As a health professional—whether you’re a doctor, nurse, technician or assistant, to name just a few—you have a rewarding yet challenging task.
You’re faced with an endless diversity of patients, medical conditions and circumstances. You use your technical training and your professional judgement to meet the standards expected of you.
And in one way or another, you’ll find yourself navigating legal frameworks affecting you as a health professional.
Privacy and confidentiality are two key areas of the law that impact what you can and can’t do with the information entrusted to you by your patients.
As a medical negligence lawyer, I’ve seen firsthand how many healthcare professionals struggle to navigate the legal system in these areas.
Failing to understand your duties of privacy and confidentiality can make you vulnerable to legal action for breaches of confidence, or a complaint to the Privacy Commissioner - and have significant implications for you and your patients.
This article covers the basic principles of medical confidentiality which apply to health professionals, focusing on some key areas where we commonly get questions.
How is legal action relevant to me as a health professional?
Two common ways you may encounter legal action as a health professional are:
As a witness in a court case
If a patient whose care you are or were involved in becomes involved in a court case, your records, observations, discussions with the patient and/or your opinion may become crucial evidence for this.
Some examples include:
- critical incidents
- post-operative complications and their treatment
- medical negligence (misdiagnosis and failure to diagnose)
- motor vehicle accident, work cover or public liability claims
- Family Law proceedings involving children
- Child Protection proceedings
- Victims of Crime compensation proceedings.
You could be subpoenaed to provide documentation for a court proceeding, or to attend to give evidence in court. When this happens, you’ll want to be crystal clear on your rights and obligations, and those of your patients, concerning privacy and confidentiality.
As part of a compensation claim
You may be contacted by a third party, for example a lawyer representing one of your patients, or an insurance scheme operator, for information to support a compensation claim (e.g. WorkCover).
Understanding the difference between privacy and confidentiality
When it comes to providing patients’ medical information and records to third parties, confidentiality and privacy are two different concepts.
Privacy laws regulate the handling of personal information about individuals (what can and can’t be done with someone’s personal information).
Privacy is a right enshrined in law (Privacy Act 1981, Cth) and in the Australian Privacy Principles (‘APPs’). The Act and APPs apply to individuals and Commonwealth Government agencies. Each State and Territory has its own legislation in relation to privacy obligations of its government departments and agencies.
Confidentiality ensures people or entities protect another person’s or entity’s information which has been conveyed in confidence and which is not readily available to the public.
‘Medical confidentiality’ obliges a health professional to protect (limit access to) the information discussed in confidence between themselves and a patient or client.
There is no specific confidentiality legislation in Australia, so in a strict legal sense it’s governed by the ‘common law’. However, there’s a commonly understood ‘duty of confidentiality’ which is rooted in various sources. We’ll get to this a little later in the article.
Privacy: Understanding your patients’ and your rights and obligations
It’s important you’re aware of the most critical areas involved with privacy laws, in particular: how to collect, store, disclosure, use and access medical records and other health information.
When collecting a person’s information, the most important things to know regarding privacy are:
- Only collect it if it’s necessary for the purpose for which it is being collected
- It should be relevant, up-to-date information
- You must inform the person why you’re collecting it and who it will be given to
- You should only collect it if you have consent.
There are a few exceptions where you don’t need consent to collect it, namely if:
- The law permits collection
- Collection is necessary for a health service
- There are serious and imminent threats to life or health
- The information is required for management, research or statistical purposes.
When storing the information, make sure it’s accurate and up to date (see more on this under ‘Making amendments’ below) and is protected from being lost, misused, accessed without authorisation, modified or disclosed.
Also make sure you destroy information no longer required.
When disclosing or using information, only use or disclose it for the primary purpose for which it was collected, unless:
- The individual has consented otherwise
- A secondary purpose is related to the primary purpose (For example, a test in relation to one illness reveals a second unsuspected illness).
- The information is required for research or statistical purposes.
Disclosure must be to a ‘responsible person’—for example, a guardian, parent or spouse—and can also occur if it is necessary for the provision of appropriate care or treatment to the individual (such as between a doctor and nurse at the same hospital).
The law also requires you to allow individuals to have access to health information held about them.
Keep in mind individuals can access personal information from a government department or other agency of the Commonwealth.
Access should be withheld where:
- It would pose a serious threat to life and health
- Privacy of others will be affected
- Information relates to existing or anticipated legal proceedings
- It would be unlawful to give access
- There is a law enforcement or national security issue.
Making amendments to an individual’s information
This is a common topic of interest for health professionals. If a patient’s information is not up to date or is inaccurate, they may ask to have it amended.
You may take reasonable steps to amend it. This is a straightforward matter for personal details such as change of address, however, it gets complicated if the patient wants opinions and evaluations amended.
In this case, don’t erase information as this can lead to potential legal and medical implications.
Instead, attach comments to the record/s outlining the patient’s claims.
Confidentiality: Understanding your patients’ and your rights and obligations
In health care, there are important reasons for confidentiality. It builds trust. It encourages honest and frank discussion between clients and healthcare staff, including about sensitive issues. It helps enable appropriate diagnosis, treatment and services.
Maintaining your duty of confidentiality is important because if you don’t, you’re vulnerable to legal action for breach of confidence.
The duty of confidentiality has three sources, one of which we’ve already looked at. These are:
- Statutory duty (includes Commonwealth Privacy Act and APPs). This source requires that you must not use or disclose personal information for a ‘secondary purpose’, e.g. fundraising, marketing or media interviews.
- Common law. A patient can sue for breach of confidentiality if it can be shown the breach results in actual injury or damage (this is rare). Compensation is payable under the Privacy Act.
- Ethics. Confidentiality facilitates autonomy and self-determination, and supports the dignity of the patient.
Circumstances where you can share information (exceptions to your duty of confidentiality)
A common question from health professionals is what circumstances enable them to disclose confidential information.
Generally, you can disclose confidential information where:
- The individual has given consent
- The information is in the public interest (that is, the public is at risk of harm due to a patient’s condition)
- Disclosure is compelled by law (often public risk issues are covered by laws that compel disclosure, such as for positive test results for HIV/AIDS)
- The information is in the public domain already.
There are seven specific circumstances where confidential information can be disclosed, otherwise known as ‘exceptions to duty’.
You’ll notice the common theme, or general rule, is to always attempt to get consent to release the information, wherever possible.
A person can give you consent to disclose information. This can be ‘implied’ or ‘express’ consent.
Express consent is the simpler type, where a person clearly states their consent or signs a form allowing you to release information.
Knowing whether you’ve been given ‘implied consent’ to share information can be tricky. An example is speaking to a patient about their medical condition in the presence of their family members (see ‘Information to relatives’ below), or where a patient asks you to help them write a letter to a third party.
In non-urgent cases, it’s best practice to specifically ask the patient for consent to discuss their information when relatives are present, before doing so.
In urgent cases you can assume implied consent, provided a patient has not previously indicated a relative should not be informed, and where that relative needs to know the information to provide appropriate health services.
Even so, this should only occur if the patient is unable to give you express consent.
Information can be disclosed to other health carers or agencies if it is necessary for the care of the patient.
It can also be disclosed for ‘funding, management, planning, monitoring, improvement or evaluation of health services and staff training’, but the information must be de-identified (not reveal individual identity).
You may be asked by another service provider, an external treater or agency/insurer (e.g. WorkCover) to supply confidential information in the form of a report.
You can do so, but before you do, you must:
- Still get the patient’s consent
- Only provide relevant information
- Only provide it for the purpose of making the report.
This issue comes up again under ‘Law enforcement and legal claims’ below.
Hospital files can be used for research purposes; but again, consent is usually required and the information is often de-identified.
You may be subpoenaed to provide notes and records, and if necessary, to answer questions in court, even if it means divulging ‘confidential’ information.
In this situation, the duty of confidentiality requires only relevant information be provided (see ‘Reports to third parties above’).
For example, it would not be appropriate for a doctor to give WorkCover a patient’s entire medical file if only one type of record from the file was requested.
Where getting independent legal advice can be useful
To make sure you know your rights and obligations, getting guidance from an independent lawyer can be useful particularly:
- For getting guidance on precisely what parts of a record fit the definition of ‘relevant’
- If you have concerns about a patient’s wellbeing if certain information in their record was to be released to a third party.
You may disclose information to prevent ‘serious or imminent threat to the life or health of the individual concerned, or another’.
An example is if you become aware of information that could result in a disease epidemic.
Duty to breach confidentiality: When you must disclose confidential information
There are circumstances where health professionals are not only exempted from the duty of confidentiality but are required to breach it by disclosing information to other authorities. These include:
- Notification of births and deaths
- A reasonable suspicion of child sexual abuse
- Notifying the coroner of a death in certain circumstances (for doctors)
- Doctors being required to take a blood sample when a patient presents for treatment of motor vehicle accident injuries
- Blood test results are required for a needlestick injury for a health worker
- Notification of the relevant authority is required for positive test results for certain diseases (e.g. HIV/AIDS, cholera, smallpox).
Want to know more? Arrange a free legal education seminar for health practitioners.
Slater and Gordon run free seminars on medical confidentiality for health professionals.
These seminars are an ideal way for you to get a refresher on what you can and can’t do to maintain medical confidentiality and protect yourself legally.
You will be able to ask questions, hear real life examples, and arm yourself with the knowledge of your rights and obligations.
These seminars are available at your clinic and are cost and obligation free.
Register your interest here.
The contents of this blog post are considered accurate as at the date of publication. However the applicable laws may be subject to change, thereby affecting the accuracy of the article. The information contained in this blog post is of a general nature only and is not specific to anyone’s personal circumstances. Please seek legal advice before acting on any of the information contained in this post.