Privacy in practice
Jenny, a practice manager from a medical centre in the Wairarapa,* called our Enquiries line. A patient had taken a support person with her to an appointment, and then complained that her GP had revealed sensitive things about her that she didn’t consider relevant, and which her support person didn’t previously know. What should the medical centre do?
Another medical centre called in after it had been contacted by the sister of an elderly male patient. The sister had said ‘he’s blind as a bat and shouldn’t be driving’. The patient then came in and passed the medical examination for his driving reassessment, but his doctor was obliged to refer him for further tests based on the information received – and to tell him why. Even though no names were mentioned, the patient had a good idea of who dobbed him in. What should the centre do?
When individuals contact us, we always encourage them to contact the agency directly with their concerns and hopefully to resolve the matter. A patient contacting you about their complaint is your opportunity to try and put things right for them and (hopefully) avoid a complaint to us. A complaint is also a chance for you to learn from what has happened – whether you made a mistake or not.
We often suggest that a patient discusses a specific rule of the Health Information Privacy Code when they do this. Knowing which rule might apply gives doctors and their patients a much better legal context to understand and explain what has happened.
Applying the law to the facts
To take the situations above, rule 11 of the Health Information Privacy Code says information can only be disclosed in limited circumstances. One of these is where the individual has authorised the disclosure. To a GP, it may not seem unreasonable to assume that a patient has implicitly authorised disclosure by bringing a support person to a consultation.
Clearly, the patient in Scenario 1 did not see it that way. When we get an enquiry like that our Enquiries team will discuss the Health Code with her and might suggest the exception the GP may have been relying on. It is not our role, however, to explain the actions of the GP or to say whether or not the information should have been disclosed.
Information can also be disclosed under rule 11 where disclosure is for a purpose related to that for which the information was obtained. Acting on unsolicited information about an individual’s driving risk would appear to be a clearly related purpose, and we were told the doctor in Scenario 2 was careful not to disclose their informant’s name.
The sister who gave the information to the medical centre, however, had apparently not considered the possibility that due to outside factors, her involvement in the matter might become known to her brother. Again, our Enquiries staff can discuss rule 11 and possible exceptions with enquirers, but it is the medical centre’s responsibility to address their particular concerns and explain their actions in the first instance.
In these situations, there may have been no action the medical centres could have taken that would have prevented these individuals feeling the way they did. But even where that’s the case, it is likely that everyone involved will feel aggrieved, including the GP. This needs to be acknowledged when you receive a complaint. Empathy and understanding can go a long way towards resolving most matters, whether there has been a breach under the Code or not.
As these examples show, particular care needs to be taken when other people become involved in some way with an individual’s information.
- With vulnerable patients in particular, check they are aware that sensitive information may be discussed if they arrive for a consultation with someone new.
- Make a note of your conversation on their file.
- Difficulties might be avoided by having an authority form your patients can sign if they wish to bring someone else into their consultation. On the form, you can draw their attention to the fact that there might be issues they don’t want discussed in front of a third party. This gives your patient an opportunity to stop and consider what they are consenting to – and to understand that they are consenting to it.
- Be open with your patients, and with others who may provide information about them, about how their information may be used or disclosed.
- It may not always be possible, for example, to keep the identity of someone who provides information confidential. Tell them this. It may need to be disclosed, for instance, if you have to act on the information, or if the individual requests access to their notes under rule 6 and discovers information on their file they didn’t know was there.
- While information can be withheld in certain circumstances in response to a rule 6 request, people need to be aware that the right to access is a strong one and that their disclosure, and their identity, may become known.
- If something does go wrong, it can be a good time to re-visit your privacy policies and statements.
Help is at hand
Have a privacy officer, make sure your patients and staff know who it is, and have a process for dealing with complaints. Visit our website: www.privacy.org.nz. We have tools to assist you with writing your privacy statement. We have the full health Information Privacy Code and guiding commentary available for you to download. Use our AskUs tool if you have any questions: www.privacy.org.nz/ask or contact our Enquiries staff: www.privacy.org.nz/enquiries. We aren’t here to judge you, we’re here to help.
*All examples and names are fictional