Current Health Care Information Privacy Issues

Roger Clarke
Australian National University

Paper presented to the Australian Medical Informatics Association
Perth, April 1990

© Australian National University, 1990


Information privacy has become an increasingly important social value during the last 20 years. A number of sets of Information Privacy Principles have been developed around the world, of which those of the OECD (1980) are probably the most widely known. Australia has discussed the matter long and earnestly, but has lagged behind the rest of the world in actually doing much about it. Of the States, N.S.W. has led the way since the mid-1970s, with a Government-funded Committee supported by a small staff who research into privacy matters, and investigate and conciliate complaints.

In addition, since 1 January 1989, the Commonwealth Privacy Act 1988 has been in force. This establishes a set of Information Privacy Principles (IPPs), applies them to the Commonwealth Public Service, and creates a watchdog agency (the Privacy Commissioner, an additional member of the Human Rights and Equal Opportunities Commission). Exhibit 1 shows the structure of these Principles, and Exhibit 2 contains an informal short version of their contents.

Exhibit 1: Structure of the Information Privacy Principles

Exhibit 2: Information Privacy Principles
Unofficial Short Form

The Information Privacy Principles occupy 1500 words of careful legalese. This version conveys their essential content, not their detailed meaning, nor the manifold exceptions and qualifications.

1. Collection [applies only after 1 Jan 1989]

A collector shall only collect personal information for inclusion in a record or generally available publication where it is necessary for a lawful purpose. A collector shall not collect personal information by unlawful or unfair means.

2. Solicitation from the Individual [applies only after 1 Jan 1989]

Where personal information is solicited from the individual concerned, the collector shall ensure that person is aware of the purpose for which it is being collected, of any legal obligation to comply with the request, and of disclosure practices relating to it.

3. Solicitation of Information Generally [applies only after 1 Jan 1989]

When personal information is solicited, the collector shall ensure that it is relevant to the purpose of collection, up to date and complete, and that the collection is not unduly intrusive.

4. Storage and Security [applies generally]

A record-keeper shall ensure that records are secure against loss, unauthorised access, use, modification or disclosure, and against other misuse.

5. Public Access Rights [applies generally]

A record-keeper shall enable any individual to ascertain the nature, main purposes and subject access procedures relating to any personal information held, and shall maintain a record of such details.

6. Subject Access Rights [applies generally]

The individual concerned shall be entitled to have access to a record that contains personal information, except to the extent that the record-keeper is required or authorised to refuse.

7. Subject Alteration Rights [applies generally]

A record-keeper shall make reasonable alterations to ensure that records of personal information are accurate, relevant, up to date, complete and not misleading, and where unwilling to make an alteration, shall allow the individual concerned to attach to a record a statement of the alteration sought.

8. Quality of Information Used [applies generally]

A record-keeper shall not use personal information without taking reasonable steps to ensure that it is accurate, up to date and complete.

9. Relevance of Information Used [applies generally]

A record-keeper shall not use personal information unless it is relevant.

10. Use Limitations [applies only to data collected after 1 Jan 1989]

A record-keeper shall only use personal information for the purpose for which it was obtained, and for such additional purposes as are consented to by the individual, are authorised by law, are necessary in an emergency, and are reasonably necessary for the enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue.

11. Disclosure Limitations [applies only to data collected after 1 Jan 1989]

A record-keeper shall only disclose personal information if the individual to whom it relates should have been aware that it was subject to disclosure, or the disclosure has been consented to by the individual, authorised by law, or is necessary in an emergency, or is reasonably necessary for the enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue. In the last three cases a note to that effect shall be included in the record. The recipient of the information shall not use or disclose the information except for the purpose for which it was given it.

The Privacy Act 1988 also affects the private sector in several ways, particularly in relation to use of the Tax File Number. Subsequently, a 1989 statute imposed information privacy principles on criminal records, and a 1989 Bill, which was left on the Table of the Senate when the March 24 election was called, would have brought consumer credit reporting under the IPPs and the Privacy Commissioner.

Before embarking on an assessment of information privacy and health care records, it is important to clarify a number of matters relating to data, records and information:

This paper considers health care records in the light of the Information Privacy Principles. The following section identifies some of the issues which health care professionals must confront, and makes some suggestions as to the balance which should exist among the interests of the various parties. It is stressed at the outset that the author is not providing legal advice; nor is he competent to do so. The subsequent section considers the use of health care data for other purposes, such as health insurance, and government regulation.


This section identifies some issues which arise in applying the IPPs to data used by medical and other health care practitioners, group practices, hospitals, clinics and government medical examination centres. The issues are structured along the lines of the IPPs.

Data Collection

The Principles relating to the collection of data are concerned with what, why and how data is collected. In most cases, the individual is a client or patient who is unwell, and 'confidence' exists in both senses of the word. Of all people, priests, solicitors and doctors appear to be those who excite the least embarrassment when asking for very sensitive data. Of course, particular care is needed with persons with less than full adult capabilities, including the young, the very old, the very ill and the mentally retarded. Additional sensitivities arise in circumstances in which a relationship exists other than health care. Examples include where a medical practitioner is contracted by an employer or insurer to examine and report on a person's fitness, and where an authority relationship exists (e.g. in a prison).

It is a fundamental of information privacy that the collection of data from third parties, including other doctors, requires the patient's prior and informed consent. This applies even where the collection of the data is judged by the health care professional to be in the patient's interests.

Data Storage

Appropriate standards are needed in relation to the condition in which the data is maintained. This includes precautions against fire and other accidents and criminal acts. In the case of computer-based records, the additional question arises as to how the records can be accessed during an equipment or power failure. Because of the data's sensitivity, appropriate security against unauthorised access and modification is essential.

One matter of concern to patients is the readability and understandability of medical data. It might be unreasonable to expect medical records to be readable and understandable by the man-in-the-street; but it is certainly not unreasonable to expect the records to be readable and understandable by other health professionals. Even private practice records will inevitably be used by people other than the professional who recorded them, including other members of a group practice, locums, a professional who subsequently buys the practice, and medical practitioners acting on behalf of interested parties such as insurers, medical tribunals and the patient. Rank bad writing is unprofessional, and private shorthand needs to be documented in a practice glossary.

'Internal Use'

Medical data should only be used for the purposes for which it was collected, and for additional purposes authorised by law, or consented to by the data subject. The purposes for which health data is collected needs to be clear. For example, in some countries (and in remote areas in Australia), a doctor may sell pharmaceuticals to his patients, and the purposes of health data might reasonably be interpreted as including the promotion of goods as well as of the doctor's own skills. During early 1990, complaints were made about the use of N.S.W. hospital records in fund-raising campaigns.

There is also concern about the use of identified data for the record-holder's own medical research. The NH&MRC, which enjoys a privileged position under the Privacy Act, issued Interim Guidelines in early 1990, dealing with this issue.

Disclosure to Third Parties

Personal data should only be disclosed for the purposes for which it was collected, and for additional purposes authorised by law, or consented to by the data subject. Since medical data is sensitive, and since a duty of confidence generally applies to data which a health care professional gathers in the course of his relationship with a patient, it is necessary to regard health care data as being unavailable to third parties in the absence of a clear and authoritative reason.

It is of course essential that relevant health data accompany the referral of a patient to another health care professional or institution, and the patient's agreement to go there implies consent to the disclosure of relevant data. Care is needed to ensure that only relevant parts of the patient's history are communicated, e.g. an occupational therapist does not need a history of sexually transmitted diseases.

A variety of organisations and individuals have an interest in medical data. Employers have an interest in an employee's fitness to work, and fitness to perform particular tasks such as flying aeroplanes, controlling air traffic, and driving trains, buses, trucks and cars. It is a moot point whether medical practitioners should disclose on medical certificates the precise condition for which the certificate has been provided, a general indication of the condition, or nothing more than a statement of the period he or she considers the person should be away from work.

The medical practitioner also has a higher degree of responsibility than most people do for public safety, and this can outweigh the responsibility to keep data private. For example, it is regarded by most people as being reprehensible for a doctor not to 'blow the whistle' on a patient who has a serious physical condition or impairment which the doctor knows is likely to result in significant danger to the public. In particular, doctors have explicit statutory responsibilities to notify serious communicable diseases to central government-run registries. (The statutory requirement to report cancer cases is justified on epidemiological research rather than public safety grounds). In some cases a public safety factor may be so important as to require that sensitive health data be conveyed as part of information provided about a referral, in particular if the patient has been diagnosed as HIV-positive.

The difficult cases are of course the borderline ones. In N.S.W., reporting by medical practitioners of cases of suspected child abuse has been mandatory since the mid-1970s (against the recommendations of the N.S.W. Privacy Committee). Very few of the many cases which come to light do so through doctors' reports. Some members of the public think that this is because doctors are predominantly upper-middle-class in background and/or orientation, and prefer to believe that such things don't happen. An alternative reason might be that, in many circumstances where a doctor suspects child abuse, he or she may judge the harm which would arise from reporting to be likely to be worse than that arising from staying silent. There is also the question as to whether the patient is the parent, the child, or the family.

Insurers may have an interest in health care data about a person's injuries and illnesses, both recent (where these have a bearing on a claim) and historical (where prior conditions are excluded by the policy conditions). In general, disclosure in these circumstances should not be regarded as a purpose for which the data was collected. Hence such disclosures generally require legal authority or patient consent.

Investigative authorities concerned with dispute resolution (such as Ombudsmen and Privacy watchdogs) and with criminal investigation (such as Royal Commissions and the Police) may have an interest in health care data concerning the subject of their investigation. A variety of legal authorities exist whereby medical records, or reports from them, have to be provided. These include sub poenas (literally 'under a penalty') and court orders. In addition, some organisations which undertake conciliation and arbitration of disputes have statutory power to demand information or the production of documents. These organisations have proliferated during the last two decades, and include Ombudsmen, the Commonwealth Privacy Commissioner and some Consumer Affairs Departments. Guidelines are available from the N.S.W. Privacy Committee explaining the procedure which should be used to ensure protection of health data privacy when records are demanded under a legal authority.

Some sets of Information Privacy Principles, including those in the Commonwealth Privacy Act 1988, recognise the need for data to be disseminated in emergencies. There is concern on the part of many people, however, that too many disclosures to agencies such as the Police are made on the assumption that an emergency exists, rather than after the existence of an emergency has been demonstrated. The Privacy Act IPPs are very weak in this area, because they allow disclosure for any purpose related to law enforcement and even for protection of the public revenue.

As regards the form in which disclosures should be made, it is generally undesirable that health data records be provided in their naked form to a person without professional competence. One reason for this may be the poor quality of the records. Another reason, which applies as much to well-kept as to poorly kept records, is their technical nature, and the need for an appreciation of the subject-matter, and of the record-keeping institution's normal procedures.

It is therefore highly desirable that one of two approaches be adopted to disclosure of health data to third parties. The owner of the records can provide a report, written for an educated but lay audience, containing specific answers to the questions asked, and to whose accuracy the record-owner attests. Where called upon to subsequently submit the records for examination by an authority which has access to appropriate medical competence, a medical practitioner should not react to the request as though it were a personal affront, but should accept it as the legitimate exercising of a necessary control mechanism.

The other general disclosure mechanism is the provision of the records, or of certified copies of them, subject to the condition that they are not to be interpreted other than with the support of someone with appropriate medical competence. The definition of such competence should not be drawn too narrowly, e.g. if the records relate to psychiatric matters, then any psychiatrist, and perhaps any clinical psychologist or any general practitioner should be an acceptable intermediary or assistant.

Data Access by Subjects

A matter which is often of concern to the public is the jealous manner in which so many doctors protect their records from the sight of their patients. Admittedly some doctors are justified in being embarrassed about the quality of their records, but for many doctors this is not the reason. It is important to appreciate that, while the records (the documents or disks) are unequivocally the property of the practitioner or institution, the data is not. Data is not capable of being owned, and many different people have an interest in it, including and especially the person to whom it relates.

A matter of some uncertainty to many people is whether they are supposed to, or are even permitted to, look at information given to the patient by one health care professional for transport to another. Some doctors seal envelopes containing such information, which causes some patients (and not only the more hypochondriac, pessimistic, cynical or paranoid patients) to be nervous about the contents. It is suggested that a fair practice is to state that the receiving health care professional will be happy to show and explain the contents of the envelope. This ensures that the patient is not tempted by circumstances to feel that the medical professions are keeping something from them, and creates the opportunity for him or her to ask a question of both the sending and the receiving professional. It is likely that, given that opportunity, the large majority of patients would not exercise it.

Some health care professionals practise the withholding from patients of information which they judge to be prejudicial to the patient's state of mind, particularly such matters as a particularly fearsome diagnosis, or a particularly unpleasant prognosis. While it is arguable that some scope should exist for doctors to exercise their judgement in such a way, it is a paternalistic attitude ill-fitted to a late twentieth century democracy, and repugnant to many people. Any such action should be undertaken only after very serious consideration.

Patients who are not capable of exercising their own rights in relation to health care data should of course be able to have those rights exercised on their behalf by an appropriate representative. Hence children's data and that of mentally retarded people may be seen by parents or guardians, and that of aged people suffering from senile dementia by a son or daughter. Access by a similar representative of a comatose patient would appear reasonable.

A further issue is that of access to the health data of a competent adult by one or more of the person's near relatives, typically co-habiting spouse, or co-habiting parent, son or daughter. Clearly where there is express or even reasonably inferable consent, such disclosure is desirable. Particularly in the case of co-habiting spouses, it is arguable that there should be a default presumption that the spouse may access the data on request unless the patient has actually denied such access, or the health care professional has information at their disposal which suggests that the patient would deny access if asked. Disclosure to a near relative may also be reasonable where the treating professional is considering withholding the information from the patient, and communicates it to a near relative in order to assess whether or not it should be so withheld.

The motivation of the person seeking access to records which relate to him- or herself should have little bearing on the record-owner's attitude. With very few exceptions, access should not be denied. There is the rare case of a person whose existing suicidal tendency is judged by the doctor to be very likely to be heightened by disclosure (which is justifiable on the basis of patient treatment); similarly with a person with an existing homicidal tendency (on the grounds of public safety). In each case, of course, the effect of withholding the information must be balanced against the effect of providing it. The other instance is the occasional 'vexatious litigant', by which is meant a person who has previously demonstrated an unreasonable propensity to initiate actions such as complaints to medical registration authorities or the Police, or court actions. Such exceptions require substantive evidence.

One of the particularly thorny issues is where a patient becomes a litigant. In these circumstances the health care professional or institution has a direct interest in non-disclosure. However there are mechanisms for discovery which must be respected, and respected more assiduously by health care professionals than by many other people, because the standing of health care professionals in the community is at stake.

A related thorny issue is the question of litigation by a person against another health care professional. Searching for a doctor to testify against another doctor is generally regarded by the public as being as fruitless as searching for a solicitor to help sue another solicitor. This reflects very badly on the profession. If doctors continue to close ranks, it should be anticipated that the high standing that the medical profession has enjoyed will be compromised.

Clearly, when a patient is given access to medical data, the scope for non- and mis-comprehension is significant, and records should generally be provided only in the presence of a suitably qualified intermediary. Naturally it is highly desirable that the intermediary be the person (or one of the people) responsible for the records, but if this is impractical, or the data subject lacks confidence in that person, then any reasonable intermediary should be acceptable. This means that, in the most uncomfortable case, a conservative doctor must grit his teeth, while a firebrand doctor associated with the Stroppy Patients' Lobby Group Inc. assists a (probably ex-) patient to understand the records.

Record Transfer

Although records are unequivocally the property of their originator, a patient has a very real interest in having them, or at least an accurate representation of their contents, transferred to his new health care professional. The practice of transferring records when an appropriately documented request is made, is therefore highly desirable from a treatment viewpoint. However a doctor may reasonably wish to retain at least a copy of the records, especially if he suspects the possibility of subsequent correspondence with an insurance company or a solicitor. In these circumstances, it may be more appropriate to provide a copy of the records, probably accompanied by annotations or a summary.

Record Destruction

Patient history is one of the relatively few classes of record for which some genuine justification exists for long-term retention (i.e. for the life of the patient, and a little longer to cater for the possibilities of foul play, accusations of malpractice, etc). However the volume of information which is generated becomes very large, and much of it does become irrelevant over time, and hence periodic summarisation and destruction of old material seems desirable.


There is a variety of additional uses to which health care data is put. These uses raise information privacy issues which are somewhat different from those which arise in health care practices and hospitals. They are discussed under the following headings:

Health Insurance and Pharmaceuticals Benefits

This section first considers matters which arise whether health insurance is provided by the private sector or by a government agency. Additional matters which arise with a national scheme such as Medicare are dealt with in a later section.

Given the enormous cost of health care, and the unequal way in which the burden of ill-health and accident falls, compulsory health insurance appears to be an inevitable feature of modern society. Further, because of the vast numbers of transactions which take place, the vast sums of money which flow, and the seemingly inherent tendency of some human beings to cheat when temptation is placed in front of them, any health insurance system must include controls.

A first level of control is the validation, or 'front-end verification', of transactions. Typically, the availability and amount of any refund, subsidy or fee-for-service is dependent on particular characteristics of the transaction (such as the actual service performed), the patient (such as whether he or she is a pensioner), the person performing the service, and the location in which the service is performed. For the transaction to be classified and the value computed, particular items of information must be available to the insurer, including the identities of the parties concerned.

Subsequently, as is conventional in any organisational control system, the details of each transaction must remain available as an 'audit trail', at least for the duration of the insurer's financial year and until the financial audit of that year's transactions is complete.

Depending on the extent to which errors and abuse occur, and the cost involved, additional controls may be implemented to protect against 'over-servicing'. These may take the form of monitoring the claims by each patient, and each health care professional, to detect, for example, illogical treatment patterns (such as gynaecological treatment of a male, or successive tonsillectomies), and unlikely health care professional performance (such as a 150-hour work-week). The conventional approach to such controls is to periodically run computer-based analyses against the cumulative history of patients and treatment professionals, identify anomalies, sort them into descending order of surprisal value, and present the strangest and/or highest-value anomalies to human auditors.
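The retrospective analysis just described, as an added worked example that is not from the paper and does not represent any Health Insurance Commission system: three detection rules are run over a constructed claims history (the three illogical patterns the paper names), each anomaly is scored by its surprisal, taken here as -log2 of the Laplace-smoothed frequency with which that pattern occurs in the same history, and the results are ranked by surprisal and then by fee for presentation to a human auditor. The service codes, the sex-restricted and once-only service tables, the 60-hour weekly threshold and all claim records are assumptions constructed for the illustration.

```python
"""Retrospective claims audit: flag illogical treatment patterns and implausible
practitioner workloads, score each by surprisal, and rank for human auditors.
Every record and reference table below is constructed for illustration."""
import math
from collections import defaultdict
from datetime import date
from typing import NamedTuple

# Constructed reference tables (assumptions, not any real scheme's tables).
SEX_RESTRICTED = {"GYN_EXAM": "F", "PROSTATE_EXAM": "M"}  # service -> only valid sex
ONCE_ONLY = {"TONSILLECTOMY"}                               # cannot recur for one patient
MAX_WEEK_MINUTES = 60 * 60                                  # assumed plausible ceiling: 60 h/week


def claim(cid, patient, sex, practitioner, service, minutes, fee, d):
    return dict(id=cid, patient=patient, sex=sex, practitioner=practitioner,
                service=service, minutes=minutes, fee=fee, date=d)


# Constructed claims history (ISO week 10 of 1990 starts Monday 5 March).
CLAIMS = [
    claim("C01", "P1", "F", "D1", "GYN_EXAM", 20, 60.0, date(1990, 3, 5)),
    claim("C02", "P2", "F", "D1", "GYN_EXAM", 20, 60.0, date(1990, 3, 6)),
    claim("C03", "P3", "F", "D2", "GYN_EXAM", 20, 60.0, date(1990, 3, 7)),
    claim("C04", "P4", "M", "D2", "GYN_EXAM", 20, 60.0, date(1990, 3, 7)),   # male patient
    claim("C05", "P5", "M", "D2", "TONSILLECTOMY", 60, 400.0, date(1990, 3, 8)),
    claim("C06", "P6", "F", "D4", "TONSILLECTOMY", 60, 400.0, date(1990, 3, 8)),
    claim("C07", "P6", "F", "D4", "TONSILLECTOMY", 60, 400.0, date(1990, 3, 14)),  # repeat
    # D3 bills 9000 minutes (150 hours) in week 10; three long claims stand in
    # for the hundreds of short ones a real history would contain.
    claim("C08", "P7", "M", "D3", "CONSULT", 3000, 30.0, date(1990, 3, 5)),
    claim("C09", "P8", "F", "D3", "CONSULT", 3000, 30.0, date(1990, 3, 6)),
    claim("C10", "P9", "M", "D3", "CONSULT", 3000, 30.0, date(1990, 3, 7)),
    claim("C11", "P7", "M", "D3", "CONSULT", 15, 30.0, date(1990, 3, 12)),    # week 11, normal
]


class Anomaly(NamedTuple):
    rule: str
    subject: str        # patient or practitioner the finding concerns
    claim_ids: list
    surprisal: float    # bits; higher means rarer in this history
    value: float        # total fee at stake, used as the secondary sort key


def _laplace(hits, trials):
    """Smoothed empirical frequency, so a pattern never seen before still scores finitely."""
    return (hits + 1) / (trials + 2)


def surprisal(p):
    return -math.log2(p)


def sex_mismatches(claims):
    """Rule 1: a sex-restricted service claimed for a patient of the other sex."""
    by_service = defaultdict(list)
    for c in claims:
        by_service[c["service"]].append(c)
    out = []
    for service, allowed in SEX_RESTRICTED.items():
        group = by_service.get(service, [])
        wrong = [c for c in group if c["sex"] != allowed]
        p = _laplace(len(wrong), len(group))
        out += [Anomaly("sex_mismatch", c["patient"], [c["id"]], surprisal(p), c["fee"])
                for c in wrong]
    return out


def repeated_once_only(claims):
    """Rule 2: a once-only procedure claimed more than once for the same patient."""
    out = []
    for service in ONCE_ONLY:
        per_patient = defaultdict(list)
        for c in claims:
            if c["service"] == service:
                per_patient[c["patient"]].append(c)
        repeats = {pt: cs for pt, cs in per_patient.items() if len(cs) > 1}
        p = _laplace(len(repeats), len(per_patient))
        for pt, cs in repeats.items():
            extra = sorted(cs, key=lambda c: c["date"])[1:]   # everything after the first
            out.append(Anomaly("repeated_once_only", pt, [c["id"] for c in extra],
                               surprisal(p), sum(c["fee"] for c in extra)))
    return out


def implausible_workload(claims, max_minutes=MAX_WEEK_MINUTES):
    """Rule 3: a practitioner whose billed minutes in one ISO week exceed the ceiling."""
    weeks = defaultdict(list)
    for c in claims:
        iso = c["date"].isocalendar()
        weeks[(c["practitioner"], iso[0], iso[1])].append(c)
    over = {k: cs for k, cs in weeks.items() if sum(c["minutes"] for c in cs) > max_minutes}
    p = _laplace(len(over), len(weeks))
    return [Anomaly("implausible_workload", k[0], [c["id"] for c in cs], surprisal(p),
                    sum(c["fee"] for c in cs)) for k, cs in over.items()]


def audit(claims, top_n=None):
    """Run all rules, rank by surprisal then fee (both descending), return the top N."""
    found = sex_mismatches(claims) + repeated_once_only(claims) + implausible_workload(claims)
    found.sort(key=lambda a: (a.surprisal, a.value), reverse=True)
    return found[:top_n]


if __name__ == "__main__":
    for a in audit(CLAIMS):
        print(f"{a.surprisal:5.2f} bits  {a.rule:20s} {a.subject:4s} {a.claim_ids}  ${a.value:.2f}")
```

The ranking puts the 150-hour week first (one of six practitioner-weeks, 2.0 bits), the gynaecological examination of a male second (one of four such claims, about 1.58 bits) and the repeated tonsillectomy last (one of two patients, 1.0 bit); the output is a ranked worklist of identified patients and practitioners, which is exactly the point the paper goes on to make about the privacy cost of this kind of surveillance.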

Such surveillance of patients and health care professionals is clearly a breach of their privacy, and should only be undertaken if significant benefits can be demonstrated. However it must be acknowledged that some people would argue that such surveillance is necessary, irrespective of its effectiveness, merely on moral grounds. The Health Insurance Commission would presumably claim that the surveillance is adequately justified by the savings made through error-corrections, and through the dissuasion of dishonesty as a result of the periodic publicity attendant upon successful prosecutions.

Similarly, pharmaceuticals are an expensive item, and social equity appears to require insurance and/or subsidy schemes. Similar validation, control and surveillance mechanisms have been argued to be necessary, although the evidence appears to be more scant than is the case with health insurance. In addition to the health care professional who writes the script, and the patient, a pharmacist is involved, and the surveillance operation may be applied to all actors.

Very real concerns exist throughout the community about the possibility of government agencies in general, and the Health Insurance Commission in particular, wantonly invading health care information privacy, and even using the ubiquity of health care as a basis for a de facto national identification scheme and population register. When such concerns are expressed, however, it is important that they not overlook the need for some control to be exercised over health care benefits schemes.

Regulation of Health Care Professionals

Because of the history of 'quacks', and the gullibility of the public on matters pertaining to health, it is conventional to require health care professionals to have completed approved tertiary courses, and to be and remain licenced or registered in order to practise.

The regulatory controls over health care professionals and organisations which provide health care services extend also to the payment of fee-for-service, reimbursement or subsidy. This inevitably involves some degree of invasion of the privacy of health care professionals, since the interests of society in accurately identifying those people, confirming their qualifications to provide services, and tracing them in the event of default or fraud, are judged to be more important than the interests of those people in personal privacy. It appears that further regulatory measures are in the process of being imposed, including requirements on general practitioners for ongoing professional development after qualification, and regular and ad hoc inspections.

From the viewpoint of health care information privacy, investigative agencies will on occasions have an interest in data relating to patients of health care professionals who are under suspicion of, in particular, over-servicing. These agencies must appreciate the importance of patient interests in privacy, and be themselves subject to controls. In the interests of ensuring control over the expenditure of taxpayers' funds, however, it does appear that appropriately justified and suitably sensitive access to patient data may be necessary on occasions.

Health Care Professionals as Policemen

Reference has already been made to the statutory requirements of medical practitioners to report infectious diseases which have been specified by regulation, cancer and suspected cases of child abuse. Other circumstances have been noted in which the medical practitioner's duty of confidentiality to his patient may be overridden by a higher duty to the public.

The extent to which health care professionals are required to police the law appears to be increasing. The Government has proposed that the Pharmaceuticals Benefits Scheme (PBS) will be enhanced from a batch system to an on-line system, to enable claims to be rejected before they are dispensed, e.g. due to lack of identifying information, or non-approval by the algorithm programmed into the computer. The pharmacist will therefore be placed in the position of having to tell the person that he cannot be sold the drug his doctor prescribed for him, or will have to pay the full price. Alternatively (and less likely), the pharmacist might, for marketing reasons, choose to take the financial risk, and carry the difference himself, pending clarification with the government agency responsible for the rejection. The proposal was suspended during the campaign preceding the March 24 election, but in such a manner that it may be expected to be resuscitated soon after the government's re-election.

Health care professionals express concern that their predominantly service orientation is compromised by this government-imposed role. Meanwhile some members of the public are concerned at the need for a government-sanctioned identity as a pre-condition of gaining access to treatment.

Increased Government Interventionism and Concentration

Government agencies appear to be using IT to move from mere background post-processing of health care related transactions, to on-line processing which actively intervenes in the health care process. The approach embodied in the enhanced Pharmaceutical Benefits Scheme is potentially applicable elsewhere in the health system, such as in the front-end validation of treatment transactions, and even of appointments.

Moreover, these functions appear to be in the process of being concentrated in the hands of a single agency, the Health Insurance Commission. The HIC was the agency which proposed the technical means for implementing the Australia Card scheme. It has a successful track record of applying IT to the Medicare scheme, and has the technocratic confidence to actively seek expansion of its functions. Several agencies which have been less successful with their own application of Information Technology, or which are already heavily committed to long-term IT development plans, have been prepared to cede functions to the HIC.

The HIC already has the Medicare and Medibank Private schemes. It has been proposed that it will develop and operate the enhanced Pharmaceutical Benefits Scheme. The enhanced PBS, like the Australia Card scheme proposal, involves linkages between the HIC and several other government agencies, in particular the Departments of Social Security (DSS) and of Veterans' Affairs (DVA), and presumably also the Department of Community Services and Health (DCSH).

There are some very serious concerns about the collection, storage, use, disclosure and retention practices of the HIC in relation to health care data. The documented instances of leaks of data relating to identified health care professionals are evidence either of inadequate security, or of a preparedness by the Commission to provide information to the public by informal means. Of greater concern to the general public are cases such as the McGoldrick investigation (in which the Victorian Police were provided with the identities of young women who had had D&Cs by a particular medical practitioner), which demonstrate a cavalier attitude on the part of the HIC to the information privacy interests of patients. It remains to be seen whether the Privacy Commissioner is able to use his Act and the IPPs to impose on the Commission an appropriate respect for values other than the discovery of error and the apprehension of offenders.


The community is placing increasing value on information privacy. This paper has identified some information privacy issues arising in relation to health care data. Many of these arise daily in sole and group health care practices, and in the larger health care organisations such as hospitals.

The regulatory uses of health-care data are proliferating. Privacy issues also arise from uses of health care data by other organisations, such as the Health Insurance Commission, which are concerned with matters other than health care itself. Such organisations must accordingly take great care to justify the collection of data, maintain it in secure storage, and use, disclose and retain as little identified data as possible.


