Tuesday, October 06, 2015

The Office Of The Information Commissioner Updates On Health Information Policy And Seeks Comments.

These two commentaries appeared last week. First we have:

Draft health privacy resources released for consultation

Australia October 1 2015
The Office of the Australian Information Commissioner (OAIC) has released for consultation a series of draft health privacy resources for health service providers and consumers (Resources). The Resources will replace the OAIC’s existing health privacy guidance materials, which were released prior to the 2014 reforms to the Privacy Act 1988 (Cth).
The Resources will supplement the OAIC's Australian Privacy Principle guidelines, providing more detailed guidance on the APPs in the health and research context.
The Resources comprise 11 business resources for health service providers and 2 fact sheets for consumers. They cover a number of topics relevant to the handling of health information by health service providers as follows:
  1. key concepts, such as the meaning of 'health service provider' and 'health information';
  2. collection, such as consent requirements (and exemptions) and how health information should be collected;
  3. use and disclosure, such as examples of directly related secondary purposes for the use and disclosure of health information;
  4. access and correction, such as examples of excess access charges and when access can be refused;
  5. business closure or change of circumstances, such as consent and notice requirements when a health service provider is sold or merged with another; and
  6. when permitted health situations exist for the collection, use or disclosure of personal information, with particular guidance on the following permitted health situations:
    a) management, funding or monitoring of a health service;
    b) research;
    c) serious threat to the life, health or safety of genetic relatives (in relation to genetic information); and
    d) impaired capacity.
The OAIC acknowledges that health service providers' privacy obligations extend beyond the APPs and provides some limited guidance in the Resources as to the interaction between these obligations.  For example, the Resources point out when additional obligations may apply to the private sector under health privacy laws in NSW, Victoria and the ACT. Although much of the interaction is left to the health service provider to investigate further, this guidance is welcomed in an area involving a complex web of legislation.
More here:
Second we have this here:

Health privacy in Australia – new OAIC guidance will help health providers navigate the legal landscape

Australia October 1 2015
Understandably most people are sensitive about protecting their personal health information. For this reason, Australia’s privacy laws give health information a higher level of protection than other types of personal data.
However, the myriad of privacy laws that apply to health information make it challenging for health providers to know and comply with their obligations.  
This week’s release of new health privacy guidance by the Australian Privacy Commissioner is a welcome move, as is the recent guidance issued by the Australian Medical Association on taking clinical images with personal devices.
‘Health information’ is defined in the Privacy Act 1988 (Cth) to mean:
  • information or an opinion about an individual’s health or disability, an individual’s expressed wishes about future health services provided to them, or a health service provided or to be provided to that individual
  • other personal information collected to provide or in providing a health service, or in connection with organ donation
  • genetic information about an individual in a form that could be predictive of their health.
Examples include medical and dental records, notes of symptoms or diagnosis and treatment provided, records about an individual held by a fitness club or gym, and photos taken of a patient’s injury or symptom.
This is particularly so for health service providers operating in multiple jurisdictions across Australia.
The Privacy Act protects health information and imposes obligations on all private sector ‘health service providers’. If you provide a health service (even if that’s not your primary activity) and hold health information, you will be a ‘health service provider’.
The Personally Controlled Electronic Health Records Act 2012 (Cth) regulates the collection, use and disclosure of health information included in an individual’s e-health record, and the Healthcare Identifiers Act 2010 (Cth) regulates the use and disclosure of health care identifiers used in the e-health record system.
State and Territory government health departments (and other public health networks, districts and services) must comply with their local privacy legislation when handling health information, as well as other types of personal information[1].
Some States even have their own legislation that private sector providers must also comply with[2]. Confusingly, laws vary between States and Territories and there is also significant overlap between the Federal and State/Territory laws.
More here:
Here is the key link:
and here are the papers to be reviewed:

List of guidance

Health service provider business resources

Health service consumer fact sheets

The consultation period ends October 20, 2015, so it is time to browse and see if you think the OAIC has made things clear. Remember this is not about changing the laws - it is about making sure the recently revised law is well explained.
Very useful as an educational and awareness-raising activity.
