Privacy: the essentials

This factsheet provides an overview of your obligations under privacy legislation to protect confidential patient information. Privacy law is complex. If you have any queries about your obligations and how privacy laws apply in your practice, contact us for advice.

Sunday, 12 May 2024

Quick guide

  • Patient information is confidential and protected by privacy legislation.
  • Privacy legislation determines how you collect and manage patient information.
  • Privacy laws are complicated and may differ depending on the state or territory where you practise and the clinical setting (public or private) in which you work.

Privacy and confidentiality

Terminology

While the terms “privacy” and “confidentiality” are often used interchangeably, they are not the same.

Confidentiality is the duty a practitioner owes to the patient regarding the information obtained from and about the patient.

Privacy is the statutory regime that governs how a patient’s personal information should be collected and managed, and the circumstances in which it can be used and disclosed.

Types of information

Privacy and confidentiality requirements apply to:

  • personal information, such as name, address, contact details, and date of birth
  • sensitive information, a subset of personal information, which includes health and genetic information.

Sensitive information requires a higher level of privacy protection.

Health information is not confined to information contained in the actual clinical record. It includes:

  • any information or opinion about a patient’s health status, their medical conditions or disability and treatment plans
  • information collected about a person for providing healthcare (e.g. scans or photos)
  • other information related to a patient’s physical or mental health

Definitions and examples of health information can be found on the OAIC’s Australian Privacy Principles guidelines Chapter B: Key concepts.

Legal framework

The legal framework includes Commonwealth and state/territory legislation and governs:

  • the collection, use and disclosure of personal information, including when an organisation can disclose information to someone other than the patient
  • an organisation’s accountability and governance obligations relating to privacy and security
  • the integrity and correction of personal information
  • the rights of individuals to access their personal information

The Commonwealth Privacy Act 1988 contains 13 Australian Privacy Principles (APPs) that apply to all private sector entities in Australia, including health care providers. Details of the APPs are outlined in the table below.

Public sector agencies, such as public hospitals and health services, are governed by equivalent state-based legislation such as state information privacy law and state records legislation.

NSW, Victoria and the ACT have their own health privacy legislation.

Further information on the law that applies in the states and territories can be found here.

Australian Privacy Principles (APPs)

Principle | Title | Purpose
APP 1 | Open and transparent management of personal information | Includes the requirement to have a clearly expressed and up to date privacy policy outlining how personal information is managed in the practice.
APP 2 | Anonymity and pseudonymity | Requires entities to give individuals the option of not identifying themselves, or of using a pseudonym. This is difficult to apply in the health context and there is an exception where it is impractical for the entity to deal with individuals who do not identify themselves or use a pseudonym.
APP 3 | Collection of solicited personal information | Outlines that an entity can only collect health information where it is reasonably necessary for the entity to perform its functions or activities and with the individual’s consent.
APP 4 | Dealing with unsolicited personal information | Outlines how entities must deal with unsolicited personal information.
APP 5 | Notification of the collection of personal information | Outlines when and in what circumstances an entity that collects personal information must tell an individual about certain matters.
APP 6 | Use or disclosure of personal information | Outlines the circumstances in which an entity may use or disclose personal information that it holds.
APP 7 | Direct marketing | Outlines that an organisation may only use or disclose personal information for direct marketing purposes if certain conditions are met.
APP 8 | Cross-border disclosure of personal information | Outlines the steps an entity must take to protect personal information before it is disclosed overseas.
APP 9 | Adoption, use or disclosure of government related identifiers | Outlines the limited circumstances when an organisation may adopt a government related identifier of an individual as its own identifier, or use or disclose a government related identifier of an individual.
APP 10 | Quality of personal information | Requires that an entity must take reasonable steps to ensure the personal information it collects is accurate, up to date and complete. An entity must also take reasonable steps to ensure the personal information it uses or discloses is accurate, up to date, complete and relevant, having regard to the purpose of the use or disclosure.
APP 11 | Security of personal information | Requires that an entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. An entity has obligations to destroy or de-identify personal information in certain circumstances.
APP 12 | Access to personal information | Outlines an entity’s obligations when an individual requests to be given access to personal information held about them by the entity. This includes a requirement to provide access unless a specific exception applies.
APP 13 | Correction of personal information | Outlines an APP entity’s obligations in relation to correcting the personal information it holds about individuals.

Source: Office of the Australian Information Commissioner website - www.oaic.gov.au

Privacy and data breaches

Breaches of privacy can occur in many ways – from talking about a patient’s health information in a full waiting room, to sending an email containing health information to the wrong person, losing a laptop containing patient information, or having your database hacked. Unauthorised access to, disclosure of, or loss of personal information held in your practice is known as a “data breach”.

The notifiable data breach scheme under the Commonwealth Privacy Act requires you to notify certain data breaches to affected individuals and the Office of the Australian Information Commissioner (OAIC). For more information about this scheme see the OAIC's information on notifiable data breaches and our factsheet Responding to a data breach.

Penalties for breaches of the Commonwealth Privacy Act range from $2.5 million for individuals to $50 million for corporations (or the lesser amount calculated from the company turnover or the profit generated from the breach).

Privacy and your practice

The privacy framework outlined above will apply to all the ways you manage information in your practice.

Key requirements

Key requirements are:

  • ensuring you have a privacy policy that outlines how you manage patient information.
  • ensuring staff are appropriately trained about their privacy and security obligations, including cyber risks and mitigation strategies, such as not sharing passwords and not clicking on suspicious links. For more information see Cyber: what you need to know.
  • keeping patient information and records safe from cyber attacks.
  • only sharing patient information with someone other than the patient when you have the patient’s consent or with the appropriate legal authority.

Accessing patient records

Patients have a right to access personal information you or your practice hold about them. Access should be provided unless a specific exemption applies. For more information see the OAIC’s Chapter 4: Giving access to health information.

As a health practitioner, you are generally entitled to access the clinical records for any patient whose care you are directly involved with. You can also share that information with other clinicians within the treating team without specific patient consent, unless the patient expressly refuses.

You are also able to access a patient’s clinical record if it is necessary for the purpose of responding to a complaint from that patient.

Your employment within a hospital or practice does not give you permission to access any other medical record available to you without a legitimate clinical purpose. This applies to clinical and non-clinical staff. Access to electronic medical records is easily tracked. Inappropriate access to records may result in professional and legal consequences. If you want access for a purpose other than treating the patient (including for research or education), you should ensure you have the appropriate authority to do so.

Practice staff, like medical practitioners, have a duty to protect the privacy and confidentiality of patient information. They should only have access to the information that they need to know to do their job, and there should be appropriate access controls in place.

Some practical tips to protect privacy

Determine whether telephone conversations can be heard by patients at the reception desk or while waiting to see a medical practitioner. If so, implement strategies to ensure that patients do not become aware of other patients’ health information as a result of overhearing telephone conversations.

Similar considerations apply to conversations practice staff have with patients at the reception desk. It is inappropriate for practice staff to triage patients where discussions may be overheard by other patients.

Clinical records, whether in storage, or awaiting the attention of a medical practitioner, must not be in view of patients attending the practice.

Place computer screens so they cannot be viewed by patients attending the practice.

When sending an SMS or email, ensure that the phone number or email address is current before sending.

The OAIC’s web page for Health service providers has detailed and helpful information on privacy law generally and, more specifically, its application to healthcare in private practice. In the public sector, always refer to your hospital or health service’s privacy manual and procedures when dealing with patient information.

Additional resources

Avant factsheet - Providing medical records to a third party

Avant factsheet - Responding to a data breach

Avant collection - Cyber: what you need to know

Office of the Australian Information Commissioner – Health service providers

Office of the Australian Information Commissioner – Chapter 4: Giving access to health information

Office of the Australian Information Commissioner – Notifiable data breaches

Office of the Australian Information Commissioner – Key concepts health information

More information

For medico-legal advice, please contact us on nca@avant.org.au or call 1800 128 268, 24/7 in emergencies.

Disclaimers

*IMPORTANT: This publication is not comprehensive and does not constitute legal or medical advice. You should seek legal or other professional advice before relying on any content, and practise proper clinical decision making with regard to the individual circumstances. Persons implementing any recommendations contained in this publication must exercise their own independent skill or judgement or seek appropriate professional advice relevant to their own particular practice. Compliance with any recommendations will not in any way guarantee discharge of the duty of care owed to patients and others coming into contact with the health professional or practice. Avant is not responsible to you or anyone else for any loss suffered in connection with the use of this information. Information is only current at the date initially published. © Avant Mutual Group Limited 2023 fact-001 10/23