S1.5A laboratory must not use or disclose an individual’s health information, including results, except for the primary or directly related secondary purpose for which the information and/or results were collected or produced. In certain circumstances, such information may be used for non-directly related secondary purposes.
C1.5aUse refers to the handling of information within an organisation whereas disclosure refers to transfer of information outside the organisation.
C1.5bThe primary purpose is the main reason that an organisation collects or acquires health information or test results from an individual (e.g. to make a diagnosis).
C1.5cA directly related secondary purpose may include activities necessary for the proper functioning of the laboratory, and will usually be closely bound to the primary purpose (e.g. seeking of a second opinion, billing or debt recovery, disclosure to a medical defence organisation when reporting an adverse incident). Directly related secondary purposes would not normally require special circumstances for the use or disclosure of the health information.
C1.5dA non-directly related secondary purpose normally requires permission from the individual for the use or disclosure of the individual’s health information (e.g. staff training, health service evaluation or monitoring, use of patient databases for fundraising and/or direct marketing). In certain circumstances however, permission is not required to use or disclose an individual’s health information.
G1.5Health information and test results may be used for a directly related secondary purpose where the individual would reasonably expect the organisation to use or disclose the information for that purpose.
G1.6Health information and test results may be used for a non-directly related secondary purpose:
(a) where the individual has consented to the use or disclosure
(b) where the use or disclosure is required, authorised or permitted by law (e.g. reporting a notifiable disease)
(c) where the laboratory providing a health service to an individual reasonably believes that such use or disclosure is necessary for the provision of that health service, and the individual is incapable of giving consent
(d) where the laboratory providing a health service reasonably believes that the use or disclosure is necessary to ensure that further health services are provided safely and effectively
(e) where the use or disclosure is for the purpose of funding, management, planning, monitoring, improvement or evaluation of health services, including training of staff or other persons being trained by the organisation and where:
- the purpose cannot be achieved by using de-identified data, and it is impractical to seek the individual’s consent; or
- reasonable steps are taken to de-identify the data
- a serious and imminent threat to an individual’s life, health, safety or welfare; or
- a serious threat to public health or safety
- it is impractical to seek the individual’s consent; and
- the purpose cannot be achieved by using de-identified data and, in the case of disclosure, it will not be published in a form that identifies individuals
- a reasonable attempt has been made to obtain consent from the first individual;
- it is not reasonably practicable to obtain the consent of that individual; or
- that individual is incapable of giving consent
(j) where the health information is about a deceased individual and is to be used by or disclosed to:
- a legal representative of the deceased;
- a person who was the authorised representative of the deceased and the disclosure is for a purpose relating to the former powers, functions or duties of that person;
- a person nominated in writing by the deceased before their death; or
- a next of kin of the deceased.