Health Records Act 2001 (Vic)
100 Regulations
(1) The Governor in Council may make regulations for or with respect to—
(a) prescribing maximum fees for providing access to health information under this Act; and
(b) prescribing maximum fees for performing functions under section 42; and
(c) prescribing maximum fees for transfers of health information under HPP 11; and
(d) prescribing retention periods, whether greater or less than the periods specified in HPP 4.2, for the preservation of health information or classes of health information for the purposes of HPP 4.2; and
(e) generally prescribing any other matter or thing required or permitted by this Act to be prescribed or necessary to be prescribed to give effect to this Act.
(2) The regulations—
(a) may be of general or limited application; and
(b) may differ according to differences in time, place or circumstance; and
(c) may apply, adopt or incorporate any matter contained in any document, whether—
(i) wholly or partially or as amended by the regulations; or
(ii) as in force at the time the regulations are made or at any time before then; or
(iii) as in force from time to time; and
(d) may confer a discretionary authority or impose a duty on a specified person or body or a specified class of person or body.
(3) A power conferred by this Act to make regulations prescribing maximum fees for providing access to health information by way of a summary may be exercised by reference to the time taken to prepare the summary based on the usual fee of the health service provider for a consultation of a comparable duration.
Pt 9 (Headings and ss 101–137) amended by No. 110/2003 s. 57, repealed by No. 28/2007 s. 3(Sch. item 30).
Schedule 1––The Health Privacy Principles
1 Principle 1—Collection
***When health information may be collected***
1.1 An organisation must not collect health information about an individual unless the information is necessary for one or more of its functions or activities and at least one of the following applies—
(a) the individual has consented;
(b) the collection is required, authorised or permitted, whether expressly or impliedly, by or under law (other than a prescribed law);
(c) the information is necessary to provide a health service to the individual and the individual is incapable of giving consent within the meaning of section 85(3) and—
(i) it is not reasonably practicable to obtain the consent of an authorised representative of the individual within the meaning of section 85; or
(ii) the individual does not have such an authorised representative;
(d) the information is disclosed to the organisation in accordance with HPP 2.2(a), (f), (i) or (l) or HPP 2.5;
(e) if the collection is necessary for research, or the compilation or analysis of statistics, in the public interest—
(i) that purpose cannot be served by the collection of information that does not identify the individual or from which the individual's identity cannot reasonably be ascertained; and
(ii) it is impracticable for the organisation to seek the individual's consent to the collection; and
Sch. 1 cl. 1.1(e)(iii) amended by No. 22/2016 s. 232(a).
(iii) the information is collected in accordance with guidelines issued or approved by the Health Complaints Commissioner under section 22 for the purposes of this subparagraph;
Sch. 1 cl. 1.1(f) amended by No. 22/2016 s. 232(b).
(f) the collection is necessary to prevent or lessen—
Sch. 1 cl. 1.1(f)(i) amended by No. 23/2017 s. 19(1).
(i) a serious threat to the life, health, safety or welfare of any individual; or
(ii) a serious threat to public health, public safety or public welfare—
and the information is collected in accordance with guidelines, if any, issued or approved by the Health Complaints Commissioner under section 22 for the purposes of this paragraph;
(g) the collection is by or on behalf of a law enforcement agency and the organisation reasonably believes that the collection is necessary for a law enforcement function;
(h) the collection is necessary for the establishment, exercise or defence of a legal or equitable claim;
(i) the collection is in the prescribed circumstances.
***How health information is to be collected***
1.2 An organisation must collect health information only by lawful and fair means and not in an unreasonably intrusive way.
1.3 If it is reasonable and practicable to do so, an organisation must collect health information about an individual only from that individual.
1.4 At or before the time (or, if that is not practicable, as soon as practicable thereafter) an organisation collects health information about an individual from the individual, the organisation must take steps that are reasonable in the circumstances to ensure that the individual is generally aware of—
(a) the identity of the organisation and how to contact it; and
(b) the fact that he or she is able to gain access to the information; and
(c) the purposes for which the information is collected; and
(d) to whom (or the types of individuals or organisations to which) the organisation usually discloses information of that kind; and
(e) any law that requires the particular information to be collected; and
(f) the main consequences (if any) for the individual if all or part of the information is not provided.
1.5 If an organisation collects health information about an individual from someone else, it must take any steps that are reasonable in the circumstances to ensure that the individual is or has been made aware of the matters listed in HPP 1.4 except to the extent that making the individual aware of the matters would pose a serious threat to the life or health of any individual or would involve the disclosure of information given in confidence[[7]](#endnote-7).
1.6 An organisation is not required to notify the individual of the identity of persons, or classes of persons, to whom health information may be disclosed in accordance with HPP 2.2(f).
***Information given in confidence***[[8]](#endnote-8)
1.7 If personal information is given in confidence to a health service provider about an individual by a person other than—
(a) the individual; or
(b) a health service provider in the course of, or otherwise in relation to, the provision of health services to the individual—
with a request that the information not be communicated to the individual to whom it relates, the provider must—
(c) confirm with the person that the information is to remain confidential; and
(d) if the information remains confidential—
(i) record the information only if it is relevant to the provision of health services to, or the care of, the individual; and
(ii) take reasonable steps to ensure that the information is accurate and not misleading; and
(e) take reasonable steps to record that the information is given in confidence and is to remain confidential.
2 Principle 2—Use and Disclosure[[9]](#endnote-9)
2.1 An organisation may use or disclose health information about an individual for the primary purpose for which the information was collected in accordance with HPP 1.1.
2.2 An organisation must not use or disclose health information about an individual for a purpose (the ***secondary purpose***) other than the primary purpose for which the information was collected unless at least one of the following paragraphs applies[[10]](#endnote-10)—
(a) both of the following apply—
(i) the secondary purpose is directly related to the primary purpose; and
(ii) the individual would reasonably expect the organisation to use or disclose the information for the secondary purpose; or
(b) the individual has consented to the use or disclosure; or
(c) the use or disclosure is required, authorised or permitted, whether expressly or impliedly, by or under law (other than a prescribed law); or
(d) all of the following apply—
(i) the organisation is a health service provider providing a health service to the individual; and
(ii) the use or disclosure for the secondary purpose is reasonably necessary for the provision of the health service; and
(iii) the individual is incapable of giving consent within the meaning of section 85(3) and—
(A) it is not reasonably practicable to obtain the consent of an authorised representative of the individual within the meaning of section 85; or
(B) the individual does not have such an authorised representative; or
(e) all of the following apply—
(i) the organisation is a health service provider providing a health service to the individual; and
(ii) the use is for the purpose of the provision of further health services to the individual by the organisation; and
(iii) the organisation reasonably believes that the use is necessary to ensure that the further health services are provided safely and effectively; and
Sch. 1 cl. 2.2(e)(iv) amended by No. 22/2016 s. 232(c).
(iv) the information is used in accordance with guidelines, if any, issued or approved by the Health Complaints Commissioner under section 22 for the purposes of this paragraph; or
(f) the use or disclosure is for the purpose of—
(i) funding, management, planning, monitoring, improvement or evaluation of health services; or
(ii) training provided by a health service provider to employees or persons working with the organisation—
and—
(iii) that purpose cannot be served by the use or disclosure of information that does not identify the individual or from which the individual's identity cannot reasonably be ascertained and it is impracticable for the organisation to seek the individual's consent to the use or disclosure; or
(iv) reasonable steps are taken to de‑identify the information—
and—
(v) if the information is in a form that could reasonably be expected to identify individuals, the information is not published in a generally available publication; and
Sch. 1 cl. 2.2(f)(vi) amended by No. 22/2016 s. 232(d).
(vi) the information is used or disclosed in accordance with guidelines, if any, issued or approved by the Health Complaints Commissioner under section 22 for the purposes of this subparagraph; or
(g) if the use or disclosure is necessary for research, or the compilation or analysis of statistics, in the public interest—
(i) it is impracticable for the organisation to seek the individual's consent before the use or disclosure; and
(ii) that purpose cannot be served by the use or disclosure of information that does not identify the individual or from which the individual's identity cannot reasonably be ascertained; and
Sch. 1 cl. 2.2(g)(iii) amended by No. 22/2016 s. 232(e).
(iii) the use or disclosure is in accordance with guidelines issued or approved by the Health Complaints Commissioner under section 22 for the purposes of this subparagraph; and
(iv) in the case of disclosure—
(A) the organisation reasonably believes that the recipient of the health information will not disclose the health information; and
(B) the disclosure will not be published in a form that identifies particular individuals or from which an individual's identity can reasonably be ascertained; or
Sch. 1 cl. 2.2(h) amended by No. 22/2016 s. 232(f).
(h) the organisation reasonably believes that the use or disclosure is necessary to lessen or prevent—
Sch. 1 cl. 2.2(h)(i) amended by No. 23/2017 s. 19(2).
(i) a serious threat to an individual's life, health, safety or welfare; or
(ii) a serious threat to public health, public safety or public welfare—
and the information is used or disclosed in accordance with guidelines, if any, issued or approved by the Health Complaints Commissioner under section 22 for the purposes of this paragraph; or
Sch. 1 cl. 2.2(i) amended by No. 22/2016 s. 232(g).
(i) [[11]](#endnote-11)the organisation has reason to suspect that unlawful activity has been, is being or may be engaged in, and uses or discloses the health information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities and, if the organisation is a registered health practitioner, the use or disclosure would not be a breach of confidence; or
Sch. 1 cl. 2.2(j) amended by No. 22/2016 s. 232(h).
(j) [[12]](#endnote-12)the organisation reasonably believes that the use or disclosure is reasonably necessary for a law enforcement function by or on behalf of a law enforcement agency and, if the organisation is a registered health practitioner, the use or disclosure would not be a breach of confidence; or
(k) the use or disclosure is necessary for the establishment, exercise or defence of a legal or equitable claim; or
(l) the use or disclosure is in the prescribed circumstances.
Nothing in HPP 2 requires an organisation to disclose health information about an individual. An organisation is always entitled not to disclose health information in the absence of a legal obligation to disclose it.
2.3 If an organisation discloses health information under paragraph (i) or (j) of HPP 2.2, it must make a written note of the disclosure.
2.4 Despite HPP 2.2, a health service provider may disclose health information about an individual to an immediate family member of the individual if—
(a) either—
(i) the disclosure is necessary to provide appropriate health services to or care of the individual; or
(ii) the disclosure is made for compassionate reasons; and
(b) the disclosure is limited to the extent reasonable and necessary for the purposes mentioned in paragraph (a); and
(c) the individual is incapable of giving consent to the disclosure within the meaning of section 85(3); and
(d) the disclosure is not contrary to any wish—
(i) expressed by the individual before the individual became incapable of giving consent and not changed or withdrawn by the individual before then; and
(ii) of which the organisation is aware or could be made aware by taking reasonable steps; and
(e) in the case of an immediate family member who is under the age of 18 years, considering the circumstances of the disclosure, the immediate family member has sufficient maturity to receive the information.
2.5 Despite HPP 2.2, an organisation may use or disclose health information about an individual where—
(a) it is known or suspected that the individual is dead; or
(b) it is known or suspected that the individual is missing; or
(c) the individual has been involved in an accident or other misadventure and is incapable of consenting to the use or disclosure—
and the use or disclosure is to the extent reasonably necessary—
(d) to identify the individual; or
(e) to ascertain the identity and location of an immediate family member or other relative of the individual for the purpose of—
Sch. 1 cl. 2.5(e)(i) amended by No. 37/2014 s. 10(Sch. item 77.4).
(i) enabling a police officer, a coroner or other prescribed organisation to contact the immediate family member or other relative for compassionate reasons; or
(ii) to assist in the identification of the individual—
and, in the circumstances referred to in paragraph (b) or (c)—
(f) the use or disclosure is not contrary to any wish—
(i) expressed by the individual before he or she went missing or became incapable of consenting and not withdrawn by the individual; and
(ii) of which the organisation is aware or could have become aware by taking reasonable steps; and
Sch. 1 cl. 2.5(g) amended by No. 22/2016 s. 232(i).
(g) the information is used or disclosed in accordance with guidelines, if any, issued or approved by the Health Complaints Commissioner under section 22 for the purposes of this paragraph.
3 Principle 3—Data Quality
3.1 An organisation must take steps that are reasonable in the circumstances to make sure that, having regard to the purpose for which the information is to be used, the health information it collects, uses, holds or discloses is accurate, complete, up to date and relevant to its functions or activities.
4 Principle 4—Data Security and Data Retention
4.1 An organisation must take reasonable steps to protect the health information it holds from misuse and loss and from unauthorised access, modification or disclosure.
4.2 A health service provider must not delete health information relating to an individual, even if it is later found or claimed to be inaccurate, unless—
(a) the deletion is permitted, authorised or required by the regulations or any other law; or
(b) the deletion is not contrary to the regulations or any other law and occurs—
(i) in the case of health information collected while the individual was a child, after the individual attains the age of 25 years; or
(ii) in any case, more than 7 years after the last occasion on which a health service was provided to the individual by the provider—
whichever is the later.
4.3 A health service provider who deletes health information in accordance with HPP 4.2 must make a written note of the name of the individual to whom the health information related, the period covered by it and the date on which it was deleted.
4.4 A health service provider who transfers health information to another individual or organisation and does not continue to hold a record of that information must make a written note of the name and address of the individual or organisation to whom it was transferred.
4.5 An organisation other than a health service provider must take reasonable steps to destroy or permanently de-identify health information if it is no longer needed for the purpose for which it was collected or any other purpose authorised by this Act, the regulations made under this Act or any other law.
5 Principle 5—Openness
5.1 An organisation must set out in a document—
(a) clearly expressed policies on its management of health information; and
(b) the steps that an individual must take in order to obtain access to their health information.
The organisation must make the document available to anyone who asks for it.
5.2 On request by an individual, an organisation must take reasonable steps—
(a) to let the individual know—
(i) whether the organisation holds health information relating to the individual; and
(ii) the steps that the individual should take if the individual wishes to obtain access to the information; and
(b) if the organisation holds health information relating to the individual, to let the individual know in general terms—
(i) the nature of the information; and
(ii) the purposes for which the information is used; and
(iii) how the organisation collects, holds, uses and discloses the information.
6 Principle 6—Access and Correction
***Access[[13]](#endnote-13)***
6.1 If an organisation holds health information about an individual, it must provide the individual with access to the information on request by the individual in accordance with Part 5, unless—
Sch. 1 cl. 6.1(a) amended by No. 22/2016 s. 232(j).
(a) providing access would pose a serious threat to the life or health of any person under section 26 and refusing access is in accordance with guidelines, if any, issued or approved by the Health Complaints Commissioner under section 22 for the purposes of this paragraph; or
Sch. 1 cl. 6.1(b) amended by No. 22/2016 s. 232(k).
(b) providing access would have an unreasonable impact on the privacy of other individuals and refusing access is in accordance with guidelines, if any, issued or approved by the Health Complaints Commissioner under section 22 for the purposes of this paragraph; or
Sch. 1 cl. 6.1(c) amended by No. 69/2009 s. 54(Sch. Pt 1 item 29.3).
(c) the information relates to existing legal proceedings between the organisation and the individual and the information would not be accessible by the process of discovery in those proceedings[[14]](#endnote-14)or is subject to legal professional privilege or client legal privilege; or
(d) providing access would reveal the intentions of the organisation in relation to negotiations, other than about the provision of a health service, with the individual in such a way as to expose the organisation unreasonably to disadvantage; or
(e) the information is subject to confidentiality under section 27; or
(f) providing access would be unlawful; or
(g) denying access is required or authorised by or under law; or
(h) providing access would be likely to prejudice an investigation of possible unlawful activity; or
(i) providing access would be likely to prejudice a law enforcement function by or on behalf of a law enforcement agency; or
(j) a law enforcement agency performing a lawful security function asks the organisation not to provide access to the information on the basis that providing access would be likely to cause damage to the security of Australia; or
(k) the request for access is of a kind that has been made unsuccessfully on at least one previous occasion and there are no reasonable grounds for making the request again; or
(l) the individual has been provided with access to the health information in accordance with Part 5 and is making an unreasonable, repeated request for access to the same information in the same way.
6.2 However, where providing access would reveal evaluative information generated within the organisation in connection with a commercially sensitive decision-making process, the organisation may give the individual an explanation for the commercially sensitive decision rather than access to the information.
An organisation breaches HPP 6.1 if it relies on HPP 6.2 to give an individual an explanation for a commercially sensitive decision in circumstances where HPP 6.2 does not apply.
6.3 If access is refused on the ground that it would pose a serious threat to the life or health of the individual, the procedure in Division 3 of Part 5 applies.
6.4 Without limiting sections 26 and 27, nothing in this Principle compels an organisation to refuse to provide an individual with access to his or her health information.
***Correction***
6.5 [[15]](#endnote-15)If an organisation holds health information about an individual and the individual is able to establish that the information is inaccurate, incomplete, misleading or not up to date, the organisation must take reasonable steps to correct the information so that it is accurate, complete and up to date but must not delete the information otherwise than in accordance with HPP 4.2.
6.6 If—
(a) the organisation is not willing to correct the health information in accordance with a request by the individual; and
(b) no decision or recommendation to the effect that the information should be corrected wholly or partly in accordance with the request, is pending or has been made under this Act or any other law; and
(c) the individual gives to the organisation a written statement concerning the requested correction—
the organisation must take reasonable steps to associate the statement with the information.
6.7 If the organisation accepts the need to correct the health information but—
(a) the organisation considers it likely that leaving incorrect information, even if corrected, could cause harm to the individual or result in inappropriate health services or care being provided; or
(b) the form in which the health information is held makes correction impossible; or
(c) the corrections required are sufficiently complex or numerous for a real possibility of confusion or error to arise in relation to interpreting or reading the record if it were to be so corrected—
the organisation must place the incorrect information on a record which is not generally available to anyone involved in providing health services to the individual, and to which access is restricted, and take reasonable steps to ensure that only the corrected information is generally available to anyone who may provide health services to the individual.
6.8 If an organisation corrects health information about an individual, it must—
(a) if practicable, record with the correction the name of the person who made the correction and the date on which the correction is made; and
(b) take reasonable steps to notify any health service providers to whom the organisation disclosed the health information before its correction and who may reasonably be expected to rely on that information in the future.
6.9 If an individual requests an organisation to correct health information about the individual, the organisation must take reasonable steps to notify the individual of a decision on the request as soon as practicable but in any case not later than 30 days after the request is received by the organisation.
***Written reasons***
6.10 An organisation must provide written reasons for refusal of access[[16]](#endnote-16) or a refusal to correct health information.
7 Principle 7—Identifiers
7.1 An organisation may only assign identifiers to individuals if the assignment of identifiers is reasonably necessary to enable the organisation to carry out any of its functions efficiently.
7.2 Subject to HPP 7.4, a private sector organisation may only adopt as its own identifier of an individual an identifier of an individual that has been assigned by a public sector organisation (or by an agent of, or contractor to, a public sector organisation acting in its capacity as agent or contractor) if—
(a) the individual has consented to the adoption of the same identifier; or
(b) the use or disclosure of the identifier is required or authorised by or under law.
7.3 Subject to HPP 7.4, a private sector organisation may only use or disclose an identifier assigned to an individual by a public sector organisation (or by an agent of, or contractor to, a public sector organisation acting in its capacity as agent or contractor) if—
(a) the use or disclosure is required for the purpose for which it was assigned or for a secondary purpose referred to in one or more of paragraphs (c) to (l) of HPP 2.2; or
(b) the individual has consented to the use or disclosure; or
(c) the disclosure is to the public sector organisation which assigned the identifier to enable the public sector organisation to identify the individual for its own purposes.
7.4 If the use or disclosure of an identifier assigned to an individual by a public sector organisation is necessary for a private sector organisation to fulfil its obligations to, or requirements of, the public sector organisation, a private sector organisation may either—
(a) adopt as its own identifier of an individual an identifier of the individual that has been assigned by the public sector organisation; or
(b) use or disclose an identifier of the individual that has been assigned by the public sector organisation.
8 Principle 8—Anonymity
8.1 Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation.
9 Principle 9—Transborder Data Flows
9.1 An organisation may transfer health information about an individual to someone (other than the organisation or the individual) who is outside Victoria only if—
(a) the organisation reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the Health Privacy Principles; or
(b) the individual consents to the transfer; or
(c) the transfer is necessary for the performance of a contract between the individual and the organisation, or for the implementation of pre-contractual measures taken in response to the individual's request; or
(d) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the organisation and a third party; or
(e) all of the following apply—
(i) the transfer is for the benefit of the individual;
(ii) it is impracticable to obtain the consent of the individual to that transfer;
(iii) if it were practicable to obtain that consent, the individual would be likely to give it; or
(f) the organisation has taken reasonable steps to ensure that the information which it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with the Health Privacy Principles; or
(g) the transfer is authorised or required by any other law.