Blurred professional boundaries result in doctor email privacy breach

Sep 20, 2016

One sentence in one email; that’s all it took for a doctor to breach two provisions of the privacy legislation. The doctor was ordered to pay a patient $10,000 in compensation for disclosing the patient’s personal information to six other people.

The recent decision of the Australian Information Commissioner (AIC) demonstrates how boundaries can blur when treating patients who are also friends or associates. The case highlights the need for doctors to be vigilant about maintaining professional boundaries and the privacy and confidentiality of health information in these situations.

A case of blurred boundaries and the ‘reply all’ button

Mr Williams* was a patient of Dr Harris*, a GP. They were also acquaintances through their common faith.

A few years after Dr Harris treated Mr Williams for an anxiety-related condition, the two became involved in a series of theological discussions – both in person and via email – about Mr Williams’ decision to renounce his faith.

The discussion became somewhat heated and Dr Harris, concerned about Mr Williams’ welfare, repeatedly recommended that he see a GP or psychiatrist for treatment.

The situation culminated in Mr Williams sending an email to Dr Harris along with six other recipients requesting a response to some questions about religion. Dr Harris replied to all (including the six other recipients), suggesting Mr Williams should avoid being deluded in relation to the issues in question. He also included a line about his treatment of Mr Williams for “delusional depression.”

Patient seeks compensation for privacy breach

Mr Williams lodged a complaint under the Privacy Act 1988 (Cth), alleging that Dr Harris had disclosed his health information with malicious intent and seeking compensation for damage to his business, social standing and reputation.

Mr Williams alleged that Dr Harris had breached:

  • Australian Privacy Principle (APP) 6.1 by improperly disclosing his personal information, collected for the purpose of providing him with medical treatment, to six third parties to convince them that a delusional depressive illness had caused him to leave his faith. 
  • APP 10.2 for disclosing inaccurate information to convince others that he suffered from a serious mental illness when he does not. 

Use or disclosure of personal information

APP 6.1 stipulates that personal information which has been held about a person and collected for a primary purpose, in this case for the provision of health care, must not be used or disclosed for a secondary purpose unless the person has provided consent.

The AIC found that the substance of the emails exchanged between the parties primarily related to theology, not to Mr Williams’s medical history.

“I am satisfied that the disclosure of the complainant’s [Mr Williams] ‘Delusional Depression’ made in the email…was not made for the primary purpose of providing him with medical care,” the AIC said.

Argument of implied consent rejected

The Commissioner did not accept Dr Harris's argument that Mr Williams had given his implied consent to the disclosure by copying in the other recipients in his email. The Commissioner indicated that Mr Williams may have consented to the inclusion of third parties in a theological discussion. However, he did not agree that Dr Harris could have “reasonably assumed” that Mr Williams consented to the disclosure of his medical history in these circumstances.

It was noted that the disclosure also breached Dr Harris’s practice privacy policy which requires written consent to be provided, except where a patient is admitted to hospital.

The Commissioner found that the disclosure was not necessary to lessen or prevent any serious threat to life, health or safety, or for research purposes, which are exemptions permitting disclosure under APP 6.1.

Relevance of disclosure of personal information

The Commissioner also considered whether a breach of APP 10.2 had occurred. Under this privacy principle, doctors must take reasonable steps in the circumstances to ensure that any personal information they use or disclose is “accurate, up to date, complete and relevant.”

Given that Dr Harris was not asked to provide his opinion on medical issues in the email, the disclosure of Mr Williams’ medical condition was irrelevant to the purpose for which it was disclosed. Therefore, Dr Harris had breached APP 10.2.

The Commissioner found no evidence to suggest that the disclosure of personal information was malicious.

Assessment of compensation

In awarding $10,000 to Mr Williams, the following factors were considered:

  • the sensitivity of the information disclosed
  • Mr Williams’ position of vulnerability
  • the disclosure was made by email to six other people
  • the responsibility of doctors to have a “sound understanding” of their privacy obligations
  • no long-term emotional or psychological harm to Mr Williams was likely.

Key lessons

This case illustrates several key lessons for doctors including the importance of maintaining professional boundaries. Making friends with patients or treating friends as patients can lead to unreasonable patient demands, so it is best to avoid:

  • having conversations of a personal nature with patients
  • seeing patients outside the surgery without a clinical reason
  • calling or emailing patients without a clinical reason.

The decision also raises critical lessons for doctors around privacy and confidentiality obligations. It is important to ensure that you have a sound understanding of your privacy obligations (Read our ‘Privacy Essentials’ fact sheet). These tips will also help:

  • do not assume that you have a patient’s consent to release their health information to a third party – it is best to obtain their express consent in writing
  • review and comply with your practice or hospital’s privacy policy
  • beware of the ‘reply all’ button when responding to emails
  • consider any privacy issues before hitting ‘send’
  • if you are unsure about whether you can release information to a third party, check with the patient, or call Avant’s Medico-legal Advisory Service on 1800 128 268 for advice.

* The doctor’s name has been changed to protect privacy.

Learn more

Visit the Avant Learning Centre for case studies, articles, fact sheets, webinars, eLearning courses and checklists, to help you comply with the APPs.

You may be interested in…

Our articles ‘Patient safety and privacy: where do you draw the line?’ and ‘Think twice before providing information to the police.’
