The role which consent plays in the privacy laws governing the relationship between patient and General Practitioner is particularly important because it largely determines the many decisions concerning how the patient's health information may be handled by the GP as well as the patient's confidence in the public health system. If patients believe that third parties can obtain unfettered access to their health information without their consent, there is a very real danger that they may not seek the health care they require, thereby undermining the state's attempts to protect both their and the public's health.
This emphasis on the consent of the individual is consistent with the philosophy of personal information autonomy which is embodied in the privacy legislation, although subject to the many and varied legislative exceptions where competing public interests are deemed to outweigh the individual’s interests.
Thus, consent is one of the potential triggers for enabling the collectionFN1 of sensitive information, which includes health information, about an individual where that information is also personal information (ie personally identifying).FN2
According to the Privacy Commissioner there are four key elements for valid consent:FN3 it must be provided voluntarily; the patient should be adequately informed (NPP 1.3); it should relate to a specific situation; and the patient must be capable of giving consent (the general law).
Although the Privacy Act defines consent to mean "express consent or implied consent",FN4 the Commissioner takes the view that GPs should generally seek express consent from patients and points out that such consent avoids the potential risks associated with relying on implied consent.FN5 While consent may be oral or written, the Commissioner notes that written consent provides greater protection for both parties should there be any future disagreement.
However, where a GP needs to collect information about a patient from another source (eg the patient's test results from a pathologist), the Commissioner takes the view that it may be possible to assume the patient has given implied consent, but that in most situations this should not be assumed.FN6
The effectiveness of consent depends on the patient's knowledge, and appreciation, of the purposes for which the information is being collected. While it is envisaged that patients may decide to consent or not, the probable reality is that many patients will automatically consent. After all, doctor knows best.
The potential for abuse by GPs of any consent is also fairly large because it will be very difficult for patients to know whether their health information has been used for a purpose for which they have consented or not.FN7
The consent which a patient gives for the collection of health information is limited to the purpose for which it was collected (the primary purpose) as well as any directly-related purposes (secondary purposes) for which the patient would reasonably expect the GP to use or disclose the information.FN8
It is questionable whether, when expressly consenting to the use of health information for purpose A, a patient would expect to also be consenting to its use for directly-related purposes B and C. Some of the Commissioner's examples of directly-related purposes include fairly innocuous uses such as for billing and sending reminders of checkups. However, where a GP refers a patient to a specialist, the Commissioner considers that the disclosure of information to the specialist can be considered directly related and would also fall within the expectations of the patient. Yet, where the specialist wants to then provide certain health information about the patient back to the GP, the Commissioner considers that both the GP and the specialist would need to make sure that the patient consents to this as the patient may not necessarily expect it.FN9 Whether patients, GPs and specialists will appreciate the making of such fine distinctions when it comes to defining the limits of consent is debatable.
However, these limits on consent are somewhat illusory when one considers some of the situations in which NPP 10 allows GPs to collect information about patients without their consent. For example, where the collection is:
If a patient has given consent to a GP to collect information for a particular purpose, then that consent is also given to the GP to use and disclose the information for that purpose and for any directly related purposes for which the patient would reasonably expect the GP to use or disclose the information.FN10
Where the GP wishes to use or disclose the information for any other purposes, consent will generally be required. However, NPP 2 catalogues a number of situations where consent is not required which are similar to those for collection without consent (see above).
Footnotes
FN1 NPP 10.1.
FN2 Sec 6(1); "sensitive information", "health information", "personal information".
FN3 Draft Health Privacy Guidelines, 14 May 2001.
FN4 Sec 6(1).
FN5 Draft Health Privacy Guidelines, 14 May 2001.
FN6 Draft Health Privacy Guidelines, 14 May 2001.
FN7 See, for example: http://www.aar.com.au/privacy/pages/health_sale.htm.
FN8 NPP 2.1(a).
FN9 Draft Health Privacy Guidelines, 14 May 2001.
FN10 NPP 2.1(a).