Obtaining patient consent to the collection of health information
17 May 2016
If you are a health service provider, all personal information that you collect about an individual to provide, or in providing, a health service to that individual is classified as health information for the purposes of the Privacy Act.
You are considered a health service provider if you provide a health service and hold health information, even if providing a health service is not your primary activity.
A health service is defined broadly in the Privacy Act and includes activities intended to assess, maintain or improve an individual’s health, to record a person’s health, and the dispensing of prescription drugs by a pharmacist.
The Privacy Act regulates how all private sector health service providers handle health information and applies regardless of financial turnover.
The Privacy Act imposes stricter requirements on health service providers when they collect information, including an obligation to obtain consent from patients to the collection of their health information.
How do you obtain consent?
How do you obtain consent? Is the consent that you obtain quality consent?
Health service providers should have systems and procedures in place to obtain and record their patients’ consent to minimise the potential for allegations that information was collected improperly.
Obtaining consent is not a ‘one size fits all’ approach, and a strategy for obtaining consent must be developed having regard to each situation where health information is collected.
When consent is necessary
As a general rule, you may only collect health information where you have the patient’s consent to do so. Consent may be express or implied.
However, consent may not be required if:
- the collection is required or authorised by an Australian law or court order;
- collection of the information is necessary to prevent a serious threat to life, safety or health; or
- the information is necessary to provide a health service to the individual, and the collection is performed in accordance with the rules of a competent health or medical body (for example, the Medical Board of Australia or the Royal Australian College of General Practitioners).
Quality of consent
Where consent is necessary, it must be:
- informed: patients should be aware of the implications of their decision to provide or withhold consent, for example, whether certain health services will not be available to them;
- voluntary: a patient should have a genuine opportunity to either provide or withhold their consent;
- given by a patient with capacity; and
- current and specific: consent must not be assumed to endure indefinitely. Consent should relate to a purpose for collection (e.g. the provision of medical services), and providers should describe this purpose clearly.
Consent is often given expressly (for example, when a patient signs a consent statement on the patient registration form), but it can also be implied.
Consent may be implied where the conduct of the patient and the provider gives rise to a reasonable inference that the patient consents to the collection of their information, for example, when a patient presents for a health service and gives the provider the relevant information.
However, providers should be cautious in seeking to infer consent from the silence of a patient or from the patient’s failure to ‘opt-out’. The Office of the Australian Information Commissioner advises that providers should generally seek express consent before handling health information, given the greater privacy impact this could have.
We can help your health service business become privacy compliant, including by developing a seamless and transparent strategy for obtaining consent.
This week marks OAIC Privacy Awareness Week. Continue the conversation: #2016PAW