Allens Arthur Robinson

Health providers face special privacy problems, as much of the information they hold is particularly personal.

The Privacy Act 1988 recognises this - health information has special protection as sensitive information. It regulates access to and use of personal health information by organisations which provide a health service, as well as other organisations.

A number of the recommendations made on 18 May 2005 in the Commissioner's review of the private sector provisions of the Privacy Act 1988 would impact on organisations or individuals in health-related fields and those accessing health-related services. Many of the recommendations involve the adoption of a finalised version of the National Health Ministers' Council's National Health Privacy Code (NHPC). The NHPC contains National Health Privacy Principles (NHPPs), which apply to health information. For more, see our analysis of the health implications of the review.

What does the Privacy Act mean for health providers?

Just like other organisations, health providers must handle personal information in accordance with the standards imposed by the National Privacy Principles (NPPs). But they must also comply with the slightly higher standards imposed by the regime's special protection for health information.

We've put together a checklist to give you some guidance.

Some areas that are particularly tricky include:

Are small businesses exempt?

The small business exemption does not apply to health service providers. If you are a small business and you provide a health service you must comply with the legislation.

What does it mean for patients?

When dealing with private sector health service providers, patients have:

  • the right to access health information held by any organisation (NPP 6);
  • the right to have any errors corrected (NPP 6);
  • the security of knowing that health information:
      ◦ can only be collected with their consent or in specific circumstances (NPP 10);
      ◦ must be stored securely (NPP 4); and
      ◦ generally cannot be used without their consent for any purpose other than that for which it was collected, and cannot be disclosed to third parties (NPP 2).

The public healthcare sector is also subject to heavy regulation in the area of privacy. The Commonwealth Privacy Act 1988 regulates, through the Commonwealth Information Privacy Principles (IPPs), the handling of personal information by federal public sector bodies, such as the Health Insurance Commission, public hospitals and other federal health institutions.

State legislation may apply 

State or Territory legislation (such as the Victorian Health Records Act 2001 and the ACT Health Records (Privacy and Access) Act) may also apply to health information held in the public as well as the private sectors and in some cases may create additional compliance obligations now or in the future. For more, see our State legislation page.

Private sector regulation

NPP 2 - Use and disclosure

Health information may be used or disclosed for research relevant to public health or safety in certain circumstances. Health information may also be disclosed to parents, relatives or guardians where:

  • an individual is incapable of consenting to the disclosure;
  • disclosure is necessary for treatment or for compassionate reasons; and
  • the disclosure is not contrary to any previously expressed wish of the individual.

NPP 6 - Access

Subject to numerous exceptions, NPP 6 allows individuals to access information about them on request.

In the case of health information an additional ground for denying access exists where it would pose a serious threat to the life or health of an individual. If access is denied for this reason then the organisation must think about allowing alternative access through the use of an intermediary.

NPP 10 - Sensitive Information

Under NPP 10, specific consent must usually be obtained to collect sensitive information (including health information). But an organisation may collect health information about an individual without consent in two circumstances.

First, where:

  • collection is necessary for:
      ◦ research relevant to public health or safety;
      ◦ compiling or analysing statistics relevant to public health or safety; or
      ◦ the management, funding or monitoring of a health service; and
  • that purpose cannot be served by collecting data that does not identify the individual or from which the individual's identity cannot reasonably be ascertained; and
  • it is impractical to seek consent to the collection; and
  • the information is collected following rules on professional confidentiality or guidelines approved by the Privacy Commissioner.

Or second, where:

  • the information is necessary to provide a health service to the individual; and 
  • the information is collected in accordance with the law or rules established by competent medical bodies.

Unless the individual agrees, any health information collected must be permanently de-identified before it is disclosed.

The health section of the Commissioner's Review released in May 2005 contains recommendations relating to the collection of information without consent. In brief, the Review recommends that the Federal Government consider amending NPP 10.2 to allow the collection of health information when 'authorised by law' in addition to when 'required by law' and also recommends that the Federal Government consider amending NPP 10.2 to clarify the nature and content of the binding rules referred to.

Voluntary codes

There are a number of voluntary codes which regulate the handling of personal information. These include:

  • AS 4400 (1995) - The Protection of Personal Privacy and Health Information Systems. This deals with both the inappropriate disclosure of personal health information and the collection, storage, access and use of such information. The code has not been universally adopted.
  • Royal Australian College of General Practitioners Code of Practice for the Management of Health Information in General Practice.
  • AS/NZS 4444 (2:2000) - Information Security Management. This code deals with the management of information security. It specifies requirements for establishing, implementing and documenting an information security management system and appropriate security controls.

Additional obligations - public sector

The public sector is also subject to federal and state Freedom of Information legislation which provides patients with a right to access their medical records held by public authorities. For more information, see the various FoI Acts (Commonwealth; ACT; NSW; Queensland; SA; Victoria; WA; Tasmania).