Queries about privacy and confidentiality of patient medical records are the most frequent enquiry our Claims and Legal Services team receives.
Health service providers have an obligation to protect the personal and sensitive information of individuals. The Privacy Act 1988 (Cth) and similar legislation in some states enshrines this obligation¹. The legislation sets out the health service providers’ obligations with respect to every aspect of an individual’s information including its collection, use and disclosure.
Access to information
By far the most common enquiry relates to access to information, whether that is by the individual, for example a patient requesting a copy of their medical record, or a third party. The privacy legislation and Australian Privacy Principles entitle an individual to access their personal information. With the individual’s consent a third party is also able to request access to the medical records. Access to this information can occur in such form as requested which may mean reviewing the information and discussing it with the patient, but most commonly, the patient (or a third party) requests a copy of the medical record.
In most cases where an individual requests a copy of their own records, the records should be provided. It is however important health service providers are aware of the exceptions which prescribe when certain information within the medical record may be withheld. The most common exception that may apply is where access would pose a serious threat to the life or health of any individual or to public health or public safety. This captures a situation where the information may cause the individual significant distress or lead to self-harm or harm to another person. Situations like this can arise where the records are provided directly to the patient.
Another exception to providing the records is where the release of the information would have an unreasonable impact on the privacy of another person. For example, where a third party (a family member) has provided information about the patient to the health service provider but does not want the patient to know the information has been provided.
If either of these exceptions arise, access should still be considered rather than a blanket refusal. In this situation, you may decide to provide access by sending the records to another health practitioner or inviting the patient in to discuss the record. In some cases the medical record is still provided but the concerning information is either removed or redacted.
Some of the other, more common, enquiries about accessing medical records are:
Can I release letters and reports received from other health professionals, such as specialists, when I provide the patient’s medical records?
Yes. The letters and reports form part of the patient’s medical record. This is the same for investigation results. The same exceptions referred to above need to be considered which may require certain information to be withheld. For example, within a GP’s records is a letter from a treating psychiatrist detailing their assessment of the patient which may cause the patient’s health to deteriorate if they were to read it. In those circumstances, the psychiatrist’s letter should be withheld from production to the patient.
What if the letter from the specialist contains wording such as ‘not to be released to the patient’, ‘not to be released for medical-legal purposes’ or ‘not to be released to a third party without my permission’?
Statements such as these are often located at the top of the letter and, on their own, are not a valid reason to withhold the provision of the medical report. However, the notation may alert the treating doctor to the content of the report and, particularly, something that may lead to the document being withheld pursuant to one of the exceptions under the privacy legislation.
The letter from the lawyer/insurer/WorkCover seeks the entire medical record whereas the signed consent from the patient is limited.
The patient’s consent will guide you on the scope of the medical record to provide.
It is possible to inadvertently breach a patient’s privacy when responding to requests for medical records. A letter arrives with a signed consent attached. It is not unusual to receive a letter quite general in its wording seeking patient information. When you read the patient’s consent form it is limited to specific information such as “relevant medical information about my motor vehicle accident related injury/illness” or to only provide information after a particular date. We have dealt with complaints where information outside the patient consent has been provided. This is most likely a breach of privacy and could result in a complaint to the practice, AHPRA or the Office of the Australian Information Commissioner.
Risk management tips
Some tips to help deal with these requests:
- Develop a practice policy for dealing with requests for medical records
- If the request relates to a compensable injury, find out from the patient what the compensable injury actually is. This is not always clear
- If administration staff print off the medical records, someone (ideally the treating doctor(s)) should always review the request, consent form and the medical records to ensure only those records within the consent are provided
- The treating doctor should review the content of the medical record for any information that may fall within the exceptions (detailed above)
- Confirm consent with the patient to release the medical records. In contentious claims, a patient may have withdrawn consent to release the medical records subsequent to signing the consent form.
MIGA responds to privacy questions on a daily basis. If the medical records contain any information or documents that you are concerned about, contact us for assistance on how to respond to requests to access those records.