Privacy and Confidentiality

1 The terms 'privacy' and 'confidentiality' are commonly used interchangeably. However, they are related but not identical concepts. Privacy refers to the right to control access to oneself, and includes physical privacy such as ensuring curtains are closed during physical examinations. Privacy may also relate to information about oneself, and information privacy laws regulate the handling of personal information through enforceable privacy principles. Confidentiality relates to information only. The legal duty of confidentiality obliges health care practitioners to protect their patients against inappropriate disclosure of personal health information.

The Australian Medical Association (AMA) Code of Ethics requires medical practitioners to maintain a patient’s confidentiality:

Exceptions to this must be taken very seriously. They may include where there is a serious risk to the patient or another person, where required by law . . . or where there are overwhelming societal interests.

The Code also requires confidentiality to be maintained, although it makes some exception ‘where there is a serious risk to the patient or another person, where required by law, where part of approved research, or where there are overwhelming societal interests’. Across Australia, the protection of health-related information has attracted special treatment, partly as a response to the sensitive nature of health information. This point cannot be over-emphasised. Most enquiries to the Office of the Privacy Commissioner are from the health sector, and the health sector is second only to the finance sector in the number of complaints received.

It is important to maintain privacy and confidentiality because:
  • patients are concerned about the stigma and discrimination associated with their HIV and related conditions
  • patients want to know that they can choose who has access to information about them
  • patients are far more likely to seek medical care and give full and honest accounts of their symptoms if they feel comfortable, respected and secure
  • a health system with strong privacy mechanisms will promote public confidence and trust in health care services generally.
There are no nationally agreed laws specifically relating to the management of medical records with HIV or other notifiable diseases and each state and territory has approached the issue differently. However, some consistency of privacy management in the health sector is facilitated by the Commonwealth Privacy Act, which applies to all private sector organisations that provide health services and hold health information. In summary, a health service can be broadly defined as any activity that involves:
  • assessing, recording, maintaining or improving a person's health
  • diagnosing or treating a person's illness or disability
  • dispensing a prescription drug or medicinal preparation by a pharmacist.
Consequently, health services include traditional health service providers such as private hospitals and day surgeries, medical practitioners, pharmacists and allied health professionals, as well as complementary therapists, and many others. An outline of the jurisdiction of the Act is available at http://www.privacy.gov.au/publications/hg_01.html#a2

The Privacy Act contains ten National Privacy Principles governing minimum privacy standards for handling personal information, including:
  • the need to gain consent for the collection of health information
  • what to tell individuals when information is collected
  • what to consider before passing health information on to others
  • the details that should be included in a health service provider’s Privacy Policy
  • securing and storing information
  • providing individuals with a right to access their health records.
Some National Privacy Principles state that health service professionals must meet certain obligations, while other National Privacy Principles require that they ‘take reasonable steps’ to meet stated obligations. An outline of the 10 National Privacy Principles is available at http://www.privacy.gov.au/materials/types/infosheets/view/6583. Practitioners should familiarise themselves with the National Privacy Principles (which are legally binding), and seek advice if necessary. While the different layers of federal, state and territory laws and regulations do, in some instances, complicate privacy obligations, in most cases the privacy protections required by Commonwealth and state or territory privacy laws are similar. Under the Australian Constitution, when a state or territory law is inconsistent with a Commonwealth law, the Commonwealth law prevails. Consequently, across Australia, all private sector health service providers are required to comply with the provisions of the (Commonwealth) Privacy Act as well as any state or territory laws.

Practitioners must familiarise themselves with both their federal and state-based legal requirements. In New South Wales, for example, state privacy legislation (the Health Records and Information Privacy Act 2002) applies to public sector and private sector health care providers and holders of health records located in New South Wales. Consequently, private sector health service providers must comply with two sets of privacy legislation (federal and New South Wales), which are largely but not wholly compatible. The two sets of legislation impose similar obligations on private health care providers; however, it could be argued that the New South Wales legislation has a higher compliance threshold, so that if a health care practitioner complies with the New South Wales Health Records and Information Privacy Act, they will generally also comply with the federal Act (although the two sets of legislation have different enforcement regimes).

Most states now have laws severely restricting the transfer of information in the health sector without the consent of the patient, and in some states, breaches of confidentiality amount to a criminal offence. A person may be able to launch a civil action against a clinician or health service that has breached legal duties. (While not on this particular point, the case of PD [Duty of Care to Third Parties and Civil Liability] reiterated the priority of confidentiality considerations).

A brief overview of the numerous privacy laws in each state and territory (and their intersection with the Federal Privacy Act) is provided by the ‘Office of the Australian Information Commissioner’ at http://www.privacy.gov.au/privacy_rights/laws/index.html#1.

Key confidentiality provisions within various state/territory health acts relating to HIV are summarised below.

There are a number of broad privacy-related issues facing general practitioners and other primary health care providers that are particularly relevant to health care for people with HIV. These include:

Collecting information

Normally, general practitioners should only collect health information about patients with their consent. It is usually reasonable to assume that consent is implied if the information is noted from details provided by the patient during a consultation, as long as it is clear the patient understands what information is being recorded and why. It is also vital to ensure that record keeping is thorough and accurate: both to ensure the best possible ongoing treatment of the patient and, in the worst case scenario, to be used as a defence if a case is made against a treating doctor.

Informing patients of how their information will be used

Patients are not able to consent to the use of their information if they are unclear how the information will be used and why. If possible, patients should be advised of the use of their information when it is collected, which can occur through usual communications during a regular consultation. This point also relates to instances when personal information cannot be shared or disclosed.

In the recent legal case of PD, a doctor correctly refused to give test results to one partner in a couple who had attended a joint consultation. In that case, a couple attended and jointly requested HIV tests. After receiving her result, the HIV-negative partner (PD) unsuccessfully attempted to find out her partner’s test results from the clinic and from her partner, who lied by saying he was HIV negative. PD later contracted HIV infection from her partner. The doctor had not explained during their initial consultation that the results of each person’s test could not be disclosed to the other person, and never sought their understanding of that situation or consent for their test results to be shared. This case demonstrates the importance of clarifying at the outset how personal health information will be used and disclosed and of obtaining the patient's consent to do so. If it had been made clear that the parties intended the exchange of HIV test results, the doctor could have made the disclosure based on the principle of patient consent. The doctor was found liable for negligence for reasons unrelated to confidentiality, but the court upheld the issue of confidentiality and the doctor’s insistence that the partner’s results could not be released.

Notification

It might be argued that reporting details of a patient’s health status to a health department official involves breaching the patient’s privacy; however, this practice is legal because there is no ‘absolute’ right to privacy under Australian or international law. In developing Australian privacy laws, the right to individual privacy has been weighed against the rights of others and against matters that benefit society as a whole. The Privacy Act provides exceptions to privacy where use or disclosure is required by law.

HIV is a notifiable disease in all Australian states and territories. Legal obligations around notification are mandated by state laws, which define a doctor’s duty to notify the respective health department of a notifiable disease. Specific state laws also allow a health care practitioner to notify their health department of a patient’s name and other confidential information where they fear that patient may be putting others at risk (see Management of People with HIV who Place Others at Risk). Where the law requires disclosure of confidential information, there can be no action for breach of confidence.

Accessing personal records

Patients are entitled to access their health records, except for a limited number of important exceptions outlined under National Privacy Principle 6, for example, if the request for access is frivolous or vexatious or the record-keeper is required or authorised to refuse that access by law. Patients, including the patient identified as HIV positive or a contact, are not entitled to any information that relates to their contact’s identity (assuming it is not already known), behaviour or diagnosis without that person’s consent, even if that information is in the patient’s records. Patients’ records generally should not contain information about other persons (other than that provided by the patient); however, in the event that their records do contain such information, that information should be deleted.

Security and storage of health information

A range of laws apply to the storage of health information. Health agencies should have in place:
  • procedures to give access to the information only to those people who are authorised to have access in order to use or disclose the information for the purpose for which it was collected
  • security measures to prevent unauthorised access to the records
  • where practicable, procedures for storing the information in a way that the identity of the person is not readily apparent from the face of the record, for example, by the use of identification codes
  • where the record is not to be retained, procedures for destroying the records that protect the privacy of the information.
Electronic records pose new challenges. While they offer greater convenience of data retrieval and transfer, electronic record systems also create greater risks of data leakage, access by unauthorised staff and browsing by unauthorised people. Agencies and businesses, including medical practices, need to consider the security of their data storage and transfer systems and the problem of staff intentionally or inadvertently accessing prohibited electronic records. This issue is currently being tackled by the Commonwealth and a number of states in the development of their electronic health records systems, and has proven enormously complex.

HIV Futures 7 reports that of the 1058 HIV-positive Australians surveyed, 28% of respondents had experienced less favourable treatment at a medical service as a result of having HIV. 39% of those reported confidentiality problems.

(ARCSHS 2 2013)

Information for teams

Multidisciplinary treating teams are common practice in Australian health care. Health care practitioners work together and share necessary information to deliver optimum health care. All transfers of information without the knowledge of the patient require careful consideration.

Although the question has not yet been legally tested, private sector health service providers do not always require a patient’s consent to disclose specific health information to another member of a multidisciplinary team for a health care purpose as long as the patient would reasonably expect that information to be shared for a directly-related secondary purpose. There would ordinarily be a strong link between what an individual has been told (about the proposed uses and disclosures) or has consented to, and his or her ‘reasonable expectations’. Therefore, it is advisable to tell a patient being treated by a multidisciplinary team how this will affect the handling of his or her health information and to gain patient consent so that implied consent is not relied upon. Other limited exceptions under National Privacy Principle 2 permit disclosure without consent in certain circumstances including to lessen a serious and imminent threat to an individual’s life, health or safety, or where the disclosure is required or authorised by law.

When determining the primary purpose for which information was collected, health service providers should recognise that some individuals want to use health services in particular and limited ways. For example, the individual who goes to a sexual health centre seeking assistance in relation only to specific sexual health issues may have high expectations of privacy and confidentiality.

When determining ‘reasonable expectations’, considerations for health service providers include the individual’s age, gender or cultural, linguistic and socio-economic background.

Expectation is more than awareness – telling someone about proposed secondary uses or disclosures may not necessarily create a reasonable expectation. A health service provider should consider the kind of person they are talking to, what his or her understanding is likely to be and therefore what he or she may reasonably expect. Indeed, an individual’s expression of negative views, when made aware of a proposed secondary use or disclosure of his or her personal information would ordinarily indicate that he or she would not reasonably expect that use or disclosure to occur.

From: Guidelines on Privacy in the Health Sector. Office of the Privacy Commissioner 2001.

There is a need for doctors in group practices to formulate clear internal communication protocols in order to comply with privacy principles, for example, when communicating test results or considering contact tracing issues. The cross-referencing of files per se will generally not breach statutory confidentiality because results need to be checked, though information should not be disclosed without explicit permission. It is vital that all staff are aware of their obligations, and that systems are in place for protecting patient privacy.

Exemptions to privacy and confidentiality obligations

Principles governing the use and disclosure of health information are set out in the Privacy Act under National Privacy Principle 2 which states that an organisation must not use or disclose personal information about an individual for a purpose other than the primary purpose of collection except for a number of situations, including where an organisation reasonably believes that the use or disclosure is necessary to lessen or prevent a serious and imminent threat to an individual's life, health or safety, or a serious threat to public health or public safety.

In short, health care workers must not disclose a person’s health information without consent except in a very limited number of circumstances. These may generally be summarised as:
  • cases of needle-stick injury where a professional is aware of a patient’s HIV positive status and a health care worker has been exposed in circumstances where there is a real risk of transmission and it is not possible to conceal the identity of the source patient who has refused to consent to disclosure.
  • provision of medical services in a particular instance of care where there is a need to know the infection status for treatment purposes of benefit to the patient (e.g. in an emergency or if the patient is unconscious). This should not, however, detract from the observance of standard infection-control precautions.
It is strongly recommended that practitioners familiarise themselves with the National Privacy Principles (which are legally binding) and contact the Office of the Privacy Commissioner if they wish to clarify the manner in which the National Privacy Principles might relate to specific situations. Legal advice should be sought from a legal practitioner.

Resources

Further information on privacy laws and principles is available on the Office of the Australian Information Commissioner’s website at http://www.privacy.gov.au/law. Members of The Royal Australian College of General Practitioners can also access the 2012 edition of the Handbook for the Management of Health Information in Private Medical Practice at http://www.racgp.org.au/your-practice/business/tools/privacy-handbook/

State-based health information confidentiality laws

In addition to obligations imposed under relevant privacy legislation, there are various provisions in state and territory health legislation relating to confidentiality of health information (summarised below). Those wishing to pursue specific legal requirements should refer to verbatim copies of the indicated Acts and seek legal advice on their application.

Key health and HIV-related confidentiality provisions within various state and territory health acts (summarised)
Australian Capital Territory

Public Health Act 1997

Section 56 states a medical practitioner must not state the name or address of a patient in written or oral communication for the purpose of arranging an HIV test or when notifying the Department of Health of an HIV-positive test result. Otherwise, a person who, in the course of providing a service, acquires information that another person may be or is HIV positive, must take all reasonable steps to prevent disclosure of the information. There are exemptions, which include:

  • when the person consents to disclosure
  • when it is necessary to provide care, treatment or counselling
  • when the person is receiving particular services in a hospital
  • when the Director-General of Health has reasonable grounds to suspect the information is necessary to prevent a risk to public health
  • in connection with administration of the Public Health Act and accompanying regulations
  • for the purposes of legal proceedings arising from the Public Health Act and accompanying regulations, including reporting those proceedings
  • in accordance with requirements of the Ombudsman Act 1974
  • in circumstances prescribed by the Public Health Regulations

Section 58 has strengthened the safeguards permitting the Director General of Health to require a medical practitioner to disclose the name and address of a person living with HIV. The section states that the Director General of Health may apply to the District Court for an order requiring a medical practitioner to disclose the name and address of a person that would otherwise be protected from disclosure. (Previously, public health law stated that the Director General may make a direct order.) The application may be made only if the Director-General has reasonable grounds to believe that person has HIV, and identification of the person is necessary to safeguard the health of the public. Such cases are to be heard in the absence of the public.

A medical practitioner or other person who, without reasonable excuse, fails to comply is guilty of an offence.

 
Health Administration Act 1982

Section 110 states that a person must not disclose information regarding a person having HIV, unless with the person’s consent, with ‘good reason’ (not defined), for the purposes of the Act or another law, or authorised under a code of practice. Section 111 states it is an offence for a person to disclose any information regarding a person with HIV that may identify any doctor, nurse, pathology laboratory, hospital, or counsellor related to the HIV notification, without written consent of those persons/agencies or ‘reasonable excuse’ (not defined).

New South Wales

Public Health Act 2010

Section 56 states a medical practitioner must not state the name or address of a patient in written or oral communication for the purpose of arranging an HIV test or when notifying the Department of Health of an HIV-positive test result. Otherwise, a person who, in the course of providing a service, acquires information that another person may be or is HIV positive, must take all reasonable steps to prevent disclosure of the information. There are exemptions, which include:

  • when the person consents to disclosure
  • when it is necessary to provide care, treatment or counselling
  • when the person is receiving particular services in a hospital
  • when the Director-General of Health has reasonable grounds to suspect the information is necessary to prevent a risk to public health
  • in connection with administration of the Public Health Act and accompanying regulations
  • for the purposes of legal proceedings arising from the Public Health Act and accompanying regulations, including reporting those proceedings
  • in accordance with requirements of the Ombudsman Act 1974
  • in circumstances prescribed by the Public Health Regulations

Section 58 has strengthened the safeguards permitting the Director General of Health to require a medical practitioner to disclose the name and address of a person living with HIV. The section states that the Director General of Health may apply to the District Court for an order requiring a medical practitioner to disclose the name and address of a person that would otherwise be protected from disclosure. (Previously, public health law stated that the Director General may make a direct order.) The application may be made only if the Director-General has reasonable grounds to believe that person has HIV, and identification of the person is necessary to safeguard the health of the public. Such cases are to be heard in the absence of the public. A medical practitioner or other person who, without reasonable excuse, fails to comply is guilty of an offence.

 
Health Administration Act 1982

Section 22 states that if a person discloses any information obtained in connection with the administration or execution of this Act (or any other Act conferring or imposing responsibilities or functions on the Minister, Department, Director-General, Corporation or Foundation) the person is guilty of an offence. There are limited exemptions, which include when the person consents to disclosure and when disclosure is in connection with another law or legal proceedings which may arise. Section 23 prohibits disclosure of HIV-related information identified during research unless an individual or the Health Minister approves such disclosure. Disclosure of such information relevant to proceedings may be compelled by the Governor.

Northern Territory

Notifiable Diseases Act

Section 29 states that a public sector employee who is present in a room or at a place where a matter under this Act concerning another person is being discussed shall preserve and aid in preserving secrecy concerning all matters and things which come to his knowledge, except as otherwise required.

Queensland

Public Health Act 2005

Sections 77 to 81 state (among other things) that a person must not directly or indirectly disclose confidential information unless with the written consent of the person to whom the information relates, to prevent or minimise the transmission of HIV (including contact tracing), in the public interest, or unless authorised under an Act or another law.

South Australia

South Australian Public Health Act 2011

Section 99 states that if, in the course of official duties, a person obtains personal information relating to another, the person must not intentionally disclose that information without consent except in a range of specific circumstances including carrying out official duties, if required by law or a court, or if reasonably required for administration of a hospital or ambulance service. Specific information may be disclosed to a service provider if required for treatment or care. It may also be disclosed to a relative, carer or friend if required for treatment or care and there is no reason to believe disclosure would be contrary to the person’s best interests. Section 99 also permits disclosure of a person’s personal information to prevent the transmission of HIV or to lessen a serious threat to the life, health or safety of a person.

For a full list of broad confidentiality restrictions, see Section 99 and Section 100.

Section 82 (6) and (7) set out additional restrictions on the use of information gained as a result of, or in connection with, an Advisory Panel for managing behaviours that present a risk of HIV transmission.

In specific circumstances, the Chief Public Health Officer may require a person to provide information reasonably required for the purpose of the South Australian Public Health Act under Section 49.

Tasmania

Public Health Act 1997

Section 61 states a person must not disclose any information in relation to an HIV notification, investigation or inquiry into a notifiable disease, or the identity of a person to whom notification, investigation or inquiry relate.

 
HIV/AIDS Preventative Measures Act 1993

Section 17 states a person must not record, collect, transmit or store records, information or forms in respect of HIV tests or related medical assessments of another person other than in accordance with state privacy guidelines.

Section 18 states a person must not directly or indirectly disclose a person’s identity in relation to HIV testing, in any records or forms except in accordance with any privacy guidelines issued under section 17.

Section 19 states a person must not disclose any information concerning the result of a person’s HIV status except with the written consent of the person (a number of other consent options are provided such as if the person is deceased or a child); to another (defined) health care worker directly involved in the treatment or counselling of that person, for authorised research; or to a court or tribunal when strictly relevant, if authorised under the Act.

Victoria

Public Health and Wellbeing Act 2008

The Public Health and Wellbeing Act 2008 (which superseded the Health Act 1958) contains no HIV-specific laws on confidentiality in general practice; however, section 133 states that when evidence is proposed to be given on any matter relating to HIV, a court or tribunal may: order whole or part of the proceedings be closed; decide only specified persons are able to attend; and prohibit publication of whole or any part of the proceedings, if deemed necessary because of the social or economic consequences to a person if the information is disclosed.

 
Health Services Act 1988

The Health Services Act generally states that a relevant person must not directly or indirectly give to any other person any information acquired through his or her employment (broadly defined to include a broad range of those associated with health care provision) if another person could be identified by that information. The Act continues to provide a long list of exceptions. Those of greatest relevance to the clinical management of HIV include disclosure with the consent of the person; as expressly authorised, permitted or required by law; in relation to criminal court proceedings; in the public interest (defined by the Minister); or in relation to the provision of health care where the information:

  • is required for the further treatment of a patient
  • is communicated in general terms
  • is communicated by a member of the medical staff to next of kin or a near relative of the patient in accordance with the recognised customs of medical practice
  • is provided to the Australian Red Cross Society for the purpose of tracing blood or blood products.
Western Australia

Health Act 1911

Section 314 states every person employed in the administration of the Act who does not preserve secrecy with regard to all matters that may come to his or her knowledge in the course of such employment, and communicates any such matter to another person except in the performance of duties under this Act, commits an offence.

Section 314 continues to state that where the Executive Director of Public Health suspects or knows that a person of or under the age of 16 years is suffering from venereal disease, the Executive Director may communicate the suspicion or knowledge to the parents or persons standing in the place of parents of the person.

1 This section is based on ‘Privacy, Confidentiality and other legal responsibilities’ in ASHM’s B Positive – all you wanted to know about hepatitis B: a guide for primary care providers.

2 Grierson J, Pitts M and Koelmeyer R (2013) HIV Futures 7: The Health and Wellbeing of HIV Positive People in Australia, monograph series number 88, The Australian Research Centre in Sex, Health and Society, La Trobe University, Melbourne, Australia. Available at: http://www.latrobe.edu.au/__data/assets/pdf_file/0007/546037/HIV-Futures-Seven-Report.pdf
