Privacy Law and Policy Reporter
On 22 November the Victorian Government introduced the Health Records Bill 2000 into the Victorian Parliament, to be debated in the 2001 sittings. The Bill complements the Information Privacy Bill 2000, which did not cover health information (see 7(2) PLPR 21). The summary of the Exposure Draft of the Bill provided by the Department of Human Services is reproduced below. Differences between the Exposure Draft and the Bill as introduced will be noted in a later issue — General Editor.
The principal goals of the Health Records Bill are to:
(a) establish privacy principles which are to apply to personal health information collected and held in the public and private sectors; and
(b) provide individuals with an enforceable right of access to their own health records held in the private sector, to complement the right that already exists for health records in the public sector.
The Bill will be a companion Bill to the Information Privacy Bill 2000 (Vic), which was introduced into Parliament in Autumn. That Bill is to apply to all personal information, except health information, that is collected or held by:
The Health Records Bill will be specific legislation dedicated to health information with privacy standards that are appropriately tailored to the highly sensitive nature of health information.
The Health Privacy Principles (HPPs) in the draft Bill apply to health information held by organisations in Victoria. This means:
The Bill will enable individuals to access their health information, which is held by private sector organisations. The Freedom of Information Act 1982 (Vic) will continue to apply to health records held by public sector organisations.
Under the Health Records Bill, health information that is collected or held by organisations in Victoria must be handled in accordance with the HPPs in Sch 1. These are described in more detail below.
The Health Services Commissioner will issue guidelines to explain the content of the HPPs and how they apply in particular situations (see HPPs and Pt 4 of the Bill).
The Bill provides individuals with an enforceable right of access to their own health information when it is held by a private sector organisation. This is set out in HPP 6. Part 5 of the Bill explains in detail how the individual may exercise this entitlement and how organisations must respond to a request for access.
The right applies to all health information collected or recorded after the commencement of the Bill and also to health and treatment history collected beforehand.
Fees for the provision of access may be charged. However, the types of charges and the maximum amounts will be limited in regulations.
The Freedom of Information Act 1982 (Vic) will continue to apply to records held by public sector organisations like public hospitals and government departments. However, the draft Bill contains amendments to the Freedom of Information Act 1982 (Vic) that would make the right of access in that Act consistent with the right of access to health information held in the private sector under the Health Records Bill.
Where an individual believes that there has been ‘an interference in privacy’ of their own information, a complaint may be made to the Health Services Commissioner. This includes a contravention of the HPPs or where an individual is refused access to their own information contrary to the Act.
The Health Services Commissioner may conciliate or investigate a complaint. An agreement reached through conciliation is binding.
After an investigation, the Health Services Commissioner can make a ruling. Although such a ruling is not binding, a respondent organisation is required to indicate whether it intends to comply. If the complainant is dissatisfied with the ruling or the respondent’s reply, he or she may apply to the Victorian Civil and Administrative Tribunal (VCAT) for a binding order.
A compliance notice may be issued by the Health Services Commissioner for serious or repeated breaches of the Bill.
Failure to comply with a compliance notice is an indictable offence.
If the complaint is not resolved to the complainant’s satisfaction, he or she will be able to seek a binding decision from the VCAT. The VCAT will be able to make a variety of orders to rectify or remedy an interference in privacy.
Organisations may also appeal to the VCAT against rulings and compliance notices imposed by the Commission.
Other enforcement mechanisms include criminal penalties for serious breaches of the Act (see Pt 7).
The draft HPPs are intended to be best practice formulations that are health specific. The various privacy principles that apply in Australia and in other countries have been taken into account in formulating the HPPs. The HPPs provide strong privacy protection and, at the same time, promote patient autonomy, effective service delivery, continued improvement of health services and the protection of the public health and safety.
The HPPs will not be able to be varied by separate codes of practice. This is designed to give individuals certainty about the manner in which their health information is collected, used, disclosed and stored.
The HPPs cover many different aspects of information handling.
HPP 1 sets out the framework for collection of health information. It requires collection to be an accountable and transparent process. For example, organisations are required to have the consent of the individual for collection or otherwise be covered by one of the additional public interest grounds that permit collection.
HPP 2 regulates the use and disclosure of health information by organisations. In general, use or disclosure is permitted for the purpose for which the health information was collected or otherwise with the consent of the subject. Secondary use or disclosure is also permitted but not compelled in cases where there is a strong public interest in doing so, and these public interest grounds are set out. These include, for example, where there is a serious threat to life, where disclosure is required by law or for research which is in the public interest and complies with guidelines.
HPP 3 is a principle about ensuring data quality; for example, health information must be accurate, complete, up to date and relevant to the functions of the organisation that holds the information.
HPP 4 sets out general requirements to ensure appropriate security and retention of data. For example, in relation to retention, it requires health information to be stored for at least seven years, subject to any specific legislation to the contrary.
HPP 5 encourages transparency by requiring organisations to document clearly their policies on management of health information and to make those policies available to the public.
HPP 6 provides individuals with a right to access their health information and to make corrections to it where necessary. This principle applies to health information held by the private sector, while the Freedom of Information Act 1982 (Vic) will continue to apply to the public sector. The proposed right to access under both will be very similar. Limited grounds for refusal are set out, but these do not compel an organisation to refuse access. If only part of the health information is covered by a legitimate ground for refusal, the organisation is compelled to provide the rest of the health information to the applicant.
HPP 7 imposes limits on the assignment of identifiers that are intended to uniquely identify individuals in relation to their health information. It also restricts the adoption, use or disclosure of identifiers assigned by a public sector organisation.
HPP 8 preserves, where lawful and practicable, the right of individuals to remain anonymous in transactions with an organisation (for example, where they wish to purchase over the counter items in a pharmacy).
HPP 9 puts limits on the flow of health information outside Victoria.
HPP 10 regulates what a health service provider must do with its stock of health records when the practice or business is sold, closed or amalgamated.
HPP 11 provides individuals with a right to have their health records transferred from a health service provider that has provided them with care in the past to a current health service provider.
Written comments on the draft Bill can be addressed to Dr Chris Brook, Chair, Information Privacy Steering Committee, Department of Human Services, 17/555 Collins Street, Melbourne Vic 3000, or submitted via e-mail to <firstname.lastname@example.org>.