62. The Privacy Act and Health Information

Definition of ‘health service’

62.21 Another definition that is central to the way health information is handled under the Privacy Act is the definition of a ‘health service’. The term ‘health service’ is used in the Privacy Act in a range of circumstances. These include: as part of the definition of ‘health information’; as a limitation on the scope of the small business exemption—small businesses that hold health information and provide a health service are not covered by the small business exemption; and as a ‘permitted purpose’ under Part VIA dealing with declared emergencies and disasters.

62.22 In addition, the term is used in several provisions that provide for the use of health information in circumstances that would normally breach the IPPs or NPPs. For example, under NPP 2.1(ea), the genetic information of one individual, collected in the course of providing a health service, may be disclosed in certain circumstances to a genetic relative of that individual without consent.[28] A health service provider may disclose personal information to a person ‘responsible for the individual’ where the individual is physically or legally incapable of giving consent to the disclosure or physically cannot communicate consent.[29] Finally, an organisation may collect health information without consent where it is necessary to provide a health service to the individual[30] or where necessary for the management, funding and monitoring of a health service.[31]

62.23 The Privacy Act defines a ‘health service’ as follows:

(a) an activity performed in relation to an individual that is intended or claimed (expressly or otherwise) by the individual or the person performing it:

(i) to assess, record, maintain or improve the individual’s health; or

(ii) to diagnose the individual’s illness or disability; or

(iii) to treat the individual’s illness or disability or suspected illness or disability; or

(b) the dispensing on prescription of a drug or medicinal preparation by a pharmacist.[32]

62.24 The definition of ‘health service’ in the draft National Health Privacy Code has a number of differences, including express references to injuries, disability support services, palliative care services, and aged care services. The draft Code definition is as follows:

‘health service’ means—

(a) an activity performed in relation to an individual that is intended or claimed (expressly or otherwise) by the individual service provider or the organisation performing it—

(i) to assess, maintain or improve the individual’s health; or

(ii) to diagnose the individual’s illness, injury or disability; or

(iii) to treat the individual’s illness, injury or disability or suspected illness, injury or disability; or

(b) a disability service, palliative care service or aged care service; or

(c) the dispensing on prescription of a drug or medicinal preparation by a pharmacist—

but does not include a health service, or a class of health service, that is prescribed as an exempt health service or to the extent that it is prescribed as an exempt health service.

62.25 The definition in the Victorian Health Records Act is very similar to that in the draft Code.[33] The definitions in the ACT health records legislation and the Northern Territory Information Act have many of the same elements.[34] The New South Wales legislation, however, takes a different approach, setting out a non-exhaustive list of the services covered—such as medical, hospital and nursing services, dental services and mental health services—rather than describing them in more general terms.[35]

Issues Paper 31

62.26 In IP 31, the ALRC asked whether the definition of ‘health service’ in the draft National Health Privacy Code was appropriate and effective and whether that definition should be adopted into the Privacy Act.[36]

62.27 There was some support expressed in submissions to IP 31 for the definition of ‘health service’ in the draft National Health Privacy Code.[37] The NHMRC stated that:

We are aware also that there is some debate in the Aged Care sector about whether residential aged care is a health service or a social/accommodation service. We support, therefore, the inclusion of a more expansive definition of ‘health service’ in the Privacy Act, incorporating reference to ‘disability services’, ‘palliative care services’, ‘aged care services’ and ‘injury’ explicitly, thereby avoiding any potential uncertainty.[38]

62.28 A number of other stakeholders agreed that the definition should be amended to cover the services that people with a disability, and those in palliative and residential aged care might use. These services provide care, supervision and assistance with daily life, rather than treatment.[39]

62.29 The Office of the Health Services Commissioner in Victoria expressed the view that:

Organisations providing a broad range of services intended to benefit the health and well-being of individuals, should be subject to the same privacy standards. As an example, HSC has received health privacy complaints concerning alternative therapists, which are included in the definition of health service under the Health Records Act and the National Code. The problem with the New South Wales approach is that a non-exhaustive definition that focuses on conventional medical and health services may be interpreted to exclude some alternative therapists, which might leave the public vulnerable.[40]

62.30 The OPC raised a number of concerns with the definition of ‘health service’ in the draft National Health Privacy Code, including the fact that the definition does not refer to ‘recording’ an individual’s health information. The draft Code definition also relies exclusively on the understanding of the health service provider as to whether a particular activity is intended or claimed to have health benefits. In contrast, the Privacy Act allows this to be judged from the perspective of the health service provider or the health consumer. The OPC did, however, express support for one element of the definition:

The Office also notes that the word ‘injury’ is added in addition to illness and disability in (a)(ii) and (iii) of the proposed NHPC definition. The nature of an injury appears to be distinct from the inherent properties of an illness or a disability, and as such, the inclusion of this word may increase the clarity of the definition.[41]

Discussion Paper proposal

62.31 In DP 72, the ALRC proposed that the definition of ‘health service’ in the Privacy Act should be extended to cover disability services, palliative care services and aged care services. These services do not fall comfortably within the existing definition of ‘health services’. They are, however, aimed at providing physical, mental and psychological care and support to individuals and often require the collection, use and disclosure of significant amounts of health information. The ALRC also expressed the view that an ‘injury’, as distinct from an ‘illness’ or a ‘disability’, should be referred to expressly in the definition of ‘health service’.

Submissions and consultations

62.32 A number of stakeholders expressed support for expanding the definition of ‘health service’ to include injuries and disability services, palliative care services and aged care services.[42] The OPC suggested, however, qualifying the references to disability, aged care and palliative care services to exclude services unrelated to health such as advocacy services.[43]

62.33 The Centre for Law and Genetics stated that:

We strongly support the proposed amendments to the definition of health service to ensure that complementary therapies are included. There has been a massive increase in the development, marketing and advertising of complementary ‘health’ products and services. These service providers should be governed by regulations no less prescriptive than those applying to the traditional health service agencies and organisations.[44]

62.34 Other stakeholders agreed that the definition should extend to complementary and alternative therapies and to ‘wellness’ services; for example, those related to pregnancy and weight loss.[45] The NHMRC suggested that cosmetic surgical procedures would not be covered by the existing definition and that the definition of ‘health service’ be amended to refer to the ‘prevention’ of illness:

We believe that prevention of illness (for example through immunisation) differs from maintenance of health, which we consider indicates an active intervention once a risk factor or disease has been identified (for example, through the supply or prescription of medications to control an individual’s blood cholesterol or blood pressure).[46]

62.35 The NHMRC also noted that a number of organisations offer genetic or other testing but do not claim to use this information to assess, predict, maintain or improve an individual’s health. Such tests are offered, for example, by providers of skin care and dietary products.

62.36 The NHMRC also discussed the case of Australian Biologics Testing Services. The Australian Competition and Consumer Commission (ACCC) instituted proceedings in the Federal Court of Australia against Australian Biologics alleging that representations made in its brochures and on its website were false, misleading, and deceptive. The representations included that thermography tests offered by Australian Biologics could be used for diagnostic purposes in the cardiac field. The ACCC alleged that the representations were not supported by scientific or medical testing.[47] The case was settled by consent on the basis that:

Australian Biologics agreed that the tests it offers are not diagnostic and the results of such tests are not indicative of a specific medical condition and undertook not to make a number of claims relating to the utility of its services for the diagnosis of specific medical conditions.[48]

62.37 A number of stakeholders were of the view that simply ‘recording’ health information should not be sufficient to bring an agency or organisation within the definition of a health service provider.[49] On the other hand, the OPC was of the view that the term ‘record’ should remain in the definition:

Nevertheless, the Office notes the potential ambiguity between organisations which record an individual’s health in the course of providing a health service, and entities which may record or document health information in ways that would not ordinarily be considered to be health service provision. The second category may include the recording of health information by health insurance companies, employers and others.[50]

62.38 The Victorian Office of the Health Services Commissioner stated that:

HSC believes the term ‘record’ is not necessary in the definition of health service, as it does not add anything that is not already covered by the other definitions. The example given at paragraph 57.26 is of health monitoring, which involves recording someone’s blood pressure, height and weight with no further action taken unless a change occurs. Such an organisation recording this information would be doing so to assess or improve an individual’s health or to diagnose or treat a condition, and would therefore be covered by the other definitions.[51]

62.39 Certain other stakeholders asked whether the provision of health insurance came within the definition of a health service.[52] Medicare Australia stated that:

Medicare Australia also receives many thousands of requests from insurance companies that seek information about pre-existing illnesses while processing claims. We take great care to ensure that the claimants provide informed consent in these cases. It is very important that these requests should not be seen as ‘collection where it is necessary to provide a health service’.[53]

ALRC’s view

62.40 The ALRC notes that the term ‘health service’ is used in the Privacy Act as part of the definition of ‘health information’, and to allow more permissive collection, use and disclosure of health information in the health services context than would normally be allowed under the NPPs. For example, under NPP 10.2, a doctor may collect health information about an individual without consent where that individual is unconscious, or too ill to provide consent, and the collection is related to providing care and treatment for the individual.

62.41 It is important to ensure that the definition of ‘health service’ is appropriately limited to the provision of services intended, for example, to assess or improve the individual’s health and does not extend to activities such as providing health insurance. It would not be appropriate for the more permissive provisions on collection, use and disclosure of health information to occur in the health insurance context. For this reason, the ALRC recommends that ‘recording’ an individual’s health should be removed from the definition of ‘health service’. The term is unnecessary and that it may lead to undesirable outcomes.

62.42 The definition should continue to allow the assessment of the service to be made by the individual or the service provider. The ALRC did not receive any submissions indicating problems with the existing provision.

62.43 The ALRC also recommends that the definition of ‘health service’ be amended to include activities that:

  • ‘predict’ the individual’s physical, mental or psychological health or status, in order to accommodate some forms of genetic testing;

  • ‘prevent’ illness, injury or disability in order to cover, for example, services to assist with diet and weight loss and immunisations; and

  • assess or predict the individual’s physical, mental or psychological ‘status’. This change is intended to capture a range of things such as genetic or other testing that is not primarily concerned with the health or disability of an existing individual—as may sometimes be the case with genetic carrier testing, where the information is primarily about the health of any possible future children.

62.44 The ALRC also recommends the inclusion of surgical or related services to capture cosmetic procedures, and has taken up the OPC’s suggestion that disability, palliative care or aged care services should be limited to health-related services. Finally, the definition should be amended to include ‘injuries’ as well as ‘illness’ and ‘disability’.

Recommendation 62-2 The Privacy Act should be amended to define a ‘health service’ as:

a. an activity performed in relation to an individual that is intended or claimed (expressly or otherwise) by the individual or the service provider to:

(i) assess, predict, maintain or improve the individual’s physical, mental or psychological health or status;

(ii) diagnose the individual’s illness, injury or disability; or

(iii) prevent or treat the individual’s illness, injury or disability or suspected illness, injury or disability;

b. a health-related disability, palliative care or aged care service;

c. a surgical or related service; or

d. the dispensing on prescription of a drug or medicinal preparation by a pharmacist.

[28] NPP 2.1(ea) is discussed further in Ch 63.

[29] Privacy Act 1988 (Cth) sch 3, NPP 2.4.

[30] Ibid sch 3, NPP 10.2.

[31] Ibid sch 3, NPP 10.3.

[32] Ibid s 6.

[33] Health Records Act 2001 (Vic) s 3.

[34] Health Records (Privacy and Access) Act 1997 (ACT) Dictionary; Information Act 2002 (NT) s 4.

[35] Health Records and Information Privacy Act 2002 (NSW) s 4.

[36] Australian Law Reform Commission, Review of Privacy, IP 31 (2006), Question 8–7.

[37] Health and Community Services Complaints Commission (South Australia), Submission PR 207, 23 February 2007; Australian Nursing Federation, Submission PR 205, 22 February 2007; Department of Health Western Australia, Submission PR 139, 23 January 2006; Australian Government Department of Human Services, Submission PR 136, 19 January 2007; Centre for Law and Genetics, Submission PR 127, 16 January 2007.

[38] National Health and Medical Research Council, Submission PR 114, 15 January 2007.

[39] New South Wales Guardianship Tribunal, Submission PR 209, 23 February 2007; Australian Institute of Health and Welfare, Submission PR 170, 5 February 2007.

[40] Office of the Health Services Commissioner (Victoria), Submission PR 153, 30 January 2007.

[41] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[42] Government of South Australia, Submission PR 565, 29 January 2008; Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Australian Medical Association, Submission PR 524, 21 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; Pharmacy Guild of Australia, Submission PR 433, 10 December 2007; Carers Australia, Submission PR 423, 7 December 2007.

[43] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[44] Centre for Law and Genetics, Submission PR 497, 20 December 2007.

[45] New South Wales Government Department of Health, Submission PR 458, 11 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[46] National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[47] Australian Competition and Consumer Commission, ‘ACCC Settles Proceedings Against Australian Biologics’ (Press Release, 15 July 2004).

[48] National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[49] See, eg, Confidential, Submission PR 570, 13 February 2008.

[50] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[51] Office of the Health Services Commissioner (Victoria), Submission PR 518, 21 December 2007.

[52] Confidential, Submission PR 519, 21 December 2007.

[53] Medicare Australia, Submission PR 534, 21 December 2007.

Table of Contents: