17.08.2010
60. Regulatory Framework for Health Information
Recommendation 60–1 Health information should be regulated under the general provisions of the Privacy Act, the model Unified Privacy Principles (UPPs), and regulations under the Privacy Act—the new Privacy (Health Information) Regulations. The new Privacy (Health Information) Regulations should be drafted to contain only those requirements that are different or more specific than provided for in the model UPPs.
Recommendation 60–2 The Office of the Privacy Commissioner should publish a document bringing together the model Unified Privacy Principles (UPPs) and the additions set out in the new Privacy (Health Information) Regulations. This document should contain a complete set of the model UPPs as they relate to health information.
Recommendation 60–3 The Office of the Privacy Commissioner—in consultation with the Department of Health and Ageing and other relevant stakeholders—should develop and publish guidelines on the handling of health information under the Privacy Act and the new Privacy (Health Information) Regulations.
61. Electronic Health Information Systems
Recommendation 61–1 If a national Unique Healthcare Identifiers (UHIs) or a national Shared Electronic Health Records (SEHR) scheme goes forward, it should be established under specific enabling legislation. This legislation should address information privacy issues, such as:
(a) the nomination of an agency or organisation with clear responsibility for managing the respective systems, including the personal information contained in the systems;
(b) the eligibility criteria, rights and requirements for participation in the UHI and SEHR schemes by health consumers and health service providers, including consent requirements;
(c) permitted and prohibited uses and linkages of the personal information held in the systems;
(d) permitted and prohibited uses of UHIs and sanctions in relation to misuse; and
(e) safeguards in relation to the use of UHIs, including providing that it is not necessary to use a UHI in order to access health services.
62. The Privacy Act and Health Information
Recommendation 62–1 The definition of ‘health information’ in the Privacy Act should be amended to make express reference to the physical, mental or psychological health or disability of an individual.
Recommendation 62–2 The Privacy Act should be amended to define a ‘health service’ as:
(a) an activity performed in relation to an individual that is intended or claimed (expressly or otherwise) by the individual or the service provider to:
(i) assess, predict, maintain or improve the individual’s physical, mental or psychological health or status;
(ii) diagnose the individual’s illness, injury or disability; or
(iii) prevent or treat the individual’s illness, injury or disability or suspected illness, injury or disability;
(b) a health-related disability, palliative care or aged care service;
(c) a surgical or related service; or
(d) the dispensing on prescription of a drug or medicinal preparation by a pharmacist.
63. Privacy (Health Information) Regulations
Recommendation 63–1 The new Privacy (Health Information) Regulations should provide that, in addition to the other provisions of the ‘Collection’ principle, an agency or organisation that provides a health service may collect health information from an individual, or a person responsible for the individual, about third parties when:
(a) the collection of the third party’s information is necessary to enable the health service provider to provide a health service directly to the individual; and
(b) the third party’s information is relevant to the family, social or medical history of that individual.
Recommendation 63–2 The new Privacy (Health Information) Regulations should provide that, in addition to the other provisions of the ‘Collection’ principle, an agency or organisation that is a health service provider may collect health information about an individual if the information is necessary to provide a health service to the individual and the individual would reasonably expect the agency or organisation to collect the information for that purpose.
Recommendation 63–3 National Privacy Principles (NPPs) 2.4 to 2.6—dealing with the disclosure of health information by a health service provider to a person who is responsible for an individual—should be moved to the new Privacy (Health Information) Regulations. The new regulations should provide that, in addition to the other provisions of the ‘Use and Disclosure’ principle, an agency or organisation that provides a health service to an individual may disclose health information about the individual to a person who is responsible for the individual, if the individual is incapable of giving consent to the disclosure and all the other circumstances currently set out in NPP 2.4 are met. In addition, the new regulations should:
(a) be expressed to apply to both agencies and organisations;
(b) not refer to a health service provider who may make a disclosure under these provisions as a ‘carer’; and
(c) define ‘a person who is responsible for an individual’ as:
(i) a parent, child or sibling of the individual;
(ii) a spouse or de facto partner of the individual;
(iii) a relative of the individual who is a member of the individual’s household;
(iv) a substitute decision maker authorised by a federal, state or territory law to make decisions about the individual’s health;
(v) a person who has an intimate personal relationship with the individual;
(vi) a person nominated by the individual to be contacted in case of emergency; or
(vii) a person who is primarily responsible for providing support or care to the individual.
In considering whether to disclose an individual’s health information to a person who is responsible for an individual and who is under the age of 18, a health service provider should consider, on a case-by-case basis, that person’s maturity and capacity to understand the information.
Recommendation 63–4 The Privacy Act should be amended to provide a definition of ‘de facto partner’ in the following terms: ‘de facto partner’ means a person in a relationship as a couple with another person to whom he or she is not married.
Recommendation 63–5 The new Privacy (Health Information) Regulations should include provisions similar to those set out in National Privacy Principle 2.1(ea) on the use and disclosure of genetic information where necessary to lessen or prevent a serious threat to the life, health or safety of a genetic relative. These regulations should apply to both agencies and organisations. Any use or disclosure under the new regulations should be in accordance with rules issued by the Privacy Commissioner.
Recommendation 63–6 The new Privacy (Health Information) Regulations should provide that, in addition to the other provisions of the ‘Access and Correction’ principle, if an individual is denied access to his or her own health information by an agency on the basis that providing access would, or could reasonably be expected to, endanger the life or physical safety of any person, or by an organisation on the basis that providing access would be reasonably likely to pose a serious threat to the life or health of any individual:
(a) the agency or organisation must advise the individual that he or she may nominate a suitably qualified health service provider (‘nominated health service provider’) to be given access to the health information;
(b) the individual may nominate a health service provider and request that the agency or organisation provide the nominated health service provider with access to the information;
(c) if the agency or organisation does not object to the nominated health service provider, it must provide the nominated health service provider with access to the health information within a reasonable period of time; and
(d) the nominated health service provider may assess the grounds for denying access to the health information and may provide the individual with access to the information to the extent that the nominated health service provider is satisfied that to do so, in the case of an agency, would not, or could not be reasonably expected to, endanger the life or physical safety of any person and, in the case of an organisation, would not be reasonably likely to pose a serious threat to the life or health of any individual.
If the agency or organisation objects to the nominated health service provider and refuses to provide the nominated health service provider with access to the information, the individual may nominate another suitably qualified health service provider, or may lodge a complaint with the Privacy Commissioner alleging an interference with privacy.
Recommendation 63–7 The new Privacy (Health Information) Regulations should provide that, in addition to the other provisions of the ‘Data Security’ principle, where an agency or organisation that provides a health service is sold, amalgamated or closed down, and an individual health service provider will not be providing health services in the new agency or organisation, or an individual health service provider dies, the provider, or the legal representative of the provider, must take reasonable steps to:
(a) make individual users of the health service aware of the sale, amalgamation or closure of the health service, or the death of the health service provider; and
(b) inform individual users of the health service about proposed arrangements for the transfer or storage of individuals’ health information.
Recommendation 63–8 (a) The new Privacy (Health Information) Regulations should provide that, in addition to the other provisions of the ‘Access and Correction’ principle, where an individual requests that an agency or organisation that is a health service provider transfers the individual’s health information to another health service provider, the agency or organisation must respond within a reasonable time and transfer the information.
(b) Other elements of the ‘Access and Correction’ principle relating to access should apply to a request for transfer from one health service provider to another, amended as necessary.
Recommendation 63–9 The new Privacy (Health Information) Regulations should provide that, in addition to the other provisions of the ‘Collection’ principle and the ‘Use and Disclosure’ principle, an agency or organisation may collect, use or disclose health information where necessary for the funding, management, planning, monitoring, or evaluation of a health service where:
(a) the purpose cannot be achieved by the collection, use or disclosure of information that does not identify the individual or from which the individual would not be reasonably identifiable;
(b) it is unreasonable or impracticable for the agency or organisation to seek the individual’s consent before the collection, use or disclosure; and
(c) the collection, use or disclosure is conducted in accordance with rules issued by the Privacy Commissioner.
Recommendation 63–10 The Privacy Act should be amended to empower the Privacy Commissioner to issue rules in relation to the handling of personal information for the funding, management, planning, monitoring, or evaluation of a health service.
65. Research: Recommendations for Reform
Recommendation 65–1 (a) The Privacy Commissioner should issue one set of rules under the research exceptions to the ‘Collection’ principle and the ‘Use and Disclosure’ principle to replace the Guidelines under Section 95 of the Privacy Act 1988 and the Guidelines Approved under Section 95A of the Privacy Act 1988.
(b) The Privacy Commissioner should consult with relevant stakeholders in developing the rules to be issued under the research exceptions to the ‘Collection’ and ‘Use and Disclosure’ principles—that is, the ‘Research Rules’.
(c) Those elements of the National Statement on Ethical Conduct in Human Research dealing with privacy should be aligned with the Privacy Act and the Research Rules to minimise confusion for institutions, researchers and Human Research Ethics Committees.
Recommendation 65–2 The Privacy Act should be amended to extend the arrangements relating to the collection, use or disclosure of personal information without consent in the area of health and medical research to cover the collection, use or disclosure of personal information without consent in human research more generally.
Recommendation 65–3 The Privacy Act should be amended to provide that ‘research’ includes the compilation or analysis of statistics.
Recommendation 65–4 The research exceptions to the ‘Collection’ principle and the ‘Use and Disclosure’ principle should provide that, before approving an activity that involves the collection, use or disclosure of sensitive information or the use or disclosure of other personal information without consent, Human Research Ethics Committees must be satisfied that the public interest in the activity outweighs the public interest in maintaining the level of privacy protection provided by the Privacy Act.
Recommendation 65–5 The research exceptions to the ‘Collection’ principle and the ‘Use and Disclosure’ principle should include a provision stating that it must be ‘unreasonable or impracticable’ to seek consent from individuals to the collection, use or disclosure of their personal information before that information may be used without consent for the purposes of research.
Recommendation 65–6 The National Health and Medical Research Council, the Australian Research Council and Universities Australia should amend the National Statement on Ethical Conduct in Human Research to state that, where a research proposal seeks to rely on the research exceptions in the Privacy Act, it must be reviewed and approved by a Human Research Ethics Committee.
Recommendation 65–7 The Privacy Commissioner, in consultation with relevant stakeholders, should review the reporting requirements imposed under the Privacy Act on the Australian Health Ethics Committee and Human Research Ethics Committees. Any new reporting mechanism should aim to promote the objects of the Privacy Act, have clear goals and impose the minimum possible administrative burden to achieve those goals.
Recommendation 65–8 The research exception to the ‘Collection’ principle should provide that an agency or organisation may collect personal information, including sensitive information, about an individual where all of the following conditions are met:
(a) the collection is necessary for research;
(b) the purpose cannot be served by the collection of information that does not identify the individual;
(c) it is unreasonable or impracticable for the agency or organisation to seek the individual’s consent to the collection;
(d) a Human Research Ethics Committee—constituted in accordance with, and acting in compliance with, the National Statement on Ethical Conduct in Human Research as in force from time to time—has reviewed the proposed activity and is satisfied that the public interest in the activity outweighs the public interest in maintaining the level of privacy protection provided by the Privacy Act; and
(e) the information is collected in accordance with the Research Rules, to be issued by the Privacy Commissioner.
Where an agency or organisation collects personal information about an individual under this exception, it must take reasonable steps to ensure that the information is not disclosed in a form that would identify the individual or from which the individual would be reasonably identifiable.
Recommendation 65–9 The research exception to the ‘Use and Disclosure’ principle should provide that an agency or organisation may use or disclose personal information where all of the following conditions are met:
(a) the use or disclosure is necessary for research;
(b) it is unreasonable or impracticable for the agency or organisation to seek the individual’s consent to the use or disclosure;
(c) a Human Research Ethics Committee—constituted in accordance with, and acting in compliance with, the National Statement on Ethical Conduct in Human Research as in force from time to time—has reviewed the proposed activity and is satisfied that the public interest in the activity outweighs the public interest in maintaining the level of privacy protection provided by the Privacy Act;
(d) the information is used or disclosed in accordance with the Research Rules, to be issued by the Privacy Commissioner; and
(e) in the case of disclosure—the agency or organisation reasonably believes that the recipient of the personal information will not disclose the information in a form that would identify the individual or from which the individual would be reasonably identifiable.
66. Research: Databases and Data Linkage
Recommendation 66–1 The Privacy Commissioner should address the following matters in the Research Rules:
(a) in what circumstances and under what conditions it is appropriate to collect, use or disclose personal information without consent for inclusion in a database or register for research purposes; and
(b) the fact that, where a database or register is established on the basis of Human Research Ethics Committee approval, that approval does not extend to future unspecified uses. Any future proposed use of the database or register for research would require separate review by a Human Research Ethics Committee.
Recommendation 66–2 Agencies or organisations developing systems or infrastructure to allow the linkage of personal information for research purposes should conduct a Privacy Impact Assessment to ensure that the privacy risks involved are assessed and adequately managed in the design and implementation of the project.
Recommendation 66–3 The Research Rules, to be issued by the Privacy Commissioner, should address the circumstances in which, and the conditions under which, it is appropriate to collect, use or disclose personal information without consent in order to identify potential participants in research.