Health Records Act
The Health Records Act 2001 (Vic) (“HR Act”) commenced operation on 1 July 2002. The HR Act protects the privacy of individuals’ health information held by the public and private sectors in Victoria. It also provides individuals with an enforceable right to access their health information held in the private sector. The objects of the HR Act are:
•to require responsible handling of health information in the public and private sectors;
•to balance the public interest in protecting the privacy of health information with the public interest in the legitimate use of that information;
•to enhance the ability of individuals to be informed about their health care and/or disability services;
•to promote the provision of quality health services, disability services and aged-care services.
Under the HR Act, health information that is collected, held or used by organisations must be handled in accordance with 11 Health Privacy Principles (HPPs). Note that unlike personal information regulated by the PDP Act, health information does not have to be recorded. These HPPs are legally binding and apply to:
•all personal information collected in providing a health, mental health, disability, aged-care or palliative care service, including:
– information about an individual’s expressed wishes about the future provision of health services;
– personal information about an individual collected in connection with the donation or future donation of human tissue;
– genetic information that is, or could be, predictive of an individual’s health or that of their descendants;
•all health information held by other organisations subject to the HR Act listed in section 10 (public sector) and section 11 (private sector).
The following is a short summary of the HPPs, which are set out in full in schedule 1 of the HR Act:
•HPP 1: Collection
An organisation can only collect health information if it is necessary for one or more of its functions and the individual consents (unless the organisation is a law enforcement agency), or it is necessary to provide a health service and the individual is incapable of giving consent; for research purposes if in accordance with guidelines approved by the Health Services Commissioner; if it is necessary to prevent a serious and imminent threat to the individual or a serious threat to the public, or if it is required or authorised by law. HPP 1 also prescribes how the information is to be collected.
•HPP 2: Use and disclosure
An organisation can use and disclose health information for the primary purpose of collection or a directly related secondary purpose that an individual would reasonably expect. Otherwise, use and disclosure must be by consent, if authorised or required by law, and for other public purposes (e.g. to prevent serious or imminent harm). Disclosure to immediate family is permitted where an individual is incapable of giving consent, has no authorised representative and hasn’t expressed a prohibition when not incapable. Organisations are also permitted to disclose health information if the individual is known or believed to be dead, missing or incapable of giving consent and the information is needed to identify the person or immediate family.
•HPP 3: Data quality
An organisation must take reasonable steps to ensure individuals’ health information is accurate, complete, up-to-date and relevant to the organisation’s functions.
•HPP 4: Data security and data retention
An organisation must take reasonable steps to protect the health information it holds from misuse, loss, unauthorised access, modification or disclosure. Health service providers must not delete health information (even when later found to be inaccurate), except in the limited circumstances listed in the HPP. A health service provider that transfers health information to another individual or organisation, and does not keep a copy, must record the name and address of where the information was transferred. An organisation other than a health service provider must take reasonable steps to permanently de-identify or destroy health information that is no longer needed for any purpose. For public sector organisations, this is subject to the Public Records Act 1973 (Vic).
•HPP 5: Openness
An organisation must have a written policy about how it manages health information and how individuals can access their health information. On request, the organisation must take reasonable steps to tell an individual whether it holds health information about them, and if so, the kind of information, what it is needed for, and how the organisation handles the information.
•HPP 6: Access and correction
An organisation must provide access to an individual’s health information on request in accordance with part 5 of the HR Act. There are exceptions, including where:
– access would pose a serious threat to the health or safety of a person;
– access would have an unreasonable impact on the privacy of others;
– the information is confidential under section 27 of the HR Act.
Note that HPP 6 does not apply to public sector organisations subject to the Freedom of Information Act 1982 (Vic) (“FOI Act (Vic)”) (see “Exemptions from the HRA and HPPs”).
If an individual establishes that health information held by an organisation is not accurate, complete or up-to-date, the organisation must take reasonable steps to correct that information – but cannot delete it unless in accordance with HPP 4. If the organisation is unwilling to correct the information, it must take reasonable steps to attach a written statement to the information about its inaccuracy. If the organisation accepts the need to correct the information, there are provisions that guide the organisation on how to address this where there are difficulties in correcting the information.
If an organisation refuses a request to access and correct information, it must provide written reasons for its refusal.
•HPP 7: Identifiers
An organisation can only give an individual an identifier if it is reasonably necessary to enable the organisation to carry out its functions efficiently. If a public sector organisation has assigned an identifier, private sector organisations are only allowed to use and disclose the same identifier in limited circumstances.
•HPP 8: Anonymity
If lawful and practicable, organisations must give individuals the option of remaining anonymous when engaging with the organisation.
•HPP 9: Transborder data flows
An organisation can only transfer health information outside Victoria in limited circumstances, including with the individual’s consent, and where there are safeguards (in the territory to which the information is being transferred) around the privacy of the information that are similar to the HR Act.
•HPP 10: Transfer or closure of a health service provider
This HPP applies where a health service provider sells or otherwise transfers the business, or the business closes down. It details how individuals whose health information is held must be informed of both the business’ transfer or closure and how their information will be transferred. If individuals request their information to be transferred to them, this is treated as a request for access under part 5 of the HR Act or HPP 6. If an individual asks for their information to be transferred to another health service provider, then HPP 11 applies.
•HPP 11: Making information available to another health service provider
A health service provider must make health information available to another health service provider on request with the authority of the individual who the information is about.
The following are exempt from needing to comply with the HR Act and the Health Privacy Principles:
•individuals who hold health information in connection with their personal, family or household affairs (s 13);
•courts and tribunals in carrying out their judicial and quasi-judicial functions – this exemption also applies to court registrars and other court/tribunal staff carrying out tasks relating to the judicial and quasi-judicial functions of the court (s 14);
•royal commissions, board of inquiries and formal reviews – this exemption only applies when health information is collected in connection with the function of the Royal commission, board, or review (s 14A);
•publically available information – this mirrors the exemption under the PDP Act (see above). Note that the exemption does not apply where the organisation knows that the publically available health information has been obtained in breach of the HR Act (s 15);
•organisations subject to the FoI Act (Vic) are not required to comply with any of the access and correction provisions under part 5 of the HR Act, nor HPP 5.2 or HPP 6 (s 16);
•news media are exempt from HPP 1, 2 and 9 (the collection, use, disclosure and transfer of health information) in relation to news activities. Unless the health information is published, they are not required to comply with part 5 of the HR Act, nor HPP 5.2 or HPP 6 (s 17). “News media” are defined as organisations whose principal business consists of news activities. “News activities” include gathering news, and preparing articles or programs about news or current affairs that are intended to be, or are actually, published.
The Health Services Commissioner (HS Commissioner) administers the HR Act and accepts complaints about interference with privacy related to health, including access to health information (see “Complaints, rulings and investigations”).
The HS Commissioner has the power to issue guidelines in relation to certain parts of HPP 1, 2, 6 and 10; or to approve guidelines prepared by a public sector organisation (or other person or body); and to vary any guidelines. The guidelines can lessen the protections provided by a Health Privacy Principle but only if it is substantially in the public interest to do so. The Governor in Council can disallow guidelines. The HS Commissioner published two statutory guidelines in February 2002: one set of guidelines on research (HPP 1.21(iii), 2.2(g)(iii)); and one set of guidelines on the transfer and closure of a practice (HPP 11).
The HS Commissioner has other functions, including auditing records of health information, researching, developing educational programs, and issuing rulings and compliance notices (for the list of the HS Commissioner’s functions, see s 87 HR Act.)
The HS Commissioner can receive complaints about an act or practice that breaches one of the Health Privacy Principles, or breaches the access and correction provisions in part 5 of the HR Act. The complaint can be about the interference with the privacy of a deceased individual up to 30 years after death – whether or not the interference occurred before or after death. The HS Commissioner can also investigate complaints referred by the Victorian Ombudsman, the Victorian Freedom of Information Commissioner, and the Victorian Commissioner for Privacy and Data Protection. Provision is made in the HR Act (s 47) for complaints to be made on behalf of children, and on behalf of those with a physical or mental disability that makes them incapable of making a complaint.
The HS Commissioner can decline to entertain a complaint on a number of grounds, including:
•the complainant failed to complain to the respondent before complaining to the HS Commissioner;
•the complaint is made more than 12 months after the complainant became aware of the matter being complained of;
•the complaint is being dealt with adequately by another body;
•the complaint is frivolous, vexatious or lacking in substance (for full list, see s 51 HR Act).
The HS Commissioner can refer a complaint to the Victorian Commissioner for Privacy and Data Protection, the Australian Information Commissioner, or the Victorian Disability Services Commissioner. If the complaint is about a registered health practitioner, the HS Commissioner can refer any part of the complaint to the appropriate registration board (if the board has the power to deal with the matter).
If the complaint is accepted, the HS Commissioner can attempt to conciliate the complaint, or make a ruling, or (if neither are appropriate) decide to not entertain the complaint any further. If the HS Commissioner declines to entertain a complaint, or conciliation or a ruling are not appropriate, or conciliation is attempted and fails, the complainant can require the HS Commissioner to refer the complaint to VCAT.
The HS Commissioner can investigate a complaint that has not been declined or conciliated and make a ruling about whether the complainant’s privacy has been breached. The HS Commissioner must give a written notice of the ruling to the complainant and respondent. The notice must include reasons for the ruling, specify any action, and state the date (not exceeding a month) in which the complaint must be remedied. The respondent has to report back within a specified time and failure to do so attracts a penalty. The complainant and respondent both have rights to have the complaint referred to VCAT following a ruling by the HS Commissioner.
The HS Commissioner also has the power to investigate and serve a compliance notice (whether or not a complaint has been made) if there has been a serious or flagrant contravention of the HR Act. A notice can also be served if the same type of contravention (whether or not serious or flagrant) has occurred five times or more in the last two years.
In conducting an investigation, the HS Commissioner has enforceable powers to obtain information and documents and take evidence under oath.
Failure to comply with a compliance notice attracts penalties; failure to comply is an indictable offence. A recipient of a compliance notice, or any individual or organisation affected by the notice, can refer the matter to VCAT for review.
Under the Health Complaints Act 2016 (Vic), the Health Services Commissioner will be replaced by the Health Complaints Commissioner. At the time of writing (30 June 2016), this change had not been implemented.
Charter of Human Rights and Responsibilities Act
Under the Charter of Human Rights and Responsibilities Act 2006 (Vic) (“Charter Act”), individuals’ privacy, family, home and correspondence cannot be unlawfully or arbitrarily interfered with (s 13). The wording of section 13 mirrors that of Article 17 of the United Nations International Covenant on Civil and Political Rights (1966).
The Charter Act does not provide a new avenue of redress for individuals who believe their privacy has been breached. Rather, it imposes an obligation on all Victorian public sector organisations to act in a way that is compatible with the human rights protected by the Charter Act.
The Victorian Ombudsman can investigate complaints about a public authority’s administrative action that breaches the Charter Act. The Charter Act also allows a complainant to raise a human rights argument along with existing remedies or legal proceedings involving public authorities. There are a number of examples of proceedings before VCAT where a breach of the right to privacy under the Charter Act has been raised.
The Charter Act requires that all legislation, whether enacted before or after the Charter Act, are as far as possible interpreted in a way that is compatible with human rights. It also provides that all new legislation introduced into the Victorian Parliament must be accompanied by a statement of compatibility with the Charter Act (see Discrimination and human rights).