Our clinic adheres to the federal Privacy Act and have comprehensive policies to protect your health information.

From 21 December 2001 health service providers covered by the federal Privacy Act have needed to comply with ten National Privacy Principles that allow for individuals to exercise new rights and choices about how their personal and health information is handled in the private health sector. The Act also gives people these rights over personal information held by other private sector organisations.

Health information

‘Health information’ is defined in both Federal and State Acts as information or opinion about a client regarding such things as wellbeing, disabilities, health services provided or to be provided, and can include personal information. ‘Personal information’ includes details such as name, address, account details, Medicare number and health service appointments.

Privacy principles

The Federal Act encompasses ten National Privacy Principles which govern the management of client’s health information. The legislation promotes greater openness between health service providers and clients regarding the handling of health information. For example, the legislation gives clients a general right of access to their own client health records and requires health service providers to develop a privacy policy that sets out how they manage health information. To assist health service providers in the private sector to understand their new obligations the Office of the Privacy Commissioner has produced Guidelines on Privacy in the Private Health Sector and a Short Guide for the Private Health Sector, available at www.oaic.gov.au

Collection

In general, a health service provider is required to:

• collect only the information necessary to deliver the health service;

• collect lawfully, fairly and not intrusively; and

• obtain a person’s consent to collect health information about them. This consent may be express or explicit.

Our practice needs to ensure that consumers are informed about why their health information is being collected, who is collecting it, and how it will be used, to whom it may be given and that they can access it if they wish. Privacy legislation stipulates that a practice should only collect health information that is necessary for its ‘functions or activities’. The practice uses fair and lawful ways to collect health information and, where reasonable and practicable, collects health information directly from an individual. The practice takes reasonable steps to make a client understand why information is being collected and who else it might be given to. The practice is deemed to be collecting information if it gathers, acquires or obtains information from any source and by any means. Collection covers information kept by the practice even where the practice has not asked for the information or has come across it by accident.

Consent

In general, the practice should obtain an individual’s consent to collect health information. This consent may be implied or express/explicit. Implied consent refers to circumstances where it is reasonable for the health professional to infer that consent has been given by the client. For example, if a client presents to a physiotherapist and discloses health information which is written down by the physiotherapist during the consultation, this will generally be regarded as the client giving implied consent to the physiotherapist to collect health information for certain purposes. The extent of the purposes will usually be evident from the discussion between the physiotherapist and the client during the consultation. Express consent refers to consent that is clearly and unmistakably stated (either in writing, orally, or in another fashion where consent is clearly communicated). Consent to the collection and handling of health information and consent to treatment are two separate authorities provided by the client.

Use and Disclosure

Use of health information refers to the handling of client information within a practice. Disclosure refers to the transfer of information outside the practice.

A health service provider may use or disclose health information:

• for the main reason it was collected (the primary purpose); or

• for directly-related secondary purposes, if the client would reasonably expect these; or

• if the client gives express written consent to the proposed use or disclosure; or

• if one of the other provisions under this principle applies.

Directly-related secondary purposes may include:

• Necessary information sharing for referral to another health provider

• Billing or debt recovery

• Reporting an adverse event to an insurer

• Disclosure to a lawyer for the defence of legal proceedings

Other purposes for use or disclosure of health information

The practice should only use and disclose health information for other than primary or directly related secondary purposes, if the client gives consent or if an exception applies. Exceptions include uses or disclosures required or authorised by law; uses or disclosures necessary to manage a threat to someone’s life, health or safety; and uses or disclosures for research provided certain conditions are met.

Mandatory Reporting

Health professionals in the practice must use or disclose health information if the law requires them to do so. For example, health professionals are required to report child abuse (under care and protection laws) and notify the diagnosis of certain communicable diseases (under public health laws).

Legal proceedings

If a health professional is served with a subpoena or other form of Court order requiring the production of documents to the Court, they are generally required to supply the documents. If a health professional is concerned about how to proceed, they can seek advice from the Registrar of the Court or Tribunal which issued the order or from a lawyer.

Training and education

The use of health information for training and education will usually require the client’s consent. Where consent is sought, the individual should have a genuine choice and not be pressured to agree. If the practice uses de-identified health information for training, client consent is not required.

Public health and safety research and statistics

The practice may use or disclose health information without consent for research or statistics that are relevant to public health or safety. The health information may be used or disclosed only if:

• the activities cannot be undertaken with de-identified data

• seeking consent is impracticable

• the activities are carried out in accordance with guidelines of the National Health and Medical Research Council

• the practice reasonably believes the organisation to which the health information is disclosed will not further disclose it.

Transfer of information to another health service provider

If a client wants to transfer to a physiotherapist in another practice, they can authorise the disclosure of health information from the original practice to a new practice. A copy of the health information could be transferred in this way. For medico-legal reasons, our practice retains the original record and provides the new physiotherapist with a summary or a copy. If a summary of the client’s health record is provided to the new physiotherapist, a copy of the summary should be kept on file for record purposes. Our practice charges a reasonable fee to the practice or the client for transferring the client’s health record to another practice.