Today’s correspondent asks about access to medical records where:

… St John Ambulance (or any private EMS organisation) provides medical services to a venue. The venue wants access to the patient record. What are the legalities around this?

It is quite possible a staff member is treated and discloses quite personal medical information (mental health / HIV) in the course of being treated for an injury e.g. trip.

Can we share records? What are the limitations/considerations?

The critical question is ‘who owns the records?’

The Courts on ownership of medical records

The starting point is the High Court of Australia’s decision in Breen v Williams [1996] HCA 57. In that case the plaintiff, Ms Breen claimed a right to access ‘her’ medical records, that is the records kept by the medical practice regarding her ongoing care. Brennan CJ said (at [11] of his judgment) “Documents prepared by a professional person to assist the professional to perform his or her professional duties are not the property of the lay client; they remain the property of the professional”.

Gaudron and McHugh JJ said (at [7] of their judgment)

The concession that Ms Breen did not own the documents was plainly correct. Professional persons are not ordinarily agents of their clients … Documents prepared by an agent are ordinarily the property of the principal. But documents prepared by a professional person to assist him or her to do work for a client are the property of the professional person, not the lay client.

Dawson, Toohey and Gummow JJ agreed that the practice, and not the patient owned the physical documents that constituted the medical record.

Critical in that discussion was the rule of agency. The doctor was not the patient’s agent and was not completing the documents ‘for’ the patient. That would be different if a patient brought a form in that needed to be completed by a medical practitioner and engaged the practitioner to complete the form. That record would belong to the patient, not the doctor.

Prima facie that suggests that the records are owned by the person completing them, in the context of today’s question, the first aider particularly if they are a registered health professional.  But it’s not that simple. Breen v Williams answered the question of whether the patient owned the record and the court held that she did not. The doctor, in that case, owned them because of the nature of his practice.

In Health Services for Men Pty Ltd v D’Souza [2000] NSWCA 56, Dr D’Souza practised in a health clinic. He was not an employee but a contractor.  The headnote (ie a summary rather than the actual judgment) says:

Contrary to the trial Judge’s view, the relationship between each respondent [doctor] and the appellants [Health Services for Men Pty Ltd] was a contractual one whereby the [doctors] agreed to assist [Health Services for Men Pty Ltd] to provide the diagnostic and treatment service that the appellants offered.

There was no basis upon which it could be inferred, or implied as a matter of contract, that the parties intended that the examination sheets became the property of the [doctors]. …

Mason P said (at [8], emphasis added):

The passages in Breen v Williams (1996) 186 CLR 71 recognising that a professional person may have property in certain documents prepared in the performance of professional duties address the position as between the professional and the lay patient or client. They have nothing to say about ownership as between groups of professionals (eg partners inter se or an employer and employee) or as between a corporation employing or engaging the services of professionals.

What these cases tell us is that unless there is an express contractual term where a health practitioner is asked to complete a record either for the patient, or for another organisation, then the author of the document owns the document.  In Breen v Williams Ms Williams did not contract with Dr Breen for the doctor to complete a certificate as someone might if they need a doctor’s clearance for work or travel so Dr Breen owned his own records. In Health Services for Men Pty Ltd v D’Souza, the company did contract with the doctors that they would, amongst other things, complete the company’s records as the patients were coming to the company, not the particular doctor, for treatment.

In the context of the EMS organisation one can infer that the staff and volunteers are completing the patient care records for the EMS organisation not for themselves. People attend the St John first aid post to be treated by ‘St John Ambulance’ not the particular individual on duty. It is part of the member’s duty to complete the organisations patient care record, so the record belongs to St John, not the member completing it. But that does not suggest that the record belongs to the venue or organiser that requested the first aid services.

The relationship between the EMS organisation and the venue is the issue raised by Mason P of ‘a corporation employing or engaging the services of professionals’.  In that case ownership of the medical records, and therefore access to them, would depend on the terms of the agreement and the practices adopted. 

The EMS organisation owns the records

If the EMS organisation has its own patient records that its staff complete, that are used for its purposes (eg billing, quality assurance and continuity of care) then the inference is that the patient records are owned by the EMS organisation.  As they have collected and recorded the information it is incumbent upon them to use the information in accordance with the privacy principles (Privacy Act 1988 (Cth) Schedule 1).  There are 13 principles but the most relevant one is principle 6 which says, in effect, that the information must only be used and disclosed for the purposes for which the information was obtained.  The information was obtained to allow the EMS organisation to provide care for the patient and, I would suggest, for the EMS organisation’s own purposes (see First aid patient records – who and what are they for? (January 31, 2015)). 

Information could be shared with the venue for its purposes if the patient consents to the sharing of the information or (Privacy Principle 6.2):

… the individual would reasonably expect the [EMS organisation] to use or disclose the information for the secondary purpose and the secondary purpose is:

(i) if the information is sensitive information–directly related to the primary purpose; or

(ii) if the information is not sensitive information–related to the primary purpose;

Sensitive information includes ‘health information’ that is:

(a) information or an opinion about:

(i) the health, including an illness, disability or injury, (at any time) of an individual; or

(ii) an individual’s expressed wishes about the future provision of health services to the individual; or

(iii) a health service provided, or to be provided, to an individual;…

where the person is identified or could be reasonably identified (ss 6FA definition of ‘health information’ and s 6 definition of ‘personal information’).

Therefore, the health information could be shared if a) the patient would reasonably expect it was going to be shared and b) it was directly related to the primary purpose for which the information was retained which, I would suggest, is the provision of health care.  Whether those criteria are met would depend on the particular circumstances of the event and what the EMS provider has been contracted to do.  If the EMS organisation is providing work-based health screening then those conditions may be met, but I infer that is not what is being considered.

If were considering ‘event first aid’ and it is simply by bad luck that the person seeking care is an employee of the venue rather than, say a ticket holder then the criteria above may not be met. The venue would have a legitimate interest in knowing how many people were treated and the nature of injuries or illness. Sharing deidentified statistical information is no breach of privacy. The venue may also have an interest in knowing the identify of those treated as it may want to follow up and may of course face compensation claims. Whether sharing that information is ‘directly’ related to the primary purpose for which the information was obtained or whether a patient would ‘reasonably expect’ that information to be shared would again depend on the context and in particular what the patient is told.

My own feeling is that I was an employee and went to my employer’s health service for first aid I would not expect the health service to report the details to the employer. It would be different if I knew I was going for a physical examination to check for fitness for duty or for a compensation claim, but not just for treatment.  Even if I was injured ‘at work’ it would be up to me to decide to notify my employer. If that is a reasonable expectation, I would also expect that if my employer had contracted with an EMS organisation and I got injured and needed to go to them, they too would keep confidential the ‘sensitive’ information obtained.

If there is a subsequent compensation claim, the patient care records would be available under the legal processes of ‘discovery’ or ‘subpoena’. We don’t need to consider those in detail suffice to say that the release of confidential records in response to legal process is not a breach of privacy, and the venue could access the material but only if and when it becomes necessary to do so.

The venue owns the records

But it may be that the venue owns the records. This would be the case if, for example, the venue provided the patient care record and as part of its contract with the EMS organisation it asked the EMS organisation to complete the company’s records. In that case, as in Health Services for Men Pty Ltd v D’Souza, the person completing the record is doing so as agent for the venue.  If that were the case, then they are the venue’s records and of course they can look at them.

In that case, however, Privacy Principle 3 says that information should only be collected that is necessary for the purpose of the entity collecting it. The venue has a legitimate interest in knowing how many people require care and the nature of the injuries or illness that are reported as that may raise flags about risk and that action somewhere is required. But do they have a legitimate interest in knowing all the personal details of everyone treated as they are not going to be providing any ongoing care? To answer that question, context is everything.

The solution

The solution is to think about it before hand. The EMS organisation should have a privacy policy (Privacy Principle 1) and should have considered its response to this situation. Different organisations will have different business models and different approaches so what I am about to say is out of context and is not legal advice but my own ‘preferred’ model.

If I was running an EMS organisation, I would want a policy that says:

  1. We provide the patient care record, we complete it, we store and secure it and we will only use that information for the purpose for which it was obtained and our legitimate secondary purposes (eg quality assurance, billing).
  2. Patient information will be shared with other health professionals (most usually paramedics) on a needs-to-know basis that is when handing over patient care and a copy of the record will be delivered to form part of the patient record to ensure continuity of care.
  3. A copy can be made available to a patient’s treating GP with written permission from the patient.
  4. A copy will not be made available to the venue/contractor unless required by law.
  5. The venue/contractor will be provided with de-identified statistics on patient numbers and the type of injuries/illnesses only.
  6. If the venue/contractor wants us to complete a record on their behalf, we will only do so with the consent of the patient ie we will tell the patient that this record will go to the venue. 
  7. There will be privacy policy document that can be given to any patient that explains how we will handle information.

If there is such a policy, then that could be provided to the venue/contractor so they know where they stand. If that does not suit them then the matter could be open to negotiation. If the venue wants EMS staff to complete the venue’s documentation the EMS organisation would want to consider –

  • What information are they being asked to record and is ‘the information … reasonably necessary for, or directly related to, one or more of the [venue’s] functions or activities’? (Privacy Principle 3.1).
  • Does the venue have a privacy policy that it too is willing to make available to patient’s explaining why that information is being collected and how it will be used and stored? (Privacy Principle 1).


A short form of the question asked is:

… St John Ambulance (or any private EMS organisation) provides medical services to a venue. The venue wants access to the patient record. Can we share records? What are the limitations/considerations?

My view (like any good lawyer’s answer) is ‘it depends’.  It depends on the contracted terms between the venue and the EMS organisation, it depends on the context so why the venue wants or needs to know, and it depends on what the patient knows or expects.

Having said that my starting point would be no, the records cannot be shared. If the venue wants the EMS organisation to share patient information that has to be negotiated as part of the agreement to provide the services to the venue. Patients should be told before the records are completed that this information will go to the venue; or their consent obtained if that was not made clear at the time.

The EMS organisation, whatever route it wants to take, should have a privacy policy that sets out what information is collected and how it is used and shared and this should be available to organisers who seek to engage their services, and to patients.

A word on the Privacy Act 1988 (Cth)

The Privacy Act 1988 is an Act of the Commonwealth parliament. There is no specific power in the Australian Constitution to give the Commonwealth the power to makes laws with respect to privacy.  As a result, the Privacy Act only applies to entities that fall within another head of Commonwealth power eg a federal government agency, a corporation etc (see Privacy Act 1988 (Cth) s 6 definitions of ‘APP entity’ and ‘agency’ and s 6C definition of ‘organisation’).

Organisations that do not fall within the definition of an APP entity are not bound by the Commonwealth Act but will be caught by state law that also implements the Privacy Principles (see for example Privacy and Personal Information Protection Act 1998 (NSW) and the Health Records and Information Privacy Act 2002 (NSW)).  Any organisation would have to determine for itself whether it is the federal or state legislation that governs its operations but, given the Privacy Principles are adopted nationally, I suggest my opinion on the issues raised would be similar, if not the same, under any state or territory privacy legislation.

This blog is made possible with generous financial support from the Australasian College of Paramedicine, the Australian Paramedics Association (NSW), Natural Hazards Research Australia, NSW Rural Fire Service Association and the NSW SES Volunteers Association. I am responsible for the content in this post including any errors or omissions. Any opinions expressed are mine, and do not necessarily reflect the opinion or understanding of the donors.