Report of the NCOSS forum on Electronic health records and new health privacy laws

Transcription

1 Report of the NCOSS forum on Electronic health records and new health privacy laws 2 May, 2002 Masonic Centre, Sydney

2 The Council of Social Service of NSW (NCOSS) is a community organisation working to achieve social justice for disadvantaged individuals and communities. NCOSS provides an independent voice on welfare policy issues and social and economic reforms, and is the major coordinator for non-government organisations working on social justice issues in NSW. NCOSS receives funding from NSW Health for a Health Policy project, which promotes consumer/community participation in the NSW health system, advocates for disadvantaged communities and assists non-government organisations to play a more active role in health care delivery. Tim Goodwin, Senior Policy Officer at NCOSS, can be contacted on: tim@ncoss.org.au phone: ext 116 fax: The NCOSS Forum on Electronic health records and new health privacy laws was funded by NSW Health. This report is available on the NCOSS website at: Council of Social Service of NSW (NCOSS) 66 Albion Street Surry Hills NSW 2010 phone: fax: info@ncoss.org.au web: abn:

3 Contents 1. Introduction Common issues Agenda Guide to the Health Records and Information Privacy Exposure Draft Bill...8 Presentation by Leanne O'Shannessy, Deputy Director, Legal & Legislative Services, NSW Health 5. The complaints and investigation processes under the Health Records and Information Privacy Bill Presentation by Anna Johnston, Deputy Privacy Commissioner, Privacy NSW 6. The Electronic Health Record What does it mean for consumers?...18 Presentation by Peter Williams, Director, Information and Business Solutions, NSW Health 7. Workshop outcomes Population groups...27 Workshop 1: People from rural and regional communities...27 Workshop 2: People with a chronic illness...30 Workshop 3: Older people...32 Workshop 4: People from culturally and linguistically diverse backgrounds...35 Workshop 5: People with a mental illness NGOs, health consumers & carers...41 Workshop 6: Health NGOs...41 Workshop 7: Non-health NGOs...44 Workshops 8 & 9: Consumers and their carers NCOSS Briefing on the Health Records and Information Privacy Bill

4

5 1. Introduction Background Over the past year NCOSS has discussed with a range of community and consumer organisations the proposed NSW health privacy legislation and the development of linked Electronic Health Records ('the EHR'). Discussions consistently raised a number of issues of concern including the need for: effective protection of privacy, particularly for vulnerable groups; maximising the potential health outcomes; and the full participation of non-government organisations (NGOs) and health consumers in any implementation processes. There is a great deal of interest within the community sector concerning recent developments in health privacy and electronic health information. In November 2001, NSW Health released an exposure draft of the Health Records and Information Privacy Bill ('the Bill'). The draft Bill proposes a set of privacy principles that would govern the collection and use of health information in both the public and private sectors. Health privacy principles in the Bill would govern the implementation and administration of the EHR, which will bring together information held about a person by different parts of the state's health system. NSW Health is currently developing an outline of the EHR and planning pilot projects to test the design. Both the Bill and the EHR have significant implications for the community, particularly in relation to vulnerable people and health consumers with chronic and complex needs. They have the potential to enhance both the health consumer's privacy and the transparency of the health system. Implemented appropriately, the EHR could contribute towards addressing some current problems in the delivery of health and community care. At the same time they raise many concerns for health consumers. Therefore NCOSS held the view that there should be an opportunity for informed community input to NSW Health regarding the legislation and its practical application in the health system, and regarding the EHR. In January 2002 NCOSS proposed a Forum for health consumers and community organisations on privacy and health records, and in March NSW Health agreed to provide funding. The Forum was designed as an opportunity for a range of consumers and community groups across NSW to receive information about the EHR and its proposed legislative framework, and to contribute to NSW Health s implementation strategies. The Forum aimed to involve particular groups including people from rural and remote NSW, young people, people from culturally and linguistically diverse backgrounds, people with disabilities, indigenous communities, health consumers with chronic and complex needs, and vulnerable people such as those who have a mental illness. Given questions of information handling and continuity of care, it was important that both health and non-health NGOs were included in consultations. Electronic health records and new health privacy laws 1

6 The Forum Over 100 people attended the Forum, including representatives from self-help and chronic illness groups, health peak bodies, community-based health organisations, NSW Health participation structures, organisations representing older people and mental health consumers, community care organisations and individual health consumers. Regional representatives attended from the Hunter, Illawarra, Far West, Mid West, Northern Rivers, Southern NSW and Western Sydney. A series of presentations by representatives of NSW Health and Privacy NSW outlined the provisions in the exposure draft of the Health Records and Information Privacy Bill and the steps being taken to implement the EHR. Participants were given the opportunity in plenary to raise questions arising from the presentations. In the afternoon a series of nine workshops explored specific aspects of the implementation of the EHR. The first group of workshops examined issues relating to the EHR from the perspectives of particular population groups. The topics were: 1. Rural and regional health consumers 2. Chronic illness 3. Older people 4. People from culturally and linguistically diverse backgrounds 5. People with mental illness. The first three workshop topics were chosen to ensure that issues relating to relatively high service users were aired, and also to ensure an adequate balance of issues across the state. Forum participants nominated the fourth and fifth workshop topics as priorities for discussion. The second group of workshops considered issues relating to NGOs and health consumers generally. The topics were: 6. Health NGOs 7. Non-health NGOs 8. Consumers and their carers (two workshops). 2 Electronic health records and new health privacy laws

7 2. Common issues While the plenary sessions and the workshops considered different aspects of the proposed Health Records and Information Privacy Bill and the implementation of the EHR, a number of common themes emerged from the Forum. As expected, there was a degree of overlap in discussion of the Bill and the EHR, given the legislation will govern the collection and use of information on an EHR and specific provisions in the Bill relate to consent to participate in the EHR system. Benefits Many participants recognised the benefits they expected the EHR would deliver to the consumer and the health system, including improvement in the coordination of care and accurate and timely access to information regarding past treatment and medication. The rights provided by the new laws should also enhance a consumer's access to their own health information. The EHR should provide consumers with reliable information about who has had access to their records and how the information has been used. Participants emphasised the need to take this opportunity to address current problems with health records rather than entrenching them in new technology, for example, the use of respectful language in records, inclusion of both clinical and community care information and addressing paternalistic attitudes to mental illness. In many respects the health privacy laws and the EHR will require a significant culture change, both for health service providers in gaining the consumer's consent and providing access to records, and for consumers in having the choice about whether to have their health information held in an EHR. Workshop participants raised many concerns regarding the EHR that they felt must be addressed in the implementation process. Some of the key concerns included issues relating to: consent, the information kept on an EHR, access to records, complaints processes, concerns of NGOs and the need for consumer involvement in the EHR process. Consent There was significant concern that consumers have the information to provide fully informed consent to have their health records linked in an EHR. The consumer would need to be fully informed about the system and its safeguards, understand what is being asked of them (including the consequences of participating or choosing not to) and be free to be free from pressure when making their decision. These highlight the need for a process of consumer education, including providing plain English information in different formats and in appropriate community languages. There is a corresponding need for providers to be educated about the Electronic health records and new health privacy laws 3

8 EHR and the nature of informed consent, to equip them to discuss it appropriately with health consumers. Participants were concerned about potential discrimination against an individual if they chose not to opt in to the EHR or if they wished to block access to certain parts of their electronic record. It was argued that health privacy legislation and the rules governing the EHR should explicitly forbid participation in the EHR being used as a condition for providing treatment. The implementation of the EHR should include mechanisms to prevent discrimination against a health consumer on the basis of the person's decision not to participate. Information recorded on the EHR Many of the potential benefits of the EHR could only be delivered if there is scope to include the full range of pertinent health and non-health information on a record. This would include information generated by and accessible by allied health professionals, community care organisations and NGO service providers. There is a need for consistent data standards defining what is considered 'health information' and how it is recorded on an EHR, as well as determining what should be excluded from electronic records. It was agreed that consumers should have control over the information that is added to their record, including the option that certain information, or services delivered by certain providers, should not be added at all. Access - by providers Many consumers will be influenced in their decision regarding whether or not to participate in the EHR, by how much control they could expect to have over the information kept on the record. The Forum argued that consumers should have a high degree of control over who has access to their record. In principle, access should be provided on a need-to-know basis only, and access to certain information should be restricted. It was suggested that for some providers, access to a record should be limited to a particular period of time or for the duration of a specific course of treatment. The consumer should retain the option to remove particular information from their EHR at a later date. Consumer control over access was seen as particularly important in relation to information the consumer might consider to be, or others might perceive as, highly sensitive. There were concerns that both the legislation and the administrative systems for the EHR should prevent unauthorised access to records as well as unauthorised use of information. 4 Electronic health records and new health privacy laws

9 There needs to be a guarantee of complete transparency for the consumer and systems in place to monitor irregular access to records. It was suggested that any printing of electronic information be prohibited as a means of controlling unauthorised access. At the very least, the system should log what information is printed, by whom and for what purpose. Access - by consumers The Forum welcomed provisions in the draft Bill setting out the consumer's right of access to health information, although there was some scepticism as to whether the legislation would fully address current problems with access to information. Participants assumed the legislation would ensure their access to records created before its commencement. It was noted that some consumers will require assistance when accessing health information about them, including the provision of an available computer, assistance with jargon and appropriate support where required, for example when accessing information relating to mental health episodes or trauma. It was stressed repeatedly that access to records should not be provided only a computer-based system, given that many people are not comfortable with or skilled in using information technology. Additional means of access should be provided. Participants raised a number of concerns relating to potential refusal of access to information or barriers to effective access. In the event that an individual is denied access on the grounds of detriment to their health, it was questioned how this would be assessed appropriately, especially in cases of the records of mental health consumers. Some consumers at the Forum were concerned that providers may still use the legal ownership of a record as a means to deny the consumer access to information. This was particularly of concern for consumers with experience of current problems securing the release of information on health records. If charges are levied for providing access to information (as envisaged under the draft Bill) it was agreed that fees must not serve as a barrier to accessing information, particularly for consumers with limited financial means. Complaints and breaches of privacy It was agreed that effective and credible complaints processes are essential to encourage trust in the EHR and provide means of addressing breaches of privacy. The Forum raised repeated concerns about the inadequacy of the complaints regime under the draft health privacy Bill, particularly for vulnerable people. As set out in the draft Bill, a complaint could only be initiated by a person who knows their privacy has been breached and who was willing to make a complaint. Given the technology involved in the EHR, a consumer may not know their health privacy had been breached. A consumer may not be in a position to complain, due Electronic health records and new health privacy laws 5

10 to issues of language, mental illness, cultural difference, a fear of retribution or a lack of knowledge of the complaints system. In these instances, there would be no mechanism to ensure compliance with the legislation or to provide a remedy where privacy principles had been breached. There should therefore be an audit process established by legislation to monitor compliance with health privacy laws. Such audits would be an essential safeguard in the administration of the EHR. Implications for NGOs Participants representing both health NGOs and non-health NGOs questioned the planned relationship between the EHR and services provided in the community sector. NGOs sought information regarding whether they would be included in the EHR system, as sources of information for electronic records and as service providers requiring appropriate access to information. In any case, the EHR may place on NGOs additional demands for information, advice and support for clients in negotiating electronic health records in the health system. Health NGOs discussed whether they would have the choice to become involved with the EHR system or remain independent of it. Non-health NGOs questioned whether the system would acknowledge their role (and the importance of relevant non-health information to the provision of health services) or perpetuate current relationships through new technology. It was agued that the implementation of the EHR should assist in building trust and continuity between the health system and the community care system. It was agreed that NGOs should be recognised as having a legitimate role in the development and implementation of the EHR. Consumer involvement A consistent theme through the Forum was the need for ongoing involvement by consumers and community organisations in the EHR process. It was agreed that participation is required in the design and implementation of the EHR, and to build the consumer understanding and trust necessary for people to participate in the EHR. Consumers want to be involved at every step and many participants were concerned they had not been involved at an earlier stage in discussions about the legislation or the EHR. The development of the EHR must engage with a range of groups and key stakeholders, at both state-wide and local levels, providing information and seeking input before key decisions are taken. Regional participants stressed the need for information and consultation across NSW. 6 Electronic health records and new health privacy laws

11 3. Agenda NCOSS Forum on the Electronic Health Record and new health privacy laws Thursday, 2 May 2002, Masonic Centre, Sydney 8:45 Registrations 9:15 Welcome to country Allen Madden, Metropolitan Local Aboriginal Land Council 9:20 Introduction and welcome to the Forum Alan Kirkland, Director, NCOSS 9:30 The Health Records and Information Privacy Bill: Overview of the exposure draft Discussion and questions Leanne O Shannessy, Deputy Director, Legal and Legislative Services, NSW Health Complaints processes Anna Johnston, Deputy Privacy Commissioner NSW 10:30 Morning tea 11:00 The Electronic Health Record (EHR): What does it mean for consumers and community organisations? Peter Williams, Director, Information & Business Solutions, NSW Health 12:00 Lunch 1:00 Concurrent workshops: Workshop 1 Aspects of the EHR and its implementation by NSW Health 5 workshops population groups eg. chronic illness, rural and remote health consumers, older people, mental health, carers 2:15 Concurrent workshops: Workshop 2 4 workshops health NGOs, non-health NGOs, health consumers and the EHR (2) 3:15 Afternoon tea 3:45 Report back from the workshops 4:45 Close Supported by: Electronic health records and new health privacy laws 7

12 4. Guide to the Health Records and Information Privacy Exposure Draft Bill Presentation by Leanne O'Shannessy, Deputy Director, Legal & Legislative Services, NSW Health Background In June 2000 the Minister for Health appointed the NSW Privacy Commissioner, Mr Chris Puplick, to chair an independent NSW Ministerial Advisory Committee on Privacy and Health Information. The Minister requested the Committee investigate and advise on privacy issues relating to health information, particularly those raised by proposals for the development of a linked electronic health record. The Committee reported to the Minister in December 2000, after conducting extensive consultation with key stakeholder groups and the public, including two public forums on health privacy issues, and a workshop conducted as part of the Consumers Health Forum national consultation process on electronic health. A copy of the Committee s report to the Minister is available at While many of the Committee s findings were directed at the concept of electronic health records, one of the key recommendations was the enactment of a Health Records and Information Privacy Act to regulate the collection, use, storage and disclosure of health information in NSW. The Committee considered that a strong regulatory regime protecting health information and applying irrespective of the format in which the information is kept, was essential to address community concerns about the privacy risks associated with electronic records. Why an Exposure Draft Bill? Given the high level of public interest in privacy issues, the Government has determined to release these legislative proposals as an exposure draft Bill, to enable those affected by the proposals to have the opportunity to consider and comment on the content of the Bill. The Government wishes to ensure that the community has sufficient opportunity to properly consider and comment on the Bill prior to its introduction in Parliament which is proposed to occur in the Parliamentary Session commencing March This consultation process is directed at ensuring issues raised by stakeholders are considered and addressed before the Bill s passage through Parliament. How does the Bill relate to existing privacy laws? NSW already has privacy legislation regulating the way in which NSW public sector agencies deal with information. In addition, amendments to the Commonwealth Privacy Act, due to commence in December 2001, will expand privacy obligations established under federal law into the private sector (although that legislation will not apply to the NSW public sector). 8 Electronic health records and new health privacy laws

13 One of the founding principles of the Health Records and Information Privacy Bill is to build on what has already been achieved at the state and federal level, rather than duplicate it. As such, the Bill has been designed to maintain consistency with the Commonwealth National Privacy Principles, so that action undertaken in order to ensure an agency, organisation or individual is ready to comply with the Commonwealth Principles will ensure compliance with the principles established under this Bill. Most of the terms, definitions and principles created under the Bill reflect those used in the Commonwealth legislation. The aim of the Health Records and Information Privacy Bill is to provide a single state-based scheme for the management of health privacy obligations, imposing the same set of Privacy Principles on information holders in both the public and private sector. The Bill will also provide a readily accessible complaints process and recognise the special issues which arise in the handling of health information. Similar legislative approaches have already been adopted in both the ACT and Victoria. MAIN FEATURES OF THE BILL Who does the legislation cover? The Health Records and Information Privacy Bill covers any public or private sector organisation that holds health information as well as individual health service providers. What is health information? The Health Records and Information Privacy Bill will cover health information rather than defining and regulating specific categories of health service providers. Health information is defined in clause 6 to include information or opinions about a person s physical or mental health and information collected in relation to organ donation or genetic information. It also includes information about a health service provided to a person. Health service is defined to cover a broad range of services including medical, hospital, nursing and ambulance services, as well as services provided by both registered and unregistered health practitioners. The Bill has exemptions to ensure that it does not cover personal, family and household communications nor interfere with the activities of courts and tribunals, and that it recognises the role of the news media. Does the Bill cover electronically stored information? Yes. All the obligations imposed in the legislation on use and disclosure will apply equally to the use, disclosure (and consequently linkage) of electronically stored records. The Bill also includes a special provision in HPP15 to ensure patient information is not linked into a statewide health record unless they have expressly consented to participate in such a scheme. Electronic health records and new health privacy laws 9

14 What obligations are imposed on holders of health information? The Bill requires holders of health information to comply with 15 Health Privacy Principles. These principles, which are consistent with the Commonwealth National Privacy Principles, establish obligations in relation to the collection, retention, storage, use and disclosure of health information. They also establish a right for an individual to access health information which applies to them. The Health Privacy Principles (HPP s) cover: Collection HPP1 requires that information must not be collected unless it is for a lawful purpose directly related to a function or activity of the organisation or individual. HPP2 the collection of information should not intrude unreasonably on the personal affairs of an individual, and should be relevant and accurate. HPP3 states that information should, unless it is unreasonable and impracticable, be collected from the individual to whom it relates. HPP4 requires those collecting information to inform the person about certain things, including who is collecting the information, the purpose of the collection and the consequences if the information is not provided. Retention and Security HPP5 requires information be kept for a reasonable period of time and stored securely. Part 4 of the Bill also contains additional provision in relation to retention. Access and Alteration HPP6 requires holders of health information to allow people to find out if they hold information about them. HPP7 allows people the right to access health information held about them. HPP8 allows people to ensure the accuracy of information by providing them with a right to apply to have information amended. Part 4 of the Bill sets out additional provisions on access and amendment. Accuracy HPP9 requires holders of health information to ensure health information they propose to use is accurate, complete and up to date. Use and Disclosure HPP10 sets out the list of purposes for which holders of health information can use health information. HPP 11 sets out the list of purposes for which holders of health information can disclose health information. Identifiers HPP12 establishes limits on the use of identifiers. Anonymity HPP13 allows people to access health services anonymously. 10 Electronic health records and new health privacy laws

15 Transborder data flows HPP14 sets out specific circumstances and requirements for the cross-border flow of data. Linkage of health records HPP15 prevents the creation of linked electronic health records without the express consent of the individual to whom the information relates. How will organisations be required to retain records? Public sector agencies are already subject to regulation in relation to retention and storage of records under the State Records Act. Part 4 of the Bill will require health service providers to retain health records for 7 years after the last incidence of service, and to make a written note of when information is destroyed or transferred. Individuals will not be required to comply with these requirements if they are already bound by existing regulatory schemes for the retention and disposal of records (such as, for example, the Medical Practice Regulation 2000). Other organisations (who are not health service providers), will be required to destroy or permanently de-identify information if it is no longer needed for the purpose for which it was collected. The Privacy Commissioner of NSW will be able to issue guidelines to assist organisations in complying with these provisions. How will individuals be able to access health information? Public sector agencies are already obliged to provide access to information under the Freedom of Information Act. Under that Act, a public sector agency must make a determination on applications to access information within 21 days of receipt of the application. Part 4 of the Bill sets out provisions for applications to be made to private sector organisations. The main features of the private sector access scheme are: access is limited to health information about the person who has made the application; a response must be made to an application within 45 days of receipt; access must be given by inspecting the information or providing a copy; fees can be charged for granting access; organisations will be able to refuse access in certain specified circumstances; where access is sought to information collected before the Bill comes into effect, the organisation can comply with the provisions by providing a summary of the information. The Privacy Commissioner of NSW will be able to issue guidelines to assist organisations in complying with these provisions. Electronic health records and new health privacy laws 11

16 How will individuals be able to have health information amended? Individuals are already entitled to request public sector agencies to amend information under the Freedom of Information Act. Under that Act, a public sector agency must make a determination on applications to amend information within 21 days of receipt of the application. Part 4 of the Bill sets out provisions for applications to be made to private sector organisations to amend information. These are similar to those outlined above in relation to access. The Privacy Commissioner of NSW will be able to issue guidelines to assist organisations in complying with these provisions. How will complaints about breaches of the Health Privacy Principles be handled? Complaints about public sector agencies will be dealt with under the existing Privacy and Personal Information Protection Act. Under that Act, agencies are required to have processes in place to conduct internal reviews of the conduct complained of within set time frames. For example, if a public sector agency refuses access to health information, the person who made the request is entitled to request an internal review, and seek to have the agency reconsider its decision. Where a complainant is unhappy with the result of the internal review, they are entitled to take their complaint to the Administrative Decisions Tribunal, where the agency may be ordered to correct their conduct or pay compensation of up to $40,000. The complaints process for private sector organisations and individual service providers is set out in Part 6 of the Bill, and will operate through the Office of the NSW Privacy Commissioner. The Privacy Commissioner will have the power to review, investigate and attempt to conciliate the complaint. The Privacy Commissioner will also be able, where appropriate, to refer complaints to the Federal Privacy Commissioner. While complainants will also have access to the Administrative Decisions Tribunal, this access will be limited to matters which have been investigated by the Privacy Commissioner. Where a person considers a breach of the Privacy Principles has occurred, and makes an application to the Tribunal, it will be empowered to make the same range of orders as those available against public sector agencies. Will people who lack legal capacity be able to use the Act? Yes. The Bill contains provisions to ensure that where a person lacks capacity to make a decision or consent or exercise a right under the Act, a guardian, or person authorised to act on their behalf will be able to act for them. DEPARTMENT OF HEALTH NOVEMBER Electronic health records and new health privacy laws

17 5. The complaints and investigation processes under the Health Records and Information Privacy Bill 2002 Presentation by Anna Johnston, Deputy Privacy Commissioner Privacy NSW The complaints and investigation processes under the Health Records & Information Privacy Bill 2002 The existing situation - the PPIP Act While the PPIP Act only allows legal remedies in relation to breaches of the Act by public sector agencies, it also gives the Privacy Commissioner power to investigate and conciliate complaints about violations of, or interferences with, privacy by any organisation or individual. When our office receives a complaint, we have to decide how it can or should be dealt with. If it is a complaint that can be made under Part 5 of the PPIP Act (that is, by seeking internal review by a public sector agency), we usually recommend that course of action to the complainant. Otherwise we will investigate, unless we decline on one of the grounds specified in s.46 of the Act (such as if the subject matter of the complaint is required by law). Internal Reviews Under Part 5 of the PPIP Act, individuals have the right to seek a review by a public sector agency in cases where the individual believes the agency has breached one or more of the following: one of the 12 Information Protection Principles the public register provisions in the Act a Privacy Code of Practice The responsibility for dealing with internal reviews lies with the agencies, although the Privacy Commissioner can make submissions to the agency during the course of the review. The agency must keep our Office notified of the progress of each Internal Review. If an individual is not satisfied with the outcome of an internal review or the way in which the internal review was conducted, then they may take the matter to the Administrative Decisions Tribunal (ADT). Electronic health records and new health privacy laws 13

18 Remedies under the PPIP Act After reviewing a matter under the PPIP Act, the ADT may make orders requiring an agency to undertake certain remedies/action, including: to refrain from conduct or action which breaches an IPP or Code to correct information disclosed by an agency to take steps to remedy loss or damage The ADT may also make an order requiring an agency to pay damages up to $40,000 for loss or damage suffered where the applicant has suffered financial loss or psychological or physical harm as a result of the conduct, but only where the conduct occurred on or after 1 July The alternative: a Privacy Commissioner investigation Our powers under the PPIP Act are limited. We can only make a report on our investigation, and can make findings and/or recommendations. Any such recommendations are not binding on any party. Thus we can only seek to achieve a conciliated outcome. There is no appeal from our investigation / conciliation processes. The future situation - the HRIP Bill If the HRIP Bill passes Parliament without amendment, the complaints / investigation process will be as follows: Complaints against public sector agencies - same as now. That is: breaches of an HPP or a Health Code => internal review => ADT other allegations of a violation of or interference with privacy => conciliation by our Office 14 Electronic health records and new health privacy laws

19 Complaints against private sector individuals or organisations Stage One Preliminary assessment Complaint may be declined on one of the following grounds: frivolous or vexatious trivial lawfully permitted alternate means of redress referred to another body Stage Two Assessment is there a prima facie case that a breach occurred? Stage Three Dealing with the Complaint resolve by conciliation resolve to Commissioner s satisfaction investigate and report Stage Four Investigate and Report may make a finding may make a recommendation Stage Five The Administrative Decisions Tribunal Only matters which reach Stage Four can be taken to the Tribunal Only the complainant (not the Privacy Commissioner, not the respondent) can initiate an action Investigation Report is admissible in the proceedings ADT has same remedies available as under the PPIP Act Electronic health records and new health privacy laws 15

20 COMPLAINT TO NSW PRIVACY COMMISSIONER (under s.42 HRIP Bill) PRIVACY COMMISSIONER PRELIMINARY ASSESSMENT Is the complaint frivolous or vexation, or lacking good faith? Is the complaint trivial? Is the conduct authorised by law? Does the complainant have an alternate means of redress? Should the complaint be referred to another body? NO YES Commissioner may refuse to deal with the complaint further PRIVACY COMMISSIONER ASSESSMENT is there a prima facie case that a breach of the Health Privacy Principles or a Code has occurred? Commissioner must cease to deal with the complaint NO YES PRIVACY COMMISSIONER DEALS WITH COMPLAINT resolves to Commissioner s satisfaction endeavours to resolve through conciliation Investigates prepares a report which can include findings; and recommendations Matter finalised Matter finalised Complainant can seek relief in the ADT 16 Electronic health records and new health privacy laws