Requirements for Information Communication (2007 Edition)

Use and disclosure of information

Page last updated: 14 January 2008

Standard

S1.5
A laboratory must not use or disclose an individual’s health information, including results, except for the primary or directly related secondary purpose for which the information and/or results were collected or produced. In certain circumstances, such information may be used for non-directly related secondary purposes.

Commentary

C1.5a
Use refers to the handling of information within an organisation whereas disclosure refers to transfer of information outside the organisation.
C1.5b
The primary purpose is the main reason that an organisation collects or acquires health information or test results from an individual (e.g. to make a diagnosis).
C1.5c
A directly related secondary purpose may include activities necessary for the proper functioning of the laboratory, and will usually be closely bound to the primary purpose (e.g. seeking of a second opinion, billing or debt recovery, disclosure to a medical defence organisation when reporting an adverse incident). Directly related secondary purposes would not normally require special circumstances for the use or disclosure of the health information.
C1.5d
A non-directly related secondary purpose normally requires permission from the individual for the use or disclosure of the individual’s health information (e.g. staff training, health service evaluation or monitoring, use of patient databases for fundraising and/or direct marketing). In certain circumstances however, permission is not required to use or disclose an individual’s health information.

Guidelines

G1.5
Health information and test results may be used for a directly related secondary purpose where the individual would reasonably expect the organisation to use or disclose the information for that purpose.
G1.6
Health information and test results may be used for a non-directly related secondary purpose:
(a) where the individual has consented to the use or disclosure
(b) where the use or disclosure is required, authorised or permitted by law (e.g. reporting a notifiable disease)
(c) where the laboratory providing a health service to an individual reasonably believes that such use or disclosure is necessary for the provision of that health service, and the individual is incapable of giving consent
(d) where the laboratory providing a health service reasonably believes that the use or disclosure is necessary to ensure that further health services are provided safely and effectively
(e) where the use or disclosure is for the purpose of funding, management, planning, monitoring, improvement or evaluation of health services, including training of staff or other persons being trained by the organisation and where:
    • the purpose cannot be achieved by using de-identified data, and it is impractical to seek the individual’s consent; or
    • reasonable steps are taken to de-identify the data
(f) where the laboratory reasonably believes that the use or disclosure is necessary to lessen or prevent:
    • a serious and imminent threat to an individual’s life, health, safety or welfare; or
    • a serious threat to public health or safety
(g) where the use or disclosure is required for research, or the compilation or analysis of statistics, in the public interest and:
    • it is impractical to seek the individual’s consent; and
    • the purpose cannot be achieved by using de-identified data and, in the case of disclosure, it will not be published in a form that identifies individuals
(h) in the case of genetic information of an individual that is, or could be, predictive at any time of the health of another individual, and the organisation reasonably believes that the use or disclosure is necessary to lessen or prevent a serious threat to that other individual’s life, and:
    • a reasonable attempt has been made to obtain consent from the first individual;
    • it is not reasonably practicable to obtain the consent of that individual; or
    • that individual is incapable of giving consent
(i) where the use or disclosure is necessary to establish, exercise or defend a legal or equitable claim
(j) where the health information is about a deceased individual and is to be used by or disclosed to:
    • a legal representative of the deceased;
    • a person who was the authorised representative of the deceased and the disclosure is for a purpose relating to the former powers, functions or duties of that person;
    • a person nominated in writing by the deceased before their death; or
    • a next of kin of the deceased.
G1.7
Registered health service providers should not disclose health information to a law enforcement agency unless they are satisfied that the disclosure would be authorised under the general law of confidence.

Commentary

C1.7
The general law currently applies to providers and only permits disclosure where the duty of confidence is outweighed by a countervailing public interest in law enforcement.

Guidelines

G1.8
De-identified health information is information that does not identify an individual, and where there is no reasonable basis to believe that the information can be used to identify an individual. The size of a specific population will affect the criteria determining which data must be removed to ensure that an individual cannot be identified from published de-identified data (e.g. postcodes of small communities, age [year of birth] where individuals are over the age of 89). Methods that may be used to de-identify data include the safe harbour method and the statistical method. Laboratories should be aware that privacy principles may still apply to de-identified information depending on what other knowledge the recipient has. These data may be referred to as ‘aggregated data’.
G1.9
Where possible, individuals should be made aware of any persons or organisations (in addition to the referring practitioner) to whom their health information, including results, may be disclosed (e.g. cancer or cervical registries). Where the laboratory has disclosed, or intends to disclose, health information to a registry or other pertinent body, the laboratory may indicate this in the test result report.