Harsh penalties for unauthorised access to medical records
Sunday, 8 October 2023
Originally published March 2022, reviewed October 2023
Accessing medical records, if not required for the medical treatment of a patient or another authorised purpose, can have serious ramifications.
In this extreme case, a registered nurse faced criminal changes and a disciplinary tribunal for inappropriately accessing medical records.
Improper access to family members’ records
The nurse, who worked in an intensive care unit (ICU), accessed her own medical records and 34 other records, on multiple occasions without authority. These included her husband’s record, and those of two of his former partners and his children. At the time, none of the patients were under the nurse’s care or in the ICU. She also accessed 27 records of patients with no connection to herself.
The local health district investigated complaints of unauthorised access and found she had accessed records “for use and personal gain in external family court legal proceedings.” The health district terminated her employment and notified the police and the Independent Commission Against Corruption.
The NSW Nursing and Midwifery Council imposed conditions on her registration, including that she work under supervision, and a complaint was referred to the Health Care Complaints Commission (HCCC).
Nurse faces criminal and disciplinary charges
The police charged the nurse with 11 offences under the Crimes Act for unauthorised access to restricted data. She was convicted in the local court.
On appeal in the District Court of NSW, the guilty verdict was upheld, but without recording a conviction subject to an order for good behaviour, with a 12-month bond.
The HCCC referred the case to the disciplinary tribunal and outlined five complaints. These were the nurse’s criminal offences, three unsatisfactory professional conduct complaints, which included one for failure to notify the National Board of the charges and later conviction, and a professional misconduct complaint.
Response to the complaints
The nurse admitted all five of the complaints and acknowledged her behaviour was unacceptable, stating that she was “sincerely apologetic, disgusted and distraught” by her actions.
The nurse claimed she accessed her own record because a doctor asked for more details about a recent pathology test. She admitted accessing family records for personal reasons but did not provide a plausible reason as to why she accessed the non-family members’ records.
She also claimed she was unaware of the requirement under the National Law for registered health practitioners to notify the National Board within seven days of any charges for offences which are punishable by 12 or more months’ imprisonment, and any criminal findings, or convictions.
Registration on the line
The tribunal took into consideration the nurse’s acknowledgment that her actions were improper and unethical, her youth and inexperience at the time. Also, the positive reports provided by her supervisor regarding her reflection on work ethics and standards on confidentiality of patient information and records were considered.
However, the tribunal expressed concern about "whether the offending conduct might be repeated.”
Given the serious nature of the nurse’s conduct, the tribunal did not believe it could impose conditions that would adequately protect the public other than cancellation of her registration for six months.
Dos and don’ts for doctors
While this case involves a nurse, Avant has assisted many doctors to respond to allegations of privacy breaches, particularly in relation to unauthorised access of hospital medical records. Curiosity and legitimate clinical interest are no excuse. Although it may be tempting to view records – it is not appropriate, even if the patient is a family member, to do so without their consent, or other legal authority together with permission from the treating team. Not only is this a breach of privacy, it is also a breach of hospital policy and may lead to disciplinary action by the hospital and result in a tribunal hearing. As this case illustrates, it may also amount to a criminal offence.
Electronic medical record keeping systems enable practices and hospitals to monitor and audit records and identify unauthorised users. It is important to log out of a computer when you are no longer using it and not to share your password. This will avoid the risk of your details being linked to unauthorised access by other staff members.
There are examples where it is permitted to access records when not directly involved in caring for a patient, and privacy legislation permits access and disclosure of health records in certain situations. These include defending complaints and quality control activities, such as mortality and morbidity meetings or clinical audits. However, you need to ensure when accessing records for these non-clinical purposes, you are doing so in accordance with any relevant hospital or practice policies.
Key lessons
Accessing patient records without proper authority can have significant consequences.
Generally, you should only access medical records:
- for the purpose of providing medical treatment to the patient at the time
- in accordance with your practice or hospital’s policies
- for non-clinical purposes in accordance with privacy legislation, practice or hospital polices or with the patient’s consent.
Electronic medical record systems have monitoring and auditing functions so they can easily identify unauthorised users.
This case also provides a reminder to doctors that failing to notify the National Board or Ahpra within seven days of being charged with any offences which are punishable by 12 or more months’ imprisonment, and any criminal matter, can land you in trouble with the regulator.
Useful resources
- Factsheet: Medical records - the essentials
If you have concerns about accessing a patient’s medical records, you can contact our medico-legal advisers via email at nca@avant.org.au or call 1800 128 268, available 24/7 in emergencies.
More ways we can help you
Disclaimers
IMPORTANT: This publication is not comprehensive and does not constitute legal or medical advice. You should seek legal or other professional advice before relying on any content, and practise proper clinical decision making with regard to the individual circumstances. Persons implementing any recommendations contained in this publication must exercise their own independent skill or judgement or seek appropriate professional advice relevant to their own particular practice. Compliance with any recommendations will not in any way guarantee discharge of the duty of care owed to patients and others coming into contact with the health professional or practice. Avant is not responsible to you or anyone else for any loss suffered in connection with the use of this information. Information is only current at the date initially published.