Privacy and confidentiality

Introduction

An individual’s right to privacy and confidentiality has gained increasing recognition over the past decade. In an emergency setting, where patients are more vulnerable because of illness or injury, staff are often provided with confidential family and legal information that would otherwise not be divulged, trusting that it would be used only to assist in the care of the patient. The law preserving confidentiality in public and private hospitals, day procedure centres and community health centres (called ‘relevant health services’ in the act) is to be found in the relevant sections of individual state and territory health services acts. The section applies to the health service itself, the board of the service or a person who is or was a member of the board, a delegate to a board, a proprietor of such a service or engaged or employed in a service or performing work for it. These people are generally prohibited from disclosing information that could directly or indirectly identify a patient. In addition, the individual state or territory’s health records act and the Privacy Act 1988 (Commonwealth) confer statutory privacy rights on patients whether they are treated in a public or private facility. Both acts set up complaint procedures for patients who believe that confidential information about them has been unlawfully disclosed to a third party. New Zealand has similar legislation.

Physical privacy

Emergency departments (EDs) are necessarily designed in an open plan to increase efficiency, observation and communication, but these requirements do intrude on privacy, particularly if cubicles are separated by curtains rather than solid walls. Consultations may be overheard during history taking and when patients are being discussed with other medical staff or specialists, either directly or by telephone.

Patient privacy incidents occur frequently in an ED, risk factors being length of stay and absence of a walled cubicle. Patients who have their conversations overheard are more likely to withhold information and less likely to have their expectations of privacy met. Privacy and confidentiality are further challenged by the physical design of the department, crowding, visitors, film crews, communication and other factors.

Emergency clinicians should take specific steps to mitigate the risk of privacy incidents. Prior permission should be obtained from the patient to allow students, nurses, other medical officers to be present during the history taking, examination and procedures. This applies both in public and private hospitals. Some aspects of privacy in health care in the ED relate to confidentiality while the patient is being assessed (being overheard, seen, exposed or embarrassed), which relate to ED design as well as staff awareness, sensitivity and care. ED staff may be unaware how their routine behaviour may infringe on patient privacy.

Enclosing staff bays with glass screens may be useful to prevent others from hearing the details of a patient’s history or to prevent patients from becoming unnecessarily alarmed by discussion of serious differential diagnoses. However, this may also create an illusion of separation between clinical staff and patients and may cause patients to feel more isolated. It is of the utmost importance that staff at all times behave in the most appropriate and professional manner, seeing that patients will often observe staff very closely and that comments made by staff may be overheard.

In adolescent patients, privacy needs may exclude communication with a parent. An understanding of the relevant informed consent law relating to minors is required. The federal Privacy Act does not specify an age at which a child is considered of sufficient maturity to make his or her own privacy decisions. Doctors must address each case individually, having regard to the child’s maturity, degree of autonomy, understanding of the circumstances and the sensitivity of the information being sought.

The white board for patient tracking has been replaced by computer screens in most EDs. Often, information on tracking screens is visible to everyone in the ED; therefore it is important to minimized this as much as possible. These problems are more common during the shift change-over period. Staff should be aware of such risks and mitigate them whenever possible. Specific steps include rapid and single sign-on/sign-off solutions, roaming Information technology (IT) profiles, the use of screen savers that activate with a short time lag, and preventing patients and relatives from gaining access to clinical screens.

Well-known people (‘very important persons’ [VIPs], politicians, media personalities, and sports stars) need even more privacy than others, and crowd control is often required, since they may be accompanied by support staff and, perhaps, a bevy of reporters who may be difficult to control. They cannot be restricted until such an individual is actually inside the hospital building, after which security is in charge. Even when outside the building, most of this retinue will accept advice to remain in a provided access zone where they may use their cameras or microphones without intruding on the privacy of other patients or their subject of interest. Hospital staff involved in the care of such patients may also wish to have their own privacy protected. Most hospitals now have media relations officers who can provide regular updated bulletins. It is also important that only those staff involved in the clinical care of these patients access their medical histories. For this reason, hospitals often provide these patients with aliases to protect their privacy.

In addition to the statutory offences of breaching confidentiality, doctors and other healthcare providers may be sued at common law if they divulge confidential information without a patient’s consent. The patient may sue for breach of contract or because the doctor has been negligent in disclosing the information. It should be noted that it is lawful for a health professional to disclose information if

• some other law requires disclosure.

• it can be argued that the person has provided express or implied consent for the disclosure.

• it may be in the public interest for the information to be disclosed.

Mandatory reporting

Mandatory reporting overrides privacy laws where such reporting is for the purpose of protecting the health of individuals or communities. For example, mandatory reporting may take place in order to

• reveal to police or a court the presence of alcohol or any other drug in the breath or blood of a driver after a motor vehicle accident.

• report a reportable or reviewable death to the coroner.

• provide notification of a communicable infectious disease.

• report child abuse.

• report elder abuse.

• report domestic violence.

This becomes more difficult when there is merely a suspicion, but doctors are protected if they report on this basis only. The laws vary between jurisdictions.

Health care providers

There is also the important matter of privacy for health providers. Whether full names should be displayed on identity badges is debatable. Details of contact numbers and home addresses of consultants, medical staff and nurses must be kept confidential, as there are cases of disgruntled or mentally unstable patients harassing and stalking clinical staff. Even if the request for contact details is innocent, it is an invasion of a health care worker’s privacy for that information to be released without consent.

Police and medico-legal reports

Assistance must be given to the police when a criminal offence has been committed. In such cases, patient name, date of birth, address, nature of incident, description of injuries and conscious state may be released. An opinion of causation must not be stated.

If an injured patient is suspected of being a crime victim or perpetrator and may be a danger to his own or another’s life, it is the doctor’s civic duty to inform police of the circumstances.

If a police enquiry is made by telephone, it is important to record the name, station, contact number and, preferably, to call back the station, asking for the information after checking its validity. All police statements should be handled by the hospital’s legal department, including requests and completion of statements by clinical staff.

The doctor should state his or her credentials and experience before giving details of a history and physical findings. It is important to be objective and to avoid venturing opinions outside the doctor’s area of expertise.

Assistance is also given to help police seeking to identify missing or deceased persons.

Medical reports by treating clinicians or experts can be provided to lawyers or police officers acting on behalf of a prosecution or defending lawyer after written consent is obtained from the patient. Such reports are the intellectual property of the doctor writing the report. Although a patient has a right to view reports about himself or herself, there is no right for a copy to be supplied unless an appropriate fee for preparation of the report is paid.

Patient health information

Privacy of patients’ health information refers to

• their medical and social conditions.

• their medical records.

• any images (still, video or diagnostic imaging).

• results of investigations.

• their treatments.

• their treating doctors.

• specialist and medicolegal reports.

Legislation

The confidentiality of health information has been the focus of legislation over recent years.

The Privacy Act 1988 applied only to the Australian Commonwealth public sector, but steps were taken early on to introduce it to the private sector, resulting in the Privacy Amendment (Private Sector) Act 2000, which became a law covering the private (and public) health sector in December 2001. Patients who have been treated in public hospitals are able to gain access to their medical records by means of the relevant state or territory freedom of information act (e.g. Freedom of Information Act 1982 [Victoria]). Patients treated in a private hospital, by a private doctor or other private health professional have a right to gain access under the relevant state or territory health records act (e.g. Health Records Act 2001 [Victoria]) and also under the Privacy Act 1988 (Commonwealth).

New Zealand’s Privacy Act was enacted in 1993 and was used to develop the Health Network Code of Practice and Health Information Privacy Code 1994, which was further modified by the Health Information Standards Organization in 2005.