Use for primary and secondary purposes
- A GP’s primary purpose for collecting health information is to provide healthcare services.
- Your practice may use and disclose health information for that ‘primary’ purpose.
- Health information may be used or disclosed for another ‘secondary’ purpose where:
- the patient consents
- the patient would reasonably expect a use or disclosure related to their healthcare
- it is unreasonable to seek consent and the collection is necessary to lessen or prevent a serious threat to life, health or safety of an individual or the public
- a reasonable belief exists that the use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of another individual who is a genetic relative of the first individual
- the patient is physically or legally incapable of giving consent, and the health information is disclosed to a responsible person (which may include parents, adult siblings, spouses, adult relatives, guardians or attorneys granted power concerning health decisions), for compassionate reasons or to enable appropriate care or treatment of the patient.
- A practice may use or disclose health information as required or authorised by or under law.
- Practices are responsible for information disclosed overseas.
When dealing with health information, your practice must determine whether the intended use or disclosure is for a primary purpose (the purpose for collection) or a secondary purpose (which must be directly related).
Health information is usually collected for providing particular healthcare services (this is the primary purpose). Your practice can use or disclose health information for the primary purpose.
In certain circumstances, your practice can choose to use health information for another ‘secondary’ purpose if the patient consents, or the patient would reasonably expect that use or disclosure, which is directly related to their healthcare.
Where there is doubt as to patient expectations, consent should be sought. It is often much simpler to gain a patient’s consent than to balance their belief of reasonable expectations, or justify it if investigated.
A practice relying on ‘reasonable expectations’ must consider these expectations from the perspective of an average patient with no particular medical knowledge. The patient’s age, cultural background and medical history should be considered. Whether the intended use or disclosure was ever notified to the patient is also relevant.
Use or disclosure in the practice setting
In the practice setting, patients will generally expect their health information to be used for a wide variety of activities that are directly related to the healthcare services they have received.
These may include:
- providing information about treatments
- being treated by a person other than their treating GP, such as a specialist or during admission to hospital
- internal assessment practices, such as to assess the feasibility of particular treatments
- management, funding, complaint-handling, planning, evaluation and accreditation activities
- disclosure to experts or lawyers (for legal opinions), insurers or medical defence organisations to report adverse incidents or for the defence of legal proceedings
- disclosure to clinical supervisors.9
Some practices may use or disclose health information for medical research or for quality assessment or clinical audit activities. As these are not uniformly expected by patients, practices should limit their use or disclosure except where consent is obtained. In any event, consent is often a key component to human clinical trial ethical approval (for more information, refer to Section 3.8. Health research).
Case study 1: Primary and directly-related purposes
Laura has been seeing her treating GP for many years. Recently she suffered a stroke, and now suffers from stroke complications, some of which are likely to be permanent.
Laura’s healthcare will need a coordinated effort between her treating healthcare professionals, including her neurologist, rehabilitation team and practice nurse.
In her currently distressed state, Laura may not expect her GP to organise this multidisciplinary team. Accordingly, her GP organises a consultation with Laura to discuss the benefits of multidisciplinary care, so that she can make an informed decision to allow disclosure of her health information to other health practitioners. Laura’s treating GP carefully notes the conversation and Laura’s express consent.
Laura’s GP has recognised that the primary purpose for using Laura’s health information is for the GP to treat and manage her stroke symptoms. Laura would expect this use as part of her regular healthcare.
However, it is unclear whether Laura would expect her health information to be disclosed to other health practitioners. This disclosure by Laura’s GP may be considered a secondary purpose. Under the Privacy Act, the disclosure of the information necessary to treat and manage Laura’s stroke recovery is ordinarily prohibited, unless an exception applies; in this case the two most applicable exceptions are consent and reasonable expectations.
It was therefore prudent for Laura’s GP to seek Laura’s consent. Additionally, by discussing the care plan and the scope of involvement of the multidisciplinary team, Laura’s GP has managed her reasonable expectations regarding the use of her health information by the members of her team. This will allow greater flexibility in treating Laura and it is probably reasonable to not require Laura’s consent to each exchange.
Use for business practices
It is reasonably expected for your practice to use health information for a secondary purpose relating to the general practice business.
For more information, refer to Chapter 3. Information management relating to general practice, and specifically Section 3.1. The business of general practice.
Use for training and education purposes
Patients are often not aware that their health information may be used for GPs’ training and education purposes.
Without consent, it may be unreasonable for GPs to expect patients to permit their health information to be used in such circumstances. However, this expectation may be influenced by the nature of the training activity. For example, filming a family therapy session is highly likely to require express consent. In contrast, GPs are more likely to rely on implied consent for activities more closely linked to the provision of healthcare services, such as reflective discussion with peers or for training registrars.
In the absence of consent, health information should be de-identified before it is used for training or educational purposes, or quality assurance or audit exercises.
GPs should consider whether to include consent for training and education purposes on their patient registration forms to avoid this becoming an issue.
Your practice is encouraged to include information about these activities and clinical audits in your practice policy on managing health information. If a practice intends to use de-identified information, it is still worth notifying patients of this in your privacy notice.
Where health information must be disclosed to a third party, your practice must consider what information is relevant for the proposed purpose. Patients will reasonably expect the disclosure of only the necessary subset of their health information, along with third-party access restrictions.
For example, a referring GP may not be justified in forwarding a copy of a patient’s complete medical record or other health information to another medical practitioner if that health information does not relate to the condition for which the referral is being made. Prior to disclosing any health information, your practice should carefully examine its authority for disclosure and seek advice where necessary (refer to Section 2.3.6. Subpoenas and disclosure required by law).
Case study 2: Limiting disclosure
Laura has commenced her stroke rehabilitation. Her treatment is being led by her GP, who is coordinating a multidisciplinary healthcare team consisting of a neurologist, rehabilitation team and practice nurse. Laura visits her neurologist on a regular basis. The consultation recommendations are provided to Laura’s GP, who then passes them onto the other healthcare professionals.
Laura discloses to her neurologist that she has been having difficulty controlling her emotions, including suffering from depression. Her GP is advised and discusses Laura’s depression with her, and prescribes medication as appropriate.
When Laura visits her treating physiotherapist, he talks to Laura about her depression. Laura is surprised and embarrassed by this. She did not expect her physiotherapist to receive information disclosed to her neurologist.
It is reasonable to expect that Laura consented to her GP disclosing those aspects of her health relevant to each treating team member. However, Laura’s GP did not contemplate that she was unlikely to consent to unrelated disclosures, in this instance, her physiotherapist becoming aware of her depression. This may be an unauthorised disclosure under the Privacy Act, irrespective of whether the physiotherapist acquired the information from her medical record or whether it was disclosed by another team member.
In assessing what aspects of Laura’s medical record should be disclosed, Laura’s GP should have:
- managed the information provided to each team member and maintained strict confidentiality in discussing Laura’s condition
- managed what information was collected in her general file, and what was stored separately
- discussed with Laura how (and with whom) her information would be shared.
Subpoenas and disclosure required by law
GPs are obliged to disclose health information in certain circumstances, including for mandatory reporting purposes – such as to colleagues, or regarding communicable diseases or child abuse.
GPs may also receive demands for medical files as part of legal proceedings. These requests may arise where a patient is suing the GP or another organisation (such as an insurer) and the medical records are relevant.
In such circumstances, a subpoena or discovery order is an exception permitting disclosure. Practices should closely examine the scope of any subpoena or discovery order. These orders may request all or only part of a patient’s medical record although, generally, court rules require only those records that are reasonably necessary and relevant to the proceeding. Appropriate legal advice should be sought where necessary.
What is reasonably necessary is assessed on a case-by-case basis. If a GP deems it inappropriate to provide a patient’s complete health information despite a subpoena, they may have to justify this decision to the court.
GPs may charge reasonable administration charges for the production of these documents. The Australian Medical Association establishes a schedule of professional fees for this.10
Transfers of medical records
Privacy legislation does not expressly cover the transfer of medical files between practices, such as during the sale of a practice. However, the Australian Privacy Commissioner has indicated this may require patient consent obtained by both the vendor and purchaser. Professional advice should be sought to ensure transferring patients’ records is done in accordance with the relevant laws (for more information, refer to Section 3.2. Sale or closure of a practice).
Information transferred overseas
It is particularly important to consider privacy implications in transferring health information outside Australia, as some countries have little or no privacy standards. Once personal information is disclosed in an unregulated manner, it is very difficult to regain control over it.
The need for protection extends to the use of overseas data storage as well as processing of patient information overseas, such as through the use of transcription and reporting services.
It is recommended to seek patient consent before transferring health information outside Australia (note that alerting patients to this possibility is a requirement of privacy policies. Refer to Section 2.4. Privacy policies). However, consent is not strictly necessary in circumstances where reasonable steps have been taken to ensure the overseas recipient does not breach the privacy of that individual, or where the practice believes the overseas recipient is subject to a privacy scheme or law protecting the information in a manner similar to Australia.