Health information and the Privacy Act
Health information is regarded as one of the most sensitive types of personal information. For this reason, the Privacy Act 1988 (Privacy Act) provides extra protections around its handling. For example, an organisation generally needs an individual's consent before they can collect their health information.
In addition, all organisations that provide a health service are covered by the Privacy Act, whether or not they are a small business. Under the Privacy Act a 'health service' includes any activity that involves:
- assessing, recording, maintaining or improving a person's health; or
- diagnosing or treating a person's illness or disability; or
- dispensing a prescription drug or medicinal preparation by a pharmacist.
Organisations providing a health service include:
- traditional health service providers, such as private hospitals, day surgeries, medical practitioners, pharmacists and allied health professionals
- complementary therapists, such as naturopaths and chiropractors
- gyms and weight loss clinics
- child care centres, private schools and private tertiary educational institutions.
The Privacy Act regulates how these organisations collect and handle personal information, including health information. It also includes provisions that generally allow a person to access information held about them. The Office of the Australian Information Commissioner (OAIC) also regulates the handling of health information held in an individual’s personally controlled electronic health record.
The OAIC has developed privacy fact sheets and privacy guides to help individuals and organisations providing a health service understand their rights and responsibilities. Further information about health and medical research is also available on the Privacy Topics — Health page.
The Privacy Act permits the handling of health information for health and medical research purposes in certain circumstances, where researchers are unable to seek individuals' consent. This recognises:
- the need to protect health information from unexpected uses beyond individual healthcare
- the important role of health and medical research in advancing public health.
To promote these ends, the Privacy Commissioner has approved two sets of legally binding guidelines, issued by the National Health and Medical Research Council (NHMRC). Researchers must follow these guidelines when handling health information for research purposes without individuals' consent. The guidelines also assist Human Research Ethics Committees (HRECs) in deciding whether to approve research applications. The guidelines are produced under sections 95 and 95A of the Privacy Act. The guidelines are:
- Guidelines under Section 95 of the Privacy Act 1988, which set out procedures that HRECs and researchers must follow when personal information is disclosed from a Commonwealth agency for medical research purposes.
- Guidelines under Section 95A of the Privacy Act 1988, which provide a framework for HRECs to assess proposals to handle health information for health and medical research (without individuals' consent). They ensure that the public interest in the research activities substantially outweighs the public interest in the protection of privacy.
Using and disclosing genetic information
The Privacy Act does not prevent a health service provider using or disclosing a patient's genetic information, if the patient has given informed consent.
Where a health service provider has not been able to obtain consent from the patient, the Privacy Act allows the use and disclosure of genetic information where:
- the health service provider reasonably believes that there is a serious threat to the life, health or safety of a genetic relative of the patient
- the use or disclosure to the genetic relative is necessary to lessen or prevent that threat
- the health service provider has complied with the Guidelines issued under section 95AA of the Privacy Act.