Health privacy principles (HPPs) for agencies


The 15 Health Privacy Principles are the key to the Health Records and Information Privacy Act, 2002 (HRIP Act).

General Information

There are legal obligations with which NSW public sector agencies and private sector organisations must comply when they collect, hold, use and disclose a person’s health information.

Exemptions may apply. It is suggested that you seek further advice from the Privacy Contact Officer or the Health Information Manager in your agency or organisation in the first instance, or contact our Office for further advice.

Collection

1. Lawful

Only collect health information for a lawful purpose that is directly related to the agency or organisation’s activities and necessary for that purpose.

2. Relevant

Ensure health information is relevant, accurate, up-to-date and not excessive, and that the collection does not unreasonably intrude into the personal affairs of a person.

3. Direct

Only collect health information from the person concerned, unless it is unreasonable or impracticable to do so. See the Handbook to Health Privacy 1 for an explanation of “unreasonable” and “impracticable”.

4. Open

Inform a person as to why you are collecting health information, what you will do with it, and who else may see it. Tell the person how they can view and correct their health information and any consequences that will occur if they decide not to provide their information to you. If you collect health information about a person from a third party you must still take reasonable steps to notify the person that this has occurred.

Storage

5. Secure

Ensure the health information is stored securely, not kept any longer than necessary, and disposed of appropriately. Health information should be protected from unauthorised access, use or disclosure. (Note: private sector organisations should also refer to section 25 of the HRIP Act for further provisions relating to retention.)

Access and Accuracy

6. Transparent

Explain to the person what health information is being stored, the reasons it is being used and any rights they have to access it.

7. Accessible

Allow a person to access their health information without unreasonable delay or expense. (Note: private sector organisations should also refer to sections 26-32 of the HRIP Act for further provisions relating to access.)

8. Correct

Allow a person to update, correct or amend their personal information where necessary. (Note: private sector organisations should also refer to sections 33-37 of the HRIP Act for further provisions relating to amendment.)

9. Accurate

Ensure that the health information is relevant and accurate before using it.

Use

10. Limited

Only use health information for the purpose for which it was collected or for a directly related purpose, which a person would expect. Otherwise, you would generally need their consent to use the health information for a secondary purpose.

Disclosure

11. Limited

Only disclose health information for the purpose for which it was collected, or for a directly related purpose that a person would expect. Otherwise, you would generally need their consent. (Note: see HPP 10.)

Identifiers and anonymity

12. Not identified

Only identify people by using unique identifiers if it is reasonably necessary to carry out your functions efficiently.

13. Anonymous

Give the person the option of receiving services from you anonymously, where this is lawful and practicable.

Transferrals and linkage

14. Controlled

Only transfer health information outside NSW in accordance with HPP 14.

15. Authorised

Only use health records linkage with the person’s express consent in accordance with the provisions of HPP 15(2).

For a full list of the NSW Health Privacy Principles, see Schedule 1 of the Health Records and Information Privacy Act, 2002 on the NSW Consolidated Acts page: www.austlii.edu.au.

For more information

To discuss the principles, or for more information, please contact the Information and Privacy Commission NSW.

NOTE: The information in this fact sheet is to be used as a guide only.
Legal advice should be sought in relation to individual circumstances.
Full text of the Health Privacy Principles can be found under Schedule 1 of the Health Records and Information Privacy Act 2002 on the NSW Consolidated Acts page: www.austlii.edu.au.

Page Updated: May 2017. 
