Certain businesses in Australia are required to comply with the Australian Privacy Principles (APPs) in the Privacy Act. Health service providers, and businesses that hold health information, fall into this category. Businesses that need to comply with the APPs are known as APP entities. Knowing how to comply with the Privacy Act can be confusing and complicated, particularly if you are not aware of your privacy obligations. If you are a health service provider, it is crucial to understand your privacy obligations and how the Privacy Act applies to your business. 

This article unpacks what a health service provider is and what counts as sensitive information. As a health service provider, there are also key obligations you must meet, including: 

  • collecting personal information correctly; 
  • using and disclosing personal information only as the Privacy Act permits;
  • if you disclose personal information overseas, ensuring it is done safely; and
  • keeping personal information secure. 

Health Service Providers

A business provides a health service when it assesses, diagnoses, treats or manages an individual's health, or records health information about them. Common examples of health service providers are:

  • doctors;
  • hospitals;
  • allied health professionals;
  • pharmacists;
  • gyms; and
  • weight loss clinics.

If you are a health service provider, you must comply with the APPs and other relevant provisions of the Privacy Act. Compliance will not only help you avoid large penalties for breaching the law, but will also foster trust between you and your patients. Therefore, you should ensure you are collecting, managing and storing your patients' sensitive health information with care. 

Sensitive Information

As a health service provider, you will inevitably collect personal information in the course of your business. Much of this will be sensitive information, which attracts extra protection under the Privacy Act. One category of sensitive information is health information.

Health information includes:

  • information or opinions about someone’s health, such as a doctor’s written notes about their patient, dental records, or prescriptions;
  • information collected to provide a health service, such as a patient’s name and Medicare number;
  • personal information connected to the donation of body parts; and
  • genetic information that could indicate the health of an individual. 

To summarise, the Privacy Act governs the handling of personal information. One category of personal information, which is afforded extra protection under the Privacy Act, is sensitive information. Health information is a type of sensitive information. 

Collecting Personal Information

You should only collect personal information that is reasonably necessary for your business activities, and you should only collect sensitive information with the individual's consent unless an exception applies. For example, if you run a psychology practice, you should only ask clients for information that you reasonably need in order to treat them. It is best practice to assess whether a piece of information is actually necessary before asking patients to disclose sensitive health information.

When you collect personal information, you should notify individuals of:

  1. your identity and contact details (so that the individual can identify who is collecting the information);
  2. why you are collecting the information;
  3. whether the law requires you to collect certain information;
  4. where they can find your privacy policy; and
  5. whether you are likely to disclose the information to overseas recipients. 

A privacy collection notice can succinctly describe these points. If your patients fill out a form when they attend your practice, this is a good place to display your privacy collection notice. 

Using and Disclosing Personal Information

Once you have collected patients’ sensitive health information, the next stage is thinking about how you use and disclose that information. 

You can use and disclose personal information, including health information, for the primary purpose for which you collected it. For example, if you collect information to set up an appointment for a patient, then you may use that information to set up the appointment.

If you plan to use the health information you have collected for another purpose, such as sharing information about a patient with other medical specialists, this is a secondary purpose. You may use or disclose sensitive information for a secondary purpose without consent only where that purpose is directly related to the primary purpose and the patient would reasonably expect it. Although you may be able to assess that a patient reasonably expects you to disclose their information when making a referral, as best practice you should obtain their consent for the disclosure. 

Disclosing Personal Information Overseas

Disclosing personal information overseas includes storing personal information with an overseas third party (for example, cloud-hosted patient management software), or providing information to a third party that accesses, stores or discloses that personal information overseas. If your business stores personal information with a third party overseas, you will need to take reasonable steps to ensure that the overseas recipient does not breach the APPs. An exception applies where you reasonably believe that the recipient is subject to a law or binding scheme that protects the information in a way substantially similar to the Privacy Act, and that your patients can access mechanisms to enforce that protection. 

Security of Personal Information

It is essential to take reasonable steps to protect the personal information you collect and hold from misuse, interference and loss, and from unauthorised access, modification and disclosure. You must also take reasonable steps in the circumstances to destroy or de-identify personal information if:

  • you no longer need the information for any purpose permitted under the APPs; and
  • you are not legally required to keep the information. 

Data Breaches

A data breach involving your patients' health information can be particularly damaging, and that is why, as an APP entity, you have data breach reporting obligations. A data breach is the unauthorised access to, unauthorised disclosure of, or loss of personal information. Examples include: 

  • loss of a laptop (that is not password protected or encrypted) containing patients' files; and
  • unauthorised access to a database, for example, if a hacker accesses your clinic management software.

Where a data breach has occurred, you must assess whether it is an eligible (notifiable) data breach, that is, one likely to result in serious harm to the affected individuals, and therefore whether you must notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals. 

Consequences of Not Complying 

The Australian Information Commissioner can investigate businesses that do not comply with the Privacy Act. Individuals can also bring complaints to the Commissioner if they have concerns about how a health service provider is handling their personal information. The Commissioner can seek civil penalties against businesses for serious or repeated breaches. Where an individual can show that they have suffered loss as a result of a business's breach of the Privacy Act, they may be awarded monetary compensation. 

Key Takeaways

As a health service provider, you need to understand your obligations under the Privacy Act when collecting, using and disclosing patients' sensitive information. You should also take reasonable steps to protect the personal information you collect and hold from misuse, interference and loss, and from unauthorised access, modification and disclosure. If you require assistance in understanding your privacy obligations as a health service provider, contact LegalVision's privacy lawyers on 1300 544 755 or fill out the form on this page. 
