Health Privacy: It’s My Business
Health Records Act 2001 (Vic)

Learning objectives
• Explore the concept of privacy and health information
• Examine the 3 privacy laws which affect Victorians, and their interaction
• Identify the aims of the Health Records Act, who is covered by it, and key terms
• Discuss how the Health Records Act applies to minors and deceased individuals
• Describe the Health Privacy Principles included in the Health Records Act

Key Elements
• Health Privacy Principles (HPPs) - applicable to public and private sectors
• Right of access to personal health information in the private sector - Breen v Williams

Privacy for Victorians
Victorian:
• Health Records Act 2001 (the Act)
• Information Privacy Act 2000 - applies to all personal information (except health information) that is collected or held by the Victorian public sector, and by organisations funded by the public sector.
Commonwealth:
• Privacy Act 1988 - extended to the private sector from 21 December 2001

Three important aspects of Privacy:
1. Confidentiality
2. Data protection
3. Consumer choice

Objects of the Act (s.6)
• To ensure responsible handling of health information
• To balance public interest in protecting privacy with public interest in legitimate use of information
• To enhance the ability of individuals to be informed about their health care
• To promote provision of quality health services

Who is covered by the Act?
Most organisations hold health information about individuals. The Act covers:
• health service providers;
• any other person/organisation that collects/handles personal health information (e.g. schools, employers).
Health service providers are subject to additional standards reflecting their special relationship with consumers.
Health Service Providers are those who engage in:
• an activity to assess, maintain or improve an individual’s health;
• an activity to diagnose and treat illness, injury or disability;
• providing disability, aged or palliative care services (includes physical and intellectual disability services, nursing homes and hostels);
• dispensing of medication on prescription (pharmacists).

“Health Information” differs depending on what you do:
• For health service providers “health information” means all identifying personal information collected to provide a health service; e.g. it includes next of kin information.
• For non health service providers “health information” means all identifying personal information about the health or disability of an individual; it does not cover other personal information like payroll or bank account details.

Personal information means:
• Information or opinion about an individual whose identity is apparent, or can be reasonably ascertained
• Does not have to be true
• Does not have to be recorded in a material form
• Includes that forming part of a database

Minors
No change to the current common law situation:
• A minor is capable of giving informed consent when they achieve sufficient understanding and intelligence to enable him or her to understand fully what is proposed
• No set age; must be assessed on a case by case basis

Deceased individuals (s 95)
• The Act applies in relation to the health information of a deceased individual who has been dead for 30 years or less in the same way it applies to the health information of a living person.
• A legal representative can exercise rights on behalf of the deceased individual.
• Legal representative is defined as the executor of the will or administrator of the estate.
• Any consent by a legal representative is void if s/he knows that the action does not accord with wishes expressed by the individual whilst still alive.

Health Privacy Principles: Interaction with other legislation
The HPPs do not override other legislation.
Existing provisions in other statutes governing the confidentiality, use and disclosure of health information, and those that regulate access to certain kinds of personal information (e.g. adoption information), continue to apply. Specific statutory provisions override the general standards in the Health Records Act to the extent of any inconsistency, e.g. s.141 Health Services Act governs disclosure (not use) for hospitals & community health centres.

Recap
• Privacy laws
• Aspects of privacy
• Aims of the HRA
• Who does it affect?
• Health vs. personal info
• Minors
• Deceased individuals
• Interaction with other legislation

HPPs
Based on various privacy principles that apply in Australia and other countries, reflecting worldwide trends. Tailored to health information.

Scope
The eleven HPPs:
• govern the life cycle of information;
• cover collection, use, disclosure, quality, security and disposal of information;
• are legally binding on organisations that hold health information about an individual.
A contravention of the HPPs is “an interference with the privacy of an individual” and could give rise to a complaint to the Health Services Commissioner.
Outcomes for non compliance include:
1. Complaints
2. Prosecution
3. Compliance notices

Health Privacy Principles
1. Collection
2. Use & Disclosure
3. Data Quality
4. Data Security & Retention
5. Openness
6. Access & Correction
7. Identifiers
8. Anonymity
9. Transborder Data Flows
10. Transfer / closure of practice of health service provider
11. Making information available to another health service provider

HPPs apply regardless of the time of collection
If an organisation holds personal health information the HPPs apply even if the health information was collected prior to the Act commencing (other than HPP 1). Only the access rules differ depending upon when the health information was collected. Behaviour causing a breach of privacy must have occurred after 1 July 2002.
HPP 1: Collection
• Only collect health information necessary for the performance of your functions or activities.
• Generally need consent to collect health information (either express or implied).
• Provide a ‘collection statement’ to notify those you collect from about what you do with the information and that they can gain access to it.
• An organisation must collect health information only by lawful and fair means and not in an unreasonably intrusive way.

HPP 2: Use & Disclosure
• Only use or disclose health information for the primary purpose for which it was collected or a directly related secondary purpose the person would reasonably expect.
• Other use/disclosure allowed in certain circumstances – includes with consent.
• Information can be disclosed to an immediate family member for compassionate reasons where the individual is incapable of consent.

HPP 3: Data Quality
Take reasonable steps to ensure the health information you hold is:
• accurate, complete, and up-to-date;
• relevant to the functions you perform.

HPP 4: Security & Retention
• An organisation must take reasonable steps to protect the health information it holds from misuse, loss, unauthorised modification or disclosure.
• A health service provider must keep health information for a minimum of 7 years since the last occasion a health service was provided. For a child the information must be kept until the child turns 25 years or 7 years after last contact.
• A non health service provider must take reasonable steps to destroy health information once it is no longer needed for the purpose it was collected.

HPP 5: Openness
Organisations must have a document with clearly expressed policies on:
• how they manage the health information they hold; and
• the steps an individual may take to obtain access to health information about them held by the organisation.
Conduct a privacy audit, determine legal obligations, set privacy policies.
Make the privacy policy available to all who ask.

HPP 6: Access & Correction
• Individuals have a right to seek access to health information about them held in the private sector.
• They also have a right to correct it if it is inaccurate, incomplete, misleading or not up-to-date.
• The FOI Act continues to give individuals a right of access to health information about themselves held by public sector organisations.

HPP 7: Identifiers
• Only assign a number to identify a person if it is reasonably necessary to carry out your functions efficiently.
• The use of public sector identifiers by the private sector is limited, e.g. an organisation should not file records using the Medicare number.

HPP 8: Anonymity
Give individuals the option of entering transactions with you anonymously, wherever this is lawful and practicable.

HPP 9: Transborder Data Flows
Only transfer health information outside Victoria with consent or if the organisation receiving it is subject to laws which are substantially similar to the HPPs. Other exceptions may also apply.

HPP 10: Transfer/closure of practice of a health service provider
• Health service providers whose business or practice is being sold, transferred or closed down, without the individual continuing to provide services, must give notice of the transfer or closure to service users.
• Aims to encourage individuals to apply for their health information while it is still readily available.
• Enables individuals to provide their current treating practitioner with their existing health information.

HPP 11: Making information available to another health service provider
If you’re a health service provider, you must make health information relating to the individual available to another health service provider if requested by the individual. This must be done as soon as practicable.
Recap
• Health Privacy Principles
• Scope
• Contravention
• Collection of information
• Health Privacy Principles 1 - 11

ACCESS
In the private sector (the FOI Act continues to provide access to health information held in the public sector)

Application:
• The right of access applies in full to health information collected after 1 July 2002.
• There is no right of access to non-factual information collected prior to 1 July 2002 (such as practitioners’ comments).

How access is to be provided:
For information collected after 1 July 2002 the individual can exercise the right of access in any one or more of the following ways:
• By inspecting the health information with an opportunity to take notes;
• Receiving a copy; or
• Viewing the health information and, if it is held by a health service provider, having its content explained.
For information collected before 1 July 2002 access can be granted in full if the holder of the information agrees. If they don’t agree, the individual is entitled to receive an accurate summary of the information.

Mandatory limits to access
Access must not be granted where:
• an organisation believes on reasonable grounds that granting access would pose a serious threat to the life or health of the person making the request or any other person; or
• the information was given in confidence by another person (but not a health service provider), unless that person consents.

Other limits to access
An organisation may refuse access where:
• access would have an unreasonable impact on the privacy of others;
• information relates to existing legal proceedings and the information would not be discoverable or is subject to legal professional privilege;
• denying access is required or authorised by law; or
• granting access would prejudice law enforcement by a law enforcement agency.

Fees
• There is no requirement to charge a fee.
• Reasonable fees can be charged by organisations to recover the costs of providing access.
• No ‘lodgement fee’ may be charged.
• Health service providers can charge their ‘usual consultation fee’ for explaining the contents of records to consumers.
• Fees have been capped by regulations.

Recap
• Access in the private sector
• Application
• How access is provided
• Limits to access
• Fees

Correction
• An organisation must take reasonable steps to correct information if the individual is able to establish that the information is inaccurate, incomplete, misleading or not up to date.
• The information must not be deleted otherwise than in accordance with HPP 4.2.
• If an organisation is not willing to make the correction it must take reasonable steps to associate a written statement of the correction with the information.
• If the information is corrected the organisation must take reasonable steps to ensure only the corrected information is available to anyone providing health services to the individual.

Exemptions
Very few exemptions apply. These relate to:
• the judiciary and quasi-judicial bodies (Courts & tribunals such as VCAT) when exercising their judicial or quasi-judicial functions;
• genuine news activities carried out by organisations whose dominant function is disseminating news;
• information relating to personal, family or household affairs.

HSC Complaints Process
• Many people make enquiries without lodging a formal complaint. Approx. 50% of telephone inquiries result in lodgement of a complaint.
• Complaints must be received in writing.
• A person must have standing to make a complaint.
• Consent is obtained from complainants to send their complaint to the respondent.

HSC Complaints Process (2)
• Approx. 90% of complaints are resolved informally.
• Approx. 10% of complaints go to conciliation.
• If a complaint is not resolved through conciliation the complainant may request that the complaint be referred to VCAT for hearing.

Offences
• Unlawfully requiring consent – by threat, intimidation or false representation.
• Unlawful destruction, defacing or damage to health information to evade the Act.
• Unlawfully requesting or obtaining access to health information.
• Persuading another not to exercise rights under the Act.
• Failure to attend before the Health Services Commissioner.
Summary offences – charges would be brought before the Magistrates Court; penalties apply.

Results of non-compliance
• The Commissioner is able to serve compliance notices where serious breaches occur or if the breach constitutes a serious or flagrant contravention of the Act.
• A serious breach is defined as 5 episodes within the previous 2 years.
• The Commissioner can make rulings that specify how to remedy the complaint.
• Penalties apply for failing to comply with a compliance notice.

Recap
• Correction of information
• Exemptions
• HSC complaint process
• Offences
• Non-compliance

Health Services Commissioner Contact Details
Level 30, 570 Bourke Street, Melbourne
Tel: 03 8601 5222
Toll free: 1800 136 066
Website: www.health.vic.gov.au/hsc
Email: hra@dhs.vic.gov.au
Fax: (03) 8601 5219
TTY: 1300 550 275
DX: 210182