Privacy and caring for your patient
The Privacy Act 1988 (Privacy Act) is consistent with good treatment practices and promotes appropriate information flows within the health sector, by building on existing relationships of trust between health professionals and patients.
What does the Privacy Act say about how patients' information should be used and disclosed?
Generally speaking, under the Privacy Act, health service providers in the private sector may only use or disclose their patients' health information for the main reason for which it was initially collected. This is called the 'primary purpose' of collection.
The primary purpose should be interpreted narrowly, such as to diagnose and treat a particular condition or set of symptoms. However, the Privacy Act also offers exceptions to this general rule.
One exception is where the patient consents to their information being used or disclosed for another purpose.
Directly related purposes, within your patient's reasonable expectations
Another exception allows the use or disclosure of health information for another purpose that is directly related to the primary purpose, where the patient would reasonably expect this to happen. In healthcare, directly related purposes are likely to include anything to do with the patient's care or wellbeing. The patient's reasonable expectations will then dictate whether the use or disclosure for that purpose should occur.
'Disclosures' for directly related purposes will often arise where a team of practitioners needs to share relevant information to provide healthcare. 'Uses' for directly related purposes may include where a provider uses their patient's information to treat a number of conditions, without sharing the information.
How does this affect whether a provider needs a patient's consent to use or share information?
Health service providers in the private sector don't always need the patient's consent to use or disclose their health information for another, directly related purpose - as long as the patient would reasonably expect the use or disclosure that the provider has in mind to provide care.
A patient's expectations can be effectively managed through good provider-patient communication. This usually means the patient has been told the use or disclosure would happen, or they would expect it to happen because of why they gave the information to the provider in the first place.
If the patient would not reasonably expect the use or disclosure that the provider has in mind, then the provider will usually need to get the patient's consent before proceeding. Other exceptions in the Privacy Act permit disclosure without consent in certain circumstances, such as to lessen a serious and imminent threat to life, health or safety, or where the disclosure is required or authorised by law.
Who is this information sheet for?
All health service providers in the private sector (providers) must comply with the 10 National Privacy Principles (NPPs) under the Privacy Act when handling personal information. Providers include general practitioners, mental health professionals, private sector nurses, other board-accredited specialists and private hospitals, as well as those providing allied and complementary healthcare.
Health service providers in the state and territory public sectors (such as public hospitals and their staff) are not bound by the NPPs, but may have to comply with state and territory privacy laws.
What is this information sheet about?
This information sheet gives guidance to providers on how the Privacy Act applies to using and disclosing a patient's health information, in the course of providing the patient with a health service. This includes when disclosing information to other members of an individual's treating team, as well as when providing care in a holistic manner.
How does the Privacy Act apply to using and disclosing health information?
National Privacy Principle 2 (NPP 2) is consistent with providers' obligations of confidentiality to their patients, and the strong tradition of trust between patients and providers. Providers must use or disclose patients' health information in a way that is consistent with NPP 2.
What is 'use' and what is 'disclosure'?
In general terms, the use of health information refers to the handling of that information within the organisation that collects it. Disclosure of health information involves the release of that information to someone outside the organisation, other than the individual whom the information is about.
Generally, under NPP 2, health information may only be used or disclosed:
- for the main reason that the provider collected it (the 'primary purpose'); or
- for another, directly related purpose (including other healthcare purposes) that the individual would reasonably expect; or
- with the individual's consent.
Providers should be confident about their use or disclosure of health information where there is a clear, shared understanding with their patient about matters such as:
- the reasons that personal information is being collected;
- the circumstances when it may be used and disclosed; and
- to whom disclosures are likely to occur in the course of assessment, treatment or referral.
NPP 2 contains other exceptions which allow use and disclosure in limited circumstances, such as where disclosing the information would lessen a serious and imminent threat to someone's life or health.
What is health information?
Briefly, the Privacy Act applies to all 'personal information', which is information about an individual whose identity is apparent, or can be reasonably ascertained. 'Sensitive information' is a sub-category of personal information, and it includes 'health information'. Any personal information held by a health service provider is likely to be health information under the Privacy Act.
Primary purpose for collecting health information
The Privacy Act distinguishes between the main reason for which information is collected, called the 'primary purpose', and other purposes, called 'secondary purposes'. The primary purpose or main reason for collecting health information will usually be narrow, such as to diagnose and treat a particular condition or set of symptoms. Working out the primary purpose of collection should be possible from the situation at the time the information is collected, even though the provider may also have other, secondary reasons in mind.
NPP 2 permits health information to be used or disclosed for the primary purpose for which it was collected, without seeking the patient's consent. Importantly though, the Privacy Act does require that individuals are told how their information will be handled (see below).
Use and disclosure for directly related secondary purposes
Secondary purposes for using and disclosing health information may either be 'directly related' to the primary purpose for which the information was collected, or not directly related.
A directly related purpose is one which is closely associated with the original purpose, even if it is not strictly necessary to achieve that purpose. This should be distinguished from purposes that may only be 'related'.
For health service providers, directly related purposes generally include those which involve providing treatment or care, including for health and wellbeing outside of the primary purpose. A provider can use or disclose a patient's health information for directly related secondary purposes, if the patient would reasonably expect the use or disclosure.
Other directly related purposes include many activities or processes necessary to the functioning of the health sector. Provided these fall within the individual's reasonable expectations, no additional steps need be taken before using or disclosing the information. These purposes may include:
- providing an individual with further information about treatment options;
- billing or debt-recovery (with care and discretion, consistent with confidentiality);
- a provider's management, funding, complaint-handling, planning, evaluation and accreditation activities (for example, activities to assess the cost effectiveness of a particular treatment or service);
- disclosure to a medical expert (only for medico-legal opinion), an insurer, a medical defence organisation, or a lawyer, solely for the purpose of addressing liability indemnity arrangements (such as reporting an adverse incident), or for the defence of anticipated or existing legal proceedings;
- an organisation's quality assurance or clinical audit activities, where they evaluate and seek to improve the delivery of a particular treatment or service; and
- disclosure to a clinical supervisor by a psychiatrist, psychologist or social worker.
More information on using and disclosing personal information for secondary purposes relating to the management, funding and monitoring of a health service is available in Information Sheet 23.
Example: Primary and directly related purposes
A patient presents to a GP with a sprained ankle from a fall. The primary purpose of collecting the patient's health information will be to treat the sprained ankle.
During the course of the consultation, the GP discovers that the fall was due to an episode of dizziness.
Assessing and treating the dizziness is a 'directly related' purpose. When treating a patient, providers will need to consider whether information collected for the primary purpose can also be used for a directly related secondary purpose. The key to this is the patient's reasonable expectations.
Most patients would reasonably expect that any information collected in their medical record would be used by their provider to treat them. This means that as well as treating the sprained ankle, the patient's health information may also be used to diagnose the cause of the dizziness and treat any underlying condition.
However, if providers plan to disclose the information to another provider, such as a specialist or member of a treating team, then patients may be less likely to expect this sharing and the provider may need to take more active steps to ensure that there is a mutual understanding. Usual patient-clinician communication will help to align expectations of how the patient's health information will be used and disclosed.
Giving notice to patients about the reasons for collection (NPP 1.3)
The Privacy Act requires that providers give notice to their patients about certain matters when they first collect health information. These matters include why the information is being collected, how it may be used and to whom it may be disclosed. The full notice requirements are set out in NPP 1.3.
This collection notice lays the groundwork for a shared understanding between the provider and the patient as to how the patient's health information may be handled. This is important to determining the scope for later uses or disclosures of that information.
Providers may give notice in written form, through direct discussions, or by way of signage and pamphlets. While written notice is useful in fulfilling notice requirements, it is also important that provider and patient discuss their expectations about uses and disclosures. Providers should regularly check that this shared understanding between patient and provider reflects the evolving relationship.
When can a patient's information be shared without consent for their treatment?
This is a key issue for providers. Consent will generally not be required where effective communication has established a clear, shared understanding between the provider and the patient about likely uses and disclosures that may occur as part of their treatment. Open discussion that usually occurs during consultations will often achieve this shared understanding.
The Privacy Act is not intended to impose unnecessary administrative burdens on providers, or to inconvenience patients, by requiring consent each time health information is appropriately shared with another provider, or otherwise handled in the delivery of healthcare.
At the same time, the Privacy Act seeks to ensure that individuals retain appropriate control over how their information is handled, including ensuring that it is not handled in ways that an individual would not expect.
Disclosures may occur without consent in the circumstances outlined below.
(a) Disclosures for the primary purpose that the information was collected
NPP 2 permits providers to use or disclose a patient's health information for the main reason, or 'primary purpose', that it was collected for. In healthcare, the primary purpose is the main or dominant reason that the individual is seeking assessment, treatment or care.
(b) Disclosures for other directly related purposes that the patient would reasonably expect as part of their care and treatment
Providers may also use or disclose health information for another purpose that is both directly related to the primary purpose and within the individual's reasonable expectations (NPP 2.1(a)). Where these two conditions are satisfied, providers may share health information for healthcare purposes without having to seek the patient's consent.
Example: Multi-disciplinary care team
Pam has Type 2 diabetes. Pam's GP has explained the benefits of a multidisciplinary care plan for the treatment of complex conditions like diabetes. The GP has also told Pam about the types of providers that may participate, and explained their respective roles. With Pam's agreement, the GP proposes a multidisciplinary care plan including the GP, an endocrinologist, a dietitian, a podiatrist and a diabetes educator (in this case, all working in the private sector). Pam is happy for information about her diabetes to be shared between these providers, and doesn't feel the need to be asked for her consent on each occasion where information is exchanged.
Pam initially visited the GP for a particular symptom of her diabetes (for instance, generally feeling tired and lethargic). While this would be the primary purpose for which the GP collected Pam's information, the treatment of any other symptoms of her condition would be directly related to this primary purpose. Additionally, by discussing the care plan, the GP has effectively established Pam's reasonable expectations regarding which providers will take part in the multidisciplinary care team.
Under the Privacy Act, information necessary to treat Pam's diabetes may now be exchanged between the team members, as these exchanges would be for directly related purposes, and fall within her reasonable expectations. It is not necessary to get Pam's consent to each exchange.
Checking what the patient's expectations are is important. If the patient would not reasonably expect the disclosure, the provider will need to seek consent, unless another NPP 2 exception would permit the disclosure.
(c) Disclosures for other purposes where another exception applies
There are other limited exceptions under NPP 2, which permit a provider to disclose a patient's information without consent, even if the patient would not reasonably expect the disclosure.
This includes where using or disclosing the information would lessen or prevent a serious and imminent threat to any person's life, health or safety. For example, where a life-threatening condition is discovered while a patient is unconscious during a surgical procedure, and consent to use or share this information is not possible.
NPP 2.4 also permits disclosures to a person who is responsible for an individual with a decision-making disability, such as a parent, for treatment reasons or compassionate reasons. More information on NPP 2.4 can be found in Information Sheet 23.
How do I assess whether a patient would 'reasonably expect' a use or disclosure?
Here are some considerations for whether a use or disclosure may be within a patient's reasonable expectations:
- Would a reasonable individual with no special knowledge of the health sector expect their information to be used or disclosed in this way?
- Has the patient been told that their information may be used and disclosed in this way? Did they understand what they were told? For example, the patient could be told by way of NPP 1.3 collection notices (see above), further discussions during consultations, signage or pamphlets.
- Would the patient's own experience with the health sector affect their expectations, whether that experience is considerable or very limited? This could include factors such as age, cultural background and medical history.
These considerations will be discussed in turn.
What might a 'reasonable person' expect?
The usual starting point for assessing a patient's reasonable expectations is what an ordinary individual would expect to happen to their health information in the given circumstances. This is based on general community expectations of how information usually flows within the health system.
Example: Referrals to a specialist
When a GP refers a patient to a specialist, most patients would expect that the specialist would disclose relevant information about the patient back to the GP, unless special circumstances would inhibit this. However, it may be appropriate for the specialist to check this with the patient during consultations.
Example: Admission for an operation
A patient goes into hospital for an operation. Generally, uses or disclosures necessary to carry out the operation (including information sharing with pathologists, radiographers or anaesthetists) are integral to delivering the health service. Further consent is not needed where the individual would reasonably expect the involvement of these sorts of providers in the procedure.
As discussed below, when collecting health information that may be shared with a treating team, providers should explain to the patient how the team-based treatment approach will affect how their information is handled.
What the patient is told will happen to their information (including within treating teams)
The patient's reasonable expectations are closely linked to what the provider tells them about how their health information will be handled, and the patient's reaction and understanding. This includes the mandatory notice given to the patient about likely uses and disclosures under NPP 1.3 (discussed above at 'Giving notice to patients about the reasons for collection').
The multi-disciplinary team approach to healthcare is common in the Australian health system. This approach often calls for health information to be shared within a 'treating team', or on a 'need to know' basis, so it is important that a patient understands how this may apply to their situation.
If a patient's information is likely to be shared within a treating team, the provider should tell the patient that such disclosures may take place. The provider should also tell the patient who is in the treating team (such as a GP, physician, physiotherapist and others), and how much information may be disclosed to particular members of the team. A patient may be sensitive about certain information being shared without their consent even across a treatment team, or with particular members of it.
Neil has recently been diagnosed with prostate cancer. He has discussed the potential health benefits of multidisciplinary care with his GP. While Neil is anxious about his recent diagnosis, he is open to treatment through a multidisciplinary team.
The GP refers Neil to a urologist, who becomes the lead clinician in the multidisciplinary care team based at a private hospital. The urologist assumes responsibility for organising regular care team meetings and documenting clinical plans and discussions.
The urologist explains to Neil what will be involved in his treatment. He explains the roles of the members of the care team, including a medical oncologist, nutritionist, dietitian, psychologist and clinical nursing staff, and that information will need to be shared between these providers to facilitate Neil's care.
Neil is comfortable with information being shared with most members of the team. These disclosures are likely to be within Neil's reasonable expectations. However, he questions whether a dietitian needs to be involved in the care team. The urologist explains the dietitian's role in the team, and how it is important for Neil to maintain a good diet during treatment.
Despite this advice, Neil still appears uncertain about his health information being shared with the dietitian. At this point, the urologist is likely to need Neil's consent, rather than assume that the disclosure would fall within Neil's reasonable expectations.
Neil is given time to think it over. He later calls the urologist back, and gives consent to share his information with the dietitian. Both Neil and the urologist are now confident about using and disclosing Neil's health information in the ways that were outlined.
The urologist documents his discussions with Neil about sharing information within the care team, and that Neil understands who his information will be shared with. The urologist also records that Neil has consented to sharing information with the dietitian.
The members of the care team may now share information to treat Neil's cancer without seeking his further consent.
In circumstances where a range of diagnoses are possible and would lead to a range of potential disclosures to other providers, it may be appropriate to tell the patient this up-front. This will ensure the patient knows when and why their information may be disclosed, and will present an opportunity to discuss these possible disclosures.
The patient's own experience
A patient's own experience and familiarity with the health sector may affect their reasonable expectations in the circumstances. This experience may depend on factors such as age, gender, cultural background, and previous medical treatment.
An individual who has lived with a chronic condition for many years, and demonstrates a strong familiarity with their condition and how it is treated, may be keenly aware of routine information flows within the health sector. With experienced patients, providers should still initially check the patient's level of understanding and discuss what will happen in a given situation, rather than assuming such knowledge exists.
How much information should a provider disclose?
Providers should only disclose information that is necessary in the given circumstances, in line with usual obligations of confidentiality. If the information is particularly sensitive to the patient, they may be especially interested in limiting who else may see it.
For instance, a patient who attends a sexual health clinic may provide their information to be used for specific sexual health purposes, and may not expect their information to be disclosed outside the clinic at all. Generally, a provider would need that patient's consent for any disclosures or other uses, unless another NPP 2 exception applied. An exception could include statutory disease notification requirements that were required or authorised by law.
Dorothy is being treated for breast cancer under an agreed team care arrangement. This involves a range of private sector providers including her GP, an oncologist, psychologist, nursing staff, imaging and pathology staff.
In consultations with the psychologist, Dorothy discusses a number of incidents from her childhood, which are unrelated to her current treatment. Along with other information, these sensitive psychosocial details are placed on Dorothy's general medical file, which several of the other providers are able to see. Dorothy was not told that these details would be placed on her general file.
Later, Dorothy overhears nursing staff discussing the information she had told the psychologist about her childhood. She feels that the sharing of this private information is an interference with her privacy. Dorothy complains to the psychologist about the disclosure.
The disclosure of the psychosocial information to the nursing staff is likely to be a breach of NPP 2. The primary purpose of collection in this instance would be for the psychologist to provide treatment and support for breast cancer. Dorothy's information could be disclosed for a directly related purpose (such as where it was necessary for other providers to treat the patient) only if Dorothy would reasonably expect the disclosure.
Dorothy may have reasonably expected that some of her psychosocial information might be shared with nursing staff, particularly if it were necessary for her immediate care. However, without being better informed, Dorothy would not have reasonably expected that the information about her childhood would be disclosed to nursing staff, as it is unlikely to be necessary for her treatment.
A better outcome
The disclosure could have satisfied NPP 2 if the psychologist had explained with whom that information would be shared (to ensure that Dorothy would have reasonably expected the disclosure). Alternatively, the psychologist could have gained Dorothy's consent to share that information. It would also have been important to consider how much information needed to be shared with other members of the multidisciplinary treating team.
More generally, this situation could have been better handled if Dorothy had been told:
- why the psychologist was collecting information about her mental health;
- what information would be placed on her general medical file;
- what information would be stored separately to maintain greater confidentiality; and
- which other providers (if any) would be able to view the different types of information.
Do shared electronic health records affect when health information can be exchanged within a treating team?
Providers should exercise special care when sharing health information via shared electronic health records. Such records are generally much more widely accessible than paper-based systems, so it may be more difficult to ensure that the handling of health information will stay within the individual's reasonable expectations.
In such cases, it may be better to seek your patient's consent, making sure that they fully understand who may see their record. This would promote a shared understanding of how the patient's health information may be handled.
When is my patient's consent needed to disclose their information?
Gaining a patient's free and informed consent for a disclosure is a common way to lawfully share their information for other purposes. This can be particularly important where a patient would not otherwise expect their information to be disclosed for that purpose.
Consent is likely to be necessary for uses and disclosures such as:
- training and education purposes, where using de-identified information would not be sufficient;
- disclosures to the media that would identify an individual, whether or not they are named; and
- fundraising or direct marketing, for example, raising money by contacting former patients.
Private Sector Information Sheets
Information sheets are advisory only and are not legally binding. The National Privacy Principles in Schedule 3 of the Privacy Act do legally bind organisations.
Information sheets are based on the Office of the Australian Information Commissioner's understanding of how the Privacy Act works. They provide explanations of some of the terms used in the NPPs and good practice or compliance tips. They are intended to help organisations apply the NPPs in ordinary circumstances. Organisations may need to seek separate legal advice on the application of the Privacy Act to their particular situation. Nothing in an information sheet limits the Commissioner's ability to investigate complaints under the Privacy Act or to apply the NPPs in the way that seems most appropriate to the facts of the case being dealt with. Organisations may also wish to consult the Commissioner's guidelines and other information sheets.
Office of the Privacy Commissioner
Enquiries Line: 1300 363 992 - local call (calls from mobile and pay phones may incur higher charges)
TTY: 1800 620 241 - no voice calls
Fax: +61 2 9284 9666
GPO Box 5218, Sydney NSW 2001
Private Sector Information Sheet 25. Web HTML, Word and PDF published March 2008. ISBN 978-1-877079-58-0
© Commonwealth of Australia 2008
Notes
For example, physiotherapists, osteopaths and pharmacists. More information on health service providers covered by the Privacy Act can be found at www.privacy.gov.au/materials/types/guidelines/view/6517#a21.
The terms 'health information' and 'health service' are defined under section 6 of the Privacy Act.
See the Office of the Australian Information Commissioner's Guidelines on Privacy in the Private Health Sector (2001), p. 19.
NPP 2.1(e)(i). This and other exceptions to NPP 2 are listed at http://www.privacy.gov.au/materials/types/infosheets/view/6583#npp2.