ALRC Discussion Paper Summary

  Summary of ‘Health Services and Research', Part ‘H' of ALRC Discussion Paper #72, pp. 1557-1712

Section 56 Regulatory Framework for health information - 5 proposals to include:

  • delegating health privacy complaints to state/territory levels
  • health information should be handled by the general privacy act with specific health ‘regulations' where applicable
  • a set of unified ‘privacy principles' as they relate to health information to be published
  • ‘Guidelines' to be developed by Privacy Commissioner in consultation with DoHA, etc.
  • Unique Health Identifiers and Shared EHRs to be established under specific legislation  

Section 57 Privacy act and health information - 10 proposals:

  • define ‘health' to clarify interpretations between physical, mental or psychological, etc.
  • amend act to define ‘health service'
  • to cover when health service providers are permitted to access third party information without consumer's consent
  • move the current Privacy Principle on ‘health info disclosure' to the health regulations
  • as above for ‘genetic' information and applied to both agencies and organizations
  • how a nominated medical practitioner can access information that has been denied to a consumer on the grounds of being a serious threat to their life
  • how consumers must be informed about the transfer of information following the termination of a provider (i.e. provider dies, business sold/amalgamated, etc.) 
  • regulations should state that consumers can request transfer of health information to another provider although original provider may just give a summary
  • the proposed rules in the regulations regarding ‘non-consented' information for the purpose of funding, planning and quality management, etc.
  • empower the Privacy Commissioner with regard to the above proposal.

Question - Should the regulations allow health information collection without consent when a consumer would consider it reasonable?

Section 58 Research - 13 proposals:

  • current 95 and 95A guidelines on ‘Collection' and ‘Use and Disclosure' be replaced with a unified set of rules
  • act should extend existing arrangements regarding research exception of ‘non-consent' with medical/health research to cover ‘human research' in general
  • ‘research' to be defined as any activity subject to review by a Human Research Ethics Committee (HREC) as per the National Statement on Ethical Conduct in Human Research
  • HRECs to determine the public interest issue versus privacy concerns
  • Privacy Commissioner to ensure rules are compatible with National Ethics Statement
  • National Statement to be amended to ensure HRECs are consulted on any ‘exceptions'
  • ensure new ‘exception' rules don't add to administrative burden with HREC applications
  • the research ‘exception' in proposed ‘Collection' principle, defining the specific conditions where organizations can collect sensitive information
  • as above in the proposed ‘Use and Disclosure' principle, defining the specific conditions that permit organizations to use or disclose personal information
  • Privacy Commissioner guidelines on the meaning of ‘not reasonably identifiable'
  • research exception rules to guide HRECs on establishing and using research databases
  • as above to include who should be able to participate and public interest issue
  • developers of systems that link personal information for research need to consult Privacy Commissioner 

 

  • 56-1 The Privacy Commissioner should consider delegating the power to handle complaints under the Privacy Act in relation to interferences with health information privacy by organisations to state and territory health complaint agencies.
  • 56-2 Health information should continue to be regulated under the general provisions of the Privacy Act and the proposed Unified Privacy Principles (UPPs). Amendments to the proposed UPPs that relate specifically to the handling of health information should be promulgated in regulations under the Privacy Act: the Privacy (Health Information) Regulations.
  • 56-3 The Office of the Privacy Commissioner should publish a document bringing together the proposed UPPs and the amendments set out in the Privacy (Health Information) Regulations. This document will contain a complete set of the proposed UPPs as they relate to health information.
  • 56-4 The Office of the Privacy Commissioner, in consultation with the Australian Government Department of Health and Ageing and other relevant stakeholders, should develop guidelines on the handling of health information under the Privacy Act and the Privacy (Health Information) Regulations.
  • 56-5 The national Unique Healthcare Identifiers (UHIs) scheme and the national Shared Electronic Health Records (SEHR) scheme should be established under specific enabling legislation. The legislation should address information privacy issues, such as:

(a) the nomination of an agency or organisation with clear responsibility for managing the respective systems, including the personal information contained in the systems;

(b) the eligibility criteria, rights and requirements for participation in the UHI scheme and the SEHR scheme by health consumers and health service providers, including consent requirements;

(c) permitted and prohibited uses and linkages of the personal information held in the systems;

(d) permitted and prohibited uses of UHIs and sanctions in relation to misuse; and

(e) safeguards in relation to the use of UHIs; for example, that it is not necessary to use a UHI in order to access health services.

57-1 The definition of ‘health information' in the Privacy Act should be amended to make express reference to information or an opinion about the physical, mental or psychological health or disability of an individual.


 

57-2 The Privacy Act should be amended to define a ‘health service' as:

(a) an activity performed in relation to an individual that is intended or claimed (expressly or otherwise) by the individual or the service provider to:

(i) assess, record, maintain or improve the individual's health;

(ii) diagnose the individual's illness, injury or disability; or

(iii) treat the individual's illness, injury or disability or suspected illness, injury or disability; or

(b) a disability service, palliative care service or aged care service; or

(c) the dispensing on prescription of a drug or medicinal preparation by a pharmacist.

 

57-3 The Privacy (Health Information) Regulations should provide that a health service provider may collect health information from a health consumer, or a person responsible for the health consumer, about third parties without consent when:

(a) the collection of the third party's information into a health consumer's social, family or medical history is necessary to enable health service providers to provide a health service directly to the consumer; and

(b) the third party's information is relevant to the family, social or medical history of that consumer.

  • 57-4 The provisions of National Privacy Principle 2 dealing with the disclosure of health information in the health services context to a person responsible for an individual should be moved to the Privacy (Health Information) Regulations. The proposed regulation should:

(a) be expressed to apply to both agencies and organisations;

(b) provide that an agency or organisation that provides a health service to an individual may disclose health information about the individual to a person who is responsible for the individual if the individual is ‘incapable of giving consent' to the disclosure and all the other circumstances currently set out in NPP 2.4 are met;

(c) include a definition of a person ‘responsible' for an individual amended to incorporate the term ‘authorised representative'; and

(d) refer to ‘de facto partner' rather than ‘de facto spouse'.

  • 57-5 National Privacy Principle 2.1(ea) on the use and disclosure of genetic information should be moved to the Privacy (Health Information) Regulations and amended to apply to both agencies and organisations. Any use or disclosure under the proposed regulation should be in accordance with binding rules issued by the Privacy Commissioner.

 

57-6 The Privacy (Health Information) Regulations should provide that, if an organisation denies an individual access to his or her own health information on the ground that providing access would be reasonably likely to pose a serious threat to the life or health of any individual, the:

(a) organisation must advise the individual that he or she may nominate a registered medical practitioner to be given access to the health information;

(b) individual may nominate a registered medical practitioner and request that the organisation provide access to the information to the nominated medical practitioner;

(c) organisation must provide access to the health information to the nominated medical practitioner; and

(d) nominated medical practitioner may assess the grounds for denying access to the health information and may provide the individual with sufficient access to the information to meet the individual's needs if he or she is satisfied that to do so would not be likely to pose a serious threat to the life or health of any individual.

 

57-7 The Privacy (Health Information) Regulations should provide that where a health service practice or business is sold, amalgamated or closed down and a health service provider will not be providing health services in the new practice or business, or the provider dies, the provider, or the legal representative of the provider, must take all reasonable and appropriate steps to:

(a) make individual users of the health service aware of the sale, amalgamation or closure of the health service or the death of the health service provider; and

(b) inform them about proposed arrangements for the transfer or storage of individuals' health information.

 

57-8 The Privacy (Health Information) Regulations should provide that if an individual:

(a) requests that a health service provider, or the health service provider's legal representative, make the individual's health information available to another health service provider; or

(b) authorises a health service provider to request that another health service provider transfers the individual's health information to the requesting health service provider,

the health service provider must transfer the individual's health information as requested. The health information may be provided in summary form.

 

57-9 The Privacy (Health Information) Regulations should make express provision for the collection, use and disclosure of health information without consent where necessary for the funding, management, planning, monitoring, improvement or evaluation of a health service where:

 

(a) the purpose cannot be achieved by the collection, use or disclosure of information that does not identify the individual;

 

(b) it is impracticable for the agency or organisation to seek the individual's consent before the collection, use or disclosure; and

 

(c) the collection, use or disclosure is conducted in accordance with rules issued by the Privacy Commissioner.

 

57-10 The Privacy Act should be amended to empower the Privacy Commissioner to issue rules in relation to the handling of personal information for the funding, management, planning, monitoring, improvement or evaluation of a health service.

 

  • 58-1 The Privacy Commissioner should issue one set of rules under the proposed exceptions to the ‘Collection' principle and the ‘Use and Disclosure' principle in the Unified Privacy Principles (UPPs) to replace the Guidelines Under Section 95 of the Privacy Act 1988 and the Guidelines Approved Under Section 95A of the Privacy Act 1988.
  • 58-2 The Privacy Act should be amended to extend the existing arrangements relating to the collection, use or disclosure of personal information without consent in the area of health and medical research to cover the collection, use or disclosure of personal information without consent in human research more generally.
  • 58-3 The Privacy Act should be amended to provide that ‘research' is any activity, including the compilation or analysis of statistics, subject to review by a Human Research Ethics Committee under the National Statement on Ethical Conduct in Human Research (2007).
  • 58-4 The research exceptions to the proposed ‘Collection' principle and the proposed ‘Use and Disclosure' principle should provide that before approving an activity that involves the collection, use or disclosure of sensitive information or the use or disclosure of other personal information without consent, Human Research Ethics Committees must be satisfied that the public interest in the activity outweighs the public interest in maintaining the level of privacy protection provided by the proposed UPPs.
  • 58-5 The Privacy Commissioner should consult with relevant stakeholders in developing the rules to be issued under the research exceptions to the proposed ‘Collection' principle and the proposed ‘Use and Disclosure' principle, to ensure that the approaches adopted in the rules and the National Statement on Ethical Conduct in Human Research (2007) are compatible.
  • 58-6 The National Statement on Ethical Conduct in Human Research (2007) should be amended to require that, where a research proposal seeks to rely on the research exceptions in the Privacy Act, it must be reviewed and approved by a Human Research Ethics Committee.
  • 58-7 In developing the rules to be issued in relation to research under the proposed ‘Collection' principle and the proposed ‘Use and Disclosure' principle, the Privacy Commissioner, in consultation with relevant stakeholders, should review the reporting requirements currently imposed on the Australian Health Ethics Committee and Human Research Ethics Committees. Any new reporting mechanism should aim to promote the objects of the Privacy Act, have clear goals and impose the minimum possible administrative burden to achieve those goals.

58-8 The research exception to the proposed ‘Collection' principle should state that, despite subclause 2.6, an agency or organisation may collect sensitive information about an individual where:

(a) the collection is necessary for research;

(b) the purpose cannot be served by the collection of information that does not identify the individual;

(c) it is impracticable for the agency or organisation to seek the individual's consent to the collection;

(d) a Human Research Ethics Committee has reviewed the proposed activity and is satisfied that the public interest in the activity outweighs the public interest in maintaining the level of privacy protection provided by the UPPs; and

(e) the information is collected in accordance with rules issued by the Privacy Commissioner.

 

Where an agency or organisation collects sensitive information about an individual in accordance with this provision, it must take reasonable steps to ensure that the information is not disclosed in a form that would identify the individual or from which the individual would be reasonably identifiable.

 

58-9 The research exception to the proposed ‘Use and Disclosure' principle should state that despite the other provisions of the Use and Disclosure principle, an agency or organisation may use or disclose personal information where:

(a) the use or disclosure is necessary for research;

(b) it is impracticable for the agency or organisation to seek the individual's consent to the use or disclosure;

(c) a Human Research Ethics Committee has reviewed the proposed activity and is satisfied that the public interest in the activity outweighs the public interest in maintaining the level of privacy protection provided by the UPPs;

(d) the information is used or disclosed in accordance with rules issued by the Privacy Commissioner; and

(e) in the case of disclosure, the agency or organisation reasonably believes that the recipient of the personal information will not disclose the personal information in a form that would identify the individual or from which the individual would be reasonably identifiable.

  • 58-10 The Privacy Commissioner should provide guidance on the meaning of ‘not reasonably identifiable'.

58-11 The Privacy Commissioner should address the following matters in the rules to be issued under the research exceptions to the proposed ‘Collection' principle and the proposed ‘Use and Disclosure' principle:

(a) the process by which a Human Research Ethics Committee should review a proposal to establish a health information database or register for research purposes;

(b) the matters a Human Research Ethics Committee should take into account in considering whether the public interest in establishing the health information database or register outweighs the public interest in maintaining the level of privacy protection provided by the UPPs; and

(c) the fact that, where a database or register is established on the basis of Human Research Ethics Committee approval, that approval does not extend to future unspecified uses. Any future proposed use of the database or register for research would require separate review by a Human Research Ethics Committee.

58-12 The Privacy Commissioner should address the following matters in the rules to be issued under the research exceptions to the proposed ‘Collection' principle and the proposed ‘Use and Disclosure' principle:

(a) the process by which a Human Research Ethics Committee should review a proposal to examine a health information database or register to identify potential participants in research; and

(b) the matters a Human Research Ethics Committee should take into account in considering whether the public interest in allowing the examination of the health information database or register outweighs the public interest in maintaining the level of privacy protection provided by the proposed UPPs.

 

58-13 Agencies or organisations developing systems or infrastructure to allow the linkage of personal information for research purposes should consult the Office of the Privacy Commissioner to ensure that the systems or infrastructure they are developing meet the requirements of the Privacy Act.

 
