Access to health information

Background

63.107 In Breen v Williams,[98] the High Court of Australia unanimously held that health consumers do not have a right of access to their medical records as a matter of common law. Consequently, health consumers must rely on legislation, including the Privacy Act, to provide them with a right of access to the health information held in medical records.

63.108 IPP 6 provides in relation to agencies that:

Where a record-keeper has possession or control of a record that contains personal information, the individual concerned shall be entitled to have access to that record, except to the extent that the record-keeper is required or authorised to refuse to provide the individual with access to that record under the applicable provisions of any law of the Commonwealth that provides for access by persons to documents.

63.109 The exceptions to IPP 6 include, for example, those situations in which a record-keeper is required or authorised to refuse access under the Freedom of Information Act 1982 (Cth) (the FOI Act) and the Archives Act 1983 (Cth). Chapter 15 considers how this legislation, including the exemptions set out in the legislation, interacts with the Privacy Act.

63.110 NPP 6 provides that organisations must provide individuals with access to their personal information on request, subject to a number of exceptions. In the case of health information, organisations are not required to provide access if doing so would pose a serious threat to the life or health of any individual.[99] The list of exceptions also includes situations in which: providing access would have an unreasonable impact on the privacy of other individuals;[100] the information relates to existing or anticipated legal proceedings between the organisation and the individual, and the information would not be accessible by the process of discovery;[101] and denying access is required or authorised by or under law.[102]

63.111 The draft National Health Privacy Code provides very detailed provisions on providing access to health information and for dealing with situations in which access is refused. As discussed in Chapter 60, this level of detail should not be included in a principles-based regime, but could be included in guidelines as suggested best practice. The grounds provided in NHPP 6 for refusing access are essentially the same as those provided in NPP 6.[103]

63.112 Both health consumers and health service providers appear to have concerns relating to access to health information. Of the 330 complaints under the NPPs against health care providers received by the OPC between 21 December 2001 and 31 January 2005, roughly half (163) concerned a refusal of access to health records.[104]

Breakdown in therapeutic relationship

63.113 In the course of the OPC Review, the AMA and the Mental Health Privacy Coalition expressed concern that, in the health care context, there are occasions when providing access to medical records could cause harm to the health consumer or interfere with the therapeutic relationship between a health consumer and a health service provider.[105] The OPC Review stated that access issues can cause breakdowns in therapeutic relationships and that this may give rise to a serious risk to patient health.[106]

63.114 The OPC expressed the view that NPP 6.1(c)—which allows an organisation to deny access where it would have an unreasonable impact on the privacy of someone else—might be relied upon to protect health service providers’ views in some circumstances. The OPC did not address the situation in which providing access might cause a breakdown in the therapeutic relationship, but would not pose a serious threat to the life or health of an individual. The OPC did not recommend an amendment to NPP 6,[107] but has issued further guidance in an information sheet on this matter: Denial of Access to Health Information due to a Serious Threat to Life or Health.[108]

Issues Paper 31

63.115 In IP 31, the ALRC asked whether the exception in NPP 6.1(b)—that allows access to be denied if it would pose a serious threat to the life or health of any person—was appropriate. The ALRC asked whether the exception should be extended to allow a health service provider to deny access to health information if providing access would pose a threat to the therapeutic relationship between the health service provider and the health consumer.[109]

Submissions and consultations

63.116 There was strong support among stakeholders for the existing exception in NPP 6.1(b)[110] and little support for extending the exception to include threats to the therapeutic relationship alone. A number of submissions noted that, while denying access to health information can damage therapeutic relationships, health consumers are at liberty to change health service providers if the relationship does break down. The ANF was strongly of the view that:

This exception should NOT be extended to allow a health service provider to deny access to health information if providing access to the information would pose a threat to the therapeutic relationship between the health service provider and the health consumer. If the therapeutic relationship is so fragile then it is not going to be improved if the health service provider refuses to provide access. There is also the potential for a person to deny access for an improper purpose eg the information reveals an adverse event, inappropriate care or treatment or other information that a person may be entitled to have.[111]

63.117 The OPC stated that NPP 6.1(b) is an appropriate and effective exception, and should not be extended to include threats to the therapeutic relationship alone.

The fact that the threat must be ‘serious’ reflects the principle that access to one’s own personal information should be the rule, rather than the exception. At the same time the exception is broad enough to encompass serious threats to any relevant person (including threats to mental health), such as the individual themselves, other patients, practitioners and staff, and the individual’s family. Similar language is used in the equivalent exceptions under NSW and Victorian health records legislation.[112]

63.118 The OPC suggested, however, that the phrase ‘would pose a serious threat’ in NPP 6.1(b), requires a degree of certainty that may not always be achievable in clinical environments. It is not always possible to predict how a health consumer will react to being granted access to their health information. On this basis, the OPC suggested an alternative test of ‘reasonably likely to pose a serious threat to the life or health of any individual’.

ALRC’s view

63.119 There was little support for extending the exception in NPP 6.1(b) to include a threat to the therapeutic relationship, and the ALRC view is that there is no case to recommend this change.

63.120 The ALRC agrees with the OPC that the current test—‘providing access would pose a serious threat to the life or health of any individual’—requires a level of certainty that may be very difficult to establish. The ‘Access and Correction’ principle, discussed in detail in Chapter 29, has adopted the approach suggested by the OPC. The principle provides in part that, if an individual requests access to personal information, an agency or organisation must respond within a reasonable time and provide the individual with access to the information except to the extent that:

  • in the case of an agency, the agency is required or authorised to refuse to provide the individual with access under the applicable provisions of any law of the Commonwealth that provides for access by persons to documents. Under this exception, agencies may deny an individual access on the basis of exceptions set out in the FOI Act. The FOI Act provides that access may be denied where disclosure ‘would, or could reasonably be expected to endanger the life or physical safety of any person’;[113] and

  • in the case of an organisation, providing access would be reasonably likely to pose a serious threat to the life or health of any individual.[114]

Use of intermediaries

63.121 The IPPs do not provide expressly for the use of intermediaries to resolve situations in which access to information is denied by an agency under the Privacy Act. A consumer denied access to health information, however, could lodge a complaint with the Privacy Commissioner under s 36 of theAct. The FOI Act provides that where an agency denies a request for access to a document containing personal information provided by a ‘qualified person’, on the basis that disclosure of the information might be detrimental to the applicant’s physical or mental health or wellbeing, the agency may provide the document to a ‘qualified person’ nominated by the applicant.[115]

63.122 In relation to organisations, NPP 6.3 sets out a process involving the use of intermediaries to assist in situations in which access is denied.

If the organisation is not required to provide the individual with access to the information because of one or more of paragraphs 6.1(a) to (k) (inclusive), the organisation must, if reasonable, consider whether the use of mutually agreed intermediaries would allow sufficient access to meet the needs of both parties.

63.123 The OPC Review noted that this mechanism is very limited.[116] Organisations are only required to consider whether the use of an intermediary would meet the needs of the parties but are not required to take any further action.

63.124 There is a more stringent right to the use of an intermediary in the draft National Health Privacy Code where access to health information is refused on the ground that providing access would pose a serious threat to the life or health of the individual. A health service provider may offer to discuss information with the consumer, or nominate a suitably qualified health service provider to discuss the information with the individual. If this does not occur, or the health consumer is not satisfied with the process, the health consumer may nominate a health service provider to act as intermediary.

63.125 Once an intermediary has been appointed, the health service provider must provide the intermediary with the individual’s health information. The intermediary may then consider, among other things, the validity of the refusal to grant access and, if he or she thinks it appropriate to do so, discuss the content of the health information with the individual.[117]

63.126 In IP 31, the ALRC asked whether the provisions of the draft National Health Privacy Code established a more appropriate and effective framework for providing access to health information than the Privacy Act.[118]

Submissions and consultations

63.127 The ANF expressed the view that:

There remains significant resistance across the health system in granting access to health consumers to their personal health information that will require major culture change. Whether it is in relation to fear of revealing litigable conduct or health professional censure; or is part of the characteristic paternalism that is linked to benevolence that has been a feature of the provision of health services over many years, is neither here nor there. It does, however indicate that there needs to be significant efforts made to inform and actively assist that culture to change.[119]

63.128 Although the OPC was generally of the view that the provisions in the draft National Health Privacy Code dealing with access to health information were overly complex and prescriptive, the Office did express support for stronger provisions around the use of intermediaries to assist with access to health information.[120]

63.129 The NHMRC also expressed support for amending the Privacy Act to provide a more explicit right to the use of an intermediary.[121]

Discussion Paper proposals

63.130 In DP 72, the ALRC proposed that the ‘Access and Correction’ principle should provide stronger provisions on the use of intermediaries than the existing provisions in NPP 6.3. The proposed principle required organisations to take reasonable steps to reach a compromise involving the use of a mutually agreed intermediary, rather than simply requiring the organisation to consider the use of a mutually agreed intermediary.[122] The ALRC proposed that the OPC should provide guidance about what would amount to ‘reasonable steps’ in this context.[123] The ALRC also expressed the preliminary view that this provision would be useful in the context of providing access to personal information held by agencies, and, should apply to agencies.[124]

63.131 In addition, in relation to health information, the ALRC proposed more stringent requirements for the use of intermediaries in certain circumstances. The ALRC noted that almost half of the complaints lodged with the OPC against health service providers were in relation to access to health information, and that there appeared to be some resistance among health service providers to allowing health consumers access to their health information. In the ALRC’s view, this situation would improve if health service providers were required to refer the requested health information to a registered medical practitioner for a second opinion in relation to the question of access.

63.132 The proposed provisions—to be included in the new Privacy (Health Information) Regulations—stated that where an organisation denied an individual access to his or her own health information on the ground that providing access would be reasonably likely to pose a serious threat to the life or health of any individual, the organisation was required to advise the individual that he or she could nominate a registered medical practitioner to be given access to the health information. Once the individual had nominated a registered medical practitioner, the organisation would be required to provide the medical practitioner with access to the individual’s health information. The medical practitioner would then assess the grounds for denying access to the health information and could provide the individual with access to the information if he or she was satisfied that to do so would not be likely to pose a serious threat to the life or health of any individual.[125]

63.133 The proposed regulation did not require that the nominated medical practitioner be mutually agreed upon. The ALRC asked whether an organisation should have the opportunity to object to the individual’s choice of nominated medical practitioner before providing access to the individual’s health information.[126]

Submissions and consultations

63.134 A number of stakeholders supported the proposed intermediary provisions.[127] The Victorian Office of the Health Services Commissioner expressed support for the provisions, but suggested that any such intermediary should be ‘a suitably qualified health service provider’, rather than a ‘registered medical practitioner’.[128] The NHMRC also suggested that the intermediary might need to be a health care professional other than a medical practitioner.[129] The OPC was of the view that:

In some circumstances, an appropriate intermediary might be a person that is not registered by a medical board, but who has sufficient clinical knowledge of a condition, as well as the individual’s circumstances, to adequately and appropriately serve in that role. For example, a counsellor in a support group for a specific condition might be a suitable intermediary.[130]

63.135 The OPC stated that the Office could develop guidance on what amounted to a suitable intermediary.[131] The Victorian Office of the Health Services Commissioner also suggested that the health service provider be required to provide the intermediary with the health information within a set period—suggesting 14 days would be appropriate—and that there was a need to address the question of fees.[132] Medicare Australia suggested that there should be an avenue of review available where there were concerns about the assessment made by the nominated medical practitioner.[133]

63.136 A number of stakeholders stated that the nominated medical practitioner should be mutually agreed upon and, in the event of a disagreement, that the Privacy Commissioner or another body should be given power to nominate an intermediary.[134] Avant Mutual Group Ltd stated that a provision along these lines was necessary to ensure that a medical practitioner with appropriate expertise was involved as an intermediary.[135] The OPC suggested that:

If a provider did not reasonably believe that a nominated intermediary was appropriate in the circumstances, then it could refuse to provide access through the intermediary mechanism. In such a case, the individual could nominate an alternative intermediary, or have the option to complain to the Office. In assessing such a complaint, the Office would ask the provider to provide its reasons as to why the nominated intermediary was not appropriate. The Office would determine the merits of the provider’s assessment of the nominated intermediary and whether there were valid grounds to deny allowing the individual to use that nominee as an intermediary. In many instances, the Office would likely seek expert clinical advice in resolving such disputes.[136]

63.137 Other stakeholders did not think that the nominated intermediary had to be mutually agreed upon.[137] The Victorian Office of the Health Services Commissioner, for example, was concerned that:

If there was an opportunity for the organisation to object to a nominated practitioner who was agreeable to performing the role, then there would be little prospect of the consumer finding another practitioner who was willing to assume the role. Therefore the HSC does not support allowing an organisation to object to the individual’s choice of nominated practitioner, provided the intermediary is registered with the same registration board.[138]

ALRC’s view

63.138 In Chapter 29, the ALRC considers the general right of access to personal information provided by the ‘Access and Correction’ principle. The ALRC recommends that the principle should provide that, where an agency or organisation is not required to provide an individual with access to his or her personal information, the agency or organisation must take such steps, if any, as are reasonable to provide the individual with as much of the information as possible, including through the use of a mutually agreed intermediary.[139] This provision should apply to both agencies and organisations.

63.139 The more stringent intermediary provisions, dealing with denial of access to health information, should apply to both agencies and organisations. The provisions operate in limited circumstances where access to health information is denied on the basis that, in the case of an agency, providing access would, or could reasonably be expected to, endanger the life or physical safety of any person and, in the case of an organisation, providing access would be reasonably likely to pose a serious threat to the life or health of any individual. This formulation is based on the relevant exceptions in the FOI Act and the ‘Access and Correction’ principle.

63.140 The ALRC accepts that the proposal to allow only a ‘registered medical practitioner’ to act as an intermediary was too narrow. The recommendation has been amended to allow any suitably qualified health service provider to play this role. The ALRC notes that the OPC has offered to provide guidance on the qualifications necessary to fulfil this role. The ALRC has also provided a mechanism to resolve any dispute over the nomination of the intermediary. If an agency or organisation objects to the nominated health service provider and continues to refuse to provide access to the information, the individual may nominate another suitably qualified health service provider, or may lodge a complaint with the Privacy Commissioner. This provision is intended to allow the Privacy Commissioner to resolve those situations in which agreement cannot be reached.

63.141 The regulation recommended below is intended to operate in addition to the other provisions of the ‘Access and Correction’ principle. It is unnecessary, therefore, to address the issue of fees in the regulation as this matter is addressed in other provisions of the ‘Access and Correction’ principle.

Recommendation 63-6 The new Privacy (Health Information) Regulations should provide that, in addition to the other provisions of the ‘Access and Correction’ principle, if an individual is denied access to his or her own health information by an agency on the basis that providing access would, or could reasonably be expected to, endanger the life or physical safety of any person, or by an organisation on the basis that providing access would be reasonably likely to pose a serious threat to the life or health of any individual:

(a) the agency or organisation must advise the individual that he or she may nominate a suitably qualified health service provider (‘nominated health service provider’) to be given access to the health information;

(b) the individual may nominate a health service provider and request that the agency or organisation provide the nominated health service provider with access to the information;

(c) if the agency or organisation does not object to the nominated health service provider, it must provide the nominated health service provider with access to the health information within a reasonable period of time; and

(d) the nominated health service provider may assess the grounds for denying access to the health information and may provide the individual with access to the information to the extent that the nominated health service provider is satisfied that to do so, in the case of an agency, would not, or could not be reasonably expected to, endanger the life or physical safety of any person and, in the case of an organisation, would not be reasonably likely to pose a serious threat to the life or health of any individual.

If the agency or organisation objects to the nominated health service provider and refuses to provide the nominated health service provider with access to the information, the individual may nominate another suitably qualified health service provider, or may lodge a complaint with the Privacy Commissioner alleging an interference with privacy.

Health service is sold, transferred or closed

63.142 The OPC Review also considered the issue of access to personal health information where an organisation providing health services is sold or ceases to operate; for example, where a medical practitioner dies or retires or a practice closes.[140] In some jurisdictions, specific provision is made for the retention of medical records in these circumstances. In New South Wales, for example, outgoing medical practitioners must make reasonable efforts to ensure that medical records are kept by the medical practitioner taking over the practice or that they are provided to the patient to whom they relate.[141]

63.143 In Victoria, HPP 10 imposes express obligations on health service providers when the organisation providing the health service is to be sold, transferred or closed. These obligations include advertising in local newspapers indicating that the organisation is to be sold, transferred or closed and what the organisation proposes to do with the health information it holds.[142]

63.144 The draft National Health Privacy Code includes detailed provisions for dealing with health information on the transfer or closure of the practice of a health service provider. NHPP 10 requires health service providers to take reasonable steps to let health consumers know about the transfer or closure and to inform consumers about the proposed arrangements for the transfer or storage of consumers’ health information.

63.145 The OPC Review noted that where a health service ceases to operate, this may raise issues relating to data security under NPP 4. There is a risk that ‘abandoned’ records may not be afforded adequate levels of storage and security.[143] It is also important to ensure that health information is available to health consumers seeking health services in the future.

63.146 The OPC considered that this was an important issue that should be addressed and made the following recommendations:

The Australian Government should consider adopting the AHMAC code as a schedule to the Privacy Act. This will address the issue of access to health records when a health service ceases to operate. …

The Australian Government should consider, if the AHMAC Code is not adopted into the Privacy Act, amending the NPPs to include a new principle along the lines of National Health Privacy Principle 10 in the AHMAC Code.[144]

63.147 In IP 31, the ALRC asked whether the Privacy Act should be amended to deal with the situation in which a health service provider ceases to operate and whether NHPP 10 of the draft National Health Privacy Code provided an appropriate and effective framework.[145]

Submissions and consultations

63.148 The Victorian Office of the Health Services Commissioner supported a provision dealing expressly with the transfer or closure of health service practices and noted that:

Distressed consumers have contacted [the Health Services Commissioner] advising they rang their doctor to find they had closed their practice and left no forwarding contact number. Some consumers have advised [the Health Services Commissioner] they last saw their doctor two or three weeks earlier, and had no notice of the closure.[146]

63.149 The OPC reiterated its view that:

Amendment to the Privacy Act to introduce a privacy principle with a similar purpose as NHPP 10, would usefully clarify the obligations of health service providers and establish reasonable expectations for individuals on the handling of their health information in these circumstances.[147]

63.150 The NHMRC stated that:

We strongly endorse the provisions in the draft National Health Privacy Code which address the management of health information on the transfer or closure of the practice of a health service provider. We understand that consumers are particularly concerned about the privacy of their health information when health care practices are acquired by larger corporate providers.

We consider that maintenance of health care records is vital for the future quality health care of individuals and we also are cognisant of the risk to security of records if they are ‘abandoned’.[148]

63.151 Other stakeholders agreed that the provisions of NHPP 10 dealing with the transfer or closure of a health service practice would be a useful addition to the Privacy Act.[149]

Discussion Paper proposal

63.152 In DP 72, the ALRC proposed that where a health service practice or business is sold, amalgamated or closed down and a health service provider will not be providing health services in the new practice or business, or the provider dies, the provider, or the legal representative of the provider, should be required to take all reasonable and appropriate steps to:

(a) make individual users of the health service aware of the sale, amalgamation or closure of the health service or the death of the health service provider; and

(b) inform them about proposed arrangements for the transfer or storage of individuals’ health information.

Submissions and consultations

63.153 In its submission to DP 72, the AMA acknowledged the importance of ensuring that health information is handled correctly when a health service closes, is sold or amalgamated, or when a health service provider dies. The AMA was aware that some health consumers had experienced difficulties accessing records in these circumstances and had issued guidance:

The AMA Privacy Handbook states that where a practitioner retires and another doctor takes over the responsibility for the patient’s records, it is appropriate for a circular to be sent out notifying patients of the doctor’s retirement and advising that the nominated doctor in the practice will hold the records. If this is not feasible then the AMA considers it appropriate for the practice to inform the patient and provide the patient with the opportunity of having the records transferred to another doctor.

The AMA also advises medical practitioners that if no arrangements can be made to transfer the records to another doctor, then suitable arrangements should be made so that they can be easily accessed if required and steps taken to ensure that patients are informed of the new arrangements.[150]

63.154 The AMA noted, however, that it might be logistically impossible to contact all health consumers, particularly where the practice involved is small, with limited resources. The AMA emphasised the importance of including the ‘all reasonable and appropriate steps’ element of the proposal.[151] Avant Mutual Group Ltd did not support this proposal, stating that, in the absence of evidence that there was a real problem in this area, it would impose an unjustified administrative burden on health service providers and their legal representatives.[152]

63.155 Dr Kerry Breen submitted that specialists often see health consumers on only one or two occasions. Detailed health information, including the specialist’s assessment, investigation and opinion, is provided to the health consumer or referring health service provider. In these circumstances, Dr Breen was of the view that the obligation to contact health consumers should be limited to those seen in the previous twelve months, or likely to attend again. Dr Breen also suggested contacting all health service providers that had made a referral to the specialist in the last twelve months. In addition, a specialist might place an ad in the relevant state or territory AMA newsletter announcing the specialist’s retirement and contact details for health information. Dr Breen noted the importance of drawing a distinction between current and past patients.[153]

63.156 A number of other stakeholders also supported this proposal.[154] The Victorian Office of the Health Services Commissioner suggested, however, that the provision should be more prescriptive and provide greater guidance on what are reasonable and appropriate steps.[155] The NHMRC submitted:

We consider that simply placing an advertisement in a locally-circulating newspaper is unlikely to constitute effective notification of many consumers, particularly if a practice is to be closed. We prefer the NSW approach which requires outgoing medical practitioners to make reasonable efforts to ensure that medical records are kept by the medical practitioner taking over the practice or that they are provided to the patient to whom they relate. We suggest that further guidance be given as to the steps that would be reasonable in different circumstances.[156]

63.157 The OPC stated that:

The ALRC may wish to consider whether, in the interests of consistency, a test of ‘reasonable steps’ provides an appropriate threshold for these provisions, compared with ‘all reasonable and appropriate steps’.[157]

ALRC’s view

63.158 The ALRC recognises the importance of ensuring that health information is handled appropriately when a health service is sold, amalgamated or closed, or a health service provider dies. Health consumers should be notified when an event of this nature occurs so that they continue to have access to their information and the information is not lost or left with insufficient protection.

63.159 The regulation recommended below is based on NHPP 10 and requires health service providers, or their legal representatives, to take reasonable steps to ensure that individuals are aware of the sale, amalgamation or closure of the health service, or the death of the health service provider, and that they are informed about the proposed arrangements for the transfer or storage of their health information. In line with the ALRC’s preference for principles-based regulation,[158] the ALRC has not included detailed rules about how this might occur—what amounts to ‘reasonable steps’ will depend on the circumstances of each case.

63.160 The ALRC has adopted the ‘reasonable steps’ test because it provides an appropriate framework within which to ensure that health consumers are kept informed of what has happened to their health information, while recognising that, in some circumstances, it may not be possible to make contact with all individuals who have had dealings with a particular health service provider. It is also consistent with language used in other principles including the ‘Access and Correction’ principle, the research exceptions to the ‘Collection’ principle and the ‘Use and Disclosure’ principle and the ‘Openness’ principle.

Recommendation 63-7 The new Privacy (Health Information) Regulations should provide that, in addition to the other provisions of the ‘Data Security’ principle, where an agency or organisation that provides a health service is sold, amalgamated or closed down, and an individual health service provider will not be providing health services in the new agency or organisation, or an individual health service provider dies, the provider, or the legal representative of the provider, must take reasonable steps to:

(a) make individual users of the health service aware of the sale, amalgamation or closure of the health service, or the death of the health service provider; and

(b) inform individual users of the health service about proposed arrangements for the transfer or storage of individuals’ health information.

Health consumer changes health service provider

63.161 The Privacy Act does not deal specifically with the transfer of health information when a consumer changes health service providers. In Victoria, HPP 11 in the Health Records Act imposes an obligation on health service providers to provide ‘a copy or written summary of the individual’s health information’ to another provider, if requested to do so by the individual or by the new provider on behalf of the individual. NHPP 11 of the draft National Health Privacy Code is in similar terms. Providing a mechanism of this sort ensures that the new health service provider has access to the health consumer’s health information history.

63.162 The OPC Review recommended that the NPPs be amended to include a new principle along the lines of NHPP 11.[159]

Submissions and consultations

63.163 The Victorian Office of the Health Services Commissioner noted that:

Situations often occur where a medical practitioner or other health provider leaves a practice and their patients or clients follow them to their new practice. This can sometimes result in hundreds of requests for transfer of records made to the provider’s old practice, and hostility between the two practices can emerge. [The Health Services Commissioner] attempts to assist providers to deal with these situations, and sometimes negotiates between two practices to resolve difficulties that arise. Therefore specific provisions in relation to the transfer of health information are very important and assist in the continuity of care of the health consumer.[160]

63.164 The OPC submitted that introducing a provision into the Privacy Act along the lines of NHPP 11 would be appropriate, as it would meet community expectations and would be consistent with good clinical care and continuity of treatment.[161] The NHMRC and other stakeholders also expressed support for including a provision in the Privacy Act dealing with the transfer of health information from one health service provider to another.[162]

63.165 DOHA agreed, noting that:

The transfer of information from one health service provider to another, where an individual changes provider, is an important issue in the healthcare sector. It is consistent with good professional practice for a health service provider to respond positively to an individual’s request to supply the individual’s new provider with their original records (or a copy) or with a summary of the information in their records. This practice facilitates the continued availability of important health information when an individual changes health service provider, subject to the choices the individual exercises, thereby helping to ensure safe and effective healthcare for the individual.[163]

Discussion Paper proposal

63.166 In DP 72, the ALRC proposed that health service providers be required to transfer the individual’s health information to another health service provider when requested to do so by the individual, or when requested to do so by the other health service provider acting with the authority of the individual. The health information could be provided in summary form.[164]

Submissions and consultations

63.167 A number of stakeholders expressed support for the ALRC’s proposal in relation to the transfer of health information from one health service provider to another.[165] The AMA stated that it encourages doctors to follow best clinical practice and relevant codes of ethics to ensure that all medical records required by a new practitioner are provided.[166]

63.168 Some stakeholders were of the view that the provision should deal expressly or in more detail with issues such as: the evidence required of health consumer consent to transfer; recovering the costs of such transfers; the content and form of the records to be transferred; and the timeframe within which they should be transferred.[167] Dr Breen stated that:

The biggest issues for patients wanting to have their records transferred are the attitude of the practice staff and the doctor (some of whom seem to take offence at any such request) and the fees charged. Unfortunately the AMA advice regarding fees for this service can be readily interpreted as ‘open slather’ and some fees are thus set as an obstacle. I suggest that consideration be given to advice about what constitutes a reasonable fee. Perhaps the ALRC could even suggest that Medical Boards inform the medical profession that actions designed to obstruct the ready transfer of health information upon request will be deemed to be unprofessional conduct?[168]

63.169 PIAC did not agree with the proposal that the health information could be provided in summary form.[169] The OPC suggested that

greater specificity could be provided around the ability to transfer the information ‘in summary form’. In the Office’s view, it is important that a summarised version contains sufficient detail from the original records to be of assistance to the patient and provider. The ALRC and Australian Government may wish to consider whether the proposed provision on transfer of records should provide for relevant exceptions (similar to NPP 6.1), and requirements around permissible charges (similar to NPP 6.4).[170]

ALRC’s view

63.170 Difficulties can arise in relation to the transfer of health information from one health service provider to another when a health consumer changes provider. Health consumers should have a right to have their health information transferred in these circumstances in a manner that ensures continuity of care. The new Privacy (Health Information) Regulations shouldprovide that, in addition to the other elements of the ‘Access and Correction’ principle, where an individual requests that his or her health information be transferred from one health service provider to another, the information must be transferred.

63.171 The regulation recommended below does not refer expressly to the situation in which an individual asks a health service provider to make the request on his or her behalf. Although the request is being made through the health service provider, the individual is still the requesting party. Ensuring valid consent will depend on the circumstances of the case. Where the request comes to the original health service provider from the new health service provider, for example, a signed consent to transfer may be appropriate. Where the request is made in person by the health consumer to the original health service provider, there may be no need to have anything in writing indicating consent.

63.172 The ALRC notes the OPC’s suggestion that the requirement to transfer health information should be subject to exceptions similar to those currently set out in NPP 6.1 relating to access to personal information. The ALRC’s intention is that the regulation recommended below will operate as part of, and in addition to, the other elements of the ‘Access and Correction’ principle. All the exceptions in that principle should apply to a request to transfer health information to a new provider, with any necessary amendments—for example, where the principle refers to ‘providing access to information’ it will need to be amended to refer to ‘transferring the information’.

63.173 Requiring a health service provider to transfer health information to another health service provider can raise similar issues to providing the individual personally with access to the information. For example, the original health service provider may not be able to transfer the information, or may not wish to transfer the information, because the information relates to existing or anticipated legal proceedings between the health service provider and the individual, and the information would not be accessible by the process of discovery in those proceedings.[171]

63.174 In addition, the health service provider may consider that: the individual should not be provided with access to the information because this would be reasonably likely to pose a serious threat to the life or health of the individual; and that the health service provider the individual has nominated for transfer is unlikely to handle the information appropriately. In these circumstances, the original health service provider may wish to take advantage of the exception in the ‘Access and Correction’ principle that ‘providing access would be reasonably likely to pose a serious threat to the life or health of any individual’ and the new intermediary provisions recommended above.

63.175 Other elements of the ‘Access and Correction’ principle will also apply to transfer between health service providers. For example, if an organisation charges to transfer the information, the charges may not be excessive and must not apply to lodging a request for transfer. In addition, the provision in the ‘Access and Correction’ principle requiring that information be provided in the manner requested by the individual, where reasonable and practicable, should apply to the transfer of health information. This general statement allows scope for health information to be transferred in summary form, if all the parties to the arrangement agree. Where it is not reasonable and practicable to transfer the information in the manner requested by the individual, it will not be necessary to do so.

Recommendation 63-8 (a) The new Privacy (Health Information) Regulations should provide that, in addition to the other provisions of the ‘Access and Correction’ principle, where an individual requests that an agency or organisation that is a health service provider transfers the individual’s health information to another health service provider, the agency or organisation must respond within a reasonable time and transfer the information.

(b) Other elements of the ‘Access and Correction’ principle relating to access should apply to a request for transfer from one health service provider to another, amended as necessary.

[98]Breen v Williams (1996) 186 CLR 71.

[99]Privacy Act 1988 (Cth) sch 3, NPP 6.1(b).

[100] Ibid sch 3, NPP 6.1(c).

[101] Ibid sch 3, NPP 6.1(e).

[102] Ibid sch 3, NPP 6.1(h).

[103] National Health Privacy Working Group of the Australian Health Ministers’ Advisory Council, Draft National Health Privacy Code (2003), NHPP 6.1.

[104] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 112.

[105] Ibid, 115.

[106] Ibid, 117.

[107] Ibid, rec 30.

[108] Office of the Privacy Commissioner, Denial of Access to Health Information Due to a Serious Threat to Life or Health, Private Sector Information Sheet 21 (2008).

[109] Australian Law Reform Commission, Review of Privacy, IP 31 (2006), Question 8–20.

[110] Australian Government Department of Health and Ageing, Submission PR 273, 30 March 2007; Australian Privacy Foundation, Submission PR 167, 2 February 2007; Office of the Health Services Commissioner (Victoria), Submission PR 153, 30 January 2007; Department of Health Western Australia, Submission PR 139, 23 January 2006; Centre for Law and Genetics, Submission PR 127, 16 January 2007; National Health and Medical Research Council, Submission PR 114, 15 January 2007; Office of the Information Commissioner (Northern Territory), Submission PR 103, 15 January 2007; Caroline Chisholm Centre for Health Ethics, Submission PR 69, 24 December 2006.

[111] Australian Nursing Federation, Submission PR 205, 22 February 2007.

[112] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[113]Freedom of Information Act 1982 (Cth) s 37(1).

[114] Recs 29–2, 29–3.

[115]Freedom of Information Act 1982 (Cth) s 41.

[116] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 117.

[117] National Health Privacy Working Group of the Australian Health Ministers’ Advisory Council, Draft National Health Privacy Code (2003) pt 5 div 3.

[118] Australian Law Reform Commission, Review of Privacy, IP 31 (2006), Question 8–21.

[119] Australian Nursing Federation, Submission PR 205, 22 February 2007.

[120] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[121] National Health and Medical Research Council, Submission PR 114, 15 January 2007.

[122] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 26–2.

[123]Ibid, Proposal 26–2.

[124]Ibid, Proposal 12–8(c).

[125] Ibid, Proposal 57–6.

[126] Ibid, [57.177].

[127] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Australian Government Department of Human Services, Submission PR 541, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[128] Office of the Health Services Commissioner (Victoria), Submission PR 518, 21 December 2007.

[129] National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[130] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[131] Ibid.

[132] Office of the Health Services Commissioner (Victoria), Submission PR 518, 21 December 2007.

[133] Medicare Australia, Submission PR 534, 21 December 2007.

[134] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Avant Mutual Group Ltd, Submission PR 421, 7 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[135] Avant Mutual Group Ltd, Submission PR 421, 7 December 2007.

[136] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[137] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Office of the Health Services Commissioner (Victoria), Submission PR 518, 21 December 2007.

[138] Office of the Health Services Commissioner (Victoria), Submission PR 518, 21 December 2007.

[139] Rec 29–4.

[140] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 123.

[141]Medical Practice Regulation 2003 (NSW) reg 8.

[142]Health Records Act 2001 (Vic) s 19, HPP 10.

[143] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 123.

[144] Ibid, rec 36.

[145] Australian Law Reform Commission, Review of Privacy, IP 31 (2006), Question 8–22.

[146] Office of the Health Services Commissioner (Victoria), Submission PR 153, 30 January 2007.

[147] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[148] National Health and Medical Research Council, Submission PR 114, 15 January 2007.

[149] Australian Government Department of Health and Ageing, Submission PR 273, 30 March 2007; Australian Nursing Federation, Submission PR 205, 22 February 2007; Centre for Law and Genetics, Submission PR 127, 16 January 2007.

[150] Australian Medical Association, Submission PR 524, 21 December 2007.

[151] Ibid.

[152] Avant Mutual Group Ltd, Submission PR 421, 7 December 2007.

[153] K Breen, Submission PR 578, 13 March 2008.

[154] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[155] Office of the Health Services Commissioner (Victoria), Submission PR 518, 21 December 2007.

[156] National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[157] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[158] See Ch 4.

[159] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), rec 34.

[160] Office of the Health Services Commissioner (Victoria), Submission PR 153, 30 January 2007.

[161] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[162] Centre for Law and Genetics, Submission PR 127, 16 January 2007; National Health and Medical Research Council, Submission PR 114, 15 January 2007.

[163] Australian Government Department of Health and Ageing, Submission PR 273, 30 March 2007.

[164] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 57–8.

[165] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[166] Australian Medical Association, Submission PR 524, 21 December 2007.

[167] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Office of the Health Services Commissioner (Victoria), Submission PR 518, 21 December 2007; Avant Mutual Group Ltd, Submission PR 421, 7 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[168] K Breen, Submission PR 578, 13 March 2008.

[169] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[170] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[171] This exception is set out in NPP 6.1(e) and is included in the ‘Access and Correction’ principle.