Why this matters for your practice
Health information is the reason a medical practice is fully bound by the Privacy Act. It is treated as sensitive information, the most protected category, and the fact that you hold it is what removes the small-business exemption: any organisation that provides a health service and holds health records is covered, no matter how small. Almost every clinical note, test result, referral, and care plan you hold is health information, so the strongest privacy rules apply to the bulk of your records.
Knowing precisely what counts as health information helps a practice apply the right consent, security, and retention rules.
What counts as health information
Health information includes:
- Information or an opinion about a person's physical or mental health, or disability.
- Information about a health service provided, or to be provided, to a person.
- Other personal information collected to provide a health service, such as a patient's history.
- Genetic information that is predictive of health, and some body donation information.
Because it is collected to provide a health service, even administrative details gathered in that context can take on the protections of health information.
Why it is treated as sensitive information
As sensitive information, health information attracts stronger rules than ordinary personal information:
- It generally cannot be collected without consent, and then only when the collection is reasonably necessary.
- It has tighter use and disclosure limits.
- It demands robust security (APP 11), which underpins your data breach obligations.
Retention and access
Health information is also subject to retention rules, which vary with state health records legislation and the age of the patient. Patients also have a right to access their own health information, and a practice must respond to such requests within set timeframes.
Common mistakes
- Assuming only clinical notes are health information. Information collected to provide care can be too.
- Collecting without consent or beyond what is reasonably necessary.
- Destroying records too early, breaching retention requirements.
- Underprotecting it, treating security as optional rather than an APP 11 duty.
Frequently Asked Questions
What is health information under the Privacy Act?
Health information is information or an opinion about a person's health, disability, or the health services they have received, including clinical records. It is a subset of sensitive information, the most protected category of personal information under the Privacy Act 1988.
Is health information the same as personal information?
Health information is a type of personal information, but it is also classed as sensitive information, which attracts stronger protections. It generally cannot be collected without consent and requires tighter security, use, and disclosure controls than ordinary personal information.
How long do I have to keep health records?
Retention periods depend on state health records legislation and the patient's age, and are generally measured in years after the last entry or after the patient reaches adulthood. Practices should follow the rules in their state and their records management policy rather than destroy records early.