Privacy and managing health information in general practice

Information management relating to patients

Key points

  • Your practice should not collect health information unless the patient consents and the information is reasonably necessary for delivery of healthcare services.
  • Your practice must collect personal information only by lawful and fair means (without being unreasonably intrusive or using methods of intimidation).
  • Consent is not required where:
    • the health information is collected in accordance with the law or rules established by ‘competent health or medical bodies’8
    • it is unreasonable to seek it and the collection is necessary to ‘lessen or prevent a serious threat to life, health or safety’ of an individual or the public.8
    • Other exceptions also apply.
  • Unsolicited information (received without asking) must be destroyed unless your practice would ordinarily have lawfully collected that information.

Prior to making an informed decision about whether to provide health information, your practice’s patients should be notified about how their information may be used or disclosed, and what rights of access will apply. 

In the context of a general practice, it may be reasonable to consider an attending and willing patient as consenting unless their consent is expressly revoked. If there is any doubt, it is best to obtain the patient’s express consent (by a signed admittance form, for example). 

When a patient first attends their consulting GP, it is suitable to take a full patient medical history where clinically appropriate.

Health information from third parties

While GPs obtain most health information directly from the patient (and should do so wherever practical), they will receive some health information from third parties, such as guardians or other health professionals involved in the patient’s care.

Where personal information is received without the GP soliciting it, GPs should determine whether or not they could have ordinarily collected the information. If not, the information should be destroyed or de-identified. 

In many situations, such as where GPs collect a family medical history from a patient, it may not be possible to obtain each family member’s consent. GPs can collect a patient’s family, social or medical health information when necessary to provide them with healthcare services; however, they will need to be careful during any disclosure of that material (refer to Refusing access below).2


Notification obligations

Key points

  • Upon collecting health information, or as soon as possible afterwards, GPs must take reasonable steps to notify the patient of such collection.
  • Notified information must include the practice’s details, the purpose for which the information is collected, to whom the health information may be disclosed, and whether it will be disclosed to an overseas recipient (and if so, where).

Patients need to be made aware of the potential use and disclosure of their health information. Extensive prescribed notification requirements apply to the collection of health information.

It is not necessary to notify your practice’s patients if their health information is being collected during recurring consultations, as it is clearly apparent. It is not necessary to notify patients if their health information will need to be disclosed when referring to a specialist. 

However, there are various aspects of collection that are not so straightforward. For example, the organisation ultimately collecting and holding the information may not be obvious, particularly in incorporated practices with sophisticated administration and complex corporate structures. 

For those items that are prescribed but not obvious or covered during a consultation, more formal notification requirements will be needed. 

The notification requirements have administrative implications for incorporated practices, practices with operating services trusts and practices using cloud computing. 

It is recommended practices ensure their patient information/consent forms are updated to account for this prescribed notification. Where necessary, your practice should secure renewed consent from its patients.

Privacy notices

Your practice should consider whether a privacy notice (also known as a ‘collection notice’ or ‘APP 5 Notice’) addressing the prescribed notification matters in a predetermined format and medium would be an appropriate means of notifying your patients.

Such notices may include information about:

  • disclosure within a multidisciplinary medical team
  • disclosure to colleagues as part of case management
  • use and disclosure in medical research
  • disclosure for practitioner continuing professional development purposes or for quality improvement activities
  • the process for disclosure to other specialists. 

The practice can always choose whether to provide additional information about how a patient’s health information may be used. This will assist in managing the patient’s expectations, promoting trust as well as increasing the likelihood that further uses of that patient’s health information will constitute secondary use (refer to Section 2.3. Use and disclosure of health information). 

It is recommended to use practice information notices for this purpose. This information may also be considered for inclusion in your general practice’s collection notice and incorporated into your practice’s privacy policy (for more information on privacy policies, refer to Section 2.4. Privacy policies).

When used appropriately, these notices will assist patients to understand how their health information is used and disclosed. 

Download

Your practice can customise the RACGP Patient privacy pamphlet which is available to download.


Use for primary and secondary purposes 

Key points

  • A GP’s primary purpose for collecting health information is to provide healthcare services.
  • Your practice may use and disclose health information for that ‘primary’ purpose.
  • Health information may be used or disclosed for another ‘secondary’ purpose where: 
    • the patient consents
    • the patient would reasonably expect a use or disclosure related to their healthcare
    • it is unreasonable to seek consent and the collection is necessary to lessen or prevent a serious threat to life, health or safety of an individual or the public
    • a reasonable belief exists that the use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of another individual who is a genetic relative of the first individual
    • the patient is physically or legally incapable of giving consent, and the health information is disclosed to a responsible person (which may include parents, adult siblings, spouses, adult relatives, guardians or attorneys granted power concerning health decisions), for compassionate reasons or to enable appropriate care or treatment of the patient.
  • A practice may use or disclose health information as required or authorised by or under law.
  • Practices are responsible for information disclosed overseas.

When dealing with health information, your practice must determine whether the intended use or disclosure is for a primary purpose (the purpose for collection) or a secondary purpose (which must be directly related). 

Health information is usually collected for providing particular healthcare services (this is the primary purpose). Your practice can use or disclose health information for the primary purpose. 

In certain circumstances, your practice can choose to use health information for another ‘secondary’ purpose if the patient consents, or the patient would reasonably expect that use or disclosure, which is directly related to their healthcare.

Where there is doubt as to patient expectations, consent should be sought. It is often much simpler to gain a patient’s consent than to balance their belief of reasonable expectations, or justify it if investigated. 

A practice relying on ‘reasonable expectations’ must consider these expectations from the perspective of an average patient with no particular medical knowledge. The patient’s age, cultural background and medical history should be considered. Whether the intended use or disclosure was ever notified to the patient is also relevant.

Use or disclosure in the practice setting

In the practice setting, patients will generally expect their health information to be used for a wide variety of activities that are directly related to the healthcare services they have received. 

These may include:

  • providing information about treatments
  • being treated by a person other than their treating GP, such as a specialist or during admission to hospital
  • internal assessment practices, such as to assess the feasibility of particular treatments
  • management, funding, complaint-handling, planning, evaluation and accreditation activities
  • disclosure to experts or lawyers (for legal opinions), insurers or medical defence organisations to report adverse incidents or for the defence of legal proceedings
  • disclosure to clinical supervisors.9 

Some practices may use or disclose health information for medical research or for quality assessment or clinical audit activities. As these are not uniformly expected by patients, practices should limit their use or disclosure except where consent is obtained. In any event, consent is often a key component to human clinical trial ethical approval (for more information, refer to Section 3.8. Health research).

Case study 1: Primary and directly-related purposes

Laura has been seeing her treating GP for many years. Recently she suffered a stroke, and now suffers from stroke complications, some of which are likely to be permanent. 

Laura’s healthcare will need a coordinated effort between her treating healthcare professionals, including her neurologist, rehabilitation team and practice nurse. 

In her currently distressed state, Laura may not expect her GP to organise this multidisciplinary team. Accordingly, her GP organises a consultation with Laura to discuss the benefits of multidisciplinary care, so that she can make an informed decision to allow disclosure of her health information to other health practitioners. Laura’s treating GP carefully notes the conversation and Laura’s express consent.

Laura’s GP has recognised that the primary purpose for using Laura’s health information is for the GP to treat and manage her stroke symptoms. Laura would expect this use as part of her regular healthcare. 

However, it is unclear whether Laura would expect her health information to be disclosed to other health practitioners. This disclosure by Laura’s GP may be considered a secondary purpose. Under the Privacy Act, the disclosure of the information necessary to treat and manage Laura’s stroke recovery is ordinarily prohibited, unless an exception applies; in this case the two most applicable exceptions are consent and reasonable expectations. 

It was therefore prudent for Laura’s GP to seek Laura’s consent. Additionally, by discussing the care plan and the scope of involvement of the multidisciplinary team, Laura’s GP has managed her reasonable expectations regarding the use of her health information by the members of her team. This will allow greater flexibility in treating Laura and it is probably reasonable to not require Laura’s consent to each exchange.

Use for business practices

It is reasonably expected for your practice to use health information for a secondary purpose relating to the general practice business. 

For more information, refer to Chapter 3. Information management relating to general practice, and specifically Section 3.1. The business of general practice.

Use for training and education purposes

Patients are often not aware that their health information may be used for GPs’ training and education purposes. 

Without consent, it may be unreasonable for GPs to expect patients to permit their health information to be used in such circumstances. However, this expectation may be influenced by the nature of the training activity. For example, filming a family therapy session is highly likely to require express consent. In contrast, GPs are more likely to rely on implied consent for activities more closely linked to the provision of healthcare services, such as reflective discussion with peers or for training registrars. 

In the absence of consent, health information should be de-identified before it is used for training or educational purposes, or quality assurance or audit exercises. 

GPs should consider whether to include consent for training and education purposes on their patient registration forms to avoid this becoming an issue. 

Your practice is encouraged to include information about these activities and clinical audits in your practice policy on managing health information. If a practice intends to use de-identified information, it is still worth notifying patients of this in your privacy notice.

Limiting disclosure

Where health information must be disclosed to a third party, your practice must consider what information is relevant for the proposed purpose. Patients will reasonably expect the disclosure of only the necessary subset of their health information, along with third-party access restrictions. 

For example, a referring GP may not be justified in forwarding a copy of a patient’s complete medical record or other health information to another medical practitioner if that health information does not relate to the condition for which the referral is being made. Prior to disclosing any health information, your practice should carefully examine its authority for disclosure and seek advice where necessary (refer to Section 2.3.6. Subpoenas and disclosure required by law). 

Case study 2: Limiting disclosure

Laura has commenced her stroke rehabilitation. Her treatment is being led by her GP, who is coordinating a multidisciplinary healthcare team consisting of a neurologist, rehabilitation team and practice nurse. Laura visits her neurologist on a regular basis. The consultation recommendations are provided to Laura’s GP, who then passes them onto the other healthcare professionals. 

Laura discloses to her neurologist that she has been having difficulty controlling her emotions, including suffering from depression. Her GP is advised and discusses Laura’s depression with her, and prescribes medication as appropriate. 

When Laura visits her treating physiotherapist, he talks to Laura about her depression. Laura is surprised and embarrassed by this. She did not expect her physiotherapist to receive information disclosed to her neurologist.

It is reasonable to expect that Laura consented to her GP disclosing those aspects of her health relevant to each treating team member. However, Laura’s GP did not contemplate that she was unlikely to consent to unrelated disclosures, in this instance, her physiotherapist becoming aware of her depression. This may be an unauthorised disclosure under the Privacy Act, irrespective of whether the physiotherapist acquired the information from her medical record or whether it was disclosed by another team member. 

In assessing what aspects of Laura’s medical record should be disclosed, Laura’s GP should have: 

  • managed the information provided to each team member and maintained strict confidentiality in discussing Laura’s condition
  • managed what information was collected in her general file, and what was stored separately
  • discussed with Laura how (and with whom) her information would be shared.

Subpoenas and disclosure required by law

GPs are obliged to disclose health information in certain circumstances, including to meet mandatory reporting obligations – such as reports concerning colleagues, communicable diseases or child abuse.

GPs may also receive demands for medical files as part of legal proceedings. These requests may arise where a patient is suing the GP or another organisation (such as an insurer) and the medical records are relevant. 

In such circumstances, a subpoena or discovery order is an exception permitting disclosure. Practices should closely examine the scope of any subpoena or discovery order. These orders may request all or only part of a patient’s medical record although, generally, court rules require only those records that are reasonably necessary and relevant to the proceeding. Appropriate legal advice should be sought where necessary.

What is reasonably necessary is assessed on a case-by-case basis. If a GP deems it inappropriate to provide a patient’s complete health information despite a subpoena, they may have to justify this decision to the court. 

GPs may charge reasonable administration charges for the production of these documents. The Australian Medical Association establishes a schedule of professional fees for this.10

Transfers of medical records

Privacy legislation does not expressly cover the transfer of medical files between practices, such as during the sale of a practice. However, the Australian Privacy Commissioner has indicated this may require patient consent obtained by both the vendor and purchaser. Professional advice should be sought to ensure transferring patients’ records is done in accordance with the relevant laws (for more information, refer to Section 3.2. Sale or closure of a practice).

Information transferred overseas

It is particularly important to consider privacy implications in transferring health information outside Australia, as some countries have little or no privacy standards. Once personal information is disclosed in an unregulated manner, it is very difficult to regain control over it. 

The need for protection extends to the use of overseas data storage as well as processing of patient information overseas, such as through the use of transcription and reporting services. 

It is recommended to seek patient consent before transferring health information outside Australia (alerting patients to this possibility is a requirement of privacy policies; refer to Section 2.4. Privacy policies). However, consent is not strictly necessary in circumstances where reasonable steps have been taken to ensure the overseas recipient does not breach the privacy of that individual, or where the practice believes the overseas recipient is subject to a privacy scheme or law protecting the information in a manner similar to Australia.

Privacy policies

Key points

  • Your practice must have an up-to-date and patient-focused privacy policy (which includes describing how health information is managed in your practice).
  • Your practice’s privacy policy must be available free of charge and easily accessible to your patients in an appropriate form.
  • Privacy policies must accurately reflect your practice’s actual procedures and address certain prescribed requirements.
  • A privacy policy must explain:
    • how personal information is collected, used and disclosed within the practice
    • how a patient may access and correct their information
    • how privacy complaints can be made and how the complaint will be dealt with
    • whether information is likely to be disclosed overseas and, if so, where.

External privacy policies

Your practice should maintain a clearly expressed privacy policy that is freely available in printed or electronic form. For example, display a printed copy at the practice reception desk or in waiting areas, or publish an electronic copy on the practice website.

The privacy policy’s content will depend on each practice’s processes and structure and the record-keeping system used.

Your practice’s privacy policy will enable the practice to better manage patient enquiries or complaints concerning their health information. 

The RACGP has developed a privacy policy template. It is important to adapt this template to ensure its relevance to your practice. The template is available at www.racgp.org.au/ehealth/privacy

Internal privacy procedures

It is strongly recommended your practice has documented internal privacy procedures. Such procedures should include information about: 

  • the collection of health information, ensuring it is conducted in a discreet manner protecting the information from unauthorised access
  • obtaining a patient’s consent to the use or disclosure of health information by practice employees (including doctors, locums, registrars and other authorised healthcare service providers)
  • obtaining the patient’s consent to the use or disclosure of health information for the purposes of medical research, quality assurance and improvement (where relevant)
  • providing patients with access to their health information
  • de-identifying health information
  • ensuring health information is appropriately disclosed where authorised
  • classifying health information, to ensure disclosure is limited to that authorised
  • ensuring protection against unauthorised access across each medium the practice employs (eg hard copy or electronic records, verbal disclosures)
  • ensuring protection against any loss of data
  • retention of individual medical records to satisfy health record law requirements (refer to Section 3.3.3. Retention and destruction of medical records).

Your practice’s internal procedures should include information about privacy and confidentiality training. All staff handling health information must be aware of and comply with the practice’s internal procedures. 

It is recommended to nominate one person who will be responsible for overseeing the implementation and operation of the privacy policy and to be the point of contact for privacy concerns.

Anonymity and pseudonymity

Key points

  • Wherever it is lawful and practical to do so, patients must have the option of not identifying themselves or using a pseudonym when requesting healthcare.
  • Anonymity and pseudonymity take their ordinary meaning, although it is important to understand they are distinct concepts.

The nature of general practice and the provision of healthcare do not easily accommodate the notions of anonymity and pseudonymity. Medical histories are required and identities need to be confirmed before a GP can make a diagnosis or prescribe medications. GPs are obliged by law to report communicable diseases and child abuse.

These circumstances should be explained to the patient. 

A patient may experience detriment in their treatment if they choose to remain anonymous. This should also be explained to the patient. 

Where practical, offering the option of anonymity and pseudonymity should be integrated into usual practice. A telephone service for general or referral advice or providing general assistance (for basic information or on issues such as quitting smoking or mental health) are examples of when anonymity or pseudonymity may be used.

Access to health information

Key points

  • Patients may access all their personal information held by your practice, subject to limited exceptions.
  • Your practice must respond to requests for access within a reasonable period (generally 30 days).
  • It is important to verify the identity of the requesting person.
  • Practices are not required to provide access if they reasonably believe:
    • it would unreasonably impact the privacy of another
    • it may threaten the life, health or safety of another or the public.
    • Other exceptions to providing access may apply.
  • Refusal to grant access must be communicated in writing with reasons and the process for lodging a complaint.

Scope of access

The scope of a patient’s access rights is quite broad and encompasses all of a patient’s personal information. A patient’s medical record includes all information created by the treating GP(s) or received from other practitioners, and usually exists in both electronic and hard copy documents. Therefore, such requests will affect information held on the practice’s administrative system as well as in the medical record. 

Your practice must be able to identify those records containing another patient’s personal information, or have the capacity to search relevant medical records where necessary. This commonly occurs in the family setting.

Managing access

Some state legislation requires access requests to be made in writing. In any event, it may be preferable to ask the patient to put the request in writing.

Some requests may involve collating a significant amount of information. A written request will permit greater clarity on the information being sought. A written request also provides a record of the request. 

Where a patient is provided with access to their medical record, it may be desirable for the usual treating GP to be available to clarify its contents and to discuss any concerns with the patient. 

Alternatively, it may be appropriate to refer the patient to the original author of a record (such as when health information is received from a specialist). 

In some circumstances, GPs may discharge their obligation to provide access to health information by arranging for the patient to obtain the information from an intermediary, such as a referring doctor. This might be the preferred option for a pathologist, for example, who has had no direct contact with the patient. In all cases, however, the intermediary must be mutually agreed upon. 

Some states only allow the use of intermediaries where there is a serious threat to the life or health of the requesting patient.

Manner of access

Requests will usually be for access to a patient’s entire medical record. However, requests for particular information may be received by email, phone or in person. 

A practice may not be comfortable in providing entire medical records (although they may choose to do so); however, merely being uncomfortable or asserting proprietary rights is not a valid ground for refusal. The privacy laws require access as requested, where reasonable and practical, or in a mutually agreed way if not reasonable or practical. 

In many cases, patient requests for access to health information may be satisfied by way of an up-to-date summary containing all relevant material. However, this may prove more administratively burdensome, and in any event a patient will retain their right to access their full medical record. Another alternative is to provide access to a patient’s medical files in a room at the practice.

Refusing access

It is recommended that your practice is familiar with the grounds on which it may refuse to provide access, when and where necessary, and therefore can defer to the appropriate provision when required. 

In particular, your practice should consider the risk of distress to other patients. For example, practices may consider refusing access when: 

  • that access would lead to significant distress or lead to self-harm or harm to another person3
  • the health information of another patient is contained within the medical record
  • the requesting patient’s information was disclosed by another patient in confidence
  • the possibility of domestic abuse or child abuse exists. 

If a GP is considering refusing access, they should obtain professional advice. 

When third-party patient records are involved in the request for access, the practice may consider approaching the affected patient for their consent. It is not recommended practices attempt to de-identify third-party information for this purpose as it is unlikely to be effective. However, practices may delete or make unreadable the relevant information from the file prior to providing access.

Case study 3: Access through an intermediary

Mary has requested her medical file.

In assessing her request, the practice manager notes Mary has recently moved away from the practice. Satisfying the request would mean sending a copy of the medical record by courier. The practice determines the costs of doing so would be quite high. 

In addition, Mary’s treating GP does not want to send the full medical record. She is concerned Mary would not understand some of the information, and the inevitable internet searching that would follow to clarify unknown medical terms, would only cause further stress. 

In consultations with the GP, the practice manager determines it would not be reasonable or practical to send the medical file to Mary. However, they contact Mary to inquire whether sending the record to a closer GP would assist her. Mary agrees and is able to discuss the contents of the record with her local GP in an informed environment.

Access fees

Your practice can charge a fee for providing a patient access to their personal information, but not for merely requesting access. You should therefore only consider imposing fees (if at all) after the request is made. 

A practice may levy reasonable fees to cover the cost of:

  • administration for file searching, collating, etc
  • copying or printing records
  • postage or courier fees
  • facilitating access with intermediaries.

Your practice may wish to consider the patient’s individual circumstances and their capacity to pay prior to determining and/or waiving access fees.

Practices should keep in mind the potential to align a patient’s access request with a consultation, or to be compensated through reasonable administrative fees. Appropriate legal advice should be sought to determine where this is allowable and practical within the context of the practice.

Policy on access

It is recommended your practice develops and implements a policy covering patient record access. Such a policy would have information about:

  • how and to whom requests for access should be made
  • the process for identity verification
  • how access will be granted
  • response times
  • whether access fees will apply, and in what circumstances (if any) these charges will be waived.

This information may be incorporated into your practice’s privacy policy (refer to Section 2.4. Privacy policies).

  1. National Health and Medical Research Council, Australian Research Council, Australian Vice-Chancellors’ Committee. National statement on ethical conduct in human research (2007) (updated May 2015). Canberra: NHMRC, 2015. [Accessed 4 April 2017].
  2. Commonwealth of Australia. Privacy Act 1988. Canberra: Commonwealth of Australia, 1988. [Accessed 4 April 2017].
  3. Office of the Australian Information Commissioner. Australian Privacy Principles guidelines: Privacy Act 1988. Canberra: OAIC, 2015. [Accessed 4 April 2017].
  4. Office of the Chief Parliamentary Counsel Victoria. Health Records Act 2001. Melbourne: OCPC, 2001. [Accessed 4 April 2017].
  5. NSW Parliamentary Counsel’s Office. Health Records and Information Privacy Act 2002. Sydney: PCO, 2002. [Accessed 4 April 2017].
  6. ACT Parliamentary Counsel’s Office. Health Records (Privacy and Access) Act 1997. Canberra: PCO, 1997. [Accessed 4 April 2017].
  7. Medical Board of Australia. Good medical practice: A code of conduct for doctors in Australia. Melbourne: Medical Board of Australia, 2014. [Accessed 4 April 2017].
  8. Office of the Australian Information Commissioner. Business resource: Collecting, using and disclosing health information for research (draft). Canberra: OAIC, 2015. [Accessed 21 April 2017].
  9. Office of the Australian Information Commissioner. Business resource: Using and disclosing patients’ health information (draft). Canberra: OAIC, 2015. [Accessed 5 April 2017].
  10. Australian Medical Association. Frequently Asked Questions – Fees. Canberra: AMA, [date unknown]. [Accessed 5 April 2017].
  11. Office of the Australian Information Commissioner. What happens if I sell my small business including a customer database? Canberra: OAIC, [date unknown]. [Accessed 5 April 2017].
  12. National Health and Medical Research Council. Use and disclosure of genetic information to a patient’s genetic relatives under Section 95AA of the Privacy Act 1988 (Cth) – Guidelines for health practitioners in the private sector. Canberra: NHMRC, 2014. [Accessed 5 April 2017].
  13. Office of the Australian Information Commissioner. Guide to securing personal information. Canberra: OAIC, 2015. [Accessed 5 April 2017].
  14. Australian Health Practitioner Regulation Agency. Social media policy. Canberra: AHPRA, 2014. [Accessed 5 April 2017].
  15. Department of Health and Ageing, Therapeutic Goods Administration. The Australian clinical trial handbook. Canberra: TGA, 2006. [Accessed 5 April 2017].