OAIC releases draft health privacy guidelines
The Office of the Australian Information Commissioner (OAIC), the body responsible for overseeing compliance with federal privacy law, has released a series of draft guidelines (Guidelines) aimed at assisting private health service providers comply with their obligations under the Australian Privacy Principles (APPs) and the Privacy Act 1988 (Cth) (Privacy Act).
Comments on the new health-focused Guidelines, which consist of 11 factsheets examining different parts of the APPs, are due by 20 October 2015.
Application of the APPs to health service providers
The Guidelines are useful in that they disentangle the privacy obligations applicable to health service providers, in what is an area of law characterised by complex and overlapping State and Commonwealth legislation. While the Guidelines do not examine State health privacy legislation in detail, they flag when such legislation is likely to apply and encourage health service providers to seek additional information from State regulators.
Additionally, the Guidelines explain when an organisation is a health service provider and subject to the Privacy Act, and provide examples and compliance tips to assist health service providers.
Transfer of health service business, assets or shares
One area which the factsheets includes is guidance on a health service provider’s privacy obligations where it is acquired by another entity, either through the sale of shares or the sale of assets. This is an area where we are frequently asked to advise and can be unclear for health service providers.
Sale of assets/business
(a) Disclosure to new health provider
A health service provider can disclose patients’ information to an incoming provider (ie, purchaser) where either the consent of the patient is obtained or where disclosure is for the same purpose for which the information was initially collected. Where the outgoing health service provider is satisfied that the incoming provider will maintain essentially the same service and in similar circumstances, it can disclose information on that basis.
The Guidelines include an example of an acquisition of a health service provider in which the doctors that had worked for the old business begin to work for the purchaser. In such a scenario, the new holder of patients’ records is using them for the same purpose for which they were originally disclosed – indeed, the information is probably being used by the very same people to whom it was originally divulged. Disclosure can therefore occur.
Both the outgoing and the incoming health service providers must take reasonable steps to ensure that the information that is transferred is accurate, up to date, complete and relevant.
(b) Collection of personal information by new health provider
Under APP 3.3, a health service provider cannot collect health information about an individual unless:
- the individual has consented; and
- the information collected is reasonably necessary for one or more of the new health provider’s functions or activities.
Further, the incoming provider must take reasonable steps to notify the patients of:
- its identity and contact details;
- the fact that the provider will collect information, and the circumstances of collection;
- whether the collection is required or authorised by law;
- the purpose of collection and the consequences if information is not collected;
- the identity of anyone that the provider usually discloses personal information to;
- whether the information is to be disclosed overseas, and if so where.
This information must be given to patients before or at the time that the incoming provider collects the information, or, if that is not practicable, as soon as possible afterwards.
Entity holding health information stays the same – transfer of shares in health service provider
The Guidelines also explore the privacy obligations arising where there has been a change in control of the entity providing the health service, for example through the transfer of shares. In this scenario there is not considered to have been disclosure of health information.
The privacy obligations arising on a change in control of the entity holding health information depends on whether the information is going to be put to a different use after the transaction. Where the use will not change then patients do not need to be informed of the transfer and their consent is not required. Nevertheless, the Guidelines provide that the giving of information and the seeking of consent is good practice where convenient.
Where health information is used for a different purpose after the change in control then APP 6 applies. Where the use is for a purpose directly related to the purpose for which it was collected, and patients would reasonably expect their information to be handled in such a way, then the use will be allowed in accordance with APP 6.2(a).
The Guidelines include an example of a general practice expanding and establishing a new nutrition wing as part of its services to patients. If a nutritionist seeks a patient’s medical record from the existing database, it is unlikely that he or she will be using it for the purpose for which it was originally collected, given that the provider only recently began dispensing nutrition information. It is also unlikely that the patient would reasonably expect their information to be disclosed to the nutritionist without their consent. As such, APP 6 may require the consent of the patient unless an exception applies.
The Guidelines constitute a welcome aid to navigating the complex privacy obligations applying to health service providers in Australia. They will be published in finalised form following a review of the submissions and feedback due on 20 October 2015.
Daniel Zwi | Graduate Lawyer | +61 2 8248 5825 | firstname.lastname@example.org