Focus: Reforming privacy and health information
9 November 2009
In brief: The Federal Government has released the first stage of its response to the Australian Law Reform Commission's report on privacy law. Partner Catherine Parr, Special Counsel Karin Clark and Lawyer Jacqueline Goodall report on the implications for health service providers, and other bodies that handle health information.
- National consistency
- What is 'health information' and a 'health service'?
- How should health information be regulated differently from other personal information?
- Research and research databases
- Next steps
How does it affect you?
- The impact of the Government's response cannot be assessed fully until its draft exposure Bill is released, which is expected in early 2010. However, the Government's response to the Australian Law Reform Commission's (ALRC) recommendations gives some indication of the changes that can be expected:
  - One set of 'Privacy Principles' to govern the privacy of personal information (including health information), which will mean that federal public sector agencies will need to comply, for the first time, with special rules that will govern the privacy of health information.
  - A revised definition of 'health service' will make it clear that this will include businesses offering predictive genetic testing, cosmetic surgery or assistance with diet, weight loss or immunisations. Such organisations may therefore need to review their privacy compliance practices and policies.
  - Consumers of health services will be given better access to their health information when health services are sold, amalgamated, disaggregated or closed down, and will also be given more rights to transfer their health records.
  - The National Health and Medical Research Council (NHMRC) will be asked to develop, in conjunction with other appropriate bodies, a new set of 'Research Rules' to govern the use of health information, without the consent of individuals, in the conduct of medical research by public and private sector researchers, to replace the two sets of binding guidelines the NHMRC currently issues.
  - The Research Rules will also cover the use of personal information without the consent of individuals in the conduct of research in the public interest (not just health and medical research).
The Federal Government recently released its first-stage response to the Australian Law Reform Commission's report, For Your Information: Australian Privacy Law and Practice (the report).
We summarised the report's recommendations, with its implications for health service providers and any other bodies that handle health information, in a previous Focus.
The first stage of the Government's response addresses 28 of the report's recommendations that specifically relate to health information. Of these, 13 have been accepted either in full or in principle, and a further 11 have been accepted with qualifications.
Other recommendations that apply to personal information generally will impact on the area of health information.
The Federal Government has accepted the ALRC's recommendation to enact a single set of Privacy Principles to apply both to the federal public sector and relevant businesses in the private sector. Health information will be regulated under the general provisions of the Privacy Act 1988 (Cth) (the Act) and the new Privacy Principles.
Having one set of 'Privacy Principles' to govern the privacy of personal information (including health information) will mean that federal public sector agencies will need to comply for the first time with special rules that will govern the privacy of health information.
This change will go some way towards enabling health information to be shared more reliably, securely and efficiently between public and private healthcare providers. However, state and territory laws also regulate the handling of health information in a number of jurisdictions, and some of these include privacy principles that impose different standards. The Federal Government has indicated its intention to work with the State and Territory Governments to progress national consistency in privacy regulation. Such national consistency is required before significant reductions in compliance costs can be achieved for all private and public bodies that handle health information.
The Government has accepted the recommendation that the definition of 'health information' in the Act be amended to make express reference to the physical, mental or psychological health or disability of an individual.
The Government has also accepted the recommendation that the definition of 'health service' be amended to make it clear that it includes activities that, among other things:
- 'predict' the individual's health or the health of future children (eg genetic testing);
- 'prevent' illness, injury or disability (eg services to assist with diet and weight loss and immunisations); and
- surgical or related services (including health-related cosmetic surgery).
Once an organisation is classified as a 'health service', all the information it collects to provide that service qualifies as 'health information' under the Act and is subject to a higher level of protection (eg it generally cannot be collected without consent). At the same time, the Government has accepted the ALRC's recommendation that such 'health services' should be able to collect third-party information from an individual, without the third party's consent, for inclusion in the individual's family, social or medical history. (Currently, this practice is allowed by virtue of a Public Interest Determination issued by the Privacy Commissioner.)
The Government also proposes that the definition of 'health service' will expressly exclude activities performed for reasons other than health care or treatment, such as non-health-related aged care or disability services, and life, health or other forms of insurance. The Governor-General will also have the power to make regulations to exclude, specifically or by class, organisations from the definition of 'health service'.
The Government did not accept the recommendation that new Privacy (Health Information) Regulations permit imposition of more, or less, stringent requirements on agencies or organisations than will be required by the Privacy Principles, preferring that rights and obligations in relation to the handling of health information be set out in the Act.
Some of the Government's proposals in relation to health information include the following:
- collection: collection of health information by health service providers:
  - information about the individual will be allowed without consent if it is necessary to provide a health service to the individual, and the individual would reasonably expect the organisation to collect the information for that purpose;
  - information about third parties will be allowed without consent if it is necessary to enable the provision of a health service directly to the individual, and is relevant to the individual's family, social or medical history.
- use and disclosure: an agency or organisation may disclose health information about an individual to a person who is responsible for the individual, if the individual is incapable of giving consent and all other conditions currently set out in NPP 2.4 are met (ie disclosure is necessary to provide care or treatment, or made for compassionate reasons, and the disclosure is not contrary to the individual's wish, and limited to the extent that is reasonable and necessary).
There will no longer be a requirement that the person responsible for the individual be over the age of 18 years. However, in considering whether to disclose an individual's health information to a person responsible for him or her who is under 18, a health service provider must consider, on a case-by-case basis, that person's maturity and capacity to understand the information.
The circumstances in which an individual is incapable of giving consent will be clarified to cover circumstances where a person is incapable of:
- understanding the general nature and effect of disclosing the information; or
- indicating whether he or she agrees to the disclosure.
- genetic information: the Privacy Act will permit the use and disclosure of genetic information where necessary to lessen or prevent a serious threat to the life, health or safety of a genetic relative (equivalent to current NPP 2.1(ea)), and where this occurs within the framework of rules issued by the NHMRC and approved by the Privacy Commissioner. To facilitate such disclosures, the Act will be amended to permit a health service provider to:
  - collect the contact details of a patient's genetic relatives (which may constitute 'health information'); or
  - use those contact details when that information is already in the health practitioner's possession.
- access and correction: an individual denied access to his or her own health information for certain reasons should be given the opportunity to nominate a suitably qualified and appropriate health service provider to have access to the information. For example, an individual may be denied access to his or her health information on the basis that it would pose a serious threat to his or her life, health or safety. If the nominated health service provider is satisfied that the grounds for denying access are not met, they may provide the health information to the individual. If the agency or organisation objects to the nominated health service provider and refuses to provide the health information, the individual may nominate another health service provider or lodge a complaint with the Privacy Commissioner.
- data security: where an organisation or agency that provides a health service is sold, amalgamated or closed down, or where the health service is a partnership and the partnership is dissolved, de-merged or disaggregated, or an individual health service provider dies, reasonable steps must be taken to make users of the health service aware of this, and inform them about proposed arrangements for the transfer or storage of individuals' health information.
- transfer of health information: a health service provider must transfer an individual's health information to another health service provider within a reasonable time after an individual's request to do so, subject to the following qualifications:
  - exceptions permitting the denial of access to the information;
  - permitting charges for transfer, provided they are not excessive; and
  - transferring health information in the manner requested by the individual (including summary form).
- collection and use: an agency may collect, use or disclose health information where necessary for funding, management, monitoring or evaluation of a health service (but not planning, as was recommended in the report) where:
  - the purpose cannot be achieved by the collection, use or disclosure of de-identified information;
  - it is impracticable for the agency or organisation to seek the individual's consent before the collection, use or disclosure (the Government did not accept the recommendation for an additional unreasonableness test, as it was considered to broaden unnecessarily and unintentionally the effect of the exception); and
  - the collection, use or disclosure is conducted in accordance with rules issued by the NHMRC (not the Privacy Commissioner, as was recommended in the report) and approved by the Privacy Commissioner.
The Government's response supports two central proposals to facilitate the conduct of medical research using identified or identifiable personal information without the consent of individuals:
- a new set of Research Rules for the use of health information by public and private sector researchers issued by the NHMRC, in consultation with other bodies such as the Australian Research Council and Universities Australia, and approved by the Privacy Commissioner (rather than issued by the Privacy Commissioner, as was recommended in the report). These Research Rules will replace the two sets of binding guidelines currently issued by the NHMRC; and
- expansion of the research provisions in the Act to allow such use for research in the public interest (not just health and medical research).
The Government has proposed that those elements dealing with privacy under the National Statement on Ethical Conduct in Human Research, including the review of research proposals by Human Research Ethics Committees (HRECs), should be aligned with the Act and Research Rules, to minimise confusion for institutions, researchers and HRECs.
A number of stakeholder submissions argued that the public interest test applied by HRECs failed to achieve an appropriate public interest balance. That test requires HRECs, before approving a research activity that involves collection, use or disclosure of sensitive information, or the use and disclosure of other personal information, without consent, to be satisfied that the research activity substantially outweighs the public interest in maintaining the level of privacy provided by the Act. The ALRC consequently recommended removing the word 'substantially' from the public interest test.
While the Government's response stated that the public interest test should favour research activities progressing, it also stated that, in its view, the requirement of substantiality achieves the appropriate balance. It is difficult to see how retaining the requirement of substantiality helps to ensure there is a clear balance in favour of research activity progressing.
Nevertheless, the Government's acceptance of the proposal that only one set of Research Rules should be issued, and that they should apply to human research generally (and not just health and medical research), should go a substantial way towards facilitating research in circumstances where it is not practicable to obtain individuals' consent to the use of their information.
The changes the Government has decided to make will be reflected in the draft exposure Bill early in 2010. This will provide an opportunity for health service providers, and other interested individuals and entities, to comment on changes.
Please feel free to contact us for more information, or for assistance with assessing the potential impact of the changes on your business.