The HRIP Act commenced on 1 September 2004.
Brief introduction to the HRIP Act
The Health Records and Information Privacy Act 2002 (or HRIP Act) governs the handling of health information in both the public and private sectors in NSW. This includes hospitals whether public or private, doctors, and other health care organisations. It also includes other organisations that have any type of health information. This can be as varied as a university that undertakes research, or a gymnasium that records information about a person’s health and injuries.
The HRIP Act contains 15 health privacy principles (HPPs), which concern the collection, storage, access & accuracy, use, disclosure, identifiers & anonymity, and transferrals & linkage of health information. These obligations are subject to a number of legal exemptions.
As with the PPIP Act, the HRIP Act empowers the Privacy Commissioner to investigate and conciliate complaints regarding the handling of health information.
What is health information?
Health information includes personal information that is information or an opinion about the physical or mental health or a disability of an individual.
Health information also includes personal information that is information or an opinion about:
- a health service provided, or to be provided, to an individual
- an individual’s express wishes about the future provision of health services to him or her
- other personal information collected in connection with the donation of human tissue
- genetic information that is or could be predictive of the health of an individual or their relatives or descendants.
If your organisation is a health service provider, ‘health information’ includes all of the above plus any other personal information collected to provide, or in providing a health service.
What is a health service provider?
A "health service provider" is an organisation that provides a health service. According to the definitions outlined in the HRIP Act, a "health service" includes the following services, whether provided as public or private services:
(a) medical, hospital and nursing services,
(b) dental services,
(c) mental health services,
(d) pharmaceutical services,
(e) ambulance services,
(f) community health services,
(g) health education services,
(h) welfare services necessary to implement any services referred to in paragraphs (a)–(g),
(i) services provided by podiatrists, chiropractors, osteopaths, optometrists, physiotherapists, psychologists and optical dispensers in the course of providing health care,
(j) services provided by dietitians, masseurs, naturopaths, acupuncturists, occupational therapists, speech therapists, audiologists, audiometrists and radiographers in the course of providing health care,
(k) services provided in other alternative health care fields in the course of providing health care,
(l) a service prescribed by the regulations as a health service for the purposes of this Act.
For more information see the definitions in Part 1 of the HRIP Act.
What is a private sector person or organisation?
The HRIP Act applies to both individual people and organisations in the private sector. The types of organisations covered are bodies corporate, partnerships, trusts and unincorporated associations.
Individuals and organisations that will be regulated by the HRIP Act are:
- health service providers of any size (for example, an individual GP, a partnership of physiotherapists or a large private hospital), and
- organisations that handle health information and have a turnover of more than $3 million per annum (for example, an insurance company).
Health privacy principles at a glance
In some cases, organisations do not have to follow one or more of the Health Privacy Principles (HPPs). For more information about exemptions, contact the Privacy Contact Officer in the organisation or the Office of the Privacy Commissioner.
Collection
1. Lawful – when an organisation collects your health information, the information must be collected for a lawful purpose. It must also be directly related to the organisation’s activities and necessary for that purpose.
2. Relevant – the organisation must ensure that your health information is relevant, accurate, up to date and not excessive. The collection should not unreasonably intrude into your personal affairs.
3. Direct – your health information must be collected directly from you, unless it is unreasonable or impracticable for the organisation to do so.
4. Open – you must be told why your health information is being collected, what will be done with it, and who else might see it. You must also be told how you can see and correct your health information, and any consequences if you decide not to provide it.
Even if an organisation collects health information about you from someone else, they must still take reasonable steps to ensure that you are aware of the above points.
Storage
5. Secure – your health information must be stored securely, not kept any longer than necessary, and disposed of appropriately. It should be protected from unauthorised access, use or disclosure.
Access & Accuracy
6. Transparent – the organisation must provide you with details about what health information they are storing about you, why they are storing it and what rights you have to access it.
7. Accessible – the organisation must allow you to access your health information without unreasonable delay or expense.
8. Correct – the organisation must allow you to update, correct or amend your health information where necessary.
9. Accurate – the organisation must make sure that your health information is relevant and accurate before using it.
Use
10. Limited – the organisation can only use your health information for the purpose for which it was collected, or a directly related purpose that you would expect. Otherwise they can only use it with your consent (unless one of the exemptions in HPP 10 applies).
Disclosure
11. Limited – the organisation can only disclose your health information for the purpose for which it was collected, or a directly related purpose that you would expect. Otherwise they can only disclose it with your consent (unless one of the exemptions in HPP 11 applies).
Identifiers & Anonymity
12. Not identified – an organisation can only give you an identification number if it is reasonably necessary to carry out their functions efficiently.
13. Anonymous – you are entitled to receive health services anonymously, where this is lawful and practicable.
Transferrals & Linkage
14. Controlled – your health information can only be transferred outside New South Wales in accordance with HPP 14.
15. Authorised – your health information can only be included in a system to link health records across more than one organisation if you expressly consent to this.
Enforcement of the HRIP Act
Under the HRIP Act, both public sector agencies and private sector persons and organisations must comply with the 15 HPPs. There are also special rules for private sector individuals and organisations on keeping and giving access to health information.
Where a person believes that a public sector agency, private sector individual or private sector organisation has not complied with the HRIP Act in terms of the handling of their health information, they may make a complaint. The process followed for complaints about the privacy of health information will depend on who the complaint is about.
Complaints against a public sector agency
If a complaint is against a NSW public sector agency, it should be dealt with as an internal review by the agency. After the internal review, the complainant can take their complaint to the Administrative Decisions Tribunal if they want an enforceable decision.
Complaints against a private sector person or organisation
If the complaint is against a private sector person or organisation, the complainant should lodge the complaint with the Office of the Privacy Commissioner.
Special rules on keeping and giving access to health information
In addition to the HPPs, Part 4 of the HRIP Act sets out special rules for private sector persons or organisations in relation to:
- the retention of health information by health service providers,
- giving people access to their health information (including when access can be refused), and
- allowing people to amend their health information held by the person or organisation.
These provisions are further explained in the Handbook to Health Privacy.
The Office of the Privacy Commissioner has developed four statutory guidelines under the Health Records and Information Privacy Act 2002. The statutory guidelines are not a plain English guide to the HRIP Act. They are legally binding documents that define the scope of particular exemptions in the health privacy principles. They describe how the exemption applies and what you need to do in order to comply with the exemption. They are as important as the exemption itself. They relate to the:
- use or disclosure of health information for the management of health services (PDF, 274kb),
- use or disclosure of health information for training purposes (PDF, 272kb),
- use or disclosure of health information for research purposes (PDF, 343kb) (HREC Form [Word] [PDF]), and
- use or disclosure of information from a third party (PDF, 267kb).
A Fact Sheet is available which explains the statutory guidelines in more detail.