This document has been archived and is no longer in use by the Office.

On 21 December 2001, new privacy law comes into effect across Australia that will regulate the way private sector organisations handle personal information. The new law, which will be part of the Privacy Act 1988 (Cth), (the Privacy Act), includes ten National Privacy Principles (NPPs) that set standards for the way organisations, including health providers, handle personal information.
The new privacy laws will give individuals new privacy rights including the right to have access to the personal information an organisation holds about them. Individuals will also have the right to complain if they think an organisation has breached their privacy rights and to get redress if the breach is proven.
The Federal Privacy Commissioner, under s.27 of the Privacy Act, has the power to make guidelines about the NPPs. This document is a draft of one of those sets of guidelines.
For more information about the new privacy laws see the Office of the Federal Privacy Commissioner’s website at http://www.privacy.gov.au or ring our hotline on 1300 363 992.
The Health Privacy Guidelines are one of three sets of guidelines the Privacy Commissioner is developing this year on the operation of the new legislation. These are
The Privacy Commissioner places great importance on consulting the Australian community to get the broadest range of views about these guidelines. For each set of guidelines, the Office is undertaking a two-month period of wide public consultation. In each case, the Privacy Commissioner has developed a consultation document that includes draft guidelines that identify issues on which it would like community and stakeholder views.
This paper is a consultation document for the Health Privacy Guidelines. The first chapter provides an introduction to the guidelines and the new privacy law. The following chapters set out the draft guidelines themselves, in some places asking specific questions for consultation. The appendices include the NPPs and other relevant information, to which you can refer as you read the draft guidelines.
The NPPs are the starting point for developing these guidelines. The principles form the core of the changes to the Privacy Act. Therefore, policy underlying the NPPs is now settled and is part of the law. The NPPs set out Federal Parliament’s decision about the balance to be found between the protection of privacy and the protection of other important human rights and social interests that relate to privacy,
"...including the general desirability of a free flow of information (through the media and otherwise) and the recognition of the right of government and business to achieve their objectives in an efficient way." (Section 29, Privacy Act)
The role of this paper is to seek views on the guidance developed by the Privacy Commissioner for operating within the framework that Federal Parliament has settled on.
The Government has announced that the new provisions of the Privacy Act will be reviewed two years after they commence. During this period the Privacy Commissioner expects to examine closely a number of areas of the new legislation to assess whether the right balance between interests has been struck. These areas include the various exemptions in the Privacy Act and the provisions in the NPPs for direct marketing.
However, there are a number of areas where Parliament has deliberately chosen to leave flexibility in the NPPs. Examples include where the principles use words such as “reasonably expect” and “practicable”. In these draft guidelines, the Privacy Commissioner has developed preliminary views on the things organisations, and in this case health providers, should consider when applying the principles in the health sector.
The Privacy Commissioner seeks the views of all stakeholders, including members of the public, health service organisations, private health professionals, other businesses, non-profit associations, peak industry bodies, consumer bodies and other community agencies and relevant State and Federal government agencies about:
It will help the Office to collate and analyse your views if submissions follow the structure of the guidelines in making comments.
This paper is available in a range of formats. It is available in hard copy and on the Privacy Commissioner’s website at http://www.privacy.gov.au. We can also make it available on disk by request.
We will issue the final guidelines in a range of formats including html with hotlinks, as well as in an easily accessible hard copy and through various legal and other publications.
You can make a written submission either in electronic form by email, or in hard copy. You can also call us on TTY 1800 620 241.
E-mail address for submissions is: consultation@privacy.gov.au
Postal address for submissions is:
(Consultation on draft Health Privacy Guidelines)
Office of the Federal Privacy Commissioner
GPO Box 5218,
Sydney NSW 1042
Closing date for submissions is Friday, 20 July 2001
The Office will accept submissions after this date. However, because of the necessary deadline for publishing the final guidelines before 21 December, we will have an increasingly limited ability to take submissions into account the later they are received after July 20.
The Office will publish the final guidelines in October 2001.
The Office will use the submissions it receives for the purpose of preparing the Health Privacy Guidelines. The Office may publish a list of those who have made submissions. We may also make submissions public.
If you wish your submission to be treated as confidential, please either write this on your submission or tell us at the time you make your submission.
New private sector provisions in the Privacy Act 1988
Health Privacy Guidelines: one of three sets of guidelines
Review of private sector provisions
Draft guidelines available in a range of formats
Collection statement – what we will do with your submission
1.3 Status of these guidelines
1.4 Relationship to general guidelines on the NPPs
1.5 Relationship to professional and ethical codes and standards
1.6 Relationship to other legislation on health and privacy
1.7 Relationship to codes approved under the Privacy Act
1.9 Who are these guidelines for?
1.10 Organisations not covered by these guidelines
1.11 Health providers that operate in both public and private sectors
1.12 What information do these guidelines apply to?
1.13 Does the Privacy Act apply to information already held?
2.1 Personal information, consent and medical treatment
2.3 Express or implied consent
2.5 Consent on behalf of an individual
2.6 Providing individuals with a chance to opt-out
3.2 Collect only necessary information
3.3 Collecting information with consent
3.4 Collecting information without consent
3.5 Collecting information lawfully and fairly
3.6 Advising individuals about information collected
3.7 Collect from the individual where possible
4.1 An individual wishes to access a health service anonymously
4.2 Where not lawful to provide an anonymous service
4.3 Where not practicable to provide an anonymous service
5.1 Key concepts relating to use and disclosure
7.2 Destruction of health information
8.1 Information to be made available
8.2 What should the document cover?
8.3 Providing more general information on request
9.1 Meaning of access and forms of access
9.3 Processing a request for access
9.4 Access where a service is contracted out or provided on behalf of another organisation
9.6 Circumstances in which information may be withheld
9.8 What to tell the individual if information is withheld
9.9 An individual wishes to transfer to another health provider
9.10 Amendments to individual’s health information
10 Change in business circumstances, or closure of a health service
10.1 Change in business circumstances
10.2 Health provider business ceases
11.2 What limitations apply to use of identifiers?
Examples of the advice provided in these guidelines:
Is my organisation covered by these guidelines: Section 1.9
As a health professional, I already work within an existing legal and ethical framework. How does the new privacy legislation fit in with my responsibilities under other laws and professional codes of practice?: Section 1.5
When and how should I provide an individual with access to his or her records?: Section 9
An individual asks for a copy of his or her health records and I am concerned that this may present a risk to their health. Do I need to provide access to records in this situation?: Section 9.6
I would like to discuss an individual’s health information with their closest relatives. When would this be considered appropriate?: Section 5.5 “Relatives, friends & guardians”
The media has asked after an individual’s health status following an accident. What can I tell them?: Section 5.5 “Media”
The police have requested information about one of my patients because they are investigating a crime. Do I need to provide information? What information can I disclose?: Section 5.5 “Police and law enforcement”
A research body has asked for health information to assist in a research project. Under what circumstances can I respond, and what safeguards are needed to protect the individual’s privacy?: Appendix 5: “Health Research, Health Management and the NPPs”
Question for consultation: H1 Are there any other common scenarios to which it would be helpful to provide a quick reference?
In Australia, for the first time, there is now a comprehensive privacy law covering the private sector. In an amendment to the Privacy Act 1988 (the “Privacy Act”) private sector organisations now have an obligation to protect the privacy of individuals’ personal information. This amendment applies to all health service providers in the private sector, regardless of size, from 21 December 2001.
Most people consider health information to be highly personal. People therefore need to be confident that their privacy will be protected whenever they access a health service. Where privacy can be assured, an individual can entrust his or her health information to a health provider knowing that it will be handled appropriately. Without this assurance, an individual may be hesitant to give the information a health provider needs to offer appropriate treatment and care. Protecting the privacy of health information is therefore an integral part of providing quality health care.
Because health providers already practice within a framework that recognises the importance of keeping individual health information confidential, many requirements under the new legislation will be familiar and will in fact reinforce what is already current practice. One main difference is that many of these established standards will be enforceable in law.
Another difference is that the privacy legislation covers a much wider range of information handling practices than the traditional confidentiality framework, and so there may be a number of new issues and requirements for health providers to consider.
For example, the privacy legislation covers:
The provisions in the Privacy Act are very broad. They are based around 10 National Privacy Principles (NPPs) that represent the minimum privacy standards for handling information about individuals.
The aim of these guidelines is to explain how the NPPs apply in practice to all health service providers working in the private sector.
The full text of the NPPs can be found in Appendix 2. In summary, the principles cover the following subject areas:
NPP 1 - Collection of information
NPP 2 - Use and disclosure
NPP 3 - Data quality
NPP 4 - Data security
NPP 5 - Openness
NPP 6 - Access and correction
NPP 7 - Identifiers
NPP 8 - Anonymity
NPP 9 - Transborder data flows
NPP 10 - Sensitive information
These guidelines provide an explanation of how the legislation operates in specific circumstances and gives advice on the practical steps an organisation can take to ensure individual health information is properly protected.
These guidelines apply equally to electronic and paper health records. Health providers should recognise, however, that electronic health record keeping systems can bring particular privacy risks as well as advantages and efficiencies. The ease with which large amounts of information may be moved around, for example, can mean that small mistakes (even a single keystroke) may have serious consequences.
Question for consultation: H2 What further guidance could be given on how the NPPs apply to electronic health records?
Under the Privacy Act, the Privacy Commissioner has power to issue guidelines. These guidelines are advisory guidelines issued under section 27(1)(e) of the Privacy Act.
The guidelines are not legally binding, but they indicate how the Privacy Commissioner would interpret and apply the NPPs in relation to personal health information. This would be relevant, for example, when the Privacy Commissioner handles complaints under the Privacy Act.
The Privacy Commissioner has also developed “Draft National Privacy Principle Guidelines” (the “NPP Guidelines”) explaining how the NPPs apply to those private sector organisations covered by the Privacy Act, not just health service providers.
The reason for developing these health-specific guidelines is that the Privacy Act contains a number of different provisions that apply to the handling of health information. In addition, there are some privacy issues that are specific to the health environment. These guidelines have therefore been developed to advise on health related issues.
Most health providers should find the information they need on the privacy legislation in these guidelines.
The NPP Guidelines, however, provide more comprehensive guidance to the Privacy Act, including detailed consideration of many important terms that appear in the legislation, such as “reasonable” and “impracticable.” Where a particular circumstance is not discussed in these health guidelines, it may be that more information can be found in the general guidelines.
The NPP Guidelines should also be consulted where you wish to know more about how the legislation applies outside the health sector. You can obtain a copy of the NPP Guidelines from the Privacy Commissioner’s office or website (see Appendix 4 for details).
Chapter 13 of the NPP Guidelines concerns the use of personal health information for research, statistical analysis and management. That chapter is reprinted in Appendix 5 of this document for convenience, although for completeness it should be read in conjunction with the rest of the NPP Guidelines.
The confidentiality of individuals’ health information is already strongly protected by the obligations health providers have under professional and ethical codes of practice. These ethical standards continue to apply.
The NPPs and these guidelines are intended to support and operate alongside the existing professional, ethical and legal obligations of health professionals. What the privacy legislation achieves is a set of minimum privacy standards that are enforceable in law and that apply to all private sector health providers, including those that do not belong to a professional body or association.
In some instances the privacy legislation specifically refers to obligations of professional confidentiality that arise from binding rules issued by competent health or medical bodies. (This issue is discussed in detail at Appendix 5.)
In other areas the privacy legislation contains additional requirements to those in existing professional codes of practice, and will broaden the legal obligations of health providers. For example, the legislation provides individuals with a general right of access to their own records.
Ethical and professional codes of practice are discussed further in these guidelines where they interact directly with the privacy legislation.
Questions for consultation: H3 Are there any other issues to be addressed concerning how obligations under professional codes of ethics will operate alongside these guidelines? H4 Are there any professional standards established in legislation (not just codes) that should be mentioned?
In every Australian State and Territory there are a number of other laws applying to health service providers that regulate how individual health information must be handled.
In some States and territories there is specific health privacy legislation, for example in Victoria and in the ACT.
A summary of some of the relevant legislation is included at Appendix 3. This list is not comprehensive, and in any given situation a health provider should consider whether there are any other legal obligations that may apply. Such obligations form an important part of the legal framework that needs to be considered when making decisions about how to handle an individual’s health information.
For example, there are statutory obligations in some States that require health providers to report information to government authorities in the case of notifiable diseases.
The Privacy Act allows the Privacy Commissioner to approve codes to replace the NPPs, so long as they are at least as good as the NPPs at protecting individual privacy. Organisations can subscribe to these codes and so be bound by them.
In deciding whether a proposed code meets the necessary standard, the Privacy Commissioner will interpret the NPPs in conjunction with all the guidelines issued on the NPPs.
These health guidelines therefore directly apply to the NPPs but are relevant for any organisation drafting a health privacy code for the Privacy Commissioner’s approval.
As greater technological developments occur across the Australian health sector, so more information is being held in electronic form. The NPPs are high-level principles that are robust in a range of situations. They are not designed to be specific to a particular technical or administrative environment. Therefore, whilst the principles and these guidelines may not refer directly to examples involving electronic health information, or other key issues such as data linkage, they apply equally to information held and used in those ways.
However, the NPPs may not resolve all of the issues that might arise in the health environment. Where there are specific developments or initiatives in these areas, the Privacy Commissioner expects that privacy issues will be carefully considered, particularly in the context of any legislative proposals.
There is broad recognition of the existing and new challenges facing health providers in managing increasing amounts of electronic information. These may be challenges of secure data storage, safe transfer or the maintenance of data integrity. As the complexity of data collection, storage and linkage becomes greater, so the risks associated with failures to ensure the privacy of individuals' electronic health information become more serious.
The guidance provided in this document is intended for use in relation to electronic health information, with the aim of assisting health providers to develop workable privacy solutions in the electronic health environment.
These guidelines are intended to apply to most health service providers in the private sector.
The term “health service provider” is defined very broadly in the Privacy Act. (See Appendix 1 for definition.) For example, health service providers range from hospitals and general practitioners to organisations that may not traditionally have been considered part of the health care system such as gyms and weight loss clinics.
These guidelines are not targeted at the full range of health service providers covered by the Privacy Act. Rather, they have been developed primarily for those health service providers who operate within the health care system. These organisations are referred to as “health providers” throughout this document.
The types of health provider these guidelines cover include (but are not limited to):
The Privacy Act applies to organisations rather than individuals, however an individual who is self-employed or a sole trader would be considered an “organisation” for the purposes of the Privacy Act.
Actions of employees, contractors and subcontractors in the course of their duties are considered to be actions of the organisation for which they are working.
Any employee of a private or non-government health service provider organisation who handles health information (including doctors, nurses, allied health professionals, counsellors, community health workers, volunteers and administrative staff) will need to be aware of his or her organisation’s legal obligations under the Privacy Act, and these guidelines.
Question for consultation: H5 Are there any other private or non-government sector health providers that should be mentioned in the list above?
There are a number of other organisations that handle health information and who are advised to refer to the general NPP guidelines as their primary source of advice on the new legislation. These include:
Public sector health providers are not covered by the new provisions in the Privacy Act and therefore do not need to apply these guidelines. These include:
A list of the privacy legislation that applies to public sector agencies is included at Appendix 3. These laws are generally based on privacy principles similar to the NPPs.
There are a number of health providers who provide services in both the public and private sectors. For example, medical practitioners who work in both public and private hospital systems, and organisations contracted by government for some of their work, but which otherwise operate privately.
There are also situations where, for the purposes of handling health data, it may be difficult to distinguish between services provided by the public and private sectors. For example, there are a number of hospitals where public and private services are co-located. Also, initiatives such as co-ordinated care projects often involve collaboration between organisations from both public and private sectors.
As this legislation applies to the private sector only, and slightly different standards may apply in the public sector, it is important to try to distinguish between activities conducted by public and private sector organisations where possible. In situations where this is not straightforward, it is suggested the following criteria be used as a guide.
If the Privacy Commissioner receives a complaint about an alleged breach of privacy, one of the first considerations will be to determine whether or not the complaint falls within the jurisdiction of the Privacy Act. For example, the Privacy Commissioner will determine whether the complaint is about the actions of a private sector organisation, or whether a private sector organisation has any responsibility for safeguarding the individual’s personal information in the circumstances.
A surgeon uses public hospital facilities to treat a private patient. Is the individual’s health information, collected in the course of providing this treatment, covered by the NPPs, even though it is stored by the public hospital? Who is responsible for protecting the information?
Health information collected by the surgeon in this situation would be subject to the Privacy Act, regardless of where it is stored, because the surgeon is working in his or her capacity as a private sector health provider. (Note, however, that if a hospital employs or contracts a private health provider, then the provider is subject to public sector privacy standards.)
The records kept by the hospital may also be subject to State privacy laws where these apply.
In this situation, the surgeon would need to be satisfied that the information stored by the hospital was appropriately safeguarded. If the individual requests access to his or her records, the surgeon and the hospital would need to provide access to the records, as explained in Chapter 9.
Hospitals and private practitioners may need to include privacy provisions in any agreements they enter into when private patients are treated in public hospitals. The agreement should clarify the parties’ responsibilities for handling and storing health information.
Questions for consultation: H6 Does this adequately explain how to deal with situations where the distinction between public or private sector activity is blurred? Are there any further examples that would be useful to consider? H7 Are there any other guidelines that could apply to help minimise potential complexity and confusion in this area?
The NPPs only apply to “personal information”. That is, information about an individual who can be identified, or whose identity could be reasonably ascertained, from the information. The principles do not apply to statistical data sets that would not allow individuals to be identified. (See section 5.5 “Research and statistics” for discussion on “de-identified” data.)
Under the Privacy Act, health information is one of the types of personal information considered to be “sensitive information”. (See definition at Appendix 1.) This recognises the sensitive nature of information relating to health care.
“Health information” includes any information or opinion about an individual’s:
“Health information” also includes any other information collected by a health provider in the course of providing treatment and care to an individual. For example, in addition to medical information, it also includes details such as an individual’s name, address, billing information and Medicare number.
Information generated by a health provider, such as notes or an opinion about an individual, is also “health information”.
The Privacy Act also covers physical or biological samples where these are or can be linked to any individual (for example where they have a name or identifier attached). “Health information” also includes genetic information about an individual.
In addition to health information, there are other types of information that the Privacy Act defines as “sensitive information”.
This includes information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, professional or trade association membership, union membership, sexual preferences or practices, or criminal record.
For non-health providers, the distinction between what information is sensitive or not is an important one, as higher privacy standards apply to the handling of sensitive information.
This distinction is not so critical, however, in the health context, as all information collected in the course of providing a health service (including the types of sensitive information listed above) is “health information”. Therefore the higher privacy standards apply to all information collected by health providers.
The new provisions in the Privacy Act are effective from 21 December 2001. However, not all of the NPPs will apply to information already held by health providers on that date.
In general, the principles on how information is collected, used or disclosed only apply to information collected after the commencement of the new legislation.
Some principles apply to information already held, if that information is still in use, but not to information that a health provider no longer uses. This includes principles on access to records and on maintaining the quality of those records.
Other principles, such as those relating to security of data, apply regardless of when the information was collected.
In practical terms, when using or disclosing information it may not be straightforward for a health provider to distinguish between information already held on 21 December 2001 and information collected after that date. To make the implementation process more straightforward, a health provider may decide to apply the principles on use and disclosure to all information, regardless of when it may have been collected.
The partial introduction of some of the principles allows organisations to introduce the privacy standards only as they collect and use information. For example, a health provider is required to maintain the quality of data in records still being used, but there is no expectation that a health provider will update older records, held in archives or storage, that are no longer used.
A full summary of the NPPs that apply to health information already held on 21 December 2001 may be found at the end of Appendix 2.
Question for consultation: H8 Are there any other issues to address on how and when the Privacy Act applies retrospectively?
There are some circumstances in which the Privacy Act does not apply to information held about employees.
Generally, the Privacy Act does not apply to how a health provider handles the records of its own employees. This includes information relating to the individual’s employment including health information about the employee, so long as the information is only used for a purpose directly related to a current or former employment relationship.
The handling of employee records for purposes not directly related to a current or former employment relationship is not exempt from the Privacy Act (section 7(B)(3)).
If an employee attends a health service in a personal capacity (and that health service is his or her employer), this information would not be considered part of his or her employee record. The Privacy Act and these guidelines would cover any health information collected about the individual in this situation.
The Privacy Act applies to the records of employees of other organisations when they are handled by health providers, for example in relation to workers compensation claims.
Example – Employee records or personal records?
An individual works for a private hospital, PH. He is injured at work, and attends PH for treatment. Is the individual’s health information collected in relation to this injury considered part of his “employee record” and therefore outside the scope of the Privacy Act, or is he considered to have attended PH in a personal capacity?
To the extent that the individual attended PH for treatment of his injury, he would be considered to have attended in a personal capacity, similar to any non-health worker attending a hospital for treatment in this situation. The fact that the individual works for the health provider is irrelevant. The Privacy Act would cover the health information collected.
If PH wishes to access the health information for purposes beyond treating the patient, it would need to do so either with the consent of the individual or through any avenues provided for by other legislation (such as Occupational Health and Safety legislation).
Example – Pre-employment medical checks
An individual is required to undertake a medical check for a prospective employer. Is the health information collected in this situation covered by the legislation?
Only records of past and current employees are exempt from the provisions in the Privacy Act. Therefore any health information about prospective employees is still covered by the NPPs.
In this situation, the Privacy Act will apply to the health information collected for as long as that individual is not an employee of the organisation. Once the individual is employed, information in the medical check held by the employer would be considered part of the employee record, and would be exempt from the NPPs. However, the Privacy Act, including the access provisions of the legislation, would still cover any information retained by the health provider.
The guidelines that follow provide advice about applying each of the NPPs, though not necessarily in the order in which they appear in the Privacy Act. The principle relevant to each section is quoted under the section heading. For the full text of any principle, refer to Appendix 2.
Examples are used throughout the guidelines to illustrate how the principles might apply in certain situations. However, as health providers face a wide range of differing and complex situations in daily practice, it is not possible to provide a definitive answer for every possible situation. Professional judgement and sound ethical decision-making will, of course, play an important role in determining the most appropriate course of action.
The Quick Reference Guide at the beginning of the guidelines offers a way for health providers easily to look up advice on common questions without having to fully read the guidelines.
The notion of “consent” is discussed first (see Chapter 2). Consent is a key concept that is referred to in many of the NPPs. Consent will often form the basis for decisions on how to handle individual health information. The discussion in Chapter 2 looks at the notion of consent and ways of seeking individuals’ consent, and provides a necessary context for the chapters that follow.
Questions for consultation
H9 Are there any other issues that need to be addressed in the Introduction?
NPP 2 and NPP 10
A key concept that guides many decisions about how to handle an individual’s health information is whether or not the individual gives consent for his or her information to be collected, used or disclosed in certain situations.
If a health provider has the consent of an individual to collect, use or disclose his or her health information, then the health provider is free to work with the information within the limits of that consent. Consent is relevant for health information in all its forms, including electronic records and data.
Breaches of privacy often occur in circumstances where personal information is collected, used or disclosed without an individual’s knowledge or permission. To respect privacy a health provider should keep an individual informed about their information handling practices and give the individual as much choice as possible about the handling of his or her health information.
Deciding what “consent” is can sometimes be complex. This chapter explains:
Important note: the NPPs formally require a health provider to seek consent to collect health information, rather than for its use and disclosure. However, in relation to the primary purpose, consent to collect and consent to use and disclose amount to the same thing. This is because valid consent requires that the individual know and understand how his or her information will be used or disclosed.
There are some exceptional circumstances when a health provider does not need to seek an individual’s consent in order to collect, use or disclose his or her health information. These situations are explained later in the guidelines.
Consent, as discussed in the Privacy Act and within these guidelines, applies only to decisions about how an individual’s health information is handled. Consent in this context does not extend to giving consent to medical or dental treatment. These are distinct decisions.
Discussions between a health provider and an individual during which health information is gathered will often result in an informed decision by the individual about the collection, use and disclosure of their information for certain purposes. Further steps are required for the health provider to seek consent for the treatment itself.
The NPPs allow a health provider, in some cases, to disclose health information about an individual (who is incapable of giving consent) to a person responsible for them. This can be done to ensure appropriate care or treatment, or for compassionate reasons. (See section 5.5 on “Relatives and Friends”). However, disclosure of this information does not necessarily mean the responsible person then has the authority to give or withhold consent to the treatment itself. (See section 2.5, “Consent provided on behalf of an individual”).
There are four key elements involved in seeking consent. Unless all the elements are addressed, the individual cannot be considered to be providing consent. The key elements are:
Consent must be voluntary. The individual must have a genuine opportunity to provide or withhold consent. That is, they must be able to say “yes” or “no”.
Consent must be informed. The individual needs to understand what it is they are giving or withholding consent to. It is important that the health provider ensures the individual is aware of the implications of providing or withholding consent.
For example, simply asking an individual to sign a form may not constitute consent, if they do not have a chance to read the form and ask questions about it. The form should indicate what would be done with the individual’s health information.
The consent sought must not be too broad. The consent should relate to a specific situation.
For example, a health provider simply asks an individual whether they agree to some of his or her electronic health information being disclosed. This does not give the individual enough information on which to base a decision. The health provider should be specific about what particular health information they are intending to disclose, to whom and for what purposes.
The individual must have the capacity to provide consent; otherwise the consent is not valid. The individual must be capable of: understanding the issues relating to the decision and how it will affect them; forming a view based on reasoned judgment; and communicating his or her decision.
The definition of “consent” under the Privacy Act includes “express or implied” consent.
However, it is the Privacy Commissioner’s view that health providers should seek express consent where consent is required by the NPPs. Moreover, the principles generally refer to the “seeking” of consent, suggesting that a health provider should actively seek consent from an individual.
Implied consent is only acceptable where it is clear, in the circumstances, that the individual is making an informed and voluntary decision. An individual’s failure to object to a proposal does not constitute giving consent, except in extremely limited circumstances.
Open communication and information sharing between health providers and individuals will usually address consent issues. This approach will often ensure that health providers do not need to go to additional lengths to seek consent. Such communication itself promotes discussion and understanding by the individual about the implications for how his or her health information may be used. This kind of communication will often result in an informed decision by the individual regarding the collection and use of his or her information.
As a general rule, if a health provider is in doubt about whether an individual is giving their consent or not, it is preferable to seek the individual’s express consent. Express consent refers to consent that is clearly and unmistakably stated, either in writing or orally. This approach overcomes many of the risks in relying on implied consent and later finding out that the individual’s intentions were misunderstood.
Consent can be given either verbally or in writing. In some situations it is preferable to seek confirmation of consent in writing, particularly when it involves non-routine uses or disclosures of information (for example, in the case of medical research).
Written confirmation of consent may give the health provider and the individual greater protection if there is a later disagreement regarding what consent was given. In situations where it is not practical to seek written confirmation of consent, a health provider may decide to make notes in the individual’s file regarding whether consent was given or refused.
When dealing with consent in relation to electronic information, the health provider may want to ensure that the individual can see the computer screen while consent details are being entered. The health provider may want to give the individual a print copy of the consent-related screen.
As an individual’s wishes may change over time, particularly in relation to longer-term health issues, a health provider may need to check that the consent remains up to date and relevant in the current situation.
An individual cannot give valid consent in relation to privacy issues if they lack the capacity to make an informed decision. The general law about competence and incapacity applies here to the issue of consent.
An individual may not be able to give consent for a number of reasons, including:
As noted previously, the NPPs allow for the disclosure of an individual’s health information to a person who is “responsible” for them to ensure appropriate treatment and care, or for compassionate reasons.
It is the Privacy Commissioner’s view, however, that people with a disability who lack decision-making capacity should not miss out on necessary health care, support and other services because of privacy-related consent issues. Yet, neither should an individual’s privacy rights be undermined by virtue of his or her inability to give consent.
Therefore, if the NPPs require a health provider to seek consent before using or releasing information about an individual who lacks capacity, it may be necessary for the health provider to contact their local Guardianship Tribunal or Board for advice under State guardianship law.
Health providers must not assume that a person with a disability is necessarily incapable of giving consent to the handling of his or her personal information. Most people with disabilities are able to make their own privacy decisions and have the legal right to do so. Health providers will need to ensure that privacy issues are discussed with the individual in a way that is appropriate to their ability to understand and comprehend the information.
Many individuals who have a guardian or other person assisting them with certain matters may still have capacity to provide consent in other instances. Even if an individual lacks legal capacity, they should be involved, as far as is practical, in decision-making processes that affect them.
In emergencies, the NPPs recognise that it may not be appropriate to seek consent from an individual about privacy issues as their health needs take immediate priority. The Privacy Act allows for these situations. (See sections 3.3 and 5.5 on “Serious threats to life or health”.)
In some limited, non-urgent situations (for example, where health information is required to provide ongoing health care and there are complex ethical issues regarding that information), a health provider may need to seek consent from someone acting on behalf of an individual. Consent will not be required in all circumstances, but where consent is required a health provider must consider who can act on the individual’s behalf.
Where a person has a guardian appointed with appropriate decision-making functions, the health provider should discuss the proposed use or disclosure with the guardian. In the absence of a guardian, there may be other appropriate people who can act for the individual. (See the sections below on “Guardian or other representative” and “Consent from a person nominated by the individual”.)
A nursing home provides ongoing care for a person with dementia and wants to disclose health information to an allied health worker to assist with the individual’s care. What steps need to be taken if the individual is unable to give consent?
If the additional care is related to the individual’s overall treatment plan, is in their interests, and is something that both the individual and their family do not object to, then it is unlikely consent will be required.
If, on the other hand, this is a new care initiative that the individual or family might not be aware of or might not agree to, and there are complex privacy or other ethical issues, then the nursing home may need to seek consent to disclose information for this purpose. If the individual is unable to give consent, the nursing home may need to seek consent from someone acting on the individual’s behalf.
Consent could be sought from either a person legally appointed to represent the individual, a person previously informally nominated by the individual to act on his or her behalf, or, where there is no nominated person, someone the health provider judges to be an appropriate representative for the individual.
A suitable representative for an individual would be a guardian appointed to act on his or her behalf, where the guardian has been given specific authority to act on health matters. However, it is not necessary for an individual to have a guardian to deal with privacy issues, as they may have another suitable representative.
Another representative who could act on the individual’s behalf may be someone with an enduring power of attorney that can be used in relation to decisions about the individual’s health (see NPP 2.5(f)). Alternately, the representative may be a person recognised by other relevant laws, such as a “person responsible” (as in the meaning of the NSW Guardianship Act). State laws on guardianship may be relevant in deciding who is an appropriate person to represent an individual who lacks legal capacity.
Note: “other representative” here does not mean an individual’s legal representative, such as a solicitor or barrister.
Where there is no one with legal authority to act on an individual’s behalf, a health provider could rely on consent from a person who has been informally nominated (in writing) by the individual. This would only be appropriate if the individual was previously capable of giving consent, and had nominated the person at that time.
For example, a person may have left a “living will” to take effect in the event of circumstances such as being left in a coma following an accident and requiring ongoing care.
The health provider must be satisfied that there are no reasons to believe that following the individual’s written request would be to act against his or her current wishes.
If there is no one with legal authority, or no one informally nominated to act on an individual’s behalf, the health provider will need to make a professional judgement about who is most appropriate to act on the individual’s behalf, taking into account the individual’s interests.
In many situations where there is no-one at all available to act for an individual, the health provider may still make decisions about appropriate handling of the individual’s health information, provided this occurs in accordance with current laws and practices.
A parent (or guardian) may act on behalf of a child or young person where the child or young person is not of sufficient age and maturity to give consent.
Existing laws covering health providers’ obligations in relation to young people and confidentiality vary from State to State. Health providers will need to consider their obligations under these laws.
It is for the health provider to make a professional judgement, or form an opinion in accordance with any relevant legislation, regarding whether a young person is capable of providing consent in a particular situation.
Significant issues arise when there is disagreement between the wishes of a young person and the wishes of a parent. In general, where the young person is capable of providing consent, then he or she should be approached for consent, not his or her parent. The health provider’s judgement will vary depending on the circumstances of the case.
For example, a young person aged 14 may be judged to have sufficient maturity to give consent, because they are able to understand what will happen if they either give or withhold consent, whereas another young person of the same age may not have sufficient understanding to make an informed decision.
In general, most individuals who are over 16 years of age would be considered sufficiently mature to act on their own behalf.
(See also section 5.5 on “Parents and younger persons”.)
Health providers that work mainly with young people should state in their information policy, who may give consent for, and who has a right of access to information concerning, a person under the age of 18 years. Such a policy should have general guidelines about how the health provider will make decisions relating to a young person’s health information (whether held on paper or electronically). The policy should deal with parental (or guardian) involvement, particularly indicating when a parent (or guardian) would be involved in the decision-making process.
Questions for consultation
H10 Regarding consent in relation to people with a disability who lack legal capacity, does our description draw out the issues as far as possible within the framework of the NPPs? If not, what other guidance would be helpful here?
H11 Are there additional issues relating to consent that should be addressed?
Except in the most limited of circumstances, it is questionable whether implied consent can be inferred from a failure to opt-out, or object to, a particular way of handling an individual’s health information.
An example is where a hospital includes a box on a form, and the individual must tick the box if they do not wish his or her health information to be passed on for other purposes.
In most cases, a health provider could not infer consent from this approach, because it is not clear the individual had the relevant knowledge to exercise the necessary informed choice.
The Privacy Commissioner strongly recommends against relying on this approach to consent where health information is involved, because of the sensitivity of health information, and the risk that an individual may not be aware of the need to, or know how to, opt-out. For instance, in the above example, the individual may not be aware that by not ticking the box he or she is agreeing to disclosures of his or her health information. If this is the case, the health provider cannot be sure the individual has given valid consent and risks breaching the Privacy Act.
Question for consultation
H12 Are there any situations in the health sector, involving health information, where seeking consent using the opt-out method is necessary? Alternately, in what other situations is using the opt-out method desirable? Is our approach to the limits for opt-out consent appropriate in the health context?
NPPs 1 and 10
Health providers collect health information about individuals from a number of sources, though most commonly from individuals themselves. Information is collected for a range of purposes including:
By applying appropriate privacy safeguards when health information is collected, health providers can often minimise any future privacy concerns relating to the handling of that information.
Both NPP 1 and NPP 10 apply to any situation that involves the collection of health information. NPP 10 in particular outlines some requirements specific to the health sector.
In general, these principles state that:
An organisation collects personal information if it gathers, acquires, or obtains it. Collection includes information the organisation receives directly from the individual as well as information about an individual an organisation receives from somebody else. It also includes information that an organisation comes across by accident or has not asked for but nevertheless keeps.
Examples of collection include where an organisation:
NPP 1.1, NPP 10.1(c) & (e), NPP 10.2(a), NPP 10.3(a)
Information collected should be limited to what is necessary for a particular purpose. This is of particular importance where information is collected without the individual’s consent. For example, information may be limited to that which is required to provide a health service.
If certain information is not needed or is irrelevant for a particular purpose then it should not be collected.
This does not prevent a health provider from taking all the medical history he or she requires in order to provide a quality health service and to cover any legal liability obligations a health provider may need to take into account.
It does however aim to limit situations where unnecessary information is collected unintentionally or where too much information is collected because an information system is not flexible enough to suit individual situations.
Collecting unnecessary information can sometimes happen inadvertently on forms used by health providers.
For example, a hospital may have a form with spaces to collect a lot of standard information, particularly where the form serves a number of purposes. Most people feel they have to fill in all fields unless they are informed otherwise. By letting people know what fields are compulsory or voluntary and which fields are most relevant to their situation, it is possible to minimise the collection of unnecessary information.
Also, it may be unnecessary for certain staff of an organisation to collect all the types of information asked for on forms.
For example, a health provider may have a form that asks questions about an individual’s HIV or Hepatitis C status. It may be more appropriate for the health worker directly responsible for providing care to the individual to collect this information, rather than have administrative staff request these details.
NPP 10.2(a)
A health provider may collect health information about an individual where they have that individual’s consent to do so. Chapter 2 contains an extended discussion of consent in the context of personal information privacy.
If consent is given to collect information for a particular purpose, it is thereby given to use and disclose the information for that purpose. By the same token, concerns about how the information is to be used or disclosed may lead the individual to withhold consent for collection. (See also Chapter 2.)
In situations where health information is collected directly from the individual, it could generally be assumed that the individual is giving implied consent to the collection of that information as long as it is clear to them what information is being recorded about them and for what purposes.
Where a health provider needs to collect information about an individual from another source (for example, another health provider, or the individual’s family), in some situations it may be possible to assume the individual has given his or her implied consent, but in most situations this should not be assumed.
For example, if a test is sent to a pathology laboratory by a general practitioner, it would be reasonable to assume that the individual has given implied consent for the general practitioner to then collect the results from that laboratory.
If a health provider wishes to ask an individual’s family for details about the individual’s compliance with a particular medication, it may be unreasonable to assume the individual has consented to this unless express consent had been provided.
See also section 3.7 “Collect from the individual where possible”.
There are a limited number of situations where NPP 10 allows a health provider to collect information about an individual without his or her consent.
Chapter 2 contains an extended discussion of consent in the context of personal information privacy.
NPP 10.2
A health provider may collect health information without an individual’s consent when the collection is necessary to provide a health service, and collection is carried out according to certain professional rules of confidentiality.
Two key elements of this requirement are that the rules dealing with obligations of professional confidentiality are binding and that they are issued by competent health and medical bodies.
A body that is referred to in Federal, State or Territory health law as a decision making body on registration and regulation of health professionals would meet the test of “competent”. The Privacy Commissioner is unlikely to accept other bodies as “competent”.
Question for consultation
H13 Are there other or additional criteria that should be used for determining what is a competent health or medical body?
In considering whether rules are binding, the Privacy Commissioner would in the first instance be looking to see if there are any sanctions or penalties for organisations that do not comply with the rules. Sanctions or penalties would include powers to de-register a professional or prevent them from practicing in their professional capacity.
The RACGP’s “Code of Practice for the Management of Health Information in General Practice” contains the sort of rules required by NPP 10.2. However, the Privacy Commissioner understands that these rules are not binding on General Practitioners and consequently they would not satisfy all the requirements.
The Privacy Commissioner is unaware of any existing rules that would satisfy all the requirements of NPP 10.2.
Question for consultation
H14 Are there any existing “rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation”?
NPP 10.1(b), 10.2(b)(i)
A health provider can collect information without an individual’s consent if there is a law requiring them to collect that information.
For example, under a number of State Public Health Acts, health professionals are required to keep a record of certain details about an individual who they believe has a disease that is a notifiable disease. There are a range of notifiable diseases including tuberculosis, Legionnaires’ Disease and HIV/AIDS.
There are also other events where a health professional may be required to record certain details, such as if there is an adverse event following immunisation.
A health provider will need to be aware of the laws that apply in their relevant State or Territory, as requirements vary between jurisdictions. See Appendix 3 for a list of some of the relevant legislation.
NPP 10.1(c)
In situations where there may be a serious and imminent threat to the life or health of any individual, a health provider does not need to seek consent from the individual before collecting the information necessary to lessen or remove the threat.
This provision applies to situations where an individual is unable to provide or communicate his or her consent to collection of information about them. Such situations include an emergency in which an individual may be unconscious, or in pain or otherwise unable to provide consent, but where urgent treatment is required.
For example, an individual is in hospital and unconscious as a result of a stroke. The hospital may wish to contact the individual’s GP for advice about his or her medical history and medication regime. Where this information is necessary to lessen the threat to the individual’s health or life, a hospital may collect the information.
This does not apply to situations where the threat to the individual’s health is not “serious and imminent”. That is, where the risk is considered more remote and not about to happen in the near future, or where the threat to a person’s health is likely to be of a minor nature.
(Also see sections 5.5 “Serious threats to health or safety” and 9.6 “A serious threat to the life or health of any individual”.)
NPP 10.3
There are limited situations relating to research and statistics where a health provider may collect information even though it is impracticable to seek an individual’s consent.
This applies where information is collected for research or statistical purposes relating to public health or public safety, the compilation or analysis of statistics relevant to public health or public safety, or the management, funding or monitoring of a health service.
Health information may only be collected without consent for these purposes if obtaining consent is impracticable, de-identified information would not be suitable, and the collection is carried out according to special guidelines.
The Privacy Commissioner may approve guidelines under section 95A of the Privacy Act for the conduct of research using health information. This will only occur where the Privacy Commissioner is satisfied that the public interest in collection, use or disclosure of the health information “substantially outweighs” the public interest in protecting privacy in accordance with the other provisions in the NPPs.
Appendix 5, which reprints chapter 13 of the NPP Guidelines, contains an extended discussion of this aspect of the NPPs.
A psychiatrist wishes to collect information from a mental health institution about a particular treatment used on patients 20 years ago for the purposes of conducting research. Can information be collected without the consent of the individuals involved?
In this scenario, if it is impracticable to seek consent from the individuals involved, the psychiatrist must comply with the criteria in NPP 10.3.
The research would be for the purposes relating to public health, and it is likely that the level of detail required for the research may mean that it would not be very meaningful to only collect statistical data.
Individual level information could be collected provided that the psychiatrist had met the requirements of the section 95A guidelines. In either case, it is likely that the research would need to be approved by an ethics committee, and that strict privacy safeguards be observed. If the psychiatrist wishes to publish the research findings, steps must first be taken to ensure the data is de-identified so that no individuals can be traced or identified from the report.
A non-government counselling service collects information from individuals in order to monitor the level of funding the organisation needs to sustain the service. Can this information be collected without the individual’s consent?
Provided that the information is collected in a de-identified form, it is possible to collect this information without individual consent, as this would not be affected by this principle.
It is unlikely that the organisation would meet all of the above criteria to allow the organisation to collect identified health information for this purpose. In particular, it is not clear that there is a legal requirement to collect the information, or that the collection would meet the standards of the section 95A guidelines.
Therefore, if the organisation wishes to collect identifiable data for this purpose, then the consent of individuals would be required.
NPP 1.2
One of the requirements of NPP 1 is that information must be collected by lawful and fair means and that it must not be done in an unreasonably intrusive way.
The principle reinforces a good practice approach to how information should be collected.
Essentially, for collection to be considered lawful, the manner in which information is collected must not breach any State, Territory or Commonwealth law.
For example, it would not be “lawful” to tape record a conversation or consultation without the individual’s knowledge as this is against the law in most States in Australia. Under the NPPs the provider would require the individual’s knowledge and consent.
Collection of information is considered to be “fair” if the approach taken is open and not misleading, and if the individual is not coerced into providing information against his or her will.
Example – Collecting information in a fair manner
An individual is videoed as part of the health service they are receiving. Would it be appropriate for the health provider to use the video for training purposes in future?
To collect information in a manner that is fair, an organisation would need to tell the individual that the video might also be used for training purposes, and seek his or her consent to this. The provision of the health service should not be contingent upon the individual consenting to this further use of the information.
There are a number of practical steps a health provider can take to ensure information is not collected in an unreasonably intrusive manner.
Providing an environment that enhances privacy and minimises any embarrassment that may be experienced by the individual can help address an individual’s need for physical privacy.
Where possible, a health provider should avoid collecting sensitive information in a waiting room or other public space where the conversation may be easily overheard.
For example, in a pharmacy, an individual may feel uncomfortable discussing personal health details when there are other people around. This is particularly an issue where the individual may know other people who are also attending the same pharmacy. The pharmacist should take steps to ensure the individual can discuss his or her health information in confidence.
If an individual indicates they would like a more confidential space to discuss the matter, reasonable steps should be taken to accommodate this.
See also chapter 7, “Storing and handling information securely”.
NPP 1.3 and NPP 1.5
It is possible to reduce the risk of privacy concerns arising by informing the individual at the time health information is collected about how the organisation will handle his or her information.
Under NPP 1, when collecting health information, a health provider needs to inform the individual of the following:
The time at which information is collected is often the ideal time to seek consent from the individual about future uses of his or her information.
NPP 1.3
A health provider is required to take “reasonable steps” to bring the above matters to the attention of an individual at the time information is collected.
If a health provider has limited time with an individual, they may choose (on balance with other health priorities) to notify them at the time only of the points most relevant to the individual, as this may be all that is reasonable in the situation.
There may be situations where additional efforts are necessary in order to inform the individual about how his or her information will be handled.
For example, if an individual requires an interpreter, then steps should be taken to obtain one. Language barriers should not be cited as a reason not to provide information to the individual.
Some of these matters may be obvious given the context. For example, the name and address of the doctor collecting the information may be clear to the individual when the information is being collected by the doctor in person at his or her practice.
When considering what steps are reasonable in the circumstance, the organisation should consider how the situation looks from the individual’s perspective. In the previous example, if the doctor is an employee of a large organisation, the identity of the organisation collecting the information may not be obvious to the individual.
In many situations, a health provider can inform the individual about how his or her information will be handled by discussing this with them in person.
Another helpful method is to have a brochure or handout that provides general information on the health provider’s practices for handling and protecting health information.
For example, a health provider could develop a brochure for its clients on privacy and confidentiality. This could include information about how the organisation handles health information and how an individual can access his or her information. It could also advise on any laws that require information to be disclosed to government authorities.
Care is needed to ensure that any such brochure is clear and readable by the intended audience and relevant to the circumstances.
NPP 1.3
There are situations where it may not be practicable to make the individual aware of all the matters listed earlier. If this is the case, the individual should be notified as soon as practicable after the collection.
For example, in an emergency situation there simply may not be time, or the individual may not be in a fit state to comprehend advice on how his or her information will be handled. As soon as it is practical after the event, the individual should be given advice on what medical information was collected (eg blood samples, details of any health information obtained from other providers), what the information may be used for and to whom it may be disclosed.
NPP 1.4
Where it is reasonable and practicable to do so a health provider should collect information about an individual only from that individual.
There are a number of situations where this may not be reasonable or practical, and the health provider may need to collect information from another source.
For example, in an emergency situation, a health provider may need to ask an individual’s relatives for any background health information that may be relevant to how the individual is treated.
A health provider may have no choice about from whom they collect information if it arrives unsolicited. Where information is unsolicited (that is, where someone passes information to a health provider that was not requested), the information is still considered to have been “collected” if the health provider either records or makes use of the information.
A person informs a health provider that they suspect a particular individual of child abuse. The individual is a patient of the health provider. Is the health provider permitted to collect information in this situation? Can the information be disclosed if the health provider wishes to act on the information?
The health provider is permitted to collect this information, even though the health provider did not request the information, and it arrived unsolicited.
The information may be disclosed in the following situations.
The health provider may discuss the information with the individual if they believe this would not exacerbate possible harm to the young person. Depending on what the health provider judges to be appropriate, it may be possible to discuss the subject matter without revealing the fact that information had been received. Whatever approach is taken, the source of the information should not be disclosed.
If the health provider believes the young person to be at risk, they may have an obligation to notify relevant authorities under mandatory reporting legislation.
A health provider may also disclose information to another person if the health provider believes this is necessary to avert a threat to the health or safety of any person, for example the young person.
NPP 1.5
In situations where information is not collected directly from the individual involved, he or she still needs to be given advice about the information collected. (See section 3.6 above)
This is not required if it would pose a serious threat to the life or health of any individual. That is, if a health provider receives information about an individual who may pose a threat to his or her own life or health, or the lives or health of others, it is reasonable to weigh up whether providing this advice would exacerbate the situation. If there is a risk that the situation would be exacerbated, the individual need not be informed.
In the example immediately above, does the health provider have to advise the individual who is suspected of child abuse that information about them has been received and the nature of that information?
If the health provider believes that alerting the individual to the fact that the information has been received may present a risk to any person’s health, life or safety, then the health provider does not need to tell the individual about the information received.
NPP 8
NPP 8 provides individuals with a right to access a service anonymously if they wish, wherever this is lawful and practicable.
There are a number of situations where an individual may wish to remain anonymous or use an alias when accessing a health service. In some cases, an individual may be hesitant to seek health care or treatment unless they know that they will be able to do so anonymously. It is therefore in the interests of the health of the individual, and maybe the health of others, that this option is available.
Some situations where people may not wish to identify themselves include:
There are some situations where it may not be “lawful” to provide a service anonymously. Generally this is because there may be a legal requirement stating a health provider must collect identifying information from the individual.
For example, mandatory reporting laws may require health providers to notify authorities about a suspected child at risk, and therefore the health provider may need to collect identifying details if the individual discloses such information to the health provider.
Similarly, laws on notifiable diseases may require a health provider to collect identifying information. This requirement is not always mandatory, and some States only require health providers to collect “coded” information in certain situations. Health providers will need to consult the relevant legislation on requirements in this area. (See Appendix 3.)
In other situations, an individual may have to provide identifying information in order to have a prescription filled.
There are a number of situations where it might not be “practicable” to allow an individual to access a service anonymously.
For example, it may be difficult to obtain health information from another provider about the individual if his or her identity cannot be verified. This may make it impracticable for the individual to access the service anonymously and at the same time receive timely treatment.
The Privacy Commissioner strongly emphasises that the option of anonymity should not be denied to individuals simply because it is inconvenient or does not fit in with an organisation’s current administrative requirements. An inflexible administrative set-up would not be sufficient reason to refuse an individual this option.
Any new systems or practices developed should ideally allow for individuals to access the service without having to be identified. Organisations should consider allowing the use of an alias for a particular health service where a system requires some data to be entered.
Questions for consultation
H15 Are there any other limits, issues or barriers to providing a health service anonymously?
H16 Are there issues relating to using identifiers, such as Medicare numbers, that need to be mentioned?
NPP 2
Health providers need to use and disclose health information for a range of purposes to fulfil their obligations as health professionals and to provide the best possible health care to the individual.
At the same time, the privacy of individual health information needs to be respected so that health providers can maintain a relationship of trust and openness with people who access health services. Problems can arise if information is disclosed against the wishes, or without the knowledge of the individual. In some instances, balancing the individual’s right to privacy with what is in their best health interests is an ethical issue that health providers face.
The purposes for which a health provider may wish to use or disclose health information include disclosure to other health providers to assist in assessing, diagnosing or treating a particular health condition or suspected health condition. However, if further use of health information is made for statistical or research purposes, this requires the individual’s consent.
Where an individual has already provided consent to the collection of health information, and been properly informed of possible uses and disclosures of their health information, the individual has given consent to the health provider using and disclosing the information for those purposes. By the same token, if the individual has concerns over how their information may be used or disclosed then they may decide to withhold consent to collection.
If the individual has provided consent for their health information to be used or disclosed in a particular situation, then a health provider is free to use or disclose the information accordingly.
However, there are situations where it may not always be possible or practical to seek consent from the individual to use or disclose their health information. NPP 2 clarifies where consent is required and the privacy standards that apply where consent cannot be obtained.
This principle aims to assist health providers to offer a quality health service within a commonsense privacy framework. Individuals have an expectation that when they use a health service for a particular reason, the information they provide will be used to diagnose, assess and treat their particular condition or concerns. This principle recognises that health services are provided in this way and sets out privacy standards correspondingly. The principle protects the privacy of health information by placing stronger privacy rules on any use or disclosure beyond that original purpose.
While the NPPs make provision for disclosure of health information without consent in particular circumstances, it is important to note that in the absence of a legal requirement that information be disclosed, nothing in the NPPs obliges a health provider to disclose health information. As continues to be the case, health providers should consider their professional and ethical obligations before disclosing information under any circumstances, without the consent of the individual.
There are a number of key concepts that form the basis of how NPP 2 distinguishes between the situations where it may be appropriate for a health provider to use or disclose information without the consent of the individual, and situations where consent is required.
These concepts are explained very briefly here, and expanded on further in the discussion below. (See also the NPP Guidelines for more extended discussion of these issues).
The NPPs make a distinction between what is considered a “use” and a “disclosure” of personal information. Although in general the same privacy standards apply to both, it is useful to note the distinction:
The “primary purpose” of collection is the main reason an individual attends or makes use of a health service. What is considered to be the “primary purpose” of collection should be interpreted carefully.
As a guide, the Privacy Commissioner would consider a reasonable interpretation of “primary purpose” in the health context to be, for example, the assessment or treatment of a particular condition.
This would include the initial assessment, diagnosis or treatment of an individual for a particular condition and further treatment and care, beyond the initial consultation, where this forms part of the treatment for the original condition.
The Privacy Act recognises that there may be other purposes for which a health provider needs to use or disclose health information.
These are all considered to be secondary purposes of collection, and may include the use of information for research, management of health services, quality assurance, follow up with individuals after a particular course of treatment, or consulting with other health providers to seek a second opinion.
Of all the possible secondary purposes, some are recognised as being more closely related to the primary purpose th