- Advice Summaries
- Case Notes
- Codes of Conduct
- Compliance Notes
- Fact Sheets
Information Sheet (Private Sector) 24 - 2008: Disclosure of health information and impaired capacity
The Privacy Act and Impaired Capacity
There will often be times where a patient is unable to give consent to the disclosure of their health information to loved ones.
Under the federal Privacy Act, doctors and other health service providers may share the information of an incapacitated patient with family, a partner or others 'responsible' for the patient - either to provide care or treatment, or for compassionate reasons. However, such disclosures may not go against a patient's known wishes.
Who is a 'responsible' person?
A person 'responsible' for a patient is defined in National Privacy Principle 2.5. It includes: a spouse, de facto or partner; a parent or guardian; a child over 18 years; a relative who lives with the patient; an emergency contact; or someone with a health-related 'enduring power of attorney' (a legal document that allows someone to handle certain affairs, even if the patient loses mental capacity).
What does provision of care or compassionate reasons include?
Provision of care or treatment may include where a health service provider, such as a doctor or nurse believes they should give relevant information to family members who will be caring for a patient, for example, after discharge from a private hospital.
Compassionate reasons may include updating family members or an emergency contact about the condition or progress of an unconscious patient.
How much information can be shared?
Providers should only share as much health information as is necessary for appropriate care or treatment, or for compassionate reasons. The patient's known wishes should also be respected, unless another Privacy Act exemption permits disclosure (see 'Other disclosures' below).
Discretion is with the provider
The Privacy Act permits this type of disclosure, but it does not require it - the discretion is left with the health service provider. This situation is distinct from a request for access to information by a patient's legal representative.
Other disclosures where the patient's decision making capacity is impaired
This information sheet also outlines other circumstances where a health service provider may disclose health information about a patient who is unable to consent. This includes where a law requires or authorises disclosure (such as under a guardianship order), or where there is a serious and imminent threat to an individual's life, health or safety.
For guidance on individual rights of access to information under the Privacy Act, please see the Office's Information Sheet 4. Otherwise, read on for further information and see the resources at the end of this Information Sheet.
Who is this information sheet for?
This information sheet is relevant to all health service providers in the private sector ('providers'). This includes:
- general practitioners;
- mental health professionals;
- other board-accredited specialists;
- private hospitals;
- nurses; and
- allied and complementary health providers.
All providers must comply with the 10 National Privacy Principles ('NPPs') contained in the Privacy Act 1988 (Cth) ('Privacy Act').
Health service providers in the state and territory public sectors (such as public hospitals and their staff) are not bound by the NPPs, but may have to comply with state and territory privacy laws.
What is this information sheet about?
This information explains the circumstances in which a patient's health information may be disclosed to relatives and others, where the patient lacks the capacity to consent to the disclosure or capacity is impaired.
The Privacy Act is intended to ensure adequate privacy protections for incapacitated individuals, while permitting information handling practices that align with community expectations and which are, overall, intended to benefit the individual.
This information sheet does not deal with the collection of health information by organisations, nor does it address how an organisation should generally deal with individuals with impaired capacity in other contexts. The information sheet deals with decisions regarding the disclosure of health information - it does not relate to making decisions regarding medical treatment.
What is 'personal information' and 'health information'?
Briefly, 'personal information' is information about a living individual whose identity is apparent, or can be reasonably ascertained. 'Sensitive information' is a defined sub-category of personal information, and it includes 'health information'. Any personal information held by a provider is likely to be 'health information' under the Privacy Act. The full definition of 'health information' is attached at the end of this information sheet.
Use and disclosure under National Privacy Principle 2 (NPP 2)
In general terms, 'use' refers to the handling of an individual's personal information inside an organisation. 'Disclosure' involves the release of that information to someone outside the organisation (apart from the individual themselves).
Generally under the Privacy Act, a patient's health information may only be disclosed for:
- the primary purpose for which it was collected;
- a directly related purpose that the patient would reasonably expect; or
- another purpose with the patient's consent.
Further NPP 2 exceptions permit disclosure without an individual's consent in other limited circumstances. These include where the disclosure is:
- required or authorised by law (such as a court order or mandatory disease notification); or
- necessary to lessen or prevent a serious and imminent threat to life, health or safety (or a serious threat to public health and public safety).
Disclosure for treatment or compassionate reasons where the individual lacks capacity to consent
The NPPs also make provision for situations where a patient may not be able to give or communicate their consent, but where there may be a community expectation that health information should be shared in a limited way.
NPP 2.4 permits (but does not compel) a provider to disclose health information in limited circumstances where:
- the patient is unable to give consent; and
- the disclosure does not go against the patient's known wishes.
In addition, NPP 2.4 only permits a disclosure:
- to ensure the individual receives appropriate care or treatment; or
- where it is for compassionate reasons.
NPP 2 also sets out who such a disclosure might be made to, and includes a spouse, a parent, or a child of the individual at least eighteen years of age, a guardian, a close relative or close friend.
These provisions are attached at the end of this information sheet, and further explanation of the terms used in these provisions is provided below.
1. Who can rely on this exception?
This exception may be used by organisations that provide a health service. 'Health service' is defined in the Privacy Act to include an activity that is intended or claimed by the individual, or person performing it, to assess, record, maintain or improve the person's health, or to diagnose or treat illness or disability.
2. What does it mean to be physically or legally incapable of giving consent?
NPP 2.4 only operates where an individual is 'physically or legally incapable' of providing consent, or cannot communicate that consent. Consent means voluntary and informed agreement.
A patient may be physically or legally incapable of providing consent if they cannot understand the issues relating to the decision, and then form a view based on reasoned judgment.
This is different to being physically incapable of communicating their decision to give or withhold consent, which is discussed at point 3 below.
Impairment to an individual's capacity to consent may be a permanent or a temporary condition. In some cases, it may only affect an individual's decision-making ability some of the time, such as where an individual has a particular mental illness which may be episodic in nature. Impact on an individual's decision-making ability may also be incremental, such as with some dementias. However, it may be that the individual can make decisions about the handling of their information if they are provided with the necessary support.
In applying NPP 2.4, providers should draw on their professional judgement to determine whether an individual is capable of giving informed consent.
3. What is the difference between when an individual is "physically or legally incapable of giving consent to the disclosure" and when an individual "physically cannot communicate consent to the disclosure"?
The Office considers that the important distinction here is between whether an individual is able to understand the issues and form a reasoned judgement, and whether an individual is able to physically communicate their decision.
By separating these factors, NPP 2.4 anticipates that there may be circumstances where an individual cannot communicate their consent, but may in fact be capable of making decisions about the handling of their information. In these circumstances, NPP 2.4 will permit a health service provider to disclose information to a responsible person without having to form a view as to the individual's capacity.
4. What information may be disclosed?
Where the criteria established in NPP 2.4 are satisfied, the provider organisation may disclose health information about the patient to a person who is 'responsible' for the patient. However, the information that may be disclosed must be limited to the information that is reasonable and necessary:
- to ensure the provision of appropriate care or treatment; or
- to satisfy a compassionate reason (NPP 2.4(d)).
A provider may disclose health information about prescribed medications to a relative of a dementia patient, where that relative provides care to the patient at home and needs to know the information to provide that care. However, it is unlikely to be necessary to disclose information about previous sexual health procedures that the patient has undergone.
It should be noted that the meaning of 'responsible person' is set out in NPP 2.5 and NPP 2.6 and discussed below at point 10.
5. Who must be satisfied that the disclosure is necessary or appropriate for care, treatment or compassionate reasons (NPP 2.4(b))?
There are a number of elements of NPP 2.4 which must be met before the disclosure of health information is permitted. One element is that the person (not the organisation) who is providing the health service for the organisation (the 'carer'), must be satisfied that the disclosure is necessary to provide appropriate care or treatment of the individual, or that the disclosure is for a compassionate reason.
The person who is providing the health service for the organisation could be an employee of the organisation or, for example, a locum or visiting medical officer.
As noted above, NPP 2.4(b) uses the term 'carer' to refer to the person providing the health service. This should not be confused with the common use of 'carer' (meaning a family member or close friend). The person required to be satisfied under NPP 2.4(b) is the person providing a health service, such as a doctor, nurse or pharmacist.
This is to ensure that the carer who exercises the discretion to disclose information has an adequate clinical understanding of the circumstances. For example, it would not be appropriate for administrative or managerial staff to assess a patient's decision making capacity, or to make judgement about whether various disclosures would be necessary to afford appropriate care.
6. What does it mean to say that the disclosure is 'necessary' for care or treatment in NPP 2.4(b)(i)?
The Office interprets 'necessary' in a practical sense. If the individual's ongoing care cannot in practice be ensured without disclosing the information, then the disclosure would be considered necessary for that purpose. Generally speaking, to be necessary, the disclosure need not be critically essential, but it must be more than just useful or convenient.
A disclosure necessary for care or treatment could include an occupational therapist telling a sibling, who provides care in the home, about aspects of a patient's current physical condition. The information might cover limitations to the patient's physical and cognitive abilities, in order to explain how to carry out certain personal care tasks.
7. What would 'compassionate reasons' include?
NPP 2.4(b)(ii) permits the disclosure of information for compassionate reasons where the patient cannot consent, where all the other elements of NPP 2.4 are met.
A disclosure for compassionate reasons could include a doctor telling a patient's partner about the extent of the patient's injuries and their prognosis following a car accident.
It could also include disclosing information to someone who the patient has nominated as an emergency contact, as long as reasonable steps are taken to verify that person's identity.
As noted above, disclosures should be limited to that which is reasonable and necessary to achieve the purpose (NPP 2.4(d)).
8. Do a patient's wishes in NPP 2.4(c) have to be in writing?
There is no requirement that the patient's wishes or preferences for (non)disclosure to relatives and others must be in writing.
An individual may express a wish while they are competent, in anticipation of no longer being able to make decisions about their health information. Discussing these matters may be particularly useful for individuals with a degenerative condition which will eventually lead to a lack of capacity. This allows the patient to have some control over how their information will be handled in the future.
The patient's wishes would be unlikely to override a guardianship order or other relevant legal authority, unless that guardianship order or other legal authority is limited or makes reference to the patient's wishes. This is because, in such circumstances, the disclosure would be made under NPP 2.1(g), which does not expressly include reference to the patient's wishes.
9. What is a wish that the 'carer could reasonably be expected to be aware' of in NPP 2.4(c)(ii)?
As noted in 5. above, under NPP 2.4(b), the 'carer' is the person who is providing care or treatment to the patient on behalf of the health service provider.
Circumstances where the individual health service provider could be expected to be aware may include where the wish is included on the patient's medical record. If the wish had been expressed previously, and recorded for the future handling of the patient's information, the carer could be expected to be aware of the wish. Such wishes may also have been expressed verbally during normal clinician-patient consultations prior to the individual losing capacity.
10. To whom can the information be disclosed? Who is a person 'responsible' for a patient?
In brief, the following people are defined as 'responsible' for an individual:
- a spouse, de facto, or a person who has an intimate personal relationship with the individual;
- a parent or guardian;
- a child over 18 years;
- a relative who lives with the patient;
- an emergency contact; or
- someone with sufficient authority under an 'enduring power of attorney' (a legal document that allows someone to handle certain affairs, even if the patient loses mental capacity).
Whether someone can be deemed a 'responsible person' under some of these provisions, will be a judgement based on the facts of each case.
Depending on the circumstances, 'a person who has an intimate personal relationship with the individual' may include a same-sex partner, someone in a close relationship or close friendship with the individual, or a companion or personal carer of the individual.
The Privacy Act does not specify that a parent must be a 'custodial parent'.
Disclosure of information to a person 'responsible' for an individual in this sense does not, of itself, mean someone with responsibility to make decisions regarding medical treatment for the individual.
If a health service provider is unsure as to nature of the relationship between the patient and the other person, they should generally err on the side of not disclosing the patient's health information until they know more about the relationship.
11. Intermittent capacity
Some individuals, such as those with an episodic mental illness, may have capacity some of the time, and at other times, be unable to make decisions about the handling of their information. It will fall to the carer (staff) to determine whether a patient has capacity to make a decision at the relevant time, or whether it is necessary to disclose the patient's information to a person responsible for them. In these circumstances it is particularly important to ensure that only the information necessary for treatment, care or compassionate reasons is disclosed to the 'responsible' person.
Once the patient regains capacity, it will generally be good practice to tell them that the disclosure has occurred.
12. Gradual incapacity
Some individuals may lose capacity gradually, such as patients with dementia. For a period of time, they may be able to make decisions about the handling of their information if they are given assistance. The provider needs to determine whether the individual has capacity to make a decision, or whether it is appropriate to disclose the individual's information to a person responsible for them.
If incapacity can be anticipated, it may be helpful to discuss the patient's wishes before this point.
13. Can a decision made by a health service provider under NPP 2.4 be challenged?
NPP 2.4 gives providers the discretion to disclose information in particular circumstances. It does not establish a right to obtain information about the individual, exercisable by a person 'responsible' for them. As such, there is no compulsion to disclose the individual's information, even where a person who fits a description in NPP 2.5 considers that the provider may do so.
If a provider decides not to disclose information about an individual, and the person responsible for the individual disagrees, there is no right to challenge the health service provider's decision under the Privacy Act. This is distinct from a legal representative requesting access on the individual's behalf.
If a provider decides to disclose the information about a patient to a 'responsible' person, and the patient, or a legal representative believes the disclosure was inappropriate (for example, where the conditions in NPP 2.4 were not met), they should complain directly to the health service provider in the first instance. If they are dissatisfied with the response, they may complain to this Office. See the Office's How To Complain page for more information.
Disclosures to guardians, administrators, and under powers of attorney
NPP 2.1(g) permits use or disclosure where it is required or authorised by law. In this sense, 'law' includes Commonwealth, State and Territory legislation as well as common law.
If a law requires that a health service provider use or disclose information, the provider must do so. Generally, a disclosure is required if there is some form of penalty or fine for not disclosing that information. This may include mandatory reporting of child abuse (under care and protection laws), or the notification of diagnoses of certain communicable diseases (under public health laws). Disclosure must also occur if there is a warrant requiring the health service provider to do so.
If the law authorises the use or disclosure of information, the health service provider can decide whether to do so. There is no compulsion to use or disclose the information, but if they choose to use or disclose the information, it will not be an interference with privacy under the Privacy Act.
Disclosures in the health sector, under this provision, would include those to guardians or administrators (depending on the decision-making powers conferred upon them) and to guardianship, administration and mental health tribunals. It is possible that this would also apply where an enduring power of attorney is held, depending on the particular wording of the authority. It may be relevant to consider whether the authority extends to decisions regarding medical treatment and the handling of health information. This section would not permit disclosures to carers or family members who were not legally empowered to act on the individual's behalf, unless another law authorises the disclosure.
For more information on this see Information Sheet 7.
- National Privacy Principles
- Guidelines to the National Privacy Principles
- Guidelines on Privacy in the Private Health Sector
- Frequently Asked Questions on Health
- How to Complain
Some relevant extracts from the Privacy Act
NPP 2.4-2.6 Disclosure of health information to a person 'responsible' for an individual (extracted from the National Privacy Principles, Schedule 3 of the Privacy Act)
2.4 Despite subclause 2.1 [of NPP 2], an organisation that provides a health service to an individual may disclose health information about the individual to a person who is responsible for the individual if:
- (a) the individual:
- (i) is physically or legally incapable of giving consent to the disclosure; or
- (ii) physically cannot communicate consent to the disclosure; and
- (b) a natural person (the carer) providing the health service for the organisation is satisfied that either:
- (i) the disclosure is necessary to provide appropriate care or treatment of the individual; or
- (ii) the disclosure is made for compassionate reasons; and
- (c) the disclosure is not contrary to any wish:
- (i) expressed by the individual before the individual became unable to give or communicate consent; and
- (ii) of which the carer is aware, or of which the carer could reasonably be expected to be aware; and
- (d) the disclosure is limited to the extent reasonable and necessary for a purpose mentioned in paragraph (b).
2.5 For the purposes of subclause 2.4, a person is responsible for an individual if the person is:
- (a) a parent of the individual; or
- (b) a child or sibling of the individual and at least 18 years old; or
- (c) a spouse or de facto spouse of the individual; or
- (d) a relative of the individual, at least 18 years old and a member of the individual's household; or
- (e) a guardian of the individual; or
- (f) exercising an enduring power of attorney granted by the individual that is exercisable in relation to decisions about the individual's health; or
- (g) a person who has an intimate personal relationship with the individual; or
- (h) a person nominated by the individual to be contacted in case of emergency.
2.6 In subclause 2.5:
- child of an individual includes an adopted child, a step-child and a foster-child, of the individual.
- parent of an individual includes a step-parent, adoptive parent and a foster-parent, of the individual.
- relative of an individual means a grandparent, grandchild, uncle, aunt, nephew or niece, of the individual.
- sibling of an individual includes a half-brother, half-sister, adoptive brother, adoptive sister, step-brother, step-sister, foster-brother and foster-sister, of the individual.
Definition of 'health information' (under section 6 of the Privacy Act) health information means:
- (a) information or an opinion about:
- (i) the health or a disability (at any time) of an individual; or
- (ii) an individual's expressed wishes about the future provision of health services to him or her; or
- (iii) a health service provided, or to be provided, to an individual;
- that is also personal information; or
- (b) other personal information collected to provide, or in providing, a health service; or
- (c) other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances; or
- (d) genetic information about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual.
Definition of 'health service' (under section 6 of the Privacy Act) health service means:
- (a) an activity performed in relation to an individual that is intended or claimed (expressly or otherwise) by the individual
or the person performing it:
- (i) to assess, record, maintain or improve the individual's health; or
- (ii) to diagnose the individual's illness or disability; or
- (iii) to treat the individual's illness or disability or suspected illness or disability; or
- (b) the dispensing on prescription of a drug or medicinal preparation by a pharmacist.
Private Sector Information Sheets
Information sheets are advisory only and are not legally binding. The National Privacy Principles in Schedule 3 of the Privacy Act do legally bind organisations.
Information sheets are based on the Office of the Privacy Commissioner's understanding of how the Privacy Act works. They provide explanations of some of the terms used in the NPPs and good practice or compliance tips. They are intended to help organisations apply the NPPs in ordinary circumstances. Organisations may need to seek separate legal advice on the application of the Privacy Act to their particular situation. Nothing in an information sheet limits the Privacy Commissioner's ability to investigate complaints under the Privacy Act or to apply the NPPs in the way that seems most appropriate to the facts of the case being dealt with. Organisations may also wish to consult the Commissioner's guidelines and other information sheets.
Office of the Privacy Commissioner
Privacy Enquiries Line 1300 363 992 - local call (calls from mobile and pay phones may incur higher charges) TTY 1800 620 241 - no voice calls; Fax + 61 2 9284 9666; GPO Box 5218, Sydney NSW 2001.
Private Sector Information Sheet 24
Web HTML, Word and PDF published March 2008
Â© Commonwealth of Australia 2008
 These include physiotherapists, chiropractors, occupational therapists, speech therapists and others. For more information see www.privacy.gov.au/materials/types/guidelines/view/6517#a21.