Confidentiality and Privacy of Medical Records

Confidentiality versus privacy – what is the difference?

‘Privacy’ and ‘confidentiality’ are terms that are often associated with medical treatment records. It is important to understand that they do not mean the same thing. Privacy is covered by Commonwealth and state legislation that addresses how specific personal information can be used. Confidentiality is a broader obligation that limits the access to information provided by a patient to their healthcare provider during treatment.

Confidential information

The obligation of confidentiality comes from various sources including legislation, ethical codes and the common law. In Queensland, the duty of confidentiality in relation to public health services is also specifically provided for in the Hospitals and Health Boards Act 2011 (Qld).

A medical practitioner’s obligation to maintain confidentiality is not absolute, and there are certain situations where disclosure of confidential information can occur without the practitioner breaching their obligation of confidence. These situations may include, but are not limited to:

• the person consenting to the release of the information
• child abuse and neglect of a child requiring mandatory reporting under the Child Protection Act 1999 (Qld)
• a court order (e.g. subpoena) requiring the release of documents for a proceeding or attendance at the proceedings to give evidence
• an emergency situation necessitating the provision of information to the treating doctor or hospital
• legislation requiring a doctor to release information to a health authority when they treat a person with a diagnosis of a notifiable conditions (e.g. certain sexually transmitted diseases) (s 70 Public Health Act 2005 (Qld)).

Private information

The Information Privacy Act 2009 (Qld) regulates how personal information is handled by public hospitals and health services in Queensland. Similar protection is provided to personal information about an individual collected by private sector health providers such as private hospitals, general practitioners and medical centres under the Privacy Act 1988 (Cth).

Both Acts set out requirements in relation to the collection, storage, use and disclosure of personal and sensitive information by health agencies. Those requirements are known as the National Privacy Principles (NNPs) and the Australian Privacy Principles (APPs) respectively. Under the NPPs, a health agency must:

• not collect personal information unless it is necessary (NPP 1(1))
• not collect sensitive information (which includes health information) unless consent is provided or another exception applies (NPP 9)
• only use or disclose the collected personal information for the reason it was collected (with some exceptions) (NPP 2(1))
• take steps to make sure the information is accurate, complete and up to date (NPP 3)
• make sure the information is secure (NPP 4)
• set out the health agency’s policy on its management of personal information (NPP 5)
• provide access to documents holding personal information if requested by the individual whose personal information it is (NPP 6).

The APPs that apply to organisations such as general practitioners’ practices and private hospitals impose similar obligations regarding collection, security, use and disclosure. For example, a person’s GP can only use or disclose the information they hold about the person for the purpose for which it was collected (i.e. the healthcare or treatment of the individual). It can only be used or disclosed for other purposes in limited situations, including if the individual consents (APP 6.1, 6.2).

Access to medical records

The process for accessing medical records will depend on whether the relevant records are held by a public or private practitioner or facility, how much information is being sought, and whether the information is a complete record or specific information.

Public system

There are three ways a patient can request their records in the public system:

• administrative access
• application under the Information Privacy Act 2009 (Qld)
• application under the Right to Information Act 2009 (Qld).

In Queensland, each hospital and health service (HHS) handles the medical records that are held in the hospitals and clinics in its area. The Queensland Office of the Information Commissioner advises that ‘… each HHS is an independent agency, so will have different procedures in place to access to medical records’. If you are seeking access to your records, it would be worthwhile taking some preliminary steps such as:

• identifying the correct HHS that runs the facility where your records are held. If you are seeking records from multiple medical facilities that spread across multiple HHSs, you will need to make separate applications for access to those records
• contact the relevant HHS or go online to request more information about the process and the information required by that HHS.

Some information is exempt from being released. For example, if the personal information of another person is contained in the medical records, it may be exempt. Finally, if it has been 10 years since your treatment, or if you were a minor at the time of your treatment then 10 years from your 18th birthday, the records may have been destroyed under the Health Sector (Clinical Records) Retention and Disposal Schedule.

For further information on right to information and correction of information see the Queensland Law Handbook chapter ‘Right to Information and Freedom of Information’.

Private system

Unlike public medical records, private health records are governed by national legislation rather than state legislation. In particular, the system is covered by the Commonwealth Privacy Act 1988 (Cth) and the AAPs.

In accordance with these principles:

• a person has the right to access personal information held by a private sector health provider such as a general practitioner (AAP 12.1)
• access to the information may be refused on several grounds (APP 12.3)
• charges for access may be imposed in some circumstances but these fees must not be excessive (APP 12.8)
• a person can request to correct personal information held about them (APP 13).

For more information on the NPPs and the APPs see the Queensland Law Handbook chapter ‘Right to Information and Freedom of Information’.

My Health Record

Most Australians will now have access to an online summary of their records through My Health Record. This digital summary contains information such as allergies, current medications, medical history, pathology test results and immunisation records.

Any person with a profile can choose to:

• remove their records
• grant or limit access to their digital records by health providers
• be notified when the records have been accessed
• nominate another person to manage their records.

Whilst this information will not provide a patient with a copy of their complete records, it offers an online option for obtaining certain limited information, which may be useful.