Privacy Law Compliance and Telehealth


Executive Summary

Note – this information does not constitute legal advice. Ethical decision making is a personal process for each Psychologist. Should you have questions regarding your personal circumstances you will need to obtain legal advice. You need to be aware of the Privacy Act 1988. It is your obligation to gain full informed consent from anyone you are providing services to through Telehealth platforms (educate them regarding the risks, benefits and possible problems). All Psychologists are able to make a determination of whether an individual is able to give consent and whether a guardian needs to be involved in decision making. You need to be aware of where data is stored and whether it is likely to be transmitted outside Australian territory. If it is, you need to disclose this to your client, along with the risks that might be present. Wherever possible client data should be de-identified. You need to take reasonable steps to ensure that the overseas recipient does not breach the Australian Privacy Principles in relation to the information. Where a country has similar law in place to protect privacy there will be less risk (eg HIPAA compliance). If you have taken reasonable steps to ensure your clients' data is protected and you have documented fully informed consent then you will have discharged your responsibilities. Your privacy policy needs to be written and given to every client. If in doubt about telehealth then consider using telephone appointments, where security can be guaranteed.

Introduction

Our members have been contacting us concerned about providing Telehealth services and wanting advice about what platform to use. There has been a lot of misinformation going around about which platforms are compliant with Australian law. We summarise below what you need to be aware of when choosing a compliant platform so that you can make an informed choice. Note this is a personal decision for each Psychologist. There are many decisions to be made during the process and you will need to carefully document each decision you make.

When looking at compliance of Psychologists in Australia we look at the Privacy Act 1988.

We have attached the details for a document from the Office of the Australian Information Commissioner (OAIC) that is very easy to read and interpret. Note this is not the Privacy Act itself (which can be sourced very easily online) but it explains the principles in full, and the OAIC is the body that investigates any breaches of privacy in Australia.

https://www.oaic.gov.au/assets/privacy/app-guidelines/app-guidelines-july-2019.pdf

A big factor in your decision making is going to be getting informed consent from your clients regarding using these platforms with them. The client needs to have all the information available to them when deciding whether to engage with you in this manner. Written or verbal consent is acceptable but must be fully documented. Consent means ‘express consent or implied consent’. The four key elements of consent are:

•the individual is adequately informed before giving consent

•the individual gives consent voluntarily

•the consent is current and specific, and

•the individual has the capacity to understand and communicate their consent. If they cannot, you need to consider what they want, what their carers want etc. Capacity will vary according to time and circumstance.

NOTE: consent can be withdrawn at any time, and you will need to change the way you work with that client if they withdraw consent. Consent also needs to be updated regularly. Just because someone consents at one point in time does not mean they will always consent.

Likely overseas disclosures

An Australian Privacy Principle (APP) Privacy Policy must set out whether personal information is likely to be disclosed to overseas recipients and the countries in which such recipients are likely to be located ‘if it is practicable to specify those countries in the policy’.

An APP entity is required to set out in the policy only likely disclosures of personal information to overseas recipients, and not likely uses of personal information by the entity. For example, routing personal information, in transit, through a server located outside Australia would usually be considered a ‘use’.

When making decisions about what teleconferencing platform to use you do need to consider whether your clients' information will be transmitted outside of Australia and for what purpose, and whether their data can be de-identified so that, if it were viewed by another party outside of Australia, the client could not reasonably be identified.

Key points

•Before an APP entity discloses personal information to an overseas recipient, the entity must take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the information.

•An APP entity that discloses personal information to an overseas recipient is accountable for any acts or practices of the overseas recipient in relation to the information that would breach the APPs.

•There are exceptions to the requirement to take reasonable steps and to the accountability provision. The requirement to ensure that an overseas recipient does not breach the APPs is qualified by a ‘reasonable steps’ test. It is generally expected that an APP entity will enter into an enforceable contractual arrangement with the overseas recipient that requires the recipient to handle the personal information in accordance with the Australian Privacy Principles. This includes any cloud based storage that you use or that any platform you use operates with.

Disclosing personal information to an overseas recipient that is subject to a substantially similar law or binding scheme

You may disclose personal information to an overseas recipient where the entity reasonably believes that:

•the overseas recipient is subject to a law, or binding scheme, that has the effect of protecting the information in a way that, overall, is at least substantially similar to the way the Australian Privacy Principles protect the information, and

•mechanisms can be accessed by the individual to enforce that protection of the law or binding scheme.

It is the responsibility of an APP entity to be able to justify its reasonable belief.

Law or binding scheme

An overseas recipient may be subject to a law or binding scheme, where, for example, it is:

•bound by a privacy or data protection law that applies in the jurisdiction of the recipient

•required to comply with another law that imposes obligations in relation to the handling of personal information, for example some taxation law includes provisions that expressly authorise and prohibit specified uses and disclosures, permit the retention of some data, require destruction after a certain period of time and under particular circumstances, and include a right of access to an individual’s personal information

•subject to an industry scheme or privacy code that is enforceable once entered into, irrespective of whether the recipient was obliged or volunteered to participate or subscribe to the scheme or code

•subject to Binding Corporate Rules (BCRs). BCRs allow multinational corporations, international organisations and groups of companies to make intra-organisational transfers of personal information across borders in compliance with EU Data Protection law.


Substantially similar to

A substantially similar law or binding scheme would provide a comparable, or a higher, level of privacy protection to that provided by the APPs. Each provision of the law or scheme is not required to correspond directly to an equivalent APP. Rather, the overall effect of the law or scheme is of central importance.

Whether there is substantial similarity is a question of fact. Factors that may indicate that the overall effect is substantially similar, include:

•the law or scheme includes a comparable definition of personal information that would apply to the personal information disclosed to the recipient

•the law or scheme regulates the collection of personal information in a comparable way

•the law or scheme requires the recipient to notify individuals about the collection of their personal information

•the law or scheme requires the recipient to only use or disclose the personal information for authorised purposes

•the law or scheme includes comparable data quality and data security standards

•the law or scheme includes a right to access and seek correction of personal information

Disclosing personal information to an overseas recipient with the individual’s consent after the individual is expressly informed

You may disclose personal information to an overseas recipient where:

•the APP entity expressly informs the individual that if they consent to the disclosure, this principle will not apply, and

•the individual then consents to the disclosure

Expressly inform

You need to provide the individual with a clear written or oral statement explaining the potential consequences of providing consent. At a minimum, this statement should explain that if the individual consents to the disclosure and the overseas recipient handles the personal information in breach of the Australian Privacy Principles:

•the entity will not be accountable under the Privacy Act

•the individual will not be able to seek redress under the Privacy Act

The statement should also:

•be made at the time consent is sought

•not rely on assumed prior knowledge of the individual.


The statement could also explain any other practical effects or risks associated with the disclosure that the APP entity is aware of, or would be reasonably expected to be aware of.

These may include that:

•the overseas recipient may not be subject to any privacy obligations or to any principles similar to the APPs

•the individual may not be able to seek redress in the overseas jurisdiction

•the overseas recipient is subject to a foreign law that could compel the disclosure of personal information to a third party, such as an overseas authority

You need to make a copy of your APP privacy policy available publicly, free of charge and in an appropriate form.

You need to ensure your staff are compliant!

If you have taken reasonable steps to ensure your clients' data is protected and you have documented fully informed consent then you will have discharged your responsibilities.

Available platforms in Australia that are worth investigating are:

• Coviu
• Zoom
• Skype
• VSee
• Doxy.me
• Ruralhealthconnect.com.au

Bottom line: if you do not feel comfortable that you are compliant under national laws, or do not feel comfortable using these platforms, do not use them. There are telephone items you can use that would be more suitable for your circumstances. We have also seen a relaxation of regulations for our American colleagues, with their HIPAA compliance requirements being relaxed at this time. We will update you further if this is going to occur in Australia.