Access to health information held by health service providers
Month 2015
This business resource explains the requirements under Australian Privacy Principle (APP) 12 in the Privacy Act 1988 (Cth) (Privacy Act) to give patients access to their health information.[1] APP 12 requires you to give access on request, unless an exception applies. This resource is part of a series that outlines what private sector health service providers need to know about handling their patients’ health information. Some of the key health privacy terms used are explained in Business resource: Key health privacy concepts, while other terms are explained in the Australian Privacy Principles Guidelines.
Processing and responding to access requests
Access requests could range from a request for a single document or piece of information to a request for a copy of the patient’s entire record.
When responding to an access request, you should try to provide access in a manner that is as prompt, easy and inexpensive as possible. You can decide how you will process access requests; however, any procedures must meet the minimum access requirements in APP 12, and should facilitate access.
APP 12 requires you to give a patient access to their personal information ‘on request’. The APPs do not require access requests to be made in writing. Your organisation’s APP 1 privacy policy[2] must state how patients can access their personal information. When you collect a patient’s health information[3], you must take reasonable steps to ensure they are aware of this (APP 5.2(g)).[4]
Responding to access requests
You must address access requests within a reasonable period.[5] What is reasonable depends on factors such as the scope and clarity of the request, whether the information can be readily located and assembled, and whether consultation with the patient or other parties is required.[6] However, in most cases a reasonable period will be 30 calendar days or less.
Identifying the individual
You must ensure the access request has been made by that patient or by someone who is authorised to request access on their behalf,[7] such as a legal guardian or another authorised person.[8]
Your organisation should implement robust identity verification procedures when giving access to health information. What steps are appropriate depends on the circumstances. For example, if a patient who is well known to you requests access during a consultation, it will be unnecessary to further verify their identity. If you do not know the patient or there is any doubt as to their identity, you should verify it. See the APP guidelines ‘Verifying an individual’s identity’.
Giving access
Access to personal information can be provided in a variety of ways, such as:
· providing a copy of the information as an electronic record or hard copy, such as an electronic copy of an x-ray or a photocopy of a paper record
· letting the patient view the information and letting them take notes
· giving the information over the phone, for example test results
· giving the patient an accurate summary of the information, if this may be helpful[9]
· allowing the patient to listen to or view the contents of an audio or video recording
Where a patient requests access in a particular form, you must provide access in the manner requested, if this is reasonable and practicable.[10] Whether a particular form of access is reasonable and practicable would depend on factors such as:
· The volume of information requested: for example, if a patient wants access to a large report you could consider providing an electronic copy.
· Any special needs of the patient: for example, it may be reasonable to give information in a form that can be accessed via assistive technology where the patient has a visual impairment. You should also consider the level of understanding, language or literacy skills of the patient when providing access.
If the patient’s preferred form of access is unreasonable or impracticable, you should consider other ways of giving access. See ‘Take reasonable steps to give access by other means’ below.
If a patient wants a copy of their entire record, for example if they are relocating, they may be happy for you to simply transfer the record to another provider. However, if they prefer to receive a copy of the information directly, they have the right to access this, unless an exception under APP 12 applies.
Compliance tip
For providers in NSW, Victoria or the ACT, local legislation may contain specific requirements relating to the form of access. For example, ACT and Victorian legislation gives patients express rights to request to have the information explained, and, when moving to a new provider, to ask their former provider to give their new provider a copy or written summary of their health record. Contact the NSW Information and Privacy Commission, Office of the Health Services Commissioner Victoria, or ACT Health Services Commissioner to find out more about any additional requirements.
Access charges
You can charge patients a reasonable fee for providing access to their personal information. Access charges should not discourage patients from requesting access. At the same time, the cost of giving access should not create an unreasonable burden on your organisation. You can help minimise fees by implementing systems and processes to make access easy for both parties.
You are not required to charge for giving access, and you should consider waiving or reducing any charge. Consider offering cheaper ways of granting access, such as letting the patient view the information, providing an electronic copy or providing a summary (if this is a cheaper option).
Any fee must not be ‘excessive’, that is, it should simply recover reasonable costs, and you must not charge the patient for the making of the request (APP 12.8). What is an ‘excessive charge’ depends on the nature of your organisation, including its size, resources and functions, and the nature of the personal information requested. Examples of charges that may be considered excessive are:
· a charge that exceeds the actual cost incurred by your organisation in giving access
· a charge associated with obtaining legal or other advice regarding the patient’s request
· a charge for consulting with the patient about how access is to be given
· a charge that reflects shortcomings in your organisation’s information management systems
· a charge that has not taken into account the patient’s circumstances (for example, not obtaining access will impact their on-going healthcare) and capacity to pay.
You may charge patients for reasonable costs incurred for giving access to their personal information. The fee could include costs of resources, time and labour, but should not exceed the actual costs. For example, you could charge for:
· staff costs in searching for, locating and retrieving the requested personal information, and deciding what information to provide to the patient
· staff costs in reproducing and sending the personal information
· costs of postage or materials involved in giving access
· professional costs, for example if it is necessary for you to review a file before releasing the information or costs involved in having you explain information to a patient
· costs associated with using an intermediary.
When charging fees for time and labour, patients should be charged at a clerical rate for labour that clerical staff can perform (such as photocopying, printing, collating and posting documents). To the extent that a health professional needs to play a role, it may be reasonable to charge for time at their professional rate (or a proportion of it).
When providing access you should:
· clearly explain any likely fees before access is given. The patient is not required to give reasons for requesting access. However, discussing the type of information the patient seeks and any likely charges with them can help to minimise costs and meet their needs. You should also invite the patient to discuss options for altering the request to minimise any charge.
· not include any outstanding bills, such as consultation fees in the access charges.
Compliance tip
For providers in Victoria and the ACT, the Health Records Regulations 2012 (Vic) and Health Records (Privacy and Access) Act 1997 (ACT) prescribe maximum fees for providing access and for transferring information to another health service provider. Contact your state or territory regulator to find out more about any additional requirements.
Situations where access can be refused
Under APP 12, a patient has the right to access all the personal information you hold about them unless an exception applies. APP 12.3 lists ten exceptions where you can refuse to give access to personal information. Nevertheless, if one of these exceptions applies, you can still choose to provide access unless disclosure is prohibited. When relying on any of these exceptions you must take reasonable steps to give the patient access by other means and give them a written notice (see below).
A patient’s right to access their personal information applies regardless of who authored particular documents or who ‘owns’ the record (unless giving access to that information is unlawful, or one of the other exceptions below applies). This means that you are generally required to provide a patient with access, on request, to information about them that you receive from other health service providers, such as specialist reports.
Giving access would pose a serious threat to the life, health or safety of any individual or to public health or public safety (APP 12.3(a))
You can refuse to give a patient access to their personal information if you have reasonable grounds for believing that doing so would pose a serious threat to the life, health or safety of that patient or another person[11], or to public health or safety.[12]
What is a serious threat?
A ‘serious’ threat to life, health or safety is one that poses a significant danger to an individual, individuals or the public. It could involve harm to physical or mental health and safety, and could include a potentially life threatening situation or one that might reasonably result in other serious injury or illness.
When deciding whether a threat is serious, you should consider both the likelihood of it occurring and the severity of the resulting harm if it eventuates. A threat that may have dire consequences but is highly unlikely to occur would not normally be a serious threat. However, a potentially harmful threat that is likely to occur, but at an uncertain time, may be a serious threat.
Example: History of self-harm or violent behaviour
You may have reasonable grounds to believe that giving a patient access to their personal information would pose a serious threat to their safety or the safety of others, if the patient has a history of self-harm or violent behaviour, or where a diagnosed condition is known to have a higher probability of such behaviour, and accessing the information could be expected to provoke such a response.
Compliance tip
Where you are denying access on the basis of the serious threat exception, you may be able to provide access through the use of a mutually agreed intermediary if you decide this does not pose a similar threat (see ‘Using an intermediary’ below). If you practise in NSW, Victoria or the ACT, you may be required under local legislation to provide access through an intermediary if requested by a patient, or to allow an intermediary to consider whether access should be provided. Contact your state or territory regulator to find out more about any additional requirements.
What if access would threaten the therapeutic relationship?
Under APP 12.3(a) you could deny access that would threaten the therapeutic relationship, if you had reasonable grounds to believe that the relationship breakdown itself would pose a serious threat to someone’s life or health.
Example: Psychiatric care
A psychiatrist reasonably believes that a patient with severe mental illness would be so distressed if they saw the information in their record, that they would leave the psychiatrist’s care and discontinue treatment altogether. The withdrawal from treatment could seriously threaten the patient’s life, health or safety, and potentially that of their family. The psychiatrist could therefore refuse to provide access under APP 12.3(a).
However, the psychiatrist could not deny access if they were simply concerned that the patient may be somewhat distressed by or unhappy with the information, which could cause them to seek treatment elsewhere. Nor could they deny access where the patient may discontinue treatment but the psychiatrist has little or no reason to believe that this may pose a serious threat to anyone.
Giving access would have an unreasonable impact on the privacy of other individuals (APP 12.3(b))
You should not give a patient access to their personal information if the information contains personal information about another individual(s), and disclosing this information would have an unreasonable impact on the privacy of the other individual(s). This could include a record of the patient’s opinions or views. The following factors may be relevant:
· the nature of the other individual’s personal information, for example if it is of a confidential nature
· the other individual’s reasonable expectations about how their personal information will be handled. For example, if both individuals were present when the information was collected, there may be a reasonable expectation that each individual could later access it (however there may not be a reasonable expectation if you are aware that there is now conflict between those individuals)
· the source of the personal information, for example if the patient requesting access gave you the information about the other individual.
If you deny access under APP 12.3(b), it is a good idea to take steps such as:
· considering whether you can remove the personal information of the other individual so you can still give the patient access to the rest of their record. If you do so, take care to ensure the remaining context does not reveal the other person’s identity
· asking the other individual whether they consent to some or all of the information being released. Their view may be relevant but not necessarily determinative. However, before consulting them, think about whether this in itself may impact on the privacy of the patient seeking access