Privacy and confidentiality

People generally assume that all communication between themselves and their doctor, or other health professionals, will remain private. The law generally reflects this expectation, though the principle of confidentiality is subject to exceptions. For example, in some cases information must be disclosed under law.

Situations where some other laws may require disclosure of otherwise confidential information include:

• revealing to police or a court the presence of alcohol or any other drug in the breath or blood of a driver after a motor accident under the Road Safety Act 1986 (Vic);

• reporting information under the Births, Deaths and Marriages Registration Act 1996 (Vic);

• reporting reportable or reviewable deaths to the coroner under the Coroners Act 2008 (Vic);

• reporting cases of suspected child abuse under the Children, Youth and Families Act 2005 (Vic); and

• notifying infectious diseases and micro-organisms to the Victorian Department of Health under the Public Health and Wellbeing Act 2008 (Vic) (‘PHW Act’).

It is also important to note that confidentiality in a healthcare setting can be a fluid concept. Particularly in hospitals, there may be a large number of people (e.g. doctors, nurses, administration staff) who have access to a person’s file, all of whom have valid reasons for requiring that access.

The HR Act and the Privacy Act set out situations in which it is lawful for health professionals and institutions to disclose health information, and also impose obligations relating to data quality, data security and access to health information. 

In Victoria, all health services are subject to the HR Act and its Health Privacy Principles (HPPs), in addition to any specific statutory restrictions on sharing information (see ‘Confidentiality in hospitals and other services’ below). 

Additionally, private health service providers are subject to the Privacy Act and its Australian Privacy Principles (APPs). 

Both Acts set up complaint procedures for individuals who believe confidential information about them has been unlawfully disclosed to a third party or their health information has not been appropriately handled. For more information, see Chapter 12.2: Privacy and your rights.

In Victoria, the Health Services Act 1988 (Vic) (‘HS Act’) establishes the regulatory framework for various kinds of health services, including public and private hospitals, day procedure centres and community health centres. These bodies are each ‘relevant health services’ that are subject to additional confidentiality obligations in section 141 of the HS Act. 

Section 141 applies to the relevant health service itself, the board of the service, a person who is/was a member of the board, a delegate to a board, a proprietor of such a service, or a person engaged or employed in a service or performing work for the service.

These people are prohibited from disclosing information that could directly or indirectly identify an individual, except to carry out functions or exercise powers under legislation or where an exception applies. The exceptions are listed in section 141(3). They include disclosures: 

• with the consent of the person the information is about or, if they have died, their senior available next of kin;

• concerning the condition of a person who is a patient in, or is receiving health services from, a relevant health service, if the information is communicated: (a) in general terms; or (b) by a member of the medical staff of a relevant health service to the next of kin or a near relative of the patient, in accordance with the recognised customs of medical practice;

• required in connection with the further treatment of a patient, or transferred electronically between hospitals via a specially established electronic records system for the treatment of patients;

• in accordance with the Family Violence Information Sharing Scheme provisions of the Family Violence Protection Act 2008 (Vic) or the Child Information Sharing Scheme provisions of the Child Wellbeing and Safety Act 2005 (Vic); and

• in the circumstances specified in the HR Act, including for a secondary purpose directly related to the purpose for which the information was collected (HPP 2.2(a)); for management of a health service or training of employees (HPP 2.2(f)) or to lessen or prevent a serious threat to the life, health, safety or welfare of an individual or a serious threat to public health, public safety or public welfare (HPP 2.2(h)).

These are only some of the exceptions to confidentiality under section 141(3). It is important to consider the precise terms of section 141(3) and the HR Act (where relevant) to determine if section 141 has been breached.

It is an offence to disclose information in contravention of section 141 of the HS Act. The maximum penalty is a fine of up to $9879.50.

Doctors and other health service providers may be sued at common law (i.e. judge-made law) if they divulge confidential information without a person’s permission. The individual may sue for breach of contract, breach of confidence or because the health professional has been negligent in disclosing the information. Defences to such actions might include that the disclosure was made with consent (e.g. disclosure to an insurer who has referred a patient for a health assessment), was required by law or (possibly) was in the public interest. Such actions are very rare. Complaints about breach of confidentiality are more commonly raised under privacy legislation.

In some cases, the law and ethical guidelines recognise that a health service provider may owe a duty of care to share information with third parties, such as relatives or sexual partners. For example, in the case Harvey v PD (2004) 59 NSWLR 639, the court said that a doctor breached his duty of care to a patient by failing to warn her that her husband, who was also his patient, was HIV positive where they were seen together for sexual health testing.

Australian courts have been reluctant to recognise such duties because of the potential for conflict between the duty to the patient and the duty to the third party. The law provides little guidance about when it may be in the public interest for a health practitioner to disclose information to a third party.

The availability of genetic testing has raised questions about whether health service providers should warn relatives of their patient about genetic risks. The Privacy Act permits private health service providers to disclose genetic information in order to avoid serious risks to the life, health or safety of a patient’s genetic relatives, provided that the disclosure is in accordance with the National Health and Medical Research Council’s guideline titled Use and Disclosure of Genetic Information to a Patient’s Genetic Relatives under section 95AA of the Privacy Act 1988 (Cth) (APP 6.2(d); s 16A(4)). This might justify warning relatives that a patient has a genetic condition if the patient will not warn them.