The Law Handbook 2024
1120 Section 12: Government and the individual

accordance with 11 HPPs. Note that, unlike personal information regulated by the PDP Act, health information does not have to be recorded to be covered. The HPPs are legally binding and apply to:
• all personal information collected in providing a health, mental health, disability, aged-care or palliative care service, including:
– information about an individual’s expressed wishes about the future provision of health services;
– personal information about an individual collected in connection with the donation or future donation of human tissue; and
– genetic information that is, or could be, predictive of an individual’s health or that of their descendants; and
• all health information held by other organisations subject to the HR Act listed in section 10 (public sector) and section 11 (private sector).

Note that the Family Violence Protection Amendment (Information Sharing) Act 2017 (Vic) made key changes to the HPPs and introduced HR Act exemptions.

The following is a short summary of the HPPs, which are set out in full in schedule 1 of the HR Act:

• HPP 1: Collection
An organisation can only collect health information:
– if it is necessary for one or more of its functions and the individual consents (unless the organisation is a law enforcement agency);
– if it is necessary to provide a health service and the individual is incapable of giving consent;
– for research purposes, if in accordance with guidelines approved by the Victorian Health Complaints Commissioner;
– if it is necessary to prevent a serious and imminent threat to the individual or the public; or
– if it is required or authorised by law.
HPP 1 also prescribes how the information is to be collected.

• HPP 2: Use and disclosure
An organisation can use and disclose health information for the primary purpose of collection, or for a directly related secondary purpose that the individual would reasonably expect. Otherwise, use and disclosure must be with consent, authorised or required by law, or for other public purposes (e.g. to prevent serious or imminent harm). Disclosure to immediate family is permitted where an individual is incapable of giving consent, has no authorised representative, and has not expressed a prohibition at a time when they were not incapable. Organisations are also permitted to disclose health information if the individual is known or believed to be dead, missing or incapable of giving consent and the information is needed to identify the person or their immediate family.

• HPP 3: Data quality
Organisations must take reasonable steps to ensure that the health information they hold is accurate, complete, up-to-date and relevant to the organisation’s functions.

• HPP 4: Data security and data retention
An organisation must take reasonable steps to protect the health information it holds from misuse, loss, and unauthorised access, modification or disclosure. Health service providers must not delete health information (even when it is later found to be inaccurate), except in the limited circumstances listed in the HPP. A health service provider that transfers health information to another individual or organisation, and does not keep a copy, must record the name and address of the recipient. An organisation other than a health service provider must take reasonable steps to permanently de-identify or destroy health information that is no longer needed for any purpose. For public sector organisations, this is subject to the Public Records Act 1973 (Vic).

• HPP 5: Openness
An organisation must have a written policy about how it manages health information and how individuals can access their health information. On request, the organisation must take reasonable steps to tell an individual whether it holds health information about them and, if so, the kind of information, what it is needed for, and how the organisation handles the information.

• HPP 6: Access and correction
An organisation must provide access to an individual’s health information on request in accordance with the HR Act (pt 5), except where:
– access would pose a serious threat to the health or safety of a person;
– access would have an unreasonable impact on the privacy of others; or