Key Messages

The Privacy Act and access to health information

The federal Privacy Act requires health service providers in the private sector to give a patient access to their health information if the individual requests it. However, access may be denied to the individual if an exception listed in the Privacy Act applies.

In the case of health information such as medical records, one exception permits a provider to deny the individual access to their information, where giving access 'would pose a serious threat to the life or health of any individual'. However, these circumstances arise only occasionally.

What is a serious threat to life or health?

The threat must be serious, but does not need to be imminent. It could be a serious threat to the life or health of any person, including the patient, practitioner, relatives, staff or other patients. This may include serious threats to physical or mental health. In deciding whether a threat to life or health is 'serious', providers should consider both the likelihood of the threat eventuating, and the severity of the resulting harm to life or health.

What if access would threaten the therapeutic relationship between patient and provider?

In such cases, a provider could only rely on the 'serious threat' exception to deny access where the relationship breakdown would itself pose a serious threat to someone's life or health. An example may include where a patient with a severe mental illness would withdraw from treatment altogether if they saw the information in their record, and the provider believes the withdrawal would seriously threaten the patient's, or anyone else's, life or health.

This exception cannot be relied upon where there is a threat to the therapeutic relationship that does not seriously threaten life or health, although other exceptions may allow denial of access. An example where there is no 'serious threat' may be where giving access to information may cause a patient to decide to seek treatment elsewhere. Those threats may often be overcome through effective provider-patient communication, and by finding mutually satisfactory ways of giving an individual access to their medical record.

In what other circumstances may access be denied?

This information sheet also briefly discusses other exceptions under the Privacy Act, which permit the denial of access to an individual's personal information. This includes where giving access would unreasonably impact on someone else's privacy, or where another law requires or authorises denial of access.

Individuals appreciate and are entitled to have access to their medical records promptly, either for free or at a reasonable cost (under the Privacy Act, any access fees must not be excessive - see Information Sheet 22).

Background

Who is this information sheet for?

This information sheet is relevant to all health service providers in the private sector ('providers'). Providers include:

• general practitioners;
• mental health professionals;
• other board-accredited specialists;
• private hospitals;
• pharmacists;
• private sector nurses; and
• allied and complementary health care providers.[1]

All providers must comply with the 10 National Privacy Principles ('NPPs') contained in the Privacy Act 1988 (Cth) ('the Privacy Act').

Health service providers in the state and territory public sectors (such as public hospitals and their staff) are not bound by the NPPs, but may have to comply with state and territory privacy laws.

What is this information sheet about?

This information sheet deals with one particular exception to an individual's general right to access their own information under NPP 6. That exception, NPP 6.1(b), allows a provider to deny an individual access to their medical record where 'providing access would pose a serious threat to the life or health of any individual'.

Under NPP 6.1, an 'organisation' (including all providers) that holds personal information about an individual must give the individual access to that information if the individual requests it, unless an exception under NPP 6 applies.

In the Office's experience, circumstances that permit the denial of access to health information due to a 'serious threat to life or health' arise only occasionally.

How the 'serious threat' exception permits denial of access

What is a serious threat to life or health?

The threat referred to in NPP 6.1(b) needs to be serious, but it need not be imminent if the information is 'health information' such as a medical record.[2]

Any personal information held by a provider is likely to be 'health information' as defined by the Privacy Act. Personal information is information about an individual whose identity is apparent, or can reasonably be worked out. Further details on this, including the definition of 'health information', are attached at the end of this information sheet.

A serious threat to life or health can refer to physical or mental health. It can be a serious threat to any person, such as:

• the individual themselves;
• practitioners and staff;
• other patients; and
• the individual's family members.

To be 'serious', the threat must be significant. As the Royal Australian College of General Practitioners (RACGP) suggests, 'the threat must be real, not hypothetical or speculative'.[3] In deciding whether a threat to life or health is 'serious', providers should consider both the likelihood of the threat eventuating, and the severity of the resulting harm to life or health.

Example

A provider could deny a patient access to their information if there are reasonable grounds to believe that the patient would cause deliberate self-harm, or harm to others, if access were provided. Reasonable grounds may include:

• where the patient has a history of self harm or violent behaviour; or
• where a diagnosed condition was known to have a higher probability of such behaviour,

and the information may reasonably be expected to provoke such a response.

It may also be possible to deny access where the information requested would cause significant distress to the patient, which in turn would be a serious threat to their physical or mental health, based on a provider's professional assessment of the patient's condition.

What if access would threaten the therapeutic relationship?

In some cases, a provider may deny an individual access to their health information where access would cause a deterioration or breakdown of the therapeutic relationship between patient and provider - but only where the effect on the relationship would itself seriously threaten someone's life or health. The fact that a patient may not like the information they receive does not mean that the provider can deny access to it.

Example

A psychiatrist may rely on NPP 6.1(b) if they reasonably believe that a patient with a mental illness would be so distressed by being provided access to the information in their record, that they would leave the psychiatrist's care and discontinue treatment altogether - to the serious detriment of their mental health.

However, the psychiatrist could not rely on this exception to deny access if no serious threat to life or health exists. For example, where there are no reasonable grounds to believe that the patient will discontinue important healthcare treatment, or if leaving the provider's care would not pose a serious threat to life or health.While the patient may not always be happy with the information, or may be caused some distress, this is not a basis for denying access.

In some cases, there will be no serious threat to life or health, but providing access may present a risk of misunderstanding, anxiety or disagreement between the patient and provider. As part of good communication, the practitioner should consider whether such risks can be minimised without denying access, such as by explaining the information face to face, or by way of an accompanying letter.

In addition, other NPP 6 exceptions could permit access to be denied to all or part of the information sought - including where giving access would have an unreasonable impact on the privacy of others, such as a relative or the practitioner themselves (see 'Some other aspects of dealing with access requests' below).

Predictability of a serious threat

Some stakeholders have noted that the language in NPP 6.1(b) ('would pose a serious threat...') may imply a degree of certainty that is not always possible in clinical environments. The Office recognises that it may be difficult for providers to predict how a patient will react to being given access to health information, particularly where mental health issues are involved.

If a patient complained to the Privacy Commissioner on this issue, the provider would be asked why they believed that a serious threat existed, and must show they had reasonable grounds for that belief. As this is usually a matter of clinical judgement, the Privacy Commissioner draws on clinical expertise from the health sector when considering whether a denial of access meets the requirements of NPP 6.1(b).[4]

In making decisions about whether to give access, providers may wish to take into account when they last saw the patient. If the provider believes a serious threat may exist but has not seen the patient recently, they may wish to consider the need to further assess the patient before deciding whether or not to deny access.

Some other aspects of dealing with access requests

In what other circumstances may access be denied?

Access can only be denied in limited circumstances under NPP 6. Individuals appreciate and are entitled to be given access promptly and at a reasonable cost, or for free (NPP 6.4 deals with access fees[5] - see Information Sheet 22). Nevertheless, there are circumstances where other NPP 6 exceptions may allow denial of access to all or part of an individual's medical record, aside from a serious threat to life or health.[6]

Among other things, these exceptions allow a provider (and other 'organisations') to deny an individual access to their information where:

• giving access would unreasonably impact on another person's privacy - NPP 6.1(c);
• the request is frivolous or vexatious - 6.1(d);
• providing access would be unlawful - 6.1(g);
• denying access is required or authorised by law - 6.1(h);
• giving access would prejudice certain investigations and other legal and law enforcement matters - 6.1(e), (i)-(k).

Where a health service provider intends to rely on one or more of the exceptions to NPP 6 to deny access, they may consider whether it would be acceptable to remove some of the information and give access to the remainder.

Access to clinicians' notes

The exception relating to another person's privacy usually refers to a third party such as a relative.[7] However, it could occasionally apply to the practitioner's privacy. For example, NPP 6.1(c) may allow a psychotherapist to remove certain personal notes before providing access to a patient's medical record. This may apply to 'process notes' taken during counselling sessions, which are of an intimate nature and may record the therapist's own feelings and reactions to what the patient is saying.

The test for this exception is whether giving the patient access to such notes would have an unreasonable impact on the therapist's own privacy. This exception is not intended to allow the exclusion of medical notes more generally. In cases where access could be denied or limited on these grounds, it may be possible to provide a summary or other form of access that would be acceptable to the patient, without interfering with anyone else's privacy.

Different ways of providing access

NPP 6 does not specify the manner or form in which access should be provided to the individual. In the Office's view, access should generally be provided in the form requested by the individual (such as a copy or summary), unless there are significant reasons preventing this. In some cases, an exception under NPP 6 may justify denying access in a specific form. If another form of access would be acceptable then access should be given in that form.

For example, if an individual requests a copy of their medical record, but the provider believes this would seriously threaten a person's life or health (or another NPP 6 exception applies), the provider should consider whether this threat could be mitigated by giving access in a different way. This could include:

• discussing the information in person, as well as (or instead of) providing a copy;
• giving an accurate summary of the requested information;
• withholding parts of the record to which an exception applies, and giving access to the rest; or
• facilitating access through a mutually agreed intermediary (such as another health service provider), as provided for in NPP 6.3.[8]

Reasons for denial of access

NPP 6.7 requires that reasons must be given to the individual for denial of access. In most cases the Office expects providers to advise individuals which NPP 6 exception they are relying on to deny access. This allows the individual to understand why access has been denied, and may help them decide whether to challenge the denial of access.

However, where access is denied on the basis of a serious threat to life or health, the provider need not specify the precise provision relied upon if they are concerned this would cause the very harm which the denial of access is meant to prevent.

When providing reasons in such circumstances, it may be appropriate to offer the patient a further opportunity to discuss the issues raised in the medical record and to advise that they may contact the Privacy Commissioner to discuss their rights. More information on NPP 6.7 can be found at the end of Information Sheet 4 - Access and Correction

Further information

Definitions of 'personal information' and 'health information'

Briefly, 'personal information' is information or an opinion (whether true or not) about an individual whose identity is apparent, or can reasonably be ascertained. 'Sensitive information' is a defined sub-category of personal information, and it includes 'health information'.

'Health information' is defined under section 6 of the Privacy Act as:

• (a) information or an opinion about:
  • (i) the health or a disability (at any time) of an individual; or
  • (ii) an individual's expressed wishes about the future provision of health services to him or her; or
  • (iii) a health service provided, or to be provided, to an individual;
  • that is also personal information; or
• (b) other personal information collected to provide, or in providing, a health service; or
• (c) other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances; or
• (d) genetic information about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual.

More information on complying with NPP 6 access requests can be found here:

• Information Sheet 4 - Access and Correction
• Information Sheet 22 - Fees for Access to Personal Information
• Guidelines on Privacy in the Private Health Sector
• Guidelines to the National Privacy Principles

Other general privacy relevant to health service providers is available at:

• National Privacy Principles
• Information Sheets
• Frequently Asked Questions - Health Privacy

Private Sector Information Sheets

Information sheets are advisory only and are not legally binding. The National Privacy Principles in Schedule 3 of the Privacy Act do legally bind organisations.

Information sheets are based on the Office of the Privacy Commissioner's understanding of how the Privacy Act works. They provide explanations of some of the terms used in the NPPs and good practice or compliance tips. They are intended to help organisations apply the NPPs in ordinary circumstances. Organisations may need to seek separate legal advice on the application of the Privacy Act to their particular situation. Nothing in an information sheet limits the Privacy Commissioner's ability to investigate complaints under the Privacy Act or to apply the NPPs in the way that seems most appropriate to the facts of the case being dealt with. Organisations may also wish to consult the Commissioner's guidelines and other information sheets.

Office of the Privacy Commissioner

Privacy Enquiries Line 1300 363 992 - local call (calls from mobile and pay phones may incur higher charges) TTY 1800 620 241 - no voice calls; Fax + 61 2 9284 9666; GPO Box 5218, Sydney NSW 2001.

Private Sector Information Sheet 21 Web HTML, Word and PDF published March 2008 ISBN 978-1-877079-54-2
© Commonwealth of Australia 2008

[1] These include physiotherapists, chiropractors, occupational therapists, speech therapists and others. More information on health service providers covered by the Privacy Act is available at www.privacy.gov.au/materials/types/guidelines/view/6517#a21.

[2] For non-health information, a threat related to providing access would need to be both serious and imminent for the equivalent exception to allow denial of access (NPP 6.1(a)).

[3] RACGP and others (2002), Handbook for the Management of Health Information in Private Medical Practice, p 7.

[4] See, for example, K v Health Service Provider [2007] PrivCmrA 13.

[5] NPP 6.4 states that any charges for providing access to personal information must not be excessive, and must not apply to lodging a request for access. For more information on determining a reasonable access fee, see the Office's Information Sheet 22.

[6] These exceptions are examined in detail in the Guidelines on Privacy in the Private Health Sector.

[7] See, for example, K v Health Service Provider [2007] PrivCmrA 13.

[8] NPP 6.3 states that if access may be denied under an NPP 6 exception, 'the organisation must, if reasonable, consider whether the use of mutually agreed intermediaries would allow sufficient access to meet the needs of both parties'. For more information on intermediaries, see the Guidelines on Privacy in the Private Health Sector.