Do you need your own privacy policy?

Having a privacy policy is a legal obligation in many circumstances. Understandably, when it comes to health information, the importance of a solid privacy policy becomes even greater.

The Australian Privacy Principles generally apply to private sector organisations of a certain size (revenue more than $3,000,000).

Health information is regarded as one of the most sensitive types of personal information. As a result, all organisations that provide a health service are covered by the Privacy Act regardless of whether they are above or below the threshold that would ordinarily apply. A “health service” includes any activity that involves:

  • assessing, recording, maintaining or improving a person’s health; or
  • diagnosing or treating a person’s illness.

Even so, for these smaller organisations the Privacy Act applies only in respect of health information. “Health information” includes any information collected about a person’s health or disability and any information collected in relation to a health service a person has received. It includes such things as:

  • the symptoms described by a patient or the provider’s observations of the patient’s health
  • prescriptions
  • billing details
  • pathology reports, such as those relating to blood samples and X-rays
  • dental records
  • Medicare number
  • private hospital and day surgery admission and discharge records
  • genetic information – perhaps following a genetic or paternity test
  • other sensitive information about things such as race, sexuality or religion when it’s collected by a health service.

So the definition is pretty broad. Information required for processing accounts would be caught by the third bullet point (billing details). A healthcare identifier is a unique 16-digit number used to identify individuals under the personally controlled electronic health (eHealth) record system. It is different to a Medicare card number.

So what are the risks?

The main risk with failing to have a privacy policy is the potential for litigation. As discussed in our last blog (see here), if health information is not stored appropriately or safely, there is a risk that it can be exposed to unauthorised persons. Health information is highly sensitive, therefore the consequences of inappropriately handled information are severe.

The need here is obvious: specialist doctors in private practice should follow best practice principles and have a privacy policy if they are storing patient data.

What’s not so obvious is where to source one. Sourcing a template online might seem like a fast and easy solution, but there may be loopholes that can go unnoticed if not looked over by someone with expertise in this area. Conversely, approaching a legal professional to create one is a costly option and can take some time.

Another option, of course, is an outsourced administration provider. All outsourced administration services should have a privacy policy that covers all of their clients, particularly if they are storing customer health data on your behalf. If the administration provider also holds all your patient data, you won’t be liable if anything should go wrong.

Are you currently adhering to best practice when it comes to managing health data privacy? If you outsource your administration, does your provider have a privacy policy that covers you?

If you would like any further clarification on how the absence of a privacy policy affects your practice, you can reach out to me directly at, or by leaving a comment below. I have also left some links below as a resource for more information.

I look forward to hearing your thoughts on the matter.
