Mandatory Disclosure of Confidential Health Information a Load of Rubbish or a Legal Duty?

Case history

A GP received a letter from a local council requesting the release of confidential patient information.

The council had discovered illegally dumped waste, which included a discarded medication packet. The medication packaging had a prescription label with a patient’s name, the prescribing doctor’s name, as well as the date and the name of the pharmacy that had dispensed the medication.

The council then wrote to the GP (who was the prescribing doctor) requesting the full name, address and date of birth of the patient. The request was made under an obscure piece of environmental legislation (the Protection of the Environment Operations Act 1997 (PEOA)) which carried a penalty in the form of an infringement notice if the GP did not comply.

The GP contacted MDA National’s 24/7 Medico-legal Advisory Service to seek advice on whether they should release the information.

Discussion

A doctor in private practice does not have an absolute duty to ensure the confidentiality of a patient’s health record. Disclosure is governed by the Privacy Act 1988 (Cth). Several broad categories exist where disclosure may be permitted:

1. express or implied consent by the patient
2. mandatory disclosure under compulsion of law
3. an overriding duty in the “public interest” to disclose where there is a risk of harm or safety to the patient or others

This case concerned a duty to disclose under compulsion of law. Typically this will involve issues such as court orders (including subpoenas, summons and search warrants), mandatory reporting (e.g. child abuse and notifiable diseases) and administrative disclosure (births and deaths). However in this case, the law was somewhat more arcane.

After examining the PEOA legislation and the Australian Privacy Principles (to ensure that the request represented a valid interpretation of the law and that no specific exceptions applied), we advised the GP that the release of the requested information was appropriate. A letter was provided for the GP to submit to the council outlining why the information was being released and the relevant concerns the release of information raised. We also advised the GP to inform the patient that their name, address and date of birth had been released to the council after legal advice had been obtained in relation to the council’s request.

On this occasion, although the information requested by the council was still protected under privacy legislation, it was not particularly sensitive. However each case would be assessed on its merits – weighing up the sensitivity of the requested health information against the relevance and penalties of the legislation underlying the request.