What is a health service provider?
For the purposes of the Privacy Act, the provision of a health service occurs where the activity performed is intended or claimed by the individual or person performing it:
- “to assess, maintain or improve the individual’s physical or psychological health; or
- to manage the individual’s physical or psychological health; or
- to diagnose the individual’s illness, disability or injury; or
- to treat the individual’s illness, disability or injury or suspected illness, disability or illness; or
- to record the individual’s physical or psychological health for the purposes of assessing, maintaining, improving or managing the individual’s physical or psychological health”.
Further, the “dispensing on prescription of a drug or medicinal preparation by a pharmacist” is a health service.
Examples of a health service provider as outlined by the Office of the Australian Information Commissioner (“OAIC”) can include a “medical practitioner, private aged care, radiology services, a dentist, a pharmacist, an online health service and a gym or weight loss clinic”, where they provide a health service to another individual and hold any health information in relation to the individual.
What is health information?
Health information is any personal information, including an opinion, about an individual’s:
- “health, including an illness, disability or injury; or
- expressed wishes about the future provision of health services to the individual; or
- health service provided, or to be provided, to an individual”.
As outlined by the OAIC, this can include “notes of your symptoms or diagnosis, information about a health service you’ve had or will receive, dental records, your wishes about future health services and appointment and billing details”.
What are your obligations?
If you or your business is a health service provider and holds “health information” as defined under the Privacy Act, then you will need to consider how you handle personal information in accordance with the Privacy Act.
The Privacy Act provides that an APP entity which is subject to the Privacy Act must not do an act, or engage in a practice, that breaches the Australian Privacy Principles (“APPs”). Failure to comply with the Privacy Act or the APPs can result in an “interference with the privacy of an individual” and lead to regulatory action and penalties.