From 21 December 2001 health service providers covered by the federal Privacy Act have needed to comply with ten National Privacy Principles that allow for individuals to exercise new rights and choices about how their personal and health information is handled in the private health sector. The Act also gives people these rights over personal information held by other private sector organisations.
Health information is generally defined in both Federal and State Acts as information or opinion about a client regarding such things as wellbeing, disabilities, health services provided or to be provided, and personal information generally. Health information also includes details such as a client’s name, address, account details, Medicare number and health service appointments.
In general a health service provider is required to:
Our practice needs to ensure that consumers are informed about why their health information is being collected, who is collecting it, and how it will be used, to whom it may be given and that they can access it if they wish.
Privacy legislation stipulates that a practice should only collect health information that is necessary for its functions or activities.
The practice uses fair and lawful ways to collect health information and, where reasonable and practicable, collects health information directly from an individual.
The practice takes reasonable steps to make a client understand why information is being collected and who else it might be given to.
The practice is deemed to be collecting information if it gathers, acquires or obtains information from any source and by any means. Collection covers information kept by the practice even where the practice has not asked for the information or has come across it by accident.
In general, the practice should obtain an individual's consent to collect health information. This consent may be implied or express/explicit.
Implied consent refers to circumstances where it is reasonable for the health professional to infer that consent has been given by the client. For example, if a client presents to a physiotherapist and discloses health information which is written down by the physiotherapist during the consultation, this will generally be regarded as the client giving implied consent to the physiotherapist to collect health information for certain purposes. The extent of the purposes will usually be evident from the discussion between the physiotherapist and the client during the consultation.
Express consent refers to consent that is clearly and unmistakably stated (either in writing, orally, or in another fashion where consent is clearly communicated).
Consent to the collection and handling of health information and consent to treatment are two separate authorities provided by the client.
Use of health information refers to the handling of client information within a practice. Disclosure refers to the transfer of information outside the practice.
A health service provider may use or disclose health information:
Directly-related secondary purposes may include:
The practice should use and disclose health information for purposes other than the primary or directly related secondary purposes only if the client gives consent (express or implied) or if an exception applies. Exceptions include uses or disclosures required or authorised by law; uses or disclosures necessary to manage a threat to someone’s life, health or safety; and uses or disclosures for research provided certain conditions are met.
Health professionals in the practice must use or disclose health information if the law requires them to do so. For example, health professionals are required to report child abuse (under care and protection laws) and notify the diagnosis of certain communicable diseases (under public health laws).
If a health professional is served with a subpoena or other form of Court order requiring the production of documents to the Court, they are generally required to supply the documents. If a health professional is concerned about how to proceed, they can seek advice from the Registrar of the Court or Tribunal which issued the order or from a lawyer.
The use of health information for training and education will usually require the client’s consent. Where consent is sought, the individual should have a genuine choice and not be pressured to agree. If the practice uses de-identified health information for training, client consent is not required.
The practice may use or disclose health information without consent for research or statistics that are relevant to public health or safety. The health information may be used or disclosed only if:
If a client wants to transfer to a physiotherapist in another practice, they can authorise the disclosure of health information from the original practice to a new practice. A copy of the health information could be transferred in this way. For medico-legal reasons, our practice retains the original record and provides the new physiotherapist with a summary or a copy. If a summary of the client’s health record is provided to the new physiotherapist, a copy of the summary should be kept on file for record purposes.
Our practice charges a reasonable fee to the practice or the client for transferring the client’s health record to another practice.
Client health information that is transmitted electronically over a public network such as the internet can pose significant privacy risks. It is technically possible for a third party to intercept and read emails or for emails to be inadvertently sent to the wrong person. Practices should not transfer client information by email unless it is encrypted.
If the original practice declines to transfer the health information, the client may seek access to the information, request a copy and then take it to the new practice.
Use of health information for practice marketing purposes:
The APA contends that advertising which seeks to inform the public on the scope and availability of physiotherapy services is appropriate. The APA supports the Australian Competition and Consumer Commission (ACCC) position that advertising offers a rich source of information which allows consumers to make informed decisions around their treatment choices and to compare physiotherapy services with a range of professions. Advertising that complies with the Trade Practices Act (1974) and provides consumers with choice should be encouraged amongst the profession.
All advertising by APA members should comply with the APA Code of Conduct.
In this practice we do not use patient health information for marketing purposes.