The Health Records Act 2001 (the Act) created a framework to protect the privacy of individuals’ health information. It regulates the collection and handling of health information. The Act:
- gives individuals a legally enforceable right of access to health information about them that is contained in records held in Victoria by the private sector; and
- establishes Health Privacy Principles (HPPs) that will apply to health information collected and handled in Victoria by the Victorian public sector and the private sector.
The access regime and the HPPs are designed to protect privacy and promote patient autonomy, whilst also ensuring safe and effective service delivery, and the continued improvement of health services. The HPPs generally apply to:
- all personal information collected in providing a health, mental health, disability, aged care or palliative care service; and
- all health information held by other organisations.
Complaints about interferences with privacy (breaches of Part 5 of the Act or an HPP) are handled by the Health Services Commissioner.
Health information held by Victorian private sector health providers is also covered by the federal National Privacy Principles. In the unlikely event that a problem arises from an inconsistency between federal and state laws, the federal principles take precedence over the Victorian ones.
1. Collecting your health information
When health service providers collect health information about you, they must
- only collect health information that is necessary for them to carry out their functions or activities. In other words, they must have a justifiable reason for collecting the health information and the reason must be related to their function or activity: they cannot collect information for the sake of it.
- obtain your consent (except in the circumstances noted below).
In the case of a child, they must obtain consent from the child’s parent or guardian.
In the case of a person with an intellectual or mental health disability who is unable to make their own decisions, they must obtain consent from an authorised person, such as a guardian.
There are some situations where consent is not required, including when
- the information is required by law, for example, to obtain a sample for a blood alcohol reading
- you are not capable of giving consent, for example, because you are unconscious
- the information is being collected for public health and safety research, in which case the researchers will have to comply with specific guidelines that apply to such research (see last paragraph of next section).
Your consent does not have to be in writing to be legal: verbal or implied consent is acceptable. However, from the service provider’s perspective, written consent is preferable. To be legal, your consent must also be voluntary, informed and specific to the situation.
- only collect health information about you from you unless it is impractical or unreasonable to do so, for example, because you are unconscious.
If the information was collected from someone else, the health provider must take reasonable steps to tell you
- who collected the information and their contact details
- what information was collected
- why the information was collected
- how you can access the information
- not collect the information in an unlawful, unfair or unreasonably intrusive manner, for example, a doctor should not talk to you about your health in a waiting room where others might overhear the conversation.
2. Using and disclosing your health information
Health service providers can use your health information only for the primary purpose for which it was collected unless you give your consent for it to be used for another purpose.
Health service providers can share your information with other health service providers only if they will be using the information for the same primary purpose. For example, your surgeon can share your health information with your anaesthetist, because both will be using the information to facilitate your operation. However, your GP cannot pass on information about you to a health foundation for a fundraising drive, because the health foundation’s fundraising drive is not related to the primary purpose of providing you with medical care.
Health service providers can use your health information for other purposes without your consent only if
- the information is required or authorised by law, for example, for mandatory reporting of child abuse
- a crime has been committed and the information is required by the police
- the information is needed for legal proceedings
- you are incapable of giving consent, for example, if you were unconscious, a doctor may need to discuss your health with a family member in order to give you appropriate treatment
- the information is necessary to lessen or prevent a serious and imminent threat to your or another person’s life, health or safety, for example, if you were diagnosed with AIDS, it may be necessary to notify your sexual partners of the diagnosis
- the information is necessary to lessen or prevent a serious threat to public health or safety, for example, if you were diagnosed with a notifiable infectious disease such as typhoid, smallpox or SARS, the hospital would be obliged to notify health authorities
- the information is being collected for public health and safety research, in which case the researchers will have to comply with specific guidelines that apply to such research.
3. Health information for research
Health information is used or disclosed to researchers for public health and safety research only occasionally. Such research is subject to stringent rules about the way it is conducted and the way the information is stored. For further information, visit the relevant pages of the websites of the National Health and Medical Research Council and the Victoria Health Services Commissioner.
4. Ensuring accuracy (data quality) of your health information
Health service providers must take reasonable steps to ensure that your health information is accurate, complete and up-to-date.
5. Ensuring security of your health information
Health service providers must take reasonable steps to ensure that your health information is not
- disclosed to an unauthorised person
- accessed by an unauthorised person
- modified by an unauthorised person.
Health service providers can delete (destroy) health information about you only if
- the deletion is permitted by law
- the health information was collected when you were a child and you are now 25 years of age or older
- more than seven years have elapsed since you last consulted the health service provider.
If a health service provider deletes your health information, they must keep a record of the deletion.
If a health service provider transfers your health information, they must keep a record of the name and address of the individual or organisation to whom it was sent.
Non-health service providers must take reasonable steps to destroy or permanently de-identify your health information if it is no longer needed.
6. Maintaining openness of your health information
- You have the right to ask a health service provider if they hold health information about you, and, if so, what steps you can take to access that information.
7. Accessing and correcting your health information
- Accessing: Health service providers must allow you access to any health information they hold about you.
However, access can be denied if
- providing access would pose a serious threat to the life or health of any person, including you
- providing access would have an unreasonable impact on the privacy of others
- the information relates to legal proceedings between you and the health service provider
- there is a legal impediment to doing so, for example, if providing access would prejudice the investigation of a possible crime
- the request is unreasonable, for example, if you have repeatedly made similar requests for the same information.
Some Victorian public health organisations, such as public hospitals and local councils, may allow you access to your health information if you approach them informally.
However, for the request to be enforceable, you must apply for access under Freedom of Information (FoI) legislation. Every public health organisation has a Freedom of Information Officer who handles FoI requests, so you should contact that person if you want access to your health information.
Health service providers can charge a ‘reasonable’ fee for giving you access to your health information. The fee may cover the cost to the organisation of
- photocopying all or some of your health information
- reproducing all or some of your X-rays, etc.
- the staff time spent dealing with your request.
Generally, health service providers cannot charge you for the cost of obtaining legal advice about the legality of releasing your information. Also, they cannot demand that you pay for the costs of preparing a medical report if you only want a copy of your file.
If you think any of your health information is incorrect, and you want the information corrected, you should inform the health service provider of your request, preferably in writing. The provider is obliged to respond to your request within 30 days.
If the health service provider agrees that the information is incorrect, they must take every reasonable step to correct it.
If the health service provider does not agree that the information is incorrect, they must take reasonable steps to link the record with the letter requesting the correction, and provide written reasons for refusing the request.
If the health service provider agrees that the record should be changed but the correction cannot be done easily, they must restrict access to the incorrect record and ensure that only the correct record is available to those providing you with health services.
When a health service provider corrects your health information, they must record with the correction the name of the person who made the correction and the date on which it was made.
The health service provider must also take reasonable steps to notify any other health service providers who may have seen and be using the incorrect information now or in the future.
8. Assigning identifiers
Health service providers can assign you an identifier (a unique number or code that identifies you) only if doing so is essential for them to carry out their functions.
Generally, they cannot adopt, use or disclose an identifier that has been given to you by a government agency, for example, they cannot use your tax file number, Medicare number or pension card number to identify you.
9. Requesting anonymity
You can ask your health service provider not to disclose your true identity in your dealings with them. For example, if you were seeking counselling for illicit drug use, you might not want your true identity revealed. However, your request may not be practical or legal, particularly if you require a prescription for a medicine, or you want to claim a Medicare rebate for the service.
10. Transferring your health information beyond Victoria
Your health information can be transferred to a health service provider outside Victoria only if
- the recipient health service provider is subject to similar privacy rules as those applying in Victoria, or they have given their assurance that the information will be subject to similar rules
- you consent to the transfer, or, if that is impractical, you would probably have given your consent and the transfer is in your interests
- the transfer is required or authorised by law.
11. What happens to my health information if my doctor or dentist sells their practice?
If your health service provider stops providing a service because they close, sell, amalgamate or transfer their practice, your health information can be
- given to you
- passed on to the provider to whom the practice has been sold or transferred
- passed on to a provider nominated by you.
The previous provider must also
- put a notice in a local newspaper stating what they intend doing with the health information. The newspaper must be in a language(s) appropriate for the practice’s clients
- if practical, notify current clients of what they intend doing with the health information
- display a notice at the practice explaining the proposed change to the practice and what they intend doing with the health information.
12. What happens to my health information if I change doctors?
If you change health service providers, and you want your health information transferred to the new provider, you can
- ask the old provider to forward your information to the new provider
- ask the new provider to write to the old provider on your behalf requesting that the information be transferred to the new provider.