Privacy

(ATTENTION ALL VICTORIAN MEMBERS: Here is a brief summary to assist you with the imminent legislation that is being introduced in Victoria. For more detailed information you should visit www.dhs.vic.gov.au/ahs/healthrecords/regs.htm )

HEALTH RECORDS ACT

HEALTH PRIVACY PRINCIPLES

RIGHT OF ACCESS

Effective March 1st 2002

Victorian members need to be aware and comply with the Health Records Act and Privacy Principles set down by the Victorian government. This is in addition to the National Privacy Principles Guidelines, which came into effect December 21st 2001.

The Act: Gives individuals a legally enforceable right of access to health information about them which is contained in records held in the private sector; and Establishes Health Privacy Principles (HPPs) that will apply to personal health information collected and handled in both the public and private health sectors.

These guidelines concern the collection, use and disclosure of health information for the purposes of research or the compilation or analysis of statistics, in the public interest, and the actions which must be taken to notify service users when a health service provider's practice is sold, transferred or closed down.

Collection

Personal health information must not be collected unless it is:

. Necessary for research

. Does not identify any individual

. Is impractical to seek consent

or

. Complies with the Commissioner's guidelines

When health information may be collected:

The organisation must not collect health information about an individual unless the information is necessary for one or more of its functions and at least one of the following applies:

. The individual has consented

. The collection is required, authorised or permitted under law

. The information is essential to provide the health service and the individual is incapable of giving consent and it is not practical to obtain permission from an authorised representative or the individual does not have an authorised representative.

. If the collection is necessary for research, that purpose cannot be served by the collection of information that does not identify the individual and it is impracticable for the organisation to seek the individual's consent to the collection

. The collection is necessary to prevent or lessen a serious and imminent threat to the life, health, safety or welfare of any individual or a serious threat to public health

. The collection is by or on behalf of a law enforcement agency

. The collection is necessary for the establishment exercise or defense of a legal or equitable claim

. The collection is in the prescribed circumstances

How health information is to be collected

. An organisation must collect information only by lawful and fair means and not by any unreasonably intrusive way.

. If it is practical, an organisation must collect health information about an individual only from that individual.

. At or before collection ensure the individual is generally aware of-

. The identity of the organisation and how to contact it

. The fact that he or she is able to gain access to the information

. The purpose for which the information is collected

. To whom the organisation usually discloses information of that kind

. Any law that requires the particular information to be collected

. The main consequence (if any) for the individual if all or part of the information is not provided


If the organisation collects the health information from someone else about that individual it should ensure where feasible that the individual has been made aware of the points above, except where disclosure may be given in confidence or it may pose a threat to the life or health of any individual.

Information given in confidence

If the health information is given in confidence to the health provider about the individual other than by that individual, or a health service provider in the course of provision of health services to the individual with a request that the information not be communicated to the individual, the provider must:

. confirm the information is to remain confidential

. record the information only if it is relevant to the provision of health services

. ensure that the information is accurate and not misleading

. record that the information is given in confidence and is to remain confidential

Use or disclosure

Use infers internal and disclosure infers external of the organisation.

There is both primary and secondary use or disclosure. Primary purpose as in, for example, research, and secondary may be for another purpose, for example statistical analysis or public interest. In both circumstances the points mentioned above under collection still apply.

If disclosure is considered, the disclosing organisation must reasonably believe the recipient will not further disclose and that the information will not be published in any identifying form.

An organisation must not use or disclose health information about an individual for a purpose other than the primary purpose for which the information was collected unless:

. the secondary purpose is directly related to the primary purpose

and

. the individual would reasonable expect the organisation to use or disclose the information for the secondary purpose

or

. the individual has consented

Health Service Commissioners Guidelines

These guidelines should be followed under the spirit of the National Statement on Ethical Conduct in Research Involving Humans, which the AOA endorses. This statement provides general ethical principles that should be applied to all research involving humans.

(www.nhmrc.gov.au/publications/synopses/e35syn.htm)

A cornerstone of all three sets of guidelines and of the National Statement is the use of human research ethics committees (HRECs) to review research proposals. As HRECs operate in all research and teaching institutions and in the Victorian Department of Human Services, the Commissioner is confident that the need for HREC approval and monitoring required by these guidelines will not impose a burden on researchers seeking to use health information or from organisations from whom information is sought.

Complaint mechanisms

An individual may complain to the Health Services Commissioner about an act or practice that may be an interference with the privacy of the individual. In addition, complaints may be made to an organisation conducting research or statistical compilation or analysis in the public interest, and/or the relevant HREC in relation to the conduct of an approved activity that may interfere with the privacy of the individual involved.

Sale, transfer or close of a practice

Where the practice of a health service provider is to be:

. Sold or otherwise transferred and the provider will not be providing health services in the new practice;

. Closed down

In these circumstances, the provider must publish a notice in the local paper setting out details of the sale, transfer or closure and what the provider intends to do with the health information held by the practice. The provider must ensure adequate notice as set down by the guidelines. In addition, particular needs of some patients should be considered and notify past or current patients as well as those with forward appointments or other health service providers and what is intended to be done with the health information held by the practice.

In addition, the provider will place a written notice containing this information in clear view in the practice for not less than two months prior to the date of the sale, transfer or closure

or

if not possible to comply, a lesser period that is practicable

and

provide that information in a personally addressed letter to each patient currently receiving a program of care

and

where a significant portion of patients have as their first language other than English, publish a notice providing information in such non-English language local newspapers.

Not earlier than 21 days after giving notice the organisation or health services provider must in relation to the health information about an individual held by, or on behalf of, the practice or business, elect to retain the information or transfer it to:

. The health services provider who is taking over the practice

or

. the individual or a health services provider nominated by him or her.


A business or practice of a provider is transferred if it is amalgamated with another organisation and the successor organisation is a private sector organisation

Data Security and Data Retention

An organisation must protect the health information from misuse and loss and from unauthorised access, modification or disclosure

A health service provider must not delete health information relating to an individual even if it is later found or claimed to be inaccurate unless:

. The deletion is permitted or authorised by law

. The case of health information collected while an individual was a child, after the individual attains the age of 25 years

or

. in any case more than 7 years after the last occasion on which a health service was provided


A health service provider who deletes health information must make a written note of the name of the individual, the period covered by it and the date on which it was deleted.

A health service provider who transfers health information to another individual and does not continue to hold a record must make note of the name and address of the individual or organisation to whom it was transferred. Data must be recorded in a durable and appropriately referenced form. The department or research must establish procedures for the retention of data and for the keeping of records of data held.

For data that is published a minimum period of retention is at least five years from the date of publication but for specific types of research, such as clinical research, fifteen years may be more appropriate. The original data must be retained in the department or research unit in which they were generated.

Confidentiality agreements to protect intellectual property rights may be agreed between the institution, the researcher and a sponsor of the research.

All confidentiality agreements should be made known at an early stage to the head of the research institution, or nominated representative.

Researchers must be responsible for ensuring the appropriate security for any confidential material, including that held in computing systems.

This article is an abbreviated version of the Victorian legislation and AOA members are urged to note their obligations by observing the full content of the Act.

This article was prepared in the interests of assisting AOA members.