Section 110 of the ACT Public Health Act 1997 states that a person must not disclose information regarding a person having HIV, unless with the person’s written consent, and the disclosure is for the purposes of the Act or another law, or authorised under a code of practice.

Section 111 states it is an offence for a person to disclose any information regarding a person with HIV that may identify any doctor, nurse, pathology laboratory, hospital, or counsellor related to the HIV notification, without written consent of those persons/agencies or ‘reasonable excuse’ (not defined).

Section 56 of the NSW Public Health Act 2010 states a medical practitioner must not state the name or address of a patient notifying the Department of Health of an HIV-positive test result. Otherwise, a person who, in the course of providing a service, acquires information that another person may be or is HIV positive, must take all reasonable steps to prevent disclosure of the information. There are exemptions, which include:

• when the person consents to disclosure
• when the disclosure is to a person who is involved in the provision of provide care, treatment or counselling to the person concerned
• when a person has reasonable grounds to suspect that failure to disclose the information would be likely to be a risk to public health, identifying information may be disclosed to the Secretary of the Ministry of Health
• in connection with administration of the Public Health Act and accompanying regulations
• for the purposes of legal proceedings arising from the Public Health Act and accompanying regulations, including reporting those proceedings
• in accordance with requirements of the Ombudsman Act 1974
• in circumstances prescribed by the Public Health Regulations.

   

  Section 58 states that the Secretary may apply to the District Court for an order requiring a medical practitioner to disclose the name and address of a person that would otherwise be protected from disclosure. The application may be made only if the Secretary has reasonable grounds to believe that the person has HIV, and identification of the person is necessary to safeguard the health of the public. Such cases are to be heard in the absence of the public.

  A medical practitioner or other person who, without reasonable excuse, fails to comply is guilty of an offence.

  NSW Privacy and Personal Information Act (1998)

  Under the Information Protection Principles contained in the NSW Privacy and Personal Information Act (1998), which covers NSW public-sector agencies that hold personal information, can only disclose personal information in limited circumstances where the individual has consented to it. An agency can also disclose your information if it is for a directly related purpose and it can be reasonably assumed that the individual would not object; if they have been made aware that information of that kind is usually disclosed; or if disclosure is necessary to prevent a serious and imminent threat to any person’s health or safety.

  Health Administration Act 1982

  Section 22 states that if a person discloses any information obtained in connection with the administration or execution of this Act (or any other Act conferring or imposing responsibilities or functions on the Minister, Ministry, Health Secretary, Corporation or Foundation) the person is guilty of an offence. There are limited exemptions, which include when the person consents to disclosure and when disclosure is in connection with another law or legal proceedings which may arise, or there is some other lawful excuse. Section 23 prohibits disclosure of HIV-related information identified during research unless an individual or the Health Minister approves such disclosure. Disclosure of such information relevant to proceedings may be compelled by the Governor.

Notifiable Diseases Act

Section 29 states that where a public sector employee who is present in a room or at a place where a matter under this Act concerning another person is being discussed, shall preserve and aid in preserving secrecy concerning all matters and things which come to his knowledge except as otherwise required.

Public Health Act 2005

Sections 77 to 81 state (among other things) that a person must not directly or indirectly disclose confidential information unless with the written consent of the person to whom the information relates, to prevent or minimise the transmission of HIV (including contact tracing), in the public interest, for public health purpose, or unless authorised under an Act or another law.

South Australian Public Health Act 2011

Section 99 states that if, in the course of official duties, a person obtains personal information relating to another, the person must not intentionally disclose that information without consent except in a range of specific circumstances including:

• carrying out official duties, if required by law or a court, or
• if reasonably required for administration of a hospital or ambulance service.
• specific information may be disclosed to a service provider if required for treatment or care.
• disclosure to a relative, carer or friend if required for treatment or care and there is no reason to believe disclosure would be contrary to the person’s best interests.
• to prevent the transmission of HIV or to lessen a serious threat to the life, health or safety of a person.

For a full list of broad confidentiality restrictions, see Section 99 and Section 100. 

Section 82 (6) and (7) set out additional restrictions on the use of information gained as a result of, or in connection with, an Advisory Panel for managing behaviours that present a risk of HIV transmission. 

In specific circumstances, the Chief Public Health Officer may require a person to provide information reasonably required for the purpose of the South Australian Public Health Act under Section 49.

Public Health Act 1997

Section 147 states that no disclosure of any information is permitted except in certain circumstances including; where the individual’s consent has been obtained, is for the diagnosis, clinical assessment, treatment or counselling of the individual, for the management, detection, notification, treatment or prevention of the spread of a notifiable disease or for managing a threat to public health. For a list of all circumstances in which disclosure is permitted, refer to s147.

Public Health and Wellbeing Act 2008

The Public Health and Wellbeing Act 2008 contains no HIV-specific laws on confidentiality in general practice, however,  section 55 states that a person may disclose information to the Secretary, the Chief Health Officer or an authorised officer of the Department if the person reasonably believes that the disclosure is necessary to assist the Secretary, the Chief Health Officer or the authorised officer to exercise a power, or perform a duty or function, under the Act or the regulations.

Section 133 states that when evidence is proposed to be given on any matter relating to HIV, a court or tribunal may: order whole or part of the proceedings be closed; decide only specified persons are able to attend; and prohibit publication of whole or any part of the proceedings, if deemed necessary because of the social or economic consequences to a person if the information is disclosed.

Health Records Act (2001)

Under the Health Privacy Principles contained in this legislation, which applies to both public and private organisations that hold health information, health information can only be used or disclosed for the primary purpose of its collection or a directly related secondary purpose which the individual would reasonably expect.  Health information can only be used or disclosed for a non-related purpose in some circumstances, such as when there's a serious risk to someone or the information is needed to evaluate the service you received.

Health Services Act 1988

Section 141 of the Health Services Act generally states that a relevant person must not directly or indirectly give to any other person any information acquired through his or her employment (broadly defined to include a broad range of those associated with health care provision) if another person could be identified by that information. The Act continues to provide a long list of exceptions. Those of greatest relevance to the clinical management of HIV include disclosure with the consent of the person; as expressly authorised, permitted or required by law; in relation to criminal court proceedings; in the public interest (defined by the Minister); or in relation to the provision of health care where the information:

• is required for the further treatment of a patient
• is communicated in general terms
• is communicated by a member of the medical staff to next of kin or a near relative of the patient in accordance with the recognised customs of medical practice
• is provided to the Australian Red Cross Society for the purpose of tracing blood or blood products.

Public Health Act 2016

Section 299  states that if a public health official, in good faith and in accordance with the guidelines, discloses relevant information
(a)  to another public health official; or  
(b)  to an officer of an enforcement agency (other than the Chief Health Officer); or (c)  to an officer of an information sharing agency,
they are not liable for any civil or criminal liability is incurred in respect of the disclosure; and the disclosure is not to be regarded as a breach of any duty of confidentiality or secrecy imposed by law. In the event this is not the case, they are potentially civilly or criminally liable.
Section 302 states that a person who, without lawful authority, directly or indirectly, uses or discloses confidential information obtained by reason of any function that the person has, or at any time had, in the administration of this Act or the Health (Miscellaneous Provisions) Act 1911 Part XI commits an offence.

Penalty for an offence under this subsection: a fine of $20 000.

General practitioners should only collect health information about patients with their informed consent. It is usually reasonable to assume that consent is implied if the information is noted from details provided by the patient during a consultation, as long as it is clear the patient understands what information is being recorded and why. It is also vital to ensure that record keeping is thorough and accurate: both to ensure the best possible ongoing treatment of the patient and, in the worst-case scenario, to be used to support the practitioner should a patient attempt to make a case against a treating doctor for breach of privacy or confidentiality.

All medical procedures require informed consent. Practitioners need to appreciate the potential consequences and impact of an HIV diagnosis on a patient; although running tests and delivering diagnosis may be standard for the health-care practitioner, receiving the results may be anything but routine for the patient. The provision of information both before the test and with the delivery of test results should allow the health-care practitioner to discuss the risks and benefits to the patient in that person’s particular situation, thereby facilitating the patient’s decision-making process.

When offering a test to patients with low proficiency in English, an accredited interpreter should be used to ensure that the patient understands what they are being offered and has the opportunity to ask any questions. The Translating and Interpreting Service is available 24 hours, 7 days a week.  Telephone interpreting is usually well accepted because it allows patients to maintain anonymity.

Patients are not able to consent to the use of their information if they are unclear about how the information will be used and why. If possible, patients should be advised of the use of their information when it is collected, which can occur through usual communications during a regular consultation. Patients should also be informed of circumstances in which personal information may be shared or disclosed.

In the case of PD, a doctor correctly refused to give test results to one partner in a couple who had attended a joint consultation. In that case, a couple attended and jointly requested HIV tests. After receiving her result, the HIV-negative partner (PD) unsuccessfully attempted to find out her partner’s test results from the clinic and from her partner, who lied by saying he was HIV negative. PD later contracted HIV infection from her partner. The doctor had not explained during their initial consultation that the results of each person’s test could not be disclosed to the other person, and never sought their understanding of that situation or consent for their test results to be shared. The Court found that the doctors had breached their duty of care and awarded substantial financial damages to the aggrieved patient, though significantly, it upheld the issue of confidentiality and the doctor’s insistence that the partner’s results could not be released. 

This case demonstrates the importance of clarifying at the outset how personal health information will be used and disclosed and of obtaining the patient's consent to do so. If it had been made clear to each party about the need to share HIV test results and consent therefore sought to do so, the doctor could have made the disclosure based on the principle of patient consent.

The case of AJD v Royal Prince Alfred Hospital [2014] NSWCATAD 125; (2 September 2014)  dealt with a breach of health privacy principles. In that case the AJD’s personal health information was recorded in the records of her children from when she gave birth. The hospital then released that information through a GIPA request made by the father (and ex-husband of AJD).  It was found that the hospital had breached the health privacy principles by releasing the information that related to the mother to the father, and also that the hospital failed to ensure the security of the health information against unauthorised use and disclosure.

This may be relevant in the context of HIV as there are often couples who are both receiving care at the same practice. It is important that their health information each be recorded separately on their own files and thoroughly reviewed if requests of release of information have been made.

There is no ‘absolute’ right to privacy under Australian or international law. In developing Australian privacy laws, the right to individual privacy has been weighed against the rights of others and against matters that benefit society as a whole. The Privacy Act 1988 provides exceptions to privacy where use or disclosure is required by law.

HIV is a notifiable disease in all Australian states and territories. Legal obligations around notification are mandated by state laws, which define a doctor’s duty to notify the respective health department of a notifiable disease (see Notification). Specific state laws also allow a health care practitioner to notify their health department of a patient’s name and other confidential information where they fear that patient may by putting others at risk (see internal hyperlink Management of People with HIV who Place Others at Risk). Where the law requires disclosure of confidential information, there can be no action for breach of confidence.

Patients are entitled to access their health records, except for a limited number of important exceptions outlined under Australian Privacy Principle 12, for example, if the request for access is frivolous or vexatious or the record-keeper is required or authorised to refuse that access by law.

Individuals contacted through the process of notification, also known as ‘contact tracing’, either as an index case (original person identified with an infection) or a subsequent contact, are not entitled to any information relating to their contact’s identity, behaviour or diagnosis without that person’s consent, even if that information is in the patient’s records. Should a patient wish to access their own record, details of the identity of any contacts contained in their record should be redacted.

A range of laws apply to the storage of health information. Health agencies should have in place:

• procedures to give access to the information only to those people who are authorised to have access in order to use or disclose the information for the purpose for which it was collected
• security measures to prevent unauthorised access to the records
• where practicable, procedures for storing the information in a way that the identity of the person is not readily apparent from the face of the record, for example, by the use of identification codes
• where the record is not to be retained, procedures for destroying the records that protect the privacy of the information.

HIV Futures 8 found that of the 895 HIV-positive Australians surveyed, 15.8% of respondents had experienced less favourable treatment at a medical service as a result of having HIV.

Multidisciplinary treating teams are common practice in Australian health care. Health care practitioners work together and share necessary information to deliver optimum health care. All transfers of information without the knowledge of the patient require careful consideration. 

Although the question has not yet been legally tested, private sector health service providers do not always require a patient’s consent to disclose specific health information to another member of a multidisciplinary team for a health care purpose as long as the patient would reasonably expect that information to be shared for a directly-related secondary purpose. There would ordinarily be a strong link between what an individual has been told (about the proposed uses and disclosures) or has consented to, and his or her ‘reasonable expectations’. Therefore, it is advisable to tell a patient being treated by a multidisciplinary team how this will affect the handling of his or her health information and to gain patient consent so that implied consent is not relied upon.

Doctors in group practices should formulate clear internal communication protocols in order to exercise reasonable care (e.g. when communicating test results or considering contact tracing issues). The cross-referencing of files per se will generally not breach statutory confidentiality because results need to be checked; however, information should not be disclosed without explicit patient permission. All staff must be aware of their obligations, and systems must be in place for protecting patient privacy.

Health information is considered sensitive information under the Privacy Act, and so greater protections apply to that information than to general personal information.  Use and disclosure of health information is defined in the Privacy Act under APP6, which states that an organisation must not use or disclose personal information about an individual for a purpose other than the primary purpose of collection except for a number of limited circumstances. Such circumstances include the following:

• where the person would reasonably expect the information to be disclosed for a secondary purpose. If the information is health information and so considered sensitive, any disclosure must be directly related to the primary purpose of collection. If the information is not health information and therefore not considered as sensitive, any disclosure must still be related to the primary purpose.
• to lessen or prevent a serious threat to the life, health or safety of an individual, or to public health or safety, where it is unreasonable or impractical to gain consent
• to take appropriate action in relation to suspected unlawful activity or serious misconduct
• where to do so is reasonably necessary for establishing, exercising or defending existing or anticipated legal proceedings in a court or tribunal, or for alternative dispute resolution
• to locate a person reported as missing
• where to do so is necessary to prevent a serious threat to the life, health or safety of a genetic relative (special conditions apply).

When determining the primary purpose for which information was collected, health service providers should recognise that some individuals want to use health services in particular and limited ways. For example, the individual who goes to a sexual health centre seeking assistance in relation only to specific sexual health issues may have high expectations of privacy and confidentiality.

When determining ‘reasonable expectations’, considerations for health service providers include the individual’s age, gender or cultural, linguistic and socio-economic background.

Expectation is more than awareness – telling someone about proposed secondary uses or disclosures may not necessarily create a reasonable expectation. A health service provider should consider the kind of person they are talking to, what his or her understanding is likely to be and therefore what he or she may reasonably expect. Indeed, an individual’s expression of negative views, when made aware of a proposed secondary use or disclosure of his or her personal information would ordinarily indicate that he or she would not reasonably expect that use or disclosure to occur.

From: Office of the Information Commissioner’s business resource: Using and disclosing patients’ health information

Disclosure of health information to a responsible person is also allowed:

• when the person is physically or legally incapable of consent; and
• the disclosure is necessary to provide appropriate care or treatment of the individual or for compassionate reasons; and
• the disclosure is not contrary to any wish expressed by the individual before he or she became unable to give consent of which the carer is aware, or could reasonably be expected to be aware; and
• the disclosure is limited to the extent reasonable and necessary to provide appropriate care or treatment of the individual, or to fulfil the purpose of making a disclosure for compassionate reasons.

Principles governing the use and disclosure of health information are set out in the Privacy Act under Australian Privacy Principle 6 which states that an organisation must not use or disclose personal information about an individual for a purpose other than the primary purpose of collection except for a number of situations, including where an organisation reasonably believes that the use or disclosure is necessary to lessen or prevent a serious and imminent threat to an individual's life, health or safety, or a serious threat to public health or public safety. 

In short, health care workers must not disclose a person’s health information without consent except in a very limited number of circumstances. These may generally be summarised as:

• communicating necessary information to others directly involved in the treatment of a patient during a particular episode of care
• cases of needle-stick injury where a professional is aware of a patient’s HIV positive status and a health care worker has been exposed in circumstances where there is a real risk of transmission and it is not possible to conceal the identity of the source patient who has refused to consent to disclosure.
• provision of medical services in a particular instance of care where there is a need to know the infection status for treatment purposes of benefit to the patient (e.g. in an emergency or if the patient is unconscious). This should not, however, detract from the observance of standard infection-control precautions.

It is strongly recommended that practitioners familiarise themselves with the Australian Privacy Principles (which are legally binding) and contact the Office of the Information Commissioner if they wish to clarify the manner in which the Australian Privacy Principles might relate to specific situations. If in doubt, legal advice should be sought from a legal practitioner. 

Further information on privacy laws and principles is available on the Office of the Australian Information Commissioner’s website. Members of the The Royal Australian College of General Practitioners can also access the the most recent 3rd edition from 2014 of the Handbook for the Management of Health Information in Private Medical Practice here.

In addition to obligations imposed under relevant privacy legislation, there are various provisions in state and territory health legislation relating to confidentiality of health information (summarised below). Those wishing to pursue specific legal requirements should refer to verbatim copies of the indicated Acts and seek legal advice on their application.