Privacy, Confidentiality and Health Information

Charles Hartley

Solicitor, Head Legal Services, Metro North Hospital and Health Service

Charles Hartley Copyright. All rights reserved

Privacy v Confidentiality

• Overlap but different

• Confidentiality arises from doctor/patient relationship (a “fiduciary relationship”). Can exist at common law (case law) but often enshrined in statute eg part 7 Hospital and Health Boards Act 2011

• Privacy is more general; does not require a specific relationship and is usually statute based eg Information Privacy Act (Qld), Article 8.1 Human Rights Act (UK) “Right to a private life”. In Australia (unlike most common law jurisdictions) a right of privacy in tort is developing: Grosse v Purvis 2003 (District Court decision); and Doe v ABC (appealed but settled)

Confidentiality

• Exists at common law

• Hunter v Mann [1974] QB 767 – a doctor “is under a duty not to [voluntarily] disclose, without the consent of the patient, information which he, the doctor, has gained in his professional capacity”.

• Applies to hospitals (private and public)

• Applies to employment

• Set out in Part 7 Hospital and Health Boards Act 2011

Some cases regarding confidentiality

Mid-City Skin Cancer & Laser Centre v Zahedi-Anarak [2006] NSWSC

Dr Z, skin cancer specialist, worked at the Sydney Skin Cancer Clinic (the Clinic). Practice owned by Dr K.

Dr Z worked independently and received remuneration equal to 50% of Medicare benefits received by the Clinic for the patients he treated. By end of 2001 Dr Z earned nearly 73% of fees generated.

Dr Z retained copies of patient booking sheets with their personal information including contact details.

Dr K sold the Clinic. Contract included stock, assets and goodwill. Dr Z could not agree terms of employment with new owner. Joined another local practice and contacted 479 patients, 176 of whom came to Dr Z’s new practice.

New owner sued for breach of duty of confidence and/or breach of sale contract by Dr K’s company.

Mid-City Skin Cancer & Laser Centre v Zahedi-Anarak [2006] NSWSC (cont.)

Court held:

Dr Z owed a duty of confidence not to use confidential information he encountered in the course of his employment for a purpose other than for treating the patients at the Clinic. Patients were patients of the Clinic not Dr Z.

Dr Z’s duty of confidence was an asset of the Clinic.

(No damages awarded because new owner could not show loss because with pre-existing patients the Clinic was working to capacity. Also, the new owner as assignee could only sue for the loss sustained by the previous owner. Therefore no loss.)

Furniss v Fitchett 1958 NZLR 396

Dr Fitchett provided a report to Mr Furniss about the mental condition of his wife, Mrs Furniss, without her consent. The report was later produced in separation proceedings much to the shock of Mrs Furniss who then sued for nervous shock.

Court held that Dr Fitchett owed Mrs Furniss a duty of confidentiality which he had breached. It was foreseeable that this would cause her shock and awarded damages.

Part 7 Hospital and Health Boards Act 2011 (HHBA)

• S139 - Confidential information means information, acquired by a person in the person’s capacity as a designated person, from which a person who is receiving or has received a public health sector service could be identified. An example of a designated person is a health professional or a public service employee, i.e. not just doctors and nurses

• Basic rule s142 – Cannot disclose confidential information even after death

• This is the default position. If in doubt do not disclose.

Exceptions to duty of confidentiality

• There are several exceptions permitting disclosure, notable exceptions include:

• The disclosure is required or permitted under the Act or by law. (eg subpoenas, warrants, Public Health Act etc)

• The person who the confidential information is in relation to has given their consent to the disclosure of their information.

Common exceptions continued

• Information is for care or treatment of the patient

• The information is disclosed to a person who has sufficient interest in the health and welfare of a patient e.g. a spouse, parent or child of the patient. (Cannot disclose if patient objects)

• The disclosure of the information would lessen or prevent a serious risk to life, health or safety of a person or individuals. (s147)

• To protect the safety or wellbeing of a child

• Public interest (s160 - CE only can authorise disclosure)

Other exceptions under Part 7 HHBA

• Funding arrangements and health monitoring

• Purposes relating to evaluating, managing, monitoring or planning health services

• Disclosure to another State or Commonwealth entity under an agreement (MOUs)

• Disclosure to or by an Inspector under HHBA

• Disclosure to or by the Chief Executive

• Disclosure to the health practitioner registration board

• Health Ombudsman

• A person performing actions under the Coroners Act

• Disclosure to lawyers representing the State or the Service

Important recent amendment to Part 7 HHBA!

s 161A HHBA

The chief executive may authorise an external service provider, or a person engaged by the external service provider, to access an information system.

The chief executive may authorise the access only if satisfied the access is necessary to enable the external service provider to provide a health service under an agreement between the chief executive or a Service and the service provider.

Authorisation must be in writing and must describe the information system to which the authorisation relates.

Privacy Legislation

• Privacy Act 1988 (Cwlth)

• 10 National Privacy Principles (now updated to Australian Privacy Principles)

• Information Privacy Act 2009 (Qld)

• Information Privacy Principles set out in Schedule 3

• 9 NPPs set out in Schedule 4 and apply to public health services (s31) (Transborder data flow criteria not included – dealt with in s33). These have not been updated in line with the Australian Privacy Principles.

Information Privacy Act 2009

s12 Meaning of personal information

Personal information is information or an opinion, including information or an opinion forming part of a database, whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.

(note the difference to definition of confidential information in HHBA)

Information Privacy Act 2009

Sensitive information

Sensitive information includes certain health information about an individual and information about sensitive subjects such as an individual's political opinions, religion, sexual preferences or criminal record.

NPP 1 - Collection of personal information

A health agency must not collect personal information unless it is necessary for 1 or more of its functions.

Information must be collected by “lawful and fair means” and not in an “unreasonably intrusive way”.

When collecting personal information from an individual, a health agency must take reasonable steps to ensure the individual is aware of:

• Identity and contact details of health agency

• Fact individual can gain access to information

• Purpose for which information has been collected

• Types of entities to which health agency usually discloses this kind of information

• Any law requiring particular information to be collected

• Main consequences for individual if information is not provided

NPP 2 - Limits on use or disclosure of personal information

A health agency cannot use personal information for a purpose other than the primary purpose of collection unless:

(there are several exceptions)

Use of information for secondary purpose

• Secondary purpose is related to primary purpose (directly related if personal information is sensitive information) and the individual would reasonably expect the agency to use or disclose the information for the secondary purpose eg sending personal details to an external pathology or radiology service

• Individual has consented to the use and disclosure

Use of information for secondary purpose

• Personal information is health information and use/disclosure is necessary for research or statistical analysis relevant to public health or safety AND

• It is impracticable to seek individual’s consent AND

• Use/disclosure in accordance with guidelines approved by the chief executive AND

• Health agency reasonably believes receiving entity will not disclose the information

Use of information for secondary purpose

• Lessen or prevent a serious threat to an individual’s life, health, safety or welfare or a serious threat to public health, safety or welfare

• To report or to assist with the investigation of unlawful activity that has been or may be engaged in

• Use or disclosure authorised or required by law

• To assist an enforcement body with prevention, detection, investigation, prosecution or punishment of criminal offences; protection of public revenue; and confiscation of proceeds of crime

Use of information for secondary purpose

• To a responsible person to assist with care of the individual providing the individual cannot consent or communicate consent

• Health agency’s marketing to the individual providing personal information is not sensitive information and it is impracticable to seek the individual’s consent

NPP 3 – Data Quality

• A health agency must take reasonable steps to ensure that the personal information it collects, uses or discloses is accurate, complete and up to date. (Linked to NPP 7)

NPP4 – Data Security

• A health agency must take reasonable steps to protect the personal information it holds from misuse, loss and unauthorised access, modification or disclosure.

• If personal information is no longer needed for any purpose under NPP 2, then the health agency must take reasonable steps to ensure the individual cannot be identified

NPP 5 - Openness

• A health agency must have available policies on its management of personal information and must make the document available to anyone who asks for it

NPP 6 – Access to documents containing personal information

• If a health agency has control of a document containing personal information, it must give the subject individual access to the document if the individual asks for access EXCEPT

• Where the health agency is authorised or required to refuse access OR

• The document is expressly excluded from the operation of an access law

NPP 7 – Amendment of documents containing personal information

• A health agency with control of a document containing personal information must take all reasonable steps, including by the making of appropriate amendment, to ensure personal information is accurate and not misleading

• Does not mean records should be amended to suit the individual!

• Requests for amendment should be attached to the record

NPP 8 - Anonymity

• Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering into transactions with a health agency.

NPP 9 – Sensitive information

• Health agencies must not collect sensitive information about an individual except in certain circumstances, such as where the individual has consented, the collection is required by law, the collection is necessary to prevent a serious threat to life; information is relevant family history and collected from relative or guardian; collection is necessary for exercise or defence of claim.

• Does not apply where information is still health information reasonably expected to be collected for intended purpose or is relevant to public health and safety AND does not identify individual AND impracticable for health agency to obtain consent.

Transfer of information overseas

• S33 IPA

• Can transfer outside of Australia only if:

• Individual agrees to transfer; or

• Transfer authorised or required by law; or

• Transfer necessary to lessen or prevent serious threat to life, health or welfare of an individual or to public health and safety; or …

Transfer of information overseas

• 2 or more of the following apply:

• Health agency reasonably believes recipient of personal information is subject to a law or binding scheme that upholds fair handling of personal information

• Transfer is necessary for performance of the agency’s functions

• Not practicable to seek consent of the individual who would likely agree

• Health agency has taken reasonable steps to make sure information it transfers will not be held, used or disclosed by recipient in a way inconsistent with IPPs or NPPs

Before transferring everything to iCloud…

• Queensland Government Enterprise Architecture

• Health Directive No.15

• Purpose of this Health Service Directive is to specify information, communications and technology applications and services in order to benefit from and preserve the integrity of the QH information network

• Sets out standards for maintaining security and privacy

Breaches of Privacy and Confidentiality

• Under Part 7 HHBA unauthorised disclosure of confidential information will incur a fine of up to 100 penalty units – currently $12,150

• Civil claim for breach of confidentiality in equity (and possibly privacy under common law)

• Complaint to Health Ombudsman – referral to AHPRA – fine – public censure – registration affected

• Complaint to Information Commissioner

• Compensation of up to $100,000 can be ordered by QCAT

• HR disciplinary action/internal investigation

• Fine of up to $12,150 for gaining unlawful access to information

• Obligations set out in NPPs and IPPs do not confer a civil right of action

Photographs and video footage

• Sections 227A & B Criminal Code

• Offence to take “visual recording” (video or photographs) of someone without their consent in a place where they would normally expect privacy eg treatment area.

• Offence to publish or broadcast such visual recording without consent.

• Beware mobile telephones and the internet!

• Keep images with the records or at least cross reference with the records.

• Why are the images being taken?

Privacy and confidentiality within health services and hospitals

• Need to know basis

• Just because a particular hospital or hospital and health service is the legal entity responsible for maintaining privacy or patient confidentiality does not mean everyone employed or engaged by the entity has a right to know

• Most record systems, electronic, paper or otherwise, identify and track who has had access to a set of records

Complaints for breach of privacy

• Use internal complaints process

• Office of the Information Commissioner

• Can refer to Health Ombudsman or the Ombudsman

• Mediate – certified agreement enforceable in QCAT

• Refer to Queensland Civil and Administrative Tribunal if Information Commissioner cannot or is unlikely to be able to resolve

• QCAT can award up to $100,000 in compensation as well as order the Respondent to make an apology, make amendments or take action to compensate or make amends. Can also order payment of costs.

Important points to bear in mind

• What is the information? Is it personal, confidential or sensitive information?

• Has it been properly obtained?

• What is relevant?

• Is it accurate?

• Is it secure?

• Obligation to disclose v right to disclose

• Should I be accessing this?

• Patient safety issues?

• Public safety issues?

• Do not act alone!

Case Scenarios

Scenario A

Dr Peter Dogood is a psychiatry registrar at a large hospital. Whilst making himself a coffee on the night shift he comes across a top of the range 256Gb SupaCell data stick which has fallen down the side of the kitchen work surface. It has a small label stating “HIV study patients 2008”. He quickly looks at it on his laptop. It contains the names, addresses and contact details of 100 patients along with summaries of their medical histories, religion and HIV status. Peter thinks they may have been part of a well known study run by Prof. A Bustard, an eminent HIV clinician who made Peter’s life hell going through medical school.

Peter’s suspicions appear to be confirmed when he notices that one of the patients listed is Rupert Lisp, a well known writer and bon vivant who has been openly gay for years and has publicly discussed his HIV+ status.

He cannot believe it when he sees the name of Buck Bullstrode, a vociferously homophobic politician whose wife Gertrude heads the national movement “Christian Women against Abortion”. Peter pulls out Buck Bullstrode’s medical records and notices that his sexual partner is none other than the Honourable Hank Buckle, the Minister for Bureaucratic Efficiency who is also aggressively homophobic.

Peter also recognises the name of one of his school mates, Geoff Blue, on the list. “So that is why he has been down for all these years” Peter thinks to himself.

Peter pauses for a moment and then has a cunning plan…

1. Peter has always wanted to do a groundbreaking research project to raise his profile as it’s a competitive world out there for psychiatry registrars. This is the perfect opportunity. The study can be on the psychiatric effect of living with HIV with maybe a sub-cohort of patients who are not openly gay and are homophobic. He will work out the study title later once he has analysed the data. There is no need for him to obtain research approval as this must have been done by Prof Bustard for his study.

2. He passes on Geoff Blue’s information and contact details to an HIV support group for gay people. In fact he pretends he is Geoff and applies online for assistance. Geoff is angry at the intrusion because as far as he is aware he is not HIV+, is heterosexual and only went to the hospital once when he broke his arm.

3. He downloads all the data from the SupaCell data stick to his cheap online data storage facility for his research.

4. He sells the SupaCell data stick for $200 to another college friend, Julian Lozenge, who is an IT whizz and runs “Stickyleaks”, an organisation which supports freedom of information.

5. He also downloads the data onto a cheap stick and sends it anonymously to the hospital Chief Executive with a note stating that Prof Bustard left it lying around in the kitchen.

6. Finally, using an alias he tries to sell extracts to the local paper relating to Buck Bullstrode and Hank Buckle. They are not interested. Stickyleaks has just published them on the internet.

Scenario B

Alf Ticker has been having chest pains and is referred to his local hospital where he is seen by a Consultant Cardiologist, Dr Earnest Endeavour (Dr E), and his new registrar, Dr Evan Keane (Dr K). Dr E carries out a routine examination and asks Dr Keane to take “the usual pathology”. Dr K is not quite sure what Dr E meant by this and orders full blood, immunology and toxicology tests.

The full results are sent to Dr E who cannot believe what Dr K has done. He “counsels” Dr K about how the patient could not possibly have given informed consent for all these tests, the majority of which are irrelevant and have “cost the taxpayer a small fortune”. Detesting irrelevant paperwork he throws away the results of the superfluous tests and keeps those he wanted in the first place. “Records should be Concise! Respectful! Accurate! Pertinent!” he yells. As he is bowing his head in shame Dr K notices in the bin that one of the irrelevant results shows an elevated PSA count……….

Scenario C

Mrs Dawn March attends her GP, Dr Weary, for her usual two yearly cervical smear. Things have changed. There is now an agreement between Women’s Health Queensland, GP Primary Healthcare Networks, public hospitals and private pathology clinics. She is referred to the nearest “Super Smear Centre” as they are dubbed in the press. (These are at either a local hospital or pathology clinic.) She is told the results will be emailed to her GP who in any event has access to the results.

Mrs March does not hear anything and assumes everything is fine. However she receives a call 6 months later from a WHQ admin officer asking why she has not attended the appointments at the local gynae-oncology clinic as she has cervical cancer. The admin officer emails Mrs March the results whilst she is on the telephone.

Scenario D

Health practitioner (HP) would like to be credentialed at a hospital and is preparing a bundle of necessary documentation. HP inadvertently sends to the hospital a response prepared two years earlier to a complaint to the Health Ombudsman. The response highlights some concerning basic errors. The incident and the complaint were not mentioned in the credentialing application because they were “a long time ago” and HP has since completed refresher training to the satisfaction of the Board. HP has demanded the return of the documentation and an undertaking that it will not be taken into account when HP’s application for credentialing is considered because to do so would be a breach of natural justice.
