
Certain businesses in Australia are required to comply with the Australian Privacy Principles (APPs) in the Privacy Act. Health service providers, and businesses that hold health information, fall into this category. Businesses that need to comply with the APPs are known as APP entities. Knowing how to comply with the Privacy Act can be confusing and complicated, particularly if you are not aware of your privacy obligations. If you are a health service provider, it is crucial to understand your privacy obligations and how the Privacy Act applies to your business. 

This article unpacks the meaning of a health service provider and sensitive information. As a health service provider, there are also key obligations you must meet, including:

  • correctly collecting personal information;
  • using and disclosing personal information appropriately;
  • if disclosing personal information overseas, ensuring it is done safely; and
  • ensuring the security of personal information.

Health Service Providers

Businesses provide a health service when they assess, treat, manage, diagnose, and record information about an individual’s health. Common examples of health service providers are:

  • doctors;
  • hospitals;
  • allied health professionals;
  • pharmacists;
  • gyms; and
  • weight loss clinics.

If you are a health service provider, you must comply with APPs and other relevant provisions within the Privacy Act. Compliance will not only help you avoid large penalties for breaching the law but will also help to foster trust between you and your patients. Therefore, you should ensure you are collecting, managing and storing your patients’ sensitive health information with care. 

Sensitive Information

As a health service provider, you will inevitably collect personal information in the course of your business. Much of this will be sensitive information, which attracts extra protection under the Privacy Act. One category of sensitive information is health information.

Health information includes:

  • information or opinions about someone’s health, such as a doctor’s written notes about their patient, dental records, or prescriptions;
  • information collected to provide a health service, such as a patient’s name and Medicare number;
  • personal information connected to the donation of body parts; and
  • genetic information that could indicate the health of an individual. 

To summarise, the Privacy Act governs the use of personal information. One category of personal information, which is afforded extra protection under the Privacy Act, is sensitive information. Health information is a type of sensitive information. 

Collecting Personal Information

You should only collect personal information that is reasonably necessary for your business activities. For example, if you run a psychology business, you should only ask clients for information that you reasonably need in order to treat them. It is best practice to assess whether certain information is necessary before asking your patients to disclose sensitive health information.

When you collect personal information, you should notify individuals of:

  1. your business name (so that the individual can identify who is collecting the information);
  2. why you are collecting the information;
  3. whether the law requires the collection of certain information;
  4. where they can find your privacy policy; and
  5. whether you disclose information to overseas recipients. 

A privacy collection notice can succinctly describe these points. If your patients fill out a form when they attend your practice, this is a good place to display your privacy collection notice. 

Using and Disclosing Personal Information

Once you have collected patients’ sensitive health information, the next stage is thinking about how you use and disclose that information. 

You can use and disclose personal information, including health information, for the primary purpose that you collected it. For example, if you collect information to set up an appointment for a patient, then you may use the information you collect to set up the appointment.

If you plan to use the health information you have collected for another purpose, such as sharing information about a patient with other medical specialists, this would be a secondary purpose. Although you can assess that your patient may reasonably expect you to disclose sensitive information when making a referral, as best practice, you should get consent for the disclosure.

Disclosing Personal Information Overseas

Disclosing personal information overseas includes storing personal information with an overseas third party (for example, in patient management software), or providing information to a third party which accesses, stores or discloses that personal information overseas. If your business stores personal information with a third party overseas, then you will need to take reasonable steps to ensure that the overseas recipient does not breach the APPs. An exception to this is where you believe that the recipient is subject to laws very similar to the Privacy Act.

Security of Personal Information

It is essential to take steps to protect the personal information you collect and hold from misuse, unauthorised access, interference, modification and loss. You must also take reasonable steps in the circumstances to destroy or de-identify personal information if:

  • you no longer need the information; and
  • you do not need to legally keep the information. 

Data Breaches

It can be particularly problematic if the health information about your patients is subject to a data breach, and that is why, as an APP entity, you have data breach reporting obligations. A data breach is the unauthorised access to, or disclosure of, personal information. Examples include:

  • loss of a laptop (that is not password protected) containing patients’ files; and
  • unauthorised access to a database, for example, if a hacker were to access your clinic management software.

Where a data breach has occurred, you must assess whether it is a notifiable data breach, and therefore whether you must notify the privacy commissioner and affected individuals. 

Consequences of Not Complying 

The Privacy Commissioner can investigate businesses which do not comply with the Privacy Act. Alternatively, individuals can bring complaints to the Commissioner if they have concerns about how a health service provider is handling their personal information. The Privacy Commissioner can fine businesses for breaches. Where an individual can show that they have suffered loss as a result of a company’s breach of the Privacy Act, they may receive monetary compensation.

Key Takeaways

As a health service provider, you need to understand your obligations under the Privacy Act when collecting, using and disclosing patients’ sensitive information. You should also take steps to protect the personal information you collect and hold from misuse, unauthorised access, interference, modification and loss. If you require assistance in understanding your privacy obligations as a health service provider, contact LegalVision’s privacy lawyers on 1300 544 755 or fill out the form on this page. 
