INSIGHTS: Handling sensitive health information about patients and customers – do you understand your obligations?

October 22, 2019


Shannon Mony

The Office of the Australian Information Commissioner (the OAIC) has released a Guide to Health Privacy to assist health care providers to understand their obligations under the Privacy Act 1988 (Cth) (the Privacy Act) regarding the handling of sensitive health information about their patients and customers.

Health care providers include doctors, hospitals, allied health professionals, complementary medicine practitioners, pharmacists and the like.

The Guide to Health Privacy outlines the key practical steps that health care providers should take to ensure that the sensitive information is handled correctly. It also outlines how privacy obligations apply to and operate in the healthcare context.

The Guide to Health Privacy should be read in conjunction with the Privacy Act and the Australian Privacy Principles Guidelines.


An eight-step plan for better privacy practice

The Guide to Health Privacy details an eight-step plan for better privacy practice. These steps should be taken to establish, implement and maintain adequate privacy processes in the context of health service provision. The steps are as follows:

  1. Develop and implement a privacy management plan
  2. Develop clear lines of accountability for privacy management
  3. Create a documented record of the types of personal information you handle
  4. Understand your privacy obligations and implement processes to meet those obligations
  5. Hold staff training sessions on privacy obligations
  6. Create a privacy policy
  7. Protect the information you hold
  8. Develop a data breach response plan.


Practical management

The Guide to Health Privacy provides practical direction in relation to:

  • How health information should be collected and how patients should be notified about the collection of that information.
  • The primary and secondary purposes for which a health care provider can disclose a patient’s health information, as well as overseas disclosure, direct marketing and government-related identifiers.
  • The patient’s right to their health information, how to deal with requests for health information, and the grounds for refusing access to health information.
  • The reasonable steps that should be taken to ensure the health information is correct, responding to a patient’s request to correct health information, and giving notice to the individual if the health service provider refuses to correct health information.
  • Defining “health management activities” and how to collect, disclose or use health information where necessary for health management activities.
  • When and to whom health information about patients with impaired capacity or an inability to communicate consent can be disclosed.
  • When and how a patient’s genetic information can be used or disclosed as well as the collection and use of contact details of a patient’s genetic relatives and related consent issues.
  • When and how health information can be used for research and the relationship with the compilation of health information for analysis of statistics relevant to public health or safety, and related consent issues.

All health care providers and those who work within a health care environment should be aware of the Guide to Health Privacy and their obligations under the Privacy Act and the Australian Privacy Principles Guidelines.

This article was written by Principal, Shannon Mony and Senior Associate, Will Goodheart. Please contact us if you have any questions or would like more information. 



Disclaimer: This information is current as of October 2019. This article does not constitute legal advice and does not give rise to any solicitor/client relationship between Meridian Lawyers and the reader. Professional legal advice should be sought before acting or relying upon the content of this article.