Privacy and confidentiality
Introduction
People generally assume that all communication between themselves and their doctor, or other health professional, will remain private. If it were not so, people might be reluctant to seek medical treatment and may be less honest in describing their ailments. The law generally reflects this expectation, though the principle of confidentiality is subject to exceptions.
Statutory regulation of privacy
The HR Act and the Privacy Act set out situations in which it is lawful for health professionals and institutions to disclose health information, and also impose obligations relating to data quality, data security and access to health information (amongst other things). In Victoria, all health services are subject to the HR Act and its Health Privacy Principles (HPPs), in addition to any specific statutory restrictions on sharing information (see ‘Confidentiality in hospitals and other services’ below).
Additionally, private health service providers are subject to the Privacy Act and its Australian Privacy Principles (APPs).
Both Acts set up complaint procedures for individuals who believe confidential information about them has been unlawfully disclosed to a third party or their health information has not been appropriately handled. For more information, see Chapter 12.2: Privacy and your rights.
Confidentiality in hospitals and other services
In Victoria, the Health Services Act 1988 (Vic) (‘HS Act’) establishes the regulatory framework for various kinds of health services, including public and private hospitals, day procedure centres and community health centres. These bodies are each ‘relevant health services’ that are subject to additional confidentiality obligations in section 141 of the HS Act. That section applies to the relevant health service itself, the board of the service, a person who is/was a member of the board, a delegate to a board, a proprietor of such a service, or a person engaged or employed in a service or performing work for the service.
These people are generally prohibited from disclosing information that could directly or indirectly identify an individual, except to carry out functions or exercise powers under legislation or where an exception applies (see below).
Additionally, the HS Act (s 141(3)) lists the cases in which confidential information may be lawfully disclosed:
- with the prior consent of the person to whom it relates or, if that person has died, with the consent of the senior available next of kin of that person; or
- to a court, in the course of criminal proceedings; or
- concerning the condition of a person who is a patient in, or is receiving health services from, a relevant health service, if the information is communicated:
  – in general terms; or
  – by a member of the medical staff of a relevant health service to the next of kin or a near relative of the patient in accordance with the recognised customs of medical practice; or
- to the Australian Red Cross for the purpose of tracing blood, or blood products derived from blood, infected with any disease, or the donor or recipient of any such blood; or
- if it is required in connection with the further treatment of a patient, or transferred electronically between hospitals via a specially established electronic records system for the treatment of patients; or
- the giving of information in accordance with an agreement between the minister and a body to manage a hospital under section 53(1), or a service provider under section 69B(1); or
- the giving of information as described in the following HPPs in the HR Act: HPP 2.2(a) (for a secondary purpose directly related to the primary purpose for collecting the information), 2.2(f) (for the management of a health service or training of employees), 2.2(h) (to lessen or prevent a serious threat to the life, health, safety or welfare of an individual or a serious threat to public health, public safety or public welfare), 2.2(k) (to establish, exercise, or defend a legal or equitable claim), 2.2(l) (to use or disclose in prescribed circumstances) or 2.5 (to identify an individual; or contact family members where the individual is missing or, due to an accident, the individual is unable to consent); or
- the giving of information relating to a notification, claim or potential claim to a person or body providing insurance or indemnity (including discretionary indemnity) for any liability of the relevant health service or a person who is a relevant person in relation to the relevant health service arising from the provision of services by, on behalf of or at the relevant health service; or
- to the Australian Statistician; or
- for the purposes of medical or social research, if:
  – the use to which the information will be put and the research methodology have been approved by an ethics committee established under the by-laws of the agency; and
  – the giving of information does not conflict with any other requirements that may be prescribed in regulations under the Act; and
  – it is in accordance with HPP 2.2(g) of the HR Act; or
- to a case-mix auditor or auditor under the Act; or
- to a person or class of persons designated in the Government Gazette, employed by a health service or its support functions; or
- in accordance with the Family Violence Information Sharing Scheme provisions of the Family Violence Protection Act 2008 or the Child Information Sharing Scheme provisions of the Child Wellbeing and Safety Act 2005; or
- to a person to whom, in the opinion of the Minister for Health, it is in the public interest that the information be given.
If a person who is subject to section 141 discloses identifying information without authority, they may have committed an offence under the HS Act for which they may be fined up to $9616 (or 50 penalty units with a value of $192.31 each). See ‘A note about penalty units’ at the start of this book.
Confidentiality in a hospital setting is a fluid concept. There may be a large number of people (e.g. doctors, nurses, administration staff) who have access to a person’s file, all of whom have valid reasons for requiring that access.
Confidentiality between patient and health service provider
Doctors and other health service providers may be sued at common law (i.e. judge-made law) if they divulge confidential information without a person’s permission. The individual may sue for breach of contract, breach of confidence or because the health professional has been negligent in disclosing the information. However, such actions are very rare and complaints about breach of confidentiality would now almost always be dealt with under the privacy legislation described above.
Again, it should be noted that it is lawful for a health professional to disclose information if:
- some other law requires disclosure; or
- it can be argued that the person has provided express or implied consent for the disclosure; or
- it may be in the public interest for the information to be disclosed.
Situations where some other laws may require disclosure of otherwise confidential information include:
- revealing to police or a court the presence of alcohol or any other drug in the breath or blood of a driver after a motor accident under Part 5 of the Road Safety Act 1986 (Vic);
- reporting of information under the Births, Deaths and Marriages Registration Act 1996 (Vic);
- reporting a reportable death or a reviewable death to the coroner under the Coroners Act 2008 (Vic);
- reporting cases of suspected child abuse under chapter 4 of the Children, Youth and Families Act 2005 (Vic); and
- notifying infectious diseases and micro-organisms to the Victorian Government Department of Health under Part 8 Division 3 of the Public Health and Wellbeing Act 2008 (Vic) (‘PHW Act’).
Situations where consent to a disclosure of information may be implied include a treating doctor giving information to a health provider they are making a referral to, and reports provided for the purpose of insurance where the person has been examined at the request of the insurer.
Duty to disclose information to third parties
In some cases, the law and ethical guidelines recognise that a health service provider may owe a duty of care to share information with third parties, such as relatives or sexual partners.
Australian courts have been reluctant to recognise such duties because of the potential for conflict between the duty to the patient and the duty to the third party. The law provides little guidance about when it may be in the public interest for a health practitioner to disclose information.
This area of law received attention with the emergence of HIV/AIDS and, more recently, the advent of genetic testing. For example, in the case Harvey v PD (2004) 59 NSWLR 639, the court said that a doctor breached his duty of care to a female patient whose husband, who was also his patient, was HIV positive. Likewise, in the English case of ABC v St George’s Healthcare NHS Trust & Ors [2020] EWHC 455 (QB), the court recognised that a limited duty of geneticists to disclose genetic information about a patient to the patient’s relatives could exist, but held that the duty had not been breached in that case.
In this regard, the provisions of the privacy legislation described above may be relevant. In particular, the Privacy Act permits private health service providers to disclose genetic information in order to avoid serious risks to the life, health or safety of a patient’s genetic relatives, provided that the disclosure is in accordance with the National Health and Medical Research Council’s guideline titled ‘Use and Disclosure of Genetic Information to a Patient’s Genetic Relatives under section 95AA of the Privacy Act 1988 (Cth)’ (APP 6.2(d) and s 16A(4)). This might justify warning relatives that a patient has a genetic condition if the patient will not warn them.