PRIVATE SECTOR INFORMATION SHEET 22 - Fees for access to health information under the Privacy Act

Key Messages

The Privacy Act and charging fees for access

The federal Privacy Act requires health service providers in the private sector to give a patient access to their health information if requested, unless a listed exception applies.

Under the Privacy Act:

providers are not required to charge a fee for giving access;

if they do, the charges must not be 'excessive'; and

charges must not apply to merely lodging a request for access.

Charging a reasonable fee for access

Ideally, fees charged for access should not prevent patients in financial hardship from exercising their right to access information held about them. At the same time, the cost of giving access should not create an unreasonable burden on health service providers.

No schedule of fees

There is no schedule of fees under the Privacy Act. Providers may charge for reasonable costs incurred for giving access to information, such as providing a copy of medical records. Some costs (such as legal fees) normally will be part of normal business running costs, and would not generally be passed on to an individual patient. The following points may help you to work out a reasonable access fee.

Recovery of reasonable costs

A fee for access, if any, may include:

Reasonable costs of resources (such as photocopying or reproducing records in other forms).
Reasonable costs for time and labour, including:
- (a) work performed by clerical staff; and
- (b) if necessary, professional costs (such as where a doctor needs to review the file before information is released, or provide access by way of an extra consultation).

Other relevant factors

Do not charge a fee for lodging an access request (the Privacy Act prohibits this).
Discuss with the patient what information they want access to, and the likely fees, before undertaking their request for access.
Do not include other outstanding bills (such as consultation fees) in a fee for access.
The cost of legal and other third-party advice shouldn't generally be passed on to a particular patient, even though you may have sought the advice to help assess their access request.
Consider the individual's capacity to pay. If possible, charge a reduced rate or waive fees where appropriate.
Consider other laws or health sector standards that may relate to fees for access.

All of these matters are discussed in detail in this information sheet. Some of this information may also be applicable for organisations outside of the health sector when dealing with requests for access to personal information.

Background

Who is this information sheet for?

This information sheet is relevant to all health service providers in the private sector ('providers'). They include sole practitioners, private hospitals, pharmacists, and allied and complementary healthcare providers.[1]

All providers need to comply with the 10 National Privacy Principles ('NPPs') under the Privacy Act 1988 (Cth) ('the Privacy Act').[2]

Health service providers in the state and territory public sectors (such as public hospitals and their staff) are not bound by the NPPs, but state and territory privacy laws may apply to them.[3]

What is this information sheet about?

This information sheet outlines some factors that providers should consider when deciding how much to charge a patient for access to their health information, in compliance with National Privacy Principle 6. This is generally referred to below as a 'reasonable access fee'.

Most complaints that the Privacy Commissioner receives about health service providers relate to requests for access to information. Providers can draw on this information sheet to reduce the risk of charging an 'excessive' access fee.

There is no schedule of access fees under the Privacy Act. Making such a schedule is not within the functions of the Privacy Commissioner. However, the Privacy Commissioner's Private Sector Review (2005) found that guidance on access fees would assist providers and other organisations.

An individual's right to access their personal information

If a provider holds personal information about a patient, the provider must provide access to the information if the patient requests it, unless a listed exception applies (NPP 6.1).[4] The provider

may charge a fee for giving the patient access, but under NPP 6.4, the fee:

must not be excessive, and
must not apply to merely making an application for access.

How should access be provided?

NPP 6 does not set out the manner in which access should be provided. The Privacy Commissioner's view is that access should generally be given in the form that the individual requests (such as a copy of an original record or an accurate summary), unless there are significant reasons for not doing so.[5]

An individual can request access, and an organisation may provide it, in a variety of forms.

These include:

providing a photocopy (or a secure electronic copy) of the information requested
providing a copy and explaining the information face-to-face
allowing the individual to inspect their personal information held by the organisation
allowing the individual to take notes about the contents of the record, or
providing access through a mutually agreed intermediary, if access could otherwise be denied under NPP 6.[6]

What if the patient's information was collected before the NPPs commenced in 2001?

The NPPs generally only apply to personal information collected since 21 December 2001 (the date when the NPPs took effect). However, access must also be provided to information collected before this date, if the organisation has used or disclosed the information after this date. Access to that old information can be denied though, where providing access to the information collected 'pre-NPPs' would be an unreasonable administrative burden or expense.[7]

How does the Privacy Commissioner determine if an access fee is excessive?

When a complaint about an 'excessive' access fee is received, the Privacy Commissioner will consider whether the proposed charges are both warranted and defensible.

The underlying intent of NPP 6 is that individuals have a general right to access information held about them.

While the Privacy Act does provide exceptions to this general right of access, an organisation must not prevent an individual from exercising their general right of access by imposing excessive fees for access. Charges for access should be on a cost-recovery basis, and should not be part of general revenue-raising.

At the same time, the Privacy Commissioner recognises that complying with the access provisions under NPP 6 should not place an unreasonable burden on businesses.

Providers can help to minimise this burden by ensuring that systems and processes are in place to make access easy, both for patients and providers.

On this basis, the Privacy Commissioner assesses whether an access fee is excessive by considering what a reasonable person might expect to pay in the circumstances. Whether an access fee is excessive in the circumstances will depend on a number of variables, such as the form and extent of access requested, the size of the organisation, and the circumstances of the individual. Providers may wish to discuss such variables with the patient.

Factors to consider in deciding on a reasonable access fee

Below are some factors that the Privacy Commissioner has taken into account when determining whether a fee for access is excessive. Considering these factors may help providers and others to comply with NPP 6.4. These factors have been grouped into recovery of reasonable costs and other relevant factors below. The list is not exhaustive and is intended as a guide only. The facts of the particular situation will determine whether these and any other factors would apply to a specific request for access.

Recovery of reasonable costs

While some of the costs of providing access may be recovered from the patient, part of these costs should be considered as an ordinary business expense (as with other legal, regulatory and quality assurance measures). The proportion of cost recovery may also be affected by the other relevant factors further below (such as capacity to pay).

The Privacy Commissioner generally assesses cost-related factors under two categories: cost of resources and costs for time and labour.

(i) Cost of resources:
Subject to the other relevant factors below, providers may include some costs for resources in a fee for access (such as for paper and toner, x-rays, dental moulds, ultrasound reproductions and other materials).

(ii) Costs for time and labour:
Providers should consider which staff within the organisation are appropriate to process an access request, and what proportion of costs for time and labour should be passed on to the patient. These costs may include:
- (a) Administrative: The cost of labour that clerical staff can perform, such as photocopying, printing, collating and posting documents, and collecting files from off-site archives. These tasks may be charged at a reasonable clerical rate, but should not be charged at a professional rate.
- (b) Professional: The cost where a health professional, such as a doctor, needs to play a role in providing access. It may be reasonable for the provider to charge for this time at their professional rate (or a proportion of it). For example:
  - where necessary, sitting with a patient and going through the record to explain its contents; or
  - reviewing records before giving access, in case an exception under NPP 6.1 permits denial of access to some or all of the information (such as where providing access would interfere with someone else's privacy, or pose a serious threat to any person's life or health).[8]

Example 1: Reasonable cost recovery[9]

A patient requests a photocopy of his medical record from his psychologist. The psychologist informs the patient that he will charge $20 to go towards the costs of archive retrieval, copying and postage. The patient complains to the psychologist, seeking clarification of the costs. The psychologist calculates that the actual cost of providing access amounts to $85, including time needed to review the file before providing access.

The patient maintains that the $20 fee is excessive, and complains to the Privacy Commissioner. After reviewing the case, the Commissioner is satisfied that the proposed access fee of $20 is not excessive in the circumstances, and declines to investigate the matter on the basis that there is no interference with privacy (that is, no breach of the NPPs).

Example 2: Administrative and Professional costs

A patient requests a copy of his health record held by his orthodontist, including an x-ray. Generally, it would not be reasonable to charge the individual at a professional consultation rate for administrative work, such as retrieving and copying the file. This work should generally be done by clerical staff and, if a fee is charged, it should be charged at an appropriate rate for clerical staff.

However, if the orthodontist needs to perform work themselves, such as to explain information face-to-face in a separate consultation, it may be reasonable for the orthodontist to charge for a proportion of this time at their professional rate.

If an access fee is charged for this request, it is unlikely to be excessive if it is calculated at a reasonable rate to cover:

the cost of resources (such as materials required to produce the x-ray); plus
appropriate costs for time and labour (time spent by clerical staff photocopying and collating, and the orthodontist's professional time if necessary); with
due regard to the nature of the request and other relevant factors such as those below.

Other relevant factors

A range of other factors may be helpful in arriving at a reasonable fee for access to health information (if any). The factors below reflect the intention that access fees should not generally prevent a patient from exercising their right of access to information held about them.

1. Do not charge a lodgement fee for access requests

NPP 6.4(b) states that any charges for an individual to access their personal information 'must not apply to lodging a request for access'.

2. Discuss the scope of the request and likely fees

The individual is not required to give reasons for requesting access. However, discussing the type of information the individual wants access to, and the likely charges they can expect, can help to align expectations, minimise costs, and assist the provider to best meet the patient's needs for obtaining access.

3. Calculate and charge fees for access separately to other outstanding bills

Fees for access should be calculated and charged separately from other fees and outstanding bills.

4. The cost of legal and other third-party advice should not generally be passed on to a particular patient

In most cases, the cost of obtaining legal or other third-party advice on complying with the Privacy Act should not be transferred to an individual seeking access, even though such advice may be obtained following an individual's request for access. Solicitors' charges and similar costs are an ordinary business expense that should generally not be passed on to an individual patient. Including these in an access fee could be considered excessive under NPP 6.4. Where necessary, the provider may be able to charge for a reasonable amount of time spent reviewing the file on which advice may be sought.

Example 3: Excessive fee including legal costs

A patient asks his GP for a copy of his medical record, amounting to 25 pages. The GP is uncertain whether she may include the notes of a specialist, and seeks the advice of a lawyer and a professional body. The GP is told that she may only deny access to information if an exception applies under NPP 6.1.

The GP also decides that it's necessary to ring a specialist who treated the patient to discuss whether there is any particular reason under NPP 6 why access should be withheld. The GP decides that no exceptions apply. She gives her patient a copy of the whole record, and charges an access fee of $275.

The patient complains to the GP and asks for a reduction in the fee, which the GP declines. The patient then complains to the Privacy Commissioner, who takes the matter up with the GP. The Privacy Commissioner suggests that the GP write to the patient with an itemised breakdown of costs for the access fee. The cost breakdown includes $200 for advice sought from legal and professional bodies.

In the course of the Privacy Commissioner's conciliation, the parties agree on a fee of $85. This is made up of 45 minutes in administrative time preparing the file ($22.50), 15 minutes of the GP's time spent reviewing the file ($50) and photocopying of 50 cents per page ($12.50).

5. Consider the individual's capacity to pay

In relevant circumstances, consider charging a reduced (concessional) rate, or waiving the cost of providing access. This may include where the individual receives a benefit or pension, or where the cost to the organisation is minimal or can be absorbed without charge.

Example 4: Considering individual capacity to pay

A local pharmacist is aware that one of her long term patients receives a single parent pension and works part-time to support her two children, aged 3 and 5. The patient is moving interstate, and for her own information, requests a print-out of her medication purchases (about 10 pages), and those of her two young children (which amount to only a few pages).

The local pharmacist normally charges $1.00 per page for access, up to a maximum of $20. Aware that the patient has financial difficulties, the pharmacist decides that it is reasonable to provide print-outs of the purchases of the children's medications without charge, and charges half the normal rate for the patient's own record ($5).

6. Consider other laws or health sector standards that relate to fees for access

When deciding on an access fee, providers may take into consideration what level of charges are specified in other laws or standards. Commonwealth Freedom of Information or State and Territory health records laws,[10] publications by professional associations or registration bodies, as well as professional health sector standards, may provide some guidance. Of course, whether a fee is 'excessive' under the Privacy Act will depend on the particular circumstances.

Further information

The following resources provide further guidance on access and correction more generally:

Private Sector Information Sheets

Information sheets are advisory only and are not legally binding. The National Privacy Principles in Schedule 3 of the Privacy Act do legally bind organisations.

Information sheets are based on the Office of the Privacy Commissioner's understanding of how the Privacy Act works. They provide explanations of some of the terms used in the NPPs and good practice or compliance tips. They are intended to help organisations apply the NPPs in ordinary circumstances. Organisations may need to seek separate legal advice on the application of the Privacy Act to their particular situation. Nothing in an information sheet limits the Privacy Commissioner's ability to investigate complaints under the Privacy Act or to apply the NPPs in the way that seems most appropriate to the facts of the case being dealt with. Organisations may also wish to consult the Commissioner's guidelines and other information sheets.

Office of the Privacy Commissioner

Privacy Enquiries Line 1300 363 992 - local call (calls from mobile and pay phones may incur higher charges)
TTY 1800 620 241 - no voice calls; Fax + 61 2 9284 9666; GPO Box 5218, Sydney NSW 2001.

Private Sector Information Sheet 22
Web HTML, Word and PDF published March 2008
ISBN 978-1-877079-55-9
© Commonwealth of Australia 2008

http://www.privacy.gov.au/

[1] More information on health service providers under the Privacy Act is at www.privacy.gov.au/publications/hg_01.html#a21.

[2] More information on the coverage of the Privacy Act can be found in Information Sheet 12, "Coverage of and Exemptions from the Private Sector Provisions", at www.privacy.gov.au/publications/IS12_01.html.

[3] For information on state and territory privacy laws see www.privacy.gov.au/privacy_rights/laws/index.html.

[4] The exceptions under NPP 6 are listed in full here: www.privacy.gov.au/publications/npps01.html#f.

[5] As expressed in the Case Note, B v Surgeon [2007] PrivCmrA 2, at www.privacy.gov.au/act/casenotes/ccn2_07.html.

[6] See NPP 6.3, which is explained in the Office's Guidelines to Privacy in the Private Health Sector, at www.privacy.gov.au/publications/hg_01.html#b68.

[7] This very limited exception is found in section 16C of the Privacy Act, available from www.privacy.gov.au/act/privacyact/.

[8] The list of exceptions under NPP 6.1 can be found here: www.privacy.gov.au/publications/npps01.html#f.

[9] Many of the examples used in this information sheet draw on real cases that the Office has investigated.

[10] A non-exhaustive list of state and territory health and privacy laws is available at: http://www.privacy.gov.au/privacy_rights/laws/index.html

Return