Version 1.0, September 2019

Download the print version [116.8KB]

Key points

  • Provided certain requirements are met, you can collect health information where it is necessary for health management activities.
  • You can use or disclose health information for health management activities in accordance with the usual use and disclosure principles.

‘Health management activities’

The Privacy Act 1988 refers to ‘the management, funding or monitoring of a health service’ (referred to in this guide as ‘health management activities’).

‘Health management activities’ are likely to include activities that are reasonably necessary for the ordinary running of a health service. This includes activities that support the community’s expectation that appropriately high standards of quality andsafety will be maintained.

Examples of health management activities include where:

  • a quality assurance body collects data about the quality of a nursing home health service
  • an oversight body collects information from a private hospital about an incident that occurred during a patient’s treatment
  • a health insurer collects information relevant to possible fraud or an incorrect payment
  • a health clinic reports to an accreditation body on the prevalence of patients who have had adverse drug reactions in the last two years.

Sometimes it is difficult to distinguish between a health management activity and a research activity. An activity is less likely to be research if its outcomes are limited in application to the management, funding or monitoring of the specific entity undertaking the activity. If the activity produces an outcome that is more widely applicable to the health sector, then it may be research.

While you normally need a patient’s consent to collect health information, you can collect health information without consent where it is necessary for health management activities, and:

  • the particular purpose cannot be served by collecting de-identified information
  • it is impracticable to obtain the individual’s consent, and
  • the collection is either:
    • required by or under an Australian law (other than the Privacy Act)
    • in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation, or
    • in accordance with guidelines issued by the CEO of the National Health and Medical Research Council and approved by the Commissioner under s 95A of the Privacy Act.


You may only collect health information that is ‘necessary’ for a health management activity. The term ‘necessary’ is applied objectively and in a practical sense. Collection is usually considered necessary if you cannot effectively carry out the health management activity without collecting the information. Collection is not necessary if it is merely helpful, desirable or convenient.

De-identified information is not sufficient

You must consider whether you can achieve the purpose of the health management activity by collecting de-identified information.

For example, to handle patient complaints effectively, you need to obtain patient contact details so that you can follow up and act on the complaint. In this case, you cannot effectively complete the health management activity with de-identified information.

Whether it is impracticable to obtain consent will depend on the circumstances. You will need to justify why it is impracticable to obtain a patient’s consent. Incurring some expense or doing extra work does not in itself make it impracticable to obtain consent.

Examples of where it may be impracticable to seek consent include where:

  • there are no current contact details for the individual and you have insufficient information to obtain up to date contact details
  • obtaining the consent would adversely impact an investigation or monitoring activity.

Required by law, or in accordance with rules or guidelines

The collection must meet one of the following three criteria:

  • required by or under an Australian law
  • be in accordance with binding confidentiality rules established by competent health or medical bodies
  • be in accordance with guidelines approved under s 95A.

Binding rules of confidentiality issued by competent health or medical bodies

The rules dealing with obligations of professional confidentiality must be binding on the organisation and have been established by a competent health or medical body.

Section 95A Guidelines

The National Health and Medical Research Council’s Guidelines approved under Section 95A of the Privacy Act 1988 (s 95A Guidelines) have been approved by the Information Commissioner and are legally binding. The s 95A Guidelines provide a framework for human research ethics committees to assess research proposals involving the handling of health information (without the consent of the subject). The framework requires ethics committees to weigh the public interest in research activities against the public interest in the protection of privacy.

Reasonable steps to de-identify information before disclosure

If you collect health information for health management activities without consent, you must take reasonable steps to de-identify that information before disclosing it.

Reasonable steps to de-identify information will depend on circumstances such as:

  • the possible adverse consequences for an individual if the information is not de-identified before disclosure (and more rigorous steps are required as the risk of adversity increases)
  • the practicability, including time and cost involved. However, you are not excused from taking particular steps to de-identify health information simply because it would be inconvenient, time-consuming or impose some cost. Whether these factors make it unreasonable to take a particular step will depend on whether the burden is excessive in all the circumstances.


An incident monitoring body collects information, including health information, from a private hospital following the occurrence of a number of adverse incidents. The body collects this health information without the relevant patients’ consent as it relied on the ‘health management activities’ exception (for the purposes of this example, it was impracticable to gain the patients’ consent and using de-identified information was not possible).

As the information was collected under this exception, the body is required to take reasonable steps to de-identify the information before disclosing it. This means that, before issuing its report into the incidents, it must ensure that it takes reasonable steps to de-identify any patient health information that is included in the report.

Using and disclosing for health management activities

When using health information for a health management activity, you should always consider whether the proposed activity can be achieved using de-identified information.

If identified information is required, the normal use and disclosure provisions will apply.

Health information collected under the health management activities exception discussed above will have been collected for the primary purpose of a particular health management activity. You can therefore use and disclose the information for that purpose. However, as explained above, you must take reasonable steps to de-identify the information before disclosing it.

Where you originally collected the information you want to use or disclose for a health management activity for a different purpose, you will need to consider whether the use and disclosure provisions allow you to use or disclose it for health management activities. Relevant exceptions are:

  • with patient consent
  • use or disclosure that is reasonably expected and directly related to the primary purpose
  • required or authorised by or under law.

Helpful hint

Use and disclosure principles in NSW, Victoria and the ACT health privacy legislation contain an express exception relating to health management activities. In some cases, additional requirements are contained in statutory guidelines, such as the NSW Statutory guidelines on the management of health services. For further information regarding these additional obligations, contact your State or Territory regulator.