Health Data and it’s Collection, Use, Protection and Disclosure

They say that ‘an apple a day keeps the doctor away’, but ‘when your apple does fail, a doctor will prevail’.  Okay, maybe people don’t say that last part, but it’s nonetheless true.  Generally, you might take a visit to the doctors for granted (unless you live in a country without universal healthcare), however as commercial lawyers we do sometimes wonder how well our health data and privacy is protected and what our rights are in the event that these are breached.

For health service providers and practice managers, we recommend that you stay up to date with health data protection legislation and guidelines.  This is the case not only for doctors and private hospitals but also extends to pharmacists, dentists, gyms and childcare centres.

Health Data Help

The Office of the Australian Information Commissioners (‘OAIC’) released their Guide to Health Privacy (‘the Guide’) earlier this year.[1]  It sets out a handy explanation for health service providers, including doctors and other health professionals, as to what their obligations under the Privacy Act 1988 (‘the Privacy Act’) are as well as tips to ensure they are able to meet those obligations.  The Guide has been introduced in the wake of high number of both privacy complaints to the OAIC and notifiable data breaches suffered by health service providers.  Since mandatory reporting was introduced in February 2018, the health service provider sector has seen the highest cases of notifiable data breaches.  Often, information that health service providers hold about individuals and families are extremely sensitive and could be misused if it falls into the wrong hands.

The OAIC Guide

The type of information that the Guide covers includes information about an individual’s physical or mental health, notes on their symptoms, diagnosis and any treatments given, physical or biological samples and their results, prescriptions and other pharmaceutical purchases, and any other personal information that identifies the individual (e.g. name, address, date of birth, Medicare and private health provider numbers, gender, race, sexuality or religion) that is collected for the purpose of providing a health service.

The Guide provides an ‘eight-step plan for better privacy practice’, which includes developing and implementing a privacy management plan and a method of accountability for privacy management, creating a privacy policy, implementing a regime of recording and protecting personal information and developing a data breach response plan.  The Guide also recommends holding training sessions for staff in relation to their privacy obligations.

The Guide covers what the privacy obligations under the Privacy Act are in relation to:

  • Collection of an individual’s personal information;
  • Consent of the patient to how the health service provider will be handling their personal information;
  • Disclosure to another health provider or individual, including de-identification of the information;
  • Use and handling of the personal information, including accessing and reading a patient’s medical file, searching patient records, and passing information from part of the organisation to another; and
  • How health service providers can set up a privacy management framework[2] and prepare a data breach response plan.[3]

OAIC Powers

The OAIC has various powers to regulate health service providers and how they collect, store, use and disclose personal information.  The extent to which these powers work does depend on the breach, but includes the ability to:

  1. audit privacy practices of health service providers;
  2. award compensation to individuals who have had their privacy breached by poor privacy practices; and
  3. seek penalties through the Federal Court of up to $2.1 million per privacy breach.

So, enjoy your apples and rest assured that your personal information will be in good hands if health service providers implement these guidelines.

If you’re a health practitioner and need help with drafting or re-drafting your privacy policy or perhaps someone who is concerned about how your health data is being protected, contact our business team for more information about your rights and obligations under the Privacy Act.

Written by Jecinta Neumann

[1] https://www.oaic.gov.au/privacy/guidance-and-advice/guide-to-health-privacy/

[2] https://oaic.gov.au/privacy/guidance-and-advice/privacy-management-framework-enabling-compliance-and-encouraging-good-practice/

[3] https://www.oaic.gov.au/privacy/guidance-and-advice/data-breach-preparation-and-response/part-2-preparing-a-data-breach-response-plan/