Can a private hospital use or disclose my health information for its own business or management purposes without my consent?
Yes, there are some circumstances where the Privacy Act allows your health information to be used by private hospitals to manage how they provide health care. The same applies to other health service providers in the private sector, like GPs, specialists and pharmacists.
Generally, private hospitals can only use your health information to treat the condition you have been admitted for. However, there are some exceptions to this.
One of these exceptions is that your health information can be used or disclosed for 'directly related purposes' that are within your 'reasonable expectations'.
Purposes 'directly related' to your care
Health service providers conduct a range of activities that aren't done to provide you with your immediate care. While circumstances vary, many of these activities may still be 'directly related' to your care and within your 'reasonable expectations'.
Some examples of 'directly related' purposes might include:
- reporting and discussing hospital accidents with experts and administrators to help ensure that something similar doesn't happen again
- showing medical records to authorised auditors to help maintain best practice and avoid mistakes in health service delivery (e.g. patients getting the wrong medicine)
- using or disclosing health information for health service accreditation
- using health information to help plan how best to provide care, or simply to administer their business (e.g. billing you for the care you have received), although these activities will not always need detailed clinical information, such as your diagnosis or test results.
As many of these activities are necessary for the ordinary running of the health service, they are directly related to providing you with health care. And because the community expects that the health care system will meet high standards of quality and safety, many of these activities will also fall within patients' reasonable expectations.
Purposes not directly related to your care
There are other activities which will not be directly related to your care. Providers generally need your consent to use or disclose your health information for these activities, unless another provision of the Privacy Act permits them. These activities include:
- direct marketing or fundraising
- training, unless the training forms part of your treatment
- medical research.
Questions or complaints
If you think that a health service provider has used or shared your information for reasons they shouldn't have, you may be able to make a complaint.