Today’s correspondent tells me that there is

… lots of discussion around the traps regarding legality/responses to paramedics enquiring about outcomes for patients they have brought in to hospital (e.g. asking nurses the next day for learning/education/debrief). It’s very variable within hospitals and even within departments (and I have found it the same when enquiring as nurse to nurse from accepting ED to transferring ED etc).  Legally, is this a breach of patient confidentiality?

It would be a breach if all that is being sought is salacious gossip – how did that accident really happen?  What was the reaction of the family when they saw/discovered/observed?

Let us assume that is not the case.  The paramedic wants to know both because they have an emotional investment in the outcome as well as a professional interest in knowing if their diagnosis was correct and their treatment efficacious.  There is privacy legislation in each jurisdiction and they all attempt to give effect to agreed privacy principles.  For that reason, I’ll refer to the Commonwealth Act that is mirrored in the state and territory legislation.

Under the Privacy Act 1988 (Cth), personal information ‘means information or an opinion about an identified individual, or an individual who is reasonably identifiable’ (s 6).  Health information means (s 6FA):

… information or an opinion about:

(i)  the health, including an illness, disability or injury, (at any time) of an individual; or …

(iii)  a health service provided, or to be provided, to an individual;

that is also personal information;

It follows that information about the actual diagnosis, prognosis and what was done and is being done for the patient’s benefit is ‘health information’.   It is also ‘sensitive information’ (s 6).

There are ‘Permitted health situations in relation to the collection, use or disclosure of health information’ (s 16B) including release for research but none of them apply in this context.

The relevant privacy principle is principle 6.  It says that an ‘entity’ (in this case the hospital represented by its employee or agent, ie the nurse) must not use or disclose personal information for a purpose other than which it was collected.  Information is recorded on hospital records for the hospital’s purposes and to facilitate treatment of the patient.  Giving that information to the paramedics is not about advancing the person’s treatment.  It would therefore be a breach unless the patient consents (Principle 6.1(a)) or (Principle 6.2(a)):

… the individual [patient] would reasonably expect the … entity to use or disclose the information for the secondary purpose and the secondary purpose is:

(i)  if the information is sensitive information–directly related to the primary purpose; or

(ii)  if the information is not sensitive information–related to the primary purpose …

I would think most people would reasonably expect health services to share information in the circumstances but that doesn’t answer the question of whether sharing the information with the paramedics is ‘directly related to the primary purpose’.

I think that’s the ‘out’.  If a person complained (and why would they) and the sharing of information really was just giving feedback to the paramedics one could argue that closing that information loop was directly related to the primary purpose of their health care.  On the other hand, it is also arguable that it’s not ‘directly’ related to the primary purpose for which information is collected as the paramedics have nothing more to do with the patient’s care.  It’s one of those situations where depending on what happened, and what information was shared, someone dealing with a complaint would have a way to find there was no breach.

Having said that it does seem to me that technically it is a breach of relevant privacy principle to tell the treating paramedics what the subsequent diagnosis and treatment was.


I’m surprised by the result but my conclusion is that technically it is a breach of the privacy principles. I say ‘technically’ as I can’t imagine most patients would object and would accept that the paramedics have an interest in knowing how the patient they treated has progressed and provided the release was reasonable and well-motivated, a decision maker could find that the disclosure was directly related to the primary purpose of obtaining and recording personal information.

Even so, on a strict reading of the Act, and subject to the hospital’s published privacy policy, it does appear that giving feedback to the paramedics would be a breach without the patient’s express consent.