					                Training Package




The Health Services Commissioner wishes to acknowledge that this train the trainer
package is based on the work of Privacy Victoria. The support and assistance of the
Privacy Commissioner, Paul Chadwick, and his staff Carole Fleeman and David Taylor
provided the impetus for the completion of this document. This co-operative working
arrangement supports both offices in the aim of delivering the ‘Privacy’ message to
the community and is appreciated by this office.

The cartoons used in this package are the work of Chris Slane,
cartoonist from New Zealand. His email address is www.slane.co.nz
                                   Introduction

Welcome to the Training Package for the Health Records Act 2001.


The Office of the Health Services Commissioner is an independent statutory authority
established to provide an accessible complaint mechanism for users of health services
to resolve any differences they may have with health service providers. The office is
impartial and places a high emphasis on conciliation and quality improvements.


In April 2001 the Victorian Government passed the Health Records Act 2001 (the
Act) which:
   •   Establishes health privacy principles that apply to personal health information
       collected, used and held in the public and private sectors; and
   •   Gives individuals a legally enforceable right of access to their own health
       information contained in records held in the private sector.


This training package has been compiled to help organisations train their staff to be
compliant with the legislation governing the handling of health information and to
assist organisations to process any requests for access to health information they receive.

Objectives:
   •   To give organisations enough information about the legislation to enable the
       organisation to train their staff in how to comply with their obligations under
       the Act.
   •   To provide organisations with information about the Act for use at orientation
       sessions for new staff, so all staff are aware of their obligations.

Benefits:
Obligations under the Act apply to all organisations, private and public sector, large
and small, which handle health information. Therefore there are benefits in having all
staff educated regarding their obligations, and those of the organisation, under the Act
including:
   •   Proper handling of health information so there is no interference with the
       privacy of individuals.
   •   Good privacy policy development so that staff have an understanding about
       their obligations and feel confident when dealing with health information and
       clients.
   •   Reduce the risk of complaints to the Health Services Commissioner about the
       organisation because there will be no or fewer alleged breaches of the Act.
   •   Compliance with best practice so that organisations are offering the best
       service possible to their clients – privacy compliance enhances service delivery.


My staff are available to help you with any additional issues that may arise following
your sessions. Please contact them on 8601 5222 as the need arises.




BETH WILSON
Health Services Commissioner
                                        CONTENTS

Printed pages

   •   Introduction
   •   About the Training Package
   •   How to use this training package
   •   Session outline
   •   Slides
   •   Trainer background information for slides
   •   Activities
   •   Explanation of activities
   •   Reference materials for participants
   •   Suggested references for trainers
   •   Sample training session documents
             • Suggested checklist for trainers
             • Flyer to promote training sessions
             • Pre-training information for participants
             • Evaluation form


CD-ROM

   •   Electronic read-only version of the contents on the printed pages – to facilitate
       printing of slides, activities and reference materials for participants.
   •   Electronic version of the sample checklist for trainers, flyer, pre-training
       information and evaluation form, which may be edited.

                    About The Training Package

The material in this training package is designed to give general guidance only. It
should not be relied on as legal advice. Material is compressed and simplified for
training purposes and should not create expectations about how the Health Services
Commissioner may deal with any specific complaint or matter in particular
circumstances under the Health Records Act 2001 (Vic) (the Act). The Office of the
Health Services Commissioner accepts no liability for loss or damage that may be
suffered by any person or entity that relies on information in this training package.

The Office of the Health Services Commissioner holds copyright on this material
unless otherwise indicated. Permission to reproduce work of others should be
separately sought.

The purpose of the training materials is to increase understanding and awareness in
Victoria about the Act and compliance with the Act. The contents of the training
package can be copied for non-commercial use but should be used fairly and
accurately and the Office of the Health Services Commissioner should be
acknowledged as the source.

                 HOW TO USE THIS TRAINING PACKAGE


Office of the Health Services Commissioner training materials


This generic training package aims to inform staff of organisations holding health
information about the requirements of the Health Records Act 2001 (the Act) and to
assist organisations to comply with the Act.


The design of the package is flexible to allow for different audiences and the needs of
the organisation. Parts of the package will be relevant to some organisations and not
others depending on whether the organisation is public or private sector, or a health
service provider. There is detailed information aimed at privacy officers and managers
who are responsible for ensuring that the organisation is compliant with the Act, and
also information to provide for basic awareness training of staff who handle personal
health information.


Contents of the training package

The training package has been developed for use in presenting information sessions
and providing training sessions to staff in the public and private sectors. It is a
training package to facilitate the delivery of training on the Act, not a self-paced
training module for learners to work through individually. Some parts of the package
can be copied and handed to staff who are unable to attend an information session or
training.


The content of the training materials is necessarily generic to meet the needs of the
diverse range of private and public sector organisations. There are however
opportunities in the training for participants to consider the application of the Act and
the Health Privacy Principles to their specific work context and examples of personal
health information handling in their organisation. Trainers may also wish to include
information specific to their organisations in the training, such as the organisation’s
privacy policy or revised procedures.

The training package includes the following components:

   •   Slides
   •   Trainers notes for slides
   •   Reference materials for participants which provide further information on a
       topic or act as a ready-reference
   •   Suggested references for trainers
   •   Suggested checklist for trainers
   •   Sample flyer to promote training sessions
   •   Sample pre-training information for participants
   •   Sample evaluation form.

                  Session outline for the Health Records Act Training Package

1. Introduction
   Slides:
   •   Slide 1: Title slide
   •   Slide 2: Cartoon
   •   Slide 3: Learning objectives
   •   Slide 4: Key elements
   •   Slide 5: Privacy for Victorians
   •   Slide 6: Three important aspects of privacy
   Activities:
   •   Activity 1: Icebreaker
   Reference materials for participants:
   •   Provide a copy of the slides and other reference materials to participants

2. Key elements and definitions
   Slides:
   •   Slide 7: Objects of the Act
   •   Slide 8: Who is covered by the Act
   •   Slide 9: Cartoon
   •   Slide 10: Health Service Providers are those who engage in…
   •   Slide 11: “Health Information” differs depending on what you do
   •   Slide 12: Personal information means
   •   Slide 13: Minors
   •   Slide 14: Deceased individuals
   •   Slide 15: Health Privacy Principles (HPPs): Interaction with other legislation
   •   Slide 16: Recap
   Activities:
   •   Activity 2: Activity for participants to explore their own experiences and
       feelings relevant to health information privacy – ‘Imagine…’
   Reference materials for participants:
   •   Information sheet: Minors, privacy laws and consent

3. The Health Records Act 2001
   Slides:
   •   Slide 17: HPPs
   •   Slide 18: Scope
   •   Slide 19: A contravention of the HPPs is
   •   Slide 20: Health Privacy Principles
   •   Slide 21: HPPs apply regardless of the time of collection
   •   Slide 22: HPP 1 Collection
   •   Slide 23: Cartoon
   •   Slide 24: HPP 2 Use & Disclosure
   •   Slide 25: Cartoon
   •   Slide 26: HPP 3 Data Quality
   •   Slide 27: HPP 4 Security & Retention
   •   Slide 28: Cartoon
   •   Slide 29: HPP 5 Openness
   •   Slide 30: HPP 6 Access & Correction
   •   Slide 31: HPP 7 Identifiers
   •   Slide 32: HPP 8 Anonymity, HPP 9 Transborder Data Flows
   •   Slide 33: HPP 10 Transfer/closure of practice of a health service provider
   •   Slide 34: HPP 11 Making information available to another health service provider
   •   Slide 35: Recap
   Activities:
   •   Activity 3: Review HPPs by getting participants to match the name, number
       and explanation of HPPs in their groups.
   Reference materials for participants:
   •   Brochures
   •   Extract of Health Privacy Principles
   •   Frequently asked questions
   •   Scenarios

4. Making decisions about collecting, using and disclosing health information
   Activities:
   •   Activity 4: Making decisions about collection of health information
   •   Activity 5: Making decisions about disclosure of health information

5. Access and correction of health information
   Slides:
   •   Slide 36: Access
   •   Slide 37: Application
   •   Slide 38: How access is to be provided
   •   Slide 39: How access is to be provided
   •   Slide 40: Mandatory limits to access
   •   Slide 41: Other limits to access
   •   Slide 42: Fees
   •   Slide 43: Recap
   •   Slide 44: Correction
   •   Slide 45: Cartoon
   Reference materials for participants:
   •   Information sheet: Refusal of access on ground of threat to life or health of
       individual requesting access
   •   Health Records Regulations 2002

6. Exemptions and complaints processes
   Slides:
   •   Slide 46: Exemptions
   •   Slide 47: Cartoon
   •   Slide 48: HSC Complaints Process
   •   Slide 49: HSC Complaints Process (2)
   •   Slide 50: Offences
   •   Slide 51: Results of non-compliance
   •   Slide 52: Recap

7. What do you need to do now?
   Activities:
   •   Activity 6: Action plan
   Reference materials for participants:
   •   Complying with the Health Records Act 2001

8. Review and close
   Slides:
   •   Slide 53: Health Services Commissioner Contact Details
   Activities:
   •   Activity 7: Quiz to summarise key content

               TRAINER BACKGROUND INFORMATION

Slide 1: Title slide
   •   Introduce the topic and trainer.

   •   Explain any housekeeping e.g. breaks, tea/coffee arrangements, location of toilets.
       Request that participants turn off mobile phones.

   •   Provide participants with a copy of the slides so they can add notes throughout the
       session if they choose.

   •   Provide participants with copies of the other reference materials. These include a
       list of answers to frequently asked questions and information sheets on specific
       topics. The reference materials can also be found on the Health Services
       Commissioner website at www.health.vic.gov.au/hsc.


Slide 2: Cartoon


Slide 3: Learning objectives
   •   This slide lists the learning outcomes which the session aims to achieve.
       Although the information is generic, the activities will provide opportunities for
       participants to apply the privacy principles to their specific work context.


Slide 4: Key elements
   •   The Health Privacy Principles (HPPs) set minimum standards for the way personal
       health information is handled and protected, and they apply to the public and
       private sectors (A copy of the HPPs is provided in the reference materials).

   •   There has been a right of access to personal health information in the public
       sector, such as public hospitals, schools or government departments, under the
       Freedom of Information Act 1982 (FOI Act). However, until now, there has not
       been a corresponding right to access personal health information in the private
       sector.

Office of the Health Services Commissioner
HRA Train the trainer package 2003

   •   In 1996 the High Court held, in the case of Breen v Williams (1996) 186 CLR 71,
       that there was no common law right to the medical records of a medical
       practitioner in the private sector, and it was up to governments to legislate if a
       different outcome was desired.

   •   Victoria is not the only State to enact legislation to create a legal entitlement to
       access to health information. The ACT was first with health records legislation in
       1997. The Commonwealth amended its existing Privacy Act 1988, which covers
       Commonwealth public sector agencies (such as Centrelink and the Australian
       Taxation Office) to cover the private sector from December 2001. Victoria has the
       Health Records Act 2001 (the Act). Other States are in the process of legislating
       for health information privacy.


Slide 5: Privacy for Victorians
   •   Victorians are subject to three different privacy laws.

   •   There is the Health Records Act 2001 (Vic), which regulates health information
       privacy and is administered by the Health Services Commissioner Beth Wilson.
       The Act came into force on 1 July 2002.

   •   The Information Privacy Act 2000 (Vic), administered by the Victorian Privacy
       Commissioner, Paul Chadwick, came into force on 1 September 2002. This Act
       covers personal information (other than health information) held in the Victorian
       public sector and organisations funded by the public sector. This means that the
       Information Privacy Act may cover private sector organisations that have service
       agreements with a government department, such as DHS, depending upon the
       terms of the agreement.

   •   The Commonwealth Privacy Act 1988 was amended to cover the private sector
       from 21 December 2001. It covers many private sector organisations that hold
       personal information, and all health service providers. The Federal Privacy
       Commissioner is Malcolm Crompton.

   •   It is possible for organisations to be subject to more than one law and to comply
       with all at once, without duplication. For example under each Act an organisation
       is required to have a privacy policy. There is no requirement to have 3 separate
       privacy policies if you are subject to the 3 Acts, so long as all requirements of
       each Act are addressed in one policy.


Slide 6: Three important aspects of Privacy

   •   Privacy is a broad concept, encompassing confidentiality but not limited to it.
       Confidentiality has been part of common law and legislation for many years, and
       governs to whom an organisation can give information. However, the HPPs also
       enshrine in law the protection of data held by an organisation by setting minimum
       standards of how it is to be managed. An organisation can set higher standards
       than those required by the Act if they wish, but they must meet the minimum
       standards.

   •   Another important concept in the Act is consumer choice. One of the important
       protections available is contained in HPP 11. It states that a health service
       provider must transfer a copy of an individual’s personal health information to
       another health service provider on request. This gives an individual the right to
       choose their provider, but also the right to have their medical history follow them.

   •   Privacy is important. A study of Australians' perceptions of privacy issued by the
       Federal Privacy Commissioner[1] shows people prefer to deal with organisations
       that manage personal information well. Sixty per cent of Australians are more
       inclined to trust an organisation that gives them control over use of their
       information. Fifty-five per cent say organisations with privacy policies are most
       likely to gain their trust. More than 40% said they refused to deal with
       organisations because of privacy concerns.


[1] Privacy and the Community, Privacy and Government and Privacy and Business, Office of the
Federal Privacy Commissioner, July 2001. (www.privacy.gov.au)


Slide 7: Objects of the Act
   •   When applying the HPPs you must bear in mind what the Act is trying to achieve.

   •   Responsible handling of health information is something everyone should already
       be doing as part of best practice. The HPPs provide a minimum standard.

   •   Privacy protection is about balancing competing public interests. It is not
       intended to prevent the legitimate use of health information, for provision of
       services and other purposes such as research. It is unlikely the general public
       would wish for cessation of research that leads to increased options for medical
       treatment. It does not mean you can no longer collect or use any health
       information. It does require you to review the way you collect and use health
       information and to do so according to the Act.

   •   Enough information should be provided to individuals so that they understand
       their health care, and what happens to their health information. It is about being
       open and transparent with what the organisation does with the health information,
       and how it uses and discloses that information.

   •   One of the objects of the Act is to promote provision of quality health services. If
       the HPPs are applied in a manner that decreases the quality of the service
       provided, then they are being applied incorrectly. Compliance should enhance the
       delivery of health services.


Slide 8: Who is covered by the Act?
   •   The Act covers any organisation that holds personal health information about an
       individual in any identifiable form. It can be paper based, on computer, video,
       x-ray or audiotape or any other form. An organisation means a person or body,
       private or public sector.

   •   All health service providers are covered by the Act, including doctors, dentists,
       counsellors, nurses, pharmacists and alternative therapists. Organisations such as
       schools, childcare centres, employers, banks, insurance companies, weight loss
       centres and gymnasiums may not be aware they hold health information. If an
       organisation holds personal health information then the management of that
       information is governed by the Act.

   •   Health service providers are subject to additional standards as they hold more
       health information than non-health service providers, and have a special
       relationship with consumers.


Slide 9: Cartoon


Slide 10: Health Service providers are those who engage in
   •   A health service is an activity performed in relation to an individual that is
       intended or claimed (expressly or otherwise) by the individual or the organisation
       to assess, maintain, improve, diagnose or treat an individual’s illness, injury or
       disability.

   •   Organisations providing disability, aged or palliative care services are included as
       health service providers in relation to all aspects of their service delivery. An
       organisation can also be a health service provider to the extent that they provide a
       health service (s3). For example, a job agency that specifically caters for people
       with a disability, or a school that has a special program for children with a
       disability, would be considered a health service provider under the Act to the
       extent of that program. A job agency or school that deals with people without a
       disability, but has disabled clients or students as part of its general population,
       would not be considered a health service provider for the purposes of the Act.

   •   For pharmacists, it is only the dispensing of medication on prescription that is the
       health service. They are not health service providers in regard to products sold
       over the counter, not on prescription.

   •   There are no exempt health service providers under the Act.

   •   Whether or not an organisation is a health service provider is significant for
       identifying what information held by the organisation is health information, and
       therefore subject to the Act.




Slide 11: “Health Information” differs depending on what you do
   •   Health information is information or opinion about the physical, mental or
       psychological health (at any time) of an individual; or about an individual’s
       disability or expressed wishes about provision of future health services that is also
       personal information.

   •   It covers personal information about an individual collected in connection with
       donation, or intended donation of his or her body parts, organs or body substances.

   •   Genetic information is also considered health information under the Act.

   •   If an organisation is a health service provider all personal information it collects
       about an individual while providing a health service is considered health
       information. This includes contact details, such as address and phone number,
       next of kin details, account details such as debts owed or health insurance details,
       or any other personal information collected by the organisation in order to
       provide a health service.

   •   For a non-health service provider it is only identifying information about the
       health or disability of the individual. For example, in a school it would cover
       medical details, and health forms filled in for excursions etc. but not personal
       information, name and address, academic or financial records. For employers,
       health information relating to employees may be sick leave, maternity leave, work
       cover claims but not recreation leave details or payroll. This is the case even if the
       employer is a health service provider because they hold the information in their
       capacity as employer, not in their capacity as health service provider.


Slide 12: Personal information means
   •   If the identity of the individual is not apparent, or cannot be reasonably worked
       out from the personal health information, then it is not subject to the Act. For
       example, de-identified information about an individual is not health information.

   •   Care must be taken where health information is to be used or disclosed in a
       de-identified form to ensure it is properly de-identified. What will suffice as
       adequate de-identification will depend on the context, such as the nature and size
       of the community. What is reasonable depends upon the circumstances of the case,
       and should be assessed carefully.

   •   The Act also covers information that may not be true, such as a provisional
       diagnosis.

   •   Unlike the Information Privacy Act, the Health Records Act covers personal
       health information whether it is recorded or not. This means a conversation
       detailing identifiable personal health information that can be overheard by a third
       party may be an interference with the privacy of an individual.

   •   The Act covers health information wherever it is located, even if held separately
       from a medical file, such as that held on databases, hospital theatre registers or
       card index systems.


Slide 13: Minors
   •   A minor is capable of giving informed consent when he or she achieves a
       sufficient understanding and intelligence to enable him or her to understand fully
       what is proposed. This test is called “Gillick’s test” because it comes from the
       English case of Gillick v West Norfolk AHA (1986) 1 AC 150 and has been
       applied for many years when providing health services to minors.

   •   The Act defines “child” as a person under the age of 18 years. If a person is under
       18 years they are considered to be a child for the purposes of the Act and Gillick’s
       test must be the basis for assessing whether they can consent for themselves,
       and/or access their own health information. A parent’s right to make decisions in
       respect of health information for a child ceases when the child reaches the age of
       18 years. After that age, children are legally entitled to make their own decisions
       and parents have no legal authority to countermand them.

See also Information Sheet 5 in the reference materials.



Slide 14: Deceased individuals
   •   The health information of deceased individuals who have been dead for 30 years or
       less is also protected under the Act. Their health information must be managed in
       the same manner as if the individual were alive. Retention periods are the same
       whether the individual is alive or deceased.

   •   A legal representative can request access to health information about the deceased
       individual held by the organisation, and can exercise other rights, such as making
       a complaint if there has been an interference with the privacy of the deceased
       individual.

   •   An organisation has the right to request proof of identity of the legal
       representative, and evidence of the authority of that person to act for the deceased
       individual.

   •   If there is a situation where the legal representative knows they are acting against
       the expressed wishes of the deceased individual before they died, then any consent
       given by the legal representative is void.


Slide 15: Health Privacy Principles: Interaction with other legislation
   •   Specific statutory provisions in other legislation override the general standards in
       the Health Records Act to the extent of the inconsistency. This means that the Act
       fills gaps where there is no other legislation governing these issues. If specific
       legislation exists dealing with one or more aspects of health information
       management then it must be complied with, and not the more general
       corresponding principle under the Health Records Act.

   •   In circumstances where a specific provision like s. 141 of the Health Services Act
       or s. 120A of the Mental Health Act applies, the organisation must “disclose”
       health information only in a way that complies with those sections. “Use” of
       health information within the organisation is still governed by HPP 2, and all other
       HPPs continue to apply.

   •   It is the responsibility of the organisation to be aware of any legislation affecting it
       that would be inconsistent with the HRA.


Slide 16: Recap
   •   This slide lists a summary of the key points discussed and provides an opportunity
       for participants to review the first section of the training and to query points that
       they do not understand. Frequently summarising key points keeps participants
       fully aware of the direction and progress of their learning.


Slide 17: HPPs
   •   The HPPs were not developed in isolation, but reflect worldwide trends in
       protecting personal information.

       The International Developments in Privacy include:
       •   Article 12: Universal Declaration of Human Rights – 1948
       •   Article 17: International Covenant on Civil and Political Rights – 1980
       •   OECD Guidelines on the Protection of Privacy and Transborder Data Flows of
           Personal Data – 1980
       •   European Union Directive on protection of individuals with regard to processing
           of data and on the free movement of data – 1995

       However the HPPs differ from the privacy principles in other legislation because they
       are designed specifically for health information.

   •   The Victorian Parliament considered health information to be such a sensitive type
       of information that it enacted a specific Act to deal with the privacy of health
       information. The Health Records Act regulates management of health information in
       the public and private sectors.


Slide 18: Scope
   •   The HPPs do not compel organisations to collect personal health information.
       However, if collection is necessary they govern how the information should be
       collected, and cover the management of that information through to its ultimate
       destruction.

   •   The HPPs are law, and as such are legally binding on all organisations that hold
       personal health information. It does not matter whether the organisation is a
       health service provider holding vast amounts of personal health information or a
       small organisation only holding the health information relating to one employee
       – if an organisation holds any health information relating to an individual they
       need to manage that information in accordance with the Act.

   •   Everyone within an organisation should understand the HPPs to ensure they are
       not inadvertently breaching the Act.


Slide 19: A contravention of the HPPs is
   The Act sets up a complaints mechanism and encourages individuals to attempt to
    resolve their complaint with the organisation prior to complaining to the Health
    Services Commissioner.


If an organisation has contravened the provisions of the Act, one or more of the
following may occur:
    •   Complaint to the organisation/HSC
    •   Service of a compliance notice.
    •   Prosecution (depending upon nature of breach)


Slide 20: Health Privacy Principles
   There are 11 HPPs. The first 9 deal with aspects of the information management
    lifecycle found in all privacy legislation, but the last two are very specific to and
    only apply to health service providers.


   Although the headings of the principles may be similar to other Australian privacy
    legislation, the content of the HPPs has been modified specifically to deal with
    health information.




Slide 21: HPPs apply regardless of the time of collection
   All the HPPs (apart from HPP 1) apply regardless of when the information was
    collected. The manner in which information is collected (HPP 1) applies to
    information collected after the commencement of the Act, i.e. 1 July 2002.


   The provisions relating to the rights of individuals to have access to health
    information about them apply differently depending upon the date upon which it
    was collected (pre or post 1 July 2002, when the Act commenced).


   All health information is covered by the Act regardless of when it was collected.
    Complaints about breaches of privacy to the Health Services Commissioner must
    relate to events that occurred after 1 July 2002.


Slide 22: HPP 1: Collection
   The information collected must be necessary for the functions or activities of the
    organisation. There must be an immediate need for the information, rather than
    anticipating it may be needed, for instance, in 6 months' time. Health information
    cannot be collected just in case it is needed later.
   An organisation must take reasonable steps to make the individual generally aware
    of certain information. This should be provided at or before the time health
    information is collected. In the Office of the Health Services Commissioner we
    refer to this information as the ‘collection statement’. It should include:


    •   Who the organisation is and how to contact it
    •   That the individual is able to gain access to the information
    •   The purposes for which the information is collected
    •   To whom (the types of individuals or organisations to which) you usually
        disclose information of that kind
    •   Any law that requires the particular information to be collected
    •   The main consequences (if any) for the individual if all or part of the
        information is not provided.


   If the health information is collected from someone other than the individual then
    the organisation must take reasonable steps to ensure the individual is aware of the
    above matters except where it would pose a serious threat to life or health, or
    involve the disclosure of information given in confidence.


   Collection should only occur if one of the paragraphs in HPP 1.1 applies, which
    includes health information collected with consent, but is not limited to it.


   Consent under the Act can be either express or implied. Express consent can be
    either verbal or written, and occurs when an individual specifically agrees to
    something. Implied consent is when it can be inferred by the action or inaction of
    the individual. Consent should be voluntary and specific.


   HPP 1.7 includes specific procedures to deal with information given in confidence
    by a third party (not the individual and not another health service provider).


   There are prescribed circumstances in the Health Records Act Regulations 2002
    (see reference materials) for collection of health information to allow for family
    history information to be collected where necessary in providing a health service
    to an individual.


   Statutory guidelines issued by the Health Services Commissioner deal with
    additional requirements when an organisation is collecting health information for
    the purpose of research in accordance with HPP 1.1(e).


Slide 23: Cartoon

Slide 24: HPP 2: Use & Disclosure
   The terms ‘use’, ‘disclosure’ and ‘access’ have very specific meanings under the
    Act. ‘Use’ of health information is where health information is communicated
    within an organisation, ‘disclosure’ is the giving of health information to another
    organisation, and ‘access’ is giving an individual (in one of the forms specified in
    HPP 6) the health information about them.


   An organisation can use or disclose the information for the primary purpose for
    which it was collected, in which case further consent is not required. For example,
    an individual gives consent for the collection of health information for the primary
    purpose of an operative procedure in hospital. The hospital can use that
    information to inform the anaesthetist, pharmacy and nursing staff etc. related to
    that procedure without getting further specific consent from the patient.


   Organisations can use/disclose health information for a purpose other than the
    primary purpose if one of the paragraphs in HPP 2.2 applies, which includes with
    the consent of the individual.


   The Act also provides for information to be used/disclosed to an immediate family
    member in certain circumstances e.g. for compassionate reasons, or to locate or
    identify a person suspected as missing or dead.


   A written note must be made if a disclosure is made because of suspected
    unlawful activity or to a law enforcement agency, in accordance with HPP 2.3.


   An organisation is not compelled to disclose information under the Act. Although
    it may be lawful to disclose health information, an organisation is always entitled
    to not disclose it in the absence of a legal obligation to disclose it.


Slide 25: Cartoon


Slide 26: Data Quality
   An organisation does not need to go back over health information that has been
    collected prior to 1 July 2002 in order to comply with this Principle. However,
    health information collected after this date should be checked for accuracy when
    appropriate.


   Organisations will need to have procedures in place to update information
    regularly.


Slide 27: HPP 4: Security & Retention




Security
   What is required to secure sensitive health information held by the organisation
    will depend on several factors. The organisation needs to consider how the
    information is held e.g. paper or electronic, and the physical environment in the
    organisation.


The types of matters that may need to be considered include:
    •   Levels of computer access – ‘the need to know’, have screen savers on
        personal computers protected by passwords, screens in public access areas
        turned away so they are difficult to read as people walk past.
    •   Security of paper files – are they left unattended where others can read them?
        Where are they stored? Are other individuals’ records on the desk during a
        consultation or meeting? Is the filing cabinet locked when no one is in the
        office? Are doors shut and labelled so members of the public don’t get lost
        when moving around the facility?
    •   How is data transferred? Are there procedures and policies in place to deal
        with faxing or emailing of personal information? If it is necessary to take
        records out of the facility e.g. for home visits, to attend court or meetings, are
        there policies and procedures in place to ensure security?

The decisions a health service provider makes about securing health information
should be reflected in the policy document it develops and its procedures so staff
understand how to handle the health information.


Retention
   A health service provider who deletes health information in accordance with HPP
    4.2 must make a written note of: the name of the individual, period covered by the
    information and date it was deleted.


   A health service provider must make a written note of the name and address where
    they have sent the health information transferred in accordance with HPP 11 if
    they do not retain a copy.


   A non health service provider must take reasonable steps to destroy or
    permanently de-identify health information if it is no longer needed for the
    purpose for which it was collected or any other purpose authorised by law. HPP 4
    does not apply to public sector organisations subject to the Public Records Act
    1973, as they may have specific legal obligations for retention of health
    information.


Slide 28: Cartoon



Slide 29: HPP 5: Openness
   The Act contains very general obligations on how an organisation manages health
    information. Each organisation subject to the Act is required by HPP 5 to tailor
    the general management requirements to the specific activities of their own
    organisation. More details on writing a privacy policy can be found in
    “Complying with the Health Records Act 2001” in the reference materials.


   If an organisation is subject to other privacy legislation they should ensure the
    requirements of all the privacy statutes they are subject to are met within the one
    privacy policy document.


   If an individual asks, the organisation must take reasonable steps to let them know
    if they hold health information about that individual. If they do hold information
    then the organisation must also tell the individual how to gain access to the health
    information about them if the individual wishes to do so.


   On request they must also let the individual know in general terms the nature of
    the information, the purposes for which the information is used and how they
    collect, hold, use and disclose the information.


   Anyone who asks for a copy of the privacy policy is entitled to it, not just people
    connected to the organisation such as clients, customers or staff etc.


Slide 30: HPP Access & Correction
   Ownership of the health information is not changed by the Act. The individual
    has a right of access, to see what has been written, but ownership and all the
    attendant property rights remain with the organisation that holds the health
    information or the professional who created it.


   Individuals have had a right of access to information in the public sector since the
    1982 FOI Act, and this is unchanged by the Health Records Act.


Slide 31: HPP 7: Identifiers
   Unique identifiers, other than a person’s name, should only be used if necessary to
    carry out the functions of the organisation efficiently. Unique identifiers include
    employee numbers, student numbers, licence numbers, Medicare numbers or unit
    record numbers.


   Organisations using a unique identifier should not use a public sector identifier
    unless it is necessary to fulfil their obligations to the public sector organisation.
    This is to avoid the linking of databases, whereby information collected by different
    organisations for different reasons can be joined because it is all filed on a
    database with the same unique identifier, such as a licence number.


Slide 32: HPP : Anonymity
Anonymity
   An organisation should give individuals the option of entering into transactions
    anonymously. For example, this can be done by use of an alias, or not requiring
    individuals to identify themselves.


   The decision as to whether it is lawful and practicable for individuals to enter
    into transactions anonymously is the organisation’s.


Transborder Data Flows:

   An organisation can transfer information to an organisation outside Victoria with
    the consent of the individual. It can also be transferred outside Victoria in
    situations listed in HPP 9. These include where the organisation receiving the
    health information is subject to laws or principles substantially similar to the
    HPPs, or where any other law requires the transfer.

   If the transfer is within Australia then the transferring organisation needs to be
    aware of laws operating in the area of the recipient organisation, such as the
    Federal Privacy Act or other State legislation. If there is no privacy law that
    applies to the recipient organisation, e.g. the South Australia public sector, then
    the organisations would need to establish a binding scheme or contract to ensure
    protection of the health information in the hands of the recipient organisation.


   Health information can be transferred to the individual even if they are outside
    Victoria, as this would be considered a request for access.


Slide 33: HPP 10 Transfer/closure of practice of a health service provider

   HPP 10 only applies to health service providers.


   There are guidelines available from the Office of the Health Services
    Commissioner for anyone thinking of transferring or closing their practice.


   In addition to HPP 10 there are statutory guidelines that apply.


See also information sheet Number 3 in the reference materials.


Slide 34: HPP 11 Making information available to another health service
provider

HPP 11 only applies to health service providers.
   A health service provider to whom a request is made for transfer of health
    information and who holds health information about the individual must, on
    payment of a fee not exceeding the prescribed maximum fee and subject to the
    regulations, provide a copy or written summary of that health information to the
    health service provider nominated by the individual.


   A copy of the regulations setting out the fees is contained in the reference supplied
    with these materials. There is no requirement for organisations to charge a fee.


   There are no legal reasons for a health service provider to refuse to transfer
    information to another health service provider if requested to do so by the
    individual.


   At a minimum the health service provider is required to provide a copy or written
    summary of the health information; they can provide the original if they choose.
    A record of the transfer must be kept if the organisation no longer holds a record
    of that information (HPP 4.4).


   A legal representative of a deceased health service provider must comply with
    HPP 11 on behalf of the health service provider.


Slide 35: Recap
   This slide lists a summary of the key points discussed and provides an opportunity
    for participants to review the second section of the training and to query points
    that they do not understand.


Slide 36: Access
(Trainers working in the public sector may decide to leave these particular slides out
of their presentation, and just give a copy to their employees for general information).


   The following slides relating to providing access do not apply to any organisation
    subject to the FOI Act. The FOI Act sets out the process by which public sector
    organisations provide access to health information of an individual.


   An individual cannot choose which legislation they apply for access under. If the
    health information is held by a public sector organisation, it has no choice except
    to apply the FOI Act.


   The word “access” in the Health Records Act has a narrow legal meaning: it is
    the process of the individual (or someone they authorise to represent them)
    looking at, or receiving a copy of, the health information about them.


   Information provided to a third party is “use” or “disclosure” (depending upon
    whether they are inside or outside the organisation) and HPP 2 applies. An
    individual does not need a reason to seek access to information about them. An
    organisation should not ask for one.


   An organisation cannot set conditions about what the individual may do with the
    information once they have a copy. A refusal to give the information until the
    individual agrees to such conditions is contrary to the Act and may be subject to a
    complaint. Requiring an individual to pay other outstanding accounts before being
    able to access information about them is similarly inappropriate.


   An individual can authorise another person to be given access on their behalf.
    This can be anyone the individual chooses, including a solicitor, but the
    authorisation must be in writing.


   The right to access does not alter ownership of the records, which remains with
    the organisation that holds them.


Slide 37: Application
   All personal health information collected by an organisation after 1 July 2002 is
    available for access by the individual to whom it relates. This includes formal
    records, entries in a register such as a hospital theatre register, “post it” sticky
    notes, rough notes, information on databases and identifiable health information in
    management meeting minutes.


   There are more limited rights of access regarding information collected prior to 1
    July 2002. This reflects the fact that practitioners and other organisations compiled
    the records containing health information on the understanding that they would not
    be available to be viewed as of right by consumers.


Slide 38: How access is to be provided
   For ‘new’ health information, collected after 1 July 2002, the person requesting
    access can choose the manner of access.


   An organisation may assist an individual in making a request by giving advice
    about the different ways in which a right of access may be exercised.


   A request for access must be in writing if it is by an authorised representative
    where a person is incapable of acting on his or her own behalf within the meaning
    of s. 85(6), or if it is by the authorised representative of a deceased individual.
    Otherwise, if the request is made orally the organisation can ask the individual
    making the request to put it in writing, but does not have to do so.


   Organisations do not have to provide immediate access to an individual requesting
    access. There is a 45-day limit for an organisation to respond to a request, either
    by giving access or written reasons for refusal of access.


   It is feasible that an individual may want access in more than one way e.g. they
    come in for an inspection and then ask for certain pages to be copied, or they find
    they don’t understand what has been written and request to view the health
    information accompanied by an explanation. In this situation it is suggested the
    organisation assist the individual as much as possible. If it is not possible to
    photocopy on the spot then arrange for it to be posted to the person as soon as
    possible. Make an appointment for the individual to have a consultation at a
    mutually convenient time if they wish to have an explanation. The organisation
    must inform them of any costs involved, so they can choose not to go ahead if they
    don’t wish to pay.


Slide 39: How access is to be provided
   For ‘old’ health information, collected prior to 1 July 2002, the holder of the
    health information chooses the method of access. If the organisation agrees then
    access can be given in full as for new information. Organisations should have a
    policy on how they will deal with these situations administratively.


   An accurate summary must contain the following information, which is required
    by s. 25(3):
(a) a history of the health, illness or a disability of the individual; or


(b) any findings on an examination of the individual in relation to the health, an
illness or a disability of the individual; or
(c) the results of an investigation into the health, an illness or a disability of the
individual; or
(d) a diagnosis, or preliminary diagnosis, of an illness or disability of the individual;
or
(e) a plan of management, or proposed plan of management, of the treatment or care
of an illness or disability of the individual; or
(f) action taken or services provided (whether or not in accordance with a plan of
management) by or under the direction or referral of a health service provider in
relation to the individual; or
(g) personal information about the individual collected in connection with the
donation, or intended donation, by the individual of his or her body parts, organs or
body substances; or
(h) genetic information about an individual in a form which is or could be predictive
of the health, at any time, of the individual or of any of his or her descendants.


Slide 40: Mandatory limits to access
    “Reasonable grounds” is a subjective test. It is what the organisation, having
     knowledge of the individual, believes is reasonable in the particular circumstances
     of the case.


    An organisation must review the health information relating to the individual
     before granting access, to ensure that none of the exceptions to access apply.


    There is no definition of “serious threat to life or health”; it is up to the
     organisation to use its discretion, taking into account that written reasons for any
     refusal must be given, and the decision can be reviewed. The procedure for
     dealing with refusal of access on these grounds is outlined in Division 3 of Part 5
     of the Act, and the organisation must comply with this procedure.


    The exception for information given in confidence applies only to information
     given to a health service provider, by a person other than the individual or another
     health service provider.

   HPP 1.7 details the steps a health service provider must take when dealing with
    information given in confidence.
   If an organisation receives a request for access to health information from an
    individual they hold a legal obligation to grant access unless one of the exceptions
    applies. It is not relevant to an organisation’s consideration of a request for access
    that the information is accessible in the hands of another organisation.


Slide 41: Other limits to access
   HPP 6.1 gives more detail on the circumstances in which an organisation can
    refuse access to health information. All staff dealing with individuals requesting
    access should be familiar with HPP 6 and their organisation’s administrative
    procedures.


   Without limiting the mandatory refusal of access requirements already covered,
    nothing compels an organisation to refuse an individual access to health
    information about them.


Slide 42: Fees
   There is no requirement to charge a fee for access, and organisations are
    encouraged to waive a fee where imposing one would cause financial hardship.


   An individual must be told what charge will be incurred before a consultation to
    have the contents of the health information explained. They may then decide not
    to go ahead with the consultation.


   No Medicare rebate is available for this type of consultation.


   Maximum fees have been set by regulations – a copy of the regulations is included
    in the reference materials.
FEES:
    •   Preparing Summary by HSP - up to $80
    •   Reasonable costs for collation & assessing - up to $20
    •   A4 black & white photocopy - 20c per page

    •   Recalling document from another location - $10
    •   Inspection - $5 per 15mins for supervision
    •   Explanation by HSP – usual consultation fee


Slide 43
   This slide lists a summary of the key points discussed and provides an opportunity
    for participants to review the third section of the training and to query points that
    they do not understand.


Slide 44: Correction
   Where practicable the organisation must record the name of the person making the
    correction and the date it occurred.


   It is up to the individual to establish that the information is inaccurate, incomplete,
    misleading or not up to date.


   Health information, even if incorrect, must not be deleted prior to 7 years since the
    last occasion a health service was provided, or until a child attains the age of 25
    years.


   Written reasons must be given for refusal to correct health information.


   Reasonable steps must be taken to notify any health service providers to whom the
    organisation disclosed incorrect health information and who may reasonably be
    expected to rely on that information in the future.


Slide 45: Cartoon


Slide 46: Exemptions
   Includes for example Family Court and Coroners Court. The exemption does not
    apply to health information held in Court employee records.




   An organisation would be in breach of the Act by disclosing information to a news
    organisation. However, if they obtain the health information by other means then
    the news organisation would not be in breach by publishing the information.


   Individuals may discuss their personal affairs with whomsoever they choose.
Slide 47: Cartoon


Slide 48: HSC Complaints Process
   An individual may only complain about an act or practice that may be an
    interference with his or her own privacy.


   A person with sufficient interest may make a complaint on behalf of a child or a
    person who is unable to complain by reason of injury, illness, senility, disease,
    disability, physical impairment or mental disorder.


Slide 49: HSC Complaints Process
   In general, complaints in conciliation fall into two categories. One is the desire
    for an explanation as to what happened, when, why and so forth. The other is the
    claim for a refund of fees, compensation, or remedial treatment. Often complaints
    involve elements of both.


   An individual making a complaint may also be interested in the organisation
    making a change to procedures or policies so the same thing does not happen
    again.


Slide 50: Offences


Slide 51: Results of non-compliance


Slide 52: Recap
   This slide lists a summary of the key points discussed and provides an opportunity
    for participants to review the fourth section of the training and to query points that
    they do not understand.


Slide 53: Health Services Commissioner Contact Details




Activity 1: Icebreaker

When participants are strangers, have them:

1.      Meet in pairs.

2.      Interview each other for five minutes or so.

3.      Each pair joins another pair (i.e. meeting in quartets) and partners introduce
        one another, stating to the quartet the partner’s name, job, something
        interesting or different about the person, and the partner’s expectation from the
        training.




Activity 2

Answer the following questions individually and then compare your experiences with
others in your group.


Imagine ..

        You are moving suburbs and you ask your GP to forward your health
    information to a GP in your new suburb, but she refuses.

        You have just been to see your chiropractor, and you are waiting at the
    receptionist’s desk to pay your account, but the desk is unattended. You notice
    that there are medical records sitting on the desk, and you realise that one of the
    records bears the name of your friend.

        You are in hospital and you overhear a nurse disclosing your personal
    information to family members without your consent.

        You are visiting a new dentist and need to complete a medical form, and you
    come across a question and wonder why the dentist needs to collect such
    information.

        You join a fitness centre where the instructors are aware that you intend to
    lose weight. In the coming weeks you receive mail from weight loss organisations
    and you realise that the centre has passed some of your personal information onto
    other health organisations without your consent.

How did you feel?

        How would you feel about each of these experiences?

        Which, if any, of these experiences concerned you?




Activity 3

HPP 1     Collection
          Only collect health information if necessary for the performance of a
          function or activity and with consent. Notify individuals about what you
          do with the information and that they can gain access to it.

HPP 2     Use & Disclosure
          Only use or disclose health information for the primary purpose for which
          it was collected or a directly related secondary purpose the person would
          reasonably expect. Otherwise, you generally need consent.

HPP 3     Data Quality
          Take reasonable steps to ensure health information you hold is accurate,
          complete, up-to-date and relevant to the functions you perform.

HPP 4     Data Security & Retention
          Safeguard the health information you hold against misuse, loss,
          unauthorised access and modification. Only destroy or delete health
          information in accordance with HPPs.

HPP 5     Openness
          Document clearly expressed policies on your management of health
          information and make this statement available to anyone who asks for it.

HPP 6     Access & Correction
          Individuals have a right to seek access to health information about them
          held in the private sector, and to correct it if it is inaccurate,
          incomplete, misleading or not up-to-date.

HPP 7     Identifiers
          Only assign a number to identify a person if the assignment is reasonably
          necessary to carry out your functions efficiently.

HPP 8     Anonymity
          Give individuals the option of not identifying themselves when entering
          transactions with organisations where this is lawful and practicable.

HPP 9     Transborder Data Flows
          Only transfer health information outside Victoria if the organisation
          receiving it is subject to laws substantially similar to the HPPs.

HPP 10    Transfer/closure of the practice of a health service provider
          If you’re a health service provider, and your business or practice is
          being sold, transferred or closed down, without you continuing to provide
          services, you must give notice of the transfer or closure to past service
          users.

HPP 11    Making information available to another health service provider
          If you’re a health service provider, you must make health information
          relating to an individual available to another health service provider if
          requested by the individual.

Activity 4: Making decisions about collection of health information

        Think of an example in your work context where health information
        is collected. Using this example, consider the following questions.

1. Which of the HPPs relate to collection of health information?




2. In the case of your example, what does the organisation need the information for?
What function does it help you fulfill?




3. HPP 1 requires that when collecting health information from an individual, you
provide that person with certain information. Using your example, what information
would you tell the person to meet this requirement?




4. How would you provide this information (for example, in person, on a form, on a
notice board)?




Activity 5: Making decisions about disclosure of health information

Think of an example in your work context where health information is
disclosed to other parts of your organisation or to someone outside your
organisation. Using this example, consider the following questions.

1. Is this use or disclosure consistent with HPP 2?

Refer to the following page for a summary of the types of use and disclosure which
are consistent with HPP 2. A number of initial questions are suggested to assist you
to consider whether or not your example fits with these categories.




2. If the person who the information related to asked you to explain why you are able
to use or disclose their information in this way, how would you answer them?




3. Are there any ways the protection of the person’s privacy could be increased in this
example?




HPP 2 Use & Disclosure

HPP 2 allows for the following types of use and disclosure. Under each type are
some initial questions to ask in considering whether your example fits this type
of use or disclosure.

Use or disclosure for the primary purpose for which the information was collected
    •    What was the purpose the information was collected for in the first place
         (i.e. the primary purpose)?
    •    Is this example of use or disclosure the primary or secondary purpose that
         the information was collected for?

Use or disclosure for a related secondary purpose which the person would
reasonably expect
    •    Is the secondary purpose related to the primary purpose?
    •    Would any person in the situation reasonably expect the information to be
         used or disclosed in this way?

Use or disclosure for a secondary purpose with consent
    •    Has the person provided consent for the information to be used for the
         secondary purpose?
    •    Is the consent still current?
    •    Was the consent for this specific type of use or disclosure?

Use for a secondary purpose when the organisation is a health service provider
providing a health service to the individual
    •    Is the use reasonably necessary for the provision of the health service?
    •    Is the use necessary to ensure that the further health services are
         provided safely and effectively?

Use or disclosure for secondary purpose for the funding, managing, planning,
monitoring, improving or evaluating a health service, or training the employees
    •    Can the health information be used in a de-identified form?
    •    Have you taken reasonable steps to de-identify the information?

Use or disclosure for a secondary purpose warranted because of public interest
(e.g. research, statistics)
    •    Is the information needed because of an imminent threat to life, health,
         safety or welfare?
    •    Is the information needed to investigate suspected unlawful activity?
    •    Can you ensure that the individual’s identity cannot be reasonably
         ascertained?

Use or disclosure for a secondary purpose required by law
    •    Is the use or disclosure required or authorised by law?

Disclosure of health information to an immediate family member
    •    Is the disclosure necessary for the provision of appropriate health
         services or for the care of the individual?
    •    Is the disclosure made for compassionate reasons?
    •    Is the disclosure contrary to the wishes of the individual?
    •    Is the immediate family member mature enough to receive the information?




Activity 6: What do you need to do now?

            How does the Health Records Act impact on your work?

What types of health information do you handle in your work?
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________

What current information handling practices may need to be reviewed due to the
introduction of the Health Records Act?
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________

What ideas do you have for how privacy of, and access to, health information may
be maximised for your clients?
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________

What information do you need?

    •    Obtain a copy of your organisation’s privacy policy

    •    Find out who your organisation’s privacy officer is

    •    Find out your organisation’s procedure for receiving and responding to
         complaints in relation to privacy

    •    Find out what the procedures are for the public to access or correct their
         health information




Activity 7: Quiz

        1. There are 11 Health Privacy Principles included in the     True / False
           Health Records Act.
        2. The Health Records Act only affects health service         True / False
           providers.

        3. For health service providers health information means      True / False
           only identifying personal information about the health
           or disability of an individual.

        4. Personal information only includes information that is     True / False
           recorded in writing.
        5. If another law requires that health information be         True / False
           collected, used or disclosed in a particular way, that
           requirement overrides the requirements of the Health
           Records Act on that issue, if the two laws are
           inconsistent.

        6. The Health Records Act commenced on 1 July 2002.           True / False

        7. Health information that was collected before the Act       True / False
           commenced is not covered by the Act.

        8. If the health information is held by a public sector       True / False
           organisation an individual seeking access can apply
           under the Health Records Act.

        9. When individuals apply for access to their health          True / False
           information they must give a valid reason for doing
           so.

        10. For health information collected after 1 July 2002, the   True / False
            individual seeking access can choose the manner of
            access.




                                 Explanation of activities



Many of the activities included in this package involve participants discussing issues,
case examples etc. with other participants. If the group is small, participants can work
in one group; however, if there are more than 12 participants, the activities may be
more effective when completed in small groups.


Activity 1 – Icebreaker
This activity allows participants to become acquainted with one another in a more
meaningful way; that is, glimpses into attitudes, values, aspects of personality, and
concerns become possible. Icebreakers can also help participants relax and,
importantly, can energise the group. This activity can be linked to the Health Records
Act by asking participants to not only share personal information, but also to discuss
their knowledge about the Act, and questions that they want answered from the
training.


Activity 2 – Imagine …
This activity should take about 5 minutes. It is designed to get participants thinking
about health information privacy and to consider how they feel about privacy issues.


Ask participants to complete the sheet individually and then to compare their
experiences with other participants in their small group. Trainers may wish to ask a
couple of the participants to share their discussions with the larger group.


This activity should highlight that we all have different opinions about the way our
health information is handled, and that the Health Records Act aims to increase the
amount of control that people have over the handling of their health information.




Activity 3 – Match the HPPs to their names and meanings
This activity should take about 10 minutes. It is designed to sum up the overview of
the HPPs and to reinforce the requirements of each principle.


To prepare this activity, cut up the squares on the activity sheet into cards. You will
need one activity sheet per small group of participants. Mix up each set of cards and
ask the group members to match the number, name and explanation for each Health
Privacy Principle. This activity can be run as a competition with the first group to
correctly match all of the cards declared as the winner.


Activity 4 – Making decisions about collection of health information

Activity 5 – Making decisions about disclosure of health information
These two activities are similar and should take about 15 minutes each. They are
designed to give participants the opportunity to apply the Health Privacy Principles to
examples of collection and use or disclosure of health information from their work
context.


Ask participants to choose one example to work on in their group. If there is
sufficient time, the group could then look at additional examples. Participants will
need to match the requirements of the health privacy principles to their specific
context taking account of, for example, other relevant legislation and the functions of
the organisation.


Activity 6 – What do you need to do now?
This activity should take about 5 minutes. It involves participants completing a basic
action plan to consider how they can integrate the content covered in the training into
their work context. It may be completed individually or in small groups. Trainers
may then want to invite some discussion in the large group about the areas covered on
the action plan.


Activity 7 – Quiz
This activity should take about 5 minutes. The quiz is designed to be used at the end
of the training session to review the content covered. Participants can be asked to
complete it individually or in small groups. Alternatively, it could be run as a game
with the trainer reading out the questions and the groups competing. The answers to
the quiz questions are included on the following page.
Answers to quiz


        1. There are 11 Health Privacy Principles included in the Health Records Act.
           True

        2. The Health Records Act only affects health service providers.
           False – it also affects any other person/organisation that
           collects/handles personal health information (e.g. schools, fitness
           centres).

        3. For health service providers health information means only identifying
           personal information about the health or disability of an individual.
           False – for health service providers health information means all
           identifying personal information collected to provide a health service
           e.g. includes next of kin information.

        4. Personal information only includes information that is recorded in
           writing.
           False – personal information does not have to be recorded in material
           form. It includes health information on computers, databases, videos,
           audio, a conversation detailing identifiable health information etc.

        5. If another law requires that health information be collected, used or
           disclosed in a particular way, that requirement overrides the
           requirements of the Health Records Act on that issue, if the two laws are
           inconsistent.
           True

        6. The Health Records Act commenced on 1 July 2002.
           True

        7. Health information that was collected before the Act commenced is not
           covered by the Act.
           False – all health information is covered by the Act regardless of when
           it was collected.

        8. If the health information is held by a public sector organisation an
           individual seeking access can apply under the Health Records Act.
           False – if the health information is held by a public sector
           organisation an individual seeking access must apply under the Freedom
           of Information Act.

        9. When individuals apply for access to their health information they must
           give a valid reason for doing so.
           False – an individual does not need to give a reason for seeking access
           to information about them.

        10. For health information collected after 1 July 2002, the individual
            seeking access can choose the manner of access.
            True




                                Reference Materials


   •    Brochures (in front pocket of folder):
            -    Health Privacy it’s my business
            -    Problem with a health service or concerns about your health privacy?
            -    Health Records Act – Right of Access
   •    Extract of Health Privacy Principles
   •    Information sheets:
            1. Use and Disclosure of Health Information
            2. Unlawful Activity and Law Enforcement
            3. Transfer/Closure of a Practice or Business of a Health Service Provider
            4. Employment Related Health Information
            5. Minors, Privacy Laws and Consent
            6. Refusal of Access on Ground of Threat to Life or Health of the
                 Individual requesting Access
            7. Use of Health Information for the Purpose of Obtaining Consent to
                 Participate in Research (Screening)
   •    Health Records Act 2001 article
   •    Health Records Regulations 2002
   •    Complying with the Health Records Act 2001
   •    Frequently asked questions
   •    Scenarios
   •    Useful References




             Extracted from the Health Records Act 2001
                                        Act No. 2/2001




The following Victorian Health Privacy Principles are extracted from the Health
Records Act 2001 (Vic).

Prepared by
Office of the Health Services Commissioner
30/570 Bourke Street
Melbourne Vic 3000
Tel: (03) 8601 5222
Fax: (03) 8601 5219
Email: hsc@dhs.vic.gov.au
Website: www.health.vic.gov.au/hsc




Contents

  SCHEDULE 1- THE HEALTH PRIVACY PRINCIPLES
    1. Principle 1--Collection
    2. Principle 2--Use and Disclosure
    3. Principle 3--Data Quality
    4. Principle 4--Data Security and Data Retention
    5. Principle 5--Openness
    6. Principle 6--Access and Correction
    7. Principle 7--Identifiers
    8. Principle 8--Anonymity
    9. Principle 9--Transborder Data Flows
    10. Principle 10--Transfer or closure of the practice of a health service provider
    11. Principle 11--Making information available to another health service provider

SCHEDULE 1- THE HEALTH PRIVACY PRINCIPLES
Section 19


1. Principle 1--Collection

When health information may be collected
1.1      An organisation must not collect health information about an individual unless
         the information is necessary for one or more of its functions or activities and at
         least one of the following applies--
         (a)         the individual has consented;
         (b)         the collection is required, authorised or permitted, whether expressly or
                     impliedly, by or under law (other than a prescribed law);
         (c)         the information is necessary to provide a health service to the
                     individual and the individual is incapable of giving consent within the
                     meaning of section 85(3) and--
                     (i)         it is not reasonably practicable to obtain the consent of an
                                 authorised representative of the individual within the meaning
                                 of section 85; or
                     (ii)        the individual does not have such an authorised representative;
         (d)         the information is disclosed to the organisation in accordance with
                     HPP 2.2(a), (f), (i) or (l) or HPP 2.5;
         (e)         if the collection is necessary for research, or the compilation or
                     analysis of statistics, in the public interest--
                 (i)     that purpose cannot be served by the collection of information
                         that does not identify the individual or from which the
                         individual's identity cannot reasonably be ascertained; and
                 (ii)    it is impracticable for the organisation to seek the individual's
                         consent to the collection; and
                 (iii)   the information is collected in accordance with guidelines
                         issued or approved by the Health Services Commissioner under
                         section 22 for the purposes of this sub-paragraph;
        (f)      the collection is necessary to prevent or lessen--
                 (i)     a serious and imminent threat to the life, health, safety or
                         welfare of any individual; or
                 (ii)    a serious threat to public health, public safety or public welfare--
                 and the information is collected in accordance with guidelines, if any,
                 issued or approved by the Health Services Commissioner under section
                 22 for the purposes of this paragraph;
        (g)      the collection is by or on behalf of a law enforcement agency and the
                 organisation reasonably believes that the collection is necessary for a
                 law enforcement function;
        (h)      the collection is necessary for the establishment, exercise or defence of
                 a legal or equitable claim;
        (i)      the collection is in the prescribed circumstances.

How health information is to be collected
1.2     An organisation must collect health information only by lawful and fair means
        and not in an unreasonably intrusive way.
1.3     If it is reasonable and practicable to do so, an organisation must collect health
        information about an individual only from that individual.
1.4     At or before the time (or, if that is not practicable, as soon as practicable
        thereafter) an organisation collects health information about an individual
        from the individual, the organisation must take steps that are reasonable in the
        circumstances to ensure that the individual is generally aware of--
        (a)      the identity of the organisation and how to contact it; and
        (b)      the fact that he or she is able to gain access to the information; and
        (c)      the purposes for which the information is collected; and
        (d)      to whom (or the types of individuals or organisations to which) the
                 organisation usually discloses information of that kind; and
        (e)      any law that requires the particular information to be collected; and
        (f)      the main consequences (if any) for the individual if all or part of the
                 information is not provided.
1.5     If an organisation collects health information about an individual from
        someone else, it must take any steps that are reasonable in the circumstances
        to ensure that the individual is or has been made aware of the matters listed in
        HPP 1.4 except to the extent that making the individual aware of the matters
        would pose a serious threat to the life or health of any individual or would
        involve the disclosure of information given in confidence.
1.6     An organisation is not required to notify the individual of the identity of
        persons, or classes of persons, to whom health information may be disclosed
        in accordance with HPP 2.2(f).

Information given in confidence
1.7     If personal information is given in confidence to a health service provider
        about an individual by a person other than--
        (a)      the individual; or
        (b)      a health service provider in the course of, or otherwise in relation to,
                 the provision of health services to the individual--
        with a request that the information not be communicated to the individual to
        whom it relates, the provider must--
        (c)      confirm with the person that the information is to remain confidential;
                 and
        (d)      if the information remains confidential--
                 (i)     record the information only if it is relevant to the provision of
                         health services to, or the care of, the individual; and
                 (ii)    take reasonable steps to ensure that the information is accurate
                         and not misleading; and
        (e)      take reasonable steps to record that the information is given in
                 confidence and is to remain confidential.


2. Principle 2--Use and Disclosure

2.1     An organisation may use or disclose health information about an individual for
        the primary purpose for which the information was collected in accordance
        with HPP 1.1.
2.2     An organisation must not use or disclose health information about an
        individual for a purpose (the "secondary purpose") other than the primary
        purpose for which the information was collected unless at least one of the
        following paragraphs applies:
        (a)      both of the following apply--
                 (i)     the secondary purpose is directly related to the primary
                         purpose; and
                 (ii)    the individual would reasonably expect the organisation to use
                         or disclose the information for the secondary purpose; or
        (b)      the individual has consented to the use or disclosure; or
        (c)      the use or disclosure is required, authorised or permitted, whether
                 expressly or impliedly, by or under law (other than a prescribed law);
                 or
        (d)      all of the following apply--
                 (i)     the organisation is a health service provider providing a health
                         service to the individual; and
                 (ii)    the use or disclosure for the secondary purpose is reasonably
                         necessary for the provision of the health service; and
                 (iii)   the individual is incapable of giving consent within the
                         meaning of section 85(3) and--
                         (A)      it is not reasonably practicable to obtain the consent of
                                  an authorised representative of the individual within the
                                  meaning of section 85; or
                         (B)      the individual does not have such an authorised
                                  representative; or
        (e)      all of the following apply--
                 (i)     the organisation is a health service provider providing a health
                         service to the individual; and
                 (ii)    the use is for the purpose of the provision of further health
                         services to the individual by the organisation; and
                 (iii)   the organisation reasonably believes that the use is necessary to
                         ensure that the further health services are provided safely and
                         effectively; and
                 (iv)    the information is used in accordance with guidelines, if any,
                         issued or approved by the Health Services Commissioner under
                         section 22 for the purposes of this paragraph; or
        (f)      the use or disclosure is for the purpose of--
                 (i)     funding, management, planning, monitoring, improvement or
                         evaluation of health services; or
                 (ii)    training provided by a health service provider to employees or
                         persons working with the organisation--
                         and--
                 (iii)   that purpose cannot be served by the use or disclosure of
                         information that does not identify the individual or from which
                         the individual's identity cannot reasonably be ascertained and it
                         is impracticable for the organisation to seek the individual's
                         consent to the use or disclosure; or
                 (iv)    reasonable steps are taken to de-identify the information--
                         and--
                 (v)     if the information is in a form that could reasonably be
                         expected to identify individuals, the information is not
                         published in a generally available publication; and
                 (vi)    the information is used or disclosed in accordance with
                         guidelines, if any, issued or approved by the Health Services
                         Commissioner under section 22 for the purposes of this sub-
                         paragraph; or
        (g)      if the use or disclosure is necessary for research, or the compilation or
                 analysis of statistics, in the public interest--
                 (i)     it is impracticable for the organisation to seek the individual's
                         consent before the use or disclosure; and
                 (ii)    that purpose cannot be served by the use or disclosure of
                         information that does not identify the individual or from which
                         the individual's identity cannot reasonably be ascertained; and
                 (iii)   the use or disclosure is in accordance with guidelines issued or
                         approved by the Health Services Commissioner under section
                         22 for the purposes of this sub-paragraph; and
                 (iv)    in the case of disclosure—
                         (A)      the organisation reasonably believes that the recipient of
                                  the health information will not disclose the health
                                  information; and
                         (B)      the disclosure will not be published in a form that
                                  identifies particular individuals or from which an
                                  individual's identity can reasonably be ascertained; or
        (h)      the organisation reasonably believes that the use or disclosure is
                 necessary to lessen or prevent--
                 (i)     a serious and imminent threat to an individual's life, health,
                         safety or welfare; or
                 (ii)    a serious threat to public health, public safety or public welfare--




                 and the information is used or disclosed in accordance with guidelines,
                 if any, issued or approved by the Health Services Commissioner under
                 section 22 for the purposes of this paragraph; or
        (i)      the organisation has reason to suspect that unlawful activity has been,
                 is being or may be engaged in, and uses or discloses the health
                 information as a necessary part of its investigation of the matter or in
                 reporting its concerns to relevant persons or authorities and, if the
                 organisation is a registered health service provider, the use or
                 disclosure would not be a breach of confidence; or
        (j)      the organisation reasonably believes that the use or disclosure is
                 reasonably necessary for a law enforcement function by or on behalf of
                 a law enforcement agency and, if the organisation is a registered health
                 service provider, the use or disclosure would not be a breach of
                 confidence; or
        (k)      the use or disclosure is necessary for the establishment, exercise or
                 defence of a legal or equitable claim; or
        (l)      the use or disclosure is in the prescribed circumstances.
        Note: Nothing in HPP 2 requires an organisation to disclose health
              information about an individual. An organisation is always entitled not
              to disclose health information in the absence of a legal obligation to
              disclose it.
2.3     If an organisation discloses health information under paragraph (i) or (j) of
        HPP 2.2, it must make a written note of the disclosure.
2.4     Despite HPP 2.2, a health service provider may disclose health information
        about an individual to an immediate family member of the individual if—
        (a)      either--
                 (i)        the disclosure is necessary to provide appropriate health
                            services to or care of the individual; or
                 (ii)       the disclosure is made for compassionate reasons; and
        (b)      the disclosure is limited to the extent reasonable and necessary for the
                 purposes mentioned in paragraph (a); and
        (c)      the individual is incapable of giving consent to the disclosure within
                 the meaning of section 85(3); and
        (d)      the disclosure is not contrary to any wish--
                 (i)        expressed by the individual before the individual became
                            incapable of giving consent and not changed or withdrawn by
                            the individual before then; and
                 (ii)       of which the organisation is aware or could be made aware by
                            taking reasonable steps; and

        (e)      in the case of an immediate family member who is under the age of 18
                 years, considering the circumstances of the disclosure, the immediate
                 family member has sufficient maturity to receive the information.
2.5     Despite HPP 2.2, an organisation may use or disclose health information about
        an individual where—
        (a)      it is known or suspected that the individual is dead; or
        (b)      it is known or suspected that the individual is missing; or
        (c)      the individual has been involved in an accident or other misadventure
                 and is incapable of consenting to the use or disclosure--
        and the use or disclosure is to the extent reasonably necessary--
        (d)      to identify the individual; or
        (e)      to ascertain the identity and location of an immediate family member
                 or other relative of the individual for the purpose of--
                 (i)     enabling a member of the police force, a coroner or other
                         prescribed organisation to contact the immediate family
                         member or other relative for compassionate reasons; or
                 (ii)    to assist in the identification of the individual--
        and, in the circumstances referred to in paragraph (b) or (c)--
        (f)      the use or disclosure is not contrary to any wish--
                 (i)     expressed by the individual before he or she went missing or
                         became incapable of consenting and not withdrawn by the
                         individual; and
                 (ii)    of which the organisation is aware or could have become aware
                         by taking reasonable steps; and
        (g)      the information is used or disclosed in accordance with guidelines, if
                 any, issued or approved by the Health Services Commissioner under
                 section 22 for the purposes of this paragraph.


3. Principle 3--Data Quality

3.1     An organisation must take steps that are reasonable in the circumstances to
        make sure that, having regard to the purpose for which the information is to be
        used, the health information it collects, uses, holds or discloses is accurate,
        complete, up to date and relevant to its functions or activities.




4. Principle 4--Data Security and Data Retention

4.1     An organisation must take reasonable steps to protect the health information it
        holds from misuse and loss and from unauthorised access, modification or
        disclosure.
4.2     A health service provider must not delete health information relating to an
        individual, even if it is later found or claimed to be inaccurate, unless--
        (a)      the deletion is permitted, authorised or required by the regulations or
                 any other law; or
        (b)      the deletion is not contrary to the regulations or any other law and
                 occurs--
                 (i)     in the case of health information collected while the individual
                         was a child, after the individual attains the age of 25 years; or
                 (ii)    in any case, more than 7 years after the last occasion on which
                         a health service was provided to the individual by the provider--
                 whichever is the later.
4.3     A health service provider who deletes health information in accordance with
        HPP 4.2 must make a written note of the name of the individual to whom the
        health information related, the period covered by it and the date on which it
        was deleted.
4.4     A health service provider who transfers health information to another
        individual or organisation and does not continue to hold a record of that
        information must make a written note of the name and address of the
        individual or organisation to whom it was transferred.
4.5     An organisation other than a health service provider must take reasonable
        steps to destroy or permanently de-identify health information if it is no longer
        needed for the purpose for which it was collected or any other purpose
        authorised by this Act, the regulations made under this Act or any other law.


5. Principle 5--Openness

5.1     An organisation must set out in a document--
        (a)      clearly expressed policies on its management of health information;
                 and
        (b)     the steps that an individual must take in order to obtain access to their
                health information.
        The organisation must make the document available to anyone who asks for it.




5.2      On request by an individual, an organisation must take reasonable steps--
         (a)     to let the individual know--
                 (i)     whether the organisation holds health information relating to
                         the individual; and
                 (ii)    the steps that the individual should take if the individual wishes
                         to obtain access to the information; and
         (b)     if the organisation holds health information relating to the individual,
                 to let the individual know in general terms--
                 (i)     the nature of the information; and
                 (ii)    the purposes for which the information is used; and
                 (iii)   how the organisation collects, holds, uses and discloses the
                         information.


6. Principle 6--Access and Correction

Access
6.1      If an organisation holds health information about an individual, it must
         provide the individual with access to the information on request by the
         individual in accordance with Part 5, unless--
         (a)     providing access would pose a serious threat to the life or health of any
                 person under section 26 and refusing access is in accordance with
                 guidelines, if any, issued or approved by the Health Services
                 Commissioner under section 22 for the purposes of this paragraph; or
         (b)     providing access would have an unreasonable impact on the privacy of
                 other individuals and refusing access is in accordance with guidelines,
                 if any, issued or approved by the Health Services Commissioner under
                 section 22 for the purposes of this paragraph; or
         (c)     the information relates to existing legal proceedings between the
                 organisation and the individual and the information would not be
                 accessible by the process of discovery in those proceedings or is
                 subject to legal professional privilege; or
         (d)     providing access would reveal the intentions of the organisation in
                 relation to negotiations, other than about the provision of a health
                 service, with the individual in such a way as to expose the organisation
                 unreasonably to disadvantage; or
         (e)     the information is subject to confidentiality under section 27; or
         (f)     providing access would be unlawful; or


        (g)      denying access is required or authorised by or under law; or
        (h)      providing access would be likely to prejudice an investigation of
                 possible unlawful activity; or
        (i)      providing access would be likely to prejudice a law enforcement
                 function by or on behalf of a law enforcement agency; or
        (j)      a law enforcement agency performing a lawful security function asks
                 the organisation not to provide access to the information on the basis
                 that providing access would be likely to cause damage to the security
                 of Australia; or
        (k)      the request for access is of a kind that has been made unsuccessfully on
                 at least one previous occasion and there are no reasonable grounds for
                 making the request again; or
        (l)      the individual has been provided with access to the health information
                 in accordance with Part 5 and is making an unreasonable, repeated
                 request for access to the same information in the same way.
6.2     However, where providing access would reveal evaluative information
        generated within the organisation in connection with a commercially sensitive
        decision-making process, the organisation may give the individual an
        explanation for the commercially sensitive decision rather than access to the
        information.
        Note: An organisation breaches HPP 6.1 if it relies on HPP 6.2 to give an
              individual an explanation for a commercially sensitive decision in
              circumstances where HPP 6.2 does not apply.
6.3     If access is refused on the ground that it would pose a serious threat to the life
        or health of the individual, the procedure in Division 3 of Part 5 applies.
6.4     Without limiting sections 26 and 27, nothing in this Principle compels an
        organisation to refuse to provide an individual with access to his or her health
        information.

Correction
6.5     If an organisation holds health information about an individual and the
        individual is able to establish that the information is inaccurate, incomplete,
        misleading or not up to date, the organisation must take reasonable steps to
        correct the information so that it is accurate, complete and up to date but must
        not delete the information otherwise than in accordance with HPP 4.2.
6.6     If--
        (a)      the organisation is not willing to correct the health information in
                 accordance with a request by the individual; and
        (b)      no decision or recommendation to the effect that the information
                 should be corrected wholly or partly in accordance with the request, is
                 pending or has been made under this Act or any other law; and

        (c)      the individual gives to the organisation a written statement concerning
                 the requested correction--
        the organisation must take reasonable steps to associate the statement with the
        information.
6.7     If the organisation accepts the need to correct the health information but—
        (a)      the organisation considers it likely that leaving incorrect information,
                 even if corrected, could cause harm to the individual or result in
                 inappropriate health services or care being provided; or
        (b)      the form in which the health information is held makes correction
                 impossible; or
        (c)      the corrections required are sufficiently complex or numerous for a real
                 possibility of confusion or error to arise in relation to interpreting or
                 reading the record if it were to be so corrected—
        the organisation must place the incorrect information on a record which is not
        generally available to anyone involved in providing health services to the
        individual, and to which access is restricted, and take reasonable steps to
        ensure that only the corrected information is generally available to anyone
        who may provide health services to the individual.
6.8     If an organisation corrects health information about an individual, it must--
        (a)      if practicable, record with the correction the name of the person who
                 made the correction and the date on which the correction is made; and
        (b)      take reasonable steps to notify any health service providers to whom
                 the organisation disclosed the health information before its correction
                 and who may reasonably be expected to rely on that information in the
                 future.
6.9     If an individual requests an organisation to correct health information about
        the individual, the organisation must take reasonable steps to notify the
        individual of a decision on the request as soon as practicable but in any case
        not later than 30 days after the request is received by the organisation.

Written reasons
6.10    An organisation must provide written reasons for refusal of access or a refusal
        to correct health information.


7. Principle 7--Identifiers

7.1     An organisation may only assign identifiers to individuals if the assignment of
        identifiers is reasonably necessary to enable the organisation to carry out any
        of its functions efficiently.
7.2     Subject to HPP 7.4, a private sector organisation may only adopt as its own
        identifier of an individual an identifier of an individual that has been assigned

        by a public sector organisation (or by an agent of, or contractor to, a public
        sector organisation acting in its capacity as agent or contractor) if--
        (a)      the individual has consented to the adoption of the same identifier; or
        (b)      the use or disclosure of the identifier is required or authorised by or
                 under law.
7.3     Subject to HPP 7.4, a private sector organisation may only use or disclose an
        identifier assigned to an individual by a public sector organisation (or by an
        agent of, or contractor to, a public sector organisation acting in its capacity as
        agent or contractor) if--
        (a)      the use or disclosure is required for the purpose for which it was
                 assigned or for a secondary purpose referred to in one or more of
                 paragraphs (c) to (l) of HPP 2.2; or
        (b)      the individual has consented to the use or disclosure; or
        (c)      the disclosure is to the public sector organisation which assigned the
                 identifier to enable the public sector organisation to identify the
                 individual for its own purposes.
7.4     If the use or disclosure of an identifier assigned to an individual by a public
        sector organisation is necessary for a private sector organisation to fulfil its
        obligations to, or requirements of, the public sector organisation, a private
        sector organisation may either--
        (a)      adopt as its own identifier of an individual an identifier of the
                 individual that has been assigned by the public sector organisation; or
        (b)      use or disclose an identifier of the individual that has been assigned by
                 the public sector organisation.


8. Principle 8--Anonymity

8.1     Wherever it is lawful and practicable, individuals must have the option of not
        identifying themselves when entering transactions with an organisation.


9. Principle 9--Transborder Data Flows

9.1     An organisation may transfer health information about an individual to
        someone (other than the organisation or the individual) who is outside Victoria
        only if--
        (a)      the organisation reasonably believes that the recipient of the
                 information is subject to a law, binding scheme or contract which
                 effectively upholds principles for fair handling of the information that
                 are substantially similar to the Health Privacy Principles; or
        (b)      the individual consents to the transfer; or

        (c)      the transfer is necessary for the performance of a contract between the
                 individual and the organisation, or for the implementation of pre-
                 contractual measures taken in response to the individual's request; or
        (d)      the transfer is necessary for the conclusion or performance of a
                 contract concluded in the interest of the individual between the
                 organisation and a third party; or
        (e)      all of the following apply--
                 (i)     the transfer is for the benefit of the individual;
                 (ii)    it is impracticable to obtain the consent of the individual to that
                         transfer;
                 (iii)   if it were practicable to obtain that consent, the individual
                         would be likely to give it; or
        (f)      the organisation has taken reasonable steps to ensure that the
                 information which it has transferred will not be held, used or disclosed
                 by the recipient of the information inconsistently with the Health
                 Privacy Principles; or
        (g)      the transfer is authorised or required by any other law.


10. Principle 10--Transfer or closure of the practice of a health service provider

10.1    This Principle applies if the practice or business of a health service provider
        ("the provider") is to be--
        (a)      sold or otherwise transferred and the provider will not be providing
                 health services in the new practice or business; or
        (b)      closed down.
10.2    The provider or, if the provider is deceased, the legal representatives of the
        provider, must--
        (a)      publish a notice in a newspaper circulating in the locality of the
                 practice or business stating--
                 (i)     that the practice or business has been, or is about to be, sold,
                         transferred or closed down, as the case may be; and
                 (ii)    the manner in which the provider proposes to deal with the
                         health information held by the practice or business about
                         individuals who have received health services from the
                         provider, including whether the provider proposes to retain the
                         information or make it available for transfer to those
                         individuals or their health service providers; and
        (b)      take any other steps to notify individuals who have received a health
                 service from the provider in accordance with guidelines issued or

                 approved by the Health Services Commissioner under section 22 for
                 the purposes of this paragraph.
10.3    Not earlier than 21 days after giving notice in accordance with HPP 10.2, the
        person giving the notice must, in relation to health information about an
        individual held by, or on behalf of, the practice or business, elect to retain that
        information or transfer it to--
        (a)      the health service provider, if any, who takes over the practice or
                 business; or
        (b)      the individual or a health service provider nominated by him or her.
10.4    A person who elects to retain health information must continue to hold it or
        transfer it to a competent organisation for safe storage in Victoria, until the
        time, if any, when the health information is destroyed in accordance with HPP
        4.
10.5    Subject to HPP 10.2, a person must comply with the requirements of this
        Principle as soon as practicable.
10.6    Despite any other provision of the Health Privacy Principles, a person who
        transfers health information in accordance with this Principle does not, by so
        doing, contravene the Health Privacy Principles.
10.7    If—
        (a)      an individual, in response to a notice published under HPP 10.2,
                 requests that health information be transferred to him or her or to a
                 health service provider nominated by him or her; and
        (b)      the person who published the notice elects to retain the health
                 information--
        the request must be taken to be--
        (c)      in the case of a request that the health information be transferred to him
                 or her, a request for access to that health information in accordance
                 with Part 5 or HPP 6; and
        (d)      in the case of a request that the health information be transferred to a
                 health service provider nominated by him or her, a request for the
                 transfer of that health information in accordance with HPP 11--
        and it must be dealt with in accordance with this Act.
10.8    This Principle operates subject to any other law, including the Public Records
        Act 1973.
10.9    For the purposes of HPP 10.1(a), a business or practice of a provider is
        transferred if--
        (a)      it is amalgamated with another organisation; and



        (b)      the successor organisation which is the result of the amalgamation is a
                 private sector organisation.


11. Principle 11--Making information available to another health service provider

11.1    If an individual--
        (a)      requests a health service provider to make health information relating
                 to the individual held by the provider available to another health
                 service provider; or
        (b)      authorises another health service provider to request a health service
                 provider to make health information relating to the individual held by
                 that provider available to the requesting health service provider--
        a health service provider to whom the request is made and who holds health
        information about the individual must, on payment of a fee not exceeding the
        prescribed maximum fee and subject to the regulations, provide a copy or
        written summary of that health information to that other health service
        provider.
11.2    A health service provider must comply with the requirements of this Principle
        as soon as practicable.
11.3    Nothing in Part 5 or HPP 6 limits the operation of this Principle.
11.4    For the purposes of HPP 10.7, this Principle applies to a legal representative of
        a deceased health service provider in the same way that it applies to a health
        service provider.




Victoria’s Health Records Act: Privacy Protection and Access to Health Information

By Beth Wilson, Health Services Commissioner


The Office of the Health Services Commissioner is an independent statutory authority
established to provide an accessible complaint mechanism for users of health services
to resolve any differences they may have with health service providers. The office is
impartial and places a high emphasis on conciliation and quality improvements.


In April 2001 the Victorian Government passed the Health Records Act 2001 (the
Act) which:
   •   Gives individuals a legally enforceable right of access to their own health
       information contained in records held in the private sector; and
   •   Establishes health privacy principles that will apply to personal health
       information collected, used and held in the public and private sectors.

For health service providers, the Act applies to all identifying personal information
collected to provide a health service; this includes all health as well as all other
personal information, including financial information, names of relatives, etc. For
non-health service providers, the Act applies to all identifying information about the
health or disability of an individual. Such information would include, for example,
health status, medical and treatment details about employees and customers.

Under the Act, a “health service” is defined as an activity to assess, maintain or
improve an individual’s health, and to diagnose and treat illness, injury or disability.
It includes disability, aged or palliative care services, including nursing homes and
hostels and also the dispensing of prescriptions. A “health service provider” includes
an organisation to the extent that it provides a health service.


The Act is a companion to the Information Privacy Act, which applies to all personal
information other than health information held in the public sector, while the Health
Records Act is a health specific piece of legislation.

The Government took the view that health information is so sensitive as to require
broader and more specific legislation. It also wanted to ensure uniformity of
standards across the public and private sectors. It recognised that the health industry
consists of a vast array of providers and organisations, professions and specialties
within professions and that patients move in and out of the public and private systems.


The Government also considered the privacy of health information to be so important
that it should not be capable of variation through codes of practice (as will be the case
with the Commonwealth Privacy Act). The principles set out in the Health Records
Act do not require further modification and are designed to give consumers certainty
about the manner in which their health information is collected, used, disclosed and
stored. The Act recognises the possible threat posed to privacy by modern
technology. Genetic testing is included because of its potential to predict the
likelihood of future illness. The Act received the support of the Opposition, which
will be helpful in gaining the co-operation of all stakeholders.


In the 1996 case of Breen v Williams the High Court of Australia said there was no
common law right of access to medical records. The records are the property of the
professional who created them. The High Court went on to say if the community
wanted patients to have a legal right of access to their medical information this should
be done through legislation rather than by the Court. The ACT took up this
“invitation” in 1997 and the Victorian Act follows that model with some significant
improvements.

The Act gives individuals the right of access to health information about themselves
held by private sector organisations. It does not override existing legislation such as
the Freedom of Information Act (FOI), which will continue to give individuals access
to health information about them held by public sector organisations. The Act makes
some amendments to the FOI Act to supplement access rights under that Act and
make access rights broadly consistent between the public and the private sectors.


The right of access applies in full to information collected after the commencement of
the Act, which was on 1 July 2002. More limited rights apply in respect of
information collected prior to the Act’s commencement. This reflects the fact that
practitioners and other organisations have compiled records on the understanding they
would not be available to be viewed as a right by consumers.

Office of the Health Services Commissioner
HRA Train the trainer package 2003


Access to “new records” (created after the Act’s commencement) can occur by way of
inspection, provision of a copy or a summary (if the individual agrees), or an
opportunity to view the record accompanied by an explanation by the health service
provider. Where the provider agrees, access to “old records” may be granted in one of
the forms outlined above. If there is no agreement, the person is entitled to receive an
accurate summary of the information. There is no right of access to non-factual or
diagnostic information in “old records” (such as practitioner’s comments).


Reasonable fees can be charged to recover the costs of providing access. No
“lodgement fee” may be charged but health service providers can charge a fee for
explaining the contents of records to patients or clients that does not exceed the
amount of their usual fee for a consultation that takes a similar amount of time.


The health privacy principles also clarify what health service providers need to do in
terms of informing their patients or clients about what will happen to their health
records when a facility is sold or closed. In this and other instances, the introduction
of the Act can be seen as an opportunity to build on existing good practice as regards
health information management across both private and public sectors.


The role of the Health Services Commissioner will be to educate consumers and
providers about the requirements under the legislation. The Commissioner will
handle inquiries from them about their rights and responsibilities and, in consultation
with the stakeholders, the Commissioner will develop statutory guidelines where these
are contemplated by the Act. The Commissioner will have a role in monitoring
compliance with the legislation and will resolve complaints about interferences with
privacy. The complaints process emphasises conciliation, which is consistent with the
existing approach of the Commissioner. Where conciliation fails investigations can
be carried out and the Commissioner will be able to serve compliance notices where
serious breaches occur. The Victorian Civil and Administrative Tribunal may make
binding orders but it is anticipated there will be informal resolution in the majority of
cases.


The Commissioner’s activities in implementing the Act will focus on compliance. In
other words, I want to help you to understand and work with the Act so complaints
will be minimised. If anyone would like more information please call my office on
8601 5222 or visit our Website at www.health.vic.gov.au/hsc.




Health Records Regulations 2002

STATUTORY RULES 2002
S.R. No. 42/2002
Health Records Act 2001
Health Records Regulations 2002
The Governor in Council makes the following Regulations:
Dated: 12 June 2002
Responsible Minister:
JOHN THWAITES
Minister for Health
HELEN DOYE
Clerk of the Executive Council


1. Objectives
The objectives of these Regulations are--
(a) to prescribe the maximum fees that may be charged by an organisation when
providing individuals with access to health information under Part 5 of the Health
Records Act 2001 and HPP 6 and HPP 11 of that Act and by a nominated health
service provider when performing functions set out in section 42 of that Act, in a
manner that--
        (i) ensures that any fee charged does not unfairly preclude an individual from
        requesting access to health information; and
        (ii) allows reasonable cost recovery for organisations; and
        (iii) recognises current practice regarding the transfer of health information
        between health service providers at the request of an individual for the
        purposes of continuity of care; and

(b) to prescribe the circumstances in which an organisation may collect health
information about an individual under HPP 1.1(i) of the Health Records Act 2001.


2. Authorising provision
These Regulations are made under section 100 of the Health Records Act 2001.


3. Commencement
These Regulations come into operation on 1 July 2002.


4. Definition
In these Regulations--
"the Act" means the Health Records Act 2001.


5. Maximum fee for granting an individual access to health information
For the purposes of section 32 of the Act, the prescribed maximum fee for providing
access to health information is the relevant fee set out in Schedule 1.


6. Maximum fee for nominated health service provider performing functions
For the purposes of section 42(3) of the Act, the prescribed maximum fee is the
reasonable cost incurred by the nominated health service provider in performing the
functions set out in section 42(1) of the Act, not exceeding--
        (a) $40 per quarter hour or part of a quarter hour spent performing those
        functions; or
        (b) $200--
whichever is the lesser.


7. Maximum fee for making health information available to another health service provider
For the purposes of HPP 11.1, the prescribed maximum fee for providing a copy or a
written summary of requested health information is the relevant fee set out in
Schedule 2.


8. Prescribed circumstances for collection of health information
(1) For the purposes of HPP 1.1(i), the prescribed circumstances are the collection of
health information by an organisation that is a health service provider from a person
or, if the person is incapable of providing the information, from an authorised
representative, immediate family member or primary carer of the person, being
information that--
        (a) is about an individual (whether living or deceased); and
        (b) does not contain any more identifying information about the individual
        referred to in paragraph (a) than is reasonably necessary to ensure that health
        services are provided safely and effectively to the person.
(2) For the purposes of sub-section (1), a person is incapable of providing the
information if he or she is incapable by reason of age, injury, disease, senility, illness,
disability, physical impairment or mental disorder.
(3) Information collected in accordance with sub-regulation (1) is exempt health
information for the purposes of HPP 1.5.
(4) In this regulation--
"authorised representative" has the same meaning as in section 85(6) of the Act;
"primary carer" means any person who is primarily responsible for providing
support or care to a person.


9. GST payable
(1) A maximum fee prescribed by these Regulations may be increased by an
amount not exceeding the amount of GST payable on the supply to which the
fee relates.
(2) In this regulation--
"GST" has the same meaning as it has in the A New Tax System (Goods and
Services Tax) Act 1999 of the Commonwealth except that it includes notional GST of
the kind for which payment may be made under Part 3 of the National Taxation
Reform (Consequential Provisions) Act 2000 by a person that is a State entity
within the meaning of that Act.
                                    __________________




                                        SCHEDULES
SCHEDULE 1
Regulation 5
MAXIMUM FEE FOR GRANTING AN INDIVIDUAL ACCESS TO HEALTH INFORMATION

Item No. 1
Manner of access under Part 5 of the Act: Inspecting health information or print out of
health information stored in electronic form, with opportunity to take notes of contents
Maximum fee: The total of the following amounts--
(a) $5 per quarter hour (or part of a quarter hour) in respect of supervision time of
inspection; and
(b) the organisation's reasonable costs incurred in assessing and collating the health
information, not exceeding $20; and
(c) if it is necessary to use equipment that is not in the organisation's possession to
inspect the health information, the organisation's reasonable costs incurred in
obtaining the equipment; and
(d) if the health information is contained in a document not stored at the
organisation's usual place of business, $10.

Item No. 2
Manner of access under Part 5 of the Act: Viewing health information, with no
explanation of contents
Maximum fee: The total of the following amounts--
(a) $5 per quarter hour (or part of a quarter hour) in respect of supervision time of
inspection; and
(b) the organisation's reasonable costs incurred in assessing and collating the health
information, not exceeding $20; and
(c) if it is necessary to use equipment that is not in the organisation's possession to
inspect the health information, the organisation's reasonable costs incurred in
obtaining the equipment; and
(d) if the health information is contained in a document not stored at the
organisation's usual place of business, $10.

 Note: Section 32(4) of the Act provides that a person who gives an explanation of
health information under section 29(1)(d) of the Act may charge a fee for the service
that does not exceed the amount of the person's usual fee for a consultation of a
comparable duration.


Item No. 3
Manner of access under Part 5 of the Act: Receiving a copy of health information
Maximum fee: The total of the following amounts--
(a) if a copy is in the form of black and white A4 pages, 20 cents per page; and
(b) if a copy is in a form other than a black and white A4 page, the organisation's
reasonable costs incurred in providing the copy; and
(c) the organisation's reasonable costs incurred in assessing and collating the health
information, not exceeding $20; and
(d) if the health information is contained in a document not stored at the
organisation's usual place of business, $10.

Item No. 4
Manner of access under Part 5 of the Act: Receiving an accurate summary of health
information
Maximum fee: The total of the following amounts--
(a) if the organisation is a health service provider and an accurate summary does not
exist before the request is made, an amount (not exceeding $80) that is calculated by
reference to the time taken to prepare the accurate summary--
        (i) based on the usual fee of the health service provider for a consultation of a
        comparable duration; or
        (ii) at the rate of $25 per quarter hour (or part of a quarter hour)--
whichever is the greater; and
(b) if the organisation is not a health service provider and an accurate summary does
not exist before the request is made, the organisation's reasonable costs incurred
calculated by reference to the time taken to prepare the accurate summary, not
exceeding--
        (i) $25 per quarter hour (or part of a quarter hour); or
        (ii) $80--
whichever is the lesser; and
(c) if the health information is contained in a document not stored at the
organisation's usual place of business, $10.


                                        ------------------

SCHEDULE 2
Regulation 7
MAXIMUM FEE FOR MAKING HEALTH INFORMATION AVAILABLE TO ANOTHER HEALTH SERVICE PROVIDER

Item No. 1
Manner of access under HPP 11.1: Provision by a health service provider of a copy of
health information to another health service provider
Maximum fee:
(a) If the copy consists of at least 20 black and white A4 pages, 20 cents per page.
(b) If the copy is in a form other than a black and white A4 page, the health service
provider's reasonable costs incurred in providing the copy.

Item No. 2
Manner of access under HPP 11.1: Provision by a health service provider of an accurate
summary of health information to another health service provider
Maximum fee: If--
(a) an accurate summary does not exist before the request is made; and
(b) it takes the health service provider at least 30 minutes to prepare an accurate
summary--
an amount (not exceeding $80) that is calculated by reference to the time taken to
prepare the accurate summary at the rate of $25 per quarter hour (or part of a quarter
hour) or based on the usual fee of the health service provider for a consultation of a
comparable duration, whichever is the greater.


Complying with the Health Records Act 2001

Complying with the Health Records Act 2001
  Appoint a privacy officer
    Suggested responsibilities of the Privacy Officer:
  Establish a privacy committee
  Conduct regular privacy audits
    Questions to ask when looking at the flow of information include:
  Notify individuals about the information required by HPP 1.4
  Document the organisation’s privacy policy
    Privacy Policy-content
  Develop administrative processes for access to health information
  Privacy Training
    Networking
    Complaints Handling



                     COMPLYING WITH THE HEALTH RECORDS ACT 2001


There are a range of strategies organisations can implement to assist compliance with
the Health Records Act 2001 (“the Act”). The suggested strategies include:
    •   appointing a privacy officer
    •   establishing a privacy committee
    •   conducting privacy audits
    •   conducting privacy training.


Appoint a privacy officer

Although there is no legal requirement for organisations to have a privacy officer,
having an identified person responsible for implementing the organisation’s privacy
obligations under the Act (and any other privacy laws that apply) will assist the
organisation. Ideally this person would have training in privacy legislation and an
understanding of the specific requirements of the Act to guide the organisation in
relation to its handling and management of health information.


If the organisation holds health information about individuals, everyone in the
organisation should be familiar with the legal requirements of the Act. The privacy
officer can provide training and assistance to workers within the organisation on the
requirements of the Act.

Suggested responsibilities of the Privacy Officer:
    •   encourage and assist the organisation to comply with the 11 Health Privacy
        Principles;
    •   undertake external privacy training offered by professional bodies,
        government departments and privacy commissioners;
    •   conduct privacy audits of the organisation to ensure compliance with the Act;
    •   maintain privacy resources within the organisation (e.g. privacy information,
        training information);
    •   provide guidance to workers within the organisation about their legal
        obligations under the Act;
    •   provide privacy perspectives on new initiatives and/or information technology
        advances or changes within the organisation;
    •   take a lead role in the development of the organisation’s privacy policy
        dealing with the management of health information, and access to health
        information for individuals, as required by the Act;
    •   initiate regular reviews of the organisation’s privacy policy;
    •   establish a complaints handling process;
    •   liaise with the office of the Health Services Commissioner regarding
        complaints made under the Act about the organisation.
Organisations with a number of sites may elect to have more than one privacy officer.


Establish a privacy committee

The privacy officer may require a committee to support and advise them in their work
and/or to enable the flow of privacy information from the privacy officer back into the
organisation. The committee should represent a cross section of the organisation, and
be comprised of people who are able to identify the privacy needs of the organisation.
They should have the authority to action decisions in relation to privacy. The
committee may include representatives from management, information technology,
records/information management, legal, security/office management, customer
service, human resources and a union or staff representative.




Conduct regular privacy audits

A “privacy audit” is a process that tracks the flow of information through an
organisation. This requires an examination of the whole “life cycle” of information
handling by the organisation. It includes reviewing what, why and how health
information is collected, how it is used and by whom, to whom it is disclosed outside
the organisation, where it is held, what security measures are in place to protect it,
how long it is retained, and how and when it is destroyed.


The results of this examination can be considered against the legal requirements of the
Health Privacy Principles and other legal obligations under the Act. Practices not
meeting the requirements may need to be changed or ceased. The organisation may
need to obtain legal advice in relation to its information management and privacy
laws. The information obtained in this audit process is also invaluable in the process
of drafting or reviewing the organisation’s privacy policy.


A Privacy Committee can conduct the examination itself or it may be appropriate to
send a questionnaire or survey to various managers within the organisation to have
them conduct the examination.


An organisation should analyse its answers to the above questions to highlight any
areas of difficulty in complying with the Health Privacy Principles. Ideally, the
analysis should not be limited to compliance issues but should also consider the
benefits and risks of retaining, amending or developing new practices around the
collection, use and disclosure, management and transfer of personal health
information.


The answers might prompt changes to current practices or the development of new
practices. This may include the redesign of forms, changes in policy, changes to
existing IT systems or the adoption of new technologies, and staff training to ensure
policies are put into practice.




Questions to ask when looking at the flow of information include:

    HPP 1 – Collection
•    What personal information does the organisation collect?
•    Is any of this personal information health information?
•    How and when does the organisation collect this information?
•    Why does the organisation collect the information? (Which functions or activities
     of the organisation require the collection of this information?)
•    What law authorises or requires the collection?
•    Are individuals advised about:
            •    how to contact the organisation;
            •    the right to request access to their personal health information;
            •    the purposes for which the information is collected;
            •    to whom the organisation usually discloses their personal information;
            •    whether the collection is required by law; and
            •    the main consequences (if any) for the individual if all or part of the
                 information is not provided?
The provision of this information is required by the Act at or before the time health
information is collected from an individual.
•    Does the organisation collect personal health information from a source other than
     the individual who is the subject of the personal information? If so, does the
     organisation advise the individual of the information set out above?


    HPP 2 – Use and disclosure
•    How is the health information relating to individuals used or disclosed?
•    Is the information disclosed to anyone outside the organisation?
•    Is the organisation subject to other legislative provisions on confidentiality?
•    What was the purpose for collecting the information in the first place?
•    Was collection voluntary or mandatory?
•    Was the subject of the information informed, at the time of collection or since,
     that the information might be disclosed?
•    Is the usual use or disclosure the primary purpose of collection? If not, what are
     the secondary purposes and how do they relate to the primary purpose?



•    Have the subjects been asked if they consent to the usual use or disclosure? How
     specific was the consent? How recent was it? How informed was it? Did the
     person have a choice, in the circumstances?
Depending on the answers, the organisation might need to adapt the way it seeks
consent. Consent has a “use-by date” which will vary depending upon the
circumstances and the specific detail of the consent. Old consent may need to be
renewed.
•    Is there some other practical common sense way to meet the legitimate needs of
     the requester without disclosing personal health information?
•    How is personal health information disclosed to third parties?
•    Has the personal health information been assessed to ensure it meets the criteria
     for use or disclosure?


    HPP 3 – Data Quality
What measures does the organisation use to check personal health information is
accurate, complete and up-to-date when it comes to its use or disclosure? The most
important feature will be the in-built measures that limit the risk of harm resulting
from use or disclosure of personal health information that is inaccurate, incomplete or
out of date. Much of this is standard records management.


    HPP 4 – Data Security and Data Retention
•    Think about paper and electronic records.
•    Where and how does the organisation store personal health information?
•    Who can use or look at the personal health information held by the organisation?
•    Who actually needs to have a look at or use the information?
•    What measures protect personal health information from unauthorised access,
     modification, misuse, loss or disclosure? Do they need to be improved?
•    Is training provided to employees and temporary employees on protection of
     personal health information? Is the training periodically refreshed?
•    When documents containing personal health information are no longer required
     can they be destroyed? Is the organisation subject to the Public Records Act 1973
     and/or any other legislation that impacts upon retention or destruction of
     documents/information?
•    How secure is health information when it is in the process of being destroyed?

•    Where organisations have a mandatory retention period, where are the records
     kept? Are staff aware of where and how to find old records when necessary?
•    Do health service providers, after deleting or transferring personal health
     information, keep a written note?


    HPP 5 – Openness
•    Does the organisation have a privacy policy?
•    Is it reviewed regularly?
•    Are the staff aware of the privacy policy?
•    Does it assist staff to understand how they should manage/handle health
     information held by the organisation and how access to health information is
     provided to individuals (or is it only a restatement of the Health Privacy
     Principles)?
•    Is it used in induction training?
•    Are staff aware it must be made available to anyone who asks?


    HPP 6 – Access and Correction
•    Are administrative procedures in place to deal with requests for access?
•    Are staff aware of who is entitled to request access to personal health information
     (whether subject to Freedom of Information or Health Records Act)?
•    Are there circumstances when the organisation is willing to make health
     information available without requiring a request through formal channels?
•    Who is responsible for dealing with access requests?
•    If the organisation is a health service provider, are procedures in place to deal with
     information communicated in confidence?
•    How does the organisation deal with a refusal of access? Who prepares the
     written reasons if access is refused to some of the health information?
•    Are procedures in place to deal with correction of health information?
•    Are individuals notified of decisions regarding access or correction within the
     specified time frame?


    HPP 7 – Identifiers
•    Is it necessary for the organisation to manage the personal health information of
     individuals by use of unique identifiers? Are the unique identifiers assigned by
     the organisation or does it use the identifiers of another organisation?

•    If an identifier assigned by a public sector organisation is used by the organisation,
     is it necessary to do so in order to fulfil obligations to that public sector
     organisation? (If yes, it may be permissible.)


    HPP 8 – Anonymity
•    Is it lawful and practicable for any of the organisation’s transactions with
     individuals to be conducted anonymously?


    HPP 9 – Transborder Data Flows
    Data held by Victorian organisations is sometimes housed on servers located
    interstate or even overseas. Ensure the organisation is aware of its data storage and
    transmission arrangements, whether undertaken by agency staff, or contracted
    service providers. By knowing about information technology architecture, the
    organisation can identify potential weaknesses and address them as appropriate.
•    Does the organisation transfer personal health information outside Victoria? If so,
     to whom? Is it necessary, or just convention or habit?
•    Are recipients of health information in other states, territories or countries
     accountable under any privacy protection scheme? If not, and the transfer is
     necessary, what does the organisation do to ensure privacy protection by the
     recipient organisation? Is there relevant law? Should an enforceable agreement
     be entered into? Consider the application of the expanded Commonwealth
     Privacy Act 1988 and other privacy laws to the recipients.
•    Does the organisation have the consent of the individual to transfer the personal
     health information?


    HPP 10 – Transfer or closure of the practice of a health service provider
•    Is the organisation a health service provider in accordance with the definition of
     the Act? If the organisation does not fit the definition of health service provider
     then HPP 10 does not apply.
•    Has the health service provider made plans on how the health information it holds
     relating to individuals is to be managed in the event of an unexpected closure (e.g.
     as a result of death or breakdown of business arrangement) or planned closure?
•    Health service providers considering transfer or closure of a practice need to be
     aware that HPP 10 applies and take steps to comply. Copies of the Health Records

     Act Regulations 2002 on transfer/closure of a practice, which require further steps
     to be taken by the health service provider, are available from the website
     www.health.vic.gov.au/hsc.


    HPP 11 – Making information available to another health service provider
•    Is the organisation a health service provider in accordance with the definition of
     the Act? If the organisation does not fit the definition of health service provider
     then HPP 11 does not apply.
•    Is a procedure in place to deal with requests for transfer of health information to
     another health service provider in a timely manner?
•    How does the organisation deal with requests for transfer of health information by
     a legal representative or other authorised person?


Notify individuals about the information required by HPP 1.4

HPP 1 requires organisations to provide a certain amount of information to
individuals at or before, or as soon as practicable after, they collect health information
about them. What is required is set out in HPP 1.4. If the organisation collects it
from a third person then HPP 1.5 applies, which requires the organisation to take
reasonable steps in the circumstances to ensure the individual is generally aware of
the relevant matters. This information does not have to be in writing, although many
organisations choose to provide it in this form to ensure the provision of consistent,
high quality information. Regardless of whether the information is provided in
written form or otherwise, it must include:
     •   the identity of the organisation and how to contact it;
     •   the fact that the individual can obtain access to their health information;
     •   the purposes for which the health information is collected;
     •   to whom health information of that type is usually disclosed (the types of
         organisations to which it is disclosed);
     •   any law that requires the particular health information to be collected;
     •   and the main consequences of not providing some or all the health information
         (if there are any).




Depending upon the nature of the transaction between the organisation and the
individual, the details an organisation needs to include in the information it
gives to individuals may change, so it may not be adequate just to have it in
written form. Organisations choosing to provide the information in
writing should be aware of the need for it to be provided as the circumstances require.
This means individuals who are sight impaired, illiterate or cannot read/understand
English may require the information to be provided in another form.


Document the organisation’s privacy policy

Under HPP 5 every organisation in Victoria holding health information relating to an
individual must have a written policy that sets out:
    •   its management of health information about individuals; and
    •   the steps an individual needs to take to gain access to health information about
        them.


The aim of HPP 5 is to ensure organisations are open and transparent in their dealings
with the health information they obtain about individuals. Having well considered
privacy policies that lead to competent information handling will enhance the
activities of the organisation.


Organisations also have an obligation under HPP 5 to take reasonable steps, if
requested by an individual, to let the individual know:
    •    whether it holds health information about them;
    •    the nature of such information, the management of it; and
    •    the purpose for which it is used.



Privacy Policy-content

•   An organisation’s policies should provide guidelines which outline how it
    operates and, if it provides a service, how this will be provided. Policy is
    determined by management to reflect the aims and underlying culture and
    philosophy of the organisation. In addition to providing guidelines to staff and
    management about how the organisation conducts its activities, a publicly



    available policy can provide individuals outside the organisation with information
    about what to expect from the organisation.
•   The privacy policy of an organisation needs to deal with the complexity of the
    organisation’s transactions that impact upon the privacy of individuals. For
    example, an employer of a small number of employees who holds a minimal
    amount of health information in personnel files and an accident and injury book
    will have a privacy policy that is very different from that of a large multi-campus
    teaching hospital holding health information about consumers and employees
    (which may have a number of privacy policies).
•   The key to writing a policy is to keep the statements simple and concise. Policies
    should be dated to ensure currency and facilitate regular reviews. Clear policy
    documents are the foundation of good practices within the organisation and are
    directed primarily at communicating the necessary information regarding the
    organisation’s requirements of staff and the organisation as a whole.
•   A privacy policy under the Act documents how the organisation and its employees
    handle health information relating to individuals. Such a policy will, at a
    minimum, cover collecting/receiving information, using and disclosing
    information, storing and destroying information. The health information practices
    documented in the policy may influence an individual’s decision when they are
    considering whether or not to enter into a transaction with the organisation. If the
    organisation is subject to other privacy legislation requiring privacy policies it is
    not necessary to have separate privacy policies for each Act as long as the one
    policy document satisfies the requirements of each Act. The policy must also set
    out how individuals can gain access to their health information. It could include
    details of the person or position responsible for processing a request for health
    information.
•   The Act requires the policy be made available to anyone who asks for it, so plain
    language should be used, and it should be worded in a way that can be understood
    by people from outside the organisation.
•   Simply adapting another organisation’s privacy policy will not necessarily result
    in your organisation meeting its obligations under the Act. Organisations are
    involved in different activities and vary in their health information handling
    practices. Privacy policies need to be specific to each organisation.


•   Organisations should regularly review their privacy policies in the same way they
    would any other policies.


Develop administrative processes for access to health information

Public sector organisations already provide individuals with the means to access and
correct health information about them under the Freedom of Information Act
1982. These organisations have developed administrative processes to facilitate
access requests. Private sector organisations also need to establish administrative
processes to enable responses to access and correction requests to be handled
smoothly and efficiently.
These may include:
    •   appointing a person to process access requests (which may be the
        privacy officer)
    •   developing application forms individuals can use to apply for access
    •   deciding who in the organisation is responsible for processing the
        request
    •   deciding who will prepare written reasons for refusal of access or
        correction where appropriate.
Organisations’ policies and training around providing access should require workers
to be courteous and considerate. Individuals requesting access to health information
are exercising their statutory right to do so.


Privacy Training

Training of new and existing workers about the organisation’s privacy policy, legal
obligations imposed by the Act and any other privacy laws the organisation is subject
to is good practice. New developments and information about changes to privacy
practices within the organisation and the law should be communicated to workers as
they occur. If the organisation uses the services of volunteer workers (including
students), and they handle personal health information, then volunteers should also
receive this information and training. Training should cover the legal requirements of
the Act and the privacy policy of the organisation.



Networking
People within organisations who have primary responsibility for ensuring the
organisation’s compliance with the Act can benefit from meeting with others who
have similar responsibilities. In addition, forums and meetings organised by
the two commissioners in Victoria responsible for privacy can
provide this opportunity.


Complaints Handling
Some individuals may have complaints about an organisation’s handling of their
health information or the organisation’s response to a request for access or correction
to their health information. They may complain directly to the organisation.
Organisations should develop mechanisms to handle such complaints if they do not
already have them.
Standards Australia has developed a standard for complaints handling. This standard
may assist organisations to develop their complaints handling process.


The Health Services Commissioner may decline to entertain a complaint about
privacy in certain circumstances including where the complaint has not first been
made to the organisation that is the subject of the complaint. Where this has not taken
place the Health Services Commissioner may provide the organisation with an
opportunity to respond to the complaint to see whether the complaint can be resolved
without intervention of the Health Services Commissioner. In either event
organisations will need to have the resources and skills to resolve privacy complaints.


For further assistance with meeting your obligations under the Health Records Act
you can contact the office of the Health Services Commissioner at:


                         Office of the Health Services Commissioner
                         Level 30
                         570 Bourke St
                         Melbourne 3000
                         www.health.vic.gov.au/hsc
                         hra@dhs.vic.gov.au


                         Tel: (03) 8601 5222
                         Toll Free: 1800 136 066
                         Fax: (03) 8601 5219
                         TTY: 1300 550 275
                         DX: 210182




                    FREQUENTLY ASKED QUESTIONS


General
Consent
Collection
Use & Disclosure
Access
Transborder Data Flows
School related issues
Interaction with other legislation
Openness




General:

1. Can a fee be charged for access to information?
    The regulations setting a maximum fee for access, set by the Department of
    Human Services, can be found at
    http://www.dms.dpc.vic.gov.au/sb/2002_SR/S01908.html.


2. To what extent do organisations need to be aware of records legislation and
    other provisions concerning privacy, use, disclosure and access in other
    jurisdictions, such as the ACT and NSW?
    Under Health Privacy Principle (HPP) 9, Transborder data flows, an organisation
    must reasonably believe that the recipient of the health information is subject to a
    law, binding scheme or contract that effectively upholds principles for fair
    handling of the information that are substantially similar to the HPPs.
    Alternatively consent from the individual to transfer the information is required.


3. Who owns the health information if a health service provider is employed by
    a non-health service provider e.g. a school? - the employer or the provider?
    The Health Records Act (the Act) does not affect ownership of health information,
    but gives the individual to whom the information relates the right to access that
    information. Therefore ownership of the health information would be decided by
    the contractual arrangements between the employer and the employee, but
    whoever holds the information would need to make it available for access if
    requested and ensure that the information is held in a manner compliant with the
    HPPs.


4. Does ownership of information imply rights regarding the information? E.g.
    school principal inspecting records that are in the custody of a provider.
    The organisation holding the health information must itself comply with the HPPs
    relating to the use and disclosure of the information. If the information was
    collected for a particular purpose (e.g. to enable the health care service to be
    delivered effectively) then HPP 2 requires it to be used only for that purpose, or
    for a directly related secondary purpose which the person would expect, or falling
    into one of the exceptions in HPP 2. There are no implied rights under the Act.

    If the use or disclosure were permitted by the HPPs then it is allowed, otherwise it
    would be a contravention of the Principles.


5. Residents in aged care facilities have their own doctors to attend to them,
    with the doctors’ records often kept at the facility for convenience. Does the
    facility have any rights to these records?
    Health service providers providing a health service to nursing homes, hostels or
    retirement villages need to comply with the Act regarding the health information
    they hold, even if it is held on behalf of another health service provider. They
    have an obligation to ensure compliance with the HPPs regarding good record
    keeping in areas such as security of health information. It is up to the individual
    health service provider and the facility concerned to make arrangements that suit
    them to ensure that their obligations under the Act are met, and this would include
    what rights the facility has to the records. The client has a right to request access
    to health information held about them, preferably through the health service
    provider rather than the facility.


6. Where health information has been commissioned/paid for by a third party,
    e.g. insurance industry, who has responsibility for the record?
    If an organisation holds health information about an individual then they are
    obligated under the Act to provide access to the individual if requested, provided
    the information does not fall into one of the exemptions. If the health service
    provider who made the report keeps a copy of the report commissioned by a third
    party, then the individual to whom the information relates can request access
    to that information from either the health service provider or the third party.


7. Does the Health Records Act apply to scanned records?
    The Health Records Act applies to health information held by an organisation in a
    document in possession or under the control of an organisation. A document is
    defined in the Interpretation of Legislation Act 1984 (Vic) as:
    "document" includes, in addition to a document in writing—
    (a) any book, map, plan, graph or drawing;
    (b) any photograph;


    (c) any label, marking or other writing which identifies or describes anything of
    which it forms part, or to which it is attached by any means whatsoever;
    (d) any disc, tape, sound track or other device in which sounds or other data (not
    being visual images) are embodied so as to be capable (with or without the aid of
    some other equipment) of being reproduced therefrom;
    (e) any film (including microfilm), negative, tape or other device in which one or
    more visual images are embodied so as to be capable (with or without the aid of
    some other equipment) of being reproduced therefrom; and
    (f) anything whatsoever on which is marked any words, figures, letters or symbols
    which are capable of carrying a definite meaning to persons conversant with them;
    Therefore the Health Records Act would apply to scanned records in the same
    manner as to paper records.


8. What belongs to the health service provider and not to the individual?
    The Health Records Act is about access, not ownership – it all belongs to the
    holder of the information, but the individual to whom the information relates is
    able to access the information under the Act.


9. Are the notes made by medical students to be included in the history? The
    sequel to their seeing patients is that their notes are part of the record
    whether or not they are filed in the history. Are they able to be removed?
    Student notes should be included in the record, as they form part of the patient
    care. They are health information made by the organisation or under its
    supervision, with a notation that the notes were made by a student, signed and if
    necessary amended by the supervisor. This should be no different than current
    practice.


10. Does the Act give people a new right to sue in court over a breach of privacy?
    Section 8 of the Act says “nothing in this Act gives rise to any civil cause of
    action” other than in accordance with the procedures in the Act. This means only
    those processes to deal with complaints as set out in the Act can be followed and
    these are limited to conciliation and investigation by the Health Services
    Commissioner, with the possibility of a complaint being dealt with at the
    Victorian Civil and Administrative Tribunal.

11. What is the status of any existing professional and ethical codes and
    standards now the Health Records Act is operational?
    Existing professional and ethical codes and standards still operate, as long as they
    don’t conflict with the Act. The Act sets a minimum standard and is legally
    binding; all organisations that collect, hold or use health information must comply
    with it. However, if a profession wishes to maintain an existing code that is in
    accordance with the Act they are able to do so.


12. To what extent does the legislation interact with the various requirements set
    by accreditation bodies?
    Accreditation processes usually require the person or organisation in question
    comply with any relevant Commonwealth, State or Territory laws, such as the
    Health Records Act. Compliance with the Act would therefore be part of an
    accreditation process.


13. Are the working notes of a health service provider considered health
    information for the purpose of the Act?
    If the working notes fall within the definition of health information, and they are
    held by the organisation then they are subject to the Act.


14. How does the Health Records Act apply to locum health service providers?
    The Act applies to health information held by locum health service providers in
    the same way as it does to other health service providers, with the individual able
    to apply for access to that information. If the locum kept separate records from
    those of the practice then when the information is collected the patient would need
    to be made aware of how they can contact the locum to access the information if
    they wish. All the health privacy principles would apply to the health information
    held by the locum health service provider.




15. How does the Health Records Act apply to health service providers employed
    by organisations that provide a health service to their staff? Is it the health
    service provider or the employer with the obligation to comply with the
    legislation? Is this different if the health service provider is not an employee
    but an independent contractor?
    The Act applies to all organisations that hold health information, with an
    obligation to comply with the Act. If the employer holds the records with the
    health information then they must provide access and ensure compliance with the
    health privacy principles. If it is the health service provider who controls the
    records that hold the health information then the health service provider must
    comply with the legislation. If the health service provider is an independent
    contractor and keeps separate records from the employer then the individuals must
    be made aware of how to contact that health service provider and access the health
    information if desired. In this situation the health service provider must also
    comply with HPP 10 on transfer or closure of a practice when the health service
    provider leaves the employer and does not provide a health service elsewhere.


16. How does the Health Records Act apply in respect of deceased health service
    providers?
    HPP 10 provides that the legal representative of the deceased provider must
    publish a notice in a newspaper circulating in the locality of the practice stating
    that the practice has been, or is about to be, sold, transferred or closed down and
    the manner in which they propose to deal with the health information held by the
    practice. The legal representative must also take any steps to notify individuals of
    these matters as set out in the guidelines issued by the Health Services
    Commissioner.


17. Hospital archives contain photographs of patients and staff going back many
    years. Researchers request access to the photographs, as they want to use
    them for publication in books. Is this still allowed?
    The information about a person, which can be derived from a photograph, may be
    able to be regarded as ‘health information’ as defined by the Act, if it reveals
    identifying information about a person’s health. Section 15 of the Act exempts
    certain types of ‘publicly available health information’ from the operation of the

    Act. If the information in question is kept in a library, art gallery or museum for
    the purposes of reference, study or exhibition, then it would be exempt under
    section 15 (1)(b) of the Act. It would also appear to be exempt under section
    15(1)(b) if the document is “archives within the meaning of the Copyright Act
    1968 of the Commonwealth.”


18. Should an organisation establish an internal complaints handling process?
    Many organisations may find they need only adapt an established complaints
    handling process, such as those used to deal with complaints about non-privacy
    matters. Being in a position to deal adequately with complaints should minimise
    the number of times the Health Services Commissioner will become involved.
    Swift, effective complaints handling saves time and cost all round.


Consent:

19. What is the age of consent for collection, access, use and disclosure of health
    information?
    No specific age is set by the Act. The same factors as currently apply when
    deciding on whether a child can consent to treatment apply with issues of consent
    under the Act. Consent for collection, access, use or disclosure of health
    information involves assessing a child’s competency to consent in accordance
    with the current Common Law test of competency.


    See Information Sheet 5 for further information.


20. Do you need consent to use information for fundraising purposes?
    An organisation must not use or disclose health information about an individual
    for a purpose other than the primary purpose for which it was collected without
    consent, unless one of the circumstances in HPP 2.2 applies. If the primary
    purpose for which the information was collected was other than to allow the
    organisation to approach the person for money, then it would be a secondary
    purpose for which consent would be needed. It may be that the circumstances are
    such that you might be able to characterise fundraising as a directly related



    secondary purpose, which the person would reasonably expect the organisation to
    use it for. If so, then that would be allowed under the Act.


21. How specific does consent need to be?
    Consent means the voluntary agreement of the individual or of the individual’s
    authorised representative about a proposed action, and should be informed, freely
    given and current. Under the Act it can be express or implied. Express consent is
    provided explicitly, either orally or in writing, it is unequivocal and does not
    require any inference on the part of the organisation seeking consent. Implied
    consent arises when consent may be reasonably inferred from the action or
    inaction of the individual.


22. What if an individual is incapable of giving consent to collection, use or
    disclosure of health information?
    The power to give consent may be exercised on behalf of an individual who is
    incapable of giving consent by an authorised representative of that individual. An
    individual is considered incapable of giving consent by reason of age, injury,
    disease, senility, illness, disability, physical impairment or mental disorder if they
    are incapable of understanding the general nature and effect of giving the consent,
    or communicating the consent (or refusal) despite the provision of reasonable
    assistance by another person.
    An authorised representative means a person who is:
        (a) a guardian of the individual; or
        (b) an attorney for the individual under an enduring power of attorney; or
        (c) an agent for the individual within the meaning of the Medical Treatment
        Act 1988; or
        (d) an administrator or a person responsible within the meaning of the
        Guardianship and Administration Act 1986; or
        (e) a parent of an individual, if the individual is a child; or
        (f) otherwise empowered under law to perform any functions or duties or
        exercise powers as an agent of or in the best interests of the individual--
        except to the extent that acting as an authorised representative of the
        individual is inconsistent with an order made by a court or tribunal.


23. Should a health service provider be more specific when obtaining consent in
    respect of electronic information?
    Consent should at all times be informed and current, regardless of the manner of
    collection, use or disclosure, whether electronic or paper based. The organisation
    handling the information should make it clear to the individual how they manage
    the information and how they use and disclose it.


24. In relation to children with divorced or separated parents, which parent is
    able to consent for collection, use and disclosure?
    Under current law both parents have equal rights to a child who is a minor, unless
    the right has legally been removed from one parent. If an organisation is unsure
    whether there are orders against one parent they can contact the Family Court for
    assistance.


25. Is consent needed when information is to be used in new ways within the
    organisation, particularly if the organisation has expanded?
    Health information must be used by an organisation in a manner consistent with
    HPP 2. If a use of health information does not fit within any of the paragraphs of
    HPP 2 then consent would be required to use it in that manner.


26. Is consent needed when information is to be placed in temporary storage?
    An organisation has an obligation to take reasonable steps to protect the
    information it holds from misuse, loss, unauthorised access, modification or
    disclosure. There is no obligation to get consent for the manner by which an
    organisation maintains the information it holds, but the privacy policy should
    contain this information.


27. Do we need to get consent before taking photos of an individual?
    Taking a photo is collection of personal information, and so all the HPPs relating
    to collection of health information apply. There would be circumstances where
    consent is not required, in accordance with HPP 1.1, but generally it is best
    practice to get consent if taking a photo.




Collection:

28. What if there are communication difficulties (e.g. language barriers) in
    ensuring that an individual is generally aware of the matters outlined in HPP
    1? What steps must an organisation take to overcome this?
    The Act requires an organisation to take steps that are reasonable in the
    circumstances to ensure the individual is generally aware of the matters outlined
    in HPP 1. If an organisation deals with individuals with communication problems
    on a regular basis then it may be considered a reasonable step to have brochures in
    languages other than English, or Braille where appropriate etc. The steps that the
    organisation must take would depend on the individual circumstances of the
    organisation, and what they consider is reasonable in those particular
    circumstances.


29. Must HPP 1 be complied with where information is collected from an
    unsolicited source?
    HPP 1 applies where an organisation collects health information, whether solicited
    or not. However, where the information is unsolicited there may be implied
    consent for the organisation to have it, otherwise the individual would not have
    supplied the information. If a third party supplied the information the organisation
    needs to comply with HPP 1.5 about making the individual aware that the
    information has been collected.


Use & Disclosure:

30. What constitutes a serious threat to a person’s safety? What happens where
    the threat is more general in nature and not so imminent? Can the
    information be disclosed in those circumstances?
    Under HPP 2.2(h) an organisation can disclose information if they believe there is
    a serious and imminent threat to an individual’s life, health, safety or welfare.
    There are no definitions about what is serious and imminent, but it would need to
    be fairly immediate, not a possibility in the future.




31. Does HPP 2 oblige disclosure?
    Nothing in HPP 2 requires an organisation to disclose health information about an
    individual. An organisation is always entitled not to disclose health information in
    the absence of a legal obligation to disclose it.


32. Under what circumstance can a health service provider disclose health
    information about an individual to a family member?
    Health information can always be disclosed with the consent of the individual
    concerned. HPP 2.4 also allows a health service provider to disclose health
    information about an individual to an immediate family member if it is either
    necessary for the care of the individual or the disclosure is made for
    compassionate reasons, where the individual is incapable of consenting to the
    disclosure.


Access:

33. Can access to information be given to a patient if it comes from a health
    service provider and is marked ‘confidential’?
    The Act states that an organisation holds health information if it is in a document
    which is in the possession or under the control of the organisation, whether alone
    or jointly with other persons. The fact that another person created the information
    is not relevant to the question of access. A claim of confidentiality would not
    prevent the information from being accessible of itself, as s27(2) specifically does
    not exempt information given in confidence by a health service provider. Access
    could only be denied to it if one of the exceptions under HPP 6.1 applied to
    the information.


34. Will a plaintiff lawyer (through the client) be able to access a copy of a report
    about the client compiled at the request of the insurer?
    An individual has the right of access to information about himself or herself,
    regardless of where it is held, or who owns the information. The Act allows an
    individual to authorise someone else to represent him or her by having access to
    the information on his or her behalf and that authorised representative may be a
    lawyer. If the information was collected before 1 July 2002 then the individual
    may receive a summary of the information, not a copy of the report itself, and
    would not be entitled to any opinions in that information, merely facts as listed in
    s 25 of the Act. For information collected after 1 July 2002 the individual is able
    to obtain a full copy of the information.


35. There are times when a consultant or GP sees a patient and there are some
    aspects of his thinking that he does not want to be available at any stage to
    the patient, the law, or the relatives. How do you retain that information?
    You can’t – if the information is written in the record and it is not exempt under
    HPP 6.1 because of situations such as a serious threat to life or health, privacy of
    others or given in confidence with no consent for disclosure, then the person to
    whom the information relates would be able to get access. This information
    would also be required to be produced in a court if a subpoena is issued for it.


36. If a case is a pending medico-legal matter, do you have to release the record
    to the patient or the solicitor?
    If the information relates to existing legal proceedings between the organisation
    and the individual and it is not accessible by process of discovery or is subject to
    legal professional privilege then access can be withheld under HPP 6.1(c). It
    would need to be assessed on a case-by-case basis to see if the legal proceedings
    are ‘existing’. Current laws about subpoenas etc still stand.


37. Not all patient information is in the medical record. Does all information
    need to be collected when patient requires access - eg. Allied Health, Catheter
    Laboratory records?
    An individual is entitled to access all health information held about them collected
    after the commencement of the Act. It is the responsibility of the organisation to
    collate the information and know where all the information is kept so that it is
    available to be assessed and where appropriate, released for access if requested.


38. Who can access medical records of deceased patients? Is it only next of kin?
    The legal representative has the right of access to the records of a deceased patient
    in the same way as it applies in relation to an individual who is not deceased,
    under s 95 of the Act. This is not necessarily the next of kin. It is conceivable
    that the family would want access to a record when there is no legal representative
    e.g. once the estate is wound up and the executor is discharged. In these
    circumstances there would be no right of access under HPP 6, however, the
    organisation could grant access under HPP 2.4, which allows for access to an
    immediate family member where the individual is incapable of giving consent.
    This would be voluntary; there is no statutory right of access in this situation.
    Section 141 of the Health Services Act would also apply in this situation for
    hospitals, community health services and day procedure centres.


39. Are we required to provide statistics at the end of the year on the number of
    access requests, time taken to respond etc (similar to FOI stats. provided to
    Department of Justice)?
    At this stage there is no requirement for the reporting of statistics. However, it
    would probably be beneficial for organisations to keep a record for their own
    auditing purposes.


40. How long does the health provider have to deal with each access request?
    An organisation must deal with a written request for access within 45 days of
    receipt of request or 7 days after payment of fee, whichever is later.


41. What responsibility is there to disclose/summarise the records of historical
    consultations made by other health professionals who have since left the
    practice?
    If an organisation holds health information that is subject to an access request they
    may agree to give the individual access to the information in full in the manner set
    out in the Act. If they do not agree to give access in this manner, they must, at a
    minimum, give the individual an accurate summary of the health information even
    if the provider who wrote it is no longer part of the organisation.


42. Does an individual have a right to request health information collected before
    1 July 2002 to be corrected if they feel it is inaccurate, incomplete, misleading
    or not up to date?
    Yes, if the individual is able to establish that the information is inaccurate,
    incomplete, misleading or not up to date, the organisation must take reasonable
    steps to correct the information. It is not relevant as to when the information was
    collected, but it would not be necessary to alter every page of a record that had a
    wrong address as long as the current address was on any page that is still being used.


43. Is it the Health Records Act or the FOI Act that applies to the records of
    health service providers employed in a public hospital that carry on a private
    practice on the same premises?
    If the health service provider within the public hospital sees the individual, and the
    record belongs to the hospital, then the FOI Act applies for requests to access that
    record. If the health service provider carries out private practice in rooms on the
    same premises, but keeps separate records, then the Health Records Act applies
    for requests for access to those records.


44. In record keeping and obligations under the Health Records Act and the FOI
    Act, what should a health service provider do in order to distinguish between
    services given to public patients and to those to private patients?
    Compliance with the HPPs under the Health Records Act extends to both the
    public and private sector, therefore there is no need to distinguish between a
    private and public patient. The difference between private and public sector under
    the Act is that access to health information for the public sector is through the FOI Act
    rather than the Health Records Act. However, the FOI Act has been amended by
    the Health Records Act to give similar modes of access as that under the Health
    Records Act, so from the provider’s perspective the record keeping and
    obligations for both private and public sector records will be the same.


45. Does the Health Records Act abrogate copyright ownership in documents?
    Claiming copyright on a document would not protect it from access by the
    individual that it is about, in view of the statutory duty to provide access and it
    being a term of the contract. The Act states that an organisation holds health
    information if it is in a document which is in the possession or under the control of
    the organisation, whether alone or jointly with others. The Act does allow, under
    s 98, an organisation to obtain and act on expert advice in order to perform a
    function under the Act. There is a need to examine the information before
    granting access to ensure that there is no requirement for it to be withheld
    because of serious threat to the life or health of the person seeking access or any
    other person. If a GP file contained specialist letters/reports the Act would allow
    the GP to talk to the specialist about the request and discuss whether there is any
    need to exempt it.


46. Can access to the health information be refused?
    Holders of health information can and in some circumstances must refuse access
    to health information. These situations are listed in Health Privacy Principle 6.1
    of the HRA. If an organisation denies access, it must provide reasons for doing so.


47. Can a health service provider still charge a fee after rejecting access?
    An organisation is not required to charge a fee for providing access and must not
    charge a fee for the lodgement of a request for access. If access were refused
    there would be no fee, because no service has been provided.


48. What happens when there are couples or groups in counselling and one party
    requests access?
    Individuals are only entitled to access health information about themselves. If a
    service were being provided in a group setting then there would be either implied
    consent to sharing of the information within the group, or the implications of the
    group session should be discussed at the beginning. If information is obtained
    about an individual outside the group setting then the other members of the group
    are not entitled to access that information.


Transborder Data Flows:

49. Can an organisation transfer health information about an individual to
    someone outside Victoria?
    Information can be transferred outside Victoria with the consent of the individual
    whom the information is about. Otherwise the organisation transferring the health
    information must reasonably believe that the recipient of the information is
    subject to a law or binding scheme that is substantially similar to the HPPs.




50. If a health service provider has offices in Victoria and interstate, with the
    interstate office treating a Victorian, can they access their records interstate?
    The Act only applies to an organisation that collects or holds health information
    in Victoria. Organisations that operate in Victoria and interstate are only bound
    by the Act to the extent that they do things relevant to the Act in Victoria. If an
    organisation’s Sydney office is treating a Victorian patient while they are in
    Sydney, then they can access the records held in Victoria, subject to any
    Commonwealth or NSW laws regulating this collection.


School related issues:

51. Are schools considered health service providers?
    Schools are considered as a health service provider to the extent that they provide
    a health service. There will be some persons within the school that are health
    service providers, e.g. school nurses, counsellors, and the provisions in the Act
    applicable to health service providers would apply to the information collected,
    used and held by these people.


Interaction with other legislation:

52. How will the Health Records Act interact with the Commonwealth Privacy
    Act?
    The Victorian Health Records Act and the Commonwealth Privacy Act are both
    valid legislation, which co-exist, and apply to health information. The Health
    Records Act is health specific, whereas the Commonwealth Act is more general,
    but covers health information as ‘sensitive information’. Those organisations
    working in the private sector will need to comply with both Acts and the
    consumer can choose which Act they prefer to seek remedy for a breach of their
    privacy.


53. The Commonwealth Privacy Act differs from the Health Records Act concerning
    some issues that are specifically addressed by the Health Records Act. Which
    Act will apply?
    Both Acts will apply and providers will need to comply with both. Complying
    with a specific provision within one Act, such as access to health information,
    should not be a breach of the more general provisions in the other Act.


54. With the commencement of the Health Records Act does the Federal Privacy
    Commissioner (FPC) have any powers relating to health service providers
    and other health service providers in Victoria?
    The FPC has jurisdiction over Victorian health service providers if a complaint is
    made against the health service provider under the Commonwealth Privacy
    (Private Sector) Amendment Act. If the complaint against a health service
    provider is made under the Health Records Act then the Health Services
    Commissioner has jurisdiction to resolve the complaint.


55. How does the Health Records Act interact with other existing Commonwealth
    and State legislation concerning privacy, confidentiality, secrecy, access and
    disclosure?
    The HPPs do not override other legislation – existing provisions in other statutes
    governing the confidentiality, use and disclosure of health information and those
    that regulate access to certain kinds of personal information (e.g. adoption
    information) are preserved. Specific statutory provisions will override the general
    standards in the Health Records Act to the extent of any inconsistency.


56. What is the relationship between the Health Records Act and the Victorian
    FOI Act?
    The Health Records Act gives individuals access to health information about them
    held in the private sector, whereas the FOI Act will continue to give individuals
    access to health information about them held by the public sector.


Openness:

57. What details should be included in an organisation’s privacy policy?
    An organisation’s privacy policy may have a similar structure to others, but its
    contents are likely to be different. Using a good model from elsewhere can save
    time and resources but it is important that privacy policies are tailored to
    individual organisations because every organisation collects and handles personal
    health information differently. Also, if the organisation focuses on its own,
    distinct privacy policy it comes to understand the privacy standards in the
    practical context of its day-to-day operation.
    The policy should detail how the organisation manages the health information it
    holds and the steps the individual must take in order to obtain access to their
    information.




                                         Scenarios



General
Access
Collection
Use and disclosure
Data security & retention
Openness
Identifiers
Data quality
Anonymity
Transborder Data Flows
Transfer/closure of the practice of a health service provider
Making Information available to another health service provider




You may wish to select different scenarios you consider appropriate to
your organisation to discuss with staff, so they can see in a practical way
how the Health Records Act applies to your organisation. The answers
may vary according to circumstances, but we have outlined the issues to
be considered when working through these scenarios.



General:

1. A non-government organisation in Victoria providing disability services for DHS
    is subject to which privacy legislation?
    Answer: All 3 – Health Records Act because it is a health service provider,
    Commonwealth Privacy Act because it is private sector and possibly Information
    Privacy Act because of service agreement.


2. A non-denominational school in Victoria is subject to which privacy legislation?
    Answer: Health Records Act for the health information held, and Commonwealth
    Privacy Act because it is a private sector organisation.


3. I am a physiotherapist in a public hospital. Should access to the health
    information I hold be provided to the individuals under the Health Records Act or
    FOI Act?
    Answer: FOI – there should be an FOI officer in the hospital responsible for
    processing access requests.


4. I am a physiotherapist in private practice in Victoria. Should the health
    information I hold about individuals be provided under FOI or Health Records
    Act?
    Answer: Health Records Act – persons or organisations in the private sector will
    need to establish administrative systems to handle requests for access to health
    information.


Access:

5. A mother attends a practice with her 10-year-old child. We are aware that the
    child's parents are divorced/separated. Some time later the father requests access
    to the child's record. Can access be given? Can the child access their records?
    Issues to consider:
       Both parents have equal rights
       What age are minors able to make their own decisions and access information
        on their own behalf (See Information Sheet 6)?


6. A man dies at home after a home visit from a doctor. The domestic partner
    suspects negligence on the part of the doctor and requests access to the deceased’s
    health information in the medical file. Can he/she be given it?
    Issues to consider:
       Section 95 and rights of deceased individuals
       HPP 2.4 - Disclosure to immediate family member
       No reasons need to be given for requesting right of access


7. A 95-year-old woman is admitted to hospital, and her daughter reads her mother’s
    medical records, which were in the room at the end of bed. The daughter
    complains that her mother was not capable of making decisions regarding her
    health information, and that she should be able to read her mother’s file because
    she cannot otherwise find out what is happening to her mother. What issues
    relating to capacity to consent and access are raised by this example?
    Issues to consider:
       Section 85 and capacity to consent by mother
       Section 141 - Health Services Act and disclosure of information to next of kin
       HPP 4 - Protection of health information from unauthorised access




8. A mother with limited English speaking skills is admitted to hospital, and she
    wants to make her own decisions regarding her care. Her daughter insists on
    being involved and to be kept fully informed, against her mother’s wishes. What
    should the hospital do in this situation?
        Issues to consider:
        Section 85 and capacity to consent
        Is lack of language skills considered a disability to the extent of being unable
         to make decisions?
        Capacity of mother to make her own decisions on other grounds
        Section 141 - Health Services Act and disclosure of information to next of kin


9. A 17-year-old child is diagnosed with a form of preventable familial cancer, and the
    parents suspect that the child has a serious illness. Can the parents have access to
    the records? Can the organisation contact other family members who they
    consider may be at risk if the family don’t want them to?
        Issues to consider:
        What age are minors able to make their own decisions and access information
         on their own behalf (See Information Sheet 6)?
        HPP 2.2 - Disclosure of information in certain circumstances without consent
        Genetic implications with family information


10. A husband rings his wife’s psychologist and tells the psychologist he is having an
    affair, which he believes is affecting his wife even though he thinks she doesn’t
    know about it. He asks the psychologist not to let the patient know because she
    will only be upset. He just thought the psychologist should know, so he can take
    it into consideration whilst treating the wife. Later the wife requests access to the
    information held by the psychologist. Is she entitled to the information provided
    by the husband? If the psychologist does not provide access does he have to tell
    her why?
    Issues to consider:
        HPP 6 - Access
        Assessment of information before access is given


       Information given in confidence by person other than individual or health
        service provider
       Provision of reasons for refusal of access


11. A GP refers a patient to a specialist. The specialist sends a report about the patient
    to the GP. The patient requests a copy of their medical file. Does the GP have to
    release the specialist’s report that he/she has on a patient’s file (this occurred after
    1 July 2002)?
    Issues to consider:
       HPP 6 - Access
       Holder of health information has an obligation to provide access even if
        information is held jointly by another organisation


12. An employee asks to have a look at their holiday leave entitlement and pay details
    under the HRA. Has the employer an obligation to give access to the information?
    Issues to consider:
       HRA covers health information only, and entitlement to look at health
        information only. If you are a public sector organisation or funded by the
        public sector, the employer may have an obligation under the Information
        Privacy Act and FOI. If the organisation is part of the private sector, the
        employer does not have an obligation to give access, although they may
        choose to do so.


Collection:

13. A GP refers a patient to a psychiatrist with consent. After visiting the psychiatrist,
    the patient visits the GP and realises that the psychiatrist has revealed all her
    conversation with him in a letter to the GP. The patient is upset because she
    didn’t realise this would happen and did not want the GP to know some of the
    information. Did any breach of the Health Records Act occur?
    Issues to consider:
       HPP 1.4 - Information given at the time of collection
       HPP 2.2 - Use and disclosure of health information



14. A new client visits a psychologist for consultation. The client states that it is the
    health issues of living with her friend that is causing her the distress, and then
    goes into detail about what those health issues are. The psychologist now has
    health information about an individual that was collected from a third party. Do
    they have an obligation to tell that person about the information they have?
    Issues to consider:
       HPP 1.5 - Collection of health information from a third party
       Health Records Regulations 2002 – collection of family information


15. A patient comes into an alternative therapy clinic, and is given a brochure to read
    outlining information required in a collection statement. The patient decided that
    they didn’t want to be bothered reading it, and had a bit of a discussion with the
    therapist at the time of consultation about how information would be used and
    disclosed. Afterwards, the patient complains that they “didn’t know that was
    going to happen”. What should the therapist have done?
    Issues to consider:
       HPP 1.4 - Information given to individual at the time of collection
       Good record keeping – records showing consultation reflect conversation


16. A patient attends a massage therapist for the first time and is given a document to
    complete that asks for information which the patient thinks is irrelevant. She
    questions the therapist as to why they need to collect such information. What
    information should the therapist collect?
    Issues to consider:
       Collection of information that is necessary for providing health service
       Decision by the therapist as to what is necessary, can explain to the client why
        this is so




Use and disclosure:

17. A pathology service contacted a referring doctor, as address details were incorrect
    on the patient referral and no billing could occur. The doctor refused to give the
    information because of privacy. Is this correct?
    Issues to consider:
       HPP 2.2(a) - Disclosure of health information for a secondary purpose directly
        related to the primary purpose that the individual would reasonably expect
       HPP 3 - Health information should be kept accurate, complete and up to date


18. A friend of a hospital employee was given their home phone number by the HR
    department. Is this a breach of the Health Records Act?
    Issues to consider:
       Not health information under the HRA, but personal information. If the
        employee works in a public hospital then there is a potential breach of the
        Information Privacy Act, otherwise no privacy legislation applies. However,
        this is not best practice.
       Think about what you would want to happen if it was you


19. A patient rings her local doctor and asks for a prescription to be written up, which
    she will come in later to collect. The patient is unable to collect the script, but her
    husband comes in to get it. What should the receptionist do?
    Possible options:
       Getting consent of patient in advance for this to happen, especially if it is a
        common occurrence
       Should the husband bring a note from the wife asking for him to be given the
        script? (Giving consent)
       Can the wife be contacted to give consent after the husband arrives?
       Is there possibility for implied consent?


20. A patient is admitted to hospital for surgery. Does the hospital need to get
    separate consent to use the information to provide surgical care such as
    anaesthetist, drugs, and physiotherapy? What about when the patient goes home
    and the hospital wishes to organise home help for the patient?
    Issues to consider:
       HPP 2.1 – Use of health information for the primary purpose for which it was
        collected, therefore if admitted for surgery separate consent for each part of
        that admission to occur is not required
       Discussed home help with patient, if patient agrees then they would
        reasonably expect the information to be provided to the home help service for
        it to occur
       Disclosure is limited to that necessary for the purpose
       Consent is an alternative not a necessity for some transactions


21. A patient refuses to pay monies outstanding for services provided by his/her
    doctor. Can the doctor provide information to a debt-collecting agency to recover
    money owed?
    Issues to consider:
       HPP 2.2(a) - Disclosure of health information for a secondary purpose directly
        related to the primary purpose that the individual would reasonably expect
       Disclosure limited to that necessary for the purpose of collecting the
        outstanding money


22. The Occupational Health & Safety Regulation 1977 states that “the employer has
    the responsibility to notify Work Safe Victoria if a person is killed, injured or
    exposed to serious immediate risk regardless of whether that person is an
    employee or not”. A child is injured at school - Is it a breach of the Health
    Records Act to notify Work Safe Victoria? Does the school need the consent of
    the parent?
    Issues to consider:
       If a provision in the HRA is inconsistent with a specific provision made by or
        under any other Act, that other provision prevails to the extent of the
        inconsistency
       HPP 2.2(c) - Use or disclosure required, authorised or permitted by another
        law, consent is not required


23. A hospital is using health information for the training of staff. Does it need to let
    the patients know this is happening and who is receiving the actual training?
    Issues to consider:
       Use of health information falls under HRA not Health Services Act
       At the time of collection let individual know that this may happen
       HPP 2.2(f) - Use of health information for training purposes
       HPP 1.6 - States you don’t need to specify identity or classes of persons to
        whom information may be disclosed for this purpose


24. An employee has recently been diagnosed with a form of depression and has just
    started taking medication to stabilise it. Prior to their return to work, the employer
    will be requesting a letter from their Doctor/Psychiatrist stating they are now
    stable and ready to return to work. Additionally, the psychiatrist will be providing
    this employee with a list of "coping mechanisms" for them to refer to when they
    think they have lost control of a situation or need time-out. The employer would
    like to make it a stipulation that this person's medical condition is disclosed to his
    immediate work group members, so they can also be advised of what signs to look
    for when this person is not coping and what mechanism should be followed to
    alleviate the stress load. They believe it would be negligent not to inform the staff
    on how to look out for this employee's welfare and safety in addition to their own.
    The employee in question however, does not want this medical information to be
    disclosed to anyone else. Has the employer the right to stipulate that a condition
    of the employee’s return to work is to inform his immediate work group of his
    medical condition and what the coping mechanisms are?
    Issues to consider:
       Would there be sufficient grounds to disclose information under HPP 2.2(h) -
        serious and imminent threat to life & health? There has been specific refusal
        of consent and the threat to life or health does not appear to be serious or
        imminent. If there should be a disclosure in these circumstances then it would
        be to a specialist services type organisation, not necessarily to workplace
        colleagues. However because the employee has said they did not want the
        disclosure the organisation should not disclose the information.


25. A pharmacist believes a client has been ‘doctor shopping’. Should they tell other
    pharmacists and local doctors to be aware of this particular person?
    Issues to consider:
       Serious and imminent threat to life or health, serious threat to public health or
        safety
       Suspect that unlawful activity has been, is being or may be engaged in and not
        a breach of confidence to disclose information
       Disclosure would be reasonably necessary for law enforcement functions by or
        on behalf of law enforcement agency, such as the police


26. Police attend an emergency department to ask if there have been any patients
    admitted with an open wound as they have reason to believe a suspect has been
    injured. Can the nurse or admission staff give them any information? If they do
    tell the police, is there any further action they should take? (HPP 2.3)
    Issues to consider:
       Section 141 Health Services Act – Confidentiality and release of information
        to third parties
       Other legal obligations to disclose information to police, such as warrants
       See Information Sheet 2


27. An intellectually disabled child is sick in a residential facility. The child’s parents
    have no authority under law (are not legal guardians or legal representatives).
    They approach the facility to find out the circumstances of their child’s illness.
    Should the facility tell them anything about the circumstances of the child?
    Issues to consider:
       HPP 2.4 - Disclosure of health information to immediate family member for
        compassionate reasons


28. A skeleton is found buried in bushland. Police suspect it may be a certain missing
    person, but they need confirmation from dental records. Can the dentist give the
    dental records (health information) to the police?
    Issues to consider:
       HPP 2.5 - Use or disclose health information where it is known or suspected
        an individual is dead or missing for purposes of identifying that individual


29. A man is very distressed that the details of his child's illness were in the
    newspaper, and wanted to complain about the hospital that had disclosed the
    information. It was discovered that the next-door neighbour had told the
    newspaper, and that the hospital had not breached the Act. Has the next-door
    neighbour or the newspaper breached the Act?
    Issues to consider:
       Exemptions: news activities, personal, family or household affairs


Data security & retention:

30. A health service provider transfers health information to another
    individual/organisation and does not continue to hold any record of that
    information. What does the provider need to do?
    Issues to consider:
       HPP 4.4 - Make a written note of the name and address of the individual or
        organisation to which it was transferred


31. When is an organisation other than a health service provider permitted to take
    reasonable steps to destroy or permanently de-identify health information?
    Issues to consider:
       HPP 4.5 - When it is no longer needed for the purpose for which it was
        collected or any other purpose authorised by law?
       What was the purpose for which it was collected? Are there any other laws
        that require the organisation to keep the information for a longer period?


32. A 15 year old attends a GP. How many years must the GP retain the information
    relating to this individual from their last consultation? What happens in the case
    of her 37 year old mother?
    Issues to consider:
       Health service providers must keep health information collected when an
        individual was a child until
            o after the individual attains the age of 25;
            o or until more than 7 years after the last occasion on which the provider
                 provided a health service to the individual, whichever is the latest.
       For adults it must be kept for the 7 years


33. A health service provider’s filing cabinet of patient records is accessible to
    patients when the receptionist leaves the front desk. What should the health
    service provider do to protect the health information it holds from misuse, loss,
    unauthorised access, modification and/or disclosure?
    Issues to consider:
       Locks on the cabinet
       Never leaving the area unattended
       Moving the cabinet to another location where it would be more secure



Openness:


34. Children seeking a nursing home for their parents decide they would like to
    compare and contrast the facilities they are inspecting. How can they find out
    how the health information is managed at each organisation?
    Issues to consider:
       Each organisation has a document expressing policies on how it manages
        health information, which should be made available to anyone that asks, not
        just clients
       HPP 5


35. What should an organisation set out in a document regarding their management of
    health information? Who should this document be made available to?
    Issues to consider:
       The document should contain clearly expressed policies on how the
        organisation manages the health information it holds
       It contains the steps the individual must take in order to obtain access to health
        information about them
       The document should be made available to anyone that asks
       HPP 5


36. A patient, who is concerned about health privacy, is very wary of choosing a new
    health service provider. How can they be confident that their health information
    will be protected and know how it will be managed once collected?
    Issues to consider:
       Each organisation has a document with expressed policies on how it manages
        health information
       It should be made available to anyone that asks, not just clients
       HPP 5


Identifiers:

37. A radiology service has their entire patient health information filed under the
    Medicare number - Is this permissible?
    Issues to consider:
       HPP 7
       Public sector identifiers such as Medicare number or drivers licence cannot be
        used for a purpose not required by law or the purpose for which it was
        assigned


Data Quality:

38. A medical clinic observed that its patients were moving house without notifying
    them. What could you suggest the clinic do to try and keep their data more
    accurate and to note these types of changes?
    Issues to consider:
       When you have patient contact, ask them if they are still at the same address
       Have a notice in the waiting room reminding patients to notify the clinic if they change address
       When you receive notification of change, update database immediately
       If sending information to patient, always send from the database that is known
        to have the most up to date information (address recorded in record may not
        have changes noted)


Anonymity:

39. A patient rang an organisation and did not want to give his name. If this is lawful
    and practicable for this organisation, is he permitted to remain anonymous?
    Issues to consider:
       Organisation needs to consider if it is able to comply with the request –
        depends on type of organisation and legal requirements of the organisation
       Individual should be told any possible implications for example, cannot claim
        Medicare if name and number are not given
       Ways to be anonymous – use an alias


Transborder Data Flows:

40. A patient is moving to NSW and has requested a copy of the health information
    about him be forwarded to a GP in NSW. What must the current GP ensure
    before sending the information?
    Issues to consider:
       Has the patient consented to the disclosure interstate? Or does NSW have
        similar laws as the HPPs regarding privacy?


41. A patient is moving to New Zealand and requests that his health information be
    sent to a psychologist in Auckland. How should the current treating psychologist
    react to this request?
    Issues to consider:
       Has the patient consented to the disclosure overseas? Or does New Zealand
        have similar laws as the HPPs regarding privacy?


Transfer/closure of the practice of a health service provider

42. A patient discovers that their local medical clinic has been bought and taken over
    by a new set of health service providers. The patient does not want to attend the
    practice anymore and rings to ask about accessing their health information. The
    patient is told they can have their health information for a flat fee of $25. Is this
    permissible and what may have been a better outcome?
    Issues to consider:
       Should be treated as request for access, and Health Record Regulations 2002
        apply
       Could ask for information to be transferred to new HPS under HPP 11


Making Information available to another health service provider:

43. A patient moves house and asks her previous chiropractor to send the health
    information about her to a new chiropractor closer to her new home. What is the
    chiropractor required to do?
    Issues to consider:
       Only required to send a copy not the original
       Must send the health information as soon as practicable
       No exemptions apply for transferring health information from one health
        service provider to another at the request of the patient
       May charge a fee but not exceeding the maximum specified in the Regulations
       See HPP 11


44. A woman requests a copy of health information about her be sent to a new health
    service provider by her current GP who she has been seeing for 10 years. The GP
    charges her $40. Is this permissible?
    Issues to consider:
       May charge a fee but not exceeding the maximum specified in the Regulations
        (see copy of Regulations in the Reference materials)




                                  Useful References


Health Services Commissioner
Level 30
570 Bourke Street
Melbourne 3000
www.health.vic.gov.au/hsc
hsc@dhs.vic.gov.au
Tel: (03) 8601 5200
Toll Free: 1800 136 066
Facsimile: (03) 8601 5219
TTY: 1300 550 275


Federal Privacy Commissioner
GPO Box 5218
Sydney NSW 1042
www.privacy.gov.au
privacy@privacy.gov.au
Local call: 1300 363 992
Facsimile: (02) 9284 9666
TTY: 1800 620 241


Victorian Privacy Commissioner
GPO Box 5057
Melbourne 3001
www.privacy.vic.gov.au
enquiries@privacy.vic.gov.au
Tel: (03) 8619 8719
Local Call: 1300 666 444
Facsimile: 8619 8700


The Ombudsman Victoria
Level 22,
459 Collins Street
Melbourne Victoria 3000
www.ombudsman.vic.gov.au
Telephone: (03) 9613 6222
Toll Free: 1800 806 314
Facsimile: (03) 9614 0246




                 SUGGESTED REFERENCES FOR TRAINERS




The following useful references can be found on the Health Services Commissioner
website at www.health.vic.gov.au/hsc


   The Health Records Act 2001
   Consumer Views on Implementation of the Health Records Act
   Multi-lingual Patient Information Brochures
   Statutory Guidelines issued by the Health Services Commissioner on Transfer or
    Closure of a Practice or Business of a Health Service Provider
   Statutory Guidelines issued by the Health Services Commissioner on Research
   Links to related legislation such as Freedom of Information Act 1982


Information concerning the Commonwealth Privacy Act can be found on the Office of
the Federal Privacy Commissioner’s website at www.privacy.gov.au


Information concerning the Victorian Information Privacy Act can be found on the
Privacy Victoria website at www.privacy.vic.gov.au


All these websites are continually being updated with additional reference materials
so keep an eye on these sites for updated information that may be relevant for your
organisation.




                       Suggested checklist for trainers




       Clarify which staff in the organisation need to attend training.

       Determine the process for receiving nominations to attend training. For
        example, managers may nominate staff or the sessions may be advertised for
        staff to nominate themselves.

       Determine how many training sessions will be required.

       Determine who will be delivering each session and any additional speakers,
        for example CEO, who you may wish to invite.

       Determine dates for the training sessions.

       Arrange venues for the training sessions.

       Arrange catering if required.

       Ensure availability of training equipment, for example projection equipment,
        whiteboard, and microphone.

       Promote the training sessions to managers and staff and advise of nomination
        process. (See the sample flyer included in this package.)

       Receive nominations.

       Send pre-training information to participants to confirm the date, time and
        location for the session and to inform participants about what they can expect
        from the training. (See the sample pre-training information in this package.)

       Read through the slides and speakers notes and add your own notes regarding
        how you will present the information, anecdotes you wish to add etc. Add in
        information specific to privacy and your organisation. Consider the types of
        questions and issues that are likely to arise.

       Read through the activities and consider the types of issues which might arise
        in discussions and how you will respond to these. Consider points that you
        could suggest if the participants have difficulty starting an activity. Make sure
        that you know the correct answers to activities such as the quiz.

       Read the suggested references for trainers for background information.

       Print out the reference materials for participants and prepare a copy for each
        participant.


       Print out the activity sheets and prepare a copy for each participant.

       Cut up the cards for use in Activity 3 and ensure that you have one set for each
        small group of participants in the session.

       Consider whether you want to ask participants to provide written feedback on
        the training and the type of questions to include on the feedback form. (See
        the sample evaluation form in this package.)




Why?
     The Health Records Act 2001 regulates the way
      organisations handle personal health information.

     From 1 July 2002, the public have had a right to complain
      to the Victorian Health Services Commissioner if they
      feel that their privacy has been breached by a Victorian
      public or private sector organisation.

     All staff that handle personal health information need to
      be familiar with the requirements of the Health Records
      Act.



When?


Where?


How to nominate




Your place in the training session “Health Privacy in Victoria –
what you need to know” has been confirmed. The session will
take place

on (insert time and date)

at (insert venue details)

Please contact (insert contact name) on (insert phone number
or email) if you are no longer able to attend.


The session will provide:

 An outline of the different privacy laws affecting Victorians

 A general overview of the requirements of the Health
  Records Act 2001

 An opportunity to consider how the Health Records Act will
  impact on handling of personal health information in your
  work context.




                      Office of the Health Services Commissioner
                       Health Records Act Awareness Training
                                    Evaluation Form
Date of session:
_________________________________________________________________


What did you find most helpful about this training session?
_____________________________________________________________________
_____________________________________________________________
_________________________________________________________________
_________________________________________________________________

What did you find least helpful about this training session?
_________________________________________________________________
_________________________________________________________________
_________________________________________________________________

Was there anything you wanted to know about and were not told?
_____________________________________________________________________
_____________________________________________________________
_________________________________________________________________

Do you feel you have sufficient training and/or resources to train others on the Health
Records Act? What could be included or changed to improve the training session?
_________________________________________________________________
_________________________________________________________________
_____________________________________________________________________
_____________________________________________________________
_____________________________________________________________________
_____________________________________________________________

What level of information did you have about the Health Records Act 2001 prior to
attending this training session? (circle: 1 = no knowledge and 10 = extensive
knowledge)

1       2        3       4        5          6   7   8         9    10

What level of information do you have after attending this training?
(circle: 1 = no knowledge and 10 = extensive knowledge)

1       2        3       4        5          6   7   8         9    10

Thank you for participating in the session and providing feedback.



