
Advice for private specialists regarding new Health Information Privacy Code Rule 3A Obligations

22 April 2026

The new addition to the Privacy Act – Information Privacy Principle (IPP) 3A – and the corresponding addition of Rule 3A to the Health Information Privacy Code (HIPC) mean that from 1 May 2026, when health information about an individual is collected indirectly (i.e. from someone other than the individual themselves), there is an obligation to ensure the individual is made aware of that collection. This includes telling them that information has been collected, why it has been collected, what it will be used for, and (among other things) that they have the right to access and request correction of it.

Private specialists are in a different position to GPs. Their involvement in patient care is typically more time-limited, and they do not have the same ongoing need to be kept consistently up to date with all aspects of a patient’s health. As a result, specialists may receive less health information indirectly overall. However, they will commonly receive referral letters from other providers containing health information and may also be copied into laboratory and radiology results or receive updates from other clinicians. Rule 3A will apply to this indirectly collected information.

More detail about Rule 3A is provided below. At a practical level, however, steps specialists can take to promote compliance with the new Rule include:

  • Asking referrers to always copy referrals to the patient as well.
  • When you contact a patient, include a reference (for example in an email footer) to your practice’s Privacy Statement, including how the patient can read it (for example by clicking on a link).
  • Update your Privacy Statement to include reference to Rule 3A. MPS can provide advice on how to do this.
  • When engaging with a new patient, make obtaining their agreement to your Privacy Statement, and to you receiving information about them from third parties, part of the onboarding process.

Consider introducing, as an administrative step, always sending the patient an initial short acknowledgment email (possibly automated), confirming that a referral has been received and that it contains health information that will be managed in accordance with your Privacy Statement. This will ensure patients are aware who holds their health information. More details, and completion of any remaining notification requirements, can follow later – in a way that best fits the specialist’s practice – such as during a consultation or through detailed written communication.

The new Rule in greater detail:

HIPC Rule 2 provides that health information must be collected directly from the patient, unless an exception applies. Indirect collection may still be lawful if, for example:

(a) the individual concerned authorises collection of the information from someone else having been made aware of the matters set out in Rule 3A(1); or

(d) compliance is not reasonably practicable in the circumstances of the particular case.

In many referral situations, specialists will not know in advance that health information is about to be sent to them and will not yet have the patient’s contact details. In these circumstances, it is not reasonably practicable for the specialist to collect the referral information directly from the patient.

Once the referral information arrives and is in the specialist’s possession, Rule 3A then applies to that indirectly collected information.

When specialists receive referrals, there is generally an expectation that they will act on them, rather than simply collecting and holding the information. This provides an opportunity to comply with Rule 3A, as there will usually be some form of communication with the patient as part of responding to the referral. For example, if the specialist contacts the patient by email, they could attach (a) a copy of the referral received so the patient knows what information about them the specialist holds; and (b) a link to the specialist’s Privacy Statement.

Where a patient has been copied into the referral letter, or the letter specifically states that the patient is aware of the referral and that their information is being shared with the specialist, there will be a reasonable basis to believe the patient is already aware of the indirect collection. In some cases, the referral itself may also cover a number of the Rule 3A matters, such as who is receiving the information, why it is being shared and who it relates to.

However, where it is not clear if the patient is already aware, the specialist will need to notify them of the Rule 3A(1) matters as soon as is reasonably practicable after the information is received. The Privacy Commissioner has recognised there is some flexibility in how this is done, taking into account contextual factors. Ultimately, though, it will be for the individual specialist to be able to explain and justify any delay.