Legal bag - privacy and confidentiality

Understanding the legal principles of privacy and confidentiality

As a healthcare professional, you are required to interpret legal frameworks and to use your technical training and professional judgement to assess and treat a myriad of medical conditions. Privacy and confidentiality are two aspects of your legal obligations that determine what you are and are not allowed to do with the information confided to you by your patients.

AHPRA Code of conduct references

4 Working with patients

4.4 Confidentiality and privacy

Patients have a right to expect that doctors and their staff will hold information about them in confidence, unless release of information is required or permitted by law. Good medical practice involves:

  • 4.4.1 Treating information about patients as confidential.
  • 4.4.2 Appropriately sharing information about patients for their healthcare, consistent with privacy laws and professional guidelines about confidentiality.
  • 4.4.3 Accessing an individual’s medical record only when there is a legitimate need.
  • 4.4.4 Using consent processes, including forms if required, for the release and exchange of health information.
  • 4.4.5 Being aware that there are complex issues related to genetic information and seeking appropriate advice about its disclosure.
  • 4.4.6 Ensuring that your use of digital communications (e.g. email and text messages) and social media is consistent with your ethical and legal obligations to protect patient confidentiality and privacy and the Board’s social media guidance.

Privacy Act 1988 (amended 2014)

Australian Privacy Principles (APPs) apply to all health services providers. These mainly relate to:

  • collection 
  • access 
  • storage of data 
  • provision of information to third parties. 

Most relevant issues

  • Health providers must maintain a compliant, accessible privacy policy
  • Have documented practices, policies and procedures
  • There are new enhanced penalties & investigatory powers under the Act where there is:
    • a serious interference with the privacy of an individual
    • a practice that repeatedly interferes with privacy (e.g. disclosing sensitive information to another business)

Key strategies

  • Ensure all requests for patient information are in writing, contemporaneous and confirm the authority under which they are made
  • Ensure the reason for the request is obtained
  • Never respond verbally to such requests
  • Always obtain advice from your supervisors, employer, hospital legal adviser and/or MIPS
  • Contemporaneously document your actions and responses
  • Copy any documents and keep originals 
  • All obligations of confidence (codes and the law) work in a similar fashion and overlap
  • Always be vigilant in how and what personal information is released and to whom
  • Ensure your practice staff (clinical and others) are trained adequately in the essential aspects of privacy and confidentiality - and the possible harms from breaches
  • Ensure your practice complies with its practice privacy policy
  • If you have any concerns or suspicions as to why records are requested, investigate further and advise MIPS.

Tips for dealing with law enforcement

Do not provide medical information to police or these other similar entities unless: 

  • you have the patient’s consent/permission
  • there is a search warrant, subpoena or other court order.

In all cases:

  • compliance is required, and action must be taken in a timely manner.
  • this is the law & is allowed under APP6 - Use & disclosure of personal information.

A warrant, subpoena or court order is a forced-disclosure defence to breaching your patient's confidence.

Situations where you can disclose information

  1. Public health laws - infectious diseases, STDs, AIDS, BAC, fitness to drive, child abuse, drug-dependent patients.
  2. To reduce or avoid a serious and imminent threat to life or health, or to public safety or health
Medical Board Good Medical Practice - a code of conduct for doctors in Australia