Fact Sheet
Updated November 2019
Accessing your health information in NSW
Under the NSW Health Records and Information Privacy Act 2002 (HRIP Act), you have a right to access health information about you from NSW health service providers, public sector agencies and some private sector organisations that hold health information.*

What is health information?
Health information is a specific type of ‘personal information’ which may include information about your physical or mental health or disability. It includes:
• Personal information you provide to any health organisation
• A health service already provided to you
• A health service that is going to be provided to you
• A health service you have asked to be provided to you
• Some personal information for organ donation
• Some genetic information about you, your relatives or your descendants.

What is the HRIP Act?
The HRIP Act:
• Protects your privacy rights in NSW by making sure that your personal and health information is properly collected, stored, used or released via the Health Privacy Principles (HPPs)
• Gives you the right to see and ask for changes to be made to your personal or health information
• Allows you to make a complaint to the NSW Privacy Commissioner if you believe a NSW public sector agency, private sector health organisation or health service provider has misused your personal or health information or breached one of the HPPs.

The HRIP Act applies to:
• NSW public sector agencies, including local councils and universities
• Public and private sector health organisations – e.g. a private or public hospital or medical centre
• Health service providers – e.g. your GP, dentist, therapist, physiotherapist, chiropractor, optometrist
• A larger-sized organisation with a turnover of over $3 million that holds health information – e.g. insurance company.

Who should I contact if I want to access my personal or health information?
If you want to access your own health or personal information, you should contact the holder of the information first and ask them how you can do this. This may be the Privacy Officer at the organisation concerned. Their details should be on the organisation’s website. In a NSW public hospital, requests to access health information should be sent to the Medical Records Department.

If you need further information you can also contact us.

How much does it cost and how long should it take to access my health information?
If you ask for your health or personal information under the HRIP Act it may be free or there may be a charge. When information is provided to you it should be done without undue delay or excessive costs.

If you want to access your own health information, you should contact the holder of the information first and ask them how you can do this.

There may be other important considerations beyond costs and processing times, such as your review rights, what form of access you want (e.g. view, copy) and whether other information is involved (e.g. information about a third party).

What can I do if I don’t get access?
If you believe a NSW public sector agency or private organisation has not given access to your health information:
• If it is a NSW public sector agency, you may be able to ask for an internal review. If you are not happy with the result, you have 28 days to apply to the NSW Civil and Administrative Tribunal (NCAT) for a review of the decision.
Information and Privacy Commission NSW
www.ipc.nsw.gov.au | 1800 IPC NSW (1800 472 679)
• If it is a private sector organisation or individual
health service provider, you can complain to the
NSW Privacy Commissioner. If you are not happy
with the result and, if the Privacy Commissioner has
written a report, you have 28 days to apply to NCAT
for a review of the decision, unless the Privacy
Commissioner’s report states otherwise.
See our guides to accessing health information from
public sector and private sector health service
providers over the page.
* Access to health records must be requested by the individual to whom the records relate or an authorised person for access on their behalf – S26(2).

For more information
Contact the Information and Privacy Commission NSW (IPC):
Freecall: 1800 472 679
Email: xxxxxxx@xxx.xxx.xxx.xx
Website: www.ipc.nsw.gov.au
Accessing your health information under the HRIP Act from a
NSW public sector agency (e.g. public hospital, community
services)
START HERE:
Put your request in writing (optional) to the agency that holds your health information. Include your:
• Name
• Address
• Date of birth (optional)
• Format you wish to access the information

YES: Information provided. Process is complete.

NO:
• Information not provided OR
• No response provided within an acceptable timeframe (e.g. 28 days) or explanation for the delay.

• Lodge an application for an internal review with the organisation (within six months). This is an internal investigation to assess if the agency has complied with its privacy obligations. The agency has to advise and consult with the NSW Privacy Commissioner. The review should be done in 60 days (if practicable). There is no fee.
• The agency may have a specific form for you to fill in. Check their website or contact the Privacy Contact Officer in the agency.
• If not, there’s a generic form on our website – www.ipc.nsw.gov.au – complete the form and send it to the agency receiving the application.

The agency will commence an internal review. This should be completed within 60 days of receiving the application and you will be kept informed of the progress during the review. The agency should complete the review as soon as reasonably practicable.
After the review:
You will be informed in writing of the result of the agency’s review. The agency must inform the NSW Privacy
Commissioner. Depending on the findings, the agency may:
• Make a formal apology
• Take remedial action (e.g. they provide access)
• Make assurances that it won’t happen again
• Make administrative changes to ensure it won’t happen again
• Take no further action.
If you are unhappy with the result of the review (or it is not completed in 60 days) you have 28 days* to
apply to the NSW Civil and Administrative Tribunal (NCAT) for a review of the decision to provide access.
NCAT’s decision is enforceable and they may order the agency to provide access, change its practices, apologise
or take steps to remedy any damage.
* Refer to Rule 24 of the Civil and Administrative Tribunal Rules 2014.
Accessing your health information under the HRIP Act from a
NSW private sector health service provider (e.g. dentist, GP,
private hospital) and larger-sized organisations with a
turnover of over $3 million that hold health information (e.g.
insurance companies)*
START HERE:
Put your request in writing (optional) to the organisation that holds your health information. Include your:
• Name
• Address
• Date of birth (optional)
• Format you wish to access the information

YES: Information provided. Process is complete.

NO:
• Information not provided OR
• No response within 45 days OR
• Refuse to provide in full OR
• Refuse to provide in requested format

Write to the NSW Privacy Commissioner. Include a copy of the correspondence to the private sector organisation
or health service provider requesting access to your health information.
The NSW Privacy Commissioner will assess and decide whether to handle your complaint. If the Privacy Commissioner accepts your complaint and attempts to resolve it, this is usually done through the following mechanisms:
• Resolution: This is final and completes the process.
• Report on findings: This provides you with the opportunity for further review by the NSW Civil and Administrative Tribunal (NCAT).
• Conciliation: This is final and completes the process.

If you are unhappy with the result, and only if the Privacy Commissioner has written a report, you have 28
days to apply to NCAT for a review of the decision to provide access, unless the Privacy Commissioner’s
report states otherwise. NCAT’s decision is enforceable and they may order the organisation to provide access,
change its practices, apologise or take steps to remedy any damage.
NOTE: The information in this fact sheet is to be used as a guide only.
Legal advice should be sought in relation to individual circumstances.
* You may have a right to access your health information from a private sector health service provider organisation
under the federal Privacy Act 1988 – visit www.oaic.gov.au for more information.