Rules Mate

Victorian Health Records Act 2001: 11 HPPs for Public and Private Health Providers

Victorian Health Records Act 2001: 11 Health Privacy Principles (HPPs) for public and private health service providers, administered by OVIC.

Rules Mate Editorial | Published 5 June 2026 | 4 min read

Scope of the Health Records Act 2001 (Vic)

The Health Records Act 2001 (Vic) (HR Act) governs the management of health information in Victoria. It commenced on 1 July 2002 for the private sector and 1 January 2003 for the public sector. The Act applies to all ‘health service providers’ in Victoria, encompassing both public and private entities such as hospitals, general practitioners, allied health professionals, pharmacies, and complementary therapists.

The HR Act defines ‘health information’ in broad terms. This includes information relating to a person’s physical, mental, or psychological health, disability, or their expressed wishes regarding future health services. It also covers other personal information collected in the course of providing a health service.

Regulation of health privacy under the HR Act has evolved. From 21 September 2017, the Office of the Victorian Information Commissioner (OVIC) assumed the regulatory role previously held by the Health Services Commissioner, operating within the framework of the Privacy and Data Protection Act 2014. However, the Health Complaints Commissioner (HCC) continues to handle complaints relating to the HR Act, a function that began on 1 February 2017. Schedule 1 of the HR Act outlines the 11 Health Privacy Principles (HPPs).

Health Privacy Principles 1-6

The Health Records Act 2001 outlines several Health Privacy Principles (HPPs) that guide the management of health information by both public and private health providers. HPP 1 concerns the collection of health information. Organisations must only collect information that is necessary for their functions. Where reasonably practicable, this information should be collected directly from the individual. A collection notice must be provided.

HPP 2 addresses the use and disclosure of health information. Information can only be used or disclosed for the primary purpose for which it was collected, or a directly related secondary purpose that the individual would reasonably expect. Exceptions to this rule exist, including situations involving consent, a serious threat to life, health, or safety, research, and legal obligations. HPP 3 mandates that providers take reasonable steps to ensure the accuracy, completeness, currency, and relevance of the health information they hold.

Further HPPs outline responsibilities for data management. HPP 4 requires providers to protect health information from misuse, loss, and unauthorised access, and to adhere to specified retention periods. For adults, this is generally seven years from the last service provided; for children, retention continues until they reach the age of 25. HPP 5 requires providers to clearly express their policies regarding health information management and make them available upon request. Finally, HPP 6 grants individuals the right to access their own health information and request corrections to any inaccuracies.

Health Privacy Principles 7-11

HPP 7 addresses the use of unique identifiers. Health providers must limit the use and disclosure of identifiers assigned by other organisations. HPP 8 requires providers to offer options for dealing with the organisation anonymously, where this is lawful and practicable. HPP 9 regulates the transfer of health information outside of Victoria, stipulating that such transfers require specific safeguards, such as consent, comparable laws, or contractual protections.

The Victorian Health Records Act includes two unique HPPs not present in other jurisdictions. HPP 10 mandates that providers give notice of practice transfer or closure and facilitate patient access to their records. HPP 11 concerns the handover of summaries or records when a patient transfers care to another health service provider.

These principles are crucial for maintaining patient privacy and ensuring responsible data handling within the Victorian health sector. The specific requirements of HPPs 10 and 11 highlight the Victorian HR Act’s focus on continuity of care and patient rights during transitions and provider handovers.

Enforcement and interaction with federal law

Complaints regarding non-compliance with the Health Records Act 2001 (HR Act) are handled through the Health Complaints Commissioner, operating under the Health Complaints Act 2016 (Vic). This process may involve compliance notices, conciliation, and the potential for orders from the Victorian Civil and Administrative Tribunal (VCAT). VCAT can issue compensation orders, with a maximum limit of $100,000.

Private sector health service providers have dual obligations. They must adhere to the requirements of the HR Act and also comply with the Privacy Act 1988 (Cth). Notably, the Privacy Act’s small-business exemption does not apply to organisations providing health services.

The Office of the Victorian Information Commissioner (OVIC) maintains a regulatory and guidance role concerning health privacy, as part of its broader privacy regulatory responsibilities. Furthermore, when a Victorian public sector body holds information, the Privacy and Data Protection Act 2014 (Vic) (PDP Act) applies to non-health personal information.

Frequently asked

How many Health Privacy Principles are there under the Victorian Health Records Act?

There are 11 Health Privacy Principles (HPPs) in Schedule 1 of the Health Records Act 2001 (Vic). They cover collection, use and disclosure, data quality, data security and retention, openness, access and correction, identifiers, anonymity, transborder data flows, transfer or closure of practice (HPP 10), and making health information available to another health service provider when a patient transfers care (HPP 11).

Who enforces the Victorian Health Records Act?

Complaints about the Health Records Act 2001 (Vic) are made to the Health Complaints Commissioner under the Health Complaints Act 2016 (Vic). The Office of the Victorian Information Commissioner (OVIC) has a regulatory and guidance role as part of its broader privacy remit. The Victorian Civil and Administrative Tribunal (VCAT) can make binding orders including awards of compensation up to $100,000.
