The Australian Privacy Principles (APPs) were introduced in March 2014, to supplement the Privacy Act. The APPs apply to all health service providers. If you run a medical business, you need to make sure your Privacy Policy complies with the APPs, to comply with the law, as there are considerable fines for breach.

A thorough and up-to-date privacy policy will also help show your clients that you respect their personal information and take steps to keep it safe.

A Privacy Policy for a medical business needs to address the items set out below.

Collection of Personal Information

First, set out what type of information your business collects. Personal information includes:

  • name;
  • contact details;
  • date of birth;
  • demographics; and
  • preferences.

If your business receives personal information from third parties, you should indicate that you do so, and explain that you will protect this third party information in the same way you protect information collected directly.

Medical businesses also collect sensitive information, which is a subset of personal information. This is given higher protection under the APPs.

Sensitive information includes:

  • information or an opinion about an individual’s race, political opinions, religions and beliefs, memberships of a particular association, sexual orientation, or criminal records, which are also personal information;
  • health information;
  • genetic information (that is not otherwise health information); and
  • biometric information.

Use and Disclosure of Personal Information

Your Privacy Policy needs to set out how personal information will be used and disclosed. Personal information should not be used without consent.

Uses may include contacting and communicating with clients, for internal record keeping, marketing, and providing information to third parties.

You are allowed to disclose personal information to credit reporting agencies and courts where your clients fail to pay for any goods or services you provided, to law enforcement agencies as required by law, and to third parties who may assist in providing information, products or services to the client.

In relation to sensitive information, use and disclosure is stricter.

For a medical business, generally, sensitive information may only be used or disclosed under the following circumstances:

  • if the client would reasonably expect the business to use or disclose the information for a secondary purpose, and only if that secondary purpose is directly related to the primary purpose for which the sensitive information was collected;
  • if it is required or authorised by law;
  • if you reasonably believe that the disclosure is necessary for law enforcement purposes; or
  • if a permitted health situation exists.

A permitted health situation only exists where the information is necessary to provide a health service to the individual and the collection is either:

  • required or authorised by or under an Australian law; or
  • in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation.

 Storage and Security

You need to show your client that you are committed to keeping personal and sensitive information secure. You should outline what procedures you have in place to protect information such as physical, electronic or managerial procedures.

However, to limit your liability, it is wise to explain that whilst measures are taken, no information transmitted over the internet can be guaranteed to be secure.

Contact Details

You must provide details of how people can contact you in regards to the personal information that is held with your business and how they can correct this information.

Conclusion

When you operate a medical business, you collect, use and disclose personal and sensitive information on a regular basis. It is important that this information is protected. You need a good quality Privacy Policy in place and you need to follow it. To ensure that your Privacy Policy complies with the APPs, and covers your business, you should check the Privacy Act or have assistance from a lawyer.

Ursula Hogben

Ask Ursula a Question

If you would like further information on any of the topics mentioned in this article, please get in touch using the form on this page.