Avant’s Medico-legal Advisory Service (MLAS) receives many calls seeking advice about how to respond if police call or attend a practice requesting information about a patient. A recent decision by the Commonwealth Privacy Commissioner, requiring a doctor to apologise and pay $6,500 compensation, highlights the need for practices to consider a patient’s privacy before providing any information to the police.
Practice managers should schedule regular educational opportunities for doctors and staff to ensure compliance with the privacy legislation. The following case demonstrates how easy it is for any staff member, nurse, practice manager or practitioner to unwittingly breach patient confidentiality.
In 2006, Queensland police officers visited Mr Z at his home to investigate his allegations of a neighbour’s harassment and property damage. The police officers noted that Mr Z explained his concerns in a ‘highly excited and at times paranoid fashion’. He told them he suffered from post-traumatic stress disorder, anxiety disorder and severe back and knee pain.
The police sergeant called Mr Z’s treating doctor, Dr Y, but she was unavailable. The sergeant left a message with another doctor, who recorded that the police were concerned that Mr Z was psychotic and acting strangely. The sergeant spoke to Dr Y a few days later and asked whether she thought Mr Z was psychotic. She said it was possible but further assessment was required.
Allegations against GP
In 2009, Mr Z obtained documents under the Freedom of Information Act 1982 that revealed this conversation. Mr Z lodged a complaint against Dr Y under the Privacy Act 1988 (Cth) alleging:
- improper disclosure of personal information
- inaccurate disclosure of personal information
- failure to have a proper system in place to protect against the improper disclosure of information.
Disclosure to police without patient’s consent
Dr Y conceded that she had disclosed personal information to the police without Mr Z’s consent. However, she defended this disclosure citing permitted reasons for disclosure under the then National Privacy Principles (in March 2014 the Australian Privacy Principles replaced the National Privacy Principles (NPPs)):
- there was an urgent threat to the safety of Mr Z and/or the public by the mere fact that the police had contacted her (NPP 2.1(e))
- there was reason to suspect that 'unlawful activity’ had occurred as the police had contacted the practice twice (NPP 2.1(f))
- it was ‘required or authorised by law’ (NPP 2.1(g))
- she had a ‘reasonable belief’ that it was necessary for the prevention or investigation of a crime (NPP 2.1(h)).
The Privacy Commissioner rejected these arguments.
He found there was no evidence that Dr Y had formed a ‘reasonable belief’ that Mr Z posed a serious and imminent threat to himself or the public, or that he was involved in any unlawful activity. She had not asked the police about the nature of their enquiry or if they suspected Mr Z of a serious unlawful activity. There was also no warrant, subpoena or legislative provision compelling or authorising the disclosure of the private information to the police.
The Privacy Commissioner also noted that Dr Y had given insufficient consideration to her obligations under the various policies, guidelines and obligations in law that apply to the disclosure of personal health information.
While Dr Y made the disclosure to a police officer in ‘good faith’, this is not sufficient to justify disclosure of private information.
The Privacy Commissioner found that Mr Z suffered injury to his feelings and distress due to the interference with his privacy by Dr Y. He determined that Mr Z’s complaint was proven and Dr Y had breached the NPPs 2.1 and 4.1 by disclosing Mr Z’s personal information to police.
Dr Y was ordered to apologise to Mr Z in writing and pay him $6500 in compensation for the loss caused by the interference with Mr Z’s privacy.
Key lessons from the case
If consent hasn’t been received from a patient, information should only be provided to the police in these types of situations:
- a warrant or subpoena is provided, or
- it is authorised by a specific legislative provision (e.g. mandatory reporting of child abuse), or
- there is a ‘reasonable belief’ that there is a serious threat to the health or safety of the patient and/or the public.
This requires the doctor to ask questions of the police to understand the nature of their enquiry, and to consult the patient’s medical records to ensure inaccurate information isn’t provided.
Details of all communications with the police should be included in a patient’s medical record along with the considerations undertaken as to why the private information was provided to the police.
This case also highlights that taking reasonable steps to protect health information extends beyond the physical security of records to decisions about when to disclose information.
Read the full determination and reasons from the case ‘EZ’ and ‘EY’  AICmr 23 (27 March 2015)
Call Avant's Medico-legal Advisory Service (MLAS) on 1800 128 268 for advice if you are requested by police for information in any other circumstances.
Avant’s MLAS is available 24 hours a day, seven days a week for emergency advice. Call 1800 128 268 if you are uncertain about whether to provide information to the police or any other third party.
Avant Learning Centre resources also support ongoing education to meet the practice’s compliance with the Australian Privacy Principles.