Privacy confidentiality and legal responsibilities

KEY POINTS

In Australia, it is illegal to discriminate against people because they have or are presumed to have any disease, including hepatitis B virus (HBV) infection.
HBV is a notifiable disease in every Australian state and territory, which means that it is mandatory for health-care practitioners to report any confirmed case. Mandatory notification does not legally breach a patient’s right to privacy, although patients should be informed that notification will occur.
Information relating to an individual’s health and health-related treatment is sensitive, and an individual’s right to privacy around this information is protected by state, territory and federal legislation.
The Privacy Act 1988 (Commonwealth) (the Privacy Act) is the primary piece of legislation governing privacy of health information in Australia. Under amendments to the Privacy Act that came into force in March 2014, there are now increased restrictions on the handling of personal information obtained from a third party, and the Privacy Commissioner has greater enforcement powers and increased penalties for privacy breaches.
State and territory governments have also enacted jurisdictional laws and regulations that affect privacy practices. These state and territory instruments may intersect or overlap with the Privacy Act and, as a result, health-care practitioners must make themselves aware of the privacy and confidentiality obligations that relate to their practice within their respective jurisdiction.
Health-care practitioners should only collect health information about a patient with that patient’s informed consent, and should advise the patient of the potential use of that information as part of obtaining informed consent. There should be systems in place for secure storage of physical and electronic records, and all staff should be trained in these systems, and aware of their privacy and confidentiality obligations.
Health-care workers are required to disclose their status if they are carrying out exposure-prone procedures, applying for the defence forces, or applying for relevant types of insurance. They may also be required to disclose to their sexual partners if they are not taking reasonable precautions not to transmit the infection.

The Australian Medical Association Code of Ethics requires medical practitioners to maintain a patient’s confidentiality (1). The Code notes that exceptions to patient confidentiality include ‘where required or authorised by law.’

The protection of health-related information attracts special treatment because of the extremely sensitive nature of personal health information, the impact of breaches of these policies on the affected individuals, and the high rate of health-related complaints to state or territory and Commonwealth privacy offices.

Importance of privacy and confidentiality
It is important to maintain privacy and confidentiality because: patients are concerned about the stigma and discrimination associated with their HBV status and related conditions patients want to know that they can choose who can access their health information patients are far more likely to seek medical care, and give full and honest accounts of their symptoms, if they feel comfortable, respected and secure a health-care system with strong privacy mechanisms will promote public confidence and trust in health-care services generally.
HBV: hepatitis B virus

Importance of privacy and confidentiality

It is important to maintain privacy and confidentiality because:

patients are concerned about the stigma and discrimination associated with their HBV status and related conditions
patients want to know that they can choose who can access their health information
patients are far more likely to seek medical care, and give full and honest accounts of their symptoms, if they feel comfortable, respected and secure
a health-care system with strong privacy mechanisms will promote public confidence and trust in health-care services generally.

HBV: hepatitis B virus

The terms privacy and confidentiality are commonly used interchangeably, but they are not identical concepts in the legal sense. Privacy laws regulate the handling of personal information (including health information) through enforceable privacy principles, whereas confidentiality refers to the legal duty that the health-care practitioner owes to their patients in relation to the protection of their personal health information.

Issues relating to the management of personal information, including health information, are covered by the Privacy Act 1988 (Commonwealth) (the Privacy Act). The Privacy Act applies to all private sector organisations that provide health services or hold health information. A health service can be broadly defined as any activity that involves:

assessing, recording, maintaining or improving a person’s health
diagnosing or treating a person’s illness or disability
dispensing a prescription drug or medicinal preparation by a pharmacist.

Consequently, health services include traditional health-service providers (e.g. private hospitals and day surgeries, medical practitioners, pharmacists and allied health professionals), as well as complementary therapists, gyms, weight loss clinics and many other services.

The Privacy Act generally covers all health-sector employees (e.g. medical practitioners, nurses, administrators, trainers and cleaners) not directly employed by a state or territory government, because they are usually covered by state laws. Further information on who is covered by the Privacy Act is available from the Office of the Australian Information Commissioner (2).

There is no federal legislation that relates specifically to the diagnosis, treatment or contact tracing of patients with HBV (or other notifiable diseases). In the absence of any such federal legislation, each state and territory has developed its own approach to privacy and confidentiality. Some jurisdictions have developed specific, targeted laws and policies, whereas others rely on more generic laws and processes.

The Privacy Act contains 13 Australian Privacy Principles (APPs) (3), which outline minimum privacy standards for handling health information. These APPs are legally binding; hence, all practitioners should familiarise themselves with these principles.

Some APPs outline specific obligations for health-service professionals, whereas others simply mandate that a practitioner ‘take reasonable steps’ to meet the stated obligations. Practitioners should seek legal advice on how the APPs apply to their particular circumstances.

There may be overlapping obligations on health-care practitioners deriving from Commonwealth, state and territory laws and regulations. However, under the Australian Constitution, when a state or territory law is inconsistent with a Commonwealth law, the Commonwealth law prevails. Consequently, all private sector health-service providers are required to comply first and foremost with the provisions of the Privacy Act, and secondly with any additional and non-conflicting state or territory laws.

It is important to understand both state and Commonwealth-based laws. In New South Wales (NSW), for example, state privacy legislation (the Health Records and Information Privacy Act 2002) applies to public sector and private sector health-care providers, and to holders of health records located in NSW. Consequently, private sector health-service providers must comply with two sets of privacy legislation (federal and NSW) that are largely, but not wholly, compatible. The two sets of legislation impose similar obligations on private health-care providers.

Most states now have laws severely restricting the transfer of information in the health sector, and in some states, breaches of confidentiality may amount to a criminal offence. In addition to these intersecting laws, many states also have multiple layers of regulation. To ensure compliance with both federal and local privacy laws, you should contact the relevant privacy regulators listed in Table 13.1 and/or consider seeking legal advice.

Table 13.1 State and territory agencies relevant to privacy laws
State or territory	Relevant agency
Australian Capital Territory	Office of the Australian Information Commissioner 1300 363 992 [email protected]
New South Wales	NSW Information and Privacy Commission 1800 472 679 [email protected]
Northern Territory	Office of the Information Commissioner 1800 005 610 [email protected]
Queensland	Office of the Information Commissioner (07) 3234 7373 [email protected]
South Australia	Privacy Committee of South Australia (08) 8204 8786 p[email protected]
Tasmania	Ombudsman Tasmania 1800 001 170 [email protected]
Victoria	Office of the Victorian Privacy Commissioner 1300 666 444 [email protected]
Western Australia	Although Western Australia’s public sector does not currently have a legislative privacy regime, numerous confidentiality provisions cover government agencies, and some of the privacy principles are covered under the Freedom of Information Act 1992. Depending on the nature of the questions, the Office of the Information Commissioner may be able to provide assistance: 1800 621 244 [email protected]

There are a number of broad privacy-related issues that face general practitioners and other primary health-care providers. These issues, discussed below, include collecting information, ensuring that consent is informed, advising use, notification, accessing personal records, security and storage of health information, and information for teams.

Collecting information

General practitioners should only collect health information about patients with the patients’ informed consent. It can be reasonable to imply informed consent where the information in question is noted from details provided by the patient during a consultation, and where it can be demonstrated that the patient understands what information is being recorded and how the information will be used. Record keeping must be thorough and accurate. This will ensure the best possible ongoing treatment for a patient and, in the worst-case scenario, can be used to support the practitioner should a patient attempt to make a case against a treating doctor for breach of privacy or confidentiality.

Ensuring consent is informed

All medical procedures require informed consent. Practitioners need to appreciate the potential consequences and impact of an HBV diagnosis on a patient; although running tests and delivering diagnosis may be standard for the health-care practitioner, receiving the results may be anything but routine for the patient. The provision of information both before the test and with the delivery of test results should allow the health-care practitioner to discuss the risks and benefits to the patient in that person’s particular situation, thereby facilitating the patient’s decision-making process.

When offering a test to patients with low proficiency in English, an accredited interpreter should be used to ensure that the patient understands what they are being offered and has the opportunity to ask questions. The Translating and Interpreting Service is available 24 hours, 7 days a week on the Doctors Priority Line on 1300 131 450. Telephone interpreting is usually well accepted because it allows patients to maintain anonymity.

Advising of use

Patients can only provide informed consent about the use of their health information if they are clear about where the information will go and why. Therefore, patients should be advised of the intended use of their information when it is collected. This point also relates to instances when personal information cannot be shared or disclosed. For example, in a 2003 NSW case (PD), a doctor failed to inform two patients attending a joint consultation that the results of each person’s tests could not be disclosed to the other person. The doctor consequently failed to ensure that both patients understood this situation, and also did not seek their informed consent to share the individual test results with the other patient. One patient tested positive for HIV and later infected the other patient, who had believed the clinic would make her aware if either of them tested positive for human immunodeficiency virus (HIV). The Court found that the doctors had breached their duty of care and awarded substantial financial damages to the aggrieved patient. An outline of this and other cases is available at https://hivlegal.ashm.org.au/.

Notification

There is no absolute right to privacy under Australian or international law. The Privacy Act provides exceptions to privacy protections where the use or disclosure is required by law, generally in order to protect the public from the spread of infectious diseases. In developing Australian privacy laws, the right to individual privacy has been weighed against the rights of the public and against matters that benefit society as a whole.

HBV is a notifiable disease in all Australian states and territories. Legal obligations informing notification are mandated by state laws, which define a doctor’s duty to notify the respective health department of a notifiable disease.

Accessing personal records

Patients are entitled to access their health records, except for a limited number of exceptions outlined under APP 12 (3). These exceptions include where the request for access is frivolous or vexatious, or where providing access would be likely to prejudice an investigation of possible unlawful activity.

Individuals contacted through the process of notification, also known as contact tracing, either as an index case (original person identified with an infection) or a subsequent contact, are not entitled to any information relating to their contact’s identity, behaviour or diagnosis without that person’s consent, even if that information is in the patient’s records. Should a patient wish to access their own record, details of the identity of any contacts contained in their record should be redacted.

Security and storage of health information

A range of laws apply to the storage of health information. In summary, organisations that provide a health service or hold health information must have:

procedures that ensure that only authorised individuals have access to patient health information
security measures to prevent unauthorised access to the records
where practicable, procedures for storing the information so that patient identity is not readily apparent from the face of the record (e.g. by the use of identification codes)
procedures for destroying the records that protect the privacy of the information, in cases where the record is not to be retained.

Electronic records pose different challenges. Although they offer greater convenience of data retrieval and transfer, they also create greater risks of data leakage, access or browsing by unauthorised staff and hacking. Agencies and businesses, including medical practices, need to consider the security of their data storage and transfer systems, and the problem of staff intentionally or inadvertently accessing prohibited electronic records. This issue is currently being tackled by the Commonwealth and a number of states through the development of electronic health records systems.

Sharing information in teams

Multidisciplinary treating teams are common practice in Australian health care. Health-care practitioners work together and share necessary information to deliver optimum health care. All transfers of information without the informed consent of the patient require careful ethical consideration.

Although the question has not yet been legally tested, private sector health-service providers may not always require a patient’s consent to disclose specific health information to another member of a multidisciplinary team for a health-care purpose where the patient would reasonably expect that disclosure. Because this has not been legally tested, it is still advisable to directly obtain patient consent about how their information will be handled, to avoid relying on implied consent.

Doctors in group practices should formulate clear internal communication protocols in order to exercise reasonable care (e.g. when communicating test results or considering contact tracing issues). The cross-referencing of files per se will generally not breach statutory confidentiality because results need to be checked; however, information should not be disclosed without explicit patient permission. All staff must be aware of their obligations, and systems must be in place for protecting patient privacy.

When information can be used or disclosed

Health information is considered sensitive information under the Privacy Act, and so greater protections apply to that information than to general personal information. Use and disclosure of health information is defined in the Privacy Act under APP6, which states that an organisation must not use or disclose personal information about an individual for a purpose other than the primary purpose of collection except for a number of limited circumstances. Such circumstances include the following:

where the person would reasonably expect the information to be disclosed for a secondary purpose. If the information is health information and so considered sensitive, any disclosure must be directly related to the primary purpose of collection. If the information is not health information and therefore not considered as sensitive, any disclosure must still be related to the primary purpose.
to lessen or prevent a serious threat to the life, health or safety of an individual, or to public health or safety, where it is unreasonable or impractical to gain consent.
to take appropriate action in relation to suspected unlawful activity or serious misconduct.
where to do so is reasonably necessary for establishing, exercising or defending existing or anticipated legal proceedings in a court or tribunal, or for alternative dispute resolution
to locate a person reported as missing.
where to do so is necessary to prevent a serious threat to the life, health or safety of a genetic relative (special conditions apply).

Disclosure of health information to a responsible person is also allowed when the person is physically or legally incapable of consent and:

the disclosure is necessary to provide appropriate care or treatment of the individual or for compassionate reasons; and
the disclosure is not contrary to any wish expressed by the individual before he or she became unable to give consent of which the carer is aware, or could reasonably be expected to be aware; and
the disclosure is limited to the extent reasonable and necessary to provide appropriate care or treatment of the individual, or to fulfil the purpose of making a disclosure for compassionate reasons.

There are a number of specific exemptions to APP 6 allowing disclosure of private health information (3).

In summary, health-care workers must not disclose a person’s health information except in a limited number of circumstances. These may generally be summarised as:

communicating necessary information to others directly involved in the treatment of a patient during a particular episode of care
cases of needle-stick injury where a professional is aware of a patient’s HBV-positive status and a health-care worker has been exposed in circumstances where there is a real risk of transmission and it is not possible to conceal the identity of the source patient who has refused to consent to disclosure
provision of medical services in a particular instance of care where there is a need to know the infection status for treatment purposes of benefit to the patient (e.g. in an emergency or if the patient is unconscious); this should not, however, detract from the observance of standard infection control precautions.

It is strongly recommended that practitioners familiarise themselves with the APPs and contact the Office of the Australian Information Commissioner or obtain legal advice if they wish to clarify the manner in which the APPs might relate to specific situations.

When are patients legally required to disclose their status?

Health-care practitioners should refer patients to seek independent legal advice if the patients have particular concerns about their disclosure obligations and the possible risks associated with failure to disclose in certain situations. However, practitioners should be aware of general rules around disclosure and communicate this information to patients.

Laws around disclosure are based on the idea that individuals should not intentionally or negligently harm others, and that individuals have a right to be warned of a possible risk of transmission where there is a real danger of that risk. Therefore, disclosure is only mandatory where there is no other way to avoid the risk of transmission; generally, disclosure is only required in a few discrete circumstances. In particular, patients will need to know their responsibilities around employment, insurance and sexual partners.

Patients are not legally obligated to disclose their status to sexual partners where they are taking reasonable precautions against transmission; such precautions may include the use of condoms and lubricants, and having an undetectable viral load. It is important to note that the courts in Australia have not articulated what constitutes reasonable precautions. Patients are legally obligated to disclose their status to their partner or partners before engaging in unprotected sexual activity, including vaginal, oral or anal intercourse. There have been no cases of criminal prosecution for the transmission of HBV. However, the intentional transmission of HBV might attract criminal penalties where the court finds that the individual who transmitted the virus had the necessary intention and that the impact of transmission is sufficiently detrimental to the individual who now has the disease.

Circumstances requiring disclosure of status
It is mandatory for patients to disclose their status in a few exceptional circumstances: Health-care workers engaging in exposure-prone procedures are required to disclose to employers or potential employers. This particularly applies to surgery, trauma care and some orthopaedics (4). Applicants or serving individuals in the Australian Defence Force (ADF) are required to disclose their status. The ADF is exempt from federal anti-discrimination legislation, and can test applicants and serving individuals, and remove them from service if they are found to have a blood-borne virus. Insurance companies require disclosure where the type of insurance being applied for is relevant to the health condition (e.g. life, disability or income protection). If a patient fails to disclose their status where relevant, the insurance company may not have to pay out on any claim that is made.

Circumstances requiring disclosure of status

It is mandatory for patients to disclose their status in a few exceptional circumstances:

Health-care workers engaging in exposure-prone procedures are required to disclose to employers or potential employers. This particularly applies to surgery, trauma care and some orthopaedics (4).
Applicants or serving individuals in the Australian Defence Force (ADF) are required to disclose their status. The ADF is exempt from federal anti-discrimination legislation, and can test applicants and serving individuals, and remove them from service if they are found to have a blood-borne virus.
Insurance companies require disclosure where the type of insurance being applied for is relevant to the health condition (e.g. life, disability or income protection). If a patient fails to disclose their status where relevant, the insurance company may not have to pay out on any claim that is made.

The practice of contact tracing raises potential conflicts between breaching a patient’s privacy and confidentiality, and alerting a third party to the fact that they may be at risk of HBV infection or have contracted the disease. Health practitioners’ obligations have not yet been legally tested on this point, but it is possible that a practitioner could be found negligent for failing to inform a third party that they may be at risk of, or may have contracted, HBV. Fortunately, public health services afford practitioners expert guidance to resolve the potential conflict between the duties to maintain confidentiality and privacy, with the possible duty of care owed to third parties. In instances where practitioners suspect a person may be putting others at risk, the practitioner should notify the health department, using the methods prescribed in the relevant state or territory. Public health authorities then become responsible for making decisions around contact tracing, including management of privacy issues.

There are two types of criminal offences associated with HBV and other blood-borne viruses. The first relates to disclosure of information regarding a person who has or is suspected of having HBV or other blood-borne virus infection, as discussed above. There are also general criminal laws in every state and territory that arguably could be used if a court considered the harms associated with HBV transmission sufficiently serious, and determined that the individual who transmitted the infection had the sufficient knowledge of and intent to transmit. There have been no criminal prosecutions for HBV transmission within Australia, but there have been several successful prosecutions for the transmission of HIV. There have been prosecutions for transmission of hepatitis B in other countries with similar legal systems, such as the United Kingdom.

Anti-discrimination laws operate in all Australian states and territories, and prohibit the discrimination of individuals on the basis of their actual or perceived HBV status. Discrimination based on disease status is legislatively prohibited under disability or impairment. It is important that health-care practitioners avoid behaviours that are or could be perceived as discriminatory by a patient when testing and managing people with HBV. Such behaviours could include refusing to see a patient, offering different or inappropriate treatment, or placing a patient last on a consultation or operating list. Standard precautions ensure a high level of protection against transmission of infection in the health-care setting, and are the level of infection control required in the treatment and care of all patients to prevent transmission of blood-borne infections (see: Infection control and occupational health).

For anyone who has experienced discrimination because of their HBV status in relation to employment, education or receipt of health care, practitioners should provide referrals to hepatitis support organisations and legal-complaints services.

Table 13.2 State and territory hepatitis support organisations
State or Territory	Relevant agency
Australian Capital Territory	Hepatitis ACT 6230 6344 [email protected] www.hepatitisact.com.au
New South Wales	Hepatitis NSW (02) 9332 1853 [email protected] www.hep.org.au
Northern Territory	Northern Territory AIDS and Hepatitis C Council (08) 8944 7777 [email protected] www.ntahc.org.au
Queensland	Hepatitis Queensland (07) 3846 0020 [email protected] www.hepqld.asn.au
South Australia	Hepatitis SA (08) 8362 8443 [email protected] www.hepatitissa.asn.au
Tasmania	Tasmanian Council on AIDS, Hepatitis & Related Diseases (03) 6234 1242 [email protected] https://www.tascahrd.org.au/
Victoria	LiverWELL (03) 9274 9796 [email protected] https://liverwell.org.au/
Western Australia	Hepatitis WA (08) 9328 8538 [email protected] www.hepatitiswa.com.au

HIV AIDS Legal Centre (HALC) also represent people with hepatitis:
02 9206 2060
www.halc.org.au

Health complaints commissions in Australia and New Zealand https://www.hccc.nsw.gov.au/

This chapter does not constitute legal advice. Instead, it references (and in some cases summarises) key Federal and state laws and policies related to privacy, confidentiality and duty of care, and summarises relevant jurisprudence. Practitioners faced with uncertainty in this area are strongly advised to seek legal advice, or to contact their local health department or applicable privacy office. This chapter has been adapted from the Australasian contact tracing manual (5).

Australian Medical Association (AMA). AMA Code of Ethics. 2004. Editorially revised 2006. Revised 2016. Available at: https://ama.com.au/position-statement/code-ethics-2004-editorially-revised-2006-revised-2016 (last accessed 4 July 2018).
Australian Government. Office of the Australian Information Commissioner. Rights and responsibilities. Who has rights under the Privacy Act? [internet]. Available at: https://www.oaic.gov.au/privacy/the-privacy-act/rights-and-responsibilities (last accessed 4 July 2018).
Australian Government. Office of the Australian Information Commissioner. Australian Privacy Principles. (as at 2 March 2018) [internet]. Available at: https://www.oaic.gov.au/agencies-and-organisations/app-guidelines/ (last accessed 4 July 2018).
Communicable Diseases Network Australia (CDNA). Australian national guidelines for the management of health care workers known to be infected with blood-borne viruses. 28 February 2012. Available at: http://www.health.gov.au/internet/main/publishing.nsf/content/cda-cdna-bloodborne.htm#BBVs (last accessed 4 July 2018).
Australasian Society for HIV Medicine (ASHM). Australasian Contact Tracing Manual [internet]. Available at: http://contacttracing.ashm.org.au (last accessed 4 July 2018).

Previous chapter