Privacy and Data Protection

Do specific privacy and/or data protection laws apply to the provision of telehealth services?

Australian privacy and surveillance laws are generally applicable to the provision of telehealth services in Australia.

At the Federal level, the core privacy legislation is the Privacy Act 1988 (Cth) ("Privacy Act") and the Australian Privacy Principles ("APPs"). State and territory legislation broadly aligns with the Federal framework, and includes legislation which addresses how public sector agencies and health service providers manage sensitive health information. The Privacy Act regulates the collection, use and disclosure of personal information, defined as information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether recorded in a material form or not. All personal information collected in the course of providing a health service, including information or an opinion about the health of an individual and their wishes about the future provision of health, is considered health information under the Privacy Act. Health information is sensitive information, which is granted additional protections under the Privacy Act, the APPs, and certain State and Territory legislation, due to its significance and the potential harm that could result from misuse. Telehealth services are identified as health service providers under the Privacy Act.

To comply with the Privacy Act and the APPs, telehealth service providers must handle all patient information in a manner that complies with their legal obligations.  In particular, health information can only be collected by lawful and fair means, and generally only with the patient’s (express or implied) consent and where the information is reasonably necessary for providing a health service to that patient.  Certain exemptions do apply to "health service providers" (including telehealth businesses), such as where the collection is necessary to provide a health service and is either authorised by law or it is collected in accordance with confidentiality rules established by competent health boards or medical bodies.  Consent is also not required where information is collected or disclosed in order to prevent a serious threat to life, public health or safety.  Health information can only be collected directly from the patient unless it is not reasonable or practical to do so.  There are also similar consent restrictions on the use and disclosure of health information, and typically higher standards of security are also expected.

Surveillance laws operating at the federal, state and territory levels will also be relevant where, for example, telehealth providers intend to record the provision of services to patients. At the federal level, the Telecommunications (Interception and Access) Act 1979 (Cth) makes it an offence to intercept or access private telecommunications without the knowledge of those involved in that communication. State and territory surveillance laws also prohibit the recording of private conversations without the consent of the participants to that conversation. In practice, telehealth service providers would need to ensure that all participants to recorded conversations have provided their express consent to any such recording.

Last modified 20 Jun 2023

Australia

Is the use of telehealth permitted?

Yes, telehealth is permitted in Australia.

Prior to the COVID-19 pandemic, there were limited situations where telehealth could be used for the delivery of healthcare services in Australia. This was largely due to Medicare (Australia’s publicly funded universal healthcare system) restricting registered healthcare providers to delivering their services from a registered location (i.e., their medical practice), and limiting the availability of government subsidies for telehealth consultations to patients in rural and remote communities where pre-existing provider-patient relationships existed.

On 30 March 2020, in response to the COVID-19 pandemic, the Health Insurance (Section 3C General Medical Services – COVID-19 Telehealth and Telephone Attendances) Determination 2020 (Cth) ("Telehealth Determination") came into force. As a result of the Telehealth Determination, a range of healthcare services delivered via telehealth that previously could not be subsidised under Medicare (including e.g., standard general practitioner consultations) became eligible for subsidy. That is, a variety of telehealth services became available at a subsidised cost or at no cost to the patient under Medicare.

When the Telehealth Determination was first introduced, it permitted the delivery of healthcare services via telephone or video-conferencing to patients where there was no pre-existing provider-patient relationship (although an existing relationship was preferred).

The Telehealth Determination was subsequently amended so that from 20 July 2020, healthcare providers were required to have an existing and continuous relationship with a patient in order to provide telehealth services. Therefore, at present, unless an exception applies (e.g., the patient is less than 12 months old), a medical practitioner can only provide telehealth services to patients who have seen the practitioner for a face-to-face service in the last 12 months, or have seen another medical practitioner at the same practice for a face-to-face service during the same period. 

Although the Telehealth Determination was scheduled to be revoked on 30 September 2020, the Australian Government has made the Telehealth Determination permanent, meaning that more than 200 telehealth services have become permanently available. These changes mean that video and telephone services are available nationally from general practitioners, medical specialists and other health professionals via Medicare.

How is telehealth regulated?

There are currently no laws or regulations specifically relating to telehealth in Australia. Existing laws and regulations relating to the provision of healthcare apply to telehealth. However, various regulatory and industry bodies across the healthcare profession have released guidance notes on delivering services via telehealth.

For example, the Australian Health Practitioner Regulation Agency ("AHPRA"), the federal body responsible for regulation of all recognised health professionals in Australia (including medical doctors, dentists, nurses, optometrists, psychologists and numerous others), has published on its website telehealth guidance for health practitioners ("AHPRA Guidance"). The AHPRA Guidance states that all registered health practitioners can use telehealth as long as it is safe and clinically appropriate for the health service being provided and suitable for the patient.

The AHPRA Guidance also observes that no specific equipment is required to provide telehealth services and that services can be provided through telephone and widely available video calling apps and software. However, the AHPRA Guidance goes on to note that free versions of applications (i.e. non-commercial versions) may not meet applicable laws for security and privacy, and that practitioners must ensure that their chosen telecommunications solution meets their clinical requirements, their patient’s or client’s needs and satisfies privacy laws.

The Medical Board of Australia ("MBA"), being the regulator of the medical profession, has recently published an advance copy of telehealth guidelines for medical doctors entitled “Guidelines: Telehealth consultations with patients”, which complement the existing code of conduct for medical doctors, entitled “Good Medical Practice: A Code of Conduct for Doctors in Australia”. These new guidelines will take effect from 1 September 2023 and are discussed in the “Anticipated Reforms” section of this guide. The MBA’s current guidelines, “Guidelines for technology-based patient consultations”, will continue to operate until 31 August 2023.

Are there specific fields of healthcare in relation to which telehealth services are currently available, and do they involve the use of proprietary technology or platforms?

A range of healthcare services can be provided to patients as telehealth services including:

  • general practice consultations;
  • specialist consultations (ranging from consultations with psychiatrists to consultations with surgeons);
  • allied health services (e.g., psychology, physiotherapy, chiropractic, podiatry, dietetics); and
  • mental health services.

The Australian Government recommends videoconference services as the preferred approach for substituting a face-to-face consultation. However, audio-only services can be offered if video is not available. No specific equipment is required for the purpose of providing Medicare-compliant telehealth services.

Does the public health system include telehealth services, and if so, are such services free of charge, subsidised or reimbursed? Where the public health system does not include telehealth services, are such services covered by private health insurance?

As discussed in Availability of Telehealth, at present, generally only telehealth services where there is an existing and continuous relationship between the medical practitioner and patient are subsidised by Medicare and made available at no cost to the patient.

In relation to healthcare services that are outside the scope of Medicare, private health insurers generally did not reimburse claims for healthcare services delivered remotely prior to the COVID-19 pandemic. An increasing number of private health insurers have since approved coverage for certain forms of telehealth services accessed by their members. However, what is permitted varies from insurer to insurer and is dependent on the terms and conditions of the policy.

How should the cross-border transfer of personal information collected and processed in the course of telehealth services be carried out to ensure compliance with applicable privacy laws?

Cross-border transfers of telehealth data that contain personal information within the meaning of the Privacy Act must comply with APP 8. In short, a telehealth business must not transfer an individual’s personal information to a recipient in an overseas location without having taken such steps as are reasonable in the circumstances to ensure that the recipient will not breach the APPs (e.g. by putting contractual protections in place), or otherwise being satisfied that the recipient is subject to a law or binding scheme that has the overall effect of protecting the health information in a manner that is substantially similar to the Privacy Act and APPs. Otherwise, a patient’s consent is required to any cross-border disclosure.

Where a telehealth service provider intends to transfer personal information outside of Australia, it is also required to include this information in its Privacy Policy as part of the notification obligations set out in APP 1, for example by stating that collected information may be transferred overseas, and to the extent possible, identifying those recipient locations.

Are there any currently applicable codes of conduct on the use of telehealth systems and/or security of telehealth data in your jurisdiction?

Health information is “sensitive information” for the purposes of the Privacy Act, and is afforded greater protection (express and implied) than other types of personal information. The guidance from the Office of the Australian Information Commissioner (the Privacy Act regulator) provides that online health services and telehealth providers are “health service providers” within the meaning of the Privacy Act.

Other government and regulatory bodies have issued guidance which addresses the security of telehealth data. For example, the Federal Department of Health has issued a "Privacy Checklist for Telehealth Services". This checklist provides high-level guidance on key obligations, including obtaining patient consent, disclosure of cross-border transfers, privacy notices, and ensuring that other "relevant measures" (such as end-to-end encryption, multi-factor authentication, etc.) have been adopted in accordance with guidance made available by bodies such as the Australian Cyber Security Centre.

Are any specific laws, regulations, or self-regulatory instruments expected to be adopted in the near future?

On 31 May 2023, the MBA released its revised guidelines for telehealth consultations between medical doctors and their patients (Revised Guidelines), effective from 1 September 2023. The Revised Guidelines:

  • Set out what a medical doctor must do before, during and after a telehealth consultation (including guidance relating to use of technology, ensuring patient privacy, and providing instructions to the patient if the technology fails);
  • Note that the MBA does not support a medical doctor prescribing or providing healthcare where a patient has never had a real-time direct consultation (in-person or via video or telephone) with that doctor, which includes, but is not limited to, prescribing medication via questionnaire-based asynchronous web-based tools;
  • Provide that telehealth consultations are not appropriate in all circumstances and therefore, do not operate as a complete replacement for in-person consultations; and
  • Clarify registration requirements for medical practitioners who use telehealth to provide services across geographical borders.

On 16 February 2023, the Australian Attorney-General released a report on the Privacy Act, containing 116 reform proposals. Although the report did not target telehealth providers directly, below is a summary of the proposals relevant to telehealth providers:

  • The collection, use, and disclosure of personal information must be fair and reasonable in the circumstances (when assessed through an objective lens);
  • APP entities must conduct a Privacy Impact Assessment for activities with high privacy risks. The Attorney-General has requested that the OAIC develop guidance which articulates factors that may indicate a high privacy risk. In this regard, telehealth providers may need to conduct a Privacy Impact Assessment on their telehealth consults and/or any recordings they have of patient consults (to the extent they keep any recordings);
  • Additional protections must be provided for children and vulnerable persons, requiring entities to make collection notices and privacy policies ‘clear and understandable’;
  • Individuals may have a right to access, and obtain an explanation about, their personal information if they request it; and
  • Amending APP 11.1 to ensure that ‘reasonable steps’ include technical and organisational measures, which may affect what technical measures will need to be implemented for telehealth consultations.

As the use of telehealth grows and becomes more mainstream in the Australian medical sector, it is possible that specific guidance on privacy issues in the context of telehealth may be developed to complement the current obligations set out in the Privacy Act (and applicable surveillance laws), but there has been no public indication to date that such developments are imminent.
