HIV privacy and confidentiality

Jenny is a new patient and informs you she is HIV positive. She’s anxious to know if this will be recorded and whether it will be seen by others. She tells you she made a complaint about her previous GP who had included her HIV status on a referral to her physiotherapist without her knowledge. Jenny asks you not to include her HIV status on her medical record. What should you do?

Protecting sensitive information

The protection of health-related information is of importance due to its sensitive nature.

• Privacy – the legal right to control access to oneself including information, is regulated in Australia by the Privacy Act 1988 (Cth)¹ and the Australian Privacy Principles.²
• Confidentiality – relates to a health practitioner’s ethical and legal duty to ensure personal health information is not disclosed inappropriately.

Patients don’t have to disclose their HIV (or other BBV) status before undergoing any type of medical examination or treatment. However, this information is often helpful as it may affect decisions about health care. For example, HIV or viral hepatitis medications may interact with other medications or may have an impact on other medical conditions.

It’s important to have a conversation with the patient about when it’s useful to disclose this information. This is particularly important with the introduction of My Health Record in Australia which provides individuals’ health information that is accessible to any healthcare professional involved in that person’s care.

The Australasian Society for HIV, Viral Hepatitis and Sexual Health Medicine (ASHM) has the Guide to My Health Record: for BBV & STI healthcare providers to support their patients³ that provides helpful information and recommendations for healthcare workers to have discussions with patients about the benefits, and any concerns about privacy. This includes supporting patients to understand the privacy and security control options to guide their decision-making in engaging with My Health Record.

Multidisciplinary teams

Working in a multidisciplinary treating team is common in Australia and sharing information is often important in delivering good health care.

Healthcare providers don’t always require a person’s consent to disclose specific health information to another member of a multidisciplinary team if the patient would reasonably expect that information to be shared for a directly related secondary purpose. It would be considered that there would be a strong link between what an individual has been told (about the proposed uses and disclosures) or has consented to, and his or her ‘reasonable expectations’.⁴

It would therefore be prudent for healthcare providers to let patients know how their information will be handled and to gain patient consent rather than relying on implied consent. It's helpful in a group practice to have clear policies to ensure staff are aware of their obligations, and have systems in place to protect patient privacy. 

Jenny is planning to have her tonsils out and her anaesthetist is not sure whether other staff in theatre should be informed of her HIV status.

It would not be expected that theatre staff in general would need to be informed of Jenny’s HIV status, as universal precautions will be in place.

If other health practitioners need to know about her illness and/or medication for her benefit, they should be informed as necessary – otherwise Jenny’s confidentiality should be respected.

Exemptions to privacy and confidentiality obligations

It’s important to discuss with Jenny the circumstances in which certain staff members may become aware of, or have a need to know, her HIV status.

Australian Privacy Principle 6⁵ outlines principles governing the use and disclosure of health information. The ASHM also provides some guidance in relation to HIV:

In short, healthcare workers must not disclose a person’s health information without consent except in a very limited number of circumstances. These may generally be summarised as:

• communicating necessary information to others directly involved in the treatment of a patient during a particular episode of care
• cases of needle-stick injury where a professional is aware of a patient’s HIV positive status and a healthcare worker has been exposed in circumstances where there is a real risk of transmission, and it is not possible to conceal the identity of the source patient who has refused to consent to disclosure
• provision of medical services in a particular instance of care where there is a need to know the infection status for treatment purposes of benefit to the patient (e.g. in an emergency or if the patient is unconscious). This should not, however, detract from the observance of standard infection-control precautions.
  
  

In addition to obligations under privacy legislation, healthcare providers should also be aware of state and territory legislation regarding confidentiality of health information⁶ and, if uncertain, should obtain medico-legal advice.

Jenny feels reassured after having a discussion on who has access to her medical records and the circumstances in which her health information may be released to others.

Summary

Discussion with patients regarding how health information will be handled is important in maintaining privacy and confidentiality obligations. It’s often better to obtain patient consent directly rather than relying on implied consent. If uncertain of your obligations in a specific situation, contact MDA National for medico-legal advice.

References

1. Commonwealth Consolidated Acts. Privacy Act 1988 

2. OAIC. Read the Australian Privacy Principles

3. ASHM. A guide to My Health Record: for BBV & STI healthcare providers to support their patients

4. ASHM. Guide to Australian HIV Laws and Policies for Healthcare Professionals

5. OAIC. Australian Privacy Principles. Chapter 6: APP 6 – Use or disclosure of personal information