4. Privacy and confidentiality of patient information
Learning objectives
• understanding the legal and professional obligation of confidentiality in relation to patient and client information
• identifying the legal and professional consequences when the obligation to keep information confidential is breached
• identifying the professional codes of ethics and conduct that protect patient and client confidentiality
• describing the practical effect of exceptions to the obligation of client confidentiality
• locating and understanding the Privacy Act (Cth) and/or National Privacy Principles (NPPs) and/or Information Privacy Principles (IPPs) and legislation relevant to the state or territory in which you will practise medicine
• discussing legislation that facilitates access to information contained in patient and client health records.
Introduction
The nature of medical practice, whether conducted in the private or public sectors, whether provided by a general practitioner practising alone in a rural area, or by medical practitioners working as members of an institutional healthcare team, will almost always include access to patient and client information. This access, to patient and client private and confidential information, is based on the therapeutic relationship which exists between a medical practitioner and their patient or client. Indeed, it is a combination of the legal, professional and ethical obligations imposed on medical practitioners to keep the patient’s and client’s information confidential — and the patient’s and client’s perception that such information will be kept confidential — that underpins the therapeutic relationship. That is, a medical practitioner needs the patient or client to disclose all their relevant health information to be able to make informed decisions regarding which medical treatment options may be most suitable and appropriate. The patient is only likely to disclose such information, however, if it is understood that their information will be kept confidential and used only for the purpose of clinical decision-making. It is therefore important that medical practitioners have an understanding of the legal, professional and ethical obligations that maintain the confidentiality of patient information and the mechanisms by which privacy of, and access to, patient information is secured.
Various situations in medical practice require the medical practitioner to follow and adhere to the strict provisions of privacy and confidentiality legislation, policies and guidelines. The Good Medical Practice: Code of Conduct for Doctors in Australia1 and the Australian Medical Association (AMA) Code of Ethics2 both expressly refer to the obligation and responsibility of a medical practitioner to keep patient information confidential. Flowing from the application of legislation, policies, guidelines and codes are the principles laid down in case law which have direct application to the day-to-day practice of any medical practitioner involved in the care and treatment of their patients and clients.
Skene3 notes that privacy and confidentiality are different issues in that privacy is focused on the collection of information, whereas confidentiality is focused on communication of that information. Although the duties imposed on a medical practitioner in relation to these two issues differ conceptually, they are complementary to one another in their application and there is a considerable overlap within a healthcare context.
The Obligation to Keep Information Confidential
The modern-day notion of confidentiality, within the context of healthcare delivery by any health professional, originates in the provisions of the Hippocratic Oath. Under this oath a medical practitioner agreed to be bound by the ethical obligation to ensure:
All that may come to my knowledge in the exercise of my profession or outside of my profession or in daily commerce with men, which ought not be spread abroad, I will keep secret and never reveal. 4
The confidentiality of patient and client information is therefore one of the fundamental presumptions founding the relationship between medical practitioners and their patients or clients. Indeed, medical practice takes place in an environment in which the client expects their information will be kept confidential and the medical practitioner appreciates and respects the obligations imposed by that expectation. As stated in the case of Seager v Copydex:5
[A person who] has received information in confidence shall not take unfair advantage of it. He must not make use of it to the prejudice of he who gave it without obtaining consent.
It could be argued that for any medical practitioner to provide optimum care to a patient or client they must have full and frank disclosure of all relevant information by that individual. In the case of X v Y, involving a medical practitioner, the court observed:
If people felt that there was any chance of information given to their doctor, or the doctor’s diagnosis, being passed on, people would be reluctant to seek advice and the disease would go underground. Confidentiality must be absolute or almost absolute … In the long run, preservation of confidentiality is the only way of securing public health; otherwise doctors will be discredited as a source of education, for future individual patients will not come forward if doctors are going to squeal on them. Consequently, confidentiality is vital to secure public as well as private health, for unless those infected come forward they cannot be counselled and self-treatment does not provide the best care. 6
The obligation to keep information confidential has both a legal and ethical basis and includes information such as the patient’s current and previous medical details, family history, social and financial circumstances and any facts in relation to the patient’s or client’s current or previous treatment or medication history. In fact, the disclosure by a medical practitioner of information such as the fact that the person attended a hospital or a GP may constitute a breach of the duty of confidentiality.
Professional and ethical obligations
Professional codes of conduct and ethics protect the rights of patients and clients to have their information kept confidential. The Good Medical Practice: A Code of Conduct for Doctors in Australia7 expressly recognises the obligation imposed upon medical practitioners to keep patient information confidential. Principle 3 of the Code, ‘Working with patients’ states at 3.2 under ‘Doctor–patient partnership’:
A good doctor–patient partnership requires high standards of professional conduct. This involves …
3.2.3 Protecting patients’ privacy and rights to confidentiality, unless release of information is required by law or by public interest considerations.
And under 3.4 ‘Privacy and Confidentiality’:
Patients have a right to expect that doctors and their staff will hold all information about them in confidence, unless release of information is required by law or public interest considerations. Good medical practice involves:
3.4.1 Treating information about patients as confidential.
3.4.2 Appropriately sharing information about patients for their healthcare, consistent with privacy law and professional guidelines about confidentiality.
3.4.3 Being aware that there are complex issues related to genetic information and seeking appropriate advice about disclosure of such information.
Consistent with these provisions, the AMA Code of Ethics states under the section ‘The Doctor and the patient’ at 1.1 ‘Patient care’:
that the medical practitioner is to –
l. Maintain … patient’s confidentiality. Exceptions to this must be taken seriously — may include where there is a serious risk to the patient or another person, where required by law, where part of approved research or where there are overwhelming societal interests.
The professional codes of conduct and ethics therefore impose clear obligations on members of the medical profession to respect the confidentiality of information acquired in the course of professional practice relating to their patients. Such information must not be disclosed to anyone without the consent of the patient or client. Exceptions may arise where the health of the client or others is at risk, where information is sought under legislation or common law, where a court order requires the release of confidential information, or the information is released to those assuming legal responsibility for the patient; for example, when a patient loses capacity and requires a substitute decision-maker for the purpose of healthcare decisions (refer to Chapter 6, consent).
Statutory obligations
Legislation exists at state, territory and federal levels directed specifically to the maintenance of confidentiality in relation to patient and client information. The legislation generally provides that patients and clients of healthcare services have a legally based expectation that the health services are being provided in a way that respects their right to the confidentiality of their information. That is, there is a legislatively imposed obligation on all health professionals (and others who come into contact with the patient’s information as part of their work in the delivery of healthcare services) to protect the patient’s information from disclosure, unauthorised access and/or use. The legislation can be divided into two categories: first, that which protects the identity of the patient; 8 and second, that which protects information about the patient’s medical condition. 9 In legislation protecting the confidentiality of patient information, health professionals, often referred to as the ‘designated person’ or ‘relevant person’, must not disclose patient information either directly or indirectly to others and there is usually a statutory penalty in circumstances in which information is disclosed inappropriately. As an example, the Queensland Health Services Act 1991, ss 60–62, imposes on public health sector employees a duty of confidentiality and a penalty for breach of that statutory duty. Section 62A states:
Confidentiality
(1) A designated person, or former designated person must not disclose to another person, whether directly or indirectly, any information (confidential information) acquired because of being a designated person if a person who is receiving or has received a public sector health service could be identified from the confidential information.
Maximum penalty — 50 penalty units.
Common law obligations
In addition to the legislative obligations there are obligations imposed on medical practitioners to keep patient information confidential which are imposed and maintained through the various common law decisions. The following is an overview of the legal basis upon which a client may initiate an action at common law in circumstances in which they consider there has been a breach of this obligation.
Negligence
The duty to keep information confidential is part of the duty of care owed by a medical practitioner to their clients. In circumstances in which this duty is breached through the medical practitioner divulging patient information, the medical practitioner may be sued in negligence for the damage caused by the breach. 10 In the case of Furniss v Fitchett11 the medical practitioner disclosed the medical information about his patient to the patient’s husband. The husband then used that information in legal proceedings. In this case Barrowclough CJ stated: 12
[A] doctor’s duty to care for his patients includes a duty not to give a third party a certificate as to his patient’s condition, if he can reasonably foresee that the certificate might come to the patient’s knowledge, and if he can reasonably foresee that that would be likely to cause his patient physical harm.
The decision suggests that where a medical practitioner causes injury, by carelessly revealing confidential information about the condition of the patient, it would amount to a breach of the duty of care. The duty however is not only ‘to avoid telling unauthorised persons things that are confidential. It also covers taking proper precautions to ensure that confidential information does not fall into the wrong hands’. 13
Contract
It is an implied term of a contract involving the provision of healthcare that all information disclosed in relation to that care will be kept confidential. In the public sector there are no contracts between individual health professionals such as medical practitioners and their patients and clients. Contracts in this context are most frequently between the healthcare institution and the government under the Medicare arrangements. However, in the private sector, where the patient receives a service for the fee paid directly to the medical practitioner, a contract will exist which may provide the ground for an action in breach of contract where a client’s information is inappropriately disclosed.
Defamation