Key Messages

Privacy and the handling of health information

The federal Privacy Act is consistent with good treatment practices and permits appropriate information flows within the private health care sector, including for the management, funding and monitoring of a health service. It achieves this by building on existing relationships of trust between health professionals and patients.

The Privacy Act sets out 10 privacy principles with which private sector health service providers must comply.

What does the Privacy Act say about how patients' information should be handled for the management, funding and monitoring of a health service?

Under the Privacy Act, health service providers in the private sector may generally only use or disclose their patients' health information for the main reason for which it was initially collected. This is called the primary purpose.

The primary purpose should be interpreted narrowly, such as to diagnose and treat a particular condition or set of symptoms. However, the Privacy Act also offers exceptions to this general rule.

Theterm 'management, funding and monitoring of a health service' is used in the privacy principle which regulates the collection of health information. It establishes a mechanism for health information to be collected for these purposes without consent. However, there is no such express reference to this term in the privacy principle that regulates use and disclosure.

While not expressly referring to management, funding and monitoring of a health service, the use and disclosure principle includes a number of exceptions which might allow for these kinds of 'secondary' purposes.  These include where the individual consents or where the use or disclosure is required or authorised by law.

Directly related purposes, within your patient's reasonable expectations

Another exception is where the use or disclosure is for another purpose that is 'directly related' to the primary purpose, and where the patient would 'reasonably expect' it to happen.

In health care, directly related purposes may include handling of health information for the management, funding or monitoring of a health service. The patient's reasonable expectations will then dictate whether the use or disclosure may occur for that purpose.

Managing your patient's reasonable expectations

A patient's expectations can be effectively managed through good provider-patient communication. This usually means the patient has been told the use or disclosure would happen, or they would expect it to happen in the context of why they provided the information in the first place. If the patient would not reasonably expect the use or disclosure that the provider has in mind, such as for managing a health service, then the provider will usually need to get the patient's consent before proceeding.

Background

Who is this information sheet for?

This information sheet is relevant to all health service providers in the private sector ('providers'), from sole practitioners to private hospitals, as well as specialists, private sector nurses, pharmacists and providers of allied and complementary healthcare. All of these providers are 'organisations' under the Privacy Act 1988 (Cth) ('the Privacy Act'), and need to comply with the 10 National Privacy Principles ('NPPs').

Health service providers in the state and territory public sectors (such as public hospitals) are not bound by the NPPs, but state and territory privacy laws may apply to them.

This information sheet is intended for health service providers that collect health information for the purpose of providing health care.

Sometimes, third party organisations provide related management or accreditation services to health service providers. These may be provided under contractual or outsourcing arrangements, such as specialist auditors or quality assurance agencies. Third party consultants have particular collection obligations.  These obligations are mentioned briefly at the end of this information sheet.

What is this information sheet about?

This information sheet gives guidance as to how health service providers may use within their organisation, or disclose to other organisations, personal health information for the purpose of the management, funding or monitoring of their health service. It also provides general guidance on what activities may be considered to constitute management, funding and monitoring of a health service.

What is health information?

Briefly, the Privacy Act applies to all 'personal information'. This refers to information about an individual whose identity is apparent or can be reasonably ascertained.

'Sensitive information' is a defined sub-category of personal information, and it includes 'health information'. Any personal information held by a health service provider is likely to be 'health information' as defined under section 6 of the Privacy Act. This may also include information which is not necessarily of a clinical nature.

For example, an individual's name and address will often be 'health information' when held by a health service provider, as it may indicate that the individual has received a health service from that provider. The full definition of health information is located at the end of this information sheet.

What does the Privacy Act say about the management, funding and monitoring of a health service?

In setting out obligations regarding the collection of health information, NPP 10.3 uses the term 'management, funding and monitoring of a health service' and establishes a mechanism for health information to be collected for these purposes without consent.

However, while NPP 10 permits the collection of health information for this purpose, NPP 2, which regulates uses and disclosures, does not expressly permit it being used or disclosed for these same purposes.   This can create confusion, as the Privacy Act appears to create a mechanism for collecting health information for these purposes, though it may not be clear how the same information may be used or disclosed for these same purposes.

This information sheet explains how and when an individual's health information may be used or disclosed for the management, funding and monitoring of a health service.

What activities might be considered management, funding or monitoring of a health service?

The term 'management, funding or monitoring' is not defined in the Privacy Act. Whether an activity falls within 'management, funding or monitoring of a health service' will depend on the circumstances.

Such activities are likely to include those reasonably necessary for the ordinary running of the health service, including activities that support the community's expectation that appropriately high standards of quality and safety will be maintained. These expectations may be underpinned by professional standards or legal obligations.

For example, 'management, funding or monitoring of a health service' may include some quality assurance and audit activities. Examples of the types of activities that may fall within 'management, funding or monitoring' are provided throughout this information sheet.

For the purposes of the information sheet, 'management, funding and monitoring of a health service' will be abbreviated to 'health service management'.

When the Privacy Act does not apply to health service management

Handling information that does not identify an individual

The Privacy Act only applies to information about an individual whose identity is apparent or reasonably ascertainable.

A key question for health service providers is whether or not a health service management activity requires individuals to be identified. While it may not always be possible, it is good privacy practice for an activity to be performed in a way that does not identify the person or allow the person's identity to be reasonably ascertained.

Example

Internal peer review processes and committees can form an important quality assurance function. Generally, cases discussed during peer review conferences should be in a form that does not identify the individual patient. However, this may not be possible in a small health service organisation.  It may also be difficult where the patient has a particularly unusual condition, or where the treatment has entailed a large multidisciplinary team at a private hospital.

In such cases, the individual's identity may be reasonably ascertainable even if they are not explicitly named.

The Privacy Act would apply where an individual's identity might be apparent or reasonably ascertainable.

Some options for handling individuals' health information for health service management

Where the individual consents to the use or disclosure

NPP 2.1(b) permits use or disclosure of personal information (including health information) where the individual consents. Consent has three elements:

• knowledge of the matter being agreed to;
• voluntary agreement by the individual; and
• the individual being capable of giving consent, including capacity to understand the issues, form views based on reasoned judgement, and to communicate their decision.

In order for a health service provider to use or disclose information based on the individual's consent, the health service provider must provide the individual with adequate information about what the intended uses and disclosures are and any potential consequences. The individual may then indicate their consent expressly or impliedly.

Express consent means giving it explicitly, either orally or in writing. Implied consent is agreement that can be inferred from an individual's conduct. Although the Privacy Act does not specify the type of consent, given the special sensitivities associated with health information it will often be good privacy practice, and to the benefit of all parties, to rely on the certainty of express consent, rather than infer that consent is implied.

In order for the individual's consent to be valid, the individual must have been given sufficient information to make an informed decision.

If consent can't be obtained, including where the individual lacks capacity, or where it may be impracticable, then the health service provider may consider what other exceptions in the Privacy Act may apply.

Where the use or disclosure is required or authorised by law

NPP 2.1(g) permits use or disclosure where it is required or authorised by law.  Law includes Commonwealth, State and Territory legislation as well as common law. If a law requires that a health service provider use or disclose information, the provider must do so. Disclosure must also occur if there is a warrant or subpoena requiring the health service provider to do so.

If the law authorises the use or disclosure of information, the health service provider can decide whether to do so. There is no compulsion to use or disclose the information, but if they choose to use or disclose the information, it will not be an interference with privacy under the Privacy Act.

Example: Required by law

A radiologist is required under section 23DS of the Health Insurance Act to produce records of diagnostic imaging services, if requested by the Chief Executive Office of Medicare Australia. Under regulation 20 of the Health Insurance Regulations 1975, the radiologist is required to provide the name of the individual to whom the imaging service was provided and the date of the service.

The GP should take care to disclose only enough information to meet the legal requirement.

If a use or disclosure is not required or authorised by law, then the provider would need to consider what other provision of the Privacy Act may allow the handling of health information for health service management.

Management of health service as a directly related purpose within an individual's reasonable expectations

If consent is not practicable or cannot be sought for some other reason, and where a use or disclosure is not authorised by law, then the exception that health service providers are most likely to be able to rely upon when handling health information for the management of a health service is NPP 2.1(a).  This exception permits uses or disclosures for a purpose that:

• is directly related to the purpose for which the information was initially collected; and
• is within the individual's expectations.

What is a directly related purpose?

While health information will generally be collected by health service providers to afford treatment to patients, some health service management activities will be directly related purposes.

In general, a directly related secondary purpose must be something that arises in the context of the primary purpose and is integral to it.

A directly related purpose is one which is closely associated with the original purpose, even if it is not strictly necessary to achieve that purpose. This should be distinguished from purposes that may only be 'related'.

Directly related purposes may include many activities or processes that are integral to the functioning of the health service.

Example: Directly related purposes

Health service management activities that may be directly related purposes include service-monitoring, funding, complaint-handling, planning, evaluation and accreditation activities.

They may also include disclosures to a medical expert for medico-legal opinion, an insurer, a medical defence organisation, or lawyer, solely for the purpose of addressing liability indemnity arrangements, for example in reporting an adverse incident.

Marketing, fund-raising, or research are unlikely to be directly related purposes, and generally consent should be obtained.  In addition, training that does not relate to the direct provision of health care is also unlikely to be directly related and consent should be sought.

Provided it is within the reasonable expectations of the individual (see below for more details on 'reasonable expectations') then no extra steps, such as seeking consent, need be taken when using or disclosing relevant personal information for some health service management activities.

For guidance on directly related purposes in the specific context of providing health care to the individual, see Information Sheet 25 Sharing health information to provide health care.[1]

Example: External audit activities

A GP engages an external organisation for the purposes of quality assurance in order to maintain status as being 'vocationally registered' including to remain eligible for Medicare claiming. As part of this process, activities approved by the RACGP or ACRRM are undertaken.[2] These accreditation activities may often be directly related secondary purposes.

In this case, a clinical records audit is conducted by the external party of a small sample of practice records. As information may be shared with an outside organisation, this would constitute a 'disclosure'. As this audit may entail a random, 'on the spot' examination of records, it may be difficult to get the patient's consent.

Alternatively, a GP may be subject to an audit of prescribing practices by an appropriate body.  This may entail the review of several hundred consultations to ensure that the GP's prescribing accords with good practice. This is likely to be a directly related purpose.

However, the GP would need to consider the scope and purpose of such an activity to ensure that it wasn't a form of research. Research will almost always require either consent, or ethical approval under NPP 2.1(d) (except where the information is collected for the primary purpose of research). See 'When should ethics approval be sought?' later in this information sheet.

What are 'reasonable expectations'?

In handling health information for the purpose of managing a health service, any use or disclosure for secondary purposes must meet both conditions - it must be for a directly related secondary purpose, and it must be within the individual's reasonable expectations.

The starting point for determining reasonable expectations is to consider what a reasonable individual with no special knowledge of the health sector would expect to happen to their health information.  This may vary between individuals.

During normal consultations, a patient may discuss the types of things that they reasonably expect may happen to their personal information; this should guide the provider's assessment of the patient's reasonable expectations.

In the Office's view, there is a general community expectation that health service providers meet high standards, including undertaking ongoing quality assurance activities.  At the same time, there is a clear expectation among many individuals that their health information will be afforded strong privacy protections and handled appropriately.

Example: Managing business activities

As part of a health service provider's ordinary business activities, the provider uses health information, such as its patients' names and addresses, so that its accounts receivable department can process payments. This use would generally be considered to be for a directly related purpose.

Further, it would seem reasonable for an individual to expect that their information will be used to process any payments they owe. This expectation requires no special knowledge of the health system.

However, the scope of the personal information used should be limited to only that which is necessary for the purposes of billing. Individuals would generally not expect that clinical information, including diagnosis and test results would be used for such management activities.

Example: Accreditation

In order for a residential aged care service to be able to gain funding through charging accommodation bonds or accommodation charges, as well as to receive subsidies, they must be certified by the Department of Health and Ageing as being capable of providing suitable accommodation and care.[3] If, as part of this process, it is necessary to disclose personal health information, this would generally be considered a disclosure for a directly related purpose.

Other accreditation requirements may be imposed on different providers, though these need not always be established under law. For example, professional bodies may require accreditation for eligibility, and private health insurers may require it of providers for different levels of rebates.

Example: Incident monitoring

As part of internal hospital monitoring, incident reports recording operational problems in the hospital are sent to the internal hospital management group. These reports may contain some personal health information. Such a use of health information would generally be considered a use for a directly related purpose, though it would also be good practice to consider whether the reports can be compiled in an anonymous form.

How do I assess a patient's reasonable expectations?

What the patient is told will happen

There will ordinarily be a strong link between what an individual has been told (about the proposed uses and disclosures) or has otherwise consented to, and their 'reasonable expectations'. A health service provider should be aware though that an expectation is more than mere awareness - telling someone about proposed secondary uses or disclosures may not necessarily create a reasonable expectation.

If an individual expresses negative views when made aware of a proposed secondary use or disclosure of their personal information, this would ordinarily indicate that they would not reasonably expect that use or disclosure to occur.

Good privacy practice would also include referring to these types of activities in the health service provider's information handling policy, statements or brochures.

Notice and openness obligations under the Privacy Act

NPP 1 requires that individuals are told various matters when their information is collected, or as soon as practicable thereafter. This includes why their information is being collected, how it will be used and to whom it may be disclosed.

NPP 5 requires that organisations must set out and make available a document clearly expressing policies on its management of personal information, as well as take reasonable steps to let the person know, generally, what sort of personal information it holds, for what purposes, and how it collects, holds, uses and discloses that information.

Compliance with these principles will generally add greatly to ensuring alignment between an individual's reasonable expectations and how their health information will be handled.

Other considerations in considering a patient's reasonable expectations

A health service provider should consider the kind of person they are talking to, what their understanding is likely to be and therefore what they may reasonably expect.

Factors that might be relevant when considering what individuals' reasonable expectations are, include:

• The general community expectation that health service providers will undertake activities which promote quality and safety in the provision of health care.
• The sensitivity of an individual's condition. A rare condition, or one to which stigma may attach, may mean that this individual is less likely to reasonably expect that their health information would be used or disclosed.
• The extent of an individual's experience with the health sector. If an individual suffers from a chronic or long term illness which has resulted in extended period of exposure to the health sector, they may be more familiar with how information may be used or disclosed.
• What the individual is told by the health service provider about likely uses or disclosures of health information, including in the provider's privacy policy or, if consent has been sought for other activities, the content of the consent notice.
• Moreover, a patient's individual expectations may vary, depending on the type of practice they are visiting. If the practice they're attending is a multi-professional practice, where they regularly see different providers, they may have an expectation that several different health service providers may attend to them and see their health information.

On the other hand, if an individual sees a provider who only shares premises with other providers, they may not have any expectations that their personal information will be shared.

Example: Private hospital accreditation

As part of being accredited in line with ACHS standards,[4] a private hospital discloses health information for the purposes of accreditation to an approved accreditation body. The quality assurance component of this accreditation supports quality and safety in the provision of healthcare to the individual, and will generally be a directly related purpose.

In this case, the disclosure of health information to promote quality and safety is likely to be a directly related purpose, and may fall within the individual's reasonable expectations, depending on their understanding of the health sector and what they have been told.

The patient may expect a use, but would they reasonably expect a disclosure to an outside organisation?

The reasonable expectations of an individual may vary depending on whether the personal health information is going to be used or disclosed, even where the purpose is the same. Some individuals may expect that their personal information may be used within the same health service, which they know and trust, for a particular purpose, though not expect it to be disclosed outside to a third-party, even if it is for the same purpose.

Therefore, the health service provider will need to consider whether it intends to use or disclose individuals' personal health information and effectively communicate individuals, thereby raising the individuals' reasonable expectations about what will happen to their information.

Example: Disclosures to contractors

A health service provider outsources IT functions, including the maintenance of systems supporting activities such as electronic discharge summaries, to a third party provider. The maintenance of such systems and the generation of discharge summaries are likely to be a directly related purpose, and individuals may reasonably expect that it is an integral part of managing a health service.

However, while the individual may expect it to be used in this way, they may not anticipate it being disclosed to a contractor.

In such situations, it is important for health service providers to address individuals' reasonable expectations as to whether their health information is used internally and remains within the health service, or is disclosed to another party. This could be done through their privacy statement as well as by discussion about the handling of the individual's health information.

When should ethics approval be sought?

This information sheet should be read in conjunction with the guidance produced by the National Health and Medical Research Council, When does Quality Assurance in Health Care Require Independent Ethical Review?

It can be difficult to distinguish between some health service management activities and forms of medical or other research.

In the Office's view, an activity is less likely to constitute research if its outcomes are limited in application to the management, funding or monitoring of the specific health service undertaking the activity. On the other hand, if the outcomes of an activity are applicable more widely to the health sector, then it may be a form of research.

The NHMRC has also noted that activities which affect the risk (including of physical or psychological harm) or degree of burden (such as intrusiveness, inconvenience or embarrassment) imposed on patients, may also generally require ethical approval.  This would also apply if the activity entailed a departure from clinical care that would otherwise be provided if the activity was not undertaken. For such activities, consent will generally be required or, where that was impracticable, ethics approval should be sought.

In the context of collecting health information to provide a health service to an individual, research relevant to public health or public safety is not a directly related secondary purpose.  The Privacy Act makes special provision in regard to uses or disclosure for such purposes.

Subject to certain criteria being met, including approval by a properly constituted Human Research Ethics Committee, health information may be used or disclosed for some research purposes. This is discussed in Information Sheet 9, Handling Health Information for Research and Management.

Collecting health information for health service management- NPP 10.3(a)(iii)

Health service providers will usually collect health information for the purpose of providing a health service to the individual.  Some organisations may, however, collect this information for the primary purpose of conducting health service management activities, including on behalf of the health service provider.

In such cases, NPP 10.3(a)(iii) permits the collection of health information without consent where:

• the collection is necessary for the management, funding or monitoring of a health service;
• information that does not identify an individual is inadequate for that purpose; and
• it is impracticable to gain consent from the individual.

Where such circumstances exist, the information must be collected:

• as required by law;
• in accordance with binding rules of confidentiality established by a competent health or medical body; or
• in accordance with guidelines approved under section 95A of the Privacy Act;

Once lawfully collected, health information that has been collected for the purpose of managing a health service may be use or disclosed for the same purpose.

For further information on collection obligations, see the Office's Guidelines on Privacy in the Private Health Sector and the Guidelines approved under section 95A of the Privacy Act, made by the NHMRC.

Selected relevant provisions extracted from the Privacy Act

Health information

Health information is defined in section 6 of the Privacy Act. It is

• '(a) information or an opinion about:
  • (i) the health or a disability (at any time) of an individual; or
  • (ii) an individual's expressed wishes about the future provision of health services to him or her; or
  • (iii) a health service provided, or to be provided, to an individual;
  • that is also personal information; or
• (b) other personal information collected  to provide, or in providing, a health service; or
• (c) other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances.'

'Health service' is also defined in section 6 of the Privacy Act.

Further information

Other general information that may be relevant to health services providers is available at:

• Information Sheet 9 on Handling Health Information for Research and Management
• National Privacy Principles
• Guidelines to the National Privacy Principles
• Guidelines on Privacy in the Private Health Sector
• Frequently Asked Questions on Health

Private Sector Information Sheets

Information sheets are advisory only and are not legally binding. The National Privacy Principles in Schedule 3 of the Privacy Act do legally bind organisations.

Information sheets are based on the Office of the Privacy Commissioner's understanding of how the Privacy Act works. They provide explanations of some of the terms used in the NPPs and good practice or compliance tips.  They are intended to help organisations apply the NPPs in ordinary circumstances.  Organisations may need to seek separate legal advice on the application of the Privacy Act to their particular situation. Nothing in an information sheet limits the Privacy Commissioner's ability to investigate complaints under the Privacy Act or to apply the NPPs in the way that seems most appropriate to the facts of the case being dealt with. Organisations may also wish to consult the Commissioner's guidelines and other information sheets.

Office of the Privacy Commissioner

Privacy Enquiries Line 1300 363 992 - local call (calls from mobile and pay phones may incur higher charges) TTY 1800 620 241 - no voice calls; Fax + 61 2 9284 9666; GPO Box 5218, Sydney NSW 2001.

Private Sector Information Sheet 23 Web HTML, Word and PDF published March 2008 ISBN 978-1-877079-56-6
© Commonwealth of Australia 2008

http://www.privacy.gov.au/

[1] For further information on directly related purposes, see the Office's Guidelines on Privacy in the Private Health Sector.

[2] Respectively, the Royal Australian College of General Practitioners and Australian College of Rural and Remote Medicine.

[3] See http://www.health.gov.au/internet/wcms/publishing.nsf/Content/C23D6EC93CB225FBCA2570E70077E54D/$File/factsheet1.rtf

[4] See, Australian Council on Healthcare Standards, http://www.achs.org.au/