Health Privacy: It's My Business


Health Privacy: It's My Business
An Introduction to the Health Records Act 2001 (Vic)
Angela Palombo, Legal & Policy Officer
17 April 2013
2013
1
Impact of privacy laws
• Privacy laws provide people with more control over how organisations handle their personal information.
• Privacy laws should not stop an organisation carrying out its core business, but may mean changes to the way personal information is handled.
• Privacy laws promote openness and transparency in the handling of personal information.
• The right to privacy has to be balanced against the necessary flow of information for the provision of services.
Privacy protection is a balancing act:
Maximising the level of control that individuals have over their personal information, while ensuring that the right information is available to the right people at the right time in the right way to enable necessary operations and services.
Privacy for Victorians
Victoria:
• Health Records Act 2001
• Information Privacy Act 2000 - applies to all personal information (except health information) that is collected or held by:
  • the Victorian public sector; and
  • organisations funded by the public sector.
Commonwealth:
• Privacy Act 1988 - extended to the private sector from 21 December 2001
Office of the Australian Information Commissioner
• Began operation 1 November 2010
• The Australian Information Commissioner is the head of the Office, supported by the Privacy Commissioner and the FOI Commissioner
• Independent oversight of privacy and FOI, and advising Government on broader government information management
Key Elements
• Health Privacy Principles (HPPs) - applicable to public and private sectors
• Right of access to personal health information in the private sector - Breen v Williams, High Court
Three important aspects of Privacy:
1. Confidentiality
2. Data protection
3. Consumer choice
Objects of the Act (s.6)
• To ensure responsible handling of health information
• To balance the public interest in protecting privacy with the public interest in the legitimate use of information
• To enhance the ability of individuals to be informed about their health care
• To promote the provision of quality health services
Who is covered by the Act?
Most organisations hold health information about individuals.
The Act covers:
• health service providers;
• any other person/organisation that collects/handles personal health information (e.g. schools, employers, churches).
What is health information?
• For health service providers it is all identifying personal information collected to provide a health service;
• For non-health service providers it is all identifying personal information about the health or disability of an individual.
Personal information means:
• Information or opinion about an individual whose identity is apparent, or can be reasonably ascertained
• Does not have to be true
• Does not have to be recorded
• Includes information forming part of a database
Minors
No change to the current common law situation:
• A minor is capable of giving informed consent when they achieve sufficient understanding and intelligence to enable him or her to understand fully what is proposed
• No set age; must be assessed on a case by case basis
Deceased individuals
• The Act applies in relation to the health information of a deceased individual who has been dead for 30 years or less in the same way it applies to the health information of a living person.
Deceased individuals
• A legal representative can exercise rights on behalf of the deceased individual.
• Legal representative is defined as the executor of the will or the administrator of the estate.
• Any consent by a legal representative is void if s/he knows that the action does not accord with wishes expressed by the individual whilst still alive.
Impact of other legislation
• The Health Records Act does not override other legislation.
• Existing provisions in other statutes governing the confidentiality, use and disclosure of health information, and those that regulate access to certain kinds of personal information, continue to apply, e.g.:
  • Health Services Act, s.141
  • Children, Youth and Families Act 2005
  • Public Health & Wellbeing Regulations 2009 (some in coded form)
Health Privacy Principles
1. Collection
2. Use & Disclosure
3. Data Quality
4. Data Security & Retention
5. Openness
6. Access & Correction
7. Identifiers
8. Anonymity
9. Trans-border Data Flows
10. Transfer/closure of practice of health service provider
11. Making information available to another health service provider
A contravention of the HPPs is "an interference with the privacy of an individual" and could give rise to a complaint to the Health Services Commissioner.
Outcomes for non-compliance include:
1. Complaints
2. Compliance notices – for serious or persistent breaches
Consent
• Individual has the capacity to consent
• Voluntary
• Informed
• Specific
• Current
HPP 1: Collection
• Only collect health information necessary for the performance of your functions or activities
• Generally need consent to collect health information (either express or implied)
• Provide a 'collection statement' to notify those you collect from about what you do with the information and that they can gain access to it.
When collecting personal information, tell the person:
• who is collecting the information;
• what it will be used for;
• whether the collection is required by law;
• who else the information will usually be disclosed to;
• what the main consequences, if any, are for them if they do not provide the information; and
• how they can get access to the information.
HPP 2: Use & Disclosure
• Only use or disclose health information for the primary purpose for which it was collected or a directly related secondary purpose the person would reasonably expect.
• Other use/disclosure is allowed in certain circumstances – including with consent, or as required by law, e.g. auditing by the Victorian WorkCover Authority or TAC.
Public interest disclosure without consent
• HPP 2.2(h): disclosure is permitted if the provider reasonably believes the disclosure is necessary to prevent (a) a serious and imminent threat to an individual's life, health, safety or welfare, or (b) a serious threat to public health, public safety or public welfare.
Case Study (1) – Psychiatrist writing to referring GP: Collection & Disclosure
• A GP refers a patient to a psychiatrist. After visiting the psychiatrist, the patient visits the GP and realises that the psychiatrist has revealed all her conversation with him in a letter to the GP.
• The patient is upset: she didn't realise this would happen and did not want the GP to know some of the information. Did any breach of the Health Records Act occur?
• Issues to consider:
  • HPP 1.4 - Information given at the time of collection
  • HPP 2.2(a) - Use and disclosure of health information
The eHealth record system
• From July 2012, Australians can choose to register for their own personally controlled electronic health (eHealth) record.
• The eHealth record system provides access to key health information drawn from a patient's health records. With the patient's consent, this information can be quickly shared between healthcare organisations and other healthcare professionals involved in the patient's care.
The eHealth record system
• Over time, an eHealth record will grow to contain a summary of a patient's key healthcare events and activities, including medical history, allergies and current medications. The system is designed to be integrated into existing local clinical information systems.
• An individual can control their own eHealth record, including by choosing to restrict which healthcare provider organisations can access it and what information is included.
The eHealth record system
• The PCEHR Act limits when and how health information included in an eHealth record can be collected, used and disclosed.
• Unauthorised collection, use or disclosure of eHealth record information is both a contravention of the PCEHR Act and an interference with privacy.
Does an eHealth record replace existing records?
From ehealth.gov.au, FAQs for healthcare professionals:
• eHealth records will not replace existing medical records. Healthcare professionals will continue to take and review clinical notes. More detailed patient information will be available on local clinical information systems, as per current practice.
• The eHealth record system provides an active online record that follows patients as they move through Australia's health system, and includes important clinical and treatment information.
• It is expected that, in the future, the availability of eHealth records will save healthcare professionals valuable time.
HPP 3: Data Quality
Take reasonable steps to ensure the health information you hold is:
• accurate, complete, and up-to-date
• relevant to the functions you perform
HPP 4: Security & Retention
• An organisation must take reasonable steps to protect the health information it holds from misuse, loss, unauthorised modification or disclosure.
• A health service provider must keep health information for a minimum of 7 years since the last occasion a health service was provided. For a child, the information must be kept until the child turns 25 years or 7 years after last contact, whichever is the later.
• Public sector organisations retain records in accordance with the Public Records Act.
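The two-limb retention rule on this slide is the kind of thing a records-management system gets wrong quietly, so here is a worked calculation of the earliest destruction date. It is an example added here, not code from the presentation or from the Health Services Commissioner. It assumes that a person counts as a child if they were under 18 on the date of the last health service (the slide does not define "child"), and that a record may be destroyed on or after the computed end date (whether the end date itself is inclusive is also an assumption); both assumptions are marked in the code.

```python
from datetime import date

# Retention periods exactly as stated on the HPP 4 slide.
ADULT_RETENTION_YEARS = 7     # keep at least 7 years after the last service
CHILD_RETENTION_AGE = 25      # for a child, keep until the 25th birthday
                              # or 7 years after last contact, whichever is later

# ASSUMPTION (not on the slide): a person is a "child" if under 18
# on the date of the last service.
ASSUMED_AGE_OF_MAJORITY = 18


def add_years(d: date, years: int) -> date:
    """Add calendar years; a 29 February anniversary in a non-leap year rolls to 1 March."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # d is 29 Feb and the target year has no 29 Feb
        return date(d.year + years, 3, 1)


def is_child_on(date_of_birth: date, on: date,
                majority_age: int = ASSUMED_AGE_OF_MAJORITY) -> bool:
    """True if the person had not yet reached majority_age on the given date."""
    return on < add_years(date_of_birth, majority_age)


def retention_end(date_of_birth: date, last_service: date) -> date:
    """Earliest date on which the record may be destroyed under the slide's rule."""
    if last_service < date_of_birth:
        raise ValueError("last_service precedes date_of_birth")
    seven_years_on = add_years(last_service, ADULT_RETENTION_YEARS)
    if is_child_on(date_of_birth, last_service):
        twenty_fifth_birthday = add_years(date_of_birth, CHILD_RETENTION_AGE)
        # "whichever is the later": keep the record until both limbs are satisfied
        return max(twenty_fifth_birthday, seven_years_on)
    return seven_years_on


def retention_end_iso(dob_iso: str, last_iso: str) -> str:
    """Same calculation on ISO-8601 date strings, e.g. '2005-03-01'."""
    return retention_end(date.fromisoformat(dob_iso),
                         date.fromisoformat(last_iso)).isoformat()


def may_destroy_iso(dob_iso: str, last_iso: str, today_iso: str) -> bool:
    """ASSUMPTION: destruction is permitted on or after the retention end date."""
    end = retention_end(date.fromisoformat(dob_iso), date.fromisoformat(last_iso))
    return date.fromisoformat(today_iso) >= end


if __name__ == "__main__":
    # Constructed sample records; these are not real patients.
    samples = [
        ("1980-05-10", "2013-04-17"),   # adult: 7 years after last service
        ("2005-03-01", "2013-04-17"),   # child: 25th birthday is the later limb
        ("1996-01-15", "2013-12-01"),   # 17-year-old: 25th birthday still later
        ("1996-01-15", "2014-01-16"),   # seen the day after turning 18: adult rule
        ("2000-02-29", "2012-02-29"),   # 29 Feb birthday rolls to 1 March
    ]
    for dob, last in samples:
        print(f"born {dob}, last service {last} -> keep until {retention_end_iso(dob, last)}")
```

Note that with an 18-year cut-off the 25th-birthday limb is always on or after the 7-years-after-contact limb (a child seen before their 18th birthday cannot have a last contact more than 7 years short of 25), so the max() only changes the outcome if an organisation applies a different child threshold; it is kept so the code states the rule as the slide does.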
Management of Personal Information
Physical security might include:
• locking filing cabinets;
• restricting access to certain areas;
• positioning computer terminals so they cannot be seen by unauthorised personnel; and
• questioning unaccompanied or unrecognised visitors.
Management of Personal Information
Operational security might include:
• rules on levels of access;
• audit trails to detect unauthorised access;
• changing of passwords at frequent intervals;
• avoiding collecting information in public waiting rooms where possible;
• use of fictitious information for training; and
• procedures for dealing with employees who leave.
Management of Personal Information
Security of transmission:
• programming fax machines to avoid the risk of misdialling;
• retaining fax activity history reports;
• controlling the type of information sent; and
• telephoning the intended recipient prior to transmission.
Management of Personal Information
E-mail:
• guidelines for use of e-mail;
• encrypting files;
• blind carbon copying address details; and
• e-mail privacy notices.
Post:
• take care not to display contents of letters through window envelopes.
See also the Royal Australian College of General Practitioners' "Computer and Information Security Standards", published October 2011: http://www.racgp.org.au/ehealth/ciss
HPP 5: Openness
• Organisations must have a document with clearly expressed policies on:
  • how they manage the health information they hold; and
  • the steps an individual may take to obtain access to health information about them held by the organisation.
• Make the privacy policy available to all who ask.
HPP 6: Access & Correction
• Individuals have a right to seek access to health information about them held in the private sector.
• They also have a right to correct it if it is inaccurate, incomplete, misleading or not up-to-date.
• The FOI Act continues to give individuals a right of access to health information about themselves held by public sector organisations.
Mandatory limits to access
Access must not be granted where:
• an organisation believes on reasonable grounds that granting access would pose a serious threat to the life or health of the person making the request or any other person; or
• the information was given in confidence by another person (but not a health service provider), unless that person consents.
HPP 10: Transfer/closure of practice of a health service provider
• Health service providers whose business or practice is being sold, transferred or closed down, without the individual continuing to provide services, must give notice of the transfer or closure to service users: a letter to current clients, a notice at the premises and an advertisement in the local paper.
• Aims to encourage individuals to apply for their health information while it is still readily available.
• Enables individuals to provide their current treating practitioner with their existing health information.
HPP 11: Making information available to another health service provider
• If you're a health service provider, you must make health information relating to the individual available to another health service provider if requested by the individual.
• This must be done as soon as practicable.
Exemptions
• The judiciary and quasi-judicial bodies (courts and tribunals) when exercising their judicial or quasi-judicial functions;
• Genuine news activities carried out by organisations whose dominant function is disseminating news;
• Information relating to personal, family or household affairs.
HSC Complaints Process
• Many people make enquiries without lodging a formal complaint.
• Approx. 50% of telephone inquiries result in lodgement of a complaint.
• Complaints must be received in writing.
• A person must have standing to make a complaint.
• Consent is obtained from complainants to send their complaint to the respondent.
HSC Complaints Process (2)
• Approx. 90% of complaints are resolved informally.
• Approx. 10% of complaints go to conciliation.
• If a complaint is not resolved through conciliation, the complainant may request that the complaint be referred to VCAT for hearing.
Case study (2) – Second opinion disclosed to first doctor
• A man has a surgical procedure of a cosmetic nature. He is dissatisfied and obtains a second opinion from another surgeon.
• The man discovers the first surgeon had obtained a copy of the reviewing surgeon's letter to the referring GP.
  - HPP 1.4: Collection statement
  - HPP 2.1: Disclosure permitted for the primary purpose for which the information was collected
  - HPP 2.2(a): Disclosure based on the patient's reasonable expectation
Case study (3) – Disclosure to work colleagues
• A woman complained her employer disclosed to staff members that she was absent from work because she was on stress leave and seeing a psychiatrist.
• The employer stated he thought it was necessary in order to make staff aware of the need to cover her role until her return.
• After discussions with the OHSC, the employer accepted it had not been necessary to tell other staff the reasons for the absence. He apologised to the woman, who was satisfied with this outcome.
Key points
• Privacy laws do not prevent the legitimate flows of information necessary for the provision of a health service.
• Become familiar with the privacy principles and apply them to the way you handle personal information.
Key points
• Collect only the information you need.
• Advise people why you need the information and how it will be used and disclosed.
• Use and disclose for the primary purpose of collection unless the person consents or an exemption applies.
• Take steps to ensure the quality of the information.
• Secure the information.
Health Records Act 2001: Online training now available
• Is your organisation regulated by the Health Records Act 2001 (Vic)? Do you or your staff need training?
• The Office of the Health Services Commissioner has contracted e3Learning Solutions to operate a low-cost online training course available to organisations regulated by the Health Records Act 2001 (Vic).
Online training
The training course:
• is free;
• is suitable for staff of all organisations regulated by the Act;
• provides basic training for staff and organisations regulated by the Act; and
• includes the production of a Certificate of Completion for staff who successfully complete the course.
Health Services Commissioner
Contact Details:
Level 30, 570 Bourke Street, Melbourne
Tel: 03 8601 5222
Toll free: 1800 136 066
Website: www.health.vic.gov.au/hsc
Email: [email protected]
Fax: (03) 8601 5219
TTY: 1300 550 275
DX: 210182