Office of the Privacy Commissioner NSW | 02 8019 1600
Handbook to Health Privacy

This Handbook provides our interpretation of the HRIP Act and explains important concepts like consent and the Health Privacy Principles. The Handbook is a good resource for agencies to learn more about the HRIP Act and their obligations under the legislation.




CONTENTS

PART 1: INTRODUCTION AND KEY CONCEPTS

1.1 BACKGROUND

  • Who Is This Handbook For?
  • The HRIP Act At A Glance
  • Why A Separate Law To Protect Health Information?

1.2 COVERAGE OF THE HRIP ACT
  • What Information Does The HRIP Act Protect?
      - Health information
      - In any form
      - What about health information collected prior to the commencement of the HRIP Act?
  • What Information is Not Protected?
      - Health information about a person who has been dead for more than 30 years
      - Some employee-related health information
      - Certain other health information
      - What about de-identified information?
  • Who must comply with the HRIP Act?
      - NSW organisations (includes individuals)
      - NSW organisations that are health service providers
      - Other NSW organisations that collect, hold or use health information
      - Exemption for small business operators

  • How Does The HRIP Act Relate to Existing Laws, Codes and Guidelines?
      - Relationship with professional and ethical codes and standards
      - Relationship with confidentiality
      - What if you have obligations under the Federal Privacy Act and the HRIP Act?
      - What if you have obligations under the PPIP Act and the HRIP Act?
      - What if you are required by another law to collect, use, disclose or hold health information?

1.3 OBTAINING A PERSON'S CONSENT TO HANDLE THEIR HEALTH INFORMATION
  • Elements of consent
  • Notifying a person is not the same as seeking their consent
  • Is express or implied consent required?
  • Can a person withhold consent?
  • Are there times when consent is not needed?
  • Are there times when it is impracticable to seek a person's consent?

1.4 CAPACITY
  • How do you assess a person's capacity under the HRIP Act?
  • When should you deal with an authorised representative?
  • Young people and capacity


PART 2: YOUR LEGAL OBLIGATIONS UNDER THE HRIP ACT - THE 15 HEALTH PRIVACY PRINCIPLES (HPPS)

2.1 COLLECTING HEALTH INFORMATION
  • What is collection?
  • When can you collect a person's health information?
  • Information must be relevant, not excessive, accurate and not intrusive
  • Can you collect health information about a person from someone else?
2.2 NOTIFYING A PERSON WHEN YOU COLLECT THEIR HEALTH INFORMATION
  • What and why should you notify the person?
  • When should you notify the person?
  • How should you notify the person?
  • Sometimes you may need to notify an authorised representative instead
  • In certain circumstances you are not required to notify the person
  • Notifying a person when you have collected health information about them from someone else
2.3 USING AND DISCLOSING HEALTH INFORMATION
  • What is use and disclosure?
  • Use and disclose health information only for the primary purpose for which it was collected
  • Use and disclosure for secondary purposes - some permitted exemptions

2.4 RETENTION AND SECURITY
  • What security safeguards should you take to protect health information?
  • How long are you required to retain health records?
  • Disposing of health information, or transferring health information to another organisation

2.5 ACCESS AND AMENDMENT
  • Obligation to be transparent about the health information you hold
  • How can a person make a request for access or amendment?
  • Fees and charges
  • Can a request for access or amendment be made by someone other than the person to whom the information relates?
  • Check identity of person making request
  • How much time do you have to respond to a request for access or amendment?
  • Access: on what grounds can you refuse a request?
  • Access: in what form should you provide it?
  • Amendment: when should you amend health information?
  • Amendment: on what grounds can you refuse a request?

2.6 ACCURACY
  • What are reasonable steps to ensure accuracy?

2.7 IDENTIFIERS
  • What is an identifier?
  • Prohibitions regarding the private sector and identifiers

2.8 ANONYMITY
  • Provide a service anonymously where this is lawful and practicable
  • When is anonymity unlawful?
  • When is anonymity impracticable?

2.9 TRANSFERRING HEALTH INFORMATION OUT OF NSW
  • When can you transfer health information out of NSW?

2.10 LINKAGE OF HEALTH RECORDS AT STATE OR NATIONAL LEVEL
  • When does this health privacy principle apply?


PART 3: COMPLAINTS UNDER THE HRIP ACT

3.1 THE COMPLAINTS-HANDLING PROCESS

Last updated: 3 February 2011