PRIVATE SECTOR INFORMATION SHEET 21 - Denial of access to health information due to a serious threat to life or health
View printable version of this page
Key Messages
The Privacy Act and access to health information
The federal Privacy Act requires health service providers in the private
sector to give a patient access to their health information if the individual
requests it. However, access may be denied to the individual if an exception
listed in the Privacy Act applies.
In the case of health information such as medical records, one exception
permits a provider to deny the individual access to their information, where
giving access 'would pose a serious threat to the life or health of any
individual'. However, these circumstances arise only occasionally.
What is a serious threat to life or health?
The threat must be serious, but does not need to be imminent. It could be a
serious threat to the life or health of any person, including the patient,
practitioner, relatives, staff or other patients. This may include serious
threats to physical or mental health. In deciding whether a threat to life or
health is 'serious', providers should consider both the likelihood of the threat
eventuating, and the severity of the resulting harm to life or health.
What if access would threaten the therapeutic relationship between patient
and provider?
In such cases, a provider could only rely on the 'serious threat' exception
to deny access where the relationship breakdown would itself pose a serious
threat to someone's life or health. An example may include where a patient with
a severe mental illness would withdraw from treatment altogether if they saw the
information in their record, and the provider believes the withdrawal would
seriously threaten the patient's, or anyone else's, life or health.
This exception cannot be relied upon where there is a threat to the
therapeutic relationship that does not seriously threaten life or
health, although other exceptions may allow denial of access. An example where
there is no 'serious threat' may be where giving access to information may cause
a patient to decide to seek treatment elsewhere. Those threats may often be
overcome through effective provider-patient communication, and by finding
mutually satisfactory ways of giving an individual access to their medical
record.
In what other circumstances may access be denied?
This information sheet also briefly discusses other exceptions under the
Privacy Act, which permit the denial of access to an individual's personal
information. This includes where giving access would unreasonably impact on
someone else's privacy, or where another law requires or authorises denial of
access.
Individuals appreciate and are entitled to have access to their medical
records promptly, either for free or at a reasonable cost (under the Privacy
Act, any access fees must not be excessive - see Information Sheet
22).
Background
Who is this information sheet for?
This information sheet is relevant to all health service providers in the
private sector ('providers'). Providers include:
- general practitioners;
- mental health professionals;
- other board-accredited specialists;
- private hospitals;
- pharmacists;
- private sector nurses; and
- allied and complementary health care providers.[1]
All providers must comply with the 10 National Privacy Principles ('NPPs')
contained in the Privacy Act 1988 (Cth) ('the Privacy Act').
Health service providers in the state and territory public sectors (such as
public hospitals and their staff) are not bound by the NPPs, but may have to
comply with state and
territory privacy laws.
What is this information sheet about?
This information sheet deals with one particular exception to an individual's
general right to access their own information under NPP 6. That exception, NPP
6.1(b), allows a provider to deny an individual access to their medical record
where 'providing access would pose a serious threat to the life or health of any
individual'.
Under NPP 6.1, an 'organisation' (including all providers) that holds
personal information about an individual must give the individual access to that
information if the individual requests it, unless an exception
under NPP 6 applies.
In the Office's experience, circumstances that permit the denial of access to
health information due to a 'serious threat to life or health' arise only
occasionally.
How the 'serious threat' exception permits denial of access
What is a serious threat to life or health?
The threat referred to in NPP 6.1(b) needs to be serious, but it need not be
imminent if the information is 'health information' such as a medical record.[2]
Any personal information held by a provider is likely to be 'health
information' as defined by the Privacy Act. Personal information is information
about an individual whose identity is apparent, or can reasonably be worked out.
Further details on this, including the definition of 'health information', are
attached at the end of this information sheet.
A serious threat to life or health can refer to physical or mental health. It
can be a serious threat to any person, such as:
- the individual themselves;
- practitioners and staff;
- other patients; and
- the individual's family members.
To be 'serious', the threat must be significant. As the Royal Australian
College of General Practitioners (RACGP) suggests, 'the threat must be real, not
hypothetical or speculative'.[3] In
deciding whether a threat to life or health is 'serious', providers should
consider both the likelihood of the threat eventuating, and the severity of the
resulting harm to life or health.
Example
A provider could deny a patient access to their information if there are
reasonable grounds to believe that the patient would cause deliberate self-harm,
or harm to others, if access were provided. Reasonable grounds may include:
- where the patient has a history of self harm or violent behaviour; or
- where a diagnosed condition was known to have a higher probability of such
behaviour,
and the information may reasonably be expected to provoke such a response.
It may also be possible to deny access where the information requested would
cause significant distress to the patient, which in turn would be a serious
threat to their physical or mental health, based on a provider's professional
assessment of the patient's condition.
What if access would threaten the therapeutic relationship?
In some cases, a provider may deny an individual access to their health
information where access would cause a deterioration or breakdown of the
therapeutic relationship between patient and provider - but only where the
effect on the relationship would itself seriously threaten someone's life or
health. The fact that a patient may not like the information they receive does
not mean that the provider can deny access to it.
Example
A psychiatrist may rely on NPP 6.1(b) if they reasonably believe that a
patient with a mental illness would be so distressed by being provided access to
the information in their record, that they would leave the psychiatrist's care
and discontinue treatment altogether - to the serious detriment of their mental
health.
However, the psychiatrist could not rely on this exception to deny access if
no serious threat to life or health exists. For example, where there are no
reasonable grounds to believe that the patient will discontinue important
healthcare treatment, or if leaving the provider's care would not pose a serious
threat to life or health.While the patient may not always be happy with the
information, or may be caused some distress, this is not a basis for denying
access.
In some cases, there will be no serious threat to life or health, but
providing access may present a risk of misunderstanding, anxiety or disagreement
between the patient and provider. As part of good communication, the
practitioner should consider whether such risks can be minimised without denying
access, such as by explaining the information face to face, or by way of an
accompanying letter.
In addition, other NPP 6 exceptions could permit access to be denied to all
or part of the information sought - including where giving access would have an
unreasonable impact on the privacy of others, such as a relative or the
practitioner themselves (see 'Some other aspects of dealing with access
requests' below).
Predictability of a serious threat
Some stakeholders have noted that the language in NPP 6.1(b) ('would pose a
serious threat...') may imply a degree of certainty that is not always possible
in clinical environments. The Office recognises that it may be difficult for
providers to predict how a patient will react to being given access to health
information, particularly where mental health issues are involved.
If a patient complained to the Privacy Commissioner on this issue, the
provider would be asked why they believed that a serious threat existed, and
must show they had reasonable grounds for that belief. As this is usually a
matter of clinical judgement, the Privacy Commissioner draws on clinical
expertise from the health sector when considering whether a denial of access
meets the requirements of NPP 6.1(b).[4]
In making decisions about whether to give access, providers may wish to take
into account when they last saw the patient. If the provider believes a serious
threat may exist but has not seen the patient recently, they may wish to
consider the need to further assess the patient before deciding whether or not
to deny access.
Some other aspects of dealing with access requests
In what other circumstances may access be denied?
Access can only be denied in limited circumstances under NPP 6. Individuals
appreciate and are entitled to be given access promptly and at a reasonable
cost, or for free (NPP 6.4 deals with access fees[5] - see Information Sheet
22). Nevertheless, there are circumstances where other NPP 6 exceptions may
allow denial of access to all or part of an individual's medical record, aside
from a serious threat to life or health.[6]
Among other things, these exceptions allow a provider (and other
'organisations') to deny an individual access to their information where:
- giving access would unreasonably impact on another person's privacy - NPP
6.1(c);
- the request is frivolous or vexatious - 6.1(d);
- providing access would be unlawful - 6.1(g);
- denying access is required or authorised by law - 6.1(h);
- giving access would prejudice certain investigations and other legal and law
enforcement matters - 6.1(e), (i)-(k).
Where a health service provider intends to rely on one or more of the
exceptions to NPP 6 to deny access, they may consider whether it would be
acceptable to remove some of the information and give access to the remainder.
Access to clinicians' notes
The exception relating to another person's privacy usually refers to a third
party such as a relative.[7] However,
it could occasionally apply to the practitioner's privacy. For example, NPP
6.1(c) may allow a psychotherapist to remove certain personal notes before
providing access to a patient's medical record. This may apply to 'process
notes' taken during counselling sessions, which are of an intimate nature and
may record the therapist's own feelings and reactions to what the patient is
saying.
The test for this exception is whether giving the patient access to such
notes would have an unreasonable impact on the therapist's own privacy. This
exception is not intended to allow the exclusion of medical notes more
generally. In cases where access could be denied or limited on these grounds, it
may be possible to provide a summary or other form of access that would be
acceptable to the patient, without interfering with anyone else's privacy.
Different ways of providing access
NPP 6 does not specify the manner or form in which access should be provided
to the individual. In the Office's view, access should generally be provided in
the form requested by the individual (such as a copy or summary), unless there
are significant reasons preventing this. In some cases, an exception under NPP 6
may justify denying access in a specific form. If another form of access would
be acceptable then access should be given in that form.
For example, if an individual requests a copy of their medical record, but
the provider believes this would seriously threaten a person's life or health
(or another NPP 6 exception applies), the provider should consider whether this
threat could be mitigated by giving access in a different way. This could
include:
- discussing the information in person, as well as (or instead of) providing a
copy;
- giving an accurate summary of the requested information;
- withholding parts of the record to which an exception applies, and giving
access to the rest; or
- facilitating access through a mutually agreed intermediary (such as another
health service provider), as provided for in NPP 6.3.[8]
Reasons for denial of access
NPP 6.7 requires that reasons must be given to the individual for denial of
access. In most cases the Office expects providers to advise individuals which
NPP 6 exception they are relying on to deny access. This allows the individual
to understand why access has been denied, and may help them decide whether to
challenge the denial of access.
However, where access is denied on the basis of a serious threat to life or
health, the provider need not specify the precise provision relied upon if they
are concerned this would cause the very harm which the denial of access is meant
to prevent.
When providing reasons in such circumstances, it may be appropriate to offer
the patient a further opportunity to discuss the issues raised in the medical
record and to advise that they may contact the Privacy Commissioner to discuss
their rights. More information on NPP 6.7 can be found at the end of Information Sheet 4 -
Access and Correction
Further information
Definitions of 'personal information' and 'health information'
Briefly, 'personal information' is information or an opinion (whether true or
not) about an individual whose identity is apparent, or can reasonably be
ascertained. 'Sensitive information' is a defined sub-category of personal
information, and it includes 'health information'.
'Health information' is defined under section 6 of the Privacy Act as:
- (a) information or an opinion about:
- (i) the health or a disability (at any time) of an individual; or
- (ii) an individual's expressed wishes about the future provision of health
services to him or her; or
- (iii) a health service provided, or to be provided, to an individual;
- that is also personal information; or
- (b) other personal information collected to provide, or in providing, a
health service; or
- (c) other personal information about an individual collected in connection
with the donation, or intended donation, by the individual of his or her body
parts, organs or body substances; or
- (d) genetic information about an individual in a form that is, or could be,
predictive of the health of the individual or a genetic relative of the
individual.
More information on complying with NPP 6 access requests can be found
here:
Other general privacy relevant to health service providers is available at:
Private Sector Information Sheets
Information sheets are advisory only and are not legally binding. The
National Privacy Principles in Schedule 3 of the Privacy Act do legally bind
organisations.
Information sheets are based on the Office of the Privacy Commissioner's
understanding of how the Privacy Act works. They provide explanations of some of
the terms used in the NPPs and good practice or compliance tips. They are
intended to help organisations apply the NPPs in ordinary circumstances.
Organisations may need to seek separate legal advice on the application of the
Privacy Act to their particular situation. Nothing in an information sheet
limits the Privacy Commissioner's ability to investigate complaints under the
Privacy Act or to apply the NPPs in the way that seems most appropriate to the
facts of the case being dealt with. Organisations may also wish to consult the
Commissioner's guidelines and other information sheets.
Office of the Privacy Commissioner
Privacy Enquiries Line 1300 363 992 - local call (calls from
mobile and pay phones may incur higher charges)
TTY 1800 620 241 - no voice
calls; Fax + 61 2 9284 9666; GPO Box 5218, Sydney NSW 2001.
Private Sector Information Sheet 21
Web HTML, Word and PDF published
March 2008
ISBN 978-1-877079-54-2
© Commonwealth of Australia 2008
[1] These include physiotherapists,
chiropractors, occupational therapists, speech therapists and others. More
information on health service providers covered by the Privacy Act is available
at www.privacy.gov.au/publications/hg_01.html#a21.
[2] For non-health
information, a threat related to providing access would need to be both
serious and imminent for the equivalent exception to allow denial of
access (NPP 6.1(a)).
[3] RACGP and others (2002),
Handbook for the Management of Health Information in Private Medical
Practice, p 7.
[4] See, for example, K v Health
Service Provider [2007] PrivCmrA 13.
[5] NPP 6.4 states that any charges for
providing access to personal information must not be excessive, and must not
apply to lodging a request for access. For more information on determining a
reasonable access fee, see the Office's Information Sheet
22.
[6] These exceptions are examined in
detail in the Guidelines on
Privacy in the Private Health Sector.
[7] See, for example, K v Health
Service Provider [2007] PrivCmrA 13.
[8] NPP 6.3 states that if access may
be denied under an NPP 6 exception, 'the organisation must, if reasonable,
consider whether the use of mutually agreed intermediaries would allow
sufficient access to meet the needs of both parties'. For more information on
intermediaries, see the Guidelines on
Privacy in the Private Health Sector.
|
HOME > PRIVATE SECTOR INFORMATION SHEET 21 - Denial of access to health information due to a serious threat to life or health
