The immediate background to this paper was the release in December 2001 of an
Exposure Draft of a Health Records and Information Privacy Bill [the Draft
Health Records Bill]. This was followed on 26 February 2002 by an
announcement, in the Governor's Speech, foreshadowing the introduction of
legislation to 'protect the privacy of electronic health records'. The issues
involved in the proposed legislation are encapsulated in the three 'purposes'
of the Draft Health Records Bill: (a) protecting the privacy of an individual's
health information that is held in the public and private sectors; (b) enabling
individuals to gain access to their health information; and (c) providing an
accessible framework for the resolution of complaints regarding the handling of
health information. The main findings of this paper are as follows:
- As in other privacy information areas, these issues belong to
the larger picture of technological innovation which facilitates the sharing
and accessing of data. In the specific context of health information, these
developments include Telemedicine and health smart card proposals which may
result in information being stored and collected in new ways (p 1).
- A particular concern is the development of a linked Electronic
Health Record (EHR), as proposed in the March 2000 Report of the NSW Health
Council titled, A Better Health System for NSW. Responding to this
recommendation, the NSW Health Minister appointed an Advisory Committee to
address privacy issues in relation to health information (p 1).
- The Advisory Committee's report titled, Panacea or Placebo?
Linked Electronic Health Records and Improvements in Health Outcomes, was
released on 2 February 2001. Among other things, it recommended that a 'system
of linked electronic health records across the State' be developed and that the
system be governed by a new Act, the Health Records and Information Privacy Act
(p 8).
- Developments at the Commonwealth level include the
establishment of a National Electronic Health Records Taskforce. In September
2001 it was reported that the Taskforce had recommended the development of a
national health information network to be called HealthConnect. The
recommendation was endorsed by the Australian Health Ministers in July 2000 (pp
9-10).
- The Health Ministers have also established a Health Information
Privacy Working Group under the Australian Health Ministers' Advisory Council
(AHMAC). Its task is to develop a nationally integrated privacy framework for
health information. Comprising Commonwealth, State and Territory
representatives, the Working Group is said to be developing a draft National
Health Privacy Code with the aim of delivering consistent privacy arrangements
across the public and private sectors. The draft Code was due to be distributed
for public consultation in January 2002 but, as at 10 April 2002, it is still
to be released (p 10).
- A particular area of concern is genetic information privacy. An
inquiry into genetic testing and information, to be conducted jointly by the
Australian Law Reform Commission and the Australian Health Ethics Committee,
was announced in August 2000. An Issues Paper, published in October 2001, posed
the question, 'Should genetic information be treated as being so unique or more
powerful than other forms of health information that it requires special legal
protection or other exceptional measures?' Under the Draft Health Records Bill
genetic information would be treated as a subset of health information (pp
3-5).
- At present, there is no single, comprehensive piece of health
information privacy legislation in NSW applying to the private and public
sectors. What exists, instead, is a plethora of relevant State and Federal
laws. These include: (a) the Federal Privacy Act 1998, which now applies
to both the Commonwealth public sector and the private sector
generally; (b) the NSW Privacy and Personal Information Protection Act
1998, which applies to NSW public sector agencies; (c) the NSW Freedom
of Information Act 1989 which also applies to State public sector agencies;
(d) such health related regulations as the Private Hospitals Regulation 1996
which provides a patient's right of access to clinical records and for the
secure retention of such records by private sector hospitals; (e) health
related legislation which contains specific provisions on confidentiality; (f)
statutes requiring mandatory reporting, such as section 27 of the Children
and Young Persons (Care and Protection) Act 1998 (NSW); (g) common law
medical confidentiality requirements; and (h) codes and guidelines, such as
the NSW Department of Health's Information Privacy Code of Practice and
the Federal Privacy Commissioner's Guidelines on Privacy in the Private
Health Sector (pp 13-15).
- The extension of the Federal privacy regime to cover the
private sector was achieved by the Privacy Amendment (Private Sector) Act
2000 (Cth), which commenced on 21 December 2001. In its June 2000 report,
the House of Representatives Legal and Constitutional Affairs Committee
commented that the Act's coverage of health information proved a particularly
controversial issue. Of particular concern to the Committee were the exemptions
applying to access to health records in the private sector (pp 18-19).
- In an anomalous position are NSW State owned corporations.
These are not covered under the Privacy and Personal Information Act
1998 (NSW) and would only be covered under the Federal scheme if expressly
prescribed by regulation at the request of the State (p 21).
- The Federal Privacy Commissioner has indicated that the Federal
privacy regime for the private sector is intended to 'cover the field'. Even if
that is not the case, issues of constitutional consistency are raised by the
operation of concurrent State and Federal legislation in this field (pp
19-20).
- The ACT and Victoria have already introduced comprehensive
legislation dealing with health records and information privacy in the private
and public spheres, along the lines proposed under the Draft Health Records Bill
(p 1).
- It is said that the aim of the Draft Health Records Bill is 'to
provide a single State-based scheme for the management of health privacy
obligations, imposing the same set of Privacy Principles on information holders
in both the public and private sector. The Bill will also provide a readily
accessible complaints process and recognise the special issues which arise in
the handling of health information' (p 31).
- Unlike the Federal privacy regime, the Draft Bill would extend
privacy protection to the health information held on employees' records. This
is one area where, it is understood, the Bill may be amended before it is
introduced into Parliament (p 33 and p 46).
- There are sure to be differing perspectives on the Draft Health
Records Bill. From one standpoint, it could be seen as yet another level of
duplication and complexity in a field of law already busy with regulation. From
another, it could be argued that it demonstrates the value of bringing public
and private health sector privacy regulation under a single piece of
legislation (p 45).