[Previous] [Next] [Title]

14. Health privacy issues


Chris Connolly and Graham Greenleaf, 31 May 2001

Note: this Reading Guide only covers Australian issues as yet.

14.1. General resources

14.2. Legislation

The Privacy Act 1988, s3 provides that:
It is the intention of the Parliament that this Act is not to affect the operation of a law of a State or of a Territory that makes provision with respect to the collection, holding, use, correction, disclosure or transfer of personal information (including such a law relating to credit reporting or the use of information held in connection with credit reporting) and is capable of operating concurrently with this Act.
Constitutional issues may easily arise concerning health privacy legislation, such as:

14.2.1. Federal public sector

14.2.2. Private sector

The principles applying to health are generally the same as those applying to other personal information, with small exceptions scattered throughout both the NPPs (eg NPP 2.1 (d) which allows limited disclosure of health information) and the Act (eg Section 6D which excludes health providers from the small business exemption if they hold health information).

The Federal Privacy Commissioner's Draft National Privacy Principle Guidelines (May 2001) contain Chapter 13 - Health Research, Health Management and the NPPs .

These state that where de-identified information is not suitable for the research or management purpose, and it is impracticable to seek the individual's consent, then so long as certain procedures and guidelines are followed, identifiable health information may be collected, used and disclosed for research, and collected for management purposes. Usually this will be with consent, and the Guidelines advise:

"The Commissioner strongly advises organisations to consider all possible (non-coercive) ways of asking for consent, before proceeding with collecting health information without consent for research or statistical purposes relevant to public health or safety or collecting information to manage, fund or monitor a health service."
However, consent may not always be necessary. NPP 10.3 allows an organisation to collect health information without the consent of the individual where it is collecting the information for research relevant to public health or public safety or the compilation and analysis of statistics relevant to public health or public safety or the management, funding or monitoring of a health service.

This exception only applies if the organisation cannot achieve its purpose with de-identified information and it is impracticable for the organisation to get the individual's consent. An example of a circumstance in which de-identified health information might not achieve the purposes is where a project involves linking information about individuals from two or more sources and identified information might be needed to correctly link records from each data source.

Even then the collection must be required by law, or "in accordance with rules established by a competent health or medical body that deals with obligations of professional confidentiality which bind the organisation" or in accordance with guidelines approved by the Commissioner under section 95A.

To date no Section 95A Guidelines have been developed. However, it is anticipated that the Guidelines might be similar to existing Guidelines which apply to Commonwealth agencies under Section 95.

One other interesting aspect of the treatment of health information in the Act is that the exemptions to the access provisions in NPP 6 differ if health information is involved:

"6.1 If an organisation holds personal information about an individual, it must provide the individual with access to the information on request by the individual, except to the extent that:
(a) in the case of personal information other than health information--providing access would pose a serious and imminent threat to the life or health of any individual; or
(b) in the case of health information--providing access would pose a serious threat to the life or health of any individual..."

14.2.3. ACT

In 1997 the ACT Legislative Assembly passed the Health Records (Privacy and Access) Act 1997. The Act contains a set of modified privacy principles and complaints can be made to the ACT Health Complaints Commissioner. The Act covers both the public and private sector.

One of the modifications is the inclusion of principles dealing with the issue of misinterpretation of medical records by the data subject where they are exercising their access rights, especially where misinterpretation may cause harm. Under the legislation a record keeper may offer to discuss a record if concerned about misinterpretation. If the offer is refused the record keeper might refuse access on the ground of likely harm to the patient, and in that case the patient can ask that the record go to another practitioner from the same profession (presumably a current treating practitioner) and that practitioner can discuss the record with the patient, after which serious misinterpretation is much less likely to occur. That practitioner can then review the matter and decide whether to provide the record or maintain the exemption.

14.2.4. Victoria

On 3 April 2001, the Victorian Parliament passed the Health Records Act 2001. The law will come into effect from 1 July 2002 and covers the Victorian public sector (and the private sector where the Federal Act does not apply). It establishes a framework to protect the privacy of individuals' health information and provides individuals with an enforceable right of access to their health information when it is held by private sector organisations.

The Health Privacy Principles (based closely on the ACT legislation) contained in the Act will generally apply to all personal information collected in providing a health, mental health, disability, aged care or palliative care service; and all health information held by other organisations.

For background, see:

14.2.5. New South Wales

No legislation yet, but see:

14.3. Electronic health records

The development of systems able to electronically link and integrate personal health records should promote more comprehensive, co-ordinated and safer health care for individuals and promote better health monitoring and planning for the community. However, along with the potential for improved health care, such developments also carry significant privacy risks for consumers. ( Carter)

The main developments in electronic health records are:

Amanda Cornwall 'NSW electronic health records get serious' (2000) 7 PLPR 80 describes the recent developments in NSW, which are part of a growing national trend towards centralised electronic health records based around UPIs.

14.4. Genetic testing

That paper noted that privacy protection was available for individuals who had been subject to tests, in that the results would be personal information and therefore subject to the Act. However, it noted some key complicating factors, especially where the information revealed certain things about other parties. These issues included: An alternative legislative solution for dealing with these issues was proposed by Senator Natasha Stott Despoja in the Genetic Privacy and Non-discrimination Bill 1998 - a Private Members' Bill which did not gain Parliamentary support. See Dr Charles Lawson Genetic privacy: a predisposition to inconsistency - [1999] PLPR 25; (1999) 5 PLPR 185, for more details.

One recent development which has brought the genetics and privacy issue to a head has been the proposal by the Investments and Financial Services Association ( IFSA) to set an industry wide benchmark for when life insurers might use genetic information to set insurance premiums or exclude insurance. The proposed benchmark would allow insurers to obtain copies of any genetic test results which were already in existence, but would prohibit insurers from requiring genetic tests to be undertaken for any purpose.

The proposal was the subject of enormous controversy and resulted in a public interest determination being made by the Australian Competition and Consumer Commission in November 2000. That determination allowed the proposal to proceed, with the standard authorised for two years only. The ACCC noted:

"The ACCC considers that there is benefit in authorising for two years the proposed agreement to provide a 'breathing space' during which the issues surrounding testing can be debated and government policy developed".
At the same time an investigation into policy and legal issues in genetic testing was referred to (jointly) the National Health and Medical Research Council and the Australian Law Reform Commission.


[Previous] [Next] [Title]