In September 2019, the Office of the Australian Information Commissioner (OAIC) released a “Guide to health privacy” document, which provides a useful summary of “key concepts” in this area and clarifies a number of relevant privacy issues for our members.
The aim of the guide is to assist health service providers to understand their existing obligations pursuant to the Privacy Act 1988 (Cth). The guide should also be read in conjunction with the Australian Privacy Principles Guidelines.
The key concepts covered in the guide include:
- Key steps to embedding privacy in your health practice
- Collecting health information
- Using or disclosing health information
- Giving access to health information
- Correcting health information
- Health management activities
- Disclosing information about patients with impaired capacity
- Using and disclosing genetic information in the case of a serious threat
As highlighted in the guide, the Privacy Act 1988 (Cth) requires health practitioners to be proactive in establishing, implementing and maintaining privacy processes in their practice. Therefore, we consider it would be prudent for our members to review the guide at this time and ensure you have a current and up to date understanding of the key concepts.
This is an area that continues to be scrutinised and focused on nationally. The Notifiable Data Breaches Statistics Report released on 27 August 2019 confirmed that 245 notifications were made in the period 1 April 2019 to 30 June 2019. Of those notifications, 34% were attributed to human error, 62% to malicious or criminal attack and 4% to system faults. In terms of the kinds of personal information involved in the data breaches across all sectors, 67 notifications related to health information.
A GP contacted MIGA for advice in relation to a patient who had requested a complete copy of their medical records within 24 hours. A reason was not given for the short timeframe. The GP was concerned about whether the patient had an entitlement to access a complete copy. The GP was also concerned about whether letters written by specialists formed part of the patient’s medical records and if these could be released. In particular, some of the specialist letters had been marked “not to be released for medico-legal purposes”.
The GP was advised that a patient does have a right to access the information in their medical records unless an exception applies, and that the information should be provided in the manner in which it has been requested unless it is impractical or unreasonable to do so.
In these circumstances, it was determined that an exception to access did not apply and the GP was comfortable for the patient to see the information in their medical records. The GP was able to print a complete copy of all consultation notes, specialist letters and test results for the patient to collect. Upon attending at reception, the patient was asked to provide identification to verify their identity.
The GP was advised that a reasonable timeframe to respond to a request for access to medical records was 30 calendar days, and that a timeframe of 24 hours without any further information as to urgency was unreasonable.
The GP was also advised that the patient has a right to access the information in specialist letters, even if the letter has been marked “not to be released for medico-legal purposes” or “not to be released without the permission of the specialist”.
Although an exception did not apply in this case, it was discussed that there are 10 grounds on which the GP could have refused access to health information pursuant to the Privacy Act 1988 (Cth), the most common being if it is reasonably believed that giving access would pose a serious threat to the life, health or safety of any individual, or to public health or public safety, or giving access would have an unreasonable impact on the privacy of other individuals.
The GP was aware that there are certain processes to follow in the event that access to information is refused.
If you require further information about your privacy obligations or a patient request for health records, please contact the Claims & Legal Services department at MIGA.