Health Records and Information Privacy Act 2002


The HRIP Act commenced on 1 September 2004.



Brief introduction to the HRIP Act

The Health Records and Information Privacy Act 2002 (or HRIP Act) protects the privacy of health information in NSW.

The HRIP Act governs the handling of health information in both the public and private sectors in NSW. This includes hospitals whether public or private, doctors, and other health care organisations. It also includes other organisations that have any type of health information. This can be as varied as a university that undertakes research, or a gymnasium that records information about a person’s health and injuries.

The HRIP Act contains 15 health privacy principles (HPPs) outlining how health information must be collected, stored, used and disclosed. The health privacy principles can be grouped under seven main headings: collection, storage, access & accuracy, use, disclosure, identifiers & anonymity, and transferrals & linkage. These are legal obligations that must be followed, although the HRIP Act provides for a number of legal exemptions from these principles.

The HRIP Act also sets out how complaints regarding the handling of health information can be dealt with.

Definitions

What is health information?

‘Health information’ is a specific type of personal information. Health information includes personal information that is information or an opinion about the physical or mental health or a disability of an individual.

Health information also includes personal information that is information or an opinion about:
  • a health service provided, or to be provided, to an individual
  • an individual’s express wishes about the future provision of health services to him or her
  • other personal information collected in connection with the donation of human tissue
  • genetic information that is or could be predictive of the health of an individual or their relatives or descendants.

If your organisation is a health service provider, ‘health information’ includes all of the above plus any other personal information collected to provide, or in providing a health service.

‘Health information’ is defined in section 6 of the HRIP Act.

What is a health service provider?

A "health service provider" means an organisation that provides a health service. According to the definitions outlined in the HRIP Act, a "health service" includes the following services, whether provided as public or private services:

(a) medical, hospital and nursing services,
(b) dental services,
(c) mental health services,
(d) pharmaceutical services,
(e) ambulance services,
(f) community health services,
(g) health education services,
(h) welfare services necessary to implement any services referred to in paragraphs (a)–(g),
(i) services provided by podiatrists, chiropractors, osteopaths, optometrists, physiotherapists, psychologists and optical dispensers in the course of providing health care,
(j) services provided by dietitians, masseurs, naturopaths, acupuncturists, occupational therapists, speech therapists, audiologists, audiometrists and radiographers in the course of providing health care,
(k) services provided in other alternative health care fields in the course of providing health care,
(l) a service prescribed by the regulations as a health service for the purposes of this Act.

For more information see the definitions in Part 1 of the HRIP Act.

What is a private sector person or organisation?

The HRIP Act applies to both individual people and organisations in the private sector. The types of organisations covered are bodies corporate, partnerships, trusts and unincorporated associations.

Individuals and organisations that will be regulated by the HRIP Act are:
  • health service providers of any size (for example, an individual GP, a partnership of physiotherapists or a large private hospital), and
  • organisations that handle health information and have a turnover of more than $3 million per annum (for example, an insurance company).

Health privacy principles at a glance

The 15 health privacy principles (HPPs) are the key to the Health Records and Information Privacy Act (HRIP Act). They are legal obligations describing what organisations (NSW public and private sector) must do when they collect, hold, use and disclose health information.

However, in some cases, organisations do not have to follow one or more of the HPPs. For more information about exemptions, see our Exemptions Matrix or contact the Privacy Contact Officer in the organisation or Privacy NSW.

Collection

    1. Lawful – when an organisation collects your health information, the information must be collected for a lawful purpose. It must also be directly related to the organisation’s activities and necessary for that purpose.

    2. Relevant – the organisation must ensure that your health information is relevant, accurate, up to date and not excessive. The collection should not unreasonably intrude into your personal affairs.

    3. Direct – your health information must be collected directly from you, unless it is unreasonable or impracticable for the organisation to do so.

    4. Open – you must be told why your health information is being collected, what will be done with it, and who else might see it. You must also be told how you can see and correct your health information, and any consequences if you decide not to provide it.

    Even if an organisation collects health information about you from someone else, they must still take reasonable steps to ensure that you are aware of the above points.


Storage

    5. Secure – your health information must be stored securely, not kept any longer than necessary, and disposed of appropriately. It should be protected from unauthorised access, use or disclosure.

Access & Accuracy

    6. Transparent – the organisation must provide you with details about what health information they are storing about you, why they are storing it and what rights you have to access it.

    7. Accessible – the organisation must allow you to access your health information without unreasonable delay or expense.

    8. Correct – the organisation must allow you to update, correct or amend your health information where necessary.

    9. Accurate – the organisation must make sure that your health information is relevant and accurate before using it.


Use

    10. Limited – the organisation can only use your health information for the purpose for which it was collected, or a directly related purpose that you would expect. Otherwise they can only use it with your consent (unless one of the exemptions in HPP 10 applies).

Disclosure

    11. Limited – the organisation can only disclose your health information for the purpose for which it was collected, or a directly related purpose that you would expect. Otherwise they can only disclose it with your consent (unless one of the exemptions in HPP 11 applies).

Identifiers & Anonymity

    12. Not identified – an organisation can only give you an identification number if it is reasonably necessary to carry out their functions efficiently.

    13. Anonymous – you are entitled to receive health services anonymously, where this is lawful and practicable.


Transferrals & Linkage

    14. Controlled – your health information can only be transferred outside New South Wales in accordance with HPP 14.

    15. Authorised – your health information can only be included in a system to link health records across more than one organisation if you expressly consent to this.



Enforcement of the HRIP Act

Under the HRIP Act, both public sector agencies and private sector persons and organisations must comply with the 15 HPPs. There are also special rules for private sector individuals and organisations on keeping and giving access to health information.

Where a person believes that a public sector agency, private sector individual or private sector organisation has not complied with the HRIP Act in terms of the handling of their health information, they may make a complaint. The process followed for complaints about the privacy of health information will depend on who the complaint is about.

Complaints against a public sector agency

If a complaint is against a NSW public sector agency, it should be dealt with as an internal review by the agency. After the internal review, the complainant can take their complaint to the Administrative Decisions Tribunal if they want an enforceable decision. See here for more about this process.

Complaints against a private sector person or organisation

If the complaint is against a private sector person or organisation, the complainant should lodge the complaint with Privacy NSW.
How to prepare for the HRIP Act

Privacy NSW has identified seven basic steps on how organisations can get ready for the commencement of the HRIP Act. Download How to prepare for the NSW Health Records and Information Privacy Act 2002. This document outlines the seven recommended steps and has useful tips for both private and public sector organisations.
Statutory guidelines

Privacy NSW has developed four statutory guidelines under the Health Records and Information Privacy Act 2002. The statutory guidelines are not a plain English guide to the HRIP Act. They are legally binding documents that define the scope of particular exemptions in the health privacy principles. They describe how the exemption applies and what you need to do in order to comply with the exemption. They are as important as the exemption itself. They relate to the:
  • use or disclosure of health information for the management of health services [PDF] or [Word],
  • use or disclosure of health information for training purposes [PDF] or [Word],
  • use or disclosure of health information for research purposes [PDF] or [Word] [HREC Form], and
  • notification when collecting health information about a person from someone else [PDF] or [Word].

A Fact Sheet is available which explains the statutory guidelines in more detail.
Training on the HRIP Act

The training and education program has been created around four broad stakeholder groups:
  • Private sector, health providers;
  • Private sector, non-health organisations;
  • Public sector, non-health agencies; and
  • Advocates, lawyers and other interest groups.

The separation of training sessions into these individual groups allowed us to tailor the training content to participants’ specific interests. This was done through a practical learning approach to the subject matter that utilised numerous case studies and open discussions.

The training that was offered focused on a Train the Trainer module and also half-day sessions comprised of three distinct modules. The three modules provided an introduction / overview of the Act and then drilled down into more specific content depending on the needs of the stakeholder audience.

Please note that the Train the Trainer module incorporated the same content as the full half-day session; however, it equipped the participant to take their new knowledge on the HRIP Act back to their organisation, to educate other staff. As part of this module we provided you with more detailed case studies and additional resources.

To date Privacy NSW has trained over 1,100 people through this program and has undertaken more than 75 training sessions.

Agencies within the public health system (such as area health services) will be trained by NSW Health; contact Victoria Davison on 02 9391 9092.

Please note that HRIP Act Training has (unfortunately) been deferred. We hope to resume it as soon as Privacy NSW has sufficient staff. Please contact Privacy NSW at privacy_nsw@agd.nsw.gov.au to put your name down for training when it becomes available.

If you require privacy training in the near future, the Federal Office of the Privacy Commissioner provides a list of training providers on their website.
Case law

There is no case law available yet under the HRIP Act.

History of the Act

In December 2000 the NSW Ministerial Advisory Committee on Privacy and Health Information presented a report entitled Panacea or Placebo to the NSW Government. The Report's central recommendation was that personal health information needed specific and precise statutory protection. This recommendation was accepted and in September 2002 Parliament passed the Health Records and Information Privacy Act 2002 (HRIP Act).

The Health Records and Information Privacy Act 2002 will commence on 1 September 2004.

Publications

Privacy NSW has prepared a series of publications about the HRIP Act.

For a basic presentation of the HRIP Act, download the following:
  • Information sheet for the NSW public sector [PDF]
  • Information sheet for the NSW private sector [PDF]

See the Publications section of this website for a comprehensive list of all Privacy NSW publications.

Frequently asked questions



Last updated 17 August 2010. Crown Copyright ©