HIPAA Australia: The Privacy Act 1988

The Australian counterpart to HIPAA, sometimes called “HIPAA Australia,” is the Privacy Act 1988. The two regimes differ in several respects. Most significantly, the Privacy Act protects a much broader scope of personal information than HIPAA does: HIPAA covers only protected health information held by covered entities and their business associates, while the Privacy Act covers personal information of every kind held by the entities it regulates.

“HIPAA Australia”: What is the Privacy Act 1988?

The Privacy Act 1988 (Privacy Act) was introduced to promote and protect the privacy of individuals. The Act regulates how Australian Government agencies and private sector organizations handle personal information. (By contrast, HIPAA regulates how PHI, or protected health information, may be used and disclosed. PHI in electronic form is known as electronic protected health information, or ePHI.)

Under the Privacy Act 1988, personal information is information or an opinion about an identified individual, or about an individual who is reasonably identifiable, whether or not the information is true and whether or not it is recorded in a material form.

What constitutes personal information will vary, depending on whether a person can be identified or is reasonably identifiable in the circumstances.

Personal information may include:

  • An individual’s name, signature, address, phone number or date of birth
  • Credit information
  • Employee record information
  • Photographs
  • Internet protocol (IP) addresses
  • Voice print and facial recognition biometrics (because they capture the characteristics that make an individual’s voice or face unique)
  • Location information from a mobile device (because it can reveal a user’s activity patterns and habits)

What Entities are Regulated by the Privacy Act 1988?

The entities regulated by the Privacy Act 1988 include the following:

  • Australian Government agencies
  • Organizations with an annual turnover of more than $3 million (AUD). An “organization” is defined under the Privacy Act as:
    • An individual, including a sole trader
    • A corporation (the Act uses the formal term “body corporate”)
    • A partnership
    • Any other unincorporated association
    • A trust
  • Certain small business operators with an annual turnover of $3 million or less, including private sector health service providers. Organizations that provide health services include:
    • Private hospitals
    • Medical practitioners
    • Day surgery centers
    • Pharmacists
    • Allied health professionals
    • “Complementary” therapists, such as naturopaths and chiropractors
    • Gyms and weight loss clinics
    • Child care centers, private schools, and private tertiary educational institutions

HIPAA Australia and Confidentiality

Under the Privacy Act 1988, patient medical records must remain confidential, and may be used or disclosed only where there is a legitimate basis for doing so. Patient data may be released to the relevant parties in circumstances including the following:

  • The disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of the patient or of another person
  • The data forms part of approved research
  • Release of the data is in the public interest (HIPAA contains no general public-interest exception to the rule prohibiting PHI use or disclosure without individual authorization; it instead enumerates specific permitted purposes)
  • The law requires or authorizes release of the data (HIPAA contains a similar “required by law” exception to the rule prohibiting PHI use or disclosure without individual authorization)
