Like the Commonwealth Privacy Act which established National Privacy Principles, the Health Records Act of each state establishes privacy standards for the handling of health information.
Health information is broadly defined to include information or an opinion about an individual’s health or disability, expressed wishes about health services, health services provided or sought, and information collected in providing the health services.
Each state’s Act provides a right of access to a patient’s own health information.
Health information is held if it is contained in a document. The purpose of each state's Act is the specific protection of health records. Each state's Act applies not just to health providers, but also to any other organization or entity which may not traditionally have been regarded as part of the health care system.
These other organisations include gymnasiums, weight loss centres, personal trainers and employers, to the extent that health information is collected or held or used by any such organization.
There are nine prescribed Health Privacy Principles (HPPs). The HPPs, which may vary from state to state, are similar to the National Privacy Principles. The HPPs can be summarised as follows:
HPP 1
Collection of health information – must be necessary for an organization’s activities and collected lawfully, fairly and non-intrusively – an individual must be told who is collecting and why.
HPP 2
Use and disclosure of health information – not to be used or disclosed other than for the purpose collected, without consent, except in prescribed circumstances.
HPP 3
Data quality – personal information collected, used or disclosed must be, as far as possible, accurate, complete and up-to-date.
HPP 4
Data security and retention – personal information must be protected from misuse or loss and destroyed or permanently de-identified when no longer needed.
HPP 5
Openness – policies and practices of organizations in relation to management of health information must be set out in a document to be made available to the public on request.
HPP 6
Access and correction of health information – on request, except in prescribed circumstances – out-of-date, incomplete and inaccurate information must be corrected.
HPP 7
Identifiers – only if necessary to an organization's activities – identifiers used by other agencies cannot be used or disclosed without the consent of the individual.
HPP 8
Anonymity – wherever lawful and practicable, individuals must be able to enter into a transaction with an organization without identifying themselves.
HPP 9
Trans-border data flows – personal information can only be transferred outside each state where the individual consents or the recipient organization is subject to similar privacy principles or in prescribed circumstances.
The Health Records Act of each state provides that complaints are dealt with by the Health Services Commissioner or equivalent. The Commissioner may make rulings and can refer matters to the Civil and Administrative Tribunal or equivalent for binding orders.
Compliance notices can also be issued in respect of contraventions of the Act and the failure to comply with such notices is a criminal offence.
Where enacted, the states' Privacy Acts are usually modelled on the ACT Health Records (Privacy and Access) Act 1997. Please refer to:
www.privacy.gov.au
In the event of any conflict between the provisions of the Commonwealth Privacy Act and the states' Privacy Acts, the provisions of the Commonwealth Act will take precedence and, to the extent of the inconsistency, the relevant provisions of the states' Acts will not have effect. In many respects the states' Acts may overlap and duplicate the Commonwealth legislation.
DISCLAIMER:
It is essential that each ARM member obtain a copy of the privacy act of the state in which they reside or practise.
The information presented is not a legal document. The information is given in good faith as a summary; however, the ARM, its Committees or Administration staff cannot be held legally responsible if you do not obtain and follow the relevant Privacy Policy or Privacy Act in the State or Territory in which you reside.
