1. Overcoming the challenges of sharing information and records in the health industry
Presentation to the Electronic Documents & Records Management 2004 Conference
Natasha Mann, Legal & Policy Officer
26 February 2004
2. After 40 minutes you will know:
What health information is, & why it has recently been given specific protection in NSW
What constitutes acceptable collection, use & disclosure of health information in NSW, and whether your organisation complies with the new NSW standards
How the new law applies to health information held on employee records
How the new law is enforced, and the remedies available
3. Why protect the privacy of ‘health information’?
The privacy protection landscape
Advances in technology and legislative responses
4. Health Records & Information Privacy Act 2002 (‘HRIPA’)
When does HRIPA commence?
1 July 2004
Who is covered by HRIPA?
Health service providers
Organisations that collect, hold or use health information
5. Purpose of HRIPA (s. 3)
To promote the fair and responsible handling of health information by:
Protecting the privacy of an individual’s health information that is held in the public and private sectors,
Enabling individuals to gain access to their health information,
Providing an accessible framework for the resolution of complaints regarding the handling of health information.
6. ‘Personal information’ means:
Information or an opinion about an individual whose identity is apparent or can reasonably be ascertained
Can be in any format (paper, electronic, visual, audio)
Does not have to be recorded in a material form
7. ‘Health information’ differs depending on what you do:
For non health service providers:
the physical or mental health or disability of an individual
an individual’s express wishes regarding future health services
a health service provided, or to be provided to an individual
collected in connection with the donation or intended donation of body parts, organs
including genetic information
For health service providers:
All of the above plus all other personal information collected to provide a health service
8. Health Privacy Principles 1-3: Collection
Collect only for a lawful purpose that is directly related to your function
Collect only where reasonably necessary
Do not collect by unlawful means
Information must be relevant, not excessive, accurate and not intrusive
Collect directly from the individual concerned
9. Health Privacy Principle 4: Notification
When collecting health information, tell the person:
Who you are
How the person can get access to the information
What it will be used for
Who else usually has access to the information
Whether the collection is required by law
What the main consequences, if any, are for the person if they do not provide the information
10. Health Privacy Principles 10 & 11: Use & Disclosure
Use and disclose health information only for the primary purpose for which it was collected
However some secondary purposes are permitted:
Where the individual has consented
Directly related secondary purpose within the reasonable expectations of the individual
Serious threat to health or welfare
Certain other circumstances
11. Employee Records exemption
The following information is not covered by HRIPA:
Private sector:
“information about an individual that forms part of an employee record”
Public sector:
“information or an opinion about an individual’s suitability for appointment or employment as a public sector official”
12. Enforcement & remedies
Public sector agencies, the same as the PPIP Act: Internal Review, then review by the Administrative Decisions Tribunal
Private sector organisations: Investigation and conciliation by the Privacy Commissioner, then review by the Administrative Decisions Tribunal
Maximum compensation generally $40,000, or $10,000 if against an individual practitioner