Australia: The dangers of accessing health records without consent

Electronic medical records are now the norm in most hospitals and medical practices. There are undoubtedly many benefits, enabling health practitioners to work more efficiently and provide care to patients with less delay.

However, with this ease of access to sensitive health information, medical practitioners must ensure that they have obtained the relevant consent and/or authority to access an individual's health records who are not under their care. There can be serious ramifications if records are accessed without such consent or authority in place and such conduct is likely to be viewed by the Medical Board and/or a responsible Tribunal as serious conduct falling below the standard expected of a medical practitioner and a breach of their ethical obligations.  

The case of Health Care Complaints Commissioner v Payne  [2021] NSWCATOD 145 (Payne) demonstrates the serious risks health practitioners face if they access patient health records without authority. In that case, a nurse's registration was cancelled and a non-review period of six months was imposed.

Whilst this case is on the extreme end in terms of conduct and the health practitioner clearly accessed records without the patients' consent or authority and for her own personal gain, the case is a timely reminder for medical practitioners to ensure they have the appropriate authority in place before they access health records of any individual and that such access or disclosure is for a proper purpose.

What happened?

Between January and August 2019, whilst working in the intensive care unit of a hospital, a nurse accessed her own health records as well as the health records of:

• her husband;
• two former partners of the husband;
• three children of the husband; and
• 27 people who had no apparent association with her.

These records were held on an electronic database maintained by the hospital and access was password protected. None of the patients she accessed the health records of were ICU patients or in her care.

In her employment at the hospital, the nurse had received training about restrictions on access to health records and the obligation to maintain confidentiality. She admitted she understood that access to health records was only permitted for the purpose of providing care to patients. She also admitted when she accessed the records of her husband's family members she understood she lacked the authority to do so.

The hospital terminated her employment and notified NSW Police and the Independent Commission Against Corruption (ICAC). The nurse was charged under section 308H(1) of the Crimes Act 1900  (NSW), which makes it an offence for a person to cause unauthorised access to restricted data held in a computer. The nurse pleaded guilty and a conditional release order was made for a period of 12 months.

In separate disciplinary proceedings, the Tribunal found the nurse accessed the health records of family members for the purpose of providing information contained in those records to her husband, to be used by him in family law proceedings. In addition, she admitted accessing information contained in her husband's health records for use by him in a compensation claim. In relation to the other health records, the Tribunal noted there were a number of reasons which could have explained the nurse's actions, including idle curiosity.

Tribunal noted that while her conduct could not be described as 'falling at the high end of the scale in terms of criminality', it was a very serious breach of her ethical obligations with respect to the use of health records. The Tribunal warned:

"It goes without saying that unauthorised access by a health practitioner of health records is conduct of a most serious nature."

The Tribunal found that because the nurse could not offer any plausible explanation as to why she accessed the health records in many instances, there was an appreciable risk she would again abuse her position and access health records without authorisation.

Ultimately, her registration was cancelled and a non-review period of six months was imposed.

The Health Legislation Amendment (Information Sharing) Bill 2021

The timing of this case is significant. The Victorian Health Legislation Amendment (Information Sharing) Bill 2021 is likely to pass into law in coming months. This Bill aims to improve health outcomes by electronically sharing patient data and medical records across public hospitals and services through a central database.

Under the system, patient health information state-wide will be collated and stored in one central location. Participating health services state-wide will then be able to access that information for care delivery. The intention is to address the challenges associated with a fragmented patient health information system, where information is spread across different health services, databases and in paper records.

A particular concern is that patient consent will not be required for the collection, use and disclosure of their health information, nor will patients be able to opt-out of the system. To ensure appropriate security measures are in place, the Bill introduces two new criminal offences to specifically deal with unauthorised access and access for unauthorised purposes. These criminal offences will attract a fine of 240 penalty units or a maximum term of imprisonment of two years.

This approach would bring Victoria in line with NSW and Queensland, which have centralised health record systems. Due to the nature of such systems, where any public health provider in the state can potentially access any patient's records, the scope for and risk of abuse and breaches of privacy is much greater. Accordingly, an uncompromising stance is taken to prevent this occurring. As AMA President Dr Roderick McRae recognises, it's a complex balance between protecting privacy and ensuring the health care system is efficient and safe.

It is worth noting that the current approach in Victoria is no less stringent than in NSW. For example, in the case of Nursing and Midwifery Board of Australia v Middleton  [2020] VCAT 744, a registered nurse had accessed a patient's medical records without authority on four occasions while being in a personal and sexual relationship with him. The nurse admitted that on at least one occasion, she had accessed the records in the absence of the treating doctor because the patient had asked her to do it to help him pursue a compensation claim. The Tribunal held her misconduct was of 'a very serious nature', and she was ultimately reprimanded and disqualified for one year.

When is it appropriate?

The complex balance is further borne out by various circumstances in which it may be appropriate for medical practitioners to access and disclose the health records of patients who are not under their care. Under the Privacy Act 1988  (Cth), such circumstances can include:

• Certain types of medical research;
• Certain health service management or monitoring activities (such as audits and quality assurance);
• To lessen or prevent a serious threat to the life, health or safety of any individual or to the public health or safety; and
• Taking appropriate action in relation to suspected unlawful activity or serious misconduct.

There may also be circumstances where medical practitioners are required  to access and disclose health information, including:

• Notification of births and deaths;
• By warrant, subpoena or court order; and
• Mandatory disease notification.

Ultimately however, medical practitioners should only access health records for the purpose of providing medical treatment to the patient, and in accordance with the practice or hospital's policies. For access for non-clinical purposes, this should be done in accordance with relevant legislation and policies. In all instances, the patient's consent should be obtained. If this is not possible, where appropriate, the patient should at least be informed of their records having been accessed and this information should be documented in their records.

Best practices

There are potentially serious ramifications for inappropriately accessing health records. As the case of Payne  demonstrates, these can include:

• Termination of employment;
• Disciplinary proceedings;
• Criminal proceedings; and
• Investigations by bodies such as ICAC or the Privacy Commissioner.

Even if you are not the one who actually accessed the records, if your credentials were used and that is recorded in the system, it will be very difficult to argue you were not involved in accessing the records.  Therefore, it is imperative that medical practitioners take best practices to protect themselves. Some simple steps practitioners can take include:

• Being up-to-date with your workplace's policies which govern the use of and access to health records;
• Being familiar with the terms of the Codes of Conduct published by your registration board, which make clear the requirements for ethical conduct and maintaining confidentiality of health records; and
• Always remembering to log out of computers, whether public or private, to avoid your credentials being linked to unauthorised accessing of records by other staff.