Lim, Liong --- "Electronic Health Records and Medical Privacy" [2001] PrivLRes 5; [2001] CyberLRes 15 (14 March 2001)


'Electronic Health Records and Medical Privacy' ([2001] CyberLRes 15) - [2001] PrivLRes 5

Liong Lim (2001)

Electronic Health Records and Medical Privacy
Presentation Outline

by

Liong Lim
Baker & McKenzie


A. Introduction

Health records and medical privacy is undoubtedly one of the most controversial, most complicated and at the same time most important of the privacy issues currently facing Australian society. In order to impart a proper understanding of the scope and complexity of the issues surrounding health records, this paper will address each of the following points in turn:

  1. Why is the privacy of health records so critical?
  2. What are the existing laws that govern medical privacy?
  3. How will the new amendments to the Privacy Act 1988 (Cth) impact the health sector?
  4. Are there any problems with the new legislation?
  5. Do we need specific legislation addressing health records?
What will become clear is that the use of medical patient information has concerns which are quite unique to the health sector. The new privacy laws contained in the Privacy Amendment (Private Sector) Act (the "Private Sector Act") go some way toward recognising those concerns but leave several issues unaddressed.

B. Why is the privacy of health records so critical?

An individual's health record could contain information regarding any aspect of their lives. Imagine, for example, what a typical patient record would contain: name, address, age, next of kin, marital status, social history, family history, treatments, medications, pregnancies, genetic disorders, drug abuse, depression, physical abnormalities, disabilities or mental illness. Unwanted disclosure of this kind of information leads not just to embarrassment but often to discrimination.

The issue of privacy of health records has become much more acute in recent times for two reasons. The first is due to the huge advances that have taken place in gene technology. Increasingly, medical professionals are able to predict with greater accuracy a patient's tendency toward a particular illness. Accordingly, there is an escalating danger that patients will be stigmatised and prejudiced by their own genetic makeup.

The second reason for health records becoming a greater concern is the internet. Consumers are turning to the internet for health information in increasing numbers. A survey conducted at the end of last year showed that in the year 2000:


These results show an emerging trend towards eHealth as an industry. Recent growing concerns about privacy in cyberspace, coupled with the increased use of the internet as a source of health information, have led to a real concern by members of the public in relation to electronic health records. The internet is perceived as an inherently unsafe and privacy-invasive medium. The prospect, therefore, of health records being stored online conjures up fears of employers, family members and insurers accessing detailed personal health information by simply conducting a search on the internet. Of all the people polled in the survey, 85% felt that employers should not be given access to health records while 63% opposed the storage of medical records online in any form, even in a password-protected site.

Finally, the privacy of health information is critical because without it, medical services will be compromised. If patients do not have confidence in the security and privacy of electronic health records, they will simply start withholding information, jeopardising their own treatment. There are indications that this is already occurring. The Australian Medical Association has published findings that patient participation in medical research has been declining in recent years due to privacy concerns. The Medical Consumers Association has also released similar findings.

C. What are the existing laws that govern medical privacy?

The health sector is one of the most heavily regulated industries in Australia. In NSW alone, the following pieces of legislation, codes and guidelines all affect health information:

  1. The Privacy Act 1988 (Cth).
  2. Guidelines for the protection of privacy in the conduct of medical research issued by National Health and Medical Research Council (NHMRC).
  3. Guidelines for the collection use and security of HIV-Aids related personal information.
  4. Medical and Pharmaceutical Benefits Programs Privacy Guidelines.
  5. National Statement on Ethical Conduct in Research Involving Humans issued by the NHMRC.
  6. National Health Act 1953 (Cth).
  7. Health Insurance Act 1973 (Cth).
  8. NSW Health Information Privacy Code of Practice.
  9. NSW Privacy and Personal Information Protection Act 1988.
  10. NSW Mental Health Act 1990.
  11. NSW Public Health Act 1991.
  12. NSW Health Administration Act 1982.
  13. Common Law duties.
Ascertaining legal and equitable obligations in this environment of regulation can be very challenging.

D. How will the new amendments to the Privacy Act 1988 (Cth) impact the health sector?

As you know, the Private Sector Act was passed by Parliament on 6 December 2000, received Royal Assent on 21 December 2000 and is due to commence on 21 December 2001. The Private Sector Act proposes to apply a set of National Privacy Principles to private sector organisations generally. As we shall see, in adopting that approach, the legislation fails to account for the practical and legal concerns particular to the health sector.

The NPPs which form a part of the Private Sector Act will apply to health information just like any other type of personal information. There are, however, specific provisions which deal with health information in particular:

Collection

  1. An organisation is not permitted to collect "sensitive information" unless:
The definition of "sensitive information" covers health information.[*]

  1. Despite the obligations set out above, an organisation may collect health information if:
In both situations, the collection must be conducted in accordance with any applicable law or rules of a competent health or medical body.

Disclosure

  1. There are special rules for disclosure of health information which is necessary for research, or the compilation or analysis of statistics, or is relevant to public health or public safety. In such cases, disclosure will be permitted if:
  1. An organisation which provides health services to an individual may disclose health information about the individual to a person responsible if the individual is incapable of giving or communicating consent, and if disclosure is necessary for the care of the individual and is not contrary to an expressed wish of the individual about which the carer ought to be aware. The person "responsible" is broadly defined to include next of kin, guardians, powers of attorney and persons nominated by the individual or with whom the individual has an intimate relationship.
Exemptions

  1. Mention has also been made of the infamous exemption for small businesses. Under the Private Sector Act, small businesses which deal in health information will not be able to take the benefit of the exemption unless:
These special provisions for health information indicate an awareness on the part of Parliament of the specific issues that pertain to the privacy of health and medical records. Unfortunately, despite these specific provisions, the NPPs under the Private Sector Act do fall short in a few key areas.

E. Are there any problems with the new legislation?

Some of the issues that arise out of the Private Sector Act in the context of health information are as follows:

  1. Overlapping Obligations: The Private Sector Act adds yet another layer of privacy and confidentiality obligations to existing duties.
  2. Consent: Any scheme for the management of health information should take into account a patient's ability to give specific consents in relation to their health information to specific persons and, where relevant, to provide conditional consents for the future. The Private Sector Act doesn't really address this.
  3. Therapeutic privilege: What about a doctor's therapeutic privilege to withhold information where it would be in the patient's best interest?
  4. Public interest: Disclosure in the public interest is a well-established but controversial exception to medical duties of confidentiality. The Private Sector Act preserves the exception but does not clarify its operation.
  5. Ownership of patient records: Should the NPPs clarify the ownership of a health record?
  6. Duties to Explain: Should there be an obligation on holders of health records to explain the contents of those records when requested by patients?
These are just some of the problems that arise out of the application of the Private Sector Act to the health industry. Admittedly, some of these issues, such as disclosure in the public interest, will always be controversial whether or not there is specific medical privacy legislation. Nonetheless, it appears the legislation which has been passed fails to consider some of the unique challenges posed by the health industry.

F. Do we need specific legislation addressing health records?

One solution may be to introduce legislation which deals specifically with health records. Various industry and governmental groups such as the Australian Medical Association and the NSW Ministerial Advisory Committee on Privacy and Health Information have endorsed the passing of health specific privacy legislation.

Overseas, the EU has issued specific recommendations on the Protection of Medical Data 1997. New Zealand and the United Kingdom have both chosen to establish specific health sector privacy guidelines. The US has also enacted specific legislation in the form of the Health Insurance Portability and Accountability Act 1996 which aims to establish national health data standards. Under that legislation the Secretary of Health and Human Services has prepared regulations on the privacy of health information which went into force earlier this year.

Within Australia, Victoria has drafted a Health Records Bill which applies to health information held in both the public and private sectors. Some important elements of that legislation are as follows:

  1. The Victorian legislation establishes 11 Health Privacy Principles which specifically deal with health information.
  2. The legislation applies to health service providers as well as organisations which simply collect, hold or use health information.
  3. Patients have comprehensive control over the use of their health information, including controlling disclosure to family members.
  4. The legislation recognises common law duties by accepting that some health information may already be under duties of confidentiality.
  5. The legislation allows an organisation to refuse access to medical information on the grounds of therapeutic privilege, that is, where disclosure would be harmful to the individual.
  6. An organisation holding medical information can offer to discuss the information with a patient requesting access.
Certainly, the Victorian legislation is not perfect. It does, however, indicate an awareness of privacy concerns specific to the health sector. It certainly represents a more sensitive approach than the federal Private Sector Act.

G. Conclusion

In his play The Doctor's Dilemma, George Bernard Shaw took a very cynical view of patient privacy:

Remember that illness is a misdemeanour; and treat the doctor as an accessory unless he notifies every case to the Public Health Authority.
George Bernard Shaw, "The Doctor's Dilemma"

The Australian privacy landscape is not so bleak as Shaw's vision. Nonetheless, if Australia does not ensure it has effective sector-sensitive legislation for health and medical records, it will be in danger of compromising patient privacy and health services.


[*] "Health information" is also defined in the Act as:

that is also personal information; or


URL: http://www.worldlii.org/int/other/PrivLRes/2001/5.html