When Timothy Pilgrim, the Australian Privacy Commissioner, appeared before Parliament’s Senate Estimates in February 2016, he announced a number of priority areas for the Office of the Australian Information Commissioner (OAIC). In light of the trial of the opt-in system with My Health Record (an electronic health record also known as an eHealth record), the OAIC’s focus will include its continued oversight of the eHealth sector.

Discussions around eHealth, the My Health Records Act 2012 (formerly the Personally Controlled Electronic Health Records (PCEHR) Act 2012) (referred to in this article as the My Health Records Act), and the benefits and risks of an eHealth system have been ongoing since the system was first proposed.

Although the My Health Records Act creates a framework protecting against the mishandling of eHealth records, its obligations are separate from, and exist in tandem with, the obligation not to interfere with an individual’s privacy under the Privacy Act 1988 (Privacy Act) and the Australian Privacy Principles (APPs). This article will identify the types of information that may be included in an eHealth record as well as what is personal, sensitive and health information under the Australian Privacy Act and the APPs. It will then briefly examine their impact on both individuals and the service providers in the private sector that collect, use, hold or disclose such information.

What is eHealth?

Generally, eHealth is a term associated with the developing practice by healthcare providers who use electronic means to: provide health services; record health information; and provide access to an individual’s clinical information. As that definition suggests, eHealth can exist in different forms including:

  • Providing remote health and clinical support and monitoring;
  • Patient and practice management such as appointment scheduling and, of course, recording; and
  • Creating a centralised record and providing access to an individual’s information in electronic form, including their medical history, test results (from blood tests to X-ray images to MRI videos) and other related information.

The aim of the Australian eHealth system is to facilitate quick and centralised access to key health information about an individual – whether that information is accessed by the individual who owns it, their authorised representative or their health service provider. However, it remains to be seen what the Australian eHealth system will develop into and how it will ultimately compare with those implemented by governments in other countries. Australia is not the only country undertaking government-supported eHealth projects.

Types of Information Stored in an eHealth Record

An eHealth record will contain a mixture of personal, sensitive, health and, in some circumstances, genetic information. Each is a defined term under the Privacy Act and the APPs, imposing different levels of obligations on the entity that collects, uses or discloses the information.

Personal, sensitive and health information are common terms used throughout the Privacy Act and the APPs. The guidelines published by the OAIC explain these terms, how they are inter-related and the varying levels of privacy protection required depending on the types of information collected.

If you’re not interested in perusing the 13 chapters of the APPs, below we highlight one way to think about these terms and the associated level of obligations:

  • Generally, the category of information with which the Privacy Act and the APPs are concerned is personal information.
  • Personal Information is a term defined broadly to mean information or an opinion about an identified individual or an individual who is reasonably identifiable.
  • Sensitive Information is a subset of personal information. The definition of sensitive information includes, amongst other items, health and genetic information (meaning health and genetic information is also a subset of personal information). Information that is sensitive information receives a greater level of protection.
  • The definition of health information is more extensive and also broad. It includes, amongst other items, information or an opinion that is also personal information about the health or disability of an individual; information collected to provide or in the course of providing a health service; and genetic information.
  • Genetic information is information that can be used to predict the health of an individual or their genetic relative. It also includes any information that is not health information but within the definition of sensitive information.

The different degrees of privacy and protection afforded to an individual over each category of information, and the requirements for compliance, are outside the scope of this article. The key takeaway is that these different degrees of protection and obligation depend on the sensitivity of the information (i.e. the more sensitive it is, the greater the level of care and protection required of the entity using or disclosing such information). It is also important to note that some types of personal information, such as health and genetic information, may be governed by other legislation and regulations (both Commonwealth and State). Examples include, in New South Wales, the Health Records and Information Privacy Act 2002 and, at the Commonwealth level, the Gene Technology Act 2000.

Different Treatment of Personal Information

The Privacy Act and the APPs also distinguish between different acts of handling personal information. These include ‘use’, ‘disclosure’, ‘hold’ and ‘collect’. ‘Use’ is an act separate and distinct from ‘disclosing’ personal information. Although both terms are construed broadly, neither is defined in the Privacy Act. The guidelines issued by the OAIC indicate that these terms go towards the degree of control an entity has over the personal information it handles. ‘Use’ relates to how an entity handles or manages information, or does other such acts to the information within its control. ‘Disclosure’ goes to the act where the entity with that information makes it accessible or otherwise available to other entities and loses some control over how recipients of the disclosure will treat that information.

Other actions considered by the Privacy Act and the APPs are how an entity:

  • ‘Collects’ personal information – going to the act of acquiring, gathering or obtaining personal information; and
  • ‘Holds’ personal information – going to the physical possession and right of control over a record of personal information.

My Health Records Act

The My Health Records Act sets out a privacy framework that gives healthcare providers permission to collect, use and disclose information about a healthcare recipient and contribute to the individual’s My Health Record. 

Currently, it is a voluntary national system giving individuals throughout most parts of Australia the option to register and opt-in to the My Health Record system. Individuals who have a registered Medicare address in Northern Queensland and Nepean Blue Mountains in NSW have a My Health Record automatically created for them by the Department of Health unless they inform the Department otherwise. 

Recent amendments to the My Health Records Act also introduced civil and criminal penalties to protect the sensitive information that a My Health Record can contain. These changes also made enforceable undertakings and injunctions available in both the civil and criminal systems.

Know Your Rights and Obligations

Individuals have rights to their personal information as set out in the Privacy Act and the APPs. This right extends to the information contained within their My Health Records and is also enforced by the My Health Records Act. Before opting into the My Health Records system, or supplying personal information to any organisation, an individual should check such organisation’s privacy policy and understand the details about the use and disclosure to which they are consenting. If unsure, the individual can always choose not to disclose their personal information, or contact the relevant organisation for details.

Organisations providing services that use or disclose personal information, in particular, sensitive information, should be across their obligations under the Privacy Act, the APPs and other related legislation and regulation. While the APPs usually do not apply to small businesses with an annual turnover of $3 million or less, this exception does not apply in some circumstances, including where the business provides a health service or is a contracted service provider for a Commonwealth contract. In such situations, the organisation should have a privacy policy available, as well as an internal policy regarding:

  1. How personal information is used, collected, stored and disclosed;
  2. What mechanisms are in place to protect such personal information and data associated with the personal information;
  3. Policy and procedure in the event of a data breach*; and
  4. Policy and procedure in the event of a privacy complaint or when an individual requires access or correction of their personal information.

Key Takeaways on Electronic Health Records

The obligations under the Privacy Act have far-reaching effects, as the definitions of key terms under the Act and the APPs suggest. Organisations collecting, disclosing, holding or using personal information should understand their obligations under the Privacy Act and ensure they are compliant, particularly if they use or disclose information afforded a higher level of protection such as health and genetic information. Such organisations should also have a Privacy Policy in place to notify individuals from whom they collect personal information, including notice about the kind of information collected and the extent of use and disclosure they are consenting to when supplying personal information. Where possible, organisations should have in place an internal policy to ensure the security of collected personal information.

If you would like to understand your organisation’s obligations under the Privacy Act and the APPs, the impact of the exposure draft to the Notification of Serious Data Breaches Bill or require a Privacy Policy, get in touch with LegalVision’s IT lawyers on 1300 544 755.

***

*We note that at the time of this article, the Australian Government has introduced the exposure draft to the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 which requires government agencies and businesses subject to the Privacy Act to notify the regulator and affected individuals following a “serious data breach”. The Government invited public comment to the Bill and submissions closed on 4 March 2016.

Lisa Lee
