21 September 2005
Key Points:
The NSW Act is intended to complement other privacy regimes but it must be approached with care because there are some substantial differences in its approach.
The Health Records and Information Privacy Act 2002 (NSW) ("NSW HRIPA") came into effect on 1 September 2004 and subjects the NSW public and private sectors to new privacy obligations in relation to the collection and use of health information.
The NSW HRIPA adds another layer of privacy protection to an already cluttered field. While it is intended to complement other privacy regimes, in particular the Federal Privacy Act, it must be approached with care because there are some substantial differences in its approach.
This article provides a summary of the NSW HRIPA, including a comparison with the federal privacy regime. The last part of the article looks specifically at the research exemption under the NSW HRIPA and its application to clinical trials.
The NSW HRIPA
Before the NSW HRIPA there was no NSW privacy legislation specific to the health sector.
The Federal Privacy Act 1988 already imposes specific obligations on the private health sector above and beyond its general privacy regime. However, bearing in mind the sensitive nature of health information and the fact that it is regularly exchanged between public and private sectors, it was felt necessary to pass specific legislation to provide a consistent privacy scheme across the public and private health sectors in NSW.
What is health information?
Health information is information or an opinion about an individual's physical or mental health or disability, from which his or her identity is apparent or can reasonably be ascertained.[1] It includes information collected in relation to organ donation, genetic information, and information about a health service provided to an individual. Importantly, all personal information collected while providing a health service is deemed to be health information under the NSW HRIPA.
Interaction with other privacy regimes
The NSW HRIPA and the Federal Privacy Act will both apply to health information held in the private sector. The private health sector needs to be aware of the potential for different obligations to arise under the two Acts.
In the event of an irreconcilable inconsistency between the two, the general legal principle is that the Federal Privacy Act will trump the NSW HRIPA. However, one needs to examine carefully whether the inconsistency is such as to prevent the NSW HRIPA from operating.
For example, most of the National Privacy Principles in the Federal Privacy Act do not apply to information collected in the private sector before 21 December 2001. By way of contrast, most of the Health Privacy Principles in the NSW HRIPA apply regardless of when information was collected. While this may, at first blush, seem to be an inconsistency, the better view is probably that the NSW HRIPA will apply to pre-21 December 2001 information.
Health Privacy Principles and National Privacy Principles
Given that the intention of the NSW HRIPA is to impose privacy obligations largely consistent with existing privacy regimes, it is surprising to see that those obligations are drafted in a markedly different way from the NPPs in the Federal Privacy Act and the closely related HPPs in the Victorian Health Records Act 2001. It remains to be seen whether the differences in approach will lead to differences in application.
The following table summarises the relationship between the National Privacy Principles ("NPPs") and the NSW Health Privacy Principles ("HPPs") and highlights the key differences:
| Federal NPP | NSW HPP | Subject | Differences |
| --- | --- | --- | --- |
| 1 & 10 | 1 to 4 | Collection of health information | The NSW HPPs contain a number of additional obligations/exceptions, namely: |
| 2 | 2 | Use and disclosure of information | The general principle relating to use is identical, namely that information must only be used for the primary purpose for which it was collected or a secondary purpose directly related to that purpose. However, the balance of HPPs 10 and 11 is drafted very differently to NPP 2. The HPPs contain two exemptions not found in the NPPs, namely the use of information for the secondary purpose of: |
| 3 | 9 | Accuracy | Substantially the same. HPP 9 adds that information must be "relevant" and "not misleading". |
| 4 | 5 | Data security | HPP 5 includes the following additional obligations: |
| 5 | 5 | Openness | HPP 6 contains an additional requirement to take reasonable steps to allow individuals to ascertain whether an organisation holds information specific to that individual. |
| 6 | 7 | Access to information | HPP 7 is much less detailed than NPP 6, but is supplemented by the information access regime for the private sector contained in Division 3 of Part 4 of the NSW HRIPA. |
| 6.5 | 8 | Amendment | Again, HPP 8 is much less detailed but is supplemented by the detailed private sector regime for the amendment of information in Division 4 of Part 4 of the NSW HRIPA. |
| 7 | 12 | The use of identifiers | Substantially the same. |
| 8 | 13 | Anonymity | Substantially the same. |
| 9 | 14 | Cross-border data flow | Substantially the same. |
| - | 15 | Electronic linkage | Unique to the HPPs. HPP 15 requires an organisation, whether public or private, to obtain an express consent from a person before they can be added to a linked system of health records, subject to three specific exemptions. This is an important provision given recent efforts to develop national databases of electronic health records. |
Other key differences between the Federal and NSW legislation include the following:
Exemptions and statutory guidelines
HPPs 10 and 11 create a number of exemptions to the usual limits on the use or disclosure of health information. Those exemptions include all of the exemptions found in the Federal Privacy Act, as well as two new exemptions detailed in the table above.
The NSW Privacy Commissioner has issued four sets of statutory guidelines which deal with the operation of specific exemptions.[2] These guidelines form part of the law.
The NSW HRIPA research exemption and clinical trials
There is an exemption available in certain circumstances for the disclosure of health information for research purposes. The research exemption will be particularly important for persons who rely on health records to obtain information for the purposes of epidemiological analysis. While persons conducting prospective clinical trials will generally obtain appropriate consents from patients and thereby avoid the need to rely on the exemption, any person who wishes to conduct a retrospective analysis of records may need to comply with it. Re-analysis of clinical trial data may also raise issues about the scope of the original consent.
The research exemption (HPPs 10(1)(f) and 11(1)(f)) allows researchers to use and disclose health information where it is reasonably necessary for research, or the compilation or analysis of statistics, in the public interest and:
(i) that purpose cannot be served by the use of information that does not identify the individual or from which the individual's identity cannot be reasonably ascertained and it is impracticable for the organisation to seek the consent of the individual for the use, or
(ii) reasonable steps are taken to de-identify the information, and
In order to satisfy the "public interest" test, the public interest in the research must substantially outweigh the public interest in maintaining privacy. The considerations to be taken into account when weighing the public interest are listed in section 4.4 of the guidelines.
The research guidelines require a HREC to approve a research proposal before the health information can be used or disclosed. The guidelines make it clear that an organisation that is already bound by and operating under the existing Federal NHMRC guidelines may continue to do so and will be taken to have complied with the NSW guidelines. The NSW HRIPA guidelines generally replicate the NHMRC guidelines, but there are some differences reflecting the language and scope of the Acts under which they were written.
Conclusion
While the NSW HRIPA is designed to be largely consistent with other federal and state privacy regimes, it is a more specific and more detailed piece of legislation. There are a number of substantive differences between the NSW HRIPA and the Federal Privacy Act. It remains to be seen whether these differences will ultimately result in differences in its application or inconsistencies with the Federal scheme.
Resources on the NSW HRIPA
Privacy NSW has issued a Handbook on health privacy.
The statutory guidelines on research are available here.
[1] Health information that does not identify any person is not “personal information” and does not attract the protection of the NSW HRIPA.
[2] They are guidelines relating to: 1. use or disclosure of health information for the management of health services; 2. use or disclosure of health information for training purposes; 3. use or disclosure of health information for research purposes; 4. notification when collecting health information about a person from someone else.
For further information, please contact Greg Williams.