Home | Databases | WorldLII | Search | Feedback Precedent (Australian Lawyers Alliance)

Cusack, Karen --- "Handling of health records in Victoria" [2021] PrecedentAULA 55; (2021) 166 Precedent 30

HANDLING OF HEALTH RECORDS IN VICTORIA

By Karen Cusack

THE ROLE OF THE HEALTH COMPLAINTS COMMISSIONER

In February 2017 the Health Complaints Act 2016 (Vic) (HC Act) commenced in Victoria to establish the role of Health Complaints Commissioner as an independent statutory officer. The HC Act also introduced powers and functions enabling the office of the Health Complaints Commissioner to play a role in supporting the delivery of safe and ethical healthcare in Victoria. It did this by strengthening the powers of the office to deal with complaints about the provision of health services in Victoria and introduced new powers to investigate unsafe and unethical health service providers.

The HC Act includes a code of conduct for general health services. The general code of conduct in respect of general health services (Schedule 2) prescribes minimum legal standards that apply to all general health service providers in Victoria.^[1]

The office of the Health Complaints Commissioner also administers the Health Records Act 2001 (Vic) (HR Act), which promotes the fair and responsible handling of health information in Victoria by protecting the privacy of health information; providing individuals with a right of access to their health information; and providing a complaints resolution framework for issues with handling health information.^[2]

Under the HR Act, the Health Complaints Commissioner can also accept complaints about the handling of health information by organisations that are providing health services in Victoria and by non-health service providers such as schools and insurance companies.^[3] The most common complaints relate to access, use and disclosure, and data security and retention, with access relating to almost half the complaints finalised in the last financial year.^[4]

The office may also receive notifications from an organisation if a privacy breach has been identified by the organisation itself. Where this occurs, the office will work with the organisation to address the issues that led to the breach and ensure that all affected individuals have been notified.

Further, the office will sometimes receive notifications from members of the public where records have been found or received incorrectly, for example if health records have been found in the street or a person has received an email that was not meant for them.

In either case where a breach of privacy has been identified by an organisation or members of the public other than the person to whom the records relate, we will work closely with organisations to educate and assist them to understand their obligations and to ensure their systems and processes are secure.

APPLYING THE HEALTH RECORDS ACT

Health information jurisdiction

The Health Complaints Commissioner is a state-based regulator; the following information therefore relates only to the application of the health information framework and the role of the Commissioner in Victoria.

In Victoria, there is overlap between the different Acts of Parliament and different settings in which information is held. Obligations with respect to the release of health records vary depending on the setting and the applicable legislative framework. The HR Act applies not only to all health service providers in Victoria (for example public and private hospitals, medical clinics, all other health professionals, alternative therapists and massage therapists) but also to organisations that are not health service providers but hold health information, such as schools and insurance companies.

Purpose of the HR Act

Section 1 of the HR Act sets out its purpose, which is to:

‘promote fair and responsible handling of health information by:

(a) protecting the privacy of an individual’s health information that is held in the public and private sectors; and

(b) providing individuals with a right of access to their health information ... [in both] the public and private sectors; and

(c) providing an accessible framework for the resolution of complaints regarding the handling of health information.’

It should be noted that the HR Act does not override other legislation, so existing provisions in other statutes governing the confidentiality, use and disclosure of health information and those that regulate access to certain kinds of personal information continue to apply, such as the Health Services Act 1988 (Vic), the Children, Youth and Families Act 2005 (Vic), and the Public Health and Wellbeing Regulations 2009 (Vic). Further, the HR Act specifically provides that nothing in the Act affects the operation of the Freedom of Information Act 1982 (Vic).^[5]

MANAGING HEALTH INFORMATION

Many organisations hold information about individuals which is personal information but also goes further than this. Personal information means:

‘information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion’.^[6]

Health information is:

‘information or an opinion about –

(i) the physical, mental or psychological health (at any time) of an individual; or

(ii) a disability (at any time) of an individual; or

(iii) an individual's expressed wishes about the future provision of health services to him or her; or

(iv) a health service provided, or to be provided, to an individual –

that is also personal information.’^[7]

Health information is of itself often highly sensitive and personal in nature, and it therefore requires a specific framework for its management.

The health privacy principles

The HR Act establishes 11 ‘health privacy principles’ (HPPs) that apply to health information collected and handled in Victoria by health service providers and other agencies which hold health information in both the public and private sectors.^[8] There are similarities between the HPPs and the Information Privacy Principles under the Privacy and Data Protection Act 2014 (Vic) and the Australian Privacy Principles under the Privacy Act 1988 (Cth). The HPPs under the HR Act regulate, among other things, the collection, use, disclosure, correction and security of, and access to, health records, and the transfer or closure of a health practice.

Privacy protection is a balancing act between maximising the level of control people have over their personal information, including their health information, and ensuring that the right information is available to the right people, at the right time, and in the right way, to enable necessary operations and services. Since the onset of the global pandemic in March 2020 there has never been a greater need to balance the level of control that individuals have over their health information with the need for certain information to be available.

A contravention of the HR Act or the HPPs is an interference with the privacy of an individual and may be subject to a complaint to the Health Complaints Commissioner. The HR Act does not give rise to a civil cause of action and there is no criminal liability that attaches to a contravention except as set out in the Act itself.^[9]

Collecting, using and disclosing health information

Under the HR Act, health information should only be collected with consent and used or disclosed for the primary purpose for which it was collected, or for a directly related and reasonable secondary purpose.^[10] Health information can only be used or disclosed for a non-related purpose in limited circumstances, such as when there is a serious risk to someone or if the information is needed to evaluate the service received.^[11] A decision of the High Court of Australia in 1996, known as the ‘medical records access case’,^[12] looked at the right of a patient to access their medical records held by a private practitioner. None of the High Court justices in that case accepted the argument that there was a generally accepted right to access medical records at common law, but held that any requirement for such a right was a decision for Parliament. The HR Act does provide that legislative right in Victoria.

Any organisation collecting health information must ensure that the information is up to date and relevant. They must also store, transfer and dispose of health information securely to protect privacy.^[13] If a health service provider moves or closes down, it must post a public notice about what will happen with its patient records and how patients can access their records.^[14]

An organisation holds health information if the information is contained in a document that is in the possession or under the control of the organisation, even if the document is situated outside of Victoria.^[15]

An organisation is only permitted to use or disclose information for the primary purpose for which it was collected or for a related secondary purpose.^[16] A related secondary purpose will arise only if it is directly related to the primary purpose and the person providing the information would reasonably expect that the organisation would use or disclose the information in that way.^[17] So, for example, if a person is referred to a hospital for surgery and the hospital collects health information about the person in the lead up to the surgery, it would be reasonably expected that the hospital would disclose information to the GP who referred the person, including a discharge summary and any follow-up treatment required. However, contact for fundraising would not be a related secondary purpose. The primary purpose for which the information was collected would be for the surgery the person was to undergo. If the hospital used the person’s information as part of a mailout for fundraising, that would be an interference with the person’s privacy in the absence of specific consent to be contacted for fundraising. An individual has a right to make a complaint to the Health Complaints Commissioner where there has been an interference with the person’s privacy.^[18]

There are other permitted circumstances where health information may be used or disclosed, such as where a health service provider is authorised, permitted or required to disclose the information under law, whether expressly or by implication. Disclosure is also authorised under the HR Act where it is necessary for the establishment, exercise or defence of a legal or equitable claim.^[19]

In most cases, consent from the individual will permit the use or disclosure of or access to their health information by a specified health service. However, a person who seeks access to their own health information may be denied access if there is a serious threat to the life or health of that individual or any other person.^[20] In that case, the health service may refuse to give access to the health information or part of the health information, but instead may arrange or offer to discuss the health information. This will be done by a suitably qualified health service provider who will discuss the health information with the person.

Use or disclosure may also be permitted where it is in the public interest. The organisation must form a reasonable belief that the use or disclosure is necessary to lessen or prevent:

‘

(i) a serious threat to an individual’s life, health, safety or welfare, or

(ii) a serious threat to public health, public safety or public welfare.’^[21]

The law provides little guidance regarding when it may be in the public interest for a health practitioner to disclose information. This has been highlighted in the context of issues such as HIV/AIDS. For example, in the case Harvey v PD,^[22] the Court said that a doctor breached his duty of care to a female patient whose husband, who was also his patient, was HIV positive when the doctor failed to notify the female patient of her partner’s test results showing his HIV status. However, Australian courts have been reluctant to impose a positive duty on doctors to warn third parties in order to prevent serious harm occurring to them.

More recently, the emergence of COVID-19 has created a situation where information, particularly health information, has been used and disclosed in ways not contemplated previously. The exceptions in the HPPs have allowed this use and disclosure. However, organisations relying on any of the exceptions under the HPPs to use or disclose health information must do so in a privacy-enhancing way.^[23] This means that organisations should not use or disclose health information under the exceptions unless it is necessary to do so, and if it is necessary, organisations must use and disclose only the minimum amount of information required. Organisations will need to reassess this position once the spread of COVID-19 has subsided, as the threat may no longer meet the ‘serious’ threshold required to share health information under this exception after the emergency has passed.

In the absence of a legal obligation to disclose health information, organisations are entitled to not disclose the information. Accordingly, where a third party is seeking access to health information, rights of access are limited. An application may be made under the Freedom of Information Act 1982 (Vic), but there are exemptions which may apply.^[24] A valid subpoena or summons will override any obligation of confidentiality or duty to not use or disclose health information. In both an application under the Victorian Freedom of Information Act and a subpoena, the scope of the health information that is sought should be clear.

CONCLUSION

Privacy laws are important as they provide people with more control over how organisations handle their personal information and help to promote openness and transparency. However, the right to privacy must be balanced against the necessary flow of information for provision of services. Privacy laws should not stop the flow of information, but may change the way that health information is handled. The current privacy framework in Victoria through the HR Act and the Privacy and Data Protection Act 2014 provides a legal framework to support the appropriate balance between the free flow of information for the public good and the protection of privacy of health and personal information.

Interferences with the privacy of health information are often intertwined with complaints about the provision of health services more broadly, and so having both the HC Act and the HR Act overseen by the same regulator means the managing of health records is appropriate. There is an important, ongoing role for the Health Complaints Commissioner to educate health service providers and other agencies that hold health information about how the privacy laws apply in relation to what information they can collect and how they can share information.

The HR Act was enacted in 2001 and has not been reviewed since that time. The new digital environment in which information is held and shared gives rise to a need for the Act to be modernised in order to keep pace.

See www.hcc.vic.gov.au for more information.

Karen Cusack (She/Her) is Victoria’s inaugural Health Complaints Commissioner, appointed in 2017. She was previously Corporate Counsel at The Royal Women’s Hospital, Melbourne. With over 20 years’ experience as a senior lawyer, Karen is passionate about her role in the Victorian health sector. She is a Director on the Accident Conciliation Compensation Service Board and the Disability Services Board. PHONE 1300 582 113.

^[1] General health service providers are providers not required to be registered with the Australian Health Practitioner Regulation Agency (AHPRA), including massage therapists, cosmetic treatment providers, counsellors and psychoanalysts. AHPRA deals with the registration and accreditation, as well as the health, performance and professional conduct, of individual health practitioners across Australia. AHPRA can also prosecute offences under the Health Practitioner Regulation National Law Act 2009 (Qld), such as falsely claiming to be a doctor or performing certain types of procedures without a licence. The Health Practitioner Regulation National Law Act 2009 has been adopted in all states and territories, and collectively is known as the National Law.

^[2] Health Records Act 2001 (Vic) (HR Act), s1.

^[3] Ibid, s10.

^[4] Health Complaints Commissioner, Annual Report 2019–20 (Report) 23, <https://hcc.vic.gov.au/sites/default/files/media-document/Health%20Complaints%20Commissioner%20Annual%20Report%202019-20_web.pdf>.

^[5] HR Act, above note 2, s7(2).

^[6] Ibid, s3.

^[7] Ibid.

^[8] Ibid, ss10, 11.

^[9] Ibid, s8.

^[10] Ibid, sch 1, Health Privacy Principle 1 – Collection.

^[11] Ibid, sch 1, Health Privacy Principle 2 – Use and Disclosure.

^[12] Breen v Williams (1996) 186 CLR 71.

^[13] HR Act, above note 2, sch 1, Health Privacy Principle 4 – Data Security and Data Retention.

^[14] Ibid, sch 1, Health Privacy Principle 10 – Transfer or closure of the practice of a health service provider.

^[15] Ibid, s5.

^[16] Ibid, sch 1, Health Privacy Principle 2 – Use and Disclosure.

^[17] Ibid, sch 1, Health Privacy Principle 1 – Collection.

^[18] Ibid, s45.

^[19] Ibid, sch 1, Health Privacy Principle 2 – Use and Disclosure.

^[20] Ibid.

^[21] Ibid, sch 1, Health Privacy Principle 2 – Use and Disclosure, [2.2(h)].

^[22] [2004] NSWCA 97; (2004) 59 NSWLR 639.

^[23] Assistance is available through jointly published guidance by the Victorian Information Commissioner and the Health Complaints Commissioner, to help Victorian public sector organisations and health providers that handle health information understand their privacy obligations while dealing with COVID-19. See <https://ovic.vic.gov.au/privacy/covid-19-and-privacy-considerations/>.

^[24] The Freedom of Information Act 1982 (Vic) is administered by the Office of the Victorian Information Commissioner.