Informed Consent and the Australian Privacy Act: AHPRA Obligations for Registered Health Practitioners
Informed consent and privacy law intersect at every clinical encounter in Australia. The Privacy Act 1988 sets out specific obligations around how health information is collected, used, and disclosed — and consent is a key basis for many of those obligations. AHPRA's Codes of Conduct reinforce and extend these duties. This guide explains exactly where the two frameworks overlap, what registered practitioners must do, and how to document compliance.
Two Frameworks, One Clinical Encounter
Every clinical consultation triggers obligations under two frameworks at once: the Privacy Act (through the Australian Privacy Principles and, in health, the specific rules around health information) and AHPRA's Codes of Conduct. Consent sits at the intersection — consent to care, and consent to collection and handling of personal information.
What the Privacy Act Requires
Health information is one of the most strongly protected categories of personal information under the Privacy Act. Key obligations include: collecting only information reasonably necessary, telling the patient why it is being collected, using it only for primary purposes or clearly-related secondary purposes, keeping it secure, and allowing the patient access and correction.
- Lawful collection: health information should be collected directly from the patient where possible, and the patient should know what is being collected and why.
- Notification: patients must be told how their information will be used, who it may be shared with, and how to access it. A privacy notice or practice information handout satisfies this at the service level.
- Controlled use and disclosure: information is used for the primary purpose (providing care) or closely-related secondary purposes. Broader uses require consent or a specific legal basis.
- Security: reasonable steps must be taken to protect health information through physical, technical, and administrative safeguards.
- Access and correction: patients can generally access their own records and request correction of inaccurate information.
How AHPRA's Codes Reinforce These Duties
Every National Board's Code expects practitioners to protect confidentiality, document accurately, and communicate honestly about how information is handled. Breaches of privacy — such as discussing patients in public, loose documentation, or unauthorised disclosure — regularly appear in notifications.
Consent for Information Sharing
Consent for sharing information is distinct from consent for treatment. It must be specific, informed, and voluntary. Blanket consent ("I agree to share with anyone") is not meaningful. Specific consent ("I agree to sharing with my GP and specialist") is.
| Sharing Scenario | Consent Required? |
|---|---|
| Referral to another treating clinician | Usually implied through consent to care |
| Secondary use (audit, teaching) | Specific consent or de-identification |
| Research | Specific written consent |
| Mandatory reporting (child protection) | No consent required — legal duty overrides |
| Insurance or legal requests | Specific written consent |
Documentation Requirements
Document what was explained about privacy, what consent was obtained, and what was shared with whom. Contemporaneous, specific notes are the strongest evidence of compliance.
"Consent to share" is not a single signature — it is a series of specific agreements to specific disclosures. Document each one.
Digital Records and Telehealth
Electronic records, My Health Record, and telehealth each introduce specific privacy considerations. Patients must be told if sessions are recorded, how data is stored, and how to withdraw consent. The Office of the Australian Information Commissioner publishes specific guidance on health information handling.
When Things Go Wrong: Breach Response
Data breaches in health settings trigger the Notifiable Data Breaches scheme under the Privacy Act. Practitioners should know their organisation's breach response process and follow it promptly. Failure to do so can itself be a regulatory issue.
Consent and Privacy CPD for Australian Practitioners
- ✓ Ethics & CPD Courses for Healthcare Professionals in Australia
- ✓ Privacy Act 1988 and APP-aligned training
- ✓ Documentation and breach response skills
- ✓ 100% online — complete at your own pace
Key Takeaways
- Informed consent and Privacy Act obligations intersect at every clinical encounter
- Five Privacy Act pillars: lawful collection, notification, controlled use/disclosure, security, access/correction
- AHPRA Codes reinforce confidentiality, documentation, and honesty about information handling
- Consent to share information is distinct from consent to treatment — it must be specific
- Some disclosures (mandatory reporting) are required without consent
- Digital records and telehealth introduce additional privacy considerations
- Data breaches must be handled through the Notifiable Data Breaches scheme
Frequently Asked Questions
Is health information treated differently under the Privacy Act?
Yes — health information is a sensitive category with stronger protections than ordinary personal information.
Does consent to care cover sharing with other clinicians?
Usually yes, for directly related care. Broader sharing requires specific consent or a legal basis.
What if a family member asks about a patient's condition?
Do not disclose without the patient's consent, except in specific legal circumstances such as emergencies or where capacity is impaired.
Do I need written consent every time I share records?
Written consent is best practice for non-routine sharing. Verbal consent with documentation may suffice for routine care coordination.
What is the Notifiable Data Breaches scheme?
A Privacy Act scheme requiring notification of serious data breaches to affected individuals and the OAIC.
Can patients access their own records?
Yes, generally, with specific exceptions. Requests should be facilitated promptly.
Are telehealth sessions covered by the same rules?
Yes — privacy obligations apply fully to telehealth, with additional considerations around recording and data storage.
What about information shared with My Health Record?
My Health Record has its own specific consent and access framework, layered on top of Privacy Act requirements.
Meet Consent and Privacy Obligations with CPD
Complete AHPRA and Privacy Act-aligned training covering consent, confidentiality, and documentation — fully online.
This article is published by Healthcare Ethics Courses Australia for educational purposes only. It does not constitute legal, medical, or professional advice. Always refer to the current guidance on the AHPRA website and your National Board's Code of Conduct for direction specific to your situation.