Health Privacy: It’s My Business. Health Records Act 2001 (Vic) & Victorian privacy framework. Workshop: Streamlining Ethical Review of Multi-Site Clinical Trials. Angela Palombo, Legal & Policy Officer
Privacy protection is a balancing act: Maximising the level of control that individuals have over their personal information while ensuring that the right information is available to the right people at the right time in the right way to enable necessary operations and services.
Privacy for Victorians Victorian : • Information Privacy Act 2000 • Health Records Act 2001 Commonwealth: • Privacy Act 1988
Information Privacy Act application • applies to all personal information (except health information) that is collected or held by – • the Victorian public sector; and • organisations funded by the public sector.
Key Elements of Health Records Act • Health Privacy Principles (HPPs) - applicable to the public and private sectors in Victoria. The HPPs regulate their handling of health information • Right of access to personal health information in the private sector
Federal Privacy Act application • Extended to private sector from 21 Dec 2001 • Applies to: (a) all private sector health service providers in Australia, and (b) other private sector organisations with an annual turnover of more than $3 million. • Above private sector organisations in Victoria are subject to both HRA and Fed Privacy Act in relation to health information (largely consistent).
Office of the Australian Information Commissioner • Began operation 1 November 2010 • The Australian Information Commissioner is the head of the Office, supported by the Privacy Commissioner and the FOI Commissioner • Independent oversight of privacy and FOI & advising Government on broader government information management
Harmonisation of privacy laws: Impact on HRA • ALRC recommended the state and territory laws dealing with the handling of personal information by private sector organisations be excluded. Therefore HRA (Vic) and HRIPA (NSW) would not apply. • Government supported national consistency but only accepted this recommendation “in principle”
Harmonisation of privacy laws: Impact on HRA (cont.) • It is expected HRA will continue to operate in relation to the Victorian public sector after Australian privacy law reforms • HRA likely to continue to operate re private sector organisations in Victoria, but are awaiting Government second stage response re health privacy
Who is covered by the Health Records Act? Most organisations hold health information about individuals. The Act covers: • health service providers in Victoria (public and private sector); • any other person/organisation that collects/handles personal health information in Victoria. (e.g. schools, employers, insurers)
What is health information? • For health service providers it is all identifying personal information collected to provide a health service; • For non health service providers it is all identifying personal information about the health or disability of an individual.
Personal information means: • Information or opinion about an individual whose identity is apparent, or can be reasonably ascertained • Does not have to be true • Does not have to be recorded • Includes that forming part of a database
Deceased individuals • The Health Records Act applies in relation to the health information of a deceased individual who has been dead for 30 years or less in the same way it applies to the health information of a living person. • Federal Privacy Act does not apply to deceased individuals. Unlikely to change with the reforms.
Impact of other legislation • The Health Records Act does not override other legislation. • Existing provisions in other statutes governing the confidentiality, use and disclosure of health information and those that regulate access to certain kinds of personal information continue to apply.
Interaction with other legislation • Statutory requirements of disclosure, e.g. (a) notifiable diseases under the Public Health & Wellbeing Regulations 2009 (some in coded form), (b) mandatory reporting: child protection, health professionals, (c) auditing of records by WorkSafe, Transport Accident Commission
s.141 Health Services Act 1988 • Confidentiality provision existing prior to HRA, creating criminal offence for breach • Governs disclosure (not use) of patient information for public and private hospitals & community health centres. • Patient information can be disclosed in absence of consent: (a) If communicated in general terms; (b) If communicated to next of kin in accordance with the recognised customs of medical practice; (c) In connection with further treatment of the patient.
s.120A Mental Health Act 1986 • Confidentiality provision for patients of mental health services, creating criminal offence for breach • Governs disclosure (not use) of patient information for public and private hospitals & community mental health services. • Patient information can be disclosed in absence of consent: (a) If communicated in general terms; (b) If communicated to guardian or family member involved in the on-going care of the person; (c) In connection with further treatment of the patient.
Health Privacy Principles 1. Collection 2. Use & Disclosure 3. Data Quality 4. Data Security & Retention 5. Openness 6. Access & Correction 7. Identifiers 8. Anonymity 9. Transborder Data Flows 10. Transfer / closure of practice of health service provider 11. Making information available to another health service provider
HPP 6: Access & Correction • Individuals have a right to seek access to health information about them held in the private sector. • They also have a right to correct it if it is inaccurate, incomplete, misleading or not up-to-date. • The FOI Act continues to give individuals a right of access to health information about themselves held by public sector organisations.
Section 22 Health Records Act 2001 Statutory Guidelines on Research
Statutory Guidelines on Research • Set additional processes or requirements under HPPs 1.1(e)(iii) & 2.2(g)(iii) • Apply where an organisation proposes to collect, use or disclose personal health information for the purpose of research or the compilation or analysis of statistics. • Not just medical research or institutional settings
Interaction of s.22 Research Guidelines with other guidelines • Privacy Act 1988 (Cth) operates in conjunction with other Acts • Cth Act specifically states that it does not affect the operation of a State law that “is capable of operating concurrently with this Act.” • The s.22 research guidelines apply in addition to research guidelines under the Privacy Act 1988 (Cth) in some circumstances
Prerequisites for applying the guidelines: • Do not apply to every research proposal • Application of the Guidelines: (a) Necessary to collect, use or disclose health information for the purposes of research or compilation or analysis of statistics in the public interest (b) Purpose can’t be achieved by de-identified information
Prerequisites for applying guidelines (cont.): (c) Impracticable to seek consent • Needs to be more than mere inconvenience or involving some expense • May be essential to integrity and success of some research to have a complete sample
Mandatory requirements if guidelines apply: • Application and approval by Human Research Ethics Committee (HREC) • Require public interest in research to be weighed against the public interest in protection of privacy: the public interest in the research activity must substantially outweigh the public interest in maintaining the level of privacy protection afforded by the HPPs
Respect for personal dignity & personal privacy • Overriding obligation for those who seek to collect, use or disclose health information is at all times to respect the dignity and personal privacy of the individual
HREC Recording, Monitoring & Reporting Obligations • Records must be kept of decisions made under the guidelines. • Proposals approved under the guidelines must be monitored in accordance with the monitoring requirements of the National Statement. • A HREC must report annually to the HSC only where decisions have been made applying the s. 22 guidelines to a research application.
Non-compliance with the s.22 Research Guidelines • A failure to comply with the research guidelines could result in a breach of the HPPs and be “an interference in the privacy of an individual”
Health Services Commissioner Contact Details: Level 30 570 Bourke Street Melbourne Tel: 03 8601 5222 Toll free: 1800 136 066 Website: www.health.vic.gov.au/hsc Email: hra@dhs.vic.gov.au Fax: (03) 8601 5219 TTY: 1300 550 275 DX: 210182