68 Corrupt disclosure or use of health information by public sector officials
(1) A public sector official must not, otherwise than in connection with the lawful exercise of his or her official functions, intentionally disclose or use any health information about an individual to which the official has or had access in the exercise of his or her official functions.Maximum penalty: 100 penalty units or imprisonment for 2 years or both.
(2) A person must not induce or attempt to induce a public sector official (by way of a bribe or other similar corrupt conduct) to disclose any health information about an individual to which the official has or had access in the exercise of his or her official functions.Maximum penalty: 100 penalty units or imprisonment for 2 years or both.
(3) Subsection (1) does not prohibit a public sector official from disclosing any health information if the disclosure is made in accordance with the Public Interest Disclosures Act 1994.(4) In this section, a reference to a public sector official includes a reference to a person who was formerly a public sector official.Note. Corrupt conduct by employees or agents of private sector persons in relation to health information may be dealt with under Part 4A (Corruptly receiving commissions and other corrupt practices) of the Crimes Act 1900.
69 Offering to supply health information that has been disclosed unlawfully
(1) A person who offers to supply (whether to a particular person or otherwise), or holds himself or herself out as being able to supply (whether to a particular person or otherwise), health information that the person knows, or ought reasonably to know, has been or is proposed to be disclosed in contravention of section 68 is guilty of an offence.Maximum penalty: 100 penalty units or imprisonment for 2 years, or both.
(2) If a person is convicted of an offence under section 68 or subsection (1), the court may order the confiscation of any money or other benefit alleged to have been obtained by the person in connection with the offence and for that money or other benefit to be forfeited to the Crown.
70 Intimidation, threats or misrepresentation
(1) A person must not, by threat, intimidation or misrepresentation, persuade or attempt to persuade an individual:(a) to refrain from making or pursuing:(i) a request for access to health information, or(ii) a complaint to the Privacy Commissioner or the Tribunal under Part 6, or(iii) an application under Part 5 of the PPIP Act with respect to the alleged contravention of a Health Privacy Principle or a health privacy code of practice, or(b) to withdraw such a request, complaint or application.Maximum penalty: 100 penalty units.
(2) A person must not, by threat, intimidation or false representation, require another person:(a) to give a consent under this Act, or(b) to do, without consent, an act for which consent is required.Maximum penalty: 100 penalty units.
(1) Nothing in this Act gives rise to, or can be taken into account in, any civil cause of action, and, without limiting the generality of the foregoing, nothing in this Act:(a) operates to create in any person any legal rights enforceable in a court or tribunal otherwise than in accordance with the procedures set out in this Act, or(b) affects the validity, or provides grounds for review, of any judicial or administrative act or omission.(2) A contravention of this Act does not create any criminal liability except to the extent expressly provided by this Act.
(1) Civil proceedings do not lie against a person in respect of loss, damage or injury of any kind suffered by another person by reason only of any of the following acts done in good faith:(a) the making of a complaint or application under this Act,(b) the making of a statement to, or the giving of a document or information to, the Privacy Commissioner, whether or not pursuant to a requirement under section 59 or 63.(2) If an organisation provides an individual with access to health information under this Act, and the access was required by HPP 7 (Access to health information) or Part 4, or an employee, officer or agent of the organisation believed in good faith that the access was required by HPP 7 or a provision of Part 4:(a) no action for defamation or breach of confidence lies against the organisation, any employee, officer or agent of the organisation or the Crown by reason of the provision of access, and(b) no action for defamation or breach of confidence in respect of any publication involved in, or resulting from, the giving of access lies against the person who provided the health information to the organisation by reason of the person having supplied the health information to the organisation, and(c) the organisation, or any employee, officer or agent of the organisation, or any other person concerned in giving access to the health information is not guilty of an offence merely because of the giving of access.(3) The provision of access to health information in the circumstances referred to in subsection (2) must not be taken to constitute, for the purposes of the law relating to defamation or breach of confidence, an authorisation or approval of the publication of the health information by the person to whom access to the information is provided.
(1) An organisation may charge a fee for any of the following matters:(a) giving an individual a copy of health information,(b) giving an individual an opportunity to inspect and take notes of the health information,(c) amending health information at the request of an individual,(d) any other matter prescribed by the regulations.(2) Any fee charged must not exceed such fee (if any) prescribed by the regulations for the matter concerned.
Proceedings for an offence against this Act are to be dealt with summarily before the Local Court.
(1) The Governor may make regulations, not inconsistent with this Act, for or with respect to any matter that by this Act is required or permitted to be prescribed or that is necessary or convenient to be prescribed for carrying out or giving effect to this Act.(2) Without limiting the generality of subsection (1), regulations may be made for or with respect to the following matters:(a) disapplying any provision or provisions of Part 6 with respect to any private sector person or class of private sector persons, subject to subsection (3),(b) the manner in which health privacy codes of practice are to be prepared and developed,(c) exempting specified persons, private sector persons or public sector agencies, or classes of person, private sector persons or public sector agencies, from:(i) any of the requirements of this Act or the regulations relating to the collection, use or disclosure of specified classes of health information, or(ii) any other provision of this Act,(d) providing for 2 or more public sector agencies or classes of public sector agencies to be treated as a single agency:(i) for the purposes of this Act generally, or(ii) for the purposes of specified provisions of this Act, or(iii) for the purposes of specified Health Privacy Principles or health privacy codes of practice,(e) providing for 2 or more private sector persons or classes of private sector persons (including private sector persons that are related bodies corporate) to be treated as a single private sector person:(i) for the purposes of this Act generally, or(ii) for the purposes of specified provisions of this Act, or(iii) for the purposes of specified Health Privacy Principles or health privacy codes of practice,(f) the auditing of compliance by organisations with the provisions of this Act, including the types of activities or conduct that may be subject to audit, the persons or bodies by whom an audit may be conducted and the frequency or timing of audits.(3) A regulation made under subsection (2) (a) applies with respect to a private sector person only for so long as an individual is entitled to make a complaint that an act or practice by the private sector person may be an interference with the privacy of the individual (as referred to in section 13A of the Privacy Act 1988 of the Commonwealth) under a Commonwealth privacy code binding the private sector person or class of private sector persons concerned that sets out procedures for making and dealing with complaints in relation to acts or practices of the private sector person or class of private sector persons.(4) The regulations may create offences punishable by a penalty not exceeding 50 penalty units.(5) In this section:Commonwealth privacy code means a privacy code approved by the Commonwealth Privacy Commissioner under the Privacy Act 1988 of the Commonwealth.
complaint means a complaint of any kind, regardless of the nature of any remedies that may be available in respect of the complaint.
75A Regulations with respect to healthcare identifiers
(1) Without limiting section 75, regulations may be made for or with respect to healthcare identifiers.(2) In particular, the regulations may specify the circumstances in which a person may or may not use or disclose a healthcare identifier.(3) A person who uses or discloses a healthcare identifier in contravention of a regulation made under subsection (2) is guilty of an offence.Maximum penalty:
(a) 600 penalty units in the case of a body corporate, or(b) 120 penalty units or imprisonment for 2 years, or both, in any other case.
76 Savings and transitional provisions
Schedule 2 has effect.
(1) The Minister is to review this Act to determine whether the policy objectives of the Act remain valid and whether the terms of the Act remain appropriate for securing those objectives.(2) The review is to be undertaken as soon as possible after the period of 5 years from the date of assent to this Act.(3) A report on the outcome of the review is to be tabled in each House of Parliament within 12 months after the end of the period of 5 years.