Questions and Answers

Quick links











Do I need my patient's consent to collect their information?

Generally speaking, yes, but this is generally implied by the patient presenting for medical attention and giving the doctor the relevant medical history for that purpose. See also Consent.

What do I tell the patient about the information I collect?
The patient must be told and agree to the main purpose for which the information is collected. The main (or primary) purpose is a fundamental concept under the Act which doctors must carefully consider when collecting health information from patients. Unless the doctor's and patient's expectations about the main purpose for which the information is required are aligned, a myriad of consents might be required for later use and disclosure of the information in the course of the patient's health care. See Use and Disclosure.
The patient has to be advised how their information will be handled. This includes:

  • that information will be collected;
  • the purpose of collection;
  • that they may access information collected about them;
  • to whom the information will be disclosed.

General information about this can be set out in a patient information brochure or pamphlet (see Section Five for samples). If possible, the patient should be told how the information will be handled at the time of collecting the health information. Often, when the patient first sees the doctor, the advice can be given during usual communications. The patient might be handed an information sheet or pamphlet and also be given information orally during the consultation.
Can I collect information from other sources than the patient?
Collection should primarily be from the patient, but may come from other sources, for example, x-rays and specialists' reports. Sometimes information about a patient is volunteered from family or other sources. Unless it would be a serious threat to the life or health of any individual, the patient should be told that information has been collected, the purpose of collection, that they may access the information, to whom the information will be disclosed, the identity of, and how to contact, the organisation collecting the information, and any law that requires the information to be collected.
Can I collect information from other doctors about a patient without seeing the patient?
Radiologists, pathologists and in some circumstances anaesthetists often collect patient information without seeing the patient, or attending them in circumstances not conducive to informing the patient about the collection, use and disclosure likely to occur in relation to their personal information. They sometimes might rely upon the diligence of the referring doctor to ensure collection of health information complies with the privacy legislation.
If the referring doctor has sufficiently explained the purpose of collecting a medical history at the time of taking it, and the patient understands that the information would be used for this type of ongoing health care, members of the treating team could reasonably proceed without the need for further specific consents.
Radiologists and pathologists, and other specialists might also comply with the Act by telling the patient about how their information was handled, say, by including an appropriately drafted statement on the back of the patient's account. An example of such a statement is available in Section Five.

Can I collect information about other family members when taking a medical history?
Yes. See below for consent requirements.


Is it necessary or advisable to obtain written consent to collect information from patients?

The Act is not prescriptive. The doctor has to be satisfied that a person genuinely consents to the collection of their personal information.
Consent can be express, oral or implied. It is implied, for example, where a patient gives a medical history to the doctor when presenting for treatment.
The signing of forms does not provide the assurance doctors would like. People often sign forms although they are not aware of what they are signing or why, but assume they have to sign in order to obtain treatment.
The fact that a patient presents for health care and freely gives the information will generally be evidence of consent. The clinical notes usually tell the best story. If the doctor requires additional information, (for example, to assess whether secondary problems exist, or for ongoing health care) and explains this, the patient's agreement should be noted at the time.
If this becomes the doctor's usual practice, then the notation can be brief, as later reference to it will show that the usual practice was followed. Contemporaneous notes usually provide the best evidence of what has occurred.
Where the doctor has any doubts, express consent should be obtained and noted. Consent forms are not obligatory, but may be necessary in some situations. Obtaining written consent is advisable, for example, where the use of patient information is requested for secondary purposes, such as scientific or market research. A sample consent form is provided in Section Five.

Do I need the consent of third parties to collect information about them in the course of taking a family or social history?
Best clinical practice requires collecting a full family and social history from patients.
NPP 10.1 states that'sensitive information' (which by definition includes all personal information collected for the purpose of providing a health service) about an individual is not to be collected unless the individual has consented. This causes difficulties for doctors taking family or social histories from patients without the consent of relevant family and other third parties.
The Privacy Commissioner has addressed this by issuing a Temporary Public Interest Determination (TPID) of 21 December 2001 (which is to stand for a period of 12 months) which declares that no organisation is taken to contravene the Act if personal information is recorded by a health service provider in circumstances where:
(a) the collection of the third party's information is necessary for [the organisation]
(i) to provide a health service directly to the individual; and
(ii) to diagnose, treat or care for the individual; and
(b) (i) the third party is a member of the individual's family or household, or the third party's information is otherwise relevant to the individual's family medical history or social medical history; and
(ii) [The organisation] collects the information about the third party in either or both of the following circumstances:
(c) without obtaining the consent of the third party; or
(d) without taking reasonable steps under the National Privacy Principle 1.5 to ensure that the third party is or has been made aware of the matters listed in National Privacy Principle 1.3
The TPID covers family histories, and it also covers personal information taken from patients about non-family members, recorded in the context of the patient's relevant interpersonal relationships. Thus, GPs, psychiatrists, and other mental health practitioners treating stress, anxiety conditions and other mental health issues can safely record verbatim information about third parties in order to assess, diagnose, treat or care for a person's health.
Can I collect family and social history in order to produce a medico-legal report?
The Temporary Public Interest Determination (TPID) is not intended to prohibit doctors from collecting family and social histories in order to produce medico-legal reports. The terms of the TPID, at the time of this publication, are being considered during the Office of the Federal Privacy Commissioner's public consultation process, before any ongoing Public Interest Determination (PID) in the area is declared. Whether any such PID needs to cover any or all medico-legal assessments is being considered.


Can I release patient information to other doctors?
A patient must give implied or express consent for their personal information to be collected. Once the doctor has collected patient information it may be used or disclosed for the main reason it was collected or for other directly related purposes if the person would reasonably expect this. Otherwise, further consent is required for its use or disclosure.
If the main purpose of collecting patient information is to assess, diagnose and treat a patient, then the use or disclosure of that information to others in the treating team for that particular episode of care is a directly related secondary disclosure that is likely to be within the reasonable expectation of the patient, and further consent is not required. This should have been explained to the patient at the time of the collection. On the other hand, its disclosure, say, for the purposes of medical research, is clearly an unrelated secondary use that requires patient consent.
Where information is to be used and disclosed for later episodes of care not in the patient's or doctor's mind at the time of collecting it, the situation becomes more difficult. Further patient consent is required, unless the main purpose for collecting the information was at the outset agreed between the patient and doctor to be for the purpose of providing ongoing holistic care of the patient.
The main purpose of collection is therefore a crucial concept. Reaching an understanding about this with the patient when medical histories are being taken is essential.
It is therefore important that doctors get patients' agreement to collect information for the broader purpose of caring for their health as a whole, if that accords with their general practice, and ensure that they have aligned their expectations to that of the patient's. Further consent is not then required for the consequent sharing of information with other doctors in the course of caring for those health needs.

Can I share patient information in multi-disciplinary medical teams?
The multi-factorial nature of some medical conditions, such as psychiatric disorders, usually requires multi-disciplinary involvement with management and hence communication between various organisations for whom the involved health professionals work. The need for consent at each and every instance of 'extra-organisational therapy' is impractical and can be avoided if at the outset the patient understands, and consents to the sharing of information between the treating team for the holistic care of the patient.
Can I record patient information on a Medical Register?
If a doctor suggests a diabetes test and the patient agrees, then consent to collect relevant information about this condition is implied. The use to be made of the information and to whom the information is likely to be disclosed and why, should be explained at the time of collection. The information, once collected, can be used (within the practice) and disclosed (outside the practice), for example, to other members of the treating team, if treatment for the condition is required.
However, recording patient health information on medical registers such as diabetics registers raises other issues. Although recall/reminder systems are directly related to the patient's health, if register information is being recorded somewhere other than on the patient's file, and particularly if the register system is to be used to facilitate government practice incentive payments, the purpose of the register should be explained to the patient. Depending on how the information will be used and disclosed the patient's agreement is likely to be required if the register is held outside the practice, for example, by GP Divisions. To avoid inadvertently making an unlawful disclosure, the doctor should establish and record the method(s) of recall/reminder to which the patient agrees. That is, whether it is in order for a phone call to be made and a message left with the person who answers the phone, or a recorded message, or whether the reminder should be by way of letter only.
It is important to note that:
unless the information is de-identified, or consent is obtained, information should be transmitted to General Practice Divisions and the Health Department only for the purpose for which the doctor collected it and not for their own purposes;
doctors transmitting information electronically must ensure that it is encrypted;
unique identifiers such as Medicare numbers should not be used or disclosed unless required by Medicare (Health Insurance Commission) or as otherwise necessary for purposes under the Medicare legislation.

Ideally, a general practice might prepare a patient information sheet or pamphlet promoting its health prevention and care plan that sets out the practice's policy to provide patients with a recall/reminder system. The information should refer to the government practice incentive program and the practice's desire to ensure the privacy of its patients' personal information. It might go on to explain the minimum requirements of a health care program, the additional levels of care that might be needed, and the frequency of the care activities.

Can I disclose patient information to my Medical Defence Organisation?
Patients are more likely to reasonably expect this if it is set out in an information sheet supplied to them. Where doctors may be obliged to disclose patient information relating to adverse outcomes to their Medical Defence Organisation, insurer, medical experts or lawyers, and if it is within patients' reasonable expectations, then such disclosures may proceed without seeking patient consent.

Can I give patient information to a debt collector?

Names and addresses recorded by doctors form part of the patient's health information, and thus must be afforded the highest level of privacy. Generally, such information should only be used for the primary purpose for which it was collected, namely to provide health care to the patient or for directly related secondary purposes which are in the patient's reasonable expectation. Using the patient's name and address details for billing purposes, or for pursuing non-payment, falls into the category of directly-related secondary purposes which patients might reasonably expect. Thus it is permissible to disclose a patient's name and address to a debt collection agency to recover a bad debt. It is advisable to ensure, perhaps by way of contact with the debt collector, that the personal information disclosed to the debt collector will not be used or disclosed for any other purpose.

Do I have to alter my office layout to comply with the privacy legislation?
Accidental disclosure of patient information can occur if discussions between the receptionist and patient can be overheard.
Most medical waiting rooms are set up with receptionists seated behind a counter at which they work, take telephone calls, attend to approaching patients, and keep an eye on waiting patients. If for example, an ill patient had an epileptic fit, they could be appropriately assisted. Conversations can often be overheard. Some patients have hearing impairments, and speaking to them softly is not appropriate. To ensure no conversation is overheard would require substantial changes to waiting room layout and staff practices, possibly including a private interview room, and additional staff to ensure that there is always somebody from the practice is in the waiting room. This would not only be inefficient but would generate costs which would inevitably be passed on to the consumer.
Doctors are expected under the Act to do their best to protect their patients' privacy without compromise to other patient needs, or incurring excessive costs.
The layout of the waiting room should ensure that the reception desk is high enough to protect patient information from unauthorised eyes. Staff should be made aware of the need to position themselves so as to limit the chance of others overhearing their telephone conversations and to avoid making unnecessary identification of patients about whom they are speaking. Similarly, doctors calling in patients by name should refrain from extraneous comments about the patient's health. Patients might also be given the option of completing a form rather than answering questions asked by the receptionist.
Care should be taken that individuals cannot see computer screens that show information about other individuals.

Can I fax and e-mail medical information?
Faxing medical reports and health information, for example, to other members of a treating team, is permissible. It is important that the receiving medical practices ensure that the fax machine is secure and out of sight. Appropriate security safeguards need to be in place for the e-mailing of information, including encryption and ensuring the identity of the receiver. Note that unencrypted e-mail is not a secure means of transmitting information.

Can I leave telephone messages?
Unwitting breaches of patient privacy can occur by a medical practice leaving a message with a person or on an answering machine when a patient is not available. Medical practices should implement a policy of asking patients to tell the practice if they do not want telephone messages left.

What are my obligations when I have to disclose information without the patient's consent?
If disclosure is permitted or required by law, for example, the notification of a communicable disease, where practical the patient should be informed of that having occurred. Doctors are required to keep a register of disclosures made to an authorised enforcement body (see NPP 2.1(h)).


How should a request for access be handled' Should it be made in writing?
A patient can not be required to put a request for access in writing. Medical practices should develop a policy for the handling of access requests, which could be set out in a patient information pamphlet that can be given to patients who have complicated access requests. A patient can be asked to make a written request. However, most requests are likely to be simply satisfied, for example, by the doctor explaining the medical information or providing a copy of a test result after discussing the result with the patient. The practice should establish a form for use when asking a patient make an access request in writing. The signed form should be placed, or an oral request should be noted, on the patient's file. All requests should be referred to the doctor who is likely to want to go through the patient's notes to ensure that nothing in them is likely to cause serious harm to the patient, or anyone else, or unduly infringe someone else's privacy. The nature of the access required and the cost to the patient of the type of access requested should be explained in advance.
Can I ask a patient why they require access?
Patients do not have to give reasons for requesting access. However, the scope of the request may need clarifying so that the access granted is appropriate, which may not necessarily involve providing a copy of the whole of the patient file. The patient might only want to look at the notes during a consultation. They may want to take some notes of their own, or have a copy of a particular report.
Do I have to provide a copy of my whole medical file on that patient?

Common sense and proper doctor/patient communication will best determine the best form of access provided to patients. What the patient requires should be clarified, and the appropriate format in which it should be provided should be discussed. A patient may not want the whole of the record but may be happy to receive a summary of the notes or of a specialist's opinion, or an explanation, or simply a copy of a test report. It is not sufficient to provide illegible notes or incomprehensible computer print outs. The cost of any elaboration or rewriting should also be made clear prior to providing the documents to the patient.

How much time do I have in which to process an access request?
Access requests do not have to be responded to immediately. Doctors should go through the notes to ensure that access is not likely to cause serious harm to the patient or some other person and that test results and so forth have been discussed in a clinical situation with the patient. In general an access request should be met within 30 days, taking into account the patient's needs.

How much can I charge to provide access to a patient?
Patients cannot be charged application fees to lodge a request for access. They can be charged a reasonable fee to cover administrative costs, the costs of photocopying, and the doctor's time spent perusing the notes or explaining them to the patient, or rewriting incomprehensible records. The cost cannot be charged to Medicare or to health funds. However, if the patient is seeking an explanation of, or access to, limited information as part of a normal medical consultation, then it may be appropriate to give this during the consultation in accordance with good clinical practice, as part of the normal consultation time and cost.
The doctor and patient may have differing views about what is a reasonable cost for complying with the request for access. Other laws that provide for photocopy costs, for example, Freedom of Information or Health Records legislation, will provide a guide. The doctor and the patient should jointly ascertain the scope of the request and discuss the costs involved.

Do I have to provide access to medical records created before 21 December 2001?
There is a difference between information collected prior to 21 December 2991 and that collected after. The Act generally applies to information collected on or after 21 December 2001. However, there is some retrospectivity to the access provisions. Personal information collected before that date that remains in use after that date forms part of the information to which the patient has access.
Past records are 'still in use' if they relate to a condition still being treated, or they are referred to in the course of continuing health care. This applies to records used within the practice (referred to by the doctor) or disclosed (to specialists or others outside the practice), whether they comprise factual or opinion information. If providing access to past records causes an undue financial or administrative burden, then a summary of the relevant part of the records will suffice.
There is therefore no obligation on a doctor to provide access to a patient to information collected prior to 21 December 2001 not in use. However, a request for access to these records should be handled in accordance with good clinical and ethical practice.
NPP 6.3 should also be noted. That is, where grounds exist to deny access, consideration should be given to whether the use of mutually agreed intermediaries would allow sufficient access to meet the needs of both parties.
Can a parent always get access to their children's medical records?

The Act does not specify an age at which a child is considered of sufficient maturity to make his or her own privacy decisions. Doctors need to address each case individually, having regard to the child's maturity, degree of autonomy, understanding of the relevant circumstances and the type and sensitivity of the information sought to be accessed.
In the case of a baby the circumstances are likely to be rare where there are real concerns for the child's health that can't be disclosed to the accompanying parent.
In the case of a young teen, the doctor might quite properly take the view that access to the records without the child's consent would be a breach of confidentiality. The request for access should then be treated as a parental request for disclosure, and denying the parent access requires no reason other than confidentiality having to be maintained.
NPP6.3 should also be noted. That is, where grounds exist to deny access, consideration should be given to whether providing access to mutually agreed intermediaries would be sufficient to meet the needs of both parties.
However, if a doctor suspects that parents are using the child's health for their own domestic purposes, the doctor will need to ask the accompanying parent which parent is entitled to receive information about the child. If the matter can't easily or quickly be resolved and the child has health needs that require attention, it would be prudent to advise the absent parent of the disclosure necessarily made to the accompanying parent. A doctor should assess each situation in a clinical and privacy context.

Can a GP provide a patient access to a specialist's report contained on their file?
Patient access to a GP's medical records includes access to specialists reports on the GP's files, notwithstanding that they may be marked 'not to be released to the patient without my permission'. Such a notation is also to be ignored if the patient authorises the release, or the law requires it. However, a specialist notation of this kind may alert the referring doctor to something in the report that might cause serious harm to the patient or another person, and thus provide a reason for restricted release. Otherwise the specialist's consent to patient access is not required.
The specialist retains copyright over reports he/she writes and the opinions contained in them. Simply referring the patient to the specialist author of a report is not an advisable course. A GP might need to consult the specialist about any harm disclosure of the report might pose. However, a specialist is more likely to defer to the GP, who is generally better placed to assess whether the release of the report is likely to cause serious harm to the patient (or another person) ' the main reason under the Act to restrict access to health information.

Can I restrict patient access to mental health notes?
Some GPs and specialists such as psychiatrists collect information during counselling sessions and make process notes that often include intimate notes of an interactive doctor/patient relationship. The therapeutic process often requires a verbatim record of a patient's account of events that involve other people, or indeed the doctor, that are not necessarily accurate.
Where access to the notes is requested, doctors should consider questions such as whether providing access would pose a serious threat to the patient or to any other person, or whether providing access would have an unreasonable impact upon the privacy of another, including the doctor.
If there are grounds for refusing access to all the information, other means of providing access other than copying the complete notes should be considered, including the provision of a summary report.
A psychiatrist or psychotherapist might find it helpful to let patients know in advance (or in a patient information pamphlet) that most of the material collected from the patient will be in the form of psychotherapy 'process notes', rather than factual material, and that it may be the case that patient access to such notes is restricted on the grounds that access and correction of the notes might impede the therapeutic process and cause serious harm to the patient. It could be explained that usually only a summary of this material is provided in response to a patient request for access. Up-front open communication with patients is to be encouraged. However, no agreement should be reached to this effect as a matter of course because if a patient does insist on a full copy of the notes after being offered a summary, then the situation has to be revisited to see if a restriction is warranted under the Act.

Do I have to give immediate access to test results?
If a patient pre-empts a medical appointment and requests access to test results before discussing the report with the doctor the access should be deferred until the consultation has taken place. By way of contrast, if a patient asks for a copy of a report of say 12 months ago after appropriate clinical interventions have occurred, the practice's procedures for access requests (which may still include reference to the doctor) should be followed.
The Quality Use of Pathology Committee (QUPC) has given consideration to how pathologists should handle a situation where a patient demands test results which the referring doctor, their GP, had withheld.
The QUPC protocol takes account of the fact that doctors are not expected under the legislation to hand over 'raw' notes and results immediately upon being asked. The QUPC recommends:
Consult the referring doctor, since the GP is best placed to interpret test results to the patient in the context of clinical history. Circumstances where releasing uninterpreted test results to a patient could cause life-threatening harm constitute a valid reason under the NPPs not to do so.
Having contacted the referring doctor to ascertain why test results were being withheld, the pathologist should give the patient a written response, explaining why results are being reserved if he or she concurs with the patients' GP. A copy of the response should go to the referring doctor.
If the GP has not had the opportunity of discussing the results, the patient having pre-empted the appointment, then the specialist can tell the patient that access to the test results will be deferred until after that appointment.

The goal here is to facilitate access in the most appropriate manner, not to deny access.


Who owns the medical records' the doctor or patient?
The Act gives patients a general right of access to information held about them. It does not necessarily give a patient the right of ownership of that information. As a general rule the doctor who holds patient information owns and controls it. Doctors retain their legal rights in relation to copyright of their own work. Access to this information is a separate issue.
Included in the health information a doctor often holds about a patient are diagnostic notes, perhaps a medical protocol tailored to a patient's particular needs, letters written by the doctor, clinical notes taken about the patient. The doctor owns the intellectual property rights in that information. The copyright of specialists' reports held on a GP's file belongs to the specialist who wrote the report.
The High Court case of Breen v Williams (1995) 186 CLR 71 confirmed doctors' rights in this regard. The Act is subject to existing law, and that includes court-made law as well as Parliament-made law. Thus, the granting to patients of access to their medical information does not necessarily give patients the right to deal with the information as they wish. The Act restricts doctors as how they may use and disclose the patient's information. But as well, patients' rights to access their health information may be subject to restrictions on its reproduction and use subject to the doctor's permission. In practice this would be hard to enforce or explain, and there is probably little reason to do it. However, in relation to medical reports it is important, because there is a question of ensuring that nobody else reproduces the doctor's opinion for commercial purposes without the doctor's permission, and there is the question of the right to charge a fee for reports.
There is nothing to stop a doctor from asserting copyright over the material that indicates that the doctor's consent is required for further reproduction of the material. However, the doctor should ensure that this does not breach his/her ethical duty, by preventing relevant material being made available to another doctor or medical treatment team member.


Am I obliged to provide access to the patient of a medico-legal report?
The Act provides patients with a general right to access personal information held about them. Opinions expressed in medical reports prepared at the request of lawyers on behalf of clients form part of the health record to which the Act applies. The intellectual property rests with the author of the report. But, subject to certain exemptions, a person is entitled to know and see what information is held about them. Sometimes a person requests a copy of a medico-legal report written about them before the agreed fee for the preparation of the report is paid.
Three distinct situations must be appreciated:
Where a doctor, other than a treating doctor of the patient, is requested by a third party ' say the insurer of a defendant to a legal proceeding ' to prepare a medico-legal report. The patient's consent is required before the doctor examines the patient for the purpose of preparing the report. Where the report, commissioned by a third party, is the subject of legal professional privilege, then it is exempt from the access requirements under the Act.

Where a third party commissions the report - say, for insurance purposes rather than for legal proceedings - where no legal professional privilege applies. The patient is, subject to other restricted exemptions under the Act, entitled to access that report. A doctor might be concerned that a patient might then use the report for other unrelated purposes - in pending litigation, or for some other purpose such as to get a pilot's licence. While under the Act the doctor is not entitled to ask why a patient seeks access, it is reasonable for the doctor to assert copyright over a medico-legal report. In that event the doctor in providing access can stipulate that the report be not further published or reproduced without the doctor's permission and thus ascertain whether the patient is attempting to use the Act to avoid paying the appropriate fee.

Where the treating doctor has been asked to provide a report for medico-legal or other commercial reasons, on behalf of the patient - though a commercial fee for the preparation of the report is agreed, the patient could circumvent its payment by accessing the report through the Act. A doctor concerned that this might happen could ask for payment of the agreed fee before examining the patient and preparing the report and so avoid the problem.

Doctors performing medico-legal assessments are performing a 'health service' for the purpose of the Act in that they are assessing, recording or diagnosing an individual's actual or suspected illness or disability. They must, therefore, comply with the Act, but similarly are able to take family and other personal histories under the TPID as it stands.

Should I forward medical records to a solicitor or a patient's agent?
While a doctor is not entitled to ask why access is requested, it is appropriate to seek clarification of the request to enable agreement about the nature of the access and the appropriate cost. When a patient seeks to have notes forwarded to a solicitor it is likely that the material is to be used for medico-legal purposes. It is improper for lawyers to use the Act as a back-door method of obtaining access to medical opinions. It would be appropriate to ask the patient to clarify what part of the notes is required. The doctor then, as in every case where copies of the whole or part of a file are required, should go through the notes to identify any information to which access should be restricted (such as information about other people collected in the course of history taking). Then, whether part or all of the notes are required, the doctor should ask for payment of reasonable administrative costs incurred in reviewing the notes and for photocopying before their release to the solicitor.

To whom can I disclose a report prepared for a commissioning agent?
If you are not the treating doctor, and you are commissioned by a third party, the report, if requested for the purpose of or in anticipation of litigation, is the subject of legal professional privilege, and while the patient has no right of access to it, it can be disclosed to the commissioning party. The patient has consented to an examination and the report being prepared and would reasonably expect it to be used and disclosed for the purpose it was prepared.
If the report was commissioned for other purposes, say for production to a Mental Health Tribunal, or Parole Board, the disclosure is authorised or permitted by law, whether or not the patient has consented to the disclosure and the patient may very likely be able to access the report.
In some states Work Cover legislation authorises the release of information to a statutory board and requests are made to doctors for information without providing the patient's consent. Generally, the patient's having applied for a Work Cover benefit covers the consent requirement. If the relevant legislation authorises the release of information, no further consent is required, but good clinical practice would surely dictate that the doctor should tell the patient about the request and that it has been met.
If an insurance company or employer commissions the report, so long as the person has given authority for the report to be prepared, then it follows that the report can be disclosed to the commissioning agent, which is why the material was collected in the first place. However, if an employer seeks information from a doctor to verify a sickness certificate, the doctor should obtain the patient's consent before dealing with this inquiry. Similarly, if a family member asks whether or not a patient has made an appointment to see the doctor, this information should not be given without the patient's consent, if the patient has capacity or maturity to make decisions about management of their health information.


I'm retiring ' what do I need to do to with my records?
When a practitioner retires or dies and another doctor within the practice takes over responsibility for the patient records held by the retiring or deceased practitioner, it is appropriate that the practitioner, or the estate, issue a circular announcing the retirement or the death advising that the records will be held by a nominated doctor in the practice. If that is not feasible, then it is appropriate that patients be informed about the new arrangement when they contact the practice giving them the opportunity to have their records transferred to another doctor or practice.
If no arrangements can be made to transfer the records to another doctor, then suitable storage arrangements should be made so that they can be easily accessed if required, and the practice's phone number might have to be retained or redirected to enable patients to be told about the new arrangements.

A patient wants to change doctors. What am I required to do?

A doctor should always do what accords with best clinical practice and relevant codes of ethics, to ensure that the new practitioner gets all papers and records reasonably required to treat the patient adequately.
If the patient has requested transfer of the full medical file, then the patient's wish should be met, with copies of the file being provided to the nominated doctor. The transferring doctor should retain all original documents on his/her own file and archive for medico-legal purposes.
The authorship of material on the doctor's file is irrelevant, as the practitioner who holds the material is responsible for complying with the request for access/transfer.
It may be appropriate to clarify the scope of the patient's request, to understand the needs of the patient and the new treating practitioner.

What are the consequences of non-compliance?
The enforcement process is generally complaint driven. The Federal Privacy Commissioner has no judicial powers but has wide powers of investigation. The approach to enforcement is one of conflict resolution. At first instance the individual complaint is to be made to the organisation or doctor. If it is not resolved at that stage, the Commissioner may investigate. The Commissioner can dismiss a complaint at any stage. If the Commissioner finds there has been a breach, the Commissioner can make an enforceable determination that the conduct is not to be repeated, that the doctor or organisation should do 'any reasonable act' to redress loss or damage suffered, and that a specific amount of compensation be paid.
If, for example, the inadvertent disclosure of a patient's HIV status found its way to an employer, and the individual was sacked, a large damage award could result. Such a worst scenario is unlikely. However, the inconvenience, embarrassment and cost of investigation to a doctor should not be underestimated.

Does my MDO cover me for privacy breaches?
Doctors are advised to check whether their professional medical indemnity arrangements cover awards and/or the costs of investigations and representation.

Do doctors need to have a complaint handling process?
Yes. In most cases simply discussing the issues with the patient should resolve the matter to the patient's satisfaction. The Commissioner will look into a complaint only if that process fails. An investigation could be time consuming and costly to the practice.

What should doctors do if the Privacy Commissioner investigates them?

Doctors are advised to obtain their own independent legal advice and/or notify their MDO. In addition, AMA members are invited to tell the Federal AMA office about any investigation. Doctors and their staff should comply with any direction given by the Commissioner, as monetary fines or imprisonment may result from non-compliance (see Section 46 of the Act).