Today’s correspondent tells me that there is
… lots of discussion around the traps regarding legality/responses to paramedics enquiring about outcomes for patients they have brought in to hospital (e.g. asking nurses the next day for learning/education/debrief). It’s very variable within hospitals and even within departments (and I have found it the same when enquiring as nurse to nurse from accepting ED to transferring ED etc). Legally, is this a breach of patient confidentiality?
It would be a breach if all that is being sought is salacious gossip – how did that accident really happen? What was the reaction of the family when they saw/discovered/observed?
Let us assume that is not the case. The paramedic wants to know both because they have an emotional investment in the outcome as well as a professional interest in knowing if their diagnosis was correct and their treatment efficacious. There is privacy legislation in each jurisdiction and they all attempt to give effect to agreed privacy principles. For that reason, I’ll refer to the Commonwealth Act that is mirrored in the state and territory legislation.
Under the Privacy Act 1988 (Cth), personal information ‘means information or an opinion about an identified individual, or an individual who is reasonably identifiable’ (s 6). Health information means (s 6FA):
… information or an opinion about:
(i) the health, including an illness, disability or injury, (at any time) of an individual; or …
(iii) a health service provided, or to be provided, to an individual;
that is also personal information;
It follows that information about the actual diagnosis, prognosis and what was done and is being done for the patient’s benefit is ‘health information’. It is also ‘sensitive information’ (s 6).
There are ‘Permitted health situations in relation to the collection, use or disclosure of health information’ (s 16B) including release for research but none of them apply in this context.
The relevant privacy principle is principle 6. It says that an ‘entity’ (in this case the hospital represented by its employee or agent, ie the nurse) must not use or disclose personal information for a purpose other than which it was collected. Information is recorded on hospital records for the hospital’s purposes and to facilitate treatment of the patient. Giving that information to the paramedics is not about advancing the person’s treatment. It would therefore be a breach unless the patient consents (Principle 6.1(a)) or (Principle 6.2(a)):
… the individual [patient] would reasonably expect the … entity to use or disclose the information for the secondary purpose and the secondary purpose is:
(i) if the information is sensitive information–directly related to the primary purpose; or
(ii) if the information is not sensitive information–related to the primary purpose …
I would think most people would reasonably expect health services to share information in the circumstances but that doesn’t answer the question of whether sharing the information with the paramedics is ‘directly related to the primary purpose’.
I think that’s the ‘out’. If a person complained (and why would they) and the sharing of information really was just giving feedback to the paramedics one could argue that closing that information loop was directly related to the primary purpose of their health care. On the other hand, it is also arguable that it’s not ‘directly’ related to the primary purpose for which information is collected as the paramedics have nothing more to do with the patient’s care. It’s one of those situations where depending on what happened, and what information was shared, someone dealing with a complaint would have a way to find there was no breach.
Having said that it does seem to me that technically it is a breach of relevant privacy principle to tell the treating paramedics what the subsequent diagnosis and treatment was.
I’m surprised by the result but my conclusion is that technically it is a breach of the privacy principles. I say ‘technically’ as I can’t imagine most patients would object and would accept that the paramedics have an interest in knowing how the patient they treated has progressed and provided the release was reasonable and well-motivated, a decision maker could find that the disclosure was directly related to the primary purpose of obtaining and recording personal information.
When you run a blog like this you have to ‘back yourself’ – that is I give my opinion so I don’t generally seek the opinion of other’s. But the answer to this question seemed perverse so on this occasion I did seek a second opinion from the Office of the Australian Information Commissioner. The Australian Information Commissioner is responsible for the implementation of privacy laws at Commonwealth, not state level, but the privacy principles are the same, but of course the answer below does hedge its bets around potential state/commonwealth differences. In any event I set out the answer in full, and I’ve highlighted the final paragraph which, sadly, reaches the same conclusion I did. Providing health information to the paramedics although probably good for the paramedics ‘may constitute an interference with the privacy of an individual.’
Thank you for your enquiry. I apologise for the extended delay in our response.
An additional consideration which you have not raised is if the hospital is public or private health service provider. The Australian Privacy Principles (the APPs) contained in the Privacy Act 1988 (Cth) (the Act) regulate the way in which many private sector organisations are to handle personal information and apply to all private health service providers. However the APPs do not apply to State or Territory public health bodies. Contact details for state and territory privacy regulators are available in our other privacy jurisdictions page.
If the APPs do apply, APP 6 outlines when an organisation may use or disclose personal information. Specifically, an organisation may use or disclose an individual’s personal information when it is done for the same purpose for which the information was collected (the primary purpose). Use or disclosure for another purpose (a secondary purpose) is only permitted when one of the exceptions to APP 6 applies.
These exceptions include, but are not limited to, where:
- the secondary purpose is directly related to the primary purpose of collection, and is within the individual’s reasonable expectations
- the individual has consented to the use or disclosure for that other purpose
- the use or disclosure is required or authorised by or under law (see 6.2(b) and 6.2 (e)
- a permitted general situation or a permitted health situation exists in relation to the use or disclosure of the information.
Further information and tips for compliance is available in our published Chapter 6: APP 6 — Use or disclosure of personal information.
Based on the information provided in your email, it does not appear that a the disclosure is for the primary purpose of collection or that any of the exceptions apply.
As such, a disclosure in the circumstances described may constitute an interference with the privacy of an individual.
The Office of the Australian Information Commissioner (the OAIC) regulates the Privacy Act 1988 (Cth) and the Freedom of Information Act 1982 (Cth). The office has the power to investigate complaints about the alleged mishandling of personal information by Australian and Norfolk Island government agencies and many private sector organisations, as well as the power to review FOI decisions of Australian and Norfolk Island government agencies. We are also responsible for handling privacy complaints about ACT public sector agencies.
For further information, please visit our website.
I hope this information has been useful. If you have any further enquiries, please contact theOAIC enquiries line on 1300 363 992.
Office of the Australian Information Commissioner