Overseas Privacy Regimes

Internal research paper comparing New Zealand’s Health Information Privacy Code 1994 with the health privacy laws of Victoria, Ontario and the United States

Prepared by

Sebastian Morgan-Lynch

Policy Adviser (Health)

October 2006


Table of Contents

A. Introduction

Health Records Act 2001, Victoria, Australia (“HRA, Victoria”)

Personal Health Information Protection Act 2004, Ontario, Canada (“PHIPA”)

Health Insurance Portability and Accountability Act, United States of America (Federal) (“HIPAA”)

B. Transparency

HRA, Victoria

PHIPA, Ontario

HIPAA, USA

C. Collection

HRA, Victoria

PHIPA, Ontario

HIPAA, USA

D. Use and Disclosure

HRA, Victoria

PHIPA, Ontario

HIPAA, USA

E. Access

HRA, Victoria

PHIPA, Ontario

HIPAA, USA

F. Accuracy and Correction

HRA, Victoria

PHIPA, Ontario

HIPAA, USA

G. Security

HRA, Victoria

PHIPA, Ontario

HIPAA, USA

H. Retention and Disposal

HRA, Victoria

PHIPA, Ontario

HIPAA, USA

I. Complaints

HRA, Victoria

PHIPA, Ontario

HIPAA, USA

J. Adverse Consequences

HRA, Victoria

PHIPA, Ontario

HIPAA, USA

K. Penalties and Enforcement

HRA, Victoria

PHIPA, Ontario

HIPAA, USA

A. Introduction

This research report considers the health information privacy regime in three overseas jurisdictions, having regard to differences between the relevant legislation and the Health Information Privacy Code 1994 (NZHIPC). It was prepared by the Policy Advisor (Health) to the Privacy Commissioner, a position created with funding from the Ministry of Health.

As might be anticipated, there are areas of similarity between the New Zealand health privacy regime and those of the other jurisdictions I have examined. I have highlighted areas where there is a notable difference and made recommendations for possible changes to the NZHIPC, having regard to the need for, and the pros and cons of, the possible change and whether the scope of the change would be permissible under section 46 of the Privacy Act 1993.

In considering the pros and cons of any change we need to consider a number of things – the current law, its goals, practical problems in achieving the goals, whether a change is necessary and whether the suggested change would be desirable. As this report is intended to be an overview, these considerations have been abbreviated, with a view to providing suggestions for further discussion.

Nothing in this report should be taken as indicating that the Privacy Commissioner favours or does not favour a particular proposed change to the NZHIPC.

Section 46

Section 46(2) sets out what may be accomplished by a code of practice issued under the Privacy Act, namely that:

(2) A code of practice may—

(a) Modify the application of any one or more of the information privacy principles by—

(i) Prescribing standards that are more stringent or less stringent than the standards that are prescribed by any such principle:

(ii) Exempting any action from any such principle, either unconditionally or subject to such conditions as are prescribed in the code:

(aa) Apply any one or more of the information privacy principles (but not all of those principles) without modification:

(b) Prescribe how any one or more of the information privacy principles are to be applied, or are to be complied with.

Accordingly any amendment to the NZHIPC which purports to have an effect beyond that allowed in section 46(2) risks being disallowed by the Regulations Review Committee as being out of scope.

The three pieces of legislation considered below are from:

·  Victoria, Australia;

·  Ontario, Canada; and

·  The United States.

I have examined these three overseas health information statutes in relation to how they address:

1.  Transparency

2.  Collection

3.  Use and Disclosure

4.  Access

5.  Accuracy and Correction

6.  Security

7.  Retention and Disposal

8.  Complaints

9.  Adverse Consequences

10. Penalties and Enforcement

Ontario, Victoria and the USA all have some form of non-health-specific privacy legislation at the Federal level. The focus of this paper is on examining different methods of regulating health information rather than comparing overall information privacy frameworks. Accordingly, I have not considered the interaction between different levels of government or between health-specific and non-health-specific enactments.

Health Records Act 2001, Victoria, Australia (“HRA, Victoria”)

The Health Records Act (HRA), which regulates health information privacy in Victoria and is administered by the Health Services Commissioner, came into force on 1 July 2002. The HRA regulates ‘organisations’, which are the effective equivalent of the NZHIPC ‘agencies’. The HRA has 11 health information privacy principles.

Victorians are subject to two other privacy laws, the Information Privacy Act 2000 (Vic) and the Commonwealth Privacy Act 1998.

The Information Privacy Act 2000 (Vic), administered by the Victorian Privacy Commissioner, came into force on 1 September 2002. This Act covers personal information (other than health information) held in the Victorian public sector and organisations funded by the public sector.

The Commonwealth Privacy Act 1998 is a Federal act that was amended to cover the private sector on 21 December 2001. It covers many private sector organisations that hold personal information, and all health service providers, and is administered by the Federal Privacy Commissioner.

Personal Health Information Protection Act 2004, Ontario, Canada (“PHIPA”)

PHIPA came into effect on 1 November 2004 and sets out the rules that “health information custodians” in Ontario must follow when collecting, using and disclosing personal health information.

Health information custodians include healthcare providers (e.g., doctors, nurses, etc.), hospitals, long-term care homes, homes for special care, community care access centres, pharmacies, medical laboratories, local medical officers of health, ambulance services, community mental health programs, and the Ministry of Health and Long-Term Care.

A key difference between Canada’s Federal privacy statute, the Personal Information Protection and Electronic Documents Act (PIPEDA), and PHIPA is that PIPEDA only applies to organizations that collect, use and disclose personal information in the course of commercial activities. PHIPA applies to health information custodians that collect, use and disclose personal health information, whether or not in the course of commercial activities, and does not incorporate information privacy principles.

Health Insurance Portability and Accountability Act, United States of America (Federal) (“HIPAA”)

HIPAA was enacted in 1996 and amended the Internal Revenue Service Code of 1986 to improve and simplify the regulation of health insurance schemes. Title II of the Act, Administrative Simplification, requires:

1.  Improved efficiency in healthcare delivery by standardizing electronic data interchange, and

2.  Protection of confidentiality and security of health data through setting and enforcing standards.

More specifically, HIPAA required the Department of Health and Human Services (HHS) to publish rules ensuring:

1.  Standardization of electronic patient health, administrative and financial data

2.  Unique health identifiers for individuals, employers, health plans and health care providers

3.  Security standards protecting the confidentiality and integrity of “individually identifiable health information”.

The Department of Health and Human Services (DHHS) issued final modifications to the Standards For Privacy Of Individually Identifiable Health Information, the "Privacy Rule," on August 14, 2002. The Privacy Rule regulates the activities of ‘covered entities’. References to HIPAA in this paper mean the Privacy Rule except where otherwise noted.

Covered entities are, broadly:

·  health plans (a “health plan” is a generic package of health benefits provided by agencies such as insurance companies, Medicare and Medicaid contractors, or the government);

·  clearinghouses (entities that convert electronic health care data from one format to another for billing or other purposes); and

·  health care providers who electronically transmit health information in connection with certain transactions (including claims for payment, benefit eligibility inquiries, and referral authorisation requests).

B. Transparency

There is a potential tension between an individual having control over his or her information and an agency’s ability to carry out its functions. One way of resolving that tension is to oblige the agency to be transparent about the use it intends to make of the information. This can be brought about by requiring the agency to formalise its information handling procedures.

Rule 3 of the NZHIPC requires agencies to take reasonable steps to ensure individuals are aware of what is to be done with their information before, or during, the act of collection. This can be effective, but it does not impose any general obligation of transparency; transparency is tied to the rule 2 obligation to collect directly from the individual, which has a number of broad exceptions. If information is collected indirectly, or received unsolicited, there is no obligation to inform the individual.

Each of the three overseas privacy regimes considered has a general transparency provision requiring agencies to make available to the public a statement of their policies in relation to the management of personal health information. This is not an obligation under the NZHIPC. While, as a matter of best practice, many agencies will have such a document and may choose to make it available on request, it is worth considering whether this obligation should be incorporated into the NZHIPC.

HRA, Victoria

Principle 5.1 of the HRA requires an organisation to set out in a document, available to anyone who asks for it:

·  Clearly expressed policies on its management of health information and

·  The steps that an individual must take in order to obtain access to their health information.

Larger health agencies in New Zealand would probably have this information available and provide it on request, but there is no legal obligation to do so under the NZHIPC.

There is also an obligation under this principle of the HRA to let an individual know, on request and in general terms, what information is held about them, for what purpose and how it is collected, held and disclosed.

Principle 1.4 provides that, when collecting information about an individual directly from that individual, he or she should be advised of why the information is to be collected, who is doing the collecting, who will see it and so on. This obligation is closely analogous to that in rule 3 of the NZHIPC, but without the explicit exceptions found in that rule. There is also an obligation, where collecting information about an individual from a third party, to take reasonable steps to ensure that the individual is or has been informed of the matters in principle 1.4.

PHIPA, Ontario

If a health information custodian becomes aware that information it is disclosing is inaccurate, incomplete or out-of-date it is obliged to clearly set this out for the recipient of the information[1]. Also, section 12(2) obliges agencies to notify the individual if personal health information about him or her is lost, stolen or accessed by unauthorised persons. There is no counterpart to these obligations in New Zealand legislation, though information about inaccuracy or a breach of security would probably be personal information and, as such, obtainable by way of an access request.

The obligation to inform the individual where information is used or disclosed outside the information privacy practices of the organisation is a potent one. To incorporate this obligation into the NZHIPC would improve transparency and be a strong encouragement to agencies to adhere to their own policies. However, it may be that such a change would amount to too great a departure from the principles as laid out in the Privacy Act. It is also dependent, to some extent, on the implementation of the general obligation of transparency mentioned above.

Transparency is also the goal of section 16(1), which obliges agencies to make available to the public a written statement that provides a general statement of the health information custodian’s information practice, contact details, how access and correction requests may be made and how a complaint may be made to the health information custodian and/or the Commissioner. This has a parallel in rule 3 of the NZHIPC, with the difference that in the case of PHIPA no collection needs to have taken place.

Section 16(2) imposes an even stronger obligation of transparency on a health information custodian holding personal health information. If the health information custodian uses or discloses health information about an individual, without his or her consent, and in a manner that is outside the scope of its own description of its practices, it is obliged to make a note of these uses or disclosures and advise the individual of them at the first reasonable opportunity. This last obligation, to notify the individual, does not apply if the individual would not have a right of access in respect of the information used or disclosed.

HIPAA, USA

Covered entities must provide a notice of their privacy practices describing the ways in which they may use and disclose protected health information. The notice must state the covered entity’s duties to protect privacy, provide a notice of privacy practices, and abide by the terms of the current notice. The notice must describe individuals’ rights, including the right to complain to HHS and to the covered entity if they believe their privacy rights have been violated. The notice must include a point of contact for further information and for making complaints to the covered entity. Covered entities must act in accordance with their notices. The Rule also contains specific distribution requirements for direct treatment providers, all other health care providers, and health plans, requiring the notice to be delivered:

·  Not later than the first service encounter by personal delivery (for patient visits), by automatic and contemporaneous electronic response (for electronic service delivery), and by prompt mailing (for telephonic service delivery);

·  By posting the notice at each service delivery site in a clear and prominent place where people seeking service may reasonably be expected to be able to read the notice;

·  In emergency treatment situations, as soon as practicable after the emergency abates.

A covered entity must also make its notice electronically available on any web site it maintains for customer service or benefits information.

A health plan must distribute its privacy practices notice to each of its clients, or ‘enrollees’. Thereafter, the health plan must give its notice to each new enrollee at enrollment, and send a reminder to every enrollee at least once every three years that the notice is available upon request.