Long before there was a specific Act of Parliament about privacy, there was a legal and ethical principle that records kept by health care professionals should be kept confidential.
There have always been exceptions to this principle, in particular when a party to a legal case in court asks through the court process for another party to produce medical records that are relevant to the court case (‘issues a subpoena’).
A failure to keep health records confidential may be a breach of confidentiality. It may also be a breach of specific privacy laws.
This section deals with:
If you think a health care practitioner or a health care provider has breached the confidentiality of your health records or of any discussions you have had with them as part of your treatment and care, you can complain to the Health Care Complaints Commission.
You may, particularly if you suffer financial loss as a result of breach of confidentiality, also be able to take legal action in court for breach of confidentiality. The law is developing in this area, and there have been calls for new laws to give individuals a right to take legal action for breach of privacy.
Breach of confidentiality of patient records is usually dealt with as part of the disciplinary process for health care professionals such as doctors, dentists and pharmacists.
To find out more about where to get advice about your options to complain about a breach of confidentiality in relation to your health care, click here.
In Australia, there are specific pieces of legislation (‘Acts’ made by parliaments) that protect the privacy of personal information.
Generally speaking, Australian privacy laws are about how your personal information may be handled. For example, the Privacy Act 1988 (Cth), which applies across Australia, covers:
The Privacy Act 1988 (Cth) applies to the private sector as well as the public sector and in particular to health information, which includes medical and hospital records.
In NSW, the law that applies to health information in both the private and public health care sectors is the Health Records and Information Privacy Act 2002 (NSW).
This Act applies to health information, which is considered ‘sensitive information’ and which requires extra protection under privacy law.
If you are not sure whether the Commonwealth or NSW Act applies to an organisation you want to complain about, call either the Commonwealth Privacy Commissioner or the Information and Privacy Commission NSW.
The Privacy Act 1988 (Cth) includes the Australian Privacy Principles that apply to the Federal Government and some private sector agencies.
In NSW there is also a set of Health Privacy Principles that form part of the Health Records and Information Privacy Act 2002 (NSW).
If you think a person or an organisation has not followed them, then you can complain either to the Commonwealth Privacy Commissioner or to the Information and Privacy Commission NSW.
If you think a health care provider has breached privacy principles in relation to your personal health information, you can complain. To find out more about privacy complaints, click here.
Updated October 31, 2019