Best practice for accessing an employee's medical records

Understanding your employee’s medical background is a good idea so you can adjust and accommodate to their needs but ensure you’re up to date with federal privacy policies as well as the privacy policies that apply in your state.

An article by HRD’s Coann Labitoria gives you all the information you need when accessing an employee’s medical records and a breakdown of state policies.

While personal information like name, address and date of birth is commonly shared, some personal information must remain private. Sensitive personal information can include political opinions, religious or spiritual beliefs, trade union membership, criminal record and medical history.

There are 13 Australian Privacy Principles (APP) that protect sensitive personal information. It includes guidelines around transparency, anonymity, collection, dealing, notifying, use, security, access, correction and quality of personal information.

Australian businesses can access an employee’s medical records if they have the express written consent of the employee. An employer can also access limited medical records if they need to determine if the employee is fit to work.

When a breach of an APP happens, the breach is reviewed by the Office of the Australian Information Commissioner.

Breakdown of State privacy laws

New South Wales

• Privacy and Personal Information Protection Act 1998 (PPIP Act) for NSW public sector agencies, local councils and universities. It is handled by the NSW Information and Privacy Commission.
• Health Records and Information Privacy Act 2002 (HRIP Act) for NSW public sector agencies, local councils, universities, public sector health organisations, private sector organisations and health service providers.

Victoria

• Privacy and Data Protection Act 2014 (PDP Act) for Victorian government organisations. It Is handled by the Office of the Victorian Information Commissioner.
• Health Records Act 2001 for protecting the health information of an individual. It is handled by the Office of the Health Services Commissioner.

Queensland

• Queensland Information Privacy Act 2009 for Queensland Government agencies. It is handled by the Queensland Office of the Information Commissioner.
• Queensland’s Health Ombudsman handles complaints on health services and health service providers.

Western Australia

• Freedom of Information Act 1992 which deals some privacy principles related to disclosure and amendment of personal information by WA state and local government agencies
• Health and Disability Services Complaints office handles complaints related to WA health and disability services
• South Australia
• South Australian privacy committee for SA government agencies.
• Health and Community Services Complaints Commissioner handles complaints on government, non-government and private health and community services.

Tasmania

• Personal Information and Protection Act 2004 for the Tasmanian public sector and public hospitals. It is handled by the Tasmanian Ombudsman.

ACT

• Information Privacy Act 2014 for ACT public sector agencies. It includes a set of Territory Privacy Principles (TPPs) that covers the storage, use and disclosure of personal information.
• Health Records (Privacy and Access) Act 1997 manages health records held by ACT government agencies and public hospitals. It is handled by the ACT Human Rights Commission.

Northern Territory

• Information Act 2002 manages complaints relating to personal and health information privacy. It is handled by the Office of the Information Commissioner Northern Territory.