Case study guide - Mishandling patient information is risky business

Ben Ryan, Avant Law - Partner, Commercial & Corporate

Marko Novakov, Avant Law - Senior Associate, Commercial & Corporate

Monday, 14 October 2024

This Case Study Guide is an addendum to our article dated 15 October 2024 entitled: Mishandling patient information is risky business: Proposed new changes to the Privacy Act to ensure effective information governance and privacy training. It contains hypothetical scenarios based on published cases about privacy breaches from Australia and Canada.

Scenario 1 - Intentional or Reckless Privacy Breach

Day Hospital DH is a private hospital and day surgery clinic. A group of employed hospital staff who have access to records about patients who had given birth at the hospital disclose the personal and health information of those patients, without their authorisation or consent, to employees of private health and life insurers (who are looking to boost their sales). These hospital staff also disclose personal and health information of patients seeking treatment for work-related injuries (pursuant to workers’ compensation legislation) to local personal injury law firms. The affected patients are then contacted by the insurance companies and personal injury law firms seeking to solicit their products and services.

Breach of current APPs

The impacted patients could make a complaint against Day Hospital DH to the Australian Information Commissioner for breach of APPs 6 (use or disclosure of personal information) and 11 (security of personal information).

As this could be considered a serious or repeated privacy interference by a body corporate, Day Hospital DH could be liable for paying a significant amount of compensation to the impacted patients plus additional civil penalties paid to the Commonwealth (potentially up to, or more than, $50M).

(The impacted patients could also apply to the Civil and Administrative Tribunal of their local State / Territory against Day Hospital DH for breach of personal, health and/or sensitive information under specific State / Territory based privacy laws.)

Proposed statutory tort for serious invasion of privacy

The impacted patients could potentially bring an action against Day Hospital DH for serious invasion of privacy by way of vicarious liability for the acts of the hospital employees.

The impacted patients would need to establish that the hospital staff acted intentionally or recklessly, and knew or ought to have known that the unauthorised disclosure would likely offend, distress or harm them, and that the staff were acting within the scope of their employment when accessing and disclosing the personal and health information of the plaintiffs. The plaintiffs would also need to establish that they were of ordinary sensibilities.

(The impacted patients could also bring individual actions against the individual hospital employees for serious invasion of privacy.)

Scenario 2 – Inadvertent Disclosure or Disclosure Made in Good Faith

Doctor Z is a busy General Practitioner operating a sole trader medical practice. The practice has a privacy policy, but Doctor Z wasn’t very familiar with it. Patient K has been a regular patient of Doctor Z for nearly 3 years, including for a patient care plan with a psychologist for treatment of Patient K’s chronic mental health conditions, which included Post Traumatic Stress Disorder and Anxiety Disorder. Patient K’s employer was aware that they had been suffering from a chronic health condition and seeking treatment from Doctor Z as a result of medical certificates supplied by Patient K. However, the employer was not aware of the exact diagnosed health conditions or the complete history of treatment. Patient K became involved in a minor and brief verbal altercation with a work colleague. The employer’s People and Culture (P&C) Team were notified and they organised a meeting with Patient K the same day to discuss the incident. The P&C Team became concerned about Patient K’s wellbeing during the meeting, on the basis that Patient K appeared to be overreacting to the situation and was behaving in a threatening manner towards them. After the meeting, Patient K went home to take the rest of the day off and report back the following day. There was no indication that Patient K was going to self-harm or harm any other individual at the time they left work. The P&C Team telephoned Doctor Z to enquire about Patient K’s wellbeing and mentioned the workplace incident. Doctor Z informed the employer about Patient K’s mental health conditions.

Breach of current APPs

Patient K could make a complaint against Doctor Z to the Australian Information Commissioner for breach of APPs 6 (use or disclosure of personal information) and 11 (security of personal information).

(Patient K could also apply to the Civil and Administrative Tribunal of their local State / Territory against Doctor Z for breach of personal, health and/or sensitive information under specific State / Territory based privacy laws.)

Doctor Z could argue in defence that disclosure was permitted to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety, pursuant to the exemption under APP 6 for a permitted general situation.

Proposed statutory tort for serious invasion of privacy

Patient K could seek to bring an action against Doctor Z for a serious invasion of privacy for unauthorised disclosure of private health information.

The key issue would be establishing whether the disclosure by Doctor Z was intentional, or reckless, with a purpose to intrude or misuse their private information – knowing that Patient K was likely to be offended or suffer harm and distress.

Doctor Z could argue in defence that the disclosure was negligent, as opposed to intentional or reckless, on the basis that they incorrectly presumed that it was necessary in the circumstances to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health.

We can help you

If you have any questions, or would like more information about how we can assist you or your practice, please call 1800 867 113, or to organise a confidential discussion at a time that suits you, please click here 

1 2018 ONSC 6315

2 [2019] NSWSC 1781

3 [2015] AICmr 23.

About the authors

Ben Ryan

Ben Ryan is a Partner in the commercial and corporate law practice at Avant Law, based in Brisbane. Ben has been working with medical practices since 2013. Ben works primarily on commercial structuring and intellectual property matters to help clients achieve strategic and commercially sensible results. He pursued a career in law to provide reliable and honest support to those in need of legal assistance and enjoys working with clients to develop solutions-oriented legal strategy and advice.

Marko Novakov

Marko Novakov is a Senior Associate in the commercial and corporate law practice at Avant Law, based in Melbourne. Marko has broad based experience practising in law firms and in-house legal roles in the areas of commercial law, corporate and regulatory governance, and litigation and alternative dispute resolution. Since 2023, Marko has focused on working with health practitioners and medical practices, primarily on commercial acquisitions and sales, governance, dispute resolution and intellectual property matters in order to help clients achieve both their strategic and commercial objectives. In working with his clients, Marko has developed a reputation of being a trusted advisor who can bridge the gap between legal expertise and effective communication. 

Prior to becoming a lawyer, Marko completed his Bachelor of Science Degree at the University of Toronto with a focus on Behavioural Neuroscience and with multiple publications in a peer-reviewed scientific journal for behavioural neuroendocrinology. Marko also attends and delivers presentations at conferences for doctors on commercial matters related to private practice. 

Disclaimers

This case study is not comprehensive and does not constitute legal advice. You should seek legal or other professional advice before relying on its content, and practise proper clinical decision making with regard to the individual circumstances. Persons implementing any recommendations contained in this article must exercise their own independent skill or judgement or seek appropriate professional advice relevant to their own particular practice. Compliance with any recommendations will not in any way guarantee discharge of the duty of care owed to patients and others coming into contact with the health professional or practice. Avant is not responsible to you or anyone else for any loss suffered in connection with the use of this information. Information is current to 27 August 2024. © Avant Mutual Group Limited 2024.
