Patient safety and privacy: where do you draw the line?

Jun 1, 2016

One of your regular patients comes to see you in a highly distressed state. She has previously mentioned her fraught relationship with her previous partner. This time, she says he is intimidating and harassing her, causing her increasing distress and fear. Your patient says she is going to report him to the police and asks for your help.

This is not an uncommon request, and it can be confusing to know whether you should oblige and if so, what information you can include?

While it is well known that doctors have a duty to maintain the privacy and confidentiality of their patients’ health information, it is less clear when doctors can rely on the exceptions to this duty to protect the health and safety of their patient or someone else. The case below helps to clarify when these exceptions apply for doctors.

Patient reports threatening behaviour

Mr Barnes* had been treated for mental health conditions at a hospital where Dr Adams*, a psychiatrist, also worked. Although Dr Adams had not treated Mr Barnes, she had been consulted by colleagues for advice on his care.

Dr Adams also saw patients privately and Mr Barnes’ former wife, Ms Smith*, had been a long-standing patient. Her ex-husband’s behaviour had escalated to the point where she voiced her fears to Dr Adams about his increasingly threatening behaviour. This included repeatedly calling her, parking outside her house and making false calls to emergency services that he was having suicidal thoughts while giving Ms Smith’s address as his residence. Ms Smith had previously reported her concerns to the police, but Dr Adams understood that no action had been taken.

Disclosure of information to police

Dr Adams believed that Ms Smith’s health and safety was under serious threat and wrote a letter for her to give to the police to assist them in investigating the matter. The letter mentioned that Mr Barnes was well known to the local psychiatric health services and that Ms Smith had reported Mr Barnes was harassing, intimidating and possibly stalking her, and she was concerned this behaviour could escalate. Dr Adams said that in writing the letter she relied on recollections of conversations she had with a psychiatry registrar. Two days after writing the letter, Dr Adams accessed Mr Barnes’ clinical record at the hospital for a period of only five seconds.

Subsequently, Mr Barnes complained that the hospital had breached his privacy by Dr Adams accessing his health information and disclosing it to the police.

Legitimate disclosure of health information for a secondary purpose

The tribunal found that the hospital’s system showed Dr Adams had accessed Mr Barnes’ clinical records for a five-second period. Dr Adams admitted this, explaining that she did so to find out the details of Mr Barnes’ case worker to report his alleged behaviour to them.

In determining whether the hospital had breached Mr Barnes’ privacy, the tribunal considered the relevant Health Records and Information Privacy Act (NSW) 2002, particularly the Health Privacy Principles (HPPs) regarding retention, use and disclosure of health information.

The tribunal found that there had been no breach of the privacy principles regarding security and it did not consider any changes to the hospital’s records system or further action were warranted.

The tribunal also considered whether a breach of HPP 11 had occurred. Under the Act, health information can only be used and disclosed where there is consent or for a reasonable secondary purpose, including when there is a serious and imminent threat to the life, health or safety of the patient or someone else, or the public. The Australian Privacy Principles are similar; however, they do not require any threat to life, health or safety to be imminent.

Mr Barnes’ health information was permitted to be discussed between Dr Adams and the psychiatry registrar as this was a legitimate disclosure of health information for a secondary purpose, the tribunal decided.

Tribunal finds patient’s privacy was breached

However, the tribunal found that the patient’s privacy had been breached by Dr Adams writing the letter to the police. The information was hearsay and Dr Adams had no direct knowledge of Mr Barnes or his behaviour. The tribunal was not satisfied that Dr Adams’ belief that the disclosure of Mr Barnes’ information was necessary to prevent or lessen a serious and imminent threat to Ms Smith, was reasonable. The threat was not imminent and the same result could have been achieved without disclosing his health information.

Ultimately, the hospital was found to have breached Mr Barnes’ privacy and ordered to apologise to him. The tribunal also ordered staff to be reminded about the need for vigilance regarding the protection of patients’ sensitive health information.

Key lessons

The decision illustrates that exemptions to disclosing patient information without their consent will be interpreted narrowly.

If the patient’s consent hasn’t been received, information should only be provided to the police in these types of situations:

  • warrant or subpoena is provided (Read Chapter 1 of our handbook on responding to requests for medical records), or
  • it is authorised by a specific legislation provision (e.g. mandatory reporting of child abuse), or 
    there is a reasonable belief that there is a serious threat to the life, health or safety of the patient/and or public. The information relied upon must be accurate, with extra caution taken where the belief is based on hearsay.

Details of all communications with the police should be included in the patient’s medical record along with the considerations undertaken as to why the private information was provided.

* Names have been changed to protect privacy.

Need advice?

If you need guidance on complying with the privacy laws, call the Avant Medico-legal Advisory Service on 1800 128 268.

You may be interested in…

Our article ‘Think twice before providing information to the police.’

Share your view

We welcome your feedback on this article – email the Editor at: