Australian Government - Office of the Australian Information Commissioner

Business resource: Using and disclosing patients’ health information

This is a draft business resource. The OAIC conducted a public consultation on a suite of new draft health privacy guidance resources for health service providers and consumers in late 2015. Those resources are currently being finalised.


This business resource explains the requirements under Australian Privacy Principle (APP) 6 in the Privacy Act 1988 (Cth) (Privacy Act) when using and disclosing patients’ health information.[1] These requirements include only using and disclosing health information for the primary purpose of collection, unless an exception applies. This resource is part of a series that outlines what private sector health service providers need to know about handling their patients’ health information. Some of the key health privacy terms used are explained in Business resource — Key health privacy concepts, while other terms are explained in the Australian Privacy Principles Guidelines.

Meaning of ‘use’ and ‘disclosure’

APP 6 outlines when you may use or disclose your patients’ health information. The terms ‘use’ and ‘disclosure’ are not defined in the Privacy Act.

Generally, a use of health information occurs where you handle or undertake an activity with the information that you hold. Examples of using health information may include:

  • accessing and reading a patient’s medical file
  • searching electronic records for a patient’s health information
  • making a treatment decision based on a patient’s health information
  • passing the information from one part of your organisation to another.

A disclosure occurs where you make health information accessible to others outside your organisation and the subsequent handling of that information is released from your effective control. Examples of disclosing health information may include:

  • sharing health information with another health service provider or individual
  • providing health information to an unintended recipient
  • providing a patient’s health information during a conversation with a person outside your organisation
  • displaying a computer screen so that health information can be read by someone else, for example, at a reception counter or in an office.

APP 6 does not apply to the use or disclosure of health information for the purpose of direct marketing (see APP 7), or government related identifiers (see APP 9).

Using and disclosing your patients’ health information

You can use or disclose health information about your patients for the ‘primary purpose’ for which the information was collected. The primary purpose is the main or dominant reason you collect health information. How broadly a purpose can be described will depend on the circumstances and should be determined on a case-by-case basis. For example, a general practice’s primary purpose in collecting health information may be to provide general practice services to diagnose and treat a patient. In cases of ambiguity, and with a view to protecting individual privacy, the primary purpose of collection should be construed narrowly rather than expansively.

You can also use and disclose your patient’s information for a secondary purpose where an exception applies. These exceptions are outlined below. 

Compliance tips

State or Territory legislation may place additional requirements on providers in those jurisdictions. For example, providers in the ACT who collect a patient’s personal information from another provider for a particular purpose may not be permitted to use or disclose it for a secondary purpose.

Contact the NSW Information and Privacy Commission, Office of the Health Services Commissioner Victoria, or ACT Health Services Commissioner to find out more about any additional requirements.

Reasonably expected by the patient and directly related to the primary purpose

APP 6 allows you to use or disclose health information for a secondary purpose if:

  • the patient would reasonably expect you to use or disclose the information for that purpose, and
  • the secondary purpose is directly related to the primary purpose of collection.[2]

Reasonable expectations

When assessing a patient’s reasonable expectations, you need to consider what an ordinary person would expect to happen to their health information in the given circumstances. This is based on general community expectations of how information usually flows within the health system.

The patient’s reasonable expectations are closely linked to what the provider tells them about how their health information will be handled, and the patient’s reaction and understanding.

In addition to discussing with a patient how their health information will be used and disclosed, a patient’s reasonable expectations can also be informed by your APP 5 privacy notice. APP 5 requires health service providers to tell patients about certain matters when they first collect health information. These matters include why the information is being collected, how it may be used and to whom it may be disclosed. Business resource: Collecting patients’ health information contains more information about APP 5.  

Example: Referrals to a specialist

When a general practitioner (GP) refers a patient to a specialist, most patients would reasonably expect that the specialist would disclose relevant information about the patient back to the GP.

Directly related purpose

A directly related secondary purpose is one which is closely associated with the primary purpose, even if it is not strictly necessary to achieve that primary purpose. This requirement for a direct relationship recognises that the use and disclosure of health information can have serious ramifications for the individual or their associates, including humiliation, embarrassment or loss of dignity. In healthcare, directly related purposes are likely to include anything to do with the patient’s care or wellbeing.

Other directly related purposes include many activities or processes necessary for the functioning of the health sector. Provided these purposes fall within the individual’s reasonable expectations, no additional steps need be taken before using or disclosing the information in this way. These purposes may include:

  • billing or debt recovery (with care, discretion and consistent with confidentiality)
  • a provider’s management, funding, complaint-handling, planning, evaluation and accreditation activities (for example, activities to assess the cost effectiveness of a particular treatment or service), an organisation’s quality assurance or clinical audit activities, where they evaluate and seek to improve the delivery of a particular treatment or service[3]
  • disclosure to a medical expert (only for medico-legal opinion), an insurer, a medical defence organisation, or a lawyer, solely for the purpose of addressing liability indemnity arrangements (such as reporting an adverse incident), or for the defence of anticipated or existing legal proceedings
  • disclosure to a clinical supervisor by a psychiatrist, psychologist or social worker.

Sharing information with other health service providers without consent

The multi-disciplinary team approach to health care is common in the Australian health system. This approach often calls for health information to be shared within a ‘treating team’, or on a ‘need to know basis’, so it is important that a patient understands how this may apply to their situation.

If a patient’s information is likely to be shared within a treating team, you should tell the patient that such disclosures may take place. You should also tell the patient who is in the treating team (such as a GP, physician, physiotherapist and others), and how much information may be disclosed to particular members of the team. A patient may be sensitive about certain information being shared without their consent even across a treatment team, or with particular members of it.

While information can be shared with consent (see below), consent will generally not be required where effective communication has established a clear, shared understanding between the provider and the patient about the likely uses and disclosures that may occur as part of their treatment. The open discussion that usually occurs during consultations will often achieve this shared understanding.

The Privacy Act is not intended to impose unnecessary administrative burdens on providers, or to inconvenience patients, by requiring consent every time health information is appropriately shared with another provider, or otherwise handled in the delivery of healthcare. At the same time, the Privacy Act seeks to ensure that individuals retain appropriate control over how their information is handled, including ensuring that it is not handled in ways that an individual would not expect.

Example: Multi-disciplinary care team

Pam has Type 2 diabetes. Pam’s GP has explained the benefits of a multidisciplinary care plan for the treatment of complex conditions like diabetes. The GP has also told Pam about the types of providers that may participate, and explained their respective roles. With Pam’s agreement, the GP proposes a multidisciplinary care plan including the GP, an endocrinologist, a dietician, a podiatrist and a diabetes educator (in this case, all private sector providers).

Pam initially visited the GP for a particular symptom of her diabetes (for instance, generally feeling tired and lethargic). While treatment of these symptoms would be the primary purpose for which the GP collected Pam’s information, the treatment of any other symptoms of her condition would be directly related to this primary purpose. Additionally, by discussing the care plan, the GP has effectively established Pam’s reasonable expectations as to which providers will take part in the multidisciplinary care team.

Under the Privacy Act, information necessary to treat Pam’s diabetes may now be exchanged between the team members, as these exchanges would be for directly related purposes, and fall within her reasonable expectations.

Using or disclosing health information with consent

You may use or disclose health information for a secondary purpose with the patient’s consent (APP 6.1(a)).

Consent can be either express or implied. Express consent is given explicitly, either orally or in writing. Implied consent arises where you can infer from the circumstances, and the conduct of the patient, that they are consenting to the use or disclosure of their health information.

The four key elements of consent are:

  • the individual is adequately informed before giving consent
  • the individual gives consent voluntarily
  • the consent is current and specific
  • the individual has the capacity to understand and communicate their consent.

Consent in this context refers to a patient’s decision about how their health information is used and disclosed. It does not cover consent to receive treatment. In practice, consent to the handling of health information and consent to treatment often occur at the same time, but they are distinct authorisations given by the individual for different things: to provide treatment, and to handle health information in particular ways.

For more detailed discussion of ‘consent’, see the APP Guidelines, Chapter B: Key concepts.

Laws requiring or authorising use or disclosure

You may use or disclose health information for a secondary purpose if the use or disclosure is required or authorised by or under an Australian law or a court/tribunal order. ‘Law’ includes federal, state and territory legislation, and the common law.

If the law requires you to use or disclose information, you must do so. Examples of such requirements include the mandatory reporting of child abuse (under care and protection laws) or the mandatory notification of certain communicable diseases (under public health laws).

If the law authorises the use or disclosure of information, you can decide whether to do so or not – the legal authority exists, but you have discretion as to whether to handle the information in that way.

This exception is discussed in further detail in the APP Guidelines Chapter B: Key concepts.

Courts and legal proceedings

At times, you may be called to disclose health information to courts or tribunals. If served with a subpoena or other court order requiring the production of documents, you are generally required by law to provide the documents identified in the order. However, court orders may be challenged and may not require production of all documents held by you (such as those for which you may be able to claim legal professional privilege). If you are concerned about the information required to be produced to the court or tribunal, or you are unsure how to proceed, you could seek advice via the registrar of the court or tribunal which issued the order, a legal adviser or your professional body.

Lessening or preventing a serious threat to life, health or public safety

You may use or disclose health information for a secondary purpose where:

  • it is unreasonable or impracticable to obtain the patient’s consent to the use or disclosure, and
  • you reasonably believe that the use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety.[4]

Reasonable belief

In addition to it being unreasonable or impracticable to obtain consent, you must reasonably believe that using or disclosing the information is necessary to lessen or prevent a serious threat. There must be a reasonable basis for your belief, not merely a genuine or subjective belief. You must be able to justify your reasonable belief.

Health service providers are not excused from obtaining consent by reason only that it would be inconvenient, time-consuming or impose some cost to do so. Whether these factors make it impracticable to obtain consent will depend on whether the burden is excessive in all the circumstances.

Serious threat

A ‘serious’ threat must reflect significant danger, and could include a potentially life threatening situation or one that might reasonably result in other serious injury or illness to any individual, whether it be the patient concerned or a third party. A serious threat to public health or safety relates to broader safety concerns affecting a number of people. This could include the potential spread of a communicable disease, harm caused by an environmental disaster or harm to a group of people due to a serious, but unspecified, threat.

Example

Where an individual is seriously injured while interstate and, due to their injuries, cannot give consent, the individual’s usual health service provider can disclose the individual’s health information to the treating health service provider where the usual provider reasonably believes that disclosure of the information is necessary to lessen the serious threat to the individual’s life posed by those injuries.

Conducting research, or the compilation or analysis of statistics

You may use or disclose health information about an individual if the use or disclosure is necessary for research, or the compilation or analysis of statistics, relevant to public health or public safety, and a number of other conditions are met.[5] For further information, see Business resource: Collecting, using and disclosing health information for health research.

Preventing a serious threat to the life, health or safety of a genetic relative

The Privacy Act allows you to use or disclose a patient’s genetic information without their consent to prevent a serious threat to the life, health or safety of a genetic relative, provided a number of conditions are met.[6] For more information, see Business resource: Using and disclosing genetic information to lessen or prevent a serious threat to the life, health or safety of genetic relatives.

Disclosure to a responsible person for an individual

Where a patient lacks capacity to consent, or is unable to communicate consent, you may be able to disclose their health information to a responsible person for that patient.[7] For more information, see Business resource: Disclosure of health information and impaired capacity.

Using or disclosing health information for an enforcement related activity

You may use or disclose health information for a secondary purpose where you reasonably believe that the use or disclosure is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body. If you do so, you must make a written note of the use or disclosure.

‘Enforcement body’ is defined in s 6(1) of the Privacy Act and includes Commonwealth, State and Territory bodies that are responsible for policing, criminal investigations, and administering laws to protect the public revenue or to impose penalties or sanctions. Enforcement related activities include the prevention, detection, investigation and prosecution or punishment of criminal offences and intelligence gathering activities.[8]

When considering a request from an enforcement body, the importance of maintaining the patient’s confidentiality must be balanced against the public interest in the investigation and enforcement of the criminal law. Police and other enforcement bodies generally rely on voluntary cooperation to obtain information, so where this exception applies (rather than a law or court order requiring disclosure) the decision whether to disclose, and how much to disclose, remains yours.

For more information, see the APP Guidelines, Chapter 6: Use or disclosure of personal information.

Other exceptions

The Privacy Act contains a number of other exceptions where you may use or disclose health information for a secondary purpose. These include:

  • to take appropriate action in relation to suspected unlawful activity or serious misconduct
  • to locate a person reported as missing
  • where it is reasonably necessary for establishing, exercising or defending a legal or equitable claim
  • where it is reasonably necessary for a confidential alternative dispute resolution process.

For more information about these exceptions, see the APP Guidelines, Chapter C: Permitted general situations.

De-identifying certain health information before disclosure

Where certain conditions are met, the Privacy Act allows the collection of health information for research relevant to public health or safety, the compilation or analysis of statistics relevant to public health or public safety, or the management, funding or monitoring of a health service.

Before disclosing information collected in these circumstances, APP 6.4 requires the disclosing entity to take reasonable steps to ensure that the information is de-identified. For more information, see Business resource — Collecting, using and disclosing health information for research and Business resource — Collecting, using and disclosing health information for health management activities.

The information provided in this resource is of a general nature. It is not a substitute for legal advice.

Footnotes

[1] For further information about your obligations see the APP guidelines, Chapter 6: APP 6 — Use or disclosure of personal information

[2] For non-sensitive personal information, this exception only requires the secondary purpose to be ‘related’ to the primary purpose.

[3] See Business resource: Collecting, using and disclosing health information for health management activities for further detail.

[4] This exception is known as a ‘permitted general situation’ and is contained in APP 6.2(c) and s 16A of the Privacy Act. More information on this exception is contained in the APP Guidelines, Chapter C: Permitted general situations.

[5] This exception is known as a ‘permitted health situation’ and is contained in APP 6.2(d) and s 16B(3) of the Privacy Act. Permitted health situations are discussed generally in the overview resource of this series.

[6] This exception is known as a ‘permitted health situation’ and is contained in APP 6.2(d) and s 16B(4) of the Privacy Act.

[7] This exception is known as a ‘permitted health situation’ and is contained in APP 6.2(d) and s 16B(5) of the Privacy Act.

[8] ‘Enforcement related activities’ (see Privacy Act s 6(1)) is discussed in Chapter B (Key concepts) of the APP Guidelines.