Information Privacy and Health Records

Advice on legislation or legal policy issues contained in this paper is provided for use in parliamentary debate and for related parliamentary purposes. This paper is not professional legal opinion.
Briefing Paper No. 06/2002 by Gareth Griffith

The immediate background to this paper was the release in December 2001 of an Exposure Draft of a Health Records and Information Privacy Bill [the Draft Health Records Bill]. This was followed on 26 February 2002 by an announcement, in the Governor's Speech, foreshadowing the introduction of legislation to 'protect the privacy of electronic health records'. The issues involved in the proposed legislation are encapsulated in the three 'purposes' of the Draft Health Records Bill: (a) protecting the privacy of an individual's health information that is held in the public and private sectors; (b) enabling individuals to gain access to their health information; and (c) providing an accessible framework for the resolution of complaints regarding the handling of health information. The main findings of this paper are as follows:

  • As in other privacy information areas, these issues belong to the larger picture of technological innovation which facilitates the sharing and accessing of data. In the specific context of health information, these developments include Telemedicine and health smart card proposals which may result in information being stored and collected in new ways (p 1).
  • A particular concern is the development of a linked Electronic Health Record (EHR), as proposed in the March 2000 Report of the NSW Health Council titled, A Better Health System for NSW. Responding to this recommendation, the NSW Health Minister appointed an Advisory Committee to address privacy issues in relation to health information (p 1).
  • The Advisory Committee's report titled, Panacea or Placebo? Linked Electronic Health Records and Improvements in Health Outcomes, was released on 2 February 2001. Among other things, it recommended that a 'system of linked electronic health records across the State' be developed and that the system be governed by a new Act, the Health Records and Information Privacy Act (p 8).
  • Developments at the Commonwealth level include the establishment of a National Electronic Health Records Taskforce. In September 2001 it was reported that the Taskforce had recommended the development of a national health information network to be called HealthConnect. The recommendation was endorsed by the Australian Health Ministers in July 2000 (pp 9-10).
  • The Health Ministers have also established a Health Information Privacy Working Group under the Australian Health Ministers' Advisory Council (AHMAC). Its task is to develop a nationally integrated privacy framework for health information. Comprising Commonwealth, State and Territory representatives, the Working Group is said to be developing a draft National Health Privacy Code with the aim of delivering consistent privacy arrangements across the public and private sectors. The draft Code was due to be distributed for public consultation in January 2002 but, as at 10 April 2002, it is still to be released (p 10).
  • A particular area of concern is genetic information privacy. An inquiry into genetic testing and information, to be conducted jointly by the Australian Law Reform Commission and the Australian Health Ethics Committee, was announced in August 2000. An Issues Paper, published in October 2001, posed the question, 'Should genetic information be treated as being so unique or more powerful than other forms of health information that it requires special legal protection or other exceptional measures?' Under the Draft Health Records Bill genetic information would be treated as a subset of health information (pp 3-5).
  • At present, there is no single, comprehensive piece of health information privacy legislation in NSW applying to the private and public sectors. What exists, instead, is a plethora of relevant State and Federal laws. These include: (a) the Federal Privacy Act 1998, which now applies both to the Commonwealth public sector and to the private sector generally; (b) the NSW Privacy and Personal Information Protection Act 1998, which applies to NSW public sector agencies; (c) the NSW Freedom of Information Act 1989, which also applies to State public sector agencies; (d) such health related regulations as the Private Hospitals Regulation 1996, which provides for a patient's right of access to clinical records and for the secure retention of such records by private sector hospitals; (e) health related legislation which contains specific provisions on confidentiality; (f) statutes requiring mandatory reporting, such as section 27 of the Children and Young Persons (Care and Protection) Act 1998 (NSW); (g) common law medical confidentiality requirements; and (h) codes and guidelines, such as the NSW Department of Health's Information Privacy Code of Practice and the Federal Privacy Commissioner's Guidelines on Privacy in the Private Health Sector (pp 13-15).
  • The extension of the Federal privacy regime to cover the private sector was achieved by the Privacy Amendment (Private Sector) Act 2000 (Cth), which commenced on 21 December 2001. In its June 2000 report, the House of Representatives Legal and Constitutional Affairs Committee commented that the Act's coverage of health information proved a particularly controversial issue. Of particular concern to the Committee were the exemptions applying to access to health records in the private sector (pp 18-19).
  • In an anomalous position are NSW State owned corporations. These are not covered under the Privacy and Personal Information Act 1998 (NSW) and would only be covered under the Federal scheme if expressly prescribed by regulation at the request of the State (p 21).
  • The Federal Privacy Commissioner has indicated that the Federal privacy regime for the private sector is intended to 'cover the field'. Even if that is not the case, issues of constitutional consistency are raised by the operation of concurrent State and Federal legislation in this field (pp 19-20).
  • The ACT and Victoria have already introduced comprehensive legislation dealing with health records and information privacy in the private and public spheres, along the lines proposed under the Draft Health Records Bill (p 1).
  • It is said that the aim of the Draft Health Records Bill is 'to provide a single State-based scheme for the management of health privacy obligations, imposing the same set of Privacy Principles on information holders in both the public and private sector. The Bill will also provide a readily accessible complaints process and recognise the special issues which arise in the handling of health information' (p 31).
  • Unlike the Federal privacy regime, the Draft Bill would extend privacy protection to the health information held on employees' records. This is one area where, it is understood, the Bill may be amended before it is introduced into Parliament (p 33 and p 46).
  • There are sure to be differing perspectives on the Draft Health Records Bill. From one standpoint, it could be seen as yet another level of duplication and complexity in a field of law already busy with regulation. From another, it could be argued that it demonstrates the value of bringing public and private health sector privacy regulation under a single piece of legislation (p 45).