- Health information must not be used or disclosed for direct marketing without patient consent.
- Your practice must obtain patient consent to any services with commercial aspects, such as vaccinations.
- Sending unsolicited commercial communications to your patients is generally prohibited.
Prohibitions on direct marketing
General practices might not ordinarily consider themselves as engaging in marketing activities. However, any promotion of a practice’s services, even through scheduled reminders or as part of recommended clinical practice, might be considered direct marketing and therefore have privacy considerations.
Direct marketing in a clinical setting refers to any marketing technique where a practice is promoting goods and services directly to patients. Practices should note some daily clinical initiatives might inadvertently breach these laws. For example, letters that use or disclose personal information to promote and advise patients about flu vaccination services could be considered direct marketing.
In contrast, the Australian Privacy Commissioner considers that letters relating to ongoing care are less likely to breach privacy laws, especially if the letters simply inform the patient of scheduled assessments and do not specifically promote any services.
To avoid inadvertently breaching these laws, practices should obtain patient consent by:
- requesting consent (via opt-in or opt-out mechanisms) on patient registration sheets and recording this consent in the management software
- asking for consent as patients present to the practice
- undertaking a directed consent campaign.
Refusal requests for marketing
Practices must have adequate procedures in place to ensure marketing messages are not sent to patients who have expressed their refusal.
The Spam Act and Do Not Call Register
It is important practices are aware of the applicable prohibitions (and their exceptions) when sending electronic (email or text messages) or telephone communications. The Privacy Act defers to the operation of the Spam Act 2003 and the Do Not Call Register Act 2006.
Generally, these Acts prohibit practices from sending unsolicited communications (by email, text message or telephone call) with the aim of selling goods or services. Practices sending solicited communications must ensure they meet any requirements first; for example, providing an unsubscribe function for mobile text message reminders.