Today’s correspondent tells me that Victoria’s CFA has:
… qualified EMR responders at some of our brigades, and they are notified of “Priority 0” medical cases via pager, with information including case number, address, type of case (eg cardiac arrest), age, and gender.
My questions are:
- Is it legally (or ethically) [permissible] … for non-EMR responders at the same brigade to also receive the same pager message? These people are obviously not involved in patient care.
- Is it legally (or ethically) [permissible] … for the same pager message to be displayed on screens within the brigade, permitting EMR responders, non-EMR responders and in fact potentially members of the public (eg at brigade open days etc) to view?
The relevant legislation will be the Health Records Act 2001 (Vic). The Health Records Act defines ‘health information’ as:
(a) information or an opinion about—
(i) the physical, mental or psychological health (at any time) of an individual; or…
(iv) a health service provided, or to be provided, to an individual
An organisation that collects health information can use that information for the primary purpose for which it is collected (Health Privacy Principle [2.1]). I infer that the relevant information referred to here is collected by Triple Zero Victoria and it is collected for the purposes of dispatching emergency health care assistance whether that care is from Ambulance Victoria or Ambulance Victoria in conjunction with the CFA or Fire and Rescue Victoria. Sending the message via the pager is therefore consistent with using the information for the purpose for which it was received.
But what of sharing that information with people who do not need to know? Even if the person is not identified by name they may be identifiable via the address so someone may receive a page and know that the address is where Mrs So-and-so lives, and in a small community it may mean that members fo the CFA, who are not going to have any direct involvement in her care, are informed about her ‘physical, mental or psychological health’ and of the nature of a health services that is to be provided.
One could argue that the information is given to the CFA and everyone in the CFA is bound by confidentiality, but I don’t think that is sufficient. If someone had responded and was then asked by another member they could not and should not share information about the job even though that other person is also a member of the CFA. There has to be some limit imposed by a ‘need to know’.
The disclosure could be justified if the organisation ‘reasonably believes that the use or disclosure is necessary to lessen or prevent— (i) a serious threat to an individual’s life, health, safety or welfare…’ (Health Privacy Principle 2.2(h)(i)). That might be the case if there is no practical way to have a separate paging system for members of a brigade who are part of the emergency medical response and those that are not; or if non-EMR members are still required to attend to, for example, drive the appliance and be an ‘extra set of hands’ if required.
The same would be true for the display of the information on screens in the station. There needs to be a system to page responders and if there is no practical alternative to set up a different system, or of others in the brigade need to know where the emergency medical responders are in order (eg so they are aware of their residual response capacity or to be able to monitor their welfare etc) then it could be justified as both part of the response and a legitimate secondary purpose (ie the management of the brigade).
I don’t think it could be justified, or would be anything other than an impermissible disclosure, to have the information in a place where the public can view it. As noted if they can read the information and know the address they are then being given health information about a person they may know with no legitimate purpose. If there’s an open day the screens should be covered or turned off.
Conclusion
It is of course impossible to be definitive but it would appear that the disclosure to non EMR members would be within the principles if there was no reasonably practicable alternative or they needed to know so people knew about that status of the brigade, ie what other members were still available for the next call and where members were if they needed support or back up.
It can’t be permissible to have health information about a person that can be identified (and in a small community the address may be enough) displayed in a way that is viewable by the public. One needs only ask ‘how would you feel if someone reported to you that they know about your heart attack as they saw the CFA has been responded?’ to realise that cannot be permissible.
This blog is a general discussion of legal principles only. It is not legal advice. Do not rely on the information here to make decisions regarding your legal position or to make decisions that affect your legal rights or responsibilities. For advice on your particular circumstances always consult an admitted legal practitioner in your state or territory.
Australian Emergency Law 
My brigade is only starting this journey so I don’t have first hand experience. The information we have been told is that only the Fire Medical Response (FMR is the CFA version of FRV’s EMR) members will get the full data. The non FMR members of the brigade only get a notification of a call out, without any identifiable data.