The recent spotlight on Australia’s largest online health booking service, HealthEngine, regarding the use of personal information it obtained from patients, has created significant debate throughout the medical profession and broader community.

It has been alleged in the media that HealthEngine shared information with third parties, including personal injury lawyers, without patients realising this. Those third parties then made direct contact with patients to market their products or services. Issues have been raised about whether this was within patient expectations and how it fits with privacy regimes.

HealthEngine has responded publicly, stating that, while referral arrangements are in place with a range of industry partners, including government, not-for-profit, medical research, private health insurance and other health providers, this is done on an ‘opt-in’ basis. This involves a ‘pop-up form’ appearing as part of the booking process, which allows a patient to complete their details and indicate their consent to share that information, following which a referral is made to a third party provider. HealthEngine states that users are able to continue to use the booking services even if they do not provide their express consent to being contacted by a referral partner through the pop-up form.

The Federal Government has asked the Office of the Australian Information Commissioner and the Australian Digital Health Agency to inquire into the use of personal information by HealthEngine, a move supported by the AMA.

Irrespective of whether consent has been obtained from an individual, the discovery of HealthEngine’s partnership with third parties and apparent disclosure of patient information to those third parties has caused considerable disquiet amongst patients, medical practitioners and the community.

Whether that disquiet flows on to medical practices using HealthEngine remains to be seen.

There has already been criticism from some patients of medical practices that use HealthEngine for appointment bookings.  Patients have enquired whether the medical practice has shared personal information with HealthEngine, or whether the practice was aware that HealthEngine was disclosing their personal information to third parties.

One consumer group felt it was the responsibility of “doctors who contract with HealthEngine to ensure patients are protected from unrelated business overtures”.¹

MIGA understands that, from the medical practice’s perspective, the patient information that has been disclosed to third parties is not information shared by the medical practice with HealthEngine. That would suggest that any privacy issues are related to the actions of HealthEngine, rather than the individual medical practice.

From a legal point of view it appears that the medical practice will not have committed any breach of patient privacy. However, it is important for practices to review their terms of agreement with any third party provider, including HealthEngine, to ascertain how patient information may be used by the third party provider.  If it is not clear from the agreement then, in MIGA’s view, it would be reasonable to enquire of the third party provider how they intend to use the information they obtain from individuals and whether there is any risk that it might be shared with others.

If, in the medical practice’s opinion, personal information is being used by third parties without patient consent, or its use is otherwise concerning, the practice should review its relationship with that service.

There are medical practices that have stopped using the HealthEngine appointment booking service because of concerns the practice had about the use made by HealthEngine of patient information.  It is not MIGA’s role to recommend such action, but we do recommend practices review their agreements with third party providers to ensure that patients’ privacy is safeguarded.

This situation is a good reminder about keeping in mind patient expectations around their health information.   Having in place an up-to-date privacy policy is a must.  Consider what your patients would reasonably expect you to do with their health information.  Think about when you should seek consent in clear and unambiguous terms about certain uses or disclosure of patient information.  MIGA’s privacy resource provides more information about questions you should be thinking about.

“Trust takes years to build, seconds to break, and forever to repair” (unknown source)

¹ Consumer Health Forum. The Medical Republic “HealthEngine feels the heat over data sharing” 27 June 2018 medicalrepublic.com.au/healthengine-feels-heat-data-sharing/
