Skip to main content
Privacy
  • On this page

Publication date: November 2017

There are a number of different types of communications which health service providers may want to send to patients. These may include, for example, notifications of test results, disease screening reminders, notifications about care plans and practice newsletters.

The Australian Privacy Principles (APPs) establish a framework that facilitates an open relationship between health service providers and their patients where the provider and patient can reach a shared understanding of how the patient’s health information, including contact details, will be used and disclosed. This ensures that health information is generally only used and disclosed in accordance with a patient’s expectations.

The OAIC has developed a flowchart that outlines the considerations in sending communications to patients. The flow chart is designed to be read in conjunction with the information in this resource.

For many communications, a patient’s consent to receiving the communication can usually be implied, which means sending the communication will comply with the Privacy Act 1988 (see Implied consent).

When it is not reasonable to imply the patient’s consent, you will need to consider whether there are other grounds under the Privacy Act that permit the communication to be sent (see Communications Without Implied Consent).

Consent under the Privacy Act can be express or implied and consists of the following four elements:

  • the individual is adequately informed before giving consent
  • the individual gives consent voluntarily
  • the consent is current and specific, and
  • the individual has the capacity to understand and communicate their consent.

Further information on consent can be found in Chapter B of the APP Guidelines.

Implied consent arises where consent may reasonably be inferred in the circumstances from the conduct of the patient and the health service provider. Where there is open communication and information sharing between the provider and the patient, consent issues will usually be addressed during the course of the consultation. If the consultation discussion has provided the individual with an understanding about how their health information may be used, then it may be reasonable for you to rely on implied consent.

For example, in general practice, demographic and healthcare information is collected to provide both immediate and longitudinal care. Follow-up for continuing care is dependent on a multitude of factors. However, in accordance with accepted clinical guidelines, practices will initiate communications with patients where clinically appropriate. This is implicit in the doctor patient relationship and in accordance with the clinical duty of care.

In a healthcare setting, a patient may take certain actions that imply their consent to receiving communications from their health service provider. For example, when a parent takes their baby to the GP to get the recommended two month, four month and six month immunisations, it would be reasonable for the GP to imply the parent’s consent to being sent a reminder about the next immunisation due, if the parent does not book an appointment at the recommended time.

The requirements for demonstrating that it is reasonable to imply consent are often highly dependent on the context in which the health information is collected, used and disclosed. However, you are more readily able to rely on implied consent to send communications to a patient in situations where:

  • the patient has previously received and/or discussed with you the particular service addressed in the particular communication
  • the patient regularly attends the clinic or health service
  • the patient recently attended the clinic or health service
  • the patient would reasonably expect you to communicate with them in that way based on prior provider-patient communications.

You will need to decide, on a case-by-case basis, whether consent can be implied, as consent is highly dependent on the context in which health information is collected, used and disclosed. However, generally it is reasonable to imply the patient’s consent to receiving the following types of communications:

  • notification of results, recalls and follow-up after disease screening, blood tests and other health assessments
  • reminder to attend the practice to follow up on or remove long acting contraception
  • a reminder is sent to a patient to attend a scheduled longer appointment
  • sending a letter to an elderly patient on statins for primary prevention to make an appointment to review their medications
  • follow-up on treatment the patient is currently receiving, such as an established care plan to assist with quitting smoking, ongoing treatment for a thyroid disorder, or hormone replacement therapy
  • communications in relation to an established care plan such as a chronic disease management plan (CDM) plan
  • a reminder to patients that an administrative fee may be incurred if they do not cancel and do not present at their scheduled appointment time if this appointment has been previously missed.

Example: Chronic Disease Management Plan

Geoff has type 2 diabetes. His GP has developed an individualised Chronic Disease Management (CDM) Plan to help plan and coordinate the management and care of Geoff’s condition. As part of the CDM Plan, Geoff’s GP sends him reminders to attend the practice to test his HbA1c levels every 3 months to monitor glycaemic control.

Based on Geoff’s agreement to his CDM Plan, it is reasonable for the GP to imply Geoff’s consent to receiving this type of reminder.

If you are not confident that it is reasonable to imply a patient’s consent to receiving a particular communication, you will need to consider whether the communication is still permitted under the Privacy Act. The grounds on which the communication may be permitted will depend on whether or not the communication is direct marketing.

Is the communication direct marketing?

Direct marketing is where an entity directly promotes goods or services to an individual, using their personal information. It can encompass any communication made by or on behalf of an entity to an individual. The use or disclosure of personal information to direct market is regulated by APP 7.

The Spam Act and the Do Not Call Register

APP 7 only applies to direct marketing that is not regulated by the Spam Act 2003 and the Do Not Call Register Act 2006 (DNCR Act). These Acts contain specific provisions that regulate direct marketing by electronic messaging (e.g. text and email) and telephone numbers that are registered on the Do Not Call Register.

Visit the ACMA website for more detailed information about the DNCR Act and the Spam Act.

Express consent

Under APP 7, direct marketing using sensitive information, such as health information, is only permitted with the implied or express consent of the individual. Therefore, if consent cannot be implied for sending a specific communication to a patient, express consent is required.

Express consent is given explicitly, either orally or in writing. This could include a handwritten signature or an oral statement (such as a verbal agreement). Express consent does not last forever, and can be withdrawn at any time.

The best evidence of express consent is given when a person has to do something deliberate to indicate their consent, such as writing a letter, ticking a consent box or signing a statement indicating their consent. A patient may also give express consent face-to-face during a consultation with their health service provider.

Generally, express consent is needed for communications that are not targeted to an individual patient’s specific healthcare and which are sent in a more indiscriminate manner to a practice’s entire database. These communications might include, for example a letter sent to an entire practice’s database about the availability of the influenza vaccination, or a letter sent to an entire practice’s database to promote the addition of a physiotherapist to a multidisciplinary practice.

Communications that are not direct marketing

If the communication is not direct marketing, APP 6 will apply. Under APP 6, unless an exception applies, you can only use or disclose health information to send a particular communication if sending that communication is part of the primary purpose for which the information was collected. It is unlikely that a situation would arise where consent cannot be implied and yet the sending of a communication is for the primary purpose for which the patient’s contact details were collected. Therefore, if you are not confident that it is reasonable to imply your patient’s consent to receiving a communication, then it is unlikely that it is the primary purpose for which you collected the information and you should instead consider whether an exception applies.

Health information can be used for a secondary purpose if an exception applies. Exceptions that may be relevant in this context include where:

  • the patient has expressly consented to a secondary use or disclosure[1] (discussed below)
  • the patient would reasonably expect the health service provider to use or disclose their personal information for the secondary purpose and that purpose is directly related to the primary purpose (discussed below)
  • the use or disclosure is required or authorised by or under an Australian law or a court/tribunal order.

The full range of exceptions is discussed in detail in the APP guidelines.

Express consent to a secondary use or disclosure

If a health service provider collects information for the primary purpose of providing healthcare to a patient, they will generally be able to use that information for the secondary purpose of sending out communications, if the patient has expressly consented to their information being used for that secondary purpose.

Example: Filling out a consent form

Anne attends a GP clinic for the first time and is asked to fill out a form with her personal details. The form also includes a checklist of different types of communications that the GP clinic sends out to patients that have indicated they would like to receive those specific communications.

Anne puts a tick next to some of the communications she would like to receive, and a cross next to the communications that she does not want to receive. The GP clinic would be authorised under APP 6 to send Anne the specific communications she has indicated she would like to receive. This is because, by ticking the checkbox, Anne has expressly consented to her contact details being used for the secondary purpose of sending her those specific communications.

Reasonable expectation/directly related purpose

Health information, including contact details, can be used for a secondary purpose if the patient would reasonably expect the health service provider to use or disclose the information for the secondary purpose, and the secondary purpose is directly related to the primary purpose of collection. This creates a two-limb test which focuses both on the reasonable expectations of the patient and the relationship between the primary and secondary purpose.

Example: Government screening program

Winston regularly attends his local GP clinic. His health information, including his contact details, have been collected by the clinic for the purpose of providing general practice services to diagnose and treat the conditions which Winston has presented with.

When Winston turned 50 years old he became eligible to participate in the Australian government’s National Bowel Cancer Screening Program. As a result, Winston’s GP initiated a discussion with him on preventative health recommendations related to bowel cancer. His GP then sent him a letter to encourage him to participate in the screening program and to use the free screening kit which he would receive via mail from the Department of Health. The letter’s sole purpose was to explain the screening program and to encourage Winston to participate.

This type of communication is allowed under APP 6 because Winston would reasonably expect his GP to use his contact details for the directly related secondary purpose of encouraging him to participate in the fully-funded government program for bowel cancer screening.

Flowchart

The flowchart below summarises the issues that a health service provider should consider before sending communications to patients.

Some of the key health privacy terms that are used are explained in the APP Guidelines.

Flowchart image. Link to long text description follows.

View long text description of Flowchart

Long text description of flowchart

Question 1: Can you imply consent for the communication to be sent?

  • Yes: Sending the communication is acceptable under the APPs, as long as the other APPs are complied with
  • No: Go to Question 2

Question 2: Is it a form of direct marketing that is covered by APP 7?

Question 3: Do you have the patient’s express consent to send the communication?

  • Yes: Sending the communication is acceptable under the APPs, as long as the other APPs are complied with
  • No: Sending the communication would breach the APPs

Question 4: Does an APP 6 exception apply?

Further explanation below.

  • Yes: Sending the communication is acceptable under the APPs, as long as the other APPs are complied with
  • No: Sending the communication would breach the APPs

When does an APP 6 exception apply?

  • the patient has expressly consented to a secondary use or disclosure
  • the patient would reasonably expect the health service provider to use or disclose their personal information for the secondary purpose and that purpose is directly related to the primary purpose
  • the use or disclosure is required or authorised by or under an Australian law or a court/tribunal order

Back to Flowchart

Footnote

[1] Implied consent is also an exception to APP 6 but is not mentioned in this list given this section of the guidance relates to health service providers sending communications where it is not reasonable for them to imply consent.