The Australian Medical Association Code of ethics (‘the Code’)4 requires medical practitioners to maintain a patient’s confidentiality. The Code notes that exceptions to patient confidentiality ‘must be taken very seriously. They may include where there is a serious risk to the patient or another person, where required by law, or where there are overwhelming societal interests.’
The protection of health-related information attracts special treatment because of the extremely sensitive nature of personal health information, the impact of breaches of these policies on the affected individuals, and the high rate of health-related complaints to state or territory and Commonwealth privacy offices.
Importance of privacy and confidentiality
It is important to maintain privacy and confidentiality because:
HBV, hepatitis B virus
The terms ‘privacy’ and ‘confidentiality’ are commonly used interchangeably, but they are not identical concepts in the legal sense. ‘Privacy’ laws regulate the handling of personal information (including health information) through enforceable privacy principles, whereas ‘confidentiality’ refers to the legal duty that the health-care practitioner owes to their patient in relation to the protection of their personal health information.
Issues relating to the management of privacy in the health sector are covered by the Privacy Act 1988 (Commonwealth) (‘the Act’). The Act applies to all private sector organisations that provide health services or hold health information. A ‘health service’ can be broadly defined as any activity that involves:
- assessing, recording, maintaining or improving a person’s health; or
- diagnosing or treating a person’s illness or disability; or
- dispensing a prescription drug or medicinal preparation by a pharmacist.
Consequently, health services include traditional health-service providers (e.g. private hospitals and day surgeries, medical practitioners, pharmacists and allied health professionals), as well as complementary therapists, gyms, weight loss clinics and many others.
There is no Federal legislation that relates specifically to the diagnosis, treatment or contact tracing of patients with HBV (or other notifiable diseases). In the absence of Federal legislation, each state and territory has developed its own approach to privacy and confidentiality. Some jurisdictions have developed specific, targeted laws and policies, whereas others rely on more generic laws and processes.
The Act generally covers all health-sector employees (e.g. medical practitioners, nurses, administrators, trainers and cleaners) who are not directly employed by a state or territory government; those who are so employed are usually covered by state laws. Further information on who is covered by the Act is available from the Office of the Australian Information Commissioner.5
The Act contains 13 Australian privacy principles6 (APPs), which outline minimum privacy standards for handling health information. These APPs are legally binding; hence, all practitioners should familiarise themselves with these principles.
Some APPs outline specific obligations for health-service professionals, whereas others simply mandate that a practitioner ‘take reasonable steps’ to meet the stated obligations. Practitioners should seek legal advice if they are unsure of the application of the APPs to particular situations.
In some instances, the layers of Commonwealth, state and territory laws and regulations may overlap across particular privacy obligations. However, under the Australian Constitution, when a state or territory law is inconsistent with a Commonwealth law, the Commonwealth law prevails. Consequently, all private sector health-service providers are required to comply first and foremost with the provisions of the Commonwealth Privacy Act, and secondly with any additional and non-conflicting state or territory laws.
It is important to understand both state and Commonwealth-based laws. In New South Wales (NSW), for example, state privacy legislation (the Health Records and Information Privacy Act 2002) applies to public sector and private sector health-care providers, and to holders of health records located in NSW. Consequently, private sector health-service providers must comply with two sets of privacy legislation (Federal and NSW) that are largely, but not wholly, compatible. The two sets of legislation impose similar obligations on private health-care providers. However, it could be argued that the NSW legislation has a higher compliance threshold, so that if a health-care practitioner complies with the NSW Health Records and Information Privacy Act, they will generally also comply with the Commonwealth Privacy Act.
Most states now have laws severely restricting the transfer of information in the health sector, and in some states, breaches of confidentiality may amount to a criminal offence. In addition to these intersecting laws, many states also have multiple layers of regulation. Those seeking advice on state or territory privacy laws should contact the agencies shown in Table 13.1.
Health-care practitioners should refer patients to seek independent legal advice if the patients have particular concerns about their disclosure obligations and the possible risks associated with failure to disclose in certain situations. However, practitioners should be aware of general rules around disclosure that can be communicated to patients.
Laws around disclosure are based on the idea that individuals should not intentionally or negligently harm others, and that individuals have a right to be warned of a possible risk of transmission where there is a real danger of that risk. Therefore, disclosure is only mandatory where there is no other way to avoid the risk of transmission; generally, disclosure is only required in a few discrete circumstances. In particular, patients will need to know their responsibilities around employment, insurance and sexual partners.
Patients are not legally obligated to disclose their status to sexual partners where they are taking ‘reasonable precautions’ against transmission; such precautions may include the use of condoms and lubricants. Patients are legally obligated to disclose their status to their partner or partners before engaging in unprotected sexual activity, including vaginal, oral or anal intercourse. There have been no cases of criminal prosecution for the transmission of HBV. However, the intentional transmission of HBV might attract criminal penalties where the Court finds that the impact of transmission is sufficiently detrimental to the individual who now has the disease, and that the individual who transmitted the virus had the necessary intention.
Circumstances requiring mandatory disclosure of status
It is mandatory for patients to disclose their status in a few exceptional circumstances:
There are a number of broad privacy-related issues that face general practitioners and other primary health-care providers. These issues, discussed below, include collecting information, ensuring that consent is ‘informed’, advising use, notification, accessing personal records, security and storage of health information, and information for teams.
13.4.1 Collecting information
General practitioners should only collect health information about patients with the patients’ informed consent. It can be reasonable to imply informed consent where the information in question is noted from details provided by the patient during a consultation, and where it can be demonstrated that the patient understands what information is being recorded and how the information will be used. Record keeping must be thorough and accurate. This will ensure the best possible ongoing treatment for a patient and, in the worst-case scenario, can be used to support the practitioner should a patient attempt to make a case against a treating doctor for breach of privacy or confidentiality.
13.4.2 Ensuring consent is ‘informed’
All medical procedures require informed consent. Practitioners need to appreciate the potential consequences and impact of an HBV diagnosis on a patient; although running tests and delivering diagnosis may be standard for the health-care practitioner, receiving the results may be anything but routine for the patient. The provision of information both before the test and with the delivery of test results should allow the health-care practitioner to discuss the risks and benefits to the patient in that person’s particular situation, thereby facilitating the patient’s decision-making process.
When offering a test to patients with low proficiency in English, an accredited interpreter should be used to ensure that the patient understands what they are being offered and has the opportunity to ask any questions. The Translating and Interpreting Service is available 24 hours, 7 days a week.7 Telephone interpreting is usually well accepted because it allows patients to maintain anonymity.
13.4.3 Advising use
Patients can only provide informed consent about the use of their health information if they are clear about where the information will go and why. Therefore, patients should be advised of the intended use of their information when it is collected. This point also relates to instances when personal information cannot be shared or disclosed. For example, in a 2003 NSW case (PD), a doctor failed to inform two patients attending a joint consultation that the results of each person’s tests could not be disclosed to the other person. The doctor consequently failed to ensure that both patients understood this situation, and also did not seek their informed consent to share the individual test results with the other patient. One patient tested positive for HIV and later infected the other patient, who had believed the clinic would make her aware if either of them tested positive for HIV. The Court found that the doctors had breached their duty of care and awarded substantial financial damages to the aggrieved patient.8
There is no absolute right to privacy under Australian or international law. The Commonwealth Privacy Act provides exceptions to privacy where use or disclosure is required by law, generally in order to protect the public from the spread of infectious diseases. In developing Australian privacy laws, the right to individual privacy has been weighed against the rights of the public and against matters that benefit society as a whole.
HBV is a notifiable disease in all Australian states and territories. Legal obligations informing notification are mandated by state laws, which define a doctor’s duty to notify the respective health department of a notifiable disease.
13.4.5 Accessing personal records
Patients are entitled to access their health records, except for a limited number of exceptions outlined under APP 12 (previously NPP 6). These exceptions include where the request for access is frivolous or vexatious, or where providing access would be likely to prejudice an investigation of possible unlawful activity.9
Individuals contacted through the process of notification, also known as ‘contact tracing’, either as an index case (original person identified with an infection) or a subsequent contact, are not entitled to any information relating to their contact’s identity, behaviour or diagnosis without that person’s consent, even if that information is in the patient’s records. Should a patient wish to access their own record, details of the identity of any contacts contained in their record should be redacted.
13.4.6 Security and storage of health information
A range of laws apply to the storage of health information. In summary, health agencies must have:
- procedures that ensure that only authorised individuals have access to patient health information
- security measures to prevent unauthorised access to the records
- where practicable, procedures for storing the information so that patient identity is not readily apparent from the face of the record (e.g. by the use of identification codes)
- procedures for destroying the records that protect the privacy of the information, in cases where the record is not to be retained.
Electronic records pose different challenges. Although they offer greater convenience of data retrieval and transfer, they also create greater risks of data leakage, hacking, and access or ‘browsing’ by unauthorised staff. Agencies and businesses, including medical practices, need to consider the security of their data storage and transfer systems, and the problem of staff intentionally or inadvertently accessing prohibited electronic records. This issue is currently being tackled by the Commonwealth and a number of states through the development of electronic health records systems.
13.4.7 Information for teams
Multidisciplinary treating teams are common practice in Australian health care. Health-care practitioners work together and share necessary information to deliver optimum health care. All transfers of information without the informed consent of the patient require careful ethical consideration.
Although the question has not yet been legally tested, private sector health-service providers may not always require a patient’s consent to disclose specific health information to another member of a multidisciplinary team for a health-care purpose where the patient would reasonably expect that disclosure. Because this has not been legally tested, it is still advisable to directly obtain patient consent about how their information will be handled, to avoid relying on implied consent.
Doctors in group practices should formulate clear internal communication protocols in order to exercise reasonable care (e.g. when communicating test results or considering contact tracing issues). The cross-referencing of files per se will generally not breach statutory confidentiality because results need to be checked; however, information should not be disclosed without explicit patient permission. All staff must be aware of their obligations, and systems must be in place for protecting patient privacy.
Use and disclosure of health information is defined in the Privacy Act under APP 6 (previously NPP 2), which states that an organisation must not use or disclose personal information about an individual for a purpose other than the primary purpose of collection except for a number of limited circumstances. Such circumstances include the following:
- where the person would reasonably expect the information to be disclosed for a secondary purpose (even if the information is not sensitive, it must be related to the primary purpose; and if it is sensitive, it must be directly related to the primary purpose)
- to lessen or prevent a serious threat to the life, health or safety of an individual, or to public health or safety, where it is unreasonable or impractical to gain consent
- to take appropriate action in relation to suspected unlawful activity or serious misconduct
- where to do so is reasonably necessary for establishing, exercising or defending existing or anticipated legal proceedings in a court or tribunal, or for alternative dispute resolution
- to locate a person reported as missing
- where to do so is necessary to prevent a serious threat to the life, health or safety of a genetic relative (special conditions apply).
Disclosure of health information to a person’s carer is also allowed:
- when the person is physically or legally incapable of consent; and
- the disclosure is necessary to provide appropriate care or treatment of the individual or for compassionate reasons; and
- the disclosure is not contrary to any wish expressed by the individual before he or she became unable to give consent of which the carer is aware, or could reasonably be expected to be aware; and
- the disclosure is limited to the extent reasonable and necessary to provide appropriate care or treatment of the individual, or to fulfil the purpose of making a disclosure for compassionate reasons.
There are a number of specific exemptions to APP 6 allowing disclosure of private health information.10
In summary, health-care workers must not disclose a person’s health information except in a limited number of circumstances. These may generally be summarised as:
- communicating necessary information to others directly involved in the treatment of a patient during a particular episode of care
- cases of needle-stick injury where a professional is aware of a patient’s HBV-positive status and a health-care worker has been exposed in circumstances where there is a real risk of transmission and it is not possible to conceal the identity of the source patient who has refused to consent to disclosure
- provision of medical services in a particular instance of care where there is a need to know the infection status for treatment purposes of benefit to the patient (e.g. in an emergency or if the patient is unconscious); this should not, however, detract from the observance of standard infection control precautions.
It is strongly recommended that practitioners familiarise themselves with the APPs and contact the Office of the Australian Information Commissioner or obtain legal advice if they wish to clarify the manner in which the APPs might relate to specific situations.
The practice of contact tracing raises potential conflicts between breaching a patient’s privacy and confidentiality, and alerting a third party to the fact that they may be at risk of HBV infection or have contracted the disease. Health practitioners’ obligations have not yet been legally tested on this point, but it is possible that a practitioner could be found negligent for failing to inform a third party that they may be at risk of, or may have contracted, HBV. Fortunately, public health services afford practitioners expert guidance to resolve the potential conflict between the duties to maintain confidentiality and privacy, and the possible duty of care owed to third parties. In instances where practitioners suspect a person may be putting others at risk, the practitioner should notify the health department, using the methods prescribed in the relevant state or territory. Public health authorities then become responsible for making decisions around contact tracing, including management of privacy issues.
There are two types of criminal offences associated with HBV and other blood-borne viruses. The first relates to disclosure of information regarding a person who has or is suspected of having HBV or other blood-borne virus infection, as discussed above. There are also general criminal laws in every state and territory that arguably could be used if a Court considered the harms associated with HBV transmission sufficiently serious, and determined that the individual who transmitted the infection had sufficient knowledge and intent to transmit it. There have been no criminal prosecutions for HBV transmission within Australia, but there have been numerous prosecutions around the transmission of HIV.
Antidiscrimination laws operate in all Australian states and territories, and prohibit discrimination against individuals on the basis of their actual or perceived HBV status. Discrimination based on disease status is legislatively prohibited under ‘disability or impairment’. It is important that health-care practitioners avoid behaviours that are or could be perceived as discriminatory by a patient when testing and managing people with HBV. Such behaviours could include refusing to see a patient, offering different or inappropriate treatment, or placing a patient last on a consultation or operating list. As outlined in Chapter 12, standard precautions ensure a high level of protection against transmission of infection in the health-care setting, and are the level of infection control required in the treatment and care of all patients to prevent transmission of blood-borne infections.
Chapter 12 outlines the obligations of health-care practitioners infected with HBV who perform exposure-prone procedures.
4. Available from https://ama.com.au/codeofethics
8. An outline of this and other cases is available at http://www.ashm.org.au/HIVLegal/
9. The full list of current exemptions listed under APP 12 is available at http://www.oaic.gov.au/images/documents/privacy/privacy-resources/privacy-fact-sheets/privacy-fact-sheet-17-australian-privacy-principles_2.pdf.
10. The full list can be accessed under APP 6 at: http://www.oaic.gov.au/privacy/privacy-resources/privacy-fact-sheets/other/privacy-fact-sheet-17-australian-privacy-principles with ‘permitted health situations’ explained at: http://www.oaic.gov.au/privacy/applying-privacy-law/app-guidelines/chapter-d-permitted-health-situations and ‘permitted general situations’ explained at: http://www.oaic.gov.au/privacy/applying-privacy-law/app-guidelines/chapter-c-permitted-general-situations