
A couple complained to our office after they found out that a medical centre receptionist had disclosed sensitive medical information about them.

The receptionist had been at a family gathering with a number of extended family members.

One of the people present was a close friend of the couple and knew that they had visited the medical centre. During the gathering, she showed the receptionist a photo of the couple and asked why they had been at the centre.

The receptionist initially rebuffed the questions, explaining she could not discuss patient records because it breached patient privacy. At this point, she claimed she was pressured further to divulge details of the appointment. After swearing others to secrecy, the receptionist revealed the couple had been into the clinic months ago for a sexual health test.

The news of the disclosure got back to the couple when one of the guests told them.

The receptionist called to apologise. During the conversation, the receptionist admitted the privacy breach.

The couple complained to the Health and Disability Commissioner, who then referred the case to us.

Complaint

In their complaint to us, the couple said there was no reasonable explanation as to why the receptionist would have known about the test, unless she had improperly accessed medical files.

The complaint raised issues under rules 5 and 11 of the Health Information Privacy Code (HIPC).

The couple said that the disclosure of their personal information to people they knew had caused them extreme humiliation and emotional distress.

Health Information Privacy Code, rules 5 and 11

Rule 5 of HIPC requires health agencies to ensure health information is protected by reasonable security safeguards to protect against unauthorised access or disclosure.

Rule 11 states that an agency must not disclose health information unless it believes on reasonable grounds that it is authorised by the individual concerned, or that one of the exceptions to that rule applies.

Our investigation

We contacted the medical centre. The medical centre admitted the breach, but said it did not believe it was responsible for the employee’s disclosure.

During the medical centre’s own investigation, the receptionist claimed to have come across the information in the patient notes months earlier, but was unable to recall for what reason.

We asked the medical centre to outline what privacy training it gave its staff, so we could assess whether they were adhering to the HIPC rules. The centre said it had taken steps to ensure its staff were aware of the importance of keeping patient information confidential. New employees were required to complete the Privacy Commissioner’s online training module, and their employment contracts included confidentiality agreements.

The centre informed us that its patient file management system recorded when a staff member edited a file, but not when they accessed it.

We informed the medical centre of its obligations under rule 5 of the HIPC to secure information against inappropriate employee browsing. We advised it would be unlikely to meet those standards if its systems did not record times when staff accessed patient records.
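As an added illustration (not part of the case note, and not the centre's system), the following shows what the missing safeguard looks like in practice: a record store whose audit trail captures every read as well as every edit, and a check that flags reads with no stated reason and no appointment for that patient around the time of access. The one-day appointment window, the class and field names, and all sample data are constructed assumptions; the final function shows how an edit-only log, like the one the centre described, leaves the questionable read invisible.

```python
"""Added example: audit logging of reads as well as edits to patient records.
All names and data here are constructed; the one-day window is an assumed policy."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class AuditEvent:
    staff_id: str
    patient_id: str
    action: str            # "read" or "edit"
    on: date
    reason: Optional[str]  # e.g. an appointment id; None when no reason was given


class PatientRecords:
    """Holds notes per patient and appends an AuditEvent on every read or edit.
    Logging reads, not only edits, is the safeguard the case note found missing."""

    def __init__(self, notes: dict[str, str], appointments: dict[str, set[date]]):
        self._notes = dict(notes)
        self._appointments = appointments  # patient_id -> days with an appointment
        self.audit: list[AuditEvent] = []

    def read(self, staff_id: str, patient_id: str, on: date,
             reason: Optional[str] = None) -> str:
        # Every read is recorded before the notes are returned.
        self.audit.append(AuditEvent(staff_id, patient_id, "read", on, reason))
        return self._notes[patient_id]

    def edit(self, staff_id: str, patient_id: str, on: date, new_text: str,
             reason: Optional[str] = None) -> None:
        self.audit.append(AuditEvent(staff_id, patient_id, "edit", on, reason))
        self._notes[patient_id] = new_text

    def unexplained_reads(self) -> list[AuditEvent]:
        """Reads with no stated reason and no appointment for that patient within
        one day either side of the access (assumed review rule)."""
        flagged = []
        for ev in self.audit:
            if ev.action != "read" or ev.reason is not None:
                continue
            days = self._appointments.get(ev.patient_id, set())
            if not any(abs((ev.on - d).days) <= 1 for d in days):
                flagged.append(ev)
        return flagged


def edit_only_view(audit: list[AuditEvent]) -> list[AuditEvent]:
    """What a system that records only edits would have available for review."""
    return [ev for ev in audit if ev.action == "edit"]


def demo() -> PatientRecords:
    # Constructed sample data: two patients, one receptionist (R-17).
    today = date(2024, 3, 4)
    records = PatientRecords(
        notes={"P-001": "routine check", "P-002": "sexual health test"},
        appointments={"P-001": {today}, "P-002": {today - timedelta(days=90)}},
    )
    # Checking in a patient with an appointment today: a read with a reason.
    records.read("R-17", "P-001", today, reason="appt-5501")
    # Updating that patient's notes: the kind of event the centre's system logged.
    records.edit("R-17", "P-001", today, "routine check; arrived", reason="appt-5501")
    # Reading another patient's notes months after their visit, with no reason given.
    records.read("R-17", "P-002", today)
    return records


if __name__ == "__main__":
    recs = demo()
    for ev in recs.unexplained_reads():
        print(f"flag: {ev.staff_id} read {ev.patient_id} on {ev.on} with no reason")
    print("edit-only log shows:", [ev.patient_id for ev in edit_only_view(recs.audit)])
```

Running the module flags the reasonless read of P-002, while the edit-only view contains only the P-001 edit, which is why a system that logs edits alone cannot support a review of staff browsing.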

Section 4

Under section 4 of the Privacy Act, the actions of an employee are treated as the actions of the agency. Agencies are liable for their employees’ actions unless they can prove they took such “steps as were reasonably practicable to prevent the employee from doing that act” (section 126(4)).

The clinic argued that it should not be held liable for the wrongful actions of its employee.

Conclusion

We suggested the medical centre make changes to its electronic records system to ensure its security safeguards were more robust.

The medical centre began a disciplinary process that resulted in the receptionist being dismissed.

We formed the view that the appropriate forum to determine whether the medical centre had a defence under s 126(4) of the Privacy Act was the Human Rights Tribunal (HRRT).

We discontinued our investigation after several emails to the complainants were not responded to. We provided the complainants with a certificate of investigation to take the case to the HRRT, should they wish to take the case further.