Health information is regarded as one of the most sensitive types of personal information. For this reason, the Privacy Act 1988 provides extra protections around its handling.

Health service providers

All organisations that provide a health service and hold health information (other than in an employee record) are covered by the Privacy Act, whether or not they are a small business.

Under the Privacy Act a 'health service' includes any activity that involves:

  • assessing, maintaining or improving a person's physical or psychological health
  • where a person’s health cannot be maintained or improved – managing the person’s physical or psychological health
  • diagnosing or treating a person's illness, disability or injury
  • recording a person’s physical or psychological health for the purposes of assessing, maintaining, improving or managing the person’s health
  • dispensing a prescription drug or medicinal preparation by a pharmacist.

This includes activities that take place in the course of providing aged care, palliative care or care for a person with a disability.

Examples of organisations providing a health service include:

  • traditional health service providers, such as private hospitals, day surgeries, medical practitioners, pharmacists and allied health professionals
  • complementary therapists, such as naturopaths and chiropractors
  • gyms and weight loss clinics
  • child care centres and private schools.

The Privacy Act regulates how these organisations collect and handle personal information, including health information. It also includes provisions that generally allow an individual to access information held about them. The Office of the Australian Information Commissioner (OAIC) also regulates the handling of health information held in an individual’s My Health Record, and the handling of healthcare identifiers.

Health and medical research

In certain circumstance, the Privacy Act permits the handling of health information and personal information for health and medical research purposes, where it is impracticable for researchers to obtain individuals' consent. This recognises:

  • the need to protect health information from unexpected uses beyond individual healthcare
  • the important role of health and medical research in advancing public health.

To promote these ends, the Privacy Commissioner has approved two sets of legally binding guidelines, issued by the National Health and Medical Research Council (NHMRC). Researchers must follow these guidelines when handling health information for research purposes without individuals' consent. The guidelines also assist Human Research Ethics Committees (HRECs) in deciding whether to approve research applications. The guidelines are produced under sections 95 and 95A of the Privacy Act. The guidelines are:

  • Guidelines under Section 95 of the Privacy Act 1988, which set out procedures that HRECs and researchers must follow when personal information is disclosed from a Commonwealth agency for medical research purposes.
  • Guidelines under Section 95A of the Privacy Act 1988, which provide a framework for HRECs to assess proposals to handle health information held by organisations for health research (without individuals' consent). They ensure that the public interest in the research activities substantially outweighs the public interest in the protection of privacy.

Using and disclosing genetic information

The Privacy Act does not prevent a health service provider using or disclosing a patient's genetic information, if the patient has given informed consent.

Where a health service provider has not been able to obtain consent from the patient, the Privacy Act allows the use and disclosure of genetic information where:

  • the health service provider obtained the genetic information in the course of providing a health service to the patient
  • the health service provider reasonably believes that there is a serious threat to the life, health or safety of a genetic relative of the patient
  • the use or disclosure to the genetic relative is necessary to lessen or prevent that threat
  • the health service provider has complied with the Guidelines issued under section 95AA of the Privacy Act
  • in the case of disclosure, the recipient of the information is a genetic relative of the patient.