12 March 1991 - Current
HEALTH RECORDS BILL Second reading Mr THWAITES (Minister for Health) -- I move: That this bill be now read a second time. This important bill is a significant step forward in strengthening the rights of users of health services. It will -- give individuals a legally enforceable right of access to their own health information which is contained in records held in the private sector; and establish health privacy principles that will apply to personal health information collected, used and held in both the public and private sectors. This bill is a companion to the Information Privacy bill, which the government introduced into Parliament in autumn 2000. That bill applies to all personal information other than health information. Through both of these bills the government has introduced a comprehensive legislative package to apply across the public sector. In addition, whereas the government decided to confine the operation of the Information Privacy Bill to the public sector and funded agencies, it has taken the view that in the case of health information broader legislation is required. A key reason for the broader scope of the bill is the need to ensure uniformity of standards across the public and private sectors. The health industry consists of a vast array of health service providers, with many different kinds of organisations, professions and specialities within professions. One patient may attend a public hospital for treatment of a particular condition, whereas another may attend a private hospital for the same treatment. Similarly, both private practitioners and community health centres provide general practitioner services. Further, many patients move between the two sectors in relation to the ongoing treatment of a chronic condition. For example, a cancer patient may receive treatment at a public hospital, attend a specialist for follow-up monitoring who may be a private practitioner, and have tests performed by a private pathology laboratory for tests. The same information may be held by a number of providers, and in principle should generally be subject to the same kind of privacy protections. It is also the view of the government that in the case of health information the legislative standards must be tailored to health information, and they should not be capable of variation through codes of practice. In essence, the modification of general privacy principles has already been undertaken in the drafting of the health privacy principles contained in this bill. As such, further modification should not be required. This broad application of these principles will give consumers certainty about the manner in which their health information is collected, used, disclosed and stored. Health information is arguably the most sensitive category of personal information that exists about an individual. The government considers that regulation of the private sector in this particular area is warranted, especially in light of the failure of the commonwealth government to take action to adequately protect health information to date. In sponsoring this bill and the Information Privacy Bill, the government recognises, and is responding to, community concerns about the threat to privacy posed by the exponentially increasing capacity of modern technology. While new technology brings many benefits for individuals and the community as a whole, the potential exists for technology to be misused, and for people to suffer discrimination or other kinds of harm as a result. Nowhere is this more evident than in the case of health information, particularly in light of the increase in the use of genetic tests to predict the likelihood of future illness. While the bill provides strong legal rights of access to, and privacy of, health information, such rights of access and privacy are not, and cannot be, absolute. These rights must be balanced against other important public policy considerations. The bill endeavours to strike an appropriate balance between the desire of consumers for privacy on one hand, and the need to safeguard the health and safety of individuals and the public, and promote safe and effective health service delivery, on the other. For instance, in circumstances where providing a person with unfettered access to his or her health records would pose a serious threat to his or her life or health, or the life or health of another person, or where granting access to certain information would have an unreasonable impact on the privacy of another person, the bill permits access to be denied in order to protect the person at risk.
Although the consent of an individual to whom information relates is generally the basis on which the bill enables health information to be collected, used and disclosed to another organisation, the bill also recognises that there are situations in which it is not practicable to obtain specific consent in each case. I will now provide a general overview of the bill. Scope of the bill The bill applies to health information held by organisations in Victoria. It covers: all personal information collected to provide a health service by a health service provider, be they a public or private sector organisation; and all health information held by other organisations, both public and private. The bill applies to health information, which is a subset of personal information. Personal information is information about an individual whose identity is apparent or can reasonably be ascertained from that information. The bill applies to a number of different kinds of personal information relating to health. It applies to traditional medical records including information about a person's physical, mental and psychological health. It also extends to information about donation of body parts, and genetic information that is in a form that is, or could be, predictive of the health of an individual or their descendants. The bill refers to the holder or collector of health information as an 'organisation'. This includes natural persons as well as incorporated and unincorporated bodies. Most of the obligations in the bill apply to an organisation, regardless of whether or not that organisation is a health service provider. However, where appropriate the bill includes additional standards in relation to health service providers. For example, the bill applies to all personal information collected about an individual by a health service provider in the course of providing a health service. The term 'health service' is broadly defined and includes activities claimed to assess, maintain or improve the individual's health. It also includes diagnosis or treatment of illness, injury or disability, the provision of disability, aged care or palliative care services, and the dispensing of prescriptions. Examples of non-health service providers include health insurers with insured persons' records, employers with health information of their employees, schools with vaccination records and fitness gymnasiums with health charts about their customers. Health privacy principles Under the bill, health information that is collected, held or used by organisations must be handled in accordance with the health privacy principles in schedule 1. The principles cover many different aspects of information handling. They are binding and a contravention of the principles is 'an interference with the privacy of an individual'. Principle 1 sets out the framework for collection of health information. It requires collection to be an accountable and transparent process. Organisations are generally required to obtain the individual's consent for collection or to be covered by one of the public interest grounds that permit collection. Principle 2 regulates the use and disclosure of health information. In general, use or disclosure is permitted for the purpose for which the health information was collected or, otherwise, with the consent of the person to whom it relates. Secondary use or disclosure is also permitted in cases where there is a strong public interest in doing so (for instance, where there is a serious threat to life or health, where disclosure is required by law, or for the purposes of research which is in the public interest and complies with guidelines developed by the Health Services Commissioner). Principle 3 is about ensuring data quality. It requires health information to be accurate, complete, up to date and relevant to the functions of the organisation that holds the information. Principle 4 sets out general requirements to ensure appropriate security and retention of data. It generally requires health information held by a health service provider to be stored for at least seven years subject to any specific legislation to the contrary. This reflects current good practice. Principle 5 encourages transparency by requiring organisations to document clearly their policies on management of health information and to make those policies available to the public. Principle 6 provides individuals with a right to access their health information and to make corrections to it, where necessary. This principle applies to health information held by the private sector, while the
Freedom of Information Act will continue to apply to health information held by public sector organisations. Limited grounds for refusal of access are set out in the bill. If only part of the health information is covered by a legitimate ground for refusal, the organisation is required to provide the rest of the health information to the applicant. Principle 7 imposes limits on the assignment of identifiers that are intended to uniquely identify individuals in relation to their health information. It also restricts the adoption, use or disclosure of identifiers assigned by a public sector organisation. Principle 8 preserves, where lawful and practicable, the right of individuals to remain anonymous in transactions with an organisation. Principle 9 puts certain limits on the flow of health information outside Victoria. Principle 10 regulates what a health service provider must do with its stock of health records when the practice or business is sold, closed or amalgamated. Principle 11 provides individuals with a right to have their health information that is held by one health service provider made available to other providers. Since the disclosure is from one health service provider to another, the grounds to refuse access that apply under part 5 and principle 6 do not apply. Interaction with other legislation The health privacy principles do not override other legislation. Existing provisions in other statutes governing the confidentiality, use and disclosure of health information, as well as those that regulate access to certain kinds of personal information, have been preserved. Specific statutory provisions that were designed with particular circumstances in mind will override the general standards in the Health Records Bill to the extent of any inconsistency. The bill also makes consequential amendments to certain provisions of other legislation to ensure that those statutes will operate consistently with the bill, and to clarify that certain disclosures of information will not constitute an offence. For instance, section 141 of the Health Services Act and section 120A of the Mental Health Act make it an offence for certain health service providers to disclose information that could identify a patient except where this is specifically permitted by one or more of the exceptions specified in those sections. Those provisions currently enable health information to be used for the purposes of research where this is permitted by an institutional ethics committee and does not conflict with any prescribed requirements. In contrast, the bill only enables research to be carried out where more detailed criteria are met, including compliance with guidelines for research issued or approved by the Health Services Commissioner. The bill therefore makes a consequential amendment to sections 141 and 120A in order to ensure that these additional standards in the health privacy principles relating to research also apply under these provisions. The bill also amends section 141 of the Health Services Act to ensure that it is not an offence for public hospitals to share information through an electronic system for the purposes of the treatment of a patient, whenever that patient presents for treatment. A similar amendment is made to section 120A of the Mental Health Act in relation to the sharing of information between approved mental health services. These amendments also authorise the making of regulations that could impose conditions and additional requirements regarding the way in which this may occur. This will assist the legislation to keep pace with developments in technology, and will allow additional controls to be introduced as appropriate. The Freedom of Information Act will continue to regulate individuals' access to their own health information where it is held by public sector agencies such as public hospitals and government departments. However, the draft bill contains amendments to that act that have the effect of enhancing the right of access available under that act. These additions are modelled on key elements of the right of access in relation to private sector organisations under the bill. For instance, under the Freedom of Information Act an individual currently has a right to receive a copy of their health information or to view their file. The bill will amend that act to also enable an individual to request an explanation of his or her health record from a health service provider, in addition to the rights that currently exist. The bill will also amend the Freedom of Information Act to provide that, where there is a concern that access to certain health information poses a serious threat to the life or health of the applicant, the relevant procedure in division 3 of part 5 of the bill applies. An individual may seek a second opinion about the merits of that decision from a registered health service provider of their own nomination.
The internal review mechanisms and the VCAT appeal rights under the Freedom of Information Act continue to apply. The bill adds to these by providing that where an applicant wishes to challenge a decision to refuse access to health information under the Freedom of Information Act, that person may in some circumstances elect to seek conciliation by the Health Services Commissioner instead of seeking internal review by the public sector agency. If conciliation is successful, the agreement can be enforced as provided for in the Health Records Bill. If conciliation fails, then the complainant may apply to the VCAT under the Freedom of Information Act. In this way the bill preserves the application of the Freedom of Information Act, but also supplements the rights under that act by incorporating into it a number of the elements of the Health Records Bill. This enables a greater level of uniformity to be achieved in relation to the access rights across the public and private sectors. The bill is also designed to operate concurrently with any relevant commonwealth laws. Right of access to information By giving individuals an enforceable right of access to their own health information held in the private sector, the bill will enhance the ability of consumers to make informed health care decisions. It will also enable individuals to check the accuracy of health information held about them if they wish, and ensure that their current treating practitioner has their complete medical history. This will assist health practitioners to provide safe and effective treatment and care. The right of access of individuals to their health information applies to all such information collected after the commencement of the bill. A more limited right of access also applies to certain health information that is collected prior to the commencement of the bill, including: the individual's health or disability history; the results of an examination or investigation; a diagnosis or speculative diagnosis; a plan or proposed plan of management; services provided or action taken; genetic information that is or could be predictive of health; or other personal information about a donation of body parts. This recognises that, to date, the law has treated health records as practitioners' own notes, and that existing records were prepared on the understanding that individuals would not be able to access them as of right. The bill enables an individual to request health information collected after commencement in a number of ways. Access can be by way of inspection, the provision of a copy (or a summary if the individual agrees), or an opportunity to view the record accompanied by an explanation by the health service provider. Access may also be granted in one of these forms to information collected prior to the commencement of the bill where the provider agrees to this. In the absence of any agreement, the bill entitles the individual to receive an accurate summary of the information. The bill requires a request for access to be refused where information has been provided in strict confidence or where it poses a serious threat to the life or health of the applicant or any other person. There are several other grounds for legitimate refusal of an access request set out in principle 6. An organisation is not able to refuse access on the grounds that another person or organisation has copyright in the health information. The bill operates to make it an implied term of a contract to provide health services that an individual may have access in accordance with the bill. Fees The bill permits organisations to charge a fee for providing access, so they may recover costs associated with complying with a request for access such as photocopying. The fee charged must not exceed the maximum fee, which will be prescribed in regulations. The regulations will also set out the kind of charges that may be imposed. A health service provider who explains a health record to the individual in a special consultation will be able to charge their usual fee for a consultation of comparable duration. Exemptions Division 3 of part 2 sets out the general exemptions from the bill. As media freedom is widely recognised as an important aspect of democratic societies, an exemption has been provided for 'news activities' as defined in clause 3. The exemption is confined to genuine 'news activities' where these are conducted by organisations whose dominant function is disseminating news.
In recognition of the importance of judicial independence, the judiciary and quasi-judicial bodies are also exempt when exercising their judicial or quasi-judicial powers. However, the employee records of court and tribunal staff will come within the scope of the bill. An exemption also applies so that family discussions and records that are genuinely private, family matters can continue without the risk that they would be in breach of the bill. The bill does not provide an exemption for employee records held by employers, or health information disseminated between related corporate entities or for political parties, members of Parliament or their contractors. Given the particular sensitivity of health information, such exemptions are not considered to be appropriate. Enforcement The Health Services Commissioner will have principal responsibility for monitoring compliance with the Health Records Bill and for resolving complaints about interferences with privacy. The commissioner's functions and powers for dispute resolution are modelled on those that currently exist under the Health Services (Conciliation and Review) Act 1987, and on the comparable powers of the Victorian Privacy Commissioner under the Information Privacy bill 2000. The Health Services Commissioner may conciliate a complaint under the bill. The commissioner can also investigate a complaint, and if appropriate, may make a ruling. A ruling would be appropriate if the commissioner finds that there has been interference with privacy. In such a case, the commissioner can recommend the course of action that should be taken by the organisation to remedy the breach. A ruling is not binding, although the organisation must inform the commissioner as to whether it intends to comply with the ruling. If the complaint is not resolved to the complainant's satisfaction, he or she will be able to seek a binding decision from the Victorian Civil and Administrative Tribunal (VCAT). VCAT will be able to make a variety of orders to rectify or remedy an interference with privacy. Organisations may also appeal to VCAT against rulings and compliance notices imposed by the commissioner. Other enforcement mechanisms include criminal penalties for serious breaches of the Act. Like the Victorian Privacy Commissioner, the Health Services Commissioner will be able to serve a compliance notice on an organisation that has performed an act or practice that is a serious or flagrant contravention of the act, or is a breach which is of a kind that has been done or engaged in by the organisation on at least five separate occasions within the previous two years. A failure to comply with a compliance notice is an indictable offence. A respondent can apply to VCAT to have the decision to serve the notice reviewed. A key aim of the legislation is to ensure that complaints are resolved informally, wherever practicable. The alternative dispute resolution mechanisms set out in the bill are designed to minimise the risk of escalation of disputes, for example, by encouraging conciliation. However, the VCAT appeals procedure and the compliance notice process are available to address situations where these mechanisms are not adequate. The commissioner will also have the function of issuing or approving binding guidelines as required under the health privacy principles, and will have an important role in educating the community about the operation of the legislation. Section 85 statement Clause 99 of the bill states that it is the intention of clause 8 to alter or vary section 85 of the Constitution Act 1975. I therefore wish to make a statement pursuant to section 85 of the Constitution Act 1975 of the reasons why that section is to be altered or varied by the bill. Clause 8 provides that the bill does not give rise to any civil cause of action or create any legal right enforceable in a court or tribunal other than as specifically provided in the bill. Similarly, nothing in the bill is to be construed as giving rise to criminal liability except to the extent expressly provided for. The bill is intended to create specific rights and obligations in relation to the privacy of health information, which can be enforced through the dispute resolution mechanisms set out in the bill, including through conciliation, investigation and rulings by the Health Services Commissioner and review by the Victorian Civil and Administrative Tribunal. The bill is not intended to give rise to broader rights and obligations outside those expressly provided in the bill. It is not intended to create any other legal means of enforcing those rights. The reason for the alteration or variation to section 85 of the Constitution Act 1975 is
to ensure that the scope of the bill meets these expectations. Conclusion A draft of the Health Records Bill was released for public consultation earlier this year, to give consumers, organisations and other interested persons an opportunity to comment on the proposals. I would like to take this opportunity to thank all of those who contributed by making submissions on the bill. The feedback received as part of the community consultation process has confirmed the need for the legislation, and has assisted in refining the operation of the provisions contained in the bill. The access rights and principles in the bill are designed to protect privacy and promote patient autonomy, whilst also ensuring safe and effective service delivery, and the continued improvement of health services. I commend the bill to the house. Debate adjourned on motion of Mr DOYLE (Malvern). Debate adjourned until Thursday, 7 December.