The invitation reflects an application from Dr Steve Hambleton, President of the Australian Medical Association (AMA) for a public interest determination under s.73 of the Act. That application concerns collection by health service providers of third party health information that is relevant to a patient's family or social medical histories, without the third party's consent. In the absence of a determination, such acts or practices may be in breach of the Privacy Act.
Public Interest Determinations 10 (Collection of Family, Social and Medical Histories) and 10A (giving general effect to Public Interest Determination No. 10) currently permit the collection by health service providers of third party health information that is relevant to a patient's family or social medical histories, without the third party's consent.
In essence, the PID covers collection by practitioners of health information from an individual or from a person responsible for the health consumer regarding another individual (a 'third party') in circumstances where:
a) the collection of the third party’s information into the health consumer’s family, social or medical history [sic] is necessary for the applicant to provide a health service directly to the health consumer; andThe PID is thus narrower than the PID 11 and 11A, highlighted in this blog and in a Privacy Law Bulletin article, that empowers practitioners to embark on a genetic fishing expedition.
b) the third party’s information is relevant to the health consumer’s family, social or medical history; and
c) the applicant collects the third party’s information without obtaining the consent of the third party; and
d) the third party’s information is only collected from a person responsible for the health consumer if the health consumer is physically or legally incapable of providing the information themselves.
The Commissioner's consultation paper outlines the issues raised in the application, provides brief background information and suggests matters that could be addressed in submissions.
PIDs 10 and 10A expire on 10 December 2011. New PIDs will have to be made before this date in order for health service providers to continue to lawfully collect third party health information that is relevant to a patient's family or social medical histories.
The ALRC's 2008 For your Information: Australian Privacy Law and Practice report recommended that new health regulations should include provisions based upon PIDs 10 and 10A. The Australian Government' 'First Stage Response' to the ALRC Report accepted that an amendment should be made to overcome the need to issue PIDs in relation to this matter, although it indicated this should be achieved by way of amending the Privacy Act.
The Commissioner comments that -
Dr Hambleton notes that without a PID on this issue health service providers would be required to obtain the consent of third parties to collect personal and health information on these persons, and notify third parties of the collection of their information. Dr Hambleton asserts this is clearly impractical and could compromise the health care of patients. In addition, if a patient's social, family or medical history is not sought, this could require increased investigation procedures and possibly result in litigation in relation to medical negligence claims. Further, Dr Hambleton is of the view, as stated by ACHA Health in its application, the absence of a PID to exempt health care providers from NPP 10, would result in significant inefficiencies and impracticalities, which would have a detrimental effect on the provision of quality health care.The Commissioner states that in considering the application it looked at factors such as -
Dr Hambleton states that he considers it important to highlight the comments made in submissions during the previous consultation process, which noted that standards for the accreditation of general practitioners include the collection of current and accurate health summaries, including pertinent medical or social history information for patient care. Indeed, this practice is considered best-practice clinical care. He submits a patient's social, family or medical history information is collected in an environment of maximum consumer privacy (governed by professional codes of privacy and confidentiality) and clinicians are bound to treat personal information collected in the course of providing a health service as confidential, regardless of the person to whom the particular facts or opinions relate.
Dr Hambleton asserts the collection of a patient's full medical history, including social and family history, is considered best practice and in his experience the majority of patients have an expectation that questions of this nature will be asked. There is also a level of understanding among the general public of the importance of this history in informing their diagnosis and treatment. ...
If the determination sought by the applicant is granted health service providers will be allowed to collect third party health information from an individual, without the third party's consent, for inclusion in the individual's family, social or medical history where that information is necessary to provide a health service to the individual. It will also clarify that third party health information can also be collected from ‘a person responsible' for an individual where the individual lacks the capacity to provide that informational themselves. In the absence of the determination, health service providers engaging in this practice could be in breach of NPP 10.1. Accordingly, the likely effect of the determination will be to permit the established and widely supported healthcare practice of medical history-taking to continue.
* the important role the collection of social, family or medical histories from health consumers across all clinical settings and by all clinicians plays in delivering best practice health care;
* the extent to which the practice of collecting health consumers' family, social and medical histories for diagnosis, treatment and care - without the need to obtain third parties' consent - is widespread, considered best clinical practice and generally known and accepted in the community;
* the way in which the risk of harm to individuals through inappropriate use or disclosure of their sensitive information is reduced through the confidential setting and existing ethical protocols which exist for the collection of relevant information about both health consumers themselves and other relevant third parties; and
* the fact that third parties' information, once collected, will continue to be protected under NPPs 1 to 9 and 10.2 to 10.3. For example, NPPs 1.1 and 1.2 ensure that information that is collected should be confined to that necessary to an organisation's functions or activities, be collected only by lawful and fair means and in a way that is not unreasonably intrusive. Further, NPP 4.1 protects the security of personal information by providing that an organisation ‘must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure'.