Privacy Obligations Of Health Service Providers
In Australia, health service providers have a special responsibility to protect their patients’ privacy. At a minimum, these providers must comply with Australian Privacy Principles (APP) when collecting and holding sensitive medical data. A health service provider’s failure to protect their patients’ privacy can lead to sanctions and a loss of public trust. This article explains the privacy obligations of health service providers in Australia.
Health Service Providers
Health service providers are professionals that provide medical assessment, treatment and diagnosis, and businesses that provide medical record management and storage. This category includes doctors, hospitals, allied health professionals, pharmacies and weight loss clinics. Other businesses (such as gyms, spas and beauticians) are health service providers because they collect personal and medical information. A business is considered a health service provider even if providing health services is not its primary activity.
These professionals and businesses are called “APP entities” to indicate that they manage sensitive information. They are also held to a higher standard than other businesses. APP entities have legal obligations to comply with the Australian Privacy Principles. Compliance with these principles also engenders trust between health providers and their patients.
Sensitive Information
Health service providers gather personal information during the course of their business. Much of this data is sensitive information, which is afforded extra protection under the Privacy Act 1988. Sensitive health information includes:
- Data necessary to provide a health service, such as the patient’s name and Medicare number;
- Medical records, such as doctor’s notes, dental records and prescriptions;
- Genetic profiles that reveal the health of a patient; and
- Organ and body part donation data.
Under the Privacy Act, health service providers must meet their statutory obligations when:
- Collecting personal information;
- Using or disclosing personal information; and
- Securely storing personal data.
Collecting Sensitive Information
A health service provider should only collect sensitive information they reasonably need for their business activities. They should consider whether it is strictly necessary to have certain information before asking their patient to disclose sensitive health information. For example, a podiatrist should only ask a client for information needed to deliver podiatry services, such as Medicare identification and relevant medical history. A podiatrist does not have a reasonable need to know other sensitive information, such as their client’s psychiatric history.
When collecting sensitive information, health service providers should identify themselves and provide access to their privacy policy. They need to explain the reason for the data collection, including whether it is legally required, and disclose whether the information is ever shared with overseas recipients. Many health service providers include this information in a privacy collection notice in patient paperwork.
The Use Of Sensitive Information
Health service providers also have privacy obligations when using and disclosing sensitive information. An APP entity can only use and disclose sensitive information for the primary purpose behind the collection. For example, a weight loss clinic can pass client intake information to a weight loss consultant for use in client consultation. However, it is not a primary purpose if the weight loss consultant wants to use the information for research purposes. Although some secondary disclosure of sensitive information is standard (such as with a specialist referral), it is best practice to get consent for disclosure.
Disclosure Of Sensitive Information Overseas
Health service providers often store sensitive patient data with companies based overseas. For instance, a business may store sensitive information in overseas patient management software systems. In that case, the health service provider needs to take reasonable steps to ensure the overseas entity complies with the APPs or is subject to similar international privacy laws.
Securing Sensitive Information
A health service provider must also protect collected sensitive information from unauthorised access, misuse, interference or loss. They must de-identify or destroy sensitive information once it is no longer needed and there is no longer a legal requirement to retain it.
A particular danger for health service providers is a data breach that exposes sensitive client information. Data breaches include unauthorised disclosure through a cyberattack and unauthorised access to physical or digital patient files. As APP entities, health service providers have data breach reporting obligations. If the incident is a notifiable data breach, the business must notify the Privacy Commissioner and any affected patients.
Non-Compliance
The Privacy Commissioner investigates non-compliance with the Privacy Act. A patient can file a complaint with the Commissioner if they are worried about how an APP entity handles their sensitive information. The Privacy Commissioner can issue fines for breaches of the Act. Also, a patient or client who suffers a loss due to a company’s negligence may receive monetary compensation.
Health service providers and other APP entities must fully understand their obligations under Australian privacy law. You should take care to collect, use and store your patients’ sensitive health information in accordance with your statutory obligations. Please contact Armstrong Legal by calling 1300 038 223 for specialist legal advice from our experienced solicitors.
This article was written by Dr Nicola Bowes
Dr Nicola Bowes holds a Bachelor of Arts with first class honours from the University of Tasmania, a Bachelor of Laws with first class honours from the Queensland University of Technology, and a PhD from The University of Queensland. After a decade working in higher education, Nicola joined Armstrong Legal in 2020.