Version 1.0, September 2019
Key points
You can collect health information about a patient if:
Example: Implied consent to collection
During a consultation, a patient describes his symptoms and provides you with his medical history. You add this information to the patient’s record on your system. From the patient’s conduct in this situation, you can imply the patient’s consent to you collecting his health information.
Directly from the patient
You must only collect health information about a patient directly from the patient, unless it is not reasonable or practical to do so. Whether collecting directly from the patient is reasonable and practicable depends on a number of factors, including the nature of the information and accepted practice in the health sector. Examples of where collecting health information directly from a patient may not be reasonable or practical include:
By lawful and fair means
You must only collect health information by lawful and fair means. ‘Lawful’ collection is a collection that does not breach any State, Territory or Commonwealth law. ‘Fair means’ is collecting without intimidation or deception, and in a way that is not unreasonably intrusive.
Example: Unlawful collection
Under the Telecommunications (Interception) Act 1979 (Cth) and State and Territory listening devices laws, it is illegal to record a telephone consultation without informing the patient the call is being recorded. Collection via this method would therefore not be by lawful means. If a call is to be recorded or monitored, you must inform the individual at the beginning of the conversation so that the individual has a chance to end the call or ask not to be recorded.
Example: Intrusive collection
Patients may be concerned or embarrassed about discussing health issues in an open or public area such as a waiting room or open pharmacy. When collecting health information, you should consider the surroundings and take additional steps where required to make the patient more comfortable. For example, you might lower your voice so only the patient can hear what you are saying, take the patient to one side, or use a private room.
Notifying patients of collection (privacy notices)
When you collect a patient’s health information, you must take reasonable steps to notify the patient of certain matters. Providing this notice ensures the patient understands why the information is being collected and how it will be handled.
When should you provide notice?
Generally, you should give this notice before or at the time of collection. This allows a patient to make an informed choice about whether to provide the health information. If that is not practicable, you should give notice as soon as practicable afterwards. For example, in a medical emergency, there is unlikely to be time to provide notice or the individual may not be in a fit state to comprehend the information. In this case, you should notify the patient of the matters as soon as practical after you provide the health service.
What must you include in a privacy notice?
The matters to include in your privacy notice are:
Helpful hint
As part of notifying patients about your usual disclosures of their health information, it is a good idea to ensure patients are aware of which members of a ‘treating team’ you will disclose their health information to. This may be a requirement for providers practising in the ACT — contact the ACT Health Services Commissioner to find out more about this requirement.
How do you provide notice?
You are required to take reasonable steps to notify the patient of these matters. What steps are reasonable depends on the circumstances. Some of the matters may be obvious (such as the identity and contact details of the practice when a patient attends their GP) in which case it may be reasonable to take no steps to notify the patient of those matters. In addition, unless there is a change in information handling practices, you will only need to notify a patient of these matters on the first visit, and it is reasonable to take no notification steps when you collect information on subsequent visits.
Example: Privacy notices
Examples of ways in which you might choose to provide a privacy notice include:
For more information, see the APP Guidelines, Chapter 5: APP 5 — Notification of the collection of personal information.
While you generally need consent to collect a patient’s health information, you may collect it without consent in the situations set out below.
You may collect health information without consent where the collection is ‘required or authorised by or under an Australian law or a court/tribunal order’.
Example: Law requiring collection
Under State and Territory public health legislation, health service providers are required to record information about individuals with certain diseases and notify the relevant health authority. For example, under the NSW Public Health Act 2010, doctors, hospitals and pathology laboratories are required to record information about patients with certain medical conditions, such as AIDS, malaria, measles, tetanus and typhoid, and notify the NSW Department of Health. To meet your legislative obligations, you can collect relevant health information without the patient’s consent.
Serious threat
You may collect health information without consent where it is unreasonable or impracticable to obtain consent to the collection, and you reasonably believe the collection is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety. You must have a reasonable basis for your belief that there is a serious threat, and you must be able to justify it. The test is what a reasonable person, who is properly informed, would believe in the circumstances. You cannot avoid obtaining consent just because it would be inconvenient, time-consuming or impose some cost. Whether these factors make it impracticable to obtain consent will depend on whether the burden is excessive in all the circumstances.
Example: Necessary to lessen a serious threat to an unconscious patient
A patient is in hospital and unconscious as a result of a stroke and the hospital needs further information from his GP to determine how best to treat him. Given the patient’s condition, it is not practical to obtain his consent to the collection. Further, the hospital reasonably believes that the collection of this information from the GP is necessary to lessen the serious threat to the patient’s health. In this situation, the hospital can collect health information without the patient’s consent.
Providing a health service
You may collect health information without consent where the information is necessary to provide a health service to a patient, and either:
Medical history-taking
You can collect health information from a patient about another individual, without that individual’s consent, where:
Examples of information that are part of a patient’s family, social or medical history include:
You should limit the information you collect to that which is necessary to provide the health service to the patient. Information is ‘necessary’ to provide a health service if you cannot effectively provide the health service without collecting it.
Conducting research; compiling or analysing statistics; management, funding or monitoring of a health service
You may collect health information about an individual if:
If you collect health information in these circumstances and subsequently want to disclose that information, you must take reasonable steps to de-identify the information before disclosing it. For more information, see Chapter 9.
Other situations
Other situations where you may collect health information without consent include:
For more information, see the APP Guidelines Chapter C: Permitted general situations.
Anonymity and pseudonymity
The Privacy Act 1988 (Privacy Act) requires you to consider whether it is practical to give patients the option of not identifying themselves, or using a pseudonym, when dealing with you. A patient may prefer to deal anonymously or pseudonymously with a health service provider for various reasons. For example, a patient may wish to access counselling or other services without this information being linked to her identity and potentially becoming known to others. However, you do not have to deal with patients anonymously or pseudonymously where:
While it may often be unlawful or impracticable to provide a health service anonymously or pseudonymously, you should still consider whether there are situations in which you can offer anonymous or pseudonymous healthcare, and ensure patients are aware of this possibility if applicable. For example, your privacy policy could explain the circumstances in which a patient may deal anonymously or by pseudonym with you, and the procedures for doing so. There may also be consequences for patients if they do not identify themselves, such as for their ongoing healthcare and their ability to claim a Medicare or health fund rebate. See the APP Guidelines, Chapter 2: APP 2 — Anonymity and pseudonymity for more information.
Unsolicited health information is information that you come across by accident, or receive but have not requested. If you receive unsolicited health information you should, within a reasonable period of time, determine whether the Privacy Act would have allowed you to collect the information. As outlined above, you generally would have needed the patient’s consent to collect the health information, unless an exception applies. If you could have collected the information, then you must comply with the Privacy Act when handling it. If you could not have collected the information, then you must destroy or de-identify the health information as soon as practicable if it is lawful and reasonable to do so. For further information, see the APP Guidelines, Chapter 4: APP 4 — Dealing with unsolicited personal information.
Example: Collecting unsolicited information to lessen a serious threat
The son of an elderly patient sends you an email expressing his concern that your patient is unfit to drive. The son suggests that your patient has caused a number of recent near car accidents. The son claims his Dad is determined to keep driving, and the son says he is worried his Dad may injure himself and others. He provides details of these incidents and there appears to be cause for concern, particularly given the patient’s recent medical history. Having received this unsolicited information, you need to consider whether you could have collected this information under the Privacy Act. In this case, you may be able to conclude that you could have collected this information because you reasonably believe the collection is necessary to enable you to take steps to lessen or prevent a serious threat to the health or safety of your patient and other individuals.
[1] Note that under the My Health Records Act 2012 more specific requirements apply to the collection of health information relating to the My Health Record system. Similarly, the Healthcare Identifiers Act 2010 has particular requirements for the collection of healthcare identifiers.