Version 1.0, September 2019
- With your patients’ consent, you can collect their health information when it is reasonably necessary for your activities.
- You must only collect health information by lawful and fair means, and generally only directly from the patient.
- You must take reasonable steps to notify the patient of certain matters when you collect health information.
Collecting health information
You can collect health information about a patient if:
- the patient consents (expressly or impliedly) to you collecting it, and
- the information is reasonably necessary for your activities (which would generally be providing a health service to that patient).
Example: Implied consent to collection
During a consultation, a patient describes his symptoms and provides you with his medical history. You add this information to the patient’s record on your system. From the patient’s conduct in this situation, you can imply the patient’s consent to you collecting his health information.
How should you collect health information?
Directly from the patient
You must only collect health information about a patient directly from the patient, unless it is not reasonable or practical to do so.
Whether collecting directly from the patient is reasonable and practicable depends on a number of factors, including the nature of the information and accepted practice in the health sector.
Examples of where collecting health information directly from a patient may not be reasonable or practical include:
- in an emergency you may need to collect the patient’s background health information from relatives
- where a patient is a child, or an adult who lacks capacity, you may need to collect the information from parents, guardians or relatives, or
- where a pathologist collects a specimen and related information from a referring provider.
By lawful and fair means
You must only collect health information by lawful and fair means.
‘Lawful’ collection is a collection that does not breach any State, Territory or Commonwealth law.
‘Fair means’ is collecting without intimidation or deception, and in a way that is not unreasonably intrusive.
Example: Unlawful collection
Under the Telecommunications (Interception) Act 1979 (Cth) and State and Territory listening devices laws, it is illegal to record a telephone consultation without informing the patient the call is being recorded. Collection via this method would therefore not be by lawful means. If a call is to be recorded or monitored, you must inform the individual at the beginning of the conversation so that the individual has a chance to end the call or ask not to be recorded.
Example: Intrusive collection
Patients may be concerned or embarrassed about discussing health issues in an open or public area such as a waiting room or open pharmacy. When collecting health information, you should consider the surroundings and take additional steps where required to make the patient more comfortable. For example, you might lower your voice so only the patient can hear what you are saying, take the patient to one side, or use a private room.
Notifying patients of collection (privacy notices)
When you collect a patient’s health information, you must take reasonable steps to notify the patient of certain matters. Providing this notice ensures the patient understands why the information is being collected and how it will be handled.
When should you provide notice?
Generally, you should give this notice before or at the time of collection. This allows a patient to make an informed choice about whether to provide the health information.
If that is not practicable, you should give notice as soon as practicable afterwards. For example, in a medical emergency, there is unlikely to be time to provide notice or the individual may not be in a fit state to comprehend the information. In this case, you should notify the patient of the matters as soon as practical after you provide the health service.
What must you include in a privacy notice?
The matters to include in your privacy notice are:
- your organisation’s identity and contact details
- if the patient may not be aware of the collection (including where the information is collected from a third party), the fact that you collect the information and the circumstances of collection
- whether the collection is required or authorised by law
- the purposes of collection
- any consequences for the patient if the health information is not collected
- your usual disclosures of the health information you collect
- how patients can access and correct the health information you hold about them
- how patients can make a complaint about how you handle their health information, and details of how you will deal with a complaint
- whether you are likely to disclose health information overseas (and if so, where).
As part of notifying patients about your usual disclosures of their health information, it is a good idea to ensure patients are aware of which members of a ‘treating team’ you will disclose their health information to. This may be a requirement for providers practising in the ACT — contact the ACT Health Services Commissioner to find out more about this requirement.
How do you provide notice?
You are required to take reasonable steps to notify the patient of these matters. What steps are reasonable depends on the circumstances.
Some of the matters may be obvious (such as the identity and contact details of the practice when a patient attends their GP) in which case it may be reasonable to take no steps to notify the patient of those matters. In addition, unless there is a change in information handling practices, you will only need to notify a patient of these matters on the first visit, and it is reasonable to take no notification steps when you collect information on subsequent visits.
Example: Privacy notices
Examples of ways in which you might choose to provide a privacy notice include:
- Prominently displaying a brief notice at the check-in counter covering key information, and giving the individual more detailed notice in a leaflet.
- Including a privacy notice on a paper or online form used to collect patients’ health information.
- Discussing the information orally during a consultation with a patient. To ensure all relevant matters are covered, it would be useful to also provide the patient with a written notice in this situation.
For more information, see the APP Guidelines, Chapter 5: APP 5 — Notification of the collection of personal information.
Collecting health information without consent
While you generally need consent to collect a patient’s health information, you may collect it without consentin the situations set out below.
Required or authorised by law
You may collect health information without consent where the collection is ’required or authorised by or under an Australian law or a court/tribunal order’.
Example: Law requiring collection
Under State and Territory public health legislation, health service providers are required to record information about individuals with certain diseases and notify the relevant health authority.
For example, under the NSW Public Health Act 2010, doctors, hospitals and pathology laboratories are required to record information about patients with certain medical conditions, such as AIDS, malaria, measles, tetanus and typhoid, and notify the NSW Department of Health. To meet your legislative obligations, you can collect relevant health information without the patient’s consent.
You may collect health information without consent where it is unreasonable or impracticable to obtain consent to the collection, and you reasonably believe the collection is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety.
You must have a reasonable basis for your belief that there is a serious threat, and you must be able to justify it. The test is what a reasonable person, who is properly informed, would believe in the circumstances.
You cannot avoid obtaining consent just because it would be inconvenient, time-consuming or impose some cost. Whether these factors make it impracticable to obtain consent will depend on whether the burden is excessive in all the circumstances.
Example: Necessary to lessen a serious threat to an unconscious patient
A patient is in hospital and unconscious as a result of a stroke and the hospital needs further information from his GP to determine how best to treat him. Given the patient’s condition, it is not practical to obtain his consent to the collection. Further, the hospital reasonably believes that the collection of this information from the GP is necessary to lessen the serious threat to the patient’s health. In this situation, the hospital can collect health information without the patient’s consent.
Providing a health service
You may collect health information without consent where the information is necessary to provide a health service to a patient, and either:
- the collection is required or authorised by or under an Australian law, or
- it is collected in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which are binding on you.
You can collect health information from a patient about another individual, without that individual’s consent, where:
- it is part of the patient’s family, social or medical history, and
- that history is necessary to provide a health service to the patient.
Examples of information that are part of a patient’s family, social or medical history include:
- aspects of the medical history of the patient’s family members, such as inheritable conditions
- information about non-family members, such as a household member with a contagious illness
- information about the health of a primary carer of a disabled patient, where the patient advises that the carer is struggling with some aspects of the patient’s care due to severe arthritis
- a drug rehabilitation service collecting information about the mental health of a patient’s partner.
You should limit the information you collect to that which is necessary to provide the health service to the patient. Information is ‘necessary’ to provide a health service if you cannot effectively provide the health service without collecting it.
Conducting research; compiling or analysing statistics; management, funding or monitoring of a health service
You may collect health information about an individual if:
- the collection is necessary for research or statistical activities relevant to public health or public safety, or for the management, funding or monitoring of a health service, and
- certain other criteria are met.
If you collect health information in these circumstances and subsequently want to disclose that information, you must take reasonable steps to de-identify the information before disclosing it.
For more information, see Chapter 9.
Other situations where you may collect health information without consent include:
- taking appropriate action in relation to suspected unlawful activity or serious misconduct
- locating a person reported as missing
- where it is reasonably necessary for establishing, exercising or defending a legal or equitable claim, or for a confidential alternative dispute resolution process.
For more information, see the APP Guidelines Chapter C: Permitted general situations.
Anonymity and pseudonymity
The Privacy Act 1988 (Privacy Act) requires you to consider whether it is practical to give patients the option of not identifying themselves, or using a pseudonym, when dealing with you. A patient may prefer to deal anonymously or pseudonymously with a health service provider for various reasons. For example, a patient may wish to access counselling or other services without this information being linked to her identity and potentially becoming known to others.
However, you do not have to deal with patients anonymously or pseudonymously where:
- you are required or authorised under an Australian law, or a court/tribunal order, to deal with individuals who have identified themselves, or
- it is not practical for you to deal with unidentified individuals or those using a pseudonym.
There may also be consequences for patients if they do not identify themselves, such as for their ongoing healthcare and their ability to claim a Medicare or health fund rebate.
See the APP Guidelines, Chapter 2: APP 2 — Anonymity and pseudonymity for more information.
Unsolicited health information
Unsolicited health information is information that you come across by accident, or receive but have not requested.
If you receive unsolicited health information you should, within a reasonable period of time, determine whether the Privacy Act would have allowed you to collect the information. As outlined above, you generally would have needed the patient’s consent to collect the health information, unless an exception applies. If you could have collected the information, then you must comply with the Privacy Act when handling it.
If you could not have collected the information, then you must destroy or de-identify the health information as soon as practicable if it is lawful and reasonable to do so.
For further information, see the APP Guidelines, Chapter 4: APP 4 — Dealing with unsolicited personal information.
Example: Collecting unsolicited information to lessen a serious threat
The son of an elderly patient sends you an email expressing his concern that your patient is unfit to drive. The son suggests that your patient has caused a number of recent near car accidents. The son claims his Dad is determined to keep driving, and the son says he is worried his Dad may injure himself and others. He provides details of these incidents and there appears to be cause for concern, particularly given the patient’s recent medical history. Having received this unsolicited information, you need to consider whether you could have collected this information under the Privacy Act. In this case, you may be able to conclude that you could have collected this information because you reasonably believe the collection is necessary to enable you to take steps to lessen or prevent a serious threat to the health or safety of your patient and other individuals.
 Note that under the My Health Records Act 2012 more specific requirements apply to the collection of health information relating to the My Health Record system. Similarly, the Healthcare Identifiers Act 2010 has particular requirements for the collection of healthcare identifiers.