Privacy Law and Policy Reporter
On 22 November the Victorian Government introduced the Health Records Bill 2000 into the Victorian Parliament, to be debated in the 2001 sittings. Meredith Carter’s article was written before the Bill’s introduction, based on the Exposure Draft. A summary of the Exposure Draft Bill follows this article. Differences between the Exposure Draft and the Bill as introduced will be noted in a later issue — General Editor.
Following widespread criticism of the Federal Government’s Privacy Amendment (Private Sector) Bill, some State and Territory governments are developing their own information privacy legislation. Given the potential for harm and discrimination if health information is misused, escalated by electronic management of personal information, many advocate specific protection for health records. Adequate legislative privacy protection is considered fundamental to ensure ongoing consumer confidence in the integrity of the health system in the electronic era.
Consistent with this view, the Victorian Government is not only proposing generic data protection legislation — it also proposes a Health Records Bill designed to complement the Information Privacy Bill 2000 (Vic) (see 7(2) PLPR 21). To date the only Australian jurisdiction with health specific privacy legislation is the ACT, where the Health Records (Privacy and Access) Act 1997 has been in force since 1997. The Victorian proposals are closely modelled on the ACT legislation and aim to regulate health information manage-ment uniformly across both the public and private sectors.
This is in contrast to the Common-wealth’s ‘light touch’ approach which establishes different privacy regimes for the public and private sector and makes little concession to the particular concerns raised by personal health records. Submissions to the House of Represent-atives and subsequent Senate Inquiry into the Commonwealth Bill indicated that many organisations, from the Australian Medical Association (AMA) to the Consumers Health Forum, consider that the light touch approach offers little certainty for health practitioners as to the standards expected of them and provides illusory protection for health care consumers.
A uniform approach to privacy protection is vital given the extensive overlap in public and private services in health. For example, general practitioners are private practitioners but most hospital beds are in public hospitals. Services provided to patients in public hospitals are often provided by private companies, for example many radiology and pathology services. Public hospitals also treat both public and private patients. It is absurd that different standards currently apply to the management of their records. The classic example of this absurdity is that a public patient has rights of access to and correction of their medical records under freedom of information (FOI) legislation, but a private patient in the next bed does not.
The imminent shift to electronic manage-ment of personal health information makes a uniform data protection regime imperative. Electronic data sharing has the potential for many benefits in terms of integrated and streamlined provision of health care. Significant attention is also focused on the development of an integrated electronic health record. These initiatives rely on sharing personal health information between all relevant health professionals treating an individual, regardless of whether they practice in public or private sector organisations.
The capacity of electronic information management to contemporaneously collate, analyse, manipulate and disseminate multiple records unfortunately also escalates the risks of privacy abuses. This is increasingly well demonstrated by the US experience. For example, one recent error at Kaiser Permanente, America’s second largest health main-tenance organisation, resulted in the contemporaneous breach of the privacy of 858 members. Medical information belonging to other people was emailed to customers making confidential inquiries about their health through the organisation’s online advice service. One woman received a large computer file with messages intended for several hundred other members.
The Victorian Health Records Bill sets out a series of 11 Health Privacy Principles (HPPs). In addition to health services the principles bind any agency holding personally identifiable health information (cll 18 and 21). Non-health agencies might include employers who hold health information regarding their employees, schools with vaccination records and sporting clubs or fitness gyms maintaining health status reports on their customers.
The principles build on those set out in the Commonwealth’s Private Sector Bill but are tailored to the health sector. For example, HPP 8 requires organisations to allow a consumer to remain anonymous where it is practical to accommodate such a preference. Privacy is a particular issue for people engaging in activities such as intravenous use of illicit drugs, as well as for those with stigmatised conditions such as mental illnesses. Thus the option of anonymity has been integral to public health strategies to control infectious diseases such as Hepatitis C and HIV/AIDS in Australia. There is a clear public interest in ensuring that people are not deterred from seeking health care by privacy concerns.
HPP 10 deals with another contentious issue in the health sector: the transfer of health records between practitioners when a practice is closed, sold or amalgamated. HPP 10 requires public notice of the arrangements made for transfer of the records either to the new practice or a competent organisation for safe storage in Victoria. A consumer also has the option of requesting any records relating to them be given either directly to them or to another provider nominated by them.
HPP 11 facilitates consumer capacity to choose their health practitioner. It provides individuals with the right to have their records transferred from their previous health practitioner to a current practitioner.
The attempt to maintain general consistency with the weaker Commonwealth proposals is pragmatic. It aims to avoid the potential that major inconsis-tencies may result in the state legislation being rendered void. However, this policy compromise inevitably means that the Victorian proposals also fall short of the certainty sought by the health sector. This is particularly clear in terms of the use and disclosure provisions (HPP 2) and the lack of overarching powers to monitor and audit health information management in the Victorian Bill.
A major point of departure from the Commonwealth approach is the intention of the Victorian Bill to provide a framework for enforcing consumers’ privacy rights in health care. Consumer complaints will be dealt with by the Health Services Commissioner, an existing statutory office created to deal with other health complaints. Under the Common-wealth proposal the Privacy Commissioner will only directly handle complaints if no relevant organisational or industry codes and complaints handling mechanisms are in place.
The need for a consistent and enforceable framework is illustrated by the difficulties consumers have in obtaining access to their medical records. The current AMA policy is that consumers have a right to be informed of all factual information contained in the medical record relating to their care but, for example, not necessarily of any opinions the record might also encompass. Similarly, the Royal Australian College Of General Practice suggests that in most cases, provision of an accurate and up to date summary will suffice. This leaves private patients reliant on the discretion of the relevant medical practitioner.
There has been limited private sector co-operation with recommendations made for improved consumer access in the cases dealt with by the Victorian Health Services Commissioner. The Commissioner’s Office has found itself particularly ineffectual in the face of private sector health practitioners denying consumers access to their records. As a result, the Office has urged the introduction of legislation giving consumers the capacity to enforce rights of access to medical records since at least 1991.
The Commonwealth’s proposals do little to address this situation. Independent statutory Health Complaints Commissions have been established around Australia over the last 15 years as a result of the lack of public confidence in the capacity of industry bodies to deal fairly with consumer complaints regarding health care. Despite this, the Commonwealth Bill proposes that complaints, including those about consumer access to their records, should generally be handled by organ-isations themselves or by industry-wide bodies. While the Privacy Commissioner will set guidelines for interpretation of the access (and other) provisions, the guidelines are not intended to be binding. The inadequacy of this approach is compounded by the lack of appeal provisions. A consumer can seek to enforce a decision in their favour made by an industry complaints body; however, if the original determination was not in their favour, the consumer has no right of appeal.
In contrast, under the Victorian Bill the Health Services Commissioner can not only issue guidelines (cl 22), but it is also the body which handles the complaints (cl 45) and issues rulings as to whether practitioners have complied with them or not, and how any breach should be remedied. While initial rulings are not binding, the respondent must inform the Commissioner as to whether he or she intends to comply. Either the complainant or the Commissioner can then refer the matter to the Victorian Civil and Administrative Tribunal (VCAT) for binding orders.
Importantly, the Commissioner can also issue compliance notices in response to serious and repeated breaches. Further, issue of a compliance notice is not reliant on a complaint having been made. The Commissioner can issue a notice at his or her own initiative where an agency’s health information practices appear to constitute a serious or flagrant breach of the Act (cl 66). Clause 71 renders failure to comply with these notices a criminal offence. In contrast, if there is non-compliance with any guidelines the Commonwealth Privacy Commissioner has issued, he or she must decide that the non-compliance warrants revocation of the organisation or industry’s complaints handling code.
Clause 22(2) of the Victorian Bill does allow the Commissioner to issue or approve guidelines which would provide less protection than the HPPs. However, he or she must be satisfied that the public interest in doing so substantially outweighs the public interest in main-taining the level of protection envisaged by the Principles. In addition, the Minister may disallow any such determination by the Commissioner (cl 24).
The basic right of consumers to access their records detailed in HPP 6 is the centrepiece of the Victorian Bill. The Health Records Bill sets out a specific process, modelled on the ACT legislation, where the right of consumer access is in dispute. Clause 26 affirms that individuals are entitled to access their health information unless the organisation believes on reasonable grounds that access would pose a serious or immediate threat to the life or health of either the individual or any other person.
Clause 27 deals with an issue that is often contentious, being information about a consumer provided to a practitioner in confidence by a third party. This information may be withheld from the data subject. However, HPP 1.7 effectively directs practitioners to think carefully before noting what may be mere gossip on the consumer’s record; the provider must only record the information if it is relevant to the care of the data subject and must take reasonable steps to ensure that the information is accurate and not misleading. Clause 27(3) reinforces the general emphasis on subject access by requiring a practitioner to check that the information remains confidential before assuming that it cannot be revealed if a consumer subsequently requests access to their record.
As under FOI legislation, where a formal request for access has been made, the practitioner must give formal reasons for any decision not to comply. In addition, when responding, cl 37 allows the practitioner to advise whether they would consent to discussing the record with the consumer or allowing another health practitioner, nominated by the pract-itioner, to discuss the contents of the record with them. If the consumer is not satisfied with the offer made, cl 38 gives them the option of nominating an alternative practitioner with whom they would prefer to discuss the record. (The ACT Health Services Commission has on retainer medical practitioners prepared to undertake this function.)
Clauses 43 and 44 reinforce that refusals to provide access should not be common. Clause 43 states explicitly that these compromise provisions are not intended to prevent or discourage an organisation providing access to an individual, and cl 44 states that access is considered a non-negotiable contractual obligation arising from the provision of a health service.
The Bill also attempts to dissuade providers from charging a fee for access and to ensure that where a fee is charged that it is not excessive. Clause 32(1) states that an organisation is not required to charge a fee and the following subclauses restrict the extent of any fee charged. Clause 32(5) spells out that a fee cannot be imposed for lodging a request for access. The experience of the ACT Health Services Commission is that these provisions have encouraged much greater disclosure of records to consumers.
The Freedom of Information Act 1982 (Vic) also contains a process for mediated access to records in the public health sector; for example, hospital records can be offered to a consumer where this is considered desirable. As under the proposals in the Health Records Bill, this can occur through a medical practitioner nominated by the consumer. It is likely, however, that the provisions in the FOI legislation will require amendment to be brought in line with the more detailed provisions the new Bill contains.
If a consumer or a respondent provider is unhappy with the results of an FOI application they can have the matter dealt with by the VCAT. Similarly, cl 65 of the Health Records Bill enables either party to seek review by the VCAT of any ruling by the Health Services Commission as to whether there has been an interference with the consumer’s privacy.
The Victorian Bill represents a policy compromise in that consumers will not have an enforceable right of access to all aspects of health records created prior to the commencement of the legislation. Many consumers will feel that there is no cause for different grounds of access to past records other than those specified in terms of access to future records. The evidence supports consumer access on the grounds that it promotes trust within the health care relationship.
Further, the issue of access to all records maintained about individuals and their health is particularly important in an electronic environment. Regardless of when the record was created, consumer access is a critical mechanism for ensuring the accuracy of records which may be shared electronically between various practitioners for treatment purposes and utilised for various other research, quality assurance and planning purposes, whether in identified or aggregate form.
Clause 25(3) makes it clear that the Bill generally accepts these views, particularly in relation to factual information and diagnostic opinion. It details eight broad groups of information to which the general right of access must be applied regardless of when the information was recorded. Nonetheless, this clause would preclude access to some limited opinion information recorded prior to the operation of the legislation.
HPP 2 of the Victorian Bill largely reflects the Commonwealth proposals for third party access to personal records. This is probably the most disappointing and confusing aspect of the Victorian Bill, generally undermining the current ethical and legal constraints on disclosure in the state. In particular, it provides for greater access to and disclosure of consumer records to police and other agencies for a very broad spectrum of potential uses. These include the prevention and detection of possible criminal offences or seriously improper conduct, and protection of public revenue. If consumers believe that third parties can gain greater access to their records without their knowledge or consent, they may not seek the health care they require. As noted above, this presents very real dangers of undermining efforts to protect the public health.
These issues are recognised in the overview paper accompanying the Exposure Draft of the Health Records Bill. The paper notes that different organisations and individuals will remain subject to additional specific confidentiality provisions in other Acts which will override the Bill. The overview paper also suggests that registered health practitioners will continue to remain subject to the more stringent confidentiality obligations imposed by the common law. It is unfortunate that the opportunity has not been taken to clarify the common law and bring the various statutory obligations of all health practitioners into line.
It is also unclear how this principle will interact with HPP 8, which allows anonymous utilisation of services. The Bill states that these provisions do not require providers to allow police or other access to consumer records. This is unlikely to provide much comfort to consumers or to health providers unless they are particularly confident as to when they should or should not comply with third party requests for access. Nor will it assist law enforcement officers in determining when it is reasonable to seek disclosure of health records. A similar lack of legislative clarity has generated considerable contro-versy in other jurisdictions. Clause 22 of the Victorian Bill provides for the Health Services Commissioner to issue guidelines in relation to any matter covered by the HPPs. This is clearly one area where they are likely to be required urgently.
Third party access also raises the issue of increased sharing of consumer records among members of treating team. The overview paper emphasises that manage-ment of health information so as to promote co-ordination of care is high on the agenda of the Victorian Department of Human Services. ‘Primary care partnerships’ are now being formed across Victoria which incorporate an array of health and community service providers, from general practitioners to financial counsellors and meals on wheels services. This changing environment has been reflected in the drafting of the Bill. Health information has been widely defined so as to include aged care, disability and genetic information.
The HPPs also introduce the notion of sharing a consumer’s personal information between members of the treatment team without explicit consent from the subject consumer. HPP 1.1(c)(ii) proposes that information may be collected by one member of the individual’s treating team from another member of the treatment team. It would certainly be tedious for individuals to have to repeat basic personal details numerous times, particularly within the same organisation.
Clause 1.4(d) provides that unless it is obvious from the circumstances of the health service provided, the members of the treating team who will have access to the individual’s health information must be identified, preferably by name or function. The consumer must be advised that each member of the treating team will only have such access to their personal records as is necessary to perform their functions in that episode of care. Reports back to a referring practitioner appear to be dealt with by the definition of ‘treating team’ in the Bill which includes the referring practitioner. Further, HPP 2.2 specifies that any secondary use or any disclosure to a member of the consumer’s treating team can only be for the purpose of treating a later episode of care. This reflects existing provisions under s 141 of the Health Services Act 1988 (Vic).
However, it is also important that such provisions are monitored carefully. For example, many consumers might not consider a social worker to be part of their treatment team. Currently the consumer can simply refuse them access to their records. However, under the regime envisaged by this Bill, a counsellor in a primary care partnership may well form the view that it is ‘necessary’ for them to have full access to a consumer’s treatment records regardless of the consumer’s consent. In addition, the capacity to suppress certain information in a record and vary the information made available to different practitioners will be increasingly important to the acceptability of electronic records to many consumers.Thus, a hospital patient may well want a say in the level of access their health practitioners outside the hospital system have to their records post discharge.
Unfortunately the Bill lacks explicit reference to any need to accommodate this level of consumer autonomy. The discretion to determine when access is necessary appears to lie solely with the practitioners. The Bill does, however, make inducing consent under the Act by threat, intimidation or false representation a criminal offence, as is requiring another person or body to make use of information without consent where consent is required by the Act (cl 80). Requesting or obtaining access by these means is also a criminal offence (cl 82).
Specific provisions are also contained in HPP 2.4 dealing with provision of information about an individual to their immediate family members. It acknowledges that individuals may not always wish to share their health information with their family but allows for circumstances where it is necessary to enable the family to provide care to that individual or where the disclosure is made for compassionate reasons.
The Bill attempts to address some of the requirements of the electronic era and its impact on the security of records in HPP 4. Of particular note is the requirement for health services to maintain health information for at least seven years (HPP 4.2(b)(ii)) and for non-health agencies to take reasonable steps to destroy or perm-anently de-identify health information once it is no longer needed (HPP 4.3). Health agencies are generally required to take reasonable steps to protect their data holdings from misuse, loss, unauthorised access, modification or disclosure (HPP 4.1).
However, additional constraints are found in HPP 2. For example, personal information should not be used
for funding, management or planning purposes unless reasonable steps are first taken to de-identify the information (HPP 2.2(e)(i)and (iv)). Alternatively, if the information needs to be in identifiable form and it is impractical for the individual’s consent to be obtained, the identifying information is not to be published in a generally available publication and must only be used or disclosed in accordance with guidelines issued or approved by the Health Services Commissioner (HPP 2.2(e)(ii), (v) and (vi)). Similar provisos apply to the use or disclosure of personal information for research purposes.
However, the Bill is silent on the more general issue of electronic processing of sensitive health information. In contrast, data protection legislation across the European Union specifically addresses this issue. For example, in the UK data processing for health purposes (including care and treatment, health service management and health research) must only be undertaken by a health professional or a person who owes a duty of confidentiality equivalent to that which would arise if the person were a health professional (Sch 3 cl 8 Data Protection Act 1998 (UK)).
The use of unique identifiers are specifically dealt with in HPP 7, which unfortunately is internally inconsistent. HPP 7.1 is a general injunction not to use identifiers unless this is reasonably necessary for efficiency reasons. HPP 7.2 also generally prohibits the mutual use of identifiers by public and private sector agencies. However, HPP 7.4 envisages just such a use of identifiers where it is necessary for a private sector agency to fulfil its obligations to a public sector organisation. Any alternative would undermine the primary care partnership arrangements which encourage the participation of both public sector agencies and private practitioners and services.
The principle also envisages the disclosure of unique identifiers (oddly, only by private sector agencies) for all of the various secondary uses envisaged by HPP 2, once again including law enforcement purposes (HPP 7.3). This is no better than the provisions dealing with identifiers in the Commonwealth Bill.
In an emerging e-health environment, it is essential that strong monitoring and audit responsibilities reside in an independent third party and that there are effective penalties which can be imposed on those who breach their obligations to maintain the privacy of health records.
Thus, importantly, cl 54 of the Victorian Bill enables the Minister to refer a matter direct to the VCAT if he or she considers that it raises an issue of important public policy. This referral can occur regardless of whether or not the matter has been considered by the Health Services Commissioner. Under cl 71, failure to comply with a compliance notice issued by the Health Services Commissioner will be a criminal offence with penalties of up to $30,000 for corporations and $6000 for individuals. The VCAT can make orders including injunctions, orders for redress of loss or damage including injury to the complainants feelings, and compensation of up to $100,000.
Ultimately, however, the Bill relies on a complaints framework. The Commissioner does have the power to issue compliance notices and wide powers of investigation. However, there are no general powers to monitor or initiate audits of agencies without first having concerns that a serious privacy breach has occurred. This is entirely inadequate in an electronic environment, where compliance with constraints on secondary use of data is particularly difficult to monitor. In this environment, the consumer may be the last person to become aware that their privacy has been breached. This point is demonstrated by the problem of recent prosecution of a trusted Health Insurance Commission employee for browsing records relating to Asian women and those who had undergone IVF treatments. These activities were only identified through the audit system in place under legislative guidelines issued under Commonwealth health legislation. Similarly, the prosecution was initiated by the agency itself under the guidelines, not by any action of — let alone complaint by — the women whose privacy had been abused.
The Bill is a major improvement on the Commonwealth proposals in that it provides a uniform and generally clear regime for fair management of health information, whether held by public or private sector agencies. Coverage of health information held by non-health agencies is also important. The enforceable complaints framework is vital. However, it is a serious limitation of the Bill that, with the important exception of compliance notices, the Health Services Commissioner has no general powers to take action of his or her own motion with regard to the information management practices of health agencies or other organisations holding health records. Similarly, though there is clearly a role implied by the requirement to issue various sets of guidelines, the Commissioner’s duty to educate agencies as to what constitutes good practice needs to be spelt out, including requirements to consult with all relevant parties in the development of guidelines.
The exposure draft of the Bill has been subject to extensive consultation. It is to be hoped that some of the concerns detailed in this article have been addressed as a result of this process.
Meredith Carter is Executive Director of the Health Issues Centre, LaTrobe University.