Today’s correspondent tells me that there is
… lots of discussion around the traps regarding legality/responses to paramedics enquiring about outcomes for patients they have brought in to hospital (e.g. asking nurses the next day for learning/education/debrief). It’s very variable within hospitals and even within departments (and I have found it the same when enquiring as nurse to nurse from accepting ED to transferring ED etc). Legally, is this a breach of patient confidentiality?
It would be a breach if all that is being sought is salacious gossip – how did that accident really happen? What was the reaction of the family when they saw/discovered/observed?
Let us assume that is not the case. The paramedic wants to know both because they have an emotional investment in the outcome as well as a professional interest in knowing if their diagnosis was correct and their treatment efficacious. There is privacy legislation in each jurisdiction and they all attempt to give effect to agreed privacy principles. For that reason, I’ll refer to the Commonwealth Act that is mirrored in the state and territory legislation.
Under the Privacy Act 1988 (Cth), personal information ‘means information or an opinion about an identified individual, or an individual who is reasonably identifiable’ (s 6). Health information means (s 6FA):
… information or an opinion about:
(i) the health, including an illness, disability or injury, (at any time) of an individual; or …
(iii) a health service provided, or to be provided, to an individual;
that is also personal information;
It follows that information about the actual diagnosis, prognosis and what was done and is being done for the patient’s benefit is ‘health information’. It is also ‘sensitive information’ (s 6).
There are ‘Permitted health situations in relation to the collection, use or disclosure of health information’ (s 16B) including release for research but none of them apply in this context.
The relevant privacy principle is principle 6. It says that an ‘entity’ (in this case the hospital represented by its employee or agent, ie the nurse) must not use or disclose personal information for a purpose other than which it was collected. Information is recorded on hospital records for the hospital’s purposes and to facilitate treatment of the patient. Giving that information to the paramedics is not about advancing the person’s treatment. It would therefore be a breach unless the patient consents (Principle 6.1(a)) or (Principle 6.2(a)):
… the individual [patient] would reasonably expect the … entity to use or disclose the information for the secondary purpose and the secondary purpose is:
(i) if the information is sensitive information–directly related to the primary purpose; or
(ii) if the information is not sensitive information–related to the primary purpose …
I would think most people would reasonably expect health services to share information in the circumstances but that doesn’t answer the question of whether sharing the information with the paramedics is ‘directly related to the primary purpose’.
I think that’s the ‘out’. If a person complained (and why would they) and the sharing of information really was just giving feedback to the paramedics one could argue that closing that information loop was directly related to the primary purpose of their health care. On the other hand, it is also arguable that it’s not ‘directly’ related to the primary purpose for which information is collected as the paramedics have nothing more to do with the patient’s care. It’s one of those situations where depending on what happened, and what information was shared, someone dealing with a complaint would have a way to find there was no breach.
Having said that it does seem to me that technically it is a breach of relevant privacy principle to tell the treating paramedics what the subsequent diagnosis and treatment was.
Conclusion
I’m surprised by the result but my conclusion is that technically it is a breach of the privacy principles. I say ‘technically’ as I can’t imagine most patients would object and would accept that the paramedics have an interest in knowing how the patient they treated has progressed and provided the release was reasonable and well-motivated, a decision maker could find that the disclosure was directly related to the primary purpose of obtaining and recording personal information.
Even so, on a strict reading of the Act, and subject to the hospital’s published privacy policy, it does appear that giving feedback to the paramedics would be a breach without the patient’s express consent.
POST SCRIPT
When you run a blog like this you have to ‘back yourself’ – that is I give my opinion so I don’t generally seek the opinion of other’s. But the answer to this question seemed perverse so on this occasion I did seek a second opinion from the Office of the Australian Information Commissioner. The Australian Information Commissioner is responsible for the implementation of privacy laws at Commonwealth, not state level, but the privacy principles are the same, but of course the answer below does hedge its bets around potential state/commonwealth differences. In any event I set out the answer in full, and I’ve highlighted the final paragraph which, sadly, reaches the same conclusion I did. Providing health information to the paramedics although probably good for the paramedics ‘may constitute an interference with the privacy of an individual.’
Dear Michael
Thank you for your enquiry. I apologise for the extended delay in our response.
An additional consideration which you have not raised is if the hospital is public or private health service provider. The Australian Privacy Principles (the APPs) contained in the Privacy Act 1988 (Cth) (the Act) regulate the way in which many private sector organisations are to handle personal information and apply to all private health service providers. However the APPs do not apply to State or Territory public health bodies. Contact details for state and territory privacy regulators are available in our other privacy jurisdictions page.
If the APPs do apply, APP 6 outlines when an organisation may use or disclose personal information. Specifically, an organisation may use or disclose an individual’s personal information when it is done for the same purpose for which the information was collected (the primary purpose). Use or disclosure for another purpose (a secondary purpose) is only permitted when one of the exceptions to APP 6 applies.
These exceptions include, but are not limited to, where:
- the secondary purpose is directly related to the primary purpose of collection, and is within the individual’s reasonable expectations
- the individual has consented to the use or disclosure for that other purpose
- the use or disclosure is required or authorised by or under law (see 6.2(b) and 6.2 (e)
- a permitted general situation or a permitted health situation exists in relation to the use or disclosure of the information.
Further information and tips for compliance is available in our published Chapter 6: APP 6 — Use or disclosure of personal information.
Based on the information provided in your email, it does not appear that a the disclosure is for the primary purpose of collection or that any of the exceptions apply.
As such, a disclosure in the circumstances described may constitute an interference with the privacy of an individual.
About us
The Office of the Australian Information Commissioner (the OAIC) regulates the Privacy Act 1988 (Cth) and the Freedom of Information Act 1982 (Cth). The office has the power to investigate complaints about the alleged mishandling of personal information by Australian and Norfolk Island government agencies and many private sector organisations, as well as the power to review FOI decisions of Australian and Norfolk Island government agencies. We are also responsible for handling privacy complaints about ACT public sector agencies.
For further information, please visit our website.
I hope this information has been useful. If you have any further enquiries, please contact theOAIC enquiries line on 1300 363 992.
Yours sincerely
Enquiries Officer
Office of the Australian Information Commissioner
Australian Emergency Law 
As an SES volunteer involved in numerous rescues over many years, this is an annoying situation.
Our rescue teams work for hours to extract a casualty from a situation in a remote location and never hear the outcome (unless the person involved is a local or has local connections). We often never hear of the actual injuries (as opposed to what was diagnosed on-scene).
It may be viewed as unnecessary, as we have done our part of the job and should let go once the casualty is in the ambulance/ helicopter.
There are three reasons, I believe, it is important to receive some feedback:
i) closure – a sense of fufilment that the casualty got to hospital and is recovering (or not); from observations of other volunteers and my personal experience, there is a greater sense of achievement when we hear of the outcome.
ii) ‘professional’ development – knowledge of the injuries actually sustained and the outcome would allow us to review our own procedures and to consider whether we were prepared properly for that rescue (techniques, equipment). Should we have taken in another spine board? Did we have enough people for a ‘carry’? Do we need to purchase another stretcher wheel? Was the first aid kit adequate?
iii) managing our own reactions – in a major trauma incident, where there may be multiple casualties, severe injuries or death, the effects on the volunteers’ psychological well-being (as well as that of any other personnel on scene – police, ambulance, firefighters) can be significant. Knowing the outcome can help volunteers deal with any issues that may arise. It can help them in talking to counsellors about the incident and the effects it has had on them.
Regarding patient privacy, in the majority of cases, we (as SES) do not know (nor need to know) the casualty’s full name. Often we only know a first name / nickname as in the case of conscious and responsive casualties, we ask for a name in order to make a more personal connection with casualty and to create a rapport with them through their pain and discomfort.
All that we would need to know, is that, for example, the paraglider was found to have three broken ribs and should be out of hospital in a couple of days, that the motorcyclist has a broken pelvis but is otherwise all right, or that the driver had a heart attack in the ambulance and did not make it.
Regardless of the outcome, it is better for us to know than not, as it is easier to deal with the real than the unknown.
P.S. Sometimes the casualties let you know what happened themselves.
I wonder if it could be argued that the Public Good over-rides the Private Good? The private benefit to the patient of privacy versus the broader benefit to everyone in society that paramedics get feedback and learn.
There isn’t some general rule that allows the law, passed by Parliament, to be ignored because it seems like a good idea – the legislature has thought of such things so there are rules in the Privacy legislation to allow agencies to share information so a hospital can provide information to family members for compassionate reasons, share information with law enforcement agencies and also share information during declared disasters, but none of that’s relevant here.
I think the best arguments are 1) giving feedback to the paramedics is directly related to the primary purpose information is obtained so hospitals make diagnoses and record health information for reasons other than just health care (eg billing; see a related post https://emergencylaw.wordpress.com/2015/01/31/first-aid-patient-records-who-and-what-are-they-for/). Paramedics record personal health information about the patient and what happened to them and give that to the hospital to advance patient care, completing a feedback loop is good communication practice and I can see therefore that telling them is directly related to the primary purpose for which they were collecting, recording and sharing inforamtion. 2) De minimus non curat lex – the law is not concerned with trifles. This may be a technical breach and giving information for salacious gossip would be wrong, but would anyone including the patient really care or disapprove?
From a CFS Road Rescue brigade in South Australia, I often wonder “how did that person get on” ? “did they get a good outcome”? or similar. No way can I relate this to the persons ongoing medical treatment, but it seems to be a good thing to feed back some general message to the people involved in the effort to assist the person.
One I wonder about is a very old lady who had a fall; We were to assist ambulance as she needed a delicate carry in a stretcher some distance uphill, she was conscious and in great pain (no strong painkillers because of low blood pressure) . She had two broken shoulders. It would be nice to know how she got on. Did she even survive? And its not for any gratification or salacious gossip; its just being a decent concerned human being. But there is no law for that.
The problem is how would you write a law like that? There is a provision in the Privacy Act (Cth) that nearly covers the situation. Section 16B(5) allows for information to be given to ‘a responsible person for the individual’ (which is defined and doesn’t include the treating paramedic) for compassionate reasons. But if you wanted to extend that to carers at the scene how do you define them or draw the line? It would be a very hard law to draft but as I’ve said before, law is not self executing, so it may be a technical breach to release the information is a) anyone going to care (and of course they will if the confidentiality isn’t maintained by the paramedics) and b) I think there arguments a decision maker can use to justify telling at least the paramedics what the outcome was and giving them feedback is directly related to the reason they were collecting and recording information in the first place.
Some of this could be addressed (and may be is) in relevant hospital’s privacy policies.
I was surprised by my own conclusion here so I took the unusual step of writing to the Office of the Australian Information Commissioner (the OAIC). They say “We generally aim to respond to all written enquiries within ten working days. However, we currently have a delay in allocating new enquiries to an officer within that timeframe. At this time it may be 8-12 weeks before an officer is able to respond to your written enquiry. We will contact you earlier if we are able to do so.”
I’ll post any response they come up with, but there’s something wrong if they aim to take 10 days, but actually take 8-12 weeks to respond to a question. Don’t hold your breath!