Practitioners need to think twice before accessing clinical records.  A recent decision of the NSW Civil and Administrative Tribunal – Occupational Division highlights the potential consequences of unauthorized access to clinical records.  An enrolled nurse was deregistered after accessing the clinical records of several patients in circumstances where she was not involved in their care.  Although this case involved an enrolled nurse working in a hospital context there is no doubt the principles apply across professions.

The case in question, HCCC v Livermore [2021] NSWCATOD 48, involved an enrolled nurse (Livermore) working in the Orange Base Hospital Patient Transport Unit.  Livermore accessed the electronic health records of 13 persons on 154 occasions over a period of approximately 2.5 years in circumstances where she knew that:

  • she did not have authority to do so;
  • she did not have the patient’s prior consent and knowledge;
  • she did not have a proper therapeutic or clinical reason to do so; and
  • she had not been involved in the health care of the patients.

Livermore also accessed her own medical records without seeking authorisation from her employer.

When questioned in evidence, Livermore said that her intention in accessing the medical records was just to check on these people and their welfare.  The Tribunal found that hers “was an entrenched pattern of behaviour motivated by personal curiosity”.  Of the 13 people whose records she accessed, one was a friend, one was the wife of a work colleague, two were work colleagues, two had no connection to Livermore and the remainder were family members.

Livermore admitted all of the allegations made against her and accepted that her conduct amounted to unsatisfactory professional conduct.  She was sorry for her conduct, undertook to never again access patient records unless she is authorized to do so and took steps to address her behaviour by undertaking relevant education.  Livermore did not admit that her conduct amounted to professional misconduct.   She left this to the Tribunal to determine.

Decision of the Tribunal 
The Tribunal held that Livermore’s conduct did indeed amount to professional misconduct and stated that any order short of deregistration would be an inadequate response to the seriousness of her misconduct.  Her registration was cancelled by the Tribunal and an order was made that she should not be permitted to apply for re-registration for a period of 6 months.

Code of Conduct 
The professional responsibilities of doctors in respect to patient privacy and confidentiality are outlined in Medical Practice: A Code of Conduct for Doctors in Australia:

Patients have a right to expect that doctors and their staff will hold information about them in confidence, unless release of information is required or permitted by law. Good medical practice involves:

4.4.1 Treating information about patients as confidential.
4.4.2 Appropriately sharing information about patients for their healthcare, consistent with privacy laws and professional guidelines about confidentiality.
4.4.3 Accessing an individual’s medical record only when there is a legitimate need.
4.4.4 Using consent processes, including forms if required, for the release and exchange of health
4.4.5 Being aware that there are complex issues related to genetic information and seeking appropriate advice about its disclosure.
4.4.6 Ensuring that your use of digital communications (e.g. email and text messages) and social media is consistent with your ethical and legal obligations to protect patient confidentiality and privacy and the Board’s social media guidance.

Other healthcare providers including nurses and midwives have professional responsibilities set out in codes of conduct.  For midwives these are set out in clause 3.5 of the Code of Conduct for Midwives.

Healthcare providers also have professional and ethical responsibilities. In relation to privacy these obligations are set out in the Privacy Act 1988.

It is important to note that privacy legislation in Australia permits access to and disclosure of health records in certain situations. These include defending complaints as well as quality control activities or clinical audits. However, practitioners need to ensure that when accessing records for these non-clinical purposes, they are also doing so in accordance with any relevant hospital or practice policies.  We suggest that you err on the side of caution when faced with these decisions and seek the guidance of your colleagues or the legal services team at MIGA.

Key takeaway 
This case is a reminder to practitioners about the importance to be placed on patient privacy and confidentiality.  It is never appropriate to access patient records in circumstances where there is no clinical or other justification to do so. As the Livermore case demonstrates, it can lead to very serious consequences, including deregistration.

Information in this Bulletin does not constitute legal or professional advice.  Call us if you need advice on any of the issues covered in this article.
