Privacy

The following can be found on this page:

Health information privacy and access

The Privacy Act (C’lth) incorporates ten National Privacy Principles (NPPs) which set out requirements for the handling of personal and sensitive information, which includes health information (see definitions below). They govern information collection, storage and maintenance, use and disclosure, as well as access by an individual to his/her information and openness about how it is managed by the institution.

The NPPs do not apply to de-identified information or statistical data sets, which would not allow individuals to be identified.

Definitions

Personal information means information or an opinion (including information or an opinion forming part of a database), whether true or not and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.

Sensitive information is a subset of personal information. It means information or an opinion about an individual’s racial or ethnic origin, political opinions, membership of a political organisation, religious beliefs or affiliations; philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preferences or practices, and criminal record or health information about an individual.

Health information is one kind of sensitive information and includes information or an opinion:

  • about an individual’s health or disability at any time (that is, past, present or future)
  • about an individual’s expressed wishes regarding future health services
  • about health services provided, or to be provided, to the individual
  • collected whilst providing a health service
  • collected in connection with the donation or intended donation of body parts and substances.

This means that personal details related to a patient’s attendance (eg name, address, Medicare number, billing information, admission/discharge dates), medical information, notes made by healthcare personnel, identifiable biological specimens or samples, or genetic information all constitute “health information”.

Collection of information

According to the NPPs the Hospital must:

  • Only collect health information necessary for its functions or activities.
  • Use fair and lawful ways, that are not unreasonably intrusive, to collect health information.
  • Collect health information directly from an individual if it is reasonable and practicable to do so; (there is an exception where it is necessary to obtain an individual’s family, social or medical history, which may contain information relating to other persons).
  • Take reasonable steps, at the time of collecting health information or as soon as practicable afterwards, to make an individual aware of why the information is being collected, who it may be disclosed to, how it can be accessed etc. (This is done by providing a copy of the Personal Information Management Policy – see below.)
  • Take reasonable steps to ensure the individual is aware of the above points even if the information is collected from someone else.
  • Only collect health information with the express or implied consent of the individual concerned, unless collection is required by law or it is necessary to prevent a serious threat to the life or health of any person.

Information Privacy Policy

The Hospital provides patients (or any member of the public, on request) with its Information Privacy Policy, which outlines what personal information is held by the Hospital, and how it is used, stored, accessed or corrected.

Use and disclosure of information

The Hospital may use or disclose an individual’s health information where use or disclosure is:

  • for the primary purpose for which it was collected (eg provision of medical care and treatment; health fund claims)
  • for a directly-related secondary purpose that would have been within the reasonable expectations of the patient at the time (eg quality improvement activities)
  • with the consent of the individual (see Consent to Use Information below)
  • required or authorised by law
  • necessary to prevent serious and imminent threat to an individual or to public health

Access to and correction of information

  • Patients have the right to access health information held about them, unless:
    • It would pose a serious threat to the life or health of any individual
    • It would have an unreasonable impact on the privacy of others
    • The request for access is frivolous or vexatious
    • Denying access is required or authorised by law
  • Access may be provided in a number of different ways. For example the patient (or his/her authorised representative) may view and discuss their records with a health service provider and/or obtain a copy of the information or a summarised report.
  • Access requests or related queries should be directed to the Privacy Coordinator who can also provide the appropriate form (ie Request to Access a Patient Record).
  • Access requests must be processed within 30 days and reasonable fees may be charged.
  • If a person requests a correction to their health information, the Hospital must either make the correction, where appropriate, or add a note to the records with details of the request. Requests for correction shall be directed to the Privacy Coordinator.

Storage and maintenance of information

The Hospital must take reasonable steps to:

  • Ensure that the health information it collects, uses or discloses is accurate, complete and up-to-date.
  • Protect the health information it holds from misuse and loss, and from unauthorised access, modification or disclosure.
  • Destroy or permanently de-identify health information when it is no longer needed or required to be kept.

Other issues

Identifiers

The Hospital must not adopt Commonwealth identifiers, such as Medicare or DVA numbers, for its own identification systems (e.g. hospital medical record number).

Transborder data flows

The Hospital may only transfer a person’s health information overseas when:

  • The individual has given consent.
  • The transfer is necessary for the fulfilment of a contract between the individual and the Hospital.
  • The transfer is for the benefit of the individual but it is impracticable to obtain consent.
  • It is believed that the information will be protected by a privacy scheme or legal provisions comparable to what exists in this country.

Enquiries and complaints

  • Requests from individuals to provide a copy of the Hospital’s Privacy Policy or any additional details they may need regarding its management of their health information.
  • Complaints by individuals who believe that the Hospital has breached their privacy. (Any unresolved complaint is dealt with by the Office of the Federal Privacy Commissioner).

Privacy Coordinator

Clinical records request form

The Clinical records request form has been made available for patients seeking access to clinical records.

Web Site Privacy

Mater Misericordiae Health Services Brisbane Limited ACN 096 708 922 (Mater) acknowledges and respects the privacy of individuals. This statement discloses our collection, use and disclosure of personal information practices in relation to Mater's websites.

Mater's websites may have links to other websites. Once you leave a Mater domain for another site you are subject to the privacy policy of the new site.

Collection of information

When you access Mater's websites, Mater may record your server address, domain name, the date and time of your visit, the pages viewed, the information downloaded and the frequency of visits.

Mater may also record information about the types of browsers that are being used to visit its sites. Mater uses this information for website and system administration, including monitoring to prevent security breaches, to assist in further development and to improve the functionality of its sites.

Mater will only collect sensitive information with your express consent.

Use of personal information

Internally, Mater has controls and procedures in place to ensure that the personal information Mater collects remains confidential to those Mater staff who may need to access the information for the primary purpose. All of the Mater staff are trained in privacy and are bound by duties of confidentiality.

Disclosure of personal information

Mater does not sell or trade in personal information, or allow third parties to use that personal information for their own purposes. The exception to this is where the Mater may be required by law to disclose certain information.

Security of personal information

Mater will take reasonable steps to ensure that all information the Mater collects, uses or discloses is accurate, complete, up to date, stored in a secure environment and accessed only by authorised persons. Mater aims to achieve best industry practice in the security of personal information which Mater holds.

It is Mater's policy to destroy personal information once there is no longer a legal or business need for Mater to retain such information.

Access, correction and concerns

Mater will provide access to personal information upon request by an individual, unless a request is unreasonable and the National Privacy Principles would permit us to decline that access (e.g. where granting access would infringe another person's privacy or where the request for access is frivolous or vexatious).

If you believe that the information Mater holds about you is incorrect, or if you have concerns about how Mater is handling your personal information, or you want to organise access to the information the Mater holds about you, please contact the Privacy Coordinator.

Office of the Privacy Commissioner

Further information on Mater's obligations under the Federal Privacy Act are available from the Office of the Privacy Commissioner.

Contact

Recent news

Subscribe to our RSS feed and get notified of new articles as they are added. What's RSS?

Upcoming events