Skip to main content
Skip to secondary navigation
Australian Government - Office of the Australian Information Commissioner - Home

Business resource: Disclosure of health information and impaired capacity

This is a draft business resource. The OAIC conducted a public consultation on a suite of new draft health privacy guidance resources for health service providers and consumers in late 2015. Those resources are currently being finalised.

docxWord version1.39 MB

This business resource explains the requirements under the Privacy Act 1988 (Privacy Act) when providers are considering disclosing a patient’s health information to relatives and others where the patient is unable to provide their consent. This resource is part of a series that outlines what private sector health service providers need to know about handling their patients’ health information. Some of the key health privacy terms used are explained in Business resource — Key health privacy concepts, while other terms are explained in the Australian Privacy Principles Guidelines.

Can I disclose health information if the patient is unable to provide consent?

Under the Privacy Act, APP 6 regulates how you can use and disclose health information.[1] Under APP 6, if you hold personal information that was collected for a particular purpose (the primary purpose), you cannot disclose that information for another purpose (secondary purpose) unless the patient consents or another exception applies.

One of the exceptions under APP 6 allows you to disclose a patient’s health information to a responsible person for that patient, where the patient lacks the capacity to consent to the disclosure, or is unable to communicate their consent.[2] As a health service provider, this enables you to disclose a patient’s health information and discuss potential treatment plans with people such as the patient’s spouse or guardian, where the patient is unable to provide consent.

In order to be able to disclose health information under this exception, the following conditions apply:

  • your organisation must provide a health service to the patient
  • the patient must be unable to give or communicate their consent
  • you can only disclose the patient’s health information to a ‘responsible person’ for the patient
  • the disclosure must be necessary for the provision of healthcare or made for compassionate reasons
  • the disclosure must be limited to the extent reasonable and necessary for the provision of health or compassionate grounds
  • the disclosure cannot be contrary to the expressed wishes of the individual.

These conditions are considered in further detail below.

Providing a health service to the patient

To rely on this exception, your organisation must provide a health service to the patient whose information you are seeking to disclose. ‘Health service’ is discussed in Business resource: Key health privacy concepts.

Unable to give or communicate consent

To disclose information under this exception, the patient must be incapable of physically or legally giving consent, or of physically communicating their consent.


A patient may be physically or legally incapable of giving consent if they cannot understand the issues relating to the decision to be made, and are unable to form a reasoned judgement. This can occur on either a permanent basis (for example, when a patient has advanced dementia), or a temporary basis (for example, when a patient is unconscious).

Some patients may intermittently lose their capacity to give consent, or their capacity may gradually deteriorate as a result of illness. In such circumstances, it is the responsibility of the treating health service provider to determine if the patient possesses sufficient capacity to indicate consent at the time of disclosure.

It is good practice:

  • where there is an intermittent loss of capacity, to subsequently advise the patient when they have regained their capacity that you disclosed their health information to the responsible person
  • in cases of a gradual loss of capacity, to determine the patient’s wishes for how their health information is disclosed before they lose capacity to express such wishes. 
Example: Do children have the capacity to legally give consent?

The Privacy Act does not specify an age after which individuals can make their own privacy decisions. Generally, an individual under the age of 18 has capacity to consent where they have a sufficient understanding and maturity to understand what is being proposed. This determination will require an assessment on a case by case basis.

If it is unreasonable or impracticable to assess capacity, you may presume that a patient aged under 15 years does not have the capacity to give consent. In these circumstances, you may disclose their health information to a person responsible for the child such as the child’s parent or guardian in the circumstances outlined in this exception.

Unable to communicate consent

The exception also recognises when a patient is physically unable to communicate their consent to the disclosure, despite being able to develop an informed judgement. In these circumstances, you are able to disclose information to a responsible person without needing to form a view as to the individual’s capacity to consent.  An example may be a patient who has a physical condition or disease which impairs their ability to communicate.

Disclosure to a responsible person for the patient

You can only disclose a patient’s health information to a ‘responsible person’ for the patient. The Privacy Act defines a responsible person for an individual to be:

  • a parent
  • a child or sibling (who is at least 18 years old)
  • spouse or de facto partner of the individual
  • an individual’s relative (if the relative is over 18 years old and part of the individual’s household)
  • the individual’s guardian
  • a person exercising an enduring power of attorney granted by the individual that is exercisable in relation to decisions about the individual’s health
  • a person who has an intimate personal relationship with the individual or
  • a person nominated by the individual to be contacted in the case of emergency.

The definition of ‘responsible person’ includes step relationships, in-laws, adopted relationships, foster relationships and half-brothers and sisters.

Determining that disclosure is necessary to provide healthcare or that there are compassionate grounds

The Privacy Act uses the term ‘carer’ to refer to the individual providing the health service for the organisation. This may include a doctor, nurse or pharmacist. The term ‘carer’ should not be confused with the common use of the term as a family member or close friend.

To rely on this exception, the carer must be satisfied that the disclosure of information is ‘necessary’ to provide appropriate care or treatment for the patient. What is ‘necessary’ depends on the circumstances of each case. While the disclosure does not need to be critical for the provision of healthcare, it must be more than just a mere convenience. If a patient’s care cannot continue or is diminished as a result of not disclosing a particular piece of information, then disclosure would be considered necessary for providing appropriate care. It is the carer, rather than the organisation, who must be satisfied, as this helps to ensure an adequate clinical understanding of the circumstances.


You give the medication requirements of a dementia patient (with a temporary or permanent loss of capacity) to a close relative who provides care for the patient. The disclosure is more than a mere convenience as the dementia sufferer is likely to forget to take their medication. In this situation, the disclosure to the responsible person for the patient would be necessary for the provision of appropriate care.

The exception also allows the disclosure of a patient’s health information for compassionate reasons. Examples of disclosures made for compassionate reasons may include telling a patient’s relative about the extent of the patient’s injuries following a car accident, or for a cancer patient who lacks capacity to consent, discussing that patient’s prognosis with a relative.

Limiting the disclosure to the extent reasonable and necessary for care or compassionate reasons

When the carer is satisfied that disclosure is necessary for care or that disclosure is being made for compassionate reasons, the disclosure that is made must be limited to the extent reasonable and necessary for achieving that purpose.

In the example above where the carer is satisfied that disclosure of medication requirements is necessary for appropriate care, this additional requirement means that the extent of that disclosure must be limited to the information that is necessary and reasonable for providing that care. This means the disclosure would likely need to be limited to information about the prescribed medications, including drug names and dosages. It is unlikely to be necessary or reasonable to disclose information about the patient’s previous unrelated medical procedures.

Ensuring the disclosure is not contrary to the expressed wishes of the individual

You must also ensure that your disclosure is not contrary to wishes expressed by the individual before they were unable to give or communicate consent. This requirement applies to wishes of which you are aware, or of which you could reasonably be expected to be aware. A clinician is reasonably expected to know the expressed wishes of their patient if, for instance, it is recorded in the patient’s file. A patient’s expressed wishes do not have to be in writing.


An aged care resident was admitted into a private hospital following a fall. During the course of her treatment, you discover that she has terminal bone cancer. The patient has requested that this information not be disclosed to her family as she does not want to worry them. In these circumstances, disclosure of the bone cancer to the patient’s family member may breach APP 6.

You should be aware that some Australian laws may compel disclosure even if it is against the expressed wishes of the individual. This may include reporting requirements in suspected cases of child abuse, notification of diagnosis of certain notifiable diseases, or from a court order.


A young patient was recently admitted into a private hospital with a suspected drug overdose. In the course of providing treatment, you discover that the patient has Hepatitis C. When the patient regained capacity, he advised you not to tell anyone about his diagnosis. Although the APP 6 exception does not allow you to disclose this information to a responsible person for the patient, you may be required by legislation to notify health authorities of certain notifiable diseases, such as Hepatitis C.

The information provided in this resource is of a general nature. It is not a substitute for legal advice.


[1] The meaning of ‘health information’ is discussed in more detail in the overview resource of this series. Generally, all personal information collected in the course of providing a health service is ‘health information’ under the Privacy Act.

[2] This exception is known as a ‘permitted health situation’ and is contained in APP 6.2(d) and s 16B(5) of the Privacy Act. Permitted health situations are discussed generally in the overview resource of this series.