FAQ on changes to consent and release of patient information to life insurers

Last updated 17 June 2021

FAQ for patients and GPs on changes to consent and release of patient information

GPs have access to comprehensive health records containing important information about a patient. Third parties (such as insurance companies, motor accident and workers’ compensation agencies, solicitors and welfare agencies) often request access to this information. The process for seeking patient consent and releasing medical information to life insurers is being updated following the introduction of a new Standard.

What is changing for patients?

Under the new Standard No. 26: Consent for accessing health information, insurers will be required to ask for patient consent to access their health information in two standard ways (called an authority). Both authorities will be sought at the same time, but information can only be provided under the second authority under certain, limited conditions.

The authorities are only valid while a claim or application is being assessed, or while disclosures an individual is required to make under an insurance policy are verified. Under both authorities, an insurer must collect, use, store and disclose personal information in accordance with privacy laws and Australian Privacy Principles.

What do the different Authorities mean?

The first authority (called Authority 1) involves the patient consenting to their health provider(s) releasing their health information, except for the consultation notes held by their GP or practice. GPs should provide a medical report which contains relevant information (and may contain both statements of fact and medical opinion) only.

The second authority (called Authority 2) involves the patient consenting to their insurer having access to a full copy of their medical record, including consultation notes. This can only be released when their GP/practice will be unable to, or did not, provide the report within 4 weeks; or the report provided is incomplete, or contains inconsistencies or inaccuracies.

When is this commencing?

The deadline for insurers complying with the new standard is 1 July 2021. However, some insurers have already implemented these new processes.

GPs may receive a consent form via the previous consent process that has been signed before 1 July 2021. This is valid and can be accepted so long as it was signed before 1 July 2021.

I’m a GP – what do I need to do?

The RACGP recommends that GPs provide medical reports as opposed to complete medical records where possible. Therefore, your default approach for releasing your patients’ health information should be a targeted medical report. We recommend this to prevent sharing of patient information which is not relevant to a third-party request.

As always, you must not release medical information to a third party without your patient’s consent, unless you are legally required in response to a subpoena, court order or summons. It is essential that this consent is documented. Similarly, you must have consent or authority to prepare a medical report prior to commencing the reporting process.

Our resource on writing medical reports contains more information, including a suggested report structure and things to consider when setting your fee for preparing a report.

How can patients consent to insurers accessing their health information?

Patients can give their consent by signing a paper copy of each Authority, by verbally consenting, for example when taking out a policy over the phone, or by using a digital signature on-line. These forms of consent are all legally acceptable and each Authority expressly allows GPs to accept digital or verbal consent.

What does it mean if a patient has only consented to one Authority?

If a patient has only consented to one authority (either Authority 1 or Authority 2), then their GP can only provide the health information set out under the respective authority.

On most occasions, we would expect both authorities will have been consented to, this is the intent. But there might be rare occasions where only one consent is given.

Why are these changes happening?

In 2018, following an inquiry into the life insurance industry, the Parliamentary Joint Committee on Corporations and Financial Services (the ‘Committee’) recommended that we work with the Financial Services Council (FSC) to develop a standard process for requesting and providing patient medical information. The Committee supported the view put forward by the RACGP that access to full history/notes was often inappropriate and a targeted medical report should be the default way to share information.

These changes have been designed to protect patient privacy and help ensure companies providing life insurance receive only relevant information from a health record to assess an application or claim.

Where can I access Standard No. 26?

Standard No. 26 can be accessed on the Financial Services Council website.

Who was involved in the development of Standard No. 26?

The Financial Services Council sets mandatory Standards for the financial services industry, which aim to make sure that companies operate openly, fairly and in your best interests.

A standard process was agreed by the RACGP and FSC in mid-2019. This process has been written into the FSC’s Standard No. 26.

Who can I contact with questions?

If you have any questions regarding Standard No. 26, you can contact the Financial Services Council via their website.

GPs are advised to seek the advice of your medical defence organisation if you have any concerns about obligations to provide a report and/or avoid breaches of privacy.

Additional resources