HealthEngine controversy - Data Sharing with Third Party Providers – Privacy Issues


Anthony Mennillo, Claims and Legal Services, MIGA, discusses the recent spotlight on HealthEngine. The use by Australia’s largest online health booking service, HealthEngine, of personal information it obtained from patients has created significant debate throughout the medical profession and broader community.

It has been alleged through the media that HealthEngine shared information with third parties, including personal injury lawyers, without patients realising this. Those third parties then made direct contact with patients marketing their products or services.  Issues have been raised about whether this was within patient expectations and how it fits with privacy regimes. 

HealthEngine has responded publicly stating that, while referral arrangements are in place with a range of industry partners, including Government, not for profit, medical research, private health insurance and other health providers, this is done on an ‘opt-in’ basis.  This involved a ‘pop-up form’ appearing as part of the booking process which allows a patient to complete their details and indicate their consent to share that information, following which a referral is made to a third-party provider.  HealthEngine states that users are able to continue to use the booking services even if they do not provide their express consent to being contacted by a referral partner through the pop-up form.

Most recently, HealthEngine advised that it was abandoning its third party referrals and advertising business to restore trust with its users.

The Federal Government has asked the Office of the Australian Information Commissioner and the Australian Digital Health Agency to inquire into the use of personal information by HealthEngine, a move supported by the AMA.

Irrespective of whether consent has been obtained from an individual, the discovery of HealthEngine’s partnership with third parties and apparent disclosure of patient information to those parties has caused considerable disquiet amongst patients, medical practitioners and the community.

Whether that disquiet flows on to medical practices using HealthEngine remains to be seen.

There has already been criticism from some patients of medical practices that use HealthEngine for appointment bookings.  Patients have enquired whether the medical practice has shared personal information with HealthEngine, or whether the practice was aware that HealthEngine was disclosing their personal information to third parties.

One consumer group felt it was the responsibility of “doctors who contract with HealthEngine to ensure patients are protected from unrelated business overtures”.

MIGA understands that, from the medical practice’s perspective, no patient information is shared by the medical practice with HealthEngine that has been disclosed to third parties.  That would suggest that any privacy issues are for HealthEngine rather than the individual medical practice. 

From a legal point of view, it appears that the medical practice has not committed any breach of patient privacy. However, it is important for practices to review their terms of agreement with any third party provider, including HealthEngine, to ascertain how patient information may be used by the third-party provider.  If it is not clear from the agreement then, in MIGA’s view, it would be reasonable to enquire with the third-party provider how they intend to use the information they obtain from individuals. 

If, in the medical practice’s opinion, use of personal information by third parties is made without patient consent, or is otherwise concerning, the practice should review its relationship with that service.

There are medical practices that have stopped using the HealthEngine appointment booking service because of concerns the practice had about the use made by HealthEngine of patient information.  It is not MIGA’s role to recommend such action, but we do recommend practices review their agreements with third party providers to ensure that patients’ privacy is safeguarded.

This situation is a good reminder about keeping in mind patient expectations around their health information.  Having in place an up-to-date privacy policy is a must.  Consider what your patients would reasonably expect you to do with their health information.  Think about when you should seek consent in clear and unambiguous terms about certain uses or disclosure of patient information.  MIGA’s privacy resource provides more information about questions you should be thinking about.


“Trust takes years to build, seconds to break, and forever to repair” (unknown source)


Disclaimer Insurance policies available through MIGA are issued by Medical Insurance Australia Pty Ltd.  MIGA has not taken into account your personal objectives or situation.  Before you make any decisions about our policies, please read our Product Disclosure Statement and Policy Wording and consider your own needs.  Call MIGA for a copy on 1800 777 156 or visit our website at  The information contained in this document is of a general nature only and does not purport to take into account, or be relevant to your personal circumstances. This information is not intended to be nor should it be relied upon as a legal or any other type of professional advice.

The Private Practice Magazine

This article featured in our Summer 2018 Edition
