Privacy and managing health information in general practice

Use and disclosure of health information

Limiting disclosure

Last revised: 24 May 2023

Where health information must be disclosed to a third party, your practice must consider what information is relevant for the proposed purpose. Patients will expect that only the necessary parts of their health information will be disclosed.

For example, a referring GP might not be justified in forwarding a complete copy of a patient’s medical record to another practitioner if that information does not relate to the referral.

Prior to disclosing any health information, your practice should carefully examine its authority for disclosure and seek advice where necessary (refer to section on Subpoenas and disclosure required by law).

For further information, refer to the RACGP’s resources on managing the use of your practice data, available at

Case study: Limiting disclosure

Laura has commenced her stroke rehabilitation. Her treatment is being led by her GP, who is coordinating a multidisciplinary healthcare team consisting of a neurologist, rehabilitation team and practice nurse. Laura visits her neurologist on a regular basis. The consultation recommendations are provided to Laura's GP, who then passes them on to the other healthcare professionals.

Laura discloses to her neurologist that she has been having difficulty controlling her emotions, including experiencing depression. Her GP is advised and discusses Laura’s depression with her and prescribes medication as appropriate.

When Laura visits her treating physiotherapist, he talks to Laura about her depression. Laura is surprised and embarrassed by this. She did not expect her physiotherapist to receive information disclosed to her neurologist.

It is reasonable to expect that Laura consented to her GP disclosing those aspects of her health relevant to each treating team member. However, Laura’s GP did not consider that she was unlikely to consent to unrelated disclosures, such as in this instance where her physiotherapist has been made aware of her depression. This might be an unauthorised disclosure under the Privacy Act, irrespective of whether the physiotherapist acquired the information from her medical record or whether it was disclosed by another team member.

In assessing what aspects of Laura’s medical record should be disclosed, Laura’s GP should have:

  • managed the information provided to each team member and maintained strict confidentiality in discussing Laura’s condition
  • managed what information was collected in her general file and what was stored separately
  • discussed with Laura how (and with whom) her information would be shared.

