Health information is highly sensitive, and Australia's privacy law extends to health information a higher level of protection than other forms of personal information. Yet the existing health privacy guidance in Australia is also considered to be outdated and overly complex. The release of the new health privacy guidance by the Office of the Australian Privacy Commissioner (OAIC) should provide greater clarity for health care providers and consumers.

Currently in Australia, health information, which is broadly defined to capture any information or opinion about an individual's health, is protected under various federal, state and territory laws, including the Privacy Act 1988 (Cth). Navigating the myriad requirements with overlapping regulatory perimeters, and with areas of inconsistency between various jurisdictions, can be a difficult task for health service providers operating across Australia. It can be even more difficult for consumers who are, understandably, protective of their health information. The development and release by the OAIC of a series of new draft health privacy resources for health service providers and consumers (the Guidance) for public comment is a timely and welcome move.

The Guidance

The Guidance reflects last year's changes to the Privacy Act 1988 (Cth), including the introduction of the Australian Privacy Principles (APPs) and, when finalised, will replace the OAIC's existing health privacy guidance for providers and consumers. The Guidance will supplement the APPs, focusing on information that is of value to the health and research sector, and those matters which arise most frequently in that sector.

The Guidance comprises 11 new business resources designed to assist health service providers in the process of handling health information. The business resources cover a range of topics, offering practical tips to facilitate health providers' compliance with the APPs. The information includes advice on:

  • Key health privacy concepts, including the meaning of 'health information' and 'health service provider'
  • How health information should be collected, used and handled, including any consents required (and any exceptions)
  • When and how health information can be corrected or disclosed, including examples of excess access charges
  • How to process and respond to patient and other requests to access health information, including when access can be refused
  • How a change of business circumstances or closure of a health service impacts privacy obligations, and
  • The circumstances where health information can be collected, used or disclosed for one of the following purposes:  
    • health management activities
    • research
    • to lessen or prevent a serious threat to the life, health or safety of genetic relatives, and
    • where the patient is unable to provide consent.

The Guidance also comprises two new fact sheets for consumers, which not only inform consumers of their rights in relation to the privacy of their health information but also explain the key concepts and answer basic questions about when a provider can collect and access health information. The fact sheets also detail the circumstances where health providers are required to obtain patient consent, together with information on how consumers can make a complaint in relation to a health provider's failure to comply with the APPs.

The Guidance also provides significant information on the interaction of health service providers' privacy obligations and the Privacy Act 1988 (Cth). In addition, the Guidance indicates when additional State and Territory obligations may apply. For example, the Guidance provides that, pursuant to the NSW Public Health Act 2010, health service providers are required to record information about patients with certain medical conditions, such as AIDS, malaria and measles, and notify the NSW Department of Health. However, the information detailing the State and Territory privacy obligations is comparatively limited and in many instances directs the health service provider to other resources where they can further investigate any additional privacy requirements.


The OAIC is seeking public comments on the Guidelines from health industry groups, health service providers, individuals with an interest or expertise in the health industry, health consumers, or any other interested parties by Tuesday 20 October 2015. The OAIC is seeking responses to some or all of the general questions below:

  • Is any of the content unnecessary? Is any additional content needed?
  • Are the guidance materials easy to read?
  • Is the layout presented clearly, and in a way that is likely to be useful to health service providers and health consumers?
  • Are there any other ways in which the material could be enhanced?

In addition to the above, the OAIC has asked stakeholders to raise any other specific issues regarding the resources.

More information on the Guidelines, including how to make comments, can be found on the OAIC website.