The collection of clients’ private information is an important everyday task for many businesses.
Private information helps businesses across a range of industries to give their clients the best possible service. Providers of health services, in particular, use personal information to tailor treatment and exercise regimes to the specific needs of clients and patients.
The owners of these businesses are often unaware of the strict privacy rules which operate within Australia. These rules restrict the way health services providers are permitted to use the personal information that they collect.
This article will give you some guidance as to whether or not your business is a ‘health services provider’ for the purposes of Australian privacy law, what happens if you do not comply, and how you can comply in the future.
What is the law and who needs to comply?
The rules governing privacy are set out in the Privacy Act 1988 (Cth) and the Australian Privacy Principles, which are in Schedule 1 to the Privacy Act (the Privacy Rules). Without getting too technical, these rules ensure that, for certain types of businesses, the collection and management of personal information is done in an open and transparent way.
Subject to a few exceptions, only organisations with an annual turnover of more than $3 million need to comply with the Australian Privacy Principles. One of these exceptions is any organisation that is deemed to be a ‘health service provider’, irrespective of annual turnover.
Is my business a Health Service Provider?
Health service providers are organisations that provide services in relation to physical, emotional, psychological and mental health.
Entities providing health services to individuals and holding any health information (except employee records) must follow the Privacy Rules.
A health service is an activity performed in relation to an individual that is intended or claimed to:
- assess, record, maintain or improve an individual’s health;
- diagnose an individual’s illness or disability;
- treat an individual’s illness or disability or suspected illness or disability; or
- dispense or prescribe a drug or medicinal preparation by a pharmacist.
The Office of the Australian Information Commissioner (OAIC) gives an overview of the types of organisations that are generally accepted to provide health services. These are:
- traditional health service providers, such as private hospitals, day surgeries, medical practitioners, pharmacists and allied health professionals;
- complementary therapists, such as naturopaths and chiropractors;
- gyms and weight loss clinics; and
- child care centres, private schools and private tertiary educational institutions.
As health information is a particularly sensitive category of personal information, any person or organisation that collects health information must abide by strict rules when dealing with it. The types of health information that a health service provider will hold are:
- information or opinions about:
  - the health or disability of an individual;
  - an individual’s expressed wishes about the future provision of health services to him or her;
  - a health service provided or to be provided to an individual;
- other information collected in the course of providing health services;
- information about a person’s intention to donate organs; or
- genetic information about a person.
What are the penalties for non-compliance?
If your business is required to comply with the Privacy Rules and fails to do so, it may be investigated by the OAIC. An OAIC investigation can be instigated either by a complaint from any individual, or by the Commissioner of his or her own accord.
If the Commissioner finds your business to be in breach, he or she has broad powers, including:
- conciliating any dispute between your business and a complainant; and/or
- other enforcement powers, including civil penalty orders.
How can I ensure that my business is operating within the law?