Australia: Health privacy in Australia – New OAIC guidance will help health providers navigate the legal landscape

Understandably most people are sensitive about protecting their personal health information. For this reason, Australia's privacy laws give heath information a higher level of protection than other types of personal data.

However, the myriad of privacy laws that apply to health information make it challenging for health providers to know and comply with their obligations.

This week's release of new health privacy guidance by the Australian Privacy Commissioner is a welcome move, as is the recent guidance issued by the Australian Medical Association on taking clinical images with personal devices.

WHAT IS 'HEALTH INFORMATION'?

'Health information' is defined in the Privacy Act 1988 (Cth) to mean:

• information or an opinion about an individual's health or disability, an individual's expressed wishes about future health services provided to them, or a health service provided or to be provided to that individual
• other personal information collected to provide or in providing a health service, or in connection with organ donation
• genetic information about an individual in a form that could be predictive of their health.

Examples include medical and dental records, notes of symptoms or diagnosis and treatment provided, records about an individual held by a fitness club or gym, and photos taken of a patient's injury or symptom.

NAVIGATING HEALTH PRIVACY LAWS IS FRAUGHT

This is particularly so for health service providers operating in multiple jurisdictions across Australia.

The Privacy Act protects health information and imposes obligations on all private sector 'health service providers'. If you provide a health service (even if that's not your primary activity) and hold health information, you will be a 'health service provider'.

The Personally Controlled Electronic Health Records Act 2012 (Cth) regulates the collection, use and disclosure of health information included in an individual's e-health record, and the Healthcare Identifiers Act 2010 (Cth) regulates the use and disclosure of health care identifiers used in the e-health record system.

State and Territory government health departments (and other public health networks, districts and services) must comply with their local privacy legislation when handling health information, as well as other types of personal information¹.

Some States even have their own legislation that private sector providers must also comply with². Confusingly, laws vary between States and Territories and there is also significant overlap between the Federal and State/Territory laws.

NEW DRAFT HEALTH PRIVACY GUIDANCE

This week the Office of the Australian Information Commissioner (OAIC) released a new series of draft health privacy resources for health service providers and consumers.

The consultation drafts, released for public comment, follow on from last year's reforms to the Privacy Act, and the publication of the OAIC's Australian Privacy Principles (APP) Guidelines. When finalised, they will replace all existing health privacy guidelines of the OAIC.

The new draft health privacy resources provide much more detailed guidance for health service providers than is currently available in the APPs.

They include information on privacy issues that arise most frequently for the health sector and guides for collecting, handling, using, disclosing and providing access to patients' health information (including for health management and research purposes).

The closing date for comments on the draft resources is 20 October 2015.

AMA GUIDE ON CLINICAL IMAGES AND THE USE OF PERSONAL MOBILE DEVICES

The new wave of medical apps is making it increasingly easy for medical practitioners to take and circulate images of their patients' injuries and symptoms, whether for professional (or other) collaboration with colleagues.

However, mobile health apps raise privacy concerns and potential Therapeutic Goods Administration (TGA) issues. See our recent article Mobile apps that collect health data: Will they be put under the privacy spotlight? for more on this.

Studies³ show that an increasing number of doctors use their personal devices to take and transmit clinical images, and then store the images personally including using offshore cloud email services such as Gmail and Hotmail.

Clinical images – whether a photo, video or audio recording – will generally be 'health information' which is protected under Australian privacy laws. Clinical images are part of a patient's medical record, and the same confidentiality and privacy obligations apply.

Recognising these issues, the Australian Medical Association (AMA) last year released a guide for doctors and medical students in the proper use of personal mobile devices such as smart phones and tablets when taking and transmitting clinical images.

It highlights the legal and ethical issues that medical practitioners must be alert to, when using a personal device to take and store clinical images and sending them to others.

The guide suggests processes for obtaining patients' informed consent before taking clinical images, and for documenting, capturing, storing securely, disclosing, sending, deleting and de-identifying clinical images. The processes align with the requirements of privacy legislation for the handling of health and other personal information.

The guide also highlights that the doctor or medical student's place of work may well have its own policies and contractual requirements relating to clinical images and the use of personal devices.

While "digital health" is empowering people to better manage, track and improve their own health and live longer, and offers enormous benefits and cost savings for providers, it remains a minefield for privacy and data security.

Health service providers must be alert to the privacy implications that attach to their business and operations – the consequences of not complying with privacy laws are significant and expensive!

Footnotes

¹ For example, the Information Privacy Act 2009 (Qld) and Part 7 (Confidentiality) of the Hospital and Health Boards Act 2011 (Qld) in Queensland, the Privacy and Personal Information Protection Act 1998 (NSW) in New South Wales, the Privacy and Data Protection Act 2014 (Vic) in Victoria and the Information Act in the Northern Territory.

² For example, the Health Records Act 2001 (Vic) in Victoria, and the Health Records and Information Privacy Act 2002 (NSW) in New South Wales.

³ For example, see the study published in the open access Journal of Mobile Technology in Medicine.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Most awarded firm and Australian deal of the year Australasian Legal Business Awards	Employer of Choice for Women Equal Opportunity for Women in the Workplace (EOWA)