Privacy Law and Policy Reporter
In stark contrast to the lack of action on privacy in the Federal Parliament during 1997, the other legislature in Canberra gave its citizens a welcome Christmas present. The Legislative Assembly of the ACT closed 1997 with the biggest extension of privacy rights in the Australian community for more than five years. The Chief Minister, Kate Carnell, introduced the Health Records (Privacy and Access) Bill 1997 in her capacity as Minister for Health and Community Care and, on 11 December, the Assembly enacted it into law with only two minor technical amendments. The new law will take effect on 1 February 1998, and provides ACT residents with comprehensive privacy protection and information privacy rights in respect of all personal health information, whether held in the public or private sectors or by voluntary organisations.
The introduction of the new law is in line with a commitment by the ACT government following their publication of a position paper Health Records: Privacy and Access in May 1997, but the speed of its passage has taken many people by surprise.
While the new law is a welcome addition to the statutory framework for privacy protection, and may help to advance the cause of more general privacy legislation both in the ACT and in other jurisdictions, many practical questions about how it will work remain to be answered. Some useful clarification of the then proposed law was provided by Ken Patterson, the ACT Community and Health Services Complaints Commissioner, in a paper to the IBC 1997 Australian Privacy Summit in Sydney in October 1997.
The precise coverage of the law depends on the interaction of several key definitions, such as health service provider, health record, and personal health information. Patterson makes it clear that while health service providers such as doctors, hospitals and clinics are subject to the Act in relation to all health records, any other organisation or individual will also be covered in respect of any personal health information they hold. Employers and insurance companies, for example, will be subject to the law in relation to any information about an individual’s ‘health, illness or disability’ that they may hold for whatever purpose.
At the heart of the new ACT law lies a set of Information Privacy Principles based on the IPPs in the Commonwealth Act, but modified for application to the health care sector. The regime has a number of interesting and innovative features which could well form a model for other future laws. These include:
Most of the principles apply to opinions as well as facts — opinions recorded after commencement (as well as facts whenever recorded) are accessible. Exemptions from the right of access are only very limited — where provision could be a significant risk to life or health, where it would contravene another law, and where the material has been provided in confidence. In relation to this last ground, which could be abused, Principle 8 includes a requirement for health service providers to discourage persons providing information in future from placing an ‘in-confidence’ condition on it. Even where information is provided in confidence, the record-keeper remains responsible for taking reasonable steps to ensure it is accurate and not misleading.
The law makes a distinction between members of a consumer’s ‘treating team’ who, sensibly, are allowed access to personal information without the patient (customer)’s express consent, provided their identity is either obvious or has been notified by the treating team leader; and most other third parties, to whom strict access rules apply. However, there is a potential loophole in the special provision, in Principles 9 and 10, for access by persons involved in the ‘management, funding or quality of health services’. This would appear to potentially allow access to and use of very detailed and sensitive health information by administrators, auditors and insurance companies without the customer even being aware of it.
It seems odd that there is a presumption of notification in relation to members of the treating team, but an almost complete exemption for these ‘administrative’ users, whom a patient may be less inclined to trust. The Explanatory Memorandum explains that these provisions are expressly designed to allow the free flow of information for the administrative, funding or quality control purposes, and there are strict limits on the use of the information for other purposes, but it is difficult to see why there needs to be such a blanket exemption from the notification requirements.
While most potential breaches of the new law are dealt with by way of a complaints process and civil remedies, there are strong offence provisions covering threats, intimidation and false representation, and acts deliberately designed to evade or frustrate the operation of the Act (including moving it out of the Territory) (ss 20-23).
Complaints under the Act will be handled by the ACT’s Community and Health Services Complaints Commissioner (currently Ken Patterson). The complaints regime and remedies are set out in the existing Community and Health Services Complaints Act 1993, and differ in some important respects from the provisions of the Privacy Act 1988 (Cth), which applies to most ACT government agencies. For example, the ACT Commissioner can only seek mediated outcomes, whereas the Privacy Commissioner can make a determination (although it can only be enforced, ultimately, by the Federal Court).
Ken Patterson indicated in October that the new law was supported (and presumably now welcomed) by many interest groups, but that some health professionals, notably the AMA and the Division of General Practice, were opposed and had a range of concerns. He listed a range of issues, ranging from genuine fears for the safety of patients to more self-interested concerns about being sued! It is hoped that now that the law has been enacted, doctors and other health professionals will work with the Complaints Commissioner, consumer groups and others to work through any substantive issues about the operation of the Act.
Apart from providing welcome protection to the residents of Canberra, the implications of the ACT legislation could be quite far-reaching. It represents another fragment in the ‘patchwork’ of inconsistent privacy rules which the business community, and privacy advocates, would strongly prefer to avoid. The stubbornness of the federal government in abandoning its commitment to uniform and comprehensive privacy law is to blame. Mirroring the general policy in the health field, the federal Minister for Health has indicated the government’s preference for self regulation, calling for a voluntary code dealing with access to medical records. But as Ken Patterson has said:
The AMA’s clear policy on access is not put into practice, even by AMA members, and even the NH&MRC’s guidelines on the provision of access to patients, generally regarded as an excellent model for information sharing, are only put into practice by a minority of doctors.
In the ACT at least, time has run out and access is now a legal right, along with the full range of other privacy protections. Health service providers, many of whom operate across the Territory’s borders, will now have to decide whether to run two separate systems, with a different, and lower, standard of information handling practice for their customers outside the ACT. How long the differential will be tolerated by consumers elsewhere will be another factor in the mounting pressure on the Federal Government to honour its original commitment to effective national protection.
Nigel Waters, Associate Editor.