Office of the Australian Information Commissioner - Home

Australian Government - Office of the Australian Information Commissioner
Australian Government - Office of the Australian Information Commissioner

Main menu

Privacy fact sheet 49: Health information and your privacy

pdfPrintable version375.99 KB

January 2017

When you visit a doctor or other health service, they may need to ask for health information about you.

Australian privacy law governs how they can collect, use and share your health information. It also requires them to protect, correct and give you access to your health information. So please take a moment to read this fact sheet and understand the rules and responsibilities in place to protect your health information.

What is my ‘health information’?

Health information includes information about your health or a disability. It also includes any personal information collected while you are receiving a health service. This means that information such as your name, billing details, your Medicare number, or personal details about your race, sexuality or religion, may also be considered ‘health information’ in this context.

Health information is sensitive information and the Privacy Act[1] places rules and restrictions as to how health service providers must manage it.

What is a ‘health service provider’?

As you might expect, common examples of health service providers include doctors, pharmacists, dentists, private hospitals and nurses.

What you may not know is that allied services — such as counsellors, psychologists, chiropractors, disability services, physiotherapists, naturopaths, masseurs, gyms, weight loss clinics, child care centres and private schools – are also ‘health service providers’ in the context of collecting health information, and are bound by the same rules.

When can a provider collect my health information?

Generally, a provider can only collect your health information when you consent; should only collect it directly from you; and should only collect information they need to carry out their service to you.

Your consent to collection should be explicitly given, although there may be times where your consent can be assumed. For example, a doctor would normally make notes of symptoms during an appointment, so your consent to do so is implied unless you ask them not to.

In some situations, your doctor may not need your consent, such as in an emergency. For example, if you were unconscious and required urgent treatment, information about you could be collected from your family or doctor without your consent.

What does the provider need to tell me about my privacy?

The provider should ensure you understand why they are collecting your health information, how they will store and protect it, and if there are other parties they may disclose it to. They can tell you this verbally or in writing. It is common practice to provide it to you with a written notice on forms you fill out.

All health services providers are required to have a privacy policy outlining how they handle health information. You can ask for your provider’s privacy policy at any time if you want more information about how they will handle your details.

How can a provider use my health information? Can they share it with other parties?

A provider can use and share your health information for the purpose for which they collected it, or for a directly related purpose you would reasonably expect. For example, a GP collects your health information to diagnose and treat you. They then use this information to bill you for the services provided – this activity is directly related and you would expect them to do so.

Similarly, if a GP needs to refer you to a physiotherapist for broken leg muscle strain, you would expect them to provide details and history relevant to that injury, but you may not expect them to provide details of your appendicitis five years earlier.

Providers can also use or share your health information for any other purpose if you consent. So, if your GP knows an excellent trainer for people recovering from arm injuries they can provide your details to them, if you agree.

A provider can only use and/or share your health information for direct marketing purposes if you have consented to them doing so, and you can ask them (or any other organisation they have given your details to), to stop sending you communications if you change your mind.

What other rights do I have?

You generally have a right to access and correct your health information. For more information about these rights, please see Privacy fact sheet 50: Accessing and correcting your health information.

You generally have a right to not identify yourself, or to use a pseudonym.For example, when using phone counselling services on sensitive issues such as gambling addiction, or attending sexual health clinics. However, a provider does not have to accommodate this when it is impractical to do so, or if they are required by law to identify you (for example, treating a condition which requires mandatory reporting).

You have the right to make a complaint to us if you believe a provider has not handled your health information properly. You should talk to your provider first, and give them an adequate opportunity to deal with the complaint (usually 30 days). A provider cannot charge you for making a complaint, and their privacy policy must explain how you can complain to them. If you are not satisfied with their response, you can complain to us.

Footnotes

[1] Please note that state-managed public health services may be subject to state-based privacy acts or guidelines. For more detail please see state and territory health privacy.