Hansard debates
HEALTH RECORDS BILL
23 November 2000
Second Reading
THWAITES
Mr THWAITES (Minister for Health) -- I move:
That this bill be now read a second time.
This important bill is a significant step forward in strengthening the rights of
users of health services. It will --
give individuals a legally enforceable right of access to their own
health information which is contained in records held in the private
sector; and
establish health privacy principles that will apply to personal health
information collected, used and held in both the public and private
sectors.
This bill is a companion to the Information Privacy Bill, which the government
introduced into Parliament in autumn 2000. That bill applies to all personal
information other than health information.
Through both of these bills the government has introduced a comprehensive
legislative package to apply across the public sector.
In addition, whereas the government decided to confine the operation of the
Information Privacy Bill to the public sector and funded agencies, it has taken
the view that in the case of health information broader legislation is required.
A key reason for the broader scope of the bill is the need to ensure uniformity
of standards across the public and private sectors. The health industry consists
of a vast array of health service providers, with many different kinds of
organisations, professions and specialities within professions. One patient may
attend a public hospital for treatment of a particular condition, whereas
another may attend a private hospital for the same treatment. Similarly, both
private practitioners and community health centres provide general practitioner
services.
Further, many patients move between the two sectors in relation to the ongoing
treatment of a chronic condition. For example, a cancer patient may receive
treatment at a public hospital, attend a specialist for follow-up monitoring who
may be a private practitioner, and have tests performed by a private pathology
laboratory for tests.
The same information may be held by a number of providers, and in principle
should generally be subject to the same kind of privacy protections.
It is also the view of the government that in the case of health information the
legislative standards must be tailored to health information, and they should
not be capable of variation through codes of practice. In essence, the
modification of general privacy principles has already been undertaken in the
drafting of the health privacy principles contained in this bill. As such,
further modification should not be required.
This broad application of these principles will give consumers certainty about
the manner in which their health information is collected, used, disclosed and
stored.
Health information is arguably the most sensitive category of personal
information that exists about an individual. The government considers that
regulation of the private sector in this particular area is warranted,
especially in light of the failure of the commonwealth government to take action
to adequately protect health information to date.
In sponsoring this bill and the Information Privacy Bill, the government
recognises, and is responding to, community concerns about the threat to privacy
posed by the exponentially increasing capacity of modern technology. While new
technology brings many benefits for individuals and the community as a whole,
the potential exists for technology to be misused, and for people to suffer
discrimination or other kinds of harm as a result.
Nowhere is this more evident than in the case of health information,
particularly in light of the increase in the use of genetic tests to predict the
likelihood of future illness.
While the bill provides strong legal rights of access to, and privacy of, health
information, such rights of access and privacy are not, and cannot be, absolute.
These rights must be balanced against other important public policy
considerations. The bill endeavours to strike an appropriate balance between the
desire of consumers for privacy on one hand, and the need to safeguard the
health and safety of individuals and the public, and promote safe and effective
health service delivery, on the other.
For instance, in circumstances where providing a person with unfettered access
to his or her health records would pose a serious threat to his or her life or
health, or the life or health of another person, or where granting access to
certain information would have an unreasonable impact on the privacy of another
person, the bill permits access to be denied in order to protect the person at
risk.
Although the consent of an individual to whom information relates is generally
the basis on which the bill enables health information to be collected, used and
disclosed to another organisation, the bill also recognises that there are
situations in which it is not practicable to obtain specific consent in each
case.
I will now provide a general overview of the bill.
Scope of the bill
The bill applies to health information held by organisations in Victoria. It
covers:
all personal information collected to provide a health service by a
health service provider, be they a public or private sector
organisation; and
all health information held by other organisations, both public and
private.
The bill applies to health information, which is a subset of personal
information. Personal information is information about an individual whose
identity is apparent or can reasonably be ascertained from that information.
The bill applies to a number of different kinds of personal information relating
to health.
It applies to traditional medical records including information about a person's
physical, mental and psychological health. It also extends to information about
donation of body parts, and genetic information that is in a form that is, or
could be, predictive of the health of an individual or their descendants.
The bill refers to the holder or collector of health information as an
'organisation'. This includes natural persons as well as incorporated and
unincorporated bodies. Most of the obligations in the bill apply to an
organisation, regardless of whether or not that organisation is a health service
provider.
However, where appropriate the bill includes additional standards in relation to
health service providers. For example, the bill applies to all personal
information collected about an individual by a health service provider in the
course of providing a health service.
The term 'health service' is broadly defined and includes activities claimed to
assess, maintain or improve the individual's health. It also includes diagnosis
or treatment of illness, injury or disability, the provision of disability, aged
care or palliative care services, and the dispensing of prescriptions.
Examples of non-health service providers include health insurers with insured
persons' records, employers with health information of their employees, schools
with vaccination records and fitness gymnasiums with health charts about their
customers.
Health privacy principles
Under the bill, health information that is collected, held or used by
organisations must be handled in accordance with the health privacy principles
in schedule 1.
The principles cover many different aspects of information handling. They are
binding and a contravention of the principles is 'an interference with the
privacy of an individual'.
Principle 1 sets out the framework for collection of health information. It
requires collection to be an accountable and transparent process. Organisations
are generally required to obtain the individual's consent for collection or to
be covered by one of the public interest grounds that permit collection.
Principle 2 regulates the use and disclosure of health information. In general,
use or disclosure is permitted for the purpose for which the health information
was collected or, otherwise, with the consent of the person to whom it relates.
Secondary use or disclosure is also permitted in cases where there is a strong
public interest in doing so (for instance, where there is a serious threat to
life or health, where disclosure is required by law, or for the purposes of
research which is in the public interest and complies with guidelines developed
by the Health Services Commissioner).
Principle 3 is about ensuring data quality. It requires health information to be
accurate, complete, up to date and relevant to the functions of the organisation
that holds the information.
Principle 4 sets out general requirements to ensure appropriate security and
retention of data. It generally requires health information held by a health
service provider to be stored for at least seven years subject to any specific
legislation to the contrary. This reflects current good practice.
Principle 5 encourages transparency by requiring organisations to document
clearly their policies on management of health information and to make those
policies available to the public.
Principle 6 provides individuals with a right to access their health information
and to make corrections to it, where necessary. This principle applies to health
information held by the private sector, while the
Freedom of Information Act will continue to apply to health information held by
public sector organisations.
Limited grounds for refusal of access are set out in the bill. If only part of
the health information is covered by a legitimate ground for refusal, the
organisation is required to provide the rest of the health information to the
applicant.
Principle 7 imposes limits on the assignment of identifiers that are intended to
uniquely identify individuals in relation to their health information. It also
restricts the adoption, use or disclosure of identifiers assigned by a public
sector organisation.
Principle 8 preserves, where lawful and practicable, the right of individuals to
remain anonymous in transactions with an organisation.
Principle 9 puts certain limits on the flow of health information outside
Victoria.
Principle 10 regulates what a health service provider must do with its stock of
health records when the practice or business is sold, closed or amalgamated.
Principle 11 provides individuals with a right to have their health information
that is held by one health service provider made available to other providers.
Since the disclosure is from one health service provider to another, the grounds
to refuse access that apply under part 5 and principle 6 do not apply.
Interaction with other legislation
The health privacy principles do not override other legislation.
Existing provisions in other statutes governing the confidentiality, use and
disclosure of health information, as well as those that regulate access to
certain kinds of personal information, have been preserved. Specific statutory
provisions that were designed with particular circumstances in mind will
override the general standards in the Health Records Bill to the extent of any
inconsistency.
The bill also makes consequential amendments to certain provisions of other
legislation to ensure that those statutes will operate consistently with the
bill, and to clarify that certain disclosures of information will not constitute
an offence.
For instance, section 141 of the Health Services Act and section 120A of the
Mental Health Act make it an offence for certain health service providers to
disclose information that could identify a patient except where this is
specifically permitted by one or more of the exceptions specified in those
sections. Those provisions currently enable health information to be used for
the purposes of research where this is permitted by an institutional ethics
committee and does not conflict with any prescribed requirements.
In contrast, the bill only enables research to be carried out where more
detailed criteria are met, including compliance with guidelines for research
issued or approved by the Health Services Commissioner. The bill therefore makes
a consequential amendment to sections 141 and 120A in order to ensure that these
additional standards in the health privacy principles relating to research also
apply under these provisions.
The bill also amends section 141 of the Health Services Act to ensure that it is
not an offence for public hospitals to share information through an electronic
system for the purposes of the treatment of a patient, whenever that patient
presents for treatment. A similar amendment is made to section 120A of the
Mental Health Act in relation to the sharing of information between approved
mental health services. These amendments also authorise the making of
regulations that could impose conditions and additional requirements regarding
the way in which this may occur. This will assist the legislation to keep pace
with developments in technology, and will allow additional controls to be
introduced as appropriate.
The Freedom of Information Act will continue to regulate individuals' access to
their own health information where it is held by public sector agencies such as
public hospitals and government departments.
However, the draft bill contains amendments to that act that have the effect of
enhancing the right of access available under that act. These additions are
modelled on key elements of the right of access in relation to private sector
organisations under the bill.
For instance, under the Freedom of Information Act an individual currently has a
right to receive a copy of their health information or to view their file. The
bill will amend that act to also enable an individual to request an explanation
of his or her health record from a health service provider, in addition to the
rights that currently exist.
The bill will also amend the Freedom of Information Act to provide that, where
there is a concern that access to certain health information poses a serious
threat to the life or health of the applicant, the relevant procedure in
division 3 of part 5 of the bill applies.
An individual may seek a second opinion about the merits of that decision from a
registered health service provider of their own nomination.
The internal review mechanisms and the VCAT appeal rights under the Freedom of
Information Act continue to apply. The bill adds to these by providing that
where an applicant wishes to challenge a decision to refuse access to health
information under the Freedom of Information Act, that person may in some
circumstances elect to seek conciliation by the Health Services Commissioner
instead of seeking internal review by the public sector agency. If conciliation
is successful, the agreement can be enforced as provided for in the Health
Records Bill. If conciliation fails, then the complainant may apply to the VCAT
under the Freedom of Information Act.
In this way the bill preserves the application of the Freedom of Information
Act, but also supplements the rights under that act by incorporating into it a
number of the elements of the Health Records Bill. This enables a greater level
of uniformity to be achieved in relation to the access rights across the public
and private sectors.
The bill is also designed to operate concurrently with any relevant commonwealth
laws.
Right of access to information
By giving individuals an enforceable right of access to their own health
information held in the private sector, the bill will enhance the ability of
consumers to make informed health care decisions. It will also enable
individuals to check the accuracy of health information held about them if they
wish, and ensure that their current treating practitioner has their complete
medical history. This will assist health practitioners to provide safe and
effective treatment and care.
The right of access of individuals to their health information applies to all
such information collected after the commencement of the bill.
A more limited right of access also applies to certain health information that
is collected prior to the commencement of the bill, including:
the individual's health or disability history;
the results of an examination or investigation;
a diagnosis or speculative diagnosis;
a plan or proposed plan of management;
services provided or action taken;
genetic information that is or could be predictive of health; or
other personal information about a donation of body parts.
This recognises that, to date, the law has treated health records as
practitioners' own notes, and that existing records were prepared on the
understanding that individuals would not be able to access them as of right.
The bill enables an individual to request health information collected after
commencement in a number of ways. Access can be by way of inspection, the
provision of a copy (or a summary if the individual agrees), or an opportunity
to view the record accompanied by an explanation by the health service provider.
Access may also be granted in one of these forms to information collected prior
to the commencement of the bill where the provider agrees to this. In the
absence of any agreement, the bill entitles the individual to receive an
accurate summary of the information.
The bill requires a request for access to be refused where information has been
provided in strict confidence or where it poses a serious threat to the life or
health of the applicant or any other person. There are several other grounds for
legitimate refusal of an access request set out in principle 6.
An organisation is not able to refuse access on the grounds that another person
or organisation has copyright in the health information. The bill operates to
make it an implied term of a contract to provide health services that an
individual may have access in accordance with the bill.
Fees
The bill permits organisations to charge a fee for providing access, so they may
recover costs associated with complying with a request for access such as
photocopying.
The fee charged must not exceed the maximum fee, which will be prescribed in
regulations. The regulations will also set out the kind of charges that may be
imposed. A health service provider who explains a health record to the
individual in a special consultation will be able to charge their usual fee for
a consultation of comparable duration.
Exemptions
Division 3 of part 2 sets out the general exemptions from the bill. As media
freedom is widely recognised as an important aspect of democratic societies, an
exemption has been provided for 'news activities' as defined in clause 3. The
exemption is confined to genuine 'news activities' where these are conducted by
organisations whose dominant function is disseminating news.
In recognition of the importance of judicial independence, the judiciary and
quasi-judicial bodies are also exempt when exercising their judicial or
quasi-judicial powers. However, the employee records of court and tribunal staff
will come within the scope of the bill.
An exemption also applies so that family discussions and records that are
genuinely private, family matters can continue without the risk that they would
be in breach of the bill.
The bill does not provide an exemption for employee records held by employers,
or health information disseminated between related corporate entities or for
political parties, members of Parliament or their contractors. Given the
particular sensitivity of health information, such exemptions are not considered
to be appropriate.
Enforcement
The Health Services Commissioner will have principal responsibility for
monitoring compliance with the Health Records Bill and for resolving complaints
about interferences with privacy.
The commissioner's functions and powers for dispute resolution are modelled on
those that currently exist under the Health Services (Conciliation and Review)
Act 1987, and on the comparable powers of the Victorian Privacy Commissioner
under the Information Privacy Bill 2000.
The Health Services Commissioner may conciliate a complaint under the bill. The
commissioner can also investigate a complaint, and if appropriate, may make a
ruling. A ruling would be appropriate if the commissioner finds that there has
been interference with privacy.
In such a case, the commissioner can recommend the course of action that should
be taken by the organisation to remedy the breach. A ruling is not binding,
although the organisation must inform the commissioner as to whether it intends
to comply with the ruling.
If the complaint is not resolved to the complainant's satisfaction, he or she
will be able to seek a binding decision from the Victorian Civil and
Administrative Tribunal (VCAT). VCAT will be able to make a variety of orders to
rectify or remedy an interference with privacy. Organisations may also appeal to
VCAT against rulings and compliance notices imposed by the commissioner.
Other enforcement mechanisms include criminal penalties for serious breaches of
the Act.
Like the Victorian Privacy Commissioner, the Health Services Commissioner will
be able to serve a compliance notice on an organisation that has performed an
act or practice that is a serious or flagrant contravention of the act, or is a
breach which is of a kind that has been done or engaged in by the organisation
on at least five separate occasions within the previous two years. A failure to
comply with a compliance notice is an indictable offence. A respondent can apply
to VCAT to have the decision to serve the notice reviewed.
A key aim of the legislation is to ensure that complaints are resolved
informally, wherever practicable. The alternative dispute resolution mechanisms
set out in the bill are designed to minimise the risk of escalation of disputes,
for example, by encouraging conciliation. However, the VCAT appeals procedure
and the compliance notice process are available to address situations where
these mechanisms are not adequate.
The commissioner will also have the function of issuing or approving binding
guidelines as required under the health privacy principles, and will have an
important role in educating the community about the operation of the
legislation.
Section 85 statement
Clause 99 of the bill states that it is the intention of clause 8 to alter or
vary section 85 of the Constitution Act 1975.
I therefore wish to make a statement pursuant to section 85 of the Constitution
Act 1975 of the reasons why that section is to be altered or varied by the bill.
Clause 8 provides that the bill does not give rise to any civil cause of action
or create any legal right enforceable in a court or tribunal other than as
specifically provided in the bill. Similarly, nothing in the bill is to be
construed as giving rise to criminal liability except to the extent expressly
provided for.
The bill is intended to create specific rights and obligations in relation to
the privacy of health information, which can be enforced through the dispute
resolution mechanisms set out in the bill, including through conciliation,
investigation and rulings by the Health Services Commissioner and review by the
Victorian Civil and Administrative Tribunal.
The bill is not intended to give rise to broader rights and obligations outside
those expressly provided in the bill. It is not intended to create any other
legal means of enforcing those rights.
The reason for the alteration or variation to section 85 of the Constitution Act
1975 is
to ensure that the scope of the bill meets these expectations.
Conclusion
A draft of the Health Records Bill was released for public consultation earlier
this year, to give consumers, organisations and other interested persons an
opportunity to comment on the proposals. I would like to take this opportunity
to thank all of those who contributed by making submissions on the bill.
The feedback received as part of the community consultation process has
confirmed the need for the legislation, and has assisted in refining the
operation of the provisions contained in the bill.
The access rights and principles in the bill are designed to protect privacy and
promote patient autonomy, whilst also ensuring safe and effective service
delivery, and the continued improvement of health services.
I commend the bill to the house.
Debate adjourned on motion of Mr DOYLE (Malvern).
Debate adjourned until Thursday, 7 December.