A Health Check on Your Privacy Obligations

If you or your business are deemed a “health service” provider and hold “health information” for the purposes of the Privacy Act 1988 (Cth) (“Privacy Act”), then you need to be aware of your obligations under the Privacy Act and in particular the requirements of the Australian Privacy Principles which are contained in Schedule 1 of the Privacy Act (“APPs”).

What is a health service provider?

For the purposes of the Privacy Act, the provision of a health service occurs where the activity performed is intended or claimed by the individual or person performing it:

• “to assess, maintain or improve the individual’s physical or psychological health; or
• to manage the individual’s physical or psychological health; or
• to diagnose the individual’s illness, disability or injury; or
• to treat the individual’s illness ,disability or injury or suspected illness, disability or illness; or
• to record the individual’s physical or psychological health for the purposes of assessing, maintaining, improving or managing the individual’s physical or psychological health”.[1]

Further, the “dispensing on prescription of a drug or medicinal preparation by a pharmacist” is a health service.[2]

Examples of a health service provider as outlined by the Office of the Australian Information Commissioner (“OAIC”) can include a “medical practitioner, private aged care, radiology services, a dentist, a pharmacist, an online health service and a gym or weight loss clinic”,[3] where they provide a health service to another individual and hold any health information in relation to the individual.

What is health information?

Health information is any personal information, including an opinion, about an individual’s:

• “health, including an illness, disability or injury; or
• expressed wishes about the future provision of health services to the individual; or
• health service provided, or to be provided, to an individual”.[4]

As outlined by the OAIC, this can include “notes of your symptoms or diagnosis, information about a health service you’ve had or will receive, dental records, your wishes about future health services and appointment and billing details”.[5]

What are your obligations?

If you or your business is a health service provider and holds “health information” as defined under the Privacy Act, then you will need to consider how you handle personal information in accordance with the Privacy Act

It is important that you also comply with the APPs, which contain 13 principles that govern the rights, obligations and standards in relation to privacy including to the collection use and disclosure of personal information, governance and accountability. For instance, the APPs require you to have an up-to-date privacy policy that is available free of charge (usually on a website) and state that you must not collect sensitive information unless the individual consents to the collection and the information is reasonably necessary for a function or activity, unless an exception applies.[6]

The Privacy Act provides that an APP entity which is subject to the Privacy Act must not do an act, or engage in a practice, that breaches the APPs.[7] Failure to comply with the Privacy Act or the Australian Privacy Principles can result in an “interference with the privacy of an individual” and result in regulatory action and penalties.

For instance, in 2016 the acting Australian Information Commissioner ordered that a medical practitioner pay a complainant $10,000 compensation for non-economic loss.[8] It was found that the medical practitioner breached the APPs when he responded to an email from the complainant including six third party recipients. The response from the medical practitioner was sent to the complainant and such third parties referring to the management of the complainant’s delusional depression. He was found to have breached the APPs for various reasons, including on the basis that the complainant had not provided consent to the disclosure and a permitted exception did not exist. The actions of the medical practitioner were also found to be inconsistent with their privacy policy.

If you wish to seek advice or require assistance in relation to these matters, including privacy policies, please contact Felicity Cara-Carson or Jess Tomlinson on (03) 9614 7707.

[1] Privacy Act 1998 (Cth) s 6FA(1).
[2] Ibid s 6FA(2).
[3] https://www.oaic.gov.au/privacy/health-information/what-is-a-health-service-provider/
[4] Privacy Act 1998 (Cth) s 6FB.
[5] https://www.oaic.gov.au/privacy/health-information/what-is-health-information/
[6] Australian Privacy Principle 3.3.
[7] Privacy Act 1988 (Cth) s 15.
[8] ‘IV’ and ‘IW’ [2016] AICmr 41.