Privacy and confidentiality can lead to thorny issues for graduates

17 May 2023

Privacy and confidentiality can lead to thorny issues

As a graduate, you’ll deal with a lot of health information.

However, inappropriately accessing sensitive personal information can lead to serious issues with significant consequences, such as disciplinary action or notification to Australian Health Practitioner Regulation Agency (AHPRA), or both.

Have you found yourself in any of the following situations?

You looked up the health information of someone you know, such as a colleague whom you were not providing care to.
You walked away from your work computer forgetting to sign out of your patient’s health record.
You posted a photo of the adorable baby in the post natal ward on social media.
You were curious about why a ‘celebrity’ was in care at your workplace and accessed their record or participated while another staff member did.
You were approached by the media about a person in your care and made comment.
You unintentionally took your handover sheet home and disposed of it in the recycling bin.
You accessed and reviewed a patient’s medical imaging for education purposes, however, the patient was not under your direct care.
You asked questions out of curiosity about a patient who was not under your direct care.
You were asked about your patient by another patient, and your answer provided health information.
You debriefed about a patient to your family or friends.
You looked up health information to help a friend or a family member.

All the above scenarios are examples of privacy and confidentiality breaches, and can lead to disciplinary action, including termination of your employment and being reported to AHPRA.

How is privacy and confidentiality regulated?

Graduate practice, along with all health care providers, is heavily regulated by a range of different legislation, codes and guidelines to ensure privacy and confidentiality standards are maintained. These include:

Nursing and Midwifery Board of Australia (NMBA) Code of conduct for nurses/Code of conduct for midwives
Individual health facility policies
My Health Records Act 2012 (Cth)
Healthcare Identifiers Act 2010 (Cth)
Privacy & Data Protection Act 2014 (Vic)
Health Records Act 2001 (Vic)
Section 141 of the Health Services Act 1988 (Vic)
Section 140 and 141 of the Mental Health Act 2014 (Vic)
Health Complaints Act 2016 (Vic)
Section 13 of the Charter of Human Rights and Responsibilities Act 2006 (Vic)
Children, Youth and Families Act 2005 (Vic)
Freedom of Information Act 1982 (Vic)
Public Records Act 1973 (Vic)

You should familiarise yourself with your employer’s privacy policy and privacy statement. Note that all workplace policies must be in accordance with the above legislation.

What is defined as health information?

According to the Health Records Act, ‘health information’ is defined broadly and includes information or opinion about a person’s physical/mental health.

Health information can include a range of documents, including photos. It also includes information that is not recorded in a document and said orally. For example, personal information such as contact details, if collected in order to provide a health service, is health information.

The Health Records Act protects the privacy and confidentiality of health information. The Health Privacy Principles (HPPs) set out in the Act, regulates how health information is collected, stored, accessed and disclosed. In accordance with the HPPs, health information can only be used or disclosed for the primary purpose for which it was collected – that is, to provide a health service to a person.

Under the HPPs, there are some exceptions where health information can be used for purposes other than to providing health service. However, graduates should exercise extreme caution in using health information other than for the primary purpose of providing direct patient care. For instance, even if you have consent from your family or friends to access their files, you must direct them to make a request to the health service directly.

The NMBA codes of conduct for nurses and midwives sets out a series of statements about what nurses and midwives must do to uphold privacy and confidentiality of health information. This includes not disclosing a person’s information without their consent and ensuring that your use of social media is consistent with their obligations regarding privacy.

The NMBA code of conduct for nurses’ states that:

‘Nurses have ethical and legal obligations to protect the privacy of people. People have a right to expect that nurses will hold information about them in confidence, unless the release of information is needed by law, legally justifiable under public interest considerations or is required to facilitate emergency care…’

While we have quoted the code of conduct for nurses, this is also stated in the code of conduct for midwives.

What can happen if I have breached privacy and confidentiality?

A complaint about misuse of health information can be made to AHPRA, if the person who engaged in the conduct is a registered health practitioner, or otherwise to the Health Complaints Commissioner.

The NMBA/AHPRA investigates complaints regarding nurses and midwives and acts where necessary. The Board can act when it forms a view that a practitioner has engaged in conduct that is unsatisfactory. If a practitioner fails to meet their professional obligations regarding confidentiality of health information, and a complaint is made to AHPRA, the Board will likely take some action.

Employers will often have their own policies and procedures about the management of health information, privacy and confidentiality. Policy breaches could result in disciplinary action, including termination of employment. If your employer invokes a disciplinary process, contact the ANMF as soon as possible for advice and support.