Health service providers
Under the Privacy Act a 'health service' includes any activity that involves:
- assessing, recording, maintaining or improving a person's health; or
- diagnosing or treating a person's illness or disability; or
- dispensing a prescription drug or medicinal preparation by a pharmacist.
Examples of organisations providing a health service include:
- traditional health service providers, such as private hospitals, day surgeries, medical practitioners, pharmacists and allied health professionals
- complementary therapists, such as naturopaths and chiropractors
- gyms and weight loss clinics
- child care centres and private schools.
The Privacy Act regulates how these organisations collect and handle personal information, including health information. It also includes provisions that generally allow an individual to access information held about them. The Office of the Australian Information Commissioner (OAIC) also regulates the handling of health information held in an individual’s personally controlled electronic health record, and the handling of healthcare identifiers.
The OAIC has developed privacy fact sheets and business resources to help individuals and organisations providing a health service understand their rights and responsibilities. Further information about health and medical research is also available on the FAQs for individuals — Health and FAQs for health service providers.
Health and medical research
In certain circumstances, the Privacy Act permits the handling of health information and personal information for health and medical research purposes, where it is impracticable for researchers to obtain individuals' consent. This recognises:
- the need to protect health information from unexpected uses beyond individual healthcare
- the important role of health and medical research in advancing public health.
To promote these ends, the Privacy Commissioner has approved two sets of legally binding guidelines, issued by the National Health and Medical Research Council (NHMRC). Researchers must follow these guidelines when handling health information for research purposes without individuals' consent. The guidelines also assist Human Research Ethics Committees (HRECs) in deciding whether to approve research applications. The guidelines are produced under sections 95 and 95A of the Privacy Act. The guidelines are:
- Guidelines under Section 95 of the Privacy Act 1988, which set out procedures that HRECs and researchers must follow when personal information is disclosed from a Commonwealth agency for medical research purposes.
- Guidelines under Section 95A of the Privacy Act 1988, which provide a framework for HRECs to assess proposals to handle health information held by organisations for health research (without individuals' consent). They ensure that the public interest in the research activities substantially outweighs the public interest in the protection of privacy.
Privacy business resource 19: Collecting, using and disclosing health information for research contains further information about the requirements under the Privacy Act when handling health information for health research purposes.
Using and disclosing genetic information
The Privacy Act does not prevent a health service provider using or disclosing a patient's genetic information, if the patient has given informed consent.
Where a health service provider has not been able to obtain consent from the patient, the Privacy Act allows the use and disclosure of genetic information where:
- the health service provider obtained the genetic information in the course of providing a health service to the patient
- the health service provider reasonably believes that there is a serious threat to the life, health or safety of a genetic relative of the patient
- the use or disclosure to the genetic relative is necessary to lessen or prevent that threat
- the health service provider has complied with the Guidelines issued under section 95AA of the Privacy Act
- in the case of disclosure, the recipient of the information is a genetic relative of the patient.
Privacy business resource 20: Using and disclosing genetic information to lessen or prevent a serious threat to the life, health or safety of genetic relatives contains further information about the requirements under the Privacy Act when handling genetic information.