A practice was investigated by the Office of the Australian Information Commissioner (OAIC) following a complaint claiming it had interfered with a patient’s privacy after it refused to delete medical records at the patient’s request.
Privacy law is a complex area. This case highlights the benefit of practices having their own medical indemnity cover. In this case, the practice was able to obtain assistance from Avant to respond to the patient’s complaint and have the complaint resolved in its favour.
Refusal to delete upon request
A patient was referred for an ultrasound investigation. After the report and imaging were sent to the GP, the patient asked the radiology practice to destroy the images.
The practice was concerned by the request to delete medical records and refused to do so. They explained that the medical sonographer takes several images during the performance of the ultrasound. These images are reviewed by a specialist and form the basis for a report which is then provided to the requesting medical practitioner.
The practice assured the patient that these images form part of the medical record and are stored securely in accordance with privacy legislation.
Patient takes further action
The patient was unhappy with their images being stored at the practice, so they lodged a privacy complaint with the OAIC, alleging the practice:
- didn’t provide details of how their images are kept secure
- didn’t delete their images on request
- collected multiple images they considered unnecessary
- didn’t provide access to their images when requested.
How the practice responded
Once the practice received the notification of the complaint from the OAIC, it contacted Avant’s Medico-legal Advisory Service for help on how to respond.
Avant’s team helped the practice draft a letter addressing all the points in the complaint including:
- When the patient signed a release form on their first visit, they consented to the collection and handling of their information.
- Evidence of how the images are kept securely on servers, using accredited software.
- Confirmation that the images form part of the patient’s medical record, which the practice holds for a minimum of seven years. This covers the Medicare requirement to hold records related to MBS claims for at least two years.
Practice proposed resolution
The practice claimed it did not receive the patient’s request for access to their images. However, the patient’s email records showed the practice did receive the request but did not respond.
To resolve this aspect of the complaint, the practice provided the patient with a copy of the images by registered post, waiving its usual administration fees. The tracking number provided proof that the patient had received the images.
After the practice provided evidence of how the matter was handled, the OAIC found in favour of the practice, deciding that the practice had adequately dealt with the patient’s request for access and had not interfered with the patient’s privacy. The matter was closed without further investigation.
- Practices have an obligation under privacy legislation to keep medical records, including images, securely. In NSW, the ACT and Victoria, legislation requires health records to be kept for seven years from the date of the last entry or if they relate to a child, until the child is aged 25. There is also a Medicare requirement to keep records related to MBS claims for two years.
- Practices do have an obligation under Australian privacy laws to destroy or permanently de-identify personal information collected for a specific purpose when it is no longer needed for that purpose. This includes medical records. In NSW, the ACT and Victoria, this is subject to the record keeping requirements above.
- However, it is reasonable to keep medical records if you believe they may be needed to respond to a future claim or complaint.
- In response to the patient’s concerns, the practice was able to cite a legitimate specific purpose for retaining the images (in this case, the Medicare two-year requirement for imaging, and a general policy of retaining records for at least seven years after the date of the last entry).
- Even though the practice didn’t immediately respond to the patient’s request for access to the images, this was subsequently addressed by sending the images to the patient and waiving the usual fees.
If you require assistance with responding to a notification, email us on firstname.lastname@example.org or call 1800 128 268, available 24/7 in emergencies.