A separate set of Health Privacy Principles?

60.55 At the federal level, health information is generally treated as a sub-set of ‘sensitive information’ under the Privacy Act, although there are a number of provisions and principles that deal specifically with health information. As noted above, three of the states and territories have taken a different approach. New South Wales, Victoria and the ACT have separate legislation—including a separate set of privacy principles—dealing specifically with health information.[63]

60.56 In considering the Privacy Amendment (Private Sector) Bill 2000 (Cth), the House of Representatives Standing Committee on Legal and Constitutional Affairs noted that the inclusion of health information was the most contentious aspect of the Bill.[64] Some stakeholders expressed the view that health information should not be included in the Bill because:

  • the health sector is so different from other sectors that the attempt to incorporate it within the general framework of the Bill was misguided;

  • the rights contained in the Bill enabling individuals to obtain access to their own health information were inadequate; and

  • the Bill created inconsistent standards governing privacy rights in the public and private sectors.[65]

60.57 Other stakeholders expressed the view that health information should be included in the Bill on the basis that such information is held in a variety of contexts other than the health services context—such as insurance and employment—and that a different approach to the handling of health information would make it difficult to achieve a nationally consistent privacy framework. In addition, stakeholders expressed the view that the modifications made in relation to the handling of sensitive information in the NPPs provided an appropriate and workable framework for the handling of health information.[66]

60.58 The House of Representatives Standing Committee concluded that health information should be included in the Bill.[67] The Committee expressed concern, however, about ‘the resulting plethora of principles that will then apply to both the public and private health sectors’.[68] The Committee recommended that:

the Government encourage all relevant parties to reach an agreed position on the major issues raised in the evidence to this inquiry, such as the harmonisation of privacy principles applicable to the public and private sectors, as a matter of urgency.[69]

60.59 The issue of national consistency was central to these recommendations, but the Committee did not consider in any detail the argument that health information and the health context are so unique that they require a separate set of principles.

The Privacy Act 1988 (Cth)

60.60 As discussed in Chapter 5, the federal Privacy Act originally regulated the handling of personal information by Australian Government and ACT public sector agencies. The Act required agencies to apply the IPPs in handling all personal information. The IPPs do not draw a distinction between personal information and sensitive information or health information.[70]

60.61 The Privacy Amendment (Private Sector) Act 2000 (Cth), and the NPPs set out in that Act, however, do draw a distinction between personal information, sensitive information and health information. ‘Sensitive information’ is defined to include ‘health information’ and is given a higher level of protection under the NPPs than other personal information. Sensitive information:

  • may be collected only with consent, except in specified circumstances;[71]

  • must not be used or disclosed without consent for a secondary purpose unless that purpose is directly related to the primary purpose of collection and within the reasonable expectations of the individual;[72]

  • must not be used for the secondary purpose of direct marketing;[73] and

  • cannot be shared by ‘related bodies corporate’ in the same way that they may share other personal information.[74]

60.62 The NPPs also make special and specific provision for the collection, use and disclosure of health information in some circumstances, for example: for the management, funding and monitoring of a health service;[75] and for the purposes of research, or the compilation or analysis of statistics, relevant to public health or public safety.[76]

60.63 In addition, NPP 10.2 provides for the collection of health information without consent where the information is necessary to provide a health service to the individual. The information must be collected only as required or authorised by or under law, or in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality that bind the organisation.[77]

60.64 NPP 2.1(ea) deals specifically with genetic information that has been collected in the course of providing a health service to an individual and allows an organisation to use or disclose that information to a genetic relative where the organisation reasonably believes that the use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of the genetic relative. NPP 2.1(ea) also provides that any such use or disclosure must be in accordance with guidelines issued by the NHMRC and approved by the Privacy Commissioner.[78]

60.65 NPP 2.4 establishes a regime under which a health service provider may disclose an individual’s health information to ‘a person who is responsible for the individual’ including certain family members, carers and legal guardians in some circumstances. These include where the individual is physically or legally incapable of giving consent to the disclosure.[79]

60.66 NPP 6.1(b) provides a special exception to the access principle in relation to health information. An organisation need not provide access to an individual’s health information where providing access would pose a serious threat to the life or health of any individual. In these circumstances the organisation must, if reasonable, consider whether the use of mutually agreed intermediaries would allow sufficient access to meet the needs of both parties.[80]

The draft National Health Privacy Code

60.67 In June 2000, Australian Health Ministers established the Australian Health Ministers’ Advisory Council (AHMAC) National Health Privacy Working Group. The purpose of the Working Group was to address the need for a nationally consistent framework for health information privacy. The AHMAC Working Group was made up of representatives of state and territory health authorities and the Australian Government Attorney-General’s Department, and was chaired by DOHA. The Health Insurance Commission, the Australian Institute of Health and Welfare and the OPC had observer status on the AHMAC Working Group and provided specialist advice.[81]

60.68 The framework developed by the AHMAC Working Group has become known as the draft National Health Privacy Code (the draft Code). In order to achieve national consistency, the draft Code was intended to apply to all health service providers and organisations that collect, hold or use health information across the public and private sectors in every Australian state and territory.[82] The draft Code contains 11 National Health Privacy Principles (NHPPs) and additional detailed procedures for providing individuals with access to their health information.

60.69 Following a public consultation process, a revised version of the draft Code, as well as draft mandatory research guidelines and explanatory notes for the use or disclosure of genetic information, were developed.[83] These, however, have not been made available publicly. Consequently, where provisions of the draft Code are discussed in this Report, references are to the provisions released for public comment in 2003. While much of its content was finalised, as at August 2006 the draft Code had not been endorsed formally at a ministerial level[84] and an implementation mechanism had not been settled.[85]

60.70 Although the NHPPs have much in common with the NPPs, there are also numerous differences. In general, the NHPPs are more detailed and provide specific guidance on issues such as the handling of health information on the death of a health service provider or where a health service closes, is sold or amalgamates with another service. Some specific NHPPs differ from their equivalent NPPs. For example, while NPP 4 requires organisations to take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed,[86] NHPP 4 requires health service providers to retain health information for at least seven years.[87]

State and territory health privacy legislation

60.71 The Health Records and Information Privacy Act 2002 (NSW) regulates the handling of health information in the public and private sectors and includes a set of 15 Health Privacy Principles (HPPs). The HPPs expressly address issues such as the use of health information without consent for: the funding, management, planning or evaluation of health services;[88] research;[89] and health records linkage.[90] The Act also includes detailed provisions on providing access to health information.

60.72 The Health Records Act 2001 (Vic) also regulates the handling of health information in the public and private sectors and includes a set of 11 HPPs. The Victorian HPPs require the retention of health information records for at least seven years.[91] The HPPs also expressly address issues such as: the use of health information without consent in the funding, management, planning, monitoring, improvement or evaluation of health services;[92] the use of health information in research;[93] the transfer of health information when a consumer changes health service provider; and arrangements for the custody of health information when a health service provider closes or dies.[94] As in New South Wales, the Act includes detailed provisions on providing access to health information.

60.73 The Health Records (Privacy and Access) Act 1997 (ACT) regulates the handling of health information in the public and private sectors and includes a set of 12 Privacy Principles. These principles expressly address issues such as: the sharing of information among members of a treating team;[95] transfer or closure of a health service provider’s practice; and the transfer of a health consumer’s health information from one health service provider to another when the consumer changes health service provider.[96] In common with the legislation in New South Wales and Victoria, the Act includes detailed provisions on providing access to health information.

Issues Paper 31

60.74 In IP 31, the ALRC asked whether the draft National Health Privacy Code was an effective way to achieve a nationally consistent and appropriate regime for the regulation of health information.[97] Implicit in this question was the question of whether the handling of health information requires a separate and distinct set of principles.

Submissions and consultations

60.75 In consultation, the Office of the Health Services Commissioner (Victoria) expressed the view that health information does require a separate set of principles because of the intimate nature of the information and the fact that some health information—such as mental health information—can lead to stigmatisation or discrimination.[98] In its submission, the Office of the Health Services Commissioner also expressed the view that the draft Code provided a good starting point:

A great deal of important work and consultation with key stakeholders has already taken place. It would be a regrettable waste of public resources not to utilize the work involved in drafting the National Code. Mirror or applied legislation as set out in paragraph 8.43 of the Issues Paper are the most desirable and effective models for implementing the National Code.[99]

60.76 A number of other stakeholders agreed that health information and the health services context are unique and require a specific regulatory regime.[100] Some stakeholders expressed support for the draft Code.[101]

60.77 The Australian Nursing Federation stressed the need for consistent and carefully crafted principles to assist health service providers to achieve the difficult balances that are required in their daily decision making. The Federation also noted the considerable investment in the development of the draft National Health Privacy Code and expressed the view that the draft Code was an appropriate vehicle for developing a nationally consistent framework for the regulation of health information.[102]

60.78 The Western Australian Department of Health expressed support for a separate set of health principles, noting the need to use health information for continuity of care in relation to individuals and monitoring and protecting the community on public health issues. The Department noted, however, that a separate set of principles may lead to uncertainty in some contexts—such as child welfare—about which principles apply.[103]

60.79 On the other hand, a significant number of other stakeholders were of the view that, for simplicity and consistency, one set of privacy principles should apply to personal information, including health information. There was recognition, however, that there may be a need for supplementary principles or guidance on the detailed application of the principles in the health services context.[104]

60.80 The NHMRC expressed some support for the draft National Health Privacy Code, but stated that it would prefer a uniform national system incorporating specific elements regulating health information, rather than a separate code.[105] The OPC agreed with the NHMRC, stating that:

Health privacy regulation could be enhanced by building upon existing provisions, without the necessity of an additional instrument or an entirely new set of principles.

The Office understands that other stakeholders may hold differing views on this matter and would prefer a separate regulatory instrument specifically for the health sector. The Office submits that a uniform and coherent approach to privacy regulation is best served by incorporating privacy protections into a single body of regulation.

A single body of regulation is also likely to reduce regulatory complexity for those agencies and organisations that handle both health and non-health information. The existence of separate sets of principles may create confusion by requiring agencies and organisations to refer to different instruments, depending on the type of personal information they are handling at any given time.[106]

60.81 In the course of the OPC Review, the OPC considered whether it would be possible to incorporate elements of the draft Code into the NPPs. The OPC stated that

the resulting principles would be longer and more complex. This option would require the insertion of multiple sub-principles and exceptions to the NPPs to take account of the code.

This approach would run counter to the intent of delivering general, high-level principles for all business and government sectors. For instance, the approach would mean that non-health organisations and agencies would need to deal with a more complex set of privacy principles, where much of the content may not apply to them. This would not improve, and may even increase, regulatory complexity overall.[107]

60.82 In addition, the OPC stated in its submission on IP 31 that the draft National Health Privacy Code seemed ‘unwieldy, complex and overly prescriptive’.[108]

60.83 The Australian Privacy Foundation stated that, while in principle the draft Code could form the basis of more detailed principles for health information:

One difficulty with the development of a separate code is that it encourages drafters and stakeholders to adjust the information privacy principles more than necessary, creating arbitrary or intricate differences that then create confusion. This is evident in the creation of the Health Records Act in Victoria, which adopts much of the information privacy principles that appeared in the State’s Information Privacy Act but is more prescriptive and creates distinctions that may or may not be significant yet cause confusion.[109]

Discussion Paper proposals

60.84 In DP 72, the ALRC expressed the view that health information should be regulated under the general provisions of the Privacy Act and the UPPs. Certain additions to the proposed UPPs, relating specifically to the handling of health information, were to be promulgated in new regulations under the Privacy Act—the Privacy (Health Information) Regulations.[110] Some of these proposed regulations were based on elements of the draft National Health Privacy Code and are discussed in detail in Chapter 63. The intent of the proposal was to capture those elements of the draft Code that stakeholders considered most valuable and to build them into a system based on the Privacy Act and the UPPs. This was intended to ensure that the principles regulating personal information and health information were the same, as far as possible. The additional provisions dealing with health information, to be set out in the new regulations, were designed to sit comfortably with the UPPs.

60.85 The ALRC also proposed that the OPC should publish a document bringing together the UPPs and any health-specific additions set out in the regulations.[111] It was intended that this document would contain a complete set of UPPs and regulations relating to health information. Finally, the ALRC proposed that the OPC—in consultation with DOHA and other relevant stakeholders—should develop guidelines on the handling of health information under the Privacy Act and regulations.[112]

Submissions and consultations

60.86 These proposals received a mixed response in submissions and consultations. A number of stakeholders expressed the view that the proposed regulatory structure had the potential to lead to confusion, as agencies and organisations handling health information would be required to consider both the UPPs and the regulations.[113] Another stakeholder was concerned that the proposed framework would not support national consistency.[114]

60.87 The Victorian Office of the Health Services Commissioner remained of the view that a separate set of health privacy principles was necessary. The Office also stated that high-level principles are sometimes not sufficient for dealing with the handling of health information and that more prescriptive rules are necessary in some circumstances. The Office noted that rules-based regulation does not have an adverse effect on cooperative, compliant organisations and provides certain and enforceable provisions where necessary.[115]

60.88 On the other hand, the Government of South Australia was of the view that the model UPPs would provide sufficient protection for health information and that additional regulations would be unnecessary. If there was a need for additional provisions, the Government of South Australia was of the view that they should be included in the UPPs.[116] The OPC agreed that any additional provisions should be included in the body of the UPPs.[117]

60.89 The Australian Privacy Foundation expressed support for the proposals, while expressing some concern about the complexity of the ALRC’s proposed regulatory framework and the efficacy and balance of OPC guidance.[118] Other stakeholders expressed support for the ALRC’s proposed regulatory structure.[119] The Centre for Law and Genetics expressed support, noting that the proposals

seek to maximise achieving consistency of the revised federal principles (proposed UPPs) but at the same time, acknowledging the special considerations pertaining to the health area. We believe that this will adequately cater for the practical needs of this complex area without detracting from a coherent national privacy scheme in Australia.[120]

60.90 The Australian Government Department of Human Services noted that the proposed approach would provide certainty in terms of requirements, and administrative flexibility where health-specific amendments to the UPPs were necessary.[121]

60.91 There was significant support for the ALRC’s proposal that the OPC develop guidance on the handling of health information,[122] with a number of stakeholders noting that the consultation process should involve state and territory agencies, health service providers, health insurers, health consumers and others.[123] Carers Australia noted that this guidance could assist health service providers to engage and share information with carers in appropriate circumstances.[124]

ALRC’s view

60.92 The ALRC recognises that handling health information does raise some unique issues and that these require additional consideration in the development of privacy principles, rules and guidelines. For example, in ALRC 96, the ALRC and AHEC noted:

The collection of family medical history is an established part of medical practice. When providing a health service, health professionals may need to collect family medical history in order to diagnose a patient’s condition accurately … If this information is not collected the medical care or advice provided to the patient may be compromised.[125]

60.93 The ALRC also acknowledges the investment of time and effort that has gone into developing the draft National Health Privacy Code and the level of support the draft Code has among stakeholders. The provisions of the draft Code, taken as a whole, are very detailed and highly prescriptive. As discussed in Chapter 4, the ALRC’s preference is for principles-based regulation as the foundation of privacy regulation in Australia, only relying on more prescriptive rules where absolutely necessary.

60.94 Chapter 4 examines the differences between principles-based regulation and prescriptive rules-based regulation. Principles-based regulation sets out objectives without providing inflexible rules on how to achieve those objectives. Principles-based regulation provides greater flexibility, enabling the regime to respond to new issues as they arise without having to create new rules. Rules-based regulation is less flexible and can impose requirements that are not always appropriate in every situation. The draft Code includes a significant amount of material that is closer in nature to rules than principles, setting out how health information is to be handled in particular situations. For example, the Code includes 17 clauses on access to health information. This level of detail is not necessary and has the potential to stymie creative approaches to providing access to health information.

60.95 The ‘Access and Correction’ principle, discussed in Chapter 29, provides a suggested framework for access to personal information. Much of the detail provided in the draft Code in relation to access—for example, how a right of access may be exercised and in what form health information may be provided—is consistent with this principle and could be included in guidelines issued by the OPC. The guidelines could make clear, for example, that organisations may provide a copy of the health information to the individual or, if the individual agrees, an accurate summary of the health information.[126] The ALRC recommends that the OPC develop such guidelines in consultation with relevant stakeholders and is of the view that the draft Code would provide a valuable starting point in the development of such guidelines.

60.96 In addition, the ALRC is strongly of the view that it is undesirable to have two sets of privacy principles, one set dealing with health information and one set dealing with other personal information. In Chapter 14, the ALRC examines the impact of inconsistency and fragmentation in the privacy regime and notes that one cost is less sharing of information in appropriate circumstances. This is a particular problem in the health services context where appropriate sharing of health information between members of treating teams is essential to the wellbeing of health consumers.

60.97 The Taskforce on Reducing Regulatory Burdens on Business (the Regulatory Taskforce) noted that achieving nationally consistent privacy laws is an important factor in reducing compliance costs for business.[127] The Regulatory Taskforce recommended that the Australian Government ask the Standing Committee of Attorneys-General to endorse national consistency in all privacy-related legislation based on the concept of minimum effective regulation.[128] In its response to Rethinking Regulation, the Australian Government stated that:

The Australian Government agrees to the recommendation and supports the goal of national consistency in privacy-related legislation. At the April 2006 meeting of the Standing Committee of Attorneys-General, Attorneys-General agreed to establish a working group to advise Ministers on options for improving consistency in privacy regulation, including workplace privacy.[129]

60.98 Having one set of principles regulating the handling of health information and another set of principles regulating the handling of other personal information would not reduce compliance costs for business and would not be consistent with the goal of national consistency in privacy legislation. The provisions of the draft Code are not consistent with the provisions of the Privacy Act, or with the model UPPs. Having two regimes running side by side would contribute to fragmentation, inconsistency and compliance costs for all stakeholders, particularly those who handle both health and non-health information.

60.99 Health information is handled in a range of contexts, not only the health services context. Agencies and organisations that handle health information as well as other personal information should not be required to comply with two sets of principles. There is significant overlap in the basic approach to handling health information in state and territory legislation, the NHPPs and the model UPPs. For example, UPP 5 provides that sensitive information, including health information, may be used for the purpose for which it was collected or a directly related secondary purpose where the individual would reasonably expect the information to be used in that way. This is consistent with the Victorian HPPs and the NHPPs. The NSW HPPs and the ACT privacy principles only require that the secondary purpose be directly related to the purpose for which it was collected.

60.100 The model UPPs provide a suitable basic framework for handling health information. With some health-specific additions to the UPPs, a single legislative scheme would work effectively to regulate both health information and other personal information. These additions, including some health-specific exceptions to the UPPs and a number of health-specific additional privacy principles, are discussed in Chapter 63 and include some of the provisions developed in the context of the draft National Health Privacy Code.

60.101 The ALRC has considered whether the health-specific principles and exceptions should sit within the UPPs or outside the UPPs. Each approach has advantages and disadvantages. If the additional elements were included in the UPPs, the UPPs would be longer and more complex, but agencies and organisations would only have to refer to one source of guidance in handling all personal information, including health information. On balance, however, the ALRC recommends that the additional health information principles and exceptions to the UPPs be set out in regulations to be called the Privacy (Health Information) Regulations. This means that, for those agencies and organisations that do not handle health information, the UPPs will be more concise and accessible.

60.102 For those agencies and organisations that do handle health information, the ALRC recommends that the OPC publish a document setting out the UPPs as amended by the new Privacy (Health Information) Regulations. This document will provide a complete set of privacy principles covering health information, as well as other personal information. It would be possible to include a note in the UPPs indicating that those agencies and organisations that handle health information should refer to the Privacy (Health Information) Regulations.

60.103 The other reason that the ALRC proposes that health information-specific principles and exceptions be included in regulations is that health is an area in which the application of the model UPPs may need to be modified or clarified from time to time. In 2006, for example, the NPPs were amended to provide for the use and disclosure of genetic information to lessen or prevent a serious threat to the life, health or safety of a genetic relative.[130] This kind of change is achieved more easily through regulation than by amendment of the UPPs in the principal Act.

Recommendation 60-1 Health information should be regulated under the general provisions of the Privacy Act, the model Unified Privacy Principles (UPPs), and regulations under the Privacy Act—the new Privacy (Health Information) Regulations. The new Privacy (Health Information) Regulations should be drafted to contain only those requirements that are different or more specific than provided for in the model UPPs.

Recommendation 60-2 The Office of the Privacy Commissioner should publish a document bringing together the model Unified Privacy Principles (UPPs) and the additions set out in the new Privacy (Health Information) Regulations. This document should contain a complete set of the model UPPs as they relate to health information.

Recommendation 60-3 The Office of the Privacy Commissioner—in consultation with the Department of Health and Ageing and other relevant stakeholders—should develop and publish guidelines on the handling of health information under the Privacy Act and the new Privacy (Health Information) Regulations.

[63] Health Records and Information Privacy Act 2002 (NSW); Health Records Act 2001 (Vic); Health Records (Privacy and Access) Act 1997 (ACT).

[64] Parliament of Australia—House of Representatives Standing Committee on Legal and Constitutional Affairs, Advisory Report on the Privacy Amendment (Private Sector) Bill 2000 (2000), [6.2].

[65] Ibid, [6.12].

[66] Ibid, [6.7]–[6.10].

[67] Ibid, rec 15.

[68] Ibid, [6.35].

[69] Ibid, rec 14.

[70] The IPPs and NPPs are discussed in detail in Part D of this Report.

[71] Privacy Act 1988 (Cth) sch 3, NPP 10.

[72] Ibid sch 3, NPP 2.1(a).

[73] Ibid sch 3, NPP 2.1(c).

[74] Ibid s 13B.

[75] The management, funding and monitoring of health services is discussed in Ch 63.

[76] Research is discussed in detail in Chs 64, 65 and 66.

[77] NPP 10.2 is discussed further in Ch 63.

[78] This provision implements Rec 21–1 of Australian Law Reform Commission and Australian Health Ethics Committee, Essentially Yours: The Protection of Human Genetic Information in Australia, ALRC 96 (2003). NPP 2.1(ea) is discussed further in Ch 63.

[79] NPP 2.4 is discussed further in Ch 63, and in Ch 70 in relation to adults with a decision-making disability.

[80] NPP 6.1(b) is discussed further in Ch 63.

[81] Phillips Fox, Report on Public Submissions in Relation to Draft National Health Privacy Code (2003), 1.

[82] National Health Privacy Working Group of the Australian Health Ministers’ Advisory Council, Draft National Health Privacy Code (2003), pt 1 cl 1, pt 2 div 2.

[83] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 65.

[84] Australian Government Department of Health and Ageing, Correspondence, 17 August 2006.

[85] National E-Health Transition Authority, NEHTA’s Approach to Privacy, Version 1.0 (2006).

[86] Privacy Act 1988 (Cth) sch 3, NPP 4.2.

[87] National Health Privacy Working Group of the Australian Health Ministers’ Advisory Council, Draft National Health Privacy Code (2003), NHPP 4.2.

[88] Health Records and Information Privacy Act 2002 (NSW), sch 1, HPP 10(1)(d).

[89] Ibid sch 1, HPP 10(1)(f).

[90] Ibid sch 1, HPP 15.

[91] Health Records Act 2001 (Vic) sch 1, HPP 4.

[92] Ibid sch 1, HPP 2.2(f).

[93] Ibid sch 1, HPP 2.2(g).

[94] Ibid sch 1, HPP 10.

[95] Health Records (Privacy and Access) Act 1997 (ACT) sch 1, Privacy Principles 9 and 10.

[96] Ibid sch 1, Privacy Principles 11 and 12.

[97] Australian Law Reform Commission, Review of Privacy, IP 31 (2006), Question 8–3.

[98] Victorian Government Office of the Health Services Commissioner, Consultation PC 28, Melbourne, 9 May 2006.

[99] Office of the Health Services Commissioner (Victoria), Submission PR 153, 30 January 2007.

[100] Australian Nursing Federation, Submission PR 205, 22 February 2007; Health Informatics Society of Australia, Submission PR 196, 16 January 2007; Office of the Health Services Commissioner (Victoria), Submission PR 153, 30 January 2007; AAMI, Submission PR 147, 29 January 2007; Department of Health Western Australia, Submission PR 139, 23 January 2006; Australian Government Department of Human Services, Submission PR 136, 19 January 2007; Centre for Law and Genetics, Submission PR 127, 16 January 2007; Council of Social Service of New South Wales, Submission PR 115, 15 January 2007; Institute of Mercantile Agents, Submission PR 101, 15 January 2007; I Turnbull, Submission PR 82, 12 January 2007; Caroline Chisholm Centre for Health Ethics, Submission PR 69, 24 December 2006.

[101] Department of Health Western Australia, Submission PR 139, 23 January 2006; Australian Government Department of Human Services, Submission PR 136, 19 January 2007; Insurance Council of Australia, Submission PR 110, 15 January 2007.

[102] Australian Nursing Federation, Submission PR 205, 22 February 2007.

[103] Department of Health Western Australia, Submission PR 139, 23 January 2006.

[104] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; Health and Community Services Complaints Commission (South Australia), Submission PR 207, 23 February 2007; Government of South Australia, Submission PR 187, 12 February 2007; Australian Privacy Foundation, Submission PR 167, 2 February 2007; Office of the Information Commissioner (Northern Territory), Submission PR 103, 15 January 2007; South Australian Government Department of Health, Consultation PC 113, Adelaide, 2 March 2007; Australasian Compliance Institute, Consultation PC 53, Sydney, 17 January 2007; B Armstrong, Consultation PC 47, Sydney, 10 January 2007; D Giles, Consultation PC 6, Sydney, 2 March 2006.

[105] National Health and Medical Research Council, Submission PR 114, 15 January 2007.

[106] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[107] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 70.

[108] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[109] Australian Privacy Foundation, Submission PR 167, 2 February 2007.

[110] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 56–2.

[111] Ibid, Proposal 56–3.

[112] Ibid, Proposal 56–4.

[113] Office of the Health Services Commissioner (Victoria), Submission PR 518, 21 December 2007; BUPA Australia Health, Submission PR 455, 7 December 2007; Pharmacy Guild of Australia, Submission PR 433, 10 December 2007.

[114] Confidential, Submission PR 570, 13 February 2008.

[115] Office of the Health Services Commissioner (Victoria), Submission PR 518, 21 December 2007.

[116] Government of South Australia, Submission PR 565, 29 January 2008.

[117] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[118] Australian Privacy Foundation, Submission PR 553, 2 January 2008.

[119] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Australian Government Department of Human Services, Submission PR 541, 21 December 2007; Centre for Law and Genetics, Submission PR 497, 20 December 2007; Insurance Council of Australia, Submission PR 485, 18 December 2007; Northern Territory Government Department of Health and Community Services, Submission PR 480, 17 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; Law Society of New South Wales, Submission PR 443, 10 December 2007; Avant Mutual Group Ltd, Submission PR 421, 7 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[120] Centre for Law and Genetics, Submission PR 497, 20 December 2007.

[121] Australian Government Department of Human Services, Submission PR 541, 21 December 2007.

[122] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Australian Government Department of Human Services, Submission PR 541, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Office of the Health Services Commissioner (Victoria), Submission PR 518, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Centre for Law and Genetics, Submission PR 497, 20 December 2007; Northern Territory Government Department of Health and Community Services, Submission PR 480, 17 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; Law Society of New South Wales, Submission PR 443, 10 December 2007; Carers Australia, Submission PR 423, 7 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[123] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Confidential, Submission PR 519, 21 December 2007; Law Society of New South Wales, Submission PR 443, 10 December 2007.

[124] Carers Australia, Submission PR 423, 7 December 2007.

[125] Australian Law Reform Commission and Australian Health Ethics Committee, Essentially Yours: The Protection of Human Genetic Information in Australia, ALRC 96 (2003), [21.4].

[126] National Health Privacy Working Group of the Australian Health Ministers’ Advisory Council, Draft National Health Privacy Code (2003) pt 5, div 1, cl 3(1)(b).

[127] Regulation Taskforce 2006, Rethinking Regulation: Report of the Taskforce on Reducing Regulatory Burdens on Business, Report to the Prime Minister and the Treasurer (2006), [4.151].

[128] Ibid, rec 4.47.

[129] Australian Government, Rethinking Regulation: Report of the Taskforce on Reducing Regulatory Burdens on Business—Australian Government’s Response (2006), 26.

[130] Privacy Legislation Amendment Act 2006 (Cth).