This provides our interpretation of the HRIP Act and explains important concepts like consent and Health Privacy Princiiples. The Handbook is a good resource for agencies to learn more about the HRIP Act and their obligations under the legislation.

(Download PDF version)



CONTENTS

PART 1: INTRODUCTION AND KEY CONCEPTS

1.1 BACKGROUND

• Who Is This Handbook For?
• The HRIP Act At A Glance
• Why A Separate Law To Protect Health Information?

• What Information Does The HRIP Act Protect?
  - Health information
  - In any form
  - What about health information collected prior to the commencement of the HRIP Act?

• What Information is Not Protected?
  - Health information about a person who has been dead for more than 30 years
  - Some employee-related health information
  - Certain other health information
  - What about de-identified information?

• Who must comply with the HRIP Act?
  - NSW organisations (includes individuals)
  - NSW organisations that are health service providers
  - Other NSW organisations that collect, hold or use health information
  - Exemption for small business operators
  
  
• How Does The HRIP Act Relate to Existing Laws, Codes and Guidelines?
  - Relationship with professional and ethical codes and standards
  - Relationship with confidentiality
  - What if you have obligations under the Federal Privacy Act and the HRIP Act?
  - What if you have obligations under the PPIP Act and the HRIP Act?
  - What if you are required by another law to collect, use, disclose or hold health information?

• Elements of consent
• Notifying a person is not the same as seeking their consent
• Is express or implied consent required?
• Can a person withhold consent?
• Are there times when consent is not needed?
• Are there times when is it impracticable to seek a person's consent?

• How do you assess a person's capacity under the HRIP Act?
• When should you deal with an authorised representative?
• Young people and capacity

• What is collection?
• When can you collect a person's health information?
• Information must be relevant, not excessive, accurate and not intrusive
• Can you collect health information about a person from someone else?

• What and why should you notify the person?
• When should you notify the person?
• How should you notify the person?
• Sometimes you may need to notify an authorised representative instead
• In certain circumstances you are not required to notify the person
• Notifying a person when you have collected health information about them from someone else

• What is use and disclosure?
• Use and disclose health information only for the primary purpose for which it was collected
• Use and disclosure for secondary purposes - some permitted exemptions

• What security safeguards should you take to protect health information?
• How long are you required to retain health records?
• Disposing of health information, or transferring health information to another organisation

• Obligation to be transparent about the health information you hold
• How can a person make a request for access or amendment?
• Fees and charges
• Can a request for access or amendment be made by someone other than the person to whom the information relates?
• Check identity of person making request
• How much time do you have to respond to a request for access or amendment?
• Access: on what grounds can you refuse a request?
• Access: in what form should you provide it?
• Amendment: when should you amend health information?
• Amendment: on what grounds can you refuse a request?

• What are reasonable steps to ensure accuracy?

• What is an identifer?
• Prohibitions regarding the private sector and identifiers

• Provide a service anonymously where this is lawful and practicable
• When is anonymity unlawful?
• When is anonymity impracticable?

• When can you transfer health information out of NSW?

• When does this health privacy principle apply?