Receptionist’s patient privacy breach a ‘red flag’

Sonya Black, LLB (Hons), B.Com, Legal Team Manager – Workplace Law Team, Avant Law, QLD

Thursday, 30 November 2023

Mind map of data privacy words

Privacy breaches are a risk in any practice but knowing how to minimise the risk of breaches and deal with them effectively if they do arise, is important.

In this case, a receptionist worked at a rural practice where her teenage son was a patient. He had recently consulted a GP at the practice and told his mother the consultation was about a urinary tract infection.

The next day, while working at the practice, the receptionist accessed her son’s medical record and discovered the consultation was about a sexually transmitted infection (STI). That night, she told her son how disappointed she was about the diagnosis. The son expressed his anger at his mother for breaching his privacy.

While he didn’t make a formal complaint to the practice, he informed his GP about the privacy breach. The GP told the practice owner of the breach, who called Avant’s Medico-legal Advisory Service for advice on how to deal with the situation. As the receptionist had been an exemplary employee, the practice owner did not wish to dismiss the receptionist but was keen to send a clear message to practice staff about the importance of patient privacy.

As a condition of her employment, the receptionist had conditions in her contract regarding privacy and confidentiality. If she accessed her son’s records, her conduct was in breach of her contract and privacy legislation.

Managing the situation

When concerns are raised about a staff member’s breach of patient privacy or confidentiality, it’s important for the practice to deal with the situation quickly. This can be managed as either a performance issue or a misconduct issue.

Generally, performance issues would include minor breaches of practice policy such as failing to shred documents after scanning them. While many performance issues can be resolved through communication and guidance about the practice’s policies and processes, ongoing performance issues may result in disciplinary action.

On the other hand, a concern should be dealt with as a potential misconduct issue when a specific breach of practice policies and procedures has occurred. For example, discussing confidential patient information outside the practice or accessing patient records for a ‘sticky-beak’.

In this case, Avant’s medico-legal expert advised the practice to treat the breach as a misconduct issue. The practice owner was advised to conduct an initial investigation into the complaint (in this case, by reviewing the receptionist’s access to patient medical records) before raising the issue with the receptionist. Some practice software can identify which records a staff member has accessed, when and for how long. Unfortunately, the practice software was unable to provide this information, so the practice had no independent evidence the receptionist had accessed her son’s medical record.

Avant recommended the practice take the following steps:

1. Advise the receptionist you would like to meet with her to discuss a privacy breach and suggest she brings a support person.

2. Ensure a note-taker is present at the meeting and explain the role of the support person (i.e. they are there to support the receptionist but not to represent her or speak on her behalf).

3. Inform the receptionist her son advised his GP that she had accessed his medical record and discussed the results of the consultation with him. Advise that if proven, this conduct would constitute a breach of her contract and confidentiality agreement and could result in disciplinary action. Give her an opportunity to respond to the complaint.

4. If the receptionist confirms she did access the record, ask her to explain her reason for doing so. Tell her you will consider the next steps and advise her in due course. If you are not satisfied with her explanation, you can take disciplinary action. This might be dismissal or a written warning, depending on all the circumstances.

5. If the receptionist says she did not access the record, you will need to determine whether you think she is telling the truth. For example, by asking her how she became aware of her son’s diagnosis. If you are not satisfied with her explanation, you can still take disciplinary action, but it may be difficult to justify dismissal.

6. It’s important to conduct the meeting appropriately to minimise the risk of the receptionist making a stress claim. Ensure the receptionist is safe to return to work after the meeting or, alternatively, allow her to go home. It’s important to make sure she can get home safely if she is upset.

In this case, there is no need to notify the privacy breach to the Office of the Australian Information Commissioner under the privacy laws. A notification only applies if there is a risk of serious harm to an individual that cannot be remediated. In this case, the son already knows about the privacy breach and steps were taken to remediate the risk of harm.

Treating people you know

Your practice has an obligation under the Privacy Act 1988  to take all reasonable steps to protect the personal information you hold from misuse, interference and loss, and from unauthorised access, modification, or disclosure.

As this case demonstrates, practices should avoid treating staff or their families, given the risks of privacy breaches and other risks as outlined in our factsheet.

A staff member accessing another employee’s medical record, or in this case, their child’s record, whether on purpose or inadvertently, is a privacy breach and may also be a notifiable data breach.

Preventing privacy breaches

It may not be practicable for your practice to avoid treating staff and their families in rural locations where another doctor is some distance away. In these situations, having measures in place can minimise any risks:

  • Train your staff and regularly update them about their privacy obligations.
  • Appoint a senior staff member to be responsible for privacy compliance.
  • Have a privacy policy outlining how information is collected, used and disclosed in your practice.
  • Document processes for managing staff authorisation, authentication and access to records. Where possible, limit access to the clinical aspect of records to clinicians.
  • Place hardcopy referrals and scripts etc into envelopes for collection by patients.
  • Have a process for proactively detecting data breaches.
  • Have a data breach response plan if a privacy breach is discovered.

View our  developed to help practices minimise the risk of data breaches and if they do arise, how to respond.

Key Lessons

Ensuring the privacy and confidentiality of patient information is fundamental to the doctor-patient relationship. Treating staff, practice colleagues and their families heightens the risk of a privacy breach. The simplest answer is to not treat them if you can avoid it.

If you do choose to treat staff, practice colleagues and their families or it is unavoidable in a rare urgent or acute situation:

  • Discuss the issue with new staff and set boundaries and expectations.
  • Ensure you have appropriate systems in place to guard against privacy breaches.
  • Train your staff and regularly update them about their privacy obligations.
  • Document processes for managing staff authorisation, authentication and access to records.

More information

Something went wrong resolving rich text field: "Cannot read properties of undefined (reading 'elements')"

Important: Liability limited by a scheme approved under Professional Standards Legislation. Legal practitioners employed by Avant Law Pty Limited are members of the scheme.

The information in this article is current to 31 October 2023.

Disclaimers

The case discussed in this publication is based on a real case. Certain information has been de-identified to preserve privacy and confidentiality. The information in this article does not constitute legal advice or other professional advice and should not be relied upon as such. It is intended only to provide a summary and general overview on matters of interest and it is not intended to be comprehensive. You should seek legal or other professional advice before acting or relying on any of its content. 

Career stage
Topic
To Top

NSW State Office AddressLevel 6, Darling Park 3, 201 Sussex Street, Sydney NSW 2000
Telephone 02 9260 9000 | Facsimile 02 9261 2921

Mailing addressPO Box 746 Queen Victoria Building NSW 1230

Connect with Avant

facebookxlinkedininstagramyoutube

In the spirit of reconciliation Avant acknowledges the Traditional Custodians of country throughout Australia and their connections to land, sea and community. We pay our respect to their Elders past and present and extend that respect to all Aboriginal and Torres Strait Islander peoples today.

IMPORTANT: Professional indemnity insurance and the Practice Medical Indemnity Policy available from Avant Mutual Group Limited ABN 58 123 154 898 (Avant Mutual) are issued by Avant Insurance Limited, ABN 82 003 707 471, AFSL 238 765 (Avant). Avant Cyber Insurance cover is available to eligible Avant Practice Medical Indemnity Policy holders up to the cessation of their policy and is provided under a Group Policy between Liberty Mutual Insurance Company ABN 61 086 083 605 (Liberty) and Avant. Private health insurance products are issued by The Doctors’ Health Fund Pty Limited, ABN 68 001 417 527, a member of the Avant Mutual Group. Avant arranges Avant Business Insurance as agent of the insurer Allianz Australia Insurance Limited ABN 15 000 122 850, AFSL 234 708 (Allianz) and may receive a commission on each policy arranged. Avant Travel Cover is available under a Group Policy between QBE Insurance (Australia) Limited, ABN 78 003 191 035, AFSL 239 545 (QBE) and Avant Mutual. Avant Travel Cover is underwritten by QBE and Avant may receive a benefit for arranging cover. Avant Financial Services is a registered business name of Avant Doctors’ Finance Pty Ltd (ACN 637 769 361) and licensed to Avant Doctors’ Finance Brokers Pty Ltd (ABN 75 640 406 784). Avant Doctors’ Finance Brokers Pty Ltd is a wholly owned subsidiary of Avant Doctors’ Finance Pty Ltd. Loan products may be provided by Avant Doctors’ Finance Pty Ltd or arranged by Avant Doctors’ Finance Brokers Pty Ltd. Credit services or assistance to which the National Credit Code applies are provided by Avant Doctors’ Finance Brokers Pty Ltd as authorised Credit Representative (Credit Representative Number 523242) for LMG Broker Services Pty Ltd ACN 632 405 504 Australian Credit Licence 517192. Legal services are provided by Avant Law Pty Ltd ABN 63 136 429 153 (Avant Law). Liability limited by a scheme approved under Professional Standards Legislation. Legal practitioners employed by Avant Law are members of the scheme.


The information provided on this website is general advice only and has been prepared without taking into account your objectives, financial situation and needs. You should consider these, having regard to the appropriateness of the advice before deciding to purchase or continue to hold these products. For full details including the terms, conditions, and exclusions that apply, please read and consider the relevant Product Disclosure Statement or policy wording and Target Market Determination (TMD) which are available on this website or by contacting us on 1800 128 268. Information on this site does not constitute legal or professional advice, and is current as at the date of initial publication.