
Business resource: Collecting, using and disclosing health information for health management activities

This is a draft business resource. The OAIC conducted a public consultation on a suite of new draft health privacy guidance resources for health service providers and consumers in late 2015. Those resources are currently being finalised.


This business resource explains the requirements under the Privacy Act 1988 (Privacy Act) for providers who are collecting, using or disclosing health information for the purposes of managing, funding or monitoring a health service (‘health management activities’). This resource is part of a series that outlines what private sector health service providers need to know about handling their patients’ health information. Some of the key health privacy terms used are explained in Business resource — Key health privacy concepts for health service providers, while other terms are explained in the Australian Privacy Principles Guidelines.

Collecting health information for health management activities without consent

Under Australian Privacy Principle (APP) 3, an organisation generally can collect health information[1] where it is reasonably necessary for its functions or activities, and the individual concerned consents to the collection. However, an organisation may collect health information without consent if an exception applies.

One of the exceptions allows collection where it is necessary for the management, funding or monitoring of a health service (health management activities), and:

  • the particular purpose cannot be served by collecting de-identified information
  • it is impracticable to obtain the individual’s consent, and
  • the collection is either:
    • required by or under an Australian law (other than the Privacy Act)
    • in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation, or
    • in accordance with guidelines issued by the CEO of the National Health and Medical Research Council and approved by the Commissioner under s 95A of the Privacy Act (s 16B(2)).[2]

This exception contains a number of key terms that you should understand before collecting health information relying on this exception.

Health management activities

The term ‘management, funding or monitoring of a health service’ (referred to in this resource as ‘health management activity’) is not defined by the Privacy Act. However, activities that are reasonably necessary for the ordinary running of a health service are likely to be considered a health management activity, including activities that support the community’s expectation that appropriately high standards of quality and safety will be maintained.

Examples of where health information about an individual may be collected for the ‘management, funding or monitoring of a health service’ include collection by:

  • a quality assurance body, of data about the quality of a health service provided by a nursing home or hostel
  • an oversight body, of information from a private hospital about an incident occurring in an individual’s health treatment
  • a health insurer, of information relevant to possible fraud or an incorrect payment.

Sometimes it is difficult to distinguish between a health management activity and a research activity. An activity is less likely to be research if its outcomes are limited in application to the management, funding or monitoring of the specific entity undertaking the activity. If the activity produces an outcome that is more widely applicable to the health sector generally, then it may be a form of research.

If an activity is considered to be medical research, see Business resource — Collecting, using and disclosing health information for research.

Collection must be ‘necessary’

Under this exception, you may only collect health information that is ‘necessary’ for a health management activity. The term ‘necessary’ is applied objectively and in a practical sense; if you cannot effectively carry out the health management activity without collecting health information, then collection would usually be considered necessary. It would not be considered necessary if the collection is merely helpful, desirable or convenient.

De-identified information cannot serve the health management activity purpose

You must consider whether the health management activity purpose can be achieved by collecting de-identified information. For example, to handle patient complaints, staff must obtain the patient’s contact details so that they can follow up and act on their complaint. In this example, de-identified information cannot serve the purpose of the health management activity as staff would not be able to act upon the patient’s complaint.

Personal information is de-identified once the information is no longer about an identifiable individual or an individual who is reasonably identifiable. Generally, de-identification includes two steps:

  • removing personal identifiers, such as name, address, date of birth or other identifying information, and
  • removing or altering other information that may allow an individual to be identified, for example, because of a rare characteristic of the individual, or a combination of unique or remarkable characteristics.

For further information on how to de-identify information, and how to manage and mitigate the risk of re-identification, see Privacy business resource 4: De-identification of data and information.

Impracticable to seek consent

To rely on this exception, it must be impracticable to obtain consent. Whether it is impracticable to seek consent will depend on the circumstances; however, simply incurring expenses or doing extra work will not alone make it impracticable to obtain consent.

Examples of where it may be impracticable to seek consent include:

  • where there are no current contact details for the individual and you have insufficient information to obtain up to date contact details
  • where obtaining the individual’s consent would adversely impact an investigation or monitoring activity.

In the event that an individual has intermittent capacity, it is good practice to inform the individual when they have regained their capacity that you have collected their health information for health management purposes. You should also consider if collection can be held off until the individual regains capacity.

Collection required by law, or in accordance with rules or guidelines

The collection must meet one of the following three criteria:

  • be required by or under an Australian law
  • be in accordance with binding confidentiality rules established by competent health or medical bodies
  • be in accordance with guidelines approved under s 95A.

Collection required by or under an Australian law

Collection is ‘required by or under an Australian law’ if a law compels you to collect the information. You must have a legal obligation to handle information in a particular way and cannot choose to act differently. The obligation will usually be indicated by words such as ‘must’ or ‘shall’, and may be accompanied by a sanction for non-compliance. Being ‘required by or under law’ is distinct from the situation where a law authorises or permits collection but the organisation can choose whether or not to collect the information.

In accordance with binding rules of confidentiality issued by competent health or medical bodies

The rules dealing with obligations of professional confidentiality must be binding on the organisation and they must have been established by a competent health or medical body. The Privacy Act does not specify which bodies qualify as ‘competent health or medical bodies’. Common examples include medical boards and other rule-making bodies recognised in an applicable Australian law. Generally, a binding rule is one that will attract a sanction or adverse consequence if breached.

In accordance with guidelines approved under s 95A

The National Health and Medical Research Council’s Guidelines approved under Section 95A of the Privacy Act 1988 (s 95A Guidelines) have been approved by the Commissioner under s 95A and are legally binding. The s 95A Guidelines provide a framework for human research ethics committees to assess research proposals involving the handling of health information (without the consent of the subject). The framework requires ethics committees to weigh the public interest in research activities against the public interest in the protection of privacy.

Reasonable steps to de-identify the information before disclosure

If you collect health information relying on the exception for health management activities, you must take reasonable steps to de-identify that information before it is subsequently disclosed under APP 6 (see APP 6.4). This requirement only applies to information collected under the specific health management activities exception.

What are reasonable steps to de-identify information will depend on circumstances such as:

  • the possible adverse consequences for an individual if the information is not de-identified before disclosure (and more rigorous steps may be required as the risk of adversity increases)
  • the practicability, including time and cost involved. However, you would not be excused from taking particular steps to de-identify health information by reason only that it would be inconvenient, time-consuming or impose some cost to do so. Whether these factors make it unreasonable to take a particular step will depend on whether the burden is excessive in all the circumstances.

Use and disclosure of health information for health management activities

Once you have collected health information, APP 6 regulates how you may use and disclose that information. Under APP 6, if you collect health information for a particular or ‘primary purpose’, you generally cannot use or disclose that information for a ‘secondary purpose’ unless an exception applies.

Health information collected under the health management activities exception discussed above would generally be collected for the primary purpose of a particular health management activity. APP 6 therefore allows the information to be used for this purpose. However, as explained above, you must take reasonable steps to de-identify the information before disclosing it (APP 6.4).

For health information collected for a different primary purpose, APP 6 does contain a number of exceptions which may allow for the use or disclosure of that information for health management activities.

Consent for use or disclosure of health information

One exception is where you use or disclose personal information for a secondary purpose with a patient’s consent. Consent can be either express or implied. Express consent is given explicitly, either orally or in writing. Implied consent arises where you can infer from the circumstances, and the conduct of the patient, that they are consenting to the use or disclosure of their health information. Further information on ‘consent’ can be found in the APP Guidelines, Chapter B: Key concepts and Business resource — Using and disclosing patient’s health information.

Use and disclosure that is reasonably expected by the individual and directly relates to the primary purpose

Under APP 6.2(a), health information initially collected for the primary purpose of providing healthcare may be used or disclosed for health management activities if that secondary purpose is directly related to the primary purpose of collection, and within the individual’s reasonable expectations. For instance, if health information was collected to diagnose and treat a patient’s condition, you could use this information to prepare and send the patient an invoice for payment as these purposes are directly related and would generally be within a patient’s reasonable expectations.

The health management activity must be ‘directly related’ to the primary purpose

A ‘directly related’ purpose is one which is closely associated with the original purpose for collecting the health information. When considering whether there is a direct relationship between the primary purpose of collection and the health management activity, consider why the information was collected in the first place against what you intend to do with the information. In general, a directly related secondary purpose must be something that arises in the context of the primary purpose and is integral to it.

For example, you collect health information from a patient for the primary purpose of providing healthcare. You are then audited for quality assurance as part of being ‘vocationally registered’ under Medicare. The auditor examines patient records ‘on the spot’ and there is limited opportunity for you to obtain patient consent. As the viewing of records by an external auditor could be a disclosure, you could rely on APP 6.2(a) if being vocationally registered is directly related to providing healthcare.

The patient must ‘reasonably expect’ the health management activity

In addition, the patient must also ‘reasonably expect’ that the use or disclosure of their health information is for a directly related health management activity. What an individual may ‘reasonably expect’ will depend on the circumstances. The test of reasonable expectations is from the perspective of an ordinary individual with no specialist training in the provision of healthcare.

Some examples of reasonable expectations may include the use of health information to send invoices or to conduct incident monitoring. For example, as part of an internal hospital monitoring system, incident reports recording operational problems are sent to an internal management group. Some of these reports contain a patient’s health information. Such a use of health information would generally be considered within a patient’s reasonable expectation, noting that it is good practice to consider whether this information could be provided in an anonymous form.

Other management activities, such as marketing and research, might not be within the reasonable expectations of an individual.

Compliance tip

Creating a clear dialogue between you and the patient about how their information will be handled is good privacy practice and should inform what the reasonable expectations of the patient are. A patient’s reasonable expectations can also be informed by clear privacy policies and notices.

You should also take into account general community expectations for ensuring a high standard of care and how this may influence a patient’s expectations. For instance, accreditation activities may be reasonably expected in order to provide quality healthcare.

When assessing a patient’s expectations, some relevant factors include the sensitivity of the health information, the patient’s previous experiences with you (or another health service provider) and the nature of your practice. It may be reasonably expected that a multi-professional practice may use an individual’s health information between different practitioners when providing healthcare.

Where the use or disclosure is required or authorised by or under law

APP 6.2(b) permits use or disclosure where it is required or authorised by or under an Australian law. Law includes Commonwealth, State and Territory legislation as well as common law. If a law requires that a health service provider use or disclose information, the provider must do so. Disclosure must also occur if there is a court or tribunal order requiring the health service provider to do so.

Legislation may contain provisions which facilitate health management activities such as compliance audits and other monitoring activity. For example, under s 23DS of the Health Insurance Act 1973, a radiologist is required to produce records of diagnostic imaging services if requested to by the Chief Executive of Medicare.

If the law authorises the use or disclosure of information, the health service provider can decide whether to do so. There is no compulsion to use or disclose the information, but if they choose to use or disclose the information, it will not be an interference with privacy under the Privacy Act.

You should take care to disclose only enough information to meet the legal requirement.

Compliance tip

Use and disclosure principles in NSW, Victoria and the ACT health privacy legislation do contain an express exception relating to health management activities. In some cases, additional requirements are contained in statutory guidelines, such as the NSW Statutory guidelines on the management of health services. For further information regarding these additional obligations, please contact your state or territory regulator.

The information provided in this resource is of a general nature. It is not a substitute for legal advice.

[1] The meaning of ‘health information’ is discussed in more detail in the overview resource of this series. Generally, all personal information collected in the course of providing a health service is ‘health information’ under the Privacy Act.

[2] This exception is known as a ‘permitted health situation’ and is contained in APP 3.4(c) and s 16B(2) of the Privacy Act. Permitted health situations are discussed generally in the overview resource of this series.