Australian Government - Office of the Australian Information Commissioner - Home

Business resource: Key health privacy concepts

This is a draft business resource. The OAIC conducted a public consultation on a suite of new draft health privacy guidance resources for health service providers and consumers in late 2015. Those resources are currently being finalised.

This business resource is part of a series that outlines what private sector health service providers need to know about handling their patients’ health information. It explains the key health privacy concepts used throughout the series: ‘health service provider’, ‘health information’, ‘permitted health situation’, and ‘permitted general situation’. Other general key privacy concepts are explained in Chapter B: Key concepts of the Australian Privacy Principles Guidelines.

Health service provider

Under the Privacy Act, a ‘health service provider’ is a private sector organisation that provides a ‘health service’.

‘Health service’ is defined under the Privacy Act to mean (s 6(1)):

  1. an activity performed in relation to an individual that is intended or claimed (expressly or otherwise) by the individual or the person performing it:
    1. to assess, record, maintain or improve the individual’s health; or
    2. to diagnose the individual’s illness or disability; or
    3. to treat the individual’s illness or disability or suspected illness or disability; or
  2. the dispensing on prescription of a drug or medicinal preparation by a pharmacist.

Some examples of health service providers include:

  • general practitioners and medical specialists
  • private hospitals and day procedure centres
  • pharmacists
  • other health and allied health professionals in private practice including psychologists, physiotherapists, dentists, podiatrists, occupational and speech therapists and optometrists
  • private aged care facilities
  • pathology and radiology services
  • complementary medicine practitioners, including herbalists, naturopaths, chiropractors, massage therapists, nutritionists, and traditional Chinese medicine practitioners
  • health services provided in the non-government sector, such as phone counselling services or drug and alcohol services
  • private schools
  • child care centres
  • gyms and weight loss clinics
  • blood and tissue banks
  • assisted fertility and IVF clinics
  • health services provided via the Internet (eg counselling, advice, medicines), telehealth and health mail order companies.

Health information

The Privacy Act classes specific types of personal information, including health information, as ‘sensitive information’. The Privacy Act contains additional protections for sensitive information[1] and a number of additional provisions deal specifically with health information.[2] All personal information collected in the course of providing a health service is considered health information under the Privacy Act.

‘Health information’ under the Privacy Act includes:

  • personal information about the health or disability (at any time) of an individual, their expressed wishes about their future health treatment or health services provided or to be provided to them
  • other personal information collected to provide, or in providing a health service. This includes personal details such as a patient’s name, address, admission and discharge dates, billing information and Medicare number
  • information relating to physical or biological samples, where it can be linked to a patient (for example if they are labelled with the patient’s name or other identifier)
  • other personal information collected in connection with an individual’s donation of their organs or tissues
  • genetic information about an individual in a form that is, or could be, predictive of the health of that individual or a genetic relative.

Health information could include information held in any form, including paper, electronic and visual information. Examples include:

  • information about an individual’s physical or mental health
  • notes of an individual’s symptoms or diagnosis and the treatment given
  • specialist reports and test results
  • appointment and billing details
  • prescriptions and other pharmaceutical purchases
  • dental records
  • records held by a fitness club about an individual
  • an individual’s healthcare identifier when it is collected to provide a health service
  • any other personal information (such as information about an individual’s date of birth, gender, race, sexuality, religion), collected for the purpose of providing a health service.

Permitted health situations and permitted general situations

There are exceptions to the information handling requirements imposed by the APPs dealing with collection and use and disclosure (APP 3 and APP 6) if a ‘permitted general situation’ or a ‘permitted health situation’ exists. A number of these exceptions are dealt with in more detail in this series for health service providers.

The ‘permitted health situations’ exceptions apply to the collection, use or disclosure of health information or genetic information by an organisation. The five permitted health situations are:

There are seven permitted general situations. The permitted general situation most relevant to health service providers arises where it is unreasonable or impracticable to obtain the individual’s consent to the collection, use or disclosure of their health information, and you reasonably believe it is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety (see Collecting patients’ health information and Using and disclosing patients’ health information).

The information provided in this resource is of a general nature. It is not a substitute for legal advice.


[1] This includes APP 3 (collection of personal information), APP 6 (use and disclosure of personal information) and APP 7 (direct marketing).

[2] This includes the ‘permitted health situations’ under s 16B.