Infectious Diseases and Patient Privacy: Competing Interests

27 October 2014
The obligation to maintain patient confidentiality in circumstances where a patient has been diagnosed with an infectious disease can lead to difficult medical and legal issues.

By Jenica Lim-Young, NSW

On the one hand, information will be required for legitimate medical reasons relating to the patient’s treatment, yet on the other hand, the patient may wish to limit the number of people who can access what they regard as ‘sensitive’ personal information so that it does not cause them embarrassment or discrimination.

The regulation of this type of information falls under either Freedom of Information legislation (for government agencies such as public hospitals) or Privacy legislation (for private hospital and health care practitioners). As of 12 March 2014, the Privacy Amendment (Enhancing Privacy Protection) Act 2012 has created 13 binding Australian Privacy Principles (‘APPs’) which apply to both public and private scenarios.

The APPs confirm the general duty that if a health care facility collects personal information about an individual for a particular purpose, that information must not be disclosed for any other purpose unless the patient has consented to the disclosure. There are further restrictions on disclosure of information in cases involving “sensitive information” which could arguably extend to patients diagnosed with certain infectious diseases.

The release of personal information can occur deliberately or inadvertently.  Accidental disclosures, such as identifying a patient as having an infectious disease in a way that could be viewed and understood by the patient’s visitors or other patients, could also arguably be considered a breach of the confidentiality obligations. Any breach of the APPs constitutes an interference with the privacy of an individual and can attract a complaint, legal action or civil penalty. 

However, there are exceptions to these privacy obligations. The APPs allow for disclosure to be made for purposes of law enforcement; in compliance with a court or tribunal order; or if a permitted health situation or permitted general situation exists. A “permitted health situation” refers to situations where the disclosure is necessary for research or for the compilation or analysis of statistics, relevant to public health or safety. A “permitted general situation” is a situation where the entity reasonably believes that the disclosure of information is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety.

Although the courts have not yet considered the practical application of these principles, one can foresee potential situations where breach of confidence may be justifiable. Such situations could include where a hospital must take precautions to protect visitors of a patient or other patients from contracting a disease, or alternatively restrict visits altogether. It is plausible that such action could lead to or in itself amount to inadvertent disclosure. If a patient’s disease carried a risk of becoming widespread, or if a patient with an infectious disease expressed an intention to put others at risk, disclosure to a responsible authority may be permissible and is in some cases mandated by public health legislation.

It should be noted that in Australia, the courts have not yet held that a hospital or doctor has a positive legal duty to warn a third party that a patient has an infectious disease. This is consistent with the general legal view in Australia, that a person does not have a duty of care to rescue or provide assistance to someone in need. However further case law may be required to clarify the special position that health care providers occupy and each case must turn on its own facts.

Where information is disclosed in contravention of the privacy obligations, a patient may be able to bring an action for breach of an APP, however financial compensation or “damages” cannot be awarded unless there is a physical or psychological injury resulting from the breach. It should be noted that hurt feelings and embarrassment alone will not satisfy current civil liability requirements to attract an award of damages.

Private organisations, medical practitioners and government entities need to be aware of these competing obligations with infectious diseases, where a careful balancing act must take place between the patient’s right to privacy and issues of public safety in order to avoid a complaint, civil penalty or legal action.