Privacy Law and Policy Reporter
Patient consent falls into two broad categories.
Consent for treatment involves obtaining informed consent for a particular procedure or course of treatment to occur. This can involve the disclosure of potential medical benefits and risks and a discussion of other relevant issues, including religious concerns.
Consent for use of personal information involves informing the patient about the use and disclosure of personal information obtained in the health environment, and on some occasions obtaining informed consent to certain types of disclosure. Consent for use of personal information in the health environment is still a developing area of law.
This article discusses the latter form of consent.
In Australia, general privacy laws apply a set of common principles relating to use and disclosure (and related consent requirements) to a wide range of situations. The National Privacy Principles (NPPs) contained in the Privacy Act 1988 (Cth), for example, apply equally to a simple transaction at a video store and to a complex financial transaction with an insurance company.
The health environment has been recognised as one area where these generic principles may prove to be insufficient to provide the degree of privacy control that consumers desire over their personal health information. In some jurisdictions privacy law has been split between health and non-health data. In other jurisdictions specific health clauses or exemptions are provided within an omnibus privacy law.
One specific challenge for health practitioners is the management of patient consent in a multidisciplinary team environment – a situation where the patient will be treated by a (potentially large) team of health professionals taking a holistic approach to the care and rehabilitation of the patient.
KJ v Wentworth Area Health Service
In March 2004 the NSW Administrative Decisions Tribunal handed down its decision in KJ v Wentworth Area Health Service  NSWADT 84. This is one of those small cases that shine a light on bigger picture issues in privacy law.
The events leading to the case occurred in the period 2000-2003. The new Health Records and Information Privacy Act 2002 does not apply in NSW until 1 September 2004, so the complaint was determined under the Privacy and Personal Information Protection Act 1988 (NSW) (the PPIPA Act).
KJ was treated for cancer at the Nepean Cancer Care Centre (NCCC) - a unit of Nepean Hospital - during 2000 and 2001. KJ was referred to the NCCC by her general practitioner. During this time KJ consulted the unit’s psychologist and, in the psychologist’s absence, the psychiatrist. Both the psychologist and the psychiatrist placed notes on KJ’s general medical file.
In 2003 KJ complained to the Wentworth Area Health Service (the Agency) that at no time was she informed about what records were being created about her, how they were to be used or to whom they were to be disclosed. Additionally, she complained about a letter that the psychiatrist had written to her surgeon (and copied to her general practitioner). KJ subsequently obtained copies of her medical records from the NCCC, and discovered that psychological information about her had been placed on her general medical file.
KJ asserted that these actions were a violation of her privacy and trust and were in contravention of specific provisions of the Commonwealth Privacy Act.
The Agency treated KJ’s letter as an application for internal review under section 53 of the Privacy Act. It proposed: administrative changes to better inform patients about the multi-disciplinary nature of care and the general practice of the whole treating team having access to patient information; having patients sign a consent to the information being shared; an information sheet for patients about the role of the psycho-oncology team; and the availability of in-service education about privacy and confidentiality.
After investigation, the Nepean Hospital’s Privacy Contact Officer concluded that:
“[KJ] was not aware, or did not appreciate that this category of personal information about her and about which she is particularly concerned, would form part of the medical record available to all the treating team. Had she been, and had the reasons been explained to her, she may or may not have consented, but it is evident she was not aware and did not have the opportunity to consider the matter and therefore I am satisfied that her complaint is substantiated in this respect.”
The Privacy Contact Officer also agreed to a notation on KJ’s file and the removal and separate storage of notes concerning her psychiatric/psychological information. In addition, the NCCC wrote to KJ formally apologising to her for what had happened. KJ, however, was dissatisfied with the Agency’s conduct and the outcome of the review. She was also dissatisfied with the Agency’s apology.
Consent and disclosure
KJ asserted, successfully, that the Agency breached Information Privacy Principle 3 (IPP 3) through the psychiatrist’s and the psychologist’s action in placing their clinical notes on her general medical record file (and thus making them available to others at the NCCC).
IPP 3 states that if a public sector agency collects personal information from an individual, the agency must take such steps as are reasonable in the circumstances to ensure that, before the information is collected or as soon as practicable after collection, the individual to whom the information relates is made aware of (amongst other things) the fact that the information is being collected and the intended recipients of the information.
In evidence, KJ stated that she believed that the psychiatrist and the psychologist collected the information for the sole purpose of their future consultations with KJ. She submitted that because of the sensitivity of this information, it was reasonable to assume that the information would be kept separately and would be accessible by only the psychiatrist and the psychologist. She stated that the staff of the NCCC did nothing to disabuse her of this expectation.
KJ said that the psychologist told her that she would speak to the psychiatrist about her. KJ had no objection to the psychiatrist and the psychologist sharing information about her between themselves as they were both dealing with her psychological issues and she trusted them with the information. However, KJ said that she was not told and that she did not expect that the information would be shared with anyone else.
A key part of the judgment is the following quote:
“KJ said that it did not occur to her that the psychiatrist and the psychologist would make her psychological information available to doctors, nurses, the dietician and the physiotherapist who were treating her physical illness - most of whom she did not know very well and some of who she held in little regard. KJ said that had she been asked, she would not have given her consent to the wider sharing of the information.”
The psychologist and KJ disagreed as to what KJ was told about the use that would be made of her medical record and any notes that were placed upon it. The Tribunal noted that it was possible that the psychologist had “overlooked” giving KJ the usual consent information. The Tribunal noted that it was also possible that KJ was in a state of distress at the time, was given information about the purposes for which the information was being collected and “simply did not recall it”. In the circumstances the Tribunal did not need to make a ruling on the factual dispute, as the Agency conceded that it did not tell KJ who the recipients of the information might be.
However, the Agency argued that there was no breach of IPP 3. It argued that IPP 3 is not concerned with the provision of information to employees of the Agency itself. The Tribunal disagreed:
“I do not agree that IPP 3 should be given such a narrow interpretation. In the absence of an express limitation, the provision of information to employees of the relevant Agency should not be considered as falling outside the scope of IPP 3. Such an artificial distinction is not consistent with the Privacy Act’s purpose of establishing principles for dealing with personal information in an open and accountable manner. It may also be inconsistent with an individual’s reasonable expectations of how their personal information will be handled by an agency.”
Having succeeded in her argument that the NCCC had breached IPP 3, KJ also asked for a referral of the general issue of privacy protection of patient information within multidisciplinary treating teams for consideration by the Minister of Health and the Privacy Commissioner.
KJ asserted that the matters she complained about are not confined to two clinicians in one health agency but rather that it was a systemic problem. She argued that there is a “lack of alignment between the expectations of patients about how their privacy will be respected and a culture of disclosure that exists in the medical community”.
However, the Tribunal noted that the Health Records and Information Privacy Act 2002 was to be implemented in 2004. In the circumstances the Tribunal chose not to refer the matter to the Minister and the Privacy Commissioner.
The Tribunal therefore restricted its orders to the particular case before it. The four orders were:
“1. I declare that the Wentworth Area Health Service has contravened the Information Protection Principles provided for by sections 10 (IPP 3) and 19 (IPP 12) of the Privacy & Personal Information Protection Act 1998.
2. The Wentworth Area Health Service is ordered to refrain from collecting personal information from the Applicant without informing her of the purposes for which the information is being collected and the intended recipients of the information.
3. The Wentworth Area Health Service is ordered to refrain from disclosing the Applicant’s health information without her informed consent.
4. The Application is otherwise dismissed.”
Health Records and Information Privacy Act 2002 (NSW)
As discussed above, the case was considered under the existing PPIPA legislation, rather than the new Health Records and Information Privacy Act 2002. Will the new legislation, which applies in NSW after 1 September 2004, resolve the issue of consent in multi-disciplinary teams?
The two relevant principles in the new legislation are Principle 4 and Principle 11.
Principle 4 states that organisations must, at or before the time of collection, take steps that are reasonable in the circumstances to ensure that individuals are aware of (amongst other matters) the purposes for which the information is collected, and “the persons to whom (or the types of persons to whom) the organisation usually discloses information of that kind”. This represents only a small variation from IPP 3 in the PPIPA Act. It seems clear under this Principle that some form of broad description of the use of information within a multidisciplinary team will be required.
Principle 11 states that organisations must not disclose the information for a purpose (a secondary purpose) other than the purpose (the primary purpose) for which it was collected. There are, however, two exceptions:
Consent - Where the individual to whom the information relates has consented to the disclosure of the information for that secondary purpose; and
Direct relation - Where the secondary purpose is directly related to the primary purpose and the individual would reasonably expect the organisation to disclose the information for the secondary purpose.
This part of the HRIP Act also contains the following note:
“For example, if information is collected in order to provide a health service to the individual, the disclosure of the information to provide a further health service to the individual is a secondary purpose directly related to the primary purpose.”
Principle 11 is therefore a substantial deviation from the PPIPA Act. Health information is treated as a special category in the PPIPA Act and its disclosure is severely restricted by IPP 12. There is no ability to argue that a disclosure is directly related to the primary purpose and within the reasonable expectation of the patient. The only relevant exemption to the restriction in IPP 12 is where the express consent of the patient has been obtained.
So, in moving from IPP 12 in PPIPA to Principle 11 in HRIPA, it seems that broader disclosure of information may be possible where it is related to the primary care of the patient (almost always the case) and where the disclosure is within the reasonable expectations of the patient. This last requirement still presents a challenge. In the above case, both the Agency and the Tribunal accepted that KJ did not expect her information to be exchanged between members of her treating team and between the team and her surgeon and GP.
The case of KJ v Wentworth Area Health Service may have helped to expose a weakness in the management of privacy consent where a multidisciplinary team approach is involved. However, at least part of the weakness appears to be that the law has not yet caught up with common medical practice.
The implementation of the new Health Records and Information Privacy Act 2002 on 1 September 2004 will help to overcome this weakness, at least as far as some disclosure of information is concerned. However, two significant management issues remain:
First, even though disclosure to members of a multi-disciplinary team (including the disclosure to treating surgeons and the patient’s GP) may be permitted, an Agency will still be required to provide information about the use and disclosure (including the broad categories of recipients) under Principle 4 of the new Health Records and Information Privacy Act 2002. The provision of this information will have to be recorded in order to avoid the type of factual dispute at the heart of KJ’s case.
Second, the new test of when information can be exchanged amongst members of a multi-disciplinary team includes a requirement that such disclosure is within the ‘reasonable expectation’ of the patient. On paper this may seem like an easier test (because explicit consent is no longer required). In practice it may be difficult to argue that the reasonable expectations test has been met. As KJ’s case demonstrates, there may be a wide range of expectations, and there is no certainty about how the courts may interpret reasonable expectations in a multidisciplinary environment. In KJ’s case, the Tribunal took a sympathetic view of the expectations of the patient, without making any recognition that a multidisciplinary approach is now the norm.
Ultimately, this case reflects that the barriers between different silos of medical information are breaking down at a faster pace than the expectations of either the law or health consumers. Managing patient consent in a multidisciplinary environment must therefore be seen as a management issue, rather than a legal one. The HRIP Act test provides too much uncertainty to be useful in practice. Health sector agencies will have to develop management tools which ensure greater provision of information to specific patients, and broader awareness raising and education about the use of information within multidisciplinary teams.
Chris Connolly is a Director of Galexia Consulting and a Visiting Fellow in the Law Faculty at the University of New South Wales, where he teaches Electronic Commerce Law and Practice (amongst other courses).