I have been asked to provide a statement concerning the application of the Privacy Act and the Health Information Privacy Code in situations such as that being inquired into by the coroner.
I have not read the evidence which has been given and so it is inappropriate for me to apply the law to the evidence given.
The Privacy Act 1993 establishes 12 information privacy principles which relate to the collection, storage, retention, use and disclosure of personal information – information about identifiable individuals – collected by ‘agencies’, and to rights of access to and correction of that information by the individuals concerned.
The Health Information Privacy Code 1994 (‘the Code’) which I have issued under the Privacy Act modifies the principles by imposing some standards that are stricter and some that are less strict than the privacy principles. The rules of the code follow the same sequence as the information privacy principles and prescribe how the principles apply to a number of situations met by health agencies in relation to health information. In some cases the rules provide exceptions for actions which would otherwise breach a principle.
Health information is personal information about an identifiable individual, including information about:
- a person’s health or disabilities;
- a person’s medical history;
- any health or disability services provided to someone; and
- patients which is collected while providing health and disability services to them.
The code also refers to ‘representatives’ which includes a parent or guardian where a person is under 16, and in other cases someone who seems to be lawfully acting on the person’s behalf or in his or her interests when the person is unable to give consent or exercise his or her rights directly.
The Act defines an interference with privacy. In a complaint about access to personal information by the person concerned, the Commissioner will consider whether the agency had a proper basis for the decision complained about. In any other complaint the Commissioner will consider whether the agency has breached a rule and whether the breach also:
- has caused loss, detriment, damage or injury to the person; or
- has adversely affected the person’s rights, benefits, privileges, obligations or interests; or
- has resulted in significant humiliation, significant loss of dignity, or significant injury to the person’s feelings; or in any case may do so.
Because the Code allows an agency to make any use or disclosure of health information where that use or disclosure was one of the purposes for which the information was obtained, the Code effectively allows agencies to set their own policies for collecting, using and disclosing health information. The Code then goes on to prescribe certain exceptional circumstances in which the agency can make use or disclosure outside of the circumstances originally planned. Agencies should take responsibility for their policies and be open when explaining a decision which has been made in accordance with such policy.
This statement is central to understanding the way in which the Health Information Privacy Code affects health agencies whether they are organisations or individual health professionals.
If an agency is open about its information handling policies and conveys these at the time of collection, people will know why information is being collected. Subsequently the agency should not have problems when the information is used or disclosed in accordance with those policies.
Rule 3 requires people to be made aware of proposed uses and disclosures of their information. It is not necessary to obtain their specific consent to such purposes.
The rules relating to use (rule 10) and disclosure (rule 11) relate back to the purposes in collecting information. For instance health information can be used or disclosed if that use or disclosure was a purpose for obtaining information in the first place.
So if an agency collects information for particular uses or disclosures and those purposes are clearly set out in a policy they will be clearly established for later use or disclosure.
The openness is more particularly detailed in rule 3. When information is collected directly from patients, an agency must take reasonable steps to ensure that they are made aware of a number of matters, including:
- the fact that information is being collected;
- the purposes of the collection;
- the intended recipients of the information.
People should be told about the agency’s practices and any particular disclosures proposed to be made. It is not necessary to list every possible purpose or every possible recipient, no matter how remote. However, people should get a good understanding of who is likely to see the information and the reasons for that.
Clinical staff are obvious recipients whereas students, researchers or reviewers are not as obvious. Members of a wider care team may not be obvious, depending on the circumstances.
- the patient’s rights of access and correction given by rules 6 and 7 of the code.
There are exceptions to fulfilling rule 3 requirements. For instance, compliance by the agency may not be reasonably practicable in the particular circumstances. This could apply when the patient is not capable of assimilating an explanation when it is offered or when it may cause a violent reaction.
If it is not practicable to give an explanation when the information is first collected, it should be done as soon as practicable thereafter but it is not necessary to repeat a recent explanation every time similar information is collected.
However purposes may change or new purposes become clear and normally the person should be told of them unless one of the exceptions excuses that.
Compliance with rule 3 helps to prevent misunderstandings which can be critical when it is proposed to disclose information to a third party.
I have encouraged health agencies to establish their own quite formal policies so that they have due regard to the sorts of disclosures that might be anticipated. These policies can be drawn to the attention of the individual patient so that when a subsequent disclosure occurs it does not come as a surprise to the patient. I have also encouraged the development of treatment plans, including the circumstances on disclosure from hospitals which might envisage limited disclosures to third parties on whom the person is particularly dependent or with whom they are living or working.
Disclosing health information can pose special problems, especially where people are suspicious or wary of health agencies. The agencies have to balance retaining a patient’s trust and fulfilling functions as health professionals, which may sometimes include acting in what is believed to be a patient’s best interests, even if the patient disagrees. This is especially so in the area of mental health.
Disclosure can become an issue because agencies
- have to disclose;
- want to disclose;
- have been asked to disclose.
On occasion an agency may have to address the risk of committing a breach in the interests of treatment or safety after considering whether it would constitute an ‘interference’ with the privacy of the patient which requires some loss or harm to result. (In this connection, a disclosure made which falls within the purposes for which the information was obtained may not have been advised under rule 3. The harm arising from the breach is not the harm caused by the disclosure, but any harm caused by failing to give prior notice under rule 3).
The Agency has to disclose
Agencies may have to disclose health information because that is required by law. The Health Information Privacy Code does not derogate from any law which authorises or requires information to be made available. Such a law must be followed. Health professionals are also governed by their own codes of ethics. Codes of ethics will usually allow disclosure if it is required by law. In most cases there will be nothing to prevent the agency from telling the patient that the disclosure has to be made.
The agency wants to disclose
Unless required to disclose by law, agencies do not have to disclose information. The health professions have a long tradition of confidentiality. Ethical and legal standards tend to support this approach. They can choose not to disclose. But if they want to disclose, they must find legal as well as ethical provisions that allow it. Some statutes authorise disclosure. They do not require agencies to disclose, but give them a choice.
An example is the Children and Young Persons and Their Families Act 1989 where sections 15 and 16 allow anyone who believes a child or young person is at risk from harm, ill treatment, abuse, neglect or deprivation to report the matter to a social worker or the police.
If agencies want to disclose information and there is no law requiring or authorising it, they must consider rule 11 of the Health Information Privacy Code. If the agency simply does not want to give out the information it should say so. It would not be because of the Privacy Act or the Code, but would be for other reasons such as policy, legal duties of confidentiality or ethical requirements of confidentiality. In my experience, the decision is more likely to be made on ethical or clinical criteria but legal requirements are given as an explanation that is more readily accepted.
Rule 11 allows disclosure where that is a purpose for obtaining the information. These disclosures can be identified because they form part of regular procedures, are commonly made, or can be reasonably anticipated.
- Disclosing relevant information to other members of treatment teams.
- Disclosing details to the patient’s first contact person, including medication details;
- Referring the patient to other health agencies.
These purposes should normally have been notified or discussed with the patient in accordance with rule 3.
Agencies may disclose information if that is one of the purposes for obtaining the information. In setting purposes, agencies should remember right 4(5) of the Code of Health and Disability Services Consumers’ Rights, which gives the consumers the right to cooperation among providers to ensure quality and continuity of services. Cooperation would include the sharing of information with other providers where that was necessary for that treatment, so this would be a purpose for having obtained the information. That should normally be communicated to the patient when information is collected but failure to do so does not cause a breach of rule 11. Agencies may have a policy of disclosing information to family members or friends or people with whom they are living and people who may have varying levels of involvement with the individual’s treatment. The extent of disclosure might be different in each case.
Rule 11 also allows disclosure if it is to the individual concerned or his or her representative if the individual cannot exercise his or her rights or to a representative who is a parent or guardian in the case of a patient under 16.
Disclosure can also be made if it is authorised by the individual concerned or his or her representative. This could arise if there was an agreed treatment plan.
It is not always practicable or desirable to get a patient’s authorisation to disclose information. The patient may be unconscious, not competent, or have refused to give an authorisation. In these circumstances rule 11 allows disclosure when certain exceptions apply. For instance, registered health professionals may give information to a person nominated by the patient or the principal caregiver or a near relative in accordance with recognised professional practice provided this is not contrary to the patient’s or the representative’s express request (rule 11(2)(b)). Information may be disclosed if it is necessary to prevent or lessen a serious and imminent threat to public health or public safety or the life or health of any individual, including the patient (rule 11(2)(d)). The threat must be serious and imminent; it must be a threat to the public health or public safety, the life of a person or health of the person; and the information must be given to someone who can act to prevent or lessen the threat. Only the information necessary to achieve that purpose should be given; it might not be necessary to disclose all of the available information.
The Agency may be asked to disclose
Agencies may be asked to disclose information, perhaps because the police are investigating a matter, the media are following up on a story, a social worker is investigating a case of suspected abuse or a family wants information about a relative who is receiving treatment.
Some statutory provisions which require authorised disclosure may only be triggered by a request. A common example is section 22F Health Act 1956. This requires disclosure unless an exception applies. Caregivers and representatives can use it to obtain information. Health professionals can use it to obtain relevant information from other health professions. For instance it can be used if a patient transfers to a new clinic and their notes are needed from their old clinic for the patient’s medical history. The health information must, with exceptions, be disclosed on request to:
- the individual about whom the information is held; or
- the individual’s representative; or
- any other person providing health or disability services to the individual.
A request may be refused if there are reasonable grounds to believe that the patient does not want the information to be disclosed to the representative or to the person providing health or disability services. If a request is made by the patient it must be treated as an access request under rule 6 of the Code.
If a request is made by the patient’s representative, the agency should consider rule 11(4) of the Code which allows it to refuse the request if:
- disclosure would be contrary to the patient’s interest;
- the agency has reasonable grounds for believing the patient does not want the information disclosed;
- one of the withholding grounds in sections 27-29 of the Act would apply if the request had been made by the patient. If the withholding grounds do not apply the information must be disclosed in accordance with the request. Even if the withholding grounds do apply the agency can disclose the information if it wants to because reliance on the withholding grounds is discretionary; the agency may withhold but is not required to do so.
Disclosures may have to be made to guardians of children under 16 in order for proper consent to be obtained and this is required under the Code of Health and Disability Services Consumers’ Rights which gives consumers the right to be fully informed when giving consent.
The Official Information Act may give third parties a right to information from a public sector health agency. Such a request is for information already held, i.e. not the generation of new information. Section 9(2)(a) allows information to be withheld if it is necessary to protect the privacy of a person. The Ombudsman has said that when considering section 9(2)(a) agencies must consider whether it is necessary to withhold the information to protect the privacy of the individual.
This is done by:
1. identifying the actual privacy interest requiring protection;
2. assessing the strength of the privacy interests in the circumstances of the case;
3. identifying any consideration favouring disclosures of the information in the public interest;
4. assessing the relevant strength of such consideration favouring disclosure; and
5. considering whether in the circumstances of a particular case, they outweigh the need to withhold the information to protect personal privacy.
The Ombudsmen recognise there are, in most cases, strong privacy interests attaching to health information and consider the public interest in disclosure has to be stronger to outweigh the privacy interest.
Section 22C Health Act 1956 also permits agencies to provide health information to specific people if it is required for their functions. This includes in the circumstances specified probation officers, social workers, care and protection coordinators and police officers. The information is to be disclosed in response to a request.
Health information may also be disclosed if it is necessary to avoid ‘prejudice to maintenance of the law’ by a public sector agency or for the conduct of proceedings (rule 11(2)(i)). This could apply for instance to the Police, one of their responsibilities being to prevent the commission of offences. Thus a health agency may decide that it is necessary to notify the Police of the possibility of a person committing an offence so that the Police may assist in preventing that occurring. The Police would be able to make further disclosures in the course of their activities consistent with the purposes for which they have the information.
It is not in my province to decide, except on an investigation, what might be the applicable purposes for which information was held in respect of a disclosure to a third party such as a person with whom a patient is living.
It has however been put to me in general terms that there seemed to be somewhat different considerations in the minds of health professionals as to what disclosures it might be appropriate to make upon the discharge of a patient or following the discharge of a patient when they are in a situation of living or working with other people while treatment is continuing. In non-mental health cases it is not uncommon for health professionals to advise the person who collects a discharged patient from hospital, or someone with whom they are living, what the patient is required to take by way of medication. There may be an emphasis placed on the regularity of taking it, whether it is taken with or without meals and they may be urged to look for telltale signs which may indicate some adjustment to dose or that a check with the health professional is necessary.
For reasons which might be sensible in relation to the particular patient, in mental health cases there seems to be a reluctance to pass on such information to third parties. I have surmised that this is because of the therapeutic relationship essential to the treatment of the patient. If a patient believes that the information they give to the health professional about their wellbeing, their feelings and thoughts will be immediately conveyed to their family, or to police or to other third parties with whom they are living, they will lose the trust and confidence in the health professional. That seems to have been an underlying consideration when decisions not to reveal information about the patient have been challenged but is not often articulated. Likewise I gather there may be a concern that disclosure will lead to discrimination against the patient.
However, I have in the past been concerned that the health professionals have tended to give an explanation based on the constraints of the law, in particular the Health Information Privacy Code or even to say it was ‘because of the Privacy Act’ itself. This implies that but for that legal constraint they would have been happy to pass on the information. When I have enquired about those decisions I have found that sometimes the Act or Code was cited simply to save time, explanation or embarrassment. In some cases such information has not normally been given out or it was not appropriate to be given out in a particular case. It was less offensive to an angry family member to say that the Privacy Act prevented the disclosure than to explain that the patient does not want the information to be given or that simply the health professional believes that the information was held in confidence and cannot properly be disclosed in accordance with their clinical judgment or their ethical standards. In other cases the statement has been made in ignorance or as a result of poor training.
As I have often challenged such statements when I have heard of them, I believe that there are now fewer occasions where the Privacy Act is cited as the reason for not passing on information, at least publicly.
It appears to me that the information process in relation to mental health is so vital and difficult that it is absolutely important to the best treatment of the patients that the policies be well thought out and established and that less reliance is placed on the provisions of rule 11 intended to cover those disclosures which were unauthorised, which go outside the purposes of the collection in the first place, and outside the policies adopted by the health agency.
In describing the information situation I have tried not to exhaustively quote provisions of the code which may not be relevant to the type of situation faced by the coroner in similar cases. A short statement however cannot possibly cover the myriad of situations that actually arise in practice.
My office has established workshops covering an introduction to the Health Information Privacy Code and specialist one day workshops for those involved in mental health. We have been increasingly called upon to provide in-house workshops for workers in this field and have positively urged them to take a day for training. We have generally found that those who attend the courses have little difficulty later in applying the Health Information Privacy Code sensibly.
Issues of patient confidentiality were not created by the Privacy Act and have posed dilemmas for the medical profession over the centuries. Patient confidentiality is important to the relationship with patients. I believe the Health Information Privacy Code is flexible enough to meet a wide variety of situations.
In any other case I may authorise a disclosure if the public interest in the disclosure involves a clear benefit to the individual concerned which outweighs the interference or if the public interest in the disclosure outweighs, to a substantial degree, any interference with the privacy of the individual that could result from the disclosure. (Section 54.)
I have produced two publications, the first with the assistance of the Mental Health Commission:
Mental Health Professionals and Patient Information: Guidance Notes for Agencies in the Health Sector (1997); and
On the Record: A Practical Guide to Health Information (1999).
B H Slane
5 July 2000