New health information sharing legislation could compromise Victorians’ privacy rights

Recently, the upper house of the Victorian Parliament passed the Health Legislation Amendment (Information Sharing) Bill 2023. The Bill introduces an electronic patient health information sharing system to enable public hospitals and other specified health services to share Victorians’ health information. However, the new legislation has been contentious as it doesn’t provide people with the choice to opt out of information sharing and doesn’t require consent from people before their health information data is shared.

President of the Law Institute of Victoria, Tania Wolff, raised concerns that it would create a ‘risk that individuals will disengage from health services or not seek medical treatment because they are afraid their information will be shared.’

President of Liberty Victoria, Michael Stanton, said that ‘if a person does not feel that they have control over their private health data, they may be unwilling to disclose vital information, and this could have tragic consequences.’

This is particularly concerning for vulnerable groups who often experience stigma or discrimination in healthcare settings, such as people with hepatitis C, people who use illicit drugs, and people with HIV.

In response to these concerns, the Bill was amended to mandate a ‘Privacy Management Framework’ for the electronic patient health information sharing system that will specify what categories of health information are sensitive in nature. This will include a process to safeguard that information, as well as a process that enables patients to obtain reports on who has accessed their health information.

Concerningly, however, the Bill has made the electronic patient health information sharing system exempt from some of the Health Privacy Principles that protect the privacy of an individual’s health information. These include the principles that an organisation should collect health information about an individual directly from the individual and that, if an organisation collects health information about an individual from someone else (including a participating health service), the individual should be made aware of their right to gain access to that information. Under the new legislation, an individual won’t have a right to access and correct information on the electronic patient health information sharing system. In addition, the Health Complaints Commissioner has not issued guidelines on the other Health Privacy Principles that do apply, such as those around use and disclosure of health information, which may increase the risk of privacy breaches.

The Bill will now return to the lower house, which will consider the amendments for a new Privacy Management Framework. However, Wolff has said that while ‘Victorians deserve a choice in how their sensitive health information is used and disclosed [and] while… these amendments aim to strengthen privacy protections for Victorian patients, the reality is it still falls short of what is required.’

With this in mind, we recommend that the Health Complaints Commissioner issue guidelines on the Health Privacy Principles that apply to electronic patient health information – and to health information more generally – so that privacy is properly protected when it comes to the use and disclosure of people’s health information. We also suggest that the Government simplify the process for individuals to access and correct their health records, given many currently have to resort to freedom of information requests to access their own information. It is important that individuals can access their own health records, and that their privacy is protected in the collection of this information.