
I Am a Health Service Provider. What Are My Privacy Obligations?

Certain businesses in Australia are required to comply with the Australian Privacy Principles (APPs) in the Privacy Act. Health service providers, and businesses that hold health information, fall into this category. Businesses that need to comply with the APPs are known as APP entities. Knowing how to comply with the Privacy Act can be confusing and complicated, particularly if you are not aware of your privacy obligations. If you are a health service provider, it is crucial to understand your privacy obligations and how the Privacy Act applies to your business. 

This article unpacks the meaning of a health service provider and sensitive information. As a health service provider, there are also key obligations you must obey, including: 

  • correctly collecting personal information; 
  • using and disclosing personal information;
  • if disclosing personal information overseas, ensuring it is done so safely; and
  • ensuring the security of personal information. 

Health Service Providers

Businesses provide a health service when they assess, treat, manage, diagnose, and record information about an individual’s health. Common examples of health service providers are:

  • doctors;
  • hospitals;
  • allied health professionals;
  • pharmacists;
  • gyms; and
  • weight loss clinics.

If you are a health service provider, you must comply with the APPs and other relevant provisions within the Privacy Act. Compliance will not only help you avoid large penalties for breaching the law but will also help to foster trust between you and your patients. Therefore, you should ensure you are collecting, managing and storing your patients’ sensitive health information with care.

Sensitive Information

As a health service provider, you will inevitably collect personal information in the course of your business. Much of this will be sensitive information, which attracts extra protection under the Privacy Act. One category of sensitive information is health information.

Health information includes:

  • information or opinions about someone’s health, such as a doctor’s written notes about their patient, dental records, or prescriptions;
  • information collected to provide a health service, such as a patient’s name and Medicare number;
  • personal information connected to the donation of body parts; and
  • genetic information that could indicate the health of an individual. 

To summarise, the Privacy Act governs the use of personal information. One category of personal information, which is afforded extra protection under the Privacy Act, is sensitive information. Health information is a type of sensitive information. 


Collecting Personal Information

You should only collect personal information that is reasonably necessary for your business activities. For example, if you run a psychology business, you should only ask clients for information that you reasonably need in order to treat them. It is best practice to assess whether certain information is necessary before asking your patients to disclose sensitive health information.

When you collect personal information, you should notify individuals of:

  1. your business name (so that the individual can identify who is collecting the information);
  2. why you are collecting the information;
  3. whether the law requires the collection of certain information;
  4. where they can find your privacy policy; and
  5. whether you disclose information to overseas recipients. 

A privacy collection notice can succinctly describe these points. If your patients fill out a form when they attend your practice, this is a good place to display your privacy collection notice. 

Using and Disclosing Personal Information

Once you have collected patients’ sensitive health information, the next stage is thinking about how you use and disclose that information. 

You can use and disclose personal information, including health information, for the primary purpose that you collected it. For example, if you collect information to set up an appointment for a patient, then you may use the information you collect to set up the appointment.

If you plan to use the health information you have collected for another purpose, such as to share information about a patient with other medical specialists, this would be a secondary purpose. Although you can assess that your patient may reasonably expect you to disclose sensitive information when making a referral, as best practice, you should get consent for the disclosure.

Disclosing Personal Information Overseas

Disclosing personal information overseas includes storing personal information with an overseas third party (for example, in patient management software), or providing information to a third party which accesses, stores or discloses that personal information overseas. If your business stores personal information with a third party overseas, then you will need to take reasonable steps to ensure that the overseas recipient does not breach the APPs. An exception to this is where you believe that the recipient is subject to very similar laws to the Privacy Act.

Security of Personal Information

It is essential to take steps to protect the personal information you collect and hold from misuse, unauthorised access, interference, modification and loss. You must also take reasonable steps in the circumstances to destroy or de-identify personal information if:

  • you no longer need the information; and
  • you do not need to legally keep the information. 

Data Breaches

It can be particularly problematic if the health information about your patients is subject to a data breach, and that is why, as an APP entity, you have data breach reporting obligations. Data breaches are the unauthorised access to, or disclosure of, personal information. Examples include: 

  • loss of a laptop (that is not password protected) containing patients’ files; and
  • unauthorised access to a database, for example, if a hacker was to access your clinic management software.

Where a data breach has occurred, you must assess whether it is a notifiable data breach, and therefore whether you must notify the privacy commissioner and affected individuals. 

Consequences of Not Complying 

The Privacy Commission can investigate businesses which do not comply with the Privacy Act. Alternatively, individuals can bring complaints to the Commissioner if they have concerns about how a health service provider is handling their personal information. The Privacy Commission can fine businesses for breaches. Where an individual can show that they have suffered loss as a result of a company’s breach of the Privacy Act, they may receive monetary compensation. 

Key Takeaways

As a health service provider, you need to understand your obligations under the Privacy Act when collecting, using and disclosing patients’ sensitive information. You should also take steps to protect the personal information you collect and hold from misuse, unauthorised access, interference, modification and loss. If you require assistance in understanding your privacy obligations as a health service provider, contact LegalVision’s privacy lawyers on 1300 544 755 or fill out the form on this page. 

Jessica Anderson

Senior Lawyer
Jessica is a Senior Lawyer in LegalVision’s Commercial Contracts team. From day to day, Jessica enjoys preparing contracts to suit her clients’ needs, and walking clients through key-risk issues whether within a contract or within the broader regulatory landscape, from privacy law, consumer law, or community gaming and charities law.

Qualifications: Bachelor of Laws, Graduate Diploma of Legal Practice, Macquarie University.