Health agencies - use or disclosure of health information

Overview 

Health agencies are required to comply with the National Privacy Principles (NPPs) set out in the Information Privacy Act 2009 (Qld) (IP Act). 

NPP 2 provides that personal information may only be used for the purpose for which it was obtained and not for any other purpose, unless one of the exceptions applies. NPP 2 also provides that personal information must not be disclosed outside the health agency unless one of the exceptions applies. 

Definitions for NPP 2

NPP 2 (6) In this section—

child, of an individual, includes an adopted child, a stepchild and a foster-child, of the individual.

enforcement body means an enforcement body within the meaning of the Privacy Act 1988 (Cth).

parent, of an individual, includes a step-parent, adoptive parent and a foster-parent, of the individual.

relative, of an individual, means a grandchild, uncle, aunt, nephew or niece, of the individual.

sibling, of an individual, includes a half-brother, half-sister, adoptive brother, adoptive sister, stepbrother, stepsister, foster-brother and foster-sister, of the individual.

Use and disclosure of health information

There is a high degree of statutory regulation of the use and disclosure of public sector health information in Queensland, in particular under Part 7 of the Hospital and Health Boards Act 2011.

The Hospital and Health Boards Act 2011 imposes a strict duty of confidentiality on all employees, officers and agents of health agencies. This duty prohibits the giving of any information to another person (including another health agency employee) if the information would enable a person who is receiving, or has received, a public sector health service to be identified. It also sets out exceptions to the duty, that is, the circumstances where the duty does not apply. 

The Hospital and Health Boards Act 2011 relates to giving information to another person. If information is used without being given to another person, it does not apply. For example, a health practitioner may collect personal information for the purpose of health service delivery and then decide at a later date to contact the person themselves and invite them to be part of a discussion group for the condition. However, the requirements in NPP 2 relating to use will still apply. 

In summary, the following rules apply to the use and disclosure of health information.

  • Where health information has been collected in the context of providing a health service use and disclosure is governed by the duty of confidentiality in the Hospital and Health Boards Act 2011. However, this does not govern situations where information is used without being given to any other person, but note that NPP 2 still applies.
  • Where health information has been collected through a statutory provision (for example, information provided to the Pap Smear Registry) then it will be subject to any statutory requirements relating to use and disclosure. 
  • Where the Hospital and Health Boards Act 2011 does not apply and there are no statutory requirements relating to use and disclosure, NPP 2 will apply. For example, NPP2 applies to information provided in a medical certificate provided by a departmental officer. 
  • Where there is any doubt surrounding whether or not health information can or should be used or disclosed, advice should be sought from senior management in the first instance.  

Consent to disclose health information when dealing with children and young people

Parents do not have an automatic right to their child’s personal health information. A key consideration in deciding whether to disclose information to a parent is the child’s capacity or competence to consent to the disclosure of information. 

Determining competence can be complex. Health agency officers will need to carefully assess the young person’s maturity and their understanding of the relevant issues. There will be younger persons, in certain circumstances, who have sufficient maturity and understanding to make their own decisions. Conversely, there may be older teenagers who lack such competence. The proposed use or disclosure of the child’s information is also relevant. For example, further treatment of the child where the family is moving interstate or overseas versus for the purpose of family court proceedings. 

Further, it is important to consider whether the disclosure of the child’s information is in the best interests of the child. For example, if a parent is abusive toward a child or other family members, departmental officers may decide there are reasonable grounds to believe a disclosure of the child’s health information would be harmful or contrary to the child’s interests.

Child or young person assessed as not competent to consent to disclosure

Where a child or young person is not competent to make their own privacy decisions a departmental officer can discuss the young person’s health information with a parent or legal guardian. The information given should be limited to that which is necessary. Other information about the child that is not relevant should not be divulged.  Where the parent or legal guardian (or any third party) wishes to access the child or young person’s health record, an application should be made under the IP Act or the RTI Act. 

Even if the young person is not competent, their views should still be considered, as should, the risks and benefits of disclosure in the circumstances. 

Child or young person assessed as competent to consent to disclosure

In circumstances where a young person is capable of making their own decisions regarding their privacy, their wishes should be followed.

Current as at: August 26, 2014