The Victorian Law Handbook banner


Bookmark and Share Fitzroy Legal Service facebook link Fitzroy Legal Service Twitter link

Privacy and confidentiality

People generally assume all communications between them and their doctor or other health professional will remain private, and the law generally reflects this expectation. If it were not so, some people might be reluctant to seek medical treatment. Also, patients may be less honest in describing their ailments if they are not assured of confidentiality. So most medical consultations are protected by a statutory or common law requirement of confidentiality, in addition to the more recent statutory obligations in relation to privacy (see HRA 2001; PA 1988).

Confidentiality in hospitals and other services

The law preserving confidentiality in public and private hospitals, day procedure centres and community health centres (called "relevant health services" in the Act) is to be found in section 141 of the Health Services Act 1988 (Vic) ("HSA 1988"). The section applies to the health service itself, the board of the service, or a person who is or was a member of the board, a delegate to a board, a proprietor of such a service, or engaged or employed in a service or performing work for it. These people are generally prohibited from disclosing information that could directly or indirectly identify a patient. If they do disclose such information, they have committed an offence under the HSA 1988 for which they may be fined up to $7,218 (this figure is based on 50 penalty units with a value of $144.36 each).

In addition, the HRA 2001 and the PA 1988 confer statutory privacy rights on patients, whether they are treated in a public or private facility. Both Acts set up complaint procedures for patients who believe confidential information about them has been unlawfully disclosed to a third party. For more information on this, see Chapter 21.5: Privacy Rights.

Note, however, there are some exceptions to the statutory privacy protection and doctors are sometimes required, or authorised, to disclose confidential information about patients. For example, if a breach of confidentiality is required to carry out a function under an Act, or the giving out of the information is authorised or required by an Act, then it is permissible to give out information.

Some cases in which confidential information may be lawfully disclosed are set out in section 141(3) of the HSA 1988:

  • with the prior consent of the person to whom it relates or, if that person has died, with the consent of the senior available next of kin of that person; or
  • to a court, in the course of criminal proceedings; or
  • concerning the condition of a person who is a patient in, or is receiving health services from, a relevant health service, if the information is communicated:
    • in general terms; or
    • by a member of the medical staff of a relevant health service to the next of kin or a near relative of the patient in accordance with the recognised customs of medical practice; or
  • to the Australian Red Cross Society for the purpose of tracing blood, or blood products derived from blood, infected with any disease, or the donor or recipient of any such blood; or
  • if it is required in connection with the further treatment of a patient, or transferred electronically between hospitals for the treatment of patients; or
  • the giving of information in accordance with an agreement between the minister and a body to manage a hospital under section 53(1), or a service provider under section 69B(1); or
  • the giving of information as described in HPP 2.2(a) of the Health Privacy Principles (HPPs) in the HRA 2001 (for secondary purpose directly related to primary purpose of collecting information), 2.2(f) (for the management of a health service or training of employees), 2.2(h) (to lessen or prevent a serious and imminent threat to the life, health, safety or welfare of an individual or a serious threat to public health, public safety or public welfare), 2.2(k) (to establish, exercise, or defend a legal or equitable claim), 2.2(l) (to use or disclose in prescribed circumstances) or 2.5 (to identify an individual; or contact family members where, due to an accident, the individual is unable to consent) of the HPPs in the HRA 2001; or
  • the giving of information relating to a notification, claim or potential claim to a person or body providing insurance or indemnity (including discretionary indemnity) for any liability of the relevant health service or a person who is a relevant person in relation to the relevant health service arising from the provision of services by, on behalf of or at the relevant health service; or
  • to the Australian Statistician; or
  • for the purposes of medical or social research, if:
    • the use to which the information will be put and the research methodology have been approved by an ethics committee established under the by-laws of the agency; and
    • the giving of information does not conflict with any other requirements that may be prescribed in regulations under the Act; and
    • it is in accordance with HPP 2.2(g) of the HPPs in the HRA 2001; or
  • to a case-mix auditor or auditor under the Act; or
  • to a person or class of persons designated in the Government Gazette, employed by a health service or its support functions; or
  • to a person to whom, in the opinion of the Minister for Health, it is in the public interest that the information be given.

Both the HRA 2001 and the PA 1988 also set out situations in which it is lawful for health professionals and institutions to disclose health information, which are similar to the provisions in the HSA 1988 above; however, the PA 1988 was amended in 2006 to allow genetic information to be disclosed to blood relatives if a genetic risk is serious but not imminent (ss 18, 19; sch 3 National Privacy Principles 2.1(ea).

Confidentiality in a hospital setting is a fluid concept. There may be a large number of people who may have access to information contained in a patient's file, all of whom will have valid reasons for requiring that access. They may include doctors, nurses, other treating practitioners, and administrative staff.

The Public Health and Wellbeing Act 2008 (PHWA 2008) also contains specific sections preserving confidentiality, which were a response to the special sensitivities and the potential for discrimination associated with HIV and AIDS. Section 132 of the PHWA 2008 states:

A registered medical practitioner or person of a prescribed class must not advise a person who requested a test for HIV or any other prescribed disease of the results of the test if the results of the test are positive unless the registered medical practitioner or person of a prescribed class is satisfied that the prescribed information has been given in accordance with the regulations.

The section contains a note:

The Health Records Act 2001 applies to and in respect of the privacy of information acquired about a person requesting a test.

Section 133 of the PHWA 2008 is a special provision relating to the closure of courts or tribunals, and the restriction of publication of any part of legal proceedings where any matter related to a person's HIV antibody status is to be raised. The court or tribunal may be closed and publication of evidence restricted when it is considered that there may be social or economic consequences to the person as a result of the disclosure of the information.

Confidentiality between patient and doctor

In addition to the statutory offences of breaching confidentiality, doctors and other health service providers may be sued at common law (i.e. judge-made law) if they divulge confidential information without a patient's permission. The patient may sue for breach of contract or because the doctor has been negligent in disclosing the information. However, such actions are very rare and complaints about breach of confidentiality would now almost always be dealt with under the privacy legislation described above.

Again, it should be noted that it is lawful for a health professional to disclose information if:

  • some other law requires disclosure; or
  • it can be argued that the person has provided express or implied consent for the disclosure; or
  • it may be in the public interest for the information to be disclosed.

Situations where some other laws may require disclosure of otherwise confidential information include:

Situations where consent to a breach of confidentiality may be implied include accident compensation claims where the employer may be given information about the nature of the employee's treatment, and reports provided for the purpose of insurance.

The law provides little guidance as to when it may be in the public interest for a health practitioner to disclose information. This area of law has received some attention with the emergence of HIV/AIDS. In the case Harvey v PD (2004) 59 NSWLR 639, for example, the court said that a doctor breached his duty of care to a female patient whose husband, who was also his patient, was HIV positive. However, Australian courts have been reluctant to impose a positive duty on doctors to warn third parties, in order to prevent serious harm occurring to them.

The PA 1988 has been amended to justify doctors disclosing genetic information in order to avoid serious risks to the patient's blood relatives (sch 3 National Privacy Principles 2.1(ea)). This might justify warning relatives that a patient has a genetic condition if the patient will not warn them.

The section of the Australian Medical Association's Code of Ethics that deals with confidentiality states:

“Maintain your patient's confidentiality. Exceptions to this must be taken very seriously. They may include where there is a serious risk to the patient or another person, where required by law, where part of approved research, or where there are overwhelming societal issues.”

This may justify a doctor breaching confidentiality in the "public interest" in order to protect third parties (such as warning the sexual or needle-sharing partner of an HIV positive patient), but does not impose an obligation to warn them. A code of ethics does not have the same legal validity as statute or common law, but it is an indication of accepted medical practice that would provide some defence to a doctor who breached confidentiality in good faith to avoid harm to a third party.

However, the law is unclear in this area; it may equally be found that a doctor is liable for having made an unauthorised disclosure to a third party.

Privacy and confidentiality :: Last updated: Sun Jun 30th 2013