Privacy
business resource X
Using and disclosing patients’ health information
Month 2015
This business resource explains the requirements under Australian Privacy Principle (APP) 6 in the Privacy Act
1988 (Cth) (Privacy Act) when using and disclosing patients’ health information.[1] These requirements include
only using and disclosing health information for the primary purpose of collection, unless an exception applies.
This resource is part of a series that outlines what private sector health service providers need to know about
handling their patients’ health information. Some of the key health privacy terms used are explained in
Business resource: Key health privacy concepts, while other terms are explained in the Australian Privacy
Principles Guidelines.
Meaning of ‘use’ and ‘disclosure’
APP 6 outlines when you may use or disclose your patients’ health information. The terms ‘use’ and ‘disclosure’ are
not defined in the Privacy Act.
Generally, a use of health information occurs where you handle or undertake an activity with the information that
you hold. Examples of using health information may include:

• accessing and reading a patient’s medical file
• searching electronic records for a patient’s health information
• making a treatment decision based on a patient’s health information
• passing the information from one part of your organisation to another.
A disclosure occurs where you make health information accessible to others outside your organisation and the
subsequent handling of that information is released from your effective control. Examples of disclosing health
information may include:

• sharing health information with another health service provider or individual
• providing health information to an unintended recipient
• providing a patient’s health information during a conversation with a person outside your organisation
• displaying a computer screen so that health information can be read by someone else, for example, at a
  reception counter or in an office.
APP 6 does not apply to the use or disclosure of health information for the purpose of direct marketing (see APP 7),
or government related identifiers (see APP 9).
[1] For further information about your obligations see the APP Guidelines, Chapter 6: APP 6 — Use or disclosure of personal
information.
Business resource X: Using and disclosing health information to provide a health service
Using and disclosing your patients’ health information
You can use or disclose health information about your patients for the ‘primary purpose’ for which the information
was collected. The primary purpose is the main or dominant reason you collect health information. How broadly a
purpose can be described will depend on the circumstances and should be determined on a case-by-case basis. For
example, a general practice’s primary purpose in collecting health information may be to provide general practice
services to diagnose and treat a patient. In cases of ambiguity, and with a view to protecting individual privacy, the
primary purpose of collection should be construed narrowly rather than expansively.
You can also use and disclose your patient’s information for a secondary purpose where an exception applies. These
exceptions are outlined below.
Compliance tips
State or Territory legislation may place additional requirements on providers in those jurisdictions. For example,
providers in the ACT who collect a patient’s personal information from another provider for a particular purpose may
not be permitted to use or disclose it for a secondary purpose.
Contact the NSW Information and Privacy Commission, Office of the Health Services Commissioner Victoria, or ACT
Health Services Commissioner to find out more about any additional requirements.
Reasonably expected by the patient and directly related to the primary purpose
APP 6 allows you to use or disclose health information for a secondary purpose if:

• the patient would reasonably expect you to use or disclose the information for that purpose, and
• the secondary purpose is directly related to the primary purpose of collection.[2]
Reasonable expectations
When assessing a patient’s reasonable expectations, you need to consider what an ordinary person would expect to
happen to their health information in the given circumstances. This is based on general community expectations of
how information usually flows within the health system.
Example: Referrals to a specialist
When a general practitioner (GP) refers a patient to a specialist, most patients would reasonably expect that the
specialist would disclose relevant information about the patient back to the GP.
The patient’s reasonable expectations are closely linked to what the provider tells them about how their health
information will be handled, and the patient’s reaction and understanding.
In addition to discussing with a patient how their health information will be used and disclosed, a patient’s
reasonable expectations can also be informed by your APP 5 privacy notice. APP 5 requires health service providers
to tell patients about certain matters when they first collect health information. These matters include why the
information is being collected, how it may be used and to whom it may be disclosed. Business resource: Collecting
patients’ health information contains more information about APP 5.
[2] For non-sensitive personal information, this exception only requires the secondary purpose to be ‘related’ to the primary
purpose.
Directly related purpose
A directly related secondary purpose is one which is closely associated with the primary purpose, even if it is not
strictly necessary to achieve that primary purpose. This requirement for a direct relationship recognises that the use
and disclosure of health information can have serious ramifications for the individual or their associates, including
humiliation, embarrassment or loss of dignity. In healthcare, directly related purposes are likely to include anything
to do with the patient’s care or wellbeing.
Other directly related purposes include many activities or processes necessary for the functioning of the health
sector. Provided these purposes fall within the individual’s reasonable expectations, no additional steps need be
taken before using or disclosing the information in this way. These purposes may include:

• billing or debt recovery (with care, discretion and consistent with confidentiality)
• a provider’s management, funding, complaint-handling, planning, evaluation and accreditation activities (for
  example, activities to assess the cost effectiveness of a particular treatment or service), an organisation’s quality
  assurance or clinical audit activities, where they evaluate and seek to improve the delivery of a particular
  treatment or service[3]
• disclosure to a medical expert (only for medico-legal opinion), an insurer, a medical defence organisation, or a
  lawyer, solely for the purpose of addressing liability indemnity arrangements (such as reporting an adverse
  incident), or for the defence of anticipated or existing legal proceedings
• disclosure to a clinical supervisor by a psychiatrist, psychologist or social worker.
Sharing information with other health service providers without consent
The multi-disciplinary team approach to health care is common in the Australian health system. This approach often
calls for health information to be shared within a ‘treating team’, or on a ‘need to know basis’, so it is important that
a patient understands how this may apply to their situation.
If a patient’s information is likely to be shared within a treating team, you should tell the patient that such
disclosures may take place. You should also tell the patient who is in the treating team (such as a GP, physician,
physiotherapist and others), and how much information may be disclosed to particular members of the team. A
patient may be sensitive about certain information being shared without their consent even across a treatment
team, or with particular members of it.
While information can be shared with consent (see below), consent will generally not be required where effective
communication has established a clear, shared understanding between the provider and the patient about the likely
uses and disclosures that may occur as part of their treatment. Open discussion that usually occurs during
consultations will often achieve this shared understanding.
The Privacy Act is not intended to impose unnecessary administrative burdens on providers, or to inconvenience
patients, by requiring consent every time health information is appropriately shared with another provider, or
otherwise handled in the delivery of healthcare. At the same time, the Privacy Act seeks to ensure that individuals
retain appropriate control over how their information is handled, including ensuring that it is not handled in ways
that an individual would not expect.
[3] See Business resource: Collecting, using and disclosing health information for health management activities for further detail.
Example: Multi-disciplinary care team
Pam has Type 2 diabetes. Pam’s GP has explained the benefits of a multidisciplinary care plan for the treatment of
complex conditions like diabetes. The GP has also told Pam about the types of providers that may participate, and
explained their respective roles. With Pam’s agreement, the GP proposes a multidisciplinary care plan including the
GP, an endocrinologist, a dietician, a podiatrist and a diabetes educator (in this case, all private sector providers).
Pam initially visited the GP for a particular symptom of her diabetes (for instance, generally feeling tired and
lethargic). While treatment of these symptoms would be the primary purpose for which the GP collected Pam’s
information, the treatment of any other symptoms of her condition would be directly related to this primary
purpose. Additionally, by discussing the care plan, the GP has effectively established Pam’s reasonable expectations
as to which providers will take part in the multidisciplinary care team.
Under the Privacy Act, information necessary to treat Pam’s diabetes may now be exchanged between the team
members, as these exchanges would be for directly related purposes, and fall within her reasonable expectations.
Using or disclosing health information with consent
You may use or disclose health information for a secondary purpose with the patient’s consent (APP 6.1(a)).
Consent can be either express or implied. Express consent is given explicitly, either orally or in writing. Implied
consent arises where you can infer from the circumstances, and the conduct of the patient, that they are consenting
to the use or disclosure of their health information.
The four key elements of consent are:

• the individual is adequately informed before giving consent
• the individual gives consent voluntarily
• the consent is current and specific
• the individual has the capacity to understand and communicate their consent.
Consent in this context refers to a patient’s decision about how their health information is used and disclosed. It
does not cover consent to receive treatment. In practice, consent to the handling of health information and consent
to treatment often occur at the same time, though they are distinct authorities by an individual to do different
things: to provide treatment and to handle health information in particular ways.
For more detailed discussion of ‘consent’, see the APP Guidelines, Chapter B: Key concepts.
Laws requiring or authorising use or disclosure
You may use or disclose health information for a secondary purpose if the use or disclosure is required or authorised
by or under an Australian law or a court/tribunal order. ‘Law’ includes federal, state and territory legislation, and the
common law.
If the law requires you to use or disclose information, you must do so. Examples of such requirements include the
mandatory reporting of child abuse (under care and protection laws) or the mandatory notification of certain
communicable diseases (under public health laws).
If the law authorises the use or disclosure of information, you can decide whether to do so or not – the legal
authority exists, but you have discretion as to whether to handle the information in that way.
The exception is discussed in further detail in the APP Guidelines Chapter B: Key concepts.
Courts and legal proceedings
At times, you may be called to disclose health information to courts or tribunals. If served with a subpoena or other
court order requiring the production of documents, you are generally required by law to provide the documents
identified in the order. However, court orders may be challenged and may not require production of all documents
held by you (such as those for which you may be able to claim legal professional privilege). If you are concerned
about the information required to be produced to the court or tribunal, or you are unsure how to proceed, you could
seek advice via the registrar of the court or tribunal which issued the order, a legal adviser or your professional body.
Lessening or preventing a serious threat to life, health or public safety
You may use or disclose health information for a secondary purpose where:

• it is unreasonable or impracticable to obtain the patient’s consent to the use or disclosure, and
• you reasonably believe that the use or disclosure is necessary to lessen or prevent a serious threat to the life,
  health or safety of any individual, or to public health or safety.[4]
Reasonable belief
In addition to it being unreasonable or impracticable to obtain consent, you must reasonably believe that using
or disclosing the information is necessary to lessen or prevent a serious threat. There must be a reasonable basis for
your belief, and not merely a genuine or subjective belief. You must be able to justify your reasonable belief.
Health service providers are not excused from obtaining consent by reason only that it would be inconvenient,
time-consuming or impose some cost to do so. Whether these factors make it impracticable to obtain consent will depend
on whether the burden is excessive in all the circumstances.
Serious threat
A ‘serious’ threat must reflect significant danger, and could include a potentially life threatening situation or one that
might reasonably result in other serious injury or illness to any individual, whether it be the patient concerned or a
third party. A serious threat to public health or safety relates to broader safety concerns affecting a number of
people. This could include the potential spread of a communicable disease, harm caused by an environmental
disaster or harm to a group of people due to a serious, but unspecified, threat.
Example
Where an individual is seriously injured while interstate and, due to their injuries, cannot give consent, the
individual’s usual health service provider can disclose the individual’s health information to the treating health
service provider where the usual provider reasonably believes that disclosure of the information is necessary to
lessen the serious threat to the individual’s life posed by those injuries.
[4] This exception is known as a ‘permitted general situation’ and is contained in APP 6.2(c) and s 16A of the Privacy Act. More
information on this exception is contained in the APP Guidelines, Chapter C: Permitted general situations.
Conducting research, or the compilation or analysis of statistics
You may use or disclose health information about an individual if the use or disclosure is necessary for research, or
the compilation or analysis of statistics, relevant to public health or public safety, and a number of other conditions
are met.[5] For further information, see Business resource: Collecting, using and disclosing health information for
research.
Preventing a serious threat to the life, health or safety of a genetic relative
The Privacy Act allows you to use or disclose a patient’s genetic information without their consent to prevent a
serious threat to the life, health or safety of a genetic relative, provided a number of conditions are met.[6] For more
information, see Business resource: Using and disclosing genetic information to lessen or prevent a serious threat to
the life, health or safety of genetic relatives.
Disclosure to a responsible person for an individual
Where a patient lacks capacity to consent, or is unable to communicate consent, you may be able to disclose their
health information to a responsible person for that patient.[7] For more information, see Business resource: Disclosure
of health information and impaired capacity.
Using or disclosing health information for an enforcement related activity
You may use or disclose health information for a secondary purpose where you reasonably believe that the use or
disclosure is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an
enforcement body. If you do so, you must make a written note of the use or disclosure.
‘Enforcement body’ is defined in s 6(1) of the Privacy Act and includes Commonwealth, State and Territory bodies
that are responsible for policing, criminal investigations, and administering laws to protect the public revenue or to
impose penalties or sanctions. Enforcement related activities include the prevention, detection, investigation and
prosecution or punishment of criminal offences and intelligence gathering activities.[8]
When considering a request from an enforcement body, the importance of maintaining the patient’s confidentiality
must be balanced with the public interest in the investigation and enforcement of criminal law. Police and other
enforcement bodies are generally reliant on voluntary cooperation to provide information.
For more information, see the APP Guidelines, Chapter 6: Use or disclosure of personal information.
Other exceptions
The Privacy Act contains a number of other exceptions where you may use or disclose health information for a
secondary purpose. These include:

• to take appropriate action in relation to suspected unlawful activity or serious misconduct
• to locate a person reported as missing
• where it is reasonably necessary for establishing, exercising or defending a legal or equitable claim
• where it is reasonably necessary for a confidential alternative dispute resolution process.
For more information about these exceptions, see the APP Guidelines, Chapter C: Permitted general situations.
[5] This exception is known as a ‘permitted health situation’ and is contained in APP 6.2(d) and s 16B(3) of the Privacy Act.
Permitted health situations are discussed generally in the overview resource of this series.
[6] This exception is known as a ‘permitted health situation’ and is contained in APP 6.2(d) and s 16B(4) of the Privacy Act.
[7] This exception is known as a ‘permitted health situation’ and is contained in APP 6.2(d) and s 16B(5) of the Privacy Act.
[8] ‘Enforcement related activities’ (see Privacy Act s 6(1)) is discussed in Chapter B (Key concepts) of the APP Guidelines.
De-identifying certain health information before disclosure
Where certain conditions are met, the Privacy Act allows the collection of health information for research relevant to
public health or safety, the compilation or analysis of statistics relevant to public health or public safety, or the
management, funding or monitoring of a health service.
Before disclosing information collected in these circumstances, APP 6.4 requires the disclosing entity to take
reasonable steps to ensure that the information is de-identified. For more information, see Business resource:
Collecting, using and disclosing health information for research and Business resource: Collecting, using and
disclosing health information for health management activities.
The information provided in this resource is of a general nature. It is not a substitute for legal advice.
For further information
telephone: 1300 363 992
email: enquiries@oaic.gov.au
write: GPO Box 5218, Sydney NSW 2001
Or visit our website at www.oaic.gov.au