Pharmacies must comply with strict laws aimed at maintaining the privacy of the information in their control, say Jayr Teng, solicitor and Kellie Dell’Oro, principal at Meridian Lawyers.
A pharmacy’s obligation to maintain the privacy of sensitive information is set out in legislation, namely the Privacy Act 1988 (Cth).
An additional layer of complexity is added because the scope of the legal obligation depends on the type of information held, the circumstances around the proposed use, collection and disclosure, and the jurisdiction the pharmacy operates in.
With these complexities in mind, we have outlined some of the basic obligations.
Privacy and pharmacy records: the basics
Pharmacy records are considered to belong to the health practitioner who created them. Patients and other individuals, however, are given a statutory right through the Act and state-based health records laws to access their health records and to expect that organisations holding their health records do not breach their obligations under the privacy laws.
Pharmacies are subject to the privacy laws because (amongst other matters) they provide health services to their customers. The Act provides that a “health service” includes an activity performed to assess, record, maintain or improve an individual’s health, to diagnose an illness or disability, or to treat an individual.
A pharmacy’s main obligations include:
- to take reasonable steps to make individuals aware that it is collecting “personal”, “sensitive” or “health” information about them (Australian Privacy Principle (APP) 1, 3, 13)
- to notify those individuals about the purpose/s for which it is collecting the information and who it may share that information with (among other things) (APP 5)
- if the personal information is sensitive information, to ensure that consent for such collection, use or disclosure is obtained (expressly or impliedly) (APP 5)
- to comply with restrictions on how personal information can be used and to whom it can be disclosed, including the offshore location to which the information may be disclosed (APP 6)
- to give individuals the right to access the information held about them and to have that information corrected or modified (APP 12 and APP 13).
Health information – a special class of information
Health information is deemed under the Act to belong to a class of information called “sensitive information”. Sensitive information is afforded higher levels of protection under the privacy laws, and health information in particular may be concurrently subject to both the Privacy Act 1988 (Cth) and state-based health records legislation.
Use and disclosure of health information
Compliance with all Acts with respect to health information is mandatory, so pharmacies and pharmacists may find themselves having to decide in what circumstances access and/or disclosure should be allowed when production of their records is requested.
APP 6 – Use or Disclosure
APP 6 deals with the use or disclosure of personal information. It sets out that a pharmacy must not use or disclose personal information about a customer and/or patient other than in specified circumstances including:
- for the primary purpose for which it was collected (APP 6.1); or
- with consent (APP 6.1(b));
- for a secondary purpose which is related to the primary purpose of collection (or directly related in the case of sensitive information), and which the individual would reasonably expect (APP 6.2(a));
- where required or authorised by or under law (APP 6.2(b));
- where the pharmacy reasonably believes that the use or disclosure is necessary to prevent threats to life, health or public safety (APP 6.2(c));
- where the pharmacy has reason to suspect that unlawful activity or misconduct of a serious nature relating to its functions or activities has been engaged in and the use or disclosure is necessary in order for it to take appropriate action (APP 6.2(c)); and
- where the pharmacy reasonably believes the use or disclosure is reasonably necessary to assist with locating a person reported as missing (APP 6.2(c)).
Consequences of a breach of privacy
Where there has been a breach of privacy, it is open to the affected person to make a complaint to the Privacy Commissioner about the breach. The Privacy Commissioner may:
- Conduct assessments of privacy compliance for both Australian Government agencies and some private sector organisations (including own motion investigations);
- Impose an enforceable undertaking;
- Seek civil penalties in the case of serious or repeated breaches of privacy, including fines; and
- Refer the practitioner to the Australian Health Practitioner Regulation Agency (AHPRA).
It is relevant to note that previously the Privacy Commissioner did not have coercive powers or the ability to fine corporations or individuals for breaches of the Privacy Act. This is no longer the case.
Fines of up to $340,000 can be imposed on individuals and fines of up to $1.7m can be imposed on corporations.
PDL has developed procedures and resources to assist pharmacists and pharmacies in meeting their obligations around privacy. Find these resources here.
If you have a question about privacy laws call our support service for professional advice and confidential guidance on 1300 854 838.