Main Content

Not your patient, not your business

Not your patient, not your business

Privacy and confidentiality can lead to thorny issues

As a nurse, midwife or personal care worker, you have a duty to hold the health information of your patients in confidence.

Key points

  • Accessing a patient’s health information is regulated by legislation and organisational policies.
  • The Nursing and Midwifery Board of Australia’s nurses’ and midwives’ codes of conduct states you must ‘access records only when professionally involved in the care of the person and authorised to do so’.
  • A breach of patient confidentiality may result in disciplinary action including the termination of your employment and/or a notification to the Australian Health Practitioner Regulation Agency (AHPRA).
  • It may also attract a hefty fine in some situations 50 penalty units ($9,087) under section 141 Health Services Act 1988, 60 penalty units ($10,904.40) under section 92 Health Records Act 2001).
  • Any information where a patient is able to be identified is confidential.
  • You do not have to share, distribute or publish patient information to breach patient confidentiality – accessing the information of a patient not under your care is still a breach.
  • Electronic patient records systems generally log each time a file accessed.
    This means employers know who and when you access records.
  • Accessing the records of someone who you provided care to in the past is still a breach of patient confidentiality, unless you have proper reason and authorisation (for example, for approved research, quality control or legal proceedings).

Be familiar with the situations where a breach of patient confidentiality might occur and know how to reduce the risks of exposure to these situations: they may be happening without you even realising.

What information is confidential?

Health information includes progress notes, personal details, medical assessments and pathology results. Any information from which a patient can be identified is deemed confidential.

What is my duty?

It is your duty to protect the confidentiality of patients who are directly under your care, and those who are not directly under your care, but whose health information and records you have access to because of your employment and position in the health profession. Failing to do either of these things will result in a breach of patient confidentiality.

When does a breach occur?

A breach of patient confidentiality occurs when the health information of a patient is shared or distributed. A breach of patient confidentiality also occurs when patient information is accessed by someone who is not directly involved in the care of this patient.

Be certain you are authorised

Nurses, midwives and personal care workers are in a privileged position of having access to information about others that is often very sensitive and deeply personal. Accessing information about patients directly under your
care is legitimate and indeed vital to providing appropriate care. You must familiarise yourself and your organisation’s policy in relation accessing health information. Before you access health information for a purpose other than direct patient care you must be certain that you are authorised to do so.

If you need further advice complete a ANMF Member Assistance inquiry form.

Case studies

A nurse works at a clinic where her son (a minor) is a patient. Her son underwent blood tests as ordered by his doctor at that clinic. As his parent, the nurse signed and consented to her son’s blood tests. The nurse then accessed her son’s blood test results by looking at the clinic’s electronic system where the pathology results were stored. Her son’s treating doctor had not yet reviewed the results or communicated these to the nurse and her son.

Outcome: The nurse breached patient confidentiality and hospital electronic access policy. A workplace investigation was carried out and the employer found that the nurse’s actions amounted to serious misconduct. The nurse received legal advice during the investigation process and received a first and final warning from her employer.

A nurse was employed at both a hospital and an education centre. Some of her patients at the hospital were also students at the education centre. The nurse accessed the hospital records of students at the education centre. She felt it would assist in understanding their medical needs at the education centre. The students were not under the nurse’s care at the hospital, the nurse was not authorised to access their records.

Outcome: The nurse had breached patient confidentiality and hospital health record access policy. The nurse received a first and final warning from her employer, noting the circumstances in which the nurse required the information, being motivated to better understand the students’ health needs at the education centre. The nurse was also reported to and investigated by AHPRA.

A nurse accessed the pathology records of her former partner while at work who was not under her care, in order to confirm their COVID-19 test results.

Outcome: The nurse breached patient confidentiality. The nurse received a caution from AHPRA and was required to disclose to her current employer that they had breached patient confidentiality in accessing their former partner’s records.

A nurse took photos of patient contact details at the hospital where they worked who were under their direct care. The nurse used these details to contact the patients via their own separate business that they operated to provide home care assistance for patients.

Outcome: The nurse had accessed, disclosed and used confidential patient information for improper purposes, including personal financial gain. The nurse’s employment was terminated. The hospital considered but did not
pursue legal action against the nurse.

A nurse accessed and viewed the records of patients who she knew and socialised with outside of work, but who were not under her care at work. The nurse accessed and viewed attendance summaries, pathology results, emergency department observation summaries, discharge summaries and specialist referrals. These records were not relevant to the ward where the nurse worked or to the patients she cared for.

Outcome: The nurse had breached patient confidentiality by accessing records of patients not in her care. The nurse was notified that her employer intended to terminate her employment and report her to AHPRA. The nurse chose to resign and was later investigated by AHPRA.

Curiosity causes distress


Just in case you read no further – electronic patient record systems track every time a patient record is accessed.

This means health service employers have a log of who accesses records and when.

Imagine being a patient requiring surgery, treatment or care at the hospital where you work. How would you feel if your colleagues looked at your patient records, containing the most intimate personal details.

The unauthorised access may be out of concern. For others it may be a simple sticky beak. Motivated by care or curiosity, the outcome is the same.

Trust is broken. The law is broken. The NMBA code of conduct is breached.

Accessing records of patients not in your direct care can cause harm and distress to patients. And nurses and midwives lose their jobs.

This scenario is not common, but it is not rare either and ANMF has advised and represented members in this preventable situation.

Peaking at the records of your own child, a celebrity or well-known person or a colleague – is not harmless and you may lose your job.

Nurses and midwives are some of the most trusted professions – for very good reasons. Only access your patient’s records. And only when you are authorised to do so.

Accessing medical records: the dos and don’t

The ANMF Education Centre will hold a half-day ‘Accessing medical records: the dos
and don’ts’ workshop on 9 December 2021 for registered and enrolled nurses and midwives.

Designed to highlight the issues surrounding access to medical records, this workshop aims to increase the understanding of the legal and ethical principles related to accessing medical records, including the associated legislation relating to privacy and confidentiality.

Register here