Patient Information – Third Party Disclosure

The privacy breach occurred when the GP answered a phone call from the police asking if she thought her patient was psychotic. Dr Z knew the patient well, having seen him on 26 occasions over the previous two years, but she had not seen him for two months. The GP replied to the police that it was possible, but further assessment was needed.

Professional obligations – confidentiality and privacy

According to Good Medical Practice: A Code of Conduct for Doctors in Australia, patients have a right to expect that doctors and their staff will hold information about them in confidence, unless the release of information is required by law or public interest considerations.²

The ethical and professional duty of confidentiality dates back to Hippocrates and forms the basis of trust in the doctor–patient relationship. It encourages patients to disclose information truthfully, without fear of harm, discrimination or embarrassment that may arise from the dissemination of the information. However, the duty of confidentiality is not absolute and there are exceptions.

A doctor will occasionally face a situation where they need to weigh up their obligation to protect patient confidentiality against acting in the “public interest” in trying to protect the health or safety of the general community.

Legal obligations – privacy

In what circumstances can you disclose information about one of your patients to a third party?

Under the Privacy Act 1988 (Cth), a patient’s health information can be disclosed to a third party in certain circumstances, including when:

• the patient provides their consent for the information to be released to the third party
• it is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety, where it is unreasonable or impracticable to obtain the patient’s consent:
• includes a threat to physical or mental health and safety
• may include a threat of serious harm to the patient or to any other unspecified individual
• it is required or authorised by or under an Australian law or a court/tribunal order (e.g. mandatory reporting of child abuse, a subpoena or search warrant)
• it is reasonably expected by the patient and directly related to the primary purpose of providing health care (e.g. complaints handling, audit, disclosure to a medical defence organisation)
• it is reasonably necessary for one or more enforcement-related activities conducted by, or on behalf of, an enforcement body:
• a written note of the disclosure must be made
• enforcement-related activities include the prevention, detection, investigation and prosecution or punishment of criminal offences and intelligence-gathering activities
• “enforcement body” includes bodies responsible for policing, criminal investigations and administering laws to protect public revenue or to impose penalties or sanctions.

Preventing a breach

What should Dr Z have done to prevent a breach of privacy when she was contacted by the police?

She could have asked the police whether any of the exceptions to her duty of confidentiality and privacy applied. Specifically, whether the patient had given his permission for the GP to discuss his health information with the police; if the information was needed to lessen or prevent a serious threat to life, health or safety; or whether the information was necessary for an enforcement-related activity by the police.

If Dr Z was not certain how to respond, she could have asked the police to put their request in writing to enable her to obtain advice from her medical defence organisation, and/or discuss the situation with the patient, if appropriate.

Summary points

• If a patient provides you with consent to release their health information or medical records to a third party, you should do so.
• In the absence of your patient’s consent, there are limited circumstances in which you can release their health information or medical records to a third party.

Dr Sara Bird
Manager, Medico-legal and Advisory Services
MDA National

References

1. ‘EZ’ & ‘EY’ [2015] AICmr 23. Available at: oaic.gov.au/privacy-law/determinations/2015-aicmr-23
2. Medical Board of Australia. Good Medical Practice: A Code of Conduct for Doctors in Australia. 2014. Section 3.4. Available at: medicalboard.gov.au/Codes-Guidelines-Policies/Code-of-conduct.aspx