Health Privacy Principles

The Victorian Health Records Act 2001 regulates privacy of health information handled by the public and private sector bodies in Victoria. The Act became enforceable from 1 July 2002. The Health Records Act contains eleven Health Privacy Principles or HPPs.

The Health Services Commissioner has responsibility for safeguarding privacy of health information under the Act.




HPP1   Collection   Collect health information, necessary for Council's functions or activities, about an individual by lawful, fair and reasonable means and preferably from the individual concerned. At or near the time of collection, notify the individual of why it is being collected, what usual disclosures may be made, if the collection is required by law and their right to access the information. Information communicated in confidence from 3rd parties may be collected.    
HPP2   Use & Disclosure   Use or disclose health information: for the primary purpose collected or for a related secondary purpose an individual would reasonably expect, where the individual consents, for law enforcement purposes, where required by law or for other prescribed exceptions. Where disclosure is for law enforcement a written note should be made of the disclosure.    
HPP3   Data Quality   Take reasonable steps to ensure that health information is accurate, complete, up-to-date and relevant to Council's functions.    
HPP4   Data Security & Data Retention   Take reasonable steps to protect health information held from misuse, loss, unauthorised access, modification or disclosure. Health service providers must retain health information for prescribed periods. Non-health service providers must retain for as long as the lawful purpose or as other Acts specify (eg Public Records Act). For 30 years after death health information is protected by these HPPs.    
HPP5   Openness   Document clearly expressed policies on the management of health information and steps individuals have to take to access health information. Make the policies available to anyone who asks. On request take reasonable steps to let the enquirer know generally, what sort of health information Council holds, for what purposes and how it collects and manages that information.    
HPP6   Access & Correction   Access to health information is dealt with under the Freedom of Information Act within Council. Information collected after 1 July 2002 can be accessed in full. If collected prior to 1 July 2002, at a minimum the individual is entitled only to a summary. If an individual is able to establish that their health information is not accurate, complete and up-to-date, Council must take reasonable steps to correct the information.    
HPP7   Identifiers   May only assign identifiers to individuals if necessary for Council to carry out its functions efficiently. A private sector organisation may not adopt as its own identifier of an individual one that has been assigned to that person by a public sector organisation unless prescribed exceptions apply.    
HPP8   Anonymity   Where it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation.    
HPP9   Transborder Data Flows   May transfer health information about an individual to someone (other than Council or individual) who is outside Victoria only if prescribed conditions apply.    
HPP10   Transfer or Closure of Practice of Health Service Provider   If the practice or business of a health service provider is to be transferred or closed, the provider must comply with a prescribed set of procedures and statutory guidelines, centring on notification to former clients and the public.    
HPP11   Making information available to another provider   If an individual requests a health service provider make their health information available to another provider, the former must comply with the request as soon as practicable.