Privacy and your health information
The Privacy Act 1988 (Privacy Act) protects your personal information. Personal information is information or an opinion that identifies you or could identify you, and includes information about your health. This fact sheet provides a summary of the rights the Privacy Act gives you in relation to private sector health service providers’ handling of your health information.
What is health information?
Health information is any information about your health or a disability, as well as any other personal information collected while you are receiving a health service, including:
- notes about the symptoms you describe or the health service provider’s observations and opinions of your health
- prescription information
- contact and billing details
- test results and reports, such as those relating to blood samples and X-rays
- dental records
- your Medicare number
- private hospital and day surgery admission and discharge records
- other sensitive information about you such as your race, sexuality or religion.
Health information is sensitive information under the Privacy Act. This means there are added restrictions on how health service providers can handle health information compared to other types of personal information.
What is a health service provider?
A health service provider (provider) is any organisation that:
· assesses or records information about your health, including any disability
· maintains or improves your health, including any disability
· gives out prescription drugs or medicines.
Examples of providers include doctors (such as General Practitioners), pharmacists, dentists, private hospitals, counsellors, psychologists, nurses, chiropractors, physiotherapists, naturopaths, masseurs, gyms, weight loss clinics, child care centres, private schools and disability services.
All private sector providers are covered by the Australian Privacy Principles (APPs).Public hospitals and clinics are covered by State and Territory legislation.
When can a provider collect your health information?
Generally, a provider can only collect your health information when:
- you consent to them doing so, and
- the information is reasonably necessary for them to carry out their functions or activities (such as diagnosing or treating your illness).
A provider should only collect your health information directly from you, unless it is unreasonable or impractical for them to do so.
There are certain situations where a provider can collect your health information without your consent.
These situations include where getting your consent is not practical due to the circumstances but a provider reasonably believes that they need the information to lessen or prevent a serious threat to any individuals’ (including you) life, health or safety, or the public’s health or safety.
For example, in an emergency where you are seriously injured, or unconscious, and require urgent healthcare, a doctor could collect relevant health information about you from your family or General Practitioner (GP) without your consent so they can give you the healthcare you need.
When a provider requires your consent to collect your health information for a particular purpose, they generally should ensure you understand what will happen to your information and what you are consenting to.
Your consent should be given voluntarily. You also need to have the capacity to consent to your health information being collected. There may be situations where a guardian or person who is responsible for you will need to provide consent on your behalf.
There may be times where your consent to a provider collecting your health information can be implied. For example, a GP would not normally need to specifically ask you for permission to make notes of symptoms you describe during an appointment because your consent can be implied from your conduct in attending the appointment and describing your symptoms.
You can withdraw your consent to a provider collecting your health information. However, this may impact on a provider’s ability to provide you with their services.
Generally, a provider has to let you know about a number of things at the time, or as soon after, they collect your health information. These include:
· the purposes for which they are collecting your information
· the main consequences, if any, for you if they do not collect your information
· any other third parties to which they usually disclose your information
There are a number of ways a provider may tell you about these things, such as verbally during an appointment or in writing on a form you fill out.
How can a provider use and disclose your health information?
Generally, a provider can only use and/or disclose your health information for the particular purpose for which they originally collected the information (known as the ‘primary purpose’).
A provider can also use and/or disclose your health information for another purpose (a ‘secondary purpose’) where you consent to them doing so.
There are situations where a provider can use and/or disclose your health information for a secondary purpose even if you have not consented to them doing so. These situations include where you would be reasonably expecting a provider to use or disclose your health information for a secondary purpose that is directly related to the primary purpose of collection.
Your ‘reasonable expectation’ about what health information might be shared with other providers might vary depending on the situation. For example, where a GP refers you to a specialist doctor for the treatment of a serious condition, you may reasonably expect your GP to give the specialist doctor your complete medical history and any related test results so the specialist doctor can decide how to treat your condition.
In contrast, where a GP refers you to a physiotherapist for a specific back problem, you may not reasonably expect your GP to give the physiotherapist information about unrelated health conditions, such as a previous diagnosis of depression.
A provider can only use and/or disclose your health information for direct marketing purposes where you have consented to them doing so.
Where you have previously consented to receiving direct marketing from your provider, your provider should provide you with the option of stopping any more marketing communications in the future.
Can you use a health service anonymously?
There may be situations where you do not want to give your identity information (such as name) to a provider. For example, you may not want to be identified when using phone counselling services on sensitive issues such as gambling addiction, or attending sexual health clinics for health advice.
You have a right to not identify yourself, or to use a pseudonym, when dealing with providers. However, a provider does not have to provide you with these options where it is impractical to do so or they are required or authorised by law to deal with identified individuals.
Examples of where a provider will need your identifying information include:
· where they are treating you for a disease that must be recorded and notified under a public health law
· where they need to get your medical history from a past provider to give you appropriate healthcare
· where you want to claim Medicare or other benefits for the healthcare a provider gives you.
Can you access and/or correct your health information?
Generally, you have the right to ask your provider for access to records of your health information in a particular way and your provider is required to give you access to that information in the way you have requested. However, there are some situations where your provider can refuse your access request or give you access in a different way from that which you requested. For example, your provider may be allowed or required to refuse you access because of a law or a court/tribunal order.
For more detailed information about your right to access your health information please refer to the [insert link to access and correction fact sheet].
You have a right to ask your provider to correct information you think is not accurate in your health information records. However, your provider can refuse your request where for example, they have taken reasonable steps to satisfy themselves that the information is accurate.
For more detailed information about your right to have your health information corrected please refer to the [insert link to access and correction fact sheet].
How can you complain?
You can make a complaint if you believe a provider has not handled your health information properly under the APPs.
You should first make a complaint to the relevant provider and give them an adequate opportunity to deal with the complaint. Depending on the situation, you should generally allow your provider at least 30 days to respond to your complaint.
If you are not satisfied with a provider’s response to your complaint, you may then complain to us. For more information about our process, please refer to the OAIC’s privacy complaintswebpage.
The information provided in this resource is of a general nature. It is not a substitute for legal advice.
For further information
telephone: 1300 363 992
write: GPO Box 5218, Sydney NSW 2001
Or visit our website at www.oaic.gov.au
Some private sector providers are also covered by State or Territory privacy laws.