Part 2: Your Legal Obligations Under The HRIP Act – The 15 Health Privacy Principles (HPPs)
2.1 Collecting Health Information
2.2 Notifying A Person When You Collect Their Health Information
2.3 Using And Disclosing Health Information
2.4 Retention And Security
2.5 Access And Amendment
2.6 Accuracy
2.7 Identifiers
2.8 Anonymity
2.9 Transferring Health Information Out Of NSW
2.10 Linkage Of Health Records At State Or National Level
2.1 COLLECTING HEALTH INFORMATION
You can collect a person’s health information for a lawful purpose that is directly related to your organisation’s functions.
Only collect the health information that you need and do it in a fair, direct and unobtrusive manner.
Health privacy principles 1-3
What is collection?
In very general terms, ‘collection’ refers to the process by which you come into possession of a person’s health information. You collect health information if you gather, acquire or obtain it directly from the person to whom it relates or from another source.
Collection occurs at the point where you first receive the person’s health information. Subsequent exchanges of information between staff are referred to as “use”, and discussed at Part 2.3 of this handbook.
For the purposes of the HRIP Act, health information is not collected by an organisation if the organisation’s receipt of the information is unsolicited (see section 10 of the HRIP Act). The term ‘unsolicited’ is not defined in the HRIP Act.
However, if unsolicited information is kept, it is then considered to be “held”. Once held, it becomes subject to the HPPs, which do not require collection as a prerequisite.
Can you collect health information merely by seeing or hearing it?
It is not possible to collect health information purely by seeing or hearing it, and without actually recording it anywhere. See the case of Vice Chancellor, Macquarie University v FM [2005] NSWCA 192.
In this case, the NSW Court of Appeal held that the primary context of the legislation, which gives meaning to the words “holds information”, strongly indicates that the words do not extend to information held within the mind of an employee.
When can you collect a person’s health information?
You can only collect health information for a purpose that is directly related to your organisation’s functions or activities. The collection must be necessary for that purpose.
Tip for compliance:
At the time of collection, think carefully about your organisation’s functions and the purpose for which you are collecting the health information. Do you really need the health information in order to carry out your purpose?
Information cannot be collected by unlawful means.
Example:
Health information cannot be collected through recording a conversation without a person’s consent, as this would breach laws relating to listening devices in NSW.
Information must be relevant and accurate, must not be excessive, and the collection must not be intrusive
You must collect only as much health information as is needed to carry out your purpose. The information should be relevant, accurate, up to date, complete and not excessive.
Example:
An organisation’s form contains multiple fields to collect a large amount of standard information. The form is used for a number of purposes. People often have the impression that they must fill in all the fields, even where this is unnecessary and inappropriate. This would probably be an irrelevant and excessive collection of health information.
The collection of information must not unreasonably intrude on the personal affairs of the person.
Example:
An employee provides a medical certificate to his/her employer for sick leave. The medical certificate states that the employee has undergone surgery. It might be unreasonably intrusive for the employer to demand to know more details about the employee’s operation before approving the sick leave.
Can you collect health information about a person from someone else?
You should collect health information about a person directly from that person, unless it is unreasonable or impracticable to do so. If it is unreasonable or impracticable, you may collect health information from someone else.
Some examples of when it may be unreasonable or impracticable to collect directly from the person are:
- If a person is admitted unconscious to an emergency ward you may, as a health service provider, need to ask their relatives for any background health information of relevance to how the person is treated.
- If a person lacks the capacity to provide their health information, you may need to collect health information about them from an authorised representative such as a carer or guardian.
- In the course of taking the family, social or medical history of a patient, you may collect health information about a person other than your patient, if this is relevant to providing the health service to your patient.
- In certain circumstances your organisation may collect health information about a person from another person or organisation rather than directly from the person themselves.
2.2 NOTIFYING A PERSON WHEN YOU COLLECT THEIR HEALTH INFORMATION
When you collect a person’s health information you are required to notify them of certain things. This is the case even when you collect a person’s health information from someone else. You must take reasonable steps to ensure that the person is aware of:
- the identity of your organisation and how to contact it
- the purposes for which the information is collected
- any other organisation which is usually provided with the same information
- any law that requires the particular information to be collected
- the fact that they are able to request access to the information
- the main consequences, if any, for the person if all or part of the information is not provided
Health privacy principle 4
What and why should you notify the person?
When you collect a person’s health information you must notify the person of the information set out above. This promotes transparency and shared expectations between the person and your organisation. It allows you to explain why you are collecting the person’s health information and who will see it. It allows the person to make informed decisions on the basis of this information.
Notifying patients of information sharing amongst the ‘treating team’
It is common in the Australian health system for practitioners to adopt a multi-disciplinary approach to health care. The treating team will often work together to treat the patient, and share any information about the patient regarded as relevant to the treatment.
It is Privacy NSW’s experience that privacy complaints can occur where patients have not been told that their information will be shared amongst the treating team, and do not expect it.
As discussed in Part 1.3 of this handbook, notifying a person of how their health information will be handled is not the same as seeking their consent to do those things. However by notifying the person of the team-based approach to treatment and of the likelihood that their information will be shared amongst members of the ‘treating team’, you are reducing the risk of misunderstandings and subsequent privacy complaints.
If you have notified the person that their information could be used by or disclosed to other health practitioners in this way, there is a persuasive argument that such a use or disclosure would be within the person’s ‘reasonable expectations’. This would put you in a better position to rely on the ‘directly related secondary purpose within the reasonable expectations of the individual’ exemption as regards use and disclosure of health information in HPPs 10(1)(b) and 11(1)(b). Please refer to Part 2.3 of this handbook for more information.
The case of KJ v Wentworth Area Health Service [2004] NSWADT 84 also involves the issue of sharing of health information among clinicians in a multidisciplinary treating ‘team’. Here, KJ was receiving treatment for cancer in hospital. The notes of KJ’s consultations with the hospital’s psychologist and psychiatrist were placed on KJ’s general medical file held by the hospital. Please refer to the Privacy NSW website: www.lawlink.nsw.gov.au/privacynsw for the case notes.
Tip for compliance:
Your aim here should be to ensure that your patient’s expectations for the use and disclosure of their health information align with yours and with actual practice. If unsure, you should check with the patient.
When should you notify the person?
You must notify the person of the required information at or before the time of collection. If that is not practicable, you must notify them as soon as practicable after that time.
Example:
Where a patient presents to the hospital’s emergency department, there simply may not be time, or the person may not be in a fit state, to comprehend the information. In such circumstances, you should notify them of the required information as soon as it is practical afterwards.
How should you notify the person?
You must take steps that are reasonable in the circumstances to notify the person of the required information. This can be done in a variety of ways, including verbally, or by means of written communications, or a combination of the two. From a risk management point of view, however, it is easier to demonstrate compliance if the notification was in writing.
Tip for compliance:
Where your organisation collects health information by way of a form, your obligations under HPP 4(1) could be satisfied by a prominent and easy to read statement on that form. For health service providers, one useful way to provide the information is by a notice clearly displayed in the admissions or patient waiting area of the organisation, or by the use of pamphlets and brochures.
Sometimes you may need to notify an authorised representative instead
If you reasonably believe that the person is incapable of understanding the general nature of these points, you may notify the person’s authorised representative instead. For more information on who is an authorised representative and when they should be contacted, please see Part 1.4 of this handbook.
Best practice tip:
Where you need to deal with an authorised representative you should still, where practicable, explain the points to the person to whom the information relates in a way that is appropriate to their level of understanding. This is to enable the person to be involved in the notification process to the greatest extent possible.
In certain circumstances you are not required to notify the person
In some circumstances, notifying the person is not necessary or appropriate. You are not required to notify the person if:
- the person has expressly consented to not being notified
- your organisation is lawfully authorised or required not to notify the person
- not notifying the person is permitted or is necessarily implied or reasonably contemplated under an Act or any other law
- notifying the person would prejudice their interests
- the information has been collected for law enforcement purposes
- your organisation is an investigative agency and notifying the person might detrimentally affect or prevent the proper exercise of your organisation’s complaint handling or investigative functions. (The term ‘investigative agency’ is defined in section 4 of the HRIP Act.)
Notifying a person when you have collected health information about them from someone else
You are required to notify a person of the required information even when you have collected health information about them from someone else. The exceptions are where:
- you collect health information about the person from someone else and notifying the person would pose a serious threat to the life or health of any person, or
- you comply with the NSW Privacy Commissioner’s statutory guidelines.
Statutory guidelines on notifying a person when you have collected health information about them from someone else
The NSW Privacy Commissioner’s statutory guidelines provide that you do not have to notify a person when you have collected health information about them from someone in circumstances where:
- You collected information from the third party because it was unreasonable or impracticable to collect directly from the person and it would also be unreasonable or impracticable to notify the person;
- The information was collected in the process of recording a family, social or medical history and this was necessary to provide health services to the client;
- The information was collected from an authorised representative, because you believe the person was incapable of understanding the nature of the information required;
- The information was initially collected by another organisation and there are reasonable grounds to believe that the person has already been informed of the required information by the first organisation.
You should view the full requirements of the statutory guidelines if you wish to rely on them. The statutory guidelines on notifying a person when you have collected health information about them from someone else are published on the Privacy NSW website.
2.3 USING AND DISCLOSING HEALTH INFORMATION
In general, you may only use and disclose health information about a person for the primary purpose for which the information was collected.
However in certain circumstances (outlined below), health information may be used and disclosed for a secondary purpose other than the primary purpose for which it was collected.
Health privacy principles 10 & 11
What is use and disclosure?
Usually:
- ‘use’ refers to the communication or handling of health information within an organisation.
- ‘disclosure’ refers to the communication or transfer of information outside an organisation.
Sometimes, the distinction between ‘use’ and ‘disclosure’ is not clearly defined. However, in practice this is less important. Under the HRIP Act, the rules about how you can use health information (see HPP 10) and disclose health information (see HPP 11) are almost identical.
Use and disclose health information only for the primary purpose for which it was collected
Generally, you may use and disclose health information about a person only for the primary purpose for which the information was collected. The primary purpose is the main or dominant reason for which the information was collected and is strictly necessary to discharge your organisation’s functions and activities. Other purposes are ‘secondary’.
Example 1:
If a person is admitted to hospital for day surgery, the primary purpose for collecting their health information at admission is to provide them with the day surgery. The person’s information may be used by those involved in providing the day surgery, including anaesthetists, nurses and pathologists, as the information is being used for the same primary purpose for which it was collected. Such uses may occur without obtaining the further consent of the person.
Example 2:
An insurance company asks a person to fill in a form outlining details of the injuries that they sustained in an accident in order to process their insurance claim. The information can be used by the insurance company’s claims manager in order to assess and process the claim, because that is the primary purpose for which the information was collected.
Use and disclosure for a secondary purpose
In certain circumstances health information may be used and disclosed for a secondary purpose other than the primary purpose for which it was collected.
Secondary purposes include some that are considered ‘directly related’ to the primary purpose and others which are more remote.
Example:
Some months after a patient’s discharge, the oncology unit proposes to conduct a fundraising drive and wants to use the information from medical records to target recent admissions. As fundraising was not the primary purpose for which this information was collected, the use for this secondary purpose could only proceed if it comes within one of the permitted exemptions below.
Use and disclosure for secondary purposes – some permitted exemptions
The secondary purposes for which you are permitted to use or disclose health information are outlined below.
- With the consent of the person
Health privacy principles 10(1)(a) & 11(1)(a)
You may use or disclose a person’s health information for almost any secondary purpose if you have the person’s consent. The concept of consent is explained in more detail in Part 1.3 of this handbook.
Example:
An organisation assists those who are frail, aged, or have a disability, to remain at home rather than in institutional care by undertaking modifications to their home (such as installing handrails and ramps). The organisation collects health information in order to do this.
A wheelchair manufacturer approaches the organisation asking it to disclose the contact details of any immobile clients. The manufacturer wants to send the clients marketing material about a new wheelchair product. In this context the contact names and details alone would be ‘health information’ and covered by the HRIP Act, because they say something about the physical health of the person. Provided the organisation obtains the consent of the clients, it can disclose their health information for this secondary purpose.
- Directly related secondary purpose within the reasonable expectations of the person
Health privacy principles 10(1)(b) & 11(1)(b)
You may use or disclose health information without the consent of the person when there is:
- a directly related secondary purpose that is
- within the reasonable expectations of the person.
Example:
If the health information is collected in order to provide a health service to the person, the use of the information to provide a further health service to the person is a secondary purpose directly related to the primary purpose. This should usually be within the reasonable expectations of the person. The further consent of the person is not required.
In deciding what the reasonable expectations of the person are, you should look at what the ordinary person in the street, who has no special knowledge of the organisation or industry, would expect.
Examples of uses and disclosures that may fall within this ‘direct relation’ exemption include:
- Using the information to provide ongoing care to patients, or an ongoing service to clients
- Disclosing information to another person or organisation involved in the ongoing care of the patient, or the ongoing service to the client
- Investigating and managing adverse incidents or complaints about care or patient safety
- Sending reminders to a person where the person receives a service on a regular basis or requires a follow up service
- Disclosing information to a debt collection agency to follow up an overdue payment
- Using information for quality assurance activities carried out by the organisation such as monitoring, evaluating, auditing the provision of a particular product or service the organisation has or is providing the person
- Disclosing information to an auditor or quality assessor for the purposes of monitoring, evaluating, auditing the provision of a particular product or service the organisation has provided or is providing to the person (as long as the individual reviewing the records understands and agrees to be bound by the HPPs or their equivalent)
- Managing a legal claim made by the person
Best practice tip:
You should make the person aware that these activities are carried out as part of the normal functioning of your organisation. If you make it clear to the person that their information may be used or disclosed for these purposes, there is a more persuasive argument that the person would ‘reasonably expect’ you to use or disclose their information in these ways.
- Serious threat to health or welfare
Health privacy principles 10(1)(c) & 11(1)(c)
You may use or disclose health information without the consent of the person to lessen or prevent:
- a serious and imminent threat to the life, health or safety of any person, or
- a serious threat to public health or public safety.
Such disclosure or use must be approached with caution. Situations of serious and imminent threat will be a relatively uncommon occurrence. You must reasonably believe that the use or disclosure of the health information is necessary to prevent that threat. You need to carefully assess the level of risk before acting.
Example:
A person attends a counselling session in a highly agitated state, and expresses an intention to return home and inflict serious harm on their partner. The client has a history of domestic violence and has faced previous assault charges. The counsellor would have reasonable grounds to believe that the client’s partner was at serious and imminent risk and could therefore appropriately disclose the information, in order to address this risk.
- Management of health services, training or research
Health privacy principles 10(1)(d), 11(1)(d), 10(1)(e), 11(1)(e), 10(1)(f), 11(1)(f)
You may use or disclose health information without the consent of the person for:
- the funding, management, planning or evaluation of health services;
- training;
- research, or the compilation or analysis of statistics, in the public interest.
However these exemptions only apply where you have satisfied the following threshold issues:
- the use or disclosure is reasonably necessary for the purpose; and
- either you have taken reasonable steps to de-identify the information, or the purpose of the activity cannot be served by using or disclosing de-identified information and it is impracticable to seek the consent of the person to the use or disclosure; and
- if the information could reasonably be expected to identify people, the information is not going to be published in a generally available publication; and
- the use or disclosure of the information is in accordance with the NSW Privacy Commissioner’s statutory guidelines.
Tip for compliance: Before relying on the management of health services, training or research exemptions, you should consider whether you may be able to use or disclose:
- with the consent of the person under the ‘consent’ exemption; or
- under the ‘directly related secondary purpose within the reasonable expectations of the person’ exemption.
Is the use or disclosure reasonably necessary?
When deciding whether the use or disclosure is reasonably necessary, consider to what degree the health information is needed for the activity. For example sometimes the activity may be just as effectively undertaken using hypothetical case studies, or simulated situations.
Example:
Question: A researcher proposes to assess the effectiveness of a software package for use by psychologists. The researcher wants to do this by monitoring how the psychologist enters information into the system during sessions with clients (e.g. which icons the psychologist uses, how many keystrokes the psychologist takes to get to particular screens). The researcher proposes to monitor this remotely (that is, the researcher will not be present in the session). However, the researcher will be able to view all of the client’s information as it is entered into the system. Is such a disclosure reasonably necessary?
Answer:
No. The disclosure of the client’s health information to the researcher is not reasonably necessary here. Simulated situations should suffice to achieve the purpose, or the consent of the client should be sought.
The purpose cannot be served by de-identified information
If the activity could be undertaken using or disclosing de-identified information, then you should proceed this way. This may involve converting ‘identifiable’ information (information that allows the identification of a specific person) into ‘de-identified’ information. De-identified information is information from which identifiers have been permanently removed, or in which identifiers have never been included. De-identified information cannot be re-identified.
However sometimes de-identified information cannot achieve the purpose of the activity. This could be, for example, where an activity involves linking information about individuals from two or more sources and you need identified information to correctly link records from each data source.
It is impracticable to seek the person’s consent
The considerations when deciding whether it is impracticable to seek the person’s consent are explained in Part 1.3 of this handbook.
Reasonable steps to de-identify the information
When de-identifying information, you should consider the capacity of the person or organisation receiving the information to re-identify it or re-link it to identifiable information. Removing the name and address may not always be enough, particularly if there are unusual features in the case, a small population, or there is a discussion of a rare clinical condition. Reasonable steps to de-identify information might also include removing other features, such as date of birth, ethnic background and diagnosis that could otherwise allow an individual to be identified in certain circumstances.
The information will not be published in a generally available publication
A ‘generally available publication’ is defined in section 4 of the HRIP Act to mean a publication that is generally available to members of the public, either in paper or electronic form.
The NSW Privacy Commissioner’s statutory guidelines
The NSW Privacy Commissioner has issued statutory guidelines that set out the last set of conditions under which health information may be used or disclosed for management, research and training. The statutory guidelines form part of the law. You must comply with them if you are seeking to rely on the management, research or training exemptions.
The statutory guidelines on the management of health services require that you ask a series of questions about the proposed management activity before using or disclosing. If any of the questions are answered in the affirmative, the management of the health services activity must be approved by a Human Research Ethics Committee before you can use or disclose. To view the statutory guidelines on the management of health services please see the Privacy NSW website: www.lawlink.nsw.gov.au/privacynsw/
The statutory guidelines on research are consistent with, and mirror, the guidelines developed by the National Health & Medical Research Council under sections 95 and 95A of the Federal Privacy Act 1988. The statutory guidelines on research require that a Human Research Ethics Committee approve the research proposal before you can use or disclose. To view the statutory guidelines on research please see the Privacy NSW website: www.lawlink.nsw.gov.au/privacynsw/
The statutory guidelines on training require that every employee or person working with the organisation, who will be trained or who will access the health information during the training process, signs an undertaking stating that they have been made aware of the requirements of the HPPs in the HRIP Act and that they understand they are required to comply with them. The statutory guidelines on training also set requirements for managing such training. To view the statutory guidelines on training please see the Privacy NSW website: www.lawlink.nsw.gov.au/privacynsw/
- Find missing person
Health privacy principles 10(1)(g) & 11(1)(h)
You may use or disclose health information without the consent of the person if the information is to be used by a law enforcement agency to find a missing person. This exemption only applies if the person has been reported as missing.
Section 4 of the HRIP Act defines ‘law enforcement agency’ to mean any of the following:
- NSW Police or the police force of another State or Territory
- Australian Federal Police
- NSW Crime Commission
- Australian Crime Commission
- Director of Public Prosecutions of NSW or of another State or Territory or of the Commonwealth
- Department of Corrective Services
- Department of Juvenile Justice
Example:
The police have received a report from a family that their 17-year-old son is missing. The boy has a chronic condition requiring regular treatment in hospital. The police request information from a hospital to ascertain if he has been admitted as a result of a failure to take his medication. The hospital would be entitled to provide this information under the ‘find missing person’ exemption.
- Suspected unlawful activity, unsatisfactory professional conduct or breach of discipline
Health privacy principles 10(1)(h) & 11(1)(i)
Organisations may use or disclose health information without the consent of the person where the organisation has reasonable grounds to suspect that:
- unlawful activity has been or may be engaged in, or
- a person has or may have engaged in conduct that may be unsatisfactory professional conduct or professional misconduct under a health registration Act, or conduct that may be grounds for disciplinary action.
The use or disclosure must be a necessary part of investigating or reporting suspected unlawful activity.
This exemption recognises that organisations have a legitimate function in conducting internal investigations and reporting suspected unlawful activity.
Example:
Staff members have raised concern about a colleague’s conduct towards female clients. They have witnessed the colleague being sexually inappropriate towards female clients and using derogatory terms to describe females in his file notes.
In order to conduct an internal investigation, the organisation may need to review client files (some containing health information). The organisation may rely on the ‘suspected unlawful activity’ exemption to use health information in this way.
- Law enforcement
Health privacy principles 10(1)(i) & 11(1)(j)
You may use or disclose health information without the consent of the person if:
- this is reasonably necessary for a law enforcement agency to carry out its functions, and
- there are reasonable grounds to believe that an offence may have been committed.
The list of law enforcement agencies is set out under the ‘Find missing person’ exemption above.
This exemption does not require you to provide information to the law enforcement agency. In the absence of a warrant or other legal authority, you are entitled not to disclose the information. This exemption is also not intended to override any duties of confidentiality that you may owe (for example between a medical practitioner and a patient). This exemption exists to permit you to lawfully co-operate with agencies performing law enforcement functions where appropriate.
Tip for compliance:
In deciding whether to disclose to a law enforcement agency, you should consider:
- the seriousness of the offence being investigated (an investigation into an alleged murder might justify disclosure more than an investigation into property theft)
- whether the circumstances indicate a serious and imminent threat to the life, health or safety of any person (such circumstances might better justify a disclosure)
- your relevant professional and ethical obligations
- how to best balance the protection of the person’s privacy as against the investigation and enforcement of the law.
Tip for compliance:
If you decide to disclose to the law enforcement agency, you should:
- limit your disclosure to information that is relevant and necessary for their purpose (information disclosed should be limited to confirmation of identity and address)
- obtain and document proof that the person seeking the information is a representative of the appropriate law enforcement agency
- keep a written record that you have disclosed.
Example:
Question: The police are investigating a series of sexual assaults committed by a serial rapist. The offender has indicated that he will rape again. The most recent victim has described very specific injuries that she inflicted on the offender during her attack. Can a doctor who has recently treated someone with these specific injuries, and believes that the patient may be the offender, disclose information to the police?
Answer: If the injury is so distinct that it is unlikely that anyone but the offender would have sustained it, disclosure may be justified under this ‘law enforcement’ exemption. Note that section 316 of the Crimes Act 1900 (NSW) also prohibits a person from concealing a serious indictable offence.

Health privacy principles 10(1)(j) & 11(1)(k)
You may use or disclose health information without the consent of the person where this is reasonably necessary for investigative agencies to exercise their complaint handling or investigative functions.
Section 4 of the HRIP Act defines ‘investigative agency’ to mean any of the following:
- Ombudsman’s Office
- Independent Commission Against Corruption
- Police Integrity Commission, the Inspector of the Police Integrity Commission and any staff of the Inspector
- Community Services Commission
- Health Care Complaints Commission
- Office of the Legal Services Commissioner
Where a public sector agency is not an investigative agency but is handling a matter that has been referred from, or could be referred to, an investigative agency, this exemption also applies (HPP 10(5) and HPP 11(6)).
Tip for compliance:
As with the ‘law enforcement’ exemption, in the absence of a warrant or other legal authority you are permitted, but not required, to disclose to an investigative agency. In deciding whether to disclose to an investigative agency you should apply the same considerations as set out under the ‘law enforcement’ exemption above.
- Prescribed circumstances
Health privacy principles 10(1)(k) and 11(1)(l)
The HRIP Act permits you to use or disclose health information as prescribed by regulations made by the Governor (see section 75 and Schedule 2 of the HRIP Act). To date, no regulations have been made for the purposes of this paragraph.
- Lawfully authorised or required, or permitted under another law
Health privacy principles 10(2) and 11(2)
You may use or disclose health information without the consent of the person, where you are lawfully authorised or required, or permitted under another law to do so. The HRIP Act does not override other legislation.
Example:
You may be required to:
- disclose health information to the Department of Community Services (DOCS) where a child or young person is at risk of harm under section 23 of the Children and Young Persons (Care and Protection) Act 1998
- disclose health information involving notifiable diseases pursuant to the Public Health Act 1991
- disclose health information pursuant to search warrants or subpoenas.
- Disclosures on compassionate grounds
Health privacy principle 11(1)(g)
You may disclose health information without the consent of the person to an immediate family member for compassionate reasons where:
- the person is incapable of giving consent, and
- the disclosure is not contrary to any wish expressed by the person (and not withdrawn) of which you are aware or could reasonably make yourself aware, and
- if the immediate family member is under the age of 18 years, you reasonably believe that they have sufficient maturity in the circumstances to receive the information, and
- the disclosure is limited to the extent reasonable for those compassionate reasons.
An ‘immediate family member’ (section 4 of the HRIP Act) means a:
- parent, child or sibling of the person, or
- spouse of the person, or
- member of the person’s household who is a relative of the person, or
- person nominated to an organisation by the person as someone to whom health information relating to the person may be disclosed.
Example: A patient is admitted to the emergency ward of a hospital unconscious as the result of a car accident. This exemption permits the hospital to contact the patient’s next of kin to advise them of the patient’s admission.
2.4 RETENTION AND SECURITY
You must take reasonable measures to protect the health information you hold (or that someone holds on your behalf) from misuse and loss, and from unauthorised access, use, modification or disclosure.
You must keep health information for no longer than is necessary for the purpose of its lawful use (however noting minimum retention periods prescribed by law).
Dispose of health information securely and in accordance with any retention and disposal requirements to which you are bound.
Health privacy principle 5
If you are in the private sector you are also governed by Part 4, Division 2.
What security safeguards should you take to protect health information?
You must take such security safeguards as are reasonable in the circumstances to protect the security of the health information. If health information is not held and managed securely, the risks of privacy breaches (intentional and unintentional) are increased.
Some reasonable physical safeguards might include:
- Locking filing cabinets and unattended storage areas
- Physically securing the areas in which the health information is stored
- Not storing health information in public areas
- Positioning computer terminals and fax machines so that they cannot be seen or accessed by unauthorised people or members of the public.
Some reasonable technical safeguards might include:
- Using passwords (or stronger authentication) to restrict computer access; current guidance such as NIST SP 800-63B favours long, unique passwords and multi-factor authentication over routine forced password changes
- Establishing different access levels so that not all staff can view all information
- Ensuring information is transferred securely (for example, not transmitting health information via non-secure email)
- Using electronic audit trails
- Installing anti-virus protection and firewalls.
Some reasonable administrative safeguards might include:
- Introducing appropriate policies and procedures to address information security
- Training staff on those policies and procedures.
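Two of the technical safeguards listed above, different access levels and an electronic audit trail, are easy to state and easy to get wrong in practice. The following added example (not code from Privacy NSW, the HRIP Act or any NSW Health system) shows one way to combine them: each role may read only a fixed set of record fields, a request touching any field outside that set is refused as a whole, and every attempt, granted or refused, is written to a hash-chained log before any data is returned, so that later editing of the log is detectable. The roles, field names, the `MRN-000123` record and all sample values are constructed for illustration.

```python
"""Role-based field access with a tamper-evident audit trail.

Added example for the 'technical safeguards' list above; it is not code from
Privacy NSW or the HRIP Act. The roles, the field-to-role mapping and the
sample record are constructed for illustration only.
"""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed access levels: which record fields each role may read. Anything not
# listed for a role is denied, so a new field stays invisible until someone
# decides who needs it (fail closed).
ROLE_FIELDS = {
    "clinician": {"name", "dob", "diagnosis", "medications", "notes"},
    "billing": {"name", "dob", "medicare_no"},
    "reception": {"name", "dob"},
}

# Constructed sample record, keyed by a made-up Medical Records Number.
RECORDS = {
    "MRN-000123": {
        "name": "Example Patient",
        "dob": "1980-01-01",
        "medicare_no": "0000 00000 0",
        "diagnosis": "example diagnosis",
        "medications": ["example medication"],
        "notes": "example clinical notes",
    }
}


class AccessDenied(Exception):
    """Raised when a role requests a field outside its access level."""


@dataclass
class AuditTrail:
    """Append-only log in which each entry commits to the hash of the previous
    one, so editing or deleting an earlier entry is detected by verify()."""

    entries: list = field(default_factory=list)

    def append(self, event: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = json.dumps(event, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({**event, "prev": prev, "hash": digest})
        return digest

    def verify(self) -> bool:
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k not in ("prev", "hash")}
            expected = hashlib.sha256(
                (prev + json.dumps(body, sort_keys=True)).encode()
            ).hexdigest()
            if entry["prev"] != prev or entry["hash"] != expected:
                return False
            prev = entry["hash"]
        return True


class HealthRecordStore:
    def __init__(self, records: dict, audit: AuditTrail):
        self.records = records
        self.audit = audit

    def read(self, user: str, role: str, mrn: str, fields, when: str = None) -> dict:
        """Return the requested fields if the role may see all of them.

        Every attempt is logged before any data is returned, so the trail also
        records who tried to read beyond their access level.
        """
        requested = set(fields)
        not_permitted = requested - ROLE_FIELDS.get(role, set())
        record = self.records.get(mrn)
        if record is None:
            reason = "no such record"
        elif not_permitted:
            reason = "fields outside access level: " + ", ".join(sorted(not_permitted))
        else:
            reason = None
        self.audit.append({
            "ts": when or datetime.now(timezone.utc).isoformat(),
            "user": user,
            "role": role,
            "mrn": mrn,
            "fields": sorted(requested),
            "outcome": "granted" if reason is None else "denied",
            "reason": reason,
        })
        if reason is not None:
            raise AccessDenied(reason)
        return {name: record[name] for name in requested}
```

Refusing the whole request rather than silently returning the permitted subset makes over-reach visible in the log instead of hiding it, which is what an audit trail is for when a privacy complaint has to be investigated later. The hash chain only detects tampering; to make it resist tampering, ship entries to a system the record users cannot write to.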
How long are you required to retain health records?
You are required to destroy or permanently de-identify health information once it is no longer needed for further uses or disclosures authorised by the HRIP Act. However this requirement is not absolute. If other legislation requires you to retain records for a minimum period, then this must be followed.
Public sector agencies are subject to the requirements of the State Records Act 1998 (NSW). That Act has extensive provisions as to the minimum length of time that public records should be retained. You should go to www.records.nsw.gov.au for further information.
- Private sector health service providers
Part 4, section 25(1)
Private sector health service providers must retain health information relating to the person as follows:
- In the case of health information collected while the person was an adult – for 7 years from the last occasion on which you provided the person with a health service
- In the case of health information collected while the person was under the age of 18 years – until the person has attained the age of 25 years.
Disposing of health information, or transferring health information to another organisation
You are required to dispose of health information securely.
- Private sector health service providers
Part 4, section 25(2)-(4)
When private sector health service providers delete or dispose of a person’s health information they must keep a record of:
- the name of the person
- the period covered by the health information
- the date on which it was deleted or disposed of.
When private sector health service providers transfer a person’s health information to another organisation (and do not continue to hold a record of that information) they must keep a record of the name and address of the organisation to which they transferred the health information.
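The two retention rules in section 25(1) and the disposal record in section 25(2) together make a small but error-prone calculation, especially for a record that spans a patient's 18th birthday. The following added example (not code from Privacy NSW or the HRIP Act) works the rules through: items collected while the person was under 18 run until the 25th birthday, items collected as an adult run for 7 years from the last health service, HPP 5 then requires disposal once the information is no longer needed, and the disposal register entry records name, period covered and disposal date. It assumes a record is disposed of as a unit, so it is kept until the latest of its items' deadlines; that reading, the `HealthInfoItem` type and all dates are assumptions for the example, and public sector agencies must apply the State Records Act instead.

```python
"""Minimum retention period and disposal register for a private sector
health service provider (Part 4, section 25 of the HRIP Act, as summarised
above).

Added example for this handbook section; not code from Privacy NSW. It assumes
a whole record is kept until the latest deadline of any item in it, and the
sample dates are constructed. Check the rule against the Act itself and any
other retention requirement that binds you.
"""
from dataclasses import dataclass
from datetime import date


def add_years(d: date, years: int) -> date:
    """Same calendar day N years later; 29 February falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def age_on(dob: date, when: date) -> int:
    """Completed years of age on a given date."""
    years = when.year - dob.year
    if (when.month, when.day) < (dob.month, dob.day):
        years -= 1
    return years


@dataclass(frozen=True)
class HealthInfoItem:
    description: str
    collected: date  # the date this piece of health information was collected


def retain_until(dob: date, items, last_service: date) -> date:
    """Earliest date on which every item in the record is past its minimum
    retention period.

    Items collected while the person was under 18 must be kept until the
    person turns 25; items collected as an adult for 7 years from the last
    health service you provided. The record is retained to the later of these
    (assumption: the record is disposed of as a unit, not item by item).
    """
    if not items:
        raise ValueError("a record with no health information has no retention period")
    deadlines = []
    for item in items:
        if age_on(dob, item.collected) < 18:
            deadlines.append(add_years(dob, 25))
        else:
            deadlines.append(add_years(last_service, 7))
    return max(deadlines)


def may_dispose(dob: date, items, last_service: date, today: date, still_needed: bool) -> bool:
    """HPP 5 requires disposal once the information is no longer needed for an
    authorised use or disclosure, but never before the statutory minimum has run."""
    return not still_needed and today >= retain_until(dob, items, last_service)


def disposal_register_entry(name: str, items, disposed_on: date) -> dict:
    """The record section 25(2) requires after deleting or disposing of a
    person's health information: name, period covered, date of disposal."""
    collected = [item.collected for item in items]
    return {
        "name": name,
        "period_from": min(collected).isoformat(),
        "period_to": max(collected).isoformat(),
        "disposed_on": disposed_on.isoformat(),
    }
```

For a patient born 15 March 2000 with an item collected at age 15 and a consultation on 10 January 2019, the childhood item runs to 15 March 2025 but the adult item runs to 10 January 2026, so the record as a whole is kept to the later date. The register entry itself contains no health information and is kept after the record is gone.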
2.5 ACCESS AND AMENDMENT
People have a right to request access to the health information that you hold about them. You should give a person access to their health information, if they ask for it, unless particular circumstances apply.
People have a right to request amendments to the health information that you hold about them, where they believe the information is inaccurate, irrelevant or misleading. Where appropriate, you should make these amendments.
Health privacy principles 6, 7 & 8
If you are in the private sector you are also governed by Part 4, Divisions 3 & 4.
Obligation to be transparent about the health information you hold
Health privacy principle 6
Before people can seek to access or amend their health information, they need to know who holds it. You are required to take reasonable steps to enable any person to find out what health information you hold about them, why, and how they can seek access to it.
Best practice tip:
Your organisation’s privacy policy is one way of being transparent about the health information that you hold as required by HPP 6.
How can a person make a request for access or amendment?
The rights of access and amendment are triggered by a request from the person to whom the health information relates. A person should follow a certain format when making a request for access and / or amendment under the HRIP Act. The rules about the format of a request differ depending on whether the request is to a public sector or private sector organisation.
- Requests to public sector agencies
Where a person seeks to access or amend their health information held by an organisation in the public sector, the HRIP Act does not require the person’s request to be in writing.
Example:
During a consultation at her public hospital, Jane asks for a copy of her latest test results. The hospital can satisfy this request for access by simply providing a copy of the information at the time.
If the request is not as straightforward as the example above, you may prefer to ask the person to put their request in writing. A written request allows clarity about the information for which access or amendment is sought and provides a written record of the request on file. There are no rules under the HRIP Act about what information a request to a public sector organisation should contain.
Note that access to health information held by public sector agencies may also be available under the Freedom of Information Act 1989 or the State Records Act 1998. If people are seeking access to their health information under those Acts, they should comply with the requirements set out under those Acts.
Example:
Question: What is the difference between access under the Freedom of Information Act 1989 and access under the HRIP Act?
Answer: The FOI Act allows any person to apply for access to any documents held by the government. It is designed to facilitate open and transparent Government. The HRIP Act allows a person to apply for access to their own health information (not limited to documents).
- Requests to the private sector
Part 4, section 26
Where a person seeks to access or amend their health information held by a private sector organisation, the HRIP Act requires the person’s request to:
- be in writing, and
- state the name and address of the person making the request, and
- identify the health information they wish to access or amend, and
- if the request is for access, specify the form in which the person requires the information to be provided, and
- if the request is for amendment on the grounds that the health information is incomplete or out of date, contain the information the person claims is necessary to complete the health information or bring it up to date.
Difference with Federal Privacy Act
Under the Federal Privacy Act, it is not a legal requirement that requests be made in writing.
Tip for compliance:
Even if the person’s request is not in the form set out above, you may still decide to provide the person with the access or amendment that they have requested. The HRIP Act is not intended to prevent or discourage you from providing a person with access or amendment in other circumstances. For example, if someone from a non-English speaking background has difficulty putting their request in writing, you may decide to grant them access on the basis of a verbal request.
Fees and charges
Privacy NSW encourages organisations to provide access and amendment without charge.
However you are permitted to charge a fee to cover the administrative costs of providing access (e.g. for copying or printing records). The fee should not be excessive, nor should it discourage people from seeking access to their health information. For health service providers in the public sector, the access fees and charges set out in DOH Circular 2002/22 will apply.
Can a request for access or amendment be made by someone other than the person to whom the information relates?
Where a person lacks capacity to make a request about their own health information, an authorised representative may make a request on the person’s behalf. See Part 1.4 of this handbook for more on capacity and authorised representatives.
A person can also consent to someone else accessing health information on their behalf. For example a person can consent to, or authorise, any third party, such as a relative, interpreter, medical practitioner, legal representative, employer or insurer, having access to their health information. Members of parliament making representations on behalf of a constituent are also required to have the person’s authorisation. It is important to check how specific the authority is, and the exact scope of the authority that the person has provided. You must ensure that such authorisations are in writing and clearly state the name of the person who is authorised to have access.
For information on circumstances where a parent wants to see their child’s health information, please see Part 1.4 of this handbook.
Check identity of person making request
You should check the identity of the person making the request and be satisfied that the person is who they say they are.
How much time do you have to respond to a request for access or amendment?
Health privacy principle 7
If you are in the public sector, the HRIP Act requires you to respond to a request for access ‘without excessive delay’. Requests for amendment should also be dealt with without excessive delay.
Tip for compliance:
‘Without excessive delay’ is not defined in the HRIP Act. However as a guide, it is the Privacy Commissioner’s view that the total time for processing a request from the time it is received should not exceed 45 days. In cases where urgent amendments are required, 45 days may be too long.
Part 4, section 27
If you are in the private sector, the HRIP Act requires you to respond to a request for access or amendment within 45 days after receiving the request.
Difference with Federal Privacy Act
The Federal Privacy Act does not specify how much time you have to respond to a request for access. However as a guide, it is the Federal Privacy Commissioner’s view that the total time for processing a request from the time it is received should not exceed 30 days (see Guidelines on Privacy in the Private Health Sector).
Best practice tip:
Processing the request within 30 days will ensure that you comply with the Federal Privacy Commissioner’s guide and with the NSW law.
Access: on what grounds can you refuse a request?
HPP 7
The general principle under both the HRIP Act and the FOI Act is that a person will be presumed to have a right to access their own files.
You can refuse a person access to their health information only if denying access is required or authorised by another law. For example, if access can be refused on the basis of the FOI Act, then you will be lawfully authorised to refuse access under the HRIP Act. For more information about the grounds on which access can be refused under the FOI Act, you should contact your FOI officer or visit the NSW Premier’s Department website at:
www.premiers.nsw.gov.au/NSWCommunity/FreedomOfInformation/
Part 4, Section 29
You can refuse a person access to their health information only if:
- providing access would pose a serious threat to the life or health of any person (for example where there is a risk that the information may cause the person significant distress, so as to result in them harming themselves or another)
- providing access would have an unreasonable impact on the privacy of other people (however, where a person’s health record contains information about someone else, you can prevent an unreasonable impact on that other person’s privacy by removing that other person’s identifying details before releasing the information)
- the information relates to legal proceedings (existing or anticipated) between your organisation and the person, and the information is subject to legal professional privilege or would not be accessible by the process of discovery
- providing access would reveal your organisation’s intentions in relation to negotiations with the person in such a way as to expose you to disadvantage (for example, regarding the settlement of a negligence claim)
- providing access would be unlawful
- denying access is required or authorised under another law
- providing access would be likely to prejudice an investigation of possible unlawful activity
- you have been asked by a law enforcement agency performing a lawful security function not to provide access, as it would be likely to cause damage to the security of Australia
- the request for access is one that has been made unsuccessfully on at least one previous occasion and there are no reasonable grounds for making the request again
- the person has been provided with access to their information already under the HRIP Act and is making an unreasonable repeated request for access to the same information in the same manner.
If you decide to refuse access, you must provide a written reason for the refusal. The reason must be provided for under the HRIP Act. In other words, the refusal must be for one of the reasons listed above. Access may be refused to a part of the information, to which a request relates, but provided to the remainder of the information.
- Access refused because of serious threat to person – use of intermediary
Part 4, section 30
Where a private sector organisation refuses to provide the person with access to their health information on the grounds that providing access would pose a serious threat to their life or health, the notice of refusal must:
- advise the person that he or she may nominate a medical practitioner to be given access to the health information instead, and
- advise the person that any nomination must be made within 21 days, after receipt of the notice of refusal.
Access must then be provided to the nominated medical practitioner within 21 days of receiving the person’s nomination.
Access: in what form should you provide it?
Access may be provided in a number of different ways. You may decide to grant the person access by:
- giving the person a copy of the health information
- providing a reasonable opportunity for the person to inspect the health information, take notes on its contents and talk through the contents with an appropriate staff member, if required
- allowing the person to listen to or view the contents of an audio or visual recording
- giving the person a print-out of the information if it is stored electronically, or giving them an electronic copy of the information.
For private sector organisations, if the person requests access to be provided in a particular form (for example, they request to receive a paper copy of their health information), then you should generally provide access in that form. You may only refuse to provide access in that form if it would:
- place unreasonable demands on your organisation’s resources
- be detrimental to the preservation of the information
- involve an infringement of copyright.
In these cases, you should provide access in another convenient form.
Amendment: when should you amend health information?
In response to a request for amendment, you may amend (by way of corrections, deletions or additions) the health information to ensure:
- the information is accurate
- the information is relevant, up to date, complete and not misleading, taking into account the purpose for which the information is collected and used.
The HRIP Act states that amendments can be made by way of deletions. However, for legal and medical reasons, Privacy NSW acknowledges it is generally advisable not to permanently delete the information.
Some requests for amendment will be easy to deal with, for example where a person requests changes to their address details. In these cases you should make such amendments via your usual process, as long as you are satisfied of the identity of the person.
Other requests for amendment will be more difficult to deal with, for example where a person challenges a medical opinion, evaluation or diagnosis.
Amendment: on what grounds can you refuse a request?
HPP 8 and Part 4, section 34
You can refuse to amend the person’s health information if you are satisfied that:
- the health information is not incomplete, incorrect, irrelevant, out of date or misleading, or
- the request contains information that is incorrect or misleading.
If you are not prepared to make the amendment requested, the person can ask you to attach to the record their statement requesting the amendment. You must take reasonable steps to do this.
Part 4, section 34 and section 35
If you are not prepared to make the amendment requested, you must give the person a written reason for the refusal. The person can then ask you (by notice in writing) to add a notation to the health information specifying their claims.
2.6 ACCURACY
You must take reasonable steps before using health information to ensure that it is relevant, accurate, up to date, complete and not misleading.
Health privacy principle 9
What are reasonable steps to ensure accuracy?
When collecting health information, you understandably rely on the person providing it to give you information that is relevant, accurate, up to date and not misleading.
It would be burdensome for you to have to continually check and recheck the accuracy of all the data you hold and the HRIP Act does not require this. However, you are required to take reasonable steps to ensure the quality and integrity of your data, before using it.
The term ‘reasonable steps’ is not defined in the HRIP Act. However some factors you might like to consider when determining reasonable steps in the circumstances include:
- how recently the information was collected (if it was collected recently, then there may be no need to recheck it now)
- the reliability of the source providing the information (information from an unreliable source should be checked, before it is used)
- the likelihood that the information is accurate, up to date and not misleading (the lesser the likelihood, the greater reason to check)
- what you are proposing to use the information for (for example, if you are using it to make a decision about the person’s future health care, then it is important that you take steps to ensure the information is accurate).
2.7 IDENTIFIERS
You can only assign an identifier to a person, where this is reasonably necessary to carry out your organisation’s functions efficiently.
Private sector organisations are prohibited from adopting, using or disclosing an identifier assigned by a government agency, except in prescribed circumstances.
Health privacy principle 12
What is an identifier?
An identifier is defined in section 4 of the HRIP Act to mean something (usually a number) that an organisation assigns to a person in order to uniquely identify that person. The identifier will have either been created, adopted, used or disclosed in conjunction with or in relation to the person’s health information. A person’s name is not an identifier.
Example:
The Medical Records Number (MRN) and the Unique Patient Identifier (UPI) are identifiers in the NSW public health system. The Medicare number is an identifier issued by an Australian government agency.
Identifiers bring important benefits for efficient record management. However they also pose privacy risks: they allow large quantities of data about a person, from different sources, to be data-matched and amalgamated into a single record. Although identifiers do not contain a person’s name, they are designed to be unique to a particular person and hence will be classified as health information and subject to the HRIP Act.
Prohibitions regarding the private sector and identifiers
A private sector organisation may only adopt a public sector agency identifier as its own where:
- the person concerned has consented to this, or
- the use or disclosure of the identifier is required or authorised by or under law.
Example:
An insurance company could not adopt the UPI as its own identifier unless one of the above two conditions has been met.
A private sector organisation may only use or disclose a public sector agency identifier in certain circumstances. See HPP 12(3) & (4) for a full list of permissible circumstances.
2.8 ANONYMITY
Wherever it is lawful and practicable, you must give people the opportunity to remain anonymous when entering into transactions with, or receiving health services from, your organisation.
Health privacy principle 13
Provide a service anonymously where this is lawful and practicable
Sometimes people may wish to remain anonymous or use an alias when dealing with organisations. This may be the case where they are using counselling services, or attending sexual health clinics. They may have other reasons for not wishing to identify themselves, for example, to avoid being targeted for direct marketing or to avoid being located by an abusive partner. You should permit the person to remain anonymous wherever this is lawful and practicable.
When is anonymity unlawful?
In some cases it will be unlawful to transact with the person anonymously. This is usually because there is a legal requirement stating that you must collect identifying information from the person. For example:
- when prescribing a restricted drug, you are legally required to provide the name of the person who will receive the drug.
- where a person has been diagnosed with certain medical conditions listed as “scheduled medical conditions” under the Public Health Act, the medical practitioner is required to record certain details, including identity, to allow the matter to be reported to the Department of Health.
- where significant cash transactions take place, the law requires the parties to a transaction to be identified.
When is anonymity impracticable?
In some cases it will be impracticable to transact with the person anonymously. For example:
- where ongoing health care is required and the service requires a follow-up – if the person does not provide details to allow this, their ongoing health care may be compromised
- where a transaction cannot be carried out without providing identifying information, such as in credit card transactions or payments by cheque.
2.9 TRANSFERRING HEALTH INFORMATION OUT OF NSW
Before transferring health information out of New South Wales, make sure the recipient is subject to substantially similar privacy standards or laws.
If equivalent privacy protections do not exist, then you can only transfer the health information out of NSW under certain circumstances (outlined below).
Remember that in transferring health information out of NSW, you will also need to comply with the rules about use and disclosure contained in health privacy principles 10 and 11.
Health privacy principle 14
When can you transfer health information out of NSW?
You can transfer health information out of NSW in the following circumstances:
- Recipient subject to substantially similar privacy standards or laws: you reasonably believe that the recipient is subject to a law, binding scheme or contract that imposes substantially similar obligations to those imposed by the HPPs.
- Consent: the person has consented to the transfer.
- Contract with the person: the transfer is necessary for the performance of a contract between your organisation and the person.
- Benefit of the person: the transfer is for the benefit of the person, it is impracticable to obtain their consent, and, if it were practicable to obtain such consent, the person would be likely to give it.
- Serious threat to health or welfare: the transfer is reasonably believed to be necessary to lessen or prevent a serious and imminent threat to the life, health or safety of any person, or a serious threat to public health or public safety. See Part 2.3 of this handbook for more information.
- Reasonable steps taken: you have taken reasonable steps to ensure that the health information you transfer will not be held, used or disclosed by the recipient inconsistently with the HPPs.
- Permitted or required by law: the transfer is permitted or required by an Act (including an Act of the Commonwealth) or any other law.
2.10 LINKAGE OF HEALTH RECORDS AT STATE OR NATIONAL LEVEL
You must obtain the express consent of the person, before including their health information in a state or national electronic health records scheme. Participation is opt-in, not opt-out.
Health privacy principle 15
When does this health privacy principle apply?
HPP 15 does not apply to all electronic storage and linkage of health records. It does not affect the ability of organisations to store or link their own health information electronically.
HPP 15 is designed to deal with electronic health records systems that link health records at a state or national level, for example:
- The Health e-Link electronic health records scheme in NSW
- The Health Connect electronic health records scheme at a federal level.
It requires that such schemes must be “opt-in”, meaning that a patient must give express consent to participate.