Checklist - Checklist for private sector staff: responding to a request to access health information

Read the document below or download it here: Checklist - Checklist for private sector staff: responding to a request to access health information June 2023

Under Schedule 1 Health Privacy Principle 7 of the NSW Health Records and Information Privacy Act 2002 (HRIP Act), individuals have a right to access health information about themselves from public sector agencies, including public hospitals, local councils and universities who hold health information.

ORGANISATIONAL CONSIDERATIONS:

  • My agency has a Privacy Contact Officer.
  • Can I process this access request? Do I have the authority?*
    • Yes
    • No – I need to refer this to the Privacy Contact Officer.
  • I have reviewed the Health Privacy Principles (HPPs) in Schedule 1 of the HRIP Act and other laws applicable to my agency.

A REQUEST FOR ACCESS TO HEALTH INFORMATION IS TO (as per HPP 7 of HRIP Act):

  • Be in writing (optional)
  • Include name, address and date of birth (optional)
  • Identify the health information being requested
  • Specify the form in which the applicant wishes to access the health information
  • (If applicable) provide third party authorisation in writing.

WHEN RESPONDING TO THE REQUEST FOR ACCESS (as per HPP 7 of HRIP Act):

  • Explain the requirements of the HRIP Act.
If access is approved:
  • Respond without excessive delay or expense (state the fee to be charged for accessing the information)
  • Provide access to the information in the requested format (copy, access to inspect) OR
  • Provide access in a different format and include the reasons as to why a different format was used.
If access is refused:
  • Provide a written response refusing access to the information with reasons for declining access (in part or in full) that complies with the HRIP Act:
    • It would be unlawful; or denying access is required/authorised by another law
    • The information has already been provided
    • It would pose a serious threat to the life or health of an individual
    • It would have an unreasonable impact on the privacy of other individuals
    • It is a repeated request that has been reasonably declined previously.

IF THE APPLICANT IS DISSATISFIED WITH THE OUTCOME (E.G. ACCESS REFUSED, RECORDS NOT PROVIDED, NO RESPONSE) THEY CAN REQUEST AN INTERNAL REVIEW (as per s21 of HRIP ACT):

Provide information about the internal review by including:

  • Details of how they request an internal review
  • Contact details to where the internal review is to be sent
  • Explain if there is a form that it available that may help them make their request.

* Public sector agencies should check their agency’s delegations. If you work in a NSW public hospital, requests to access health information should be sent to the Medical Records Department.

NOTE: In providing access in accordance with HPP 7 public sector agencies’ best practice would be guided by the more specific requirements in Division 3 Access to Health Information of the HRIP Act applicable to private sector organisations.

How easy did you find it to understand this resource?
Have you used the information in this resource to assist you?