
Privacy Commissioner rules on psychiatrist’s refusal to provide patient access to personal information
The Australian Privacy Commissioner confirmed a patient’s right to access their personal information is not absolute. A doctor may refuse access if they reasonably believe it could cause serious harm to the life, health or safety of the patient or someone else. However, they must consider alternative options to grant at least partial access, and give reasons explaining any decision to refuse access.
Wednesday, 26 February 2025
Key messages from the case
Patients have a general right to request access to personal information held about them. However, doctors may refuse access if they reasonably believe accessing the information would pose a serious threat to the life, health or safety of an individual, or the public. Any request must be considered carefully to see whether there is any way to grant at least partial access, for example to a redacted version or summary.
Details of the decision
Psychiatrist Dr T had been treating Ms S for severe bipolar disorder and depression for 10 years. The treatment included twice-weekly consultations and electroconvulsive therapy (ECT).
Ms S complained to the medical regulator about the ECT treatment. After investigation, the regulator dismissed the complaint. Ms S then wrote to the regulator requesting a copy of Dr T’s response to the complaint.
Dr T objected to the response being released and the regulator informed Ms S about that.
Ms S then wrote to Dr T directly asking for a copy. Dr T replied, acknowledging her request but saying they could not help. Dr T did not respond to two further letters from Ms S.
Ms S then complained to the Office of the Australian Information Commissioner (OAIC) alleging Dr T had breached the Australian Privacy Principles (APPs) by:
- failing to provide her with access to her personal information (APP 12.1)
- failing to respond to her request for access within a reasonable time (APP 12.4)
- failing to take reasonable steps to give access in a way that met both parties’ needs (APP 12.5), and
- failing to provide reasons for the refusal to provide access (APP 12.9).
Ms S requested a declaration that she was entitled to access the report.
Providing access to personal information
The Privacy Commissioner noted that Dr T’s response to the regulator regarding the original complaint contained personal information about Ms S – including clinical notes, hospital records, second opinion reports and passages written by Ms S. While Dr T had not kept a copy of the response, Dr T was entitled to access a copy from the regulator. Because of this, for the purposes of the Privacy Act, Dr T ‘held’ the information and Ms S was entitled to request access.
Exception to right of access – threat of serious harm
Dr T argued they were entitled to withhold access since they reasonably believed reading the information contained in the response would pose a serious threat to Ms S’s life, health or safety (APP 12.3(a)). Dr T gave evidence Ms S’s condition had been known to deteriorate quickly in response to trigger events such as feedback on her personality, behaviour and/or presentation.
By contrast, Ms S’s current GP provided a letter stating they had seen no evidence of mental instability that could induce self-harm. They considered there was an extremely remote possibility that reading the information could cause Ms S harm.
The commissioner accepted Dr T did believe on reasonable grounds that releasing the information could cause significant distress to Ms S, potentially leading to a deterioration in her mental health and risk of self-harm.
The commissioner concluded Dr T was entitled to withhold access to the information on this basis.
Response to request for access
The commissioner accepted that Dr T had responded to Ms S’s request within 15 days, which was within the 30-day period recommended in the OAIC’s APP guidelines.
Dr T therefore had responded within a reasonable time and had not breached APP 12.4.
Reasonable steps to accommodate request for access
However, on the evidence, the commissioner found that at the time of refusing access, Dr T had not considered whether there was any way of giving Ms S access that might mitigate the threat to her health and safety.
Dr T may ultimately have concluded there was no safe way to grant access. However, they needed to have considered the options. For example, the APP guidelines contemplated options such as providing a redacted version of the information, providing a summary, or providing access through an agreed intermediary.
On the evidence, Dr T had not considered any options. While they did later discuss providing access, this was some six months after the original request and only after Ms S had made a privacy complaint.
The commissioner concluded Dr T had breached APP 12.5.
Reasons for refusal
Dr T’s response simply saying they ‘could not help’ did not contain any reasons for refusal or explain Ms S’s options given that refusal.
While Dr T was not required to go into unreasonable detail about the reasons, the commissioner found they should have provided some explanation for the refusal, even if Dr T was circumspect in doing so. The reply should also have included the complaint options available and steps that should be followed.
By failing to provide any reasons, Dr T had breached APP 12.9.
Outcome
Access to the information
Dr T submitted that if the commissioner ruled Ms S should have access to the information, this should be provided under supervision. Any access should be in the presence of an independent senior psychiatrist who could review the document and explain the contents to Ms S. Dr T also argued Ms S should only have access to the document on one occasion and should not be able to take any copies, to mitigate the risk she becomes fixated on the information it contained.
The commissioner agreed access should be granted via a senior psychiatrist. This intermediary should have the opportunity to review the report and consider whether Ms S should be granted access at all, and if so:
- how many sessions would be needed
- which parts of the document Ms S should be able to access, and
- any other issues relating to access.
Damages
The commissioner also ordered Dr T to pay Ms S $1000 for non-economic loss caused by the interference with her privacy. The commissioner found no grounds to award aggravated damages.
Key lessons
Patients have a right to request access to records or health information that you or your practice hold about them.
You need to respond to a patient’s request for access within a reasonable time, which is determined by legislation in some jurisdictions. Generally 30 calendar days is considered reasonable.
You should give patients access unless an exemption applies.
Legitimate reasons for declining access include:
- you do not hold the information they request and are unable to access it, for example by ordering another copy
- you reasonably believe that giving access would pose a serious threat to the life, health or safety of the patient or someone else, or to public health or public safety.
Even if you believe you cannot give access to the information in the way the patient has requested, you need to consider whether there are other options, for example giving them partial access to the information.
If you refuse access, you need to give the patient some explanation in writing, even if it would be unreasonable or inappropriate to go into detail.
References and further reading
Avant factsheet – Providing medical records to a third party
Avant factsheet – Medical records: the essentials
Office of the Australian Information Commissioner – Guide to health privacy – Chapter 4: Giving access to health information