The Health Records and Information Privacy Act
The University must comply with the Health Records and Information Privacy Act 2002 (NSW) (HRIPA). Controlled entities of the University, such as U@MQ Ltd and Access Macquarie Ltd are also bound by the HRIPA.
Overview of the Act
HRIPA applies to every organisation that is a health service provider or that collects, holds or uses health information. The purpose of the Act is to promote fair and responsible handling of health information by protecting the privacy of an individual's health information that is held in the public and private sectors, enabling individuals to gain access to their health information and providing an accessible framework for the resolution of complains regarding the handling of health information.
15 health privacy principles (HPPs) form the central part of HRIPA. The HPPs are set out in schedule 1 of the HRIPA and are described more fully below under the heading Health Privacy Principles.
What is health information?
The Act only applies to health information which the University or its controlled entities collects and holds. Health information is defined as:
- "personal information that is information or an opinion about:
- the physical or mental health or a disability (at any time) of an individual; or
- an individual's express wishes about the future provision of health services to him or her, or
- a health service provided or to be provided to an individual; or
- other personal information collected to provide, or in providing a health service, or
- other personal information about an individual collected in connection with the donation, or intended donation, of an individual's body parts, organs or body substances, or
- other personal information that is genetic information about an individual arising from a health service provided to the individual that is or could be predictive of the health (at any time) of the individual or of any sibling, relative or descendant of the individual, or
- healthcare identifiers,
but does not include health information, or a class of health information or health information contained in a class of documents, that is prescribed as exempt health information for the purposes of this Act generally or for the purposes of specified provisions of this Act."
Privacy Management Plan
The Office of the Privacy Commissioner has developed four statutory guidelines under HRIPA. The statutory guidelines are legally binding documents that define the scope of particular exemptions in the health privacy principles. They describe how the exemption applies and what an agency needs to do in order to comply with the exemption. They are as important as the exemption itself. They relate to the:
- use or disclosure of health information for the management of health services (PDF, 274kb)
- use or disclosure of health information for training purposes (PDF, 272kb)
- use or disclosure of health information for research purposes (PDF, 343kb) See appendix C for HREC report form - Webform (PDF) (Word version)
- use or disclosure of health information from a third party (PDF, 267kb)
Formal application for review of conduct
The University will endeavour to resolve any health privacy complaint informally with the applicant without the need for a formal review in the first instance.
However, any person who is aggrieved by conduct of the University in relation to their health information is entitled to a formal review of that conduct by the University in accordance with Part 5 of PPIPA (pursuant to section 21 of HRIPA).
This means that an application for internal review of conduct must be provided in accordance with Part 5 of PPIPA. It must be addressed to the University in writing with a return address, within 6 months of the time when the applicant first became aware of the offending conduct. The University must inform the Privacy Commissioner of the application and keep the Privacy Commissioner informed as to the progress and findings of the University.
The University will appoint a person who is suitably qualified (such as the privacy officer) to conduct a review of the application as soon as reasonably practicable. If the review is not completed within 60 days, the applicant is entitled to make an application to the Administrative Decisions Tribunal.
Within 14 days after the completion of the review, the University must notify the applicant in writing of the:
- findings of the review (and the reasons);
- the action proposed to be taken; and
- the right of the person to have those findings and the University's proposed action, reviewed by the Administrative Decisions Tribunal.
A person dissatisfied with the findings of the review or the action of the University may apply to the Administrative Decisions Tribunal (ADT) for a review of the conduct of the University. If the applicant is not satisfied with the findings of the ADT and orders made (if any), he/she may appeal to the Appeal Panel of the ADT.
15 Health Privacy Principles
15 health privacy principles (HPPs) form the central part of HRIPA and are set out in schedule 1 to the Act. The HPPs are grouped under seven main headings - collection, storage, access and accuracy, use, disclosure, identifiers and anonymity, and transborder data and linkage. These are set out below.
- HPP 1 - Purposes of collection of health information
- HPP 2 - Information must be relevant, not excessive, accurate and not intrusive
- HPP 3 - Collection to be from individual concerned
- HPP 4 - Individual to be made aware of certain matters
- HPP 5 - Retention and security
- HPP 6 - Information about health information held by organisations
- HPP 7- Access to health information
- HPP 8 - Amendment to health information
- HPP 9 - Accuracy
- HPP 10 - Limits on use of health information
- HPP 11 - Limits on disclosure of health information
- HPP 12 - Identifiers
- HPP 13 - Anonymity
- HPP 14 - Transborder data flows and data flow to Commonwealth agencies
- HPP 15 - Linkage of Health Records
Health information that the University collects about you must be for a lawful purpose which is directly related to the University's activities and the information is reasonably necessary for that purpose.
The University must ensure that the information it collects is relevant, and not excessive, accurate, up-to-date and complete. The collection should not unreasonably intrude into your personal affairs.
The University must only collect health information directly from the person concerned, unless it is unreasonable or impractical to do so. For example, if a person lacks capacity to provide their health information, the University may collect it from an authorised representative such as a carer or guardian. The statutory guideline on "use or disclosure of health information from a third party" provides more detail in relation to this HPP.
At or before the time when the health information is collected, or as soon as practicable after collection, the University must take reasonable steps to ensure that you are aware of the following:
- our contact details;
- your right to request access to your information;
- the purposes for which your information is collected;
- the persons to whom (or the types of persons to whom) the organisation usually discloses information of that kind;
- any law that requires that information to be collected; and
- the main consequences (if any) for the individual if all or part of the information is not provided.
The University does this by providing you with or publishing a collection notice, where appropriate.
Health information must be stored securely, not kept any longer than necessary, and disposed of appropriately. It should be protected from loss, unauthorised access, use, modification or disclosure and any other misuse. This means that the University should have appropriate access restrictions in place.
The University endeavours to ensure that:
- Access to information is restricted according to level of responsibility within the University;
- Computer passwords are regularly changed;
- Entry to buildings where important information is stored is by card access;
- Sensitive information is securely stored and locked;
- Offices unattended are locked;
- Health information is stored away and not left exposed; and
- Staff are aware of their privacy obligations.
The University's records and archives department (Macquarie Memory) stores information for so long as it is required to do so pursuant to the State Records Act 1998 (NSW) and other legislation.
The University must provide you with enough details about what health information it is storing, why it is storing it and what rights you have to access it.
The University must allow you access to your health information without unreasonable delay and expense, subject to any applicable exemptions. The University may require that your application is provided in writing and that it state your name or the name of the person whose information is sought and (if relevant) the authorisation of the person on whose behalf the application is made. To make a formal application, please write to our privacy officer at firstname.lastname@example.org.
The University must allow you to update, correct or amend your health information where necessary upon your reasonable request.
The University must ensure, before using health information that it holds, that it is relevant, accurate up to date and not misleading before using it.
Generally, the University can only use your health information for the purpose for which it was collected. The purpose for which your information was collected should have been communicated to you at the time when your information was collected, or as soon as practicable thereafter, in accordance with HPP 3.
The University may use your health information for other purposes where you:
- consent to that use; or
- where it is for a purpose directly related to the purpose for which it was collected and you would expect the organization to use the information for that secondary purpose; or
- where it is reasonably believed by the organization to be necessary to prevent or lessen a serious and imminent threat to the life, health or safety of an individual or serious threat to public health or safety.
There are also other uses of health information which are permissible under the Act. For instance, where the use of the health information is reasonably necessary for the management of health services, training, or research, by a law enforcement agency to find a missing person or for their law enforcement functions where there are reasonable grounds to believe an offence may have been committed or where the organisation has reasonable grounds to suspect that unlawful activity may have been engaged in.
Further explanation and examples of these provisions are set out in the Handbook to Health Privacy.
In the absence of consent from you, the University may only disclose your health information to third parties where:
- the disclosure is directly related to the purpose for which the information was collected and you would reasonably expect that the University would disclose that information for that purpose; or
- where the University reasonably believes that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life, health or safety of you or another person or to lessen or prevent a serious threat to public health or public safety.
If the University has informed you at or around the time when your health information is collected of the likely third parties to whom your information may be disclosed, in accordance with HPP 3, you would reasonably expect that your information will be disclosed to those types of parties.
The circumstances pursuant to which your information will be disclosed to a third party because of a serious and imminent threat to your life or health or to others will be rare and uncommon. The University will only disclose your health information to others when the circumstances are serious and impending, such as in a life threatening situation in which you are involved where you could be seriously injured or others might be injured as a result of your actions. Some likely parties to whom your information might be disclosed include the ambulance services or the police.
There are also other permissible disclosures of health information under the Act. For instance, where the disclosure of the health information is reasonably necessary for the management of health services, training, research, for compassionate reasons, and by a law enforcement agency to find a missing person or for their law enforcement functions where there are reasonable grounds to believe an offence may have been committed or where the organisation has reasonable grounds to suspect that unlawful activity may have been engaged in.
Further explanation and examples of these provisions are set out in the Handbook to Health Privacy.
If the University discloses health information under this HPP to another public sector agency, then the receiving agency must not use the information for a purpose other than the purpose for which it was given. For example, if the University disclosed personal details to the NSW police or ambulance service, and if they are a public sector agency, they cannot use the information for any other purpose other than to provide the response required for that situation.
The University may assign a health identifier to you if it is reasonably necessary to enable it to carry out is functions of providing the service to you.
Wherever it is lawful and practicable, the University must allow you the opportunity not to identify yourself when entering into transactions or receiving health services from the University or its controlled entities.
The University must not transfer health information about you to any person outside of NSW or to a commonwealth agency, unless the University reasonably believes that the recipient has laws in place similar to the HPP's or you provide your consent to that transfer, or the transfer is necessary for the performance of a contract between you and us or in other circumstances listed in that HPP.
The University will not link your health records with health records of other organisations unless you have provided your consent.
Exemptions from compliance with the HPPs
The University is not required to comply with HPPs 4, 5, 6, 7, 8, 10, 11 or 15 where it is lawfully authorised or required not to comply or where non compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998).
Examples of where this exemption might apply to the University are:
- where the University is issued with a subpoena or a search warrant for certain information;
- where a government department requests by formal notice certain health information held by the University, pursuant to its governing legislation; or
- where legislation requires that the University provide certain information in relation to its students or staff for the purposes of compiling statistics about the University, for example under the Tertiary Education and Quality Standards Agency Act 2011 (Cth).