The Office of the Australian Information Commissioner (OAIC) has recently released two new privacy fact sheets concerning health information:

  • Fact sheet 49: Health information and your privacy; and
  • Privacy fact sheet 50: Accessing and correcting your health information.

The fact sheets are intended to provide guidance for consumers of health services about how they should expect their health information to be managed. While the fact sheets provide a handy “snapshot” reference for health service providers, the OAIC has also provided a more detailed business-focussed resource “Handling health information under the Privacy Act: A general overview for health service providers”.

In any case, the new fact sheets provide a useful reminder of the importance of having strong privacy compliance practices in place whenever dealing with health-related information. This is relevant not only to providers of core health services (like doctors, pharmacists, dentists etc.) but also to others who may collect health information (like counsellors, gyms, weight loss clinics, child care services and the like). While the fact sheets themselves are not binding, they do give an insight into the OAIC’s expectations and the approach it may take when enforcing privacy laws dealing with health information.

Fact sheet 49: Health information and your privacy

This fact sheet provides an overview of the types of information that may constitute “health information” under the Privacy Act 1988 (Cth) (Privacy Act), which will extend to cover any personal information collected by a health service provider to provide, or in providing, a health service. This is an expansive definition that may capture not only the specifics about your health, but also information that may not strictly have a direct bearing on your health but may be required by the health service provider to deliver their services (such as your name and address), and may include other types of “sensitive information” such as your ethnicity or sexual preferences.

Fact sheet 49 also provides information about:

  • entities that may be treated as health service providers;
  • when a health service provider can collect your health information;
  • what the provider needs to tell you about your privacy;
  • how the provider can use or disclose your health information; and
  • what other rights you have, such as your right to complain to the health service provider and, failing that, the OAIC, if you are not satisfied with the way in which the health service provider has handled your health information.

The fact sheet deals only with the Federal Privacy Act, and does not cover state and territory privacy laws that govern state and territory public health agencies, which are not subject to the Privacy Act. Generally, the state and territory laws follow similar principles in relation to the management of health information. However, there may be differences in the way that you can request and obtain access to your information from those health services. We discuss this further below.

Privacy fact sheet 50: Accessing and correcting your health information

This fact sheet provides an overview of the way in which individuals can request access to their health information, such as by requesting access to health records in order to view or take copies of them, or to request that their records be transferred to a new provider.

Fact sheet 50 also provides information about:

  • when providers can refuse to grant access to health information;
  • when you can ask for your health information to be corrected;
  • the fact that health service providers can charge fees for access to your information (being the actual cost to the health service provider to provide the information to you); and
  • your right to complain to the health service provider and, failing that, the OAIC, if you are not satisfied with the health service provider’s response to your access request.

As flagged above, the Federal Privacy Act will not apply to state and territory public health service providers, meaning that the relevant state or territory law will apply to requests for access to health records from those providers. Generally, state and territory laws are broadly consistent with the Privacy Act with respect to the way in which agencies must handle health information. However, there can be substantial differences in the way in which these laws deal with information access requests. For example, the New South Wales regime broadly aligns with the Privacy Act, whereas in Victoria an individual must make a request under freedom of information legislation, and in Queensland a combination of administrative orders and freedom of information legislation governs this area.