Information Sheet (Private Sector) 19 - 2007: The Prescription Shopping Information Service (PSIS) and The Privacy Act
In order to comply with Privacy Act obligations, the Office of the Privacy Commissioner advises practitioners that it is generally good privacy practice to seek the patient's consent before collecting health information from the Prescription Shopping Information Service (PSIS).
However, the Privacy Act also permits practitioners to collect a patient's information from the PSIS without consent, provided that the information is necessary to provide a health service to the individual (as provided for by National Privacy Principle 10).
That is, if a practitioner reasonably believes that a patient may be seeking medicines in excess of therapeutic need, but needs to confirm this in order to treat the patient safely, then NPP 10 will permit the practitioner to collect information from the PSIS without consent.
Practitioners should not routinely check a patient's PSIS status where they have no reason to believe the patient may be 'prescription shopping' (for example, by prospectively checking new patients before they attend a consultation). Practitioners should also bear in mind their other obligations under the NPPs when handling individuals' health information, including notice requirements under NPP 1.
Please read on for more detailed information about the PSIS and practitioners' obligations under the Privacy Act.
Medicare Australia's Prescription Shopping Information Service (PSIS) is designed to assist doctors in reducing the number of individuals who obtain PBS medicines in excess of their therapeutic need.
When registered medical practitioners make use of the PSIS, they also have to consider their obligations under the Privacy Act.
The National Privacy Principles
All private sector health service providers must comply with the 10 National Privacy Principles (NPPs) contained in the Privacy Act 1988 (Commonwealth), which regulate the collection, use and disclosure, access to and security of all personal information held.
The Office is of the view that any personal information held by medical practitioners, including patients' information relating to the PSIS, would be considered "health information" as defined by the Privacy Act (s 6).
Collecting health information from the PSIS
NPP 1 prescribes a range of general obligations that must be met when collecting any personal information, including health information. This includes a requirement that the information is necessary for a function or activity of the practitioner, and a requirement to inform patients of how their information will be handled.
NPP 10 provides additional obligations when collecting health information. Generally, NPP 10 prohibits the collection of health information, although certain exceptions apply, such as where the individual consents to the collection (NPP 10.1(a)).
Following amendments to the Privacy Act in 2006, NPP 10.2 permits practitioners to collect health information from the PSIS without consent where:
- (a) the information is necessary to provide a health service to the individual; and
- (b) the information is collected: (i) as required or authorised by or under law... .
A recent amendment to the National Health Act 1953 provides the necessary legal authorisation to satisfy (b) above. In relation to (a), information from the PSIS may be necessary in managing an individual's treatment, as discussed below.
Collection in compliance with NPP 10
An inability to access the PSIS may prevent the practitioner receiving vital information to assess and treat the patient. This may result in individuals getting PBS medicines in excess of their therapeutic needs.
Tip for compliance
In most cases, the Office of the Privacy Commissioner suggests that it is good privacy practice for practitioners to seek the patient's consent before collecting health information from the PSIS (which would satisfy NPP 10.1(a)). However, some patients may be unwilling to give consent, including where they believe they may be identified on the PSIS.
Practitioners are permitted to collect health information from the PSIS without consent, provided that the information is necessary to provide a health service to the individual (under NPP 10.2). That is, if a practitioner reasonably believes that a patient may be seeking to obtain medicines in excess of their therapeutic needs, but needs to confirm this in order to treat the patient safely, then NPP 10.2 permits the practitioner to collect information from the PSIS without gaining the individual's consent.
If the information on the PSIS is not necessary to provide a health service to the patient, then collecting from the PSIS is unlikely to satisfy the requirements of 'necessity' under NPP 1 and NPP 10 (even with consent).
For example, practitioners should not routinely check an individual's PSIS status where they have no reason to believe the patient may be 'prescription shopping', such as by prospectively checking new patients before they attend a consultation.
Relevant changes to the law
Previously, Temporary Public Interest Determinations (TPIDs) issued by the Privacy Commissioner allowed practitioners to collect patients' health information from the PSIS without consent, and without breaching NPP 10. Those TPIDs expired on 23 December 2006.
Amendments to the Privacy Act in 2006 removed the need for further TPIDs. As noted, NPP 10.2 now permits practitioners to collect from the PSIS without consent where:
- (a) the information is necessary to provide a health service to the individual; and
- (b) the information is collected: (i) as required or authorised by or under law... . [emphasis added]
Prior to the 2006 amendments, NPP 10.2(b)(i) only allowed collection 'as required by law'. The National Health Act 1953 now provides the necessary legal authorisation.
Other privacy obligations
Practitioners should always be mindful of their other NPP obligations when handling patients' health information. These include:
- Giving notice to patients about how their information will be handled (including information collected or used for PSIS purposes). This must occur either before collection, or as soon as practicable after, unless such notice would pose a serious risk to any person's life or health (see NPPs 1.3 and 1.5). Patient awareness may be fostered through direct communication, signage and other information.
- Using or disclosing health information only for the purpose it was collected - an exception must apply before the information may be used or disclosed for any other purpose (NPP 2).
- Taking reasonable steps to secure the information held (NPP 4). Patient information from the PSIS should be treated as securely as other clinical information. Generally speaking, 'reasonable steps' in relation to health information means a higher degree of security than might be expected for less sensitive information.
- Providing a patient with access to their information if requested, unless an exception applies (NPP 6).
Enquiries, complaints and access to information
If a patient has an enquiry about the PSIS, they can contact Medicare Australia. Individuals with a privacy-related complaint about Medicare Australia or a private health service provider should write to that agency or provider in the first instance. If the privacy complaint is not adequately resolved at that level, then an individual can complain to the Privacy Commissioner.
- Office of the Privacy Commissioner
- Medicare Australia
- Home page: www.medicareaustralia.gov.au/
- Complaints and Feedback line: freecall 1800 465 717
About Information Sheets
Information sheets are advisory only and are not legally binding. (The NPPs in Schedule 3 of the Privacy Act do legally bind organisations.)
Information sheets are based on the Office's understanding of how the Privacy Act works. They provide explanations of some of the terms used in the NPPs and good practice or compliance tips. They are intended to help organisations apply the NPPs in ordinary circumstances. Organisations may need to seek separate legal advice on the application of the Privacy Act to their particular situation.
Nothing in an information sheet limits the Privacy Commissioner's freedom to investigate complaints under the Privacy Act or to apply the NPPs in the way that seems most appropriate to the facts of the case being dealt with.
Organisations may also wish to consult the Commissioner's guidelines and other information sheets.
Office of the Privacy Commissioner
Privacy Enquiries Line 1300 363 992 (local call charge)
 For further information on NPP 4 data security requirements, see the Office's Guidelines on Privacy in the Private Health Sector (2001), at http://www.privacy.gov.au/materials/types/guidelines/view/6517#b4.