Health Records A written law made by parliament. Also called an ‘Act of parliament’, ‘statute’ or legislation. 2001 (Vic)
The Health Records Act 2001 (Vic) (‘HR Act’) commenced operation on 1 July 2002. The HR Act protects the privacy of individuals’ health information held by the public and private sectors in Victoria. It also provides individuals with an enforceable right to access their health information held in the private sector.
The objects of the HRAct are:
- to require responsible handling of health information in the public and private sectors;
- to balance the public interest in protecting the privacy of health information with the public interest in the legitimate use of that information;
- to enhance the ability of individuals to be informed about their healthcare and/or disability services;
- to promote the provision of quality health services, disability services and aged-care services.
Under the HR Act, health information that is collected, held or used by organisations must be handled in accordance with 11 Health Privacy Principles (HPPs). Note that unlike personal information regulated by the PDP Act, health information does not have to be recorded.
The HPPs are Able to be enforced by law. and apply to:
- all personal information collected in providing a health, mental health, disability, aged-care or palliative care Formal delivery of legal documents to a person to tell them there are court proceedings against them which they must defend, or to make sure a witness in a case knows when they have to go to court to give evidence., including:
- information about an individual’s expressed wishes about the future provision of health services
- personal information about an individual collected in connection with the donation or future donation of human tissue
- genetic information that is, or could be, predictive of an individual’s health or that of their descendants;
- all health information held by other organisations subject to the HR Act listed in section 10 (public sector) and section 11 (private sector).
Note that the Family Violence Protection A change made to a legal document or Act of parliament. (Information Sharing) Act 2017 (Vic) made key changes to the HPPs and introduced HR Act exemptions (see ‘Victorian Information Privacy Principles’, above).
The following is a short summary of the HPPs, which are set out in full in schedule 1 of the HR Act:
An organisation can only collect health information if it is necessary for one or more of its functions and the individual consents (unless the organisation is a law enforcement agency), or it is necessary to provide a health service and the individual is incapable of giving To agree to something being done, to approve an action or arrangement. See also informed consent.; for research purposes if in accordance with guidelines approved by the Victorian Health Complaints Commissioner; if it is necessary to prevent a serious and imminent threat to the individual or to the public, or if it is required or authorised by law. HPP 1 also prescribes how the information is to be collected.
HPP2: Use and Providing information to another person or institution as required by a contract or other legal process.
An organisation can use and disclose health information for the primary purpose of collection or a directly related secondary purpose that an individual would reasonably expect. Otherwise, use and disclosure must be by consent, if authorised or required by law, and for other public purposes (e.g. to prevent serious or imminent harm). Disclosure to immediate family is permitted where an individual is incapable of giving consent, has no authorised representative and hasn’t expressed a An order made by the Supreme Court of Victoria or the High Court of Australia prohibiting a body from acting outside its authority. See also jurisdiction; prerogative writ; ultra vires. when not incapable. Organisations are also permitted to disclose health information if the individual is known or believed to be dead, missing or incapable of giving consent and the information is needed to identify the person or immediate family.
HPP3: Data quality
An organisation must take reasonable steps to ensure individuals’ health information is accurate, complete, up-to-date, and relevant to the organisation’s functions.
HPP 4: Data Money or property promised to be handed over as a guarantee for repayment of a loan, or as a guarantee that a defendant will meet their bail conditions. and data retention
An organisation must take reasonable steps to protect the health information it holds from misuse, loss, unauthorised access, modification or disclosure. Health service providers must not delete health information (even when later found to be inaccurate), except in the limited circumstances listed in the HPP. A health service provider that transfers health information to another individual or organisation, and does not keep a copy, must record the name and address of where the information was transferred.
An organisation other than a health service provider must take reasonable steps to permanently de-identify or destroy health information that is no longer needed for any purpose. For public sector organisations, this is subject to the Public Records Act 1973 (Vic).
HPP 5: Openness
An organisation must have a written policy about how it manages health information and how individuals can access their health information. On request, the organisation must take reasonable steps to tell an individual whether it holds health information about them, and if so, the kind of information, what it is needed for, and how the organisation handles the information.
HPP 6: Access and correction
An organisation must provide access to an individual’s health information on request in accordance with the HR Act (pt 5), except where:
- access would pose a serious threat to the health or safety of a person;
- access would have an unreasonable impact on the privacy of others;
- the information is confidential under section 27 of the HR Act.
Note that HPP 6 does not apply to public sector organisations subject to the FoI Act (Vic) (see ‘Exemptions from the Health Records Act and the Health Privacy Principles’, below).
If an individual establishes that health information held by an organisation is not accurate, complete or up-to-date, the organisation must take reasonable steps to correct that information – but cannot delete it unless in accordance with HPP 4.
If the organisation is unwilling to correct the information, it must take reasonable steps to attach a written statement to the information about its inaccuracy.
If the organisation accepts the need to correct the information, there are provisions that guide the organisation on how to address this where there are difficulties in correcting the information.
If an organisation refuses a request to access and correct information, it must provide written reasons for its refusal.
An organisation can only give an individual an identifier if it is reasonably necessary to enable the organisation to carry out its functions efficiently. If a public sector organisation has assigned an identifier, private sector organisations are only allowed to use and disclose the same identifier in limited circumstances.
HPP 8: Anonymity
If lawful and practicable, organisations must give individuals the option of remaining anonymous when engaging with the organisation.
HPP 9: Transborder data flows
An organisation can only transfer health information outside Victoria in limited circumstances, including with the individual’s consent, and where there are safeguards (in the territory to which the information is being transferred) around the privacy of the information that are similar to the HR Act.
HPP 10: Transfer or closure of a health service provider
This HPP applies where a health service provider sells or otherwise transfers the business, or the business closes down. It details how individuals whose health information is held must be informed of both the business’ transfer or closure and how their information A document that sets out what a person wants to happen to their money and other property after they die. be transferred. If individuals request their information to be transferred to them, this is treated as a request for access under Part 5 of the HR Act or HPP 6. If an individual asks for their information to be transferred to another health service provider, then HPP 11 applies.
HPP 11: Making information available to another health service provider
A health service provider must make health information available to another health service provider on request with the authority of the individual who the information is about.
Exemptions from the Health Records Act and the Health Privacy Principles
The following are exempt from needing to comply with the HR Act and the Health Privacy Principles:
- individuals who hold health information in connection with their personal, family or household affairs (s 13);
- courts and tribunals in carrying out their judicial and quasi-judicial functions – this exemption also applies to An independent body that hears legal claims brought by parties and decides between them. Serious cases are heard by a judge and jury, or just a judge. Less-serious cases are heard by a magistrate. registrars and other court/tribunal staff carrying out tasks relating to the judicial and quasi-judicial functions of the court (s 14);
- Royal Commissions, board of inquiries and formal reviews – this exemption only applies when health information is collected in connection with the function of the Royal Commission, board, or review (s 14A);
- publicly available information – this mirrors the exemption under the PDP Act. Note that the exemption does not apply where the organisation knows that the publicly available health information has been obtained in breach of the HR Act (s 15);
- organisations subject to the FoI Act (Vic) are not required to comply with any of the access and correction provisions under Part 5 of the HR Act, nor HPP 5.2 or HPP 6 (s 16);
- news media are exempt from HPP 1, 2 and 9 (i.e. the collection, use, disclosure and transfer of health information) in relation to news activities.
Unless the health information is published, they are not required to comply with Part 5 of the HR Act, nor HPP 5.2 or HPP 6 (s 17). ‘News media’ is defined as organisations whose principal business is news activities. ‘News activities’ include gathering news and preparing articles or programs about news or current affairs that are intended to be, or are actually, published.
Victorian Health Complaints Commissioner
The Victorian Health Complaints Commissioner (‘HC Commissioner’) administers the HR Act and accepts complaints about interference with privacy related to health, including access to health information (see ‘Complaints, rulings and investigations’, below).
The HC Commissioner has the power to issue guidelines in relation to certain parts of HPP 1, 2, 6 and 10, and to approve guidelines prepared by a public sector organisation (or other person or body), and to vary any guidelines. The guidelines can lessen the protections provided by a HPP but only if it is substantially in the public interest to do so. The Governor in Council can disallow guidelines. The HC Commissioner published two Found in a statute of delegated legislation. For example, a statutory authority or body is aperson or organisation that has special powers given by parliament to do work for the public benefit. guidelines in February 2002: one set of guidelines on research (HPP 1.21(iii), 2.2(g)(iii)); and one set of guidelines on the transfer and closure of a practice (HPP 11).
The HC Commissioner has other functions, including auditing records of health information, researching, developing educational programs, and issuing rulings and compliance notices (for the list of the HC Commissioner’s functions, see s 87 HR Act.)
Complaints, rulings and investigations
The HC Commissioner can receive complaints about an act or practice that breaches one of the Health Privacy Principles or breaches the access and correction provisions in Part 5 of the HR Act. The complaint can be about the interference with the privacy of a deceased individual – whether or not the interference occurred before or after death.
The HCCommissioner can also investigate complaints referred by the Victorian A public official appointed to investigate citizens’ complaints against government departments and statutory authorities. A specialised ombudsman resolves consumer complaints in a particular industry, for example the banking ombudsman for the banking industry. See also statutory authority. and the Victorian Information Commissioner. Provision is made in the HRAct (s 47) for complaints to be made on behalf of children, and on behalf of those with a physical or mental disability that makes them incapable of making a complaint.
The HC Commissioner can decline to entertain a complaint on a number of grounds, including:
- the A person who begins a criminal prosecution against another in the Magistrates’ Court, or formally starts an action in a court or tribunal or makes a complaint to a complaint-handling body. In a civil action they could also be referred to as a plaintiff or an applicant. failed to complain to the (1) A defendant in a civil case that has been appealed to a higher court. (2) A person against whom some originating motion has been issued by an applicant. See also appellant. before going to the HC Commissioner;
- the complaint is made more than 12 months after the complainant became aware of the matter being complained of;
- the complaint is being dealt with adequately by another body;
- the complaint is frivolous, Causing trouble without good legal reason. A vexatious litigant repeatedly starts court cases that have no chance of succeeding. Vexatious litigation is a court action that is unnecessary or undertaken only to cause trouble, embarrassment or inconvenience for the other party. or lacking in substance (for full list, see s 51 HR Act).
The HC Commissioner can refer a complaint to the Victorian Information Commissioner, the Australian Information Commissioner, or the Victorian Disability Services Commissioner. If the complaint is about a registered health practitioner, the HC Commissioner can refer any part of the complaint to the appropriate registration board (if the board has the power to deal with the matter).
If the complaint is accepted, the HC Commissioner can attempt to conciliate the complaint, or make a ruling, or (if neither are appropriate) decide to not entertain the complaint any further. If the HC Commissioner declines to entertain a complaint, or A form of alternative dispute resolution. The parties negotiate with the help of an independent person called a conciliator. The aim is to sort out the dispute by mutual agreement, rather than having a decision made by a court or tribunal. See also arbitration; mediation; negotiation. or a ruling are not appropriate, or conciliation is attempted and fails, the complainant can require the HC Commissioner to refer the complaint to VCAT.
The HC Commissioner can investigate a complaint that has not been declined or conciliated and make a ruling about whether the complainant’s privacy has been breached.
The HC Commissioner must give a written notice of the ruling to the complainant and respondent. The notice must include reasons for the ruling, specify any action, and state the date (not exceeding a month) in which the complaint must be remedied. The respondent has to report back within a specified time and failure to do so attracts a penalty. The complainant and respondent both have rights to have the complaint referred to VCAT following a ruling by the HC Commissioner.
The HC Commissioner also has the power to investigate and serve a compliance notice (whether or not a complaint has been made) if there has been a serious or flagrant contravention of the HR Act.
A notice can also be served if the same type of contravention (whether or not serious or flagrant) has occurred five times or more in the last two years.
In conducting an investigation, the HC Commissioner has enforceable powers to obtain information and documents and take Material presented to a court to prove or disprove a fact. It can include what witnesses say as well as documents and other objects. under A person’s promise when they swear to tell the truth in court, or when signing an affidavit. A person taking an oath places one hand on the Bible or other holy book to demonstrate how seriously they take their promise. See also affirmation..
Failure to comply with a compliance notice attracts penalties; failure to comply is an A serious crime that is generally heard before a judge and jury in the County Court or the Supreme Court a criminal case. Examples of indictable offences include assault and armed robbery.. A recipient of a compliance notice, or any individual or organisation affected by the notice, can refer the matter to VCAT for review.
Under the The right of any person to access documents held by government agencies, except documents excluded by legislation. Amendment (Office of the Victorian Information Commissioner) Act 2017 (Vic), the Victorian Health Complaints Commissioner can refer complaints to the Victorian Information Commissioner.
On 1 September 2017, the Victorian Freedom of Information Commissioner and the Victorian Commissioner for Privacy and Data Protection merged into a single office, the Victorian Information Commissioner.
Charter of Human Rights and Responsibilities Act 2006 (Vic)
Under the Charter of Human Rights and Responsibilities Act 2006 (Vic) (‘Charter Act’), individuals’ privacy, family, home and correspondence cannot be unlawfully or arbitrarily interfered with (s 13).
The wording of section 13 mirrors that of Article 17 of the United Nations International A formal, written agreement that creates a legal obligation, in a deed or on a certificate of title. For example, a property developer might add a covenant to every block of land in a subdivision to stop anyone building a house there unless it is made of brick. on Civil and Political Rights (1966).
The Charter Act does not provide a new avenue of redress for individuals who believe their privacy has been breached. Rather, it imposes an obligation on all Victorian public sector organisations to act in a way that is compatible with the human rights protected by the Charter Act.
The Victorian Ombudsman can investigate complaints about a public authority’s administrative action that breaches the Charter Act. The Charter Act also allows a complainant to raise a human rights argument along with existing remedies or legal proceedings involving public authorities. There are a number of examples of proceedings before VCAT where a breach of the right to privacy under the Charter Act has been raised.
The Charter Act requires that all Statutory rules made by parliament or by bodies the parliament delegates power to, for example a local council or a registration authority. See delegated legislation; statute., whether enacted before or after the Charter Act, are as far as possible interpreted in a way that is compatible with human rights.
It also provides that all new legislation introduced into the Victorian Parliament must be accompanied by a statement of compatibility with the Charter Act (see Chapter 11.1: Discrimination and human rights).