# Breaches of confidentiality
When are you legally allowed or obliged to breach patient confidentiality?
Think of three concentric rings:
| Ring | Legal trigger | Statutory / common‑law source |
|---|---|---|
| 1. Patient says “yes” | Express or implied consent, e.g. a referral letter, a shared‑care plan, or a workers‑comp certificate the patient has asked you to complete. | APP 6.1(a), Privacy Act 1988 |
| 2. Law or policy says “you may / must” even without consent | Authorised or required by law | (a) Public‑health notification of a notifiable disease (state Public Health Acts); (b) mandatory child‑abuse report (state Child‑Protection Acts); (c) AHPRA mandatory notification about another practitioner’s impairment, intoxication, sexual misconduct or gross departure from standards; (d) court / tribunal order or subpoena; (e) police report of certain crimes (e.g. concealing child sexual abuse in NSW/Vic/Qld); (f) transport / firearms laws (e.g. WA Firearms Act; SA Motor Vehicle Act) when a statutory form is prescribed. |
| 3. Privacy Act “permitted situations” (APP 6.2‑6.4) | You reasonably believe disclosure is necessary and it is impracticable to obtain consent | (a) Serious & imminent threat to life, health or safety (APP s 16A, Item 1); (b) medico‑legal defence or insurance: giving notes to your MDO/lawyer/insurer; (c) genetic relatives at serious risk of a heritable condition (APP s 16B); (d) quality‑assurance / research / teaching where de‑identified or ethics‑approved. |
If none of these apply → keep it confidential and seek the patient’s consent.
## 1. What counts as a “breach”?
| Breach type | Typical clinical scenario | Why it matters |
|---|---|---|
| Unauthorised disclosure | Discussing a patient by name in a lift; emailing results to the wrong address; handing a script to the wrong parent. | Contravenes APP 6 of the Privacy Act 1988 unless an exception applies. |
| Unauthorised access | Staff member opens their neighbour’s EMR out of curiosity; cyber‑criminal hacks the PMS. | Triggers OAIC Notifiable Data Breach obligations if “likely to cause serious harm”. |
| Loss of data | Misplaced USB with backups; pathology results left on a café table. | Still a breach even if no‑one is known to have seen the data. |
| Failure to protect | Leaving the consult‑room PC unlocked; talk‑back radio audible on a speakerphone telehealth consult. | APP 11 duty to take “reasonable steps” to secure personal information. |
## 2. When disclosure is lawful without consent
Australian Privacy Principle 6 allows a secondary use/disclosure only if one of these applies (health‑service highlights):
- Patient consent (best practice — written wherever practicable).
- Reasonable expectation (patient would expect the disclosure and it is directly related to care, e.g. referral letter).
- Required or authorised by law → subpoenas, mandatory disease notification, child‑abuse reports, AHPRA notifications.
- Permitted general situation (s 16A):
  - Serious & imminent threat to life/health/safety and impracticable to get consent.
  - Location of a missing person, etc.
- Permitted health situation (e.g. informing genetic relatives of a serious heritable condition).
- Medico‑legal defence (disclosing notes to insurers/lawyers to respond to a claim).
- Quality‑assurance / teaching (with ethics approval or de‑identification).
If none apply → seek consent or keep it confidential.
## 3. Step‑wise risk‑mitigation framework (“the four C’s”)
| Step | Key actions | Tools / tips |
|---|---|---|
| Collect only what you need | Minimum necessary information; avoid social‑media trawling. | Periodic audit of intake forms. |
| Consent & communicate | Obtain specific, informed consent for non‑routine disclosures (e.g. workers’ comp insurer). | Use template consent forms in the EMR. |
| Control access | Role‑based log‑ins; 2‑FA; screen timeout ≤ 2 min; locked cabinets. | IT security policy; regular password updates. |
| Contain & report breaches | 4‑step OAIC plan: Contain → Assess → Notify → Review. | Notifiable Data Breach form within 30 days if serious harm likely. |
## 4. Common medico‑legal pitfalls (with fixes)
| Pitfall | How to fix |
|---|---|
| Discussing cases in corridors / on social media | Adopt a “no patient identifiers outside the consult room” rule; staff training; signage in staff areas. |
| Emails with unencrypted attachments | Use secure messaging (Argus, Medical‑Objects) or password‑protected PDFs; obtain consent if standard email is used. |
| Copy‑all fax to a shared device | Move to secure e‑fax integrated with the EMR; audit fax logs. |
| Cloud storage outside Australia | Ensure the provider signs an APP‑compliant agreement or obtain informed patient consent. |
| Staff access out of curiosity | Automatic EMR audit trails; immediate investigation & disciplinary action (case law shows a reception breach led to an HCC complaint). |
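The “automatic EMR audit trails” fix above only helps if someone actually reviews the trail. The Python script below is an added example, not part of this note and not the audit feature of any particular practice‑management product: it triages a constructed access audit log against an encounter list and a staff directory, flagging clinical‑record views where the accessing user had no encounter with that patient in a 30‑day window, and any access to a patient who shares a surname or street with the staff member (the “neighbour” scenario from section 1). The field names, the 30‑day window, the set of “clinical” actions and the after‑hours band are all assumptions.

```python
"""Curiosity-access triage over a constructed EMR audit trail (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW_DAYS = 30                           # assumed care-relationship window
AFTER_HOURS = (20, 7)                      # assumed: 20:00 to 07:00
CLINICAL_ACTIONS = {"view_notes", "view_results"}  # assumed action names


@dataclass
class Access:
    ts: datetime
    user: str
    patient_id: str
    action: str


@dataclass
class Encounter:
    ts: datetime
    user: str
    patient_id: str


# ---- Constructed sample data (not real people or records) -----------------
STAFF_DIRECTORY = {              # user -> (surname, home street)
    "dr.lee": ("Lee", "Banksia St"),
    "reception1": ("Nguyen", "Wattle Ave"),
}
PATIENTS = {                     # patient_id -> (surname, street)
    "P001": ("Smith", "Acacia Rd"),
    "P002": ("Nguyen", "Wattle Ave"),   # shares surname and street with reception1
    "P003": ("Brown", "Acacia Rd"),
}
ENCOUNTERS = [
    Encounter(datetime(2024, 5, 2, 9, 30), "dr.lee", "P001"),
    Encounter(datetime(2024, 5, 2, 10, 0), "dr.lee", "P003"),
]
ACCESS_LOG = [
    Access(datetime(2024, 5, 3, 11, 0), "dr.lee", "P001", "view_notes"),
    Access(datetime(2024, 5, 3, 22, 15), "reception1", "P002", "view_notes"),
    Access(datetime(2024, 5, 4, 14, 5), "reception1", "P003", "view_demographics"),
    Access(datetime(2024, 5, 4, 14, 6), "dr.lee", "P003", "view_results"),
]


def has_care_relationship(access, encounters, window_days=WINDOW_DAYS):
    """True if the accessing user had an encounter with this patient within the window."""
    lo = access.ts - timedelta(days=window_days)
    hi = access.ts + timedelta(days=window_days)
    return any(
        e.user == access.user and e.patient_id == access.patient_id and lo <= e.ts <= hi
        for e in encounters
    )


def personal_link(access, staff, patients):
    """Heuristic for the neighbour/relative case: shared surname or street."""
    s_surname, s_street = staff[access.user]
    p_surname, p_street = patients[access.patient_id]
    reasons = []
    if s_surname == p_surname:
        reasons.append("same surname as staff member")
    if s_street == p_street:
        reasons.append("same street as staff member")
    return reasons


def is_after_hours(ts):
    start, end = AFTER_HOURS
    return ts.hour >= start or ts.hour < end


def triage(access_log, encounters, staff, patients):
    """Return one finding per suspicious access; clean accesses produce nothing."""
    findings = []
    for a in access_log:
        reasons = []
        # Reception legitimately views demographics without an encounter, so the
        # care-relationship test is applied only to clinical-content actions.
        if a.action in CLINICAL_ACTIONS and not has_care_relationship(a, encounters):
            reasons.append("no encounter with this patient in window")
        links = personal_link(a, staff, patients)
        reasons += links
        if not reasons:
            continue
        if is_after_hours(a.ts):
            reasons.append("after hours")       # context, not a trigger on its own
        findings.append({
            "user": a.user, "patient_id": a.patient_id, "ts": a.ts.isoformat(),
            "action": a.action, "reasons": reasons,
            "severity": "high" if links else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in triage(ACCESS_LOG, ENCOUNTERS, STAFF_DIRECTORY, PATIENTS):
        print(f)
```

Run it weekly over the exported log and hand the findings list to the practice manager: a “high” finding is the trigger for the immediate investigation the table calls for, while “medium” findings are usually explained by covering doctors or multidisciplinary care and are best resolved by extending the encounter export to include the treating team rather than by loosening the check.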
## 5. Quick decision tree
Need to share info?
1. Can I de‑identify? → Do that.
2. Do I have valid consent? → Disclose.
3. Is it required/authorised by law, or a serious threat? → Disclose minimal details and document the legal basis.
4. Otherwise → Don’t disclose. Ask the patient first.
### Take‑home
- Consent first wherever practicable.
- Know the APP 6 exceptions — especially serious threat, legal compulsion, and quality‑assurance.
- Breach = any unauthorised access, disclosure or loss — respond with the OAIC 4‑step plan.
- Good documentation & robust systems are your best medico‑legal defence.