Victorian Consolidated Legislation

Health Records Act 2001 - SCHEDULE 1

Section 19 THE HEALTH PRIVACY PRINCIPLES

1. Principle 1-Collection

When health information may be collected

1.1. An organisation must not collect health information about an individual
unless the information is necessary for one or more of its functions or
activities and at least one of the following applies-

   (a)  the individual has consented;

   (b)  the collection is required, authorised or permitted, whether expressly
        or impliedly, by or under law (other than a prescribed law);

   (c)  the information is necessary to provide a health service to the
        individual and the individual is incapable of giving consent within
        the meaning of section 85(3) and-

   (i)  it is not reasonably practicable to obtain the consent of an
        authorised representative of the individual within the meaning of
        section 85; or

   (ii) the individual does not have such an authorised representative;

   (d)  the information is disclosed to the organisation in accordance with
        HPP 2.2(a), (f), (i) or (l) or HPP 2.5;

   (e)  if the collection is necessary for research, or the compilation or
        analysis of statistics, in the public interest-

   (i)  that purpose cannot be served by the collection of information that
        does not identify the individual or from which the individual's
        identity cannot reasonably be ascertained; and

   (ii) it is impracticable for the organisation to seek the individual's
        consent to the collection; and

   (iii) the information is collected in accordance with guidelines issued or
        approved by the Health Services Commissioner under section 22 for the
        purposes of this subparagraph;

   (f)  the collection is necessary to prevent or lessen-

   (i)  a serious and imminent threat to the life, health, safety or welfare
        of any individual; or

   (ii) a serious threat to public health, public safety or public welfare-

and the information is collected in accordance with guidelines, if any, issued
or approved by the Health Services Commissioner under section 22 for the
purposes of this paragraph;

   (g)  the collection is by or on behalf of a law enforcement agency and the
        organisation reasonably believes that the collection is necessary for
        a law enforcement function;

   (h)  the collection is necessary for the establishment, exercise or defence
        of a legal or equitable claim;

   (i)  the collection is in the prescribed circumstances.

How health information is to be collected

1.2. An organisation must collect health information only by lawful and fair
means and not in an unreasonably intrusive way.

1.3. If it is reasonable and practicable to do so, an organisation must
collect health information about an individual only from that individual.

1.4. At or before the time (or, if that is not practicable, as soon as
practicable thereafter) an organisation collects health information about an
individual from the individual, the organisation must take steps that are
reasonable in the circumstances to ensure that the individual is generally
aware of-

   (a)  the identity of the organisation and how to contact it; and

   (b)  the fact that he or she is able to gain access to the information; and

   (c)  the purposes for which the information is collected; and

   (d)  to whom (or the types of individuals or organisations to which) the
        organisation usually discloses information of that kind; and

   (e)  any law that requires the particular information to be collected; and

   (f)  the main consequences (if any) for the individual if all or part of
        the information is not provided.

1.5. If an organisation collects health information about an individual from
someone else, it must take any steps that are reasonable in the circumstances
to ensure that the individual is or has been made aware of the matters listed
in HPP 1.4 except to the extent that making the individual aware of the
matters would pose a serious threat to the life or health of any individual or
would involve the disclosure of information given in confidence.

1.6. An organisation is not required to notify the individual of the identity
of persons, or classes of persons, to whom health information may be disclosed
in accordance with HPP 2.2(f).

Information given in confidence

1.7. If personal information is given in confidence to a health service
provider about an individual by a person other than-

   (a)  the individual; or

   (b)  a health service provider in the course of, or otherwise in relation
        to, the provision of health services to the individual-

with a request that the information not be communicated to the individual to
whom it relates, the provider must-

   (c)  confirm with the person that the information is to remain
        confidential; and

   (d)  if the information remains confidential-

   (i)  record the information only if it is relevant to the provision of
        health services to, or the care of, the individual; and

   (ii) take reasonable steps to ensure that the information is accurate and
        not misleading; and

   (e)  take reasonable steps to record that the information is given in
        confidence and is to remain confidential.


2. Principle 2-Use and Disclosure

2.1. An organisation may use or disclose health information about an
individual for the primary purpose for which the information was collected in
accordance with HPP 1.1.

2.2. An organisation must not use or disclose health information about an
individual for a purpose (the secondary purpose) other than the primary
purpose for which the information was collected unless at least one of the
following paragraphs applies-

   (a)  both of the following apply-

   (i)  the secondary purpose is directly related to the primary purpose; and

   (ii) the individual would reasonably expect the organisation to use or
        disclose the information for the secondary purpose; or

   (b)  the individual has consented to the use or disclosure; or

   (c)  the use or disclosure is required, authorised or permitted, whether
        expressly or impliedly, by or under law (other than a prescribed law);
        or

   (d)  all of the following apply-

   (i)  the organisation is a health service provider providing a health
        service to the individual; and

   (ii) the use or disclosure for the secondary purpose is reasonably
        necessary for the provision of the health service; and

   (iii) the individual is incapable of giving consent within the meaning of
        section 85(3) and-

                (A)  it is not reasonably practicable to obtain the consent of
                     an authorised representative of the individual within the
                     meaning of section 85; or

                (B)  the individual does not have such an authorised
                     representative; or

   (e)  all of the following apply-

   (i)  the organisation is a health service provider providing a health
        service to the individual; and

   (ii) the use is for the purpose of the provision of further health services
        to the individual by the organisation; and

   (iii) the organisation reasonably believes that the use is necessary to
        ensure that the further health services are provided safely and
        effectively; and

   (iv) the information is used in accordance with guidelines, if any, issued
        or approved by the Health Services Commissioner under section 22 for
        the purposes of this paragraph; or

   (f)  the use or disclosure is for the purpose of-

   (i)  funding, management, planning, monitoring, improvement or evaluation
        of health services; or

   (ii) training provided by a health service provider to employees or persons
        working with the organisation-

and-

   (iii) that purpose cannot be served by the use or disclosure of information
        that does not identify the individual or from which the individual's
        identity cannot reasonably be ascertained and it is impracticable for
        the organisation to seek the individual's consent to the use or
        disclosure; or

   (iv) reasonable steps are taken to de-identify the information-

and-

   (v)  if the information is in a form that could reasonably be expected to
        identify individuals, the information is not published in a generally
        available publication; and

   (vi) the information is used or disclosed in accordance with guidelines, if
        any, issued or approved by the Health Services Commissioner under
        section 22 for the purposes of this subparagraph; or

   (g)  if the use or disclosure is necessary for research, or the compilation
        or analysis of statistics, in the public interest-

   (i)  it is impracticable for the organisation to seek the individual's
        consent before the use or disclosure; and

   (ii) that purpose cannot be served by the use or disclosure of information
        that does not identify the individual or from which the individual's
        identity cannot reasonably be ascertained; and

   (iii) the use or disclosure is in accordance with guidelines issued or
        approved by the Health Services Commissioner under section 22 for the
        purposes of this subparagraph; and

   (iv) in the case of disclosure-

                (A)  the organisation reasonably believes that the recipient
                     of the health information will not disclose the health
                     information; and

                (B)  the disclosure will not be published in a form that
                     identifies particular individuals or from which an
                     individual's identity can reasonably be ascertained; or

   (h)  the organisation reasonably believes that the use or disclosure is
        necessary to lessen or prevent-

   (i)  a serious and imminent threat to an individual's life, health, safety
        or welfare; or

   (ii) a serious threat to public health, public safety or public welfare-

and the information is used or disclosed in accordance with guidelines, if
any, issued or approved by the Health Services Commissioner under section 22
for the purposes of this paragraph; or

   (i)  the organisation has reason to suspect that unlawful activity has
        been, is being or may be engaged in, and uses or discloses the health
        information as a necessary part of its investigation of the matter or
        in reporting its concerns to relevant persons or authorities and, if
        the organisation is a registered health service provider, the use or
        disclosure would not be a breach of confidence; or

   (j)  the organisation reasonably believes that the use or disclosure is
        reasonably necessary for a law enforcement function by or on behalf of
        a law enforcement agency and, if the organisation is a registered
        health service provider, the use or disclosure would not be a breach
        of confidence; or

   (k)  the use or disclosure is necessary for the establishment, exercise or
        defence of a legal or equitable claim; or

   (l)  the use or disclosure is in the prescribed circumstances.

Note Nothing in HPP 2 requires an organisation to disclose health information
about an individual. An organisation is always entitled not to disclose health
information in the absence of a legal obligation to disclose it.

2.3. If an organisation discloses health information under paragraph (i) or
(j) of HPP 2.2, it must make a written note of the disclosure.

2.4. Despite HPP 2.2, a health service provider may disclose health
information about an individual to an immediate family member of the
individual if-

   (a)  either-

   (i)  the disclosure is necessary to provide appropriate health services to
        or care of the individual; or

   (ii) the disclosure is made for compassionate reasons; and

   (b)  the disclosure is limited to the extent reasonable and necessary for
        the purposes mentioned in paragraph (a); and

   (c)  the individual is incapable of giving consent to the disclosure within
        the meaning of section 85(3); and

   (d)  the disclosure is not contrary to any wish-

   (i)  expressed by the individual before the individual became incapable of
        giving consent and not changed or withdrawn by the individual before
        then; and

   (ii) of which the organisation is aware or could be made aware by taking
        reasonable steps; and

   (e)  in the case of an immediate family member who is under the age of 18
        years, considering the circumstances of the disclosure, the immediate
        family member has sufficient maturity to receive the information.

2.5. Despite HPP 2.2, an organisation may use or disclose health information
about an individual where-

   (a)  it is known or suspected that the individual is dead; or

   (b)  it is known or suspected that the individual is missing; or


   (c)  the individual has been involved in an accident or other misadventure
        and is incapable of consenting to the use or disclosure-

and the use or disclosure is to the extent reasonably necessary-

   (d)  to identify the individual; or

   (e)  to ascertain the identity and location of an immediate family member
        or other relative of the individual for the purpose of-

   (i)  enabling a member of the police force, a coroner or other prescribed
        organisation to contact the immediate family member or other relative
        for compassionate reasons; or

   (ii) to assist in the identification of the individual-

and, in the circumstances referred to in paragraph (b) or (c)-

   (f)  the use or disclosure is not contrary to any wish-

   (i)  expressed by the individual before he or she went missing or became
        incapable of consenting and not withdrawn by the individual; and

   (ii) of which the organisation is aware or could have become aware by
        taking reasonable steps; and

   (g)  the information is used or disclosed in accordance with guidelines, if
        any, issued or approved by the Health Services Commissioner under
        section 22 for the purposes of this paragraph.

3. Principle 3-Data Quality

3.1. An organisation must take steps that are reasonable in the circumstances
to make sure that, having regard to the purpose for which the information is
to be used, the health information it collects, uses, holds or discloses is
accurate, complete, up to date and relevant to its functions or activities.

4. Principle 4-Data Security and Data Retention

4.1. An organisation must take reasonable steps to protect the health
information it holds from misuse and loss and from unauthorised access,
modification or disclosure.

4.2. A health service provider must not delete health information relating to
an individual, even if it is later found or claimed to be inaccurate, unless-

   (a)  the deletion is permitted, authorised or required by the regulations
        or any other law; or

   (b)  the deletion is not contrary to the regulations or any other law and
        occurs-

   (i)  in the case of health information collected while the individual was a
        child, after the individual attains the age of 25 years; or

   (ii) in any case, more than 7 years after the last occasion on which a
        health service was provided to the individual by the provider-

whichever is the later.

4.3. A health service provider who deletes health information in accordance
with HPP 4.2 must make a written note of the name of the individual to whom
the health information related, the period covered by it and the date on which
it was deleted.

4.4. A health service provider who transfers health information to another
individual or organisation and does not continue to hold a record of that
information must make a written note of the name and address of the individual
or organisation to whom it was transferred.

4.5. An organisation other than a health service provider must take reasonable
steps to destroy or permanently de-identify health information if it is no
longer needed for the purpose for which it was collected or any other purpose
authorised by this Act, the regulations made under this Act or any other law.

5. Principle 5-Openness

5.1. An organisation must set out in a document-

   (a)  clearly expressed policies on its management of health information;
        and

   (b)  the steps that an individual must take in order to obtain access to
        their health information.

The organisation must make the document available to anyone who asks for it.

5.2. On request by an individual, an organisation must take reasonable steps-

   (a)  to let the individual know-

   (i)  whether the organisation holds health information relating to the
        individual; and

   (ii) the steps that the individual should take if the individual wishes to
        obtain access to the information; and

   (b)  if the organisation holds health information relating to the
        individual, to let the individual know in general terms-

   (i)  the nature of the information; and

   (ii) the purposes for which the information is used; and

   (iii) how the organisation collects, holds, uses and discloses the
        information.

6. Principle 6-Access and Correction

Access

6.1. If an organisation holds health information about an individual, it must
provide the individual with access to the information on request by the
individual in accordance with Part 5, unless-

   (a)  providing access would pose a serious threat to the life or health of
        any person under section 26 and refusing access is in accordance with
        guidelines, if any, issued or approved by the Health Services
        Commissioner under section 22 for the purposes of this paragraph; or

   (b)  providing access would have an unreasonable impact on the privacy of
        other individuals and refusing access is in accordance with
        guidelines, if any, issued or approved by the Health Services
        Commissioner under section 22 for the purposes of this paragraph; or

   (c)  the information relates to existing legal proceedings between the
        organisation and the individual and the information would not be
        accessible by the process of discovery in those proceedings or is
        subject to legal professional privilege or client legal privilege; or

   (d)  providing access would reveal the intentions of the organisation in
        relation to negotiations, other than about the provision of a health
        service, with the individual in such a way as to expose the
        organisation unreasonably to disadvantage; or

   (e)  the information is subject to confidentiality under section 27; or

   (f)  providing access would be unlawful; or

   (g)  denying access is required or authorised by or under law; or

   (h)  providing access would be likely to prejudice an investigation of
        possible unlawful activity; or

   (i)  providing access would be likely to prejudice a law enforcement
        function by or on behalf of a law enforcement agency; or

   (j)  a law enforcement agency performing a lawful security function asks
        the organisation not to provide access to the information on the basis
        that providing access would be likely to cause damage to the security
        of Australia; or

   (k)  the request for access is of a kind that has been made unsuccessfully
        on at least one previous occasion and there are no reasonable grounds
        for making the request again; or

   (l)  the individual has been provided with access to the health information
        in accordance with Part 5 and is making an unreasonable, repeated
        request for access to the same information in the same way.

6.2. However, where providing access would reveal evaluative information
generated within the organisation in connection with a commercially sensitive
decision-making process, the organisation may give the individual an
explanation for the commercially sensitive decision rather than access to the
information.

Note An organisation breaches HPP 6.1 if it relies on HPP 6.2 to give an
individual an explanation for a commercially sensitive decision in
circumstances where HPP 6.2 does not apply.

6.3. If access is refused on the ground that it would pose a serious threat to
the life or health of the individual, the procedure in Division 3 of Part 5
applies.

6.4. Without limiting sections 26 and 27, nothing in this Principle compels an
organisation to refuse to provide an individual with access to his or her
health information.

Correction

6.5. If an organisation holds health information about an individual and the
individual is able to establish that the information is inaccurate,
incomplete, misleading or not up to date, the organisation must take
reasonable steps to correct the information so that it is accurate, complete
and up to date but must not delete the information otherwise than in
accordance with HPP 4.2.

6.6. If-

   (a)  the organisation is not willing to correct the health information in
        accordance with a request by the individual; and

   (b)  no decision or recommendation to the effect that the information
        should be corrected wholly or partly in accordance with the request,
        is pending or has been made under this Act or any other law; and

   (c)  the individual gives to the organisation a written statement
        concerning the requested correction-

the organisation must take reasonable steps to associate the statement with
the information.

6.7. If the organisation accepts the need to correct the health information
but-

   (a)  the organisation considers it likely that leaving incorrect
        information, even if corrected, could cause harm to the individual or
        result in inappropriate health services or care being provided; or

   (b)  the form in which the health information is held makes correction
        impossible; or

   (c)  the corrections required are sufficiently complex or numerous for a
        real possibility of confusion or error to arise in relation to
        interpreting or reading the record if it were to be so corrected-

the organisation must place the incorrect information on a record which is not
generally available to anyone involved in providing health services to the
individual, and to which access is restricted, and take reasonable steps to
ensure that only the corrected information is generally available to anyone
who may provide health services to the individual.

6.8. If an organisation corrects health information about an individual, it
must-

   (a)  if practicable, record with the correction the name of the person who
        made the correction and the date on which the correction is made; and

   (b)  take reasonable steps to notify any health service providers to whom
        the organisation disclosed the health information before its
        correction and who may reasonably be expected to rely on that
        information in the future.

6.9. If an individual requests an organisation to correct health information
about the individual, the organisation must take reasonable steps to notify
the individual of a decision on the request as soon as practicable but in any
case not later than 30 days after the request is received by the organisation.

Written reasons

6.10. An organisation must provide written reasons for refusal of access or
a refusal to correct health information.

7. Principle 7-Identifiers

7.1. An organisation may only assign identifiers to individuals if the
assignment of identifiers is reasonably necessary to enable the organisation
to carry out any of its functions efficiently.

7.2. Subject to HPP 7.4, a private sector organisation may only adopt as its
own identifier of an individual an identifier of an individual that has been
assigned by a public sector organisation (or by an agent of, or contractor to,
a public sector organisation acting in its capacity as agent or contractor)
if-

   (a)  the individual has consented to the adoption of the same identifier;
        or

   (b)  the use or disclosure of the identifier is required or authorised by
        or under law.

7.3. Subject to HPP 7.4, a private sector organisation may only use or
disclose an identifier assigned to an individual by a public sector
organisation (or by an agent of, or contractor to, a public sector
organisation acting in its capacity as agent or contractor) if-

   (a)  the use or disclosure is required for the purpose for which it was
        assigned or for a secondary purpose referred to in one or more of
        paragraphs (c) to (l) of HPP 2.2; or

   (b)  the individual has consented to the use or disclosure; or

   (c)  the disclosure is to the public sector organisation which assigned the
        identifier to enable the public sector organisation to identify the
        individual for its own purposes.

7.4. If the use or disclosure of an identifier assigned to an individual by a
public sector organisation is necessary for a private sector organisation to
fulfil its obligations to, or requirements of, the public sector organisation,
a private sector organisation may either-

   (a)  adopt as its own identifier of an individual an identifier of the
        individual that has been assigned by the public sector organisation;
        or

   (b)  use or disclose an identifier of the individual that has been assigned
        by the public sector organisation.

8. Principle 8-Anonymity

8.1. Wherever it is lawful and practicable, individuals must have the option
of not identifying themselves when entering transactions with an organisation.

9. Principle 9-Transborder Data Flows

9.1. An organisation may transfer health information about an individual to
someone (other than the organisation or the individual) who is outside
Victoria only if-

   (a)  the organisation reasonably believes that the recipient of the
        information is subject to a law, binding scheme or contract which
        effectively upholds principles for fair handling of the information
        that are substantially similar to the Health Privacy Principles; or

   (b)  the individual consents to the transfer; or

   (c)  the transfer is necessary for the performance of a contract between
        the individual and the organisation, or for the implementation of
        pre-contractual measures taken in response to the individual's
        request; or

   (d)  the transfer is necessary for the conclusion or performance of a
        contract concluded in the interest of the individual between the
        organisation and a third party; or

   (e)  all of the following apply-

   (i)  the transfer is for the benefit of the individual;

   (ii) it is impracticable to obtain the consent of the individual to that
        transfer;

   (iii) if it were practicable to obtain that consent, the individual would
        be likely to give it; or

   (f)  the organisation has taken reasonable steps to ensure that the
        information which it has transferred will not be held, used or
        disclosed by the recipient of the information inconsistently with the
        Health Privacy Principles; or

   (g)  the transfer is authorised or required by any other law.

10. Principle 10-Transfer or closure of the practice of a health service
provider

10.1. This Principle applies if the practice or business of a health service
provider (the provider) is to be-

   (a)  sold or otherwise transferred and the provider will not be providing
        health services in the new practice or business; or

   (b)  closed down.

10.2. The provider or, if the provider is deceased, the legal representatives
of the provider, must-

   (a)  publish a notice in a newspaper circulating in the locality of the
        practice or business stating-

   (i)  that the practice or business has been, or is about to be, sold,
        transferred or closed down, as the case may be; and

   (ii) the manner in which the provider proposes to deal with the health
        information held by the practice or business about individuals who
        have received health services from the provider, including whether the
        provider proposes to retain the information or make it available for
        transfer to those individuals or their health service providers; and

   (b)  take any other steps to notify individuals who have received a health
        service from the provider in accordance with guidelines issued or
        approved by the Health Services Commissioner under section 22 for the
        purposes of this paragraph.

10.3. Not earlier than 21 days after giving notice in accordance with HPP
10.2, the person giving the notice must, in relation to health information
about an individual held by, or on behalf of, the practice or business, elect
to retain that information or transfer it to-

   (a)  the health service provider, if any, who takes over the practice or
        business; or

   (b)  the individual or a health service provider nominated by him or her.

10.4. A person who elects to retain health information must continue to hold
it or transfer it to a competent organisation for safe storage in Victoria,
until the time, if any, when the health information is destroyed in accordance
with HPP 4.

10.5. Subject to HPP 10.2, a person must comply with the requirements of this
Principle as soon as practicable.

10.6. Despite any other provision of the Health Privacy Principles, a person
who transfers health information in accordance with this Principle does not,
by so doing, contravene the Health Privacy Principles.

10.7. If-

   (a)  an individual, in response to a notice published under HPP 10.2,
        requests that health information be transferred to him or her or to a
        health service provider nominated by him or her; and

   (b)  the person who published the notice elects to retain the health
        information-

the request must be taken to be-

   (c)  in the case of a request that the health information be transferred to
        him or her, a request for access to that health information in
        accordance with Part 5 or HPP 6; and

   (d)  in the case of a request that the health information be transferred to
        a health service provider nominated by him or her, a request for the
        transfer of that health information in accordance with HPP 11-

and it must be dealt with in accordance with this Act.

10.8. This Principle operates subject to any other law, including the
Public Records Act 1973.

10.9. For the purposes of HPP 10.1(a), a business or practice of a provider is
transferred if-

   (a)  it is amalgamated with another organisation; and

   (b)  the successor organisation which is the result of the amalgamation is
        a private sector organisation.

11. Principle 11-Making information available to another health service
provider

11.1. If an individual-

   (a)  requests a health service provider to make health information relating
        to the individual held by the provider available to another health
        service provider; or

   (b)  authorises another health service provider to request a health service
        provider to make health information relating to the individual held by
        that provider available to the requesting health service provider-

a health service provider to whom the request is made and who holds health
information about the individual must, on payment of a fee not exceeding the
prescribed maximum fee and subject to the regulations, provide a copy or
written summary of that health information to that other health service
provider.

11.2. A health service provider must comply with the requirements of this
Principle as soon as practicable.

11.3. Nothing in Part 5 or HPP 6 limits the operation of this Principle.

11.4. For the purposes of HPP 10.7, this Principle applies to a legal
representative of a deceased health service provider in the same way that it
applies to a health service provider.
