Privacy Law and Policy Reporter
Elizabeth Longworth and Tim McBride
In this extract from their new book, The Privacy Act - A Guide, Longworth and McBride explain NZ's Health Information Privacy Code 1994, the first code to be issued under NZ's Privacy Act 1993, and a significant pointer to the types of codes which might be developed under future Australian legislation. The book was launched by NZ Privacy Commissioner Bruce Slane on 20 December 1994.
Patient confidentiality is a fundamental aspect of the relationship between the individual and the health professional. Individuals may reveal intimate information about themselves in a situation of confidence. To find later that this sensitive information has been used in an unauthorised manner, or has been accessed by others not entitled, undermines the relationship between the individual and the health professional. It may also impact on the public's confidence in the health system.
The Privacy Act 1993 (NZ) provides for codes of practice to be issued by the Privacy Commissioner to regulate the information practices of particular agencies, industries or sectors. The first code to be issued under the Privacy Act was the Health Information Privacy Code 1993 (Temporary). It has since been replaced by the Health Information Privacy Code 1994 (Health Code).
In 1993 the Health and Disability Services Act was enacted. The structure of the health system now involves regional health authorities (RHAs), as the purchaser of health services, contracting with healthcare providers such as crown health enterprises (CHEs), GPs and physiotherapists.
One outcome of the restructuring initiated under the Health and Disability Services Act was specific legislation addressing health privacy. This took the form of amendments to the Health Act 1956 which are designed to co-exist with the Privacy Act.
The changes in the health sector emphasised the need to clarify how personal health information may be used. It was recognised that the privacy of health information needed to be specifically addressed. Therefore, within one month of the Privacy Act coming into force, the Commissioner issued a Health Code.
Rules in the Health Code will not be breached if the action is authorised or required by or under law (s 7 Privacy Act). In terms of the health sector, the relevant statutory law is largely contained in the Health Act 1956, the Accident Rehabilitation and Compensation Insurance Act 1992, the Health and Disability Services Act 1993, the NZ Bill of Rights Act 1990 (ss 10 and 11), the Evidence Amendment Act (No 2) 1980 (ss 32, 33), the Health Research Council Act 1990 and the Official Information Act 1982.
One of the effects of the Health Code has been to strengthen and formalise the protection of personal health information by codifying in law what previously has been recognised by health professionals as a mix of ethical duties, statutory requirements and good practice.
After consultation with various health sector organisations, patient groups and advocates, Maori groups and government departments, the Health Information Privacy Code 1993 (Temporary) was issued as an urgent code. It was superseded by the Health Information Privacy Code 1994 on 30 July 1994. A further review will take place before 1 July 1999. The final version of the Code addresses many of the issues and uncertainties which arose during the time of the temporary code.
The Health Code has modified the information privacy principles, bringing them into effect immediately with regard to the special nature of health information. The Code works in conjunction with the Privacy Act so that, where there is no specific provision within the Health Code, the relevant provisions in the Privacy Act apply.
To help explain particular aspects of the Code, a commentary is printed at the end of each clause and rule. The commentary is an explanatory aid to illustrate and clarify particular provisions of the Code; it is not binding. The Privacy Commissioner has also published fact sheets to help people to interpret the Health Code.
Any breach of the Code has the same effect as a breach of the equivalent principle under the Act and gives rise to all the Act's remedies. This means that one of the effects of the Code is to strengthen and formalise the protection of personal health information by incorporating within the Code the tradition of confidentiality of such information historically found in case law.
The Code makes a health agency accountable to the individual in a way which is far more accessible. Measures such as the appointment of privacy officers within the health agencies and the complaints procedure make it easier for individuals to pursue a breach under the Privacy Act without having to rely on the court system. Finance is no longer a barrier to pursuing these breaches.
The Health Code modifies a number of Privacy Act provisions to take into account specific aspects of the health sector. Health information is information or classes of information about an identifiable individual relating to his or her particular health status. If the individual cannot be identified then the Code does not apply.
Not all information held by a health agency will be health information. A person employed by the health agency will be required to give their employer particular personal information. The information privacy principles will apply to this information and not the Health Code.
There is a difference between the definitions of an individual in the Privacy Act and the Health Code. Under the Privacy Act, the definition of an individual excludes a deceased person, whereas s 46(6) of the Act provides that for the purposes of issuing the Health Code principle 11 of the Act shall be read as if the term 'individual' includes a deceased person. Rule 11(5) reiterates this interpretation. This unique feature of the protection of health information about deceased persons stems from the WMA International Code of Medical Ethics declaration on being admitted to the medical profession.
I will respect the secrets which are confided in me, even after the patient has died ... A physician shall preserve absolute confidentiality on all he knows about his patient even after the patient has died.
The Code lists the categories of organisations and health professionals who are defined as health agencies and are therefore bound by the Code. The definition includes all health and disability service providers.
The Privacy Act applies to any employee or person in the service of, or training in, a health agency. Any action or disclosure in the course of that employee's or person's duties is deemed to be that of the health agency.
The purpose of the Code is to ensure that individual privacy is promoted and protected by a health agency. Each health agency is responsible for ensuring that at least one individual within the agency (or, if the health agency is an individual, that person) encourages compliance, deals with requests and works with the Privacy Commissioner on any investigations. That individual is called the privacy officer.
The Code goes further than the Act in that it requires the health agency to designate a person to deal with complaints (Health Code, cl 8) as an intermediary step in its complaints procedure prior to involving the Privacy Commissioner. The purpose is to encourage the health agencies to be proactive in developing complaints procedures which can resolve problems without having to take the matter further. If the health agency is an individual, a complainant may not want to deal directly with that person if it is the same person responsible for allegedly breaching the Code. In such a situation the individual can complain directly to the Privacy Commissioner.
Some of the ways in which the Health Code rules have modified the information privacy principles in the Privacy Act are:
(a) some limited and specific exceptions have been included where it was anticipated that there would be difficulties with compliance;
(b) certain exceptions which appeared in the principles but have no relevance to the health sector have been omitted;
(c) reference has been made to 'representatives' of people unable to act on their own behalf;
(d) the Code's language has been adapted to refer to the health sector; and
(e) all rules are effective immediately.
Rule 1 repeats the prohibition in principle 1 that health information must not be collected by any health agency unless for a lawful purpose connected with a function or activity of the health agency and the collection is necessary for that purpose.
The commentary to the Health Code asks the health agency to consider whether the purpose of collection is within the agency's legal power, such as within the terms of any hospital licence or other health registration. It also points out that the main purpose, connected with a function or activity of the agency, is for patient care and treatment. Other closely-related purposes include administration, training and education and monitoring the quality of patient care, treatment and health status.
It is now necessary for the health agency to ensure that the questions asked are only relevant to the particular purpose, so that standard admission forms may need to be reviewed. In the past it has been a common occurrence to be asked for information about religious persuasion or marital status. However, unless this is required to carry out the function or activity of the health agency, then this information may not be necessary and therefore the question is inappropriate in terms of the Code.
Rule 1 interacts with r 10 (limits on use of health information). If the information on the ward is collected for the specific purpose of treatment and care, then that should not be used by the finance department for another purpose unless the individual is aware and has consented to such a use (or the other exceptions apply).
Rule 2 provides that the health agency must collect health information directly from the individual concerned unless the exceptions apply. A number of these are in addition to, or modify, the exceptions in principle 2.
The exceptions include:
Another issue arising out of this rule is the parameters on what amounts to a collection. The Act says that 'collect' does not include receipt of unsolicited information. This makes it difficult to decide if information is being collected where a family member volunteers information about the health need of some other member of the family.
Rule 3 mirrors principle 3 of the Act by requiring the health agency to give certain explanations to the individual when the agency collects information from that person. These explanations are to ensure that the person or representative is aware of the fact and purpose of the collection, the intended recipients of the information, details of the agency which is collecting or holding the information, whether the supply is voluntary or mandatory, the consequences of non-supply and his or her rights of access and correction.
Unlike principle 3, this rule extends to representatives of a child or of people who are simply unable to exercise their rights (for example, where the individual is unconscious or has mental or intellectual disabilities). This practicality is of obvious importance in the health sector.
In a hospital environment much information about an individual is obtained when an informal conversation takes place, rather than the formal interview on admission. An individual may not be aware that information given by them is being collected and recorded in patient notes. Often the people who get closest to a patient in hospital are the auxiliary and domestic staff. Sometimes very important information can be obtained at this time by these people. A privacy issue arises where information is recorded but the patient is unaware of the fact and possibly would not have disclosed had she or he known.
Rule 4 provides that health information must not be collected by means that are unlawful, unfair or which unreasonably intrude into the personal affairs of the individual. The commentary to the Health Code provides examples of what is meant by the prohibitions in r 4. For example, unfair means of collection could include videoing or taping the individual without consent (see r 3 notice requirements) or being overbearing or threatening when stressing the consequences of not supplying information. A major privacy concern is whether or not sensitive questions are being asked in a public area where the response may be overheard.
Avoiding unreasonable intrusion into an individual's interest in health information privacy may involve:
Rule 5 provides that a health agency must store health information with adequate protection against loss, unauthorised access, use, modification or disclosure. The commentary notes the different types of security; that is, physical, operational and technical security. It also sets out examples of the security procedures which should be adopted. Many of these are practical and do not require huge spending on compliance costs.
One of the biggest issues is that, within an agency, the patient's personal information needs to be stored in a manner which prevents unauthorised use under r 10, such as where other members of the health agency can see an individual's personal health information even though they may not be involved in the care or treatment or have any associated purpose under r 1. It re-emphasises the need to differentiate personal health information into different levels of sensitivity to ensure that only those involved in a particular aspect of care can access the appropriate information.
Rule 6 entitles individuals or their agent (see s 45(b)(ii) of the Privacy Act) to access personal health information providing the information is held in a way that is readily retrievable. This means that information on paper or x-rays or videos would be readily retrievable. Conversation which was not documented at the time of the interview might not be considered readily retrievable.
This access right has raised issues in respect of parents who want access to their child's health information. Similarly a teacher who refers a child to the public health nurse may expect to have access to the outcome. This rule does not grant these people access rights. However, the information may be able to be disclosed if they are acting as the child's representative (see s 22F of the Health Act 1956 and r 11(2)(b) of the Health Code). The commentary clarifies that children now have a right of access to their own health information, although access may be refused if the child is under 16 years of age and disclosure would be contrary to that child's interests (s 99(1)(d) of the Privacy Act).
Rule 7 mirrors principle 7 of the Act by entitling individuals to request a correction, or a statement of a correction sought but not made, to their health information. This rule is subject to Pt V of the Act which sets out the procedural provisions on the correction of information. The commentary notes that this right is not dependent on the individual having been granted access. It interacts with r 6 because access is often required by the individual to see what personal health information is held in order to correct it.
The alternative to correcting the information is to attach a statement under r 7(1)(b) or 7(3). The individual may request this in the first instance, or the agency may respond this way because it is unwilling to correct the information. For example, in the area of an ongoing diagnosis of mental health, a person may have been diagnosed as having manic depression, although later the diagnosis is changed. The changing diagnosis indicates the health history of the individual and it might not be prudent for future care to remove earlier health information. A statement from the individual attached to the information may indicate a wider picture of their health history.
The individual is not entitled to physically change the information themselves but is still entitled to see and authorise (by signature) any correction made by the agency. The health agency will make any required changes.
Rule 8 mirrors principle 8 of the Act by prohibiting a health agency that holds health information from using that information unless it has taken reasonable steps under the circumstances to ensure that the information is accurate, up to date, complete, relevant and not misleading for the purpose it is proposed to be used.
The commentary provides examples of reasonable steps for ensuring accuracy and the factors to consider in developing procedures to update the health information. It also recommends that a health agency collecting the information from another health agency should check its accuracy with the individual concerned at the earliest opportunity and, perhaps, record the source on file.
Rule 9 prohibits a health agency from retaining health information longer than required for any lawful use. This rule is similar to principle 9 of the Act, except that it goes on to clarify that the destruction of a document containing health information is not required if it is necessary or desirable to retain that information to provide health or disability services to the individual concerned.
There is an important contrast which distinguishes health information from some other personal information held by an agency and covered by the Privacy Act. The purpose of health information is often ongoing and stays with the individual throughout his or her life, for example, information held by a general practitioner. By contrast, other personal information may have a short term purpose after which it should no longer be retained, for example, information obtained through a hire purchase agreement.
The commentary to r 9 acknowledges that there is concern in disposing of health information too soon, rather than retaining it for too long. It also recognises that there may be good reasons to retain records well after they have ceased to be relevant for the primary purpose of care and treatment of the individual, but warns that the information should be regularly assessed to see if it is still required for the purposes for which it may be lawfully used. It should also be checked for accuracy (r 8 of the Health Code).
(Extracted from E Longworth & T McBride The Privacy Act - A Guide, Wellington, 1994, GP Publications - PO Box 12 052 Wellington NZ, or Freefax 0800 80 4454, NZ$39.95 plus $3.75 postage)
This extract will be continued in the next issue with a discussion of rules 10-12 and other legislative provisions affecting privacy of health information.