The hidden cost of administration: patient privacy in practice

Everyday lapses in patient privacy can have serious consequences, from damaging patient trust to triggering legal action and reputational harm. The impact can be significant for you, your practice and your colleagues. This article highlights common breaches in healthcare and offers practical steps to protect patient information and reduce these risks.

Georgie Haysom, BSc, LLB (Hons) LLM (Bioethics), GAICD, General Manager, Advocacy, Education and Research, Avant

Thursday, 7 August 2025

It’s a typical Friday night in a busy emergency department. A patient is wheeled in on an ambulance stretcher, and during triage, the doctor discusses the patient’s past medical history, including sensitive details, in a raised voice. Several neighbouring patients, along with paramedics attending other cases, overhear the exchange. It’s a small moment, but one that could have serious consequences.

Scenarios like this are not uncommon. While privacy legislation provides a necessary framework to manage a patient’s health information, the real challenge lies in translating policy into consistent, everyday practice. In both public and private healthcare settings, breaches often arise not from malice, but from momentary lapses, systemic pressures, or a lack of awareness.

Common breaches: more than just cyber threats

While cyberattacks often make headlines, the most frequent privacy breaches in healthcare settings are far more routine and often preventable. These everyday lapses can occur in any clinical environment and typically stem from human error or oversight. Breaches of privacy can occur in many ways: talking about a patient’s health information in a full waiting room, sending an email containing health information to the wrong person, losing a laptop containing patient information, or having the practice database hacked. Unauthorised access to, disclosure of, or loss of personal information held in your practice is known as a “data breach”.

These breaches, though often unintended, can have serious consequences. They may lead to patient distress, legal action and erosion of trust between the patient and doctor. For example, the accidental disclosure of a patient’s HIV status can result in significant emotional harm and social stigma. Similarly, unauthorised access to mental health records can damage the therapeutic relationship and deter patients from seeking future care.

Privacy starts with people: building a culture of responsibility

Staff responsibilities in maintaining privacy are paramount. Doctors must be vigilant in their daily routines, ensuring that patient information is protected at all times. This includes verifying the identity of individuals requesting information, documenting consent accurately, and using secure communication channels. Regular training sessions can help staff stay informed about the latest privacy regulations and best practices. Additionally, healthcare institutions should conduct periodic audits to identify potential vulnerabilities and address them proactively.

The impact of privacy breaches extends beyond individual patients. When trust in the healthcare system is compromised, patients may avoid seeking care or withhold critical information out of fear that their data could be exposed. This, in turn, can hinder the delivery of effective treatment and compromise patient outcomes. Doctors must prioritise privacy as a core value, fostering a culture of transparency and accountability. By doing so, the practice can ensure that patient trust is maintained, and the integrity of the healthcare system is upheld.

Best practice in action: practical tips to protect privacy

Privacy is not just a legal requirement; it’s a clinical responsibility. Best practice means:

  • Familiarising yourself with the relevant policies to ensure you are not in breach. Hospitals and local health districts have their own policies and procedures about data management and access.
  • Not accessing a medical record unless you have a legitimate reason to do so.
  • Documenting every time you access the medical record of a patient not in your care, and the reason, such as patient follow-up or approved research.

Doctors should only access patient records where there is a genuine clinical need, or with specific authorisation. Accessing records out of personal interest, curiosity or for self-education is likely to breach legal, employment and professional obligations. Be sure that you understand your legal, professional and workplace obligations to maintain patient confidentiality and protect patient privacy.

By embedding privacy into daily routines and decision-making, doctors can protect not only patient information but also the trust that underpins every therapeutic relationship.

More information

For medico-legal advice, please contact us here, or call 1800 128 268, 24/7 in emergencies.

This article originally appeared in the BLMA newsletter Synapse, Issue 17 (2025).

IMPORTANT:
This publication is not comprehensive and does not constitute legal or medical advice. You should seek legal or other professional advice before relying on any content, and practise proper clinical decision making with regard to the individual circumstances. Persons implementing any recommendations contained in this publication must exercise their own independent skill or judgement or seek appropriate professional advice relevant to their own particular practice. Compliance with any recommendations will not in any way guarantee discharge of the duty of care owed to patients and others coming into contact with the health professional or practice. Avant is not responsible to you or anyone else for any loss suffered in connection with the use of this information. Information is only current at the date initially published.