should not be embarked on
lightly. However, there is a clear overseas trend to improve transparency by
widely disseminating information about an agency’s practices and procedures,
and we should consider whether moving the NZHIPC in that direction is
desirable.
Also, covered entities must provide individuals, on request, with an
accounting of all disclosures of health information within the last six years.
This accounting is subject to a number of broad exceptions, such as
disclosures:
- to carry out treatment, payment and health care operations;
- to individuals of protected health information about them;
- pursuant to an authorisation.
The request must be acted on within 60 days of receipt. Under the NZHIPC,
the same information could be obtained by a rule 6 access request. The
difference would be that individuals would be much more likely to make such
a request out of curiosity if they knew such a specific right existed. This
provision in HIPAA is clearly intended to improve transparency and might
have the side effect of ensuring that transfers of information are more
carefully documented.
[2] http://www.hhs.gov/ocr/privacysummary.pdf
Points for consideration in ongoing development of HIPC:
Transparency
HRA
- Obligation, when collecting information from a third party, to take
reasonable steps to ensure the individual is aware of what is to be done
with the information.
PHIPA
- Obligation to inform the individual where his or her personal health
information is lost, stolen or used contrary to the information privacy
practices of the organisation.
- Obligation to make available a statement setting out the agency’s
privacy practices.
HIPAA
- Obligation to distribute the privacy practices notice to clients, and obtain
evidence that it has been received.
- Obligation to provide an accounting of all disclosures of health information
for the previous six years.
C. Collection
Rules 1-4 of the NZHIPC set up a series of obligations on agencies collecting
health information. One of these obligations is, pursuant to rule 1, that they
must establish their purpose in doing so. This is of particular significance
because so many of the subsequent obligations incurred by the collecting
agency, or exceptions to those obligations, rely on the purpose for which the
information is collected.
Purpose attaches to a particular piece of information at the point of collection,
although there is some flexibility, in the form of the ‘directly related purpose’
formulation and various circumstantial exceptions.[3] An effect of the NZHIPC
regime in enforcing this attachment is to encourage agencies to establish their
policies and procedures before collecting personal information.
HRA, Victoria
Principle 1.1 provides that organisations can only collect information where
the individual has consented, although some exceptions apply. One such
exception is that information may be collected where it is impracticable to
obtain consent and the information is collected in accordance with guidelines
issued by the Commissioner. There is also a serious and imminent threat
exception and another for collection of personal information ‘necessary for the
establishment, exercise or defense of a legal or equitable claim’.
Principle 1.2 comprises the equivalent of the NZHIPC rule 4, enjoining
organisations to collect health information by methods that are fair, lawful
and not unreasonably intrusive.
Principle 1.3 is the equivalent of rule 2 from the NZHIPC, though without any
exceptions apart from ‘if it is reasonable and practicable to do so’.
Principle 1.7 provides that, where personal information is given in confidence,
the organisation must confirm that it is to remain confidential, record only
relevant information, make sure it is accurate and record that it is to remain
confidential.
The only equivalents in the Privacy Act to this are sections 29(1)(a) and
29(1)(b), which in certain circumstances may provide a method to prevent
personal information obtained in confidence being made available by way of
an access request.
Importing into the NZHIPC a similar restriction to that in principle 1.7 of the
HRA could be considered. An advantage of this would be to potentially
improve the quality of information provided by third parties. A drawback
would be the weakening of individuals’ ability to obtain access to their
personal health information.
[3] For instance, rules 10(1)(b) and 11(2)(a)
PHIPA, Ontario
Under PHIPA,[4] collection is defined as “to gather, acquire, receive or obtain
the information by any means from any source”; unsolicited receipt would
therefore also constitute collection. By contrast, collection, as defined in
section 2 of the Privacy Act, does not include the unsolicited receipt of
information. Overall this distinction works well, as it avoids holding an agency
liable for events beyond its control. However, inevitably a health agency will
have to decide how it is to deal with unsolicited information that it receives.
The benefit of amending the NZHIPC to include unsolicited information would
be to require agencies’ policies to encompass it.
The point at which an unsolicited receipt of information becomes collection of
that information could usefully be clarified while still leaving unsolicited
information available for access under rule 6.
Under the NZHIPC, collection of information is separated from use and
disclosure. Under PHIPA, many of the same restrictions apply to collection,
use and disclosure equally. For instance, under section 29(a) a health
information custodian may not collect, use or disclose personal health
information about an individual unless it has the individual’s consent and the
information is necessary for some lawful purpose. This is subject to section
29(b), which allows collection (and use and disclosure) where specifically
permitted by the Act.
Both HRA and PHIPA place a slightly greater emphasis on consent, when it
comes to the collection of personal health information, than the NZHIPC. It
might be desirable to import a similar requirement for consent into rule 1 of
the NZHIPC, imposing a more stringent collection regime in accordance with
section 46(2) of the Privacy Act.
The benefit of this would be to increase the control individuals have over the
collection of their personal information, and to introduce a stronger parallel
between health information privacy and the requirements for informed
consent in the Code of Health and Disability Services Consumers' Rights
(“HDC Code”). Against this, agencies are already obliged to advise whether
collection of information is voluntary or mandatory – if voluntary, one might
presume the individual had consented by providing the information.
Section 30 sets out more general restrictions on collection, use and
disclosure, namely that personal health information may not be collected,
used or disclosed if other information would serve the same purpose, and that
only the minimum amount of personal health information should be collected,
used or disclosed to meet the required purpose.
Rule 1 of the NZHIPC provides that personal health information may only be
collected where collection is necessary for the intended purpose. The
restrictions in section 30 of PHIPA might be a useful addition to rule 1 of the
NZHIPC, or to the relevant part of the commentary to that rule.
[4] Collection is mainly regulated by Part IV of PHIPA
Where information has been collected in breach of PHIPA, section 31 prohibits
the use or disclosure of that information except where required by law. This
has no exact counterpart in the NZHIPC. Incorporating it may therefore be
out of scope for any NZHIPC amendment, as it could not be said to be a
‘more stringent’ version of one of the principles.
If it were considered to be within scope, though, it would address the problem
of personal health information collected for a purpose, but in breach of the
NZHIPC, being able to be used for that purpose pursuant to principles 10 and
11. For instance, information collected by an agency which has failed to tell
the individual concerned its purpose may legally be used by the agency for
that purpose regardless of the possible breach of rule 3.
There are two specific provisions for collection of personal health information
for fundraising and marketing in sections 32 and 33 respectively. Section 32
permits collection for fundraising either where the individual has explicitly
consented, or where there has been implied consent and the information
being collected (or used or disclosed) is only name and contact details.
Section 33 requires explicit consent for the collection, use or disclosure of
personal health information for marketing purposes. There is no specific
provision in the NZHIPC allowing use of personal health information for
marketing or fundraising purposes. Instead, marketing or fundraising would
be considered a purpose like any other, and subject to the rule 1 necessity
test and transparency requirements of rule 3.
Requiring consent or authorisation for particular purposes would be
inconsistent with the scheme of the NZHIPC and possibly out of scope in
terms of section 46 of the Privacy Act.
Section 36, which deals with indirect collection, is the equivalent of rule 2 in
the NZHIPC. It states that personal health information may only be collected
indirectly with the consent of the individual concerned, or where one of the
other exceptions applies. Most of the exceptions involve some other legal
obligation; for instance, section 36(1)(g) allows indirect collection where a
person is “permitted or required by law, treaty, agreement or arrangement
made under an Act”. Section 36(1)(b) permits indirect collection if it is:
- necessary for providing health care to the individual; and
- not reasonably possible to collect the information in an accurate or
timely manner, directly from the individual.
The main weakness of the interface between rule 2 and rule 3 in the NZHIPC
is that agencies’ obligation to be transparent about their purposes in collecting
and using information is limited to information collected directly from the
individual concerned. Where information is collected indirectly, the individual
does not have the opportunity to decline to provide the information, and its
purpose is not ‘fixed’ with regard to later use or disclosure.
Modifying rule 2 of the NZHIPC by narrowing the scope of the exceptions or
incorporating something like section 36(1)(b) is probably feasible in terms of
section 46 of the Privacy Act.
The argument against tightening the provisions of rule 2 is that it is already
stricter than its Privacy Act equivalent because of the rule 2(2)(a) need to
have made a rule 3(1) statement before being able to rely on an individual’s
authorisation to collect information indirectly.
HIPAA, USA
HIPAA does not regulate the collection of health information except by
prohibiting the obtaining of protected health information under “false
pretenses” and the obtaining of protected health information with the intent to
sell, transfer or use it for commercial advantage, personal gain or malicious
harm.[5]
A modification to the Privacy Act making the obtaining of personal information
under false pretenses a crime was suggested in Necessary and Desirable, the
OPC’s 1998 review of the Privacy Act.[6]
Points for consideration in ongoing development of HIPC:
Collection
HRA
• Obligation, when receiving confidential information, to confirm its
confidentiality, record only relevant information, make sure it is
accurate and record that it is to remain confidential;
PHIPA
• Unsolicited receipt of information not excluded from definition of
‘collected’;
• Application of similar restrictive principles to collection, use and
disclosure;
• Stronger emphasis placed on consent;
• Prohibition on use or disclosure of information collected in breach of
PHIPA;
• Provisions permitting marketing and fundraising with consent;
• Indirect collection permissible if necessary for providing health care and
not reasonably possible to directly collect information in accurate or
timely fashion.
5 Section 1177(a)(2)
6 Recommendation 148, page 359
D. Use and Disclosure
“Disclosure” requires the passing of personal information to another person or
agency. “Use” may also involve disclosing the information, either internally or
externally.
Agencies subject to the NZHIPC have taken the view that use includes internal
disclosure within an organisation or business unit, but this is not a usage which
is based on anything within the Code itself. This potential uncertainty is
recognised and addressed in some of the comparative enactments.
HRA, Victoria
Under principle 2 of the HRA, organisations may use or disclose health
information for the primary purpose for which the information was collected.
Use or disclosure for other purposes is permissible where the secondary
purpose is directly related to the primary purpose, and where the individual
would “reasonably expect the organisation to use or disclose the information
for the secondary purpose”7.
This method of only permitting use or disclosure for secondary purposes
which are directly related to the primary purpose and are in circumstances
where the individual would expect secondary use could be a useful addition to
rule 10(1)(b). In the alternative, it could possibly be imported into the
directly related purpose formulation of rule 11(2)(a). The advantage of this
addition would be that it would connect the secondary, or ‘directly related’
purpose to the individual who is the subject of the personal health
information. Against that, it could be said that requiring the agency to ‘guess’
at what the individual might expect is unfair, and that the ‘directly related
purpose’ does not create significant injustice or overuse of personal health
information.
The HRA’s permissible circumstances for secondary purposes are similar to
those in rules 10 and 11 of the NZHIPC. Of these, 2.2(e) is worthy of note,
providing that an individual’s health provider may use his or her information
for a secondary purpose if it reasonably believes the use is necessary to
ensure that further health services are provided safely and effectively.
While principle 2 of the HRA relates to both use and disclosure, certain parts
of it relate solely to disclosure. Principle 2.4, interestingly, allows disclosure
to immediate family members if necessary to provide appropriate health
services to the individual or for compassionate reasons. The individual must
be incapable of giving consent, the disclosure must be limited to the minimum
amount necessary, and it must not be contrary to any previously stated wish
of the individual. Along similar lines is the principle 2.5 ability to disclose
information about a missing, dead or injured person to emergency services or
the individual’s family.
7 Principle 2.2(a)
The HRA’s use of the formulation “must not be contrary to any previously
stated wish of the individual” is not one that is found in the NZHIPC. It could
potentially also be added to rule 11(2), as that deals with situations where the
consent of the individual is unable to be obtained. The benefit of this addition
would be that the wishes of the individual could be incorporated more closely
into the actions of the agency in circumstances where they might not
normally be. Against this, there is the argument that there are already
enough justifications for declining to disclose personal health information in
emergency situations or to family members and that adding another one
would not be helpful. On balance, though, it seems the addition could be
beneficial and not outside the scope of section 46(2) of the Privacy Act.
PHIPA, Ontario
As noted above in ‘Collection’, the PHIPA treats collection, use and disclosure
in a similar manner. Thus, collection, use and disclosure all require both
consent of the individual concerned and that the action is necessary for a
lawful purpose, unless there is a specific permission elsewhere in the Act.
Consent is already more prominent in the NZHIPC than in the Privacy Act.
However, PHIPA’s use of consent as a more central element of collection, use
and disclosure is worth noting. The NZHIPC currently does not make consent
a required element at any stage of the information lifecycle. Introducing such
a requirement would increase the autonomy of the individual, by giving them
more direct control over what is done with their health information, at the
expense of the efficiency of agencies holding and using personal health
information. It would also bring the HDC Code and the NZHIPC, conceptually,
closer together.
There is also, in section 30, a requirement that the minimum amount of
personal health information be used or disclosed. This is already incorporated
into rule 11(3) and could probably be incorporated into rule 10 as well without
difficulties. There seem to be few if any negative outcomes to this possible
change, as it would be implementing in rule 10 a change that works well in
rule 11. Use and disclosure are similar enough that the ‘minimum necessary’
principle should apply well to either.
Section 37 outlines ‘permitted uses’ for personal health information, in a
similar manner to rule 10 of the NZHIPC. For instance section 37(1)(a)
permits use “for the purpose for which the information was collected or
created and for all the functions reasonably necessary for carrying out that
purpose”. However, a notable difference is the balance of that paragraph,
which explicitly allows a veto from the individual concerned, where the
information was collected with his or her permission. This is a major
departure from the NZHIPC formulation, and places a considerably greater
power in the hands of the data subject to prevent unwanted use of his or her
information.
This ability for the individual concerned to veto a particular use of his or her
personal health information would, if it were incorporated into the NZHIPC, be
a significant alteration. The only current equivalent in the NZHIPC is rule
11(1)(e), which allows individuals in hospital to veto disclosure of basic
information about them under that provision. The rule 11(1)(e) veto would
not prevent any other use or disclosure. The effect of a blanket veto would be
to reduce the discretion of the agency and increase the power of the
individual to control his or her personal information.
As noted above, any change of this nature should be based on evidence that
the level of control currently given by the NZHIPC to individuals over their
personal health information is insufficient.
Permissible disclosures are listed in sections 38 to 50, though not in any
systematic manner. Most of the listed disclosures have a parallel in the
NZHIPC. For instance section 40(1) plays a similar role to rule 11(2)(d) of the
NZHIPC in that it allows a health information custodian to disclose personal
health information about an individual if “necessary to eliminate or reduce a
significant risk of serious bodily harm to a person or group of persons”, but
without the need for the risk to be ‘imminent’.
Research uses are anticipated in section 37(3), but subject to a number of
restrictions. A research plan must be prepared and approved pursuant to
section 44.
Section 44 provides detailed guidelines for the disclosure of personal health
information for research purposes. Applications must be in writing and
include a research plan setting out the nature, objectives and anticipated
benefits of the intended research as well as a copy of the decision of the
research ethics board that approved it. Research ethics boards are required
to consider a number of matters, which are listed in section 44(3). These
include:
• Whether the objectives can be accomplished without the use of
personal health information;
• Whether adequate safeguards will be in place to protect the privacy and
confidentiality of the individuals concerned;
• The public interest in conducting the research; and
• Whether obtaining the consent of the individuals concerned would be
impractical.
Researchers are bound, under section 44(6), to only use research material for
the purposes approved by the board.
PHIPA’s detailed provisions about research ethics boards are partly echoed in
the commentary to rule 11(2)(c)(ii) of NZHIPC. Ideas from the PHIPA
provisions could usefully be incorporated into an amended commentary,
where appropriate and consistent with New Zealand values. The PHIPA option
of incorporating detailed provisions directly into legislation would probably fall
outside the section 46 scope of permissible amendments, however.
HIPAA, USA
The HIPAA Privacy Rule provides that a covered entity may not use or disclose
protected health information, except as the individual who is the subject of
the information (or the individual’s personal representative) authorises in
writing. The Rule contains a number of specific exceptions to this prohibition,
most of which are analogous to those in the NZHIPC8.
A covered entity may use and disclose protected health information for
purposes of:
• treatment
• payment
• the payment activities of another covered entity and of any health care
provider
• health care operations of another covered entity involving either quality
or competency assurance activities or fraud and abuse detection and
compliance activities, if both covered entities have or had a relationship
with the individual and the protected health information pertains to the
relationship.
A “limited data set” is protected health information from which certain
specified direct identifiers of individuals and their relatives, household
members, and employers have been removed. A limited data set may be used
and disclosed for research, health care operations, and public health
purposes, provided the recipient enters into a data use agreement promising
specified safeguards for the protected health information within the limited
data set.
While the NZHIPC could be said to incorporate this notion, by referring to
information used “in a form in which the individual concerned is not identified”
in rules 10(1)(e) and 11(2)(c), it does so less explicitly. Further consideration
should be given to the question of whether the idea of a limited data set is of
value to the NZHIPC. If it were so used, it would represent a shift towards a
focus on the nature of the information rather than the purpose for which it
was to be used. This could be inconsistent with the general approach of the
NZHIPC but may provide greater clarity for agencies handling personal
information.
A covered entity must obtain the individual’s written authorisation for any use
or disclosure of protected health information that is not for treatment,
payment or health care operations or otherwise permitted or required by the
Privacy Rule. A covered entity may not condition treatment, payment,
enrollment, or benefits eligibility on an individual granting an authorisation,
except in limited circumstances.
A covered entity must obtain an authorisation to use or disclose protected
health information for marketing, except for face-to-face marketing
communications between a covered entity and an individual, and for a
covered entity’s provision of promotional gifts of nominal value. An
authorisation for marketing that involves the covered entity’s receipt of direct
or indirect remuneration from a third party must reveal that fact.
8 Section 164.502(a)
The specific ability for a covered entity, under HIPAA, to make marketing
advances on individuals is one that we should be wary of copying. However,
the requirement that an authorisation for use of an individual’s personal
health information in marketing that involves the covered entity’s receipt of
remuneration must reveal that fact seems a potentially useful and industry
specific addition, possibly under rule 3.
A central aspect of the Privacy Rule is the principle of “minimum necessary”
use and disclosure. A covered entity must make reasonable efforts to use,
disclose, and request only the minimum amount of protected health
information needed to accomplish the intended purpose of the use, disclosure,
or request. A covered entity must develop and implement policies and
procedures to reasonably limit uses and disclosures to the minimum
necessary. When the minimum necessary standard applies to a use or
disclosure, a covered entity may not use, disclose, or request the entire
medical record for a particular purpose, unless it can specifically justify the
whole record as the amount reasonably needed for the purpose.9
The requirement under HIPAA that a covered entity not use or disclose an
entire medical record for a particular purpose unless it can specifically justify
the whole record as the amount reasonably needed for the purpose could be
an appropriate addition to the NZHIPC. Though rule 11(3) goes some way to
having this effect, by requiring disclosures made under rule 11(2) to be the
minimum necessary, this restriction does not apply to the use of personal
health information under rule 10 or disclosures made under rule 11(1). The
requirement under HIPAA to develop policies and procedures limiting use and
disclosure might be appropriately noted as ‘best practice’ in the Commentary.
Points for consideration in ongoing development of HIPC: Use
and Disclosure
HRA
• Obligation to only use or disclose for secondary purposes when
individual would expect secondary use;
• Ability to use or disclose personal health information where reasonably
necessary to ensure further health services are provided safely and
effectively;
• Ability to disclose to immediate family members where necessary to
provide appropriate health services to individual or for compassionate
reasons;
• Obligation, in certain circumstances, not to disclose where individual
has previously vetoed the particular disclosure;
PHIPA
• Obligation to use and disclose information with consent of individual;
• Obligation to use and disclose minimum amount of health information;
• Ability of individual to veto the use or disclosure of information where
information was collected with his or her permission;
• Detailed provision for preparation of research plans;
HIPAA
• Concept of “limited data set”;
• Obligation to obtain written authorisation for any use or disclosure of
information outside scope of treatment, payment or health care (and
not otherwise permitted);
• Obligation to obtain authorisation to engage in marketing, and to
disclose any relevant remuneration arrangements;
• Obligation to only use or disclose an entire medical record where it is
reasonably necessary to do so;
• Obligation to develop policies and procedures limiting use and
disclosure.
9 http://www.hhs.gov/ocr/privacysummary.pdf
E. Access
Rule 6 of the NZHIPC provides a right of access to health information about
the individual concerned. Requests for access may only be refused on the
grounds set out in sections 27 to 29 of the Privacy Act. Health information in
New Zealand is also subject to section 22F of the Health Act 1956, which
allows health agencies to transfer information where necessary for patients’
care, subject to certain restrictions.
HRA, Victoria
Rule 6 of the HRA’s Health Privacy Principles provides a right of access to
health information by the individual concerned. Additional procedural
provisions are found in part 5 of the Act proper. They are, largely, similar to
those in part 5 of the Privacy Act.
One notable difference is that, under section 26, an organisation must not
disclose information where it believes that to do so “would pose a serious
threat to the life or health of the individual or any other person”. Similarly, if
information was obtained in confidence then passing it to the individual
concerned without the consent of the person providing it is prohibited.
Should a request be refused under section 26, sections 36 to 42 provide an
elaborate set of procedures that may be invoked to justify and/or challenge
that decision to refuse. In summary they allow the individual who made the
request to nominate another health provider to assess the decision to refuse
the information and, if appropriate, to reverse that decision.
There is an argument to be made for importing the provisions prohibiting
disclosure, to the individual concerned, of information posing a threat to the
public or obtained in confidence. This would center around protecting,
respectively, the public and the quality of information provided by the public.
To incorporate them into the NZHIPC would weaken individuals’ ability to
obtain access to their health information. While the provisions in sections
36-42 of the HRA provide a comprehensive way of ensuring that a decision to
refuse access is justified, it is possible that their existence is predicated on the
obligatory nature of the ground for refusal in section 26.
Under the Privacy Act all reasons for refusal of access requests are
discretionary, inasmuch as it will normally be open to the agency to supply
requested information even if a valid ground for refusal exists. Because of
this, adding a compulsory provision of this nature might not be within the
scope permitted for amendments by section 46 of the Privacy Act. However,
the steps outlined in sections 36-42 of the HRA could be considered for
incorporation into the commentary as a suggested method of resolving access
complaints short of complaining to the Commissioner.
An individual may give another person the authority to make a request on his
or her behalf, but the request must be in writing and signed. This is by
contrast to the NZHIPC, which only requires ‘authorisation’ without specifying
whether it needs to be in writing. Requests may be made orally, but the
organisation has the ability10 to require that a request be converted into
writing before it deals with it. This would have the effect of very marginally
weakening the right of access, if it were adopted, in the interest of making
responses to access requests easier for the agency concerned.
An organisation in receipt of an access request under the HRA has 45 days to
either provide the information or a reason why the request has been refused.
This is different from the NZ regime, both in the time period (45 days rather
than 20 working days) and the required action (giving access, rather than
simply advising that access will be granted). Obliging an organisation to
provide the information requested, rather than simply a statement that the
information will be provided would strengthen the rule 6 right of access.
One other notable element of the HRA access provisions is that, under
principle 6.1(k), a request may be refused if it is “of a kind that has been
made unsuccessfully on at least one previous occasion and there are not
reasonable grounds for making the request again”. This is a more specific
version of the NZHIPC ability to refuse frivolous and vexatious requests.
While there is merit in the three procedural specifics outlined above,
amendments would be required to be made to the Privacy Act rather than the
NZHIPC if they were to be incorporated. As such, it would require a different
vehicle than an amendment to the NZHIPC to be implemented into New
Zealand law.
PHIPA, Ontario
Section 52 of the PHIPA gives a right of access to “a record of personal health
information about the individual that is in the custody or under the control of
a health information custodian”. However, this access right does not apply to
records containing “quality of care information” or raw data from standardised
psychological tests or assessments11. Note that the section 51(1) exemption
applies to an entire class of information, and as such is comparable to section
56 of the Privacy Act, rather than the section 27-29 grounds for refusal.
Access rights in PHIPA are exercised on records, rather than on information
itself. In other words, unless a piece of personal health information is
recorded, there is no right of access to it under PHIPA.
The access request must be in writing, and a response must be provided
within 30 days by the receiving health information custodian12. Requests may
be refused for a variety of reasons, mostly comparable to those in the Privacy
Act. Worth noting is the ability to refuse access where to grant the access:
• Would identify a person who was required by law to provide information
in the record to the custodian; or
• Would identify the person who provided the information in confidence
and the custodian of the information considers it appropriate in the
circumstances that the name of the person be kept confidential.
10 section 33(4)
11 Section 51(1)
12 section 53(1)
The explicit removal of certain classes of data from the right of access in
PHIPA is a course that should be emulated only with caution. In this, as in
the obligatory refusal grounds in the HRA, it appears that the access regime
of the overseas jurisdiction is weaker than that in the NZHIPC. In the
absence of any evidence that the breadth of the rule 6 access right has
presented problems, allowing certain classes of personal health information to
be withheld as a right does not seem preferable to the targeted and
discretionary grounds for refusal currently in the NZHIPC.
That being said, the two grounds for refusal in PHIPA identified in the last
paragraph might usefully be incorporated into the commentary as examples
of circumstances where refusal under section 29(1)(a) would be appropriate.
HIPAA, USA
An individual has a right of access to inspect and obtain a copy of protected
health information about himself or herself13. Some information is able to be
withheld as of right, such as psychotherapy notes, notes held about a prison
inmate where obtaining the information would jeopardise the inmates’ health,
safety, security or rehabilitation, or information obtained in confidence.
Where personal health information is not able to be withheld as of right, the
decision to withhold is reviewable. Reviewable grounds are only that the
information might cause ‘substantial harm’ to the requester or another, and
the review is carried out by a licensed health care professional, designated by
the covered entity, and who did not take part in the initial decision to refuse
the request. Requests must be dealt with within 30 days, either by providing
the information or a statement of reasons for refusal.
The ability to refuse requests for information obtained in confidence is of
interest. Sections 29(1)(a) and 29(1)(b) carry out this function in the Privacy
Act, albeit in a more limited way.
Points for consideration in ongoing development of Privacy Act:
Access
HRA
• Obligation not to disclose information in response to an access request
where to do so would pose a serious threat to the life or health of any
person, or where the information was obtained in confidence;
• Ability to use or disclose personal health information where reasonably
necessary to ensure further health services are provided safely and
effectively;
• Ability for individual to nominate health provider to assess certain
decisions in relation to unsuccessful access requests;
• Ability for agency to require oral requests to be made in writing;
• Obligation to provide either information requested or reason for refusal
within 45 days;
• Ability to refuse requests that have been made unsuccessfully before.
PHIPA
• Quality of care information and raw data from psychological tests
excluded;
• Ability to refuse request where not to do so would identify a person
required by law to provide the information to the custodian or would
identify the person who provided the information in confidence;
• Obligation to provide either information requested or reason for refusal
within 30 days;
HIPAA
• Classes of information that are excluded from access regime;
• Ability to require review by health care professional of decision to
refuse request.
13 Section 164.524
F. Accuracy and Correction
As with consent, the importance of accuracy in health information is a core
value of the health sector in every jurisdiction. Decisions are made and
treatments provided on the basis of the information held about an individual
and it is therefore of paramount importance that reasonable steps are taken
to ensure the information is correct.
The NZHIPC does this in two ways, by a general obligation to ensure
information is accurate for the purpose for which it is intended to be used
(rule 8), and a right of correction (rule 7). The rule 7 right to request
correction does not give the individual the power to require correction, but
does allow him or her to require that a statement be attached to the disputed
information.
HRA, Victoria
Principle 3 of the HRA is essentially identical to rule 8 of the NZHIPC, apart
from requiring an organisation to ensure that information it collects is
accurate rather than simply that which it uses. This obligation to ensure that
information collected is accurate is interesting but puts a considerable burden
on agencies collecting information. In a clinical context it could even be
dangerous to put restrictions on what information may be gathered.
Correction, under principle 6.5 of the HRA, is handled in a similar manner to
rule 7 of the NZHIPC. One difference of note is that, if an organisation
accepts the need to correct an item of health information but considers that it
is impractical to correct the information or that to do so could harm the
individual, it must separate out the disputed information and store it
securely14. Also, if corrections are made, principle 6.8 requires the name of
the individual and the date it occurred to be recorded.
Interestingly, both of these differences reflect suggestions in the commentary
attached to the NZHIPC.
PHIPA, Ontario
Accuracy is addressed in section 11, which requires agencies using and
disclosing personal health information to take reasonable steps to ensure that
the information is as accurate, complete, and up-to-date as is necessary for
the intended purpose. This is close to rule 8 of the NZHIPC, though without
the requirement that the information be ‘relevant’.
An interesting addition to the rule 8-style formulation is found in section
11(2), however: a requirement to “clearly set out for the recipient of the
disclosure the limitations, if any, on the accuracy, completeness or up-to-date
character of the information”. This could be an effective method of improving
transparency and might be considered as an addition to rule 8.
14 Principle 6.7
One problem with such an addition might be that it could conflict with the
requirement to ensure information is accurate before using it. In other words,
agencies might feel able to simply acknowledge an inaccuracy rather than
ameliorate it. The competing needs of increasing transparency and improving
accuracy would need to be carefully balanced.
The right of correction found in section 55 of PHIPA only applies to personal
health information in relation to which a successful request for access has
been made. The process of correction is more formalised, in that section
55(9) provides that there is no obligation to correct information on request if
it consists of a record not originally created by the holder, or a professional
opinion or observation.
The net result is similar to that achieved by the NZHIPC, however.
Corrections are not obligatory, but, should a correction be refused, a
statement setting out the correction sought, but not made, must be placed on
the file if the individual wishes15.
HIPAA, USA
An individual has the right to request that a covered entity amend protected
health information or a record about him or her16. A covered entity may deny
an individual’s request for amendment, if it determines that the protected
health information or record that is the subject of the request
• Was not created by the covered entity, unless the individual provides a
reasonable basis to believe that the originator of protected health
information is no longer available to act on the requested amendment;
• Is not part of the designated record set;
• Would not be available for inspection under § 164.524; or
• Is accurate and complete.
If the amendment is made, the covered entity must make reasonable efforts
to inform and provide the amendment within a reasonable time to persons
identified by the individual as having received protected health information
about the individual and needing the amendment; and persons, including
business associates, that the covered entity knows have the protected health
information that is the subject of the amendment and that may have relied,
or could foreseeably rely, on such information to the detriment of the
individual.
HIPAA does not impose an obligation to attach a statement setting out the
correction sought but not made. In practice this obligation, which is reflected
in HRA and PHIPA, works well and should not be lightly discarded. One part
of HIPAA’s correction provisions that is emulated in the commentary to rule 7
is its listing of what constitute suitable grounds for refusing a correction
request.
15 Section 55(11)
16 Section 164.526
Points for consideration in ongoing development of HIPC:
Accuracy and Correction
HRA
• Obligation to ensure information collected is accurate;
• Obligation to store inaccurate information separately and securely, if it
cannot be corrected;
• Obligation, where correction made, to note name of correcting staff
member and date correction occurred;
PHIPA
• Obligation to set out for recipient of information any limitations on the
accuracy, completeness or up-to-date character of the information;
• Correction right limited to information in respect of which a successful
access request has been made;
HIPAA
• Obligation to inform persons that may rely, or have relied, on the
inaccurate information to the detriment of the individual concerned,
that a correction has taken place;
• Correction obligation does not apply if the agency receiving the
information did not create the record which is the subject of the
request.
G. Security
The provisions in rule 5 of the NZHIPC endeavour to ensure that health
information is kept securely, by requiring health agencies to take reasonable
steps to protect the information they hold. Protect in this sense means
keeping the information safe from unauthorised access, loss, damage or
misuse.
HRA, Victoria
Principle 4.1 of the HRA is largely identical to rule 5 of the NZHIPC. However,
although it does not require an organisation to take reasonable steps to
ensure that an organisation to which its health information is transferred will
protect that information, it does require that a written note be made of the
name and address of the individual or organisation to whom the information
was transferred.
The HRA’s requirement that a written note be made of the name and address
of the individual or organisation to whom personal health information is
transferred acts as an extra security safeguard as well as increasing
transparency in relation to the movement of personal health information. A
similar provision could be considered either as an addition to rule 5 or as a
note in the commentary.
PHIPA, Ontario
Section 12.1 is very similar to rule 5 of the NZHIPC. A minor addition is the
requirement that records containing personal health information are protected
against unauthorised copying, rather than simply ‘access’ as in rule 5. This
would address, for instance, a staff member who might have a right of access
but not the right to make copies for his or her own use. Another addition is
the obligation to notify the individual at the first reasonable opportunity if the
information is stolen, lost or accessed by unauthorised persons[17].
These two provisions are potential additions to the overall protections against
unauthorised use in rule 5. While they would increase its scope, it does not
seem that this increase would be unreasonable.
[17] Section 12(2)
HIPAA, USA
The HIPAA Security Rule affects all health information that is housed or transmitted electronically and that pertains to an individual. It requires covered entities to ensure the confidentiality, integrity, and availability of all electronic protected health information they create, receive, maintain, or transmit. It also requires covered entities to protect against reasonably anticipated threats or hazards to its health information, protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule, and ensure compliance by their workforce.
Required safeguards include:
• application of appropriate policies and procedures,
• safeguarding physical access, and
• ensuring that technical security measures are in place to protect networks, computers and other electronic devices.
The Rule does not require specific technologies to be used. Covered entities
may elect solutions that are appropriate to their operations, as long as the
selected solutions are supported by a thorough security assessment and risk
analysis.
The HIPAA security rule provides many detailed recommendations for
security, particularly in relation to electronically transmitted health
information. It should be considered closely when rewriting the commentary
to the NZHIPC.
Points for consideration in ongoing development of HIPC:
Security
HRA
• Obligation to make written note of name and address of person or agency to which information is transferred;
PHIPA
• Obligation to protect personal health information against unauthorised copying;
• Obligation to notify individual at first reasonable opportunity if his or her information is stolen, lost or accessed by unauthorised persons;
HIPAA
• Detailed recommendations for security, particularly with regard to electronically transmitted health information.
H. Retention and Disposal
In rule 9, the NZHIPC requires agencies to retain health information for only
as long as they have a lawful purpose for it. The Code is also subject to
Health (Retention of Health Information) Regulations 1996, made under the
Health Act 1956. These mandate a minimum retention period for medical
records, currently 10 years from the last recorded interaction. While rule 9 is
not complex, it is open to question whether it fulfils its function of preventing
indefinite retention, since ‘lawful purpose’ could be any purpose at all not
specifically prohibited by law. In practice the Health (Retention of Health
Information) Regulations have more of an impact by prescribing a specific
period.
Since the passage of the Public Records Act 2005 health information in the
public sector, such as that held by District Health Boards, has come under the
jurisdiction of the Chief Archivist. Disposal Authorities are currently under
development which will supersede the Regulations and provide mandated
retention periods for different classes of information. However, these would
only apply to the public sector.
HRA, Victoria
Principle 4.2 of the HRA provides that an organisation must not delete information (even if inaccurate) unless it was collected while the individual was a child and s/he is now 25 or older, or 7 years have passed since the last service was provided. Written notes must be made of deletions or transfers.
The HRA provision requiring agencies to retain information for a specific period in effect incorporates a form of the Health Act’s retention regulations. An amendment of rule 9(2) to incorporate minimum retention periods would be a considerable departure from principle 9 of the New Zealand Privacy Act, on which it is based. Also, a similar function is already performed by the regulations mentioned above.
The requirement to make a written note of deletion or transfer of personal
health information, however, could be a useful addition to rule 9. It would
have the effect of improving transparency and clarifying retention processes.
In the alternative, this sort of procedural requirement might be better placed
in the commentary rather than as a formal part of the NZHIPC.
PHIPA, Ontario
Section 13 of PHIPA deals with retention, and requires that records are
transferred, retained and disposed of in a secure manner. It also prohibits
the destruction or transfer of records that are subject to an access request. It
does not have more specific provisions with regard to how long records must
be retained for.
The requirement that records subject to an access request not be destroyed or transferred has potential for improving individuals’ access to their personal health information. It is open to question whether this is an issue needing action, however; if there is no problem to be solved, an amendment to the code may be unnecessary. It is also possible that this is an issue of more general application that would be better dealt with by amendments to the Privacy Act, as any modifications to the Privacy Act’s procedural provisions would also affect the NZHIPC.
HIPAA, USA
Section 164.530(j) addresses the requirements for documentation and retention for HIPAA purposes. Required documents are limited to three areas:
• Policies and procedures relative to protected health information that are designed to comply with the standards, implementation specifications, or other requirements of the privacy rule;
• Communications required by the privacy rule to be in writing; and
• Any action, activity, or designation required by the rule to be in writing.
These documents are required to be kept in written or electronic form. The
implementation specification for the documentation standard defines the
retention period for those documents. The covered entity is required to
maintain these documents for six years from the date of their creation or the
date when they were last in effect, whichever is later.
This HIPAA retention standard does not apply to the individual’s medical
record and the health information contained in it. Those time frames are
driven by State or Federal law specifically addressing those records. The
HIPAA retention standard covers only those administrative documents listed
above used to comply with HIPAA. Once the retention period has ended,
documents must be disposed of in a safe and secure fashion.
Under the NZHIPC, some of this information would probably be health information about the individual concerned, and thus would be retained in accordance with the retention regulations and rule 9. The requirement that policies and procedures be retained is an interesting one, as it is not currently obligatory under the NZHIPC. Since this would not be personal information, it is probable that requiring its retention would be outside the scope of the NZHIPC, but retention of documents setting out policies and procedures is an issue which could be addressed in the commentary.
Points for consideration in ongoing development of HIPC:
Retention and Disposal
HRA
• Obligation not to delete information unless 7 years since last interaction or historical information collected while individual was a child;
• Obligation to make written notes of deletions or transfers;
PHIPA
• Obligation not to transfer or destroy records that are subject to an access request;
HIPAA
• Obligation to retain certain classes of information, namely policies and procedures and actions carried out in relation to the privacy rule, for six years from date of creation or most recent effect.
I. Complaints
All the statutes studied have some provision for individuals to make complaints about interferences with their privacy. In New Zealand these provisions are contained in the Privacy Act. Complaints may be made to the Privacy Commissioner, who can issue a non-binding opinion as to whether an interference has occurred. Section 66 of the Privacy Act provides that a breach of any of the principles, coupled with some form of adverse consequence, amounts to an interference with the privacy of the affected individual. However, breaches of the access or correction provisions in the Act do not require an adverse consequence to have occurred. The Commissioner cannot award fines or impose damages, but Tribunals and Courts may do so once the Commissioner has conducted his or her investigation.
Complaints, adverse consequences and penalties are regulated by the Privacy
Act rather than the NZHIPC. Nonetheless, inasmuch as they form the
“enforcement” side of a health information privacy regime, they are worth
considering.
Also of interest are the discretions provided to Commissioners under PHIPA
and HRA to discontinue complaints, which are broader than the New Zealand
Privacy Act equivalent. However, as noted above, none of these provide
suitable material for amendment to the NZHIPC as they do not relate to
modifications of the Privacy Act principles.
HRA, Victoria
Complaints are regulated by sections 45 to 78 of the HRA. Unlike New
Zealand, Victoria has a separate Commissioner for health complaints.
Overall, the HRA is more prescriptive than the Privacy Act, more powerful in
terms of what can be done to non-compliant organisations and provides more
leeway to discard complaints that do not, in the view of the commissioner,
have substance.
On receipt of a complaint, under section 49, the Commissioner has 90 days to
determine whether or not to ‘entertain’ the complaint. Pursuant to section 51
a complaint may be refused for a broad variety of reasons, some similar to
those in section 71 of the Privacy Act and some much wider, or at least more
specific. For instance, that:
• The complaint was made more than 12 months after the complainant became aware of it;
• It is not an interference;
• It is ‘misconceived or lacking in substance’;
• It is being dealt with under another enactment or proceeding;
• The complainant has gone to the respondent already and the respondent is either dealing with it or has not had a chance to do so.
Should the Commissioner dismiss the complaint, the complainant can then order[18] the Commissioner to refer it to the Victorian Civil and Administrative Tribunal within 60 days. Should the complainant not do so the complaint lapses and no further action may be taken. If the Commissioner receives no response to correspondence for a period of 90 days, the complaint may also be dismissed permanently.[19]
There are various avenues to send a complaint to the Tribunal. Under section 54, the relevant Minister may refer a matter to the Tribunal whether or not it has been through the Commissioner’s office. Also, under section 56 the complainant can force the Commissioner to transfer his or her complaint to the Tribunal at any time.
The Commissioner has some powers and obligations that have no exact NZ counterpart. For instance, section 55 provides that, if the Commissioner accepts a complaint about a registered health provider, he must give a copy of the complaint to the appropriate registration board. However, the board cannot use that as the basis for any investigation into the complaint unless the complaint is formally referred there. Also, under section 66 the Commissioner may serve a compliance notice requiring an organisation to take specified action within a specified time to ensure compliance with the Act and to report that action to the Commissioner within a specified time. This is irrespective of whether a complaint has been made. Under section 71 failure to do so is punishable by a fine.
While it is also an offence not to appear before the Commissioner when
ordered to do so, a person (not an organisation) may refuse to provide
information if necessary to avoid self-incrimination pursuant to section 70.
PHIPA, Ontario
Administration and enforcement are addressed in part VI of PHIPA. Section
56 allows anyone to make a complaint about contravention of the Act and
section 58 allows the Commissioner to initiate an investigation on his own
behalf. The Commissioner has, under PHIPA, similar powers to dismiss,
mediate and resolve complaints as the Commissioner under the Privacy Act.
A notable exception to this is the ability to decide not to entertain a complaint
for “whatever reason the Commissioner thinks proper”, which is a much
broader discretion than that found in the Privacy Act.
The Commissioner has some significant powers, including the ability to enter premises without warrant or court order[20], and may make orders requiring agencies to provide information, perform duties, implement policies and take other appropriate actions[21] as he or she sees fit. Orders are subject to appeal[22].
[18] Section 51(5)
[19] Section 53
[20] Section 60(1)
[21] Section 61(1)
[22] Section 62
HIPAA, USA
Covered entities must have procedures for individuals to complain about alleged failures to comply with the Rule, and must advise individuals of these[23].
Complaints may be made to the Secretary of the Office for Civil Rights under
section 160.306 within 180 days of the action complained about.
Points for consideration in ongoing development of Privacy Act:
Complaints
HRA
• Obligation, where a complaint about a registered health practitioner is received, to give a copy to the appropriate registration board;
• Ability for the HRA Commissioner to serve compliance notices;
• Privilege against self-incrimination under the HRA;
• Complainant’s ability to order the Commissioner to refer his or her complaint to the appropriate Tribunal;
PHIPA
• Ability to make compliance orders;
• Difference between penalties assignable under PHIPA to natural persons as opposed to corporate entities;
HIPAA
• 180 day time limit to make a complaint about an alleged breach.
[23] Section 164.530(d)
J. Adverse Consequences
The requirement, in section 66 of the Privacy Act, for a complainant to
demonstrate some form of adverse consequence in order to be considered to
have had an interference to his or her privacy acts as a form of filter on
complaints.
HRA, Victoria
There is no requirement for adverse consequences in the HRA. Section 18
states that any act or practice that breaches a principle or amounts to an
unjustified refusal to provide access to information is an interference.
PHIPA, Ontario
There is also no requirement that a complainant demonstrate an adverse
consequence in PHIPA for the Commissioner to be able to take steps, such as
making orders. However, in order to obtain damages ‘actual harm’ must be
demonstrated. This is roughly comparable in its effect to section 88 of the
New Zealand Privacy Act. Damages would be obtained by way of independent
application to the Superior Court of Justice by the complainant.
HIPAA, USA
The Privacy Rule does not have specific provisions to distinguish between breaches that cause adverse consequences and those that do not. However, note the ability set out below for the Secretary to mitigate or rescind penalties where the failure to comply was for reasonable cause and/or the covered entity did not know about the failure.
Points for consideration in ongoing development of Privacy Act:
Adverse Consequences
No points of note.
K. Penalties and Enforcement
The NZHIPC effectively shares its penalty regime with the Privacy Act 1993.
If a complaint has been considered by the Privacy Commissioner, the Human
Rights Review Tribunal has jurisdiction to hear it and may award damages of
up to $NZ200,000.
HRA, Victoria
Sections 79-84 set out a wide range of offence provisions, which have a much broader ambit than those in the Privacy Act, for instance:
• Section 80: Unlawfully requiring consent by ‘threat, intimidation or false representation’;
• Section 81: Destroying, defacing, removing from Victoria or damaging health information with intent to evade or frustrate the Act;
• Section 82: Unlawfully requesting or obtaining information by ‘threat, intimidation or false representation’;
• Section 83: Persuading a person by ‘threat, intimidation or false representation’ not to make a request or complaint;
• Section 84: Failing to attend the Commissioner or to give information.
The penalties are financial and are set out in penalty units; up to 300 for a
corporate body, and up to 60 for an individual. A penalty unit is currently
$AUS100.
PHIPA, Ontario
As noted above in the section dealing with complaints, the Commissioner may make a wide variety of compulsory orders after having investigated a complaint. Where the Commissioner has made such an order, a person may apply to the Superior Court of Justice for damages for “actual harm that the person has suffered as a result of a contravention of [PHIPA]”[24]. Any breach of the provisions of the Act, effectively, is an offence[25]. A person found guilty of an offence under section 72(1) is liable to a fine of up to $AUS50,000 if a natural person and $AUS250,000 if not.
HIPAA, USA
HIPAA has civil and criminal penalties for non-compliance. The civil penalties can include fines of up to $US25,000 for multiple violations of the same standard in a calendar year; and
[24] Section 65
[25] Section 72(1)
The multiple violation fine[26] applies in units of up to $US100 per breach, rather than being imposed as an overall penalty. Thus 7 transactions in breach of HIPAA could lead to a $US700 fine.
However, section 1177(2) provides that if a covered entity is able to satisfy
the Office for Civil Rights that the covered entity did not know, and by
exercising reasonable diligence would not have known, of a violation of the
HIPAA law, no penalty may be imposed.
Similarly, if the failure to comply was due to reasonable cause and not to
willful neglect; and the failure to comply was corrected during the 30-day
period beginning on the first date the person liable for the penalty knew, or by
exercising reasonable diligence would have known, that the failure to comply
occurred, no penalty may be imposed.
The criminal penalty can amount to fines of up to $US250,000 and/or
imprisonment up to 10 years for knowing misuse of individually identifiable
health information for any covered entity that knowingly uses or causes to be
used a unique health identifier, obtains individually identifiable health
information relating to an individual; or discloses individually identifiable
health information to another person in breach of the Privacy Rule.
If the offense is committed under false pretenses, the fine may be up to $US100,000, and the imprisonment up to 5 years. If the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, the perpetrator may be fined up to $US250,000 and imprisoned up to 10 years, or both.
There has been some confusion over whether these criminal penalties apply only to covered entities or to any person at all. A recent case[27] where an employee of a cancer clinic used patients’ details to obtain credit cards in their name suggested that the latter might be the case. However, subsequent comment from the Department of Justice[28] has clarified that the penalties apply only to people “rendered accountable by general principles of corporate criminal liability”, in other words directors, employees and officers of the covered entity.
Points for consideration in ongoing development of Privacy Act:
Penalties/Enforcement
HRA
• Offence provisions for unlawfully requiring consent or obtaining information, destroying or removing health information to evade or frustrate the Act, or unlawfully influencing a person not to make a complaint;
• Penalties of up to $AUS6000 for an individual and up to $AUS30,000 for a corporation;
PHIPA
• Commissioner may make compulsory orders after investigating a complaint;
• Penalties of up to $AUS50,000 for an individual and up to $AUS250,000 for a corporation;
HIPAA
• Penalties of up to $US100 for multiple violations; defence that the entity did not or could not have known about the violations;
• Defence that failure to comply was due to reasonable cause and the failure was remedied within 30 days of the failure becoming apparent;
• Criminal penalties for knowing misuse of health information for commercial advantage, personal gain or malicious harm of up to $US250,000 and/or 10 years imprisonment;
[26] Section 1176
[27] http://findarticles.com/p/articles/mi_qa4100/is_200501/ai_n9520488
[28] http://www.usdoj.gov/olc/hipaa_final.htm