Privacy: the essentials
This factsheet provides an overview of your obligations under privacy legislation to protect confidential patient information. Privacy law is complex. If you have any queries about your obligations and how privacy laws apply in your practice, contact us for advice.
Sunday, 12 May 2024
Quick guide
- Patient Information is confidential and protected by privacy legislation.
- Privacy legislation determines how you collect and manage patient information.
- Privacy laws are complicated and may differ depending on the state or territory where you practise and the clinical setting (public or private) in which you work.
Privacy and confidentiality
Terminology
While the terms “privacy” and “confidentiality” are often used interchangeably, they are not the same.
Confidentiality is the duty a practitioner owes to the patient regarding the information obtained from and about the patient.
Privacy is the statutory regime that governs how a patient’s personal information should be collected and managed, and the circumstances in which it can be used and disclosed.
Types of information
Privacy and confidentiality requirements apply to:
- personal information, such as name, address, contact details, and date of birth
- sensitive information, a subset of personal information, which includes health and genetic information.
Sensitive information requires a higher level of privacy protection.
Health information is not confined to information contained in the actual clinical record. It includes:
- any information or opinion about a patient’s health status, their medical conditions or disability and treatment plans
- information collected about a person for providing healthcare (e.g. scans or photos)
- other information related to a patient’s physical or mental health
Definitions and examples of health information can be found on the OAIC’s Australian Privacy Principles guidelines Chapter B: Key concepts.
Legal framework
The legal framework includes Commonwealth and state/territory legislation and governs:
- the collection, use and disclosure of personal information, including when an organisation can disclose information to someone other than the patient
- an organisation’s accountability and governance obligations relating to privacy and security
- the integrity and correction of personal information
- the rights of individuals to access their personal information
The Commonwealth Privacy Act 1988 contains 13 Australian Privacy Principles (APPs) that apply to all private sector entities in Australia, including health care providers. Details of the APPs are outlined in the table below.
Public sector agencies, such as public hospitals and health services, are governed by equivalent state-based legislation such as state information privacy law and state records legislation.
NSW, Victoria and the ACT have their own health privacy legislation.
Further information on the law that applies in the states and territories can be found here.
Australian Privacy Principles (APPs)
Principle | Title | Purpose |
APP 1 | Open and transparent management of personal information | Includes the requirement to have a clearly expressed and up to date privacy policy outlining how personal information is managed in the practice. |
APP 2 | Anonymity and pseudonymity | Requires entities to give individuals the option of not identifying themselves, or of using a pseudonym. This is difficult to apply in the health context and there is an exception where it is impractical for the entity to deal with individuals who do not identify themselves or use a pseudonym. |
APP 3 | Collection of solicited personal information | Outlines that an entity can only collect health information where it is reasonably necessary for the entity to perform its functions or activities and with the individual’s consent. |
APP 4 | Dealing with unsolicited personal information | Outlines how entities must deal with unsolicited personal information. |
APP 5 | Notification of the collection of personal information | Outlines when and in what circumstances an entity that collects personal information must tell an individual about certain matters. |
APP 6 | Use or disclosure of personal information | Outlines the circumstances in which an entity may use or disclose personal information that it holds. |
APP 7 | Direct marketing | Outlines that an organisation may only use or disclose personal information for direct marketing purposes if certain conditions are met. |
APP 8 | Cross-border disclosure of personal information | Outlines the steps an entity must take to protect personal information before it is disclosed overseas. |
APP 9 | Adoption, use or disclosure of government related identifiers | Outlines the limited circumstances when an organisation may adopt a government related identifier of an individual as its own identifier, or use or disclose a government related identifier of an individual. |
APP 10 | Quality of personal information | Requires that an entity must take reasonable steps to ensure the personal information it collects is accurate, up to date and complete. An entity must also take reasonable steps to ensure the personal information it uses or discloses is accurate, up to date, complete and relevant, having regard to the purpose of the use or disclosure. |
APP 11 | Security of personal information | Requires that an entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. An entity has obligations to destroy or de-identify personal information in certain circumstances. |
APP 12 | Access to personal information | Outlines an entity’s obligations when an individual requests to be given access to personal information held about them by the entity. This includes a requirement to provide access unless a specific exception applies. |
APP 13 | Correction of personal information | Outlines an APP entity’s obligations in relation to correcting the personal information it holds about individuals. |
Source: Office of the Australian Information Commissioner website - www.oaic.gov.au
Privacy and data breaches
Breaches of privacy can occur in many ways – from talking about a patient’s health information in a full waiting room, sending an email containing health information to the wrong person, losing a laptop containing patient information or your database being hacked. Unauthorised access or disclosure, or loss of personal information held in your practice is known as a “data breach”.
The notifiable data breach scheme under the Commonwealth Privacy Act requires you to notify certain data breaches to affected individuals and the Office of the Australian Information Commissioner (OAIC). For more information about this scheme see the OAIC's information on notifiable data breaches and our factsheet Responding to a data breach.
Penalties for breaches of the Commonwealth Privacy Act range from $2.5 million for individuals to $50 million for corporations (or the lesser amount calculated from the company turnover or the profit generated from the breach).
Privacy and your practice
The privacy framework outlined above will apply to all the ways you manage information in your practice.
Key requirements
Key requirements are:
- ensuring you have a privacy policy that outlines how you manage patient information.
- ensuring staff are appropriately trained about their privacy and security obligations, including cyber risks and mitigation strategies, such as not sharing passwords and not clicking on suspicious links. For more information see Cyber: what you need to know
- keeping patient information and records safe from cyber attacks.
- only sharing patient information with someone other than the patient when you have the patient’s consent or with the appropriate legal authority.
Accessing patient records
Patients have a right to access personal information you or your practice hold about them. Access should be provided unless a specific exemption applies. For more information see Chapter 4: Giving access to health information | OAIC
As a health practitioner, you are generally entitled to access the clinical records for any patient whose care you are directly involved with. You can also share that information with other clinicians within the treating team without specific patient consent, unless the patient expressly refuses.
You are also able to access a patient’s clinical record if it is necessary for the purpose of responding to a complaint from that patient.
Your employment within a hospital or practice does not give you permission to access any other medical record available to you without a legitimate clinical purpose. This applies to clinical and non-clinical staff. Access to electronic medical records is easily tracked. Inappropriate access to records may result in professional and legal consequences. If you want access for a purpose other than treating the patient (including for research or education), you should ensure you have the appropriate authority to do so.
Practice staff, like medical practitioners, have a duty to protect the privacy and confidentiality of patient information. They should only have access to the information that they need to know to do their job, and there should be appropriate access controls in place.
Some practical tips to protect privacy
Determine whether telephone conversations can be heard by patients at the reception desk or while waiting to see a medical practitioner. If so, implement strategies to ensure that patients do not become aware of other patients’ health information as a result of overhearing telephone conversations.
Similar considerations apply to conversations practice staff have with patients at the reception desk. It is inappropriate for practice staff to triage patients where discussions may be overheard by other patients.
Clinical records, whether in storage, or awaiting the attention of a medical practitioner, must not be in view of patients attending the practice.
Place computer screens so they cannot be viewed by patients attending the practice.
When sending an SMS or email, ensure that the phone number or email address is current before sending.
The OAIC’s web page for Health service providers, has detailed and helpful information on privacy law generally and more specifically, its application to healthcare in private practice. In the public sector, always refer to your hospital or health service’s privacy manual and procedures when dealing with patient information.
Additional resources
Avant factsheet - Providing medical records to a third party
Avant factsheet - Responding to a data breach
Avant collection - Cyber: what you need to know
Office of the Australian Information Commissioner – Health service providers
Office of the Australian Information Commissioner – Chapter 4: Giving access to health information
Office of the Australian Information Commissioner – Notifiable data breaches
Officer of the Australian Information Commissioner – Key concepts health information
More information
For medico-legal advice, please contact us here, or call 1800 128 268, 24/7 in emergencies.
Disclaimers
*IMPORTANT: This publication is not comprehensive and does not constitute legal or medical advice. You should seek legal or other professional advice before relying on any content, and practise proper clinical decision making with regard to the individual circumstances. Persons implementing any recommendations contained in this publication must exercise their own independent skill or judgement or seek appropriate professional advice relevant to their own particular practice. Compliance with any recommendations will not in any way guarantee discharge of the duty of care owed to patients and others coming into contact with the health professional or practice. Avant is not responsible to you or anyone else for any loss suffered in connection with the use of this information. Information is only current at the date initially published. © Avant Mutual Group Limited 2023 fact-001 10/23
More ways we can help you
Our CPD courses for Avant members
Tick off some CPD hours and learn more with our in-depth eLearning courses, free for Avant members. Our courses include education activities, reviewing performance and measuring outcomes.