Guide to Australian HIV Laws and Policies for Healthcare Professionals

Privacy and confidentiality


The terms ‘privacy’ and ‘confidentiality’ are commonly used interchangeably. However, they are related but not identical concepts. Privacy refers to the right to control access to oneself, and includes physical privacy such as ensuring curtains are closed during physical examinations. Privacy may also relate to information about oneself, and information privacy laws regulate the handling of personal information through enforceable privacy principles. Confidentiality relates to information only. The legal duty of confidentiality obliges health care practitioners to protect their patients against inappropriate disclosure of personal health information.

The Australian Medical Association (AMA) Code of Ethics requires medical practitioners to maintain a patient’s confidentiality.

Exceptions to this must be taken very seriously. They may include an emergency scenario or where required by law. Across Australia, the protection of health-related information has attracted special treatment, partly as a response to the sensitive nature of health information. This point cannot be over-emphasised. The health sector is second only to the finance sector in the number of privacy complaints received by the Office of the Information Commissioner.

It is important to maintain privacy and confidentiality because:

  • patients may be concerned about the stigma and discrimination associated with their HIV and related conditions
  • patients want to know that they can choose who has access to information about them
  • patients are far more likely to seek medical care and give full and honest accounts of their symptoms if they feel comfortable, respected and secure
  • a health system with strong privacy mechanisms will promote public confidence and trust in health care services generally.

The My Health Record and Privacy

Since January 2019, all Australians will have had a My Health Record created unless they have opted out of getting one. The My Health Record is an online summary of an individual’s health information, accessible to any healthcare professional involved in the individual’s care. Individuals may choose to delete their record at any time.

It is crucial to have a clear understanding of the system’s operation, privacy access control features and checks and balances (including the use of PIN codes) and of the ability to opt out of secondary use. Patients can then make an informed decision about engaging with My Health Record. Individuals with concerns about the disclosure of sensitive health information may choose to opt out to protect their privacy.

Healthcare providers can play a crucial role in talking through these different facets with their patients, to help them decide whether, and how much, to engage with the My Health Record. Clinicians need to be aware that a patient may feel compelled to follow their direction about whether or not to engage with the record, so having an open discussion in a judgment-free manner is very important.

Electronic records generate risks of data leakage, access by unauthorised staff, browsing by unauthorised people and hacking. Agencies and businesses, including medical practices, need to consider the security of their data storage and transfer systems and the problem of staff intentionally or inadvertently accessing prohibited electronic records. For more information on professional legal obligations in respect of the My Health Record, visit the My Health Record page.

There are no nationally agreed laws specifically relating to the management of medical records with HIV or other notifiable diseases and each state and territory has approached the issue differently. However, some consistency of privacy management in the health sector is facilitated by the Commonwealth Privacy Act, which applies to all private sector organisations that provide health services and hold health information (as well as any Commonwealth agency). In summary, a health service can be broadly defined as any activity that involves:

  • assessing, recording, maintaining or improving a person’s health
  • diagnosing or treating a person’s illness or disability
  • dispensing a prescription drug or medicinal preparation by a pharmacist.

Consequently, health services include traditional health service providers such as private hospitals and day surgeries, medical practitioners, pharmacists and allied health professionals, as well as complementary therapists, and many others. An outline of the jurisdiction of the Act is available here.

The Privacy Act contains 13 Australian Privacy Principles governing minimum privacy standards for handling personal information, including:

  • the need to gain consent for the collection of health information
  • what to tell individuals when information is collected
  • what to consider before passing health information on to others
  • the details that should be included in a health service provider’s Privacy Policy
  • securing and storing information
  • providing individuals with a right to access their health records.

Some Australian Privacy Principles state that health service professionals must meet certain obligations, while other Australian Privacy Principles require that they ‘take reasonable steps’ to meet stated obligations. Practitioners should familiarise themselves with the Australian Privacy Principles (which are legally binding) and seek advice if necessary. It is important to understand both state and Commonwealth-based laws. In New South Wales (NSW), for example, state privacy legislation (the Health Records and Information Privacy Act 2002) applies to public sector and private sector health-care providers, and to holders of health records located in NSW. Consequently, private sector health-service providers must comply with two sets of privacy legislation (federal and NSW) that are largely, but not wholly, compatible. The two sets of legislation impose similar obligations on private health-care providers.

Most states now have laws severely restricting the transfer of information in the health sector without the consent of the patient, and in some states, breaches of confidentiality amount to a criminal offence. A person may be able to launch a civil action against a clinician or health service that has breached legal duties. (While not on this particular point, the case of PD reiterated the priority of confidentiality considerations.)

A brief overview of the numerous privacy laws in each state and territory (and their intersection with the Federal Privacy Act) is provided by the ‘Office of the Australian Information Commissioner’ at https://www.oaic.gov.au/privacy-law/other-privacy-jurisdictions#state-and-territory-health-privacy

To ensure compliance with both federal and local privacy laws, you should contact the relevant privacy regulators listed in Table 13.1 and/or consider obtaining legal advice.

Table 13.1 State and territory agencies relevant to privacy laws

| State or territory | Relevant agency |
| --- | --- |
| Australian Capital Territory | Office of the Australian Information Commissioner 1300 363 992 enquiries@oaic.gov.au |
| New South Wales | NSW Information and Privacy Commission 1800 472 679 ipcinfo@ipc.nsw.gov.au |
| Northern Territory | Office of the Information Commissioner 1800 005 610 infocomm@nt.gov.au |
| Queensland | Office of the Information Commissioner (07) 3234 7373 enquiries@oic.qld.gov.au |
| South Australia | Privacy Committee of South Australia (08) 8204 8786 privacy@sa.gov.au |
| Tasmania | Ombudsman Tasmania 1800 001 170 ombudsman@ombudsman.tas.gov.au |
| Victoria | Office of the Victorian Privacy Commissioner 1300 666 444 enquiries@privacy.vic.gov.au |
| Western Australia | Although Western Australia’s public sector does not currently have a legislative privacy regime, numerous confidentiality provisions cover government agencies, and some of the privacy principles are covered under the Freedom of Information Act 1992. Depending on the nature of the questions, the Office of the Information Commissioner may be able to provide assistance: 1800 621 244 info@foi.wa.gov.au |

Key confidentiality provisions within various state/territory health laws relating to HIV are summarised below.

There are a number of broad privacy-related issues facing health care providers that are particularly relevant to health care for people with HIV. These include:


State Information


Key health and HIV-related confidentiality provisions within various state and territory health acts (summarised)



References



  1. This section is partly drawn from ‘Privacy, Confidentiality and other legal responsibilities’ in ASHM’s B Positive – all you wanted to know about hepatitis B: a guide for primary care providers.
  2. Power, Jennifer (2018). 'HIV Futures 8: Stigma and discrimination data', Australian Research Centre in Sex, Health and Society, La Trobe University, Melbourne, unpublished report