Patient confidentiality is a cornerstone of medical practice and is a fundamental legal right. Upholding confidentiality is an essential part of clinical consultations and healthcare professionals have ethical, professional and legal obligations to respect a patient’s right to privacy and confidentiality.
With the spread of COVID-19 we have seen an increase in privacy enquiries from our members. Not only are our members and clients seeking advice relating to the rights of their patients but they are also seeking advice in relation to their own right to confidentiality in circumstances where they have been diagnosed with COVID-19.
The obligations of privacy and confidentiality
The obligations of privacy and confidentiality continue to operate for patients with suspected or confirmed COVID-19. Healthcare professionals are of course entitled to the same privacy. Disclosing a patient’s health information to a third party without lawful cause would constitute a breach of confidentiality and could potentially expose the healthcare professional to the threat of litigation and/or regulatory action.
Duty to notify
COVID-19 is a notifiable disease to State and Territory health departments. This is not a breach of privacy or confidentiality and is a legal requirement. Failure to disclose this information can result in serious penalties.
Exceptions to confidentiality
Healthcare providers have important obligations to maintain a safe work place for staff and visitors and to handle health information appropriately. This has proven to be a challenge in recent times due to the spread of COVID-19.
There may be situations where it is necessary to disclose the occurrence of COVID-19. The Courts, the Australian Privacy Principles and the Privacy Act 1988 (Cth) all recognise exceptions to the duty of confidentiality where disclosure is in the public interest and/or to avoid public harm. Sharing information with close contacts of a patient or healthcare professional that has tested positive to COVID-19 may fall within this exception. Healthcare professionals should take the time to carefully consider what information and how much information is necessary to disclose in order to lessen or prevent serious harm to another person or to the public. The consent of the patient should first be sought unless it is unreasonable or impracticable to do so.
In the case of a patient or staff member of a healthcare professional who has tested positive for COVID-19, it is appropriate to inform staff who have been in close contact with the person. Depending on the circumstances, it may not be necessary to reveal the name of the individual in order to prevent or manage COVID-19, or the disclosure of the name of the individual may be restricted to a limited number of people on a ‘need-to-know basis’. We encourage our members and clients to seek advice from the Department of Health if faced with this situation.
One of our members recently contacted the Legal Services team at MIGA for advice in relation to a situation where the media had reported his positive COVID-19 result. Although his name was not disclosed, details of the practices where he consulted were released. Our member was concerned that he could be identified by this information and was seeking advice as to whether there had been a breach of his privacy and whether he had any recourse.
This is an example of a situation where an individual’s right to privacy can conflict with a public health authority’s need to respond to a rapidly-changing public health emergency. It is important in these situations to remember that, despite the COVID-19 pandemic, personal information (especially health information) must only be used or disclosed in circumstances permitted by the law.
Understanding your privacy obligations to your staff
In order to manage COVID-19 while respecting privacy the Office of the Australian Information Commissioner has offered the following tips:
- Personal information should be used or disclosed only on a ‘need-to-know’ basis
- Only the minimum amount of personal information reasonably necessary to prevent or manage COVID-19 should be collected, used or disclosed
- Consider taking steps now to notify staff of how their personal information will be handled in responding to any potential or confirmed case of COVID-19 in the workplace
- Ensure reasonable steps are in place to keep personal information secure, including where employees are working remotely
If you have any questions in relation to matters of privacy and confidentiality our Legal Services team would be happy to discuss these with you. For further information and guidance, we recommend that you visit the MIGA website and also websites of the OAIC and the Department of Health.