Handling health information

Last updated: 8 August 2019

On this page

  • When a health service provider can collect your health information
  • What they should tell you when they collect it
  • When they’re allowed to disclose it and when they’re not

A health service provider needs to handle your health information to carry out their work. But Australian privacy law has strict rules about how they collect it, and what they must tell you.

When can a health service provider collect your health information?

Usually, a health service provider may only collect your health information if you consent to it. You may give express consent (for example, by signing a consent form) or you may give implied consent (for example, when your doctor takes notes during an appointment and you don’t specifically ask them not to). Most of the time you will give your health information to a health service provider directly.

There are times, however, when a health care provider doesn’t need your consent for them to collect your health information. Such as when:

  • it’s required by law
  • the information is necessary to provide a health service and the health service provider is following rules set by a competent health or medical body (such as a medical board)
  • it’s necessary to prevent a serious threat to life, health or safety and it’s not practical to get your consent (for example, if there’s an emergency and you’re unconscious, then a family member or your doctor can give them your health information)

What you should be told when your health information is collected

When your health service provider collects your health information, they should make sure you understand why they are collecting it, how they will store and protect it, and if there are other parties they may disclose it to. They can tell you this verbally or in writing – it’s often included on forms you fill out.

A health service provider must also have a privacy policy that tells you how they handle health information. You can ask for your health service provider’s privacy policy at any time.

When a health service provider can disclose your health information

A health service provider can disclose your health information to others in certain situations, such as:

  • for the same purpose they collected it from you
  • if it’s directly related to a purpose that you would reasonably expect
  • if it’s required by law
  • if it’s necessary to prevent a serious threat to life, health or safety and it’s not practical to get your consent, or
  • if you agree to it

Direct marketing

Health information can’t be used for direct marketing unless you’ve specifically agreed to it. If you agree initially, you can later ask not to receive any further marketing material.

If you’re not happy how a health service provider handled your health information, you can lodge a complaint with us

Was this page helpful?

Thank you.

If you would like to provide more feedback, please email us at websitefeedback@oaic.gov.au