Change in Business Circumstances for a Health Service Provider

1.Change in business circumstances for a health service provider Month 2015 This business resource explains how health service providers facing a change in business circumstances should handle personal information under the Australian Privacy Principles (APPs) in the Privacy Act 1988 (Cth) (Privacy Act). This resource is part of a series that outlines what private sector health service providers need to know about handling their patients’ health information. Some of the key health privacy terms used are explained in Business resource: Key health privacy concepts, while other terms are explained in the Australian Privacy Principles Guidelines.

A health service provider’s business circumstances could change in a number of ways. A provider may amalgamate with, or expand to encompass, other health service providers, it may be sold, or its services may cease.1

Legal entity holding the personal information changes When a health service provider has a change in business circumstances, the relevant privacy obligations will depend in part on whether there will be a change in the legal entity holding the personal information. It is common for the legal entity holding the personal information to change, including in cases of the sale, takeover or merger of health service providers. The alternative situation where there is no change in the legal entity holding the personal information is discussed later in this resource under ‘Legal entity holding the personal information remains unchanged’.

Where there is a transfer of personal information to a new legal entity, for the purposes of the Privacy Act that personal information is being ‘disclosed’ by the old health service provider to the new health service provider. In addition, the new health service provider is ‘collecting’ that information. In this scenario, both the old health service provider and new health service provider have obligations under the APPs.

Disclosure of personal information by the old health service provider The old health service provider will need to consider whether APP 6 allows it to disclose health information to the new health service provider. APP 6 allows health service providers to disclose a patient’s health information with their consent. In many cases, seeking consent for the disclosure may be the most practical option as the new health service provider will need the patient’s consent before collecting the health information, and may need to notify them of certain matters (see below). The old and the new health service provider may decide between them how to handle these obligations.

1 When practices are sold, transferred, closed, amalgamated or relocated in Victoria or the ACT, specific obligations under local legislation may apply, such as a requirement to publish a notice in a newspaper and notify patients. The Office of the Health Services Commissioner Victoria has issued Statutory guidelines on the transfer or closure of the practice or business of a health service provider for practices that are sold, transferred, amalgamated or closed. In the ACT you may be required to keep a register of records which have been transferred for 7 years. And in NSW, specific obligations apply in relation to the retention of health information. Contact your state or territory regulator to find out more about any additional requirements.

Business resource X: Change in business circumstances for a health service provider 1 [Type text] If a patient does not consent to the disclosure, the old health service provider should discuss with the patient their preferred option, such as giving the information to the patient or transferring it to a different health service provider. Alternatively, the old health service provider may be permitted to disclose the information without consent where the disclosure is for the primary purpose for which the information was originally collected. If the old health service provider is satisfied the new health service provider will continue to provide essentially the same service, in very similar circumstances, it could disclose its customer records to the new health service provider on the basis that this is consistent with the primary purpose for which it originally collected the information. An example is where the legal entity holding the personal information changes, but the same health practitioner will be providing the service to the patient. Whether the disclosure is for the primary purpose of collection depends on the circumstances and should be determined on a case-by-case basis. The old health service provider must disclose its health records to the new health service provider in a secure manner and will be responsible for the security of the information until possession is taken by the new health service provider. Under APP 11 it must take steps that are reasonable in the circumstances to protect its records of personal information from misuse, interference and loss and from unauthorised access, modification or disclosure.2

Collection of personal information by the new health service provider Before collecting the information from the old health service provider, the new health service provider is required under APP 3.3 to:

 obtain each patient’s consent to collecting the information (regardless of whether or not the new health service provider will use or disclose the information for new purposes)  ensure that all the information it collects from the old health service provider organisation is reasonably necessary for one or more of the new health service provider’s functions or activities.

Consent has four key elements:  the individual is adequately informed before giving consent  the individual gives consent voluntarily  the consent is current and specific, and  the individual has the capacity to understand and communicate their consent. As discussed, the old and the new health service provider may like to decide between them how to handle patient contact for the purposes of obtaining consent.

If an individual does not consent to the new health service provider collecting their health information, it must not collect the information. While consent can be express or implied, health service providers should generally seek express consent from patients before handling their health information, given the greater privacy impact this could have.

For more information see the APP guidelines, Chapter B: Key concepts, consent and reasonably necessary, and Chapter 3: APP 3 — Collection of solicited personal information.

2 For more information see APP guidelines Chapter 11: APP 11 — Security of personal information and the Guide to securing personal information. Notice When collecting health information from the old health service provider, the new health service provider must take reasonable steps to notify or ensure patients are aware of certain matters under APP 5. 3 These include:  the new health service provider’s identity and contact details  the fact that the health service provider will collect the information and the circumstances of the collection  whether the collection is required or authorised by law  the purposes of collection  the consequences if personal information is not collected  anyone the health service provider usually discloses personal information to  information about the health service provider’s APP 1 privacy policy4 (including information about how the individual can access their personal information, seek correction of information, make a privacy complaint and how the health service provider will deal with complaints), and  whether the health service provider is likely to disclose personal information to overseas recipients, and if practical, the countries where those recipients are located.5 This information could be covered through the patient consent process, otherwise the new health service provider should ensure patients are notified in another way. It could do this separately or in collaboration with the old health service provider.

The notice must be given at or before the time the health service provider collects the personal information, or it that is not practicable, as soon as practicable after that.

For more information see Chapter 5: APP 5 — Notification of the collection of personal information.

Data quality APP 10 requires a health service provider to take reasonable steps to ensure that the personal information it collects is accurate, up-to-date and complete. In addition, APP 10 requires a health service provider to take reasonable steps to ensure that personal information it uses or discloses is, having regard to the purpose of the disclosure, accurate, up to date, complete and relevant (APP 10.2).6 More rigorous steps are generally required when collecting, using and disclosing health information, and where there is a risk of adverse consequences for the individual if information is not of good quality.

Before disclosing personal information, the old health service provider should review its patient records to ensure the information it discloses is accurate, up to date, complete and relevant. This will assist the new organisation to provide patients with ongoing healthcare. The health service provider may also consider

3 This can occur at or before the time or, if that is not practical, as soon as practical after the collection. In some cases no steps will be ‘reasonable steps’, for example where the old organisation has already notified patients. You do not need to notify them of these matters if this is not reasonable in the circumstances, for example where this information is obvious or already known to the patient.

4 For details see APP guidelines Chapter 1: APP 1 — Open and transparent management of personal information

5 For details see APP guidelines Chapter 5: APP 5 — Notification of the collection of personal information.

6 For more information see the APP guidelines, Chapter 10: APP 10 — Quality of personal information.

Business resource X: Change in business circumstances for a health service provider 3 [Type text] talking to patients about what information will be disclosed and, if any information is unlikely to be relevant to their ongoing healthcare, whether the patient nevertheless would like to have this information transferred.

The new organisation should take reasonable steps to ensure the information it collects is accurate, up to date and complete, for the purpose of the patients’ ongoing healthcare. This may mean that the new organisation needs to check the accuracy of the information before using it, for example the first time it treats the patient.

Patients who cannot be contacted If the old health service provider is unable to disclose the personal information of some patients to the new health service provider (for example, if the new health service provider is unable to meet its collection obligations under APP 3), and the patients cannot be contacted, the old health service provider will need to consider its APP 11 obligations relating to the security and destruction of information.

Generally, destroying health information in this circumstance is not good practice. In addition, some State and Territory laws, or guidelines issued by health professional organisations, require or recommend that health service providers retain health information for varying periods of time. The old health service provider may need to make appropriate arrangements to secure the records for future access by those individuals, or for other permitted uses and disclosures.7 In this case, to avoid breaching APP 11, the old health service provider must take reasonable steps to ensure the information is stored securely. Given the sensitivity of the information, more stringent steps are required to protect the information than would be required for an organisation that does not handle health or other sensitive information.8

Legal entity holding the personal information remains unchanged In some cases the nature or ownership of a health service provider may change but the legal entity that holds the personal information does not change. For example, this may occur where there is a sale of shares in a health service provider and the personal information continues to be held by the provider which has been acquired. Where there is no change in the legal entity holding the personal information, there is no disclosure of that information.

The applicable privacy obligations in this scenario depend on whether or not the proposed uses and disclosures of the personal information will change. If the health service provider does not propose to change the purposes for which it uses or discloses personal information, it is not required to inform patients of the change in ownership or obtain their consent under the APPs. Nevertheless, informing customers would be good privacy practice if it is practical to do so.

If the health service provider does intend to use or disclose personal information for new purposes, it will need to ensure it meets its obligations for using and disclosing personal information under APP 6. If the new purposes are directly related to the purpose for which the information was originally collected, and patients would reasonably expect their information to be handled for these purposes, the uses or disclosures will be allowed under APP 6.2(a). Otherwise the health service provider may need to inform patients and obtain their consent in order to comply with APP 6. For more information about APP 6 see the APP guidelines, Chapter 6: APP 6 — use or disclosure of personal information.

7 This could include any uses or disclosures that are permitted under APP 6. For further information see the APP guidelines, Chapter 6: APP 6 — use or disclosure of personal information.

8 See www.oaic.gov.au/news-and-events/media-releases/privacy-media-releases/privacy-breach-medical-records- kept-in-garden-shed Example: Consent to view health information

A general practice expands, creating a medical centre with pathology, radiology, counselling, nutrition and other services. The legal entity which owns the practice remains unchanged. A long-standing patient consults the new practice nutritionist, who wants to view parts of the patient’s medical record. The purpose of the nutritionist viewing some of this information may not be for the primary purpose for which the information was collected or directly relate to the purposes for which this information was originally collected by the general practitioner and may not be within the patient’s reasonable expectations. APP 6 may therefore require the nutritionist to obtain the patient’s consent, unless one of the other exceptions to APP 6 applies.

Health service provider ceases Where a health service provider’s services cease, for example it shuts down or a sole practitioner retires or dies, and no other provider is taking over, arrangements will need to be made for the appropriate storage and transfer of patients’ health information.

Transfer of records Where it is practical, the health service provider (or their representative) should notify patients of the cessation of its operations. If the patient records will be transferred to another provider, then consent for the disclosure and collection may need to be obtained (see ‘Disclosure of personal information by the old health service provider’ and ‘Collection of personal information by the new health service provider’ above).

The health service provider must also take steps that are reasonable in the circumstances to protect its records of personal information from misuse, interference and loss and from unauthorised access, modification or disclosure (APP 11). It must take reasonable steps to ensure that the personal information it discloses is, having regard to the purpose of the disclosure, accurate, up to date, complete and relevant (APP 10.2). See ‘Disclosure of personal information by the old health service provider’ and ‘Data quality’ above.

Patients who cannot be contacted If any patients cannot be contacted, appropriate arrangements may need to be made to secure their health records for future access by those individuals.

Generally, destroying health information in this circumstance is not good practice. Health information is highly valuable for many reasons, most importantly for a patient's on-going health care, but sometimes also for wider public health and safety reasons. Some State and Territory laws, or guidelines issued by health professional organisations, have requirements or recommendations relating to the retention of health information. The information provided in this resource is of a general nature. It is not a substitute for legal advice.

For further information

telephone: 1300 363 992 email: [email protected] write: GPO Box 5218, Sydney NSW 2001 Or visit our website at www.oaic.gov.au

Business resource X: Change in business circumstances for a health service provider 5