De-identification and medical records in NSW
Are health service providers in New South Wales obliged by the Health Records and Information Privacy Act 2002 (NSW) to de-identify medical records on the request of a patient? Not according to this recent decision of the NSW Civil and Administrative Tribunal.
On 20 October 2014 the Tribunal dismissed a claim against a local health district in which the applicant sought orders requiring the health district to de-identify her health records so that documents containing personal health information would only contain a medical record number as an identifier and not any personal identifying details.
The applicant was both a patient and employee of the local health district, and asserted that her health records contained especially sensitive information.
The Tribunal dismissed the claim on a basis that some would say was a legal technicality, finding that it had no jurisdiction because the applicant had not alleged a breach of a health privacy principle by the local health district. The Tribunal considered whether the local health district might have contravened HPP 2 (the collection principle) by collecting unnecessary information, HPP 8 (amendment/correction) by failing to amend the records in the manner requested and HPP 13 (anonymity principle). In each case the Tribunal found that no allegation of breach had been made by the applicant.
I was surprised that neither the local health district nor the Tribunal appeared to consider that the applicant’s request was, by implication, an allegation that the local health district had failed to comply with HPP 5 (the security principle) by taking such security safeguards as are reasonable in the circumstances to protect the information against loss, unauthorised access, use, modification or disclosure, and against all other misuse. It seems to me that the essence of the applicant’s argument was that given her dual status as patient and employee, combined with the sensitivity of the information, HPP 5 obliged the local health district to take security measures over and above those it would usually take when storing health records. If the case had been approached in this way, the Tribunal could then have considered the merits of the proposition that it would have been reasonable in the circumstances to go so far as to protect the information against misuse by de-identifying it in the manner requested by the applicant. It may have transpired that the measures proposed by the applicant went too far and would not have been found by the Tribunal to have been reasonable in the circumstances. However, the Tribunal did not consider this argument at all.
Although the applicant was legally represented before the Tribunal, the applicant made no submission to the Tribunal on the question of the Tribunal’s jurisdiction. In hindsight that was clearly an unfortunate forensic decision. This looks like a matter in which an appeal on a question of law may have reasonable prospects of success. However, as the security principle was not considered at first instance, an appeal panel would be unlikely to explore the merits of that argument and would probably remit the case for a hearing on the merits.
Since the local health district is a NSW government agency, it need only comply with the Health Records and Information Privacy Act 2002 (NSW) when dealing with health information. Private sector health service providers operating in NSW are also bound by the federal Privacy Act 1988 (Cth), which requires compliance with the Australian Privacy Principles (APPs). Unlike the NSW health privacy principles, the APPs deal specifically with the question of de-identification as part of the overall security principle. APP 11 requires de-identification of personal information, but only when the information is no longer needed for a legitimate purpose and provided that the regulated entity is not required by law to retain the information. Given the express treatment of de-identification by APP 11, my view is that it is very unlikely that a court would ever find that the general security provisions of APP 11 (found in APP 11.1) require de-identification as a measure to protect against misuse etc.