The Office of the Australian Information Commissioner (OAIC) has issued a new set of draft resources for the health industry, setting out proposed standards and processes around the handling of health information.
If finalised in their current form, they provide important clarification and updates to the expected standards of information handling practices in the health industry.
The draft resources are designed to replace the existing health privacy guidance in light of the 2014 reforms to the Privacy Act 1988 (Cth), to provide guidance for businesses operating in the health sector, and individuals whose information is processed through that sector.
Specifically, the draft resources set out guidance on:
- organisations that will be ‘health service providers’
- the standards expected in relation to day to day collection, use, storage and disclosure of health information, and
- issues to consider when buying or selling health service provider businesses.
Importantly, the guidance clarifies that the definition of ‘health service providers’ can include ‘traditional’ health service providers like hospitals, but also other businesses whose focus is not on health services, but whose activities involve the collection of health information. Examples include private schools, gyms, weight loss clinics, drug and alcohol services and child care centres. In practical terms, this means that a broader range of businesses should consider these guidelines when handling health information.
There is also new guidance for vendors and purchasers of health service provider businesses. The guidance clearly indicates that, consistent with APP 3, when an entity acquires the business collects of another health service provider that involves the collection of patient health information from the existing health service provider, the acquirer must obtain each individual’s consent to the collection, and only collect information that is reasonably necessary for the ‘postacquisition’ activities. This would mean that rigorous privacy processes would be required in corporate transactions in the sector.
The OAIC will now assess any public comments on the resources, and we await clarification on any consequent changes to the resources and the timetable for implementation of the draft resources.