Version 1.0, September 2019
Download the print version [150KB]
- You can use and disclose a patient’s health information for the primary purpose for which you collected it.
- You can use and disclose a patient’s health information for another purpose with the patient’s consent.
- Otherwise, you can only use and disclose a patient’s health information for another purpose in certain circumstances.
Using or disclosing health information
You can use or disclose health information about a patient:
- for the primary purpose for which you collected it, or
- for a secondary purpose in certain circumstances.
Using or disclosing for the primary purpose
You can use or disclose health information about your patients for the ‘primary purpose’ for which you collected it. The primary purpose is the specific main activity for which you collected the information.
The context in which you collect health information helps to identify the primary purpose of collection. For example, if a patient provides a GP with his health information during a consultation, the primary purpose of the GP collecting his information is to provide general practice services to diagnose and treat that patient.
The intent behind the use and disclosure requirements is to ensure that you only use and disclose a patient’s health information in ways the patient would expect. Therefore, if the primary purpose of collection is unclear, you should view it narrowly so that your subsequent uses and disclosures are in line with a patient’s expectations.
State or Territory legislation may place additional requirements on providers in those jurisdictions. For example, providers in the ACT who collect a patient’s personal information from another provider for a particular purpose may not be permitted to use or disclose it for a secondary purpose.
Using or disclosing for a secondary purpose
Any purpose other than the primary purpose is a secondary purpose. You can only use or disclose a patient’s health information for a secondary purpose in the circumstances set out below.
You can use or disclose health information for a secondary purpose with the patient’s consent.
Reasonably expected and directly related
You can use or disclose a patient’s health information if:
- the patient would reasonably expect you to use or disclose the information for that purpose, and
- the purpose is directly related to the primary purpose of collection.
A patient’s reasonable expectations are what an ordinary person would expect to happen to the health information in the circumstances. This is based on:
- general community expectations of how information usually flows within the health system
- what you tell your patient about how the health information will be handled (both during discussions and in your privacy notice), and the patient’s reaction to this information.
Example: Referral to a specialist
When a GP refers a patient to a specialist, most patients would expect the GP to disclose personal health information in the referral letter, and would expect the specialist to disclose information arising from the consultation back to the GP.
This general expectation reflects this common information handling practice in the health system. In addition, GPs and specialists usually advise their patient that they will contact the other practitioner in connection with the referral, and these discussions further inform a patient’s reasonable expectation of when you will disclose the health information.
Example: Treating team
A multi-disciplinary team approach to health care is common and usually involves sharing a patient’s health information within a ‘treating team’. It is important that the patient understands when and what information will be shared within a treating team, and who is part of the team. Once you have discussed this with your patient, there will be a reasonable expectation that health information will be disclosed within the treating team (provided the patient has not expressed concerns), and team members will not need to get the patient’s consent to uses and disclosures. If the patient has expressed concern about disclosures to certain team members, then you are likely to need consent to share information with that practitioner.
A directly related secondary purpose is a purpose closely associated with the primary purpose, even if it is not strictly necessary to fulfil that primary purpose. Directly related purposes are likely to include anything to do with the patient’s care or wellbeing.
Activities or processes necessary for the functioning of the health sector may also be directly related purposes (see examples below). Provided these purposes are within a patient’s reasonable expectations, you do not need to take other steps before use or disclosure. In addition, you should only use or disclose the minimum amount of information necessary to achieve the purpose.
Example: Directly related purposes
- Billing or debt recovery (provided this is done consistently with confidentiality obligations).
- Management, funding, complaint-handling, planning, evaluation and accreditation activities, and quality assurance, incident monitoring or clinical audit activities (although you should consider whether de-identified information can achieve these purposes).
- Disclosure to a medical expert (for a medico-legal opinion), insurer, medical defence organisation, or lawyer, for the purpose of addressing liability indemnity arrangements (such as reporting an adverse incident), legal proceedings, or for the provision of legal advice.
- Disclosure to a clinical supervisor by a psychiatrist, psychologist or social worker.
You are audited for quality assurance as part of being ‘vocationally registered’ under Medicare. The auditor examines patient records ‘on the spot’. This could be a disclosure and there is limited opportunity for you to obtain patient consent. While you originally collected the health information for the primary purpose of providing healthcare, the disclosure for the secondary purpose will be permitted if being vocationally registered is considered directly related to providing healthcare, and if the patient would reasonably expect this disclosure.
Required or authorised by law
You can use or disclose health information where the use or disclosure is required or authorised by or under an Australian law or a court/tribunal order.
If the law requires you to use or disclose information, you must do so. Examples include mandatory reporting of child abuse (under care and protection laws) and mandatory notification of certain communicable diseases (under public health laws).
If the law authorises you to use or disclose information, you can decide whether to do so or not — the legal authority exists, but you have discretion as to whether to handle information in that way.
Example: required by law
Under s 23DS of the Health Insurance Act 1973, a radiologist is required to produce records of diagnostic imaging services upon request by Medicare. Given the legislative requirement, a radiologist can disclose records in this situation without breaching the Privacy Act 1988 (Privacy Act).
Example: courts and legal proceedings
If you are served with a subpoena or other court order requiring you to produce documents, you are generally required by law to provide those documents. However, you can challenge court orders in some situations and you may not be required to produce all the documents you hold (such as where you can claim legal professional privilege over a legal advice prepared for you by a lawyer).
If you are concerned or unsure about how to proceed, you could seek advice via the registrar of the issuing court or tribunal, a legal adviser, your professional body or your indemnity insurer.
You can use or disclose health information where it is unreasonable or impracticable to obtain consent to the use or disclosure, and you reasonably believe the use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety.
You must have a reasonable basis for your belief, and you must be able to justify it. The test is what a reasonable person, who is properly informed, would believe in the circumstances.
You cannot avoid obtaining consent just because it would be inconvenient, time-consuming or impose some cost. Whether these factors make it impracticable to obtain consent will depend on whether the burden is excessive in all the circumstances.
A hospital is treating a seriously injured patient. The hospital asks you (the patient’s usual GP) to disclose health information about the patient, which is needed to ensure the hospital can provide safe and effective treatment. Due to the nature and extent of his injuries, the patient is unable to consent to you disclosing the information. However, in this case you can disclose the information because it is reasonable for you to believe the disclosure is necessary to lessen a serious threat to the patient’s life.
Conducting research, or the compilation or analysis of statistics
You may use or disclose a patient’s health information if this is necessary for research, or the compilation or analysis of statistics, relevant to public health or public safety, and a number of other conditions are met. For further information, see Chapter 7.
Preventing a serious threat to the life, health or safety of a genetic relative
You can use or disclose a patient’s genetic information without consent to prevent a serious threat to the life, health or safety of a genetic relative, provided a number of conditions are met. For more information, see Chapter 8.
Disclosure to a responsible person for an individual
Where a patient lacks capacity to consent, or is unable to communicate consent, you may be able to disclose health information to a responsible person for that patient. For more information, see Chapter 9.
For enforcement related activities
You can use or disclose health information where you reasonably believe that the use or disclosure is reasonably necessary for enforcement related activities conducted by, or on behalf of, an enforcement body. If you do so, you must make a written note of the use or disclosure.
Enforcement bodies include Commonwealth, State and Territory bodies that are responsible for policing, criminal investigations, and administering laws to protect public revenue or to impose penalties or sanctions. Enforcement related activities include the prevention, detection, investigation and prosecution or punishment of criminal offences, and intelligence gathering and monitoring activities.
You must have a reasonable basis for your belief that the disclosure is necessary, and you must be able to justify it. A disclosure is reasonably necessary if a reasonable person, who is properly informed, would agree that the disclosure was reasonable in the circumstances.
While the Privacy Act allows disclosure in this situation, it does not require disclosure. Other obligations, such as your duty of confidentiality, may affect whether you can disclose information to enforcement bodies.
Example: Does the enforcement related activities exception apply?
A police officer was investigating a man’s complaint that his neighbour had harassed him and damaged his property in an ongoing dispute. The officer phoned the man’s GP to ask whether he ‘was psychotic’. The GP disclosed that ‘it was possible but further assessment was needed’.
Following this disclosure, the man made a privacy complaint to the Privacy Commissioner and the Commissioner made a determination on the matter.
The Commissioner concluded that, while the police force is an enforcement body, the GP could not rely on the ‘enforcement related activities’ exception and the disclosure therefore breached the Privacy Act. The Commissioner noted:
- there was no evidence that a warrant required the disclosure
- there was no suggestion that the officer’s phone call related to an ‘enforcement related activity’
- the GP had failed to consider the risks associated with disclosing the man’s personal information without his consent, or that the GP had inquired about the purpose of the phone call to establish the severity of the situation.
Other situations where you may use or disclose health information without consent include:
- to take appropriate action in relation to suspected unlawful activity or serious misconduct
- to locate a person reported as missing
- where reasonably necessary for establishing, exercising or defending a legal or equitable claim
- where reasonably necessary for a confidential alternative dispute resolution process.
For more information, see the Australian Privacy Principles (APP) Guidelines, Chapter C: Permitted general situations.
Before you disclose health information to an overseas recipient, you must take reasonable steps to ensure that recipient does not breach the APPs in relation to that information. In addition, where you have disclosed health information to an overseas recipient, you will be accountable for any conduct the recipient engages in which would breach the APPs.
There are exceptions to these requirements. See the APP Guidelines, Chapter 8: APP 8 — Cross-border disclosure of personal information for more information.
You can only use or disclose a patient’s health information for direct marketing if the patient has provided consent. A patient’s health information includes name and contact details.
Direct marketing is directly promoting goods or services to an individual, using personal information.
Government related identifiers
You can only use or disclose a patient’s government related identifier (such as the patient’s Medicare number) in certain circumstances, including where the use or disclosure:
- is reasonably necessary for you to verify the patient’s identity for your activities
- is reasonably necessary for you to fulfil your obligations to an agency or a State or Territory authority
- is required or authorised by or under an Australian law or a court/tribunal order
- in your reasonable belief, is reasonably necessary to lessen or prevent a serious threat to the life, health or safety of an individual, or to public health or safety
- in your reasonable belief, is reasonably necessary for enforcement related activities conducted by, or on behalf of, an enforcement body.
See the APP Guidelines, Chapter 9: APP 9 — Adoption, use or disclosure of government related identifiers for more information.
 More specific requirements apply to the use and disclosure of:
- health information for the purpose of direct marketing
- government-related identifiers that are considered health information
- healthcare identifiers
- health information relating to the My Health Record system.