Access to Medical Records and Confidentiality

Contributed by Robin Gibson and current at 16 December 2021.

One of the patient rights in the Australian Charter of Healthcare Right is the right to privacy and confidentiality of information. There are two major ways to secure the patient’s privacy and confidentiality, by legislation and through health practitioner Codes of Ethics.

Medical Records Legislation

Commonwealth:

In 2012, the Commonwealth passed the Personally Controlled Electronic Health Records Act 2012 (Cth) which has now become the My Health Records Act 2012 (Cth). A My Health Record is not a single document stored in a single database. It is made up of a collection of documents stored in the National Repositories Service or obtained from participating registered repository operators. Information held in each registered repository that registered repository operators maintain is indexed and displayed as a list of available information in the patient’s My Health Record. That information can be accessed by any healthcare professional registered under the My Health Records Act 2012 (Cth). A patient can also authorise the uploading of other information or facts such as any allergies, existence of a medical advance directive or an enduring power of attorney, vaccination records or claims under the Pharmaceutical Benefits Scheme. The information held in My Health Record is handled subject to the My Health Records Act, Healthcare Identifiers Act 2010 (Cth) and the Privacy Act 1988 (Cth).

The Commonwealth has promoted My Health Record as a way to streamline health care in Australia. The object of this legislation is to permit the better treatment of patients such as those who transfer to another healthcare provider, who may be seeking specialist treatment, who may be travelling so that strange healthcare providers can see better the patient’s health profile and current medications, who may be in an emergency situation or numerous other reasons. A patient can see which healthcare provider organisations have accessed the patient’s My Health Record and when in the Access History part of the record.

The purposes for which medical information stored in the central system may be collected, used and disclosed are outlined in Part 4 of the My Health Records Act 2012 (Cth) (“the Act”). The primary purpose is to provide healthcare to a registered healthcare recipient.

Only healthcare provider organisations involved in a person’s care, who are registered with the My Health Record System Operator, are allowed by law to access that person’s My Health Record. This may include general practitioners, pharmacies, pathology labs, hospitals, medical specialists and other allied health professionals.

All persons who have been issued with a Medicare card are automatically registered with My Health Record unless they do not wish to be registered. Existing Medicare card holders were given the opportunity to opt out of automatic registration before 31 January 2019. Even once a person is registered, it is possible to cancel that registration, but cancellation means that all the records held on behalf of that person are removed from the My Health Record system including backups and cannot be recovered. Removal from the My Health Record system does not cancel records held by the patient’s medical practitioner. A person who does not have a My Health Record can apply to be registered, in which case, some personal information has to be provided. This includes the person’s name, sex, Medicare or Department of Veterans’ Affairs (DVA) number and date of birth. My Health Record may also collect evidence of identity information or documentation from the applicant as part of this process.

When a patient is registered, the medical records of that patient will be automatically uploaded to My Health Record. However, a patient may specify what information is not to be uploaded. Provision is made to authorised (section 6) and nominated (section 7) representatives to authorise access to, and manage the information held for that patient on My Health Record. Duties of those authorised or nominated representatives are specified in section 7A. An authorised representative is a person who manages the My Health Record for a patient who is unable to do so, eg children under 14, or people who lack capacity. A nominated representative is a trusted person such as another family member, invited by the patient to help manage that person’s My Health Record. A patient or representative wishing to access the My Health Record online, must link the My Health Record to the relevant myGov account including representatives who will need to link their own myGov account to their My Health Record to access it.

Part 7 of the My Health Records Act established the role of the Data Governance Board (the Board). The Board oversees the operation of the secondary use governance framework as outlined in the Framework to Guide the Secondary Use of the My Health Record system data. The Board’s role also includes guiding and directing the preparation and provision of de-identified data for research or public health purposes and, with consent of the healthcare recipient, health information for the same purposes.

ACT:

Patients, including those who have been treated in public hospitals, do not have an automatic right at common law to their medical records (Breen v Williams (1995-1996) 186 CLR 71). However, they may apply for access to their medical records under Section 12 of the Health Records (Privacy and Access) Act 1997 (ACT). After a request is made the notes must be supplied within 14 days, provided that the disclosure would not create a reasonable risk to the life or health of the patient or to some third party, or disclose information given in confidence (Sections 13-17 of the Health Records (Privacy and Access) Act 1997 (ACT)). Commonwealth privacy legislation is also relevant in this context. (See Chapter 31, PRIVACY).

In the case of an emergency with a patent who is unable to consent to the disclosure of medical records, the doctor may discuss personal medical information with an immediate family member if it is reasonable and necessary for the proper treatment of that patient.

If you have a complaint in relation to access or improper disclosure of medical records you can lodge a complaint with the ACT Health Services Commissioner (http://hrc.act.gov.au/health/ - (See Complaints, Whistleblowing and Initiating Litigation, this chapter).)

Confidentiality in the Doctor-Patient Relationship

Having explained the law, it should be noted that confidentiality in a hospital setting is an unsettled idea. Many people have access to information contained in a patient's file, all of whom will have valid reasons for requiring that access. They may include doctors, nurses, other treating practitioners, and administrative staff. However, health practitioners are also bound by professional codes of ethics.

In addition to the statutory offences of breaching confidentiality, doctors and other health service providers may be sued at common law if they divulge confidential information without a patient's permission. The patient may sue for breach of contract or because the doctor has been negligent in disclosing the information. The patient may then be awarded compensation for loss suffered as a result of the wrongful disclosure. Health practitioners may also be subject to disciplinary action for revealing a patient’s confidential information.

However, it is lawful for a health professional to disclose information if:

• some other law requires disclosure; or
• it can be argued that the person has provided express or implied consent for the disclosure; or
• it may be in the public interest for the information to be disclosed.

Some other laws which require disclosure of otherwise confidential information include:

• revealing the blood alcohol level of a car driver after a motor accident;
• reporting of information under the Births, Deaths and Marriages Registration Act 1997 (ACT);
• reporting unusual deaths to the Coroner;
• reporting by doctors, dentists, nurses, midwives, child care workers and school teachers of cases of suspected child sexual abuse or non-accidental physical injury (Section 356 of the Children and Young People Act 2008 (ACT)); and
  • notifying infectious diseases.

Situations where consent to a breach of confidentiality may be implied include accident compensation claims where the employer may be given information about the nature of the employee's treatment, and reports provided for the purpose of insurance.

Section 261 of the Firearms Act 1996 (ACT) allows (but does not direct) a doctor to breach confidentiality where the doctor believes that a person may self-harm or pose a threat to the community and that that person possesses has access to a firearm.

Doctors who have an HIV-infected patient may also be justified in breaching confidentiality by notifying a spouse or sexual partner of the patient who may be at risk of contracting the disease. There is an ethical and common law duty upon doctors to warn third parties, in order to prevent an immediate risk of serious harm occurring to them through the conduct of a patient.