Lim, Liong --- "Electronic Health Records and Medical Privacy" [2001] PrivLRes 5; [2001] CyberLRes 15 (14 March 2001)
'Electronic Health Records and Medical Privacy' ([2001] CyberLRes 15) - [2001] PrivLRes 5
Liong Lim (2001)
Electronic Health Records and Medical Privacy
Presentation Outline
by Liong Lim
Baker & McKenzie
A. Introduction
Health records and medical privacy is undoubtedly one of the most controversial,
most complicated and at the same time most important of the privacy issues
currently facing Australian society. In order to impart a proper understanding
of the scope and complexity of the issues surrounding health records, this paper
will address each of the following points in turn:
- Why is the privacy of health records so critical?
- What are the existing laws that govern medical privacy?
- How will the new amendments to the Privacy Act 1988 (Cth) impact
the health sector?
- Are there any problems with the new legislation?
- Do we need specific legislation addressing health records?
What will become clear is that the use of medical patient information raises
concerns which are unique to the health sector. The new privacy laws contained
in the Privacy Amendment (Private Sector) Act (the "Private Sector Act")
go some way toward recognising those concerns but leave several issues unaddressed.
B. Why is the privacy of health records so critical?
An individual's health record could contain information regarding any aspect
of their lives. Imagine, for example, what a typical patient record would
contain: name, address, age, next of kin, marital status, social history, family
history, treatments, medications, pregnancies, genetic disorders, drug abuse,
depression, physical abnormalities, disabilities or mental illness. Unwanted
disclosure of this kind of information leads not just to embarrassment but often
to discrimination.
The issue of privacy of health records has become much more acute in recent
times for two reasons. The first is due to the huge advances that have taken
place in gene technology. Increasingly, medical professionals are able to predict
with greater accuracy a patient's tendency toward a particular illness.
Accordingly, there is an escalating danger that patients will be stigmatised
and prejudiced by their own genetic makeup.
The second reason for health records becoming a greater concern is the internet.
Consumers are turning to the internet for health information in increasing
numbers. A survey conducted at the end of last year showed that in the year 2000:
- more people in the US use the internet for health information than for sport
scores, stock quotes or shopping: figures suggest about 55% of internet users
have sought health information (the next highest category is online shopping
with a 47% response rate);
- approximately 52 million people used the internet to obtain information
about diseases and treatment; and
- of those 52 million people, most sought health-related information at least
once a month.
These results show an emerging trend towards eHealth as an industry. Recent
growing concerns about privacy in cyberspace, coupled with the increased use
of the internet as a source of health information, have led to a real concern
by members of the public in relation to electronic health records. The internet
is perceived as an inherently unsafe and privacy-invasive medium. The prospect,
therefore, of health records being stored online conjures up fears of employers,
family members and insurers accessing detailed personal health information by
simply conducting a search on the internet. Of all the people polled in the
survey, 85% felt that employers should not be given access to health records,
while 63% opposed the storage of medical records online in any form, even in
a password-protected site.
Finally, the privacy of health information is critical because without it, medical
services will be compromised. If patients do not have confidence in the security
and privacy of electronic health records, they will simply start withholding
information, jeopardising their own treatment. There are indications that this
is already occurring. The Australian Medical Association has published findings
that patient participation in medical research has been declining in recent
years due to privacy concerns. The Medical Consumers Association has also
released similar findings.
C. What are the existing laws that govern medical privacy?
The health sector is one of the most heavily regulated industries in Australia.
In NSW alone, the following pieces of legislation, codes and guidelines all
affect health information:
- The Privacy Act 1988 (Cth).
- Guidelines for the protection of privacy in the conduct of medical research
issued by National Health and Medical Research Council (NHMRC).
- Guidelines for the collection use and security of HIV-Aids related personal
information.
- Medical and Pharmaceutical Benefits Programs Privacy Guidelines.
- National Statement on Ethical Conduct in Research Involving Humans issued
by the NHMRC.
- National Health Act 1953 (Cth).
- Health Insurance Act 1973 (Cth).
- NSW Health Information Privacy Code of Practice.
- NSW Privacy and Personal Information Protection Act 1988.
- NSW Mental Health Act 1990.
- NSW Public Health Act 1991.
- NSW Health Administration Act 1982.
- Common Law duties.
Ascertaining legal and equitable obligations in this environment of regulation
can be very challenging.
D. How will the new amendments to the Privacy Act 1988 (Cth) impact the health sector?
As you know, the Private Sector Act was passed by Parliament on 6 December 2000,
received Royal Assent on 21 December 2000 and is due to commence on 21 December
2001. The Private Sector Act proposes to apply a set of National Privacy Principles
to private sector organisations generally. As we shall see, in adopting that
approach, the legislation fails to account for the practical and legal concerns
particular to the health sector.
The NPPs which form a part of the Private Sector Act will apply to health information
just like any other type of personal information. There are, however, specific
provisions which deal with health information in particular:
Collection
- An organisation is not permitted to collect "sensitive information" unless:
  - the data subject has consented; or
  - collection is required by law; or
  - the collection is necessary to prevent a serious and imminent threat to
    the life or health of any individual, where the individual is unable to
    give consent; or
  - in certain circumstances where the collection is by a non-profit
    organisation; or
  - the collection is necessary for the establishment, exercise or defence
    of a legal or equitable claim.
  The definition of "sensitive information" covers health information.[*]
- Despite the obligations set out above, an organisation may collect health
  information if:
  - the collection is necessary for the provision or management of a health
    service; or
  - the collection is necessary for research or the compilation of statistics
    relevant to public health or safety where identified personal information
    is necessary and it is impractical to obtain consent.
  In both situations, the collection must be conducted in accordance with any
  applicable law or rules of a competent health or medical body.
Disclosure
- There are special rules for disclosure of health information which is
  necessary for research, or the compilation or analysis of statistics, or is
  relevant to public health or public safety. In such cases, disclosure will
  be permitted if:
  - it is impractical for consent to be obtained;
  - disclosure is conducted in accordance with any medical research guidelines
    approved by the Privacy Commissioner; and
  - the organisation reasonably believes the recipient of the health
    information will not disclose the information.
- An organisation which provides health services to an individual may disclose
  health information about the individual to a person responsible if the
  individual is incapable of giving or communicating consent, and if
  disclosure is necessary for the care of the individual and is not contrary
  to an expressed wish of the individual about which the carer ought to be
  aware. The person "responsible" is broadly defined to include next of kin,
  guardians, powers of attorney and persons nominated by the individual or
  with whom the individual has an intimate relationship.
Exemptions
- Mention has also been made of the infamous exemption for small businesses.
  Under the Private Sector Act, small businesses which deal in health
  information will not be able to take the benefit of the exemption unless:
  - the health information forms part of an employee record; or
  - the health information is held otherwise than in the course of business,
    for example for personal purposes.
These special provisions for health information indicate an awareness on
the part of Parliament of the specific issues that pertain to the privacy of
health and medical records. Unfortunately, despite these specific provisions,
the NPPs under the Private Sector Act do fall short in a few key areas.
E. Are there any problems with the new legislation?
Some of the issues that arise out of the Private Sector Act in the context of
health information are as follows:
- Overlapping Obligations: The Private Sector Act adds yet another
layer of privacy and confidentiality obligations to existing duties.
- Consent: Any scheme for the management of health information should
take into account a patient's ability to give specific consents for their
health information to specific persons and, where relevant, to provide
conditional consents for the future. The Private Sector Act doesn't really
address this.
- Therapeutic privilege: What about a doctor's therapeutic privilege
to withhold information where it would be in the patient's best interest?
- Public interest: Disclosure in the public interest is a well-established
but controversial exception to medical duties of confidentiality. The Private
Sector Act preserves the exception but does not clarify its operation.
- Ownership of patient records: Should the NPPs clarify the ownership
of a health record?
- Duties to Explain: Should there be an obligation on holders of
health records to explain the contents of those records when requested by
patients?
These are just some of the problems that arise out of the application of
the Private Sector Act to the health industry. Admittedly, some of these issues,
such as disclosure in the public interest, will always be controversial whether
or not there is specific medical privacy legislation. Nonetheless, it appears
the legislation which has been passed fails to consider some of the unique
challenges posed by the health industry.
F. Do we need specific legislation addressing health records?
One solution may be to introduce legislation which deals specifically with health
records. Various industry and governmental groups such as the Australian Medical
Association and the NSW Ministerial Advisory Committee on Privacy and Health
Information have endorsed the passing of health-specific privacy legislation.
Overseas, the EU has issued specific recommendations on the Protection of Medical
Data 1997. New Zealand and the United Kingdom have both chosen to establish
specific health sector privacy guidelines. The US has also enacted specific
legislation in the form of the Health Insurance Portability and Accountability
Act 1996 which aims to establish national health data standards. Under that
legislation the Secretary of Health and Human Services has prepared regulations
on the privacy of health information which went into force earlier this year.
Within Australia, Victoria has drafted a Health Records Bill which applies to
health information held in both the public and private sectors. Some important
elements of that legislation are as follows:
- The Victorian legislation establishes 11 Health Privacy Principles which
specifically deal with health information.
- The legislation applies to health service providers as well as organisations
which simply collect, hold or use health information.
- Patients have comprehensive control over the use of their health information,
including controlling disclosure to family members.
- The legislation recognises common law duties by accepting that some health
information may already be under duties of confidentiality.
- The legislation allows an organisation to refuse access to medical information
on the grounds of therapeutic privilege, that is, where disclosure would be
harmful to the individual.
- An organisation holding medical information can offer to discuss the information
with a patient requesting access.
Certainly, the Victorian legislation is not perfect. It does, however, indicate
an awareness of privacy concerns specific to the health sector. It certainly
represents a more sensitive approach than the federal Private Sector Act.
G. Conclusion
In his play The Doctor's Dilemma, George Bernard Shaw took a very cynical
view of patient privacy:
Remember that illness is a misdemeanour; and treat the doctor as an accessory
unless he notifies every case to the Public Health Authority.
George Bernard Shaw "The Doctor's Dilemma"
The Australian privacy landscape is not so bleak as Shaw's vision. Nonetheless,
if Australia does not ensure it has effective sector-sensitive legislation for
health and medical records, it will be in danger of compromising patient privacy
and health services.
[*] "Health information" is also defined in the Act as:
- [any] information or opinion about:
  - the health or disability (at any time) of an individual; or
  - an individual's expressed wishes about the future provision of health
    services to him or her; or
  - the health service provided or to be provided, to an individual;
  that is also personal information; or
- other personal information collected to provide, or in providing, a health
  service; or
- other personal information about an individual collected in connection with
  the donation, or intended donation, by the individual of his or her body
  parts, organs or body substances.
URL: http://www.worldlii.org/int/other/PrivLRes/2001/5.html