In brief

  • The Office of the Australian Information Commissioner (OAIC) has issued a series of draft health industry resources regarding the handling of health information.
  • The draft documents provide guidance regarding the collection, use, storage and disclosure of health information, the types of organisations that will be considered health service providers and a wide range of other matters including guidance for vendors and purchasers of health service provider businesses.

New OAIC privacy guidance for health information

What has been released?

The Office of the Australian Information Commissioner (OAIC), which is the federal agency responsible for regulation of the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), has issued a series of draft health privacy guidance resources for public review and consultation (Health Information Resources).

The Health Information Resources comprise 11 resources for businesses that collect, use, store and disclose health information as well as 2 consumer-facing fact sheets that set out consumers’ rights in respect of the handling of health information by regulated entities.

The OAIC has stated that the draft Health Information Resources are intended to:

  • reflect the recent 2014 reforms to the Privacy Act 1988 (Cth) and the publication of the APP Guidelines,
  • replace the OAIC’s existing health privacy guidance for providers and consumers, and
  • provide information specifically tailored to the health sector covering matters which arise most frequently for health service providers.

New clarification and worked examples

The draft Health Information Resources, which are summarised and available via the hyperlinks below, provide important insights into how the Commissioner will approach issues regarding health information.

Definition of health service providers

The guidance makes clear that ‘health service providers’ may include not just organisations traditionally thought of as health service providers such as hospitals and pathologists but also organisations whose primary activities do not necessarily relate to the provision of traditional health services. The Commissioner lists private schools, gyms, weight loss clinics, drug and alcohol services and child care centres as examples of organisations that will be considered health service providers in certain circumstances.

Access to health information held by health service providers

Organisations are required under APP 12 to provide individuals with access to personal information held about them on request unless an exception applies. The situations in which access to health information may be refused are addressed in the ‘Access to health information held by health service providers’ resource. The guidance provides a number of worked examples to illustrate when refusal of access will be acceptable, for example in relation to threats to the therapeutic relationship and patients with histories of violence or self-harm.

Change of business circumstances or closure of a health service

There is also new guidance for vendors and purchasers of health service provider businesses. The guidance clearly indicates that, pursuant to APP 3.3, when an entity (the ‘new health service provider’) acquires the business of another health service provider and the acquisition involves the collection of patient health information from the existing health service provider, the new health service provider must:

  • obtain each patient’s consent to the collection of the information (regardless of whether or not the new health service provider will use or disclose the information for new purposes), and
  • ensure that all the information it collects from the old health service provider is reasonably necessary for one or more of the new health service provider’s functions or activities.

The guidance states that if an individual does not consent to the new health service provider collecting their health information, it must not collect the information. Critically, the guidance also indicates that, while consent can be express or implied, health service providers should generally seek express consent from patients before handling their health information – due to the greater privacy impact that unauthorised collection could have.

Feedback sought

The OAIC is seeking comments on the draft Health Information Resources from stakeholders. The closing date for public submissions is Tuesday 20 October 2015. Further information about submitting feedback is available here.

The draft Health Information Resources

As noted above, the draft health privacy guidance comprises 11 resources for businesses that collect health information and 2 consumer fact sheets:

Click here to view table.