Site Changes
- Note 1: Major changes to the Privacy Act 1988 will come into effect in March 2014. Agencies, businesses and not for profits need to start preparing for these changes. For more information go to our privacy law reform page at www.oaic.gov.au
- Note 2: From 12 March 2013 content is no longer being added to, or amended, on this site, consequently some information may be out of date. For new privacy content visit the www.oaic.gov.au website.
Some Privacy Issues for Doctors (December 2001)
For the first time in Australia, there is comprehensive privacy law covering the private sector. The Privacy Act 1988 has been amended to cover most private sector organisations, including all health service providers in Australia regardless of size. The new law operates from 21 December 2001.
Privacy and Health Care
Most people consider their health information to be highly personal, and want their privacy respected whenever they use a health service. The Privacy Act offers privacy protection and choice to patients, while balancing this with the need for health service providers to share information, where necessary, for the provision of quality health care.
In the health care context, the essential step for providers is to seek alignment between their expectations of what will happen to the patient's health information, and the expectations of that patient. Good privacy involves no surprises.
The Privacy Amendment (Private Sector) Act 2000
The legislation delivers 10 National Privacy Principles, which form the core of the private sector provisions and set the minimum standards for privacy in the private health sector. The NPPs aim, among other things, to promote greater openness between health service providers and patients regarding the handling of health information. The NPPs cover the whole information lifecycle - from collecting health information, to its storage and maintenance, and including its use and disclosure for a wide range of purposes.
The National Privacy Principles
NPP1: Collection & NPP10: Sensitive Information - set out providers' obligations when collecting health information from patients. These include collecting health information only with consent, and collecting only the information necessary to provide the service.
NPP2: Use and Disclosure - sets out how health information, once collected, can be used within the organisation or disclosed to third parties outside the organisation.
NPP3: Data Quality & NPP4: Data Security - set standards for keeping information up-to-date, accurate and complete, as well as for protecting and securing it from loss, misuse and unauthorised access.
NPP5: Openness - requires providers to be open about how they handle health information, including the need to develop a document (such as a privacy policy) to clearly explain how they handle health information.
NPP6: Access & Correction - gives patients a general right of access to their own health records, and a right to have information corrected, if it is inaccurate, incomplete or out of date.
NPP7: Identifiers - limits the use of Commonwealth government identifiers (such as the Medicare number or the Veterans Affairs number) by providers to the purposes for which they were issued.
NPP8: Anonymity - where lawful and practicable, patients must have the option of using health services without identifying themselves.
NPP9: Transborder data flows - sets out obligations for providers regarding the transfer of health information out of Australia.
Consent when collecting health information
Generally, providers may only collect health information about a patient if the patient consents. Where a provider collects the information directly from the patient during a consultation, usually it will be reasonable to consider that consent is implied - as long as it is clear to the patient what information is being recorded and why.
Advising patients about why their information is being collected
An important aspect of privacy is advising the patient about how the information will be handled. If possible, this should occur at the time of collecting the health information. Often, when a patient sees their doctor, the advice can be given during usual communications. This will generally occur on a first visit. The advice may be given verbally during a consultation, or set out in a brochure.
Access
The general right of access a patient has to their information relates only to their own health records. Access can occur in a number of different ways. A patient may:
- look at the information and talk through the contents with their provider
- obtain a copy of the information (for example, a photocopy of paper records, or a copy of an x-ray) or take notes about the content
- listen to an audio recording or watch a video recording, or
- obtain a print-out or get an electronic copy of information stored on a computer system or database.
Sharing information with other providers: the treating team
The multi-disciplinary team approach to health care is common to the Australian health system. Practitioners work together and share necessary information, usually in accordance with professional codes of practice, to deliver optimum health care.
When collecting information, it may be advisable to discuss with the patient how this approach to treatment will affect the handling of their health information.
Complaints
Complaints about alleged breaches of privacy can be made to the Federal Privacy Commissioner. The Commissioner can investigate, conciliate and, if necessary, make determinations about complaints.
Need more information…?
The Office of the Federal Privacy Commissioner has developed a number of resources to assist health service providers. These include:
- a privacy booklet
- 'Guidelines on Privacy in the Private Health Sector', and
- a range of Information Sheets.
For more information on privacy, go to the Office of the Federal Privacy Commissioner's website at www.privacy.gov.au or contact our Hotline on 1300 363 992.


