Interpretive guide to the RACGP Standards

for Aboriginal community controlled health services

Standard 4.2 Management of health information

Our practice has an effective system for managing patient information.

Criterion 4.2.1

Confidentiality and privacy of health information

Our practice collects personal health information and safeguards its confidentiality and privacy in accordance with Australian Privacy Principles.


► A. Our practice team can describe how we ensure the confidentiality of patient health records.

► B. Our practice team can demonstrate how patient health records can be accessed by an appropriate team member when required.

► C. Our practice team can describe the processes we use to provide patients with access to their health information.

► D. Our practice team can demonstrate how patients are informed about our practice’s policy regarding management of their personal health information.

► E. Our practice team can describe the procedures for transferring relevant patient health information to another service provider.

► F. Our practice team can demonstrate how we facilitate the timely, authorised and secure transfer of patient health information in relation to valid requests.

► G. When we collect patient health information for quality improvement or professional development activities, we only transfer identified patient health information to a third party once informed patient consent has been obtained. Amended in May 2013.

► H. Whenever any member of our practice team is conducting research involving our patients, we can demonstrate that the research has appropriate approval from an ethics committee.


Key points

  • Privacy of health information is a legislative requirement
  • The practice needs to have a documented privacy policy for the management of patient health information
  • Patients need to be informed about the practice’s privacy policy
  • Guidelines on Australian Privacy Principles will assist general practices to meet their legal obligations in relation to the collection, use and disclosure of health information.

Personal information and health information

The Privacy Act 1988 applies to personal information. Health information is a particular subset of personal information and can include any information collected to provide a health service, such as a person’s name, address, account details, Medicare number and any health information such as a medical or personal opinion about a person’s health, disability or health status.

Sometimes details about a person’s medical history or other contextual information such as details of an appointment can identify them, even if no name is attached to that information. This is still considered health information and as such it must be protected under the Privacy Act 1988.

Australian Privacy Principles

In March 2014, privacy law reforms introduced the Australian Privacy Principles (APPs) into the Privacy Act 1988. The APPs regulate the handling of personal information by both Australian government agencies and some private sector organisations. The reforms complement the culture of confidentiality that exists in general practice.

Practices should familiarise themselves with the APPs, including the Australian Privacy Principle Guidelines published by the Office of the Australian Information Commissioner. The Guidelines are available at

RACGP Handbook

The RACGP Handbook for the management of health information in general practice (3rd edition) provides further information about safeguards and procedures required by general practices in order to meet appropriate legal and ethical standards concerning the privacy and security of patient records.

RACGP Computer and Information security standards (CISS)

‘Compliance indicators for the Australian Privacy Principles’ is an addendum to the Computer and information security standards (2nd edition) (CISS) and is designed to assist general practice to meet its legal obligations under the APPs. CISS provides a brief explanation of each APP requirement and the steps general practices need to take to ensure compliance.

State privacy legislation

As well as being familiar with the APPs, practices need to be familiar with the relevant state/territory privacy and health records legislation (where relevant) as this will also impact on the way in which practices manage patient health information. For more information visit or the local state equivalent.

Practice privacy policy

The RACGP has developed a privacy policy template for general practices to assist compliance with the requirements of the APPs. The template is titled the APP privacy policy: managing patient health information.

Communicating with patients

A practice’s privacy policy can be made available to patients in a number of ways, including a sign at reception, a separate brochure, a section of the patient information sheet, or a notice/link on the practice website.

The Privacy Act 1988 sets out two compulsory mechanisms for informing patients about how their health information will be used.

  1. A practice privacy policy. Organisations are required to provide this policy on request and commonly satisfy this requirement by making their privacy policy available on their website or on a sign at reception.
  2. A ‘collection statement’ which contains prescribed information, including the following:
  • the identity of the practice and how to contact it
  • the fact information is collected and the circumstances of that collection
  • the fact that patients can access their own health information
  • the purpose for which the information is collected
  • other organisations to which the practice usually discloses patient health information
  • any law that requires the particular information to be collected
  • the main consequence for the individual if important health information is not provided
  • the existence of a supporting privacy policy.

Patient consent

Patient consent should be obtained at an early stage in the process of clinical care. It is important to distinguish between consent to treatment and consent to the handling of patient health information even if such consent processes happen to occur at the same time.

Consent may be written (ideal) or verbal, and may be provided by way of:

  • express consent, such as where the patient signs or clearly articulates their agreement
  • implied (or inferred) consent, where the circumstances are such that it is reasonable to infer the patient has consented.

Transfer of health information

The correct process for transferring patient health information to others, such as other health service providers or in response to third party requests, is outlined in section 2 ‘Use and Disclosure’ in the OFPC Guidelines on Privacy in the Private Health Sector. Practices are advised to contact their insurers if they have any concerns about third party requests for the transfer of patient health information.


Research is an important component of general practice in Australia. Practices are encouraged to participate in research both within their own practice and through reputable external bodies.

If a practice is using de-identified patient health information, there are still some situations in which a practice should obtain informed patient consent, and some situations where informed patient consent is not required. Consent requirements, when using de-identified data, will be decided by a Human Research Ethics Committee.

Further information about research in general practice, including the requirements for ethics approval, can be found in the National Health and Medical Research Council’s (NHMRC) National statement on ethical conduct in human research available at

Quality improvement

For a quality improvement activity to be undertaken within a general practice, where the primary purpose is to monitor, evaluate or improve the quality of healthcare delivered by the practice, ethics approval is not required.

Clinical audits using a tool such as the Clinical Audit Tool (CAT) (see Criterion 3.1.1 Quality improvement activities) or ‘plan, do, study, act’ cycles undertaken within a general practice as part of a quality improvement activity do not require ethics approval. For example, a practice wishing to determine how many of its pregnant patients are given advice on smoking cessation, or how many patients with heart failure are prescribed ACE inhibitors and beta blockers, may complete an audit on their practice data.

In general, a practice’s quality improvement or clinical audit activities for the purpose of seeking to improve the delivery of a particular treatment or service would not be considered a directly related secondary purpose for information use or disclosure. In other words, it is likely the practice would need to seek specific consent for this use of patients’ health information for clinical audit activities.

To ensure patients understand and have reasonable expectations of quality improvement activities, practices are encouraged to include information about quality improvement activities and clinical audits in the practice policy on managing health information. Ideally, express consent for these activities will be obtained upon patient registration.

Disclosure of health information to carers

The disclosure of necessary health information by an organisation to an individual’s responsible person (such as a carer) is permitted by the Privacy Act 1988, provided it is reasonably necessary in the context of providing a health service to that individual, and the individual is physically or legally incapable of consenting or of communicating that consent. If a situation arises where a carer is seeking access to a patient’s health information, practices are encouraged to contact their medical defence organisation for advice before such access is granted.

Practice closures

The correct process for handling patient health information on the closure of a practice can be accessed from the Office of the Australian Information Commissioner at

Other information for Standard 4.2

Related external standards

Some of the standards and criteria in the Standards for general practices are similar to those in broader organisational standards – specifically the QIC Health and community services standards (6th edition) and the International Organization for Standardization’s ISO 9001:2008 (E) (4th edition). Where these similarities occur they are identified. This may reduce the amount of work undertaken to achieve accreditation for both sets of standards.

Be aware, though, that each set of standards has a different purpose and scope. This means that you will need to be familiar with both sets of standards, and their similarities and differences, so that you respond appropriately as well as efficiently to the requirements of each.

The QIC Standards include the following standards that are relevant to Standard 4.2 Management of health information:

1.6 Knowledge management
2.4 Consumer rights

The ISO Standards include the following sections that are relevant to Standard 4.2 Management of health information:

6 Resource management
7 Product realisation

Useful resources

The Standards for general practices includes specific resources for each criterion. The following additional resources may be useful if you wish to enhance your understanding of this Standard or identify any gaps in your service’s policies, processes and procedures. Some of these resources will contain sample policies or templates that have been developed by other health services or support organisations, which you could customise to suit your particular circumstances.

Your state or territory NACCHO affiliate or Medicare Local may provide support and training for health services and general practices seeking accreditation against the Standards.

AGPAL and GPA ACCREDITATION plus have some useful tools and resources – including a fact sheet on information security – on their websites:

GPA ACCREDITATION plus also has a template, Feedback on transfer of medical records, for obtaining information on why the request for transfer was made and practice performance:

The South Eastern Health Providers Association has a very useful set of resources for health services and general practices freely available on its website. These include a Policy and procedure manual (2011), designed to align with the Standards for general practices:

The Privacy Amendment (Private Sector) Act 2000 extends the 1988 legislation to cover the private health sector throughout Australia. Ten national privacy principles form part of the legislation and promote greater openness between health service providers and consumers in relation to the handling of health information. Privacy in the private health sector (2001), published by the Office of the Federal Privacy Commissioner, is a set of guidelines that aims to help health service providers comply with the national privacy principles. Section 2, Use and disclosure, sets out the correct process for transferring patient health information to others, such as other health service providers or in response to third-party requests.

The RACGP Handbook for the management of health information in private medical practice sets out minimum safeguards and procedures to be followed to meet appropriate legal and ethical standards concerning privacy and security of patient records:

Relevant state and territory privacy legislation is available at:

The Aboriginal Health and Medical Research Council’s Ethics Committee has published its Guidelines for research into Aboriginal health – key principles:

The NSW Aboriginal health information guidelines were published to ensure consistency and good practice in the management of health and health-related information about Aboriginal peoples in NSW:

The NHMRC website has a downloadable publication, National statement on ethical conduct in human research (2007, updated 2009):

The NHMRC publication Keeping research on track: a guide for Aboriginal and Torres Strait Islander peoples about health research ethics is a resource document for Aboriginal and Torres Strait Islander peoples to refer to when making decisions about health research in their communities:

Services with AGPAL accreditation can access a range of resources on information security at:

The RACGP Computer and information security standards and workbook is available at:
