It is the intention of the Parliament that this Act is not to affect the operation of a law of a State or of a Territory that makes provision with respect to the collection, holding, use, correction, disclosure or transfer of personal information (including such a law relating to credit reporting or the use of information held in connection with credit reporting) and is capable of operating concurrently with this Act.Constitutional issues may easily arise concerning health privacy legislation, such as:
The Federal Privacy Commissioner's Draft National Privacy Principle Guidelines (May 2001) contain Chapter 13 - Health Research, Health Management and the NPPs .
These state that where de-identified information is not suitable for the research or management purpose, and it is impracticable to seek the individual's consent, then so long as certain procedures and guidelines are followed, identifiable health information may be collected, used and disclosed for research, and collected for management purposes. Usually this will be with consent, and the Guidelines advise:
"The Commissioner strongly advises organisations to consider all possible (non-coercive) ways of asking for consent, before proceeding with collecting health information without consent for research or statistical purposes relevant to public health or safety or collecting information to manage, fund or monitor a health service."However, consent may not always be necessary. NPP 10.3 allows an organisation to collect health information without the consent of the individual where it is collecting the information for research relevant to public health or public safety or the compilation and analysis of statistics relevant to public health or public safety or the management, funding or monitoring of a health service.
This exception only applies if the organisation cannot achieve its purpose with de-identified information and it is impracticable for the organisation to get the individual's consent. An example of a circumstance in which de-identified health information might not achieve the purposes is where a project involves linking information about individuals from two or more sources and identified information might be needed to correctly link records from each data source.
Even then the collection must be required by law, or "in accordance with rules established by a competent health or medical body that deals with obligations of professional confidentiality which bind the organisation" or in accordance with guidelines approved by the Commissioner under section 95A.
To date no Section 95A Guidelines have been developed. However, it is anticipated that the Guidelines might be similar to existing Guidelines which apply to Commonwealth agencies under Section 95.
One other interesting aspect of the treatment of health information in the Act is that the exemptions to the access provisions in NPP 6 differ if health information is involved:
"6.1 If an organisation holds personal information about an individual, it must provide the individual with access to the information on request by the individual, except to the extent that:
(a) in the case of personal information other than health information--providing access would pose a serious and imminent threat to the life or health of any individual; or
(b) in the case of health information--providing access would pose a serious threat to the life or health of any individual..."
One of the modifications is the inclusion of principles dealing with the issue of misinterpretation of medical records by the data subject where they are exercising their access rights, especially where misinterpretation may cause harm. Under the legislation a record keeper may offer to discuss a record if concerned about misinterpretation. If the offer is refused the record keeper might refuse access on the ground of likely harm to the patient, and in that case the patient can ask that the record go to another practitioner from the same profession (presumably a current treating practitioner) and that practitioner can discuss the record with the patient, after which serious misinterpretation is much less likely to occur. That practitioner can then review the matter and decide whether to provide the record or maintain the exemption.
The Health Privacy Principles (based closely on the ACT legislation) contained in the Act will generally apply to all personal information collected in providing a health, mental health, disability, aged care or palliative care service; and all health information held by other organisations.
For background, see:
The main developments in electronic health records are:
One recent development which has brought the genetics and privacy issue to a head has been the proposal by the Investments and Financial Services Association ( IFSA) to set an industry wide benchmark for when life insurers might use genetic information to set insurance premiums or exclude insurance. The proposed benchmark would allow insurers to obtain copies of any genetic test results which were already in existence, but would prohibit insurers from requiring genetic tests to be undertaken for any purpose.
The proposal was the subject of enormous controversy and resulted in a public interest determination being made by the Australian Competition and Consumer Commission in November 2000. That determination allowed the proposal to proceed, with the standard authorised for two years only. The ACCC noted:
"The ACCC considers that there is benefit in authorising for two years the proposed agreement to provide a 'breathing space' during which the issues surrounding testing can be debated and government policy developed".At the same time an investigation into policy and legal issues in genetic testing was referred to (jointly) the National Health and Medical Research Council and the Australian Law Reform Commission.