Hansard Search

12 March 1991 - Current

Page 1906
23 November 2000
                              HEALTH RECORDS BILL
                                 Second reading

  Mr THWAITES (Minister for Health) -- I move:
That this bill be now read a second time.
This important bill is a significant step forward in strengthening the rights of
users of health services. It will --
        give  individuals  a legally  enforceable  right of access  to their own
        health information which  is contained in  records held in  the  private
        sector; and

        establish health privacy principles that will  apply  to personal health
        information  collected,  used and held  in both the  public  and private
This bill is a companion to the Information Privacy bill,  which  the government
introduced  into Parliament in  autumn 2000. That bill  applies to all  personal
information other than health information.
Through both  of  these bills  the  government has  introduced  a  comprehensive
legislative package to apply across the public sector.
In  addition, whereas the  government  decided to confine  the operation of  the
Information Privacy Bill to  the public sector and funded agencies, it has taken
the view that in the case of health information broader legislation is required.

A key reason for the broader scope of the bill is the need to  ensure uniformity
of standards across the public and private sectors. The health industry consists
of a vast array of health  service  providers,  with  many  different  kinds  of
organisations,  professions and specialities within professions. One patient may
attend a  public  hospital  for treatment  of  a particular  condition,  whereas
another may attend a  private hospital for the  same treatment. Similarly,  both
private practitioners and community health centres provide general  practitioner
Further,  many  patients move between the two sectors in relation to the ongoing
treatment of  a  chronic condition. For  example,  a cancer patient  may receive
treatment at a public hospital, attend a specialist for follow-up monitoring who
may be a private practitioner, and have tests  performed  by a private pathology
laboratory for tests.

The  same information  may be  held by a number of  providers, and  in principle
should generally be subject to the same kind of privacy protections.
It is also the view of the government that in the case of health information the
legislative  standards must be  tailored to health  information, and they should
not  be  capable of  variation  through  codes  of  practice.  In  essence,  the
modification of  general privacy principles  has already been  undertaken in the
drafting  of  the health  privacy  principles contained in  this  bill. As such,
further modification should not be required.
This  broad application of these principles will give  consumers certainty about
the manner in  which their health information  is collected, used, disclosed and

Health  information   is  arguably  the  most  sensitive  category  of  personal
information that exists  about  an  individual.  The  government  considers that
regulation  of  the  private  sector  in  this  particular  area  is  warranted,
especially in light of the failure of the commonwealth government to take action
to adequately protect health information to date.
In  sponsoring  this  bill and  the  Information Privacy  Bill,  the  government
recognises, and is responding to, community concerns about the threat to privacy
posed by the exponentially  increasing capacity of  modern technology. While new
technology  brings many benefits for  individuals and the community  as a whole,
the potential exists for technology to be misused,  and  for  people  to  suffer
discrimination or other kinds of harm as a result.

Nowhere  is  this  more   evident  than  in  the  case  of  health  information,
particularly in light of the increase in the use of genetic tests to predict the
likelihood of future illness.
While the bill provides strong legal rights of access to, and privacy of, health
information, such rights of access and privacy are not, and cannot be, absolute.
These   rights  must  be  balanced  against  other   important   public   policy
considerations. The bill endeavours to strike an appropriate balance between the
desire of  consumers for privacy  on one  hand, and  the need  to safeguard  the
health and safety of individuals and the public,  and promote safe and effective
health service delivery, on the other.

For instance, in  circumstances where providing a person with unfettered  access
to his or  her health records would pose  a serious threat to his or her life or
health, or the life or  health of  another person,  or where  granting access to
certain information would have  an unreasonable impact on the privacy of another
person, the bill permits access to be denied in  order to protect the person  at

Page 1907
Although the consent of an individual to whom information relates is generally the basis on which the bill enables health information to be collected, used and disclosed to another organisation, the bill also recognises that there are situations in which it is not practicable to obtain specific consent in each case. I will now provide a general overview of the bill. Scope of the bill The bill applies to health information held by organisations in Victoria. It covers: all personal information collected to provide a health service by a health service provider, be they a public or private sector organisation; and all health information held by other organisations, both public and private. The bill applies to health information, which is a subset of personal information. Personal information is information about an individual whose identity is apparent or can reasonably be ascertained from that information. The bill applies to a number of different kinds of personal information relating to health. It applies to traditional medical records including information about a person's physical, mental and psychological health. It also extends to information about donation of body parts, and genetic information that is in a form that is, or could be, predictive of the health of an individual or their descendants. The bill refers to the holder or collector of health information as an 'organisation'. This includes natural persons as well as incorporated and unincorporated bodies. Most of the obligations in the bill apply to an organisation, regardless of whether or not that organisation is a health service provider. However, where appropriate the bill includes additional standards in relation to health service providers. For example, the bill applies to all personal information collected about an individual by a health service provider in the course of providing a health service. The term 'health service' is broadly defined and includes activities claimed to assess, maintain or improve the individual's health. It also includes diagnosis or treatment of illness, injury or disability, the provision of disability, aged care or palliative care services, and the dispensing of prescriptions. Examples of non-health service providers include health insurers with insured persons' records, employers with health information of their employees, schools with vaccination records and fitness gymnasiums with health charts about their customers. Health privacy principles Under the bill, health information that is collected, held or used by organisations must be handled in accordance with the health privacy principles in schedule 1. The principles cover many different aspects of information handling. They are binding and a contravention of the principles is 'an interference with the privacy of an individual'. Principle 1 sets out the framework for collection of health information. It requires collection to be an accountable and transparent process. Organisations are generally required to obtain the individual's consent for collection or to be covered by one of the public interest grounds that permit collection. Principle 2 regulates the use and disclosure of health information. In general, use or disclosure is permitted for the purpose for which the health information was collected or, otherwise, with the consent of the person to whom it relates. Secondary use or disclosure is also permitted in cases where there is a strong public interest in doing so (for instance, where there is a serious threat to life or health, where disclosure is required by law, or for the purposes of research which is in the public interest and complies with guidelines developed by the Health Services Commissioner). Principle 3 is about ensuring data quality. It requires health information to be accurate, complete, up to date and relevant to the functions of the organisation that holds the information. Principle 4 sets out general requirements to ensure appropriate security and retention of data. It generally requires health information held by a health service provider to be stored for at least seven years subject to any specific legislation to the contrary. This reflects current good practice. Principle 5 encourages transparency by requiring organisations to document clearly their policies on management of health information and to make those policies available to the public. Principle 6 provides individuals with a right to access their health information and to make corrections to it, where necessary. This principle applies to health information held by the private sector, while the
Page 1908
Freedom of Information Act will continue to apply to health information held by public sector organisations. Limited grounds for refusal of access are set out in the bill. If only part of the health information is covered by a legitimate ground for refusal, the organisation is required to provide the rest of the health information to the applicant. Principle 7 imposes limits on the assignment of identifiers that are intended to uniquely identify individuals in relation to their health information. It also restricts the adoption, use or disclosure of identifiers assigned by a public sector organisation. Principle 8 preserves, where lawful and practicable, the right of individuals to remain anonymous in transactions with an organisation. Principle 9 puts certain limits on the flow of health information outside Victoria. Principle 10 regulates what a health service provider must do with its stock of health records when the practice or business is sold, closed or amalgamated. Principle 11 provides individuals with a right to have their health information that is held by one health service provider made available to other providers. Since the disclosure is from one health service provider to another, the grounds to refuse access that apply under part 5 and principle 6 do not apply. Interaction with other legislation The health privacy principles do not override other legislation. Existing provisions in other statutes governing the confidentiality, use and disclosure of health information, as well as those that regulate access to certain kinds of personal information, have been preserved. Specific statutory provisions that were designed with particular circumstances in mind will override the general standards in the Health Records Bill to the extent of any inconsistency. The bill also makes consequential amendments to certain provisions of other legislation to ensure that those statutes will operate consistently with the bill, and to clarify that certain disclosures of information will not constitute an offence. For instance, section 141 of the Health Services Act and section 120A of the Mental Health Act make it an offence for certain health service providers to disclose information that could identify a patient except where this is specifically permitted by one or more of the exceptions specified in those sections. Those provisions currently enable health information to be used for the purposes of research where this is permitted by an institutional ethics committee and does not conflict with any prescribed requirements. In contrast, the bill only enables research to be carried out where more detailed criteria are met, including compliance with guidelines for research issued or approved by the Health Services Commissioner. The bill therefore makes a consequential amendment to sections 141 and 120A in order to ensure that these additional standards in the health privacy principles relating to research also apply under these provisions. The bill also amends section 141 of the Health Services Act to ensure that it is not an offence for public hospitals to share information through an electronic system for the purposes of the treatment of a patient, whenever that patient presents for treatment. A similar amendment is made to section 120A of the Mental Health Act in relation to the sharing of information between approved mental health services. These amendments also authorise the making of regulations that could impose conditions and additional requirements regarding the way in which this may occur. This will assist the legislation to keep pace with developments in technology, and will allow additional controls to be introduced as appropriate. The Freedom of Information Act will continue to regulate individuals' access to their own health information where it is held by public sector agencies such as public hospitals and government departments. However, the draft bill contains amendments to that act that have the effect of enhancing the right of access available under that act. These additions are modelled on key elements of the right of access in relation to private sector organisations under the bill. For instance, under the Freedom of Information Act an individual currently has a right to receive a copy of their health information or to view their file. The bill will amend that act to also enable an individual to request an explanation of his or her health record from a health service provider, in addition to the rights that currently exist. The bill will also amend the Freedom of Information Act to provide that, where there is a concern that access to certain health information poses a serious threat to the life or health of the applicant, the relevant procedure in division 3 of part 5 of the bill applies. An individual may seek a second opinion about the merits of that decision from a registered health service provider of their own nomination.
Page 1909
The internal review mechanisms and the VCAT appeal rights under the Freedom of Information Act continue to apply. The bill adds to these by providing that where an applicant wishes to challenge a decision to refuse access to health information under the Freedom of Information Act, that person may in some circumstances elect to seek conciliation by the Health Services Commissioner instead of seeking internal review by the public sector agency. If conciliation is successful, the agreement can be enforced as provided for in the Health Records Bill. If conciliation fails, then the complainant may apply to the VCAT under the Freedom of Information Act. In this way the bill preserves the application of the Freedom of Information Act, but also supplements the rights under that act by incorporating into it a number of the elements of the Health Records Bill. This enables a greater level of uniformity to be achieved in relation to the access rights across the public and private sectors. The bill is also designed to operate concurrently with any relevant commonwealth laws. Right of access to information By giving individuals an enforceable right of access to their own health information held in the private sector, the bill will enhance the ability of consumers to make informed health care decisions. It will also enable individuals to check the accuracy of health information held about them if they wish, and ensure that their current treating practitioner has their complete medical history. This will assist health practitioners to provide safe and effective treatment and care. The right of access of individuals to their health information applies to all such information collected after the commencement of the bill. A more limited right of access also applies to certain health information that is collected prior to the commencement of the bill, including: the individual's health or disability history; the results of an examination or investigation; a diagnosis or speculative diagnosis; a plan or proposed plan of management; services provided or action taken; genetic information that is or could be predictive of health; or other personal information about a donation of body parts. This recognises that, to date, the law has treated health records as practitioners' own notes, and that existing records were prepared on the understanding that individuals would not be able to access them as of right. The bill enables an individual to request health information collected after commencement in a number of ways. Access can be by way of inspection, the provision of a copy (or a summary if the individual agrees), or an opportunity to view the record accompanied by an explanation by the health service provider. Access may also be granted in one of these forms to information collected prior to the commencement of the bill where the provider agrees to this. In the absence of any agreement, the bill entitles the individual to receive an accurate summary of the information. The bill requires a request for access to be refused where information has been provided in strict confidence or where it poses a serious threat to the life or health of the applicant or any other person. There are several other grounds for legitimate refusal of an access request set out in principle 6. An organisation is not able to refuse access on the grounds that another person or organisation has copyright in the health information. The bill operates to make it an implied term of a contract to provide health services that an individual may have access in accordance with the bill. Fees The bill permits organisations to charge a fee for providing access, so they may recover costs associated with complying with a request for access such as photocopying. The fee charged must not exceed the maximum fee, which will be prescribed in regulations. The regulations will also set out the kind of charges that may be imposed. A health service provider who explains a health record to the individual in a special consultation will be able to charge their usual fee for a consultation of comparable duration. Exemptions Division 3 of part 2 sets out the general exemptions from the bill. As media freedom is widely recognised as an important aspect of democratic societies, an exemption has been provided for 'news activities' as defined in clause 3. The exemption is confined to genuine 'news activities' where these are conducted by organisations whose dominant function is disseminating news.
Page 1910
In recognition of the importance of judicial independence, the judiciary and quasi-judicial bodies are also exempt when exercising their judicial or quasi-judicial powers. However, the employee records of court and tribunal staff will come within the scope of the bill. An exemption also applies so that family discussions and records that are genuinely private, family matters can continue without the risk that they would be in breach of the bill. The bill does not provide an exemption for employee records held by employers, or health information disseminated between related corporate entities or for political parties, members of Parliament or their contractors. Given the particular sensitivity of health information, such exemptions are not considered to be appropriate. Enforcement The Health Services Commissioner will have principal responsibility for monitoring compliance with the Health Records Bill and for resolving complaints about interferences with privacy. The commissioner's functions and powers for dispute resolution are modelled on those that currently exist under the Health Services (Conciliation and Review) Act 1987, and on the comparable powers of the Victorian Privacy Commissioner under the Information Privacy bill 2000. The Health Services Commissioner may conciliate a complaint under the bill. The commissioner can also investigate a complaint, and if appropriate, may make a ruling. A ruling would be appropriate if the commissioner finds that there has been interference with privacy. In such a case, the commissioner can recommend the course of action that should be taken by the organisation to remedy the breach. A ruling is not binding, although the organisation must inform the commissioner as to whether it intends to comply with the ruling. If the complaint is not resolved to the complainant's satisfaction, he or she will be able to seek a binding decision from the Victorian Civil and Administrative Tribunal (VCAT). VCAT will be able to make a variety of orders to rectify or remedy an interference with privacy. Organisations may also appeal to VCAT against rulings and compliance notices imposed by the commissioner. Other enforcement mechanisms include criminal penalties for serious breaches of the Act. Like the Victorian Privacy Commissioner, the Health Services Commissioner will be able to serve a compliance notice on an organisation that has performed an act or practice that is a serious or flagrant contravention of the act, or is a breach which is of a kind that has been done or engaged in by the organisation on at least five separate occasions within the previous two years. A failure to comply with a compliance notice is an indictable offence. A respondent can apply to VCAT to have the decision to serve the notice reviewed. A key aim of the legislation is to ensure that complaints are resolved informally, wherever practicable. The alternative dispute resolution mechanisms set out in the bill are designed to minimise the risk of escalation of disputes, for example, by encouraging conciliation. However, the VCAT appeals procedure and the compliance notice process are available to address situations where these mechanisms are not adequate. The commissioner will also have the function of issuing or approving binding guidelines as required under the health privacy principles, and will have an important role in educating the community about the operation of the legislation. Section 85 statement Clause 99 of the bill states that it is the intention of clause 8 to alter or vary section 85 of the Constitution Act 1975. I therefore wish to make a statement pursuant to section 85 of the Constitution Act 1975 of the reasons why that section is to be altered or varied by the bill. Clause 8 provides that the bill does not give rise to any civil cause of action or create any legal right enforceable in a court or tribunal other than as specifically provided in the bill. Similarly, nothing in the bill is to be construed as giving rise to criminal liability except to the extent expressly provided for. The bill is intended to create specific rights and obligations in relation to the privacy of health information, which can be enforced through the dispute resolution mechanisms set out in the bill, including through conciliation, investigation and rulings by the Health Services Commissioner and review by the Victorian Civil and Administrative Tribunal. The bill is not intended to give rise to broader rights and obligations outside those expressly provided in the bill. It is not intended to create any other legal means of enforcing those rights. The reason for the alteration or variation to section 85 of the Constitution Act 1975 is
Page 1911
to ensure that the scope of the bill meets these expectations. Conclusion A draft of the Health Records Bill was released for public consultation earlier this year, to give consumers, organisations and other interested persons an opportunity to comment on the proposals. I would like to take this opportunity to thank all of those who contributed by making submissions on the bill. The feedback received as part of the community consultation process has confirmed the need for the legislation, and has assisted in refining the operation of the provisions contained in the bill. The access rights and principles in the bill are designed to protect privacy and promote patient autonomy, whilst also ensuring safe and effective service delivery, and the continued improvement of health services. I commend the bill to the house. Debate adjourned on motion of Mr DOYLE (Malvern). Debate adjourned until Thursday, 7 December.