If you or your business are deemed a “health service” provider and hold “health information” for the purposes of the Privacy Act 1988 (Cth) (“Privacy Act”), then you need to be aware of your obligations under the Privacy Act and in particular the requirements of the Australian Privacy Principles which are contained in Schedule 1 of the Privacy Act (“APPs”).
What is a health service provider?
For the purposes of the Privacy Act, the provision of a health service occurs where the activity performed is intended or claimed by the individual or person performing it:
- “to assess, maintain or improve the individual’s physical or psychological health; or
- to manage the individual’s physical or psychological health; or
- to diagnose the individual’s illness, disability or injury; or
- to treat the individual’s illness, disability or injury or suspected illness, disability or injury; or
- to record the individual’s physical or psychological health for the purposes of assessing, maintaining, improving or managing the individual’s physical or psychological health”.
Further, the “dispensing on prescription of a drug or medicinal preparation by a pharmacist” is a health service.
Examples of a health service provider as outlined by the Office of the Australian Information Commissioner (“OAIC”) can include a “medical practitioner, private aged care, radiology services, a dentist, a pharmacist, an online health service and a gym or weight loss clinic”, where they provide a health service to another individual and hold any health information in relation to the individual.
What is health information?
Health information is any personal information, including an opinion, about an individual’s:
- “health, including an illness, disability or injury; or
- expressed wishes about the future provision of health services to the individual; or
- health service provided, or to be provided, to an individual”.
As outlined by the OAIC, this can include “notes of your symptoms or diagnosis, information about a health service you’ve had or will receive, dental records, your wishes about future health services and appointment and billing details”.
What are your obligations?
If you or your business is a health service provider and holds “health information” as defined under the Privacy Act, then you will need to consider how you handle personal information in accordance with the Privacy Act.
The Privacy Act provides that an APP entity which is subject to the Privacy Act must not do an act, or engage in a practice, that breaches the APPs. An act or practice that breaches the Privacy Act or the Australian Privacy Principles is an “interference with the privacy of an individual” and can result in regulatory action and penalties.
Privacy Act 1988 (Cth) s 6FA(1).
Ibid s 6FA(2).
Privacy Act 1988 (Cth) s 6FB.
Australian Privacy Principle 3.3.
Privacy Act 1988 (Cth) s 15.
‘IV’ and ‘IW’ AICmr 41.