Patients are not able to provide informed consent for the use of their information if they are unclear about how the information will be used, who it will be shared with and the reason it is being shared. Patients must be advised of the use of their information when it is collected. This can occur through usual communications during a regular consultation. Patients should also be informed of circumstances in which personal information may be shared or disclosed.
In the case of PD v Harvey and Chen [2003] NSWSC 487 (PD v Harvey), a couple attended a medical clinic together and jointly requested HIV testing. After receiving her result, the HIV-negative partner (PD) attempted to find out her partner’s (FH) test result from the clinic. The medical practitioner refused to provide FH’s test result to PD. FH lied to PD by stating that he was HIV-negative. PD later acquired HIV from FH. During the initial consultation, the medical practitioner did not explain that the results of each person’s test could not be disclosed to the other person and never sought their understanding of that. Nor did the medical practitioner seek their consent for the test results to be shared between them. The court found that, by this omission, the medical practitioners breached their duty of care and awarded substantial damages to the patient. The court affirmed the importance and status of patient confidentiality, finding that medical practitioner–patient confidentiality cannot be breached without consent, except in the narrowest of circumstances.
This case demonstrates the importance of clarifying how personal health information will be used and disclosed, and of obtaining a patient’s consent for the use and disclosure of their personal health information. This should be undertaken at the outset of a relationship when privacy and other policies are explained – and on an ongoing basis where necessary. If the clinicians in PD v Harvey had sought and received consent to share HIV test results the relevant disclosure could have been made.
The case of AJD v Royal Prince Alfred Hospital [2014] NSWCATAD 125 dealt with a breach of health privacy principles. In that case the AJD’s personal health information was recorded in her children’s birth records. The hospital then released that information through a freedom of information request made by AJD’s ex-husband (the children’s father). It was found that the hospital had breached the health privacy principles by releasing the information that related to the mother to the father, and also that the hospital failed to ensure the security of the health information against unauthorised use and disclosure.
This decision may be relevant in the context of HIV, as couples often receive care from the same practice. It is important that each person’s health information be recorded separately on their own files and thoroughly reviewed if a request for the release of information is made.