Do I need my patient's consent to collect their information?
Generally speaking, yes, but this is generally implied by
the patient presenting for medical attention and giving
the doctor the relevant medical history for that purpose.
See also Consent.
What do I tell the patient about
the information I collect?
The patient must be told and agree to the main purpose for
which the information is collected. The main (or primary)
purpose is a fundamental concept under the Act which doctors
must carefully consider when collecting health information
from patients. Unless the doctor's and patient's expectations
about the main purpose for which the information is required
are aligned, a myriad of consents might be required for
later use and disclosure of the information in the course
of the patient's health care. See Use and Disclosure.
The patient has to be advised how their information will
be handled. This includes:
that information will be collected;
the purpose of collection;
that they may access information collected
to whom the information will be disclosed.
General information about this can be set out
in a patient information brochure or pamphlet (see Section
Five for samples). If possible, the patient should be told
how the information will be handled at the time of collecting
the health information. Often, when the patient first sees
the doctor, the advice can be given during usual communications.
The patient might be handed an information sheet or pamphlet
and also be given information orally during the consultation.
Can I collect information from other
sources than the patient?
Collection should primarily be from the patient, but may come
from other sources, for example, x-rays and specialists' reports.
Sometimes information about a patient is volunteered from
family or other sources. Unless it would be a serious threat
to the life or health of any individual, the patient should
be told that information has been collected, the purpose of
collection, that they may access the information, to whom
the information will be disclosed, the identity of, and how
to contact, the organisation collecting the information, and
any law that requires the information to be collected.
Can I collect information from other
doctors about a patient without seeing the patient?
Radiologists, pathologists and in some circumstances anaesthetists
often collect patient information without seeing the patient,
or attending them in circumstances not conducive to informing
the patient about the collection, use and disclosure likely
to occur in relation to their personal information. They sometimes
might rely upon the diligence of the referring doctor to ensure
collection of health information complies with the privacy
If the referring doctor has sufficiently explained the purpose
of collecting a medical history at the time of taking it,
and the patient understands that the information would be
used for this type of ongoing health care, members of the
treating team could reasonably proceed without the need for
further specific consents.
Radiologists and pathologists, and other specialists might
also comply with the Act by telling the patient about how
their information was handled, say, by including an appropriately
drafted statement on the back of the patient's account. An
example of such a statement is available in Section Five.
Can I collect information about other
family members when taking a medical history?
Yes. See below for consent requirements.
Is it necessary or advisable to obtain written consent to
collect information from patients?
The Act is not prescriptive. The doctor has to be satisfied
that a person genuinely consents to the collection of their
Consent can be express, oral or implied. It is implied, for
example, where a patient gives a medical history to the doctor
when presenting for treatment.
The signing of forms does not provide the assurance doctors
would like. People often sign forms although they are not
aware of what they are signing or why, but assume they have
to sign in order to obtain treatment.
The fact that a patient presents for health care and freely
gives the information will generally be evidence of consent.
The clinical notes usually tell the best story. If the doctor
requires additional information, (for example, to assess whether
secondary problems exist, or for ongoing health care) and
explains this, the patient's agreement should be noted at
If this becomes the doctor's usual practice, then the notation
can be brief, as later reference to it will show that the
usual practice was followed. Contemporaneous notes usually
provide the best evidence of what has occurred.
Where the doctor has any doubts, express consent should be
obtained and noted. Consent forms are not obligatory, but
may be necessary in some situations. Obtaining written consent
is advisable, for example, where the use of patient information
is requested for secondary purposes, such as scientific or
market research. A sample consent form is provided in Section
Do I need the consent of third parties
to collect information about them in the course of taking
a family or social history?
Best clinical practice requires collecting a full family and
social history from patients.
NPP 10.1 states that'sensitive information' (which by definition
includes all personal information collected for the purpose
of providing a health service) about an individual is not
to be collected unless the individual has consented. This
causes difficulties for doctors taking family or social histories
from patients without the consent of relevant family and other
The Privacy Commissioner has addressed this by issuing a Temporary
Public Interest Determination (TPID) of 21 December 2001 (which
is to stand for a period of 12 months) which declares that
no organisation is taken to contravene the Act if personal
information is recorded by a health service provider in circumstances
(a) the collection of the third party's information is necessary
for [the organisation]
(i) to provide a health service directly to the individual;
(ii) to diagnose, treat or care for the individual; and
(b) (i) the third party is a member of the individual's family
or household, or the third party's information is otherwise
relevant to the individual's family medical history or social
medical history; and
(ii) [The organisation] collects the information about the
third party in either or both of the following circumstances:
(c) without obtaining the consent of the third party; or
(d) without taking reasonable steps under the National Privacy
Principle 1.5 to ensure that the third party is or has been
made aware of the matters listed in National Privacy Principle
The TPID covers family histories, and it also covers personal
information taken from patients about non-family members,
recorded in the context of the patient's relevant interpersonal
relationships. Thus, GPs, psychiatrists, and other mental
health practitioners treating stress, anxiety conditions and
other mental health issues can safely record verbatim information
about third parties in order to assess, diagnose, treat or
care for a person's health.
Can I collect family and social history
in order to produce a medico-legal report?
The Temporary Public Interest Determination (TPID) is not
intended to prohibit doctors from collecting family and social
histories in order to produce medico-legal reports. The terms
of the TPID, at the time of this publication, are being considered
during the Office of the Federal Privacy Commissioner's public
consultation process, before any ongoing Public Interest Determination
(PID) in the area is declared. Whether any such PID needs
to cover any or all medico-legal assessments is being considered.
Can I release patient information to
A patient must give implied or express consent for their personal
information to be collected. Once the doctor has collected
patient information it may be used or disclosed for the main
reason it was collected or for other directly related purposes
if the person would reasonably expect this. Otherwise, further
consent is required for its use or disclosure.
If the main purpose of collecting patient information is to
assess, diagnose and treat a patient, then the use or disclosure
of that information to others in the treating team for that
particular episode of care is a directly related secondary
disclosure that is likely to be within the reasonable expectation
of the patient, and further consent is not required. This
should have been explained to the patient at the time of the
collection. On the other hand, its disclosure, say, for the
purposes of medical research, is clearly an unrelated secondary
use that requires patient consent.
Where information is to be used and disclosed for later episodes
of care not in the patient's or doctor's mind at the time
of collecting it, the situation becomes more difficult. Further
patient consent is required, unless the main purpose for collecting
the information was at the outset agreed between the patient
and doctor to be for the purpose of providing ongoing holistic
care of the patient.
The main purpose of collection is therefore a crucial concept.
Reaching an understanding about this with the patient when
medical histories are being taken is essential.
It is therefore important that doctors get patients' agreement
to collect information for the broader purpose of caring for
their health as a whole, if that accords with their general
practice, and ensure that they have aligned their expectations
to that of the patient's. Further consent is not then required
for the consequent sharing of information with other doctors
in the course of caring for those health needs.
Can I share patient information in
multi-disciplinary medical teams?
The multi-factorial nature of some medical conditions, such
as psychiatric disorders, usually requires multi-disciplinary
involvement with management and hence communication between
various organisations for whom the involved health professionals
work. The need for consent at each and every instance of 'extra-organisational
therapy' is impractical and can be avoided if at the outset
the patient understands, and consents to the sharing of information
between the treating team for the holistic care of the patient.
Can I record patient information on
a Medical Register?
If a doctor suggests a diabetes test and the patient agrees,
then consent to collect relevant information about this condition
is implied. The use to be made of the information and to whom
the information is likely to be disclosed and why, should
be explained at the time of collection. The information, once
collected, can be used (within the practice) and disclosed
(outside the practice), for example, to other members of the
treating team, if treatment for the condition is required.
However, recording patient health information on medical registers
such as diabetics registers raises other issues. Although
recall/reminder systems are directly related to the patient's
health, if register information is being recorded somewhere
other than on the patient's file, and particularly if the
register system is to be used to facilitate government practice
incentive payments, the purpose of the register should be
explained to the patient. Depending on how the information
will be used and disclosed the patient's agreement is likely
to be required if the register is held outside the practice,
for example, by GP Divisions. To avoid inadvertently making
an unlawful disclosure, the doctor should establish and record
the method(s) of recall/reminder to which the patient agrees.
That is, whether it is in order for a phone call to be made
and a message left with the person who answers the phone,
or a recorded message, or whether the reminder should be by
way of letter only.
It is important to note that:
unless the information is de-identified, or consent is obtained,
information should be transmitted to General Practice Divisions
and the Health Department only for the purpose for which the
doctor collected it and not for their own purposes;
doctors transmitting information electronically must ensure
that it is encrypted;
unique identifiers such as Medicare numbers should not be
used or disclosed unless required by Medicare (Health Insurance
Commission) or as otherwise necessary for purposes under the
Ideally, a general practice might prepare a
patient information sheet or pamphlet promoting its health
prevention and care plan that sets out the practice's policy
to provide patients with a recall/reminder system. The information
should refer to the government practice incentive program
and the practice's desire to ensure the privacy of its patients'
personal information. It might go on to explain the minimum
requirements of a health care program, the additional levels
of care that might be needed, and the frequency of the care
Can I disclose patient information
to my Medical Defence Organisation?
Patients are more likely to reasonably expect this if it is
set out in an information sheet supplied to them. Where doctors
may be obliged to disclose patient information relating to
adverse outcomes to their Medical Defence Organisation, insurer,
medical experts or lawyers, and if it is within patients'
reasonable expectations, then such disclosures may proceed
without seeking patient consent.
Can I give patient information to a debt collector?
Names and addresses recorded by doctors form part of the patient's
health information, and thus must be afforded the highest
level of privacy. Generally, such information should only
be used for the primary purpose for which it was collected,
namely to provide health care to the patient or for directly
related secondary purposes which are in the patient's reasonable
expectation. Using the patient's name and address details
for billing purposes, or for pursuing non-payment, falls into
the category of directly-related secondary purposes which
patients might reasonably expect. Thus it is permissible to
disclose a patient's name and address to a debt collection
agency to recover a bad debt. It is advisable to ensure, perhaps
by way of contact with the debt collector, that the personal
information disclosed to the debt collector will not be used
or disclosed for any other purpose.
Do I have to alter my office layout
to comply with the privacy legislation?
Accidental disclosure of patient information can occur if
discussions between the receptionist and patient can be overheard.
Most medical waiting rooms are set up with receptionists seated
behind a counter at which they work, take telephone calls,
attend to approaching patients, and keep an eye on waiting
patients. If for example, an ill patient had an epileptic
fit, they could be appropriately assisted. Conversations can
often be overheard. Some patients have hearing impairments,
and speaking to them softly is not appropriate. To ensure
no conversation is overheard would require substantial changes
to waiting room layout and staff practices, possibly including
a private interview room, and additional staff to ensure that
there is always somebody from the practice is in the waiting
room. This would not only be inefficient but would generate
costs which would inevitably be passed on to the consumer.
Doctors are expected under the Act to do their best to protect
their patients' privacy without compromise to other patient
needs, or incurring excessive costs.
The layout of the waiting room should ensure that the reception
desk is high enough to protect patient information from unauthorised
eyes. Staff should be made aware of the need to position themselves
so as to limit the chance of others overhearing their telephone
conversations and to avoid making unnecessary identification
of patients about whom they are speaking. Similarly, doctors
calling in patients by name should refrain from extraneous
comments about the patient's health. Patients might also be
given the option of completing a form rather than answering
questions asked by the receptionist.
Care should be taken that individuals cannot see computer
screens that show information about other individuals.
Can I fax and e-mail medical information?
Faxing medical reports and health information, for example,
to other members of a treating team, is permissible. It is
important that the receiving medical practices ensure that
the fax machine is secure and out of sight. Appropriate security
safeguards need to be in place for the e-mailing of information,
including encryption and ensuring the identity of the receiver.
Note that unencrypted e-mail is not a secure means of transmitting
Can I leave telephone messages?
Unwitting breaches of patient privacy can occur by a medical
practice leaving a message with a person or on an answering
machine when a patient is not available. Medical practices
should implement a policy of asking patients to tell the practice
if they do not want telephone messages left.
What are my obligations when I have
to disclose information without the patient's consent?
If disclosure is permitted or required by law, for example,
the notification of a communicable disease, where practical
the patient should be informed of that having occurred. Doctors
are required to keep a register of disclosures made to an
authorised enforcement body (see NPP 2.1(h)).
How should a request for access be
handled' Should it be made in writing?
A patient can not be required to put a request for access
in writing. Medical practices should develop a policy for
the handling of access requests, which could be set out in
a patient information pamphlet that can be given to patients
who have complicated access requests. A patient can be asked
to make a written request. However, most requests are likely
to be simply satisfied, for example, by the doctor explaining
the medical information or providing a copy of a test result
after discussing the result with the patient. The practice
should establish a form for use when asking a patient make
an access request in writing. The signed form should be placed,
or an oral request should be noted, on the patient's file.
All requests should be referred to the doctor who is likely
to want to go through the patient's notes to ensure that nothing
in them is likely to cause serious harm to the patient, or
anyone else, or unduly infringe someone else's privacy. The
nature of the access required and the cost to the patient
of the type of access requested should be explained in advance.
Can I ask a patient why they require
Patients do not have to give reasons for requesting access.
However, the scope of the request may need clarifying so that
the access granted is appropriate, which may not necessarily
involve providing a copy of the whole of the patient file.
The patient might only want to look at the notes during a
consultation. They may want to take some notes of their own,
or have a copy of a particular report.
Do I have to provide a copy of my whole medical file on that
Common sense and proper doctor/patient communication will
best determine the best form of access provided to patients.
What the patient requires should be clarified, and the appropriate
format in which it should be provided should be discussed.
A patient may not want the whole of the record but may be
happy to receive a summary of the notes or of a specialist's
opinion, or an explanation, or simply a copy of a test report.
It is not sufficient to provide illegible notes or incomprehensible
computer print outs. The cost of any elaboration or rewriting
should also be made clear prior to providing the documents
to the patient.
How much time do I have in which to
process an access request?
Access requests do not have to be responded to immediately.
Doctors should go through the notes to ensure that access
is not likely to cause serious harm to the patient or some
other person and that test results and so forth have been
discussed in a clinical situation with the patient. In general
an access request should be met within 30 days, taking into
account the patient's needs.
How much can I charge to provide access
to a patient?
Patients cannot be charged application fees to lodge a request
for access. They can be charged a reasonable fee to cover
administrative costs, the costs of photocopying, and the doctor's
time spent perusing the notes or explaining them to the patient,
or rewriting incomprehensible records. The cost cannot be
charged to Medicare or to health funds. However, if the patient
is seeking an explanation of, or access to, limited information
as part of a normal medical consultation, then it may be appropriate
to give this during the consultation in accordance with good
clinical practice, as part of the normal consultation time
The doctor and patient may have differing views about what
is a reasonable cost for complying with the request for access.
Other laws that provide for photocopy costs, for example,
Freedom of Information or Health Records legislation, will
provide a guide. The doctor and the patient should jointly
ascertain the scope of the request and discuss the costs involved.
Do I have to provide access to medical
records created before 21 December 2001?
There is a difference between information collected prior
to 21 December 2991 and that collected after. The Act generally
applies to information collected on or after 21 December 2001.
However, there is some retrospectivity to the access provisions.
Personal information collected before that date that remains
in use after that date forms part of the information to which
the patient has access.
Past records are 'still in use' if they relate to a condition
still being treated, or they are referred to in the course
of continuing health care. This applies to records used within
the practice (referred to by the doctor) or disclosed (to
specialists or others outside the practice), whether they
comprise factual or opinion information. If providing access
to past records causes an undue financial or administrative
burden, then a summary of the relevant part of the records
There is therefore no obligation on a doctor to provide access
to a patient to information collected prior to 21 December
2001 not in use. However, a request for access to these records
should be handled in accordance with good clinical and ethical
NPP 6.3 should also be noted. That is, where grounds exist
to deny access, consideration should be given to whether the
use of mutually agreed intermediaries would allow sufficient
access to meet the needs of both parties.
Can a parent always get access to their children's medical
The Act does not specify an age at which a child is considered
of sufficient maturity to make his or her own privacy decisions.
Doctors need to address each case individually, having regard
to the child's maturity, degree of autonomy, understanding
of the relevant circumstances and the type and sensitivity
of the information sought to be accessed.
In the case of a baby the circumstances are likely to be rare
where there are real concerns for the child's health that
can't be disclosed to the accompanying parent.
In the case of a young teen, the doctor might quite properly
take the view that access to the records without the child's
consent would be a breach of confidentiality. The request
for access should then be treated as a parental request for
disclosure, and denying the parent access requires no reason
other than confidentiality having to be maintained.
NPP6.3 should also be noted. That is, where grounds exist
to deny access, consideration should be given to whether providing
access to mutually agreed intermediaries would be sufficient
to meet the needs of both parties.
However, if a doctor suspects that parents are using the child's
health for their own domestic purposes, the doctor will need
to ask the accompanying parent which parent is entitled to
receive information about the child. If the matter can't easily
or quickly be resolved and the child has health needs that
require attention, it would be prudent to advise the absent
parent of the disclosure necessarily made to the accompanying
parent. A doctor should assess each situation in a clinical
and privacy context.
Can a GP provide a patient access to
a specialist's report contained on their file?
Patient access to a GP's medical records includes access to
specialists reports on the GP's files, notwithstanding that
they may be marked 'not to be released to the patient without
my permission'. Such a notation is also to be ignored if the
patient authorises the release, or the law requires it. However,
a specialist notation of this kind may alert the referring
doctor to something in the report that might cause serious
harm to the patient or another person, and thus provide a
reason for restricted release. Otherwise the specialist's
consent to patient access is not required.
The specialist retains copyright over reports he/she writes
and the opinions contained in them. Simply referring the patient
to the specialist author of a report is not an advisable course.
A GP might need to consult the specialist about any harm disclosure
of the report might pose. However, a specialist is more likely
to defer to the GP, who is generally better placed to assess
whether the release of the report is likely to cause serious
harm to the patient (or another person) ' the main reason
under the Act to restrict access to health information.
Can I restrict patient access to mental
Some GPs and specialists such as psychiatrists collect information
during counselling sessions and make process notes that often
include intimate notes of an interactive doctor/patient relationship.
The therapeutic process often requires a verbatim record of
a patient's account of events that involve other people, or
indeed the doctor, that are not necessarily accurate.
Where access to the notes is requested, doctors should consider
questions such as whether providing access would pose a serious
threat to the patient or to any other person, or whether providing
access would have an unreasonable impact upon the privacy
of another, including the doctor.
If there are grounds for refusing access to all the information,
other means of providing access other than copying the complete
notes should be considered, including the provision of a summary
A psychiatrist or psychotherapist might find it helpful to
let patients know in advance (or in a patient information
pamphlet) that most of the material collected from the patient
will be in the form of psychotherapy 'process notes', rather
than factual material, and that it may be the case that patient
access to such notes is restricted on the grounds that access
and correction of the notes might impede the therapeutic process
and cause serious harm to the patient. It could be explained
that usually only a summary of this material is provided in
response to a patient request for access. Up-front open communication
with patients is to be encouraged. However, no agreement should
be reached to this effect as a matter of course because if
a patient does insist on a full copy of the notes after being
offered a summary, then the situation has to be revisited
to see if a restriction is warranted under the Act.
Do I have to give immediate access
to test results?
If a patient pre-empts a medical appointment and requests
access to test results before discussing the report with the
doctor the access should be deferred until the consultation
has taken place. By way of contrast, if a patient asks for
a copy of a report of say 12 months ago after appropriate
clinical interventions have occurred, the practice's procedures
for access requests (which may still include reference to
the doctor) should be followed.
The Quality Use of Pathology Committee (QUPC) has given consideration
to how pathologists should handle a situation where a patient
demands test results which the referring doctor, their GP,
The QUPC protocol takes account of the fact that doctors are
not expected under the legislation to hand over 'raw' notes
and results immediately upon being asked. The QUPC recommends:
Consult the referring doctor, since the GP is best placed
to interpret test results to the patient in the context of
clinical history. Circumstances where releasing uninterpreted
test results to a patient could cause life-threatening harm
constitute a valid reason under the NPPs not to do so.
Having contacted the referring doctor to ascertain why test
results were being withheld, the pathologist should give the
patient a written response, explaining why results are being
reserved if he or she concurs with the patients' GP. A copy
of the response should go to the referring doctor.
If the GP has not had the opportunity of discussing the results,
the patient having pre-empted the appointment, then the specialist
can tell the patient that access to the test results will
be deferred until after that appointment.
The goal here is to facilitate access in the
most appropriate manner, not to deny access.
Who owns the medical records' the doctor
The Act gives patients a general right of access to information
held about them. It does not necessarily give a patient the
right of ownership of that information. As a general rule
the doctor who holds patient information owns and controls
it. Doctors retain their legal rights in relation to copyright
of their own work. Access to this information is a separate
Included in the health information a doctor often holds about
a patient are diagnostic notes, perhaps a medical protocol
tailored to a patient's particular needs, letters written
by the doctor, clinical notes taken about the patient. The
doctor owns the intellectual property rights in that information.
The copyright of specialists' reports held on a GP's file
belongs to the specialist who wrote the report.
The High Court case of Breen v Williams (1995) 186 CLR 71
confirmed doctors' rights in this regard. The Act is subject
to existing law, and that includes court-made law as well
as Parliament-made law. Thus, the granting to patients of
access to their medical information does not necessarily give
patients the right to deal with the information as they wish.
The Act restricts doctors as how they may use and disclose
the patient's information. But as well, patients' rights to
access their health information may be subject to restrictions
on its reproduction and use subject to the doctor's permission.
In practice this would be hard to enforce or explain, and
there is probably little reason to do it. However, in relation
to medical reports it is important, because there is a question
of ensuring that nobody else reproduces the doctor's opinion
for commercial purposes without the doctor's permission, and
there is the question of the right to charge a fee for reports.
There is nothing to stop a doctor from asserting copyright
over the material that indicates that the doctor's consent
is required for further reproduction of the material. However,
the doctor should ensure that this does not breach his/her
ethical duty, by preventing relevant material being made available
to another doctor or medical treatment team member.
Am I obliged to provide access to the
patient of a medico-legal report?
The Act provides patients with a general right to access personal
information held about them. Opinions expressed in medical
reports prepared at the request of lawyers on behalf of clients
form part of the health record to which the Act applies. The
intellectual property rests with the author of the report.
But, subject to certain exemptions, a person is entitled to
know and see what information is held about them. Sometimes
a person requests a copy of a medico-legal report written
about them before the agreed fee for the preparation of the
report is paid.
Three distinct situations must be appreciated:
Where a doctor, other than a treating doctor of the patient,
is requested by a third party ' say the insurer of a defendant
to a legal proceeding ' to prepare a medico-legal report.
The patient's consent is required before the doctor examines
the patient for the purpose of preparing the report. Where
the report, commissioned by a third party, is the subject
of legal professional privilege, then it is exempt from the
access requirements under the Act.
Where a third party commissions the report -
say, for insurance purposes rather than for legal proceedings
- where no legal professional privilege applies. The patient
is, subject to other restricted exemptions under the Act,
entitled to access that report. A doctor might be concerned
that a patient might then use the report for other unrelated
purposes - in pending litigation, or for some other purpose
such as to get a pilot's licence. While under the Act the
doctor is not entitled to ask why a patient seeks access,
it is reasonable for the doctor to assert copyright over a
medico-legal report. In that event the doctor in providing
access can stipulate that the report be not further published
or reproduced without the doctor's permission and thus ascertain
whether the patient is attempting to use the Act to avoid
paying the appropriate fee.
Where the treating doctor has been asked to
provide a report for medico-legal or other commercial reasons,
on behalf of the patient - though a commercial fee for the
preparation of the report is agreed, the patient could circumvent
its payment by accessing the report through the Act. A doctor
concerned that this might happen could ask for payment of
the agreed fee before examining the patient and preparing
the report and so avoid the problem.
Doctors performing medico-legal assessments
are performing a 'health service' for the purpose of the Act
in that they are assessing, recording or diagnosing an individual's
actual or suspected illness or disability. They must, therefore,
comply with the Act, but similarly are able to take family
and other personal histories under the TPID as it stands.
Should I forward medical records to
a solicitor or a patient's agent?
While a doctor is not entitled to ask why access is requested,
it is appropriate to seek clarification of the request to
enable agreement about the nature of the access and the appropriate
cost. When a patient seeks to have notes forwarded to a solicitor
it is likely that the material is to be used for medico-legal
purposes. It is improper for lawyers to use the Act as a back-door
method of obtaining access to medical opinions. It would be
appropriate to ask the patient to clarify what part of the
notes is required. The doctor then, as in every case where
copies of the whole or part of a file are required, should
go through the notes to identify any information to which
access should be restricted (such as information about other
people collected in the course of history taking). Then, whether
part or all of the notes are required, the doctor should ask
for payment of reasonable administrative costs incurred in
reviewing the notes and for photocopying before their release
to the solicitor.
To whom can I disclose a report prepared
for a commissioning agent?
If you are not the treating doctor, and you are commissioned
by a third party, the report, if requested for the purpose
of or in anticipation of litigation, is the subject of legal
professional privilege, and while the patient has no right
of access to it, it can be disclosed to the commissioning
party. The patient has consented to an examination and the
report being prepared and would reasonably expect it to be
used and disclosed for the purpose it was prepared.
If the report was commissioned for other purposes, say for
production to a Mental Health Tribunal, or Parole Board, the
disclosure is authorised or permitted by law, whether or not
the patient has consented to the disclosure and the patient
may very likely be able to access the report.
In some states Work Cover legislation authorises the release
of information to a statutory board and requests are made
to doctors for information without providing the patient's
consent. Generally, the patient's having applied for a Work
Cover benefit covers the consent requirement. If the relevant
legislation authorises the release of information, no further
consent is required, but good clinical practice would surely
dictate that the doctor should tell the patient about the
request and that it has been met.
If an insurance company or employer commissions the report,
so long as the person has given authority for the report to
be prepared, then it follows that the report can be disclosed
to the commissioning agent, which is why the material was
collected in the first place. However, if an employer seeks
information from a doctor to verify a sickness certificate,
the doctor should obtain the patient's consent before dealing
with this inquiry. Similarly, if a family member asks whether
or not a patient has made an appointment to see the doctor,
this information should not be given without the patient's
consent, if the patient has capacity or maturity to make decisions
about management of their health information.
OF MEDICAL RECORDS
I'm retiring ' what do I need to do
to with my records?
When a practitioner retires or dies and another doctor within
the practice takes over responsibility for the patient records
held by the retiring or deceased practitioner, it is appropriate
that the practitioner, or the estate, issue a circular announcing
the retirement or the death advising that the records will
be held by a nominated doctor in the practice. If that is
not feasible, then it is appropriate that patients be informed
about the new arrangement when they contact the practice giving
them the opportunity to have their records transferred to
another doctor or practice.
If no arrangements can be made to transfer the records to
another doctor, then suitable storage arrangements should
be made so that they can be easily accessed if required, and
the practice's phone number might have to be retained or redirected
to enable patients to be told about the new arrangements.
A patient wants to change doctors. What am I required to do?
A doctor should always do what accords with best clinical
practice and relevant codes of ethics, to ensure that the
new practitioner gets all papers and records reasonably required
to treat the patient adequately.
If the patient has requested transfer of the full medical
file, then the patient's wish should be met, with copies of
the file being provided to the nominated doctor. The transferring
doctor should retain all original documents on his/her own
file and archive for medico-legal purposes.
The authorship of material on the doctor's file is irrelevant,
as the practitioner who holds the material is responsible
for complying with the request for access/transfer.
It may be appropriate to clarify the scope of the patient's
request, to understand the needs of the patient and the new
PRIVACY COMMISSIONERS POWERS
What are the consequences of non-compliance?
The enforcement process is generally complaint driven. The
Federal Privacy Commissioner has no judicial powers but has
wide powers of investigation. The approach to enforcement
is one of conflict resolution. At first instance the individual
complaint is to be made to the organisation or doctor. If
it is not resolved at that stage, the Commissioner may investigate.
The Commissioner can dismiss a complaint at any stage. If
the Commissioner finds there has been a breach, the Commissioner
can make an enforceable determination that the conduct is
not to be repeated, that the doctor or organisation should
do 'any reasonable act' to redress loss or damage suffered,
and that a specific amount of compensation be paid.
If, for example, the inadvertent disclosure of a patient's
HIV status found its way to an employer, and the individual
was sacked, a large damage award could result. Such a worst
scenario is unlikely. However, the inconvenience, embarrassment
and cost of investigation to a doctor should not be underestimated.
Does my MDO cover me for privacy breaches?
Doctors are advised to check whether their professional medical
indemnity arrangements cover awards and/or the costs of investigations
Do doctors need to have a complaint
Yes. In most cases simply discussing the issues with the patient
should resolve the matter to the patient's satisfaction. The
Commissioner will look into a complaint only if that process
fails. An investigation could be time consuming and costly
to the practice.
What should doctors do if the Privacy Commissioner investigates
Doctors are advised to obtain their own independent legal
advice and/or notify their MDO. In addition, AMA members are
invited to tell the Federal AMA office about any investigation.
Doctors and their staff should comply with any direction given
by the Commissioner, as monetary fines or imprisonment may
result from non-compliance (see Section 46 of the Act).