The Health Records and Information Privacy Act 2002 (HRIPA) is a comprehensive legislation established to protect the privacy and security of health information in New South Wales (NSW), Australia. This legislative framework shares many similarities with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule in the United States in their goals to ensure data privacy, security, and handling of health information in the healthcare sector.
HRIPA is significant because the act plays a critical role in the evolving landscape of Australian healthcare information security and data privacy. Especially as healthcare entities move toward the digitisation of health records and patient information and as healthcare delivery systems grow more complex, HRIPA addresses many of the heightened concerns over public safety, data privacy, and data security.
Find out how UpGuard helps healthcare organizations stay compliant with industry regulations >
What is the purpose of HRIPA?
The primary purpose of HRIPA is to safeguard the use of health information for NSW residents and to guard their information privacy. HRIPA also establishes an operational framework as listed in the Health Privacy Principles (HPPs) within the healthcare system.
HRIPA regulates the accessibility and the sharing of health information for the delivery, research, and management of public health while ensuring that patients have rights over their health information, including the right to access and correct their data, and setting clear obligations for organisations handling such information.
HRIPA is also complementary to the Privacy Act 1988 (Privacy Act), which is a broader piece of legislation in Australia related to the handling of personal information across all sectors. Additionally, HRIPA also works pursuant to The Privacy and Personal Information Protection Act 1998 (PPIP Act), which outlines the responsibilities of the Privacy Commissioner and how public sector entities manage the handling of personal information.
Healthcare entities subject to HRIPA typically must also comply with the Privacy Act and the PPIP Act together. However, many of the principles remain similar in function, allowing organisations to achieve most guidelines and requirements by adhering to HRIPA.
HRIPA overview
The following is an overview of the key points listed in HRIPA, with details on its key provisions, enforcements, compliance standards, and guidelines:
Key provisions of HRIPA
HRIPA includes several key provisions designed to protect patient health information:
- Access to information: HRIPA details clear requirements for organisations providing clear and unobstructed access to individual personal information. HRIPA also details exemptions to such cases, such as situations where demands for information may cause a serious threat to another individual, be denied by law, or place unreasonable demands on the entity.
- Consent: The act emphasizes the need for patient consent to collect, use, or disclose their health information, with some exceptions of instances where consent is not required.
- Collection: HRIPA specifies that health information can only be collected for legitimate purposes directly related to the healthcare provider's functions or activities and must be done in a lawful and ethical manner.
- Use and Disclosure: The act outlines the conditions under which health information can be used or disclosed, including for the provision of healthcare, with consent, or for legally mandated purposes.
- Security: Entities must take reasonable steps to protect health information from misuse, loss of information, unauthorised access, data modification, or illegal disclosure.
- Exemptions:
Statutory guidelines of HRIPA
The NSW Office of the Privacy Commissioner has developed four main statutory guidelines under HRIPA. These statutory guidelines expand on the Health Privacy Principles (HPPs) and provide guidance on how healthcare organisations should handle sensitive information and provide clarity on the scope of HRIPA.
They relate to the following:
- Use or disclosure of health information for the management of health services: Organisations seeking to use or disclose health information for the purposes of funding, management, planning, or evaluation of health services to submit proposals, which will subsequently be reviewed by the Human Research Ethics Committee in accordance with the Statutory Guideline on Research.
- Use or disclosure of health information for training purposes: Organisations seeking to use or disclose health information (without the individual’s consent) require that employees being trained or those that work within the organisation and the people who will access health information during the training activity, sign an agreement stating that they are aware of the HPPs and that they agree to comply with those principles.
- Use or disclosure of health information for research purposes: Organisations seeking to use or disclose health information (without the individual’s consent) must submit research proposals to be reviewed by the Human Research Ethics Committee. Proposals will only be approved once the ethics committee determines whether the public interest in the research substantially outweighs the public interest in maintaining the level of privacy otherwise afforded by the HPPs.
- Collection of health information from a third party: Organisations may only collect health information about an individual from a third party (rather than directly from the individual themselves) when it is unreasonable or impracticable to collect it directly from the individual. As such, this guideline provides examples of instances where it is unreasonable or impractical and other exemptions of this guideline.
Health Privacy Codes of Practice
The Health Privacy Codes of Practice in HRIPA outline the specific requirements and best practices for handling health information.
- Consent procedures: Detailed guidance on obtaining consent for the collection, use, and disclosure of health information, including situations where consent is not required or can be implied.
- Information management: Best practices for the secure management of health records, including electronic health records (EHRs), to ensure data integrity, confidentiality, and access controls.
- Data security: Specific security measures tailored to the healthcare sector, including data encryption, secure data storage solutions, and protocols for the secure transmission of health information.
- Data access and correction: Procedures for facilitating patient access to their health records, including timelines, fees, and the process for correcting inaccurate or incomplete information.
- Use and disclosure for care coordination: Guidelines on sharing health information for the purpose of care coordination and treatment, outlining scenarios where information sharing is essential for patient care.
- De-identification and anonymization: Standards and methods for de-identifying health information for research or statistical purposes, ensuring individuals cannot be reasonably identified.
- Training requirements: Requirements for regular security training for all staff members who handle health information, ensuring they are aware of their obligations under HRIPA and the specific Codes of Practice.
- Breach notification and response: Protocols for identifying, reporting, and responding to data breaches, including notification procedures to relevant authorities and affected individuals.
- Compliance management: Requirements for regular audits, compliance monitoring, and reporting to ensure adherence to the Codes of Practice and HPPs.
- Handling complaints: Established processes for receiving and resolving complaints from individuals regarding the handling of their health information.
Key definitions of terms in HRIPA
HRIPA defines the following key terms as such:
- Authorised representative: An individual who can act on behalf of another individual who is incapable of performing an act as permitted or required by HRIPA, such as providing consent, due to reasons such as age (in the case of children), injury, illness, or impairment
- Health information: Information relating to an individual's physical or mental health, health services provided, or other information collected in the healthcare context.
- Health service: Services provided by either public or private providers, including but not limited to services of the following: general medical, mental health, dental, pharmaceutical, ambulance, medical education, community health, welfare, alternative health, optical, therapeutical, occupational therapy, psychology, and more.
- Health service provider: Entities or individuals who provide health services and are responsible for maintaining health records.
- Personal information: Information or an opinion about an identified individual or an individual who is reasonably identifiable.
- Public sector agency: Any organisation, person, or body appointed under the government that handle or process personal health information, or receives funding from any such body to perform health services.
Who does HRIPA apply to?
HRIPA applies to all persons or organisations that are considered health service providers or other entities that collect, hold, process, or use health information. These bodies typically include doctors, health practitioners, hospitals, and private practices. This includes all of the following:
- Public sector organisations, government agencies or related government department that provide a health service or handle and process health information
- Private sector organisations that provide a health service or handle and process health information
- Public or private sector persons that provide a health service or handle and process health information
How is HRIPA enforced?
The NSW Privacy Commissioner is mainly tasked with enforcing HRIPA, overseeing compliance, investigating complaints, and enforcing the Act. The Privacy Commissioner has many responsibilities, including:
- Audits and inspections: Conduct audits of healthcare entities to ensure compliance with privacy and security standards.
- Investigating complaints: Look into complaints filed by patients regarding mishandling of health information.
- Enforcement actions: Take action against non-compliant entities, which can include handing out monetary penalties, requiring corrective measures, initiating legal proceedings, or imposing legal sanctions.
- Providing guidance and information: Assist organisations looking to adopt and comply with the HPPs.
- Conduct research: To collect any and all research related to the handling and protection of health information
- Publishing guidelines: To continually prepare, update, and publish necessary guidelines related to the handling of health information
Examples of non-compliance
Non-compliance with HRIPA can manifest in various ways, reflecting the breadth of the act's requirements. Examples include:
- Unauthorised disclosure: Illegal disclosure of the information without proper consent or legal justification.
- Inadequate security measures: Failing to implement sufficient security protocols to protect health information from unauthorised access, theft, or breaches.
- Improper access: Employees or third parties accessing health records without a legitimate reason or beyond their authorisation
- Failure to provide access: Failing to allow patients to access their health records within the accepted time frame or refusing information correction requests.
Penalties for non-compliance
Penalties under HRIPA can vary based on the nature and severity of the breach. These might include:
- Monetary penalties: Imposed on entities or individuals for breaches. The exact amounts vary based on the severity of the violation and whether it was a first-time offense or a repeated violation.
- Corrective actions: Entities may be required to take specific actions to fix non-compliance issues.
- Legal proceedings: Courts may issue orders preventing an entity from continuing practices that violate HRIPA until compliance standards are met.
How healthcare entities can comply with HRIPA
Compliance with HRIPA involves a multi-faceted approach:
- Establishing privacy policies and procedures: Developing comprehensive privacy policies and procedures that align with HRIPA requirements.
- Conducting employee training: Providing regular training for employees on their obligations under HRIPA and the responsibility of protecting health information.
- Implementing adequate security measures: Implementing sufficient physical, administrative, and technical security measures to protect sensitive data.
- Performing regular audits: Conducting regular self-audits to ensure ongoing compliance and identify areas for improvement.
Learn how UpGuard helps healthcare entities stay compliant with relevant regulations >
Public vs. private sector healthcare entities
The HRIPA distinguishes between public and private sector entities in terms of specific obligations, exemptions, or compliance requirements. For example, the following outlines the differences in each type of entity:
- Reporting requirements: Public sector entities have additional reporting obligations to government bodies compared to private entities.
- Oversight and accountability: Oversight and accountability can differ, with public entities possibly subject to more stringent review processes under the Privacy Commissioner.
- Funding and resources: Public entities may have additional access to government resources and support for compliance that private entities do not.
