Australian Health Privacy Law - Options for Reform
Speech by Andrew Solomon, Director, Policy, to the Health Privacy Futures 2008 Conference, Brisbane, 10 November 2008.
Introduction
This year can be seen as both a milestone and an opportunity for Australian privacy law. It's a milestone because 2008 marks 20 years since the Privacy Act was passed by the Australian Parliament.[1] It's also an opportunity because - as we've just heard from Professor McCrimmon - the Australian Law Reform Commission has handed down its final report on privacy law reform. Importantly, the Australian Government has already signalled its intention to respond to that report in two stages, with the first tranche of changes to be made over the next few years. This first tranche of changes will include looking at health information privacy.
Beyond this, we are now in an era of tremendous advances in information technology that many would not have thought possible 20 or 30 years ago. Provided we make good policy choices, we have the opportunity to employ these technologies in a privacy-enhancing way. The very fact that we're all here today to listen and to speak about health privacy reform demonstrates an impressive willingness in the health, technology and government sectors to embrace this once-in-a-generation opportunity.
There are two main issues I'd like to outline today to advance this discussion. Firstly, I'll give an overview of the Office of the Privacy Commissioner's positions on health privacy reform. Secondly, I'll outline some of the Privacy Commissioner's key priorities for electronic health records systems in Australia.
Health services and the Privacy Act
For a moment though, a few words on the Privacy Commissioner's role in health privacy.
Since 2001, the 10 National Privacy Principles under the Privacy Act have regulated the way all private sector health service providers handle personal information. If someone believes a health service provider has breached a National Privacy Principle in handling their personal information, they can complain to the Privacy Commissioner.
In 2007-08 the Commissioner received 82 complaints about health service providers, down from 113 the previous year. About half of all health-related complaints concerned patients requesting access to their health records. Another one third complained about improper use or disclosure of health information. Complaints aside, the Office's public enquiries line fielded almost 1500 calls relating to health service providers in 2007-08. This made 'health' the most asked-about sector, ahead of real estate agents and the finance industry.[2]
So how does the community view its health service providers?
According to community attitude research conducted for the Office last year, 91% of respondents said they trusted the health sector when it came to handling their personal information - more than any other sector.[3] The Office tries to reinforce this trust by producing guidance for the sector, and giving advice on good privacy practice. In March this year the Office released five new health privacy information sheets and a set of associated Frequently Asked Questions and Answers for consumers.
The push for privacy law reform
The Office made comprehensive submissions to the Australian Law Reform Commission's privacy inquiry issue and discussion papers in February and December 2007. Those submissions included detailed responses on health privacy.[4]
Fostering national consistency in health privacy regulation
In the Commissioner's view, an overarching goal of privacy reform is fostering national consistency across jurisdictions. There is significant uncertainty in the community about how the Privacy Act and other health privacy laws interact, particularly given the increase in the collocation of public and private service provision. Also, regulatory overlap in the private health sector is responsible for much of the current inconsistency. To address this, the ALRC and the Privacy Commissioner's Office agree that the Privacy Act should 'cover the field' for the private health sector - that is, be the sole source of privacy regulation in that sector - to the exclusion of state and territory laws.
At present Victoria, NSW and the ACT have separate privacy laws that purport to regulate aspects of private sector health service providers, as well as their own public sectors. Western Australia is currently considering a Bill which, if enacted, would do the same.[5] Clarifying that the Privacy Act 'covers the field' would not remove the states' abilities to regulate their own public health sectors. Ideally though, the states would enact consistent legislation in due course. This would certainly make it much easier and more efficient for service providers to understand and address their privacy obligations. It would also allow consumers to know that whether they are engaging with a public or private sector service provider the privacy principles are the same.
Submissions to the Office's review of the National Privacy Principles in 2005 gave several examples of complexity as a result of regulatory overlap.[6] In some situations, both providers and patients may have difficulty knowing what principles should apply, or who should handle a complaint - the Australian Privacy Commissioner, or state-based health privacy regulators.
Without adequate policy and legislative reform, the emergence of e-health records could also meet with jurisdictional complications. In the e-health arena, it would clearly make sense to have the same information-handling requirements for records stored in, or transmitted or received by, a computer system, wherever it is within Australia and whoever owns or manages that system.
The need for a single set of principles
Another important step for privacy law reform is to combine the Privacy Act's two sets of existing principles into one. There is no longer any compelling rationale for the Australian public sector and businesses to operate under different privacy standards. The Privacy Commissioner and the ALRC agree that a unified set of privacy principles would make things simpler for organisations and agencies. It would also empower individuals to better understand and exercise their privacy rights.
In addition to the principles, the ALRC has recommended a separate set of health-specific regulations under the Privacy Act. In the Office's view, a simpler solution would be to incorporate those health-specific aspects into the framework of the principles themselves. This would avoid health service providers having to understand and comply with two legislative 'instruments'.
Health-specific reforms to the privacy principles
So what sort of health-specific reforms does the Office support?
The Privacy Commissioner views this area of reform as one of refinement, not reinvention, because the NPPs are generally working well in protecting health information. In its submissions to the ALRC, the Office proposed a number of health-specific measures, which could easily be adopted into a unified set of privacy principles.
First, the Office supports an express right for patients to have their health records transferred to another provider if requested. This would complement patients' existing rights to access those records themselves.[7]
Second, the Office agrees that where a provider sells their practice, retires or dies, the provider or their legal representative should have to:
(a) make patients aware of the change in circumstances; and
(b) inform patients about proposed arrangements for handling their health records.
These measures would improve certainty for all parties.[8]
Third, the Office supports clearer rights for patients to access their health information through an agreed intermediary, such as another health service provider.[9]
Fourth, the Office has proposed that limited privacy protections should apply to the health information of deceased people (though not other personal information). At present, the Privacy Act doesn't cover deceased people's information at all.
Fifth, the Office supports express acknowledgement of 'authorised representatives' to act on behalf of incapacitated individuals under the Privacy Act. The Office also suggested appropriate limits where incapacity is intermittent or temporary.[10]
In relation to research the Office proposed a range of measures to reduce complexity in the use of personal information for health and medical research under the Privacy Act. This includes harmonising the two existing sets of binding privacy guidelines on research, to create a single set for the public and private sectors.
The Office has also put forward that research related to public health and safety should continue to be afforded special procedures where seeking individual consent isn't practicable. However, in viewing health research as a special case, the Office did not support the ALRC's recommendation to open these procedures to non-health research.
Finally, the Office believes that the public interest in using personal information for health research should clearly or substantially outweigh individuals' privacy interests, before that information can be released without consent.
Towards a robust, coordinated and participatory model of e-Health
I'd now like to move on to discuss some of the Privacy Commissioner's main priorities for e-health developments in Australia.
The Office recognises the potential benefits of an electronic health records system for individuals and the broader community. These include clinical benefits through sharing relevant information between providers and the consumer; financial savings and less duplication within the health sector; and improved linkages for important health research. In getting the model right, we need the kind of shared electronic health records system that the vast majority of Australians will want to be part of.
Earlier I referred to our 2007 community attitudes research, which revealed a very high level of community trust in health service providers to respect the privacy of their patients' information. It's very important that this trust is built upon, and not diminished, in establishing an individual electronic health records system.
As the Privacy Commissioner has noted in her response to the National E-Health Transition Authority's (NEHTA) privacy blueprint, NEHTA has identified some valuable privacy considerations for the proposed individual electronic health records system. For example, the suggestion that individuals should be able to opt in to that system will promote genuine choice, and accords with widespread community expectations.[11]
In the Office's view there may be considerable community apprehension about an individual electronic health records system that says "if you want e-health advantages A, B and C, you have to let us use your information for X, Y and Z." Of course, there will be a range of administrative uses that are necessary just as there are with health information today. There may also be some limited secondary uses that are acceptable to the community. However, the decision to participate in a shared electronic health record system should not be made out of concern about being left behind in a paper world, or that the patient's care might be suboptimal. Rather, a patient's choice to have an individual electronic health record should ultimately be made out of confidence in the system - that it will be convenient, flexible, and properly protect their most sensitive personal details.
Fundamental protections for a national e-health system
There are a number of fundamental protections that the Office of the Privacy Commissioner supports, to establish a robust, flexible and highly participatory e-health system.[12] These include:
Firstly, specific enabling legislation - a suggestion supported by the ALRC.[13] An essential means of providing enforceable protections and greater public confidence is to enact dedicated legislation to protect Unique Health Identifiers (UHIs) and the individual electronic health records system. This legislation could detail:
- the governance arrangements for the system, and the terms and conditions of participating in it;
- authorised and prohibited purposes for handling identifiers, and personal information held in the system; as well as
- complaint-handling arrangements and specific penalties for privacy breaches, in addition to Privacy Act protections.
Secondly, voluntary participation with 'no surprises'. If patients do opt in, there needs to be sufficient convenience and choice as to how their individual e-health record is shared. This should include mechanisms that limit access to particularly sensitive information (sometimes known as 'sealed envelopes' or 'privileged care').
Thirdly, providing further detail on secondary uses. The research by the Office in 2007 showed considerable community differences on whether even de-identified health information should be used for research without an individual's consent.[14] This concern needs to be addressed through public education, and providing adequate choices to individuals about their e-health records. Other potential uses beyond medical research also need to be spelt out, and their merits openly debated.
To round out this discussion, I'd emphasise the importance of all jurisdictions working together to develop a clear, coordinated approach to get the e-health basics right. This would ensure the agenda is not dominated by a plethora of models and trials; but rather, that investments are based on sound policy, good privacy protections and a shared vision of what a national e-health system should look like.
Good privacy protections will continue to support good healthcare
Overall, the Office of the Privacy Commissioner agrees with many stakeholders that health privacy regulations need to be simpler and clearer than the current scenario of several sets of principles and regulatory overlap. Some key steps are to clarify that the Privacy Act 'covers the field' in the private sector, and to adopt a single set of privacy principles that incorporate health-specific protections. These reforms will ensure that the Privacy Act remains consistent with professional ethical standards, and reinforces the collaborative relationship of trust between patients and providers.
We should bear these broader objectives in mind as we move to establish a national e-health system with its own fundamental protections. Such a system should be robust, convenient and flexible - a system that the vast majority of Australians will want to be a part of.
If we can seize these opportunities presented to us today, then there is much to look forward to for the future of health privacy protection - in a way that supports quality health outcomes for all Australians.
Thank you.
[1] For more information see the Office's webpage, "Privacy Act 1988 - Celebrating 20 Years", at www.privacy.gov.au/aboutprivacy/history/20years/.
[2] Figures are based on the Office of the Privacy Commissioner's Annual Report 2007-08, The Operation of the Privacy Act (available at www.privacy.gov.au/publications/08annrep.pdf, see pp 41-45) and internal statistics.
[3] See the Office of the Privacy Commissioner, Community Attitudes to Privacy 2007, p 17, available at www.privacy.gov.au/materials/types/download/8820/6616.
[4] The ALRC's inquiry followed the Office's own review of the 10 National Privacy Principles in 2005. Amongst its 85 recommendations, that review recommended that the Government conduct an analysis of the Privacy Act as a whole.
[5] Information Privacy Bill 2007 (WA), available at www.slp.wa.gov.au/legislation/statutes.nsf/default.html.
[6] See Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988, March 2005, at 2.5, available at www.privacy.gov.au/materials/types/reports/view/6049#2_5.
[7] See the Office's response to the ALRC's DP 72, Proposal 57-8, available at www.privacy.gov.au/publications/submissions/alrc_72/PartH.html#apr24.
[8] This obligation could be expressed in terms of 'reasonable steps'. See the Office's response to the ALRC DP 72, Proposal 57-8, available at www.privacy.gov.au/publications/submissions/alrc_72/PartH.html#apr22.
[9] See the Office's response to the ALRC's DP 72, Proposal 57-6, available at www.privacy.gov.au/publications/submissions/alrc_72/PartH.html#apr20.
[10] See the Office's response to the ALRC's DP 72, Proposals 61-1 and 61-2, available at www.privacy.gov.au/publications/submissions/alrc_72/PartH.html#apr22.
[11] 76% of those surveyed in the Office's Community Attitudes to Privacy 2007 said participation in an electronic health records system should be voluntary (p 45, available at www.privacy.gov.au/materials/types/download/8820/6616).
[12] See, e.g. the Office of the Privacy Commissioner, 'Consultation on the Privacy Blueprint for the Individual Electronic Health Record - Submission to the National E-Health Transition Authority' (August 2008), pp 4-10.
[13] See ALRC, Report 108, Recommendation 61-1.
[14] 53% of women surveyed said consent should be sought, as did 43% of men surveyed. See the Office of the Privacy Commissioner, Community Attitudes to Privacy 2007, p 46, available at www.privacy.gov.au/materials/types/download/8820/6616.