Provision of health services

62.58 The following section deals with the impact of the Privacy Act on the provision of health services to health consumers. It was suggested in consultations that the Privacy Act impeded the provision of health services to consumers, for example, by interfering with the appropriate sharing of an individual’s health information between members of the team of health professionals treating the individual.[66] This may be a result of problems with the Privacy Act, which are discussed in Chapter 63 in relation to particular privacy principles, or it may be for other reasons. For example, there may be a chilling effect on the sharing of information based on a misunderstanding of, or an overly cautious approach to, the Act or the privacy principles.

62.59 In its submission to the Office of the Privacy Commissioner review of the private sector provisions of the Privacy Act (the OPC Review),[67] the NHMRC stated that:

The NHMRC considers that the application and/or interpretation of the Privacy Act is impairing the quality, effectiveness and timeliness of management of health information. In their efforts to ensure compliance with the law, health care professionals and administrators are experiencing considerable difficulty in developing and implementing practical policies that do not ‘over-interpret’ their obligations and do not impair the legitimate flow of information between providers for patient care purposes.

The NHMRC also considers that the overall public interest and the interests of the majority of individual patients are served by the efficient transfer of all necessary clinical information between health care providers for the purposes of the current care of an individual patient. There is, in fact, considerable potential for individual harm as a result of a privacy regime which results in individual health care providers being uncertain about their legal obligations, afraid of breaking the law by transferring health information without explicit consent, and implementing ineffective and inefficient procedures in their efforts to comply with the law.[68]

62.60 The OPC Review recommended the development of further guidance in relation to the use and disclosure of health information in the health services context under the NPPs.[69]

Submissions and consultations

62.61 In its submission to the Inquiry, DOHA stated that:

It is not possible to point to specific evidence of incidents where the present regulatory environment for health information has impeded the provision of health service delivery. Anecdotally, in handling enquiries on privacy matters Departmental officers are aware of instances where callers have complained about a request for information being refused ‘because of the Privacy Act’. In discussions with private medical practitioners, frustration has been expressed about not being able to easily obtain information from a public hospital about a recent admission of one of their patients for the purpose of treatment. These kinds of responses and perceptions often result from a misunderstanding of the privacy regulation, something that is not helped by the inconsistencies, complexities and confusion that results from the present regulatory environment.[70]

62.62 This is consistent with comments in other submissions that indicated that the problem is not the content of the privacy principles themselves, but rather a lack of understanding of relevant legislation and principles.[71] The Western Australian Department of Health also suggested that part of the problem lies in changing clinical practice that now involves multiple health service providers from a greater range of institutions in the treatment of one individual. The Department noted the need for communication and education to manage this transition.[72]

62.63 The NHMRC expressed the view that the principles could be made clearer:

The NHMRC has significant anecdotal evidence and survey responses indicating that disclosure of health information for the purposes of current treatment is being impeded by the privacy regulatory regime. We consider that disclosure of relevant health information for current treatment purposes should be permitted provided there is no indication to the disclosing organisation that such disclosure is or would be unacceptable to the patient; and there are no other circumstances which could reasonably be expected to alert the disclosing organisation that the patient would object to disclosure. We consider that this issue is of sufficient significance to warrant recognition, through a binding determination, legislative or regulatory change, of the circumstances in which disclosure can be made for the purposes of ongoing clinical care.[73]

62.64 The OPC, however, expressed the view that the NPPs are consistent with best practice and professional ethical standards in the health services context. The OPC suggested that the major impediments to appropriate information flow between health service providers were uncertainty created by regulatory complexity and overlapping and inconsistent legislation regulating the handling of health information in different jurisdictions.[74]

62.65 The Victorian Office of the Health Services Commissioner was of the view that the Health Privacy Principles (HPPs) in the Health Records Act were based on good standards of health service delivery and did not cause problems of the type discussed above. The Office suggested that the problem arose from a different source:

As a result of the introduction of privacy legislation, individuals who believe their privacy has been breached have somewhere to complain, and this makes some health providers more cautious in their dealings with individuals. Some health service providers have interpreted privacy to mean secrecy. The solution is training, resources and support.[75]

ALRC’s view

62.66 While there was some evidence in submissions and consultations that the regulation of health information in Australia is causing problems for health service providers, there was very little evidence that the problem lies with the IPPs or NPPs. The problems identified included confusion caused by regulatory complexity and a lack of understanding of some of the principles and how they might apply in the health services context. The recommendations in Chapter 3, aimed at achieving national consistency in privacy regulation, in combination with the recommendation for one set of Unified Privacy Principles (UPPs)[76] and a rationalisation of the exceptions and exemptions in the Privacy Act,[77] will go a long way towards resolving the uncertainty and confusion caused by the existing regime.

62.67 As discussed in Chapter 4, a principles-based privacy regime focuses on high-level, broadly stated principles rather than detailed, prescriptive rules. This is intended to shift the regulatory focus from process to outcomes. Principles-based regulation facilitates regulatory flexibility through a statement of general principles that can be applied to new and changing situations. This is considered entirely appropriate and workable in the health services context.

62.68 The model UPPs provide that health information generally must be collected with consent, although that consent may be express or implied. Health information may be used or disclosed for the purpose for which it was collected and any other directly related purpose, within the reasonable expectations of the individual health consumer. These principles provide extensive scope for exchange of information among members of treatment teams, while encouraging good communication with health consumers about the collection, use and disclosure of their health information. They do not require written consent from the health consumer for every collection, use or disclosure, nor do they prevent the sharing of health information among the members of a team of health service providers treating a health consumer. There was no evidence provided to the Inquiry that these basic principles were inappropriate or unworkable in practice.

62.69 In addition, there are a number of exceptions to the principles that, while applying broadly to personal information, are relevant to the handling of health information in the health services context. These include the exceptions in:

  • the ‘Collection’ principle, which allows the collection of sensitive information, including health information, without consent where the collection is necessary to prevent or lessen a serious threat to the life or health of any individual, where the individual to whom the information relates is incapable of giving consent; and

  • the ‘Use and Disclosure’ principle, which allows the use or disclosure of personal information, including health information, if the agency or organisation reasonably believes that the use or disclosure is necessary to lessen or prevent a serious threat to an individual’s life, health or safety or to public health or public safety.

62.70 Finally, there are a number of principles and exceptions that apply only to health information. In Chapter 60, the ALRC recommends that these principles and exceptions should sit in the new Privacy (Health Information) Regulations.[78] Each of these additions to the model UPPs is considered in Chapter 63.

62.71 The OPC Review recommended the development of further guidance in relation to the use and disclosure of health information in the health services context.[79] The ALRC supports this approach and notes that the OPC has issued a number of new information sheets including Information Sheet 25: Sharing Health Information to Provide a Health Service.[80] In light of the comments from stakeholders noted above, it seems clear that there is a need for guidance and training for health service providers to ensure a better understanding of the intent and application of principles-based regulation and the privacy principles. In addition, this issue may require further attention from providers of education and training in the health services context. The ALRC notes, however, that in a principles-based regime there always will be a need for the exercise of judgment and discretion by agencies and organisations handling health information.

[66] NHMRC Privacy Working Committee, Consultation PC 13, Canberra, 30 March 2006.

[67] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005).

[68] National Health and Medical Research Council, Submission to the Office of the Privacy Commissioner Review of the Private Sector Provisions of the Privacy Act 1988, 10 December 2004.

[69] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), recs 77, 78.

[70] Australian Government Department of Health and Ageing, Submission PR 273, 30 March 2007.

[71] Australian Nursing Federation, Submission PR 205, 22 February 2007; Centre for Law and Genetics, Submission PR 127, 16 January 2007; A Smith, Submission PR 79, 2 January 2007.

[72] Department of Health Western Australia, Submission PR 139, 23 January 2006.

[73] National Health and Medical Research Council, Submission PR 114, 15 January 2007.

[74] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[75] Office of the Health Services Commissioner (Victoria), Submission PR 153, 30 January 2007.

[76] Recommendation 18–2.

[77] As recommended in Part E.

[78] Rec 60–1.

[79] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), recs 77, 78.

[80] Office of the Privacy Commissioner, Sharing Health Information to Provide a Health Service, Information Sheet 25 (2008).