Three stories about health privacy complaints
As an Investigating Officer at the Office of the Privacy Commissioner I investigate interesting complaints from many interesting people.
Urine testing at work
For example, a man - we’ll call him ‘Derek’ - applied for a job that required employees to pass a drug test.
The drug-testing agency collected Derek’s urine sample by having a technician stand behind him in the toilet while he filled a small cup with urine. He found this process to be uncomfortable, embarrassing and a breach of his privacy. He complained to our Office.
We looked at rule 4 of the Health Information Privacy Code (“the Code”), which says health agencies must not collect information in a manner that is illegal, unfair or unreasonably intrusive.
We also looked at the case law from the Employment Court. These cases said that urine testing is always intrusive, but it is also sometimes necessary for an agency’s purposes and therefore permissible. The Court said that the agency needs to minimise the intrusion.
The agency said it used “monitored collection”, which meant a technician standing behind the donor in order to see his general arm movements. This was to check that the donor was not manipulating the sample. This is different from an “observed” collection, in which the technician would have observed Derek’s genitals.
We found that monitored collection was acceptable in these particular circumstances. Derek was applying for a job where drug use had the potential to pose a health and safety risk, and the way the agency collected the urine was proportional to the impact of not collecting it. We found that there had been no breach of the privacy rules, so we closed the file.
Medical notes for health insurance
When we investigate complaints we really appreciate proactive and helpful agencies that recognise that they have an ongoing relationship with their clients or patients. This helps us find a solution which is acceptable to everyone.
For example we received another complaint from a woman, ‘Sally’ who had a health insurance policy.
Several months after the start of the policy Sally lodged a claim. Her insurer contacted her and said it required disclosure of her complete health information for a total of five years before she bought her policy.
Sally said she had amended the standard consent form limiting its authority to collect her health information. In response the insurer said it could not conduct its normal claim checks without this information. The women thought the information the insurer requested was too wide, and much of the information was irrelevant to her claim.
This complaint raised issues under rule 1 of the Code, which says that personal information can only be collected if the collection is for lawful purpose connected with what the agency does, and it is necessary for the agency to collect the information for that purpose.
We pointed this out to the insurer, which said because Sally was a new client it needed to check whether she had made her disclosures in good faith. We were not convinced the insurer had met the high threshold for this kind of wide and extensive collection.
The insurer offered to reduce the amount of information to two years instead of five, but Sally did not accept this offer. She said she was happy for the insurer to receive information - but only information related to her claim.
The insurer suggested asking Sally’s GP to review the questions and the answers Sally provided, and to tell it if any of the questions under these areas were answered incorrectly or incompletely based on specific information from her medical file.
We thought this was a reasonable solution in the circumstances.
Phone call about haemorrhoidectomy surgery
Another patient, ‘Henry’, had upcoming surgery. Henry received a phone call from a nurse at the hospital while he was at work. He said that the nurse announced in a loud voice that she was calling from the hospital and began discussing his scheduled haemorrhoidectomy surgery. Henry said the caller did not confirm whether he was able to talk before discussing his medical information and, due to the volume the caller was speaking at, his colleagues could clearly hear everything the caller said.
Henry said he tried to turn the volume on his phone down but it was already on the lowest setting. He then asked the nurse to hold on a moment while he found a place where his colleagues were no longer able to hear the conversation. Henry said he found this experience embarrassing and humiliating, and he became the subject of jokes at his workplace.
Rule 5 of the Code says a health agency must ensure there are reasonable steps in place to prevent the loss, misuse or disclosure of health information. Discussing specific health information over the phone without confirming the recipient is willing and able to talk at that moment might amount to a breach of rule 5 if it doesn’t meet this standard.
The hospital gave us its guidelines for pre-operative phone calls, reviewed the call notes and talked to the nurse who had made the call, whom it described as ‘quietly spoken’. The nurse remembered the patient saying something about the noise on the phone and that she had quietened her voice as a result.
The hospital suggested that a voicemail that was previously left on the patient’s phone by the nurse might help us work out what happened. We talked to Henry, who said he no longer had the voicemail.
We explained that our process is inquisitorial and that where there wasn’t enough information after investigation to show the hospital had breached rule 5, that we could not take the complaint further. Henry accepted this view but is considering taking this matter further with the Human Rights Review Tribunal.