Health Information Privacy and Access
The Privacy Act (C’lth) incorporates the Australian Privacy Principles (APPs), which set out requirements for the handling of personal and sensitive information, including health information (see definitions below). The APPs govern information collection, storage and maintenance, and use and disclosure, as well as access by an individual to his/her information and openness about how it is managed by the institution.
The APPs do not apply to de-identified information or statistical data sets, which would not allow individuals to be identified.
Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
(a) whether the information or opinion is true or not; and
(b) whether the information or opinion is recorded in a material form or not.
Sensitive information is a subset of personal information. It means information or an opinion about an individual’s racial or ethnic origin, political opinions, membership of a political organisation, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preferences or practices, and criminal record or health information about an individual.
Health information is one kind of sensitive information and includes information or an opinion:
about an individual’s health or disability at any time (that is, past, present or future)
about an individual’s expressed wishes regarding future health services
about health services provided, or to be provided, to the individual
collected while providing a health service
collected in connection with the donation or intended donation of body parts and substances.
This means that personal details related to a patient’s attendance (e.g. name, address, Medicare number, billing information, admission/discharge dates), medical information, notes made by healthcare personnel, identifiable biological specimens or samples, or genetic information all constitute “health information”.
Collection of information
The Hospital must:
Only collect health information necessary for its functions or activities.
Use fair and lawful ways, that are not unreasonably intrusive, to collect health information.
Collect health information directly from an individual if it is reasonable and practicable to do so (there is an exception where it is necessary to obtain an individual’s family, social or medical history, which may contain information relating to other persons).
Take reasonable steps, at the time of collecting health information or as soon as practicable afterwards, to make an individual aware of why the information is being collected, who it may be disclosed to, how it can be accessed etc.
Take reasonable steps to ensure the individual is aware of the above points even if the information is collected from someone else.
Only collect health information with the express or implied consent of the individual concerned, unless collection is required by law or it is necessary to prevent a serious threat to the life or health of any person.
Use and disclosure of information
The Hospital may use or disclose an individual’s health information where use or disclosure is:
for the primary purpose for which it was collected (eg provision of medical care and treatment; health fund claims)
for a directly-related secondary purpose that would have been within the reasonable expectations of the patient at the time (eg quality improvement activities)
with the consent of the individual (see Consent to Use Information below)
required or authorised by law
necessary to prevent serious and imminent threat to an individual or to public health.
Access to and correction of information
Patients have the right to access health information held about them, unless:
It would pose a serious threat to the life or health of any individual.
It would have an unreasonable impact on the privacy of others.
The request for access is frivolous or vexatious.
Denying access is required or authorised by law.
Access may be provided in a number of different ways. For example the patient (or his/her authorised representative) may view and discuss their records with a health service provider and/or obtain a copy of the information or a summarised report.
Access requests or related queries should be directed to the Privacy Coordinator who can also provide the appropriate form (ie Request to Access a Patient Record).
Access requests must be processed within 30 days and reasonable fees may be charged.
If a person requests a correction to their health information, the Hospital must either make the correction, where appropriate, or add a note to the records with details of the request. Requests for correction shall be directed to the Privacy Coordinator.
Storage and maintenance of information
The Hospital must take reasonable steps to:
Ensure that the health information it collects, uses or discloses is relevant, accurate, complete and up-to-date.
Protect the health information it holds from misuse and loss, and from unauthorised access, modification or disclosure.
Destroy or permanently de-identify health information when it is no longer needed or required to be kept.
The hospital must not adopt Commonwealth identifiers, such as Medicare or DVA numbers, for its own identification systems (eg hospital medical record number).
Transfer outside of Australia
The hospital may only transfer a person’s health information overseas when:
The individual has given consent.
The transfer is necessary for the fulfilment of a contract between the individual and the Hospital.
Obligations are imposed on the external party requiring compliance with Australian Privacy Principles.
It is believed that the information will be protected by a privacy scheme or legal provisions comparable to what exists in this country.
Enquiries and complaints
Complaints by individuals who believe that the Hospital has breached their privacy. (Any unresolved complaint is dealt with by the Office of the Australian Information Commissioner).
Mater Health Services
Raymond Terrace, South Brisbane 4101
Tel: 07 3163 2666 Fax: 07 3163 8104
The Office is located on Level 2 of the Mater Hospital Brisbane
Mater Patient Representative,
Mater Health Services
Raymond Terrace, South Brisbane 4101
Tel: 07 3163 8303 Fax: 07 3163 8753
Office of the Australian Information Commissioner
Tel: 1300 363 992. If calling from outside Australia call: + 61 2 9284 9749.
If you are deaf, or have a hearing or speech impairment, contact is through the National Relay Service:
Teletypewriter (TTY) users phone 133 677 then ask for 1300 363 992.
Speak and Listen users phone 1300 555 727 then ask for 1300 363 992.
Internet relay users connect to the National Relay Service then ask for 1300 363 992.
If you do not speak English, or English is your second language, and you need assistance to communicate, call the Translating and Interpreting Service on 131 450 then ask for 1300 363 992.
Note: These calls can be made for a local call cost from fixed residential landlines anywhere in Australia, but calls from mobile and pay phones may incur higher charges.
firstname.lastname@example.org
Patient Request to Access Clinical Records
+61 2 9284 9666
GPO Box 5218 Sydney NSW 2001
GPO Box 2999 Canberra ACT 2601
Clinical records request form
The following form has been made available for patients seeking access to clinical records.
Web Site Privacy
Collection of Information
When you access the Mater Web site, Mater may record your server address, domain name, the date and time of your visit, the pages viewed, the information downloaded and the frequency of visits.
Mater may also record information about the types of browsers that are being used to visit the Mater site. Mater uses this information for Web site and system administration, including monitoring to prevent security breaches, to assist Mater in further development and to improve the functionality of the site.