Allens Arthur Robinson

A number of the recommendations made in the review of the private sector provisions of the Privacy Act 1988 will impact on organisations or individuals in health-related fields and those accessing health-related services.

The review of the Private Sector Provisions of the Privacy Act 1988 by the Office of the Privacy Commissioner was released on 18 May 2005. Many of the recommendations involve the adoption of a finalised version of the National Health Ministers' Council's National Health Privacy Code (NHPC). The NHPC contains National Health Privacy Principles (NHPPs), which apply to health information.

Consistency in protection of health information

The current situation

Currently the handling of health-related information at the Commonwealth level is governed by the Privacy Act 1988, which outlines the National Privacy Principles (NPPs), the Information Privacy Principles (IPPs) and allows for Public Interest Determinations. There is also overlapping state and territory privacy legislation or administrative policies and arrangements applicable to the public sector. New South Wales, Victoria and the ACT also have privacy legislation that governs the private sector.

This situation leads to increased compliance costs for organisations operating in the health sphere, particularly if they operate nationally. There is also the possibility that potential plaintiffs may 'forum shop' to select the most advantageous legislation when making a complaint.

Recommendations

To ensure consistency between jurisdictions, the Review of the Private Sector Provisions of the Privacy Act (the Review) has recommended that the NHPC be consistently implemented in each jurisdiction (Recommendation 12). The Review further recommends that the Federal Government adopt the NHPC as a schedule to the Privacy Act (Recommendation 13). This would apply the NHPC to all the bodies already covered by the Privacy Act. It has been recommended that this occur even if agreement is not reached between all governments on implementing the NHPC, so as to provide greater consistency between the handling of information by Federal Government agencies and the private sector.

Accessing health information

The current situation

An individual has the right, with some exceptions, to access their personal (including health) information held by an organisation (NPP 6.1). An organisation can charge for making available the information held (but cannot charge to lodge a request for information) and the charge must not be excessive (NPP 6.4). If the information held is not accurate, complete and up-to-date, then reasonable steps must be taken to correct it (NPP 6.5).

An organisation can, however, withhold access to health information where providing access would pose a serious threat to the life or health of any individual (NPP 6.1(b)).

Where one of the exceptions to supplying information applies, the organisation holding the information 'must, if reasonable, consider whether the use of mutually agreed intermediaries would allow sufficient access [to the information] to meet the needs of both parties' (NPP 6.3).

Issues

A number of issues arise in relation to access to health information:

  • The Australian Medical Association (AMA) has submitted that the threshold for denying access set out in NPP 6.1(b) is too high and could allow access that would be damaging to the therapeutic relationship. The AMA also feels that currently a doctor's private and preliminary views are not protected from disclosure. Organisations providing life insurance may also have to disclose the medical reports upon which they base their assessments even where the organisation is unaware of what the doctor may have told their client or of any risk to their client's life or health.
  • The Privacy Act does not set out a schedule of fees. This has led to a wide variety of fees being charged for access. This results, on the one hand, in some individuals feeling that they have been charged an unreasonable amount and, on the other hand, some organisations being out of pocket after providing the information.
  • Before information held by an organisation must be corrected, the individual requesting the correction must 'establish' that the information being held by an organisation is inaccurate, incomplete or not up-to-date. There is uncertainty as to what is necessary to 'establish' any inaccuracy or incompleteness and hence when an individual will be able to request that information be corrected.

Recommendations

The Review has recommended that where, because of an individual's request, an organisation corrects the personal information it holds under NPP 6.5, there should be an obligation to 'notify third parties, where practicable, that they have received inaccurate information' (Recommendation 28). This may impose considerable compliance costs on organisations, which will need to track where all health information has been sent.

On the issue of intermediaries, the Review recommends the adoption of the NHPC as a schedule to the Privacy Act (Recommendation 29). The NHPC provides for a stronger right to an intermediary. Under the NHPC, the intermediary may, having considered the validity of the organisation's refusal to reveal the information, discuss the content of the health information with the individual.

The Office of the Privacy Commissioner (OPC) will develop guidelines on what constitutes a 'serious threat to life or health', which will emphasise that a serious threat to the therapeutic relationship can constitute a serious threat to a person's health (Recommendation 30).

The OPC will also develop guidelines on fees for access to information and on what is needed to 'establish' that the information held by an organisation is not accurate (Recommendations 31 and 32 respectively).

Transfer of health records

Under the NPPs and the Privacy Act, there are no specific obligations involving the transfer of health records to another health service provider.

The draft NHPC provides that where a health service provider has been requested or authorised by an individual to provide his or her health information to another service provider, then the original record, a copy of the record, or a summary of the record, must be provided (NHPP 11.1).

The Review has recommended that the issue of transfers be dealt with by the adoption of the NHPC as a schedule to the Privacy Act (Recommendation 33). This would allow for the transfer of health information as outlined above.

In the event that the NHPC is not adopted as part of the Privacy Act, the Review recommended amendment of the NPPs so as to reflect principles in line with NHPP 11 (Recommendation 34).

Given that state-based legislation, such as the Health Records Act 2001 (Vic), can apply in such situations, allowing for the transfer of health records to health service providers not covered by the Privacy Act will require careful changes to all state laws affecting health records.

Access to health information when a health service provider ceases to operate

Problems have arisen with individuals not being able to access their health information once their health service provider has ceased to operate.

To counter this problem, in some jurisdictions there is provision for orphaned records to be retained by a central body.

NHPPs

The draft NHPC provides that where the practice or business of a health service provider is to be sold, amalgamated, transferred or closed, reasonable and appropriate steps must be taken to (NHPP 10.1):

  • make individual users of the health service aware of the sale, transfer, closure or amalgamation of the practice or business; and
  • inform individual users of the health service about the proposed arrangements for the transfer or storage of individuals' records; and
  • make appropriate entries in the practice or business register required under NHPP 4.3, about any transfer, storage or destruction of individual records.

Where a practice is closing, amalgamating, transferring or being sold, an individual can request that his or her health information be given to themselves or another health service provider (NHPP 10.2).

Recommendations

The Review has recommended the adoption of the NHPC as a schedule to the Privacy Act (Recommendation 35). This will have the effect of adopting NHPP 10.

In the event that the NHPC is not adopted, the Review has recommended the amendment of the NPPs to incorporate obligations along the lines of NHPP 10.

Medical research

Principles relating to medical research

The NPPs currently allow for health information to be collected, used and disclosed for medical research, provided certain criteria are met.

NPP 2.1(d) allows for the use and disclosure of health information without an individual's consent if: the use or disclosure is relevant to public health and safety and is necessary for research or for the compilation or analysis of statistics, and:

  • it is impracticable to seek the individual's consent; and
  • the use or disclosure is conducted within guidelines issued by the National Health and Medical Research Council (NHMRC) (or a prescribed authority) and approved by the Privacy Commissioner; and
  • for disclosure – the organisation reasonably believes that the recipient of the health information will not disclose it or any personal information derived from it.

NPP 10.3 allows for the collection of health information about an individual where the collection is for research relevant to public health or safety; for the compilation or analysis of statistics relevant to public health or safety; or for the management, funding or monitoring of a health service; and:

  • that purpose cannot be served by collecting health information that doesn't identify an individual or from which an individual's identity cannot reasonably be ascertained; and
  • it is impractical to seek the individual's consent for the collection; and
  • the information is collected: as required by law; or in accordance with binding rules established by health or medical bodies; or in accordance with guidelines issued by the NHMRC (or a prescribed authority) and approved by the Privacy Commissioner.

Where information has been collected in accordance with NPP 10.3, then the collecting organisation must take reasonable steps to permanently de-identify the information before disclosure (NPP 10.4).

Issues

The complexity of the privacy regulations, including the Privacy Act and other federal and state legislation, may be hampering medical research.

Currently the Privacy Act treats the public and private sectors differently in regard to research. Any guidelines governing public sector research can only relate to medical research (but need not be related to public health and safety) while the NPP 2.1(d) guidelines cannot cover private sector medical research that is not for public health or safety.

There is also inconsistency between the Privacy Act and the NHMRC's Statement on Ethical Conduct of Research Involving Humans, which allows consent to be dispensed with if consent would cause 'unnecessary anxiety' or if the scientific value of the research would be prejudiced.

Further issues include the complexity of reporting obligations under guidelines governing medical research and inconsistencies in the assessment by ethics committees of the benefits of research versus threats to privacy. The issue of de-identification of information also raises difficulties as it may be hard to determine whether someone's identity is 'apparent or can be reasonably ascertained'.

Recommendations

The Review has recommended that, as part of a broader inquiry into the Privacy Act, the Federal Government consider (Recommendation 60):

  • how to achieve greater consistency in regulating research activities under the Privacy Act;
  • whether there is a need for reform in regard to de-identification of information as it relates to research;
  • the balance between research beneficial to the community and protecting an individual's privacy;
  • whether there is a need to amend NPP 2 to allow for the use and disclosure of personal information for research that doesn't involve health information; and
  • undertaking further research and education within the community to ensure the balance between research and privacy accords with community expectations.

The OPC will also issue guidelines regarding NPP 2 to clarify under what circumstances organisations can disclose health information for the management, funding and monitoring of a health service (Recommendation 61). This will put the disclosure and collection of such information on a more equal footing.

The OPC will work with the NHMRC to simplify reporting procedures for human research ethics committees (Recommendation 62).

Decision-making where capacity is impaired

The current situation

Except under certain circumstances, an organisation cannot collect an individual's sensitive (including health) information without their consent (NPP 10.1). Collection is allowed if it is necessary to prevent or lessen a serious and imminent threat to the life or health of an individual, and the individual is incapable (legally or physically) of giving consent or cannot physically communicate that consent (NPP 10.1(c)).

In general, an organisation must not use or disclose sensitive (including health) information other than for the primary purpose for which it was collected or a directly related secondary purpose (NPP 2.1).

However, if an organisation provides a health service to an individual who is incapable of giving consent (legally or physically), or who physically cannot communicate consent, it may disclose health information to a person responsible for that individual where (NPP 2.4):

  • the disclosure is necessary to provide appropriate care or treatment; or
  • the disclosure is for compassionate reasons; and
  • the disclosure is not contrary to any wish of the individual; and
  • the disclosure is limited to the extent reasonable and necessary for the purpose for which the disclosure is being made.

It may be that, in certain situations, organisations are being overly cautious in their interpretation of the Privacy Act as it applies to individuals whose decision-making capacity is impaired and who rely on others to care and make decisions for them. There is also an issue of consistency between the private and public sectors when they handle those caring for individuals with impaired function.

Even though disclosure of non-health-related information to a person responsible for an individual with impaired decision-making might be in that individual's best interests, there is no equivalent of NPP 2.4 for non-health-related information.

Recommendations

The Review has recommended (Recommendation 63) that the Federal Government consider amending NPP 2 to allow disclosure of non-health-related information, where an organisation considers the disclosure to be necessary for the management of the individual's affairs so as to ensure their financial or other interests are safeguarded.

The OPC will also develop guidelines to help organisations make decisions on disclosure of health information under NPP 2 (Recommendation 64).

NPP 2: When is a purpose 'Directly Related' to the collection of health information

The current position

Health information can be used and disclosed for a purpose that is directly related to the primary purpose for which it was collected, where the individual would reasonably expect such use or disclosure (NPP 2.1(a)).

The OPC has interpreted the primary purpose for the collection of health information, by a health service provider, as being the dominant reason for an individual seeking 'assessment, treatment or care'.

It has been suggested that the OPC's definition of 'primary purpose' is too narrow as it focuses only on the current treatment or care being sought. The AMA wants the 'primary purpose' to be the 'health care and well being of the patient'.

Recommendations

To address this issue, the OPC will work with the health sector to develop guidance on the operations of NPP 2 and the issue of primary and secondary purposes in health care (Recommendation 77).

The OPC will also provide clearer guidance on the operation of NPP 2 to take into account the 'range of relationships between health services and individuals, particularly where individuals agree to a holistic approach to the delivery of a health service' (Recommendation 78).

Collecting health information without consent

The current situation

Subject to certain exceptions, NPP 10.1(a) prohibits the collection of an individual's sensitive (including health) information without consent. One exception is where health information is collected to provide a health service to the individual and it is collected as required by law, or in accordance with binding rules established by competent health or medical bodies which deal with obligations of professional confidentiality (NPP 10.2).

Disclosure of health information without consent is allowed under NPP 2.1(g) where the disclosure is 'required or authorised by or under law'. Thus disclosure of health information is not as restricted as the collection of health information. This discrepancy is even more pronounced because of a lack of any binding rules meeting the requirements of NPP 10.2.

Recommendations

The Review recommends that the Federal Government consider amending NPP 10.2 to allow the collection of health information when 'authorised by law' in addition to when 'required by law' (Recommendation 83).

The Review has also recommended that the Federal Government consider amending NPP 10.2 to clarify the nature and content of the binding rules referred to (Recommendation 84).

Information relating to deceased persons

The current position

Currently the Privacy Act does not create any obligations in regard to the personal information of people who have died. This is due to the fact that 'personal information' is defined in section 6(1) as being about an individual, where an 'individual' is defined as a 'natural person'. The OPC considers the term 'natural person' to exclude those people who have died. This view is supported by the fact that under the Privacy Act a complaint can only be made by the individual whose privacy has been interfered with (section 36(1)).

Other legislation does protect information for a given period after a person's death. For instance, the Victorian Health Records Act 2001 covers the personal information of persons who have been deceased for less than 30 years. The draft NHPC adopts the same position by recommending a 30-year time limit.

Recommendations

The Review has recommended that the Federal Government consider, as part of a wider review into the Privacy Act, whether the Privacy Act should be extended to cover personal information of deceased persons (Recommendation 85). This will happen automatically if the NHPC is adopted into the Privacy Act.

This would impose privacy obligations on information that is currently not covered by the Privacy Act. It may therefore increase compliance costs as information regarding deceased persons will have to be treated in exactly the same manner as information held on the living. This extension of privacy protection may also adversely impact on organisations conducting medical research using information relating to deceased persons.