For the first time in Australia, there is comprehensive privacy law covering the private sector. The Privacy Act 1988 has been amended to cover most private sector organisations, including all health service providers in Australia regardless of size. The new law operates from 21 December 2001.

Privacy and Health Care

Most people consider their health information to be highly personal, and want their privacy respected whenever they use a health service. The Privacy Act offers privacy protection and choice to patients, while balancing this with the need for health service providers to share information, where necessary, for the provision of quality health care.

In the health care context, the essential step for providers is to seek alignment between their expectations of what will happen to the patient's health information, and the expectations of that consumer. Good privacy involves no surprises.

The Privacy Amendment (Private Sector) Act 2000

The legislation delivers 10 National Privacy Principles, which form the core of the private sector provisions and set the minimum standards for privacy in the private health sector. The NPPs aim to deliver amongst other things promotion of greater openness between health service providers and patients regarding the handling of health information.

The NPPs cover the whole information lifecycle - from collecting health information, to its storage and maintenance, and including its use and disclosure for a wide range of purposes.

The National Privacy Principles

NPP1: Collection & NPP10: Sensitive Information - set out providers' obligations when collecting health information from patients. These include collecting health information only with consent, and collecting only the information necessary to provide the service.

NPP2: Use and Disclosure - set out how health information, once collected, can be used within the organisation or disclosed to third parties outside the organisation.

NPP3: Data Quality & NPP4: Data Security - set standards for keeping information up-todate, accurate and complete, as well as for protecting and securing it from loss, misuse and unauthorised access.

NPP5: Openness - requires providers to be open about how they handle health information, including the need to develop a document (such as a privacy policy) to clearly explain how they handle health information.

NPP6: Access & Correction - gives patients a general right of access to their own health records, and a right to have information corrected, if it is inaccurate, incomplete or out of date.

NPP7: Identifiers - limits the use of Commonwealth government identifiers (such as the Medicare number or the Veterans Affairs number) by providers to the purposes for which they were issued.

NPP8: Anonymity - where lawful and practicable, patients must have the option of using health services without identifying themselves.

NPP9: Transborder data flows - sets out obligations for providers regarding the transfer of health information out of Australia.

Collecting health information, dispensing medication and discussing symptoms in a public space

When a pharmacist collects health information from a patient in a place where they may be overheard, this should be done in a manner sensitive to the surroundings - as some individuals may be particularly concerned about discussing health issues in an open area. In some circumstances, the pharmacist may wish to take additional steps to protect privacy, such as taking the patient to one side.

Change of business circumstances and pharmacies

When a pharmacy's business circumstances change, some privacy-related steps may be needed. If the new arrangements lead to delivering services in the same way as before, but under new ownership, patients should be advised of the change, perhaps via a notice in the pharmacy or in a local newspaper.

If the new arrangements change the way services are delivered, including the way health records are used and disclosed, then the consent of patients will usually be needed.

This might occur, for instance, if a pharmacy becomes newly co-located with other clinical services and shared record handling is introduced, or where a large corporation buys a pharmacy, and the corporation wants to transfer health information within the organisation.

Access to health records

From 21 December, patients have a general right of access to their own health records and can ask for a copy. Patients also have a right to seek the correction of information held about them, if this is shown to be inaccurate, incomplete or not up-to-date.

Children's privacy

The Privacy Act does not set an age limit at which a child or young person can exercise their own privacy rights - this occurs when the individual becomes competent to make such decisions. Where a child or young person is competent they should make their own decisions; if they are not competent to do so, a pharmacist may discuss their health record with a parent.

If a parent seeks information about their child, but the child explicitly asks that certain health information not be disclosed to that parent, the pharmacist may consider it appropriate to keep such information confidential.

Providing personal information to others - the collection of medication by friends, neighbours or relatives

A patient's consent to the disclosure of their personal information can be expressed or implied. In many instances, implied consent may reasonably be inferred from the actions of the patient. Depending on the circumstances, it may be inferred that a patient has consented to someone else collecting medication on their behalf (and thereby receiving some of their personal information), if they have given a friend or relative their prescription for that reason.

Complaints

Complaints about alleged breaches of privacy can be made to the Federal Privacy Commissioner. The Commissioner can investigate, conciliate and, if necessary, make determinations about complaints.

Need more information...?

Other resources include:

• a privacy booklet
• 'Guidelines on Privacy in the Private Health Sector', and
• a range of Information Sheets.

www.privacy.gov.au or 1300 363 992