Office of the Privacy Commissioner | Case Note 26781 [2003] NZPrivCmr 21 - Patient complains about medical clinic losing her medical records
A patient asked the medical clinic she attended for a copy of her medical records, and said she wanted to pick them up herself from the clinic. However, the receptionist told her that the clinic's usual practice was to forward files directly to the new doctor. After some discussion, it was agreed the patient could come in and collect her file. She never did. The patient eventually contacted a new doctor and asked the clinic to transfer the file. The patient said the new doctor had no record of receiving the file, although the clinic advised it had sent it.
The patient complained to me about the loss of her file. Her complaint raised issues under rules 5 and 6 of the Health Information Privacy Code 1994. I investigated the clinic's record-handling processes and found it had not breached either rule.
Rule 6
Rule 6 provides individuals with the right to access personal health information held by a health agency, where that information is readily retrievable. It is subject to certain exceptions.
The clinic agreed that the patient had requested a copy of her medical records and wanted to collect them from the clinic. Although arrangements were made for the patient to collect the file, it was not collected, and remained at the clinic until the new doctor faxed through a request for the file. The clinic told me that, in response to the fax, it sent the file by New Zealand Post to the new clinic. Later, the patient contacted the clinic about the file, as it had not been delivered to her new doctor.
The clinic undertook an extensive search for the file by looking through its own archives, contacting other surgeries in the area in case of a misdelivery, and contacting the new clinic and other clinics with a similar name, which may have had the file misdirected to them. An investigation was also undertaken by New Zealand Post. Despite these searches, the clinic was unable to locate the patient's file.
Section 29(2)(b) of the Privacy Act provides that an agency may refuse a request made under rule 6, if the information requested does not exist or cannot be found. I was satisfied that, in the circumstances, the clinic could not find or no longer held the file and, therefore, it had a proper basis to refuse the request. It was my opinion that the actions of the clinic did not amount to a breach of rule 6.
Rule 5
Rule 5 requires an agency to ensure reasonable security safeguards exist to prevent loss or unauthorised access or disclosure of the health information it holds. Assessing what is reasonable depends on the sensitivity or confidentiality of the information involved and the ease with which safeguards could be put in place to protect the information. When I consider an alleged breach of rule 5, I take into account the agency's policies and practices, including any staff training. The clinic told me about the procedures it followed when transferring medical records to and from other medical practices. It also told me about its storage of medical records and the Privacy Act training given to its staff.
The clinic logbook showed that the file was to have been uplifted by the patient on a certain date. However, as the file had not been collected, the logbook also recorded the date the file was sent to the new clinic. The patient said that her new doctor sent a fax in November requesting her medical records from the clinic. The clinic said that it sent her file to her new doctor in October: this was the date recorded in its logbook. The clinic had not kept a copy of the fax, but argued that the only reason to post the patient's file was receiving the fax from the new clinic. The clinic also said that its receptionist recalled that, before posting the file, she put the fax in the envelope with the file so that the new clinic would be aware why it was being sent.
Although the clinic's logbook recorded a date prior to the date the patient maintained the request was sent, in light of the clinic's policies and practices, it was difficult to substantiate that the clinic's security safeguards were not reasonable in the circumstances.
An agency may not be in breach of rule 5, even though there has been a one-off loss of information. It is extremely difficult for an agency to prevent occasional instances of human error, and it is possible for an agency to have reasonable security safeguards in place which still do not prevent the occasional loss of a file. I formed the view that it was not possible to substantiate the patient's complaint that the actions of the clinic amounted to a breach of rule 5 of the Code.
I decided not to refer the complaint to the Human Rights Review Tribunal but advised the patient of her right to do so. I then closed my file.
September 2003
Indexing terms: Storage and security; Medical clinic; Request to transfer medical records; Records sent but not received; Reasonable safeguard and procedures; Health Information Privacy Code 1994, rule 5
Access to personal information; Medical clinic; Request to transfer medical records; Records sent but not received; Information did not exist or could not be found; Privacy Act 1993, s 29(2)(b); Health Information Privacy Code 1994, rule 6