Health Information Privacy and Access
The Privacy Act (C’lth) incorporates the Australian Privacy Principles which set out requirements for the handling of personal and sensitive information, which includes health information (see definitions below). They govern information collection, storage and maintenance, and use and disclosure; as well as access by an individual to his/her information and openness about how it is managed by the institution.
The APPs do not apply to de-identified information or statistical data sets, which would not allow individuals to be identified.
Definitions
Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
(a) whether the information or opinion is true or not; and
(b) whether the information or opinion is recorded in a material form or not
Sensitive information is a subset of personal information. It means information or an opinion about an individual’s racial or ethnic origin, political opinions, membership of a political organisation, religious beliefs or affiliations; philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preferences or practices, and criminal record or health information about an individual.
Health information is one kind of sensitive information and includes information or an opinion:
- about an individual’s health or disability at any time (that is, past, present or future)
- about an individual’s expressed wishes regarding future health services
- about health services provided, or to be provided, to the individual
- collected while providing a health service
This means that personal details related to a patient’s attendance (e.g. name, address, Medicare number, billing information, admission/discharge dates), medical information, notes made by healthcare personnel, identifiable biological specimens or samples, or genetic information all constitute “health information”.
Collection of information
The Hospital must:
- Only collect health information necessary for its functions or activities.
- Use fair and lawful ways, that are not unreasonably intrusive, to collect health information.
- Collect health information directly from an individual if it is reasonable and practicable to do so (there is an exception where it is necessary to obtain an individual’s family, social or medical history, which may contain information relating to other persons).
- Take reasonable steps, at the time of collecting health information or as soon as practicable afterwards, to make an individual aware of why the information is being collected, who it may be disclosed to, how it can be accessed etc.
- Take reasonable steps to ensure the individual is aware of the above points even if the information is collected from someone else.
- Only collect health information with the express or implied consent of the individual concerned, unless collection is required by law or it is necessary to prevent a serious threat to the life or health of any person.
Information Privacy Policy
The Hospital will provide on request its Information Privacy Policy, which outlines what personal information is held by the Hospital, and how it is used, stored, accessed or corrected. A copy of the policy is available here.
Use and disclosure of information
The Hospital may use or disclose an individual’s health information where use or disclosure is:
- for the primary purpose for which it was collected (eg provision of medical care and treatment; health fund claims)
- for a directly-related secondary purpose that would have been within the reasonable expectations of the patient at the time (eg quality improvement activities)
- with the consent of the individual
- required or authorised by law
- necessary to prevent serious and imminent threat to an individual or to public health.
Access to and correction of information
Patients have the right to access health information held about them, unless:
- It would pose a serious threat to the life or health of any individual
- It would have an unreasonable impact on the privacy of others
- The request for access is frivolous or vexatious
- Denying access is required or authorised by law
Access requests or related queries should be directed to the Executive Director of Nursing.
Storage and maintenance of information
The Hospital must take reasonable steps to:
- Ensure that the health information it collects, uses or discloses is relevant, accurate, complete and up-to-date
- Protect the health information it holds from misuse and loss, and from unauthorised access, modification or disclosure
- Destroy or permanently de-identify health information when it is no longer needed or required to be kept
Other issues
Identifiers
The hospital must not adopt Commonwealth identifiers, such as Medicare or DVA numbers, for its own identification systems (eg hospital medical record number).
Transfer outside of Australia
The hospital does not generally transfer a person’s health information overseas. Special arrangements would be necessary to enable this to happen with consent.
Enquiries and complaints
Enquiries and complaints should in the first instance be directed to the Executive Director of Nursing or the Chief Executive Officer.
If unresolved, you can contact the Office of the Australian Information Commissioner can be contacted on Tel: 1300 363 992. If calling from outside Australia call: + 61 2 9284 9749.
If you are deaf, or have a hearing or speech impairment, contact is through the National Relay Service:
- Teletypewriter (TTY) users phone 133 677 then ask for 1300 363 992.
- Speak and Listen users phone 1300 555 727 then ask for 1300 363 992.
- Internet relay users connect to the National Relay Service then ask for 1300 363 992.
If you do not speak English, or English is your second language, and you need assistance to communicate, call the Translating and Interpreting Service on 131 450 then ask for 1300 363 992.
Email enquiries@oaic.gov.auPatient Request to Access Clinical Records
Web Site Privacy
Our website may have links to other websites from time to time. Once you go to another site you are subject to the privacy policy of the new site.