Focus: Reforming privacy and health information
3 November 2008
In brief: The Australian Law Reform Commission has released a report that recommends changes to Australia's privacy laws. Partners Catherine Parr and Peter Jones, Special Counsel Karin Clark and Lawyer Francisca Hoffmann-Axthelm report on the implications for health service providers and other bodies that handle health information.
- Uniform rules for the privacy of health information
- What is 'health information' and a 'health service'?
- How should health information be regulated differently from other personal information?
- Research and research databases
- Staged implementation
- State laws
How does it affect you?
If the report's recommendations are adopted:
- One set of rules to govern the privacy of health information will replace the many different sets of rules that currently govern health information privacy, which should lead to a substantial reduction in privacy compliance costs, particularly for health service providers.
- Commonwealth public sector agencies will need to comply for the first time with the special rules that will govern the privacy of health information.
- An expanded definition of 'health service' will include businesses offering predictive genetic testing, cosmetic surgery or assistance with diet, weight loss or immunisations. Such organisations may therefore need to review their privacy compliance practices and policies.
- Consumers of health services will be given more access to their personal information when health services are sold, amalgamated or closed down and will also be given more rights to transfer their health records.
- The Office of the Privacy Commissioner will be asked to develop a new set of research rules to govern the use of health information in the conduct of medical research without the consent of individuals. Organisations with an interest in such research will be able to make submissions on these rules, which will cover important matters such as the conditions under which it is appropriate to collect personal information without consent for inclusion in a research database or to identify potential participants in research.
- The research rules will also cover the use of personal information without the consent of individuals in the conduct of research other than medical research (this has not previously been catered for).
The Australian Law Reform Commission has recently released the final version of its report, For Your Information: Australian Privacy Law and Practice (the report).
Our previous Focus publications have reported on the Uniform Privacy Principles (or UPPs) and new provisions for credit information recommended by the report. The report also has important implications for health service providers and any other bodies that handle health information.
If adopted, the report's recommendations for national consistency in privacy regulation will probably have the greatest impact in the area of health information. Currently, at least five separate sets of privacy principles[1] govern health information in Australia, and the implementation of the same set of rules in all jurisdictions should lead to significant reductions in compliance costs for all private and public bodies that handle health information. It should also result in a better understanding by Australian organisations, public sector agencies and health consumers of the rules that protect the privacy of health information.
It will also mean that some bodies that currently do not comply with special privacy rules for health information will have to do so. The Information Privacy Principles that currently govern the Commonwealth public sector make no distinction between health and non-health personal information. If the reforms are adopted, Commonwealth public sector agencies will have to comply for the first time with special privacy rules for health information.
The report recommends that the definition of 'health information' in the Privacy Act be clarified by making express reference to the mental or psychological (as well as physical) health or disability of an individual.
The report also proposes amendments to the definition of what is a 'health service' to include, among other things:
- genetic testing (for example, to predict a person's health or the health of future children);
- cosmetic surgery or related services; and
- assistance with diet, weight loss or immunisations.
If this recommendation is adopted, private and public sector entities that provide these services will need to review their information management practices and policies. All personal information collected to provide a health service will be deemed to be 'health information', so even information such as contact details collected by a health service provider will need to be handled as 'sensitive' information under the Privacy Act.
The report recognises that, while as much uniformity as possible is desirable in Australian privacy law, health information needs to be subject to some special rules. It recommends that while health information should (together with all other kinds of personal information) be governed by the proposed UPPs, these should be supplemented by a new set of Privacy (Health Information) Regulations (the Health Regulations), which would document additional requirements for health information. The report also recommends that the Office of the Privacy Commissioner (the OPC) should publish a document containing a set of the UPPs as they relate to health information to assist understanding.
The report's recommendations for the new Health Regulations include the following:
- In the course of providing a health service, health service providers should be able to collect the health information of third parties relevant to the family, social or medical history of the patient without the consent of the third parties, if to do so is necessary for providing the service. This would formalise current Public Interest Determinations issued by the OPC. It is interesting to note, however, that in its discussion of this issue, the report does not recommend that there should be a similar provision made where insurance companies collect health information (without consent) about third parties where such information may be relevant to the individuals whom they insure. The report instead notes that insurers should seek their own Public Interest Determination for the collection of health information of such third parties (where the identity of such third parties may be able to be inferred from the information), in order to avoid a breach of the Privacy Act.
- To facilitate the sharing of health information between members of a treating team, a health service provider should be able to collect health information about any individual if this is necessary to provide a health service and the collection would be reasonably expected by the individual.
- Where an organisation or agency that provides a health service is sold, amalgamated or closed down, or an individual health service provider dies, reasonable steps must be taken to make users of the health service aware and inform them about proposed arrangements for the transfer or storage of individuals' health information.
- Where an individual requests a health service provider to transfer their health information to another health service provider, the provider must do so within a reasonable time of the request.
The last two recommendations substantially reflect the position in Victoria under the Health Records Act 2002 (Vic) but their implementation throughout Australia will lead to greater consistency in the access that health consumers have to their records.
The report contains significant recommendations in the areas of medical and non-medical research, although the final impact of these recommendations will depend on the outcome of further consultation by the OPC.
Currently, exceptions to the 'Collection' and 'Use and Disclosure' principles of the National Privacy Principles (the NPPs) allow the conduct of medical research using identified or identifiable personal information without the consent of individuals, provided certain conditions are met, including review by Human Research Ethics Committees (HRECs) and compliance with certain guidelines currently issued by the National Health and Medical Research Council (NHMRC)[2]. The report recommends that the proposed UPPs should continue to provide for such research to be subject to review by HRECs, but should also be subject to a new set of 'research rules' to be issued by the OPC (instead of the two sets of [different] guidelines currently issued by the NHMRC).
The reformulated research rules are likely to lead to an overhaul of this area, and the ALRC envisages that the OPC would consult with a broad range of stakeholders in their development. The ALRC anticipates that the research rules would cover issues such as the circumstances and conditions in which it is appropriate to collect, use or disclose personal information without consent:
- for inclusion in a database or register for research purposes; or
- in order to identify potential participants in research.
One of the advantages of these issues being covered by research rules to be issued by the OPC is that they can be more quickly updated or revised as new or innovative methods of conducting research emerge.
Also significant is the report's recommendation that the exceptions for medical research be extended to cover all human research. This recognises that areas of research such as sociology and criminology also have a strong public interest basis and that research increasingly involves multi-disciplinary approaches.
If these recommendations are adopted, organisations that conduct medical and non-medical research should take advantage of the opportunity to make submissions to the OPC about the scope and content of the new research rules.
Senator John Faulkner has stated that the Federal Government will consider the report in two stages. The recommendations summarised above are included in the first stage, for which legislation is expected within 18 months.
Among the numerous other recommendations in the report are ones for the removal of the employee records and small business exemptions. The Federal Government has stated that these recommendations will be considered in the second stage of the Federal Government's consideration of the report, for which no timetable has been announced as yet.
Small businesses are subject to the Privacy Act if they provide a health service and hold any health information (other than in an employee record). If the small business exemption is removed then all small businesses will have to comply with the UPPs and the Health Regulations if they collect health information, even if they do not provide a health service.
If the employee record exemption is removed then all health information held by employers (for example, sick leave records and records relating to medical history held for insurance purposes) will need to be handled in accordance with the UPPs and the Health Regulations.
Achieving a single set of rules for the handling of health information will require cooperation from the states and territories. The New South Wales Law Reform Commission in its Consultation Paper 3: Privacy Legislation in New South Wales proposes the transfer of the regulation of the handling of health information by private sector organisations to the Commonwealth. It canvasses merging the regulation of health records and health information in the hands of the NSW public sector and regulation of personal information generally in the hands of the NSW public sector into a single piece of legislation, which should be drafted so as to achieve national uniformity. Similar moves will need to occur in other states and territories if true uniformity is to be achieved.
For more information, or for assistance with assessing the potential impact of the changes on your business, feel free to contact us.
1. The National Privacy Principles (for private sector organisations) and the Information Privacy Principles (for the Commonwealth public sector) under the Privacy Act 1988 (Cth) govern the privacy of health information, as do separate health privacy principles that apply under Victorian, New South Wales and ACT statutes, and state and territory laws that impose confidentiality obligations in the state and territory public health sectors.
2. Section 95 of the Privacy Act provides for guidelines to be issued in relation to public sector health research and section 95A provides for guidelines to be issued in relation to private sector health research.