Access to patient medical records: when is it not okay?

17 September 2020 | Kate Gillman, BA LLB, Head of the Medico-legal Advisory Service and Dr Peter Henderson, M.B., Ch.B., FRCOG, FRANZCOG, General Manager - Medical Advisory Services

Doctors face potentially serious risks for inappropriately accessing medical records if access is not required for the medical treatment of the patient or another authorised purpose.

Recently, we have assisted an increasing number of members in employment and disciplinary matters alleging they have inappropriately accessed patient medical records. These matters can also result in patient complaints and investigations by the Privacy Commissioner.

Doctor accesses ex-wife’s records

In one scenario, Dr Parker*, a consultant in a public hospital was going through a nasty divorce. His young daughter told him her mother had been crying all the time and stayed at the hospital where he worked. Concerned for his children’s welfare, Dr Parker accessed his ex-wife’s medical record to understand her medical condition and treatment. He discovered she had been admitted for treatment of a mental health condition.

A couple of days later, Dr Parker received a letter from his employer asking him to explain why he had accessed his ex-wife’s medical records. The letter warned that his employment may be terminated if he was found to have engaged in misconduct and the matter may be referred to the Medical Board.

In this scenario, he accessed his ex-wife’s medical record for a purpose other than providing clinical care to her and without her written consent. He could also use the information for other purposes such as in custody proceedings.

The matter was referred to the Medical Board and Dr Parker was ordered to undergo education on decision-making in patient confidentiality. Avant assisted the member by providing education resources to help him meet the Medical Board’s requirements.

Dos and don’ts

We have also assisted a number of doctors required to attend formal disciplinary meetings to explain why they were accessing the records of certain patients, particularly high-profile patients or celebrities. Although it may be tempting to access these records out of interest – it is not appropriate if you are not involved in the treatment of the patient without their consent or other legal authority.

Many practices and hospitals have policies about accessing medical records which stipulate you cannot access confidential patient information unless it is for the treatment of the patient, or otherwise with patient consent or other legal authority. You should not, for example, access the record of a patient you have treated for a reason unrelated to that treatment such as to check the patient’s termination of pregnancy records if they were referred for peripheral nerve conduction studies.

The use of electronic medical records enables practices and hospitals to monitor and discover such unauthorised access as required. Therefore, it is important to log out of a computer when you are not using it to avoid the risk of your username and password being linked to unauthorised access of records by other staff members. We continue to see examples of this occurring across hospitals, with doctors having to establish that they were not involved in the access of records despite their credentials being used. In one recent case, a doctor was called to explain why she was accessing the medical records of a patient admitted with COVID-19 when she was not involved in the patient’s care. The doctor was completely unaware that someone else had accessed these records when she walked away from the computer.

These requirements are also reflected in the rules governing use of the My Health Record system. Any person who is authorised by a healthcare organisation can access and view an individual’s My Health Record where it is for the purpose of providing healthcare services to a patient. In addition to clinicians, a healthcare organisation may authorise other staff to access the My Health Record system as part of their role in healthcare delivery.

Privacy legislation in Australia permits access and disclosure of health records in certain situations. This includes defending complaints as well as quality control activities, such as mortality and morbidity meetings or clinical audits. However, you need to ensure that when accessing records for these non-clinical purposes, you are also doing so in accordance with any relevant hospital or practice policies.

Key lessons

Generally, you should only access medical records:

  • for the purpose of providing medical treatment to the patient at the time
  • in accordance with your practice or hospital’s policies
  • for non-clinical purposes in accordance with privacy legislation, practice or hospital polices or with the patient’s consent.

Useful resources

If you have concerns about accessing a patient’s medical records, you can contact our medico-legal advisers via email at nca@avant.org.au or call 1800 128 268, available 24/7 in emergencies.

*The scenario in this article is based on Avant claims experience to date. Certain information has been de-identified to preserve privacy and confidentiality.

Share your view

We welcome your feedback on this article.