The complainant was a patient of a health agency. To provide him with treatment, his medical file was made available to the agency's clinical director of mental health. Some time later there was speculation about the director's qualifications and the agency employed an outside psychiatrist to review the treatment provided by the director.

The patient complained to me that the director might have misused or photocopied his file, and that the agency had disclosed his medical file to the reviewing psychiatrist without his authority.

His complaint raised issues under rules 5 and 11 of the Health Information Privacy Code 1994.

Rule 5

Rule 5 requires a health agency to ensure that health information it holds is protected by reasonable security safeguards against loss, access, use, modification, disclosure, or other misuse. The essential issue to be determined under this rule is whether the agency had suitable rules and procedures to guard against unauthorised actions with health information.

The agency had a policy on the employment of medical practitioners. The agency followed its established processes and checked the director's references, annual practising certificate and registration status. The Medical Council was advised of the proposed appointment and the director's immigration status was checked. The director was considered suitable for employment. By virtue of that employment the director was authorised to access patients' files to enable treatment. The complainant was a patient of the director.

I considered in this case the agency had reasonable security safeguards in place to prevent unauthorised access and there was no breach of rule 5.

Rule 11

Rule 11 places a general limit on the disclosure of health information by an agency, subject to certain exceptions.

The agency disclosed the complainant's file, and the files of all patients treated by the director, to the reviewing psychiatrist. Since doubt had been cast upon the director's qualifications, the agency wished to ensure that treatment of patients provided by the director was appropriate. Had anything untoward been detected by the reviewing psychiatrist, it could have been followed up immediately by the agency.

In my view the agency's action fell within rule 11(2)(a). This provides that a health agency may disclose health information if it believes, on reasonable grounds, that the disclosure of the information is directly related to one of the purposes in connection with which the information was obtained. It is not necessary for the health agency to obtain authorisation from the individual concerned if the agency has reasonable grounds to believe it either not desirable or not practicable to do so.

I considered that the disclosure of the medical files of those patients who were treated by the director was directly related to the purposes for which the agency obtained the information concerning its patients - that is, to provide the best medical treatment to those patients and to ensure that the best medical treatment had been received.

Due to the number of people involved and their vulnerable position, the agency considered it was not desirable to obtain the authorisation of the patients. The agency did not want to raise concerns with the patients while it was unclear whether there were any issues concerning their previous treatment. The agency's preference was to write to their patients immediately after the review if any issues had been identified.

I formed the opinion that the action of the agency in disclosing the complainant's medical file to the psychiatrist without patient authorisation was not in breach of rule 11 as it fell within the exception provided by rule 11(2)(a).

Indexing terms: Storage and security - Health agency - Access to health information by employee psychiatrist - Reasonable security safeguards to protect against unauthorised access -Health Information Privacy Code 1994, Rule 5.

Disclosure - Health Agency - Health information disclosed to reviewing psychiatrist - No authorisation by patient - Disclosure directly related to purpose of collection - not desirable to obtain authorisation - Health Information Privacy Code 1994, Rule 11(2)(a).

July 2001