13.0 Privacy, confidentiality and legal responsibilities

  • In Australia, it is illegal to discriminate against a person because they have or are presumed to have any disease, including hepatitis B virus (HBV) infection.
  • HBV is a notifiable disease in every Australian state and territory, which means that it is mandatory for health-care practitioners to report any confirmed case. Mandatory notification does not legally breech a patient’s right to privacy, although patients should be informed that notification will occur.
  • Information relating to an individual’s health and health-related treatment is sensitive, and an individual’s right to privacy around this information is protected by state, territory and Federal legislation.
  • The Privacy Act 1988 (Commonwealth) (‘the Act’) is the primary piece of legislation governing privacy of health-care information in Australia. The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (the ‘Privacy Amendment Act’) was passed in November 2012, and came into force on 14 March 2014. The Privacy Amendment Act increases restrictions on the handling of personal information obtained from a third party, and provides the Privacy Commissioner with greater powers and increased penalties for privacy breaches.
  • State and territory governments have also enacted jurisdictional laws and regulations that affect privacy practices. These state and territory instruments may intersect or overlap with the Commonwealth Privacy Act and, as a result, health-care practitioners must make themselves aware of the privacy and confidentiality obligations that relate to their practice within their respective jurisdiction.
  • Health-care practitioners should only collect health information about a patient with that patient’s informed consent, and should advise the patient of the potential use of that information as part of obtaining informed consent. There should be systems in place for secure storage of physical and electronic records, and all staff should be trained in these systems, and aware of their privacy and confidentiality obligations.
  • Health-care workers are required to disclose their status if they are carrying out exposure-prone procedures, applying for the defence forces, or applying for relevant particular types of insurance. They may also be required to disclose to their sexual partners if they are not taking reasonable precautions not to transmit the infection.

The Australian Medical Association Code of ethics (‘the Code’)4 requires medical practitioners to maintain a patient’s confidentiality. The Code notes that exceptions to patient confidentiality ‘must be taken very seriously. They may include where there is a serious risk to the patient or another person, where required by law, or where there are overwhelming societal interests.’

The protection of health-related information attracts special treatment because of the extremely sensitive nature of personal health information, the impact of breaches of these policies on the affected individuals, and the high rate of health-related complaints to state or territory and Commonwealth privacy offices.

Importance of privacy and confidentiality

It is important to maintain privacy and confidentiality because:

  • patients are concerned about the stigma and discrimination associated with their HBV status and related conditions
  • patients want to know that they can choose who can access their health information
  • patients are far more likely to seek medical care, and give full and honest accounts of their symptoms, if they feel comfortable, respected and secure
  • a health-care system with strong privacy mechanisms will promote public confidence and trust in health-care services generally.

 HBV, hepatitis B virus

The terms ‘privacy’ and ‘confidentiality’ are commonly used interchangeably, but they are not identical concepts in the legal sense. ‘Privacy’ laws regulate the handling of personal information (including health information) through enforceable privacy principles, whereas ‘confidentiality’ refers to the legal duty that the health-care practitioner owes to their patient in relation to the protection of their personal health information.

There are a number of broad privacy-related issues that face general practitioners and other primary health-care providers. These issues, discussed below, include collecting information, ensuring that consent is ‘informed’, advising use, notification, accessing personal records, security and storage of health information, and information for teams.

13.4.1 Collecting information

General practitioners should only collect health information about patients with the patients’ informed consent. It can be reasonable to imply informed consent where the information in question is noted from details provided by the patient during a consultation, and where it can be demonstrated that the patient understands what information is being recorded and how the information will be used. Record keeping must be thorough and accurate. This will ensure the best possible ongoing treatment for a patient and, in the worst-case scenario, can be used to support the practitioner should a patient attempt to make a case against a treating doctor for breach of privacy or confidentiality.

13.4.2 Ensuring consent is ‘informed’

All medical procedures require informed consent. Practitioners need to appreciate the potential consequences and impact of an HBV diagnosis on a patient; although running tests and delivering diagnosis may be standard for the health-care practitioner, receiving the results may be anything but routine for the patient. The provision of information both before the test and with the delivery of test results should allow the health-care practitioner to discuss the risks and benefits to the patient in that person’s particular situation, thereby facilitating the patient’s decision-making process.

When offering a test to patients with low proficiency in English, an accredited interpreter should be used to ensure that the patient understands what they are being offered and has the opportunity to ask any questions. The Translating and Interpreting Service is available 24 hours, 7 days a week.7 Telephone interpreting is usually well accepted because it allows patients to maintain anonymity.

13.4.3 Advising use

Patients can only provide informed consent about the use of their health information if they are clear about where the information will go and why. Therefore, patients should be advised of the intended use of their information when it is collected. This point also relates to instances when personal information cannot be shared or disclosed. For example, in a 2003 NSW case (PD), a doctor failed to inform two patients attending a joint consultation that the results of each person’s tests could not be disclosed to the other person. The doctor consequently failed to ensure that both patients understood this situation, and also did not seek their informed consent to share the individual test results with the other patient. One patient tested positive for HIV and later infected the other patient, who had believed the clinic would make her aware if either of them tested positive for HIV. The Court found that the doctors had breached their duty of care and awarded substantial financial damages to the aggrieved patient.8

13.4.4 Notification

There is no absolute right to privacy under Australian or international law. The Commonwealth Privacy Act provides exceptions to privacy where use or disclosure is required by law, generally in order to protect the public from the spread of infectious diseases. In developing Australian privacy laws, the right to individual privacy has been weighed against the rights of the public and against matters that benefit society as a whole.

HBV is a notifiable disease in all Australian states and territories. Legal obligations informing notification are mandated by state laws, which define a doctor’s duty to notify the respective health department of a notifiable disease.

13.4.5 Accessing personal records

Patients are entitled to access their health records, except for a limited number of exceptions outlined under APP 12 (previously NPP 6). These exceptions include where the request for access is frivolous or vexatious, or where providing access would be likely to prejudice an investigation of possible unlawful activity.9

Individuals contacted through the process of notification, also known as ‘contact tracing’, either as an index case (original person identified with an infection) or a subsequent contact, are not entitled to any information relating to their contact’s identity, behaviour or diagnosis without that person’s consent, even if that information is in the patient’s records. Should a patient wish to access their own record, details of the identity of any contacts contained in their record should be redacted.

13.4.6 Security and storage of health information

A range of laws apply to the storage of health information. In summary, health agencies must have:

  • procedures that ensure that only authorised individuals have access to patient health information
  • security measures to prevent unauthorised access to the records
  • where practicable, procedures for storing the information so that patient identity is not readily apparent from the face of the record (e.g. by the use of identification codes)
  • procedures for destroying the records that protect the privacy of the information, in cases where the record is not to be retained.

Electronic records pose different challenges. Although they offer greater convenience of data retrieval and transfer, they also create greater risks of data leakage, access or ‘browsing’ by unauthorised staff and hacking. Agencies and businesses, including medical practices, need to consider the security of their data storage and transfer systems, and the problem of staff intentionally or inadvertently accessing prohibited electronic records. This issue is currently being tackled by the Commonwealth and a number of states through the development of electronic health records systems.

13.4.7 Information for teams

Multidisciplinary treating teams are common practice in Australian health care. Health-care practitioners work together and share necessary information to deliver optimum health care. All transfers of information without the informed consent of the patient require careful ethical consideration.

Although the question has not yet been legally tested, private sector health-service providers may not always require a patient’s consent to disclose specific health information to another member of a multidisciplinary team for a health-care purpose where the patient would reasonably expect that disclosure. Because this has not been legally tested, it is still advisable to directly obtain patient consent about how their information will be handled, to avoid relying on implied consent.

Doctors in group practices should formulate clear internal communication protocols in order to exercise reasonable care (e.g. when communicating test results or considering contact tracing issues). The cross-referencing of files per se will generally not breach statutory confidentiality because results need to be checked; however, information should not be disclosed without explicit patient permission. All staff must be aware of their obligations, and systems must be in place for protecting patient privacy.

Use and disclosure of health information is defined in the Privacy Act under APP6 (previously NPP 2), which states that an organisation must not use or disclose personal information about an individual for a purpose other than the primary purpose of collection except for a number of limited circumstances. Such circumstances include the following:

  • where the person would reasonably expect the information to be disclosed for a secondary purpose (even if the information is not sensitive, it must be related to the primary purpose; and if it is sensitive, it must be directly related to the primary purpose)
  • to lessen or prevent a serious threat to the life, health or safety of an individual, or to public health or safety, where it is unreasonable or impractical to gain consent
  • to take appropriate action in relation to suspected unlawful activity or serious misconduct
  • where to do so is reasonably necessary for establishing, exercising or defending existing or anticipated legal proceedings in a court or tribunal, or for alternative dispute resolution
  • to locate a person reported as missing
  • where to do so is necessary to prevent a serious threat to the life, health or safety of a genetic relative (special conditions apply).

Disclosure of health information to a person’s carer is also allowed:

  • when the person is physically or legally incapable of consent; and
  • the disclosure is necessary to provide appropriate care or treatment of the individual or for compassionate reasons; and
  • the disclosure is not contrary to any wish expressed by the individual before he or she became unable to give consent of which the carer is aware, or could reasonably be expected to be aware; and
  • the disclosure is limited to the extent reasonable and necessary to provide appropriate care or treatment of the individual, or to fulfil the purpose of making a disclosure for compassionate reasons.

There are a number of specific exemptions to APP 6 allowing disclosure of private health information.10

In summary, health-care workers must not disclose a person’s health information except in a limited number of circumstances. These may generally be summarised as:

  • communicating necessary information to others directly involved in the treatment of a patient during a particular episode of care
  • cases of needle-stick injury where a professional is aware of a patient’s HBV-positive status and a health-care worker has been exposed in circumstances where there is a real risk of transmission and it is not possible to conceal the identity of the source patient who has refused to consent to disclosure
  • provision of medical services in a particular instance of care where there is a need to know the infection status for treatment purposes of benefit to the patient (e.g. in an emergency or if the patient is unconscious); this should not, however, detract from the observance of standard infection control precautions.

It is strongly recommended that practitioners familiarise themselves with the APPs and contact the Office of the Australian Information Commissioner or obtain legal advice if they wish to clarify the manner in which the APPs might relate to specific situations.

The practice of contact tracing raises potential conflicts between breaching a patient’s privacy and confidentiality, and alerting a third party to the fact that they may be at risk of HBV infection or have contracted the disease. Health practitioners’ obligations have not yet been legally tested on this point, but it is possible that a practitioner could be found negligent for failing to inform a third party that they may be at risk of, or may have contracted, HBV. Fortunately, public health services afford practitioners expert guidance to resolve the potential conflict between the duties to maintain confidentiality and privacy, with the possible duty of care owed to third parties. In instances where practitioners suspect a person may be putting others at risk, the practitioner should notify the health department, using the methods prescribed in the relevant state or territory. Public health authorities then become responsible for making decisions around contact tracing, including management of privacy issues.

There are two types of criminal offences associated with HBV and other blood-borne viruses. The first relates to disclosure of information regarding a person who has or is suspected of having HBV or other blood-borne virus infection, as discussed above. There are also general criminal laws in every state and territory that arguably could be used if a Court considered the harms associated with HBV transmission sufficiently serious, and determined that the individual who transmitted the infection had the sufficient knowledge of and intent to transmit. There have been no criminal prosecutions for HBV transmission within Australia, but there have been numerous prosecutions around the transmission of HIV.

Antidiscrimination laws operate in all Australian states and territories, and prohibit the discrimination of individuals on the basis of their actual or perceived HBV status. Discrimination based on disease status is legislatively prohibited under ‘disability or impairment’. It is important that health-care practitioners avoid behaviours that are or could be perceived as discriminatory by a patient when testing and managing people with HBV. Such behaviours could include refusing to see a patient, offering different or inappropriate treatment, or placing a patient last on a consultation or operating list. As outlined in Chapter 12, standard precautions ensure a high level of protection against transmission of infection in the health-care setting, and are the level of infection control required in the treatment and care of all patients to prevent transmission of blood-borne infections.

Chapter 12 outlines the obligations of health-care practitioners infected with HBV who perform exposure-prone procedures.

  1. Australasian Society for HIV Medicine (ASHM). Australasian Contact Tracing Manual. Edition 3. Canberra: Commonwealth of Australia, 2006.


Sally Cameron, Consultant, former Policy Analyst at Australian Federation of AIDS Organisations

& Anna Roberts, Australasian Society for HIV Medicine, Surry Hills, NSW

Disclaimer: This chapter does not constitute legal advice. Instead, it references (and in some cases summarises) key Federal and state laws and policies related to privacy, confidentiality and duty of care, and summarises relevant jurisprudence. Practitioners faced with uncertainty in this area are strongly advised to seek legal advice, or to contact their local health department or applicable privacy office. This chapter has been adapted from the Australasian contact tracing manual (1).