An organisation may use or disclose personal health information for a purpose (the secondary purpose), which is directly related to the primary purpose of collection, if this is within the reasonable expectation of the individual.

A directly related secondary purpose may include many activities necessary to the provision of health services. The Federal Privacy Commissioner's Guidelines on Privacy in the Private Health Sector note that such secondary purposes may include the management, funding and monitoring of a health service, together with complaint-handling, planning, evaluation and accreditation activities.

It is essential to recognise the importance of the "reasonable expectation" test here, since many individuals may be unaware of the range of activities, such as accreditation processes, for which their personal health information may be used and disclosed within the health system. To ensure the appropriate use of personal health information for such activities, it is important that organisations tell individuals what could be done with the personal health information the provider collects about them. Organisations may need to raise the understanding and expectations of the community about the reasonable and necessary uses of health information, such as the accreditation of health service providers.