Australian Information Commissioner issues new privacy guidance for handling health information

15 October 2015 | Australia, Brisbane, Melbourne, Perth, Sydney
Legal Briefings – By Daniel Forrest, David Miller and Kaman Tsoi

The Office of the Australian Information Commissioner (OAIC) has issued a series of draft health industry resources regarding the handling of health information. The draft documents provide guidance regarding the collection, use, storage and disclosure of health information, the types of organisations that will be considered health service providers and a wide range of other matters including guidance for vendors and purchasers of health service provider businesses.

New OAIC privacy guidance for health information

What has been released?

The Office of the Australian Information Commissioner (OAIC), which is the federal agency responsible for regulation of the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), has issued a series of draft health privacy guidance resources for public review and consultation (Health Information Resources).

The Health Information Resources comprise 11 resources for businesses that collect, use, store and disclose health information as well as 2 consumer-facing fact sheets that set out consumers’ rights in respect of the handling of health information by regulated entities.

The OAIC has stated that the draft Health Information Resources are intended to:

  • reflect the recent 2014 reforms to the Privacy Act 1988 (Cth) and the publication of the APP Guidelines,
  • replace the OAIC’s existing health privacy guidance for providers and consumers, and
  • provide information specifically tailored to the health sector covering matters which arise most frequently for health service providers.

New clarification and worked examples

The draft Health Information Resources, which are summarised in the table at the end of this briefing, provide important insights into how the Commissioner will approach issues regarding health information.

Definition of health service providers

The guidance makes clear that ‘health service providers’ may include not just organisations traditionally thought of as health service providers such as hospitals and pathologists but also organisations whose primary activities do not necessarily relate to the provision of traditional health services. The Commissioner lists private schools, gyms, weight loss clinics, drug and alcohol services and child care centres as examples of organisations that will be considered health service providers in certain circumstances.

Access to health information held by health service providers

Organisations are required under APP 12 to provide individuals with access to personal information held about them on request unless an exception applies. The situations in which access to health information may be refused are addressed in the ‘Access to health information held by health service providers’ resource. The guidance provides a number of worked examples to illustrate when refusal of access will be acceptable, for example in relation to threats to the therapeutic relationship and patients with histories of violence or self-harm.

Change of business circumstances or closure of a health service

There is also new guidance for vendors and purchasers of health service provider businesses. The guidance clearly indicates that, pursuant to APP 3.3, when an entity (the ‘new health service provider’) acquires the business of another health service provider and, as part of that acquisition, collects patient health information from the existing health service provider, the new health service provider must:

  • obtain each patient’s consent to the collection of the information (regardless of whether or not the new health service provider will use or disclose the information for new purposes), and
  • ensure that all the information it collects from the old health service provider is reasonably necessary for one or more of the new health service provider’s functions or activities.

The guidance states that if an individual does not consent to the new health service provider collecting their health information, it must not collect the information. Critically, the guidance also indicates that, while consent can be express or implied, health service providers should generally seek express consent from patients before handling their health information – due to the greater privacy impact that unauthorised collection could have.

Feedback sought

The OAIC is seeking comments on the draft Health Information Resources from stakeholders. The closing date for public submissions is Tuesday 20 October 2015. Further information about submitting feedback is available from the OAIC.

The draft Health Information Resources

As noted above, the draft health privacy guidance comprises 11 resources for businesses that collect health information and 2 consumer fact sheets:

Primarily for business:

  • Handling health information under the Privacy Act: a general overview for private sector health service providers. Provides a general overview of the obligations that apply to providers under the APPs, including the interaction of federal and state health privacy laws, the operation of the ‘personally controlled electronic health record system’, professional and ethical codes and data security requirements.
  • Key health privacy concepts for health service providers. Provides explanations of key health privacy concepts, including ‘health service provider’, ‘health information’ and the ‘permitted health situation’ and ‘permitted general situation’ exceptions under the APPs.
  • Collecting patients’ health information. Provides guidance on the collection of health information, the meaning of ‘collection’ in practical circumstances, when implied consent may be sufficient and the requirements for privacy notices in the context of health information.
  • Using and disclosing patients’ health information. Provides guidance on the use and disclosure of health information, including the meaning of ‘use’ and ‘disclosure’, the requirements for sharing information with other health service providers without consent and using or disclosing health information with consent.
  • Access to health information held by health service providers. Provides guidance on the requirements for providing access to health information held by health service providers, including processing and responding to access requests, permitted access costs and situations where access can be refused.
  • Correction of health information by health service providers. Provides guidance on the requirements for maintaining correct, accurate and up-to-date information and dealing with requests for correction of information.
  • Collecting, using and disclosing health information for health management activities. Provides guidance specific to providers that are collecting, using or disclosing health information for the purposes of managing, funding or monitoring a health service.
  • Collecting, using and disclosing health information for research. Provides guidance specific to private sector health service providers (or other private sector organisations) that are seeking to collect, use or disclose health information without consent for research or statistical purposes relevant to public health or public safety.
  • Using and disclosing genetic information to lessen or prevent a serious threat to the life, health or safety of genetic relatives. Provides guidance specific to providers that intend to use or disclose patient genetic information without consent, including where such information may be disclosed to a genetic relative of a patient.
  • Disclosure of health information and impaired capacity. Provides guidance specific to providers that intend to disclose patient health information to relatives and others where the patient is unable to provide consent.
  • Change of business circumstances or closure of a health service. Provides guidance regarding how health service providers facing a change in business circumstances should handle personal information under the APPs, including in respect of data quality, requirements where patients cannot be contacted and where a health service provider ceases operating.

Primarily for consumers:

  • Fact sheet: Privacy and your health information. Provides consumers with an overview of their rights regarding the collection, holding, use and disclosure of their health information, including examples of exceptions to general rules.
  • Fact sheet: How you can access or correct your health information. Provides consumers with information regarding how they can access and correct health information held about them, including when providers can refuse access and steps consumers can take where a provider refuses access.

 
