Legislative Council Fifty-Third Parliament, Second Session (53-2) 53 2 Parliament of South Australia Legislative Council published Bills Bills Health Care (Privacy and Confidentiality) Amendment Bill Health Care (Privacy and Confidentiality) Amendment Bill Health Care (Privacy and Confidentiality) Amendment Bill Introduction and First Reading Introduction and First Reading The Hon. S.G. WADE Legislative Council The Hon. S.G. WADE (16:58): Obtained leave and introduced a bill for an act to amend the Health Care Act 2008. Read a first time. Second Reading Second Reading The Hon. S.G. WADE Legislative Council The Hon. S.G. WADE (16:59): I move: That this bill be now read a second time. This bill seeks to amend the Health Care Act 2008 to make it an offence for a health employee to improperly access or use health records or personal information. It is tabled as a consultation draft. I will be writing to health professional, consumer and industry bodies to seek their views before considering refinement of the bill. I would also welcome the views of members of this council, either directly to me or through their contributions at the second reading. Section 93 of the Health Care Act as currently written is directed at where an SA Health employee obtains information in the course of their employment and subsequently discloses that information without authorisation. It is only an offence to disclose personal information. However, a patient's privacy is also breached when a person accesses personal information for their own interest without disclosing that information. More than 20 employees of SA Health have been found by SA Health to have inappropriately accessed the medical records of SA Health patients in the last year or so. They had no work-related reason to access these records and, as far as we know, none of them disclosed the information they gained. If that is the case, it would not be possible to prosecute them under section 93 of the Health Care Act 2008. The opposition considers that it should be an offence to access a health record. The proposed section 94 in the bill creates an offence where people access a health record without authority, whether or not the information is used or disclosed. The further offence deals with unauthorised access, including access beyond what is reasonably required for the performance of the person's job. The access charge is placed as a separate matter because it is, in our view, not necessary to particularise the range of matters in section 93 and it would only need to be proven that the person obtained unauthorised access or access beyond what is reasonable for performance of their position. The second amendment seeks to make it an offence for a person to use information for a non-authorised purpose, even if the person was entitled to access the information and even if they did not disclose it. The need for the amendment is highlighted by the reported case of a security guard at The Queen Elizabeth Hospital. The Advertiser has reported that a security guard employed by a contractor at The Queen Elizabeth Hospital accessed the personal details of a patient and used it to make contact with the patient in the days following their discharge from hospital. In such a case, access to the patient's personal information may have been authorised but its use was improper. As there was no disclosure of the information and they would not be an SA Health employee, the security guard could not have been prosecuted under section 93 of the Health Care Act as drafted. Section 93 applies only to public hospitals, the SA Health department and the ambulance service. The opposition proposes that the offence be broadened to apply to privately contracted services at public hospitals, such as nursing and security, and to private hospitals. I think the relevance of increasing the scope to private hospitals is supported by the fact that publicly funded health services are increasingly being provided at private hospitals. Perhaps the flagship service in that regard, at this stage, is the da Vinci robot. The da Vinci robot at St Andrew's Hospital has been the primary access point for public patients for da Vinci surgery for some years now. We believe the government's response to the patient record scandal thus far has been inadequate. It ignores the fact that our hospitals employ hundreds of workers not subject to Public Service disciplinary processes, such as agency nurses and contracted private security guards. Also, many of the people who do have access to records are not subject to the health professional regulatory authority and its processes. This bill does not deal with identifying breaches, but I have already put on the public record our concern that breaches may well be more prevalent than is currently apparent. We are very concerned that we are not getting any details about what proactive strategies are being used to detect breaches. We do not believe that supports public confidence, in fact we think it fuels the fear that the government has a 'don't look, don't find' approach. Coming back to the focus of this legislation, we believe it is a measured and focused strengthening of the Health Care Act to support the intent that is already there in section 93 to provide a more effective protection of the privacy of patients. With those words, I commend the bill to the house as a consultation draft. Debate adjourned on motion of Hon. T.A. Franks.